From 6f490164accbb2ad82f51bf36579c3df20a7c3d0 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 24 Jul 2023 18:51:07 +0200 Subject: [PATCH] temp dirs while a release happens... --- ...odule_firmware-for-firmware_tg357766.patch | 37 + ...ssible-null-dereference-in-snd_ac97_.patch | 42 + ...ck-fix-mutex-call-in-snd_jack_report.patch | 91 + ...l-and-__align-_str-outside-ifdef-__a.patch | 62 + tmp-4.19/arcv2-entry-avoid-a-branch.patch | 38 + ...ents-about-hardware-auto-save-on-tak.patch | 158 ++ ...-out-the-z-flag-unclobber-from-commo.patch | 89 + ...ite-to-enable-use-of-double-load-sto.patch | 466 ++++ ...es-avoid-missing-declaration-warning.patch | 103 + ...x-drop-clock-names-from-the-spi-node.patch | 42 + ...p93xx-fix-missing-prototype-warnings.patch | 48 + ...rion5x-fix-d2net-gpio-initialization.patch | 55 + ...s-ulcb-kf-remove-flow-control-for-sc.patch | 46 + ...ement-max-value-for-alc-capture-targ.patch | 91 + ...null-point-check-in-node-allocations.patch | 92 + ...tions-to-__be32-in-affs_hardblocks.h.patch | 142 ++ ...address-kcsan-report-on-bpf_lru_list.patch | 177 ++ ...a-root-from-the-dirty-cow-roots-list.patch | 84 + .../can-bcm-fix-uaf-in-bcm_proc_show.patch | 92 + ...ip-sending-responses-for-revoke-msgs.patch | 47 + ...ers-cadence-ttc-fix-memory-leak-in-t.patch | 81 + ...ers-cadence-ttc-use-ttc-driver-as-pl.patch | 86 + ...vers-unify-the-names-to-timer-format.patch | 219 ++ ...ild-warnings-when-debug_fs-is-not-en.patch | 88 + ...heck-debug_objects_enabled-before-re.patch | 74 + .../drm-amdgpu-validate-vm-ioctl-flags.patch | 33 + ...se-after-free-in-nonblocking-commits.patch | 91 + ...nitialized-variable-in-drm_cvt_modes.patch | 39 + ...-fix-active-size-for-ampire-am-48027.patch | 51 + ...fix-possible-division-by-zero-errors.patch | 94 + ...ete-description-of-evm_inode_setattr.patch | 39 + ...t-when-handling-xattrs-in-inode-body.patch | 54 + ...alue-of-freeze_bdev-in-ext4_shutdown.patch | 43 + ...x-wrong-unit-use-in-ext4_mb_clear_bb.patch | 35 + ...locks-on-successful-block-allocation.patch | 92 + 
...l-doc-of-property-capability-fields-.patch | 46 + ...l-doc-of-property-fields-to-avoid-wa.patch | 45 + ...rror-path-handling-in-truncate_dnode.patch | 39 + ...ix-missing-irq-check-in-au1200fb_drv.patch | 40 + ...-use-after-free-bug-in-imsttfb_probe.patch | 75 + ...warn-about-invalid-left-right-margin.patch | 43 + ..._mipid-fix-an-error-handling-path-in.patch | 44 + ...eturn-positive-pid-value-for-f_getlk.patch | 36 + ...date-don-t-invalidate-if-interrupted.patch | 34 + .../gfs2-don-t-deref-jdesc-in-evict.patch | 63 + ...se-after-free-in-__gtp_encap_destroy.patch | 190 ++ ...-the-timeout-for-init-and-self-check.patch | 45 + .../hwrng-virtio-add-an-internal-buffer.patch | 127 + ...-virtio-always-add-a-pending-request.patch | 111 + .../hwrng-virtio-don-t-wait-on-cleanup.patch | 58 + .../hwrng-virtio-don-t-waste-entropy.patch | 130 + ...x-race-on-data_avail-and-actual-data.patch | 86 + ...iic_wakeup-and-__xiic_start_xfer-in-.patch | 112 + ...ry-to-handle-more-interrupt-events-a.patch | 60 + ...dma.h-tx-num_descs-off-by-one-errors.patch | 110 + ...tr-deref-of-ip6_null_entry-rt6i_idev.patch | 145 ++ ...ix-igb_down-hung-on-surprise-removal.patch | 89 + ...-not-hardcode-interrupt-trigger-type.patch | 39 + ...drv260x-sleep-between-polling-go-bit.patch | 39 + ...le-allocation-in-integrity_inode_get.patch | 62 + ...x-a-potential-refcount-underflow-for.patch | 53 + ...ix-return-value-of-ipvlan_queue_xmit.patch | 66 + ...c-fix-missing-allocation-of-irq-desc.patch | 53 + ...c-kill-use-of-irq_create_strict_mapp.patch | 41 + ...usage-in-jffs2_build_xattr_subsystem.patch | 128 + ...lidate-db_l2nbperpage-while-mounting.patch | 66 + ...a-memory-leak-in-crash_shrink_memory.patch | 93 + ..._s390_get_cmma_bits-for-gfns-in-mems.patch | 74 + ...initial-match-offset-for-every-block.patch | 59 + ...on-t-drop-packet-from-non-root-netns.patch | 50 + ...r-fill-non-message-tx-data-fields-wi.patch | 75 + ...uption-for-raid456-when-reshape-rest.patch | 60 + 
...card-support-for-the-original-layout.patch | 203 ++ ...slab-out-of-bounds-in-md_bitmap_get_.patch | 65 + ...-loss-while-replacement-replace-rdev.patch | 79 + ...0-fix-overflow-of-md-safe_mode_delay.patch | 51 + ...rong-setting-of-max_corr_read_errors.patch | 38 + ...event-soft-lockup-while-flush-writes.patch | 79 + ...a-usb-check-az6007_read-return-value.patch | 38 + ...fix-warning-due-to-null-work_func_t-.patch | 83 + ...h-fix-struct-v4l2_input-tuner-index-.patch | 62 + ...ke-memstick_debug_get_tpc_name-stati.patch | 49 + ...saradc-fix-clock-divider-mask-length.patch | 37 + ...dd-missing-check-for-platform_get_re.patch | 38 + ...t5033-drop-rt5033-battery-sub-device.patch | 41 + ...isable-the-regulators-if-they-are-en.patch | 45 + ...free-irqs-before-removing-the-device.patch | 50 + ...st-re-init-completion-for-every-test.patch | 44 + ...isable-trim-on-kingston-emmc04g-m627.patch | 46 + ...sable-trim-on-micron-mtfc4gacajcn-1m.patch | 44 + ...ion-mismatch-message-for-r_arm_-pc24.patch | 106 + ...ion-mismatch-message-for-r_arm_abs32.patch | 133 + ...mum-limit-of-allocated-index-in-nbd_.patch | 41 + ...io-unregistration-has-clocks-enabled.patch | 39 + ...ports-without-iff_unicast_flt-in-br_.patch | 198 ++ ...e-netdev-dev_addr-assignment-helpers.patch | 82 + ...cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch | 78 + ...ipv6-check-return-value-of-pskb_trim.patch | 39 + ...an743x-don-t-sleep-in-atomic-context.patch | 72 + ...-fix-txq_map-in-case-of-txq_number-1.patch | 48 + ...limit-of-tcp_linger2-with-tcp_fin_ti.patch | 73 + ...dit-add-size-check-for-tca_pedit_par.patch | 57 + ...sched-make-psched_mtu-rtnl-less-safe.patch | 49 + ...t-up-the-nfnetlink-header-and-use-it.patch | 704 ++++++ ...id-nf_ct_helper_hash-uses-after-free.patch | 51 + ...ntrack_sip-fix-the-ct_sip_parse_nume.patch | 53 + ...e_error-to-deal-with-bound-set-chain.patch | 101 + ...g-points-during-loop-detection-walks.patch | 50 + ...les-can-t-schedule-in-nft_chain_vali.patch | 64 + 
...f_tables-fix-nat-hook-table-deletion.patch | 104 + ...es-fix-scheduling-while-atomic-splat.patch | 39 + ...les-fix-spurious-set-element-inserti.patch | 49 + ...r-path-handling-with-nft_msg_newrule.patch | 73 + ...ent-oob-access-in-nft_byteorder_eval.patch | 211 ++ ...nd-anonymous-set-before-commit-phase.patch | 137 + ...ymous-set-if-rule-construction-fails.patch | 33 + ...t_generic-infra-for-transaction-data.patch | 1032 ++++++++ ...tion-to-set-the-base-sequence-number.patch | 117 + ...__sock_i_ino-for-__netlink_diag_dump.patch | 152 ++ ...ard-code-device-address-lenth-in-fdb.patch | 157 ++ ...otential-deadlock-in-netlink_set_err.patch | 117 + ...eral-pointers-to-u8-char-and-sk_buff.patch | 465 ++++ ...sible-use-of-uninitialized-variable-.patch | 41 + ...-op_recall-flag-for-write-delegation.patch | 32 + ...r-handling-in-amd_ntb_pci_driver_ini.patch | 64 + ...rror-handling-in-idt_pci_driver_init.patch | 66 + ...ror-handling-in-intel_ntb_pci_driver.patch | 65 + ...-ntb_tool-add-check-for-devm_kcalloc.patch | 39 + ...t-fix-possible-memory-leak-while-dev.patch | 42 + ...dma-alias-quirk-for-marvell-88se9235.patch | 36 + ...clear_master-stub-for-non-config_pci.patch | 39 + ...elopos-e2-s2-h2-pcie-ports-in-d3cold.patch | 46 + ...to-read-only-registers-for-ip-v2.3.3.patch | 34 + ...ut-to-wait-for-phy-plls-to-be-locked.patch | 81 + ...configuration-enable-bit-after-probe.patch | 40 + ...ration-for-rk3399-pcie-endpoint-core.patch | 113 + ...-variable-to-access-32-bit-registers.patch | 76 + ...te-pci-device-id-to-correct-register.patch | 60 + ...ux-fix-off-by-one-in-die_get_varname.patch | 45 + ...-cyc-timestamps-after-standalone-cbr.patch | 39 + ...duced-by-switch-to-die_get_decl_file.patch | 115 + ...ect-internal-gpio0-debounce-handling.patch | 77 + ...in-handling-clearing-pins-at-startup.patch | 39 + ...special-debounce-behavior-for-gpio-0.patch | 40 + ...amd_pinconf_set-for-all-config-optio.patch | 108 + ...4-check-return-value-of-devm_kasprin.patch | 41 + 
...ew-return-correct-value-if-pin-in-pu.patch | 57 + ...nteger-overflow-issues-in-genpd_pars.patch | 48 + ...ure-timer-id-search-loop-limit-is-va.patch | 115 + ...c_early_debug_cpm-only-when-serial_c.patch | 46 + ...eon-avoid-double-free-in-ci_dpm_init.patch | 110 + ...ort-for-asix-devices-with-a-fifo-bug.patch | 139 ++ ...-the-lookup-process-failing-to-get-s.patch | 113 + ...deadloop-issue-on-reading-trace_pipe.patch | 128 + ...se-some-resources-in-st_rtc_probe-in.patch | 40 + ...f-fix-buffer-overflow-in-tcp_basertt.patch | 36 + ...-balance-task-to-its-current-running.patch | 96 + ...resolve-gtags-empty-index-generation.patch | 65 + ...-error-handling-for-initialization-f.patch | 47 + ...id-rport-returned-by-fc_bsg_to_rport.patch | 37 + ...x-potential-null-pointer-dereference.patch | 35 + ...-qla2xxx-pointer-may-be-dereferenced.patch | 36 + ...ait-for-io-return-on-terminate-rport.patch | 71 + ...al-deadlock-on-net-sctp.addr_wq_lock.patch | 57 + ...-atmel-don-t-enable-irqs-prematurely.patch | 45 + tmp-4.19/series | 220 ++ ...a-fix-dma-channel-offset-calculation.patch | 103 + ...p-to-translate-device-tree-address-i.patch | 44 + .../soc-fsl-qe-fix-usb.c-build-errors.patch | 60 + ...urn-error-if-neither-hif_mspi-nor-ms.patch | 58 + .../spi-bcm63xx-fix-max-prepend-length.patch | 47 + ...ts_per_word-while-cs-is-still-active.patch | 72 + ...lax-message-sanity-checking-a-little.patch | 46 + ...ue-conditional-in-fsl_spi_do_one_msg.patch | 39 + ...fix-uaf-in-svc_tcp_listen_data_ready.patch | 142 ++ ...data-races-around-fastopenq.max_qlen.patch | 77 + ...-data-races-around-rskq_defer_accept.patch | 53 + ...nnotate-data-races-around-tp-linger2.patch | 52 + ...e-data-races-around-tp-notsent_lowat.patch | 64 + ...data-races-in-__tcp_oow_rate_limited.patch | 55 + ...race-condition-in-dev-vtpmx-creation.patch | 80 + ...rs-if-they-have-referenced-variables.patch | 127 + ...l-to-add-histogram-to-hist_vars-list.patch | 38 + ...ewide-remove-uninitialized_var-usage.patch | 2204 
+++++++++++++++++ ...c24xx_serial_getclk-in-case-of-error.patch | 40 + ...4xx_serial_getclk-when-iterating-clk.patch | 48 + tmp-4.19/udp6-fix-udp6_ehashfn-typo.patch | 40 + ...o-fix-memory-leak-in-tahvo_usb_probe.patch | 43 + ...b-serial-option-add-lara-r6-01b-pids.patch | 65 + ...o-imsttfb-check-for-ioremap-failures.patch | 78 + ...t-icmp6inmsgs-on-the-original-netdev.patch | 127 + tmp-4.19/w1-fix-loop-in-w1_fini.patch | 43 + ...fine-dummy-watchdog_update_hrtimer_t.patch | 89 + ...re-properly-prevent-false-positives-.patch | 84 + ...uninitialized-warning-in-airo_get_ra.patch | 47 + ...-referencing-uninit-memory-in-ath9k_.patch | 58 + ...onvert-msecs-to-jiffies-where-needed.patch | 51 + ...-allow-to-overwrite-endpoint0-attrib.patch | 54 + ...r9003-mac-hardware-hang-check-regist.patch | 95 + ...ossible-stall-on-ath9k_txq_list_has_.patch | 111 + ...n-error-handling-path-in-atmel_probe.patch | 59 + ...mvm-avoid-baid-size-integer-overflow.patch | 47 + ...-the-size-of-a-memory-allocation-in-.patch | 48 + ...-an-error-handling-path-in-orinoco_c.patch | 58 + ...-an-error-handling-path-in-spectrum_.patch | 59 + ...-useless-status-variable-in-parse_ad.patch | 53 + ...-an-error-handling-path-in-ray_probe.patch | 69 + ...ray_cs-utilize-strnlen-in-parse_addr.patch | 67 + ...ot-set-mmc_pm_keep_power-in-shutdown.patch | 41 + ...ix-wstringop-overflow-warning-in-ioc.patch | 71 + ...ix-an-error-handling-path-in-wl3501_.patch | 66 + ...bunch-of-formatting-issues-related-t.patch | 143 ++ ...sspelling-and-provide-missing-docume.patch | 64 + ...501_cs-remove-unnecessary-null-check.patch | 41 + tmp-4.19/wl3501_cs-use-eth_hw_addr_set.patch | 40 + ...work_-constant-types-clarify-masking.patch | 140 ++ tmp-4.19/x86-cpu-amd-add-a-zenbleed-fix.patch | 161 ++ ...the-errata-checking-functionality-up.patch | 181 ++ ...de-amd-load-late-on-both-threads-too.patch | 30 + ...cated-cache-line-for-mwait_play_dead.patch | 91 + ...xtensa-iss-fix-call-to-split_if_spec.patch | 34 + 
...lid-disable-dmi-quirk-for-nextbook-a.patch | 45 + ...acklight-native-dmi-quirk-for-apple-.patch | 43 + ...acklight-native-dmi-quirk-for-lenovo.patch | 44 + ...odule_firmware-for-firmware_tg357766.patch | 37 + ...ssible-null-dereference-in-snd_ac97_.patch | 42 + ...ble-mute-led-on-hp-laptop-15s-eq2xxx.patch | 73 + ...realtek-remove-3k-pull-low-procedure.patch | 66 + ...ck-fix-mutex-call-in-snd_jack_report.patch | 91 + ...te-offset_in_bo-of-drm_amdgpu_gem_va.patch | 73 + ...sing-error-check-for-rhashtable_inse.patch | 47 + ...l-and-__align-_str-outside-ifdef-__a.patch | 62 + ...es-avoid-missing-declaration-warning.patch | 103 + ...x-drop-clock-names-from-the-spi-node.patch | 42 + ...bcm5301x-fix-duplex-full-full-duplex.patch | 56 + ...ve-model-property-out-of-pinctrl-nod.patch | 41 + ...7-common-fix-backlight-pwm-specifier.patch | 49 + ...orrect-uart_b-and-uart_c-clock-refer.patch | 51 + ...correct-uart_b-and-uart_c-clock-refe.patch | 47 + ...x-audio-routing-on-stm32mp15xx-dhcom.patch | 52 + ...x-i2s-endpoint-format-property-for-s.patch | 36 + ...ve-ethernet-mac-eeprom-from-som-to-c.patch | 59 + ...horten-the-av96-hdmi-sound-card-name.patch | 38 + ...p93xx-fix-missing-prototype-warnings.patch | 48 + ...fix-missing-tick_broadcast-prototype.patch | 41 + ...rion5x-fix-d2net-gpio-initialization.patch | 55 + ...hip-sparx5-do-not-use-psci-on-refere.patch | 74 + ...pq8096-fix-fixed-regulator-name-prop.patch | 49 + ...m-msm8916-correct-camss-unit-address.patch | 39 + ...om-msm8994-correct-spmi-unit-address.patch | 39 + ...m-msm8996-correct-camss-unit-address.patch | 39 + ...s-ulcb-kf-remove-flow-control-for-sc.patch | 46 + ...k3-j7200-fix-physical-address-of-pin.patch | 83 + .../arm64-mm-fix-va-range-sanity-check.patch | 106 + ...ption_irq_entry-with-__irq_entry-as-.patch | 166 ++ ...ot-set-rate-constraints-for-unsuppor.patch | 91 + ...ement-max-value-for-alc-capture-targ.patch | 91 + ...i-disable-bit-clock-with-transmitter.patch | 43 + 
...check-return-value-of-devm_kasprintf.patch | 66 + ...c-mediatek-mt8173-fix-irq-error-path.patch | 53 + ..._soc_component_initialize-error-path.patch | 42 + ...se-flexible-array-in-ioctl-structure.patch | 80 + ...make-the-failure-behavior-consistent.patch | 43 + ...e-fixup-btree_cache_wait-list-damage.patch | 120 + ...null-point-check-in-node-allocations.patch | 92 + ...pin_lock_irqsave-in-adjust_inuse_and.patch | 150 ++ ...w-checks-for-amiga-partition-support.patch | 202 ++ ...tions-to-__be32-in-affs_hardblocks.h.patch | 142 ++ ...-overflow-in-amiga-partition-support.patch | 68 + ...ignedness-issue-for-amiga-partitions.patch | 39 + ...address-kcsan-report-on-bpf_lru_list.patch | 177 ++ ...a-lock_sock-for-tcp_zerocopy_receive.patch | 788 ++++++ ...t-riscv-jit-to-provide-bpf_line_info.patch | 75 + ...ted-misreported-as-negative-value-on.patch | 150 ++ ...k-warning-when-enabling-stp-in-netns.patch | 71 + ...23-dup-to-btrfs_reduce_alloc_profile.patch | 140 ++ ...ash-to-fast-checksum-implementations.patch | 59 + ...a-root-from-the-dirty-cow-roots-list.patch | 84 + ...ion-with-qgroups-enabled-after-abort.patch | 89 + ...x-dispc-quirk-masking-bool-variables.patch | 49 + .../can-bcm-fix-uaf-in-bcm_proc_show.patch | 92 + ...dmsg-fix-return-error-fix-on-tx-path.patch | 44 + ...ip-sending-responses-for-revoke-msgs.patch | 47 + ...e925-check-return-value-of-kasprintf.patch | 63 + ...mn-fix-memory-leak-in-imx8mn_clocks_.patch | 58 + ...mp-improve-error-handling-in-imx8mp_.patch | 85 + ...-clk-check-return-value-of-kasprintf.patch | 40 + ...pq6018-use-floor-ops-for-sdcc-clocks.patch | 37 + ...k-qcom-ipq6018-fix-networking-resets.patch | 72 + ...-allow-specifying-custom-reset-delay.patch | 67 + ...eset-support-resetting-multiple-bits.patch | 72 + ...ysfs-properties-to-allow-checking-re.patch | 148 ++ ...llow-different-output-vdd_sel-values.patch | 362 +++ ...heck-return-value-of-devm_-kasprintf.patch | 51 + ...-free-unused-memory-on-probe-failure.patch | 86 + 
...n-error-if-one-synth-clock-registrat.patch | 72 + ...gra124-emc-fix-potential-memory-leak.patch | 45 + ...ctrl-check-return-value-of-kasprintf.patch | 52 + ...5-check-memory-returned-by-kasprintf.patch | 108 + ...ers-cadence-ttc-fix-memory-leak-in-t.patch | 81 + ...ss-of-connection-info-when-a-module-.patch | 69 + ...tate-fix-energy_performance_preferen.patch | 42 + ...rvell-cesa-fix-type-mismatch-warning.patch | 49 + ...ild-warnings-when-debug_fs-is-not-en.patch | 88 + ...x-dax_mapping_release-use-after-free.patch | 79 + tmp-5.10/dax-introduce-alloc_dev_dax_id.patch | 195 ++ ...heck-debug_objects_enabled-before-re.patch | 74 + ...devlink_port_type_warn-source-device.patch | 77 + ...secure-pwrc-always-enable-dma-domain.patch | 42 + ...isplay-correct-dmub_fw_version-macro.patch | 37 + ...explicitly-specify-update-type-per-p.patch | 49 + .../drm-amdgpu-validate-vm-ioctl-flags.patch | 33 + ...otential-deallocation-of-previously-.patch | 58 + ...-vblank-enabled-self-refresh-disable.patch | 83 + ...se-after-free-in-nonblocking-commits.patch | 91 + ...768-add-atomic_get_input_bus_fmts-im.patch | 98 + ...tc358768-always-enable-hs-video-mode.patch | 49 + ...58768-fix-pll-parameters-computation.patch | 49 + ...ge-tc358768-fix-pll-target-frequency.patch | 74 + ...358768-fix-tclk_trailcnt-computation.patch | 92 + ...c358768-fix-tclk_zerocnt-computation.patch | 54 + ...c358768-fix-ths_trailcnt-computation.patch | 60 + ...tc358768-fix-ths_zerocnt-computation.patch | 54 + ...e-tc358768-fix-txtagocnt-computation.patch | 44 + ...ory-leak-in-drm_client_modeset_probe.patch | 46 + ...ory-leak-in-drm_client_target_cloned.patch | 68 + ...e-resources-after-unregistering-them.patch | 46 + ...ot-enable-color-management-if-dspps-.patch | 54 + ...arp-ls043t1le01-adjust-mode-settings.patch | 60 + ...-add-connector_type-for-innolux_at04.patch | 39 + ...-add-powertip-ph800480t013-drm_displ.patch | 38 + ...-fix-active-size-for-ampire-am-48027.patch | 51 + 
...fix-possible-division-by-zero-errors.patch | 94 + ...leave-vblank-enabled-in-self-refresh.patch | 94 + ...se-devm_clk_get_enabled-in-sun4i_tco.patch | 116 + ...fix-function-names-in-vram-helper-do.patch | 56 + ...nite-loop-in-z_erofs_do_read_page-wh.patch | 54 + ...ompact-4b-support-for-16k-block-size.patch | 66 + ...ete-description-of-evm_inode_setattr.patch | 39 + ...t-when-handling-xattrs-in-inode-body.patch | 54 + ...ffer-heads-from-last-failed-mounting.patch | 121 + ...alue-of-freeze_bdev-in-ext4_shutdown.patch | 43 + ...x-wrong-unit-use-in-ext4_mb_clear_bb.patch | 35 + ...wrong-unit-use-in-ext4_mb_new_blocks.patch | 34 + ...4_free_blocks-for-fast-commit-replay.patch | 52 + ...locks-on-successful-block-allocation.patch | 92 + ...move-ext4-locking-of-moved-directory.patch | 59 + ...l-doc-of-property-capability-fields-.patch | 46 + ...l-doc-of-property-fields-to-avoid-wa.patch | 45 + ...rror-path-handling-in-truncate_dnode.patch | 39 + ...ointer-dereference-f2fs_write_end_io.patch | 161 ++ ...b-marks-on-kernel-internal-pseudo-fs.patch | 74 + ...ix-missing-irq-check-in-au1200fb_drv.patch | 40 + ...-use-after-free-bug-in-imsttfb_probe.patch | 75 + ...warn-about-invalid-left-right-margin.patch | 43 + ..._mipid-fix-an-error-handling-path-in.patch | 44 + ...ource-leak-in-svc_create_memory_pool.patch | 39 + ...-when-generating-legacy-mount-string.patch | 43 + ...eturn-positive-pid-value-for-f_getlk.patch | 36 + ...king-order-for-unrelated-directories.patch | 104 + tmp-5.10/fs-lock-moved-directories.patch | 126 + tmp-5.10/fs-no-need-to-check-source.patch | 45 + ...pe-reveal-missing-function-protoypes.patch | 56 + ...ll-pages-used-in-ftrace_process_locs.patch | 131 + ...er-of-pages-allocated-in-ftrace_page.patch | 136 + ...date-don-t-invalidate-if-interrupted.patch | 34 + ...se-after-free-in-__gtp_encap_destroy.patch | 190 ++ ...default-duplex-configuration-to-full.patch | 43 + ...idpp_quirk_delayed_init-for-the-t651.patch | 34 + 
...han-int-when-dealing-with-timestamps.patch | 70 + ...m1275-allow-setting-sample-averaging.patch | 94 + ...enable-adm1272-temperature-reporting.patch | 65 + ...wmon-fix-fan-pwm-temperature-scaling.patch | 48 + ...275-fix-problems-with-temperature-mo.patch | 128 + ...-the-timeout-for-init-and-self-check.patch | 45 + ...ock-enabled-while-hwrng-is-registere.patch | 96 + .../hwrng-virtio-add-an-internal-buffer.patch | 127 + ...-virtio-always-add-a-pending-request.patch | 111 + .../hwrng-virtio-don-t-wait-on-cleanup.patch | 58 + .../hwrng-virtio-don-t-waste-entropy.patch | 130 + ...x-race-on-data_avail-and-actual-data.patch | 86 + ...missing-unwind-goto-in-qup_i2c_probe.patch | 75 + ...iic_wakeup-and-__xiic_start_xfer-in-.patch | 112 + ...ry-to-handle-more-interrupt-events-a.patch | 60 + ...bounds-when-setting-channels-on-remo.patch | 160 ++ ...vf-fix-use-after-free-in-free_netdev.patch | 215 ++ ...dma.h-tx-num_descs-off-by-one-errors.patch | 111 + ...g-mmu_node-used-for-user-sdma-packet.patch | 765 ++++++ ...i1-use-bitmap_zalloc-when-applicable.patch | 60 + ...tr-deref-of-ip6_null_entry-rt6i_idev.patch | 145 ++ ...ix-igb_down-hung-on-surprise-removal.patch | 89 + ...le-and-fix-rx-hash-usage-by-netstack.patch | 149 ++ ...erting-of-empty-frame-for-launchtime.patch | 128 + ...fix-launchtime-before-start-of-cycle.patch | 46 + ...gc-fix-race-condition-in-ptp-tx-code.patch | 237 ++ ...e-delay-during-tx-ring-configuration.patch | 46 + ...n-supported-and-advertising-fields-o.patch | 39 + tmp-5.10/ima-fix-build-warnings.patch | 61 + ...-not-hardcode-interrupt-trigger-type.patch | 39 + ...drv260x-sleep-between-polling-go-bit.patch | 39 + ...le-allocation-in-integrity_inode_get.patch | 62 + ...d-reschedule-point-to-handle_tw_list.patch | 38 + ...re-iopoll-locks-around-deferred-work.patch | 82 + ...uring-use-io_schedule-in-cqring-wait.patch | 78 + ...ibly-for-request-completions-on-exit.patch | 73 + ...ove-warn_on-to-prevent-panic_on_warn.patch | 42 + 
...x-a-potential-refcount-underflow-for.patch | 53 + ...ix-return-value-of-ipvlan_queue_xmit.patch | 66 + ...c-fix-missing-allocation-of-irq-desc.patch | 53 + ...c-kill-use-of-irq_create_strict_mapp.patch | 41 + ...usage-in-jffs2_build_xattr_subsystem.patch | 128 + ...lidate-db_l2nbperpage-while-mounting.patch | 66 + ...ct-64-bits-atomic-builtins-from-32-b.patch | 71 + ...ng-kernfs_idr_lock-to-remove-an-id-f.patch | 39 + ...a-memory-leak-in-crash_shrink_memory.patch | 93 + ...icate-key-to-a-keyring-s-assoc_array.patch | 177 ++ ..._s390_get_cmma_bits-for-gfns-in-mems.patch | 74 + ...0-vsie-fix-the-length-of-apcb-bitmap.patch | 52 + ...netdev_led_mode_linkup-on-dev-rename.patch | 39 + ...initial-match-offset-for-every-block.patch | 59 + ...tof-and-container_of-to-work-with-co.patch | 62 + ...on-t-drop-packet-from-non-root-netns.patch | 50 + ...r-fill-non-message-tx-data-fields-wi.patch | 75 + ...uption-for-raid456-when-reshape-rest.patch | 60 + ...card-support-for-the-original-layout.patch | 203 ++ ...slab-out-of-bounds-in-md_bitmap_get_.patch | 65 + ...-loss-while-replacement-replace-rdev.patch | 79 + ...ll-ptr-deref-of-mreplace-in-raid10_s.patch | 81 + ...0-fix-overflow-of-md-safe_mode_delay.patch | 51 + ...rong-setting-of-max_corr_read_errors.patch | 38 + ...event-soft-lockup-while-flush-writes.patch | 79 + ...riable-dereferenced-before-check-asd.patch | 63 + ...in_platform-fix-out_len-in-gmin_get_.patch | 42 + ...ia-cec-i2c-ch7322-also-select-regmap.patch | 69 + ...a-usb-check-az6007_read-return-value.patch | 38 + ...fix-warning-due-to-null-work_func_t-.patch | 83 + ...elpers-fix-align-of-non-power-of-two.patch | 51 + ...h-fix-struct-v4l2_input-tuner-index-.patch | 62 + ...pfe-fix-testing-array-offset-after-u.patch | 50 + ...ke-memstick_debug_get_tpc_name-stati.patch | 49 + ...saradc-fix-clock-divider-mask-length.patch | 37 + ...dd-missing-check-for-platform_get_re.patch | 38 + ...t5033-drop-rt5033-battery-sub-device.patch | 41 + 
...fx-fix-error-path-in-stmfx_chip_init.patch | 38 + ...x-nullify-stmfx-vdd-in-case-of-error.patch | 41 + ...isable-the-regulators-if-they-are-en.patch | 45 + ...oongson-fix-cpu_probe_loongson-again.patch | 85 + ...rpc-scalar-with-correct-buffer-count.patch | 37 + ...free-irqs-before-removing-the-device.patch | 50 + ...st-re-init-completion-for-every-test.patch | 44 + ...ge_vaddr-to-p4d_pgtable-and-make-it-.patch | 240 ++ ...ge_vaddr-to-pud_pgtable-and-make-it-.patch | 425 ++++ ...isable-trim-on-kingston-emmc04g-m627.patch | 46 + ...sable-trim-on-micron-mtfc4gacajcn-1m.patch | 44 + ...c-mmci-set-probe_prefer_asynchronous.patch | 33 + ...ty-issue-when-64bit-dma-mode-is-used.patch | 58 + ...-off-by-one-in-is_executable_section.patch | 36 + ...ion-mismatch-message-for-r_arm_-pc24.patch | 106 + ...ion-mismatch-message-for-r_arm_abs32.patch | 133 + ...n-fix-unaligned-dma-buffers-handling.patch | 44 + ...mum-limit-of-allocated-index-in-nbd_.patch | 41 + ...ve-reset-before-64-bit-dma-detection.patch | 60 + ...io-unregistration-has-clocks-enabled.patch | 39 + ...ne-turning-irqs-off-to-avoid-soc-han.patch | 55 + ...ports-without-iff_unicast_flt-in-br_.patch | 198 ++ ...e-netdev-dev_addr-assignment-helpers.patch | 82 + ...105-fix-mac-da-patching-from-meta-fr.patch | 46 + ...et-dsa-vsc73xx-fix-mtu-configuration.patch | 54 + ...out-of-bounds-in-exponential-backoff.patch | 81 + ...cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch | 78 + ...t-introduce-net.ipv4.tcp_migrate_req.patch | 99 + ...use-kfree_sensitive-instead-of-kfree.patch | 38 + ...ipv6-check-return-value-of-pskb_trim.patch | 39 + ...an743x-don-t-sleep-in-atomic-context.patch | 72 + ...for-not_ready-flag-state-after-locki.patch | 133 + ...uble-free-in-mlx5e_destroy_flow_tabl.patch | 38 + ...-fix-txq_map-in-case-of-txq_number-1.patch | 48 + ...after-free-caused-by-nfc_llcp_find_l.patch | 558 +++++ ...stale-pointer-dereference-in-phy_ini.patch | 74 + ...corruption-on-frag-list-segmentation.patch | 102 + 
...dit-add-size-check-for-tca_pedit_par.patch | 57 + ...-fix-improper-refcount-update-leads-.patch | 62 + ...-ensure-both-minimum-and-maximum-por.patch | 82 + ...sched-make-psched_mtu-rtnl-less-safe.patch | 49 + ...q-account-for-stab-overhead-in-qfq_e.patch | 96 + ...q-refactor-parsing-of-netlink-parame.patch | 87 + ...reintroduce-lmax-bound-check-for-mtu.patch | 47 + ...t-stmmac-fix-double-serdes-powerdown.patch | 50 + ...initialized-data-in-nsim_dev_trap_fa.patch | 55 + ...id-nf_ct_helper_hash-uses-after-free.patch | 51 + ...ack-dccp-copy-entire-header-to-stack.patch | 149 ++ ...ntrack_sip-fix-the-ct_sip_parse_nume.patch | 53 + ...e_error-to-deal-with-bound-set-chain.patch | 170 ++ ...g-points-during-loop-detection-walks.patch | 50 + ...les-can-t-schedule-in-nft_chain_vali.patch | 64 + ...-genmask-when-looking-up-chain-by-id.patch | 120 + ...nt-references-from-preparation-phase.patch | 376 +++ ...-fix-chain-binding-transaction-logic.patch | 432 ++++ ...es-fix-scheduling-while-atomic-splat.patch | 39 + ...les-fix-spurious-set-element-inserti.patch | 49 + ...r-path-handling-with-nft_msg_newrule.patch | 73 + ...ent-oob-access-in-nft_byteorder_eval.patch | 211 ++ ...nd-anonymous-set-before-commit-phase.patch | 139 ++ ...nbound-chain-set-before-commit-phase.patch | 54 + ...les-skip-bound-chain-in-netns-releas.patch | 37 + ...ables-skip-bound-chain-on-rule-flush.patch | 43 + ...ymous-set-if-rule-construction-fails.patch | 33 + ...t_generic-infra-for-transaction-data.patch | 1443 +++++++++++ ...t_pipapo-fix-improper-element-remova.patch | 63 + ...ta-activation-deactivation-functions.patch | 92 + ...__sock_i_ino-for-__netlink_diag_dump.patch | 152 ++ ...ard-code-device-address-lenth-in-fdb.patch | 157 ++ ...otential-deadlock-in-netlink_set_err.patch | 117 + ...eral-pointers-to-u8-char-and-sk_buff.patch | 465 ++++ ...sible-use-of-uninitialized-variable-.patch | 41 + ...mplify-llcp_sock_connect-error-paths.patch | 51 + ...-op_recall-flag-for-write-delegation.patch | 32 + 
...he-session-table-upon-receiving-nfs4.patch | 41 + ...r-handling-in-amd_ntb_pci_driver_ini.patch | 64 + ...rror-handling-in-idt_pci_driver_init.patch | 66 + ...ror-handling-in-intel_ntb_pci_driver.patch | 65 + ...-ntb_tool-add-check-for-devm_kcalloc.patch | 39 + ...t-fix-possible-memory-leak-while-dev.patch | 42 + ...t-proc_create_single_data-conversion.patch | 117 + ...-direction-of-unmapping-integrity-da.patch | 41 + ...-mapping-for-nix-block-from-cgx-conn.patch | 74 + ...nt-allocate-bpids-for-lbk-interfaces.patch | 43 + ...entry-revalidate-flags-after-copy-up.patch | 163 ++ ...dma-alias-quirk-for-marvell-88se9235.patch | 36 + ...clear_master-stub-for-non-config_pci.patch | 39 + ...-aspm-on-mfd-function-removal-to-avo.patch | 94 + ...nce-fix-gen2-link-retraining-process.patch | 88 + ...ftpci100-release-the-clock-resources.patch | 75 + ...l-bringup-sequence-if-card-is-not-pr.patch | 74 + ...elopos-e2-s2-h2-pcie-ports-in-d3cold.patch | 46 + ...to-read-only-registers-for-ip-v2.3.3.patch | 34 + ...ut-to-wait-for-phy-plls-to-be-locked.patch | 81 + ...configuration-enable-bit-after-probe.patch | 40 + ...ration-for-rk3399-pcie-endpoint-core.patch | 113 + ...-address-alignment-for-endpoint-mode.patch | 35 + ...-variable-to-access-32-bit-registers.patch | 76 + ...te-pci-device-id-to-correct-register.patch | 60 + tmp-5.10/perf-arm-cmn-fix-dtc-reset.patch | 58 + ...issing-setlocale-call-to-allow-usage.patch | 79 + ...nbuffered-output-when-pipe-tee-ing-t.patch | 101 + ...ux-fix-off-by-one-in-die_get_varname.patch | 45 + ...bs-fix-interface-via-core-pmu-events.patch | 164 ++ ...duced-by-switch-to-die_get_decl_file.patch | 115 + ...allocation-of-evsel-priv-related-to-.patch | 100 + ...up-struct-evsel_script-method-prefix.patch | 93 + ...b-check-return-value-of-devm_kzalloc.patch | 40 + ...-the-driver-reference-in-usb-phy-dev.patch | 40 + ...ect-internal-gpio0-debounce-handling.patch | 77 + ...in-handling-clearing-pins-at-startup.patch | 39 + 
...special-debounce-behavior-for-gpio-0.patch | 40 + ...amd_pinconf_set-for-all-config-optio.patch | 108 + ...4-check-return-value-of-devm_kasprin.patch | 41 + ...handle-gpiochip_add_pin_range-errors.patch | 41 + ...ew-return-correct-value-if-pin-in-pu.patch | 57 + ...-break-possible-infinite-loop-when-p.patch | 84 + .../platform-x86-wmi-move-variables.patch | 80 + ...-x86-wmi-remove-unnecessary-argument.patch | 75 + ...rm-x86-wmi-use-guid_t-and-guid_equal.patch | 177 ++ ...nteger-overflow-issues-in-genpd_pars.patch | 48 + ...ure-timer-id-search-loop-limit-is-va.patch | 115 + ...prevent-rt-livelock-in-itimer_delete.patch | 110 + ...-rapl-fix-config_iosf_mbi-dependency.patch | 73 + ...c_early_debug_cpm-only-when-serial_c.patch | 46 + ...-mm-fix-directmap-stats-in-proc-memi.patch | 158 ++ ...ing-recordmcount-with-binutils-v2.37.patch | 49 + ...ix-the-condition-when-checking-if-al.patch | 40 + ...sriov-perform-null-check-on-iov-befo.patch | 53 + tmp-5.10/pptp-fix-fib-lookup-calls.patch | 116 + .../pstore-ram-add-check-for-kstrdup.patch | 37 + ...ce-real_period-to-be-zero-in-suspend.patch | 48 + ...-apply-state-to-already-disabled-pwm.patch | 90 + ...eon-avoid-double-free-in-ci_dpm_init.patch | 110 + ...e-rcu_scale_-after-kfree_scale_clean.patch | 245 ++ ...p-kfree_scale_thread-thread-s-after-.patch | 81 + ...s-mark-trc_reader_nesting-data-races.patch | 80 + ..._reader_special.b.need_qs-data-races.patch | 62 + ...read_check_handler-atomic-operations.patch | 92 + .../rcuscale-always-log-error-message.patch | 71 + ...-output-claims-too-few-grace-periods.patch | 69 + ...utdown-from-wait_event-to-wait_event.patch | 57 + ...id-calling-wake_up-threads-from-spin.patch | 99 + ...able-kill-tasklet-only-if-it-is-enab.patch | 150 ++ ..._re-fix-to-remove-an-unnecessary-log.patch | 44 + ...-to-remove-unnecessary-return-labels.patch | 66 + ...ove-a-redundant-check-inside-bnxt_re.patch | 54 + ...-unique-names-while-registering-inte.patch | 157 ++ 
...xt_re-wraparound-mbox-producer-index.patch | 55 + ...happens-before-issuing-more-requests.patch | 126 + ...an-the-hardware-related-code-for-hem.patch | 293 +++ .../rdma-hns-fix-coding-style-issues.patch | 453 ++++ ...-fix-hns_roce_table_get-return-value.patch | 45 + ...rdma-hns-use-refcount_t-apis-for-hem.patch | 128 + ...bs_ex_cmd_mask-values-that-are-linke.patch | 207 ++ ...-register-length-in-smbus-i-o-limits.patch | 54 + ...ion-of-maximum-transfer-length-fixes.patch | 64 + ...ix-more-error-checking-for-debugfs_c.patch | 40 + ...r-core-streamline-debugfs-operations.patch | 100 + ...ort-for-asix-devices-with-a-fifo-bug.patch | 139 ++ ...l-corruption-when-moving-a-directory.patch | 66 + ...-the-lookup-process-failing-to-get-s.patch | 113 + ...d-resource-leak-in-mtk_thermal_probe.patch | 61 + ...n-usb-conn-gpio-set-last-role-to-unk.patch | 98 + ...deadloop-issue-on-reading-trace_pipe.patch | 128 + tmp-5.10/riscv-bpf-avoid-breaking-w-x.patch | 45 + ...ix-inconsistent-jit-image-generation.patch | 137 + ...pf_jit_alloc_exec-and-bpf_jit_free_e.patch | 69 + ...se-some-resources-in-st_rtc_probe-in.patch | 40 + ...-rtext_filter_skip_stats-to-ifla_vf_.patch | 167 ++ ...or-fix-misaligned-symbol-build-error.patch | 53 + tmp-5.10/s390-qeth-fix-vipa-deletion.patch | 42 + ...f-fix-buffer-overflow-in-tcp_basertt.patch | 36 + ...ment-registers-in-sample-trampolines.patch | 68 + ...-balance-task-to-its-current-running.patch | 96 + ...resolve-gtags-empty-index-generation.patch | 65 + ...-error-handling-for-initialization-f.patch | 47 + ...x-null-dereference-in-error-handling.patch | 47 + ...2xxx-array-index-may-go-out-of-bound.patch | 36 + ...id-rport-returned-by-fc_bsg_to_rport.patch | 37 + ...i-qla2xxx-correct-the-index-of-array.patch | 51 + .../scsi-qla2xxx-fix-buffer-overrun.patch | 38 + ...x-fix-error-code-in-qla2x00_start_sp.patch | 38 + ...x-potential-null-pointer-dereference.patch | 35 + ...-qla2xxx-pointer-may-be-dereferenced.patch | 36 + 
...move-unused-nvme_ls_waitq-wait-queue.patch | 91 + ...ait-for-io-return-on-terminate-rport.patch | 71 + ...bpf_bypass_getsockopt-proto-callback.patch | 93 + ...al-deadlock-on-net-sctp.addr_wq_lock.patch | 57 + ...keys-modify-mismatched-function-name.patch | 40 + ...d-verifier-test-for-ptr_to_mem-spill.patch | 109 + ...ink-remove-netdevsim-device-after-ip.patch | 40 + ...lftests-tc-add-ct-action-kconfig-dep.patch | 43 + ...lftests-tc-set-timeout-to-15-minutes.patch | 43 + ...ock-port-for-stop_rx-in-omap8250_irq.patch | 39 + ...-port-for-uart_ier-access-in-omap825.patch | 57 + ...-fix-freeing-of-resources-on-failed-.patch | 42 + ...-use-force_suspend-and-resume-for-sy.patch | 78 + ...-atmel-don-t-enable-irqs-prematurely.patch | 45 + tmp-5.10/series | 512 ++++ ...en-reading-stats-while-nic-is-resett.patch | 70 + ...a-fix-dma-channel-offset-calculation.patch | 103 + ...p-to-translate-device-tree-address-i.patch | 44 + ...inter-from-integer-of-different-size.patch | 49 + ...-kill_sb-method-of-ramfs-based-tmpfs.patch | 60 + .../soc-fsl-qe-fix-usb.c-build-errors.patch | 60 + ...urn-error-if-neither-hif_mspi-nor-ms.patch | 58 + .../spi-bcm63xx-fix-max-prepend-length.patch | 47 + ...m-correct-cs_toggle-bit-in-spi_trans.patch | 44 + ...fix-uaf-in-svc_tcp_listen_data_ready.patch | 138 ++ ...data-races-around-fastopenq.max_qlen.patch | 77 + ...a-races-around-icsk-icsk_syn_retries.patch | 69 + ...a-races-around-icsk-icsk_user_timeou.patch | 54 + ...-data-races-around-rskq_defer_accept.patch | 53 + ...a-races-around-tcp_rsk-req-ts_recent.patch | 184 ++ ...data-races-around-tp-keepalive_intvl.patch | 68 + ...ata-races-around-tp-keepalive_probes.patch | 69 + ...-data-races-around-tp-keepalive_time.patch | 58 + ...nnotate-data-races-around-tp-linger2.patch | 52 + ...e-data-races-around-tp-notsent_lowat.patch | 64 + ...te-data-races-around-tp-tcp_tx_delay.patch | 46 + ...data-races-in-__tcp_oow_rate_limited.patch | 55 + ...es-around-sysctl_tcp_syn-ack-_retrie.patch | 86 + 
...turn-enomem-instead-of-enospc-on-fai.patch | 111 + ...sun8i-fix-some-error-handling-paths-.patch | 144 ++ ...-claim-locality-in-interrupt-handler.patch | 39 + ...race-condition-in-dev-vtpmx-creation.patch | 80 + ...of-iter-temp-when-reading-trace_pipe.patch | 54 + ...-dereference-in-tracing_err_log_open.patch | 61 + ...rs-if-they-have-referenced-variables.patch | 127 + ...l-to-add-histogram-to-hist_vars-list.patch | 38 + ...-to-count-error-code-to-total-length.patch | 38 + ...d-missing-hrtimer-modes-to-decode_hr.patch | 47 + ...rt-add-earlycon-for-imx8ulp-platform.patch | 29 + ...c24xx_serial_getclk-in-case-of-error.patch | 40 + ...4xx_serial_getclk-when-iterating-clk.patch | 48 + tmp-5.10/udp6-fix-udp6_ehashfn-typo.patch | 40 + tmp-5.10/um-use-host_dir-for-mrproper.patch | 40 + ...onn-gpio-set-last-role-to-unknown-be.patch | 104 + ...ore-init-errors-to-udc-during-pullup.patch | 52 + ...12a-fix-an-error-handling-path-in-dw.patch | 51 + ...x-an-error-handling-path-in-dwc3_qco.patch | 38 + ...-dwc3-qcom-fix-potential-memory-leak.patch | 53 + ...lease-the-correct-resources-in-dwc3_.patch | 44 + ...ial-add-null-pointer-check-in-gseria.patch | 56 + ...usbfs_notify_suspend-resume-function.patch | 52 + ...o-fix-memory-leak-in-tahvo_usb_probe.patch | 43 + ...b-serial-option-add-lara-r6-01b-pids.patch | 65 + ...o-imsttfb-check-for-ioremap-failures.patch | 77 + tmp-5.10/w1-fix-loop-in-w1_fini.patch | 43 + ...rm-fix-locking-behavior-in-convert_t.patch | 91 + ...fine-dummy-watchdog_update_hrtimer_t.patch | 89 + ...re-properly-prevent-false-positives-.patch | 84 + ...uninitialized-warning-in-airo_get_ra.patch | 47 + ...registration-of-6ghz-only-phy-withou.patch | 71 + ...-referencing-uninit-memory-in-ath9k_.patch | 58 + ...onvert-msecs-to-jiffies-where-needed.patch | 51 + ...-allow-to-overwrite-endpoint0-attrib.patch | 54 + ...r9003-mac-hardware-hang-check-regist.patch | 95 + ...ossible-stall-on-ath9k_txq_list_has_.patch | 111 + ...n-error-handling-path-in-atmel_probe.patch 
| 59 + ...ewrite-merging-of-inherited-elements.patch | 290 +++ ...mvm-avoid-baid-size-integer-overflow.patch | 47 + ...ull-from-txqs-with-softirqs-disabled.patch | 47 + ...-the-size-of-a-memory-allocation-in-.patch | 48 + ...-an-error-handling-path-in-orinoco_c.patch | 58 + ...-an-error-handling-path-in-spectrum_.patch | 59 + ...-useless-status-variable-in-parse_ad.patch | 53 + ...-an-error-handling-path-in-ray_probe.patch | 69 + ...ray_cs-utilize-strnlen-in-parse_addr.patch | 67 + ...configure-wowlan-in-shutdown-hook-if.patch | 52 + ...ot-set-mmc_pm_keep_power-in-shutdown.patch | 41 + ...ix-wstringop-overflow-warning-in-ioc.patch | 71 + ...x-for-absent-rsn-capabilities-wfa-te.patch | 55 + ...ix-an-error-handling-path-in-wl3501_.patch | 66 + ...ets-when-setting-initial-private-key.patch | 118 + ...ing-use-saner-cpu-selection-wrapping.patch | 111 + ...sspelling-and-provide-missing-docume.patch | 64 + tmp-5.10/wl3501_cs-use-eth_hw_addr_set.patch | 40 + ...work_-constant-types-clarify-masking.patch | 140 ++ tmp-5.10/x86-cpu-amd-add-a-zenbleed-fix.patch | 161 ++ ...the-errata-checking-functionality-up.patch | 181 ++ ...de-amd-load-late-on-both-threads-too.patch | 30 + ...__swp_entry_to_pte-for-xen-pv-guests.patch | 47 + ...-show-tasks-pid-in-current-pid-names.patch | 55 + ...cated-cache-line-for-mwait_play_dead.patch | 91 + ...x-resume-issue-of-some-zhaoxin-hosts.patch | 38 + ...-trb-prefetch-issue-of-zhaoxin-hosts.patch | 71 + ...haoxin-xhci-root-hub-speed-correctly.patch | 127 + .../xsk-honor-so_bindtodevice-on-bind.patch | 101 + ...xtensa-iss-fix-call-to-split_if_spec.patch | 34 + ...l-up-loops-in-dsp-setup-code-for-aud.patch | 150 ++ ...a-realtek-add-quirk-for-clevo-ns70au.patch | 32 + ...ble-mute-led-on-hp-laptop-15s-eq2xxx.patch | 73 + ...realtek-remove-3k-pull-low-procedure.patch | 66 + ...x-resource-leaks-on-component-remove.patch | 157 ++ ...x-resource-leaks-on-component-remove.patch | 54 + ...cd938x-fix-codec-initialisation-race.patch | 54 + 
...fix-missing-clsh-ctrl-error-handling.patch | 37 + ...fix-missing-mbhc-init-error-handling.patch | 51 + ...x-resource-leaks-on-component-remove.patch | 151 ++ ...8x-fix-soundwire-initialisation-race.patch | 55 + ...i-disable-bit-clock-with-transmitter.patch | 43 + ...g-idx-logic-in-check_max_stack_depth.patch | 75 + ...k-warning-when-enabling-stp-in-netns.patch | 71 + ...ion-with-qgroups-enabled-after-abort.patch | 89 + ...inding-block-group-with-super-blocks.patch | 38 + .../can-bcm-fix-uaf-in-bcm_proc_show.patch | 92 + .../can-raw-fix-receiver-memory-leak.patch | 233 ++ ...mpc-split-by-default-on-special-asic.patch | 42 + ...-phy-active-for-dp-displays-on-dcn31.patch | 42 + ...ory-leak-in-drm_client_modeset_probe.patch | 46 + ...ory-leak-in-drm_client_target_cloned.patch | 68 + ...nteger-overflow-in-radeon_cs_parser_.patch | 38 + ..._hw_addr_set-instead-of-ether_addr_c.patch | 999 ++++++++ .../ethernet-use-of_get_ethdev_address.patch | 433 ++++ ...t-when-handling-xattrs-in-inode-body.patch | 54 + ...ix-missing-irq-check-in-au1200fb_drv.patch | 40 + ...warn-about-invalid-left-right-margin.patch | 43 + ...-read-only-mounted-filesystem-in-txb.patch | 36 + ...s-fix-null-ptr-deref-read-in-txbegin.patch | 40 + ...-array-index-out-of-bounds-in-dballo.patch | 83 + ...use-ioctl-translate-enosys-in-outarg.patch | 88 + ...date-don-t-invalidate-if-interrupted.patch | 34 + ...bounds-when-setting-channels-on-remo.patch | 160 ++ ...vf-fix-use-after-free-in-free_netdev.patch | 215 ++ ...t-garbled-tx-queue-with-xdp-zerocopy.patch | 73 + ...check-chechpointing-non-dirty-buffer.patch | 191 ++ ...icate-key-to-a-keyring-s-assoc_array.patch | 177 ++ ...on-t-drop-packet-from-non-root-netns.patch | 50 + ...c-prom-address-warray-bounds-warning.patch | 51 + ...et-mtk_eth_soc-handle-probe-deferral.patch | 86 + ...cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch | 78 + ...use-kfree_sensitive-instead-of-kfree.patch | 38 + ...ipv6-check-return-value-of-pskb_trim.patch | 39 + 
...stale-pointer-dereference-in-phy_ini.patch | 74 + ...f-undo-tcf_bind_filter-in-case-of-an.patch | 165 ++ ...les-fix-spurious-set-element-inserti.patch | 49 + ...les-skip-bound-chain-in-netns-releas.patch | 37 + ...ables-skip-bound-chain-on-rule-flush.patch | 43 + ...t_pipapo-fix-improper-element-remova.patch | 63 + ...nt-allocate-bpids-for-lbk-interfaces.patch | 43 + ...a-helper-for-loading-netdev-dev_addr.patch | 91 + ...ibrary-not-found-error-when-using-cs.patch | 94 + ...duced-by-switch-to-die_get_decl_file.patch | 115 + ...amd_pinconf_set-for-all-config-optio.patch | 108 + tmp-5.15/quota-fix-warning-in-dqgrab.patch | 100 + ...isable-quotas-when-add_dquot_ref-fai.patch | 40 + ...-register-length-in-smbus-i-o-limits.patch | 54 + ...ion-of-maximum-transfer-length-fixes.patch | 64 + ...-the-lookup-process-failing-to-get-s.patch | 113 + ...keys-modify-mismatched-function-name.patch | 40 + ...ests-tc-add-conntrack-procfs-kconfig.patch | 42 + ...lftests-tc-add-ct-action-kconfig-dep.patch | 43 + ...lftests-tc-set-timeout-to-15-minutes.patch | 43 + tmp-5.15/series | 80 + .../spi-bcm63xx-fix-max-prepend-length.patch | 47 + ...data-races-around-fastopenq.max_qlen.patch | 77 + ...a-races-around-icsk-icsk_syn_retries.patch | 69 + ...a-races-around-icsk-icsk_user_timeou.patch | 54 + ...-data-races-around-rskq_defer_accept.patch | 53 + ...a-races-around-tcp_rsk-req-ts_recent.patch | 184 ++ ...data-races-around-tp-keepalive_intvl.patch | 68 + ...ata-races-around-tp-keepalive_probes.patch | 69 + ...-data-races-around-tp-keepalive_time.patch | 58 + ...nnotate-data-races-around-tp-linger2.patch | 52 + ...e-data-races-around-tp-notsent_lowat.patch | 64 + ...te-data-races-around-tp-tcp_tx_delay.patch | 46 + ...l-to-add-histogram-to-hist_vars-list.patch | 38 + ...lized-array-access-for-some-pathname.patch | 36 + tmp-5.15/x86-cpu-amd-add-a-zenbleed-fix.patch | 161 ++ ...the-errata-checking-functionality-up.patch | 181 ++ ...odule_firmware-for-firmware_tg357766.patch | 37 + 
...ssible-null-dereference-in-snd_ac97_.patch | 42 + ...ck-fix-mutex-call-in-snd_jack_report.patch | 91 + ...l-and-__align-_str-outside-ifdef-__a.patch | 62 + ...es-avoid-missing-declaration-warning.patch | 103 + ...x-drop-clock-names-from-the-spi-node.patch | 42 + ...ve-model-property-out-of-pinctrl-nod.patch | 41 + ...p93xx-fix-missing-prototype-warnings.patch | 48 + ...rion5x-fix-d2net-gpio-initialization.patch | 55 + ...m-msm8916-correct-camss-unit-address.patch | 39 + ...s-ulcb-kf-remove-flow-control-for-sc.patch | 46 + .../arm64-mm-fix-va-range-sanity-check.patch | 106 + ...ot-set-rate-constraints-for-unsuppor.patch | 91 + ...ement-max-value-for-alc-capture-targ.patch | 91 + ...check-return-value-of-devm_kasprintf.patch | 66 + ...null-point-check-in-node-allocations.patch | 92 + ...nitial-chip-reset-to-support-bcm5358.patch | 85 + ...w-checks-for-amiga-partition-support.patch | 204 ++ ...tions-to-__be32-in-affs_hardblocks.h.patch | 142 ++ ...-overflow-in-amiga-partition-support.patch | 68 + ...ignedness-issue-for-amiga-partitions.patch | 39 + ...address-kcsan-report-on-bpf_lru_list.patch | 177 ++ ...a-root-from-the-dirty-cow-roots-list.patch | 84 + ...ion-with-qgroups-enabled-after-abort.patch | 89 + .../can-bcm-fix-uaf-in-bcm_proc_show.patch | 92 + ...ip-sending-responses-for-revoke-msgs.patch | 47 + ...e925-check-return-value-of-kasprintf.patch | 63 + ...-clk-check-return-value-of-kasprintf.patch | 40 + ...gra124-emc-fix-potential-memory-leak.patch | 45 + ...ers-cadence-ttc-fix-memory-leak-in-t.patch | 81 + ...ers-cadence-ttc-use-ttc-driver-as-pl.patch | 86 + ...xtack-support-for-src-and-dst-port-r.patch | 78 + ...rvell-cesa-fix-type-mismatch-warning.patch | 49 + ...ild-warnings-when-debug_fs-is-not-en.patch | 88 + ...kcipher-remove-crypto_has_ablkcipher.patch | 88 + ...unify-the-crypto_has_skcipher-functi.patch | 84 + ...heck-debug_objects_enabled-before-re.patch | 74 + ...devlink_port_type_warn-source-device.patch | 77 + 
.../drm-amdgpu-validate-vm-ioctl-flags.patch | 33 + ...otential-deallocation-of-previously-.patch | 58 + ...-vblank-enabled-self-refresh-disable.patch | 83 + ...se-after-free-in-nonblocking-commits.patch | 91 + ...ory-leak-in-drm_client_modeset_probe.patch | 46 + ...ory-leak-in-drm_client_target_cloned.patch | 68 + ...-error-return-from-wait_for_register.patch | 45 + ...el-add-and-fill-drm_panel-type-field.patch | 854 +++++++ ...lise-panel-dev-and-funcs-through-drm.patch | 724 ++++++ ...-add-connector_type-for-innolux_at04.patch | 39 + ...-fix-active-size-for-ampire-am-48027.patch | 51 + ...fix-possible-division-by-zero-errors.patch | 94 + ...leave-vblank-enabled-in-self-refresh.patch | 94 + ...se-devm_clk_get_enabled-in-sun4i_tco.patch | 116 + ...nite-loop-in-z_erofs_do_read_page-wh.patch | 54 + ...ompact-4b-support-for-16k-block-size.patch | 66 + ...ete-description-of-evm_inode_setattr.patch | 39 + ...t-when-handling-xattrs-in-inode-body.patch | 54 + ...alue-of-freeze_bdev-in-ext4_shutdown.patch | 43 + ...x-wrong-unit-use-in-ext4_mb_clear_bb.patch | 35 + ...locks-on-successful-block-allocation.patch | 92 + ...move-ext4-locking-of-moved-directory.patch | 59 + ...l-doc-of-property-capability-fields-.patch | 46 + ...l-doc-of-property-fields-to-avoid-wa.patch | 45 + ...rror-path-handling-in-truncate_dnode.patch | 39 + ...b-marks-on-kernel-internal-pseudo-fs.patch | 74 + ...ix-missing-irq-check-in-au1200fb_drv.patch | 40 + ...-use-after-free-bug-in-imsttfb_probe.patch | 75 + ...warn-about-invalid-left-right-margin.patch | 43 + ..._mipid-fix-an-error-handling-path-in.patch | 44 + ...ource-leak-in-svc_create_memory_pool.patch | 39 + ...-when-generating-legacy-mount-string.patch | 43 + ...eturn-positive-pid-value-for-f_getlk.patch | 36 + ...king-order-for-unrelated-directories.patch | 104 + tmp-5.4/fs-lock-moved-directories.patch | 126 + tmp-5.4/fs-no-need-to-check-source.patch | 45 + ...date-don-t-invalidate-if-interrupted.patch | 34 + 
tmp-5.4/gfs2-don-t-deref-jdesc-in-evict.patch | 63 + ...se-after-free-in-__gtp_encap_destroy.patch | 190 ++ ...han-int-when-dealing-with-timestamps.patch | 70 + ...-the-timeout-for-init-and-self-check.patch | 45 + ...g-st-fix-w-1-unused-variable-warning.patch | 43 + ...ock-enabled-while-hwrng-is-registere.patch | 96 + .../hwrng-virtio-add-an-internal-buffer.patch | 127 + ...-virtio-always-add-a-pending-request.patch | 111 + .../hwrng-virtio-don-t-wait-on-cleanup.patch | 58 + .../hwrng-virtio-don-t-waste-entropy.patch | 130 + ...x-race-on-data_avail-and-actual-data.patch | 86 + ...iic_wakeup-and-__xiic_start_xfer-in-.patch | 112 + ...ry-to-handle-more-interrupt-events-a.patch | 60 + ...vf-fix-use-after-free-in-free_netdev.patch | 215 ++ ...dma.h-tx-num_descs-off-by-one-errors.patch | 110 + ...tr-deref-of-ip6_null_entry-rt6i_idev.patch | 145 ++ ...ix-igb_down-hung-on-surprise-removal.patch | 89 + ...e-delay-during-tx-ring-configuration.patch | 46 + ...n-supported-and-advertising-fields-o.patch | 39 + tmp-5.4/ima-fix-build-warnings.patch | 61 + ...-not-hardcode-interrupt-trigger-type.patch | 39 + ...drv260x-sleep-between-polling-go-bit.patch | 39 + ...le-allocation-in-integrity_inode_get.patch | 62 + ...c-clean-irq-affinity-on-queue-deinit.patch | 38 + tmp-5.4/ionic-improve-irq-numa-locality.patch | 42 + ...nic-ionic_intr_free-parameter-change.patch | 68 + .../ionic-move-irq-request-to-qcq-alloc.patch | 140 ++ ...ove-warn_on-to-prevent-panic_on_warn.patch | 42 + ...x-a-potential-refcount-underflow-for.patch | 53 + ...ix-return-value-of-ipvlan_queue_xmit.patch | 66 + ...c-fix-missing-allocation-of-irq-desc.patch | 53 + ...c-kill-use-of-irq_create_strict_mapp.patch | 41 + ...usage-in-jffs2_build_xattr_subsystem.patch | 128 + ...lidate-db_l2nbperpage-while-mounting.patch | 66 + ...a-memory-leak-in-crash_shrink_memory.patch | 93 + ..._s390_get_cmma_bits-for-gfns-in-mems.patch | 74 + ...0-vsie-fix-the-length-of-apcb-bitmap.patch | 52 + 
...initial-match-offset-for-every-block.patch | 59 + ...on-t-drop-packet-from-non-root-netns.patch | 50 + ...r-fill-non-message-tx-data-fields-wi.patch | 75 + ...uption-for-raid456-when-reshape-rest.patch | 60 + ...card-support-for-the-original-layout.patch | 203 ++ ...slab-out-of-bounds-in-md_bitmap_get_.patch | 65 + ...-loss-while-replacement-replace-rdev.patch | 79 + ...ll-ptr-deref-of-mreplace-in-raid10_s.patch | 81 + ...0-fix-overflow-of-md-safe_mode_delay.patch | 51 + ...rong-setting-of-max_corr_read_errors.patch | 38 + ...event-soft-lockup-while-flush-writes.patch | 79 + ...a-usb-check-az6007_read-return-value.patch | 38 + ...fix-warning-due-to-null-work_func_t-.patch | 83 + ...h-fix-struct-v4l2_input-tuner-index-.patch | 62 + ...pfe-fix-testing-array-offset-after-u.patch | 50 + ...ke-memstick_debug_get_tpc_name-stati.patch | 49 + ...saradc-fix-clock-divider-mask-length.patch | 37 + ...dd-missing-check-for-platform_get_re.patch | 38 + ...t5033-drop-rt5033-battery-sub-device.patch | 41 + ...fx-fix-error-path-in-stmfx_chip_init.patch | 38 + ...isable-the-regulators-if-they-are-en.patch | 45 + ...rpc-scalar-with-correct-buffer-count.patch | 37 + ...free-irqs-before-removing-the-device.patch | 50 + ...st-re-init-completion-for-every-test.patch | 44 + ...isable-trim-on-kingston-emmc04g-m627.patch | 46 + ...sable-trim-on-micron-mtfc4gacajcn-1m.patch | 44 + ...ty-issue-when-64bit-dma-mode-is-used.patch | 58 + ...-off-by-one-in-is_executable_section.patch | 36 + ...ion-mismatch-message-for-r_arm_-pc24.patch | 106 + ...ion-mismatch-message-for-r_arm_abs32.patch | 133 + ...n-fix-unaligned-dma-buffers-handling.patch | 44 + ...mum-limit-of-allocated-index-in-nbd_.patch | 41 + ...io-unregistration-has-clocks-enabled.patch | 39 + ...ports-without-iff_unicast_flt-in-br_.patch | 198 ++ ...e-netdev-dev_addr-assignment-helpers.patch | 82 + ...105-fix-mac-da-patching-from-meta-fr.patch | 46 + ...cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch | 78 + 
...ipv6-check-return-value-of-pskb_trim.patch | 39 + ...an743x-don-t-sleep-in-atomic-context.patch | 72 + ...-fix-txq_map-in-case-of-txq_number-1.patch | 48 + ...after-free-caused-by-nfc_llcp_find_l.patch | 558 +++++ ...limit-of-tcp_linger2-with-tcp_fin_ti.patch | 73 + ...dit-add-size-check-for-tca_pedit_par.patch | 57 + ...-fix-improper-refcount-update-leads-.patch | 62 + ...-ensure-both-minimum-and-maximum-por.patch | 82 + ...sched-make-psched_mtu-rtnl-less-safe.patch | 49 + ...t-up-the-nfnetlink-header-and-use-it.patch | 707 ++++++ ...id-nf_ct_helper_hash-uses-after-free.patch | 51 + ...ack-dccp-copy-entire-header-to-stack.patch | 149 ++ ...ntrack_sip-fix-the-ct_sip_parse_nume.patch | 53 + ...e_error-to-deal-with-bound-set-chain.patch | 109 + ...g-points-during-loop-detection-walks.patch | 50 + ...les-can-t-schedule-in-nft_chain_vali.patch | 64 + ...f_tables-fix-nat-hook-table-deletion.patch | 104 + ...es-fix-scheduling-while-atomic-splat.patch | 39 + ...les-fix-spurious-set-element-inserti.patch | 49 + ...r-path-handling-with-nft_msg_newrule.patch | 73 + ...ent-oob-access-in-nft_byteorder_eval.patch | 211 ++ ...nd-anonymous-set-before-commit-phase.patch | 142 ++ ...ymous-set-if-rule-construction-fails.patch | 33 + ...t_generic-infra-for-transaction-data.patch | 1214 +++++++++ ...tion-to-set-the-base-sequence-number.patch | 117 + ...__sock_i_ino-for-__netlink_diag_dump.patch | 152 ++ ...ard-code-device-address-lenth-in-fdb.patch | 157 ++ ...otential-deadlock-in-netlink_set_err.patch | 117 + ...eral-pointers-to-u8-char-and-sk_buff.patch | 465 ++++ ...sible-use-of-uninitialized-variable-.patch | 41 + ...mplify-llcp_sock_connect-error-paths.patch | 51 + ...-op_recall-flag-for-write-delegation.patch | 32 + ...he-session-table-upon-receiving-nfs4.patch | 41 + ...r-handling-in-amd_ntb_pci_driver_ini.patch | 64 + ...rror-handling-in-idt_pci_driver_init.patch | 66 + ...ror-handling-in-intel_ntb_pci_driver.patch | 65 + ...-ntb_tool-add-check-for-devm_kcalloc.patch | 39 + 
...t-fix-possible-memory-leak-while-dev.patch | 42 + ...dma-alias-quirk-for-marvell-88se9235.patch | 36 + ...clear_master-stub-for-non-config_pci.patch | 39 + ...-aspm-on-mfd-function-removal-to-avo.patch | 94 + ...ftpci100-release-the-clock-resources.patch | 75 + ...l-bringup-sequence-if-card-is-not-pr.patch | 74 + ...elopos-e2-s2-h2-pcie-ports-in-d3cold.patch | 46 + ...to-read-only-registers-for-ip-v2.3.3.patch | 34 + ...ut-to-wait-for-phy-plls-to-be-locked.patch | 81 + ...configuration-enable-bit-after-probe.patch | 40 + ...ration-for-rk3399-pcie-endpoint-core.patch | 113 + ...-address-alignment-for-endpoint-mode.patch | 35 + ...-variable-to-access-32-bit-registers.patch | 76 + ...te-pci-device-id-to-correct-register.patch | 60 + ...ux-fix-off-by-one-in-die_get_varname.patch | 45 + ...duced-by-switch-to-die_get_decl_file.patch | 115 + ...ect-internal-gpio0-debounce-handling.patch | 77 + ...in-handling-clearing-pins-at-startup.patch | 39 + ...special-debounce-behavior-for-gpio-0.patch | 40 + ...amd_pinconf_set-for-all-config-optio.patch | 108 + ...4-check-return-value-of-devm_kasprin.patch | 41 + ...ew-return-correct-value-if-pin-in-pu.patch | 57 + ...-break-possible-infinite-loop-when-p.patch | 84 + ...86-wmi-fix-indentation-in-some-cases.patch | 48 + tmp-5.4/platform-x86-wmi-move-variables.patch | 80 + ...-x86-wmi-remove-unnecessary-argument.patch | 75 + ...-replace-uuid-redefinitions-by-their.patch | 100 + ...rm-x86-wmi-use-guid_t-and-guid_equal.patch | 177 ++ ...nteger-overflow-issues-in-genpd_pars.patch | 48 + ...ure-timer-id-search-loop-limit-is-va.patch | 115 + ...-rapl-fix-config_iosf_mbi-dependency.patch | 73 + ...c_early_debug_cpm-only-when-serial_c.patch | 46 + ...ing-recordmcount-with-binutils-v2.37.patch | 49 + ...ix-the-condition-when-checking-if-al.patch | 40 + .../pstore-ram-add-check-for-kstrdup.patch | 37 + ...ce-real_period-to-be-zero-in-suspend.patch | 48 + ...-apply-state-to-already-disabled-pwm.patch | 90 + 
...eon-avoid-double-free-in-ci_dpm_init.patch | 110 + ..._re-fix-to-remove-an-unnecessary-log.patch | 44 + ...ix-more-error-checking-for-debugfs_c.patch | 40 + ...r-core-streamline-debugfs-operations.patch | 100 + ...ort-for-asix-devices-with-a-fifo-bug.patch | 139 ++ ...l-corruption-when-moving-a-directory.patch | 66 + ...-the-lookup-process-failing-to-get-s.patch | 113 + ...deadloop-issue-on-reading-trace_pipe.patch | 128 + ...se-some-resources-in-st_rtc_probe-in.patch | 40 + ...-rtext_filter_skip_stats-to-ifla_vf_.patch | 167 ++ ...f-fix-buffer-overflow-in-tcp_basertt.patch | 36 + ...-balance-task-to-its-current-running.patch | 96 + ...resolve-gtags-empty-index-generation.patch | 65 + ...-error-handling-for-initialization-f.patch | 47 + ...x-null-dereference-in-error-handling.patch | 47 + ...id-rport-returned-by-fc_bsg_to_rport.patch | 37 + ...i-qla2xxx-correct-the-index-of-array.patch | 51 + ...x-fix-error-code-in-qla2x00_start_sp.patch | 38 + ...x-potential-null-pointer-dereference.patch | 35 + ...-qla2xxx-pointer-may-be-dereferenced.patch | 36 + ...move-unused-nvme_ls_waitq-wait-queue.patch | 91 + ...ait-for-io-return-on-terminate-rport.patch | 71 + ...al-deadlock-on-net-sctp.addr_wq_lock.patch | 57 + ...ink-remove-netdevsim-device-after-ip.patch | 40 + ...lftests-tc-set-timeout-to-15-minutes.patch | 49 + ...-use-force_suspend-and-resume-for-sy.patch | 78 + ...-atmel-don-t-enable-irqs-prematurely.patch | 45 + tmp-5.4/series | 316 +++ ...a-fix-dma-channel-offset-calculation.patch | 103 + ...p-to-translate-device-tree-address-i.patch | 44 + .../soc-fsl-qe-fix-usb.c-build-errors.patch | 60 + ...urn-error-if-neither-hif_mspi-nor-ms.patch | 58 + .../spi-bcm63xx-fix-max-prepend-length.patch | 47 + ...m-correct-cs_toggle-bit-in-spi_trans.patch | 44 + ...fix-uaf-in-svc_tcp_listen_data_ready.patch | 142 ++ ...data-races-around-fastopenq.max_qlen.patch | 77 + ...-data-races-around-rskq_defer_accept.patch | 53 + ...nnotate-data-races-around-tp-linger2.patch | 52 + 
...e-data-races-around-tp-notsent_lowat.patch | 64 + ...te-data-races-around-tp-tcp_tx_delay.patch | 46 + ...data-races-in-__tcp_oow_rate_limited.patch | 55 + ...race-condition-in-dev-vtpmx-creation.patch | 80 + ...-dereference-in-tracing_err_log_open.patch | 61 + ...rs-if-they-have-referenced-variables.patch | 127 + ...l-to-add-histogram-to-hist_vars-list.patch | 38 + ...-to-count-error-code-to-total-length.patch | 38 + ...d-missing-hrtimer-modes-to-decode_hr.patch | 47 + ...rt-add-earlycon-for-imx8ulp-platform.patch | 29 + ...c24xx_serial_getclk-in-case-of-error.patch | 40 + ...4xx_serial_getclk-when-iterating-clk.patch | 48 + tmp-5.4/udp6-fix-udp6_ehashfn-typo.patch | 40 + ...ore-init-errors-to-udc-during-pullup.patch | 52 + ...-dwc3-qcom-fix-potential-memory-leak.patch | 53 + ...lease-the-correct-resources-in-dwc3_.patch | 44 + ...usbfs_notify_suspend-resume-function.patch | 52 + ...o-fix-memory-leak-in-tahvo_usb_probe.patch | 43 + ...b-serial-option-add-lara-r6-01b-pids.patch | 65 + ...o-imsttfb-check-for-ioremap-failures.patch | 78 + tmp-5.4/w1-fix-loop-in-w1_fini.patch | 43 + ...fine-dummy-watchdog_update_hrtimer_t.patch | 89 + ...re-properly-prevent-false-positives-.patch | 84 + ...uninitialized-warning-in-airo_get_ra.patch | 47 + ...-referencing-uninit-memory-in-ath9k_.patch | 58 + ...onvert-msecs-to-jiffies-where-needed.patch | 51 + ...-allow-to-overwrite-endpoint0-attrib.patch | 54 + ...r9003-mac-hardware-hang-check-regist.patch | 95 + ...ossible-stall-on-ath9k_txq_list_has_.patch | 111 + ...n-error-handling-path-in-atmel_probe.patch | 59 + ...ewrite-merging-of-inherited-elements.patch | 290 +++ ...mvm-avoid-baid-size-integer-overflow.patch | 47 + ...ull-from-txqs-with-softirqs-disabled.patch | 47 + ...-the-size-of-a-memory-allocation-in-.patch | 48 + ...-an-error-handling-path-in-orinoco_c.patch | 58 + ...-an-error-handling-path-in-spectrum_.patch | 59 + ...-useless-status-variable-in-parse_ad.patch | 53 + ...-an-error-handling-path-in-ray_probe.patch | 
69 + ...ray_cs-utilize-strnlen-in-parse_addr.patch | 67 + ...ot-set-mmc_pm_keep_power-in-shutdown.patch | 41 + ...ix-wstringop-overflow-warning-in-ioc.patch | 71 + ...ix-an-error-handling-path-in-wl3501_.patch | 66 + ...bunch-of-formatting-issues-related-t.patch | 143 ++ ...sspelling-and-provide-missing-docume.patch | 64 + ...501_cs-remove-unnecessary-null-check.patch | 41 + tmp-5.4/wl3501_cs-use-eth_hw_addr_set.patch | 40 + ...work_-constant-types-clarify-masking.patch | 140 ++ tmp-5.4/x86-cpu-amd-add-a-zenbleed-fix.patch | 161 ++ ...the-errata-checking-functionality-up.patch | 181 ++ ...de-amd-load-late-on-both-threads-too.patch | 30 + ...-show-tasks-pid-in-current-pid-names.patch | 55 + ...l-use-is_closid_match-in-more-places.patch | 93 + ...cated-cache-line-for-mwait_play_dead.patch | 91 + .../xsk-honor-so_bindtodevice-on-bind.patch | 101 + ...xsk-improve-documentation-for-af_xdp.patch | 423 ++++ ...xtensa-iss-fix-call-to-split_if_spec.patch | 34 + ...acklight-native-dmi-quirk-for-dell-s.patch | 41 + ...l-up-loops-in-dsp-setup-code-for-aud.patch | 150 ++ ...a-realtek-add-quirk-for-clevo-ns70au.patch | 32 + ...ble-mute-led-on-hp-laptop-15s-eq2xxx.patch | 73 + ...-fix-generic-fixup-definition-for-cs.patch | 82 + ...realtek-remove-3k-pull-low-procedure.patch | 66 + ...ge-is-allocated-after-sve-vl-changes.patch | 93 + ...-for-invalid-dai-id-handling-in-acp_.patch | 63 + ...x-resource-leaks-on-component-remove.patch | 157 ++ ...x-resource-leaks-on-component-remove.patch | 54 + ...cd938x-fix-codec-initialisation-race.patch | 54 + ...d938x-fix-db-range-for-hphl-and-hphr.patch | 51 + ...-wcd938x-fix-mbhc-impedance-loglevel.patch | 43 + ...fix-missing-clsh-ctrl-error-handling.patch | 37 + ...fix-missing-mbhc-init-error-handling.patch | 51 + ...x-resource-leaks-on-component-remove.patch | 151 ++ ...8x-fix-soundwire-initialisation-race.patch | 55 + ...toload-with-automatic-module-loading.patch | 86 + ...i-disable-bit-clock-with-transmitter.patch | 43 + 
...ble-mctl_mclk_en-bit-for-master-mode.patch | 58 + ...do-not-close-gpr-port-before-closing.patch | 60 + ...dioreach-fix-topology-probe-deferral.patch | 37 + ...c-rt5640-fix-sleep-in-atomic-context.patch | 65 + ...race-uninitialized-data-in-dfsentry_.patch | 60 + tmp-6.1/asoc-tegra-fix-adx-byte-map.patch | 124 + tmp-6.1/asoc-tegra-fix-amx-byte-map.patch | 125 + ...ent-call-disconnect-callback-before-.patch | 168 ++ ...nc-avoid-use-after-free-in-dbg-for-h.patch | 60 + ...x-iso_conn-related-locking-and-valid.patch | 292 +++ ...u-for-hci_conn_params-and-iterate-sa.patch | 594 +++++ ...address-kcsan-report-on-bpf_lru_list.patch | 177 ++ ...-markings-during-state-checkpointing.patch | 128 + ...-tracking-for-programs-with-subprogs.patch | 246 ++ ...i-type-used-for-freplace-attached-fu.patch | 55 + ...g-idx-logic-in-check_max_stack_depth.patch | 75 + ...ing-only-if-writing-to-unprivileged_.patch | 47 + ..._max_stack_depth-for-async-callbacks.patch | 102 + ...top-setting-precise-in-current-state.patch | 234 ++ ...id-taking-fast-sock-lock-in-iterator.patch | 152 ++ ...k-warning-when-enabling-stp-in-netns.patch | 71 + ...ore-careful-when-setting-mirror_num_.patch | 50 + ...ace-between-balance-and-cancel-pause.patch | 96 + ...ion-with-qgroups-enabled-after-abort.patch | 89 + ...fter-read_folio-in-btrfs_cont_expand.patch | 98 + ...inding-block-group-with-super-blocks.patch | 38 + .../can-bcm-fix-uaf-in-bcm_proc_show.patch | 92 + ...b-gs_can_open-improve-error-handling.patch | 117 + ..._chip_set_mode-increase-poll-timeout.patch | 87 + .../can-raw-fix-receiver-memory-leak.patch | 233 ++ ...k-during-reconnection-after-timeout-.patch | 100 + ...devlink_port_type_warn-source-device.patch | 77 + ...esv-stop-leaking-on-krealloc-failure.patch | 71 + ...-non-null-before-checking-if-enabled.patch | 38 + ...mpc-split-by-default-on-special-asic.patch | 42 + ...-phy-active-for-dp-displays-on-dcn31.patch | 42 + ...-accept-async-flips-for-fast-updates.patch | 82 + 
...xclock-consistent-for-sienna-cichlid.patch | 45 + ...-make-mclk-consistent-for-smu-13.0.7.patch | 30 + ...eactivation-by-hrtimer_try_to_cancel.patch | 101 + ...ory-leak-in-drm_client_modeset_probe.patch | 46 + ...ory-leak-in-drm_client_target_cloned.patch | 68 + ...nteger-overflow-in-radeon_cs_parser_.patch | 38 + ..._move-corruption-when-adding-a-entry.patch | 49 + ...x-do-a-final-check-before-timing-out.patch | 69 + ...t-when-handling-xattrs-in-inode-body.patch | 54 + ...ix-missing-irq-check-in-au1200fb_drv.patch | 40 + ...-removed-unneeded-release_mem_region.patch | 36 + ...warn-about-invalid-left-right-margin.patch | 43 + ...-read-only-mounted-filesystem-in-txb.patch | 36 + ...s-fix-null-ptr-deref-read-in-txbegin.patch | 41 + ...-array-index-out-of-bounds-in-dballo.patch | 83 + ...when-userspace-set-the-fuse_init_ext.patch | 45 + ...use-ioctl-translate-enosys-in-outarg.patch | 88 + ...date-don-t-invalidate-if-interrupted.patch | 34 + ...r-03f0-464a-hp-elite-presenter-mouse.patch | 49 + ...ock-caused-by-rtnl-and-driver-s-lock.patch | 342 +++ ...bounds-when-setting-channels-on-remo.patch | 160 ++ ...fix-reset-task-race-with-iavf_remove.patch | 190 ++ ...vf-fix-use-after-free-in-free_netdev.patch | 215 ++ ...make-functions-static-where-possible.patch | 223 ++ ...v_update_features-into-watchdog-task.patch | 95 + ...-vlan-offloading-caps-once-after-vfr.patch | 66 + ...-internal-state-to-free-traffic-irqs.patch | 65 + ...-reset-in-callbacks-which-trigger-it.patch | 253 ++ ...ix-igb_down-hung-on-surprise-removal.patch | 89 + ...avoid-transmit-queue-timeout-for-xdp.patch | 61 + ...t-garbled-tx-queue-with-xdp-zerocopy.patch | 79 + ...-for-req_f_nowait-as-final-for-io-wq.patch | 39 + ...check-chechpointing-non-dirty-buffer.patch | 191 ++ ..._of_names-to-list-of-special-symbols.patch | 41 + ...ly-sequence-symbols-when-config_lto_.patch | 151 ++ ...-the-performance-of-kallsyms_lookup_.patch | 241 ++ ...to-only-suffixes-from-promoted-globa.patch | 104 + 
...icate-key-to-a-keyring-s-assoc_array.patch | 177 ++ ...on-t-drop-packet-from-non-root-netns.patch | 50 + ...ix-node-allocation-testing-on-32-bit.patch | 40 + ...-limit-when-creating-a-new-root-node.patch | 44 + ...c-prom-address-warray-bounds-warning.patch | 51 + ...p-correct-ksz8795-static-mac-table-a.patch | 94 + ...p-ksz8-make-ksz8_r_sta_mac_table-sta.patch | 54 + ...p-ksz8-separate-static-mac-table-ope.patch | 111 + ...p-ksz8_r_sta_mac_table-avoid-using-e.patch | 154 ++ ...t-litex-add-support-for-64-bit-stats.patch | 82 + ...et-mtk_eth_soc-handle-probe-deferral.patch | 86 + ...cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch | 78 + ...ncpy-not-using-dest-buf-length-as-le.patch | 140 ++ ...sistent-txhash-in-time_wait-and-syn_.patch | 134 + ...use-kfree_sensitive-instead-of-kfree.patch | 38 + ...ipv6-check-return-value-of-pskb_trim.patch | 39 + ...stale-pointer-dereference-in-phy_ini.patch | 74 + ...f-undo-tcf_bind_filter-in-case-of-an.patch | 165 ++ ...tchall-undo-tcf_bind_filter-in-case-.patch | 98 + ...2-undo-refcount-decrement-in-case-up.patch | 49 + ...2-undo-tcf_bind_filter-if-u32_replac.patch | 122 + ...les-can-t-schedule-in-nft_chain_vali.patch | 64 + ...les-fix-spurious-set-element-inserti.patch | 49 + ...les-skip-bound-chain-in-netns-releas.patch | 37 + ...ables-skip-bound-chain-on-rule-flush.patch | 43 + ...t_pipapo-fix-improper-element-remova.patch | 63 + ...nt-allocate-bpids-for-lbk-interfaces.patch | 43 + ...isplay-device-name-for-compatibility.patch | 51 + ...nd-offset-of-struct-vfsmount-in-ovl_.patch | 58 + ...ibrary-not-found-error-when-using-cs.patch | 94 + ...duced-by-switch-to-die_get_decl_file.patch | 115 + ...rzg2l-handle-non-unique-subnode-name.patch | 118 + ...rzv2m-handle-non-unique-subnode-name.patch | 116 + tmp-6.1/quota-fix-warning-in-dqgrab.patch | 100 + ...isable-quotas-when-add_dquot_ref-fai.patch | 40 + ...nal-concurrent-load-from-cpu_no_qs.b.patch | 76 + ...pr_info-with-spin-lock-in-cblist_ini.patch | 91 + 
...-register-length-in-smbus-i-o-limits.patch | 54 + ...ion-of-maximum-transfer-length-fixes.patch | 64 + ...-the-lookup-process-failing-to-get-s.patch | 113 + ...-balance-task-to-its-current-running.patch | 96 + ...e-recent_used_cpu-to-test-p-cpus_ptr.patch | 41 + ...-unprivileged-polling-of-n-2s-period.patch | 434 ++++ ...-extract-update_triggers-side-effect.patch | 91 + ...ix-avgs_work-re-arm-in-psi_avgs_work.patch | 141 ++ ...earrange-polling-code-in-preparation.patch | 247 ++ ...-existing-poll-members-in-preparatio.patch | 432 ++++ ...rnfs-polling-functions-for-psi-trigg.patch | 176 ++ ...pdate-the-usage-in-the-comment-block.patch | 31 + ...-to-date-with-current-implementation.patch | 34 + ...keys-modify-mismatched-function-name.patch | 40 + ...selftests-bpf-fix-sk_assign-on-s390x.patch | 123 + ...make-test_align-selftest-more-robust.patch | 134 + ...xit_bpf2bpf-func_replace_return_code.patch | 95 + ...ests-tc-add-conntrack-procfs-kconfig.patch | 42 + ...lftests-tc-add-ct-action-kconfig-dep.patch | 43 + ...lftests-tc-set-timeout-to-15-minutes.patch | 43 + tmp-6.1/series | 179 ++ .../spi-bcm63xx-fix-max-prepend-length.patch | 47 + ...compatible-for-intel-mount-evans-soc.patch | 81 + ...sleading-comment-for-mount-evans-soc.patch | 41 + ...ear-loopback-bit-after-loopback-test.patch | 40 + ...data-races-around-fastopenq.max_qlen.patch | 77 + ...a-races-around-icsk-icsk_syn_retries.patch | 69 + ...a-races-around-icsk-icsk_user_timeou.patch | 54 + ...-data-races-around-rskq_defer_accept.patch | 53 + ...a-races-around-tcp_rsk-req-ts_recent.patch | 184 ++ ...data-races-around-tcp_rsk-req-txhash.patch | 170 ++ ...data-races-around-tp-keepalive_intvl.patch | 68 + ...ata-races-around-tp-keepalive_probes.patch | 69 + ...-data-races-around-tp-keepalive_time.patch | 58 + ...nnotate-data-races-around-tp-linger2.patch | 52 + ...e-data-races-around-tp-notsent_lowat.patch | 64 + ...te-data-races-around-tp-tcp_tx_delay.patch | 46 + ...notate-data-races-around-tp-tsoffset.patch | 
63 + ...l-to-add-histogram-to-hist_vars-list.patch | 38 + ...lized-array-access-for-some-pathname.patch | 41 + ...support-default-regdb-while-searchin.patch | 137 + ...ix-memory-leak-in-wmi-firmware-stats.patch | 63 + ...registration-of-6ghz-only-phy-withou.patch | 71 + ...i-iwlwifi-add-support-for-new-pci-id.patch | 43 + ...mvm-avoid-baid-size-integer-overflow.patch | 47 + ...e-add-device-id-51f1-for-killer-1675.patch | 38 + ..._hwsim-fix-possible-null-dereference.patch | 46 + ...ix-wstringop-overflow-warning-in-ioc.patch | 71 + tmp-6.1/x86-cpu-amd-add-a-zenbleed-fix.patch | 161 ++ ...the-errata-checking-functionality-up.patch | 181 ++ ...d-consistent-integer-overflow-checks.patch | 70 + ...el-qaic-fix-a-leak-in-map_user_pages.patch | 43 + ...en-bounds-checking-in-decode_message.patch | 76 + ...en-bounds-checking-in-encode_message.patch | 88 + ...lid-disable-dmi-quirk-for-nextbook-a.patch | 45 + ...remove-zen-specific-match-and-quirks.patch | 132 + ...acklight-native-dmi-quirk-for-apple-.patch | 43 + ...acklight-native-dmi-quirk-for-dell-s.patch | 46 + ...acklight-native-dmi-quirk-for-lenovo.patch | 44 + ...i_quirk_uart1_skip-for-lenovo-yoga-b.patch | 79 + ...p-i2c-clients-quirk-for-nextbook-are.patch | 76 + ...l-up-loops-in-dsp-setup-code-for-aud.patch | 150 ++ ...a-realtek-add-quirk-for-clevo-ns70au.patch | 32 + ...-add-quirks-for-rog-ally-cs35l41-aud.patch | 93 + ...ble-mute-led-on-hp-laptop-15s-eq2xxx.patch | 73 + ...-fix-generic-fixup-definition-for-cs.patch | 77 + ...realtek-remove-3k-pull-low-procedure.patch | 66 + .../arm64-fix-hfgxtr_el2-field-naming.patch | 70 + ...ge-is-allocated-after-sve-vl-changes.patch | 93 + .../arm64-mm-fix-va-range-sanity-check.patch | 106 + ...ption_irq_entry-with-__irq_entry-as-.patch | 166 ++ ...-for-invalid-dai-id-handling-in-acp_.patch | 63 + ...x-resource-leaks-on-component-remove.patch | 157 ++ ...x-resource-leaks-on-component-remove.patch | 54 + ...cd938x-fix-codec-initialisation-race.patch | 54 + 
...d938x-fix-db-range-for-hphl-and-hphr.patch | 51 + ...-wcd938x-fix-mbhc-impedance-loglevel.patch | 43 + ...fix-missing-clsh-ctrl-error-handling.patch | 37 + ...fix-missing-mbhc-init-error-handling.patch | 51 + ...x-resource-leaks-on-component-remove.patch | 151 ++ ...8x-fix-soundwire-initialisation-race.patch | 55 + tmp-6.4/asoc-cs35l45-select-regmap_irq.patch | 41 + ...toload-with-automatic-module-loading.patch | 86 + ...i-disable-bit-clock-with-transmitter.patch | 43 + ...ble-mctl_mclk_en-bit-for-master-mode.patch | 53 + ...do-not-close-gpr-port-before-closing.patch | 60 + ...dioreach-fix-topology-probe-deferral.patch | 37 + ...c-rt5640-fix-sleep-in-atomic-context.patch | 65 + ...race-uninitialized-data-in-dfsentry_.patch | 60 + tmp-6.4/asoc-tegra-fix-adx-byte-map.patch | 119 + tmp-6.4/asoc-tegra-fix-amx-byte-map.patch | 125 + ...dereference-on-q-elevator-in-blk_mq_.patch | 61 + ...-fix-bluetooth-on-intel-macbook-2014.patch | 47 + ...nn-return-err_ptr-instead-of-null-wh.patch | 58 + ...ent-call-disconnect-callback-before-.patch | 168 ++ ...nc-avoid-use-after-free-in-dbg-for-h.patch | 60 + ...x-iso_conn-related-locking-and-valid.patch | 292 +++ ...x-sco_conn-related-locking-and-valid.patch | 100 + ...u-for-hci_conn_params-and-iterate-sa.patch | 594 +++++ ...address-kcsan-report-on-bpf_lru_list.patch | 177 ++ ...i-type-used-for-freplace-attached-fu.patch | 55 + ...sary-user-triggerable-warn_once-in-v.patch | 47 + ...g-idx-logic-in-check_max_stack_depth.patch | 75 + ...ing-only-if-writing-to-unprivileged_.patch | 47 + ..._max_stack_depth-for-async-callbacks.patch | 102 + ...ilence-a-warning-in-btf_type_id_size.patch | 100 + ...id-taking-fast-sock-lock-in-iterator.patch | 152 ++ ...k-warning-when-enabling-stp-in-netns.patch | 71 + ...saction-at-update_ref_for_cow-when-r.patch | 54 + ...ash-to-fast-checksum-implementations.patch | 59 + ...ore-careful-when-setting-mirror_num_.patch | 44 + ...heck-pageerror-in-__extent_writepage.patch | 79 + 
...after-an-error-during-orphan-cleanup.patch | 38 + ...er-after-error-during-orphan-cleanup.patch | 173 ++ ...ace-between-balance-and-cancel-pause.patch | 96 + ...ion-with-qgroups-enabled-after-abort.patch | 89 + ...ys-verify-the-p-q-contents-for-scrub.patch | 117 + ...fter-read_folio-in-btrfs_cont_expand.patch | 98 + ...inding-block-group-with-super-blocks.patch | 38 + .../can-bcm-fix-uaf-in-bcm_proc_show.patch | 92 + ...ix-time-stamp-counter-initialization.patch | 292 +++ ...b-gs_can_open-improve-error-handling.patch | 117 + ..._chip_set_mode-increase-poll-timeout.patch | 87 + .../can-raw-fix-receiver-memory-leak.patch | 233 ++ ...k-during-reconnection-after-timeout-.patch | 100 + ...lth-report-on-unregistered-instance-.patch | 43 + ...devlink_port_type_warn-source-device.patch | 77 + ...esv-stop-leaking-on-krealloc-failure.patch | 71 + ...-non-null-before-checking-if-enabled.patch | 38 + ...mpc-split-by-default-on-special-asic.patch | 42 + ...-phy-active-for-dp-displays-on-dcn31.patch | 42 + ...-accept-async-flips-for-fast-updates.patch | 82 + ...xclock-consistent-for-sienna-cichlid.patch | 40 + ...-make-mclk-consistent-for-smu-13.0.7.patch | 30 + ...eactivation-by-hrtimer_try_to_cancel.patch | 101 + ...ory-leak-in-drm_client_modeset_probe.patch | 46 + ...ory-leak-in-drm_client_target_cloned.patch | 68 + ...f-add-sentinel-to-xehp_oa_b_counters.patch | 49 + ...gpio-for-hpd-not-pmgr-aux-interrupts.patch | 63 + ...au-i2c-fix-number-of-aux-event-slots.patch | 83 + ...s-nv50-init-hpd_irq_lock-for-pior-dp.patch | 41 + ...nteger-overflow-in-radeon_cs_parser_.patch | 38 + ..._move-corruption-when-adding-a-entry.patch | 49 + ...x-do-a-final-check-before-timing-out.patch | 69 + ...rofs-fix-detection-of-atomic-context.patch | 100 + ...t-when-handling-xattrs-in-inode-body.patch | 54 + ...ix-missing-irq-check-in-au1200fb_drv.patch | 40 + ...-removed-unneeded-release_mem_region.patch | 36 + ...warn-about-invalid-left-right-margin.patch | 43 + 
...-read-only-mounted-filesystem-in-txb.patch | 41 + ...s-fix-null-ptr-deref-read-in-txbegin.patch | 40 + ...-array-index-out-of-bounds-in-dballo.patch | 83 + ...use-add-feature-flag-for-expire-only.patch | 62 + ...when-userspace-set-the-fuse_init_ext.patch | 45 + ...use-ioctl-translate-enosys-in-outarg.patch | 88 + ...date-don-t-invalidate-if-interrupted.patch | 34 + ...ix-dodgy-bit-handling-for-gso_udp_l4.patch | 85 + ...r-03f0-464a-hp-elite-presenter-mouse.patch | 49 + ...goff-when-searching-for-free-mapping.patch | 42 + ...ock-caused-by-rtnl-and-driver-s-lock.patch | 342 +++ ...bounds-when-setting-channels-on-remo.patch | 160 ++ ...fix-reset-task-race-with-iavf_remove.patch | 190 ++ ...vf-fix-use-after-free-in-free_netdev.patch | 215 ++ ...make-functions-static-where-possible.patch | 223 ++ ...-internal-state-to-free-traffic-irqs.patch | 65 + ...-reset-in-callbacks-which-trigger-it.patch | 253 ++ ...ent-null-pointer-deref-during-reload.patch | 187 ++ ...er-netdev-and-devlink_port-only-once.patch | 90 + ...ix-igb_down-hung-on-surprise-removal.patch | 89 + ...avoid-transmit-queue-timeout-for-xdp.patch | 61 + ...t-garbled-tx-queue-with-xdp-zerocopy.patch | 79 + ...hitecture-provided-get_unmapped_area.patch | 134 + ...-for-req_f_nowait-as-final-for-io-wq.patch | 39 + ...gnedness-bug-in-iommu_sva_alloc_pasi.patch | 45 + ...er-mark-copy_iovec_from_user-noclone.patch | 43 + ...check-chechpointing-non-dirty-buffer.patch | 191 ++ ...to-only-suffixes-from-promoted-globa.patch | 104 + ...-rust-avoid-creating-temporary-files.patch | 74 + ...icate-key-to-a-keyring-s-assoc_array.patch | 177 ++ ...ging-notifiers-for-unaligned-memslot.patch | 204 ++ ...eemption-in-kvm_arch_hardware_enable.patch | 66 + ...l2-when-setting-non-cntkctl_el1-bits.patch | 65 + ...bell-request-robust-w.r.t-preemption.patch | 134 + ...on-t-drop-packet-from-non-root-netns.patch | 50 + ...ix-node-allocation-testing-on-32-bit.patch | 40 + ...-limit-when-creating-a-new-root-node.patch | 44 + 
...uption-for-raid456-when-reshape-rest.patch | 60 + ...event-soft-lockup-while-flush-writes.patch | 79 + ...c-prom-address-warray-bounds-warning.patch | 56 + ...r-conversion-of-apply_vma_lock_flags.patch | 70 + ...p-correct-ksz8795-static-mac-table-a.patch | 94 + ...t-litex-add-support-for-64-bit-stats.patch | 82 + ..._eth_soc-always-mtk_get_ib1_pkt_type.patch | 40 + ...et-mtk_eth_soc-handle-probe-deferral.patch | 86 + ...cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch | 78 + ...ncpy-not-using-dest-buf-length-as-le.patch | 140 ++ ...sistent-txhash-in-time_wait-and-syn_.patch | 134 + ...use-kfree_sensitive-instead-of-kfree.patch | 38 + ...ipv6-check-return-value-of-pskb_trim.patch | 39 + ...stale-pointer-dereference-in-phy_ini.patch | 74 + ...f-undo-tcf_bind_filter-in-case-of-an.patch | 165 ++ ...tchall-undo-tcf_bind_filter-in-case-.patch | 98 + ...2-undo-refcount-decrement-in-case-up.patch | 49 + ...2-undo-tcf_bind_filter-if-u32_replac.patch | 122 + ...les-can-t-schedule-in-nft_chain_vali.patch | 64 + ...les-fix-spurious-set-element-inserti.patch | 49 + ...les-skip-bound-chain-in-netns-releas.patch | 37 + ...ables-skip-bound-chain-on-rule-flush.patch | 43 + ...t_pipapo-fix-improper-element-remova.patch | 63 + ...nt-allocate-bpids-for-lbk-interfaces.patch | 43 + ...isplay-device-name-for-compatibility.patch | 51 + ...nd-offset-of-struct-vfsmount-in-ovl_.patch | 58 + ...ibrary-not-found-error-when-using-cs.patch | 94 + ...duced-by-switch-to-die_get_decl_file.patch | 115 + ...read-dwarf-files-from-the-correct-cu.patch | 66 + ...rzg2l-handle-non-unique-subnode-name.patch | 118 + ...rzv2m-handle-non-unique-subnode-name.patch | 116 + ...ure-timer-id-search-loop-limit-is-va.patch | 115 + ...-move-pr_get_auxv-out-of-pr_mce_kill.patch | 67 + tmp-6.4/quota-fix-warning-in-dqgrab.patch | 100 + ...isable-quotas-when-add_dquot_ref-fai.patch | 40 + ...elated-problem-for-chip-version-42-a.patch | 44 + ...nal-concurrent-load-from-cpu_no_qs.b.patch | 76 + 
...pr_info-with-spin-lock-in-cblist_ini.patch | 91 + ...-register-length-in-smbus-i-o-limits.patch | 54 + ...ion-of-maximum-transfer-length-fixes.patch | 64 + ...-fix-null-pointer-deref-with-partial.patch | 42 + ...-r8169-disable-aspm-during-napi-poll.patch | 52 + ...-the-lookup-process-failing-to-get-s.patch | 113 + ...-buffer-calculations-for-cca-replies.patch | 93 + ...-balance-task-to-its-current-running.patch | 96 + ...e-recent_used_cpu-to-test-p-cpus_ptr.patch | 41 + ...rnfs-polling-functions-for-psi-trigg.patch | 176 ++ ...on-t-grab-scsi-host-module-reference.patch | 69 + ...fix-blktrace-debugfs-entries-leakage.patch | 77 + ...keys-modify-mismatched-function-name.patch | 40 + ...irty-fix-incorrect-position-of-endif.patch | 37 + ...ests-tc-add-conntrack-procfs-kconfig.patch | 42 + ...lftests-tc-add-ct-action-kconfig-dep.patch | 43 + ...lftests-tc-set-timeout-to-15-minutes.patch | 43 + tmp-6.4/series | 227 ++ ...mb-client-fix-missed-ses-refcounting.patch | 101 + .../spi-bcm63xx-fix-max-prepend-length.patch | 47 + ...spi-add-compatible-for-amd-pensando-.patch | 91 + ...compatible-for-intel-mount-evans-soc.patch | 81 + ...sleading-comment-for-mount-evans-soc.patch | 41 + ...ear-loopback-bit-after-loopback-test.patch | 40 + ...data-races-around-fastopenq.max_qlen.patch | 77 + ...a-races-around-icsk-icsk_syn_retries.patch | 69 + ...a-races-around-icsk-icsk_user_timeou.patch | 54 + ...-data-races-around-rskq_defer_accept.patch | 53 + ...a-races-around-tcp_rsk-req-ts_recent.patch | 184 ++ ...data-races-around-tcp_rsk-req-txhash.patch | 170 ++ ...data-races-around-tp-keepalive_intvl.patch | 68 + ...ata-races-around-tp-keepalive_probes.patch | 69 + ...-data-races-around-tp-keepalive_time.patch | 58 + ...nnotate-data-races-around-tp-linger2.patch | 52 + ...e-data-races-around-tp-notsent_lowat.patch | 64 + ...te-data-races-around-tp-tcp_tx_delay.patch | 46 + ...notate-data-races-around-tp-tsoffset.patch | 63 + ...ure-stack-protector-guard-is-never-z.patch | 45 + 
...l-to-add-histogram-to-hist_vars-list.patch | 38 + ...lized-array-access-for-some-pathname.patch | 41 + ...vrf-fix-lockdep-splat-in-output-path.patch | 156 ++ ...support-default-regdb-while-searchin.patch | 137 + ...ix-memory-leak-in-wmi-firmware-stats.patch | 63 + ...registration-of-6ghz-only-phy-withou.patch | 71 + ...d-null-pointer-access-during-managem.patch | 41 + ...i-iwlwifi-add-support-for-new-pci-id.patch | 43 + ...-add-null-check-before-dereferencing.patch | 68 + ...mvm-avoid-baid-size-integer-overflow.patch | 47 + ...-fix-potential-array-out-of-bounds-a.patch | 51 + ...e-add-device-id-51f1-for-killer-1675.patch | 38 + ..._hwsim-fix-possible-null-dereference.patch | 46 + ...check-the-hisr-rx_request-bit-in-rtw.patch | 93 + ...ix-wstringop-overflow-warning-in-ioc.patch | 71 + tmp-6.4/x86-cpu-amd-add-a-zenbleed-fix.patch | 161 ++ ...the-errata-checking-functionality-up.patch | 181 ++ 1540 files changed, 135238 insertions(+) create mode 100644 tmp-4.19/add-module_firmware-for-firmware_tg357766.patch create mode 100644 tmp-4.19/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch create mode 100644 tmp-4.19/alsa-jack-fix-mutex-call-in-snd_jack_report.patch create mode 100644 tmp-4.19/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch create mode 100644 tmp-4.19/arcv2-entry-avoid-a-branch.patch create mode 100644 tmp-4.19/arcv2-entry-comments-about-hardware-auto-save-on-tak.patch create mode 100644 tmp-4.19/arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch create mode 100644 tmp-4.19/arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch create mode 100644 tmp-4.19/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch create mode 100644 tmp-4.19/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch create mode 100644 tmp-4.19/arm-ep93xx-fix-missing-prototype-warnings.patch create mode 100644 tmp-4.19/arm-orion5x-fix-d2net-gpio-initialization.patch create mode 100644 
tmp-4.19/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch create mode 100644 tmp-4.19/asoc-es8316-increment-max-value-for-alc-capture-targ.patch create mode 100644 tmp-4.19/bcache-remove-unnecessary-null-point-check-in-node-allocations.patch create mode 100644 tmp-4.19/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch create mode 100644 tmp-4.19/bpf-address-kcsan-report-on-bpf_lru_list.patch create mode 100644 tmp-4.19/btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch create mode 100644 tmp-4.19/can-bcm-fix-uaf-in-bcm_proc_show.patch create mode 100644 tmp-4.19/ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch create mode 100644 tmp-4.19/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch create mode 100644 tmp-4.19/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch create mode 100644 tmp-4.19/clocksource-drivers-unify-the-names-to-timer-format.patch create mode 100644 tmp-4.19/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch create mode 100644 tmp-4.19/debugobjects-recheck-debug_objects_enabled-before-re.patch create mode 100644 tmp-4.19/drm-amdgpu-validate-vm-ioctl-flags.patch create mode 100644 tmp-4.19/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch create mode 100644 tmp-4.19/drm-edid-fix-uninitialized-variable-in-drm_cvt_modes.patch create mode 100644 tmp-4.19/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch create mode 100644 tmp-4.19/drm-radeon-fix-possible-division-by-zero-errors.patch create mode 100644 tmp-4.19/evm-complete-description-of-evm_inode_setattr.patch create mode 100644 tmp-4.19/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch create mode 100644 tmp-4.19/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch create mode 100644 tmp-4.19/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch create mode 100644 
tmp-4.19/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch create mode 100644 tmp-4.19/extcon-fix-kernel-doc-of-property-capability-fields-.patch create mode 100644 tmp-4.19/extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch create mode 100644 tmp-4.19/f2fs-fix-error-path-handling-in-truncate_dnode.patch create mode 100644 tmp-4.19/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch create mode 100644 tmp-4.19/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch create mode 100644 tmp-4.19/fbdev-imxfb-warn-about-invalid-left-right-margin.patch create mode 100644 tmp-4.19/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch create mode 100644 tmp-4.19/fs-dlm-return-positive-pid-value-for-f_getlk.patch create mode 100644 tmp-4.19/fuse-revalidate-don-t-invalidate-if-interrupted.patch create mode 100644 tmp-4.19/gfs2-don-t-deref-jdesc-in-evict.patch create mode 100644 tmp-4.19/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch create mode 100644 tmp-4.19/hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch create mode 100644 tmp-4.19/hwrng-virtio-add-an-internal-buffer.patch create mode 100644 tmp-4.19/hwrng-virtio-always-add-a-pending-request.patch create mode 100644 tmp-4.19/hwrng-virtio-don-t-wait-on-cleanup.patch create mode 100644 tmp-4.19/hwrng-virtio-don-t-waste-entropy.patch create mode 100644 tmp-4.19/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch create mode 100644 tmp-4.19/i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch create mode 100644 tmp-4.19/i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch create mode 100644 tmp-4.19/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch create mode 100644 tmp-4.19/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch create mode 100644 tmp-4.19/igb-fix-igb_down-hung-on-surprise-removal.patch create mode 100644 tmp-4.19/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch create mode 100644 
tmp-4.19/input-drv260x-sleep-between-polling-go-bit.patch create mode 100644 tmp-4.19/integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch create mode 100644 tmp-4.19/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch create mode 100644 tmp-4.19/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch create mode 100644 tmp-4.19/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch create mode 100644 tmp-4.19/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch create mode 100644 tmp-4.19/jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch create mode 100644 tmp-4.19/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch create mode 100644 tmp-4.19/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch create mode 100644 tmp-4.19/kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch create mode 100644 tmp-4.19/lib-ts_bm-reset-initial-match-offset-for-every-block.patch create mode 100644 tmp-4.19/llc-don-t-drop-packet-from-non-root-netns.patch create mode 100644 tmp-4.19/mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch create mode 100644 tmp-4.19/md-fix-data-corruption-for-raid456-when-reshape-rest.patch create mode 100644 tmp-4.19/md-raid0-add-discard-support-for-the-original-layout.patch create mode 100644 tmp-4.19/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch create mode 100644 tmp-4.19/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch create mode 100644 tmp-4.19/md-raid10-fix-overflow-of-md-safe_mode_delay.patch create mode 100644 tmp-4.19/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch create mode 100644 tmp-4.19/md-raid10-prevent-soft-lockup-while-flush-writes.patch create mode 100644 tmp-4.19/media-usb-check-az6007_read-return-value.patch create mode 100644 tmp-4.19/media-usb-siano-fix-warning-due-to-null-work_func_t-.patch create mode 100644 tmp-4.19/media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch create mode 100644 
tmp-4.19/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch create mode 100644 tmp-4.19/meson-saradc-fix-clock-divider-mask-length.patch create mode 100644 tmp-4.19/mfd-intel-lpss-add-missing-check-for-platform_get_re.patch create mode 100644 tmp-4.19/mfd-rt5033-drop-rt5033-battery-sub-device.patch create mode 100644 tmp-4.19/mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch create mode 100644 tmp-4.19/misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch create mode 100644 tmp-4.19/misc-pci_endpoint_test-re-init-completion-for-every-test.patch create mode 100644 tmp-4.19/mmc-core-disable-trim-on-kingston-emmc04g-m627.patch create mode 100644 tmp-4.19/mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch create mode 100644 tmp-4.19/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch create mode 100644 tmp-4.19/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch create mode 100644 tmp-4.19/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch create mode 100644 tmp-4.19/net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch create mode 100644 tmp-4.19/net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch create mode 100644 tmp-4.19/net-create-netdev-dev_addr-assignment-helpers.patch create mode 100644 tmp-4.19/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch create mode 100644 tmp-4.19/net-ipv6-check-return-value-of-pskb_trim.patch create mode 100644 tmp-4.19/net-lan743x-don-t-sleep-in-atomic-context.patch create mode 100644 tmp-4.19/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch create mode 100644 tmp-4.19/net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch create mode 100644 tmp-4.19/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch create mode 100644 tmp-4.19/net-sched-make-psched_mtu-rtnl-less-safe.patch create mode 100644 tmp-4.19/netfilter-add-helper-function-to-set-up-the-nfnetlink-header-and-use-it.patch create mode 100644 
tmp-4.19/netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch create mode 100644 tmp-4.19/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch create mode 100644 tmp-4.19/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch create mode 100644 tmp-4.19/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch create mode 100644 tmp-4.19/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch create mode 100644 tmp-4.19/netfilter-nf_tables-fix-nat-hook-table-deletion.patch create mode 100644 tmp-4.19/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch create mode 100644 tmp-4.19/netfilter-nf_tables-fix-spurious-set-element-inserti.patch create mode 100644 tmp-4.19/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch create mode 100644 tmp-4.19/netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch create mode 100644 tmp-4.19/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch create mode 100644 tmp-4.19/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch create mode 100644 tmp-4.19/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch create mode 100644 tmp-4.19/netfilter-nftables-add-helper-function-to-set-the-base-sequence-number.patch create mode 100644 tmp-4.19/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch create mode 100644 tmp-4.19/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch create mode 100644 tmp-4.19/netlink-fix-potential-deadlock-in-netlink_set_err.patch create mode 100644 tmp-4.19/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch create mode 100644 tmp-4.19/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch create mode 100644 tmp-4.19/nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch create mode 100644 tmp-4.19/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch create mode 100644 
tmp-4.19/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch create mode 100644 tmp-4.19/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch create mode 100644 tmp-4.19/ntb-ntb_tool-add-check-for-devm_kcalloc.patch create mode 100644 tmp-4.19/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch create mode 100644 tmp-4.19/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch create mode 100644 tmp-4.19/pci-add-pci_clear_master-stub-for-non-config_pci.patch create mode 100644 tmp-4.19/pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch create mode 100644 tmp-4.19/pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch create mode 100644 tmp-4.19/pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch create mode 100644 tmp-4.19/pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch create mode 100644 tmp-4.19/pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch create mode 100644 tmp-4.19/pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch create mode 100644 tmp-4.19/pci-rockchip-write-pci-device-id-to-correct-register.patch create mode 100644 tmp-4.19/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch create mode 100644 tmp-4.19/perf-intel-pt-fix-cyc-timestamps-after-standalone-cbr.patch create mode 100644 tmp-4.19/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch create mode 100644 tmp-4.19/pinctrl-amd-detect-internal-gpio0-debounce-handling.patch create mode 100644 tmp-4.19/pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch create mode 100644 tmp-4.19/pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch create mode 100644 tmp-4.19/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch create mode 100644 tmp-4.19/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch create mode 100644 tmp-4.19/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch create mode 100644 
tmp-4.19/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch create mode 100644 tmp-4.19/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch create mode 100644 tmp-4.19/powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch create mode 100644 tmp-4.19/radeon-avoid-double-free-in-ci_dpm_init.patch create mode 100644 tmp-4.19/revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch create mode 100644 tmp-4.19/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch create mode 100644 tmp-4.19/ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch create mode 100644 tmp-4.19/rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch create mode 100644 tmp-4.19/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch create mode 100644 tmp-4.19/sched-fair-don-t-balance-task-to-its-current-running.patch create mode 100644 tmp-4.19/scripts-tags.sh-resolve-gtags-empty-index-generation.patch create mode 100644 tmp-4.19/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch create mode 100644 tmp-4.19/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch create mode 100644 tmp-4.19/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch create mode 100644 tmp-4.19/scsi-qla2xxx-pointer-may-be-dereferenced.patch create mode 100644 tmp-4.19/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch create mode 100644 tmp-4.19/sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch create mode 100644 tmp-4.19/serial-atmel-don-t-enable-irqs-prematurely.patch create mode 100644 tmp-4.19/series create mode 100644 tmp-4.19/sh-dma-fix-dma-channel-offset-calculation.patch create mode 100644 tmp-4.19/sh-j2-use-ioremap-to-translate-device-tree-address-i.patch create mode 100644 tmp-4.19/soc-fsl-qe-fix-usb.c-build-errors.patch create mode 100644 tmp-4.19/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch create mode 100644 tmp-4.19/spi-bcm63xx-fix-max-prepend-length.patch create mode 100644 
tmp-4.19/spi-spi-fsl-spi-allow-changing-bits_per_word-while-cs-is-still-active.patch create mode 100644 tmp-4.19/spi-spi-fsl-spi-relax-message-sanity-checking-a-little.patch create mode 100644 tmp-4.19/spi-spi-fsl-spi-remove-always-true-conditional-in-fsl_spi_do_one_msg.patch create mode 100644 tmp-4.19/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch create mode 100644 tmp-4.19/tcp-annotate-data-races-around-fastopenq.max_qlen.patch create mode 100644 tmp-4.19/tcp-annotate-data-races-around-rskq_defer_accept.patch create mode 100644 tmp-4.19/tcp-annotate-data-races-around-tp-linger2.patch create mode 100644 tmp-4.19/tcp-annotate-data-races-around-tp-notsent_lowat.patch create mode 100644 tmp-4.19/tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch create mode 100644 tmp-4.19/tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch create mode 100644 tmp-4.19/tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch create mode 100644 tmp-4.19/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch create mode 100644 tmp-4.19/treewide-remove-uninitialized_var-usage.patch create mode 100644 tmp-4.19/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch create mode 100644 tmp-4.19/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch create mode 100644 tmp-4.19/udp6-fix-udp6_ehashfn-typo.patch create mode 100644 tmp-4.19/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch create mode 100644 tmp-4.19/usb-serial-option-add-lara-r6-01b-pids.patch create mode 100644 tmp-4.19/video-imsttfb-check-for-ioremap-failures.patch create mode 100644 tmp-4.19/vrf-increment-icmp6inmsgs-on-the-original-netdev.patch create mode 100644 tmp-4.19/w1-fix-loop-in-w1_fini.patch create mode 100644 tmp-4.19/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch create mode 100644 
tmp-4.19/watchdog-perf-more-properly-prevent-false-positives-.patch create mode 100644 tmp-4.19/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch create mode 100644 tmp-4.19/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch create mode 100644 tmp-4.19/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch create mode 100644 tmp-4.19/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch create mode 100644 tmp-4.19/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch create mode 100644 tmp-4.19/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch create mode 100644 tmp-4.19/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch create mode 100644 tmp-4.19/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch create mode 100644 tmp-4.19/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch create mode 100644 tmp-4.19/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch create mode 100644 tmp-4.19/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch create mode 100644 tmp-4.19/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch create mode 100644 tmp-4.19/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch create mode 100644 tmp-4.19/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch create mode 100644 tmp-4.19/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch create mode 100644 tmp-4.19/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch create mode 100644 tmp-4.19/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch create mode 100644 tmp-4.19/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch create mode 100644 tmp-4.19/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch create mode 100644 tmp-4.19/wl3501_cs-remove-unnecessary-null-check.patch create mode 100644 tmp-4.19/wl3501_cs-use-eth_hw_addr_set.patch create mode 100644 tmp-4.19/workqueue-clean-up-work_-constant-types-clarify-masking.patch create mode 100644 tmp-4.19/x86-cpu-amd-add-a-zenbleed-fix.patch create 
mode 100644 tmp-4.19/x86-cpu-amd-move-the-errata-checking-functionality-up.patch create mode 100644 tmp-4.19/x86-microcode-amd-load-late-on-both-threads-too.patch create mode 100644 tmp-4.19/x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch create mode 100644 tmp-4.19/xtensa-iss-fix-call-to-split_if_spec.patch create mode 100644 tmp-5.10/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch create mode 100644 tmp-5.10/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch create mode 100644 tmp-5.10/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch create mode 100644 tmp-5.10/add-module_firmware-for-firmware_tg357766.patch create mode 100644 tmp-5.10/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch create mode 100644 tmp-5.10/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch create mode 100644 tmp-5.10/alsa-hda-realtek-remove-3k-pull-low-procedure.patch create mode 100644 tmp-5.10/alsa-jack-fix-mutex-call-in-snd_jack_report.patch create mode 100644 tmp-5.10/amdgpu-validate-offset_in_bo-of-drm_amdgpu_gem_va.patch create mode 100644 tmp-5.10/apparmor-fix-missing-error-check-for-rhashtable_inse.patch create mode 100644 tmp-5.10/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch create mode 100644 tmp-5.10/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch create mode 100644 tmp-5.10/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch create mode 100644 tmp-5.10/arm-dts-bcm5301x-fix-duplex-full-full-duplex.patch create mode 100644 tmp-5.10/arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch create mode 100644 tmp-5.10/arm-dts-iwg20d-q7-common-fix-backlight-pwm-specifier.patch create mode 100644 tmp-5.10/arm-dts-meson8-correct-uart_b-and-uart_c-clock-refer.patch create mode 100644 tmp-5.10/arm-dts-meson8b-correct-uart_b-and-uart_c-clock-refe.patch create mode 100644 tmp-5.10/arm-dts-stm32-fix-audio-routing-on-stm32mp15xx-dhcom.patch create mode 100644 
tmp-5.10/arm-dts-stm32-fix-i2s-endpoint-format-property-for-s.patch create mode 100644 tmp-5.10/arm-dts-stm32-move-ethernet-mac-eeprom-from-som-to-c.patch create mode 100644 tmp-5.10/arm-dts-stm32-shorten-the-av96-hdmi-sound-card-name.patch create mode 100644 tmp-5.10/arm-ep93xx-fix-missing-prototype-warnings.patch create mode 100644 tmp-5.10/arm-omap2-fix-missing-tick_broadcast-prototype.patch create mode 100644 tmp-5.10/arm-orion5x-fix-d2net-gpio-initialization.patch create mode 100644 tmp-5.10/arm64-dts-microchip-sparx5-do-not-use-psci-on-refere.patch create mode 100644 tmp-5.10/arm64-dts-qcom-apq8096-fix-fixed-regulator-name-prop.patch create mode 100644 tmp-5.10/arm64-dts-qcom-msm8916-correct-camss-unit-address.patch create mode 100644 tmp-5.10/arm64-dts-qcom-msm8994-correct-spmi-unit-address.patch create mode 100644 tmp-5.10/arm64-dts-qcom-msm8996-correct-camss-unit-address.patch create mode 100644 tmp-5.10/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch create mode 100644 tmp-5.10/arm64-dts-ti-k3-j7200-fix-physical-address-of-pin.patch create mode 100644 tmp-5.10/arm64-mm-fix-va-range-sanity-check.patch create mode 100644 tmp-5.10/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch create mode 100644 tmp-5.10/asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch create mode 100644 tmp-5.10/asoc-es8316-increment-max-value-for-alc-capture-targ.patch create mode 100644 tmp-5.10/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch create mode 100644 tmp-5.10/asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch create mode 100644 tmp-5.10/asoc-mediatek-mt8173-fix-irq-error-path.patch create mode 100644 tmp-5.10/asoc-mediatek-mt8173-fix-snd_soc_component_initialize-error-path.patch create mode 100644 tmp-5.10/autofs-use-flexible-array-in-ioctl-structure.patch create mode 100644 tmp-5.10/bcache-fix-__bch_btree_node_alloc-to-make-the-failure-behavior-consistent.patch create mode 100644 
tmp-5.10/bcache-fixup-btree_cache_wait-list-damage.patch create mode 100644 tmp-5.10/bcache-remove-unnecessary-null-point-check-in-node-allocations.patch create mode 100644 tmp-5.10/blk-iocost-use-spin_lock_irqsave-in-adjust_inuse_and.patch create mode 100644 tmp-5.10/block-add-overflow-checks-for-amiga-partition-support.patch create mode 100644 tmp-5.10/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch create mode 100644 tmp-5.10/block-fix-signed-int-overflow-in-amiga-partition-support.patch create mode 100644 tmp-5.10/block-partition-fix-signedness-issue-for-amiga-partitions.patch create mode 100644 tmp-5.10/bpf-address-kcsan-report-on-bpf_lru_list.patch create mode 100644 tmp-5.10/bpf-remove-extra-lock_sock-for-tcp_zerocopy_receive.patch create mode 100644 tmp-5.10/bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch create mode 100644 tmp-5.10/bpftool-jit-limited-misreported-as-negative-value-on.patch create mode 100644 tmp-5.10/bridge-add-extack-warning-when-enabling-stp-in-netns.patch create mode 100644 tmp-5.10/btrfs-add-handling-for-raid1c23-dup-to-btrfs_reduce_alloc_profile.patch create mode 100644 tmp-5.10/btrfs-add-xxhash-to-fast-checksum-implementations.patch create mode 100644 tmp-5.10/btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch create mode 100644 tmp-5.10/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch create mode 100644 tmp-5.10/bus-ti-sysc-fix-dispc-quirk-masking-bool-variables.patch create mode 100644 tmp-5.10/can-bcm-fix-uaf-in-bcm_proc_show.patch create mode 100644 tmp-5.10/can-isotp-isotp_sendmsg-fix-return-error-fix-on-tx-path.patch create mode 100644 tmp-5.10/ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch create mode 100644 tmp-5.10/clk-cdce925-check-return-value-of-kasprintf.patch create mode 100644 tmp-5.10/clk-imx-clk-imx8mn-fix-memory-leak-in-imx8mn_clocks_.patch create mode 100644 
tmp-5.10/clk-imx-clk-imx8mp-improve-error-handling-in-imx8mp_.patch create mode 100644 tmp-5.10/clk-keystone-sci-clk-check-return-value-of-kasprintf.patch create mode 100644 tmp-5.10/clk-qcom-gcc-ipq6018-use-floor-ops-for-sdcc-clocks.patch create mode 100644 tmp-5.10/clk-qcom-ipq6018-fix-networking-resets.patch create mode 100644 tmp-5.10/clk-qcom-reset-allow-specifying-custom-reset-delay.patch create mode 100644 tmp-5.10/clk-qcom-reset-support-resetting-multiple-bits.patch create mode 100644 tmp-5.10/clk-si5341-add-sysfs-properties-to-allow-checking-re.patch create mode 100644 tmp-5.10/clk-si5341-allow-different-output-vdd_sel-values.patch create mode 100644 tmp-5.10/clk-si5341-check-return-value-of-devm_-kasprintf.patch create mode 100644 tmp-5.10/clk-si5341-free-unused-memory-on-probe-failure.patch create mode 100644 tmp-5.10/clk-si5341-return-error-if-one-synth-clock-registrat.patch create mode 100644 tmp-5.10/clk-tegra-tegra124-emc-fix-potential-memory-leak.patch create mode 100644 tmp-5.10/clk-ti-clkctrl-check-return-value-of-kasprintf.patch create mode 100644 tmp-5.10/clk-vc5-check-memory-returned-by-kasprintf.patch create mode 100644 tmp-5.10/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch create mode 100644 tmp-5.10/coresight-fix-loss-of-connection-info-when-a-module-.patch create mode 100644 tmp-5.10/cpufreq-intel_pstate-fix-energy_performance_preferen.patch create mode 100644 tmp-5.10/crypto-marvell-cesa-fix-type-mismatch-warning.patch create mode 100644 tmp-5.10/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch create mode 100644 tmp-5.10/dax-fix-dax_mapping_release-use-after-free.patch create mode 100644 tmp-5.10/dax-introduce-alloc_dev_dax_id.patch create mode 100644 tmp-5.10/debugobjects-recheck-debug_objects_enabled-before-re.patch create mode 100644 tmp-5.10/devlink-report-devlink_port_type_warn-source-device.patch create mode 100644 tmp-5.10/drivers-meson-secure-pwrc-always-enable-dma-domain.patch create mode 100644 
tmp-5.10/drm-amd-display-correct-dmub_fw_version-macro.patch create mode 100644 tmp-5.10/drm-amd-display-explicitly-specify-update-type-per-p.patch create mode 100644 tmp-5.10/drm-amdgpu-validate-vm-ioctl-flags.patch create mode 100644 tmp-5.10/drm-amdkfd-fix-potential-deallocation-of-previously-.patch create mode 100644 tmp-5.10/drm-atomic-allow-vblank-enabled-self-refresh-disable.patch create mode 100644 tmp-5.10/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch create mode 100644 tmp-5.10/drm-bridge-tc358768-add-atomic_get_input_bus_fmts-im.patch create mode 100644 tmp-5.10/drm-bridge-tc358768-always-enable-hs-video-mode.patch create mode 100644 tmp-5.10/drm-bridge-tc358768-fix-pll-parameters-computation.patch create mode 100644 tmp-5.10/drm-bridge-tc358768-fix-pll-target-frequency.patch create mode 100644 tmp-5.10/drm-bridge-tc358768-fix-tclk_trailcnt-computation.patch create mode 100644 tmp-5.10/drm-bridge-tc358768-fix-tclk_zerocnt-computation.patch create mode 100644 tmp-5.10/drm-bridge-tc358768-fix-ths_trailcnt-computation.patch create mode 100644 tmp-5.10/drm-bridge-tc358768-fix-ths_zerocnt-computation.patch create mode 100644 tmp-5.10/drm-bridge-tc358768-fix-txtagocnt-computation.patch create mode 100644 tmp-5.10/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch create mode 100644 tmp-5.10/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch create mode 100644 tmp-5.10/drm-msm-dp-free-resources-after-unregistering-them.patch create mode 100644 tmp-5.10/drm-msm-dpu-do-not-enable-color-management-if-dspps-.patch create mode 100644 tmp-5.10/drm-panel-sharp-ls043t1le01-adjust-mode-settings.patch create mode 100644 tmp-5.10/drm-panel-simple-add-connector_type-for-innolux_at04.patch create mode 100644 tmp-5.10/drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch create mode 100644 tmp-5.10/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch create mode 100644 
tmp-5.10/drm-radeon-fix-possible-division-by-zero-errors.patch create mode 100644 tmp-5.10/drm-rockchip-vop-leave-vblank-enabled-in-self-refresh.patch create mode 100644 tmp-5.10/drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch create mode 100644 tmp-5.10/drm-vram-helper-fix-function-names-in-vram-helper-do.patch create mode 100644 tmp-5.10/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch create mode 100644 tmp-5.10/erofs-fix-compact-4b-support-for-16k-block-size.patch create mode 100644 tmp-5.10/evm-complete-description-of-evm_inode_setattr.patch create mode 100644 tmp-5.10/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch create mode 100644 tmp-5.10/ext4-fix-reusing-stale-buffer-heads-from-last-failed-mounting.patch create mode 100644 tmp-5.10/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch create mode 100644 tmp-5.10/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch create mode 100644 tmp-5.10/ext4-fix-wrong-unit-use-in-ext4_mb_new_blocks.patch create mode 100644 tmp-5.10/ext4-get-block-from-bh-in-ext4_free_blocks-for-fast-commit-replay.patch create mode 100644 tmp-5.10/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch create mode 100644 tmp-5.10/ext4-remove-ext4-locking-of-moved-directory.patch create mode 100644 tmp-5.10/extcon-fix-kernel-doc-of-property-capability-fields-.patch create mode 100644 tmp-5.10/extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch create mode 100644 tmp-5.10/f2fs-fix-error-path-handling-in-truncate_dnode.patch create mode 100644 tmp-5.10/f2fs-fix-to-avoid-null-pointer-dereference-f2fs_write_end_io.patch create mode 100644 tmp-5.10/fanotify-disallow-mount-sb-marks-on-kernel-internal-pseudo-fs.patch create mode 100644 tmp-5.10/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch create mode 100644 tmp-5.10/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch create mode 100644 
tmp-5.10/fbdev-imxfb-warn-about-invalid-left-right-margin.patch create mode 100644 tmp-5.10/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch create mode 100644 tmp-5.10/firmware-stratix10-svc-fix-a-potential-resource-leak-in-svc_create_memory_pool.patch create mode 100644 tmp-5.10/fs-avoid-empty-option-when-generating-legacy-mount-string.patch create mode 100644 tmp-5.10/fs-dlm-return-positive-pid-value-for-f_getlk.patch create mode 100644 tmp-5.10/fs-establish-locking-order-for-unrelated-directories.patch create mode 100644 tmp-5.10/fs-lock-moved-directories.patch create mode 100644 tmp-5.10/fs-no-need-to-check-source.patch create mode 100644 tmp-5.10/fs-pipe-reveal-missing-function-protoypes.patch create mode 100644 tmp-5.10/ftrace-fix-possible-warning-on-checking-all-pages-used-in-ftrace_process_locs.patch create mode 100644 tmp-5.10/ftrace-store-the-order-of-pages-allocated-in-ftrace_page.patch create mode 100644 tmp-5.10/fuse-revalidate-don-t-invalidate-if-interrupted.patch create mode 100644 tmp-5.10/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch create mode 100644 tmp-5.10/gve-set-default-duplex-configuration-to-full.patch create mode 100644 tmp-5.10/hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch create mode 100644 tmp-5.10/hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch create mode 100644 tmp-5.10/hwmon-adm1275-allow-setting-sample-averaging.patch create mode 100644 tmp-5.10/hwmon-adm1275-enable-adm1272-temperature-reporting.patch create mode 100644 tmp-5.10/hwmon-gsc-hwmon-fix-fan-pwm-temperature-scaling.patch create mode 100644 tmp-5.10/hwmon-pmbus-adm1275-fix-problems-with-temperature-mo.patch create mode 100644 tmp-5.10/hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch create mode 100644 tmp-5.10/hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch create mode 100644 tmp-5.10/hwrng-virtio-add-an-internal-buffer.patch create mode 100644 
tmp-5.10/hwrng-virtio-always-add-a-pending-request.patch create mode 100644 tmp-5.10/hwrng-virtio-don-t-wait-on-cleanup.patch create mode 100644 tmp-5.10/hwrng-virtio-don-t-waste-entropy.patch create mode 100644 tmp-5.10/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch create mode 100644 tmp-5.10/i2c-qup-add-missing-unwind-goto-in-qup_i2c_probe.patch create mode 100644 tmp-5.10/i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch create mode 100644 tmp-5.10/i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch create mode 100644 tmp-5.10/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch create mode 100644 tmp-5.10/iavf-fix-use-after-free-in-free_netdev.patch create mode 100644 tmp-5.10/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch create mode 100644 tmp-5.10/ib-hfi1-fix-wrong-mmu_node-used-for-user-sdma-packet.patch create mode 100644 tmp-5.10/ib-hfi1-use-bitmap_zalloc-when-applicable.patch create mode 100644 tmp-5.10/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch create mode 100644 tmp-5.10/igb-fix-igb_down-hung-on-surprise-removal.patch create mode 100644 tmp-5.10/igc-enable-and-fix-rx-hash-usage-by-netstack.patch create mode 100644 tmp-5.10/igc-fix-inserting-of-empty-frame-for-launchtime.patch create mode 100644 tmp-5.10/igc-fix-launchtime-before-start-of-cycle.patch create mode 100644 tmp-5.10/igc-fix-race-condition-in-ptp-tx-code.patch create mode 100644 tmp-5.10/igc-remove-delay-during-tx-ring-configuration.patch create mode 100644 tmp-5.10/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch create mode 100644 tmp-5.10/ima-fix-build-warnings.patch create mode 100644 tmp-5.10/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch create mode 100644 tmp-5.10/input-drv260x-sleep-between-polling-go-bit.patch create mode 100644 tmp-5.10/integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch create mode 100644 tmp-5.10/io_uring-add-reschedule-point-to-handle_tw_list.patch create mode 
100644 tmp-5.10/io_uring-ensure-iopoll-locks-around-deferred-work.patch create mode 100644 tmp-5.10/io_uring-use-io_schedule-in-cqring-wait.patch create mode 100644 tmp-5.10/io_uring-wait-interruptibly-for-request-completions-on-exit.patch create mode 100644 tmp-5.10/ionic-remove-warn_on-to-prevent-panic_on_warn.patch create mode 100644 tmp-5.10/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch create mode 100644 tmp-5.10/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch create mode 100644 tmp-5.10/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch create mode 100644 tmp-5.10/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch create mode 100644 tmp-5.10/jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch create mode 100644 tmp-5.10/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch create mode 100644 tmp-5.10/kcsan-don-t-expect-64-bits-atomic-builtins-from-32-b.patch create mode 100644 tmp-5.10/kernfs-fix-missing-kernfs_idr_lock-to-remove-an-id-f.patch create mode 100644 tmp-5.10/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch create mode 100644 tmp-5.10/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch create mode 100644 tmp-5.10/kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch create mode 100644 tmp-5.10/kvm-s390-vsie-fix-the-length-of-apcb-bitmap.patch create mode 100644 tmp-5.10/leds-trigger-netdev-recheck-netdev_led_mode_linkup-on-dev-rename.patch create mode 100644 tmp-5.10/lib-ts_bm-reset-initial-match-offset-for-every-block.patch create mode 100644 tmp-5.10/libbpf-fix-offsetof-and-container_of-to-work-with-co.patch create mode 100644 tmp-5.10/llc-don-t-drop-packet-from-non-root-netns.patch create mode 100644 tmp-5.10/mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch create mode 100644 tmp-5.10/md-fix-data-corruption-for-raid456-when-reshape-rest.patch create mode 100644 tmp-5.10/md-raid0-add-discard-support-for-the-original-layout.patch create mode 100644 
tmp-5.10/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch create mode 100644 tmp-5.10/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch create mode 100644 tmp-5.10/md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch create mode 100644 tmp-5.10/md-raid10-fix-overflow-of-md-safe_mode_delay.patch create mode 100644 tmp-5.10/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch create mode 100644 tmp-5.10/md-raid10-prevent-soft-lockup-while-flush-writes.patch create mode 100644 tmp-5.10/media-atomisp-fix-variable-dereferenced-before-check-asd.patch create mode 100644 tmp-5.10/media-atomisp-gmin_platform-fix-out_len-in-gmin_get_.patch create mode 100644 tmp-5.10/media-cec-i2c-ch7322-also-select-regmap.patch create mode 100644 tmp-5.10/media-usb-check-az6007_read-return-value.patch create mode 100644 tmp-5.10/media-usb-siano-fix-warning-due-to-null-work_func_t-.patch create mode 100644 tmp-5.10/media-venus-helpers-fix-align-of-non-power-of-two.patch create mode 100644 tmp-5.10/media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch create mode 100644 tmp-5.10/memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch create mode 100644 tmp-5.10/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch create mode 100644 tmp-5.10/meson-saradc-fix-clock-divider-mask-length.patch create mode 100644 tmp-5.10/mfd-intel-lpss-add-missing-check-for-platform_get_re.patch create mode 100644 tmp-5.10/mfd-rt5033-drop-rt5033-battery-sub-device.patch create mode 100644 tmp-5.10/mfd-stmfx-fix-error-path-in-stmfx_chip_init.patch create mode 100644 tmp-5.10/mfd-stmfx-nullify-stmfx-vdd-in-case-of-error.patch create mode 100644 tmp-5.10/mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch create mode 100644 tmp-5.10/mips-loongson-fix-cpu_probe_loongson-again.patch create mode 100644 tmp-5.10/misc-fastrpc-create-fastrpc-scalar-with-correct-buffer-count.patch create mode 100644 tmp-5.10/misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch 
create mode 100644 tmp-5.10/misc-pci_endpoint_test-re-init-completion-for-every-test.patch create mode 100644 tmp-5.10/mm-rename-p4d_page_vaddr-to-p4d_pgtable-and-make-it-.patch create mode 100644 tmp-5.10/mm-rename-pud_page_vaddr-to-pud_pgtable-and-make-it-.patch create mode 100644 tmp-5.10/mmc-core-disable-trim-on-kingston-emmc04g-m627.patch create mode 100644 tmp-5.10/mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch create mode 100644 tmp-5.10/mmc-mmci-set-probe_prefer_asynchronous.patch create mode 100644 tmp-5.10/mmc-sdhci-fix-dma-configure-compatibility-issue-when-64bit-dma-mode-is-used.patch create mode 100644 tmp-5.10/modpost-fix-off-by-one-in-is_executable_section.patch create mode 100644 tmp-5.10/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch create mode 100644 tmp-5.10/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch create mode 100644 tmp-5.10/mtd-rawnand-meson-fix-unaligned-dma-buffers-handling.patch create mode 100644 tmp-5.10/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch create mode 100644 tmp-5.10/net-axienet-move-reset-before-64-bit-dma-detection.patch create mode 100644 tmp-5.10/net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch create mode 100644 tmp-5.10/net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch create mode 100644 tmp-5.10/net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch create mode 100644 tmp-5.10/net-create-netdev-dev_addr-assignment-helpers.patch create mode 100644 tmp-5.10/net-dsa-tag_sja1105-fix-mac-da-patching-from-meta-fr.patch create mode 100644 tmp-5.10/net-dsa-vsc73xx-fix-mtu-configuration.patch create mode 100644 tmp-5.10/net-ena-fix-shift-out-of-bounds-in-exponential-backoff.patch create mode 100644 tmp-5.10/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch create mode 100644 tmp-5.10/net-introduce-net.ipv4.tcp_migrate_req.patch create mode 100644 tmp-5.10/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch create mode 100644 
tmp-5.10/net-ipv6-check-return-value-of-pskb_trim.patch create mode 100644 tmp-5.10/net-lan743x-don-t-sleep-in-atomic-context.patch create mode 100644 tmp-5.10/net-mlx5e-check-for-not_ready-flag-state-after-locki.patch create mode 100644 tmp-5.10/net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch create mode 100644 tmp-5.10/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch create mode 100644 tmp-5.10/net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch create mode 100644 tmp-5.10/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch create mode 100644 tmp-5.10/net-prevent-skb-corruption-on-frag-list-segmentation.patch create mode 100644 tmp-5.10/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch create mode 100644 tmp-5.10/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch create mode 100644 tmp-5.10/net-sched-flower-ensure-both-minimum-and-maximum-por.patch create mode 100644 tmp-5.10/net-sched-make-psched_mtu-rtnl-less-safe.patch create mode 100644 tmp-5.10/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch create mode 100644 tmp-5.10/net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch create mode 100644 tmp-5.10/net-sched-sch_qfq-reintroduce-lmax-bound-check-for-mtu.patch create mode 100644 tmp-5.10/net-stmmac-fix-double-serdes-powerdown.patch create mode 100644 tmp-5.10/netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch create mode 100644 tmp-5.10/netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch create mode 100644 tmp-5.10/netfilter-conntrack-dccp-copy-entire-header-to-stack.patch create mode 100644 tmp-5.10/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch create mode 100644 tmp-5.10/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch create mode 100644 tmp-5.10/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch create mode 100644 tmp-5.10/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch create mode 100644 
tmp-5.10/netfilter-nf_tables-do-not-ignore-genmask-when-looking-up-chain-by-id.patch create mode 100644 tmp-5.10/netfilter-nf_tables-drop-map-element-references-from-preparation-phase.patch create mode 100644 tmp-5.10/netfilter-nf_tables-fix-chain-binding-transaction-logic.patch create mode 100644 tmp-5.10/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch create mode 100644 tmp-5.10/netfilter-nf_tables-fix-spurious-set-element-inserti.patch create mode 100644 tmp-5.10/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch create mode 100644 tmp-5.10/netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch create mode 100644 tmp-5.10/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch create mode 100644 tmp-5.10/netfilter-nf_tables-reject-unbound-chain-set-before-commit-phase.patch create mode 100644 tmp-5.10/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch create mode 100644 tmp-5.10/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch create mode 100644 tmp-5.10/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch create mode 100644 tmp-5.10/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch create mode 100644 tmp-5.10/netfilter-nft_set_pipapo-fix-improper-element-remova.patch create mode 100644 tmp-5.10/netfilter-nftables-rename-set-element-data-activation-deactivation-functions.patch create mode 100644 tmp-5.10/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch create mode 100644 tmp-5.10/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch create mode 100644 tmp-5.10/netlink-fix-potential-deadlock-in-netlink_set_err.patch create mode 100644 tmp-5.10/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch create mode 100644 tmp-5.10/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch create mode 100644 tmp-5.10/nfc-llcp-simplify-llcp_sock_connect-error-paths.patch create mode 100644 
tmp-5.10/nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch create mode 100644 tmp-5.10/nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch create mode 100644 tmp-5.10/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch create mode 100644 tmp-5.10/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch create mode 100644 tmp-5.10/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch create mode 100644 tmp-5.10/ntb-ntb_tool-add-check-for-devm_kcalloc.patch create mode 100644 tmp-5.10/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch create mode 100644 tmp-5.10/nubus-partially-revert-proc_create_single_data-conversion.patch create mode 100644 tmp-5.10/nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch create mode 100644 tmp-5.10/octeontx2-af-fix-mapping-for-nix-block-from-cgx-conn.patch create mode 100644 tmp-5.10/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch create mode 100644 tmp-5.10/ovl-update-of-dentry-revalidate-flags-after-copy-up.patch create mode 100644 tmp-5.10/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch create mode 100644 tmp-5.10/pci-add-pci_clear_master-stub-for-non-config_pci.patch create mode 100644 tmp-5.10/pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch create mode 100644 tmp-5.10/pci-cadence-fix-gen2-link-retraining-process.patch create mode 100644 tmp-5.10/pci-ftpci100-release-the-clock-resources.patch create mode 100644 tmp-5.10/pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch create mode 100644 tmp-5.10/pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch create mode 100644 tmp-5.10/pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch create mode 100644 tmp-5.10/pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch create mode 100644 tmp-5.10/pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch create mode 100644 
tmp-5.10/pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch create mode 100644 tmp-5.10/pci-rockchip-set-address-alignment-for-endpoint-mode.patch create mode 100644 tmp-5.10/pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch create mode 100644 tmp-5.10/pci-rockchip-write-pci-device-id-to-correct-register.patch create mode 100644 tmp-5.10/perf-arm-cmn-fix-dtc-reset.patch create mode 100644 tmp-5.10/perf-bench-add-missing-setlocale-call-to-allow-usage.patch create mode 100644 tmp-5.10/perf-bench-use-unbuffered-output-when-pipe-tee-ing-t.patch create mode 100644 tmp-5.10/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch create mode 100644 tmp-5.10/perf-ibs-fix-interface-via-core-pmu-events.patch create mode 100644 tmp-5.10/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch create mode 100644 tmp-5.10/perf-script-fix-allocation-of-evsel-priv-related-to-.patch create mode 100644 tmp-5.10/perf-script-fixup-struct-evsel_script-method-prefix.patch create mode 100644 tmp-5.10/phy-tegra-xusb-check-return-value-of-devm_kzalloc.patch create mode 100644 tmp-5.10/phy-tegra-xusb-clear-the-driver-reference-in-usb-phy-dev.patch create mode 100644 tmp-5.10/pinctrl-amd-detect-internal-gpio0-debounce-handling.patch create mode 100644 tmp-5.10/pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch create mode 100644 tmp-5.10/pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch create mode 100644 tmp-5.10/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch create mode 100644 tmp-5.10/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch create mode 100644 tmp-5.10/pinctrl-bcm2835-handle-gpiochip_add_pin_range-errors.patch create mode 100644 tmp-5.10/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch create mode 100644 tmp-5.10/platform-x86-wmi-break-possible-infinite-loop-when-p.patch create mode 100644 tmp-5.10/platform-x86-wmi-move-variables.patch create mode 100644 
tmp-5.10/platform-x86-wmi-remove-unnecessary-argument.patch create mode 100644 tmp-5.10/platform-x86-wmi-use-guid_t-and-guid_equal.patch create mode 100644 tmp-5.10/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch create mode 100644 tmp-5.10/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch create mode 100644 tmp-5.10/posix-timers-prevent-rt-livelock-in-itimer_delete.patch create mode 100644 tmp-5.10/powercap-rapl-fix-config_iosf_mbi-dependency.patch create mode 100644 tmp-5.10/powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch create mode 100644 tmp-5.10/powerpc-book3s64-mm-fix-directmap-stats-in-proc-memi.patch create mode 100644 tmp-5.10/powerpc-fail-build-if-using-recordmcount-with-binutils-v2.37.patch create mode 100644 tmp-5.10/powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch create mode 100644 tmp-5.10/powerpc-powernv-sriov-perform-null-check-on-iov-befo.patch create mode 100644 tmp-5.10/pptp-fix-fib-lookup-calls.patch create mode 100644 tmp-5.10/pstore-ram-add-check-for-kstrdup.patch create mode 100644 tmp-5.10/pwm-imx-tpm-force-real_period-to-be-zero-in-suspend.patch create mode 100644 tmp-5.10/pwm-sysfs-do-not-apply-state-to-already-disabled-pwm.patch create mode 100644 tmp-5.10/radeon-avoid-double-free-in-ci_dpm_init.patch create mode 100644 tmp-5.10/rcu-rcuscale-move-rcu_scale_-after-kfree_scale_clean.patch create mode 100644 tmp-5.10/rcu-rcuscale-stop-kfree_scale_thread-thread-s-after-.patch create mode 100644 tmp-5.10/rcu-tasks-mark-trc_reader_nesting-data-races.patch create mode 100644 tmp-5.10/rcu-tasks-mark-trc_reader_special.b.need_qs-data-races.patch create mode 100644 tmp-5.10/rcu-tasks-simplify-trc_read_check_handler-atomic-operations.patch create mode 100644 tmp-5.10/rcuscale-always-log-error-message.patch create mode 100644 tmp-5.10/rcuscale-console-output-claims-too-few-grace-periods.patch create mode 100644 tmp-5.10/rcuscale-move-shutdown-from-wait_event-to-wait_event.patch create mode 100644 
tmp-5.10/rdma-bnxt_re-avoid-calling-wake_up-threads-from-spin.patch create mode 100644 tmp-5.10/rdma-bnxt_re-disable-kill-tasklet-only-if-it-is-enab.patch create mode 100644 tmp-5.10/rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch create mode 100644 tmp-5.10/rdma-bnxt_re-fix-to-remove-unnecessary-return-labels.patch create mode 100644 tmp-5.10/rdma-bnxt_re-remove-a-redundant-check-inside-bnxt_re.patch create mode 100644 tmp-5.10/rdma-bnxt_re-use-unique-names-while-registering-inte.patch create mode 100644 tmp-5.10/rdma-bnxt_re-wraparound-mbox-producer-index.patch create mode 100644 tmp-5.10/rdma-cma-ensure-rdma_addr_cancel-happens-before-issuing-more-requests.patch create mode 100644 tmp-5.10/rdma-hns-clean-the-hardware-related-code-for-hem.patch create mode 100644 tmp-5.10/rdma-hns-fix-coding-style-issues.patch create mode 100644 tmp-5.10/rdma-hns-fix-hns_roce_table_get-return-value.patch create mode 100644 tmp-5.10/rdma-hns-use-refcount_t-apis-for-hem.patch create mode 100644 tmp-5.10/rdma-remove-uverbs_ex_cmd_mask-values-that-are-linke.patch create mode 100644 tmp-5.10/regmap-account-for-register-length-in-smbus-i-o-limits.patch create mode 100644 tmp-5.10/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch create mode 100644 tmp-5.10/regulator-core-fix-more-error-checking-for-debugfs_c.patch create mode 100644 tmp-5.10/regulator-core-streamline-debugfs-operations.patch create mode 100644 tmp-5.10/revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch create mode 100644 tmp-5.10/revert-f2fs-fix-potential-corruption-when-moving-a-directory.patch create mode 100644 tmp-5.10/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch create mode 100644 tmp-5.10/revert-thermal-drivers-mediatek-use-devm_of_iomap-to-avoid-resource-leak-in-mtk_thermal_probe.patch create mode 100644 tmp-5.10/revert-usb-common-usb-conn-gpio-set-last-role-to-unk.patch create mode 100644 tmp-5.10/ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch create 
mode 100644 tmp-5.10/riscv-bpf-avoid-breaking-w-x.patch create mode 100644 tmp-5.10/riscv-bpf-fix-inconsistent-jit-image-generation.patch create mode 100644 tmp-5.10/riscv-bpf-move-bpf_jit_alloc_exec-and-bpf_jit_free_e.patch create mode 100644 tmp-5.10/rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch create mode 100644 tmp-5.10/rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch create mode 100644 tmp-5.10/s390-decompressor-fix-misaligned-symbol-build-error.patch create mode 100644 tmp-5.10/s390-qeth-fix-vipa-deletion.patch create mode 100644 tmp-5.10/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch create mode 100644 tmp-5.10/samples-ftrace-save-required-argument-registers-in-sample-trampolines.patch create mode 100644 tmp-5.10/sched-fair-don-t-balance-task-to-its-current-running.patch create mode 100644 tmp-5.10/scripts-tags.sh-resolve-gtags-empty-index-generation.patch create mode 100644 tmp-5.10/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch create mode 100644 tmp-5.10/scsi-qedf-fix-null-dereference-in-error-handling.patch create mode 100644 tmp-5.10/scsi-qla2xxx-array-index-may-go-out-of-bound.patch create mode 100644 tmp-5.10/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch create mode 100644 tmp-5.10/scsi-qla2xxx-correct-the-index-of-array.patch create mode 100644 tmp-5.10/scsi-qla2xxx-fix-buffer-overrun.patch create mode 100644 tmp-5.10/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch create mode 100644 tmp-5.10/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch create mode 100644 tmp-5.10/scsi-qla2xxx-pointer-may-be-dereferenced.patch create mode 100644 tmp-5.10/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch create mode 100644 tmp-5.10/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch create mode 100644 tmp-5.10/sctp-add-bpf_bypass_getsockopt-proto-callback.patch create mode 100644 tmp-5.10/sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch create mode 100644 
tmp-5.10/security-keys-modify-mismatched-function-name.patch create mode 100644 tmp-5.10/selftests-bpf-add-verifier-test-for-ptr_to_mem-spill.patch create mode 100644 tmp-5.10/selftests-rtnetlink-remove-netdevsim-device-after-ip.patch create mode 100644 tmp-5.10/selftests-tc-add-ct-action-kconfig-dep.patch create mode 100644 tmp-5.10/selftests-tc-set-timeout-to-15-minutes.patch create mode 100644 tmp-5.10/serial-8250-lock-port-for-stop_rx-in-omap8250_irq.patch create mode 100644 tmp-5.10/serial-8250-lock-port-for-uart_ier-access-in-omap825.patch create mode 100644 tmp-5.10/serial-8250-omap-fix-freeing-of-resources-on-failed-.patch create mode 100644 tmp-5.10/serial-8250_omap-use-force_suspend-and-resume-for-sy.patch create mode 100644 tmp-5.10/serial-atmel-don-t-enable-irqs-prematurely.patch create mode 100644 tmp-5.10/series create mode 100644 tmp-5.10/sfc-fix-crash-when-reading-stats-while-nic-is-resett.patch create mode 100644 tmp-5.10/sh-dma-fix-dma-channel-offset-calculation.patch create mode 100644 tmp-5.10/sh-j2-use-ioremap-to-translate-device-tree-address-i.patch create mode 100644 tmp-5.10/sh-pgtable-3level-fix-cast-to-pointer-from-integer-of-different-size.patch create mode 100644 tmp-5.10/shmem-use-ramfs_kill_sb-for-kill_sb-method-of-ramfs-based-tmpfs.patch create mode 100644 tmp-5.10/soc-fsl-qe-fix-usb.c-build-errors.patch create mode 100644 tmp-5.10/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch create mode 100644 tmp-5.10/spi-bcm63xx-fix-max-prepend-length.patch create mode 100644 tmp-5.10/spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch create mode 100644 tmp-5.10/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch create mode 100644 tmp-5.10/tcp-annotate-data-races-around-fastopenq.max_qlen.patch create mode 100644 tmp-5.10/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch create mode 100644 tmp-5.10/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch create mode 100644 
tmp-5.10/tcp-annotate-data-races-around-rskq_defer_accept.patch create mode 100644 tmp-5.10/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch create mode 100644 tmp-5.10/tcp-annotate-data-races-around-tp-keepalive_intvl.patch create mode 100644 tmp-5.10/tcp-annotate-data-races-around-tp-keepalive_probes.patch create mode 100644 tmp-5.10/tcp-annotate-data-races-around-tp-keepalive_time.patch create mode 100644 tmp-5.10/tcp-annotate-data-races-around-tp-linger2.patch create mode 100644 tmp-5.10/tcp-annotate-data-races-around-tp-notsent_lowat.patch create mode 100644 tmp-5.10/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch create mode 100644 tmp-5.10/tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch create mode 100644 tmp-5.10/tcp-fix-data-races-around-sysctl_tcp_syn-ack-_retrie.patch create mode 100644 tmp-5.10/test_firmware-return-enomem-instead-of-enospc-on-fai.patch create mode 100644 tmp-5.10/thermal-drivers-sun8i-fix-some-error-handling-paths-.patch create mode 100644 tmp-5.10/tpm-tpm_tis-claim-locality-in-interrupt-handler.patch create mode 100644 tmp-5.10/tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch create mode 100644 tmp-5.10/tracing-fix-memory-leak-of-iter-temp-when-reading-trace_pipe.patch create mode 100644 tmp-5.10/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch create mode 100644 tmp-5.10/tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch create mode 100644 tmp-5.10/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch create mode 100644 tmp-5.10/tracing-probes-fix-not-to-count-error-code-to-total-length.patch create mode 100644 tmp-5.10/tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch create mode 100644 tmp-5.10/tty-serial-fsl_lpuart-add-earlycon-for-imx8ulp-platform.patch create mode 100644 tmp-5.10/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch create mode 100644 
tmp-5.10/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch create mode 100644 tmp-5.10/udp6-fix-udp6_ehashfn-typo.patch create mode 100644 tmp-5.10/um-use-host_dir-for-mrproper.patch create mode 100644 tmp-5.10/usb-common-usb-conn-gpio-set-last-role-to-unknown-be.patch create mode 100644 tmp-5.10/usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch create mode 100644 tmp-5.10/usb-dwc3-meson-g12a-fix-an-error-handling-path-in-dw.patch create mode 100644 tmp-5.10/usb-dwc3-qcom-fix-an-error-handling-path-in-dwc3_qco.patch create mode 100644 tmp-5.10/usb-dwc3-qcom-fix-potential-memory-leak.patch create mode 100644 tmp-5.10/usb-dwc3-qcom-release-the-correct-resources-in-dwc3_.patch create mode 100644 tmp-5.10/usb-gadget-u_serial-add-null-pointer-check-in-gseria.patch create mode 100644 tmp-5.10/usb-hide-unused-usbfs_notify_suspend-resume-function.patch create mode 100644 tmp-5.10/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch create mode 100644 tmp-5.10/usb-serial-option-add-lara-r6-01b-pids.patch create mode 100644 tmp-5.10/video-imsttfb-check-for-ioremap-failures.patch create mode 100644 tmp-5.10/w1-fix-loop-in-w1_fini.patch create mode 100644 tmp-5.10/w1-w1_therm-fix-locking-behavior-in-convert_t.patch create mode 100644 tmp-5.10/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch create mode 100644 tmp-5.10/watchdog-perf-more-properly-prevent-false-positives-.patch create mode 100644 tmp-5.10/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch create mode 100644 tmp-5.10/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch create mode 100644 tmp-5.10/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch create mode 100644 tmp-5.10/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch create mode 100644 tmp-5.10/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch create mode 100644 tmp-5.10/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch create mode 
100644 tmp-5.10/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch create mode 100644 tmp-5.10/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch create mode 100644 tmp-5.10/wifi-cfg80211-rewrite-merging-of-inherited-elements.patch create mode 100644 tmp-5.10/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch create mode 100644 tmp-5.10/wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch create mode 100644 tmp-5.10/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch create mode 100644 tmp-5.10/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch create mode 100644 tmp-5.10/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch create mode 100644 tmp-5.10/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch create mode 100644 tmp-5.10/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch create mode 100644 tmp-5.10/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch create mode 100644 tmp-5.10/wifi-rsi-do-not-configure-wowlan-in-shutdown-hook-if.patch create mode 100644 tmp-5.10/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch create mode 100644 tmp-5.10/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch create mode 100644 tmp-5.10/wifi-wilc1000-fix-for-absent-rsn-capabilities-wfa-te.patch create mode 100644 tmp-5.10/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch create mode 100644 tmp-5.10/wireguard-netlink-send-staged-packets-when-setting-initial-private-key.patch create mode 100644 tmp-5.10/wireguard-queueing-use-saner-cpu-selection-wrapping.patch create mode 100644 tmp-5.10/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch create mode 100644 tmp-5.10/wl3501_cs-use-eth_hw_addr_set.patch create mode 100644 tmp-5.10/workqueue-clean-up-work_-constant-types-clarify-masking.patch create mode 100644 tmp-5.10/x86-cpu-amd-add-a-zenbleed-fix.patch create mode 100644 tmp-5.10/x86-cpu-amd-move-the-errata-checking-functionality-up.patch create mode 100644 
tmp-5.10/x86-microcode-amd-load-late-on-both-threads-too.patch create mode 100644 tmp-5.10/x86-mm-fix-__swp_entry_to_pte-for-xen-pv-guests.patch create mode 100644 tmp-5.10/x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch create mode 100644 tmp-5.10/x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch create mode 100644 tmp-5.10/xhci-fix-resume-issue-of-some-zhaoxin-hosts.patch create mode 100644 tmp-5.10/xhci-fix-trb-prefetch-issue-of-zhaoxin-hosts.patch create mode 100644 tmp-5.10/xhci-show-zhaoxin-xhci-root-hub-speed-correctly.patch create mode 100644 tmp-5.10/xsk-honor-so_bindtodevice-on-bind.patch create mode 100644 tmp-5.10/xtensa-iss-fix-call-to-split_if_spec.patch create mode 100644 tmp-5.15/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch create mode 100644 tmp-5.15/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch create mode 100644 tmp-5.15/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch create mode 100644 tmp-5.15/alsa-hda-realtek-remove-3k-pull-low-procedure.patch create mode 100644 tmp-5.15/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch create mode 100644 tmp-5.15/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch create mode 100644 tmp-5.15/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch create mode 100644 tmp-5.15/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch create mode 100644 tmp-5.15/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch create mode 100644 tmp-5.15/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch create mode 100644 tmp-5.15/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch create mode 100644 tmp-5.15/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch create mode 100644 tmp-5.15/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch create mode 100644 tmp-5.15/bridge-add-extack-warning-when-enabling-stp-in-netns.patch create mode 100644 
tmp-5.15/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch create mode 100644 tmp-5.15/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch create mode 100644 tmp-5.15/can-bcm-fix-uaf-in-bcm_proc_show.patch create mode 100644 tmp-5.15/can-raw-fix-receiver-memory-leak.patch create mode 100644 tmp-5.15/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch create mode 100644 tmp-5.15/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch create mode 100644 tmp-5.15/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch create mode 100644 tmp-5.15/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch create mode 100644 tmp-5.15/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch create mode 100644 tmp-5.15/ethernet-use-eth_hw_addr_set-instead-of-ether_addr_c.patch create mode 100644 tmp-5.15/ethernet-use-of_get_ethdev_address.patch create mode 100644 tmp-5.15/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch create mode 100644 tmp-5.15/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch create mode 100644 tmp-5.15/fbdev-imxfb-warn-about-invalid-left-right-margin.patch create mode 100644 tmp-5.15/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch create mode 100644 tmp-5.15/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch create mode 100644 tmp-5.15/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch create mode 100644 tmp-5.15/fuse-ioctl-translate-enosys-in-outarg.patch create mode 100644 tmp-5.15/fuse-revalidate-don-t-invalidate-if-interrupted.patch create mode 100644 tmp-5.15/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch create mode 100644 tmp-5.15/iavf-fix-use-after-free-in-free_netdev.patch create mode 100644 tmp-5.15/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch create mode 100644 tmp-5.15/jbd2-recheck-chechpointing-non-dirty-buffer.patch create mode 100644 
tmp-5.15/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch create mode 100644 tmp-5.15/llc-don-t-drop-packet-from-non-root-netns.patch create mode 100644 tmp-5.15/mips-dec-prom-address-warray-bounds-warning.patch create mode 100644 tmp-5.15/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch create mode 100644 tmp-5.15/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch create mode 100644 tmp-5.15/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch create mode 100644 tmp-5.15/net-ipv6-check-return-value-of-pskb_trim.patch create mode 100644 tmp-5.15/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch create mode 100644 tmp-5.15/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch create mode 100644 tmp-5.15/netfilter-nf_tables-fix-spurious-set-element-inserti.patch create mode 100644 tmp-5.15/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch create mode 100644 tmp-5.15/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch create mode 100644 tmp-5.15/netfilter-nft_set_pipapo-fix-improper-element-remova.patch create mode 100644 tmp-5.15/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch create mode 100644 tmp-5.15/of-net-add-a-helper-for-loading-netdev-dev_addr.patch create mode 100644 tmp-5.15/perf-build-fix-library-not-found-error-when-using-cs.patch create mode 100644 tmp-5.15/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch create mode 100644 tmp-5.15/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch create mode 100644 tmp-5.15/quota-fix-warning-in-dqgrab.patch create mode 100644 tmp-5.15/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch create mode 100644 tmp-5.15/regmap-account-for-register-length-in-smbus-i-o-limits.patch create mode 100644 tmp-5.15/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch create mode 100644 tmp-5.15/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch create mode 100644 
tmp-5.15/security-keys-modify-mismatched-function-name.patch create mode 100644 tmp-5.15/selftests-tc-add-conntrack-procfs-kconfig.patch create mode 100644 tmp-5.15/selftests-tc-add-ct-action-kconfig-dep.patch create mode 100644 tmp-5.15/selftests-tc-set-timeout-to-15-minutes.patch create mode 100644 tmp-5.15/series create mode 100644 tmp-5.15/spi-bcm63xx-fix-max-prepend-length.patch create mode 100644 tmp-5.15/tcp-annotate-data-races-around-fastopenq.max_qlen.patch create mode 100644 tmp-5.15/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch create mode 100644 tmp-5.15/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch create mode 100644 tmp-5.15/tcp-annotate-data-races-around-rskq_defer_accept.patch create mode 100644 tmp-5.15/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch create mode 100644 tmp-5.15/tcp-annotate-data-races-around-tp-keepalive_intvl.patch create mode 100644 tmp-5.15/tcp-annotate-data-races-around-tp-keepalive_probes.patch create mode 100644 tmp-5.15/tcp-annotate-data-races-around-tp-keepalive_time.patch create mode 100644 tmp-5.15/tcp-annotate-data-races-around-tp-linger2.patch create mode 100644 tmp-5.15/tcp-annotate-data-races-around-tp-notsent_lowat.patch create mode 100644 tmp-5.15/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch create mode 100644 tmp-5.15/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch create mode 100644 tmp-5.15/udf-fix-uninitialized-array-access-for-some-pathname.patch create mode 100644 tmp-5.15/x86-cpu-amd-add-a-zenbleed-fix.patch create mode 100644 tmp-5.15/x86-cpu-amd-move-the-errata-checking-functionality-up.patch create mode 100644 tmp-5.4/add-module_firmware-for-firmware_tg357766.patch create mode 100644 tmp-5.4/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch create mode 100644 tmp-5.4/alsa-jack-fix-mutex-call-in-snd_jack_report.patch create mode 100644 tmp-5.4/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch create mode 
100644 tmp-5.4/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch create mode 100644 tmp-5.4/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch create mode 100644 tmp-5.4/arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch create mode 100644 tmp-5.4/arm-ep93xx-fix-missing-prototype-warnings.patch create mode 100644 tmp-5.4/arm-orion5x-fix-d2net-gpio-initialization.patch create mode 100644 tmp-5.4/arm64-dts-qcom-msm8916-correct-camss-unit-address.patch create mode 100644 tmp-5.4/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch create mode 100644 tmp-5.4/arm64-mm-fix-va-range-sanity-check.patch create mode 100644 tmp-5.4/asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch create mode 100644 tmp-5.4/asoc-es8316-increment-max-value-for-alc-capture-targ.patch create mode 100644 tmp-5.4/asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch create mode 100644 tmp-5.4/bcache-remove-unnecessary-null-point-check-in-node-allocations.patch create mode 100644 tmp-5.4/bgmac-fix-initial-chip-reset-to-support-bcm5358.patch create mode 100644 tmp-5.4/block-add-overflow-checks-for-amiga-partition-support.patch create mode 100644 tmp-5.4/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch create mode 100644 tmp-5.4/block-fix-signed-int-overflow-in-amiga-partition-support.patch create mode 100644 tmp-5.4/block-partition-fix-signedness-issue-for-amiga-partitions.patch create mode 100644 tmp-5.4/bpf-address-kcsan-report-on-bpf_lru_list.patch create mode 100644 tmp-5.4/btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch create mode 100644 tmp-5.4/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch create mode 100644 tmp-5.4/can-bcm-fix-uaf-in-bcm_proc_show.patch create mode 100644 tmp-5.4/ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch create mode 100644 tmp-5.4/clk-cdce925-check-return-value-of-kasprintf.patch create mode 100644 
tmp-5.4/clk-keystone-sci-clk-check-return-value-of-kasprintf.patch create mode 100644 tmp-5.4/clk-tegra-tegra124-emc-fix-potential-memory-leak.patch create mode 100644 tmp-5.4/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch create mode 100644 tmp-5.4/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch create mode 100644 tmp-5.4/cls_flower-add-extack-support-for-src-and-dst-port-r.patch create mode 100644 tmp-5.4/crypto-marvell-cesa-fix-type-mismatch-warning.patch create mode 100644 tmp-5.4/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch create mode 100644 tmp-5.4/crypto-skcipher-remove-crypto_has_ablkcipher.patch create mode 100644 tmp-5.4/crypto-skcipher-unify-the-crypto_has_skcipher-functi.patch create mode 100644 tmp-5.4/debugobjects-recheck-debug_objects_enabled-before-re.patch create mode 100644 tmp-5.4/devlink-report-devlink_port_type_warn-source-device.patch create mode 100644 tmp-5.4/drm-amdgpu-validate-vm-ioctl-flags.patch create mode 100644 tmp-5.4/drm-amdkfd-fix-potential-deallocation-of-previously-.patch create mode 100644 tmp-5.4/drm-atomic-allow-vblank-enabled-self-refresh-disable.patch create mode 100644 tmp-5.4/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch create mode 100644 tmp-5.4/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch create mode 100644 tmp-5.4/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch create mode 100644 tmp-5.4/drm-i915-initialise-outparam-for-error-return-from-wait_for_register.patch create mode 100644 tmp-5.4/drm-panel-add-and-fill-drm_panel-type-field.patch create mode 100644 tmp-5.4/drm-panel-initialise-panel-dev-and-funcs-through-drm.patch create mode 100644 tmp-5.4/drm-panel-simple-add-connector_type-for-innolux_at04.patch create mode 100644 tmp-5.4/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch create mode 100644 tmp-5.4/drm-radeon-fix-possible-division-by-zero-errors.patch create mode 100644 
tmp-5.4/drm-rockchip-vop-leave-vblank-enabled-in-self-refresh.patch create mode 100644 tmp-5.4/drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch create mode 100644 tmp-5.4/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch create mode 100644 tmp-5.4/erofs-fix-compact-4b-support-for-16k-block-size.patch create mode 100644 tmp-5.4/evm-complete-description-of-evm_inode_setattr.patch create mode 100644 tmp-5.4/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch create mode 100644 tmp-5.4/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch create mode 100644 tmp-5.4/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch create mode 100644 tmp-5.4/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch create mode 100644 tmp-5.4/ext4-remove-ext4-locking-of-moved-directory.patch create mode 100644 tmp-5.4/extcon-fix-kernel-doc-of-property-capability-fields-.patch create mode 100644 tmp-5.4/extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch create mode 100644 tmp-5.4/f2fs-fix-error-path-handling-in-truncate_dnode.patch create mode 100644 tmp-5.4/fanotify-disallow-mount-sb-marks-on-kernel-internal-pseudo-fs.patch create mode 100644 tmp-5.4/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch create mode 100644 tmp-5.4/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch create mode 100644 tmp-5.4/fbdev-imxfb-warn-about-invalid-left-right-margin.patch create mode 100644 tmp-5.4/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch create mode 100644 tmp-5.4/firmware-stratix10-svc-fix-a-potential-resource-leak-in-svc_create_memory_pool.patch create mode 100644 tmp-5.4/fs-avoid-empty-option-when-generating-legacy-mount-string.patch create mode 100644 tmp-5.4/fs-dlm-return-positive-pid-value-for-f_getlk.patch create mode 100644 tmp-5.4/fs-establish-locking-order-for-unrelated-directories.patch create mode 100644 tmp-5.4/fs-lock-moved-directories.patch create mode 100644 
tmp-5.4/fs-no-need-to-check-source.patch create mode 100644 tmp-5.4/fuse-revalidate-don-t-invalidate-if-interrupted.patch create mode 100644 tmp-5.4/gfs2-don-t-deref-jdesc-in-evict.patch create mode 100644 tmp-5.4/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch create mode 100644 tmp-5.4/hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch create mode 100644 tmp-5.4/hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch create mode 100644 tmp-5.4/hwrng-st-fix-w-1-unused-variable-warning.patch create mode 100644 tmp-5.4/hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch create mode 100644 tmp-5.4/hwrng-virtio-add-an-internal-buffer.patch create mode 100644 tmp-5.4/hwrng-virtio-always-add-a-pending-request.patch create mode 100644 tmp-5.4/hwrng-virtio-don-t-wait-on-cleanup.patch create mode 100644 tmp-5.4/hwrng-virtio-don-t-waste-entropy.patch create mode 100644 tmp-5.4/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch create mode 100644 tmp-5.4/i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch create mode 100644 tmp-5.4/i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch create mode 100644 tmp-5.4/iavf-fix-use-after-free-in-free_netdev.patch create mode 100644 tmp-5.4/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch create mode 100644 tmp-5.4/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch create mode 100644 tmp-5.4/igb-fix-igb_down-hung-on-surprise-removal.patch create mode 100644 tmp-5.4/igc-remove-delay-during-tx-ring-configuration.patch create mode 100644 tmp-5.4/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch create mode 100644 tmp-5.4/ima-fix-build-warnings.patch create mode 100644 tmp-5.4/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch create mode 100644 tmp-5.4/input-drv260x-sleep-between-polling-go-bit.patch create mode 100644 tmp-5.4/integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch create mode 100644 
tmp-5.4/ionic-clean-irq-affinity-on-queue-deinit.patch create mode 100644 tmp-5.4/ionic-improve-irq-numa-locality.patch create mode 100644 tmp-5.4/ionic-ionic_intr_free-parameter-change.patch create mode 100644 tmp-5.4/ionic-move-irq-request-to-qcq-alloc.patch create mode 100644 tmp-5.4/ionic-remove-warn_on-to-prevent-panic_on_warn.patch create mode 100644 tmp-5.4/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch create mode 100644 tmp-5.4/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch create mode 100644 tmp-5.4/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch create mode 100644 tmp-5.4/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch create mode 100644 tmp-5.4/jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch create mode 100644 tmp-5.4/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch create mode 100644 tmp-5.4/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch create mode 100644 tmp-5.4/kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch create mode 100644 tmp-5.4/kvm-s390-vsie-fix-the-length-of-apcb-bitmap.patch create mode 100644 tmp-5.4/lib-ts_bm-reset-initial-match-offset-for-every-block.patch create mode 100644 tmp-5.4/llc-don-t-drop-packet-from-non-root-netns.patch create mode 100644 tmp-5.4/mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch create mode 100644 tmp-5.4/md-fix-data-corruption-for-raid456-when-reshape-rest.patch create mode 100644 tmp-5.4/md-raid0-add-discard-support-for-the-original-layout.patch create mode 100644 tmp-5.4/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch create mode 100644 tmp-5.4/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch create mode 100644 tmp-5.4/md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch create mode 100644 tmp-5.4/md-raid10-fix-overflow-of-md-safe_mode_delay.patch create mode 100644 tmp-5.4/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch create mode 100644 
tmp-5.4/md-raid10-prevent-soft-lockup-while-flush-writes.patch create mode 100644 tmp-5.4/media-usb-check-az6007_read-return-value.patch create mode 100644 tmp-5.4/media-usb-siano-fix-warning-due-to-null-work_func_t-.patch create mode 100644 tmp-5.4/media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch create mode 100644 tmp-5.4/memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch create mode 100644 tmp-5.4/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch create mode 100644 tmp-5.4/meson-saradc-fix-clock-divider-mask-length.patch create mode 100644 tmp-5.4/mfd-intel-lpss-add-missing-check-for-platform_get_re.patch create mode 100644 tmp-5.4/mfd-rt5033-drop-rt5033-battery-sub-device.patch create mode 100644 tmp-5.4/mfd-stmfx-fix-error-path-in-stmfx_chip_init.patch create mode 100644 tmp-5.4/mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch create mode 100644 tmp-5.4/misc-fastrpc-create-fastrpc-scalar-with-correct-buffer-count.patch create mode 100644 tmp-5.4/misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch create mode 100644 tmp-5.4/misc-pci_endpoint_test-re-init-completion-for-every-test.patch create mode 100644 tmp-5.4/mmc-core-disable-trim-on-kingston-emmc04g-m627.patch create mode 100644 tmp-5.4/mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch create mode 100644 tmp-5.4/mmc-sdhci-fix-dma-configure-compatibility-issue-when-64bit-dma-mode-is-used.patch create mode 100644 tmp-5.4/modpost-fix-off-by-one-in-is_executable_section.patch create mode 100644 tmp-5.4/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch create mode 100644 tmp-5.4/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch create mode 100644 tmp-5.4/mtd-rawnand-meson-fix-unaligned-dma-buffers-handling.patch create mode 100644 tmp-5.4/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch create mode 100644 tmp-5.4/net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch create mode 100644 
tmp-5.4/net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch create mode 100644 tmp-5.4/net-create-netdev-dev_addr-assignment-helpers.patch create mode 100644 tmp-5.4/net-dsa-tag_sja1105-fix-mac-da-patching-from-meta-fr.patch create mode 100644 tmp-5.4/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch create mode 100644 tmp-5.4/net-ipv6-check-return-value-of-pskb_trim.patch create mode 100644 tmp-5.4/net-lan743x-don-t-sleep-in-atomic-context.patch create mode 100644 tmp-5.4/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch create mode 100644 tmp-5.4/net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch create mode 100644 tmp-5.4/net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch create mode 100644 tmp-5.4/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch create mode 100644 tmp-5.4/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch create mode 100644 tmp-5.4/net-sched-flower-ensure-both-minimum-and-maximum-por.patch create mode 100644 tmp-5.4/net-sched-make-psched_mtu-rtnl-less-safe.patch create mode 100644 tmp-5.4/netfilter-add-helper-function-to-set-up-the-nfnetlink-header-and-use-it.patch create mode 100644 tmp-5.4/netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch create mode 100644 tmp-5.4/netfilter-conntrack-dccp-copy-entire-header-to-stack.patch create mode 100644 tmp-5.4/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch create mode 100644 tmp-5.4/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch create mode 100644 tmp-5.4/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch create mode 100644 tmp-5.4/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch create mode 100644 tmp-5.4/netfilter-nf_tables-fix-nat-hook-table-deletion.patch create mode 100644 tmp-5.4/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch create mode 100644 tmp-5.4/netfilter-nf_tables-fix-spurious-set-element-inserti.patch create mode 100644 
tmp-5.4/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch create mode 100644 tmp-5.4/netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch create mode 100644 tmp-5.4/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch create mode 100644 tmp-5.4/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch create mode 100644 tmp-5.4/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch create mode 100644 tmp-5.4/netfilter-nftables-add-helper-function-to-set-the-base-sequence-number.patch create mode 100644 tmp-5.4/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch create mode 100644 tmp-5.4/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch create mode 100644 tmp-5.4/netlink-fix-potential-deadlock-in-netlink_set_err.patch create mode 100644 tmp-5.4/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch create mode 100644 tmp-5.4/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch create mode 100644 tmp-5.4/nfc-llcp-simplify-llcp_sock_connect-error-paths.patch create mode 100644 tmp-5.4/nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch create mode 100644 tmp-5.4/nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch create mode 100644 tmp-5.4/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch create mode 100644 tmp-5.4/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch create mode 100644 tmp-5.4/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch create mode 100644 tmp-5.4/ntb-ntb_tool-add-check-for-devm_kcalloc.patch create mode 100644 tmp-5.4/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch create mode 100644 tmp-5.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch create mode 100644 tmp-5.4/pci-add-pci_clear_master-stub-for-non-config_pci.patch create mode 100644 tmp-5.4/pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch create mode 100644 
tmp-5.4/pci-ftpci100-release-the-clock-resources.patch create mode 100644 tmp-5.4/pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch create mode 100644 tmp-5.4/pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch create mode 100644 tmp-5.4/pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch create mode 100644 tmp-5.4/pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch create mode 100644 tmp-5.4/pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch create mode 100644 tmp-5.4/pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch create mode 100644 tmp-5.4/pci-rockchip-set-address-alignment-for-endpoint-mode.patch create mode 100644 tmp-5.4/pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch create mode 100644 tmp-5.4/pci-rockchip-write-pci-device-id-to-correct-register.patch create mode 100644 tmp-5.4/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch create mode 100644 tmp-5.4/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch create mode 100644 tmp-5.4/pinctrl-amd-detect-internal-gpio0-debounce-handling.patch create mode 100644 tmp-5.4/pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch create mode 100644 tmp-5.4/pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch create mode 100644 tmp-5.4/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch create mode 100644 tmp-5.4/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch create mode 100644 tmp-5.4/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch create mode 100644 tmp-5.4/platform-x86-wmi-break-possible-infinite-loop-when-p.patch create mode 100644 tmp-5.4/platform-x86-wmi-fix-indentation-in-some-cases.patch create mode 100644 tmp-5.4/platform-x86-wmi-move-variables.patch create mode 100644 tmp-5.4/platform-x86-wmi-remove-unnecessary-argument.patch create mode 100644 
tmp-5.4/platform-x86-wmi-replace-uuid-redefinitions-by-their.patch create mode 100644 tmp-5.4/platform-x86-wmi-use-guid_t-and-guid_equal.patch create mode 100644 tmp-5.4/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch create mode 100644 tmp-5.4/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch create mode 100644 tmp-5.4/powercap-rapl-fix-config_iosf_mbi-dependency.patch create mode 100644 tmp-5.4/powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch create mode 100644 tmp-5.4/powerpc-fail-build-if-using-recordmcount-with-binutils-v2.37.patch create mode 100644 tmp-5.4/powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch create mode 100644 tmp-5.4/pstore-ram-add-check-for-kstrdup.patch create mode 100644 tmp-5.4/pwm-imx-tpm-force-real_period-to-be-zero-in-suspend.patch create mode 100644 tmp-5.4/pwm-sysfs-do-not-apply-state-to-already-disabled-pwm.patch create mode 100644 tmp-5.4/radeon-avoid-double-free-in-ci_dpm_init.patch create mode 100644 tmp-5.4/rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch create mode 100644 tmp-5.4/regulator-core-fix-more-error-checking-for-debugfs_c.patch create mode 100644 tmp-5.4/regulator-core-streamline-debugfs-operations.patch create mode 100644 tmp-5.4/revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch create mode 100644 tmp-5.4/revert-f2fs-fix-potential-corruption-when-moving-a-directory.patch create mode 100644 tmp-5.4/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch create mode 100644 tmp-5.4/ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch create mode 100644 tmp-5.4/rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch create mode 100644 tmp-5.4/rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch create mode 100644 tmp-5.4/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch create mode 100644 tmp-5.4/sched-fair-don-t-balance-task-to-its-current-running.patch create mode 100644 tmp-5.4/scripts-tags.sh-resolve-gtags-empty-index-generation.patch create 
mode 100644 tmp-5.4/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch create mode 100644 tmp-5.4/scsi-qedf-fix-null-dereference-in-error-handling.patch create mode 100644 tmp-5.4/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch create mode 100644 tmp-5.4/scsi-qla2xxx-correct-the-index-of-array.patch create mode 100644 tmp-5.4/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch create mode 100644 tmp-5.4/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch create mode 100644 tmp-5.4/scsi-qla2xxx-pointer-may-be-dereferenced.patch create mode 100644 tmp-5.4/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch create mode 100644 tmp-5.4/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch create mode 100644 tmp-5.4/sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch create mode 100644 tmp-5.4/selftests-rtnetlink-remove-netdevsim-device-after-ip.patch create mode 100644 tmp-5.4/selftests-tc-set-timeout-to-15-minutes.patch create mode 100644 tmp-5.4/serial-8250_omap-use-force_suspend-and-resume-for-sy.patch create mode 100644 tmp-5.4/serial-atmel-don-t-enable-irqs-prematurely.patch create mode 100644 tmp-5.4/series create mode 100644 tmp-5.4/sh-dma-fix-dma-channel-offset-calculation.patch create mode 100644 tmp-5.4/sh-j2-use-ioremap-to-translate-device-tree-address-i.patch create mode 100644 tmp-5.4/soc-fsl-qe-fix-usb.c-build-errors.patch create mode 100644 tmp-5.4/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch create mode 100644 tmp-5.4/spi-bcm63xx-fix-max-prepend-length.patch create mode 100644 tmp-5.4/spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch create mode 100644 tmp-5.4/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch create mode 100644 tmp-5.4/tcp-annotate-data-races-around-fastopenq.max_qlen.patch create mode 100644 tmp-5.4/tcp-annotate-data-races-around-rskq_defer_accept.patch create mode 100644 tmp-5.4/tcp-annotate-data-races-around-tp-linger2.patch create mode 100644 
tmp-5.4/tcp-annotate-data-races-around-tp-notsent_lowat.patch create mode 100644 tmp-5.4/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch create mode 100644 tmp-5.4/tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch create mode 100644 tmp-5.4/tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch create mode 100644 tmp-5.4/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch create mode 100644 tmp-5.4/tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch create mode 100644 tmp-5.4/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch create mode 100644 tmp-5.4/tracing-probes-fix-not-to-count-error-code-to-total-length.patch create mode 100644 tmp-5.4/tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch create mode 100644 tmp-5.4/tty-serial-fsl_lpuart-add-earlycon-for-imx8ulp-platform.patch create mode 100644 tmp-5.4/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch create mode 100644 tmp-5.4/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch create mode 100644 tmp-5.4/udp6-fix-udp6_ehashfn-typo.patch create mode 100644 tmp-5.4/usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch create mode 100644 tmp-5.4/usb-dwc3-qcom-fix-potential-memory-leak.patch create mode 100644 tmp-5.4/usb-dwc3-qcom-release-the-correct-resources-in-dwc3_.patch create mode 100644 tmp-5.4/usb-hide-unused-usbfs_notify_suspend-resume-function.patch create mode 100644 tmp-5.4/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch create mode 100644 tmp-5.4/usb-serial-option-add-lara-r6-01b-pids.patch create mode 100644 tmp-5.4/video-imsttfb-check-for-ioremap-failures.patch create mode 100644 tmp-5.4/w1-fix-loop-in-w1_fini.patch create mode 100644 tmp-5.4/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch create mode 100644 
tmp-5.4/watchdog-perf-more-properly-prevent-false-positives-.patch create mode 100644 tmp-5.4/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch create mode 100644 tmp-5.4/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch create mode 100644 tmp-5.4/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch create mode 100644 tmp-5.4/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch create mode 100644 tmp-5.4/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch create mode 100644 tmp-5.4/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch create mode 100644 tmp-5.4/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch create mode 100644 tmp-5.4/wifi-cfg80211-rewrite-merging-of-inherited-elements.patch create mode 100644 tmp-5.4/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch create mode 100644 tmp-5.4/wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch create mode 100644 tmp-5.4/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch create mode 100644 tmp-5.4/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch create mode 100644 tmp-5.4/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch create mode 100644 tmp-5.4/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch create mode 100644 tmp-5.4/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch create mode 100644 tmp-5.4/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch create mode 100644 tmp-5.4/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch create mode 100644 tmp-5.4/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch create mode 100644 tmp-5.4/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch create mode 100644 tmp-5.4/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch create mode 100644 tmp-5.4/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch create mode 100644 tmp-5.4/wl3501_cs-remove-unnecessary-null-check.patch create mode 100644 tmp-5.4/wl3501_cs-use-eth_hw_addr_set.patch create mode 
100644 tmp-5.4/workqueue-clean-up-work_-constant-types-clarify-masking.patch create mode 100644 tmp-5.4/x86-cpu-amd-add-a-zenbleed-fix.patch create mode 100644 tmp-5.4/x86-cpu-amd-move-the-errata-checking-functionality-up.patch create mode 100644 tmp-5.4/x86-microcode-amd-load-late-on-both-threads-too.patch create mode 100644 tmp-5.4/x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch create mode 100644 tmp-5.4/x86-resctrl-use-is_closid_match-in-more-places.patch create mode 100644 tmp-5.4/x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch create mode 100644 tmp-5.4/xsk-honor-so_bindtodevice-on-bind.patch create mode 100644 tmp-5.4/xsk-improve-documentation-for-af_xdp.patch create mode 100644 tmp-5.4/xtensa-iss-fix-call-to-split_if_spec.patch create mode 100644 tmp-6.1/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch create mode 100644 tmp-6.1/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch create mode 100644 tmp-6.1/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch create mode 100644 tmp-6.1/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch create mode 100644 tmp-6.1/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch create mode 100644 tmp-6.1/alsa-hda-realtek-remove-3k-pull-low-procedure.patch create mode 100644 tmp-6.1/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch create mode 100644 tmp-6.1/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch create mode 100644 tmp-6.1/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch create mode 100644 tmp-6.1/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch create mode 100644 tmp-6.1/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch create mode 100644 tmp-6.1/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch create mode 100644 tmp-6.1/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch create mode 100644 tmp-6.1/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch create mode 
100644 tmp-6.1/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch create mode 100644 tmp-6.1/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch create mode 100644 tmp-6.1/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch create mode 100644 tmp-6.1/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch create mode 100644 tmp-6.1/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch create mode 100644 tmp-6.1/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch create mode 100644 tmp-6.1/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch create mode 100644 tmp-6.1/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch create mode 100644 tmp-6.1/asoc-rt5640-fix-sleep-in-atomic-context.patch create mode 100644 tmp-6.1/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch create mode 100644 tmp-6.1/asoc-tegra-fix-adx-byte-map.patch create mode 100644 tmp-6.1/asoc-tegra-fix-amx-byte-map.patch create mode 100644 tmp-6.1/bluetooth-hci_event-call-disconnect-callback-before-.patch create mode 100644 tmp-6.1/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch create mode 100644 tmp-6.1/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch create mode 100644 tmp-6.1/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch create mode 100644 tmp-6.1/bpf-address-kcsan-report-on-bpf_lru_list.patch create mode 100644 tmp-6.1/bpf-aggressively-forget-precise-markings-during-state-checkpointing.patch create mode 100644 tmp-6.1/bpf-allow-precision-tracking-for-programs-with-subprogs.patch create mode 100644 tmp-6.1/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch create mode 100644 tmp-6.1/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch create mode 100644 tmp-6.1/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch create mode 100644 tmp-6.1/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch create mode 100644 
tmp-6.1/bpf-stop-setting-precise-in-current-state.patch create mode 100644 tmp-6.1/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch create mode 100644 tmp-6.1/bridge-add-extack-warning-when-enabling-stp-in-netns.patch create mode 100644 tmp-6.1/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch create mode 100644 tmp-6.1/btrfs-fix-race-between-balance-and-cancel-pause.patch create mode 100644 tmp-6.1/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch create mode 100644 tmp-6.1/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch create mode 100644 tmp-6.1/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch create mode 100644 tmp-6.1/can-bcm-fix-uaf-in-bcm_proc_show.patch create mode 100644 tmp-6.1/can-gs_usb-gs_can_open-improve-error-handling.patch create mode 100644 tmp-6.1/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch create mode 100644 tmp-6.1/can-raw-fix-receiver-memory-leak.patch create mode 100644 tmp-6.1/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch create mode 100644 tmp-6.1/devlink-report-devlink_port_type_warn-source-device.patch create mode 100644 tmp-6.1/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch create mode 100644 tmp-6.1/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch create mode 100644 tmp-6.1/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch create mode 100644 tmp-6.1/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch create mode 100644 tmp-6.1/drm-amd-display-only-accept-async-flips-for-fast-updates.patch create mode 100644 tmp-6.1/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch create mode 100644 tmp-6.1/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch create mode 100644 tmp-6.1/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch create mode 100644 tmp-6.1/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch 
create mode 100644 tmp-6.1/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch create mode 100644 tmp-6.1/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch create mode 100644 tmp-6.1/drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch create mode 100644 tmp-6.1/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch create mode 100644 tmp-6.1/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch create mode 100644 tmp-6.1/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch create mode 100644 tmp-6.1/fbdev-imxfb-removed-unneeded-release_mem_region.patch create mode 100644 tmp-6.1/fbdev-imxfb-warn-about-invalid-left-right-margin.patch create mode 100644 tmp-6.1/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch create mode 100644 tmp-6.1/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch create mode 100644 tmp-6.1/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch create mode 100644 tmp-6.1/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch create mode 100644 tmp-6.1/fuse-ioctl-translate-enosys-in-outarg.patch create mode 100644 tmp-6.1/fuse-revalidate-don-t-invalidate-if-interrupted.patch create mode 100644 tmp-6.1/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch create mode 100644 tmp-6.1/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch create mode 100644 tmp-6.1/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch create mode 100644 tmp-6.1/iavf-fix-reset-task-race-with-iavf_remove.patch create mode 100644 tmp-6.1/iavf-fix-use-after-free-in-free_netdev.patch create mode 100644 tmp-6.1/iavf-make-functions-static-where-possible.patch create mode 100644 tmp-6.1/iavf-move-netdev_update_features-into-watchdog-task.patch create mode 100644 tmp-6.1/iavf-send-vlan-offloading-caps-once-after-vfr.patch create mode 100644 tmp-6.1/iavf-use-internal-state-to-free-traffic-irqs.patch create mode 100644 tmp-6.1/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch create mode 
100644 tmp-6.1/igb-fix-igb_down-hung-on-surprise-removal.patch create mode 100644 tmp-6.1/igc-avoid-transmit-queue-timeout-for-xdp.patch create mode 100644 tmp-6.1/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch create mode 100644 tmp-6.1/io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch create mode 100644 tmp-6.1/jbd2-recheck-chechpointing-non-dirty-buffer.patch create mode 100644 tmp-6.1/kallsyms-add-kallsyms_seqs_of_names-to-list-of-special-symbols.patch create mode 100644 tmp-6.1/kallsyms-correctly-sequence-symbols-when-config_lto_.patch create mode 100644 tmp-6.1/kallsyms-improve-the-performance-of-kallsyms_lookup_.patch create mode 100644 tmp-6.1/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch create mode 100644 tmp-6.1/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch create mode 100644 tmp-6.1/llc-don-t-drop-packet-from-non-root-netns.patch create mode 100644 tmp-6.1/maple_tree-fix-node-allocation-testing-on-32-bit.patch create mode 100644 tmp-6.1/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch create mode 100644 tmp-6.1/mips-dec-prom-address-warray-bounds-warning.patch create mode 100644 tmp-6.1/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch create mode 100644 tmp-6.1/net-dsa-microchip-ksz8-make-ksz8_r_sta_mac_table-sta.patch create mode 100644 tmp-6.1/net-dsa-microchip-ksz8-separate-static-mac-table-ope.patch create mode 100644 tmp-6.1/net-dsa-microchip-ksz8_r_sta_mac_table-avoid-using-e.patch create mode 100644 tmp-6.1/net-ethernet-litex-add-support-for-64-bit-stats.patch create mode 100644 tmp-6.1/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch create mode 100644 tmp-6.1/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch create mode 100644 tmp-6.1/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch create mode 100644 tmp-6.1/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch create mode 100644 
tmp-6.1/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch create mode 100644 tmp-6.1/net-ipv6-check-return-value-of-pskb_trim.patch create mode 100644 tmp-6.1/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch create mode 100644 tmp-6.1/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch create mode 100644 tmp-6.1/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch create mode 100644 tmp-6.1/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch create mode 100644 tmp-6.1/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch create mode 100644 tmp-6.1/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch create mode 100644 tmp-6.1/netfilter-nf_tables-fix-spurious-set-element-inserti.patch create mode 100644 tmp-6.1/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch create mode 100644 tmp-6.1/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch create mode 100644 tmp-6.1/netfilter-nft_set_pipapo-fix-improper-element-remova.patch create mode 100644 tmp-6.1/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch create mode 100644 tmp-6.1/of-preserve-of-display-device-name-for-compatibility.patch create mode 100644 tmp-6.1/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch create mode 100644 tmp-6.1/perf-build-fix-library-not-found-error-when-using-cs.patch create mode 100644 tmp-6.1/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch create mode 100644 tmp-6.1/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch create mode 100644 tmp-6.1/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch create mode 100644 tmp-6.1/quota-fix-warning-in-dqgrab.patch create mode 100644 tmp-6.1/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch create mode 100644 tmp-6.1/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch create mode 100644 tmp-6.1/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch create mode 100644 
tmp-6.1/regmap-account-for-register-length-in-smbus-i-o-limits.patch create mode 100644 tmp-6.1/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch create mode 100644 tmp-6.1/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch create mode 100644 tmp-6.1/sched-fair-don-t-balance-task-to-its-current-running.patch create mode 100644 tmp-6.1/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch create mode 100644 tmp-6.1/sched-psi-allow-unprivileged-polling-of-n-2s-period.patch create mode 100644 tmp-6.1/sched-psi-extract-update_triggers-side-effect.patch create mode 100644 tmp-6.1/sched-psi-fix-avgs_work-re-arm-in-psi_avgs_work.patch create mode 100644 tmp-6.1/sched-psi-rearrange-polling-code-in-preparation.patch create mode 100644 tmp-6.1/sched-psi-rename-existing-poll-members-in-preparatio.patch create mode 100644 tmp-6.1/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch create mode 100644 tmp-6.1/scripts-kallsyms-update-the-usage-in-the-comment-block.patch create mode 100644 tmp-6.1/scripts-kallsyms.c-make-the-comment-up-to-date-with-current-implementation.patch create mode 100644 tmp-6.1/security-keys-modify-mismatched-function-name.patch create mode 100644 tmp-6.1/selftests-bpf-fix-sk_assign-on-s390x.patch create mode 100644 tmp-6.1/selftests-bpf-make-test_align-selftest-more-robust.patch create mode 100644 tmp-6.1/selftests-bpf-workaround-verification-failure-for-fexit_bpf2bpf-func_replace_return_code.patch create mode 100644 tmp-6.1/selftests-tc-add-conntrack-procfs-kconfig.patch create mode 100644 tmp-6.1/selftests-tc-add-ct-action-kconfig-dep.patch create mode 100644 tmp-6.1/selftests-tc-set-timeout-to-15-minutes.patch create mode 100644 tmp-6.1/series create mode 100644 tmp-6.1/spi-bcm63xx-fix-max-prepend-length.patch create mode 100644 tmp-6.1/spi-dw-add-compatible-for-intel-mount-evans-soc.patch create mode 100644 tmp-6.1/spi-dw-remove-misleading-comment-for-mount-evans-soc.patch create mode 100644 
tmp-6.1/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch create mode 100644 tmp-6.1/tcp-annotate-data-races-around-fastopenq.max_qlen.patch create mode 100644 tmp-6.1/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch create mode 100644 tmp-6.1/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch create mode 100644 tmp-6.1/tcp-annotate-data-races-around-rskq_defer_accept.patch create mode 100644 tmp-6.1/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch create mode 100644 tmp-6.1/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch create mode 100644 tmp-6.1/tcp-annotate-data-races-around-tp-keepalive_intvl.patch create mode 100644 tmp-6.1/tcp-annotate-data-races-around-tp-keepalive_probes.patch create mode 100644 tmp-6.1/tcp-annotate-data-races-around-tp-keepalive_time.patch create mode 100644 tmp-6.1/tcp-annotate-data-races-around-tp-linger2.patch create mode 100644 tmp-6.1/tcp-annotate-data-races-around-tp-notsent_lowat.patch create mode 100644 tmp-6.1/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch create mode 100644 tmp-6.1/tcp-annotate-data-races-around-tp-tsoffset.patch create mode 100644 tmp-6.1/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch create mode 100644 tmp-6.1/udf-fix-uninitialized-array-access-for-some-pathname.patch create mode 100644 tmp-6.1/wifi-ath11k-add-support-default-regdb-while-searchin.patch create mode 100644 tmp-6.1/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch create mode 100644 tmp-6.1/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch create mode 100644 tmp-6.1/wifi-iwlwifi-add-support-for-new-pci-id.patch create mode 100644 tmp-6.1/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch create mode 100644 tmp-6.1/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch create mode 100644 tmp-6.1/wifi-mac80211_hwsim-fix-possible-null-dereference.patch create mode 100644 tmp-6.1/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch 
create mode 100644 tmp-6.1/x86-cpu-amd-add-a-zenbleed-fix.patch create mode 100644 tmp-6.1/x86-cpu-amd-move-the-errata-checking-functionality-up.patch create mode 100644 tmp-6.4/accel-qaic-add-consistent-integer-overflow-checks.patch create mode 100644 tmp-6.4/accel-qaic-fix-a-leak-in-map_user_pages.patch create mode 100644 tmp-6.4/accel-qaic-tighten-bounds-checking-in-decode_message.patch create mode 100644 tmp-6.4/accel-qaic-tighten-bounds-checking-in-encode_message.patch create mode 100644 tmp-6.4/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch create mode 100644 tmp-6.4/acpi-resource-remove-zen-specific-match-and-quirks.patch create mode 100644 tmp-6.4/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch create mode 100644 tmp-6.4/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch create mode 100644 tmp-6.4/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch create mode 100644 tmp-6.4/acpi-x86-add-acpi_quirk_uart1_skip-for-lenovo-yoga-b.patch create mode 100644 tmp-6.4/acpi-x86-add-skip-i2c-clients-quirk-for-nextbook-are.patch create mode 100644 tmp-6.4/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch create mode 100644 tmp-6.4/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch create mode 100644 tmp-6.4/alsa-hda-realtek-add-quirks-for-rog-ally-cs35l41-aud.patch create mode 100644 tmp-6.4/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch create mode 100644 tmp-6.4/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch create mode 100644 tmp-6.4/alsa-hda-realtek-remove-3k-pull-low-procedure.patch create mode 100644 tmp-6.4/arm64-fix-hfgxtr_el2-field-naming.patch create mode 100644 tmp-6.4/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch create mode 100644 tmp-6.4/arm64-mm-fix-va-range-sanity-check.patch create mode 100644 tmp-6.4/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch create mode 100644 tmp-6.4/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch create 
mode 100644 tmp-6.4/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch create mode 100644 tmp-6.4/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch create mode 100644 tmp-6.4/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch create mode 100644 tmp-6.4/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch create mode 100644 tmp-6.4/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch create mode 100644 tmp-6.4/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch create mode 100644 tmp-6.4/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch create mode 100644 tmp-6.4/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch create mode 100644 tmp-6.4/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch create mode 100644 tmp-6.4/asoc-cs35l45-select-regmap_irq.patch create mode 100644 tmp-6.4/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch create mode 100644 tmp-6.4/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch create mode 100644 tmp-6.4/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch create mode 100644 tmp-6.4/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch create mode 100644 tmp-6.4/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch create mode 100644 tmp-6.4/asoc-rt5640-fix-sleep-in-atomic-context.patch create mode 100644 tmp-6.4/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch create mode 100644 tmp-6.4/asoc-tegra-fix-adx-byte-map.patch create mode 100644 tmp-6.4/asoc-tegra-fix-amx-byte-map.patch create mode 100644 tmp-6.4/blk-mq-fix-null-dereference-on-q-elevator-in-blk_mq_.patch create mode 100644 tmp-6.4/bluetooth-btusb-fix-bluetooth-on-intel-macbook-2014.patch create mode 100644 tmp-6.4/bluetooth-hci_conn-return-err_ptr-instead-of-null-wh.patch create mode 100644 tmp-6.4/bluetooth-hci_event-call-disconnect-callback-before-.patch create mode 100644 
tmp-6.4/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch create mode 100644 tmp-6.4/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch create mode 100644 tmp-6.4/bluetooth-sco-fix-sco_conn-related-locking-and-valid.patch create mode 100644 tmp-6.4/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch create mode 100644 tmp-6.4/bpf-address-kcsan-report-on-bpf_lru_list.patch create mode 100644 tmp-6.4/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch create mode 100644 tmp-6.4/bpf-drop-unnecessary-user-triggerable-warn_once-in-v.patch create mode 100644 tmp-6.4/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch create mode 100644 tmp-6.4/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch create mode 100644 tmp-6.4/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch create mode 100644 tmp-6.4/bpf-silence-a-warning-in-btf_type_id_size.patch create mode 100644 tmp-6.4/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch create mode 100644 tmp-6.4/bridge-add-extack-warning-when-enabling-stp-in-netns.patch create mode 100644 tmp-6.4/btrfs-abort-transaction-at-update_ref_for_cow-when-r.patch create mode 100644 tmp-6.4/btrfs-add-xxhash-to-fast-checksum-implementations.patch create mode 100644 tmp-6.4/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch create mode 100644 tmp-6.4/btrfs-don-t-check-pageerror-in-__extent_writepage.patch create mode 100644 tmp-6.4/btrfs-fix-double-iput-on-inode-after-an-error-during-orphan-cleanup.patch create mode 100644 tmp-6.4/btrfs-fix-iput-on-error-pointer-after-error-during-orphan-cleanup.patch create mode 100644 tmp-6.4/btrfs-fix-race-between-balance-and-cancel-pause.patch create mode 100644 tmp-6.4/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch create mode 100644 tmp-6.4/btrfs-raid56-always-verify-the-p-q-contents-for-scrub.patch create mode 100644 tmp-6.4/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch create mode 
100644 tmp-6.4/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch create mode 100644 tmp-6.4/can-bcm-fix-uaf-in-bcm_proc_show.patch create mode 100644 tmp-6.4/can-gs_usb-fix-time-stamp-counter-initialization.patch create mode 100644 tmp-6.4/can-gs_usb-gs_can_open-improve-error-handling.patch create mode 100644 tmp-6.4/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch create mode 100644 tmp-6.4/can-raw-fix-receiver-memory-leak.patch create mode 100644 tmp-6.4/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch create mode 100644 tmp-6.4/devlink-make-health-report-on-unregistered-instance-.patch create mode 100644 tmp-6.4/devlink-report-devlink_port_type_warn-source-device.patch create mode 100644 tmp-6.4/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch create mode 100644 tmp-6.4/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch create mode 100644 tmp-6.4/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch create mode 100644 tmp-6.4/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch create mode 100644 tmp-6.4/drm-amd-display-only-accept-async-flips-for-fast-updates.patch create mode 100644 tmp-6.4/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch create mode 100644 tmp-6.4/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch create mode 100644 tmp-6.4/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch create mode 100644 tmp-6.4/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch create mode 100644 tmp-6.4/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch create mode 100644 tmp-6.4/drm-i915-perf-add-sentinel-to-xehp_oa_b_counters.patch create mode 100644 tmp-6.4/drm-nouveau-disp-pior-dp-uses-gpio-for-hpd-not-pmgr-aux-interrupts.patch create mode 100644 tmp-6.4/drm-nouveau-i2c-fix-number-of-aux-event-slots.patch create mode 100644 tmp-6.4/drm-nouveau-kms-nv50-init-hpd_irq_lock-for-pior-dp.patch create mode 
100644 tmp-6.4/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch create mode 100644 tmp-6.4/drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch create mode 100644 tmp-6.4/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch create mode 100644 tmp-6.4/erofs-fix-detection-of-atomic-context.patch create mode 100644 tmp-6.4/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch create mode 100644 tmp-6.4/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch create mode 100644 tmp-6.4/fbdev-imxfb-removed-unneeded-release_mem_region.patch create mode 100644 tmp-6.4/fbdev-imxfb-warn-about-invalid-left-right-margin.patch create mode 100644 tmp-6.4/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch create mode 100644 tmp-6.4/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch create mode 100644 tmp-6.4/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch create mode 100644 tmp-6.4/fuse-add-feature-flag-for-expire-only.patch create mode 100644 tmp-6.4/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch create mode 100644 tmp-6.4/fuse-ioctl-translate-enosys-in-outarg.patch create mode 100644 tmp-6.4/fuse-revalidate-don-t-invalidate-if-interrupted.patch create mode 100644 tmp-6.4/gso-fix-dodgy-bit-handling-for-gso_udp_l4.patch create mode 100644 tmp-6.4/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch create mode 100644 tmp-6.4/ia64-mmap-consider-pgoff-when-searching-for-free-mapping.patch create mode 100644 tmp-6.4/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch create mode 100644 tmp-6.4/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch create mode 100644 tmp-6.4/iavf-fix-reset-task-race-with-iavf_remove.patch create mode 100644 tmp-6.4/iavf-fix-use-after-free-in-free_netdev.patch create mode 100644 tmp-6.4/iavf-make-functions-static-where-possible.patch create mode 100644 tmp-6.4/iavf-use-internal-state-to-free-traffic-irqs.patch create mode 100644 
tmp-6.4/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch create mode 100644 tmp-6.4/ice-prevent-null-pointer-deref-during-reload.patch create mode 100644 tmp-6.4/ice-unregister-netdev-and-devlink_port-only-once.patch create mode 100644 tmp-6.4/igb-fix-igb_down-hung-on-surprise-removal.patch create mode 100644 tmp-6.4/igc-avoid-transmit-queue-timeout-for-xdp.patch create mode 100644 tmp-6.4/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch create mode 100644 tmp-6.4/io_uring-fix-io_uring-mmap-by-using-architecture-provided-get_unmapped_area.patch create mode 100644 tmp-6.4/io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch create mode 100644 tmp-6.4/iommu-sva-fix-signedness-bug-in-iommu_sva_alloc_pasi.patch create mode 100644 tmp-6.4/iov_iter-mark-copy_iovec_from_user-noclone.patch create mode 100644 tmp-6.4/jbd2-recheck-chechpointing-non-dirty-buffer.patch create mode 100644 tmp-6.4/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch create mode 100644 tmp-6.4/kbuild-rust-avoid-creating-temporary-files.patch create mode 100644 tmp-6.4/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch create mode 100644 tmp-6.4/kvm-arm64-correctly-handle-page-aging-notifiers-for-unaligned-memslot.patch create mode 100644 tmp-6.4/kvm-arm64-disable-preemption-in-kvm_arch_hardware_enable.patch create mode 100644 tmp-6.4/kvm-arm64-timers-use-cnthctl_el2-when-setting-non-cntkctl_el1-bits.patch create mode 100644 tmp-6.4/kvm-arm64-vgic-v4-make-the-doorbell-request-robust-w.r.t-preemption.patch create mode 100644 tmp-6.4/llc-don-t-drop-packet-from-non-root-netns.patch create mode 100644 tmp-6.4/maple_tree-fix-node-allocation-testing-on-32-bit.patch create mode 100644 tmp-6.4/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch create mode 100644 tmp-6.4/md-fix-data-corruption-for-raid456-when-reshape-rest.patch create mode 100644 tmp-6.4/md-raid10-prevent-soft-lockup-while-flush-writes.patch create mode 100644 
tmp-6.4/mips-dec-prom-address-warray-bounds-warning.patch create mode 100644 tmp-6.4/mm-mlock-fix-vma-iterator-conversion-of-apply_vma_lock_flags.patch create mode 100644 tmp-6.4/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch create mode 100644 tmp-6.4/net-ethernet-litex-add-support-for-64-bit-stats.patch create mode 100644 tmp-6.4/net-ethernet-mtk_eth_soc-always-mtk_get_ib1_pkt_type.patch create mode 100644 tmp-6.4/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch create mode 100644 tmp-6.4/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch create mode 100644 tmp-6.4/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch create mode 100644 tmp-6.4/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch create mode 100644 tmp-6.4/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch create mode 100644 tmp-6.4/net-ipv6-check-return-value-of-pskb_trim.patch create mode 100644 tmp-6.4/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch create mode 100644 tmp-6.4/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch create mode 100644 tmp-6.4/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch create mode 100644 tmp-6.4/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch create mode 100644 tmp-6.4/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch create mode 100644 tmp-6.4/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch create mode 100644 tmp-6.4/netfilter-nf_tables-fix-spurious-set-element-inserti.patch create mode 100644 tmp-6.4/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch create mode 100644 tmp-6.4/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch create mode 100644 tmp-6.4/netfilter-nft_set_pipapo-fix-improper-element-remova.patch create mode 100644 tmp-6.4/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch create mode 100644 tmp-6.4/of-preserve-of-display-device-name-for-compatibility.patch create mode 100644 
tmp-6.4/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch create mode 100644 tmp-6.4/perf-build-fix-library-not-found-error-when-using-cs.patch create mode 100644 tmp-6.4/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch create mode 100644 tmp-6.4/perf-probe-read-dwarf-files-from-the-correct-cu.patch create mode 100644 tmp-6.4/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch create mode 100644 tmp-6.4/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch create mode 100644 tmp-6.4/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch create mode 100644 tmp-6.4/prctl-move-pr_get_auxv-out-of-pr_mce_kill.patch create mode 100644 tmp-6.4/quota-fix-warning-in-dqgrab.patch create mode 100644 tmp-6.4/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch create mode 100644 tmp-6.4/r8169-fix-aspm-related-problem-for-chip-version-42-a.patch create mode 100644 tmp-6.4/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch create mode 100644 tmp-6.4/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch create mode 100644 tmp-6.4/regmap-account-for-register-length-in-smbus-i-o-limits.patch create mode 100644 tmp-6.4/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch create mode 100644 tmp-6.4/regulator-da9063-fix-null-pointer-deref-with-partial.patch create mode 100644 tmp-6.4/revert-r8169-disable-aspm-during-napi-poll.patch create mode 100644 tmp-6.4/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch create mode 100644 tmp-6.4/s390-zcrypt-fix-reply-buffer-calculations-for-cca-replies.patch create mode 100644 tmp-6.4/sched-fair-don-t-balance-task-to-its-current-running.patch create mode 100644 tmp-6.4/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch create mode 100644 tmp-6.4/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch create mode 100644 tmp-6.4/scsi-sg-don-t-grab-scsi-host-module-reference.patch create mode 100644 
tmp-6.4/scsi-sg-fix-blktrace-debugfs-entries-leakage.patch create mode 100644 tmp-6.4/security-keys-modify-mismatched-function-name.patch create mode 100644 tmp-6.4/selftests-mm-mkdirty-fix-incorrect-position-of-endif.patch create mode 100644 tmp-6.4/selftests-tc-add-conntrack-procfs-kconfig.patch create mode 100644 tmp-6.4/selftests-tc-add-ct-action-kconfig-dep.patch create mode 100644 tmp-6.4/selftests-tc-set-timeout-to-15-minutes.patch create mode 100644 tmp-6.4/series create mode 100644 tmp-6.4/smb-client-fix-missed-ses-refcounting.patch create mode 100644 tmp-6.4/spi-bcm63xx-fix-max-prepend-length.patch create mode 100644 tmp-6.4/spi-cadence-quadspi-add-compatible-for-amd-pensando-.patch create mode 100644 tmp-6.4/spi-dw-add-compatible-for-intel-mount-evans-soc.patch create mode 100644 tmp-6.4/spi-dw-remove-misleading-comment-for-mount-evans-soc.patch create mode 100644 tmp-6.4/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch create mode 100644 tmp-6.4/tcp-annotate-data-races-around-fastopenq.max_qlen.patch create mode 100644 tmp-6.4/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch create mode 100644 tmp-6.4/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch create mode 100644 tmp-6.4/tcp-annotate-data-races-around-rskq_defer_accept.patch create mode 100644 tmp-6.4/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch create mode 100644 tmp-6.4/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch create mode 100644 tmp-6.4/tcp-annotate-data-races-around-tp-keepalive_intvl.patch create mode 100644 tmp-6.4/tcp-annotate-data-races-around-tp-keepalive_probes.patch create mode 100644 tmp-6.4/tcp-annotate-data-races-around-tp-keepalive_time.patch create mode 100644 tmp-6.4/tcp-annotate-data-races-around-tp-linger2.patch create mode 100644 tmp-6.4/tcp-annotate-data-races-around-tp-notsent_lowat.patch create mode 100644 tmp-6.4/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch create mode 100644 
tmp-6.4/tcp-annotate-data-races-around-tp-tsoffset.patch create mode 100644 tmp-6.4/tools-nolibc-ensure-stack-protector-guard-is-never-z.patch create mode 100644 tmp-6.4/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch create mode 100644 tmp-6.4/udf-fix-uninitialized-array-access-for-some-pathname.patch create mode 100644 tmp-6.4/vrf-fix-lockdep-splat-in-output-path.patch create mode 100644 tmp-6.4/wifi-ath11k-add-support-default-regdb-while-searchin.patch create mode 100644 tmp-6.4/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch create mode 100644 tmp-6.4/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch create mode 100644 tmp-6.4/wifi-ath12k-avoid-null-pointer-access-during-managem.patch create mode 100644 tmp-6.4/wifi-iwlwifi-add-support-for-new-pci-id.patch create mode 100644 tmp-6.4/wifi-iwlwifi-mvm-add-null-check-before-dereferencing.patch create mode 100644 tmp-6.4/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch create mode 100644 tmp-6.4/wifi-iwlwifi-mvm-fix-potential-array-out-of-bounds-a.patch create mode 100644 tmp-6.4/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch create mode 100644 tmp-6.4/wifi-mac80211_hwsim-fix-possible-null-dereference.patch create mode 100644 tmp-6.4/wifi-rtw88-sdio-check-the-hisr-rx_request-bit-in-rtw.patch create mode 100644 tmp-6.4/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch create mode 100644 tmp-6.4/x86-cpu-amd-add-a-zenbleed-fix.patch create mode 100644 tmp-6.4/x86-cpu-amd-move-the-errata-checking-functionality-up.patch diff --git a/tmp-4.19/add-module_firmware-for-firmware_tg357766.patch b/tmp-4.19/add-module_firmware-for-firmware_tg357766.patch new file mode 100644 index 00000000000..fef2c046b88 --- /dev/null +++ b/tmp-4.19/add-module_firmware-for-firmware_tg357766.patch 
@@ -0,0 +1,37 @@
+From 06b2af89868e7ffc5fbed8aa5384da72c03ce22f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Jun 2023 02:13:32 +0200
+Subject: Add MODULE_FIRMWARE() for FIRMWARE_TG357766.
+
+From: Tobias Heider
+
+[ Upstream commit 046f753da6143ee16452966915087ec8b0de3c70 ]
+
+Fixes a bug where on the M1 mac mini initramfs-tools fails to
+include the necessary firmware into the initrd.
+
+Fixes: c4dab50697ff ("tg3: Download 57766 EEE service patch firmware")
+Signed-off-by: Tobias Heider
+Reviewed-by: Michael Chan
+Link: https://lore.kernel.org/r/ZJt7LKzjdz8+dClx@tobhe.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/tg3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
+index 2cf144bbef3ee..43b83a3a28049 100644
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -235,6 +235,7 @@ MODULE_DESCRIPTION("Broadcom Tigon3 ethernet driver");
+ MODULE_LICENSE("GPL");
+ MODULE_VERSION(DRV_MODULE_VERSION);
+ MODULE_FIRMWARE(FIRMWARE_TG3);
++MODULE_FIRMWARE(FIRMWARE_TG357766);
+ MODULE_FIRMWARE(FIRMWARE_TG3TSO);
+ MODULE_FIRMWARE(FIRMWARE_TG3TSO5);
+
+--
+2.39.2
+
diff --git a/tmp-4.19/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch b/tmp-4.19/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch
new file mode 100644
index 00000000000..1481eceac82
--- /dev/null
+++ b/tmp-4.19/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch
@@ -0,0 +1,42 @@
+From ef191039261e6299d0524a779176e2161f7e34a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jun 2023 10:17:32 +0800
+Subject: ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer
+
+From: Su Hui
+
+[ Upstream commit 79597c8bf64ca99eab385115743131d260339da5 ]
+
+smatch error:
+sound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error:
+we previously assumed 'rac97' could be null (see line 2072)
+
+remove redundant assignment, return error if rac97 is NULL.
+
+Fixes: da3cec35dd3c ("ALSA: Kill snd_assert() in sound/pci/*")
+Signed-off-by: Su Hui
+Link: https://lore.kernel.org/r/20230615021732.1972194-1-suhui@nfschina.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/ac97/ac97_codec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
+index a276c4283c7bb..3f13666a01904 100644
+--- a/sound/pci/ac97/ac97_codec.c
++++ b/sound/pci/ac97/ac97_codec.c
+@@ -2026,8 +2026,8 @@ int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template,
+ .dev_disconnect = snd_ac97_dev_disconnect,
+ };
+
+- if (rac97)
+- *rac97 = NULL;
++ if (!rac97)
++ return -EINVAL;
+ if (snd_BUG_ON(!bus || !template))
+ return -EINVAL;
+ if (snd_BUG_ON(template->num >= 4))
+--
+2.39.2
+
diff --git a/tmp-4.19/alsa-jack-fix-mutex-call-in-snd_jack_report.patch b/tmp-4.19/alsa-jack-fix-mutex-call-in-snd_jack_report.patch
new file mode 100644
index 00000000000..ab6baadf7e5
--- /dev/null
+++ b/tmp-4.19/alsa-jack-fix-mutex-call-in-snd_jack_report.patch
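Review bot: With the `*rac97 = NULL;` store removed from snd_ac97_mixer(), the out-pointer is left untouched on the early `return -EINVAL` paths that follow the new `if (!rac97)` check, so a caller that inspects it after a failure sees whatever it held before the call. Keeping the reset directly after the NULL check, `*rac97 = NULL;`, would preserve the old contract while still rejecting a NULL argument. Whether any caller relies on that reset cannot be seen from this hunk, and the function body starts and continues outside it.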
@@ -0,0 +1,91 @@
+From 95c1235b2f413d5838e5f37cb1b8895436d3505c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Jul 2023 17:53:57 +0200
+Subject: ALSA: jack: Fix mutex call in snd_jack_report()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai
+
+[ Upstream commit 89dbb335cb6a627a4067bc42caa09c8bc3326d40 ]
+
+snd_jack_report() is supposed to be callable from an IRQ context, too,
+and it's indeed used in that way from virtsnd driver. The fix for
+input_dev race in commit 1b6a6fc5280e ("ALSA: jack: Access input_dev
+under mutex"), however, introduced a mutex lock in snd_jack_report(),
+and this resulted in a potential sleep-in-atomic.
+
+For addressing that problem, this patch changes the relevant code to
+use the object get/put and removes the mutex usage. That is,
+snd_jack_report(), it takes input_get_device() and leaves with
+input_put_device() for assuring the input_dev being assigned.
+
+Although the whole mutex could be reduced, we keep it because it can
+be still a protection for potential races between creation and
+deletion.
+
+Fixes: 1b6a6fc5280e ("ALSA: jack: Access input_dev under mutex")
+Reported-by: Dan Carpenter
+Closes: https://lore.kernel.org/r/cf95f7fe-a748-4990-8378-000491b40329@moroto.mountain
+Tested-by: Amadeusz Sławiński
+Cc:
+Link: https://lore.kernel.org/r/20230706155357.3470-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/core/jack.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/sound/core/jack.c b/sound/core/jack.c
+index 074b15fcb0ac4..06e0fc7b64179 100644
+--- a/sound/core/jack.c
++++ b/sound/core/jack.c
+@@ -378,6 +378,7 @@ void snd_jack_report(struct snd_jack *jack, int status)
+ {
+ struct snd_jack_kctl *jack_kctl;
+ #ifdef CONFIG_SND_JACK_INPUT_DEV
++ struct input_dev *idev;
+ int i;
+ #endif
+
+@@ -389,30 +390,28 @@ void snd_jack_report(struct snd_jack *jack, int status)
+ status & jack_kctl->mask_bits);
+
+ #ifdef CONFIG_SND_JACK_INPUT_DEV
+- mutex_lock(&jack->input_dev_lock);
+- if (!jack->input_dev) {
+- mutex_unlock(&jack->input_dev_lock);
++ idev = input_get_device(jack->input_dev);
++ if (!idev)
+ return;
+- }
+
+ for (i = 0; i < ARRAY_SIZE(jack->key); i++) {
+ int testbit = SND_JACK_BTN_0 >> i;
+
+ if (jack->type & testbit)
+- input_report_key(jack->input_dev, jack->key[i],
++ input_report_key(idev, jack->key[i],
+ status & testbit);
+ }
+
+ for (i = 0; i < ARRAY_SIZE(jack_switch_types); i++) {
+ int testbit = 1 << i;
+ if (jack->type & testbit)
+- input_report_switch(jack->input_dev,
++ input_report_switch(idev,
+ jack_switch_types[i],
+ status & testbit);
+ }
+
+- input_sync(jack->input_dev);
+- mutex_unlock(&jack->input_dev_lock);
++ input_sync(idev);
++ input_put_device(idev);
+ #endif /* CONFIG_SND_JACK_INPUT_DEV */
+ }
+ EXPORT_SYMBOL(snd_jack_report);
+--
+2.39.2
+
diff --git a/tmp-4.19/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch b/tmp-4.19/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch
new file mode 100644
index 00000000000..e31faaea748
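Review bot: In snd_jack_report(), `idev = input_get_device(jack->input_dev);` reads jack->input_dev without input_dev_lock, so the reference is only taken after the pointer has been loaded. If the teardown path (not visible in this hunk) clears and releases the device between the load and the get, the reference would be taken on an object that may already be gone. The commit message keeps the mutex for creation/deletion races, but the report path no longer takes part in it. I would document at the load what keeps the device alive for IRQ-context callers, for example `/* lockless read: <state the guarantee that input_dev outlives in-flight reports> */`, with the author filling in the actual guarantee. The function body starts before the second inner hunk.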
--- /dev/null
+++ b/tmp-4.19/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch
@@ -0,0 +1,62 @@
+From ad8837c42c62766fa3f8dfe3b124485fc46c71a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jun 2023 00:50:50 +0900
+Subject: ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__
+ guard
+
+From: Masahiro Yamada
+
+[ Upstream commit 92e2921eeafdfca9acd9b83f07d2b7ca099bac24 ]
+
+ASM_NL is useful not only in *.S files but also in .c files for using
+inline assembler in C code.
+
+On ARC, however, ASM_NL is evaluated inconsistently. It is expanded to
+a backquote (`) in *.S files, but a semicolon (;) in *.c files because
+arch/arc/include/asm/linkage.h defines it inside #ifdef __ASSEMBLY__,
+so the definition for C code falls back to the default value defined in
+include/linux/linkage.h.
+
+If ASM_NL is used in inline assembler in .c files, it will result in
+wrong assembly code because a semicolon is not an instruction separator,
+but the start of a comment for ARC.
+
+Move ASM_NL (also __ALIGN and __ALIGN_STR) out of the #ifdef.
+
+Fixes: 9df62f054406 ("arch: use ASM_NL instead of ';' for assembler new line character in the macro")
+Fixes: 8d92e992a785 ("ARC: define __ALIGN_STR and __ALIGN symbols for ARC")
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Sasha Levin
+---
+ arch/arc/include/asm/linkage.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arc/include/asm/linkage.h b/arch/arc/include/asm/linkage.h
+index f3d29d4840d58..b89ca8b4d5975 100644
+--- a/arch/arc/include/asm/linkage.h
++++ b/arch/arc/include/asm/linkage.h
+@@ -11,6 +11,10 @@
+
+ #include
+
++#define ASM_NL ` /* use '`' to mark new line in macro */
++#define __ALIGN .align 4
++#define __ALIGN_STR __stringify(__ALIGN)
++
+ #ifdef __ASSEMBLY__
+
+ .macro ST2 e, o, off
+@@ -31,10 +35,6 @@
+ #endif
+ .endm
+
+-#define ASM_NL ` /* use '`' to mark new line in macro */
+-#define __ALIGN .align 4
+-#define __ALIGN_STR __stringify(__ALIGN)
+-
+ /* annotation for data we want in DCCM - if enabled in .config */
+ .macro ARCFP_DATA nm
+ #ifdef CONFIG_ARC_HAS_DCCM
+--
+2.39.2
+
diff --git a/tmp-4.19/arcv2-entry-avoid-a-branch.patch b/tmp-4.19/arcv2-entry-avoid-a-branch.patch
new file mode 100644
index 00000000000..77768c453b6
--- /dev/null
+++ b/tmp-4.19/arcv2-entry-avoid-a-branch.patch
@@ -0,0 +1,38 @@
+From 75acdde2ef23456085ec596574a650610356060a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 May 2019 16:24:15 -0700
+Subject: ARCv2: entry: avoid a branch
+
+From: Vineet Gupta
+
+[ Upstream commit ab854bfcd310b5872fe12eb8d3f2c30fe427f8f7 ]
+
+Signed-off-by: Vineet Gupta
+Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard")
+Signed-off-by: Sasha Levin
+---
+ arch/arc/include/asm/entry-arcv2.h | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h
+index 3209a67629606..beaf655666cbd 100644
+--- a/arch/arc/include/asm/entry-arcv2.h
++++ b/arch/arc/include/asm/entry-arcv2.h
+@@ -100,12 +100,11 @@
+ ; 2. Upon entry SP is always saved (for any inspection, unwinding etc),
+ ; but on return, restored only if U mode
+
++ lr r9, [AUX_USER_SP] ; U mode SP
++
+ mov.nz r9, sp
+ add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ; K mode SP
+- bnz 1f
+
+- lr r9, [AUX_USER_SP] ; U mode SP
+-1:
+ PUSH r9 ; SP (pt_regs->sp)
+
+ PUSH fp
+--
+2.39.2
+
diff --git a/tmp-4.19/arcv2-entry-comments-about-hardware-auto-save-on-tak.patch b/tmp-4.19/arcv2-entry-comments-about-hardware-auto-save-on-tak.patch
new file mode 100644
index 00000000000..59f7315a690
--- /dev/null
+++ b/tmp-4.19/arcv2-entry-comments-about-hardware-auto-save-on-tak.patch
@@ -0,0 +1,158 @@ +From d101114608fd77f1804cd33e13286d0ff46f7084 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Apr 2019 16:55:15 -0700 +Subject: ARCv2: entry: comments about hardware auto-save on taken interrupts + +From: Vineet Gupta + +[ Upstream commit 45869eb0c0afd72bd5ab2437d4b00915697c044a ] + +Signed-off-by: Vineet Gupta +Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard") +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/entry-arcv2.h | 78 ++++++++++++++++++++++++------ + 1 file changed, 62 insertions(+), 16 deletions(-) + +diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h +index 225e7df2d8ed8..1c3520d1fa420 100644 +--- a/arch/arc/include/asm/entry-arcv2.h ++++ b/arch/arc/include/asm/entry-arcv2.h +@@ -7,15 +7,54 @@ + #include + #include /* For THREAD_SIZE */ + ++/* ++ * Interrupt/Exception stack layout (pt_regs) for ARCv2 ++ * (End of struct aligned to end of page [unless nested]) ++ * ++ * INTERRUPT EXCEPTION ++ * ++ * manual --------------------- manual ++ * | orig_r0 | ++ * | event/ECR | ++ * | bta | ++ * | user_r25 | ++ * | gp | ++ * | fp | ++ * | sp | ++ * | r12 | ++ * | r30 | ++ * | r58 | ++ * | r59 | ++ * hw autosave --------------------- ++ * optional | r0 | ++ * | r1 | ++ * ~ ~ ++ * | r9 | ++ * | r10 | ++ * | r11 | ++ * | blink | ++ * | lpe | ++ * | lps | ++ * | lpc | ++ * | ei base | ++ * | ldi base | ++ * | jli base | ++ * --------------------- ++ * hw autosave | pc / eret | ++ * mandatory | stat32 / erstatus | ++ * --------------------- ++ */ ++ + /*------------------------------------------------------------------------*/ + .macro INTERRUPT_PROLOGUE called_from +- +- ; Before jumping to Interrupt Vector, hardware micro-ops did following: ++ ; (A) Before jumping to Interrupt Vector, hardware micro-ops did following: + ; 1. SP auto-switched to kernel mode stack +- ; 2. STATUS32.Z flag set to U mode at time of interrupt (U:1, K:0) +- ; 3. 
Auto saved: r0-r11, blink, LPE,LPS,LPC, JLI,LDI,EI, PC, STAT32 ++ ; 2. STATUS32.Z flag set if in U mode at time of interrupt (U:1,K:0) ++ ; 3. Auto save: (mandatory) Push PC and STAT32 on stack ++ ; hardware does even if CONFIG_ARC_IRQ_NO_AUTOSAVE ++ ; 4. Auto save: (optional) r0-r11, blink, LPE,LPS,LPC, JLI,LDI,EI + ; +- ; Now manually save: r12, sp, fp, gp, r25 ++ ; (B) Manually saved some regs: r12,r25,r30, sp,fp,gp, ACCL pair + + #ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE + .ifnc \called_from, exception +@@ -57,14 +96,17 @@ + ; - U mode: retrieve it from AUX_USER_SP + ; - K mode: add the offset from current SP where H/w starts auto push + ; +- ; Utilize the fact that Z bit is set if Intr taken in U mode ++ ; 1. Utilize the fact that Z bit is set if Intr taken in U mode ++ ; 2. Upon entry SP is always saved (for any inspection, unwinding etc), ++ ; but on return, restored only if U mode ++ + mov.nz r9, sp +- add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ++ add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ; K mode SP + bnz 1f + +- lr r9, [AUX_USER_SP] ++ lr r9, [AUX_USER_SP] ; U mode SP + 1: +- PUSH r9 ; SP ++ PUSH r9 ; SP (pt_regs->sp) + + PUSH fp + PUSH gp +@@ -85,6 +127,8 @@ + /*------------------------------------------------------------------------*/ + .macro INTERRUPT_EPILOGUE called_from + ++ ; INPUT: r0 has STAT32 of calling context ++ ; INPUT: Z flag set if returning to K mode + .ifnc \called_from, exception + add sp, sp, 12 ; skip BTA/ECR/orig_r0 placeholderss + .endif +@@ -98,9 +142,10 @@ + POP gp + POP fp + +- ; Don't touch AUX_USER_SP if returning to K mode (Z bit set) +- ; (Z bit set on K mode is inverse of INTERRUPT_PROLOGUE) +- add.z sp, sp, 4 ++ ; Restore SP (into AUX_USER_SP) only if returning to U mode ++ ; - for K mode, it will be implicitly restored as stack is unwound ++ ; - Z flag set on K is inverse of what hardware does on interrupt entry ++ ; but that doesn't really matter + bz 1f + + POPAX AUX_USER_SP +@@ -145,11 +190,11 @@ + 
/*------------------------------------------------------------------------*/ + .macro EXCEPTION_PROLOGUE + +- ; Before jumping to Exception Vector, hardware micro-ops did following: ++ ; (A) Before jumping to Exception Vector, hardware micro-ops did following: + ; 1. SP auto-switched to kernel mode stack +- ; 2. STATUS32.Z flag set to U mode at time of interrupt (U:1,K:0) ++ ; 2. STATUS32.Z flag set if in U mode at time of exception (U:1,K:0) + ; +- ; Now manually save the complete reg file ++ ; (B) Manually save the complete reg file below + + PUSH r9 ; freeup a register: slot of erstatus + +@@ -195,12 +240,13 @@ + PUSHAX ecr ; r9 contains ECR, expected by EV_Trap + + PUSH r0 ; orig_r0 ++ ; OUTPUT: r9 has ECR + .endm + + /*------------------------------------------------------------------------*/ + .macro EXCEPTION_EPILOGUE + +- ; Assumes r0 has PT_status32 ++ ; INPUT: r0 has STAT32 of calling context + btst r0, STATUS_U_BIT ; Z flag set if K, used in INTERRUPT_EPILOGUE + + add sp, sp, 8 ; orig_r0/ECR don't need restoring +-- +2.39.2 + diff --git a/tmp-4.19/arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch b/tmp-4.19/arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch new file mode 100644 index 00000000000..652387be135 --- /dev/null +++ b/tmp-4.19/arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch 
@@ -0,0 +1,89 @@
+From e4c727839b77a24016fb973f42e27538b4d5f0b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Apr 2019 19:16:37 -0700
+Subject: ARCv2: entry: push out the Z flag unclobber from common
+ EXCEPTION_PROLOGUE
+
+From: Vineet Gupta
+
+[ Upstream commit 23c0cbd0c75c3b564850294427fd2be2bc2a015b ]
+
+Upon a taken interrupt/exception from User mode, HS hardware auto sets Z flag.
+This helps shave a few instructions from EXCEPTION_PROLOGUE by eliding
+re-reading ERSTATUS and some bit fiddling.
+
+However TLB Miss Exception handler can clobber the CPU flags and still end
+up in EXCEPTION_PROLOGUE in the slow path handling TLB handling case:
+
+ EV_TLBMissD
+ do_slow_path_pf
+ EV_TLBProtV (aliased to call_do_page_fault)
+ EXCEPTION_PROLOGUE
+
+As a result, EXCEPTION_PROLOGUE need to "unclobber" the Z flag which this
+patch changes. It is now pushed out to TLB Miss Exception handler.
+The reasons beings:
+
+ - The flag restoration is only needed for slowpath TLB Miss Exception
+ handling, but currently being in EXCEPTION_PROLOGUE penalizes all
+ exceptions such as ProtV and syscall Trap, where Z flag is already
+ as expected.
+
+ - Pushing unclobber out to where it was clobbered is much cleaner and
+ also serves to document the fact.
+
+ - Makes EXCEPTION_PROLGUE similar to INTERRUPT_PROLOGUE so easier to
+ refactor the common parts which is what this series aims to do
+
+Signed-off-by: Vineet Gupta
+Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard")
+Signed-off-by: Sasha Levin
+---
+ arch/arc/include/asm/entry-arcv2.h | 8 --------
+ arch/arc/mm/tlbex.S | 11 +++++++++++
+ 2 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h
+index 1c3520d1fa420..3209a67629606 100644
+--- a/arch/arc/include/asm/entry-arcv2.h
++++ b/arch/arc/include/asm/entry-arcv2.h
+@@ -225,14 +225,6 @@
+
+ ; -- for interrupts, regs above are auto-saved by h/w in that order --
+ ; Now do what ISR prologue does (manually save r12, sp, fp, gp, r25)
+- ;
+- ; Set Z flag if this was from U mode (expected by INTERRUPT_PROLOGUE)
+- ; Although H/w exception micro-ops do set Z flag for U mode (just like
+- ; for interrupts), it could get clobbered in case we soft land here from
+- ; a TLB Miss exception handler (tlbex.S)
+-
+- and r10, r10, STATUS_U_MASK
+- xor.f 0, r10, STATUS_U_MASK
+
+ INTERRUPT_PROLOGUE exception
+
+diff --git a/arch/arc/mm/tlbex.S b/arch/arc/mm/tlbex.S
+index 0e1e47a67c736..e50cac799a518 100644
+--- a/arch/arc/mm/tlbex.S
++++ b/arch/arc/mm/tlbex.S
+@@ -396,6 +396,17 @@ EV_TLBMissD_fast_ret: ; additional label for VDK OS-kit instrumentation
+ ;-------- Common routine to call Linux Page Fault Handler -----------
+ do_slow_path_pf:
+
++#ifdef CONFIG_ISA_ARCV2
++ ; Set Z flag if exception in U mode. Hardware micro-ops do this on any
++ ; taken interrupt/exception, and thus is already the case at the entry
++ ; above, but ensuing code would have already clobbered.
++ ; EXCEPTION_PROLOGUE called in slow path, relies on correct Z flag set
++
++ lr r2, [erstatus]
++ and r2, r2, STATUS_U_MASK
++ bxor.f 0, r2, STATUS_U_BIT
++#endif
++
+ ; Restore the 4-scratch regs saved by fast path miss handler
+ TLBMISS_RESTORE_REGS
+
+--
+2.39.2
+
diff --git a/tmp-4.19/arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch b/tmp-4.19/arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch
new file mode 100644
index 00000000000..84b7ea115f7
--- /dev/null
+++ b/tmp-4.19/arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch
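Review bot: The Z flag produced by the added `bxor.f 0, r2, STATUS_U_BIT` in do_slow_path_pf has to survive TLBMISS_RESTORE_REGS and every instruction up to EXCEPTION_PROLOGUE, and nothing in the hunk records that invariant for the next person who edits this path. I would extend the new comment block with a line such as `; NOTE: nothing from here to EXCEPTION_PROLOGUE may update flags`. The sequence also uses r2 as scratch right before the restore macro, which presumably reloads it. Confirm that r2 is one of the four registers saved by the fast path, since the macro body and the rest of the routine are outside this hunk.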
@@ -0,0 +1,466 @@ +From d0fb99fc001ef3d140785f937db576f9b135eadd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 May 2019 15:36:46 -0700 +Subject: ARCv2: entry: rewrite to enable use of double load/stores LDD/STD + +From: Vineet Gupta + +[ Upstream commit a4880801a72ecc2dcdfa432f81a754f3e7438567 ] + + - the motivation was to be remove blatent copy-paste due to hasty support + of CONFIG_ARC_IRQ_NO_AUTOSAVE support + + - but with refactoring we could use LDD/STD to greatly optimize the code + +Signed-off-by: Vineet Gupta +Stable-dep-of: 92e2921eeafd ("ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard") +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/entry-arcv2.h | 297 ++++++++++++++--------------- + arch/arc/include/asm/linkage.h | 18 ++ + arch/arc/kernel/asm-offsets.c | 7 + + arch/arc/kernel/entry-arcv2.S | 4 +- + 4 files changed, 167 insertions(+), 159 deletions(-) + +diff --git a/arch/arc/include/asm/entry-arcv2.h b/arch/arc/include/asm/entry-arcv2.h +index beaf655666cbd..0733752ce7fe8 100644 +--- a/arch/arc/include/asm/entry-arcv2.h ++++ b/arch/arc/include/asm/entry-arcv2.h +@@ -46,7 +46,8 @@ + */ + + /*------------------------------------------------------------------------*/ +-.macro INTERRUPT_PROLOGUE called_from ++.macro INTERRUPT_PROLOGUE ++ + ; (A) Before jumping to Interrupt Vector, hardware micro-ops did following: + ; 1. SP auto-switched to kernel mode stack + ; 2. 
STATUS32.Z flag set if in U mode at time of interrupt (U:1,K:0) +@@ -57,39 +58,87 @@ + ; (B) Manually saved some regs: r12,r25,r30, sp,fp,gp, ACCL pair + + #ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE +-.ifnc \called_from, exception +- st.as r9, [sp, -10] ; save r9 in it's final stack slot +- sub sp, sp, 12 ; skip JLI, LDI, EI +- +- PUSH lp_count +- PUSHAX lp_start +- PUSHAX lp_end +- PUSH blink +- +- PUSH r11 +- PUSH r10 +- +- sub sp, sp, 4 ; skip r9 +- +- PUSH r8 +- PUSH r7 +- PUSH r6 +- PUSH r5 +- PUSH r4 +- PUSH r3 +- PUSH r2 +- PUSH r1 +- PUSH r0 +-.endif +-#endif ++ ; carve pt_regs on stack (case #3), PC/STAT32 already on stack ++ sub sp, sp, SZ_PT_REGS - 8 + +-#ifdef CONFIG_ARC_HAS_ACCL_REGS +- PUSH r59 +- PUSH r58 ++ __SAVE_REGFILE_HARD ++#else ++ ; carve pt_regs on stack (case #4), which grew partially already ++ sub sp, sp, PT_r0 + #endif + +- PUSH r30 +- PUSH r12 ++ __SAVE_REGFILE_SOFT ++.endm ++ ++/*------------------------------------------------------------------------*/ ++.macro EXCEPTION_PROLOGUE ++ ++ ; (A) Before jumping to Exception Vector, hardware micro-ops did following: ++ ; 1. SP auto-switched to kernel mode stack ++ ; 2. STATUS32.Z flag set if in U mode at time of exception (U:1,K:0) ++ ; ++ ; (B) Manually save the complete reg file below ++ ++ sub sp, sp, SZ_PT_REGS ; carve pt_regs ++ ++ ; _HARD saves r10 clobbered by _SOFT as scratch hence comes first ++ ++ __SAVE_REGFILE_HARD ++ __SAVE_REGFILE_SOFT ++ ++ st r0, [sp] ; orig_r0 ++ ++ lr r10, [eret] ++ lr r11, [erstatus] ++ ST2 r10, r11, PT_ret ++ ++ lr r10, [ecr] ++ lr r11, [erbta] ++ ST2 r10, r11, PT_event ++ mov r9, r10 ++ ++ ; OUTPUT: r9 has ECR ++.endm ++ ++/*------------------------------------------------------------------------ ++ * This macro saves the registers manually which would normally be autosaved ++ * by hardware on taken interrupts. 
It is used by ++ * - exception handlers (which don't have autosave) ++ * - interrupt autosave disabled due to CONFIG_ARC_IRQ_NO_AUTOSAVE ++ */ ++.macro __SAVE_REGFILE_HARD ++ ++ ST2 r0, r1, PT_r0 ++ ST2 r2, r3, PT_r2 ++ ST2 r4, r5, PT_r4 ++ ST2 r6, r7, PT_r6 ++ ST2 r8, r9, PT_r8 ++ ST2 r10, r11, PT_r10 ++ ++ st blink, [sp, PT_blink] ++ ++ lr r10, [lp_end] ++ lr r11, [lp_start] ++ ST2 r10, r11, PT_lpe ++ ++ st lp_count, [sp, PT_lpc] ++ ++ ; skip JLI, LDI, EI for now ++.endm ++ ++/*------------------------------------------------------------------------ ++ * This macros saves a bunch of other registers which can't be autosaved for ++ * various reasons: ++ * - r12: the last caller saved scratch reg since hardware saves in pairs so r0-r11 ++ * - r30: free reg, used by gcc as scratch ++ * - ACCL/ACCH pair when they exist ++ */ ++.macro __SAVE_REGFILE_SOFT ++ ++ ST2 gp, fp, PT_r26 ; gp (r26), fp (r27) ++ ++ st r12, [sp, PT_sp + 4] ++ st r30, [sp, PT_sp + 8] + + ; Saving pt_regs->sp correctly requires some extra work due to the way + ; Auto stack switch works +@@ -100,46 +149,32 @@ + ; 2. 
Upon entry SP is always saved (for any inspection, unwinding etc), + ; but on return, restored only if U mode + +- lr r9, [AUX_USER_SP] ; U mode SP ++ lr r10, [AUX_USER_SP] ; U mode SP + +- mov.nz r9, sp +- add.nz r9, r9, SZ_PT_REGS - PT_sp - 4 ; K mode SP ++ ; ISA requires ADD.nz to have same dest and src reg operands ++ mov.nz r10, sp ++ add.nz r10, r10, SZ_PT_REGS ; K mode SP + +- PUSH r9 ; SP (pt_regs->sp) +- +- PUSH fp +- PUSH gp ++ st r10, [sp, PT_sp] ; SP (pt_regs->sp) + + #ifdef CONFIG_ARC_CURR_IN_REG +- PUSH r25 ; user_r25 ++ st r25, [sp, PT_user_r25] + GET_CURR_TASK_ON_CPU r25 +-#else +- sub sp, sp, 4 + #endif + +-.ifnc \called_from, exception +- sub sp, sp, 12 ; BTA/ECR/orig_r0 placeholder per pt_regs +-.endif ++#ifdef CONFIG_ARC_HAS_ACCL_REGS ++ ST2 r58, r59, PT_sp + 12 ++#endif + + .endm + + /*------------------------------------------------------------------------*/ +-.macro INTERRUPT_EPILOGUE called_from ++.macro __RESTORE_REGFILE_SOFT + +- ; INPUT: r0 has STAT32 of calling context +- ; INPUT: Z flag set if returning to K mode +-.ifnc \called_from, exception +- add sp, sp, 12 ; skip BTA/ECR/orig_r0 placeholderss +-.endif +- +-#ifdef CONFIG_ARC_CURR_IN_REG +- POP r25 +-#else +- add sp, sp, 4 +-#endif ++ LD2 gp, fp, PT_r26 ; gp (r26), fp (r27) + +- POP gp +- POP fp ++ ld r12, [sp, PT_sp + 4] ++ ld r30, [sp, PT_sp + 8] + + ; Restore SP (into AUX_USER_SP) only if returning to U mode + ; - for K mode, it will be implicitly restored as stack is unwound +@@ -147,129 +182,77 @@ + ; but that doesn't really matter + bz 1f + +- POPAX AUX_USER_SP ++ ld r10, [sp, PT_sp] ; SP (pt_regs->sp) ++ sr r10, [AUX_USER_SP] + 1: +- POP r12 +- POP r30 + +-#ifdef CONFIG_ARC_HAS_ACCL_REGS +- POP r58 +- POP r59 ++#ifdef CONFIG_ARC_CURR_IN_REG ++ ld r25, [sp, PT_user_r25] + #endif + +-#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE +-.ifnc \called_from, exception +- POP r0 +- POP r1 +- POP r2 +- POP r3 +- POP r4 +- POP r5 +- POP r6 +- POP r7 +- POP r8 +- POP r9 +- POP r10 +- POP r11 +- +- POP 
blink +- POPAX lp_end +- POPAX lp_start +- +- POP r9 +- mov lp_count, r9 +- +- add sp, sp, 12 ; skip JLI, LDI, EI +- ld.as r9, [sp, -10] ; reload r9 which got clobbered +-.endif ++#ifdef CONFIG_ARC_HAS_ACCL_REGS ++ LD2 r58, r59, PT_sp + 12 + #endif +- + .endm + + /*------------------------------------------------------------------------*/ +-.macro EXCEPTION_PROLOGUE ++.macro __RESTORE_REGFILE_HARD + +- ; (A) Before jumping to Exception Vector, hardware micro-ops did following: +- ; 1. SP auto-switched to kernel mode stack +- ; 2. STATUS32.Z flag set if in U mode at time of exception (U:1,K:0) +- ; +- ; (B) Manually save the complete reg file below ++ ld blink, [sp, PT_blink] + +- PUSH r9 ; freeup a register: slot of erstatus ++ LD2 r10, r11, PT_lpe ++ sr r10, [lp_end] ++ sr r11, [lp_start] + +- PUSHAX eret +- sub sp, sp, 12 ; skip JLI, LDI, EI +- PUSH lp_count +- PUSHAX lp_start +- PUSHAX lp_end +- PUSH blink ++ ld r10, [sp, PT_lpc] ; lp_count can't be target of LD ++ mov lp_count, r10 + +- PUSH r11 +- PUSH r10 ++ LD2 r0, r1, PT_r0 ++ LD2 r2, r3, PT_r2 ++ LD2 r4, r5, PT_r4 ++ LD2 r6, r7, PT_r6 ++ LD2 r8, r9, PT_r8 ++ LD2 r10, r11, PT_r10 ++.endm + +- ld.as r9, [sp, 10] ; load stashed r9 (status32 stack slot) +- lr r10, [erstatus] +- st.as r10, [sp, 10] ; save status32 at it's right stack slot + +- PUSH r9 +- PUSH r8 +- PUSH r7 +- PUSH r6 +- PUSH r5 +- PUSH r4 +- PUSH r3 +- PUSH r2 +- PUSH r1 +- PUSH r0 ++/*------------------------------------------------------------------------*/ ++.macro INTERRUPT_EPILOGUE + +- ; -- for interrupts, regs above are auto-saved by h/w in that order -- +- ; Now do what ISR prologue does (manually save r12, sp, fp, gp, r25) ++ ; INPUT: r0 has STAT32 of calling context ++ ; INPUT: Z flag set if returning to K mode + +- INTERRUPT_PROLOGUE exception ++ ; _SOFT clobbers r10 restored by _HARD hence the order + +- PUSHAX erbta +- PUSHAX ecr ; r9 contains ECR, expected by EV_Trap ++ __RESTORE_REGFILE_SOFT ++ ++#ifdef CONFIG_ARC_IRQ_NO_AUTOSAVE 
++ __RESTORE_REGFILE_HARD ++ add sp, sp, SZ_PT_REGS - 8 ++#else ++ add sp, sp, PT_r0 ++#endif + +- PUSH r0 ; orig_r0 +- ; OUTPUT: r9 has ECR + .endm + + /*------------------------------------------------------------------------*/ + .macro EXCEPTION_EPILOGUE + + ; INPUT: r0 has STAT32 of calling context +- btst r0, STATUS_U_BIT ; Z flag set if K, used in INTERRUPT_EPILOGUE +- +- add sp, sp, 8 ; orig_r0/ECR don't need restoring +- POPAX erbta +- +- INTERRUPT_EPILOGUE exception +- +- POP r0 +- POP r1 +- POP r2 +- POP r3 +- POP r4 +- POP r5 +- POP r6 +- POP r7 +- POP r8 +- POP r9 +- POP r10 +- POP r11 +- +- POP blink +- POPAX lp_end +- POPAX lp_start +- +- POP r9 +- mov lp_count, r9 +- +- add sp, sp, 12 ; skip JLI, LDI, EI +- POPAX eret +- POPAX erstatus +- +- ld.as r9, [sp, -12] ; reload r9 which got clobbered ++ ++ btst r0, STATUS_U_BIT ; Z flag set if K, used in restoring SP ++ ++ ld r10, [sp, PT_event + 4] ++ sr r10, [erbta] ++ ++ LD2 r10, r11, PT_ret ++ sr r10, [eret] ++ sr r11, [erstatus] ++ ++ __RESTORE_REGFILE_SOFT ++ __RESTORE_REGFILE_HARD ++ ++ add sp, sp, SZ_PT_REGS + .endm + + .macro FAKE_RET_FROM_EXCPN +diff --git a/arch/arc/include/asm/linkage.h b/arch/arc/include/asm/linkage.h +index 07c8e1a6c56e2..f3d29d4840d58 100644 +--- a/arch/arc/include/asm/linkage.h ++++ b/arch/arc/include/asm/linkage.h +@@ -13,6 +13,24 @@ + + #ifdef __ASSEMBLY__ + ++.macro ST2 e, o, off ++#ifdef CONFIG_ARC_HAS_LL64 ++ std \e, [sp, \off] ++#else ++ st \e, [sp, \off] ++ st \o, [sp, \off+4] ++#endif ++.endm ++ ++.macro LD2 e, o, off ++#ifdef CONFIG_ARC_HAS_LL64 ++ ldd \e, [sp, \off] ++#else ++ ld \e, [sp, \off] ++ ld \o, [sp, \off+4] ++#endif ++.endm ++ + #define ASM_NL ` /* use '`' to mark new line in macro */ + #define __ALIGN .align 4 + #define __ALIGN_STR __stringify(__ALIGN) +diff --git a/arch/arc/kernel/asm-offsets.c b/arch/arc/kernel/asm-offsets.c +index ecaf34e9235c2..e90dccecfd833 100644 +--- a/arch/arc/kernel/asm-offsets.c ++++ b/arch/arc/kernel/asm-offsets.c +@@ -58,7 
+58,14 @@ int main(void) + DEFINE(PT_r5, offsetof(struct pt_regs, r5)); + DEFINE(PT_r6, offsetof(struct pt_regs, r6)); + DEFINE(PT_r7, offsetof(struct pt_regs, r7)); ++ DEFINE(PT_r8, offsetof(struct pt_regs, r8)); ++ DEFINE(PT_r10, offsetof(struct pt_regs, r10)); ++ DEFINE(PT_r26, offsetof(struct pt_regs, r26)); + DEFINE(PT_ret, offsetof(struct pt_regs, ret)); ++ DEFINE(PT_blink, offsetof(struct pt_regs, blink)); ++ DEFINE(PT_lpe, offsetof(struct pt_regs, lp_end)); ++ DEFINE(PT_lpc, offsetof(struct pt_regs, lp_count)); ++ DEFINE(PT_user_r25, offsetof(struct pt_regs, user_r25)); + + DEFINE(SZ_CALLEE_REGS, sizeof(struct callee_regs)); + DEFINE(SZ_PT_REGS, sizeof(struct pt_regs)); +diff --git a/arch/arc/kernel/entry-arcv2.S b/arch/arc/kernel/entry-arcv2.S +index 562089d62d9d6..6cbf0ee8a20a7 100644 +--- a/arch/arc/kernel/entry-arcv2.S ++++ b/arch/arc/kernel/entry-arcv2.S +@@ -70,7 +70,7 @@ reserved: + + ENTRY(handle_interrupt) + +- INTERRUPT_PROLOGUE irq ++ INTERRUPT_PROLOGUE + + # irq control APIs local_irq_save/restore/disable/enable fiddle with + # global interrupt enable bits in STATUS32 (.IE for 1 prio, .E[] for 2 prio) +@@ -226,7 +226,7 @@ debug_marker_l1: + bset.nz r11, r11, AUX_IRQ_ACT_BIT_U ; NZ means U + sr r11, [AUX_IRQ_ACT] + +- INTERRUPT_EPILOGUE irq ++ INTERRUPT_EPILOGUE + rtie + + ;####### Return from Exception / pure kernel mode ####### +-- +2.39.2 + diff --git a/tmp-4.19/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch b/tmp-4.19/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch new file mode 100644 index 00000000000..eaed1169263 --- /dev/null +++ b/tmp-4.19/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch 
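Review bot: The offsets `PT_sp + 4`, `PT_sp + 8` and `PT_sp + 12` in `__SAVE_REGFILE_SOFT` and `__RESTORE_REGFILE_SOFT`, and `PT_event + 4` in `EXCEPTION_EPILOGUE`, encode the field order of `struct pt_regs` by hand, although the same patch adds named `DEFINE()` entries for other slots in asm-offsets.c. This is the path that saves and restores user registers across the kernel boundary, so a later reordering of the struct would store or reload the wrong slot without any build error. I would add named offsets such as `DEFINE(PT_r12, offsetof(struct pt_regs, r12));` (field name assumed, since `struct pt_regs` is not shown here) and use them in the macros. The `ST2`/`LD2` pairs on `PT_ret` and `PT_event` rely on the same adjacency and deserve a one-line comment saying which two fields each pair covers.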
@@ -0,0 +1,103 @@
+From b648318ddaf8c9c7c7a842d6e3b8fde1d8af0729 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Jun 2023 19:28:42 +0100
+Subject: ARM: 9303/1: kprobes: avoid missing-declaration warnings
+
+From: Arnd Bergmann
+
+[ Upstream commit 1b9c3ddcec6a55e15d3e38e7405e2d078db02020 ]
+
+checker_stack_use_t32strd() and kprobe_handler() can be made static since
+they are not used from other files, while coverage_start_registers()
+and __kprobes_test_case() are used from assembler code, and just need
+a declaration to avoid a warning with the global definition.
+
+arch/arm/probes/kprobes/checkers-common.c:43:18: error: no previous prototype for 'checker_stack_use_t32strd'
+arch/arm/probes/kprobes/core.c:236:16: error: no previous prototype for 'kprobe_handler'
+arch/arm/probes/kprobes/test-core.c:723:10: error: no previous prototype for 'coverage_start_registers'
+arch/arm/probes/kprobes/test-core.c:918:14: error: no previous prototype for '__kprobes_test_case_start'
+arch/arm/probes/kprobes/test-core.c:952:14: error: no previous prototype for '__kprobes_test_case_end_16'
+arch/arm/probes/kprobes/test-core.c:967:14: error: no previous prototype for '__kprobes_test_case_end_32'
+
+Fixes: 6624cf651f1a ("ARM: kprobes: collects stack consumption for store instructions")
+Fixes: 454f3e132d05 ("ARM/kprobes: Remove jprobe arm implementation")
+Acked-by: Masami Hiramatsu (Google)
+Reviewed-by: Kees Cook
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Russell King (Oracle)
+Signed-off-by: Sasha Levin
+---
+ arch/arm/probes/kprobes/checkers-common.c | 2 +-
+ arch/arm/probes/kprobes/core.c | 2 +-
+ arch/arm/probes/kprobes/opt-arm.c | 2 --
+ arch/arm/probes/kprobes/test-core.c | 2 +-
+ arch/arm/probes/kprobes/test-core.h | 4 ++++
+ 5 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/probes/kprobes/checkers-common.c b/arch/arm/probes/kprobes/checkers-common.c
+index 971119c294741..aa10e5e46ebb2 100644
+--- a/arch/arm/probes/kprobes/checkers-common.c
++++ b/arch/arm/probes/kprobes/checkers-common.c
+@@ -48,7 +48,7 @@ enum probes_insn checker_stack_use_imm_0xx(probes_opcode_t insn,
+ * Different from other insn uses imm8, the real addressing offset of
+ * STRD in T32 encoding should be imm8 * 4. See ARMARM description.
+ */
+-enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn,
++static enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn,
+ struct arch_probes_insn *asi,
+ const struct decode_header *h)
+ {
+diff --git a/arch/arm/probes/kprobes/core.c b/arch/arm/probes/kprobes/core.c
+index 62da8e2211e4b..0a7090a65bcad 100644
+--- a/arch/arm/probes/kprobes/core.c
++++ b/arch/arm/probes/kprobes/core.c
+@@ -239,7 +239,7 @@ singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb)
+ * kprobe, and that level is reserved for user kprobe handlers, so we can't
+ * risk encountering a new kprobe in an interrupt handler.
+ */
+-void __kprobes kprobe_handler(struct pt_regs *regs)
++static void __kprobes kprobe_handler(struct pt_regs *regs)
+ {
+ struct kprobe *p, *cur;
+ struct kprobe_ctlblk *kcb;
+diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c
+index cf08cb7267670..1516c340a0766 100644
+--- a/arch/arm/probes/kprobes/opt-arm.c
++++ b/arch/arm/probes/kprobes/opt-arm.c
+@@ -158,8 +158,6 @@ __arch_remove_optimized_kprobe(struct optimized_kprobe *op, int dirty)
+ }
+ }
+
+-extern void kprobe_handler(struct pt_regs *regs);
+-
+ static void
+ optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs)
+ {
+diff --git a/arch/arm/probes/kprobes/test-core.c b/arch/arm/probes/kprobes/test-core.c
+index cc237fa9b90fb..1c86c5d980c5b 100644
+--- a/arch/arm/probes/kprobes/test-core.c
++++ b/arch/arm/probes/kprobes/test-core.c
+@@ -723,7 +723,7 @@ static const char coverage_register_lookup[16] = {
+ [REG_TYPE_NOSPPCX] = COVERAGE_ANY_REG | COVERAGE_SP,
+ };
+
+-unsigned coverage_start_registers(const struct decode_header *h)
++static unsigned coverage_start_registers(const struct decode_header *h)
+ {
+ unsigned regs = 0;
+ int i;
+diff --git a/arch/arm/probes/kprobes/test-core.h b/arch/arm/probes/kprobes/test-core.h
+index 94285203e9f74..459ebda077139 100644
+--- a/arch/arm/probes/kprobes/test-core.h
++++ b/arch/arm/probes/kprobes/test-core.h
+@@ -456,3 +456,7 @@ void kprobe_thumb32_test_cases(void);
+ #else
+ void kprobe_arm_test_cases(void);
+ #endif
++
++void __kprobes_test_case_start(void);
++void __kprobes_test_case_end_16(void);
++void __kprobes_test_case_end_32(void);
+--
+2.39.2
+
diff --git a/tmp-4.19/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch b/tmp-4.19/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch
new file mode 100644
index 00000000000..be7310d817f
--- /dev/null
+++ b/tmp-4.19/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch
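Review bot: The description and the test-core.c hunk disagree about `coverage_start_registers()`: the text says it is used from assembler code and only needs a declaration, while the hunk makes it `static` and test-core.h gains prototypes only for the three `__kprobes_test_case_*` symbols. If an assembler reference to it really exists (none is visible in this hunk), internal linkage would break that reference; if none exists, the description should list the function with the ones made static. A short comment above the new prototypes, for example `/* referenced from the inline-assembly test cases */`, would also record why they stay global. The bodies of the functions touched here continue outside the quoted context.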
@@ -0,0 +1,42 @@
+From 4e52ab7d7ce44846873fd33945aadd2562facd21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 May 2023 14:28:30 +0200
+Subject: ARM: dts: BCM5301X: Drop "clock-names" from the SPI node
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki
+
+[ Upstream commit d3c8e2c5757153bbfad70019ec1decbca86f3def ]
+
+There is no such property in the SPI controller binding documentation.
+Also Linux driver doesn't look for it.
+
+This fixes:
+arch/arm/boot/dts/bcm4708-asus-rt-ac56u.dtb: spi@18029200: Unevaluated properties are not allowed ('clock-names' was unexpected)
+ From schema: Documentation/devicetree/bindings/spi/brcm,spi-bcm-qspi.yaml
+
+Signed-off-by: Rafał Miłecki
+Link: https://lore.kernel.org/r/20230503122830.3200-1-zajec5@gmail.com
+Signed-off-by: Florian Fainelli
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/bcm5301x.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi
+index 6edc4bd1e7eaf..a6406a347690e 100644
+--- a/arch/arm/boot/dts/bcm5301x.dtsi
++++ b/arch/arm/boot/dts/bcm5301x.dtsi
+@@ -468,7 +468,6 @@ spi@18029200 {
+ "spi_lr_session_done",
+ "spi_lr_overread";
+ clocks = <&iprocmed>;
+- clock-names = "iprocmed";
+ num-cs = <2>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+--
+2.39.2
+
diff --git a/tmp-4.19/arm-ep93xx-fix-missing-prototype-warnings.patch b/tmp-4.19/arm-ep93xx-fix-missing-prototype-warnings.patch
new file mode 100644
index 00000000000..1c80e49cf00
--- /dev/null
+++ b/tmp-4.19/arm-ep93xx-fix-missing-prototype-warnings.patch
@@ -0,0 +1,48 @@
+From d144f3f81fdf6521253b26f80c563d4fd016ec06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 17:30:58 +0200
+Subject: ARM: ep93xx: fix missing-prototype warnings
+
+From: Arnd Bergmann
+
+[ Upstream commit 419013740ea1e4343d8ade535d999f59fa28e460 ]
+
+ep93xx_clocksource_read() is only called from the file it is declared in,
+while ep93xx_timer_init() is declared in a header that is not included here.
+
+arch/arm/mach-ep93xx/timer-ep93xx.c:120:13: error: no previous prototype for 'ep93xx_timer_init'
+arch/arm/mach-ep93xx/timer-ep93xx.c:63:5: error: no previous prototype for 'ep93xx_clocksource_read'
+
+Fixes: 000bc17817bf ("ARM: ep93xx: switch to GENERIC_CLOCKEVENTS")
+Acked-by: Alexander Sverdlin
+Link: https://lore.kernel.org/r/20230516153109.514251-3-arnd@kernel.org
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-ep93xx/timer-ep93xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-ep93xx/timer-ep93xx.c b/arch/arm/mach-ep93xx/timer-ep93xx.c
+index de998830f534f..b07956883e165 100644
+--- a/arch/arm/mach-ep93xx/timer-ep93xx.c
++++ b/arch/arm/mach-ep93xx/timer-ep93xx.c
+@@ -9,6 +9,7 @@
+ #include
+ #include
+ #include "soc.h"
++#include "platform.h"
+
+ /*************************************************************************
+ * Timer handling for EP93xx
+@@ -60,7 +61,7 @@ static u64 notrace ep93xx_read_sched_clock(void)
+ return ret;
+ }
+
+-u64 ep93xx_clocksource_read(struct clocksource *c)
++static u64 ep93xx_clocksource_read(struct clocksource *c)
+ {
+ u64 ret;
+
+--
+2.39.2
+
diff --git a/tmp-4.19/arm-orion5x-fix-d2net-gpio-initialization.patch b/tmp-4.19/arm-orion5x-fix-d2net-gpio-initialization.patch
new file mode 100644
index 00000000000..f0266df5c4e
--- /dev/null
+++ b/tmp-4.19/arm-orion5x-fix-d2net-gpio-initialization.patch
@@ -0,0 +1,55 @@
+From f8ef1233939495c405a9faa4bd1ae7d3f581bae4 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Tue, 16 May 2023 17:31:05 +0200
+Subject: ARM: orion5x: fix d2net gpio initialization
+
+From: Arnd Bergmann
+
+commit f8ef1233939495c405a9faa4bd1ae7d3f581bae4 upstream.
+
+The DT version of this board has a custom file with the gpio
+device. However, it does nothing because the d2net_init()
+has no caller or prototype:
+
+arch/arm/mach-orion5x/board-d2net.c:101:13: error: no previous prototype for 'd2net_init'
+
+Call it from the board-dt file as intended.
+
+Fixes: 94b0bd366e36 ("ARM: orion5x: convert d2net to Device Tree")
+Reviewed-by: Andrew Lunn
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230516153109.514251-10-arnd@kernel.org
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mach-orion5x/board-dt.c | 3 +++
+ arch/arm/mach-orion5x/common.h | 6 ++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/arch/arm/mach-orion5x/board-dt.c
++++ b/arch/arm/mach-orion5x/board-dt.c
+@@ -63,6 +63,9 @@ static void __init orion5x_dt_init(void)
+ if (of_machine_is_compatible("maxtor,shared-storage-2"))
+ mss2_init();
+
++ if (of_machine_is_compatible("lacie,d2-network"))
++ d2net_init();
++
+ of_platform_default_populate(NULL, orion5x_auxdata_lookup, NULL);
+ }
+
+--- a/arch/arm/mach-orion5x/common.h
++++ b/arch/arm/mach-orion5x/common.h
+@@ -75,6 +75,12 @@ extern void mss2_init(void);
+ static inline void mss2_init(void) {}
+ #endif
+
++#ifdef CONFIG_MACH_D2NET_DT
++void d2net_init(void);
++#else
++static inline void d2net_init(void) {}
++#endif
++
+ /*****************************************************************************
+ * Helpers to access Orion registers
+ ****************************************************************************/
diff --git a/tmp-4.19/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch b/tmp-4.19/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch
new file mode 100644
index 00000000000..26ea09779ca
--- /dev/null
+++ b/tmp-4.19/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch
@@ -0,0 +1,46 @@
+From b47a7c0f977c015c3bb169a6ccbe0fb4704473aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 May 2023 10:48:22 +0200
+Subject: arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1
+
+From: Wolfram Sang
+
+[ Upstream commit 1a2c4e5635177939a088d22fa35c6a7032725663 ]
+
+The schematics are misleading, the flow control is for HSCIF1. We need
+SCIF1 for GNSS/GPS which does not use flow control.
+
+Fixes: c6c816e22bc8 ("arm64: dts: ulcb-kf: enable SCIF1")
+Signed-off-by: Wolfram Sang
+Reviewed-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/r/20230525084823.4195-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/renesas/ulcb-kf.dtsi | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
+index 8bf3091a899c8..5abffdaf4077e 100644
+--- a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
++++ b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
+@@ -165,7 +165,7 @@ hscif0_pins: hscif0 {
+ };
+
+ scif1_pins: scif1 {
+- groups = "scif1_data_b", "scif1_ctrl";
++ groups = "scif1_data_b";
+ function = "scif1";
+ };
+
+@@ -178,7 +178,6 @@ usb0_pins: usb0 {
+ &scif1 {
+ pinctrl-0 = <&scif1_pins>;
+ pinctrl-names = "default";
+- uart-has-rtscts;
+
+ status = "okay";
+ };
+--
+2.39.2
+
diff --git a/tmp-4.19/asoc-es8316-increment-max-value-for-alc-capture-targ.patch b/tmp-4.19/asoc-es8316-increment-max-value-for-alc-capture-targ.patch
new file mode 100644
index 00000000000..3380105e7d4
--- /dev/null
+++ b/tmp-4.19/asoc-es8316-increment-max-value-for-alc-capture-targ.patch
@@ -0,0 +1,91 @@
+From 8f45f8cea8f66aefea559e9624ac96ba2ff58970 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 May 2023 21:11:38 +0300
+Subject: ASoC: es8316: Increment max value for ALC Capture Target Volume
+ control
+
+From: Cristian Ciocaltea
+
+[ Upstream commit 6f073429037cd79d7311cd8236311c53f5ea8f01 ]
+
+The following error occurs when trying to restore a previously saved
+ALSA mixer state (tested on a Rock 5B board):
+
+ $ alsactl --no-ucm -f /tmp/asound.state store hw:Analog
+ $ alsactl --no-ucm -I -f /tmp/asound.state restore hw:Analog
+ alsactl: set_control:1475: Cannot write control '2:0:0:ALC Capture Target Volume:0' : Invalid argument
+
+According to ES8316 datasheet, the register at address 0x2B, which is
+related to the above mixer control, contains by default the value 0xB0.
+Considering the corresponding ALC target bits (ALCLVL) are 7:4, the
+control is initialized with 11, which is one step above the maximum
+value allowed by the driver:
+
+ ALCLVL | dB gain
+ -------+--------
+ 0000 | -16.5
+ 0001 | -15.0
+ 0010 | -13.5
+ .... | .....
+ 0111 | -6.0
+ 1000 | -4.5
+ 1001 | -3.0
+ 1010 | -1.5
+ .... | .....
+ 1111 | -1.5
+
+The tests performed using the VU meter feature (--vumeter=TYPE) of
+arecord/aplay confirm the specs are correct and there is no measured
+gain if the 1011-1111 range would have been mapped to 0 dB:
+
+ dB gain | VU meter %
+ --------+-----------
+ -6.0 | 30-31
+ -4.5 | 35-36
+ -3.0 | 42-43
+ -1.5 | 50-51
+ 0.0 | 50-51
+
+Increment the max value allowed for ALC Capture Target Volume control,
+so that it matches the hardware default. Additionally, update the
+related TLV to prevent an artificial extension of the dB gain range.
+
+Fixes: b8b88b70875a ("ASoC: add es8316 codec driver")
+Signed-off-by: Cristian Ciocaltea
+Link: https://lore.kernel.org/r/20230530181140.483936-2-cristian.ciocaltea@collabora.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/es8316.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c
+index 57130edaf3aba..834e542021fee 100644
+--- a/sound/soc/codecs/es8316.c
++++ b/sound/soc/codecs/es8316.c
+@@ -45,7 +45,12 @@ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(dac_vol_tlv, -9600, 50, 1);
+ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(adc_vol_tlv, -9600, 50, 1);
+ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_max_gain_tlv, -650, 150, 0);
+ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_min_gain_tlv, -1200, 150, 0);
+-static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_target_tlv, -1650, 150, 0);
++
++static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(alc_target_tlv,
++ 0, 10, TLV_DB_SCALE_ITEM(-1650, 150, 0),
++ 11, 11, TLV_DB_SCALE_ITEM(-150, 0, 0),
++);
++
+ static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(hpmixer_gain_tlv,
+ 0, 4, TLV_DB_SCALE_ITEM(-1200, 150, 0),
+ 8, 11, TLV_DB_SCALE_ITEM(-450, 150, 0),
+@@ -107,7 +112,7 @@ static const struct snd_kcontrol_new es8316_snd_controls[] = {
+ alc_max_gain_tlv),
+ SOC_SINGLE_TLV("ALC Capture Min Volume", ES8316_ADC_ALC2, 0, 28, 0,
+ alc_min_gain_tlv),
+- SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 10, 0,
++ SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 11, 0,
+ alc_target_tlv),
+ SOC_SINGLE("ALC Capture Hold Time", ES8316_ADC_ALC3, 0, 10, 0),
+ SOC_SINGLE("ALC Capture Decay Time", ES8316_ADC_ALC4, 4, 10, 0),
+--
+2.39.2
+
diff --git a/tmp-4.19/bcache-remove-unnecessary-null-point-check-in-node-allocations.patch b/tmp-4.19/bcache-remove-unnecessary-null-point-check-in-node-allocations.patch
new file mode 100644
index 00000000000..0fd0e40c180
--- /dev/null
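Review bot: The new `alc_target_tlv` range pins value 11 to -1.5 dB with a zero step, and nothing in the code says why; the reason (the register default 0xB0 puts ALCLVL at 11, and settings from 1010 upward all give -1.5 dB) is recorded only in the commit message. A comment above the declaration, for example `/* ALCLVL 10 and above all give -1.5 dB; 11 is the register default */`, would keep that next to the table. The description gives ALCLVL as bits 7:4, so values 12 to 15 remain representable in the register but lie above the control maximum of 11; whether a saved mixer state can contain them is not visible in this hunk.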
+++ b/tmp-4.19/bcache-remove-unnecessary-null-point-check-in-node-allocations.patch 
@@ -0,0 +1,92 @@
+From 028ddcac477b691dd9205c92f991cc15259d033e Mon Sep 17 00:00:00 2001
+From: Zheng Wang
+Date: Thu, 15 Jun 2023 20:12:21 +0800
+Subject: bcache: Remove unnecessary NULL point check in node allocations
+
+From: Zheng Wang
+
+commit 028ddcac477b691dd9205c92f991cc15259d033e upstream.
+
+Due to the previous fix of __bch_btree_node_alloc, the return value will
+never be a NULL pointer. So IS_ERR is enough to handle the failure
+situation. Fix it by replacing IS_ERR_OR_NULL check by an IS_ERR check.
+
+Fixes: cafe56359144 ("bcache: A block layer cache")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheng Wang
+Signed-off-by: Coly Li
+Link: https://lore.kernel.org/r/20230615121223.22502-5-colyli@suse.de
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/bcache/btree.c | 10 +++++-----
+ drivers/md/bcache/super.c | 4 ++--
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -1174,7 +1174,7 @@ static struct btree *btree_node_alloc_re
+ {
+ struct btree *n = bch_btree_node_alloc(b->c, op, b->level, b->parent);
+
+- if (!IS_ERR_OR_NULL(n)) {
++ if (!IS_ERR(n)) {
+ mutex_lock(&n->write_lock);
+ bch_btree_sort_into(&b->keys, &n->keys, &b->c->sort);
+ bkey_copy_key(&n->key, &b->key);
+@@ -1377,7 +1377,7 @@ static int btree_gc_coalesce(struct btre
+ memset(new_nodes, 0, sizeof(new_nodes));
+ closure_init_stack(&cl);
+
+- while (nodes < GC_MERGE_NODES && !IS_ERR_OR_NULL(r[nodes].b))
++ while (nodes < GC_MERGE_NODES && !IS_ERR(r[nodes].b))
+ keys += r[nodes++].keys;
+
+ blocks = btree_default_blocks(b->c) * 2 / 3;
+@@ -1389,7 +1389,7 @@ static int btree_gc_coalesce(struct btre
+
+ for (i = 0; i < nodes; i++) {
+ new_nodes[i] = btree_node_alloc_replacement(r[i].b, NULL);
+- if (IS_ERR_OR_NULL(new_nodes[i]))
++ if (IS_ERR(new_nodes[i]))
+ goto out_nocoalesce;
+ }
+
+@@ -1524,7 +1524,7 @@ out_nocoalesce:
+ atomic_dec(&b->c->prio_blocked);
+
+ for (i = 0; i < nodes; i++)
+- if (!IS_ERR_OR_NULL(new_nodes[i])) {
++ if (!IS_ERR(new_nodes[i])) {
+ btree_node_free(new_nodes[i]);
+ rw_unlock(true, new_nodes[i]);
+ }
+@@ -1706,7 +1706,7 @@ static int bch_btree_gc_root(struct btre
+ if (should_rewrite) {
+ n = btree_node_alloc_replacement(b, NULL);
+
+- if (!IS_ERR_OR_NULL(n)) {
++ if (!IS_ERR(n)) {
+ bch_btree_node_write_sync(n);
+
+ bch_btree_set_root(n);
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1576,7 +1576,7 @@ static void cache_set_flush(struct closu
+ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+- if (!IS_ERR_OR_NULL(c->root))
++ if (!IS_ERR(c->root))
+ list_add(&c->root->list, &c->btree_cache);
+
+ /* Should skip this if we're unregistering because of an error */
+@@ -1921,7 +1921,7 @@ static int run_cache_set(struct cache_se
+
+ err = "cannot allocate new btree root";
+ c->root = __bch_btree_node_alloc(c, NULL, 0, true, NULL);
+- if (IS_ERR_OR_NULL(c->root))
++ if (IS_ERR(c->root))
+ goto err;
+
+ mutex_lock(&c->root->write_lock);
diff --git a/tmp-4.19/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch b/tmp-4.19/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch
new file mode 100644
index 00000000000..ca54e71c9d2
--- /dev/null
+++ b/tmp-4.19/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch
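Review bot: In btree_gc_coalesce() the cleanup loop at `out_nocoalesce` now tests `!IS_ERR(new_nodes[i])`, but `new_nodes` is zeroed with memset() earlier in the same function and filled one entry at a time, so when an allocation fails partway the remaining entries are still NULL and would reach `btree_node_free(new_nodes[i])`. That loop depended on the NULL half of the old test and should keep `if (!IS_ERR_OR_NULL(new_nodes[i])) {`. The same concern applies to `c->root` in cache_set_flush() in super.c: it is a stored field rather than a fresh return value, and if the set can be flushed before run_cache_set() assigns it (not visible in this hunk), `list_add(&c->root->list, &c->btree_cache)` would dereference NULL, so `!IS_ERR_OR_NULL(c->root)` is the safer check there. The bodies of these functions extend beyond the quoted context.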
@@ -0,0 +1,142 @@
+From 95a55437dc49fb3342c82e61f5472a71c63d9ed0 Mon Sep 17 00:00:00 2001
+From: Michael Schmitz
+Date: Wed, 21 Jun 2023 08:17:24 +1200
+Subject: block: change all __u32 annotations to __be32 in affs_hardblocks.h
+
+From: Michael Schmitz
+
+commit 95a55437dc49fb3342c82e61f5472a71c63d9ed0 upstream.
+
+The Amiga partition parser module uses signed int for partition sector
+address and count, which will overflow for disks larger than 1 TB.
+
+Use u64 as type for sector address and size to allow using disks up to
+2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD
+format allows to specify disk sizes up to 2^128 bytes (though native
+OS limitations reduce this somewhat, to max 2^68 bytes), so check for
+u64 overflow carefully to protect against overflowing sector_t.
+
+This bug was reported originally in 2012, and the fix was created by
+the RDB author, Joanne Dow . A patch had been
+discussed and reviewed on linux-m68k at that time but never officially
+submitted (now resubmitted as patch 1 of this series).
+
+Patch 3 (this series) adds additional error checking and warning
+messages. One of the error checks now makes use of the previously
+unused rdb_CylBlocks field, which causes a 'sparse' warning
+(cast to restricted __be32).
+
+Annotate all 32 bit fields in affs_hardblocks.h as __be32, as the
+on-disk format of RDB and partition blocks is always big endian.
+
+Reported-by: Martin Steigerwald
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Message-ID: <201206192146.09327.Martin@lichtvoll.de>
+Cc: # 5.2
+Signed-off-by: Michael Schmitz
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/r/20230620201725.7020-3-schmitzmic@gmail.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/uapi/linux/affs_hardblocks.h | 68 +++++++++++++++++------------------
+ 1 file changed, 34 insertions(+), 34 deletions(-)
+
+--- a/include/uapi/linux/affs_hardblocks.h
++++ b/include/uapi/linux/affs_hardblocks.h
+@@ -7,42 +7,42 @@
+ /* Just the needed definitions for the RDB of an Amiga HD. */
+
+ struct RigidDiskBlock {
+- __u32 rdb_ID;
++ __be32 rdb_ID;
+ __be32 rdb_SummedLongs;
+- __s32 rdb_ChkSum;
+- __u32 rdb_HostID;
++ __be32 rdb_ChkSum;
++ __be32 rdb_HostID;
+ __be32 rdb_BlockBytes;
+- __u32 rdb_Flags;
+- __u32 rdb_BadBlockList;
++ __be32 rdb_Flags;
++ __be32 rdb_BadBlockList;
+ __be32 rdb_PartitionList;
+- __u32 rdb_FileSysHeaderList;
+- __u32 rdb_DriveInit;
+- __u32 rdb_Reserved1[6];
+- __u32 rdb_Cylinders;
+- __u32 rdb_Sectors;
+- __u32 rdb_Heads;
+- __u32 rdb_Interleave;
+- __u32 rdb_Park;
+- __u32 rdb_Reserved2[3];
+- __u32 rdb_WritePreComp;
+- __u32 rdb_ReducedWrite;
+- __u32 rdb_StepRate;
+- __u32 rdb_Reserved3[5];
+- __u32 rdb_RDBBlocksLo;
+- __u32 rdb_RDBBlocksHi;
+- __u32 rdb_LoCylinder;
+- __u32 rdb_HiCylinder;
+- __u32 rdb_CylBlocks;
+- __u32 rdb_AutoParkSeconds;
+- __u32 rdb_HighRDSKBlock;
+- __u32 rdb_Reserved4;
++ __be32 rdb_FileSysHeaderList;
++ __be32 rdb_DriveInit;
++ __be32 rdb_Reserved1[6];
++ __be32 rdb_Cylinders;
++ __be32 rdb_Sectors;
++ __be32 rdb_Heads;
++ __be32 rdb_Interleave;
++ __be32 rdb_Park;
++ __be32 rdb_Reserved2[3];
++ __be32 rdb_WritePreComp;
++ __be32 rdb_ReducedWrite;
++ __be32 rdb_StepRate;
++ __be32 rdb_Reserved3[5];
++ __be32 rdb_RDBBlocksLo;
++ __be32 rdb_RDBBlocksHi;
++ __be32 rdb_LoCylinder;
++ __be32 rdb_HiCylinder;
++ __be32 rdb_CylBlocks;
++ __be32 rdb_AutoParkSeconds;
++ __be32 rdb_HighRDSKBlock;
++ __be32 rdb_Reserved4;
+ char rdb_DiskVendor[8];
+ char rdb_DiskProduct[16];
+ char rdb_DiskRevision[4];
+ char rdb_ControllerVendor[8];
+ char rdb_ControllerProduct[16];
+ char rdb_ControllerRevision[4];
+- __u32 rdb_Reserved5[10];
++ __be32 rdb_Reserved5[10];
+ };
+
+ #define IDNAME_RIGIDDISK 0x5244534B /* "RDSK" */
+@@ -50,16 +50,16 @@ struct RigidDiskBlock {
+ struct PartitionBlock {
+ __be32 pb_ID;
+ __be32 pb_SummedLongs;
+- __s32 pb_ChkSum;
+- __u32 pb_HostID;
++ __be32 pb_ChkSum;
++ __be32 pb_HostID;
+ __be32 pb_Next;
+- __u32 pb_Flags;
+- __u32 pb_Reserved1[2];
+- __u32 pb_DevFlags;
++ __be32 pb_Flags;
++ __be32 pb_Reserved1[2];
++ __be32 pb_DevFlags;
+ __u8 pb_DriveName[32];
+- __u32 pb_Reserved2[15];
++ __be32 pb_Reserved2[15];
+ __be32 pb_Environment[17];
+- __u32 pb_EReserved[15];
++ __be32 pb_EReserved[15];
+ };
+
+ #define IDNAME_PARTITION 0x50415254 /* "PART" */
diff --git a/tmp-4.19/bpf-address-kcsan-report-on-bpf_lru_list.patch b/tmp-4.19/bpf-address-kcsan-report-on-bpf_lru_list.patch
new file mode 100644
index 00000000000..7569c7a2f4a
--- /dev/null
+++ b/tmp-4.19/bpf-address-kcsan-report-on-bpf_lru_list.patch
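Review bot: The two checksum fields, `rdb_ChkSum` and `pb_ChkSum`, lose their signed type in this change (`__s32` to `__be32`), and nothing in the header records that they were declared signed or that every 32-bit field is raw big-endian data taken straight from the disk. A comment above `struct RigidDiskBlock` would keep that visible to anyone writing a parser against it, for example `/* All 32-bit fields are big-endian as stored on disk: convert with be32_to_cpu() and range-check before use; the ChkSum fields were formerly typed __s32. */`. The header is UAPI, so userspace that includes it sees the new types too; whether any in-tree user relied on the signed type cannot be checked from these hunks.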
@@ -0,0 +1,177 @@
+From 2c488883c37e2823eef1b80cae4edf8e97997e0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 May 2023 21:37:48 -0700
+Subject: bpf: Address KCSAN report on bpf_lru_list
+
+From: Martin KaFai Lau
+
+[ Upstream commit ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 ]
+
+KCSAN reported a data-race when accessing node->ref.
+Although node->ref does not have to be accurate,
+take this chance to use a more common READ_ONCE() and WRITE_ONCE()
+pattern instead of data_race().
+
+There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref().
+This patch also adds bpf_lru_node_clear_ref() to do the
+WRITE_ONCE(node->ref, 0) also.
+
+==================================================================
+BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem
+
+write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1:
+__bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline]
+__bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline]
+__bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240
+bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline]
+bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline]
+bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499
+prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline]
+__htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316
+bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313
+bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200
+generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687
+bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534
+__sys_bpf+0x338/0x810
+__do_sys_bpf kernel/bpf/syscall.c:5096 [inline]
+__se_sys_bpf kernel/bpf/syscall.c:5094 [inline]
+__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+read to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0:
+bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline]
+__htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332
+bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313
+bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200
+generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687
+bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534
+__sys_bpf+0x338/0x810
+__do_sys_bpf kernel/bpf/syscall.c:5096 [inline]
+__se_sys_bpf kernel/bpf/syscall.c:5094 [inline]
+__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x01 -> 0x00
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
+==================================================================
+
+Reported-by: syzbot+ebe648a84e8784763f82@syzkaller.appspotmail.com
+Signed-off-by: Martin KaFai Lau
+Acked-by: Yonghong Song
+Link: https://lore.kernel.org/r/20230511043748.1384166-1-martin.lau@linux.dev
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/bpf_lru_list.c | 21 +++++++++++++--------
+ kernel/bpf/bpf_lru_list.h | 7 ++-----
+ 2 files changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c
+index 9b5eeff72fd37..39a0e768adc39 100644
+--- a/kernel/bpf/bpf_lru_list.c
++++ b/kernel/bpf/bpf_lru_list.c
+@@ -44,7 +44,12 @@ static struct list_head *local_pending_list(struct bpf_lru_locallist *loc_l)
+ /* bpf_lru_node helpers */
+ static bool bpf_lru_node_is_ref(const struct bpf_lru_node *node)
+ {
+- return node->ref;
++ return READ_ONCE(node->ref);
++}
++
++static void bpf_lru_node_clear_ref(struct bpf_lru_node *node)
++{
++ WRITE_ONCE(node->ref, 0);
+ }
+
+ static void bpf_lru_list_count_inc(struct bpf_lru_list *l,
+@@ -92,7 +97,7 @@ static void __bpf_lru_node_move_in(struct bpf_lru_list *l,
+
+ bpf_lru_list_count_inc(l, tgt_type);
+ node->type = tgt_type;
+- node->ref = 0;
++ bpf_lru_node_clear_ref(node);
+ list_move(&node->list, &l->lists[tgt_type]);
+ }
+
+@@ -113,7 +118,7 @@ static void __bpf_lru_node_move(struct bpf_lru_list *l,
+ bpf_lru_list_count_inc(l, tgt_type);
+ node->type = tgt_type;
+ }
+- node->ref = 0;
++ bpf_lru_node_clear_ref(node);
+
+ /* If the moving node is the next_inactive_rotation candidate,
+ * move the next_inactive_rotation pointer also.
+@@ -356,7 +361,7 @@ static void __local_list_add_pending(struct bpf_lru *lru,
+ *(u32 *)((void *)node + lru->hash_offset) = hash;
+ node->cpu = cpu;
+ node->type = BPF_LRU_LOCAL_LIST_T_PENDING;
+- node->ref = 0;
++ bpf_lru_node_clear_ref(node);
+ list_add(&node->list, local_pending_list(loc_l));
+ }
+
+@@ -422,7 +427,7 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru,
+ if (!list_empty(free_list)) {
+ node = list_first_entry(free_list, struct bpf_lru_node, list);
+ *(u32 *)((void *)node + lru->hash_offset) = hash;
+- node->ref = 0;
++ bpf_lru_node_clear_ref(node);
+ __bpf_lru_node_move(l, node, BPF_LRU_LIST_T_INACTIVE);
+ }
+
+@@ -525,7 +530,7 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru,
+ }
+
+ node->type = BPF_LRU_LOCAL_LIST_T_FREE;
+- node->ref = 0;
++ bpf_lru_node_clear_ref(node);
+ list_move(&node->list, local_free_list(loc_l));
+
+ raw_spin_unlock_irqrestore(&loc_l->lock, flags);
+@@ -571,7 +576,7 @@ static void bpf_common_lru_populate(struct bpf_lru *lru, void *buf,
+
+ node = (struct bpf_lru_node *)(buf + node_offset);
+ node->type = BPF_LRU_LIST_T_FREE;
+- node->ref = 0;
++ bpf_lru_node_clear_ref(node);
+ list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]);
+ buf += elem_size;
+ }
+@@ -597,7 +602,7 @@ static void bpf_percpu_lru_populate(struct bpf_lru *lru, void *buf,
+ node = (struct bpf_lru_node *)(buf + node_offset);
+ node->cpu = cpu;
+ node->type = BPF_LRU_LIST_T_FREE;
+- node->ref = 0;
++ bpf_lru_node_clear_ref(node);
+ list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]);
+ i++;
+ buf += elem_size;
+diff --git a/kernel/bpf/bpf_lru_list.h b/kernel/bpf/bpf_lru_list.h
+index 7d4f89b7cb841..08da78b59f0b9 100644
+--- a/kernel/bpf/bpf_lru_list.h
++++ b/kernel/bpf/bpf_lru_list.h
+@@ -66,11 +66,8 @@ struct bpf_lru {
+
+ static inline void bpf_lru_node_set_ref(struct bpf_lru_node *node)
+ {
+- /* ref is an approximation on access frequency. It does not
+- * have to be very accurate. Hence, no protection is used.
+- */
+- if (!node->ref)
+- node->ref = 1;
++ if (!READ_ONCE(node->ref))
++ WRITE_ONCE(node->ref, 1);
+ }
+
+ int bpf_lru_init(struct bpf_lru *lru, bool percpu, u32 hash_offset,
+--
+2.39.2
+
diff --git a/tmp-4.19/btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch b/tmp-4.19/btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch
new file mode 100644
index 00000000000..49404c8f14e
--- /dev/null
+++ b/tmp-4.19/btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch
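Review bot: The rewritten `bpf_lru_node_set_ref()` in bpf_lru_list.h drops the comment that said `ref` is only an approximation, so the header no longer explains why a lockless check-then-set is acceptable there. READ_ONCE()/WRITE_ONCE() mark the accesses and prevent tearing, but they do not make the test and the store atomic, and a concurrent `bpf_lru_node_clear_ref()` can still win the race; that is tolerable only because the value is a hint. I would keep a short comment such as `/* ref is an access-frequency hint; the unlocked READ_ONCE/WRITE_ONCE pair may lose an update and that is acceptable */`, with a matching one-liner on the new `bpf_lru_node_clear_ref()` in bpf_lru_list.c.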
@@ -0,0 +1,84 @@
+From b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Mon, 19 Jun 2023 17:21:47 +0100
+Subject: btrfs: fix race when deleting quota root from the dirty cow roots list
+
+From: Filipe Manana
+
+commit b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 upstream.
+
+When disabling quotas we are deleting the quota root from the list
+fs_info->dirty_cowonly_roots without taking the lock that protects it,
+which is struct btrfs_fs_info::trans_lock. This unsynchronized list
+manipulation may cause chaos if there's another concurrent manipulation
+of this list, such as when adding a root to it with
+ctree.c:add_root_to_dirty_list().
+
+This can result in all sorts of weird failures caused by a race, such as
+the following crash:
+
+ [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI
+ [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1
+ [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+ [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs]
+ [337571.279928] Code: 85 38 06 00 (...)
+ [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206
+ [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000
+ [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070
+ [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b
+ [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600
+ [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48
+ [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000
+ [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0
+ [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [337571.282874] Call Trace:
+ [337571.283101]
+ [337571.283327] ? __die_body+0x1b/0x60
+ [337571.283570] ? die_addr+0x39/0x60
+ [337571.283796] ? exc_general_protection+0x22e/0x430
+ [337571.284022] ? asm_exc_general_protection+0x22/0x30
+ [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs]
+ [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs]
+ [337571.284803] ? _raw_spin_unlock+0x15/0x30
+ [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs]
+ [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs]
+ [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs]
+ [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410
+ [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs]
+ [337571.286358] ? mod_objcg_state+0xd2/0x360
+ [337571.286577] ? refill_obj_stock+0xb0/0x160
+ [337571.286798] ? seq_release+0x25/0x30
+ [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0
+ [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0
+ [337571.287455] ? __x64_sys_ioctl+0x88/0xc0
+ [337571.287675] __x64_sys_ioctl+0x88/0xc0
+ [337571.287901] do_syscall_64+0x38/0x90
+ [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+ [337571.288352] RIP: 0033:0x7f478aaffe9b
+
+So fix this by locking struct btrfs_fs_info::trans_lock before deleting
+the quota root from that list.
+
+Fixes: bed92eae26cc ("Btrfs: qgroup implementation and prototypes")
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Filipe Manana
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/qgroup.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -1115,7 +1115,9 @@ int btrfs_quota_disable(struct btrfs_fs_
+ goto end_trans;
+ }
+
++ spin_lock(&fs_info->trans_lock);
+ list_del("a_root->dirty_list);
++ spin_unlock(&fs_info->trans_lock);
+
+ btrfs_tree_lock(quota_root->node);
+ clean_tree_block(fs_info, quota_root->node);
diff --git a/tmp-4.19/can-bcm-fix-uaf-in-bcm_proc_show.patch b/tmp-4.19/can-bcm-fix-uaf-in-bcm_proc_show.patch
new file mode 100644
index 00000000000..14dcaf380e3
--- /dev/null
+++ b/tmp-4.19/can-bcm-fix-uaf-in-bcm_proc_show.patch
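Review bot: Nothing at the new `spin_lock(&fs_info->trans_lock)` says which list the lock is guarding; the code only names the node being unlinked, while the protected list head, `fs_info->dirty_cowonly_roots`, appears in the commit message alone. A one-line comment above the lock would keep a later cleanup from dropping it, for example `/* dirty_cowonly_roots is protected by trans_lock, see add_root_to_dirty_list() */`. btrfs_quota_disable() starts and ends outside this hunk, so whether other accesses to the quota root's `dirty_list` in that function need the same lock cannot be checked here.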
@@ -0,0 +1,92 @@
+From 55c3b96074f3f9b0aee19bf93cd71af7516582bb Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Sat, 15 Jul 2023 17:25:43 +0800
+Subject: can: bcm: Fix UAF in bcm_proc_show()
+
+From: YueHaibing
+
+commit 55c3b96074f3f9b0aee19bf93cd71af7516582bb upstream.
+
+BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80
+Read of size 8 at addr ffff888155846230 by task cat/7862
+
+CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Call Trace:
+
+ dump_stack_lvl+0xd5/0x150
+ print_report+0xc1/0x5e0
+ kasan_report+0xba/0xf0
+ bcm_proc_show+0x969/0xa80
+ seq_read_iter+0x4f6/0x1260
+ seq_read+0x165/0x210
+ proc_reg_read+0x227/0x300
+ vfs_read+0x1d5/0x8d0
+ ksys_read+0x11e/0x240
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Allocated by task 7846:
+ kasan_save_stack+0x1e/0x40
+ kasan_set_track+0x21/0x30
+ __kasan_kmalloc+0x9e/0xa0
+ bcm_sendmsg+0x264b/0x44e0
+ sock_sendmsg+0xda/0x180
+ ____sys_sendmsg+0x735/0x920
+ ___sys_sendmsg+0x11d/0x1b0
+ __sys_sendmsg+0xfa/0x1d0
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Freed by task 7846:
+ kasan_save_stack+0x1e/0x40
+ kasan_set_track+0x21/0x30
+ kasan_save_free_info+0x27/0x40
+ ____kasan_slab_free+0x161/0x1c0
+ slab_free_freelist_hook+0x119/0x220
+ __kmem_cache_free+0xb4/0x2e0
+ rcu_core+0x809/0x1bd0
+
+bcm_op is freed before procfs entry be removed in bcm_release(),
+this lead to bcm_proc_show() may read the freed bcm_op.
+
+Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
+Signed-off-by: YueHaibing
+Reviewed-by: Oliver Hartkopp
+Acked-by: Oliver Hartkopp
+Link: https://lore.kernel.org/all/20230715092543.15548-1-yuehaibing@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/bcm.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1520,6 +1520,12 @@ static int bcm_release(struct socket *so
+
+ lock_sock(sk);
+
++#if IS_ENABLED(CONFIG_PROC_FS)
++ /* remove procfs entry */
++ if (net->can.bcmproc_dir && bo->bcm_proc_read)
++ remove_proc_entry(bo->procname, net->can.bcmproc_dir);
++#endif /* CONFIG_PROC_FS */
++
+ list_for_each_entry_safe(op, next, &bo->tx_ops, list)
+ bcm_remove_op(op);
+
+@@ -1555,12 +1561,6 @@ static int bcm_release(struct socket *so
+ list_for_each_entry_safe(op, next, &bo->rx_ops, list)
+ bcm_remove_op(op);
+
+-#if IS_ENABLED(CONFIG_PROC_FS)
+- /* remove procfs entry */
+- if (net->can.bcmproc_dir && bo->bcm_proc_read)
+- remove_proc_entry(bo->procname, net->can.bcmproc_dir);
+-#endif /* CONFIG_PROC_FS */
+-
+ /* remove device reference */
+ if (bo->bound) {
+ bo->bound = 0;
diff --git a/tmp-4.19/ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch b/tmp-4.19/ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch
new file mode 100644
index 00000000000..bdebd6ffa01
--- /dev/null
+++ b/tmp-4.19/ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch
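Review bot: The moved block still carries only `/* remove procfs entry */`, so the reason it now has to run before the two `bcm_remove_op()` loops is recorded nowhere in bcm_release(). Since that ordering is the whole fix for the use-after-free in bcm_proc_show(), I would extend the comment, e.g. `/* remove procfs entry first: bcm_proc_show() reads the bcm_op entries freed below */`. The call is now made with `lock_sock(sk)` held; if bcm_proc_show() ever takes the socket lock, removing the entry while a reader is active could block, which is worth confirming against the part of the file outside these hunks.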
@@ -0,0 +1,47 @@
+From 257e6172ab36ebbe295a6c9ee9a9dd0fe54c1dc2 Mon Sep 17 00:00:00 2001
+From: Xiubo Li
+Date: Wed, 28 Jun 2023 07:57:09 +0800
+Subject: ceph: don't let check_caps skip sending responses for revoke msgs
+
+From: Xiubo Li
+
+commit 257e6172ab36ebbe295a6c9ee9a9dd0fe54c1dc2 upstream.
+
+If a client sends out a cap update dropping caps with the prior 'seq'
+just before an incoming cap revoke request, then the client may drop
+the revoke because it believes it's already released the requested
+capabilities.
+
+This causes the MDS to wait indefinitely for the client to respond
+to the revoke. It's therefore always a good idea to ack the cap
+revoke request with the bumped up 'seq'.
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/61782
+Signed-off-by: Xiubo Li
+Reviewed-by: Milind Changire
+Reviewed-by: Patrick Donnelly
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ceph/caps.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -3285,6 +3285,15 @@ static void handle_cap_grant(struct inod
+ }
+ BUG_ON(cap->issued & ~cap->implemented);
+
++ /* don't let check_caps skip sending a response to MDS for revoke msgs */
++ if (le32_to_cpu(grant->op) == CEPH_CAP_OP_REVOKE) {
++ cap->mds_wanted = 0;
++ if (cap == ci->i_auth_cap)
++ check_caps = 1; /* check auth cap only */
++ else
++ check_caps = 2; /* check all caps */
++ }
++
+ if (extra_info->inline_version > 0 &&
+ extra_info->inline_version >= ci->i_inline_version) {
+ ci->i_inline_version = extra_info->inline_version;
diff --git a/tmp-4.19/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch b/tmp-4.19/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch
new file mode 100644
index 00000000000..2c4588c7317
--- /dev/null
+++ b/tmp-4.19/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch
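Review bot: `cap->mds_wanted = 0;` in the new revoke branch is the one line the block comment does not explain, and it discards whatever the client had recorded as wanted from the MDS. The comment above the branch states only the goal; a why-comment on that line would help, for example `/* force a wanted mismatch so check_caps sends an update carrying the new seq */` — that reading is inferred from the commit message and should be confirmed by the author. `check_caps` is also overwritten unconditionally here, and handle_cap_grant() continues outside the hunk, so it is worth checking that no later branch resets it to 0 for a revoke.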
@@ -0,0 +1,81 @@
+From cdce24c230c530209c4401a7acb8c7930aa81309 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Apr 2023 06:56:11 +0000
+Subject: clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe
+
+From: Feng Mingxi
+
+[ Upstream commit 8b5bf64c89c7100c921bd807ba39b2eb003061ab ]
+
+Smatch reports:
+drivers/clocksource/timer-cadence-ttc.c:529 ttc_timer_probe()
+warn: 'timer_baseaddr' from of_iomap() not released on lines: 498,508,516.
+
+timer_baseaddr may have the problem of not being released after use,
+I replaced it with the devm_of_iomap() function and added the clk_put()
+function to cleanup the "clk_ce" and "clk_cs".
+
+Fixes: e932900a3279 ("arm: zynq: Use standard timer binding")
+Fixes: 70504f311d4b ("clocksource/drivers/cadence_ttc: Convert init function to return error")
+Signed-off-by: Feng Mingxi
+Reviewed-by: Dongliang Mu
+Acked-by: Michal Simek
+Signed-off-by: Daniel Lezcano
+Link: https://lore.kernel.org/r/20230425065611.702917-1-m202271825@hust.edu.cn
+Signed-off-by: Sasha Levin
+---
+ drivers/clocksource/timer-cadence-ttc.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c
+index b1df0ded8f521..16b9bfb257564 100644
+--- a/drivers/clocksource/timer-cadence-ttc.c
++++ b/drivers/clocksource/timer-cadence-ttc.c
+@@ -494,10 +494,10 @@ static int __init ttc_timer_probe(struct platform_device *pdev)
+ * and use it. Note that the event timer uses the interrupt and it's the
+ * 2nd TTC hence the irq_of_parse_and_map(,1)
+ */
+- timer_baseaddr = of_iomap(timer, 0);
+- if (!timer_baseaddr) {
++ timer_baseaddr = devm_of_iomap(&pdev->dev, timer, 0, NULL);
++ if (IS_ERR(timer_baseaddr)) {
+ pr_err("ERROR: invalid timer base address\n");
+- return -ENXIO;
++ return PTR_ERR(timer_baseaddr);
+ }
+
+ irq = irq_of_parse_and_map(timer, 1);
+@@ -521,20 +521,27 @@ static int __init ttc_timer_probe(struct platform_device *pdev)
+ clk_ce = of_clk_get(timer, clksel);
+ if (IS_ERR(clk_ce)) {
+ pr_err("ERROR: timer input clock not found\n");
+- return PTR_ERR(clk_ce);
++ ret = PTR_ERR(clk_ce);
++ goto put_clk_cs;
+ }
+
+ ret = ttc_setup_clocksource(clk_cs, timer_baseaddr, timer_width);
+ if (ret)
+- return ret;
++ goto put_clk_ce;
+
+ ret = ttc_setup_clockevent(clk_ce, timer_baseaddr + 4, irq);
+ if (ret)
+- return ret;
++ goto put_clk_ce;
+
+ pr_info("%s #0 at %p, irq=%d\n", timer->name, timer_baseaddr, irq);
+
+ return 0;
++
++put_clk_ce:
++ clk_put(clk_ce);
++put_clk_cs:
++ clk_put(clk_cs);
++ return ret;
+ }
+
+ static const struct of_device_id ttc_timer_of_match[] = {
+--
+2.39.2
+
diff --git a/tmp-4.19/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch b/tmp-4.19/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch
new file mode 100644
index 00000000000..aefa2443a58
--- /dev/null
+++ b/tmp-4.19/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch
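Review bot: The second `goto put_clk_ce`, taken when ttc_setup_clockevent() fails, also falls through to `clk_put(clk_cs)` although ttc_setup_clocksource() has already returned success with that clock. If that helper registers a clocksource or a rate-change notifier that keeps using `clk_cs` (its body is outside these hunks), the unwind releases a clock that is still referenced. Either undo the clocksource setup on this path or release only the event clock there, for instance through a separate label that does `clk_put(clk_ce);` followed by `return ret;`. The start of ttc_timer_probe() is outside the hunks, so the earlier error returns (irq mapping, `clk_cs` lookup) could not be checked for the same kind of leak.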
@@ -0,0 +1,86 @@
+From 86fdffa20ff885a32027563da0692cd00e56eca0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Nov 2019 02:36:28 -0800
+Subject: clocksource/drivers/cadence-ttc: Use ttc driver as platform driver
+
+From: Rajan Vaja
+
+[ Upstream commit f5ac896b6a23eb46681cdbef440c1d991b04e519 ]
+
+Currently TTC driver is TIMER_OF_DECLARE type driver. Because of
+that, TTC driver may be initialized before other clock drivers. If
+TTC driver is dependent on that clock driver then initialization of
+TTC driver will failed.
+
+So use TTC driver as platform driver instead of using
+TIMER_OF_DECLARE.
+
+Signed-off-by: Rajan Vaja
+Tested-by: Michal Simek
+Acked-by: Michal Simek
+Signed-off-by: Daniel Lezcano
+Link: https://lore.kernel.org/r/1573122988-18399-1-git-send-email-rajan.vaja@xilinx.com
+Stable-dep-of: 8b5bf64c89c7 ("clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe")
+Signed-off-by: Sasha Levin
+---
+ drivers/clocksource/timer-cadence-ttc.c | 26 +++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c
+index a7eb858a84a0f..b1df0ded8f521 100644
+--- a/drivers/clocksource/timer-cadence-ttc.c
++++ b/drivers/clocksource/timer-cadence-ttc.c
+@@ -23,6 +23,8 @@
+ #include
+ #include
+ #include
++#include
++#include
+
+ /*
+ * This driver configures the 2 16/32-bit count-up timers as follows:
+@@ -472,13 +474,7 @@ static int __init ttc_setup_clockevent(struct clk *clk,
+ return err;
+ }
+
+-/**
+- * ttc_timer_init - Initialize the timer
+- *
+- * Initializes the timer hardware and register the clock source and clock event
+- * timers with Linux kernal timer framework
+- */
+-static int __init ttc_timer_init(struct device_node *timer)
++static int __init ttc_timer_probe(struct platform_device *pdev)
+ {
+ unsigned int irq;
+ void __iomem *timer_baseaddr;
+@@ -486,6 +482,7 @@ static int __init ttc_timer_init(struct device_node *timer)
+ static int initialized;
+ int clksel, ret;
+ u32 timer_width = 16;
++ struct device_node *timer = pdev->dev.of_node;
+
+ if (initialized)
+ return 0;
+@@ -540,4 +537,17 @@ static int __init ttc_timer_init(struct device_node *timer)
+ return 0;
+ }
+
+-TIMER_OF_DECLARE(ttc, "cdns,ttc", ttc_timer_init);
++static const struct of_device_id ttc_timer_of_match[] = {
++ {.compatible = "cdns,ttc"},
++ {},
++};
++
++MODULE_DEVICE_TABLE(of, ttc_timer_of_match);
++
++static struct platform_driver ttc_timer_driver = {
++ .driver = {
++ .name = "cdns_ttc_timer",
++ .of_match_table = ttc_timer_of_match,
++ },
++};
++builtin_platform_driver_probe(ttc_timer_driver, ttc_timer_probe);
+--
+2.39.2
+
diff --git a/tmp-4.19/clocksource-drivers-unify-the-names-to-timer-format.patch b/tmp-4.19/clocksource-drivers-unify-the-names-to-timer-format.patch
new file mode 100644
index 00000000000..46574bac1d9
--- /dev/null
+++ b/tmp-4.19/clocksource-drivers-unify-the-names-to-timer-format.patch
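Review bot: The kernel-doc block of the old `ttc_timer_init()` is deleted instead of being carried over, so `ttc_timer_probe()` has no description and nothing records the constraints of the new registration. `builtin_platform_driver_probe()` registers the probe for a single run at init time; as far as I know a probe registered this way cannot be deferred, so a clock that is still missing at that point makes the timer fail for good instead of retrying, which is the situation the commit message describes. I would restore the comment in updated form, e.g. `/* ttc_timer_probe - one-shot init-time probe; registers the clocksource and clockevent, deferred probing is not available */`. The body of the function lies mostly outside these hunks.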
@@ -0,0 +1,219 @@
+From ca60c700dea2b20caf43a6b9c00124a3dd36d227 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Sep 2018 05:59:23 +0200
+Subject: clocksource/drivers: Unify the names to timer-* format
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Lezcano
+
+[ Upstream commit 9d8d47ea6ec6048abc75ccc4486aff1a7db1ff4b ]
+
+In order to make some housekeeping in the directory, this patch renames
+drivers to the timer-* format in order to unify their names.
+
+There is no functional changes.
+
+Acked-by: Uwe Kleine-König
+Acked-by: Vladimir Zapolskiy
+Acked-by: Liviu Dudau
+
+Signed-off-by: Daniel Lezcano
+Stable-dep-of: 8b5bf64c89c7 ("clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe")
+Signed-off-by: Sasha Levin
+---
+ MAINTAINERS | 10 +++----
+ drivers/clocksource/Makefile | 26 +++++++++----------
+ ...-armada-370-xp.c => timer-armada-370-xp.c} | 0
+ ...adence_ttc_timer.c => timer-cadence-ttc.c} | 0
+ .../{time-efm32.c => timer-efm32.c} | 0
+ .../{fsl_ftm_timer.c => timer-fsl-ftm.c} | 0
+ .../{time-lpc32xx.c => timer-lpc32xx.c} | 0
+ .../{time-orion.c => timer-orion.c} | 0
+ .../clocksource/{owl-timer.c => timer-owl.c} | 0
+ .../{time-pistachio.c => timer-pistachio.c} | 0
+ .../{qcom-timer.c => timer-qcom.c} | 0
+ .../{versatile.c => timer-versatile.c} | 0
+ .../{vf_pit_timer.c => timer-vf-pit.c} | 0
+ .../{vt8500_timer.c => timer-vt8500.c} | 0
+ .../{zevio-timer.c => timer-zevio.c} | 0
+ 15 files changed, 18 insertions(+), 18 deletions(-)
+ rename drivers/clocksource/{time-armada-370-xp.c => timer-armada-370-xp.c} (100%)
+ rename drivers/clocksource/{cadence_ttc_timer.c => timer-cadence-ttc.c} (100%)
+ rename drivers/clocksource/{time-efm32.c => timer-efm32.c} (100%)
+ rename drivers/clocksource/{fsl_ftm_timer.c => timer-fsl-ftm.c} (100%)
+ rename drivers/clocksource/{time-lpc32xx.c => timer-lpc32xx.c} (100%)
+ rename drivers/clocksource/{time-orion.c => timer-orion.c} (100%)
+ rename drivers/clocksource/{owl-timer.c => timer-owl.c} (100%)
+ rename drivers/clocksource/{time-pistachio.c => timer-pistachio.c} (100%)
+ rename drivers/clocksource/{qcom-timer.c => timer-qcom.c} (100%)
+ rename drivers/clocksource/{versatile.c => timer-versatile.c} (100%)
+ rename drivers/clocksource/{vf_pit_timer.c => timer-vf-pit.c} (100%)
+ rename drivers/clocksource/{vt8500_timer.c => timer-vt8500.c} (100%)
+ rename drivers/clocksource/{zevio-timer.c => timer-zevio.c} (100%)
+
+diff --git a/MAINTAINERS b/MAINTAINERS
+index 3d3d7f5d1c3f1..59003315a9597 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -1180,7 +1180,7 @@ N: owl
+ F: arch/arm/mach-actions/
+ F: arch/arm/boot/dts/owl-*
+ F: arch/arm64/boot/dts/actions/
+-F: drivers/clocksource/owl-*
++F: drivers/clocksource/timer-owl*
+ F: drivers/pinctrl/actions/*
+ F: drivers/soc/actions/
+ F: include/dt-bindings/power/owl-*
+@@ -1603,7 +1603,7 @@ L: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers)
+ S: Maintained
+ F: arch/arm/boot/dts/lpc43*
+ F: drivers/clk/nxp/clk-lpc18xx*
+-F: drivers/clocksource/time-lpc32xx.c
++F: drivers/clocksource/timer-lpc32xx.c
+ F: drivers/i2c/busses/i2c-lpc2k.c
+ F: drivers/memory/pl172.c
+ F: drivers/mtd/spi-nor/nxp-spifi.c
+@@ -2219,7 +2219,7 @@ F: arch/arm/mach-vexpress/
+ F: */*/vexpress*
+ F: */*/*/vexpress*
+ F: drivers/clk/versatile/clk-vexpress-osc.c
+-F: drivers/clocksource/versatile.c
++F: drivers/clocksource/timer-versatile.c
+ N: mps2
+
+ ARM/VFP SUPPORT
+@@ -2241,7 +2241,7 @@ M: Tony Prisk
+ L: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers)
+ S: Maintained
+ F: arch/arm/mach-vt8500/
+-F: drivers/clocksource/vt8500_timer.c
++F: drivers/clocksource/timer-vt8500.c
+ F: drivers/i2c/busses/i2c-wmt.c
+ F: drivers/mmc/host/wmt-sdmmc.c
+ F: drivers/pwm/pwm-vt8500.c
+@@ -2306,7 +2306,7 @@ F: drivers/cpuidle/cpuidle-zynq.c
+ F: drivers/block/xsysace.c
+ N: zynq
+ N: xilinx
+-F: drivers/clocksource/cadence_ttc_timer.c
++F: drivers/clocksource/timer-cadence-ttc.c
+ F: drivers/i2c/busses/i2c-cadence.c
+ F: drivers/mmc/host/sdhci-of-arasan.c
+ F: drivers/edac/synopsys_edac.c
+diff --git a/drivers/clocksource/Makefile b/drivers/clocksource/Makefile
+index db51b2427e8a6..e33b21d3f9d8b 100644
+--- a/drivers/clocksource/Makefile
++++ b/drivers/clocksource/Makefile
+@@ -23,8 +23,8 @@ obj-$(CONFIG_FTTMR010_TIMER) += timer-fttmr010.o
+ obj-$(CONFIG_ROCKCHIP_TIMER) += rockchip_timer.o
+ obj-$(CONFIG_CLKSRC_NOMADIK_MTU) += nomadik-mtu.o
+ obj-$(CONFIG_CLKSRC_DBX500_PRCMU) += clksrc-dbx500-prcmu.o
+-obj-$(CONFIG_ARMADA_370_XP_TIMER) += time-armada-370-xp.o
+-obj-$(CONFIG_ORION_TIMER) += time-orion.o
++obj-$(CONFIG_ARMADA_370_XP_TIMER) += timer-armada-370-xp.o
++obj-$(CONFIG_ORION_TIMER) += timer-orion.o
+ obj-$(CONFIG_BCM2835_TIMER) += bcm2835_timer.o
+ obj-$(CONFIG_CLPS711X_TIMER) += clps711x-timer.o
+ obj-$(CONFIG_ATLAS7_TIMER) += timer-atlas7.o
+@@ -36,25 +36,25 @@ obj-$(CONFIG_SUN4I_TIMER) += sun4i_timer.o
+ obj-$(CONFIG_SUN5I_HSTIMER) += timer-sun5i.o
+ obj-$(CONFIG_MESON6_TIMER) += meson6_timer.o
+ obj-$(CONFIG_TEGRA_TIMER) += tegra20_timer.o
+-obj-$(CONFIG_VT8500_TIMER) += vt8500_timer.o
+-obj-$(CONFIG_NSPIRE_TIMER) += zevio-timer.o
++obj-$(CONFIG_VT8500_TIMER) += timer-vt8500.o
++obj-$(CONFIG_NSPIRE_TIMER) += timer-zevio.o
+ obj-$(CONFIG_BCM_KONA_TIMER) += bcm_kona_timer.o
+-obj-$(CONFIG_CADENCE_TTC_TIMER) += cadence_ttc_timer.o
+-obj-$(CONFIG_CLKSRC_EFM32) += time-efm32.o
++obj-$(CONFIG_CADENCE_TTC_TIMER) += timer-cadence-ttc.o
++obj-$(CONFIG_CLKSRC_EFM32) += timer-efm32.o
+ obj-$(CONFIG_CLKSRC_STM32) += timer-stm32.o
+ obj-$(CONFIG_CLKSRC_EXYNOS_MCT) += exynos_mct.o
+-obj-$(CONFIG_CLKSRC_LPC32XX) += time-lpc32xx.o
++obj-$(CONFIG_CLKSRC_LPC32XX) += timer-lpc32xx.o
+ obj-$(CONFIG_CLKSRC_MPS2) += mps2-timer.o
+ obj-$(CONFIG_CLKSRC_SAMSUNG_PWM) += samsung_pwm_timer.o
+-obj-$(CONFIG_FSL_FTM_TIMER) += fsl_ftm_timer.o
+-obj-$(CONFIG_VF_PIT_TIMER) += vf_pit_timer.o
+-obj-$(CONFIG_CLKSRC_QCOM) += qcom-timer.o
++obj-$(CONFIG_FSL_FTM_TIMER) += timer-fsl-ftm.o
++obj-$(CONFIG_VF_PIT_TIMER) += timer-vf-pit.o
++obj-$(CONFIG_CLKSRC_QCOM) += timer-qcom.o
+ obj-$(CONFIG_MTK_TIMER) += timer-mediatek.o
+-obj-$(CONFIG_CLKSRC_PISTACHIO) += time-pistachio.o
++obj-$(CONFIG_CLKSRC_PISTACHIO) += timer-pistachio.o
+ obj-$(CONFIG_CLKSRC_TI_32K) += timer-ti-32k.o
+ obj-$(CONFIG_CLKSRC_NPS) += timer-nps.o
+ obj-$(CONFIG_OXNAS_RPS_TIMER) += timer-oxnas-rps.o
+-obj-$(CONFIG_OWL_TIMER) += owl-timer.o
++obj-$(CONFIG_OWL_TIMER) += timer-owl.o
+ obj-$(CONFIG_SPRD_TIMER) += timer-sprd.o
+ obj-$(CONFIG_NPCM7XX_TIMER) += timer-npcm7xx.o
+
+@@ -66,7 +66,7 @@ obj-$(CONFIG_ARM_TIMER_SP804) += timer-sp804.o
+ obj-$(CONFIG_ARCH_HAS_TICK_BROADCAST) += dummy_timer.o
+ obj-$(CONFIG_KEYSTONE_TIMER) += timer-keystone.o
+ obj-$(CONFIG_INTEGRATOR_AP_TIMER) += timer-integrator-ap.o
+-obj-$(CONFIG_CLKSRC_VERSATILE) += versatile.o
++obj-$(CONFIG_CLKSRC_VERSATILE) += timer-versatile.o
+ obj-$(CONFIG_CLKSRC_MIPS_GIC) += mips-gic-timer.o
+ obj-$(CONFIG_CLKSRC_TANGO_XTAL) += tango_xtal.o
+ obj-$(CONFIG_CLKSRC_IMX_GPT) += timer-imx-gpt.o
+diff --git a/drivers/clocksource/time-armada-370-xp.c b/drivers/clocksource/timer-armada-370-xp.c
+similarity index 100%
+rename from drivers/clocksource/time-armada-370-xp.c
+rename to drivers/clocksource/timer-armada-370-xp.c
+diff --git a/drivers/clocksource/cadence_ttc_timer.c b/drivers/clocksource/timer-cadence-ttc.c
+similarity index 100%
+rename from drivers/clocksource/cadence_ttc_timer.c
+rename to drivers/clocksource/timer-cadence-ttc.c
+diff --git a/drivers/clocksource/time-efm32.c b/drivers/clocksource/timer-efm32.c
+similarity index 100%
+rename from drivers/clocksource/time-efm32.c
+rename to drivers/clocksource/timer-efm32.c
+diff --git a/drivers/clocksource/fsl_ftm_timer.c b/drivers/clocksource/timer-fsl-ftm.c
+similarity index 100%
+rename from drivers/clocksource/fsl_ftm_timer.c
+rename to drivers/clocksource/timer-fsl-ftm.c
+diff --git a/drivers/clocksource/time-lpc32xx.c b/drivers/clocksource/timer-lpc32xx.c
+similarity index 100%
+rename from drivers/clocksource/time-lpc32xx.c
+rename to drivers/clocksource/timer-lpc32xx.c
+diff --git a/drivers/clocksource/time-orion.c b/drivers/clocksource/timer-orion.c
+similarity index 100%
+rename from drivers/clocksource/time-orion.c
+rename to drivers/clocksource/timer-orion.c
+diff --git a/drivers/clocksource/owl-timer.c b/drivers/clocksource/timer-owl.c
+similarity index 100%
+rename from drivers/clocksource/owl-timer.c
+rename to drivers/clocksource/timer-owl.c
+diff --git a/drivers/clocksource/time-pistachio.c b/drivers/clocksource/timer-pistachio.c
+similarity index 100%
+rename from drivers/clocksource/time-pistachio.c
+rename to drivers/clocksource/timer-pistachio.c
+diff --git a/drivers/clocksource/qcom-timer.c b/drivers/clocksource/timer-qcom.c
+similarity index 100%
+rename from drivers/clocksource/qcom-timer.c
+rename to drivers/clocksource/timer-qcom.c
+diff --git a/drivers/clocksource/versatile.c b/drivers/clocksource/timer-versatile.c
+similarity index 100%
+rename from drivers/clocksource/versatile.c
+rename to drivers/clocksource/timer-versatile.c
+diff --git a/drivers/clocksource/vf_pit_timer.c b/drivers/clocksource/timer-vf-pit.c
+similarity index 100%
+rename from drivers/clocksource/vf_pit_timer.c
+rename to drivers/clocksource/timer-vf-pit.c
+diff --git a/drivers/clocksource/vt8500_timer.c b/drivers/clocksource/timer-vt8500.c
+similarity index 100%
+rename from drivers/clocksource/vt8500_timer.c
+rename to drivers/clocksource/timer-vt8500.c
+diff --git a/drivers/clocksource/zevio-timer.c b/drivers/clocksource/timer-zevio.c
+similarity index 100%
+rename from drivers/clocksource/zevio-timer.c
+rename to drivers/clocksource/timer-zevio.c
+--
+2.39.2
+
diff --git a/tmp-4.19/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch b/tmp-4.19/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch
new file mode 100644
index 00000000000..a6e1f3d77f7
--- /dev/null
+++ b/tmp-4.19/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch
@@ -0,0 +1,88 @@
+From 0c67a96251f802879d2f45c09aaab210c2981721 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 May 2023 15:33:34 -0700
+Subject: crypto: nx - fix build warnings when DEBUG_FS is not enabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap
+
+[ Upstream commit b04b076fb56560b39d695ac3744db457e12278fd ]
+
+Fix build warnings when DEBUG_FS is not enabled by using an empty
+do-while loop instead of a value:
+
+In file included from ../drivers/crypto/nx/nx.c:27:
+../drivers/crypto/nx/nx.c: In function 'nx_register_algs':
+../drivers/crypto/nx/nx.h:173:33: warning: statement with no effect [-Wunused-value]
+ 173 | #define NX_DEBUGFS_INIT(drv) (0)
+../drivers/crypto/nx/nx.c:573:9: note: in expansion of macro 'NX_DEBUGFS_INIT'
+ 573 | NX_DEBUGFS_INIT(&nx_driver);
+../drivers/crypto/nx/nx.c: In function 'nx_remove':
+../drivers/crypto/nx/nx.h:174:33: warning: statement with no effect [-Wunused-value]
+ 174 | #define NX_DEBUGFS_FINI(drv) (0)
+../drivers/crypto/nx/nx.c:793:17: note: in expansion of macro 'NX_DEBUGFS_FINI'
+ 793 | NX_DEBUGFS_FINI(&nx_driver);
+
+Also, there is no need to build nx_debugfs.o when DEBUG_FS is not
+enabled, so change the Makefile to accommodate that.
+
+Fixes: ae0222b7289d ("powerpc/crypto: nx driver code supporting nx encryption")
+Fixes: aef7b31c8833 ("powerpc/crypto: Build files for the nx device driver")
+Signed-off-by: Randy Dunlap
+Cc: Breno Leitão
+Cc: Nayna Jain
+Cc: Paulo Flabiano Smorigo
+Cc: Herbert Xu
+Cc: "David S. Miller"
+Cc: linux-crypto@vger.kernel.org
+Cc: Michael Ellerman
+Cc: Nicholas Piggin
+Cc: Christophe Leroy
+Cc: linuxppc-dev@lists.ozlabs.org
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/crypto/nx/Makefile | 2 +-
+ drivers/crypto/nx/nx.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/nx/Makefile b/drivers/crypto/nx/Makefile
+index 015155da59c29..76139865d7fa1 100644
+--- a/drivers/crypto/nx/Makefile
++++ b/drivers/crypto/nx/Makefile
+@@ -1,7 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0
+ obj-$(CONFIG_CRYPTO_DEV_NX_ENCRYPT) += nx-crypto.o
+ nx-crypto-objs := nx.o \
+- nx_debugfs.o \
+ nx-aes-cbc.o \
+ nx-aes-ecb.o \
+ nx-aes-gcm.o \
+@@ -11,6 +10,7 @@ nx-crypto-objs := nx.o \
+ nx-sha256.o \
+ nx-sha512.o
+
++nx-crypto-$(CONFIG_DEBUG_FS) += nx_debugfs.o
+ obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_PSERIES) += nx-compress-pseries.o nx-compress.o
+ obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_POWERNV) += nx-compress-powernv.o nx-compress.o
+ nx-compress-objs := nx-842.o
+diff --git a/drivers/crypto/nx/nx.h b/drivers/crypto/nx/nx.h
+index c3e54af18645c..ebad937a9545c 100644
+--- a/drivers/crypto/nx/nx.h
++++ b/drivers/crypto/nx/nx.h
+@@ -180,8 +180,8 @@ struct nx_sg *nx_walk_and_build(struct nx_sg *, unsigned int,
+ int nx_debugfs_init(struct nx_crypto_driver *);
+ void nx_debugfs_fini(struct nx_crypto_driver *);
+ #else
+-#define NX_DEBUGFS_INIT(drv) (0)
+-#define NX_DEBUGFS_FINI(drv) (0)
++#define NX_DEBUGFS_INIT(drv) do {} while (0)
++#define NX_DEBUGFS_FINI(drv) do {} while (0)
+ #endif
+
+ #define NX_PAGE_NUM(x) ((u64)(x) & 0xfffffffffffff000ULL)
+--
+2.39.2
+
diff --git a/tmp-4.19/debugobjects-recheck-debug_objects_enabled-before-re.patch b/tmp-4.19/debugobjects-recheck-debug_objects_enabled-before-re.patch
new file mode 100644
index 00000000000..e8a1d10593c
--- /dev/null
+++ b/tmp-4.19/debugobjects-recheck-debug_objects_enabled-before-re.patch
@@ -0,0 +1,74 @@
+From 233f69239c9aa2b9be0322933feb055562d8f437 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Jun 2023 19:19:02 +0900
+Subject: debugobjects: Recheck debug_objects_enabled before reporting
+
+From: Tetsuo Handa
+
+[ Upstream commit 8b64d420fe2450f82848178506d3e3a0bd195539 ]
+
+syzbot is reporting false a positive ODEBUG message immediately after
+ODEBUG was disabled due to OOM.
+
+ [ 1062.309646][T22911] ODEBUG: Out of memory. ODEBUG disabled
+ [ 1062.886755][ T5171] ------------[ cut here ]------------
+ [ 1062.892770][ T5171] ODEBUG: assert_init not available (active state 0) object: ffffc900056afb20 object type: timer_list hint: process_timeout+0x0/0x40
+
+ CPU 0 [ T5171] CPU 1 [T22911]
+ -------------- --------------
+ debug_object_assert_init() {
+ if (!debug_objects_enabled)
+ return;
+ db = get_bucket(addr);
+ lookup_object_or_alloc() {
+ debug_objects_enabled = 0;
+ return NULL;
+ }
+ debug_objects_oom() {
+ pr_warn("Out of memory. ODEBUG disabled\n");
+ // all buckets get emptied here, and
+ }
+ lookup_object_or_alloc(addr, db, descr, false, true) {
+ // this bucket is already empty.
+ return ERR_PTR(-ENOENT);
+ }
+ // Emits false positive warning.
+ debug_print_object(&o, "assert_init");
+ }
+
+Recheck debug_object_enabled in debug_print_object() to avoid that.
+
+Reported-by: syzbot
+Suggested-by: Thomas Gleixner
+Signed-off-by: Tetsuo Handa
+Signed-off-by: Thomas Gleixner
+Link: https://lore.kernel.org/r/492fe2ae-5141-d548-ebd5-62f5fe2e57f7@I-love.SAKURA.ne.jp
+Closes: https://syzkaller.appspot.com/bug?extid=7937ba6a50bdd00fffdf
+Signed-off-by: Sasha Levin
+---
+ lib/debugobjects.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/debugobjects.c b/lib/debugobjects.c
+index 5f23d896df55a..62d095fd0c52a 100644
+--- a/lib/debugobjects.c
++++ b/lib/debugobjects.c
+@@ -371,6 +371,15 @@ static void debug_print_object(struct debug_obj *obj, char *msg)
+ struct debug_obj_descr *descr = obj->descr;
+ static int limit;
+
++ /*
++ * Don't report if lookup_object_or_alloc() by the current thread
++ * failed because lookup_object_or_alloc()/debug_objects_oom() by a
++ * concurrent thread turned off debug_objects_enabled and cleared
++ * the hash buckets.
++ */
++ if (!debug_objects_enabled)
++ return;
++
+ if (limit < 5 && descr != descr_test) {
+ void *hint = descr->debug_hint ?
+ descr->debug_hint(obj->object) : NULL;
+--
+2.39.2
+
diff --git a/tmp-4.19/drm-amdgpu-validate-vm-ioctl-flags.patch b/tmp-4.19/drm-amdgpu-validate-vm-ioctl-flags.patch
new file mode 100644
index 00000000000..79e55af997d
--- /dev/null
+++ b/tmp-4.19/drm-amdgpu-validate-vm-ioctl-flags.patch
@@ -0,0 +1,33 @@
+From a2b308044dcaca8d3e580959a4f867a1d5c37fac Mon Sep 17 00:00:00 2001
+From: Bas Nieuwenhuizen
+Date: Sat, 13 May 2023 14:51:00 +0200
+Subject: drm/amdgpu: Validate VM ioctl flags.
+
+From: Bas Nieuwenhuizen
+
+commit a2b308044dcaca8d3e580959a4f867a1d5c37fac upstream.
+
+None have been defined yet, so reject anybody setting any. Mesa sets
+it to 0 anyway.
+
+Signed-off-by: Bas Nieuwenhuizen
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+@@ -2989,6 +2989,10 @@ int amdgpu_vm_ioctl(struct drm_device *d
+ struct amdgpu_fpriv *fpriv = filp->driver_priv;
+ int r;
+
++ /* No valid flags defined yet */
++ if (args->in.flags)
++ return -EINVAL;
++
+ switch (args->in.op) {
+ case AMDGPU_VM_OP_RESERVE_VMID:
+ /* current, we only have requirement to reserve vmid from gfxhub */
diff --git a/tmp-4.19/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch b/tmp-4.19/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch
new file mode 100644
index 00000000000..f1faf8d442d
--- /dev/null
+++ b/tmp-4.19/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch
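Review bot: The comment on the new `if (args->in.flags) return -EINVAL;` check in amdgpu_vm_ioctl() says only `/* No valid flags defined yet */`, which leaves out why unknown bits are refused rather than ignored. A wording such as `/* No flags defined yet: reject any set bit so it can be given a meaning later without breaking old userspace */` records the uAPI reason for the next person who adds a flag. The hunk also does not show whether the `switch (args->in.op)` below has a `default:` that returns -EINVAL; unknown op values deserve the same treatment as unknown flags. The function body continues outside the hunk.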
@@ -0,0 +1,91 @@
+From 4e076c73e4f6e90816b30fcd4a0d7ab365087255 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter
+Date: Fri, 21 Jul 2023 15:58:38 +0200
+Subject: drm/atomic: Fix potential use-after-free in nonblocking commits
+
+From: Daniel Vetter
+
+commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream.
+
+This requires a bit of background. Properly done a modeset driver's
+unload/remove sequence should be
+
+ drm_dev_unplug();
+ drm_atomic_helper_shutdown();
+ drm_dev_put();
+
+The trouble is that the drm_dev_unplugged() checks are by design racy,
+they do not synchronize against all outstanding ioctl. This is because
+those ioctl could block forever (both for modeset and for driver
+specific ioctls), leading to deadlocks in hotunplug. Instead the code
+sections that touch the hardware need to be annotated with
+drm_dev_enter/exit, to avoid accessing hardware resources after the
+unload/remove has finished.
+
+To avoid use-after-free issues all the involved userspace visible
+objects are supposed to hold a reference on the underlying drm_device,
+like drm_file does.
+
+The issue now is that we missed one, the atomic modeset ioctl can be run
+in a nonblocking fashion, and in that case it cannot rely on the implied
+drm_device reference provided by the ioctl calling context. This can
+result in a use-after-free if an nonblocking atomic commit is carefully
+raced against a driver unload.
+
+Fix this by unconditionally grabbing a drm_device reference for any
+drm_atomic_state structures. Strictly speaking this isn't required for
+blocking commits and TEST_ONLY calls, but it's the simpler approach.
+
+Thanks to shanzhulig for the initial idea of grabbing an unconditional
+reference, I just added comments, a condensed commit message and fixed a
+minor potential issue in where exactly we drop the final reference.
+
+Reported-by: shanzhulig
+Suggested-by: shanzhulig
+Reviewed-by: Maxime Ripard
+Cc: Maarten Lankhorst
+Cc: Thomas Zimmermann
+Cc: David Airlie
+Cc: stable@kernel.org
+Signed-off-by: Daniel Vetter
+Signed-off-by: Daniel Vetter
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_atomic.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_atomic.c
++++ b/drivers/gpu/drm/drm_atomic.c
+@@ -91,6 +91,12 @@ drm_atomic_state_init(struct drm_device
+ if (!state->planes)
+ goto fail;
+
++ /*
++ * Because drm_atomic_state can be committed asynchronously we need our
++ * own reference and cannot rely on the on implied by drm_file in the
++ * ioctl call.
++ */
++ drm_dev_get(dev);
+ state->dev = dev;
+
+ DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state);
+@@ -250,7 +256,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear);
+ void __drm_atomic_state_free(struct kref *ref)
+ {
+ struct drm_atomic_state *state = container_of(ref, typeof(*state), ref);
+- struct drm_mode_config *config = &state->dev->mode_config;
++ struct drm_device *dev = state->dev;
++ struct drm_mode_config *config = &dev->mode_config;
+
+ drm_atomic_state_clear(state);
+
+@@ -262,6 +269,8 @@ void __drm_atomic_state_free(struct kref
+ drm_atomic_state_default_release(state);
+ kfree(state);
+ }
++
++ drm_dev_put(dev);
+ }
+ EXPORT_SYMBOL(__drm_atomic_state_free);
+
diff --git a/tmp-4.19/drm-edid-fix-uninitialized-variable-in-drm_cvt_modes.patch b/tmp-4.19/drm-edid-fix-uninitialized-variable-in-drm_cvt_modes.patch
new file mode 100644
index 00000000000..e383b4f6ec5
--- /dev/null
+++ b/tmp-4.19/drm-edid-fix-uninitialized-variable-in-drm_cvt_modes.patch
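Review bot: The comment added above `drm_dev_get(dev)` in drm_atomic_state_init() reads "cannot rely on the on implied by drm_file"; it should say `the one implied by drm_file in the ioctl call`. In __drm_atomic_state_free() nothing records why `dev` is cached in a local: the branch visible just above the new `drm_dev_put(dev)` ends in `kfree(state)`, so `state->dev` can no longer be read at that point. A short comment above the put, such as `/* state is freed above: use the saved pointer and drop the device reference last */`, would stop a later cleanup from folding it back into `state->dev` and reintroducing a use-after-free. Both functions extend beyond their hunks.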
@@ -0,0 +1,39 @@
+From 991fcb77f490390bcad89fa67d95763c58cdc04c Mon Sep 17 00:00:00 2001
+From: Lyude Paul
+Date: Thu, 5 Nov 2020 18:57:02 -0500
+Subject: drm/edid: Fix uninitialized variable in drm_cvt_modes()
+
+From: Lyude Paul
+
+commit 991fcb77f490390bcad89fa67d95763c58cdc04c upstream.
+
+Noticed this when trying to compile with -Wall on a kernel fork. We
+potentially don't set width here, which causes the compiler to complain
+about width potentially being uninitialized in drm_cvt_modes(). So, let's
+fix that.
+
+Changes since v1:
+* Don't emit an error as this code isn't reachable, just mark it as such
+Changes since v2:
+* Remove now unused variable
+
+Fixes: 3f649ab728cd ("treewide: Remove uninitialized_var() usage")
+Signed-off-by: Lyude Paul
+Reviewed-by: Ilia Mirkin
+Link: https://patchwork.freedesktop.org/patch/msgid/20201105235703.1328115-1-lyude@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_edid.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -2798,6 +2798,8 @@ static int drm_cvt_modes(struct drm_conn
+ case 0x0c:
+ width = height * 15 / 9;
+ break;
++ default:
++ unreachable();
+ }
+
+ for (j = 1; j < 5; j++) {
diff --git a/tmp-4.19/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch b/tmp-4.19/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch
new file mode 100644
index 00000000000..bcc9e6fb210
--- /dev/null
+++ b/tmp-4.19/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch
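Review bot: `unreachable()` in the new `default:` arm of drm_cvt_modes() is a promise to the compiler and not a runtime check, so if the arm is ever reached the result is undefined behaviour with `width` still unset, not a clean failure. The switch expression is outside the hunk; if it is a two-bit mask of a byte taken from the monitor's EDID (the visible `case 0x0c:` suggests so) and the other three values each have a case, the arm is dead, and a comment saying so would make that checkable: `/* all four values of the masked field are handled above */`. If any value can fall through, a defined fallback that skips the entry is the safer choice for data supplied by an attached device.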
@@ -0,0 +1,51 @@
+From e827def04dcba9582598bfa29b10f68ed4108f2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 10:50:39 +0200
+Subject: drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H
+
+From: Dario Binacchi
+
+[ Upstream commit f24b49550814fdee4a98b9552e35e243ccafd4a8 ]
+
+The previous setting was related to the overall dimension and not to the
+active display area.
+In the "PHYSICAL SPECIFICATIONS" section, the datasheet shows the
+following parameters:
+
+ ----------------------------------------------------------
+| Item | Specifications | unit |
+ ----------------------------------------------------------
+| Display area | 98.7 (W) x 57.5 (H) | mm |
+ ----------------------------------------------------------
+| Overall dimension | 105.5(W) x 67.2(H) x 4.96(D) | mm |
+ ----------------------------------------------------------
+
+Fixes: 966fea78adf2 ("drm/panel: simple: Add support for Ampire AM-480272H3TMQW-T01H")
+Signed-off-by: Dario Binacchi
+Reviewed-by: Neil Armstrong
+[narmstrong: fixed Fixes commit id length]
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/20230516085039.3797303-1-dario.binacchi@amarulasolutions.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/panel/panel-simple.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index a424afdcc77a1..35771e0e69fa6 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -405,8 +405,8 @@ static const struct panel_desc ampire_am_480272h3tmqw_t01h = {
+ .num_modes = 1,
+ .bpc = 8,
+ .size = {
+- .width = 105,
+- .height = 67,
++ .width = 99,
++ .height = 58,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X24,
+ };
+--
+2.39.2
+
diff --git a/tmp-4.19/drm-radeon-fix-possible-division-by-zero-errors.patch b/tmp-4.19/drm-radeon-fix-possible-division-by-zero-errors.patch
new file mode 100644
index 00000000000..d8ce2e8ca6f
--- /dev/null
+++ b/tmp-4.19/drm-radeon-fix-possible-division-by-zero-errors.patch
@@ -0,0 +1,94 @@
+From eeeaa3a9489dc01c08a7ac9ba2b400970310d8f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 May 2023 08:33:27 -0700
+Subject: drm/radeon: fix possible division-by-zero errors
+
+From: Nikita Zhandarovich
+
+[ Upstream commit 1becc57cd1a905e2aa0e1eca60d2a37744525c4a ]
+
+Function rv740_get_decoded_reference_divider() may return 0 due to
+unpredictable reference divider value calculated in
+radeon_atom_get_clock_dividers(). This will lead to
+division-by-zero error once that value is used as a divider
+in calculating 'clk_s'.
+While unlikely, this issue should nonetheless be prevented so add a
+sanity check for such cases by testing 'decoded_ref' value against 0.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+v2: minor coding style fixes (Alex)
+In practice this should actually happen as the vbios should be
+properly populated.
+
+Fixes: 66229b200598 ("drm/radeon/kms: add dpm support for rv7xx (v4)")
+Signed-off-by: Nikita Zhandarovich
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/radeon/cypress_dpm.c | 8 ++++++--
+ drivers/gpu/drm/radeon/ni_dpm.c | 8 ++++++--
+ drivers/gpu/drm/radeon/rv740_dpm.c | 8 ++++++--
+ 3 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/cypress_dpm.c b/drivers/gpu/drm/radeon/cypress_dpm.c
+index 3eb7899a4035b..2c637e04dfebc 100644
+--- a/drivers/gpu/drm/radeon/cypress_dpm.c
++++ b/drivers/gpu/drm/radeon/cypress_dpm.c
+@@ -558,8 +558,12 @@ static int cypress_populate_mclk_value(struct radeon_device *rdev,
+ ASIC_INTERNAL_MEMORY_SS, vco_freq)) {
+ u32 reference_clock = rdev->clock.mpll.reference_freq;
+ u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div);
+- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
+- u32 clk_v = ss.percentage *
++ u32 clk_s, clk_v;
++
++ if (!decoded_ref)
++ return -EINVAL;
++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
++ clk_v = ss.percentage *
+ (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625);
+
+ mpll_ss1 &= ~CLKV_MASK;
+diff --git a/drivers/gpu/drm/radeon/ni_dpm.c b/drivers/gpu/drm/radeon/ni_dpm.c
+index a7273c01de34b..2a9d415400f79 100644
+--- a/drivers/gpu/drm/radeon/ni_dpm.c
++++ b/drivers/gpu/drm/radeon/ni_dpm.c
+@@ -2239,8 +2239,12 @@ static int ni_populate_mclk_value(struct radeon_device *rdev,
+ ASIC_INTERNAL_MEMORY_SS, vco_freq)) {
+ u32 reference_clock = rdev->clock.mpll.reference_freq;
+ u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div);
+- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
+- u32 clk_v = ss.percentage *
++ u32 clk_s, clk_v;
++
++ if (!decoded_ref)
++ return -EINVAL;
++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
++ clk_v = ss.percentage *
+ (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625);
+
+ mpll_ss1 &= ~CLKV_MASK;
+diff --git a/drivers/gpu/drm/radeon/rv740_dpm.c b/drivers/gpu/drm/radeon/rv740_dpm.c
+index afd597ec50858..50290e93c79dc 100644
+--- a/drivers/gpu/drm/radeon/rv740_dpm.c
++++ b/drivers/gpu/drm/radeon/rv740_dpm.c
+@@ -251,8 +251,12 @@ int rv740_populate_mclk_value(struct radeon_device *rdev,
+ ASIC_INTERNAL_MEMORY_SS, vco_freq)) {
+ u32 reference_clock = rdev->clock.mpll.reference_freq;
+ u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div);
+- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
+- u32 clk_v = 0x40000 * ss.percentage *
++ u32 clk_s, clk_v;
++
++ if (!decoded_ref)
++ return -EINVAL;
++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate);
++ clk_v = 0x40000 * ss.percentage *
+ (dividers.whole_fb_div + (dividers.frac_fb_div / 8)) / (clk_s * 10000);
+
+ mpll_ss1 &= ~CLKV_MASK;
+--
+2.39.2
+
diff --git a/tmp-4.19/evm-complete-description-of-evm_inode_setattr.patch b/tmp-4.19/evm-complete-description-of-evm_inode_setattr.patch
new file mode 100644
index 00000000000..8860eb8dd28
--- /dev/null
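Review bot: The new guard in cypress_populate_mclk_value() tests only `decoded_ref`, but the divisor on the next line is `decoded_ref * ss.rate`, so a zero `ss.rate` still divides by zero, and `clk_s` is itself a divisor in the `clk_v` expression (`/ (clk_s * 625)`), where integer division leaves it 0 whenever the product exceeds `reference_clock * 5`. Both inputs appear to come from the same firmware-provided tables as the reference divider, so they deserve the same distrust. Widening the check to `if (!decoded_ref || !ss.rate) return -EINVAL;` and adding `if (!clk_s) return -EINVAL;` before the `clk_v` assignment would cover both. The identical pattern is in the ni_populate_mclk_value() and rv740_populate_mclk_value() hunks of this patch (there with `/ (clk_s * 10000)`). All three functions start and end outside their hunks.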
+++ b/tmp-4.19/evm-complete-description-of-evm_inode_setattr.patch
@@ -0,0 +1,39 @@
+From 3ed7461ec41add6315b7cb24e8bdc79b6637250c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Mar 2023 11:40:36 +0100
+Subject: evm: Complete description of evm_inode_setattr()
+
+From: Roberto Sassu
+
+[ Upstream commit b1de86d4248b273cb12c4cd7d20c08d459519f7d ]
+
+Add the description for missing parameters of evm_inode_setattr() to
+avoid the warning arising with W=n compile option.
+
+Fixes: 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm") # v3.2+
+Fixes: c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") # v6.3+
+Signed-off-by: Roberto Sassu
+Reviewed-by: Stefan Berger
+Signed-off-by: Mimi Zohar
+Signed-off-by: Sasha Levin
+---
+ security/integrity/evm/evm_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
+index 6d1efe1359f17..9c036a41e7347 100644
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -474,7 +474,9 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
+
+ /**
+ * evm_inode_setattr - prevent updating an invalid EVM extended attribute
++ * @idmap: idmap of the mount
+ * @dentry: pointer to the affected dentry
++ * @attr: iattr structure containing the new file attributes
+ *
+ * Permit update of file attributes when files have a valid EVM signature,
+ * except in the case of them having an immutable portable signature.
+--
+2.39.2
+
diff --git a/tmp-4.19/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch b/tmp-4.19/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch
new file mode 100644
index 00000000000..a63fa3f78be
--- /dev/null
+++ b/tmp-4.19/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch
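Review bot: The added `@idmap: idmap of the mount` line may describe a parameter that evm_inode_setattr() does not have in this tree. The commit's own second Fixes tag ties the idmap argument to "fs: port ->setattr() to pass mnt_idmap", marked v6.3+, while this patch is queued under tmp-4.19. If the 4.19 function still takes only the dentry and the iattr, kernel-doc would now warn about an excess parameter instead of a missing one, and the backport should keep only `@attr: iattr structure containing the new file attributes`. The function signature is outside the hunk, so this needs checking against the target tree.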
@@ -0,0 +1,54 @@ +From 6909cf5c4101214f4305a62d582a5b93c7e1eb9a Mon Sep 17 00:00:00 2001 +From: Eric Whitney +Date: Mon, 22 May 2023 14:15:20 -0400 +Subject: ext4: correct inline offset when handling xattrs in inode body + +From: Eric Whitney + +commit 6909cf5c4101214f4305a62d582a5b93c7e1eb9a upstream. + +When run on a file system where the inline_data feature has been +enabled, xfstests generic/269, generic/270, and generic/476 cause ext4 +to emit error messages indicating that inline directory entries are +corrupted. This occurs because the inline offset used to locate +inline directory entries in the inode body is not updated when an +xattr in that shared region is deleted and the region is shifted in +memory to recover the space it occupied. If the deleted xattr precedes +the system.data attribute, which points to the inline directory entries, +that attribute will be moved further up in the region. The inline +offset continues to point to whatever is located in system.data's former +location, with unfortunate effects when used to access directory entries +or (presumably) inline data in the inode body. + +Cc: stable@kernel.org +Signed-off-by: Eric Whitney +Link: https://lore.kernel.org/r/20230522181520.1570360-1-enwlinux@gmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1767,6 +1767,20 @@ static int ext4_xattr_set_entry(struct e + memmove(here, (void *)here + size, + (void *)last - (void *)here + sizeof(__u32)); + memset(last, 0, size); ++ ++ /* ++ * Update i_inline_off - moved ibody region might contain ++ * system.data attribute. Handling a failure here won't ++ * cause other complications for setting an xattr. 
++ */ ++ if (!is_block && ext4_has_inline_data(inode)) { ++ ret = ext4_find_inline_data_nolock(inode); ++ if (ret) { ++ ext4_warning_inode(inode, ++ "unable to update i_inline_off"); ++ goto out; ++ } ++ } + } else if (s->not_found) { + /* Insert new name. */ + size_t size = EXT4_XATTR_LEN(name_len); diff --git a/tmp-4.19/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch b/tmp-4.19/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch new file mode 100644 index 00000000000..2d7511bc7e1 --- /dev/null +++ b/tmp-4.19/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch @@ -0,0 +1,43 @@ +From c4d13222afd8a64bf11bc7ec68645496ee8b54b9 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 6 Jun 2023 15:32:03 +0800 +Subject: ext4: fix to check return value of freeze_bdev() in ext4_shutdown() + +From: Chao Yu + +commit c4d13222afd8a64bf11bc7ec68645496ee8b54b9 upstream. + +freeze_bdev() can fail due to a lot of reasons, it needs to check its +reason before later process. + +Fixes: 783d94854499 ("ext4: add EXT4_IOC_GOINGDOWN ioctl") +Cc: stable@kernel.org +Signed-off-by: Chao Yu +Link: https://lore.kernel.org/r/20230606073203.1310389-1-chao@kernel.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/ioctl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -561,6 +561,7 @@ static int ext4_shutdown(struct super_bl + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + __u32 flags; ++ int ret; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; +@@ -579,7 +580,9 @@ static int ext4_shutdown(struct super_bl + + switch (flags) { + case EXT4_GOING_FLAGS_DEFAULT: +- freeze_bdev(sb->s_bdev); ++ ret = freeze_bdev(sb->s_bdev); ++ if (ret) ++ return ret; + set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags); + thaw_bdev(sb->s_bdev, sb); + break; 
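Review bot: In the ext4_xattr_set_entry() hunk, the new `goto out` for a failed ext4_find_inline_data_nolock() runs after the memmove()/memset() above it have already shifted the in-inode xattr region. The caller is then told the operation failed although the entry is already gone from the buffer, and i_inline_off may still point at the old system.data location. The added comment says a failure here "won't cause other complications", but the `out` label and whatever it undoes are outside the hunk, so that cannot be checked from here. I would extend the comment to state what the inode looks like on this path, for example `/* on failure the entry is already removed and i_inline_off is stale */`, or confirm that the caller discards the modified buffer when ret is non-zero.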
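Review bot: The added `ret = freeze_bdev(sb->s_bdev); if (ret) return ret;` in the second ext4_shutdown() hunk assumes freeze_bdev() returns an int errno. The context line `thaw_bdev(sb->s_bdev, sb)` is the older two-argument form, and in kernels with that API freeze_bdev() returns a `struct super_block *` (an ERR_PTR on failure, the superblock pointer on success). If this 4.19 tree has that prototype, which the hunk does not show, the success case stores a non-zero pointer in `int ret`, hands a truncated kernel pointer back to the ioctl caller and never sets EXT4_FLAGS_SHUTDOWN. The backport would then need `struct super_block *frozen = freeze_bdev(sb->s_bdev);` followed by `if (IS_ERR(frozen)) return PTR_ERR(frozen);`, and the new `int ret` declaration can be dropped. ext4_shutdown() continues outside both hunks.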
diff --git a/tmp-4.19/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch b/tmp-4.19/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch
new file mode 100644
index 00000000000..e95434c2809
--- /dev/null
+++ b/tmp-4.19/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch
@@ -0,0 +1,35 @@
+From 247c3d214c23dfeeeb892e91a82ac1188bdaec9f Mon Sep 17 00:00:00 2001
+From: Kemeng Shi
+Date: Sat, 3 Jun 2023 23:03:18 +0800
+Subject: ext4: fix wrong unit use in ext4_mb_clear_bb
+
+From: Kemeng Shi
+
+commit 247c3d214c23dfeeeb892e91a82ac1188bdaec9f upstream.
+
+Function ext4_issue_discard need count in cluster. Pass count_clusters
+instead of count to fix the mismatch.
+
+Signed-off-by: Kemeng Shi
+Cc: stable@kernel.org
+Reviewed-by: Ojaswin Mujoo
+Link: https://lore.kernel.org/r/20230603150327.3596033-11-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/mballoc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -4948,8 +4948,8 @@ do_more:
+ * them with group lock_held
+ */
+ if (test_opt(sb, DISCARD)) {
+- err = ext4_issue_discard(sb, block_group, bit, count,
+- NULL);
++ err = ext4_issue_discard(sb, block_group, bit,
++ count_clusters, NULL);
+ if (err && err != -EOPNOTSUPP)
+ ext4_msg(sb, KERN_WARNING, "discard request in"
+ " group:%d block:%d count:%lu failed"
diff --git a/tmp-4.19/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch b/tmp-4.19/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch
new file mode 100644
index 00000000000..b3c565d8dd9
--- /dev/null
+++ b/tmp-4.19/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch
@@ -0,0 +1,92 @@ +From de25d6e9610a8b30cce9bbb19b50615d02ebca02 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Mon, 24 Apr 2023 11:38:35 +0800 +Subject: ext4: only update i_reserved_data_blocks on successful block allocation + +From: Baokun Li + +commit de25d6e9610a8b30cce9bbb19b50615d02ebca02 upstream. + +In our fault injection test, we create an ext4 file, migrate it to +non-extent based file, then punch a hole and finally trigger a WARN_ON +in the ext4_da_update_reserve_space(): + +EXT4-fs warning (device sda): ext4_da_update_reserve_space:369: +ino 14, used 11 with only 10 reserved data blocks + +When writing back a non-extent based file, if we enable delalloc, the +number of reserved blocks will be subtracted from the number of blocks +mapped by ext4_ind_map_blocks(), and the extent status tree will be +updated. We update the extent status tree by first removing the old +extent_status and then inserting the new extent_status. If the block range +we remove happens to be in an extent, then we need to allocate another +extent_status with ext4_es_alloc_extent(). + + use old to remove to add new + |----------|------------|------------| + old extent_status + +The problem is that the allocation of a new extent_status failed due to a +fault injection, and __es_shrink() did not get free memory, resulting in +a return of -ENOMEM. Then do_writepages() retries after receiving -ENOMEM, +we map to the same extent again, and the number of reserved blocks is again +subtracted from the number of blocks in that extent. Since the blocks in +the same extent are subtracted twice, we end up triggering WARN_ON at +ext4_da_update_reserve_space() because used > ei->i_reserved_data_blocks. + +For non-extent based file, we update the number of reserved blocks after +ext4_ind_map_blocks() is executed, which causes a problem that when we call +ext4_ind_map_blocks() to create a block, it doesn't always create a block, +but we always reduce the number of reserved blocks. 
So we move the logic +for updating reserved blocks to ext4_ind_map_blocks() to ensure that the +number of reserved blocks is updated only after we do succeed in allocating +some new blocks. + +Fixes: 5f634d064c70 ("ext4: Fix quota accounting error with fallocate") +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230424033846.4732-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/indirect.c | 8 ++++++++ + fs/ext4/inode.c | 10 ---------- + 2 files changed, 8 insertions(+), 10 deletions(-) + +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -642,6 +642,14 @@ int ext4_ind_map_blocks(handle_t *handle + + ext4_update_inode_fsync_trans(handle, inode, 1); + count = ar.len; ++ ++ /* ++ * Update reserved blocks/metadata blocks after successful block ++ * allocation which had been deferred till now. ++ */ ++ if (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE) ++ ext4_da_update_reserve_space(inode, count, 1); ++ + got_it: + map->m_flags |= EXT4_MAP_MAPPED; + map->m_pblk = le32_to_cpu(chain[depth-1].key); +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -668,16 +668,6 @@ found: + */ + ext4_clear_inode_state(inode, EXT4_STATE_EXT_MIGRATE); + } +- +- /* +- * Update reserved blocks/metadata blocks after successful +- * block allocation which had been deferred till now. We don't +- * support fallocate for non extent files. So we can update +- * reserve space here. +- */ +- if ((retval > 0) && +- (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE)) +- ext4_da_update_reserve_space(inode, retval, 1); + } + + if (retval > 0) { diff --git a/tmp-4.19/extcon-fix-kernel-doc-of-property-capability-fields-.patch b/tmp-4.19/extcon-fix-kernel-doc-of-property-capability-fields-.patch new file mode 100644 index 00000000000..cea1a623c9d --- /dev/null +++ b/tmp-4.19/extcon-fix-kernel-doc-of-property-capability-fields-.patch 
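Review bot: The comment added in ext4_ind_map_blocks() drops the rationale that the removed fs/ext4/inode.c comment carried ("We don't support fallocate for non extent files. So we can update reserve space here."). That sentence is what explains why the reservation may be adjusted on this path whenever EXT4_GET_BLOCKS_DELALLOC_RESERVE is set. I would keep it in the new comment and also record the placement, for example `/* must stay above got_it: only a fresh allocation consumes reserved blocks */`. The label presumably is also reached by lookups that allocate nothing, but those jumps are outside the hunk. Note too that the call now passes `count` (set from `ar.len` on the line above) where the old code passed `retval`. Both functions extend beyond the hunks shown.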
@@ -0,0 +1,46 @@
+From cc6bac4f6afd26a471e06f23c295864ecbdeab10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Mar 2023 16:39:53 +0200
+Subject: extcon: Fix kernel doc of property capability fields to avoid
+ warnings
+
+From: Andy Shevchenko
+
+[ Upstream commit 73346b9965ebda2feb7fef8629e9b28baee820e3 ]
+
+Kernel documentation has to be synchronized with a code, otherwise
+the validator is not happy:
+
+ Function parameter or member 'usb_bits' not described in 'extcon_cable'
+ Function parameter or member 'chg_bits' not described in 'extcon_cable'
+ Function parameter or member 'jack_bits' not described in 'extcon_cable'
+ Function parameter or member 'disp_bits' not described in 'extcon_cable'
+
+Describe the fields added in the past.
+
+Fixes: ceaa98f442cf ("extcon: Add the support for the capability of each property")
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Chanwoo Choi
+Signed-off-by: Sasha Levin
+---
+ drivers/extcon/extcon.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/extcon/extcon.c b/drivers/extcon/extcon.c
+index 0607806ad46e8..84fc0e48bb0e8 100644
+--- a/drivers/extcon/extcon.c
++++ b/drivers/extcon/extcon.c
+@@ -208,6 +208,10 @@ static const struct __extcon_info {
+ * @chg_propval: the array of charger connector properties
+ * @jack_propval: the array of jack connector properties
+ * @disp_propval: the array of display connector properties
++ * @usb_bits: the bit array of the USB connector property capabilities
++ * @chg_bits: the bit array of the charger connector property capabilities
++ * @jack_bits: the bit array of the jack connector property capabilities
++ * @disp_bits: the bit array of the display connector property capabilities
+ */
+ struct extcon_cable {
+ struct extcon_dev *edev;
+--
+2.39.2
+
diff --git a/tmp-4.19/extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch b/tmp-4.19/extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch
new file mode 100644
index 00000000000..1f88a64309b
--- /dev/null
+++ b/tmp-4.19/extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch
@@ -0,0 +1,45 @@
+From 707d4d01424345740571236ea3f2ca010fa11d75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Mar 2023 16:39:52 +0200
+Subject: extcon: Fix kernel doc of property fields to avoid warnings
+
+From: Andy Shevchenko
+
+[ Upstream commit 7e77e0b7a9f4cdf91cb0950749b40c840ea63efc ]
+
+Kernel documentation has to be synchronized with a code, otherwise
+the validator is not happy:
+
+ Function parameter or member 'usb_propval' not described in 'extcon_cable'
+ Function parameter or member 'chg_propval' not described in 'extcon_cable'
+ Function parameter or member 'jack_propval' not described in 'extcon_cable'
+ Function parameter or member 'disp_propval' not described in 'extcon_cable'
+
+Describe the fields added in the past.
+
+Fixes: 067c1652e7a7 ("extcon: Add the support for extcon property according to extcon type")
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Chanwoo Choi
+Signed-off-by: Sasha Levin
+---
+ drivers/extcon/extcon.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/extcon/extcon.c b/drivers/extcon/extcon.c
+index 4c70136c7aa3c..0607806ad46e8 100644
+--- a/drivers/extcon/extcon.c
++++ b/drivers/extcon/extcon.c
+@@ -204,6 +204,10 @@ static const struct __extcon_info {
+ * @attr_name: "name" sysfs entry
+ * @attr_state: "state" sysfs entry
+ * @attrs: the array pointing to attr_name and attr_state for attr_g
++ * @usb_propval: the array of USB connector properties
++ * @chg_propval: the array of charger connector properties
++ * @jack_propval: the array of jack connector properties
++ * @disp_propval: the array of display connector properties
+ */
+ struct extcon_cable {
+ struct extcon_dev *edev;
+--
+2.39.2
+
diff --git a/tmp-4.19/f2fs-fix-error-path-handling-in-truncate_dnode.patch b/tmp-4.19/f2fs-fix-error-path-handling-in-truncate_dnode.patch
new file mode 100644
index 00000000000..ae4b5d7e41c
--- /dev/null
+++ b/tmp-4.19/f2fs-fix-error-path-handling-in-truncate_dnode.patch
@@ -0,0 +1,39 @@
+From 2b0762ff7262e714b210e68c9b732895f8db7f29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jun 2023 09:41:02 +0800
+Subject: f2fs: fix error path handling in truncate_dnode()
+
+From: Chao Yu
+
+[ Upstream commit 0135c482fa97e2fd8245cb462784112a00ed1211 ]
+
+If truncate_node() fails in truncate_dnode(), it missed to call
+f2fs_put_page(), fix it.
+
+Fixes: 7735730d39d7 ("f2fs: fix to propagate error from __get_meta_page()")
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+---
+ fs/f2fs/node.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
+index 2c28f488ac2f0..9911f780e0136 100644
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -879,8 +879,10 @@ static int truncate_dnode(struct dnode_of_data *dn)
+ dn->ofs_in_node = 0;
+ f2fs_truncate_data_blocks(dn);
+ err = truncate_node(dn);
+- if (err)
++ if (err) {
++ f2fs_put_page(page, 1);
+ return err;
++ }
+
+ return 1;
+ }
+--
+2.39.2
+
diff --git a/tmp-4.19/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch b/tmp-4.19/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch
new file mode 100644
index 00000000000..5f7e9d8e903
--- /dev/null
+++ b/tmp-4.19/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch
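Review bot: The error branch in truncate_dnode() now calls `f2fs_put_page(page, 1)` while the success path two lines below still returns 1 without one, and nothing in the hunk explains the difference. Presumably truncate_node() releases the page itself when it succeeds; its body is not visible here, so that should be confirmed and then written down, for example `/* truncate_node() drops the page only on success */` above the new call. Without the comment the asymmetry reads as either a leak on success or a double put on failure. The start of truncate_dnode() is outside the hunk.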
@@ -0,0 +1,40 @@
+From d95706927c87029a0dd3db53f6b360d5e0fc788a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 15 Jul 2023 16:16:56 +0800
+Subject: fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe
+
+From: Zhang Shurong
+
+[ Upstream commit 4e88761f5f8c7869f15a2046b1a1116f4fab4ac8 ]
+
+This func misses checking for platform_get_irq()'s call and may passes the
+negative error codes to request_irq(), which takes unsigned IRQ #,
+causing it to fail with -EINVAL, overriding an original error code.
+
+Fix this by stop calling request_irq() with invalid IRQ #s.
+
+Fixes: 1630d85a8312 ("au1200fb: fix hardcoded IRQ")
+Signed-off-by: Zhang Shurong
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/au1200fb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c
+index f8e83a9519189..593c390e98629 100644
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1744,6 +1744,9 @@ static int au1200fb_drv_probe(struct platform_device *dev)
+
+ /* Now hook interrupt too */
+ irq = platform_get_irq(dev, 0);
++ if (irq < 0)
++ return irq;
++
+ ret = request_irq(irq, au1200fb_handle_irq,
+ IRQF_SHARED, "lcd", (void *)dev);
+ if (ret) {
+--
+2.39.2
+
diff --git a/tmp-4.19/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch b/tmp-4.19/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch
new file mode 100644
index 00000000000..1b145794a8b
--- /dev/null
+++ b/tmp-4.19/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch
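Review bot: The new `return irq;` in au1200fb_drv_probe() leaves the probe function directly, while the request_irq() failure just below enters an `if (ret) {` block that presumably unwinds what the probe has set up so far. If framebuffers or mappings were allocated before the "Now hook interrupt too" step, the early return leaks them on every failed probe; that earlier part of the function is not shown. I would send this failure through the same cleanup as request_irq(): set `ret = irq;` and jump to the function's existing error path instead of returning.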
@@ -0,0 +1,75 @@ +From c75f5a55061091030a13fef71b9995b89bc86213 Mon Sep 17 00:00:00 2001 +From: Zheng Wang +Date: Thu, 27 Apr 2023 11:08:41 +0800 +Subject: fbdev: imsttfb: Fix use after free bug in imsttfb_probe + +From: Zheng Wang + +commit c75f5a55061091030a13fef71b9995b89bc86213 upstream. + +A use-after-free bug may occur if init_imstt invokes framebuffer_release +and free the info ptr. The caller, imsttfb_probe didn't notice that and +still keep the ptr as private data in pdev. + +If we remove the driver which will call imsttfb_remove to make cleanup, +UAF happens. + +Fix it by return error code if bad case happens in init_imstt. + +Signed-off-by: Zheng Wang +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/imsttfb.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/video/fbdev/imsttfb.c ++++ b/drivers/video/fbdev/imsttfb.c +@@ -1348,7 +1348,7 @@ static struct fb_ops imsttfb_ops = { + .fb_ioctl = imsttfb_ioctl, + }; + +-static void init_imstt(struct fb_info *info) ++static int init_imstt(struct fb_info *info) + { + struct imstt_par *par = info->par; + __u32 i, tmp, *ip, *end; +@@ -1420,7 +1420,7 @@ static void init_imstt(struct fb_info *i + || !(compute_imstt_regvals(par, info->var.xres, info->var.yres))) { + printk("imsttfb: %ux%ux%u not supported\n", info->var.xres, info->var.yres, info->var.bits_per_pixel); + framebuffer_release(info); +- return; ++ return -ENODEV; + } + + sprintf(info->fix.id, "IMS TT (%s)", par->ramdac == IBM ? 
"IBM" : "TVP"); +@@ -1456,12 +1456,13 @@ static void init_imstt(struct fb_info *i + + if (register_framebuffer(info) < 0) { + framebuffer_release(info); +- return; ++ return -ENODEV; + } + + tmp = (read_reg_le32(par->dc_regs, SSTATUS) & 0x0f00) >> 8; + fb_info(info, "%s frame buffer; %uMB vram; chip version %u\n", + info->fix.id, info->fix.smem_len >> 20, tmp); ++ return 0; + } + + static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent) +@@ -1527,10 +1528,10 @@ static int imsttfb_probe(struct pci_dev + if (!par->cmap_regs) + goto error; + info->pseudo_palette = par->palette; +- init_imstt(info); +- +- pci_set_drvdata(pdev, info); +- return 0; ++ ret = init_imstt(info); ++ if (!ret) ++ pci_set_drvdata(pdev, info); ++ return ret; + + error: + if (par->dc_regs) diff --git a/tmp-4.19/fbdev-imxfb-warn-about-invalid-left-right-margin.patch b/tmp-4.19/fbdev-imxfb-warn-about-invalid-left-right-margin.patch new file mode 100644 index 00000000000..ddfec6a5be9 --- /dev/null +++ b/tmp-4.19/fbdev-imxfb-warn-about-invalid-left-right-margin.patch 
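Review bot: When init_imstt() fails, imsttfb_probe() now does `return ret;` and never reaches the `error:` label, so the register mappings that label releases (`if (par->dc_regs)` is visible at the end of the hunk) stay mapped after a failed probe. Jumping to `error:` as the code stands would not be safe either, because both failure branches of init_imstt() have already called framebuffer_release(info) and `par` is taken from `info->par`, which is presumably freed with it. I would remove the framebuffer_release() calls from init_imstt() so that it only reports the error, and let the probe do `ret = init_imstt(info); if (ret) goto error;` with a single unwind that unmaps first and releases info last. The register_framebuffer() branch also replaces the real error code with -ENODEV, which loses the reason for the failure. Both functions extend beyond the hunks shown.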
@@ -0,0 +1,43 @@
+From 579bc81ba8cb2dd46b633e39130cee0e0828597b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Jun 2023 15:24:37 +0200
+Subject: fbdev: imxfb: warn about invalid left/right margin
+
+From: Martin Kaiser
+
+[ Upstream commit 4e47382fbca916d7db95cbf9e2d7ca2e9d1ca3fe ]
+
+Warn about invalid var->left_margin or var->right_margin. Their values
+are read from the device tree.
+
+We store var->left_margin-3 and var->right_margin-1 in register
+fields. These fields should be >= 0.
+
+Fixes: 7e8549bcee00 ("imxfb: Fix margin settings")
+Signed-off-by: Martin Kaiser
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/imxfb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c
+index c4eb8661f7516..8ec260ed9a6f6 100644
+--- a/drivers/video/fbdev/imxfb.c
++++ b/drivers/video/fbdev/imxfb.c
+@@ -601,10 +601,10 @@ static int imxfb_activate_var(struct fb_var_screeninfo *var, struct fb_info *inf
+ if (var->hsync_len < 1 || var->hsync_len > 64)
+ printk(KERN_ERR "%s: invalid hsync_len %d\n",
+ info->fix.id, var->hsync_len);
+- if (var->left_margin > 255)
++ if (var->left_margin < 3 || var->left_margin > 255)
+ printk(KERN_ERR "%s: invalid left_margin %d\n",
+ info->fix.id, var->left_margin);
+- if (var->right_margin > 255)
++ if (var->right_margin < 1 || var->right_margin > 255)
+ printk(KERN_ERR "%s: invalid right_margin %d\n",
+ info->fix.id, var->right_margin);
+ if (var->yres < 1 || var->yres > ymax_mask)
+--
+2.39.2
+
diff --git a/tmp-4.19/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch b/tmp-4.19/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch
new file mode 100644
index 00000000000..0fa55d2e7b1
--- /dev/null
+++ b/tmp-4.19/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch
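Review bot: The two widened checks in imxfb_activate_var() still only print with `printk(KERN_ERR ...)` and fall through, so a device tree that supplies left_margin < 3 or right_margin < 1 is reported but the value is used anyway. The commit message says left_margin-3 and right_margin-1 are what end up in the register fields. If those are computed from unsigned values later in the function, which the hunk does not show, the subtraction wraps to a large number instead of going negative. Where rejecting the mode is acceptable for this driver, returning -EINVAL after the message would keep the wrapped value out of the hardware register. Otherwise a comment above the block should state that all of these checks are advisory and the function continues on purpose.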
@@ -0,0 +1,44 @@
+From 45589c7b202f7e510d68e9201eb4d378e0be55f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 4 Jun 2023 17:42:28 +0200
+Subject: fbdev: omapfb: lcd_mipid: Fix an error handling path in
+ mipid_spi_probe()
+
+From: Christophe JAILLET
+
+[ Upstream commit 79a3908d1ea6c35157a6d907b1a9d8ec06015e7a ]
+
+If 'mipid_detect()' fails, we must free 'md' to avoid a memory leak.
+
+Fixes: 66d2f99d0bb5 ("omapfb: add support for MIPI-DCS compatible LCDs")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/omap/lcd_mipid.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/omap/lcd_mipid.c b/drivers/video/fbdev/omap/lcd_mipid.c
+index e3a85432f9266..5730355ee5986 100644
+--- a/drivers/video/fbdev/omap/lcd_mipid.c
++++ b/drivers/video/fbdev/omap/lcd_mipid.c
+@@ -576,11 +576,15 @@ static int mipid_spi_probe(struct spi_device *spi)
+
+ r = mipid_detect(md);
+ if (r < 0)
+- return r;
++ goto free_md;
+
+ omapfb_register_panel(&md->panel);
+
+ return 0;
++
++free_md:
++ kfree(md);
++ return r;
+ }
+
+ static int mipid_spi_remove(struct spi_device *spi)
+--
+2.39.2
+
diff --git a/tmp-4.19/fs-dlm-return-positive-pid-value-for-f_getlk.patch b/tmp-4.19/fs-dlm-return-positive-pid-value-for-f_getlk.patch
new file mode 100644
index 00000000000..deaa99d2a2f
--- /dev/null
+++ b/tmp-4.19/fs-dlm-return-positive-pid-value-for-f_getlk.patch
@@ -0,0 +1,36 @@
+From 92655fbda5c05950a411eaabc19e025e86e2a291 Mon Sep 17 00:00:00 2001
+From: Alexander Aring
+Date: Fri, 19 May 2023 11:21:24 -0400
+Subject: fs: dlm: return positive pid value for F_GETLK
+
+From: Alexander Aring
+
+commit 92655fbda5c05950a411eaabc19e025e86e2a291 upstream.
+
+The GETLK pid values have all been negated since commit 9d5b86ac13c5
+("fs/locks: Remove fl_nspid and use fs-specific l_pid for remote locks").
+Revert this for local pids, and leave in place negative pids for remote
+owners.
+
+Cc: stable@vger.kernel.org
+Fixes: 9d5b86ac13c5 ("fs/locks: Remove fl_nspid and use fs-specific l_pid for remote locks")
+Signed-off-by: Alexander Aring
+Signed-off-by: David Teigland
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/dlm/plock.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/dlm/plock.c
++++ b/fs/dlm/plock.c
+@@ -366,7 +366,9 @@ int dlm_posix_get(dlm_lockspace_t *locks
+ locks_init_lock(fl);
+ fl->fl_type = (op->info.ex) ? F_WRLCK : F_RDLCK;
+ fl->fl_flags = FL_POSIX;
+- fl->fl_pid = -op->info.pid;
++ fl->fl_pid = op->info.pid;
++ if (op->info.nodeid != dlm_our_nodeid())
++ fl->fl_pid = -fl->fl_pid;
+ fl->fl_start = op->info.start;
+ fl->fl_end = op->info.end;
+ rv = 0;
diff --git a/tmp-4.19/fuse-revalidate-don-t-invalidate-if-interrupted.patch b/tmp-4.19/fuse-revalidate-don-t-invalidate-if-interrupted.patch
new file mode 100644
index 00000000000..c8e0c5efb28
--- /dev/null
+++ b/tmp-4.19/fuse-revalidate-don-t-invalidate-if-interrupted.patch
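Review bot: The sign convention introduced in dlm_posix_get() is explained only in the commit message: `fl_pid` stays positive for a local owner and is negated when `op->info.nodeid != dlm_our_nodeid()`. A one-line comment above the new `if` would keep a later reader from undoing the negation, for example `/* remote owners are reported to F_GETLK with a negative pid */`. It is also worth confirming how callers treat a negated pid that originated on another node, since the hunk does not show any consumer. dlm_posix_get() starts and ends outside the hunk.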
@@ -0,0 +1,34 @@
+From a9d1c4c6df0e568207907c04aed9e7beb1294c42 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Wed, 7 Jun 2023 17:49:20 +0200
+Subject: fuse: revalidate: don't invalidate if interrupted
+
+From: Miklos Szeredi
+
+commit a9d1c4c6df0e568207907c04aed9e7beb1294c42 upstream.
+
+If the LOOKUP request triggered from fuse_dentry_revalidate() is
+interrupted, then the dentry will be invalidated, possibly resulting in
+submounts being unmounted.
+
+Reported-by: Xu Rongbo
+Closes: https://lore.kernel.org/all/CAJfpegswN_CJJ6C3RZiaK6rpFmNyWmXfaEpnQUJ42KCwNF5tWw@mail.gmail.com/
+Fixes: 9e6268db496a ("[PATCH] FUSE - read-write operations")
+Cc:
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -232,7 +232,7 @@ static int fuse_dentry_revalidate(struct
+ spin_unlock(&fc->lock);
+ }
+ kfree(forget);
+- if (ret == -ENOMEM)
++ if (ret == -ENOMEM || ret == -EINTR)
+ goto out;
+ if (ret || fuse_invalid_attr(&outarg.attr) ||
+ (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
diff --git a/tmp-4.19/gfs2-don-t-deref-jdesc-in-evict.patch b/tmp-4.19/gfs2-don-t-deref-jdesc-in-evict.patch
new file mode 100644
index 00000000000..57ffd085898
--- /dev/null
+++ b/tmp-4.19/gfs2-don-t-deref-jdesc-in-evict.patch
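Review bot: The condition `ret == -ENOMEM || ret == -EINTR` in fuse_dentry_revalidate() now groups two errors that say nothing about whether the dentry is still valid, but the code carries no comment stating that rule. A short note above the test would make the intent explicit and easier to extend, for example `/* transient failure: says nothing about the dentry, do not invalidate */`. Every other non-zero `ret` still reaches the invalidation test on the following line, which the commit message links to submounts being unmounted. The function begins and ends outside the hunk.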
@@ -0,0 +1,63 @@ +From 504a10d9e46bc37b23d0a1ae2f28973c8516e636 Mon Sep 17 00:00:00 2001 +From: Bob Peterson +Date: Fri, 28 Apr 2023 12:07:46 -0400 +Subject: gfs2: Don't deref jdesc in evict + +From: Bob Peterson + +commit 504a10d9e46bc37b23d0a1ae2f28973c8516e636 upstream. + +On corrupt gfs2 file systems the evict code can try to reference the +journal descriptor structure, jdesc, after it has been freed and set to +NULL. The sequence of events is: + +init_journal() +... +fail_jindex: + gfs2_jindex_free(sdp); <------frees journals, sets jdesc = NULL + if (gfs2_holder_initialized(&ji_gh)) + gfs2_glock_dq_uninit(&ji_gh); +fail: + iput(sdp->sd_jindex); <--references jdesc in evict_linked_inode + evict() + gfs2_evict_inode() + evict_linked_inode() + ret = gfs2_trans_begin(sdp, 0, sdp->sd_jdesc->jd_blocks); +<------references the now freed/zeroed sd_jdesc pointer. + +The call to gfs2_trans_begin is done because the truncate_inode_pages +call can cause gfs2 events that require a transaction, such as removing +journaled data (jdata) blocks from the journal. + +This patch fixes the problem by adding a check for sdp->sd_jdesc to +function gfs2_evict_inode. In theory, this should only happen to corrupt +gfs2 file systems, when gfs2 detects the problem, reports it, then tries +to evict all the system inodes it has read in up to that point. + +Reported-by: Yang Lan +Signed-off-by: Bob Peterson +Signed-off-by: Andreas Gruenbacher +[DP: adjusted context] +Signed-off-by: Dragos-Marian Panait +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/super.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/gfs2/super.c ++++ b/fs/gfs2/super.c +@@ -1586,6 +1586,14 @@ static void gfs2_evict_inode(struct inod + if (inode->i_nlink || sb_rdonly(sb)) + goto out; + ++ /* ++ * In case of an incomplete mount, gfs2_evict_inode() may be called for ++ * system files without having an active journal to write to. In that ++ * case, skip the filesystem evict. 
++ */ ++ if (!sdp->sd_jdesc) ++ goto out; ++ + if (test_bit(GIF_ALLOC_FAILED, &ip->i_flags)) { + BUG_ON(!gfs2_glock_is_locked_by_me(ip->i_gl)); + gfs2_holder_mark_uninitialized(&gh); diff --git a/tmp-4.19/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch b/tmp-4.19/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch new file mode 100644 index 00000000000..ba0263f58f8 --- /dev/null +++ b/tmp-4.19/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch 
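Review bot: The new `if (!sdp->sd_jdesc) goto out;` in gfs2_evict_inode() is a plain read of a pointer that, according to the commit message, gfs2_jindex_free() clears on the failed-mount path, and the dereference it guards (`sdp->sd_jdesc->jd_blocks` in evict_linked_inode()) happens later in another function. That is sound as long as the clearing and the eviction run one after the other, as in the init_journal() sequence quoted in the description. The hunk does not show whether anything else can clear sd_jdesc concurrently. If the sequencing is guaranteed, I would add it to the comment, for example `sd_jdesc is cleared before the final iput() on this path, so no lock is needed`; if not, the check should be made under whatever lock protects the journal index. The rest of gfs2_evict_inode() is outside the hunk.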
@@ -0,0 +1,190 @@ +From f8db8de33b48afe5ae3f57f6e8cba66c1e9aa6a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jun 2023 14:32:31 -0700 +Subject: gtp: Fix use-after-free in __gtp_encap_destroy(). + +From: Kuniyuki Iwashima + +[ Upstream commit ce3aee7114c575fab32a5e9e939d4bbb3dcca79f ] + +syzkaller reported use-after-free in __gtp_encap_destroy(). [0] + +It shows the same process freed sk and touched it illegally. + +Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock() +and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, +but release_sock() is called after sock_put() releases the last refcnt. + +[0]: +BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] +BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] +BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] +BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline] +BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] +BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 +Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401 + +CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:351 [inline] + print_report+0xcc/0x620 mm/kasan/report.c:462 + kasan_report+0xb2/0xe0 mm/kasan/report.c:572 + check_region_inline mm/kasan/generic.c:181 [inline] + kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187 + instrument_atomic_read_write include/linux/instrumented.h:96 [inline] + 
atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] + queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] + do_raw_spin_lock include/linux/spinlock.h:186 [inline] + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] + _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 + spin_lock_bh include/linux/spinlock.h:355 [inline] + release_sock+0x1f/0x1a0 net/core/sock.c:3526 + gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] + gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 + gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 + unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 + rtnl_delete_link net/core/rtnetlink.c:3216 [inline] + rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 + rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 + netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x1b7/0x200 net/socket.c:747 + ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 + ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 + __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7f1168b1fe5d +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 +RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d +RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003 +RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 
0000000000000000 +R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000 + + +Allocated by task 1483: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + __kasan_slab_alloc+0x59/0x70 mm/kasan/common.c:328 + kasan_slab_alloc include/linux/kasan.h:186 [inline] + slab_post_alloc_hook mm/slab.h:711 [inline] + slab_alloc_node mm/slub.c:3451 [inline] + slab_alloc mm/slub.c:3459 [inline] + __kmem_cache_alloc_lru mm/slub.c:3466 [inline] + kmem_cache_alloc+0x16d/0x340 mm/slub.c:3475 + sk_prot_alloc+0x5f/0x280 net/core/sock.c:2073 + sk_alloc+0x34/0x6c0 net/core/sock.c:2132 + inet6_create net/ipv6/af_inet6.c:192 [inline] + inet6_create+0x2c7/0xf20 net/ipv6/af_inet6.c:119 + __sock_create+0x2a1/0x530 net/socket.c:1535 + sock_create net/socket.c:1586 [inline] + __sys_socket_create net/socket.c:1623 [inline] + __sys_socket_create net/socket.c:1608 [inline] + __sys_socket+0x137/0x250 net/socket.c:1651 + __do_sys_socket net/socket.c:1664 [inline] + __se_sys_socket net/socket.c:1662 [inline] + __x64_sys_socket+0x72/0xb0 net/socket.c:1662 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Freed by task 2401: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free mm/kasan/common.c:200 [inline] + __kasan_slab_free+0x10c/0x1b0 mm/kasan/common.c:244 + kasan_slab_free include/linux/kasan.h:162 [inline] + slab_free_hook mm/slub.c:1781 [inline] + slab_free_freelist_hook mm/slub.c:1807 [inline] + slab_free mm/slub.c:3786 [inline] + kmem_cache_free+0xb4/0x490 mm/slub.c:3808 + sk_prot_free net/core/sock.c:2113 [inline] + __sk_destruct+0x500/0x720 net/core/sock.c:2207 + sk_destruct+0xc1/0xe0 net/core/sock.c:2222 + __sk_free+0xed/0x3d0 net/core/sock.c:2233 + 
sk_free+0x7c/0xa0 net/core/sock.c:2244 + sock_put include/net/sock.h:1981 [inline] + __gtp_encap_destroy+0x165/0x1b0 drivers/net/gtp.c:634 + gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] + gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 + gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 + unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 + rtnl_delete_link net/core/rtnetlink.c:3216 [inline] + rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 + rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 + netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x1b7/0x200 net/socket.c:747 + ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 + ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 + __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +The buggy address belongs to the object at ffff88800dbef300 + which belongs to the cache UDPv6 of size 1344 +The buggy address is located 152 bytes inside of + freed 1344-byte region [ffff88800dbef300, ffff88800dbef840) + +The buggy address belongs to the physical page: +page:00000000d31bfed5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800dbeed40 pfn:0xdbe8 +head:00000000d31bfed5 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +memcg:ffff888008ee0801 +flags: 0x100000000010200(slab|head|node=0|zone=1) +page_type: 0xffffffff() +raw: 0100000000010200 ffff88800c7a3000 dead000000000122 0000000000000000 +raw: ffff88800dbeed40 0000000080160015 00000001ffffffff ffff888008ee0801 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88800dbef280: fc fc fc fc fc fc fc fc fc 
fc fc fc fc fc fc fc + ffff88800dbef300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88800dbef380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88800dbef400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88800dbef480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Pablo Neira Ayuso +Link: https://lore.kernel.org/r/20230622213231.24651-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index e18d06cb2173c..2718b0507f713 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -301,7 +301,9 @@ static void __gtp_encap_destroy(struct sock *sk) + gtp->sk1u = NULL; + udp_sk(sk)->encap_type = 0; + rcu_assign_sk_user_data(sk, NULL); ++ release_sock(sk); + sock_put(sk); ++ return; + } + release_sock(sk); + } +-- +2.39.2 + diff --git a/tmp-4.19/hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch b/tmp-4.19/hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch new file mode 100644 index 00000000000..4ccb0b31056 --- /dev/null +++ b/tmp-4.19/hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch 
@@ -0,0 +1,45 @@ +From d744ae7477190967a3ddc289e2cd4ae59e8b1237 Mon Sep 17 00:00:00 2001 +From: Martin Kaiser +Date: Thu, 15 Jun 2023 15:49:59 +0100 +Subject: hwrng: imx-rngc - fix the timeout for init and self check + +From: Martin Kaiser + +commit d744ae7477190967a3ddc289e2cd4ae59e8b1237 upstream. + +Fix the timeout that is used for the initialisation and for the self +test. wait_for_completion_timeout expects a timeout in jiffies, but +RNGC_TIMEOUT is in milliseconds. Call msecs_to_jiffies to do the +conversion. + +Cc: stable@vger.kernel.org +Fixes: 1d5449445bd0 ("hwrng: mx-rngc - add a driver for Freescale RNGC") +Signed-off-by: Martin Kaiser +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/hw_random/imx-rngc.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/char/hw_random/imx-rngc.c ++++ b/drivers/char/hw_random/imx-rngc.c +@@ -105,7 +105,7 @@ static int imx_rngc_self_test(struct imx + cmd = readl(rngc->base + RNGC_COMMAND); + writel(cmd | RNGC_CMD_SELF_TEST, rngc->base + RNGC_COMMAND); + +- ret = wait_for_completion_timeout(&rngc->rng_op_done, RNGC_TIMEOUT); ++ ret = wait_for_completion_timeout(&rngc->rng_op_done, msecs_to_jiffies(RNGC_TIMEOUT)); + if (!ret) { + imx_rngc_irq_mask_clear(rngc); + return -ETIMEDOUT; +@@ -188,9 +188,7 @@ static int imx_rngc_init(struct hwrng *r + cmd = readl(rngc->base + RNGC_COMMAND); + writel(cmd | RNGC_CMD_SEED, rngc->base + RNGC_COMMAND); + +- ret = wait_for_completion_timeout(&rngc->rng_op_done, +- RNGC_TIMEOUT); +- ++ ret = wait_for_completion_timeout(&rngc->rng_op_done, msecs_to_jiffies(RNGC_TIMEOUT)); + if (!ret) { + imx_rngc_irq_mask_clear(rngc); + return -ETIMEDOUT; diff --git a/tmp-4.19/hwrng-virtio-add-an-internal-buffer.patch b/tmp-4.19/hwrng-virtio-add-an-internal-buffer.patch new file mode 100644 index 00000000000..2b441ee2227 --- /dev/null +++ b/tmp-4.19/hwrng-virtio-add-an-internal-buffer.patch 
@@ -0,0 +1,127 @@ +From afa4aa51e6f9ff115b1cefcc5f7274340691a1f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:08 +0200 +Subject: hwrng: virtio - add an internal buffer + +From: Laurent Vivier + +[ Upstream commit bf3175bc50a3754dc427e2f5046e17a9fafc8be7 ] + +hwrng core uses two buffers that can be mixed in the +virtio-rng queue. + +If the buffer is provided with wait=0 it is enqueued in the +virtio-rng queue but unused by the caller. +On the next call, core provides another buffer but the +first one is filled instead and the new one queued. +And the caller reads the data from the new one that is not +updated, and the data in the first one are lost. + +To avoid this mix, virtio-rng needs to use its own unique +internal buffer at a cost of a data copy to the caller buffer. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-2-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 43 ++++++++++++++++++++++------- + 1 file changed, 33 insertions(+), 10 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 7abd604e938c2..999f523c80c1e 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -30,13 +30,20 @@ static DEFINE_IDA(rng_index_ida); + struct virtrng_info { + struct hwrng hwrng; + struct virtqueue *vq; +- struct completion have_data; + char name[25]; +- unsigned int data_avail; + int index; + bool busy; + bool hwrng_register_done; + bool hwrng_removed; ++ /* data transfer */ ++ struct completion have_data; ++ unsigned int data_avail; ++ /* minimal size returned by rng_buffer_size() */ ++#if SMP_CACHE_BYTES < 32 ++ u8 data[32]; ++#else ++ u8 data[SMP_CACHE_BYTES]; ++#endif + }; + + static void random_recv_done(struct virtqueue *vq) +@@ -51,14 +58,14 
@@ static void random_recv_done(struct virtqueue *vq) + } + + /* The host will fill any buffer we give it with sweet, sweet randomness. */ +-static void register_buffer(struct virtrng_info *vi, u8 *buf, size_t size) ++static void register_buffer(struct virtrng_info *vi) + { + struct scatterlist sg; + +- sg_init_one(&sg, buf, size); ++ sg_init_one(&sg, vi->data, sizeof(vi->data)); + + /* There should always be room for one buffer. */ +- virtqueue_add_inbuf(vi->vq, &sg, 1, buf, GFP_KERNEL); ++ virtqueue_add_inbuf(vi->vq, &sg, 1, vi->data, GFP_KERNEL); + + virtqueue_kick(vi->vq); + } +@@ -67,6 +74,8 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + { + int ret; + struct virtrng_info *vi = (struct virtrng_info *)rng->priv; ++ unsigned int chunk; ++ size_t read; + + if (vi->hwrng_removed) + return -ENODEV; +@@ -74,19 +83,33 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + if (!vi->busy) { + vi->busy = true; + reinit_completion(&vi->have_data); +- register_buffer(vi, buf, size); ++ register_buffer(vi); + } + + if (!wait) + return 0; + +- ret = wait_for_completion_killable(&vi->have_data); +- if (ret < 0) +- return ret; ++ read = 0; ++ while (size != 0) { ++ ret = wait_for_completion_killable(&vi->have_data); ++ if (ret < 0) ++ return ret; ++ ++ chunk = min_t(unsigned int, size, vi->data_avail); ++ memcpy(buf + read, vi->data, chunk); ++ read += chunk; ++ size -= chunk; ++ vi->data_avail = 0; ++ ++ if (size != 0) { ++ reinit_completion(&vi->have_data); ++ register_buffer(vi); ++ } ++ } + + vi->busy = false; + +- return vi->data_avail; ++ return read; + } + + static void virtio_cleanup(struct hwrng *rng) +-- +2.39.2 + diff --git a/tmp-4.19/hwrng-virtio-always-add-a-pending-request.patch b/tmp-4.19/hwrng-virtio-always-add-a-pending-request.patch new file mode 100644 index 00000000000..07ef2583852 --- /dev/null +++ b/tmp-4.19/hwrng-virtio-always-add-a-pending-request.patch 
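Review bot: The used length reported by the device lands in `vi->data_avail` without being bounded by `sizeof(vi->data)`, and `virtio_read` then uses it in `chunk = min_t(unsigned int, size, vi->data_avail)` for `memcpy(buf + read, vi->data, chunk)`. Now that the source is a fixed internal array, a device reporting more than it was given could make that copy read past `vi->data` whenever the caller's `size` is also larger than the array; whether the hwrng core bounds `size` is not visible in this hunk. I would clamp where the length is received, in `random_recv_done` (its body is mostly outside this hunk), e.g. `vi->data_avail = min_t(unsigned int, vi->data_avail, sizeof(vi->data));` after `virtqueue_get_buf()` succeeds. The same unclamped value feeds `copy_data()` in hwrng-virtio-don-t-waste-entropy.patch and `smp_store_release(&vi->data_avail, len)` in hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch.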
@@ -0,0 +1,111 @@ +From 7ae21313b4da71d05544089d1fdb20bab025446e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:11 +0200 +Subject: hwrng: virtio - always add a pending request + +From: Laurent Vivier + +[ Upstream commit 9a4b612d675b03f7fc9fa1957ca399c8223f3954 ] + +If we ensure we have already some data available by enqueuing +again the buffer once data are exhausted, we can return what we +have without waiting for the device answer. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-5-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index c88f175e60a4c..a84248c26fd7f 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -32,7 +32,6 @@ struct virtrng_info { + struct virtqueue *vq; + char name[25]; + int index; +- bool busy; + bool hwrng_register_done; + bool hwrng_removed; + /* data transfer */ +@@ -56,16 +55,18 @@ static void random_recv_done(struct virtqueue *vq) + return; + + vi->data_idx = 0; +- vi->busy = false; + + complete(&vi->have_data); + } + +-/* The host will fill any buffer we give it with sweet, sweet randomness. */ +-static void register_buffer(struct virtrng_info *vi) ++static void request_entropy(struct virtrng_info *vi) + { + struct scatterlist sg; + ++ reinit_completion(&vi->have_data); ++ vi->data_avail = 0; ++ vi->data_idx = 0; ++ + sg_init_one(&sg, vi->data, sizeof(vi->data)); + + /* There should always be room for one buffer. 
*/ +@@ -81,6 +82,8 @@ static unsigned int copy_data(struct virtrng_info *vi, void *buf, + memcpy(buf, vi->data + vi->data_idx, size); + vi->data_idx += size; + vi->data_avail -= size; ++ if (vi->data_avail == 0) ++ request_entropy(vi); + return size; + } + +@@ -110,13 +113,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + * so either size is 0 or data_avail is 0 + */ + while (size != 0) { +- /* data_avail is 0 */ +- if (!vi->busy) { +- /* no pending request, ask for more */ +- vi->busy = true; +- reinit_completion(&vi->have_data); +- register_buffer(vi); +- } ++ /* data_avail is 0 but a request is pending */ + ret = wait_for_completion_killable(&vi->have_data); + if (ret < 0) + return ret; +@@ -138,8 +135,7 @@ static void virtio_cleanup(struct hwrng *rng) + { + struct virtrng_info *vi = (struct virtrng_info *)rng->priv; + +- if (vi->busy) +- complete(&vi->have_data); ++ complete(&vi->have_data); + } + + static int probe_common(struct virtio_device *vdev) +@@ -175,6 +171,9 @@ static int probe_common(struct virtio_device *vdev) + goto err_find; + } + ++ /* we always have a pending entropy request */ ++ request_entropy(vi); ++ + return 0; + + err_find: +@@ -193,7 +192,6 @@ static void remove_common(struct virtio_device *vdev) + vi->data_idx = 0; + complete(&vi->have_data); + vdev->config->reset(vdev); +- vi->busy = false; + if (vi->hwrng_register_done) + hwrng_unregister(&vi->hwrng); + vdev->config->del_vqs(vdev); +-- +2.39.2 + diff --git a/tmp-4.19/hwrng-virtio-don-t-wait-on-cleanup.patch b/tmp-4.19/hwrng-virtio-don-t-wait-on-cleanup.patch new file mode 100644 index 00000000000..f0b00394a59 --- /dev/null +++ b/tmp-4.19/hwrng-virtio-don-t-wait-on-cleanup.patch 
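Review bot: `request_entropy()` loses the comment its predecessor had and gets no replacement, although it now carries an invariant: it re-arms `have_data` and zeroes `data_avail` and `data_idx`, so it must only run once the buffered bytes are fully consumed, and both `copy_data` and `probe_common` rely on it to keep one request queued. A short header would make that explicit, e.g. `/* Queue vi->data to the device; call only when data_avail is 0 so that one request is always pending. */`. The enqueue call and its return value are outside this hunk; if that return is still ignored, a failed enqueue would break the "request is pending" assumption that the simplified wait loop in `virtio_read` now depends on.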
@@ -0,0 +1,58 @@ +From 9c50a382f8e13e6db7abbe15241a4a9c88d4fc4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:09 +0200 +Subject: hwrng: virtio - don't wait on cleanup + +From: Laurent Vivier + +[ Upstream commit 2bb31abdbe55742c89f4dc0cc26fcbc8467364f6 ] + +When virtio-rng device was dropped by the hwrng core we were forced +to wait the buffer to come back from the device to not have +remaining ongoing operation that could spoil the buffer. + +But now, as the buffer is internal to the virtio-rng we can release +the waiting loop immediately, the buffer will be retrieve and use +when the virtio-rng driver will be selected again. + +This avoids to hang on an rng_current write command if the virtio-rng +device is blocked by a lack of entropy. This allows to select +another entropy source if the current one is empty. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-3-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 999f523c80c1e..9a3fbd2b41107 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -94,6 +94,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + ret = wait_for_completion_killable(&vi->have_data); + if (ret < 0) + return ret; ++ /* if vi->data_avail is 0, we have been interrupted ++ * by a cleanup, but buffer stays in the queue ++ */ ++ if (vi->data_avail == 0) ++ return read; + + chunk = min_t(unsigned int, size, vi->data_avail); + memcpy(buf + read, vi->data, chunk); +@@ -117,7 +122,7 @@ static void virtio_cleanup(struct hwrng *rng) + struct virtrng_info *vi = (struct virtrng_info *)rng->priv; + + if 
(vi->busy) +- wait_for_completion(&vi->have_data); ++ complete(&vi->have_data); + } + + static int probe_common(struct virtio_device *vdev) +-- +2.39.2 + diff --git a/tmp-4.19/hwrng-virtio-don-t-waste-entropy.patch b/tmp-4.19/hwrng-virtio-don-t-waste-entropy.patch new file mode 100644 index 00000000000..37836241dfd --- /dev/null +++ b/tmp-4.19/hwrng-virtio-don-t-waste-entropy.patch 
@@ -0,0 +1,130 @@ +From 92b8d417f897b6b2b12a75862caf03ab756af0c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:10 +0200 +Subject: hwrng: virtio - don't waste entropy + +From: Laurent Vivier + +[ Upstream commit 5c8e933050044d6dd2a000f9a5756ae73cbe7c44 ] + +if we don't use all the entropy available in the buffer, keep it +and use it later. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-4-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 52 +++++++++++++++++++---------- + 1 file changed, 35 insertions(+), 17 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 9a3fbd2b41107..c88f175e60a4c 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -38,6 +38,7 @@ struct virtrng_info { + /* data transfer */ + struct completion have_data; + unsigned int data_avail; ++ unsigned int data_idx; + /* minimal size returned by rng_buffer_size() */ + #if SMP_CACHE_BYTES < 32 + u8 data[32]; +@@ -54,6 +55,9 @@ static void random_recv_done(struct virtqueue *vq) + if (!virtqueue_get_buf(vi->vq, &vi->data_avail)) + return; + ++ vi->data_idx = 0; ++ vi->busy = false; ++ + complete(&vi->have_data); + } + +@@ -70,6 +74,16 @@ static void register_buffer(struct virtrng_info *vi) + virtqueue_kick(vi->vq); + } + ++static unsigned int copy_data(struct virtrng_info *vi, void *buf, ++ unsigned int size) ++{ ++ size = min_t(unsigned int, size, vi->data_avail); ++ memcpy(buf, vi->data + vi->data_idx, size); ++ vi->data_idx += size; ++ vi->data_avail -= size; ++ return size; ++} ++ + static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + { + int ret; +@@ -80,17 +94,29 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + 
if (vi->hwrng_removed) + return -ENODEV; + +- if (!vi->busy) { +- vi->busy = true; +- reinit_completion(&vi->have_data); +- register_buffer(vi); ++ read = 0; ++ ++ /* copy available data */ ++ if (vi->data_avail) { ++ chunk = copy_data(vi, buf, size); ++ size -= chunk; ++ read += chunk; + } + + if (!wait) +- return 0; ++ return read; + +- read = 0; ++ /* We have already copied available entropy, ++ * so either size is 0 or data_avail is 0 ++ */ + while (size != 0) { ++ /* data_avail is 0 */ ++ if (!vi->busy) { ++ /* no pending request, ask for more */ ++ vi->busy = true; ++ reinit_completion(&vi->have_data); ++ register_buffer(vi); ++ } + ret = wait_for_completion_killable(&vi->have_data); + if (ret < 0) + return ret; +@@ -100,20 +126,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + if (vi->data_avail == 0) + return read; + +- chunk = min_t(unsigned int, size, vi->data_avail); +- memcpy(buf + read, vi->data, chunk); +- read += chunk; ++ chunk = copy_data(vi, buf + read, size); + size -= chunk; +- vi->data_avail = 0; +- +- if (size != 0) { +- reinit_completion(&vi->have_data); +- register_buffer(vi); +- } ++ read += chunk; + } + +- vi->busy = false; +- + return read; + } + +@@ -173,6 +190,7 @@ static void remove_common(struct virtio_device *vdev) + + vi->hwrng_removed = true; + vi->data_avail = 0; ++ vi->data_idx = 0; + complete(&vi->have_data); + vdev->config->reset(vdev); + vi->busy = false; +-- +2.39.2 + diff --git a/tmp-4.19/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch b/tmp-4.19/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch new file mode 100644 index 00000000000..76a65769e3d --- /dev/null +++ b/tmp-4.19/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch 
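Review bot: `copy_data()` takes `unsigned int size` while `virtio_read` passes its `size_t size`, so the request is narrowed before `min_t()` ever sees it. A size whose low 32 bits are zero would make `copy_data` return 0 and leave `size` unchanged, so the `while (size != 0)` loop could not make progress; whether the hwrng core can pass such a size is not visible here. Declaring the parameter as `size_t size` and clamping with `min_t(size_t, size, vi->data_avail)` removes the narrowing. `virtio_read` begins outside this hunk.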
@@ -0,0 +1,86 @@ +From 939a58b0fd48531e7170994e9836b43eb6a96c4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 11:59:32 +0800 +Subject: hwrng: virtio - Fix race on data_avail and actual data + +From: Herbert Xu + +[ Upstream commit ac52578d6e8d300dd50f790f29a24169b1edd26c ] + +The virtio rng device kicks off a new entropy request whenever the +data available reaches zero. When a new request occurs at the end +of a read operation, that is, when the result of that request is +only needed by the next reader, then there is a race between the +writing of the new data and the next reader. + +This is because there is no synchronisation whatsoever between the +writer and the reader. + +Fix this by writing data_avail with smp_store_release and reading +it with smp_load_acquire when we first enter read. The subsequent +reads are safe because they're either protected by the first load +acquire, or by the completion mechanism. + +Also remove the redundant zeroing of data_idx in random_recv_done +(data_idx must already be zero at this point) and data_avail in +request_entropy (ditto). + +Reported-by: syzbot+726dc8c62c3536431ceb@syzkaller.appspotmail.com +Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.") +Signed-off-by: Herbert Xu +Acked-by: Michael S. 
Tsirkin +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index a84248c26fd7f..58884d8752011 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -17,6 +17,7 @@ + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + */ + ++#include + #include + #include + #include +@@ -49,13 +50,13 @@ struct virtrng_info { + static void random_recv_done(struct virtqueue *vq) + { + struct virtrng_info *vi = vq->vdev->priv; ++ unsigned int len; + + /* We can get spurious callbacks, e.g. shared IRQs + virtio_pci. */ +- if (!virtqueue_get_buf(vi->vq, &vi->data_avail)) ++ if (!virtqueue_get_buf(vi->vq, &len)) + return; + +- vi->data_idx = 0; +- ++ smp_store_release(&vi->data_avail, len); + complete(&vi->have_data); + } + +@@ -64,7 +65,6 @@ static void request_entropy(struct virtrng_info *vi) + struct scatterlist sg; + + reinit_completion(&vi->have_data); +- vi->data_avail = 0; + vi->data_idx = 0; + + sg_init_one(&sg, vi->data, sizeof(vi->data)); +@@ -100,7 +100,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + read = 0; + + /* copy available data */ +- if (vi->data_avail) { ++ if (smp_load_acquire(&vi->data_avail)) { + chunk = copy_data(vi, buf, size); + size -= chunk; + read += chunk; +-- +2.39.2 + diff --git a/tmp-4.19/i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch b/tmp-4.19/i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch new file mode 100644 index 00000000000..053c4a62215 --- /dev/null +++ b/tmp-4.19/i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch 
@@ -0,0 +1,112 @@ +From 0a46aee6b7cf29789b550cefcd60aa2427d87866 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Aug 2021 23:41:42 +0200 +Subject: i2c: xiic: Defer xiic_wakeup() and __xiic_start_xfer() in + xiic_process() + +From: Marek Vasut + +[ Upstream commit 743e227a895923c37a333eb2ebf3e391f00c406d ] + +The __xiic_start_xfer() manipulates the interrupt flags, xiic_wakeup() +may result in return from xiic_xfer() early. Defer both to the end of +the xiic_process() interrupt thread, so that they are executed after +all the other interrupt bits handling completed and once it completely +safe to perform changes to the interrupt bits in the hardware. + +Signed-off-by: Marek Vasut +Acked-by: Michal Simek +Signed-off-by: Wolfram Sang +Stable-dep-of: cb6e45c9a0ad ("i2c: xiic: Don't try to handle more interrupt events after error") +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-xiic.c | 37 ++++++++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 11 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c +index 03ce9b7d6456a..c7f74687282ea 100644 +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -362,6 +362,9 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + struct xiic_i2c *i2c = dev_id; + u32 pend, isr, ier; + u32 clr = 0; ++ int xfer_more = 0; ++ int wakeup_req = 0; ++ int wakeup_code = 0; + + /* Get the interrupt Status from the IPIF. There is no clearing of + * interrupts in the IPIF. Interrupts must be cleared at the source. 
+@@ -398,10 +401,14 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + */ + xiic_reinit(i2c); + +- if (i2c->rx_msg) +- xiic_wakeup(i2c, STATE_ERROR); +- if (i2c->tx_msg) +- xiic_wakeup(i2c, STATE_ERROR); ++ if (i2c->rx_msg) { ++ wakeup_req = 1; ++ wakeup_code = STATE_ERROR; ++ } ++ if (i2c->tx_msg) { ++ wakeup_req = 1; ++ wakeup_code = STATE_ERROR; ++ } + } + if (pend & XIIC_INTR_RX_FULL_MASK) { + /* Receive register/FIFO is full */ +@@ -435,8 +442,7 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + i2c->tx_msg++; + dev_dbg(i2c->adap.dev.parent, + "%s will start next...\n", __func__); +- +- __xiic_start_xfer(i2c); ++ xfer_more = 1; + } + } + } +@@ -450,11 +456,13 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + if (!i2c->tx_msg) + goto out; + +- if ((i2c->nmsgs == 1) && !i2c->rx_msg && +- xiic_tx_space(i2c) == 0) +- xiic_wakeup(i2c, STATE_DONE); ++ wakeup_req = 1; ++ ++ if (i2c->nmsgs == 1 && !i2c->rx_msg && ++ xiic_tx_space(i2c) == 0) ++ wakeup_code = STATE_DONE; + else +- xiic_wakeup(i2c, STATE_ERROR); ++ wakeup_code = STATE_ERROR; + } + if (pend & (XIIC_INTR_TX_EMPTY_MASK | XIIC_INTR_TX_HALF_MASK)) { + /* Transmit register/FIFO is empty or ½ empty */ +@@ -478,7 +486,7 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + if (i2c->nmsgs > 1) { + i2c->nmsgs--; + i2c->tx_msg++; +- __xiic_start_xfer(i2c); ++ xfer_more = 1; + } else { + xiic_irq_dis(i2c, XIIC_INTR_TX_HALF_MASK); + +@@ -496,6 +504,13 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + dev_dbg(i2c->adap.dev.parent, "%s clr: 0x%x\n", __func__, clr); + + xiic_setreg32(i2c, XIIC_IISR_OFFSET, clr); ++ if (xfer_more) ++ __xiic_start_xfer(i2c); ++ if (wakeup_req) ++ xiic_wakeup(i2c, wakeup_code); ++ ++ WARN_ON(xfer_more && wakeup_req); ++ + mutex_unlock(&i2c->lock); + return IRQ_HANDLED; + } +-- +2.39.2 + 
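Review bot: `WARN_ON(xfer_more && wakeup_req)` sits after both `__xiic_start_xfer(i2c)` and `xiic_wakeup(i2c, wakeup_code)` have already run, so the combination it treats as impossible is acted on before it is reported. Evaluating it first and letting the result gate the restart would avoid starting a new transfer while also waking the waiter, e.g. `if (!WARN_ON(xfer_more && wakeup_req) && xfer_more) __xiic_start_xfer(i2c);` ahead of the wakeup. Separately, the two error branches for `i2c->rx_msg` and `i2c->tx_msg` now assign identical values and could be a single `if (i2c->rx_msg || i2c->tx_msg)`. `xiic_process` starts and ends outside these hunks.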
diff --git a/tmp-4.19/i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch b/tmp-4.19/i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch
new file mode 100644
index 00000000000..a3169a5e72b
--- /dev/null
+++ b/tmp-4.19/i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch
@@ -0,0 +1,60 @@
+From 54f6886655a814ccc6bedd7924acfb2796ace463 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 12:25:58 -0600
+Subject: i2c: xiic: Don't try to handle more interrupt events after error
+
+From: Robert Hancock
+
+[ Upstream commit cb6e45c9a0ad9e0f8664fd06db0227d185dc76ab ]
+
+In xiic_process, it is possible that error events such as arbitration
+lost or TX error can be raised in conjunction with other interrupt flags
+such as TX FIFO empty or bus not busy. Error events result in the
+controller being reset and the error returned to the calling request,
+but the function could potentially try to keep handling the other
+events, such as by writing more messages into the TX FIFO. Since the
+transaction has already failed, this is not helpful and will just cause
+issues.
+
+This problem has been present ever since:
+
+commit 7f9906bd7f72 ("i2c: xiic: Service all interrupts in isr")
+
+which allowed non-error events to be handled after errors, but became
+more obvious after:
+
+commit 743e227a8959 ("i2c: xiic: Defer xiic_wakeup() and
+__xiic_start_xfer() in xiic_process()")
+
+which reworked the code to add a WARN_ON which triggers if both the
+xfer_more and wakeup_req flags were set, since this combination is
+not supposed to happen, but was occurring in this scenario.
+
+Skip further interrupt handling after error flags are detected to avoid
+this problem.
+
+Fixes: 7f9906bd7f72 ("i2c: xiic: Service all interrupts in isr")
+Signed-off-by: Robert Hancock
+Acked-by: Andi Shyti
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-xiic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c
+index c7f74687282ea..c1f85114ab812 100644
+--- a/drivers/i2c/busses/i2c-xiic.c
++++ b/drivers/i2c/busses/i2c-xiic.c
+@@ -409,6 +409,8 @@ static irqreturn_t xiic_process(int irq, void *dev_id)
+ wakeup_req = 1;
+ wakeup_code = STATE_ERROR;
+ }
++ /* don't try to handle other events */
++ goto out;
+ }
+ if (pend & XIIC_INTR_RX_FULL_MASK) {
+ /* Receive register/FIFO is full */
+--
+2.39.2
+
diff --git a/tmp-4.19/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch b/tmp-4.19/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch
new file mode 100644
index 00000000000..38793da2e06
--- /dev/null
+++ b/tmp-4.19/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch
@@ -0,0 +1,110 @@ +From 58240f64a0be015e60403b558eac9ea7b1483365 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 11:56:28 -0500 +Subject: IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors + +From: Patrick Kelsey + +[ Upstream commit fd8958efe8779d3db19c9124fce593ce681ac709 ] + +Fix three sources of error involving struct sdma_txreq.num_descs. + +When _extend_sdma_tx_descs() extends the descriptor array, it uses the +value of tx->num_descs to determine how many existing entries from the +tx's original, internal descriptor array to copy to the newly allocated +one. As this value was incremented before the call, the copy loop will +access one entry past the internal descriptor array, copying its contents +into the corresponding slot in the new array. + +If the call to _extend_sdma_tx_descs() fails, _pad_smda_tx_descs() then +invokes __sdma_tx_clean() which uses the value of tx->num_desc to drive a +loop that unmaps all descriptor entries in use. As this value was +incremented before the call, the unmap loop will invoke sdma_unmap_desc() +on a descriptor entry whose contents consist of whatever random data was +copied into it during (1), leading to cascading further calls into the +kernel and driver using arbitrary data. + +_sdma_close_tx() was using tx->num_descs instead of tx->num_descs - 1. + +Fix all of the above by: +- Only increment .num_descs after .descp is extended. +- Use .num_descs - 1 instead of .num_descs for last .descp entry. 
+ +Fixes: f4d26d81ad7f ("staging/rdma/hfi1: Add coalescing support for SDMA TX descriptors") +Link: https://lore.kernel.org/r/167656658879.2223096.10026561343022570690.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Brendan Cunningham +Signed-off-by: Patrick Kelsey +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/sdma.c | 4 ++-- + drivers/infiniband/hw/hfi1/sdma.h | 15 +++++++-------- + 2 files changed, 9 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c +index 33ff9eca28f69..245f9505a9aca 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.c ++++ b/drivers/infiniband/hw/hfi1/sdma.c +@@ -3202,8 +3202,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + { + int rval = 0; + +- tx->num_desc++; +- if ((unlikely(tx->num_desc == tx->desc_limit))) { ++ if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) { + rval = _extend_sdma_tx_descs(dd, tx); + if (rval) { + __sdma_txclean(dd, tx); +@@ -3216,6 +3215,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + SDMA_MAP_NONE, + dd->sdma_pad_phys, + sizeof(u32) - (tx->packet_len & (sizeof(u32) - 1))); ++ tx->num_desc++; + _sdma_close_tx(dd, tx); + return rval; + } +diff --git a/drivers/infiniband/hw/hfi1/sdma.h b/drivers/infiniband/hw/hfi1/sdma.h +index 46c775f255d14..a3dd2f3d56cca 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.h ++++ b/drivers/infiniband/hw/hfi1/sdma.h +@@ -680,14 +680,13 @@ static inline void sdma_txclean(struct hfi1_devdata *dd, struct sdma_txreq *tx) + static inline void _sdma_close_tx(struct hfi1_devdata *dd, + struct sdma_txreq *tx) + { +- tx->descp[tx->num_desc].qw[0] |= +- SDMA_DESC0_LAST_DESC_FLAG; +- tx->descp[tx->num_desc].qw[1] |= +- dd->default_desc1; ++ u16 last_desc = tx->num_desc - 1; ++ ++ tx->descp[last_desc].qw[0] |= SDMA_DESC0_LAST_DESC_FLAG; ++ tx->descp[last_desc].qw[1] |= dd->default_desc1; + if 
(tx->flags & SDMA_TXREQ_F_URGENT) +- tx->descp[tx->num_desc].qw[1] |= +- (SDMA_DESC1_HEAD_TO_HOST_FLAG | +- SDMA_DESC1_INT_REQ_FLAG); ++ tx->descp[last_desc].qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG | ++ SDMA_DESC1_INT_REQ_FLAG); + } + + static inline int _sdma_txadd_daddr( +@@ -704,6 +703,7 @@ static inline int _sdma_txadd_daddr( + type, + addr, len); + WARN_ON(len > tx->tlen); ++ tx->num_desc++; + tx->tlen -= len; + /* special cases for last */ + if (!tx->tlen) { +@@ -715,7 +715,6 @@ static inline int _sdma_txadd_daddr( + _sdma_close_tx(dd, tx); + } + } +- tx->num_desc++; + return rval; + } + +-- +2.39.2 + diff --git a/tmp-4.19/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch b/tmp-4.19/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch new file mode 100644 index 00000000000..3227658c36f --- /dev/null +++ b/tmp-4.19/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch 
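Review bot: `_sdma_close_tx()` now computes `u16 last_desc = tx->num_desc - 1`, which wraps to 0xffff and indexes far outside `tx->descp` if the function is ever reached with `num_desc == 0`. Both callers visible here, `_pad_sdma_tx_descs` and `_sdma_txadd_daddr`, increment `num_desc` just before the call, so the precondition holds in these hunks, but nothing states or enforces it. I would document it above the function, `/* Caller must have added at least one descriptor (tx->num_desc >= 1). */`, and consider `if (WARN_ON_ONCE(!tx->num_desc)) return;` as its first statement. The declared type of `num_desc` and any other callers are outside these hunks.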
@@ -0,0 +1,145 @@ +From 46ae827efd8dbae05deb396bf8beb1545f27f411 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 18:43:27 -0700 +Subject: icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in + icmp6_dev(). + +From: Kuniyuki Iwashima + +[ Upstream commit 2aaa8a15de73874847d62eb595c6683bface80fd ] + +With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that +has the link-local address as src and dst IP and will be forwarded to +an external IP in the IPv6 Ext Hdr. + +For example, the script below generates a packet whose src IP is the +link-local address and dst is updated to 11::. + + # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done + # python3 + >>> from socket import * + >>> from scapy.all import * + >>> + >>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456" + >>> + >>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR) + >>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1) + >>> + >>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW) + >>> sk.sendto(bytes(pkt), (DST_ADDR, 0)) + +For such a packet, we call ip6_route_input() to look up a route for the +next destination in these three functions depending on the header type. + + * ipv6_rthdr_rcv() + * ipv6_rpl_srh_rcv() + * ipv6_srh_rcv() + +If no route is found, ip6_null_entry is set to skb, and the following +dst_input(skb) calls ip6_pkt_drop(). + +Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev +as the input device is the loopback interface. Then, we have to check if +skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref +for ip6_null_entry. 
+ +BUG: kernel NULL pointer dereference, address: 0000000000000000 + PF: supervisor read access in kernel mode + PF: error_code(0x0000) - not-present page +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP PTI +CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) +Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 +RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 +RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 +RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 +RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 +R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 +FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 +PKRU: 55555554 +Call Trace: + + ip6_pkt_drop (net/ipv6/route.c:4513) + ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686) + ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5)) + ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483) + __netif_receive_skb_one_core (net/core/dev.c:5455) + process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895) + __napi_poll (net/core/dev.c:6460) + net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660) + __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554) + do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) + + + __local_bh_enable_ip (kernel/softirq.c:381) + 
__dev_queue_xmit (net/core/dev.c:4231) + ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135) + rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914) + sock_sendmsg (net/socket.c:725 net/socket.c:748) + __sys_sendto (net/socket.c:2134) + __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142) + do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) +RIP: 0033:0x7f9dc751baea +Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +RSP: 002b:00007ffe98712c38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007ffe98712cf8 RCX: 00007f9dc751baea +RDX: 0000000000000060 RSI: 00007f9dc6460b90 RDI: 0000000000000003 +RBP: 00007f9dc56e8be0 R08: 00007ffe98712d70 R09: 000000000000001c +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007f9dc6af5d1b + +Modules linked in: +CR2: 0000000000000000 + ---[ end trace 0000000000000000 ]--- +RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) +Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 +RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 +RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 +RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 +RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 +R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 +FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 
CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 +PKRU: 55555554 +Kernel panic - not syncing: Fatal exception in interrupt +Kernel Offset: disabled + +Fixes: 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address") +Reported-by: Wang Yufen +Closes: https://lore.kernel.org/netdev/c41403a9-c2f6-3b7e-0c96-e1901e605cd0@huawei.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: David Ahern +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/icmp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c +index 1b86a2e03d049..bfafd7649ccb3 100644 +--- a/net/ipv6/icmp.c ++++ b/net/ipv6/icmp.c +@@ -407,7 +407,10 @@ static struct net_device *icmp6_dev(const struct sk_buff *skb) + if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) { + const struct rt6_info *rt6 = skb_rt6_info(skb); + +- if (rt6) ++ /* The destination could be an external IP in Ext Hdr (SRv6, RPL, etc.), ++ * and ip6_null_entry could be set to skb if no route is found. ++ */ ++ if (rt6 && rt6->rt6i_idev) + dev = rt6->rt6i_idev->dev; + } + +-- +2.39.2 + diff --git a/tmp-4.19/igb-fix-igb_down-hung-on-surprise-removal.patch b/tmp-4.19/igb-fix-igb_down-hung-on-surprise-removal.patch new file mode 100644 index 00000000000..cd1d107835f --- /dev/null +++ b/tmp-4.19/igb-fix-igb_down-hung-on-surprise-removal.patch 
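Review bot: The comment added above `if (rt6 && rt6->rt6i_idev)` in icmp6_dev() explains why rt6i_idev can be NULL but not what the function does in that case. When the check fails, `dev` keeps the value it had before the loopback/L3-master branch, so the caller gets the incoming device rather than the route's device. I would add one line to the comment, such as `* In that case keep the incoming device instead of dereferencing a NULL idev.` The start of icmp6_dev() is outside the hunk, so the initial value of `dev` is inferred from the `dev->ifindex` test.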
@@ -0,0 +1,89 @@ +From d31c957cc8ca0a46d225cbe69724ba5a83276a67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 10:47:32 -0700 +Subject: igb: Fix igb_down hung on surprise removal + +From: Ying Hsu + +[ Upstream commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 ] + +In a setup where a Thunderbolt hub connects to Ethernet and a display +through USB Type-C, users may experience a hung task timeout when they +remove the cable between the PC and the Thunderbolt hub. +This is because the igb_down function is called multiple times when +the Thunderbolt hub is unplugged. For example, the igb_io_error_detected +triggers the first call, and the igb_remove triggers the second call. +The second call to igb_down will block at napi_synchronize. +Here's the call trace: + __schedule+0x3b0/0xddb + ? __mod_timer+0x164/0x5d3 + schedule+0x44/0xa8 + schedule_timeout+0xb2/0x2a4 + ? run_local_timers+0x4e/0x4e + msleep+0x31/0x38 + igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4] + __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4] + igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4] + __dev_close_many+0x95/0xec + dev_close_many+0x6e/0x103 + unregister_netdevice_many+0x105/0x5b1 + unregister_netdevice_queue+0xc2/0x10d + unregister_netdev+0x1c/0x23 + igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4] + pci_device_remove+0x3f/0x9c + device_release_driver_internal+0xfe/0x1b4 + pci_stop_bus_device+0x5b/0x7f + pci_stop_bus_device+0x30/0x7f + pci_stop_bus_device+0x30/0x7f + pci_stop_and_remove_bus_device+0x12/0x19 + pciehp_unconfigure_device+0x76/0xe9 + pciehp_disable_slot+0x6e/0x131 + pciehp_handle_presence_or_link_change+0x7a/0x3f7 + pciehp_ist+0xbe/0x194 + irq_thread_fn+0x22/0x4d + ? irq_thread+0x1fd/0x1fd + irq_thread+0x17b/0x1fd + ? irq_forced_thread_fn+0x5f/0x5f + kthread+0x142/0x153 + ? __irq_get_irqchip_state+0x46/0x46 + ? 
kthread_associate_blkcg+0x71/0x71 + ret_from_fork+0x1f/0x30 + +In this case, igb_io_error_detected detaches the network interface +and requests a PCIE slot reset, however, the PCIE reset callback is +not being invoked and thus the Ethernet connection breaks down. +As the PCIE error in this case is a non-fatal one, requesting a +slot reset can be avoided. +This patch fixes the task hung issue and preserves Ethernet +connection by ignoring non-fatal PCIE errors. + +Signed-off-by: Ying Hsu +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230620174732.4145155-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 6f9d563deb6ba..be51179089852 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -9059,6 +9059,11 @@ static pci_ers_result_t igb_io_error_detected(struct pci_dev *pdev, + struct net_device *netdev = pci_get_drvdata(pdev); + struct igb_adapter *adapter = netdev_priv(netdev); + ++ if (state == pci_channel_io_normal) { ++ dev_warn(&pdev->dev, "Non-correctable non-fatal error reported.\n"); ++ return PCI_ERS_RESULT_CAN_RECOVER; ++ } ++ + netif_device_detach(netdev); + + if (state == pci_channel_io_perm_failure) +-- +2.39.2 + diff --git a/tmp-4.19/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch b/tmp-4.19/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch new file mode 100644 index 00000000000..7b8245fb995 --- /dev/null +++ b/tmp-4.19/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch 
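Review bot: The early return for `pci_channel_io_normal` in igb_io_error_detected() skips `netif_device_detach()` and the teardown after it, but nothing in this hunk adjusts the resume side. If the driver's resume callback (not shown) still assumes error_detected brought the interface down, it would re-initialise an adapter that is already running after every non-fatal error. I would have that callback return early when the device was never taken down, for example by testing `__IGB_DOWN` in `adapter->state`. The new branch should also carry a comment, `/* non-fatal: device stays up, resume must not re-init it */`. The function body continues past the end of the hunk.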
@@ -0,0 +1,39 @@
+From 51b90364f500ae4b586dc32e18e61f232983cb55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 May 2023 17:27:55 -0700
+Subject: Input: adxl34x - do not hardcode interrupt trigger type
+
+From: Marek Vasut
+
+[ Upstream commit e96220bce5176ed2309f77f061dcc0430b82b25e ]
+
+Instead of hardcoding IRQ trigger type to IRQF_TRIGGER_HIGH, let's
+respect the settings specified in the firmware description.
+
+Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers")
+Signed-off-by: Marek Vasut
+Acked-by: Michael Hennerich
+Link: https://lore.kernel.org/r/20230509203555.549158-1-marex@denx.de
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/misc/adxl34x.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/input/misc/adxl34x.c b/drivers/input/misc/adxl34x.c
+index 3695dd7dbb9b4..ec0c91ec52277 100644
+--- a/drivers/input/misc/adxl34x.c
++++ b/drivers/input/misc/adxl34x.c
+@@ -811,8 +811,7 @@ struct adxl34x *adxl34x_probe(struct device *dev, int irq,
+ AC_WRITE(ac, POWER_CTL, 0);
+
+ err = request_threaded_irq(ac->irq, NULL, adxl34x_irq,
+- IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
+- dev_name(dev), ac);
++ IRQF_ONESHOT, dev_name(dev), ac);
+ if (err) {
+ dev_err(dev, "irq %d busy?\n", ac->irq);
+ goto err_free_mem;
+--
+2.39.2
+
diff --git a/tmp-4.19/input-drv260x-sleep-between-polling-go-bit.patch b/tmp-4.19/input-drv260x-sleep-between-polling-go-bit.patch
new file mode 100644
index 00000000000..15813280a47
--- /dev/null
+++ b/tmp-4.19/input-drv260x-sleep-between-polling-go-bit.patch
@@ -0,0 +1,39 @@
+From 569e4104a6ffce321ca0b44f7bcb5c522b3a082f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 May 2023 17:01:45 -0700
+Subject: Input: drv260x - sleep between polling GO bit
+
+From: Luca Weiss
+
+[ Upstream commit efef661dfa6bf8cbafe4cd6a97433fcef0118967 ]
+
+When doing the initial startup there's no need to poll without any
+delay and spam the I2C bus.
+
+Let's sleep 15ms between each attempt, which is the same time as used
+in the vendor driver.
+
+Fixes: 7132fe4f5687 ("Input: drv260x - add TI drv260x haptics driver")
+Signed-off-by: Luca Weiss
+Link: https://lore.kernel.org/r/20230430-drv260x-improvements-v1-2-1fb28b4cc698@z3ntu.xyz
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/misc/drv260x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/misc/drv260x.c b/drivers/input/misc/drv260x.c
+index 17eb84ab4c0b7..fe3fbde989be2 100644
+--- a/drivers/input/misc/drv260x.c
++++ b/drivers/input/misc/drv260x.c
+@@ -443,6 +443,7 @@ static int drv260x_init(struct drv260x_data *haptics)
+ }
+
+ do {
++ usleep_range(15000, 15500);
+ error = regmap_read(haptics->regmap, DRV260X_GO, &cal_buf);
+ if (error) {
+ dev_err(&haptics->client->dev,
+--
+2.39.2
+
diff --git a/tmp-4.19/integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch b/tmp-4.19/integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch
new file mode 100644
index 00000000000..d9c79567954
--- /dev/null
+++ b/tmp-4.19/integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch
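Review bot: The `usleep_range(15000, 15500)` added at the top of the `do` loop in drv260x_init() paces the polling, but the loop still has no visible retry limit. The loop condition is outside the hunk; if it only waits for the GO bit to clear, a device that never clears it keeps the init path sleeping indefinitely instead of failing. A bounded counter would turn that into an error return, e.g. `if (++tries > GO_POLL_LIMIT) return -ETIMEDOUT;`, where `GO_POLL_LIMIT` is a placeholder name for a constant the driver would have to define.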
@@ -0,0 +1,62 @@ +From 9df6a4870dc371136e90330cfbbc51464ee66993 Mon Sep 17 00:00:00 2001 +From: Tianjia Zhang +Date: Thu, 1 Jun 2023 14:42:44 +0800 +Subject: integrity: Fix possible multiple allocation in integrity_inode_get() + +From: Tianjia Zhang + +commit 9df6a4870dc371136e90330cfbbc51464ee66993 upstream. + +When integrity_inode_get() is querying and inserting the cache, there +is a conditional race in the concurrent environment. + +The race condition is the result of not properly implementing +"double-checked locking". In this case, it first checks to see if the +iint cache record exists before taking the lock, but doesn't check +again after taking the integrity_iint_lock. + +Fixes: bf2276d10ce5 ("ima: allocating iint improvements") +Signed-off-by: Tianjia Zhang +Cc: Dmitry Kasatkin +Cc: # v3.10+ +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/iint.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/security/integrity/iint.c ++++ b/security/integrity/iint.c +@@ -46,12 +46,10 @@ static struct integrity_iint_cache *__in + else if (inode > iint->inode) + n = n->rb_right; + else +- break; ++ return iint; + } +- if (!n) +- return NULL; + +- return iint; ++ return NULL; + } + + /* +@@ -116,10 +114,15 @@ struct integrity_iint_cache *integrity_i + parent = *p; + test_iint = rb_entry(parent, struct integrity_iint_cache, + rb_node); +- if (inode < test_iint->inode) ++ if (inode < test_iint->inode) { + p = &(*p)->rb_left; +- else ++ } else if (inode > test_iint->inode) { + p = &(*p)->rb_right; ++ } else { ++ write_unlock(&integrity_iint_lock); ++ kmem_cache_free(iint_cache, iint); ++ return test_iint; ++ } + } + + iint->inode = inode; diff --git a/tmp-4.19/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch b/tmp-4.19/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch new file mode 100644 index 00000000000..eeacf645c73 --- /dev/null 
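Review bot: The new `else` branch in the insertion loop of integrity_inode_get() is the whole fix and has no comment, so the next reader has to reconstruct the race from the commit message. I would add `/* Lost the race: another task inserted an iint for this inode after our lookup; free ours and return the existing one. */` above the `write_unlock()` in that branch. Freeing `iint` after dropping the lock looks fine because it has not yet been linked into the tree at that point (`iint->inode = inode` only follows the loop). Both functions begin outside their hunks, so the allocation site and the first lookup are inferred from the commit message.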
+++ b/tmp-4.19/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch @@ -0,0 +1,53 @@ +From b6b485d5880cefb054197d49b212532df8ee9263 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jul 2023 14:59:10 +0800 +Subject: ipv6/addrconf: fix a potential refcount underflow for idev + +From: Ziyang Xuan + +[ Upstream commit 06a0716949c22e2aefb648526580671197151acc ] + +Now in addrconf_mod_rs_timer(), reference idev depends on whether +rs_timer is not pending. Then modify rs_timer timeout. + +There is a time gap in [1], during which if the pending rs_timer +becomes not pending. It will miss to hold idev, but the rs_timer +is activated. Thus rs_timer callback function addrconf_rs_timer() +will be executed and put idev later without holding idev. A refcount +underflow issue for idev can be caused by this. + + if (!timer_pending(&idev->rs_timer)) + in6_dev_hold(idev); + <--------------[1] + mod_timer(&idev->rs_timer, jiffies + when); + +To fix the issue, hold idev if mod_timer() return 0. + +Fixes: b7b1bfce0bb6 ("ipv6: split duplicate address detection and router solicitation timer") +Suggested-by: Eric Dumazet +Signed-off-by: Ziyang Xuan +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index f261c6d7f1f28..23edc325f70be 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -316,9 +316,8 @@ static void addrconf_del_dad_work(struct inet6_ifaddr *ifp) + static void addrconf_mod_rs_timer(struct inet6_dev *idev, + unsigned long when) + { +- if (!timer_pending(&idev->rs_timer)) ++ if (!mod_timer(&idev->rs_timer, jiffies + when)) + in6_dev_hold(idev); +- mod_timer(&idev->rs_timer, jiffies + when); + } + + static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp, +-- +2.39.2 + 
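Review bot: In addrconf_mod_rs_timer() the reference is now taken after `mod_timer()` has already armed the timer, so `in6_dev_hold(idev)` can run after the timer callback's put if the timer expires immediately on another CPU. That ordering is only safe when every caller already holds its own reference on `idev` across the call, which this hunk does not show. I would state the requirement in a comment above the function: `/* Caller must hold a reference on idev; the hold below can race with the timer firing. */`.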
diff --git a/tmp-4.19/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch b/tmp-4.19/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch
new file mode 100644
index 00000000000..10fb05e24a0
--- /dev/null
+++ b/tmp-4.19/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch
@@ -0,0 +1,66 @@ +From fb27984c7b464c888b054effdf720e797025a50e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 17:33:47 +0800 +Subject: ipvlan: Fix return value of ipvlan_queue_xmit() + +From: Cambda Zhu + +[ Upstream commit 8a9922e7be6d042fa00f894c376473b17a162b66 ] + +ipvlan_queue_xmit() should return NET_XMIT_XXX, but +ipvlan_xmit_mode_l2/l3() returns rx_handler_result_t or NET_RX_XXX +in some cases. ipvlan_rcv_frame() will only return RX_HANDLER_CONSUMED +in ipvlan_xmit_mode_l2/l3() because 'local' is true. It's equal to +NET_XMIT_SUCCESS. But dev_forward_skb() can return NET_RX_SUCCESS or +NET_RX_DROP, and returning NET_RX_DROP(NET_XMIT_DROP) will increase +both ipvlan and ipvlan->phy_dev drops counter. + +The skb to forward can be treated as xmitted successfully. This patch +makes ipvlan_queue_xmit() return NET_XMIT_SUCCESS for forward skb. + +Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") +Signed-off-by: Cambda Zhu +Link: https://lore.kernel.org/r/20230626093347.7492-1-cambda@linux.alibaba.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan_core.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index eb80d277b56f5..6b6c5a7250a65 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -592,7 +592,8 @@ static int ipvlan_xmit_mode_l3(struct sk_buff *skb, struct net_device *dev) + consume_skb(skb); + return NET_XMIT_DROP; + } +- return ipvlan_rcv_frame(addr, &skb, true); ++ ipvlan_rcv_frame(addr, &skb, true); ++ return NET_XMIT_SUCCESS; + } + } + out: +@@ -618,7 +619,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) + consume_skb(skb); + return NET_XMIT_DROP; + } +- return ipvlan_rcv_frame(addr, &skb, true); ++ ipvlan_rcv_frame(addr, &skb, true); ++ return NET_XMIT_SUCCESS; + } + } + skb = skb_share_check(skb, 
GFP_ATOMIC); +@@ -630,7 +632,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) + * the skb for the main-dev. At the RX side we just return + * RX_PASS for it to be processed further on the stack. + */ +- return dev_forward_skb(ipvlan->phy_dev, skb); ++ dev_forward_skb(ipvlan->phy_dev, skb); ++ return NET_XMIT_SUCCESS; + + } else if (is_multicast_ether_addr(eth->h_dest)) { + skb_reset_mac_header(skb); +-- +2.39.2 + diff --git a/tmp-4.19/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch b/tmp-4.19/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch new file mode 100644 index 00000000000..bb6269bb90b --- /dev/null +++ b/tmp-4.19/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch 
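Review bot: The three changed call sites in ipvlan_xmit_mode_l3() and ipvlan_xmit_mode_l2() now discard the results of `ipvlan_rcv_frame()` and `dev_forward_skb()` without saying why, which reads like a forgotten error check. A short comment at each, for example `/* return value is an RX verdict, not a NET_XMIT_* code */`, would carry the reasoning from the commit message into the code. It is also worth confirming that a failed `dev_forward_skb()` is still accounted for somewhere, since the sender now always sees NET_XMIT_SUCCESS. Both functions extend beyond their hunks.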
@@ -0,0 +1,53 @@ +From 4ccd3be2ccc9fa9c3b14d259dc5e795c7d90db2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 18:33:42 +0200 +Subject: irqchip/jcore-aic: Fix missing allocation of IRQ descriptors + +From: John Paul Adrian Glaubitz + +[ Upstream commit 4848229494a323eeaab62eee5574ef9f7de80374 ] + +The initialization function for the J-Core AIC aic_irq_of_init() is +currently missing the call to irq_alloc_descs() which allocates and +initializes all the IRQ descriptors. Add missing function call and +return the error code from irq_alloc_descs() in case the allocation +fails. + +Fixes: 981b58f66cfc ("irqchip/jcore-aic: Add J-Core AIC driver") +Signed-off-by: John Paul Adrian Glaubitz +Tested-by: Rob Landley +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230510163343.43090-1-glaubitz@physik.fu-berlin.de +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-jcore-aic.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c +index 5f47d8ee4ae39..b9dcc8e78c750 100644 +--- a/drivers/irqchip/irq-jcore-aic.c ++++ b/drivers/irqchip/irq-jcore-aic.c +@@ -68,6 +68,7 @@ static int __init aic_irq_of_init(struct device_node *node, + unsigned min_irq = JCORE_AIC2_MIN_HWIRQ; + unsigned dom_sz = JCORE_AIC_MAX_HWIRQ+1; + struct irq_domain *domain; ++ int ret; + + pr_info("Initializing J-Core AIC\n"); + +@@ -100,6 +101,12 @@ static int __init aic_irq_of_init(struct device_node *node, + jcore_aic.irq_unmask = noop; + jcore_aic.name = "AIC"; + ++ ret = irq_alloc_descs(-1, min_irq, dom_sz - min_irq, ++ of_node_to_nid(node)); ++ ++ if (ret < 0) ++ return ret; ++ + domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq, + &jcore_aic_irqdomain_ops, + &jcore_aic); +-- +2.39.2 + 
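Review bot: `irq_alloc_descs(-1, min_irq, ...)` in aic_irq_of_init() asks for any free range at or above `min_irq`, and the code checks only `ret < 0`. A successful allocation that starts above `min_irq` would therefore go unnoticed while `irq_domain_add_legacy()` is still told the range begins at `min_irq`. Requesting the exact range closes that gap: `ret = irq_alloc_descs(min_irq, min_irq, dom_sz - min_irq, of_node_to_nid(node));`. The descriptors also appear not to be released if the domain creation after this call fails; that error path lies outside the hunk.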
diff --git a/tmp-4.19/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch b/tmp-4.19/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch new file mode 100644 index 00000000000..a9ea1fb0971 --- /dev/null +++ b/tmp-4.19/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch @@ -0,0 +1,41 @@ +From a0040d3dcb0b479ed0a896c972942db0a435106b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 10:35:51 +0100 +Subject: irqchip/jcore-aic: Kill use of irq_create_strict_mappings() + +From: Marc Zyngier + +[ Upstream commit 5f8b938bd790cff6542c7fe3c1495c71f89fef1b ] + +irq_create_strict_mappings() is a poor way to allow the use of +a linear IRQ domain as a legacy one. Let's be upfront about it. + +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20210406093557.1073423-4-maz@kernel.org +Stable-dep-of: 4848229494a3 ("irqchip/jcore-aic: Fix missing allocation of IRQ descriptors") +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-jcore-aic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c +index 033bccb41455c..5f47d8ee4ae39 100644 +--- a/drivers/irqchip/irq-jcore-aic.c ++++ b/drivers/irqchip/irq-jcore-aic.c +@@ -100,11 +100,11 @@ static int __init aic_irq_of_init(struct device_node *node, + jcore_aic.irq_unmask = noop; + jcore_aic.name = "AIC"; + +- domain = irq_domain_add_linear(node, dom_sz, &jcore_aic_irqdomain_ops, ++ domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq, ++ &jcore_aic_irqdomain_ops, + &jcore_aic); + if (!domain) + return -ENOMEM; +- irq_create_strict_mappings(domain, min_irq, min_irq, dom_sz - min_irq); + + return 0; + } +-- +2.39.2 + diff --git a/tmp-4.19/jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch b/tmp-4.19/jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch new file mode 100644 index 00000000000..7ffa2036cfa --- /dev/null 
+++ b/tmp-4.19/jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch 
@@ -0,0 +1,128 @@ +From 1168f095417643f663caa341211e117db552989f Mon Sep 17 00:00:00 2001 +From: Fabian Frederick +Date: Sat, 6 May 2023 06:56:12 +0200 +Subject: jffs2: reduce stack usage in jffs2_build_xattr_subsystem() + +From: Fabian Frederick + +commit 1168f095417643f663caa341211e117db552989f upstream. + +Use kcalloc() for allocation/flush of 128 pointers table to +reduce stack usage. + +Function now returns -ENOMEM or 0 on success. + +stackusage +Before: +./fs/jffs2/xattr.c:775 jffs2_build_xattr_subsystem 1208 +dynamic,bounded + +After: +./fs/jffs2/xattr.c:775 jffs2_build_xattr_subsystem 192 +dynamic,bounded + +Also update definition when CONFIG_JFFS2_FS_XATTR is not enabled + +Tested with an MTD mount point and some user set/getfattr. + +Many current target on OpenWRT also suffer from a compilation warning +(that become an error with CONFIG_WERROR) with the following output: + +fs/jffs2/xattr.c: In function 'jffs2_build_xattr_subsystem': +fs/jffs2/xattr.c:887:1: error: the frame size of 1088 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] + 887 | } + | ^ + +Using dynamic allocation fix this compilation warning. 
+ +Fixes: c9f700f840bd ("[JFFS2][XATTR] using 'delete marker' for xdatum/xref deletion") +Reported-by: Tim Gardner +Reported-by: kernel test robot +Reported-by: Ron Economos +Reported-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Fabian Frederick +Signed-off-by: Christian Marangi +Cc: stable@vger.kernel.org +Message-Id: <20230506045612.16616-1-ansuelsmth@gmail.com> +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/jffs2/build.c | 5 ++++- + fs/jffs2/xattr.c | 13 +++++++++---- + fs/jffs2/xattr.h | 4 ++-- + 3 files changed, 15 insertions(+), 7 deletions(-) + +--- a/fs/jffs2/build.c ++++ b/fs/jffs2/build.c +@@ -211,7 +211,10 @@ static int jffs2_build_filesystem(struct + ic->scan_dents = NULL; + cond_resched(); + } +- jffs2_build_xattr_subsystem(c); ++ ret = jffs2_build_xattr_subsystem(c); ++ if (ret) ++ goto exit; ++ + c->flags &= ~JFFS2_SB_FLAG_BUILDING; + + dbg_fsbuild("FS build complete\n"); +--- a/fs/jffs2/xattr.c ++++ b/fs/jffs2/xattr.c +@@ -772,10 +772,10 @@ void jffs2_clear_xattr_subsystem(struct + } + + #define XREF_TMPHASH_SIZE (128) +-void jffs2_build_xattr_subsystem(struct jffs2_sb_info *c) ++int jffs2_build_xattr_subsystem(struct jffs2_sb_info *c) + { + struct jffs2_xattr_ref *ref, *_ref; +- struct jffs2_xattr_ref *xref_tmphash[XREF_TMPHASH_SIZE]; ++ struct jffs2_xattr_ref **xref_tmphash; + struct jffs2_xattr_datum *xd, *_xd; + struct jffs2_inode_cache *ic; + struct jffs2_raw_node_ref *raw; +@@ -784,9 +784,12 @@ void jffs2_build_xattr_subsystem(struct + + BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING)); + ++ xref_tmphash = kcalloc(XREF_TMPHASH_SIZE, ++ sizeof(struct jffs2_xattr_ref *), GFP_KERNEL); ++ if (!xref_tmphash) ++ return -ENOMEM; ++ + /* Phase.1 : Merge same xref */ +- for (i=0; i < XREF_TMPHASH_SIZE; i++) +- xref_tmphash[i] = NULL; + for (ref=c->xref_temp; ref; ref=_ref) { + struct jffs2_xattr_ref *tmp; + +@@ -884,6 +887,8 @@ void jffs2_build_xattr_subsystem(struct + "%u of xref (%u dead, %u orphan) 
found.\n", + xdatum_count, xdatum_unchecked_count, xdatum_orphan_count, + xref_count, xref_dead_count, xref_orphan_count); ++ kfree(xref_tmphash); ++ return 0; + } + + struct jffs2_xattr_datum *jffs2_setup_xattr_datum(struct jffs2_sb_info *c, +--- a/fs/jffs2/xattr.h ++++ b/fs/jffs2/xattr.h +@@ -71,7 +71,7 @@ static inline int is_xattr_ref_dead(stru + #ifdef CONFIG_JFFS2_FS_XATTR + + extern void jffs2_init_xattr_subsystem(struct jffs2_sb_info *c); +-extern void jffs2_build_xattr_subsystem(struct jffs2_sb_info *c); ++extern int jffs2_build_xattr_subsystem(struct jffs2_sb_info *c); + extern void jffs2_clear_xattr_subsystem(struct jffs2_sb_info *c); + + extern struct jffs2_xattr_datum *jffs2_setup_xattr_datum(struct jffs2_sb_info *c, +@@ -103,7 +103,7 @@ extern ssize_t jffs2_listxattr(struct de + #else + + #define jffs2_init_xattr_subsystem(c) +-#define jffs2_build_xattr_subsystem(c) ++#define jffs2_build_xattr_subsystem(c) (0) + #define jffs2_clear_xattr_subsystem(c) + + #define jffs2_xattr_do_crccheck_inode(c, ic) diff --git a/tmp-4.19/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch b/tmp-4.19/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch new file mode 100644 index 00000000000..a53faad56d0 --- /dev/null +++ b/tmp-4.19/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch 
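Review bot: `xref_tmphash` is now heap-allocated at the top of jffs2_build_xattr_subsystem() and released only by the `kfree(xref_tmphash)` added just before the final `return 0`, so any earlier exit in the lines between those two hunks would leak the table. That stretch of the function is not shown, so please confirm it has no `return` or `goto` that bypasses the free. As a style point, the allocation is less fragile written against the variable than the type: `xref_tmphash = kcalloc(XREF_TMPHASH_SIZE, sizeof(*xref_tmphash), GFP_KERNEL);`.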
@@ -0,0 +1,66 @@ +From 11509910c599cbd04585ec35a6d5e1a0053d84c1 Mon Sep 17 00:00:00 2001 +From: Siddh Raman Pant +Date: Tue, 20 Jun 2023 22:17:00 +0530 +Subject: jfs: jfs_dmap: Validate db_l2nbperpage while mounting + +From: Siddh Raman Pant + +commit 11509910c599cbd04585ec35a6d5e1a0053d84c1 upstream. + +In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block +number inside dbFree(). db_l2nbperpage, which is the log2 number of +blocks per page, is passed as an argument to BLKTODMAP which uses it +for shifting. + +Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is +too big. This happens because the large value is set without any +validation in dbMount() at line 181. + +Thus, make sure that db_l2nbperpage is correct while mounting. + +Max number of blocks per page = Page size / Min block size +=> log2(Max num_block per page) = log2(Page size / Min block size) + = log2(Page size) - log2(Min block size) + +=> Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE + +Reported-and-tested-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715 +Cc: stable@vger.kernel.org +Suggested-by: Dave Kleikamp +Signed-off-by: Siddh Raman Pant +Signed-off-by: Dave Kleikamp +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/jfs_dmap.c | 6 ++++++ + fs/jfs/jfs_filsys.h | 2 ++ + 2 files changed, 8 insertions(+) + +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -191,7 +191,13 @@ int dbMount(struct inode *ipbmap) + dbmp_le = (struct dbmap_disk *) mp->data; + bmp->db_mapsize = le64_to_cpu(dbmp_le->dn_mapsize); + bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree); ++ + bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage); ++ if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) { ++ err = -EINVAL; ++ goto err_release_metapage; ++ } ++ + bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); + if (!bmp->db_numag) { + err = -EINVAL; +--- a/fs/jfs/jfs_filsys.h ++++ b/fs/jfs/jfs_filsys.h 
+@@ -135,7 +135,9 @@ + #define NUM_INODE_PER_IAG INOSPERIAG + + #define MINBLOCKSIZE 512 ++#define L2MINBLOCKSIZE 9 + #define MAXBLOCKSIZE 4096 ++#define L2MAXBLOCKSIZE 12 + #define MAXFILESIZE ((s64)1 << 52) + + #define JFS_LINK_MAX 0xffffffff diff --git a/tmp-4.19/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch b/tmp-4.19/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch new file mode 100644 index 00000000000..59f26261be7 --- /dev/null +++ b/tmp-4.19/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch 
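Review bot: The new range check in dbMount() rejects only values above `L2PSIZE - L2MINBLOCKSIZE`. If `db_l2nbperpage` is a signed field (its declaration is not in the hunk), an on-disk `dn_l2nbperpage` with the top bit set becomes negative after the assignment and passes the test, so the shift described in the commit message is still out of range. Checking both ends covers that case: `if (bmp->db_l2nbperpage < 0 || bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) {`. The value is read straight from the mounted image and should be treated as untrusted input. `L2MAXBLOCKSIZE` is defined in jfs_filsys.h by this patch but is not used in the visible hunks.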
@@ -0,0 +1,93 @@
+From 8b2db998a10f3e10565a0bcd7135e3b686532fed Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 27 May 2023 20:34:34 +0800
+Subject: kexec: fix a memory leak in crash_shrink_memory()
+
+From: Zhen Lei
+
+[ Upstream commit 1cba6c4309f03de570202c46f03df3f73a0d4c82 ]
+
+Patch series "kexec: enable kexec_crash_size to support two crash kernel
+regions".
+
+When crashkernel=X fails to reserve region under 4G, it will fall back to
+reserve region above 4G and a region of the default size will also be
+reserved under 4G. Unfortunately, /sys/kernel/kexec_crash_size only
+supports one crash kernel region now, the user cannot sense the low memory
+reserved by reading /sys/kernel/kexec_crash_size. Also, low memory cannot
+be freed by writing this file.
+
+For example:
+resource_size(crashk_res) = 512M
+resource_size(crashk_low_res) = 256M
+
+The result of 'cat /sys/kernel/kexec_crash_size' is 512M, but it should be
+768M. When we execute 'echo 0 > /sys/kernel/kexec_crash_size', the size
+of crashk_res becomes 0 and resource_size(crashk_low_res) is still 256 MB,
+which is incorrect.
+
+Since crashk_res manages the memory with high address and crashk_low_res
+manages the memory with low address, crashk_low_res is shrunken only when
+all crashk_res is shrunken. And because when there is only one crash
+kernel region, crashk_res is always used. Therefore, if all crashk_res is
+shrunken and crashk_low_res still exists, swap them.
+
+This patch (of 6):
+
+If the value of parameter 'new_size' is in the semi-open and semi-closed
+interval (crashk_res.end - KEXEC_CRASH_MEM_ALIGN + 1, crashk_res.end], the
+calculation result of ram_res is:
+
+ ram_res->start = crashk_res.end + 1
+ ram_res->end = crashk_res.end
+
+The operation of insert_resource() fails, and ram_res is not added to
+iomem_resource. As a result, the memory of the control block ram_res is
+leaked.
+
+In fact, on all architectures, the start address and size of crashk_res
+are already aligned by KEXEC_CRASH_MEM_ALIGN. Therefore, we do not need
+to round up crashk_res.start again. Instead, we should round up
+'new_size' in advance.
+
+Link: https://lkml.kernel.org/r/20230527123439.772-1-thunder.leizhen@huawei.com
+Link: https://lkml.kernel.org/r/20230527123439.772-2-thunder.leizhen@huawei.com
+Fixes: 6480e5a09237 ("kdump: add missing RAM resource in crash_shrink_memory()")
+Fixes: 06a7f711246b ("kexec: premit reduction of the reserved memory size")
+Signed-off-by: Zhen Lei
+Acked-by: Baoquan He
+Cc: Cong Wang
+Cc: Eric W. Biederman
+Cc: Michael Holzheu
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ kernel/kexec_core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
+index 6b3d7f7211dd6..3666d434a8f59 100644
+--- a/kernel/kexec_core.c
++++ b/kernel/kexec_core.c
+@@ -1020,6 +1020,7 @@ int crash_shrink_memory(unsigned long new_size)
+ start = crashk_res.start;
+ end = crashk_res.end;
+ old_size = (end == 0) ? 0 : end - start + 1;
++ new_size = roundup(new_size, KEXEC_CRASH_MEM_ALIGN);
+ if (new_size >= old_size) {
+ ret = (new_size == old_size) ? 0 : -EINVAL;
+ goto unlock;
+@@ -1031,9 +1032,7 @@ int crash_shrink_memory(unsigned long new_size)
+ goto unlock;
+ }
+
+- start = roundup(start, KEXEC_CRASH_MEM_ALIGN);
+- end = roundup(start + new_size, KEXEC_CRASH_MEM_ALIGN);
+-
++ end = start + new_size;
+ crash_free_reserved_phys_range(end, crashk_res.end);
+
+ if ((start == end) && (crashk_res.parent != NULL))
+--
+2.39.2
+
diff --git a/tmp-4.19/kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch b/tmp-4.19/kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch
new file mode 100644
index 00000000000..cf5b3b1536d
--- /dev/null
+++ b/tmp-4.19/kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch
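Review bot: The added `new_size = roundup(new_size, KEXEC_CRASH_MEM_ALIGN);` in crash_shrink_memory() runs before the `new_size >= old_size` test, so a request close to ULONG_MAX wraps to a small value (possibly 0) and is then treated as a valid shrink instead of returning -EINVAL. Reject oversized requests on the raw value first, e.g. `if (new_size > old_size) { ret = -EINVAL; goto unlock; }` placed ahead of the roundup; since the commit message states the existing size is already aligned, anything that passes cannot overflow when rounded. The caller that supplies new_size is not visible here, so how reachable this is from the sysfs file is an assumption. The function body continues outside both hunks.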
@@ -0,0 +1,74 @@
+From 52429ee7c466fa39578a37aba04f8ef0265f1457 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Mar 2023 15:54:23 +0100
+Subject: KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes
+
+From: Nico Boehr
+
+[ Upstream commit 285cff4c0454340a4dc53f46e67f2cb1c293bd74 ]
+
+The KVM_S390_GET_CMMA_BITS ioctl may return incorrect values when userspace
+specifies a start_gfn outside of memslots.
+
+This can occur when a VM has multiple memslots with a hole in between:
+
++-----+----------+--------+--------+
+| ... | Slot N-1 | | Slot N |
++-----+----------+--------+--------+
+ ^ ^ ^ ^
+ | | | |
+GFN A A+B | |
+ A+B+C |
+ A+B+C+D
+
+When userspace specifies a GFN in [A+B, A+B+C), it would expect to get the
+CMMA values of the first dirty page in Slot N. However, userspace may get a
+start_gfn of A+B+C+D with a count of 0, hence completely skipping over any
+dirty pages in slot N.
+
+The error is in kvm_s390_next_dirty_cmma(), which assumes
+gfn_to_memslot_approx() will return the memslot _below_ the specified GFN
+when the specified GFN lies outside a memslot. In reality it may return
+either the memslot below or above the specified GFN.
+
+When a memslot above the specified GFN is returned this happens:
+
+- ofs is calculated, but since the memslot's base_gfn is larger than the
+ specified cur_gfn, ofs will underflow to a huge number.
+- ofs is passed to find_next_bit(). Since ofs will exceed the memslot's
+ number of pages, the number of pages in the memslot is returned,
+ completely skipping over all bits in the memslot userspace would be
+ interested in.
+
+Fix this by resetting ofs to zero when a memslot _above_ cur_gfn is
+returned (cur_gfn < ms->base_gfn).
+
+Signed-off-by: Nico Boehr
+Reviewed-by: Claudio Imbrenda
+Fixes: afdad61615cc ("KVM: s390: Fix storage attributes migration with memory slots")
+Message-Id: <20230324145424.293889-2-nrb@linux.ibm.com>
+Signed-off-by: Claudio Imbrenda
+Signed-off-by: Janosch Frank
+Signed-off-by: Sasha Levin
+---
+ arch/s390/kvm/kvm-s390.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index 3aade928c18dd..92041d442d2e6 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -1716,6 +1716,10 @@ static unsigned long kvm_s390_next_dirty_cmma(struct kvm_memslots *slots,
+ ms = slots->memslots + slotidx;
+ ofs = 0;
+ }
++
++ if (cur_gfn < ms->base_gfn)
++ ofs = 0;
++
+ ofs = find_next_bit(kvm_second_dirty_bitmap(ms), ms->npages, ofs);
+ while ((slotidx > 0) && (ofs >= ms->npages)) {
+ slotidx--;
+--
+2.39.2
+
diff --git a/tmp-4.19/lib-ts_bm-reset-initial-match-offset-for-every-block.patch b/tmp-4.19/lib-ts_bm-reset-initial-match-offset-for-every-block.patch
new file mode 100644
index 00000000000..1207b6478c1
--- /dev/null
+++ b/tmp-4.19/lib-ts_bm-reset-initial-match-offset-for-every-block.patch
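Review bot: The added `if (cur_gfn < ms->base_gfn) ofs = 0;` in kvm_s390_next_dirty_cmma() carries no comment, so the reason for it lives only in the commit message. A reader of the function cannot tell that the offset computed earlier (outside this hunk) may already have wrapped when the approximate lookup returned the slot above the requested GFN. Suggest a comment at the check, e.g. `/* the approximate lookup may return the slot above cur_gfn; start at that slot's first page */`. The function starts before and continues after the hunk.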
@@ -0,0 +1,59 @@
+From 87da1904b8c1c4030f88ea104f42f0a2d6b7bce8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 19 Jun 2023 20:06:57 +0100
+Subject: lib/ts_bm: reset initial match offset for every block of text
+
+From: Jeremy Sowden
+
+[ Upstream commit 6f67fbf8192da80c4db01a1800c7fceaca9cf1f9 ]
+
+The `shift` variable which indicates the offset in the string at which
+to start matching the pattern is initialized to `bm->patlen - 1`, but it
+is not reset when a new block is retrieved. This means the implemen-
+tation may start looking at later and later positions in each successive
+block and miss occurrences of the pattern at the beginning. E.g.,
+consider a HTTP packet held in a non-linear skb, where the HTTP request
+line occurs in the second block:
+
+ [... 52 bytes of packet headers ...]
+ GET /bmtest HTTP/1.1\r\nHost: www.example.com\r\n\r\n
+
+and the pattern is "GET /bmtest".
+
+Once the first block comprising the packet headers has been examined,
+`shift` will be pointing to somewhere near the end of the block, and so
+when the second block is examined the request line at the beginning will
+be missed.
+
+Reinitialize the variable for each new block.
+
+Fixes: 8082e4ed0a61 ("[LIB]: Boyer-Moore extension for textsearch infrastructure strike #2")
+Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1390
+Signed-off-by: Jeremy Sowden
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ lib/ts_bm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/ts_bm.c b/lib/ts_bm.c
+index 9e66ee4020e90..5de382e79a45a 100644
+--- a/lib/ts_bm.c
++++ b/lib/ts_bm.c
+@@ -64,10 +64,12 @@ static unsigned int bm_find(struct ts_config *conf, struct ts_state *state)
+ struct ts_bm *bm = ts_config_priv(conf);
+ unsigned int i, text_len, consumed = state->offset;
+ const u8 *text;
+- int shift = bm->patlen - 1, bs;
++ int bs;
+ const u8 icase = conf->flags & TS_IGNORECASE;
+
+ for (;;) {
++ int shift = bm->patlen - 1;
++
+ text_len = conf->get_next_block(consumed, &text, conf, state);
+
+ if (unlikely(text_len == 0))
+--
+2.39.2
+
diff --git a/tmp-4.19/llc-don-t-drop-packet-from-non-root-netns.patch b/tmp-4.19/llc-don-t-drop-packet-from-non-root-netns.patch
new file mode 100644
index 00000000000..2ae40426913
--- /dev/null
+++ b/tmp-4.19/llc-don-t-drop-packet-from-non-root-netns.patch
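Review bot: The per-block `int shift = bm->patlen - 1;` now declared inside the `for (;;)` loop of bm_find() has no comment, and nothing at the reset says that each block is searched on its own, so a pattern split across two blocks is still not matched. Anyone relying on this matcher for payload filtering on non-linear skbs (the commit message's example) needs to know that limit, so state it where the variable is reset, e.g. `/* restart at patlen - 1 for each block; a pattern split across two blocks is not found */`. If the file already documents this elsewhere, a short pointer to that comment is enough. bm_find() continues past the end of the hunk.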
@@ -0,0 +1,50 @@
+From 3be5e9a7e94dd56e5d1ec735d5f11d991fd11606 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Jul 2023 10:41:51 -0700
+Subject: llc: Don't drop packet from non-root netns.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 6631463b6e6673916d2481f692938f393148aa82 ]
+
+Now these upper layer protocol handlers can be called from llc_rcv()
+as sap->rcv_func(), which is registered by llc_sap_open().
+
+ * function which is passed to register_8022_client()
+ -> no in-kernel user calls register_8022_client().
+
+ * snap_rcv()
+ `- proto->rcvfunc() : registered by register_snap_client()
+ -> aarp_rcv() and atalk_rcv() drop packets from non-root netns
+
+ * stp_pdu_rcv()
+ `- garp_protos[]->rcv() : registered by stp_proto_register()
+ -> garp_pdu_rcv() and br_stp_rcv() are netns-aware
+
+So, we can safely remove the netns restriction in llc_rcv().
+
+Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/llc/llc_input.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
+index 82cb93f66b9bd..f9e801cc50f5e 100644
+--- a/net/llc/llc_input.c
++++ b/net/llc/llc_input.c
+@@ -162,9 +162,6 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
+ void (*sta_handler)(struct sk_buff *skb);
+ void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb);
+
+- if (!net_eq(dev_net(dev), &init_net))
+- goto drop;
+-
+ /*
+ * When the interface is in promisc. mode, drop all the crap that it
+ * receives, do not try to analyse it.
+--
+2.39.2
+
diff --git a/tmp-4.19/mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch b/tmp-4.19/mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch
new file mode 100644
index 00000000000..eab438beeaa
--- /dev/null
+++ b/tmp-4.19/mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch
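Review bot: Dropping the `net_eq(dev_net(dev), &init_net)` test in llc_rcv() lets frames from every network namespace reach the SAP and socket lookup further down the function, while the commit message only argues that the upper-layer rcv_func handlers are namespace-aware. The lookup helpers that pick a listening or established LLC socket are not part of this patch, so if they match on address alone, a socket in one namespace could be handed frames that arrived in another. Before queuing this for 4.19, confirm that the tree already carries a namespace comparison in those lookups (for example `net_eq(sock_net(sk), net)` in the match helpers), or queue that change ahead of this one. llc_rcv() continues beyond the hunk.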
@@ -0,0 +1,75 @@
+From 9d3c47985bd35b602eb28d2eff0fef510ba3ff20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jun 2023 20:00:22 -0500
+Subject: mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0
+
+From: Nishanth Menon
+
+[ Upstream commit 1b712f18c461bd75f018033a15cf381e712806b5 ]
+
+Sec proxy/message manager data buffer is 60 bytes with the last of the
+registers indicating transmission completion. This however poses a bit
+of a challenge.
+
+The backing memory for sec_proxy / message manager is regular memory,
+and all sec proxy does is to trigger a burst of all 60 bytes of data
+over to the target thread backing ring accelerator. It doesn't do a
+memory scrub when it moves data out in the burst. When we transmit
+multiple messages, remnants of previous message is also transmitted
+which results in some random data being set in TISCI fields of
+messages that have been expanded forward.
+
+The entire concept of backward compatibility hinges on the fact that
+the unused message fields remain 0x0 allowing for 0x0 value to be
+specially considered when backward compatibility of message extension
+is done.
+
+So, instead of just writing the completion register, we continue
+to fill the message buffer up with 0x0 (note: for partial message
+involving completion, we already do this).
+
+This allows us to scale and introduce ABI changes back also work with
+other boot stages that may have left data in the internal memory.
+
+While at this, be consistent and explicit with the data_reg pointer
+increment.
+
+Fixes: aace66b170ce ("mailbox: Introduce TI message manager driver")
+Signed-off-by: Nishanth Menon
+Signed-off-by: Jassi Brar
+Signed-off-by: Sasha Levin
+---
+ drivers/mailbox/ti-msgmgr.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mailbox/ti-msgmgr.c b/drivers/mailbox/ti-msgmgr.c
+index 01e9e462512b7..eb1e9771037f2 100644
+--- a/drivers/mailbox/ti-msgmgr.c
++++ b/drivers/mailbox/ti-msgmgr.c
+@@ -385,14 +385,20 @@ static int ti_msgmgr_send_data(struct mbox_chan *chan, void *data)
+ /* Ensure all unused data is 0 */
+ data_trail &= 0xFFFFFFFF >> (8 * (sizeof(u32) - trail_bytes));
+ writel(data_trail, data_reg);
+- data_reg++;
++ data_reg += sizeof(u32);
+ }
++
+ /*
+ * 'data_reg' indicates next register to write. If we did not already
+ * write on tx complete reg(last reg), we must do so for transmit
++ * In addition, we also need to make sure all intermediate data
++ * registers(if any required), are reset to 0 for TISCI backward
++ * compatibility to be maintained.
+ */
+- if (data_reg <= qinst->queue_buff_end)
+- writel(0, qinst->queue_buff_end);
++ while (data_reg <= qinst->queue_buff_end) {
++ writel(0, data_reg);
++ data_reg += sizeof(u32);
++ }
+
+ return 0;
+ }
+--
+2.39.2
+
diff --git a/tmp-4.19/md-fix-data-corruption-for-raid456-when-reshape-rest.patch b/tmp-4.19/md-fix-data-corruption-for-raid456-when-reshape-rest.patch
new file mode 100644
index 00000000000..dfb8b2d7957
--- /dev/null
+++ b/tmp-4.19/md-fix-data-corruption-for-raid456-when-reshape-rest.patch
@@ -0,0 +1,60 @@
+From 8c977d8f9a4252e9b335230eb09b5cc3f52e6db1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 May 2023 09:56:07 +0800
+Subject: md: fix data corruption for raid456 when reshape restart while grow
+ up
+
+From: Yu Kuai
+
+[ Upstream commit 873f50ece41aad5c4f788a340960c53774b5526e ]
+
+Currently, if reshape is interrupted, echo "reshape" to sync_action will
+restart reshape from scratch, for example:
+
+echo frozen > sync_action
+echo reshape > sync_action
+
+This will corrupt data before reshape_position if the array is growing,
+fix the problem by continue reshape from reshape_position.
+
+Reported-by: Peter Neuwirth
+Link: https://lore.kernel.org/linux-raid/e2f96772-bfbc-f43b-6da1-f520e5164536@online.de/
+Signed-off-by: Yu Kuai
+Signed-off-by: Song Liu
+Link: https://lore.kernel.org/r/20230512015610.821290-3-yukuai1@huaweicloud.com
+Signed-off-by: Sasha Levin
+---
+ drivers/md/md.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 2e23a898fc978..6b074c2202d5a 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -4639,11 +4639,21 @@ action_store(struct mddev *mddev, const char *page, size_t len)
+ return -EINVAL;
+ err = mddev_lock(mddev);
+ if (!err) {
+- if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))
++ if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) {
+ err = -EBUSY;
+- else {
++ } else if (mddev->reshape_position == MaxSector ||
++ mddev->pers->check_reshape == NULL ||
++ mddev->pers->check_reshape(mddev)) {
+ clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery);
+ err = mddev->pers->start_reshape(mddev);
++ } else {
++ /*
++ * If reshape is still in progress, and
++ * md_check_recovery() can continue to reshape,
++ * don't restart reshape because data can be
++ * corrupted for raid456.
++ */
++ clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery);
+ }
+ mddev_unlock(mddev);
+ }
+--
+2.39.2
+
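Review bot: In the new `else if` of action_store(), a non-zero return from `mddev->pers->check_reshape(mddev)` selects the branch that calls `start_reshape()`, while a zero return selects the branch that only clears MD_RECOVERY_FROZEN; the added comment explains the second branch but not why a failing check leads to a fresh start. A one-line comment on the condition would help, e.g. `/* no reshape in progress, or the personality cannot resume it: start a new one */`, with the wording confirmed against check_reshape()'s contract, which is not visible here. The enclosing function starts and ends outside the hunk.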
diff --git a/tmp-4.19/md-raid0-add-discard-support-for-the-original-layout.patch b/tmp-4.19/md-raid0-add-discard-support-for-the-original-layout.patch
new file mode 100644
index 00000000000..8f1c4a01d52
--- /dev/null
+++ b/tmp-4.19/md-raid0-add-discard-support-for-the-original-layout.patch
@@ -0,0 +1,203 @@ +From e836007089ba8fdf24e636ef2b007651fb4582e6 Mon Sep 17 00:00:00 2001 +From: Jason Baron +Date: Fri, 23 Jun 2023 14:05:23 -0400 +Subject: md/raid0: add discard support for the 'original' layout + +From: Jason Baron + +commit e836007089ba8fdf24e636ef2b007651fb4582e6 upstream. + +We've found that using raid0 with the 'original' layout and discard +enabled with different disk sizes (such that at least two zones are +created) can result in data corruption. This is due to the fact that +the discard handling in 'raid0_handle_discard()' assumes the 'alternate' +layout. We've seen this corruption using ext4 but other filesystems are +likely susceptible as well. + +More specifically, while multiple zones are necessary to create the +corruption, the corruption may not occur with multiple zones if they +layout in such a way the layout matches what the 'alternate' layout +would have produced. Thus, not all raid0 devices with the 'original' +layout, different size disks and discard enabled will encounter this +corruption. + +The 3.14 kernel inadvertently changed the raid0 disk layout for different +size disks. Thus, running a pre-3.14 kernel and post-3.14 kernel on the +same raid0 array could corrupt data. This lead to the creation of the +'original' layout (to match the pre-3.14 layout) and the 'alternate' layout +(to match the post 3.14 layout) in the 5.4 kernel time frame and an option +to tell the kernel which layout to use (since it couldn't be autodetected). +However, when the 'original' layout was added back to 5.4 discard support +for the 'original' layout was not added leading this issue. + +I've been able to reliably reproduce the corruption with the following +test case: + +1. create raid0 array with different size disks using original layout +2. mkfs +3. mount -o discard +4. create lots of files +5. remove 1/2 the files +6. fstrim -a (or just the mount point for the raid0 array) +7. umount +8. 
fsck -fn /dev/md0 (spews all sorts of corruptions) + +Let's fix this by adding proper discard support to the 'original' layout. +The fix 'maps' the 'original' layout disks to the order in which they are +read/written such that we can compare the disks in the same way that the +current 'alternate' layout does. A 'disk_shift' field is added to +'struct strip_zone'. This could be computed on the fly in +raid0_handle_discard() but by adding this field, we save some computation +in the discard path. + +Note we could also potentially fix this by re-ordering the disks in the +zones that follow the first one, and then always read/writing them using +the 'alternate' layout. However, that is seen as a more substantial change, +and we are attempting the least invasive fix at this time to remedy the +corruption. + +I've verified the change using the reproducer mentioned above. Typically, +the corruption is seen after less than 3 iterations, while the patch has +run 500+ iterations. + +Cc: NeilBrown +Cc: Song Liu +Fixes: c84a1372df92 ("md/raid0: avoid RAID0 data corruption due to layout confusion.") +Cc: stable@vger.kernel.org +Signed-off-by: Jason Baron +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230623180523.1901230-1-jbaron@akamai.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid0.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++------- + drivers/md/raid0.h | 1 + 2 files changed, 55 insertions(+), 8 deletions(-) + +--- a/drivers/md/raid0.c ++++ b/drivers/md/raid0.c +@@ -296,6 +296,18 @@ static int create_strip_zones(struct mdd + goto abort; + } + ++ if (conf->layout == RAID0_ORIG_LAYOUT) { ++ for (i = 1; i < conf->nr_strip_zones; i++) { ++ sector_t first_sector = conf->strip_zone[i-1].zone_end; ++ ++ sector_div(first_sector, mddev->chunk_sectors); ++ zone = conf->strip_zone + i; ++ /* disk_shift is first disk index used in the zone */ ++ zone->disk_shift = sector_div(first_sector, ++ zone->nb_dev); ++ } ++ } ++ + pr_debug("md/raid0:%s: 
done.\n", mdname(mddev)); + *private_conf = conf; + +@@ -482,6 +494,20 @@ static inline int is_io_in_chunk_boundar + } + } + ++/* ++ * Convert disk_index to the disk order in which it is read/written. ++ * For example, if we have 4 disks, they are numbered 0,1,2,3. If we ++ * write the disks starting at disk 3, then the read/write order would ++ * be disk 3, then 0, then 1, and then disk 2 and we want map_disk_shift() ++ * to map the disks as follows 0,1,2,3 => 1,2,3,0. So disk 0 would map ++ * to 1, 1 to 2, 2 to 3, and 3 to 0. That way we can compare disks in ++ * that 'output' space to understand the read/write disk ordering. ++ */ ++static int map_disk_shift(int disk_index, int num_disks, int disk_shift) ++{ ++ return ((disk_index + num_disks - disk_shift) % num_disks); ++} ++ + static void raid0_handle_discard(struct mddev *mddev, struct bio *bio) + { + struct r0conf *conf = mddev->private; +@@ -495,7 +521,9 @@ static void raid0_handle_discard(struct + sector_t end_disk_offset; + unsigned int end_disk_index; + unsigned int disk; ++ sector_t orig_start, orig_end; + ++ orig_start = start; + zone = find_zone(conf, &start); + + if (bio_end_sector(bio) > zone->zone_end) { +@@ -509,6 +537,7 @@ static void raid0_handle_discard(struct + } else + end = bio_end_sector(bio); + ++ orig_end = end; + if (zone != conf->strip_zone) + end = end - zone[-1].zone_end; + +@@ -520,13 +549,26 @@ static void raid0_handle_discard(struct + last_stripe_index = end; + sector_div(last_stripe_index, stripe_size); + +- start_disk_index = (int)(start - first_stripe_index * stripe_size) / +- mddev->chunk_sectors; ++ /* In the first zone the original and alternate layouts are the same */ ++ if ((conf->layout == RAID0_ORIG_LAYOUT) && (zone != conf->strip_zone)) { ++ sector_div(orig_start, mddev->chunk_sectors); ++ start_disk_index = sector_div(orig_start, zone->nb_dev); ++ start_disk_index = map_disk_shift(start_disk_index, ++ zone->nb_dev, ++ zone->disk_shift); ++ sector_div(orig_end, 
mddev->chunk_sectors); ++ end_disk_index = sector_div(orig_end, zone->nb_dev); ++ end_disk_index = map_disk_shift(end_disk_index, ++ zone->nb_dev, zone->disk_shift); ++ } else { ++ start_disk_index = (int)(start - first_stripe_index * stripe_size) / ++ mddev->chunk_sectors; ++ end_disk_index = (int)(end - last_stripe_index * stripe_size) / ++ mddev->chunk_sectors; ++ } + start_disk_offset = ((int)(start - first_stripe_index * stripe_size) % + mddev->chunk_sectors) + + first_stripe_index * mddev->chunk_sectors; +- end_disk_index = (int)(end - last_stripe_index * stripe_size) / +- mddev->chunk_sectors; + end_disk_offset = ((int)(end - last_stripe_index * stripe_size) % + mddev->chunk_sectors) + + last_stripe_index * mddev->chunk_sectors; +@@ -535,18 +577,22 @@ static void raid0_handle_discard(struct + sector_t dev_start, dev_end; + struct bio *discard_bio = NULL; + struct md_rdev *rdev; ++ int compare_disk; ++ ++ compare_disk = map_disk_shift(disk, zone->nb_dev, ++ zone->disk_shift); + +- if (disk < start_disk_index) ++ if (compare_disk < start_disk_index) + dev_start = (first_stripe_index + 1) * + mddev->chunk_sectors; +- else if (disk > start_disk_index) ++ else if (compare_disk > start_disk_index) + dev_start = first_stripe_index * mddev->chunk_sectors; + else + dev_start = start_disk_offset; + +- if (disk < end_disk_index) ++ if (compare_disk < end_disk_index) + dev_end = (last_stripe_index + 1) * mddev->chunk_sectors; +- else if (disk > end_disk_index) ++ else if (compare_disk > end_disk_index) + dev_end = last_stripe_index * mddev->chunk_sectors; + else + dev_end = end_disk_offset; +--- a/drivers/md/raid0.h ++++ b/drivers/md/raid0.h +@@ -6,6 +6,7 @@ struct strip_zone { + sector_t zone_end; /* Start of the next zone (in sectors) */ + sector_t dev_start; /* Zone offset in real dev (in sectors) */ + int nb_dev; /* # of devices attached to the zone */ ++ int disk_shift; /* start disk for the original layout */ + }; + + /* Linux 3.14 (20d0189b101) made an unintended 
change to
diff --git a/tmp-4.19/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch b/tmp-4.19/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch
new file mode 100644
index 00000000000..b2d63a56285
--- /dev/null
+++ b/tmp-4.19/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch
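Review bot: The per-disk loop in raid0_handle_discard() now calls `map_disk_shift(disk, zone->nb_dev, zone->disk_shift)` for every layout and every zone, but `disk_shift` is assigned only for zones 1..n of RAID0_ORIG_LAYOUT in create_strip_zones(); the alternate layout and zone 0 therefore depend on the strip_zone array having been zero-filled at allocation, which this patch does not show. Say so where the field is declared, e.g. `int disk_shift; /* start disk for the original layout; must stay 0 for zone 0 and the alternate layout */`. `compare_disk` is also an `int` compared against the `unsigned int` start/end indexes, which is safe only while map_disk_shift() never returns a negative value. Both functions extend beyond the hunks.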
@@ -0,0 +1,65 @@
+From c42045a300917bf19d72afa28c7485a1e242ad54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 May 2023 21:48:05 +0800
+Subject: md/raid10: check slab-out-of-bounds in md_bitmap_get_counter
+
+From: Li Nan
+
+[ Upstream commit 301867b1c16805aebbc306aafa6ecdc68b73c7e5 ]
+
+If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()
+will return -EINVAL because 'page >= bitmap->pages', but the return value
+was not checked immediately in md_bitmap_get_counter() in order to set
+*blocks value and slab-out-of-bounds occurs.
+
+Move check of 'page >= bitmap->pages' to md_bitmap_get_counter() and
+return directly if true.
+
+Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.")
+Signed-off-by: Li Nan
+Reviewed-by: Yu Kuai
+Signed-off-by: Song Liu
+Link: https://lore.kernel.org/r/20230515134808.3936750-2-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin
+---
+ drivers/md/md-bitmap.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
+index 1c4c462787198..7ca81e917aef4 100644
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -53,14 +53,7 @@ __acquires(bitmap->lock)
+ {
+ unsigned char *mappage;
+
+- if (page >= bitmap->pages) {
+- /* This can happen if bitmap_start_sync goes beyond
+- * End-of-device while looking for a whole page.
+- * It is harmless.
+- */
+- return -EINVAL;
+- }
+-
++ WARN_ON_ONCE(page >= bitmap->pages);
+ if (bitmap->bp[page].hijacked) /* it's hijacked, don't try to alloc */
+ return 0;
+
+@@ -1368,6 +1361,14 @@ __acquires(bitmap->lock)
+ sector_t csize;
+ int err;
+
++ if (page >= bitmap->pages) {
++ /*
++ * This can happen if bitmap_start_sync goes beyond
++ * End-of-device while looking for a whole page or
++ * user set a huge number to sysfs bitmap_set_bits.
++ */
++ return NULL;
++ }
+ err = md_bitmap_checkpage(bitmap, page, create, 0);
+
+ if (bitmap->bp[page].hijacked ||
+--
+2.39.2
+
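Review bot: In md_bitmap_checkpage() the bounds test became `WARN_ON_ONCE(page >= bitmap->pages);`, which logs but then still evaluates `bitmap->bp[page].hijacked` on the next line, so any caller other than md_bitmap_get_counter() that passes an out-of-range page reads past the array. Keep the early exit together with the warning: `if (WARN_ON_ONCE(page >= bitmap->pages)) return -EINVAL;`. Separately, the new `return NULL` in md_bitmap_get_counter() happens before `*blocks` is set, which the commit message gives as the reason the old code deferred the check; callers that read `*blocks` after a NULL return are not visible here and should be checked. Both functions continue outside the hunks.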
diff --git a/tmp-4.19/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch b/tmp-4.19/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch
new file mode 100644
index 00000000000..325b0cb9437
--- /dev/null
+++ b/tmp-4.19/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch
@@ -0,0 +1,79 @@
+From 259441acc7d9499e917ec4612b2d9d732e643a53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Jun 2023 17:18:39 +0800
+Subject: md/raid10: fix io loss while replacement replace rdev
+
+From: Li Nan
+
+[ Upstream commit 2ae6aaf76912bae53c74b191569d2ab484f24bf3 ]
+
+When removing a disk with replacement, the replacement will be used to
+replace rdev. During this process, there is a brief window in which both
+rdev and replacement are read as NULL in raid10_write_request(). This
+will result in io not being submitted but it should be.
+
+ //remove //write
+ raid10_remove_disk raid10_write_request
+ mirror->rdev = NULL
+ read rdev -> NULL
+ mirror->rdev = mirror->replacement
+ mirror->replacement = NULL
+ read replacement -> NULL
+
+Fix it by reading replacement first and rdev later, meanwhile, use smp_mb()
+to prevent memory reordering.
+
+Fixes: 475b0321a4df ("md/raid10: writes should get directed to replacement as well as original.")
+Signed-off-by: Li Nan
+Reviewed-by: Yu Kuai
+Signed-off-by: Song Liu
+Link: https://lore.kernel.org/r/20230602091839.743798-3-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin
+---
+ drivers/md/raid10.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index f6d2be1d23864..d46056b07c079 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -781,8 +781,16 @@ static struct md_rdev *read_balance(struct r10conf *conf,
+ disk = r10_bio->devs[slot].devnum;
+ rdev = rcu_dereference(conf->mirrors[disk].replacement);
+ if (rdev == NULL || test_bit(Faulty, &rdev->flags) ||
+- r10_bio->devs[slot].addr + sectors > rdev->recovery_offset)
++ r10_bio->devs[slot].addr + sectors >
++ rdev->recovery_offset) {
++ /*
++ * Read replacement first to prevent reading both rdev
++ * and replacement as NULL during replacement replace
++ * rdev.
++ */
++ smp_mb();
+ rdev = rcu_dereference(conf->mirrors[disk].rdev);
++ }
+ if (rdev == NULL ||
+ test_bit(Faulty, &rdev->flags))
+ continue;
+@@ -1400,9 +1408,15 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio,
+
+ for (i = 0; i < conf->copies; i++) {
+ int d = r10_bio->devs[i].devnum;
+- struct md_rdev *rdev = rcu_dereference(conf->mirrors[d].rdev);
+- struct md_rdev *rrdev = rcu_dereference(
+- conf->mirrors[d].replacement);
++ struct md_rdev *rdev, *rrdev;
++
++ rrdev = rcu_dereference(conf->mirrors[d].replacement);
++ /*
++ * Read replacement first to prevent reading both rdev and
++ * replacement as NULL during replacement replace rdev.
++ */
++ smp_mb();
++ rdev = rcu_dereference(conf->mirrors[d].rdev);
+ if (rdev == rrdev)
+ rrdev = NULL;
+ if (rdev && unlikely(test_bit(Blocked, &rdev->flags))) {
+--
+2.39.2
+
diff --git a/tmp-4.19/md-raid10-fix-overflow-of-md-safe_mode_delay.patch b/tmp-4.19/md-raid10-fix-overflow-of-md-safe_mode_delay.patch
new file mode 100644
index 00000000000..68be8949886
--- /dev/null
+++ b/tmp-4.19/md-raid10-fix-overflow-of-md-safe_mode_delay.patch
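Review bot: The two `smp_mb()` calls added in read_balance() and raid10_write_request() order the reader's loads of `replacement` and `rdev`, but their comments do not name the barrier they pair with on the writer side; raid10_remove_disk(), which the commit message shows doing the stores, is not touched by this patch. A reader-side barrier only helps if the stores are ordered too, so the comment should point at the counterpart, e.g. `/* pairs with the barrier between the rdev and replacement stores in raid10_remove_disk() */`, after confirming that the 4.19 tree has one. Both functions extend beyond the hunks.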
@@ -0,0 +1,51 @@
+From 06023f86c6d335ab7cbc42c39fdf4677bddab0d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 May 2023 15:25:33 +0800
+Subject: md/raid10: fix overflow of md/safe_mode_delay
+
+From: Li Nan
+
+[ Upstream commit 6beb489b2eed25978523f379a605073f99240c50 ]
+
+There is no input check when echo md/safe_mode_delay in safe_delay_store().
+And msec might also overflow when HZ < 1000 in safe_delay_show(), Fix it by
+checking overflow in safe_delay_store() and use unsigned long conversion in
+safe_delay_show().
+
+Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers")
+Signed-off-by: Li Nan
+Signed-off-by: Song Liu
+Link: https://lore.kernel.org/r/20230522072535.1523740-2-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin
+---
+ drivers/md/md.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index f8c111b369928..ad3e666b9d735 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -3671,8 +3671,9 @@ int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale)
+ static ssize_t
+ safe_delay_show(struct mddev *mddev, char *page)
+ {
+- int msec = (mddev->safemode_delay*1000)/HZ;
+- return sprintf(page, "%d.%03d\n", msec/1000, msec%1000);
++ unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ;
++
++ return sprintf(page, "%u.%03u\n", msec/1000, msec%1000);
+ }
+ static ssize_t
+ safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
+@@ -3684,7 +3685,7 @@ safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
+ return -EINVAL;
+ }
+
+- if (strict_strtoul_scaled(cbuf, &msec, 3) < 0)
++ if (strict_strtoul_scaled(cbuf, &msec, 3) < 0 || msec > UINT_MAX / HZ)
+ return -EINVAL;
+ if (msec == 0)
+ mddev->safemode_delay = 0;
+--
+2.39.2
+
diff --git a/tmp-4.19/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch b/tmp-4.19/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch
new file mode 100644
index 00000000000..92a048b1d02
--- /dev/null
+++ b/tmp-4.19/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch
@@ -0,0 +1,38 @@
+From 3ac2cda1e64e9661ec83abeb47a94e2514a776f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 May 2023 15:25:34 +0800
+Subject: md/raid10: fix wrong setting of max_corr_read_errors
+
+From: Li Nan
+
+[ Upstream commit f8b20a405428803bd9881881d8242c9d72c6b2b2 ]
+
+There is no input check when echo md/max_read_errors and overflow might
+occur. Add check of input number.
+
+Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
+Signed-off-by: Li Nan
+Reviewed-by: Yu Kuai
+Signed-off-by: Song Liu
+Link: https://lore.kernel.org/r/20230522072535.1523740-3-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin
+---
+ drivers/md/md.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index ad3e666b9d735..2e23a898fc978 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -4337,6 +4337,8 @@ max_corrected_read_errors_store(struct mddev *mddev, const char *buf, size_t len
+ rv = kstrtouint(buf, 10, &n);
+ if (rv < 0)
+ return rv;
++ if (n > INT_MAX)
++ return -EINVAL;
+ atomic_set(&mddev->max_corr_read_errors, n);
+ return len;
+ }
+--
+2.39.2
+
diff --git a/tmp-4.19/md-raid10-prevent-soft-lockup-while-flush-writes.patch b/tmp-4.19/md-raid10-prevent-soft-lockup-while-flush-writes.patch
new file mode 100644
index 00000000000..f2b33679d76
--- /dev/null
+++ b/tmp-4.19/md-raid10-prevent-soft-lockup-while-flush-writes.patch
@@ -0,0 +1,79 @@
+From 1028f0b7c80c5262aa6683b18d6334476dd55f25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 May 2023 21:11:00 +0800
+Subject: md/raid10: prevent soft lockup while flush writes
+
+From: Yu Kuai
+
+[ Upstream commit 010444623e7f4da6b4a4dd603a7da7469981e293 ]
+
+Currently, there is no limit for raid1/raid10 plugged bio. While flushing
+writes, raid1 has cond_resched() while raid10 doesn't, and too many
+writes can cause soft lockup.
+
+Follow up soft lockup can be triggered easily with writeback test for
+raid10 with ramdisks:
+
+watchdog: BUG: soft lockup - CPU#10 stuck for 27s! [md0_raid10:1293]
+Call Trace:
+
+ call_rcu+0x16/0x20
+ put_object+0x41/0x80
+ __delete_object+0x50/0x90
+ delete_object_full+0x2b/0x40
+ kmemleak_free+0x46/0xa0
+ slab_free_freelist_hook.constprop.0+0xed/0x1a0
+ kmem_cache_free+0xfd/0x300
+ mempool_free_slab+0x1f/0x30
+ mempool_free+0x3a/0x100
+ bio_free+0x59/0x80
+ bio_put+0xcf/0x2c0
+ free_r10bio+0xbf/0xf0
+ raid_end_bio_io+0x78/0xb0
+ one_write_done+0x8a/0xa0
+ raid10_end_write_request+0x1b4/0x430
+ bio_endio+0x175/0x320
+ brd_submit_bio+0x3b9/0x9b7 [brd]
+ __submit_bio+0x69/0xe0
+ submit_bio_noacct_nocheck+0x1e6/0x5a0
+ submit_bio_noacct+0x38c/0x7e0
+ flush_pending_writes+0xf0/0x240
+ raid10d+0xac/0x1ed0
+
+Fix the problem by adding cond_resched() to raid10 like what raid1 did.
+
+Note that unlimited plugged bio still need to be optimized, for example,
+in the case of lots of dirty pages writeback, this will take lots of
+memory and io will spend a long time in plug, hence io latency is bad.
+
+Signed-off-by: Yu Kuai
+Signed-off-by: Song Liu
+Link: https://lore.kernel.org/r/20230529131106.2123367-2-yukuai1@huaweicloud.com
+Signed-off-by: Sasha Levin
+---
+ drivers/md/raid10.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index d46056b07c079..bee694be20132 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -942,6 +942,7 @@ static void flush_pending_writes(struct r10conf *conf)
+ else
+ generic_make_request(bio);
+ bio = next;
++ cond_resched();
+ }
+ blk_finish_plug(&plug);
+ } else
+@@ -1127,6 +1128,7 @@ static void raid10_unplug(struct blk_plug_cb *cb, bool from_schedule)
+ else
+ generic_make_request(bio);
+ bio = next;
++ cond_resched();
+ }
+ kfree(plug);
+ }
+--
+2.39.2
+
diff --git a/tmp-4.19/media-usb-check-az6007_read-return-value.patch b/tmp-4.19/media-usb-check-az6007_read-return-value.patch
new file mode 100644
index 00000000000..f05565620a3
--- /dev/null
+++ b/tmp-4.19/media-usb-check-az6007_read-return-value.patch
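Review bot: The `cond_resched()` added to the submit loop in raid10_unplug() assumes that loop only runs where sleeping is allowed; the function takes a `from_schedule` argument and the code that handles it sits above the hunk, so that assumption cannot be checked from here. Both new calls, this one and the one in flush_pending_writes(), would also benefit from a comment recording why they exist, e.g. `/* plugged list is unbounded; yield so a long flush does not trip the soft-lockup watchdog */`. Both loops start outside their hunks.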
@@ -0,0 +1,38 @@
+From d012063f1e944dad67033cc0cd1fde30da0e3268 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Mar 2023 10:04:49 -0700
+Subject: media: usb: Check az6007_read() return value
+
+From: Daniil Dulov
+
+[ Upstream commit fdaca63186f59fc664b346c45b76576624b48e57 ]
+
+If az6007_read() returns error, there is no sence to continue.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 3af2f4f15a61 ("[media] az6007: Change the az6007 read/write routine parameter")
+Signed-off-by: Daniil Dulov
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
+index 746926364535d..8e914be5b7c5e 100644
+--- a/drivers/media/usb/dvb-usb-v2/az6007.c
++++ b/drivers/media/usb/dvb-usb-v2/az6007.c
+@@ -210,7 +210,8 @@ static int az6007_rc_query(struct dvb_usb_device *d)
+ unsigned code;
+ enum rc_proto proto;
+
+- az6007_read(d, AZ6007_READ_IR, 0, 0, st->data, 10);
++ if (az6007_read(d, AZ6007_READ_IR, 0, 0, st->data, 10) < 0)
++ return -EIO;
+
+ if (st->data[1] == 0x44)
+ return 0;
+--
+2.39.2
+
diff --git a/tmp-4.19/media-usb-siano-fix-warning-due-to-null-work_func_t-.patch b/tmp-4.19/media-usb-siano-fix-warning-due-to-null-work_func_t-.patch
new file mode 100644
index 00000000000..1eeacc4c3b3
--- /dev/null
+++ b/tmp-4.19/media-usb-siano-fix-warning-due-to-null-work_func_t-.patch
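Review bot: The new check in az6007_rc_query() replaces whatever negative value az6007_read() returned with a fixed `-EIO`, so the caller and any log can no longer tell one failure cause from another. Propagating the value keeps that information: `ret = az6007_read(d, AZ6007_READ_IR, 0, 0, st->data, 10);` followed by `if (ret < 0) return ret;`. The declarations at the top of the function are only partly visible in the hunk, so a local `ret` may need to be added.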
@@ -0,0 +1,83 @@
+From 0bfc643423d21b0d842787fc278020696fbfc558 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 May 2023 07:59:32 +0800
+Subject: media: usb: siano: Fix warning due to null work_func_t function
+ pointer
+
+From: Duoming Zhou
+
+[ Upstream commit 6f489a966fbeb0da63d45c2c66a8957eab604bf6 ]
+
+The previous commit ebad8e731c1c ("media: usb: siano: Fix use after
+free bugs caused by do_submit_urb") adds cancel_work_sync() in
+smsusb_stop_streaming(). But smsusb_stop_streaming() may be called,
+even if the work_struct surb->wq has not been initialized. As a result,
+the warning will occur. One of the processes that could lead to warning
+is shown below:
+
+smsusb_probe()
+ smsusb_init_device()
+ if (!dev->in_ep || !dev->out_ep || align < 0) {
+ smsusb_term_device(intf);
+ smsusb_stop_streaming()
+ cancel_work_sync(&dev->surbs[i].wq);
+ __cancel_work_timer()
+ __flush_work()
+ if (WARN_ON(!work->func)) // work->func is null
+
+The log reported by syzbot is shown below:
+
+WARNING: CPU: 0 PID: 897 at kernel/workqueue.c:3066 __flush_work+0x798/0xa80 kernel/workqueue.c:3063
+Modules linked in:
+CPU: 0 PID: 897 Comm: kworker/0:2 Not tainted 6.2.0-rc1-syzkaller #0
+RIP: 0010:__flush_work+0x798/0xa80 kernel/workqueue.c:3066
+...
+RSP: 0018:ffffc9000464ebf8 EFLAGS: 00010246
+RAX: 1ffff11002dbb420 RBX: 0000000000000021 RCX: 1ffffffff204fa4e
+RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888016dda0e8
+RBP: ffffc9000464ed98 R08: 0000000000000001 R09: ffffffff90253b2f
+R10: 0000000000000001 R11: 0000000000000000 R12: ffff888016dda0e8
+R13: ffff888016dda0e8 R14: ffff888016dda100 R15: 0000000000000001
+FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd4331efe8 CR3: 000000000b48e000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+
+ __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3160
+ smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline]
+ smsusb_term_device+0xda/0x2d0 drivers/media/usb/siano/smsusb.c:344
+ smsusb_init_device+0x400/0x9ce drivers/media/usb/siano/smsusb.c:419
+ smsusb_probe+0xbbd/0xc55 drivers/media/usb/siano/smsusb.c:567
+...
+
+This patch adds check before cancel_work_sync(). If surb->wq has not
+been initialized, the cancel_work_sync() will not be executed.
+
+Reported-by: syzbot+27b0b464864741b18b99@syzkaller.appspotmail.com
+Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb")
+Signed-off-by: Duoming Zhou
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/siano/smsusb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
+index 2df3d730ea768..cd706874899c3 100644
+--- a/drivers/media/usb/siano/smsusb.c
++++ b/drivers/media/usb/siano/smsusb.c
+@@ -190,7 +190,8 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev)
+
+ for (i = 0; i < MAX_URBS; i++) {
+ usb_kill_urb(&dev->surbs[i].urb);
+- cancel_work_sync(&dev->surbs[i].wq);
++ if (dev->surbs[i].wq.func)
++ cancel_work_sync(&dev->surbs[i].wq);
+
+ if (dev->surbs[i].cb) {
+ smscore_putbuffer(dev->coredev, dev->surbs[i].cb);
+--
+2.39.2
+
diff --git a/tmp-4.19/media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch b/tmp-4.19/media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch
new file mode 100644
index 00000000000..bd304440a75
--- /dev/null
+++ b/tmp-4.19/media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch
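Review bot: The `dev->surbs[i].wq.func` test in smsusb_stop_streaming() reads a field of struct work_struct directly and is only meaningful if the surbs array is zero-filled before INIT_WORK() runs; the allocation of `dev` is outside the hunk, so that should be confirmed. If the memory were not zeroed, an uninitialised work item could still pass the test and reach cancel_work_sync(). A comment on the new line would make the dependency explicit, e.g. `/* wq.func stays NULL until INIT_WORK(); relies on dev being zero-allocated */`.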
@@ -0,0 +1,62 @@
+From e893f0ec9971c9347a2a0414e40093f005b71e03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 May 2023 15:36:49 +0200
+Subject: media: videodev2.h: Fix struct v4l2_input tuner index comment
+
+From: Marek Vasut
+
+[ Upstream commit 26ae58f65e64fa7ba61d64bae752e59e08380c6a ]
+
+VIDIOC_ENUMINPUT documentation describes the tuner field of
+struct v4l2_input as index:
+
+Documentation/userspace-api/media/v4l/vidioc-enuminput.rst
+"
+* - __u32
+ - ``tuner``
+ - Capture devices can have zero or more tuners (RF demodulators).
+ When the ``type`` is set to ``V4L2_INPUT_TYPE_TUNER`` this is an
+ RF connector and this field identifies the tuner. It corresponds
+ to struct :c:type:`v4l2_tuner` field ``index``. For
+ details on tuners see :ref:`tuner`.
+"
+
+Drivers I could find also use the 'tuner' field as an index, e.g.:
+drivers/media/pci/bt8xx/bttv-driver.c bttv_enum_input()
+drivers/media/usb/go7007/go7007-v4l2.c vidioc_enum_input()
+
+However, the UAPI comment claims this field is 'enum v4l2_tuner_type':
+include/uapi/linux/videodev2.h
+
+This field being 'enum v4l2_tuner_type' is unlikely as it seems to be
+never used that way in drivers, and documentation confirms it. It seem
+this comment got in accidentally in the commit which this patch fixes.
+Fix the UAPI comment to stop confusion.
+
+This was pointed out by Dmitry while reviewing VIDIOC_ENUMINPUT
+support for strace.
+
+Fixes: 6016af82eafc ("[media] v4l2: use __u32 rather than enums in ioctl() structs")
+Signed-off-by: Marek Vasut
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ include/uapi/linux/videodev2.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h
+index ad6a633f5848a..ac22e7f062399 100644
+--- a/include/uapi/linux/videodev2.h
++++ b/include/uapi/linux/videodev2.h
+@@ -1510,7 +1510,7 @@ struct v4l2_input {
+ __u8 name[32]; /* Label */
+ __u32 type; /* Type of input */
+ __u32 audioset; /* Associated audios (bitfield) */
+- __u32 tuner; /* enum v4l2_tuner_type */
++ __u32 tuner; /* Tuner index */
+ v4l2_std_id std;
+ __u32 status;
+ __u32 capabilities;
+--
+2.39.2
+
diff --git a/tmp-4.19/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch b/tmp-4.19/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch
new file mode 100644
index 00000000000..f489c149c25
--- /dev/null
+++ b/tmp-4.19/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch
@@ -0,0 +1,49 @@
+From e30b96869547af066175585c4913bfb9bbf5e916 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 22:27:04 +0200
+Subject: memstick r592: make memstick_debug_get_tpc_name() static
+
+From: Arnd Bergmann
+
+[ Upstream commit 434587df9f7fd68575f99a889cc5f2efc2eaee5e ]
+
+There are no other files referencing this function, apparently
+it was left global to avoid an 'unused function' warning when
+the only caller is left out. With a 'W=1' build, it causes
+a 'missing prototype' warning though:
+
+drivers/memstick/host/r592.c:47:13: error: no previous prototype for 'memstick_debug_get_tpc_name' [-Werror=missing-prototypes]
+
+Annotate the function as 'static __maybe_unused' to avoid both
+problems.
+
+Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader")
+Signed-off-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20230516202714.560929-1-arnd@kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+---
+ drivers/memstick/host/r592.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c
+index edb1b5588b7a0..6360f5c6d3958 100644
+--- a/drivers/memstick/host/r592.c
++++ b/drivers/memstick/host/r592.c
+@@ -47,12 +47,10 @@ static const char *tpc_names[] = {
+ * memstick_debug_get_tpc_name - debug helper that returns string for
+ * a TPC number
+ */
+-const char *memstick_debug_get_tpc_name(int tpc)
++static __maybe_unused const char *memstick_debug_get_tpc_name(int tpc)
+ {
+ return tpc_names[tpc-1];
+ }
+-EXPORT_SYMBOL(memstick_debug_get_tpc_name);
+-
+
+ /* Read a register*/
+ static inline u32 r592_read_reg(struct r592_device *dev, int address)
+--
+2.39.2
+
diff --git a/tmp-4.19/meson-saradc-fix-clock-divider-mask-length.patch b/tmp-4.19/meson-saradc-fix-clock-divider-mask-length.patch
new file mode 100644
index 00000000000..4d6df65e8d9
--- /dev/null
+++ b/tmp-4.19/meson-saradc-fix-clock-divider-mask-length.patch
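Review bot: With memstick_debug_get_tpc_name() now file-local, `return tpc_names[tpc-1];` is still an unchecked array index: a `tpc` of 0, or one beyond the table, reads outside `tpc_names`. The callers are not part of the hunk, so whether they can pass such a value is not visible here, but a guard costs one line: `if (tpc < 1 || tpc > (int)ARRAY_SIZE(tpc_names)) return "unknown";`.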
@@ -0,0 +1,37 @@
+From c57fa0037024c92c2ca34243e79e857da5d2c0a9 Mon Sep 17 00:00:00 2001
+From: George Stark
+Date: Tue, 6 Jun 2023 19:53:57 +0300
+Subject: meson saradc: fix clock divider mask length
+
+From: George Stark
+
+commit c57fa0037024c92c2ca34243e79e857da5d2c0a9 upstream.
+
+According to the datasheets of supported meson SoCs length of ADC_CLK_DIV
+field is 6-bit. Although all supported SoCs have the register
+with that field documented later SoCs use external clock rather than
+ADC internal clock so this patch affects only meson8 family (S8* SoCs).
+
+Fixes: 3adbf3427330 ("iio: adc: add a driver for the SAR ADC found in Amlogic Meson SoCs")
+Signed-off-by: George Stark
+Reviewed-by: Andy Shevchenko
+Reviewed-by: Martin Blumenstingl
+Link: https://lore.kernel.org/r/20230606165357.42417-1-gnstark@sberdevices.ru
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/meson_saradc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/meson_saradc.c
++++ b/drivers/iio/adc/meson_saradc.c
+@@ -75,7 +75,7 @@
+ #define MESON_SAR_ADC_REG3_PANEL_DETECT_COUNT_MASK GENMASK(20, 18)
+ #define MESON_SAR_ADC_REG3_PANEL_DETECT_FILTER_TB_MASK GENMASK(17, 16)
+ #define MESON_SAR_ADC_REG3_ADC_CLK_DIV_SHIFT 10
+- #define MESON_SAR_ADC_REG3_ADC_CLK_DIV_WIDTH 5
++ #define MESON_SAR_ADC_REG3_ADC_CLK_DIV_WIDTH 6
+ #define MESON_SAR_ADC_REG3_BLOCK_DLY_SEL_MASK GENMASK(9, 8)
+ #define MESON_SAR_ADC_REG3_BLOCK_DLY_MASK GENMASK(7, 0)
+
diff --git a/tmp-4.19/mfd-intel-lpss-add-missing-check-for-platform_get_re.patch b/tmp-4.19/mfd-intel-lpss-add-missing-check-for-platform_get_re.patch
new file mode 100644
index 00000000000..be8b6f28a98
--- /dev/null
+++ b/tmp-4.19/mfd-intel-lpss-add-missing-check-for-platform_get_re.patch
@@ -0,0 +1,38 @@
+From d3266ffb81d44b80b833b11b52aa251047fa1ba4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Jun 2023 09:48:18 +0800
+Subject: mfd: intel-lpss: Add missing check for platform_get_resource
+
+From: Jiasheng Jiang
+
+[ Upstream commit d918e0d5824495a75d00b879118b098fcab36fdb ]
+
+Add the missing check for platform_get_resource and return error
+if it fails.
+
+Fixes: 4b45efe85263 ("mfd: Add support for Intel Sunrisepoint LPSS devices")
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: Lee Jones
+Link: https://lore.kernel.org/r/20230609014818.28475-1-jiasheng@iscas.ac.cn
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/intel-lpss-acpi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mfd/intel-lpss-acpi.c b/drivers/mfd/intel-lpss-acpi.c
+index fc44fb7c595bc..281ef5f52eb55 100644
+--- a/drivers/mfd/intel-lpss-acpi.c
++++ b/drivers/mfd/intel-lpss-acpi.c
+@@ -92,6 +92,9 @@ static int intel_lpss_acpi_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ info->mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!info->mem)
++ return -ENODEV;
++
+ info->irq = platform_get_irq(pdev, 0);
+
+ ret = intel_lpss_probe(&pdev->dev, info);
+--
+2.39.2
+
diff --git a/tmp-4.19/mfd-rt5033-drop-rt5033-battery-sub-device.patch b/tmp-4.19/mfd-rt5033-drop-rt5033-battery-sub-device.patch
new file mode 100644
index 00000000000..e8a07f96464
--- /dev/null
+++ b/tmp-4.19/mfd-rt5033-drop-rt5033-battery-sub-device.patch
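Review bot: The line right after the new NULL check, `info->irq = platform_get_irq(pdev, 0);`, still stores its result unchecked, and platform_get_irq() returns a negative errno on failure. Unless intel_lpss_probe() rejects that value (it is not part of this hunk), the IRQ deserves the same treatment as `info->mem`: `if (info->irq < 0) return info->irq;`. intel_lpss_acpi_probe() begins above the hunk and continues below it.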
@@ -0,0 +1,41 @@
+From 135ecabb089f9739c90fcfc093e4fca81157e8f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 May 2023 22:57:10 +0200
+Subject: mfd: rt5033: Drop rt5033-battery sub-device
+
+From: Stephan Gerhold
+
+[ Upstream commit 43db1344e0f8c1eb687a1d6cd5b0de3009ab66cb ]
+
+The fuel gauge in the RT5033 PMIC (rt5033-battery) has its own I2C bus
+and interrupt lines. Therefore, it is not part of the MFD device
+and needs to be specified separately in the device tree.
+
+Fixes: 0b271258544b ("mfd: rt5033: Add Richtek RT5033 driver core.")
+Signed-off-by: Stephan Gerhold
+Signed-off-by: Jakob Hauser
+Reviewed-by: Linus Walleij
+Signed-off-by: Lee Jones
+Link: https://lore.kernel.org/r/6a8a19bc67b5be3732882e8131ad2ffcb546ac03.1684182964.git.jahau@rocketmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/rt5033.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/mfd/rt5033.c b/drivers/mfd/rt5033.c
+index 9bd089c563753..94cdad91c0657 100644
+--- a/drivers/mfd/rt5033.c
++++ b/drivers/mfd/rt5033.c
+@@ -44,9 +44,6 @@ static const struct mfd_cell rt5033_devs[] = {
+ {
+ .name = "rt5033-charger",
+ .of_compatible = "richtek,rt5033-charger",
+- }, {
+- .name = "rt5033-battery",
+- .of_compatible = "richtek,rt5033-battery",
+ }, {
+ .name = "rt5033-led",
+ .of_compatible = "richtek,rt5033-led",
+--
+2.39.2
+
diff --git a/tmp-4.19/mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch b/tmp-4.19/mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch
new file mode 100644
index 00000000000..2bc8ba83b53
--- /dev/null
+++ b/tmp-4.19/mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch
@@ -0,0 +1,45 @@
+From 85501700b904c3cc48cc73d347156cfc1c525962 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 17 Jun 2023 12:43:16 +0200
+Subject: mfd: stmpe: Only disable the regulators if they are enabled
+
+From: Christophe JAILLET
+
+[ Upstream commit 104d32bd81f620bb9f67fbf7d1159c414e89f05f ]
+
+In stmpe_probe(), if some regulator_enable() calls fail, probing continues
+and there is only a dev_warn().
+
+So, if stmpe_probe() is called the regulator may not be enabled. It is
+cleaner to test it before calling regulator_disable() in the remove
+function.
+
+Fixes: 9c9e321455fb ("mfd: stmpe: add optional regulators")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Linus Walleij
+Link: https://lore.kernel.org/r/8de3aaf297931d655b9ad6aed548f4de8b85425a.1686998575.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Lee Jones
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/stmpe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mfd/stmpe.c b/drivers/mfd/stmpe.c
+index 722ad2c368a56..d752c56d60e42 100644
+--- a/drivers/mfd/stmpe.c
++++ b/drivers/mfd/stmpe.c
+@@ -1428,9 +1428,9 @@ int stmpe_probe(struct stmpe_client_info *ci, enum stmpe_partnum partnum)
+
+ int stmpe_remove(struct stmpe *stmpe)
+ {
+- if (!IS_ERR(stmpe->vio))
++ if (!IS_ERR(stmpe->vio) && regulator_is_enabled(stmpe->vio))
+ regulator_disable(stmpe->vio);
+- if (!IS_ERR(stmpe->vcc))
++ if (!IS_ERR(stmpe->vcc) && regulator_is_enabled(stmpe->vcc))
+ regulator_disable(stmpe->vcc);
+
+ mfd_remove_devices(stmpe->dev);
+--
+2.39.2
+
diff --git a/tmp-4.19/misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch b/tmp-4.19/misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch
new file mode 100644
index 00000000000..53c0fffe7e8
--- /dev/null
+++ b/tmp-4.19/misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch
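Review bot: `regulator_is_enabled()` can return a negative errno as well as zero or a positive value, so in stmpe_remove() a failure of that call is treated as "enabled" and regulator_disable() still runs. Comparing explicitly avoids that: `if (!IS_ERR(stmpe->vio) && regulator_is_enabled(stmpe->vio) > 0)`, and the same for `stmpe->vcc`. The call also reports the state of the supply rather than whether this driver's own regulator_enable() succeeded, so on a supply shared with another consumer the disable could still be unbalanced; a flag set in stmpe_probe(), which is outside the hunk, would track that exactly.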
@@ -0,0 +1,50 @@
+From f61b7634a3249d12b9daa36ffbdb9965b6f24c6c Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Sat, 15 Apr 2023 11:35:39 +0900
+Subject: misc: pci_endpoint_test: Free IRQs before removing the device
+
+From: Damien Le Moal
+
+commit f61b7634a3249d12b9daa36ffbdb9965b6f24c6c upstream.
+
+In pci_endpoint_test_remove(), freeing the IRQs after removing the device
+creates a small race window for IRQs to be received with the test device
+memory already released, causing the IRQ handler to access invalid memory,
+resulting in an oops.
+
+Free the device IRQs before removing the device to avoid this issue.
+
+Link: https://lore.kernel.org/r/20230415023542.77601-15-dlemoal@kernel.org
+Fixes: e03327122e2c ("pci_endpoint_test: Add 2 ioctl commands")
+Signed-off-by: Damien Le Moal
+Signed-off-by: Lorenzo Pieralisi
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Manivannan Sadhasivam
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/pci_endpoint_test.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -785,6 +785,9 @@ static void pci_endpoint_test_remove(str
+ if (id < 0)
+ return;
+
++ pci_endpoint_test_release_irq(test);
++ pci_endpoint_test_free_irq_vectors(test);
++
+ misc_deregister(&test->miscdev);
+ kfree(misc_device->name);
+ ida_simple_remove(&pci_endpoint_test_ida, id);
+@@ -793,9 +796,6 @@ static void pci_endpoint_test_remove(str
+ pci_iounmap(pdev, test->bar[bar]);
+ }
+
+- pci_endpoint_test_release_irq(test);
+- pci_endpoint_test_free_irq_vectors(test);
+-
+ pci_release_regions(pdev);
+ pci_disable_device(pdev);
+ }
diff --git a/tmp-4.19/misc-pci_endpoint_test-re-init-completion-for-every-test.patch b/tmp-4.19/misc-pci_endpoint_test-re-init-completion-for-every-test.patch
new file mode 100644
index 00000000000..e61770d6df5
--- /dev/null
+++ b/tmp-4.19/misc-pci_endpoint_test-re-init-completion-for-every-test.patch
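Review bot: In pci_endpoint_test_remove() the IRQs are now released while the misc device is still registered, so the ioctl path stays reachable between `pci_endpoint_test_free_irq_vectors(test);` and `misc_deregister(&test->miscdev);`. If any ioctl command can request IRQs again (not visible in this hunk), a handler could be installed in that window and the use of released memory described in the commit message would return. A comment above the moved calls, `/* release IRQs first: the handler must not run once test memory is torn down */`, would at least document the ordering requirement. The function starts above the first hunk.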
@@ -0,0 +1,44 @@
+From fb620ae73b70c2f57b9d3e911fc24c024ba2324f Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Sat, 15 Apr 2023 11:35:40 +0900
+Subject: misc: pci_endpoint_test: Re-init completion for every test
+
+From: Damien Le Moal
+
+commit fb620ae73b70c2f57b9d3e911fc24c024ba2324f upstream.
+
+The irq_raised completion used to detect the end of a test case is
+initialized when the test device is probed, but never reinitialized again
+before a test case. As a result, the irq_raised completion synchronization
+is effective only for the first ioctl test case executed. Any subsequent
+call to wait_for_completion() by another ioctl() call will immediately
+return, potentially too early, leading to false positive failures.
+
+Fix this by reinitializing the irq_raised completion before starting a new
+ioctl() test command.
+
+Link: https://lore.kernel.org/r/20230415023542.77601-16-dlemoal@kernel.org
+Fixes: 2c156ac71c6b ("misc: Add host side PCI driver for PCI test function device")
+Signed-off-by: Damien Le Moal
+Signed-off-by: Lorenzo Pieralisi
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Manivannan Sadhasivam
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/pci_endpoint_test.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -601,6 +601,10 @@ static long pci_endpoint_test_ioctl(stru
+ struct pci_dev *pdev = test->pdev;
+
+ mutex_lock(&test->mutex);
++
++ reinit_completion(&test->irq_raised);
++ test->last_irq = -ENODATA;
++
+ switch (cmd) {
+ case PCITEST_BAR:
+ bar = arg;
diff --git a/tmp-4.19/mmc-core-disable-trim-on-kingston-emmc04g-m627.patch b/tmp-4.19/mmc-core-disable-trim-on-kingston-emmc04g-m627.patch
new file mode 100644
index 00000000000..c77405ac358
--- /dev/null
+++ b/tmp-4.19/mmc-core-disable-trim-on-kingston-emmc04g-m627.patch
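Review bot: The reset added at the top of pci_endpoint_test_ioctl() is safe against concurrent ioctl callers only because it sits after `mutex_lock(&test->mutex)`, and nothing in the code states that. I would add `/* reset under test->mutex so a completion left by an earlier command cannot satisfy this one */` above `reinit_completion(&test->irq_raised);`. An interrupt from the previous command that arrives after this reset would still complete the new wait; whether the handler can tell that case apart is outside the hunk.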
@@ -0,0 +1,46 @@
+From f1738a1f816233e6dfc2407f24a31d596643fd90 Mon Sep 17 00:00:00 2001
+From: Robert Marko
+Date: Mon, 19 Jun 2023 21:35:58 +0200
+Subject: mmc: core: disable TRIM on Kingston EMMC04G-M627
+
+From: Robert Marko
+
+commit f1738a1f816233e6dfc2407f24a31d596643fd90 upstream.
+
+It seems that Kingston EMMC04G-M627 despite advertising TRIM support does
+not work when the core is trying to use REQ_OP_WRITE_ZEROES.
+
+We are seeing I/O errors in OpenWrt under 6.1 on Zyxel NBG7815 that we did
+not previously have and tracked it down to REQ_OP_WRITE_ZEROES.
+
+Trying to use fstrim seems to also throw errors like:
+[93010.835112] I/O error, dev loop0, sector 16902 op 0x3:(DISCARD) flags 0x800 phys_seg 1 prio class 2
+
+Disabling TRIM makes the error go away, so lets add a quirk for this eMMC
+to disable TRIM.
+
+Signed-off-by: Robert Marko
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230619193621.437358-1-robimarko@gmail.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/quirks.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/mmc/core/quirks.h
++++ b/drivers/mmc/core/quirks.h
+@@ -91,6 +91,13 @@ static const struct mmc_fixup mmc_blk_fi
+ MMC_QUIRK_SEC_ERASE_TRIM_BROKEN),
+
+ /*
++ * Kingston EMMC04G-M627 advertises TRIM but it does not seems to
++ * support being used to offload WRITE_ZEROES.
++ */
++ MMC_FIXUP("M62704", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc,
++ MMC_QUIRK_TRIM_BROKEN),
++
++ /*
+ * On Some Kingston eMMCs, performing trim can result in
+ * unrecoverable data conrruption occasionally due to a firmware bug.
+ */
diff --git a/tmp-4.19/mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch b/tmp-4.19/mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch
new file mode 100644
index 00000000000..6730eea968d
--- /dev/null
+++ b/tmp-4.19/mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch
@@ -0,0 +1,44 @@
+From dbfbddcddcebc9ce8a08757708d4e4a99d238e44 Mon Sep 17 00:00:00 2001
+From: Robert Marko
+Date: Tue, 30 May 2023 23:32:59 +0200
+Subject: mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M
+
+From: Robert Marko
+
+commit dbfbddcddcebc9ce8a08757708d4e4a99d238e44 upstream.
+
+It seems that Micron MTFC4GACAJCN-1M despite advertising TRIM support does
+not work when the core is trying to use REQ_OP_WRITE_ZEROES.
+
+We are seeing the following errors in OpenWrt under 6.1 on Qnap Qhora 301W
+that we did not previously have and tracked it down to REQ_OP_WRITE_ZEROES:
+[ 18.085950] I/O error, dev loop0, sector 596 op 0x9:(WRITE_ZEROES) flags 0x800 phys_seg 0 prio class 2
+
+Disabling TRIM makes the error go away, so lets add a quirk for this eMMC
+to disable TRIM.
+
+Signed-off-by: Robert Marko
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230530213259.1776512-1-robimarko@gmail.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/quirks.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/mmc/core/quirks.h
++++ b/drivers/mmc/core/quirks.h
+@@ -98,6 +98,13 @@ static const struct mmc_fixup mmc_blk_fi
+ MMC_QUIRK_TRIM_BROKEN),
+
+ /*
++ * Micron MTFC4GACAJCN-1M advertises TRIM but it does not seems to
++ * support being used to offload WRITE_ZEROES.
++ */
++ MMC_FIXUP("Q2J54A", CID_MANFID_MICRON, 0x014e, add_quirk_mmc,
++ MMC_QUIRK_TRIM_BROKEN),
++
++ /*
+ * On Some Kingston eMMCs, performing trim can result in
+ * unrecoverable data conrruption occasionally due to a firmware bug.
+ */
diff --git a/tmp-4.19/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch b/tmp-4.19/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch
new file mode 100644
index 00000000000..19ffd3bb20f
--- /dev/null
+++ b/tmp-4.19/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch
@@ -0,0 +1,106 @@
+From 900af37b23eddbb3069809f016b46b3a70a539a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Jun 2023 21:09:56 +0900
+Subject: modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24}
+
+From: Masahiro Yamada
+
+[ Upstream commit 56a24b8ce6a7f9c4a21b2276a8644f6f3d8fc14d ]
+
+addend_arm_rel() processes R_ARM_PC24, R_ARM_CALL, R_ARM_JUMP24 in a
+wrong way.
+
+Here, test code.
+
+[test code for R_ARM_JUMP24]
+
+ .section .init.text,"ax"
+ bar:
+ bx lr
+
+ .section .text,"ax"
+ .globl foo
+ foo:
+ b bar
+
+[test code for R_ARM_CALL]
+
+ .section .init.text,"ax"
+ bar:
+ bx lr
+
+ .section .text,"ax"
+ .globl foo
+ foo:
+ push {lr}
+ bl bar
+ pop {pc}
+
+If you compile it with ARM multi_v7_defconfig, modpost will show the
+symbol name, (unknown).
+
+ WARNING: modpost: vmlinux.o: section mismatch in reference: foo (section: .text) -> (unknown) (section: .init.text)
+
+(You need to use GNU linker instead of LLD to reproduce it.)
+
+Fix the code to make modpost show the correct symbol name.
+
+I imported (with adjustment) sign_extend32() from include/linux/bitops.h.
+
+The '+8' is the compensation for pc-relative instruction. It is
+documented in "ELF for the Arm Architecture" [1].
+
+ "If the relocation is pc-relative then compensation for the PC bias
+ (the PC value is 8 bytes ahead of the executing instruction in Arm
+ state and 4 bytes in Thumb state) must be encoded in the relocation
+ by the object producer."
+
+[1]: https://github.com/ARM-software/abi-aa/blob/main/aaelf32/aaelf32.rst
+
+Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm")
+Fixes: 6e2e340b59d2 ("ARM: 7324/1: modpost: Fix section warnings for ARM for many compilers")
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Sasha Levin
+---
+ scripts/mod/modpost.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 41b1791a9463b..2060a3fe9691d 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -1751,12 +1751,20 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
+ #define R_ARM_THM_JUMP19 51
+ #endif
+
++static int32_t sign_extend32(int32_t value, int index)
++{
++ uint8_t shift = 31 - index;
++
++ return (int32_t)(value << shift) >> shift;
++}
++
+ static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
+ {
+ unsigned int r_typ = ELF_R_TYPE(r->r_info);
+ Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info);
+ void *loc = reloc_location(elf, sechdr, r);
+ uint32_t inst;
++ int32_t offset;
+
+ switch (r_typ) {
+ case R_ARM_ABS32:
+@@ -1766,6 +1774,10 @@ static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r)
+ case R_ARM_PC24:
+ case R_ARM_CALL:
+ case R_ARM_JUMP24:
++ inst = TO_NATIVE(*(uint32_t *)loc);
++ offset = sign_extend32((inst & 0x00ffffff) << 2, 25);
++ r->r_addend = offset + sym->st_value + 8;
++ break;
+ case R_ARM_THM_CALL:
+ case R_ARM_THM_JUMP24:
+ case R_ARM_THM_JUMP19:
+--
+2.39.2
+
diff --git a/tmp-4.19/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch b/tmp-4.19/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch
new file mode 100644
index 00000000000..947c7ff4bbe
--- /dev/null
+++ b/tmp-4.19/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch
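Review bot: The new sign_extend32() takes `int32_t value` and evaluates `value << shift`, a left shift of a signed operand, which C leaves undefined whenever a set bit is moved into the sign position; its only visible caller in addend_arm_rel() passes `(inst & 0x00ffffff) << 2` with index 25, so bit 25 lands on bit 31 for every backward branch. modpost is a host program, so the outcome depends on how the host compiler treats that shift. Declaring the parameter unsigned keeps the left shift well defined up to the final cast: `static int32_t sign_extend32(uint32_t value, int index)`.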
@@ -0,0 +1,133 @@ +From 0d510b44c12ef373d8102b1be1652f7e485f1bf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 21:09:55 +0900 +Subject: modpost: fix section mismatch message for R_ARM_ABS32 + +From: Masahiro Yamada + +[ Upstream commit b7c63520f6703a25eebb4f8138fed764fcae1c6f ] + +addend_arm_rel() processes R_ARM_ABS32 in a wrong way. + +Here, test code. + + [test code 1] + + #include + + int __initdata foo; + int get_foo(void) { return foo; } + +If you compile it with ARM versatile_defconfig, modpost will show the +symbol name, (unknown). + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> (unknown) (section: .init.data) + +(You need to use GNU linker instead of LLD to reproduce it.) + +If you compile it for other architectures, modpost will show the correct +symbol name. + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) + +For R_ARM_ABS32, addend_arm_rel() sets r->r_addend to a wrong value. + +I just mimicked the code in arch/arm/kernel/module.c. + +However, there is more difficulty for ARM. + +Here, test code. + + [test code 2] + + #include + + int __initdata foo; + int get_foo(void) { return foo; } + + int __initdata bar; + int get_bar(void) { return bar; } + +With this commit applied, modpost will show the following messages +for ARM versatile_defconfig: + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) + WARNING: modpost: vmlinux.o: section mismatch in reference: get_bar (section: .text) -> foo (section: .init.data) + +The reference from 'get_bar' to 'foo' seems wrong. + +I have no solution for this because it is true in assembly level. + +In the following output, relocation at 0x1c is no longer associated +with 'bar'. The two relocation entries point to the same symbol, and +the offset to 'bar' is encoded in the instruction 'r0, [r3, #4]'. 
+ + Disassembly of section .text: + + 00000000 : + 0: e59f3004 ldr r3, [pc, #4] @ c + 4: e5930000 ldr r0, [r3] + 8: e12fff1e bx lr + c: 00000000 .word 0x00000000 + + 00000010 : + 10: e59f3004 ldr r3, [pc, #4] @ 1c + 14: e5930004 ldr r0, [r3, #4] + 18: e12fff1e bx lr + 1c: 00000000 .word 0x00000000 + + Relocation section '.rel.text' at offset 0x244 contains 2 entries: + Offset Info Type Sym.Value Sym. Name + 0000000c 00000c02 R_ARM_ABS32 00000000 .init.data + 0000001c 00000c02 R_ARM_ABS32 00000000 .init.data + +When find_elf_symbol() gets into a situation where relsym->st_name is +zero, there is no guarantee to get the symbol name as written in C. + +I am keeping the current logic because it is useful in many architectures, +but the symbol name is not always correct depending on the optimization. +I left some comments in find_tosym(). + +Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index 8c2847ef4e422..41b1791a9463b 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1260,6 +1260,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, + if (relsym->st_name != 0) + return relsym; + ++ /* ++ * Strive to find a better symbol name, but the resulting name may not ++ * match the symbol referenced in the original code. 
++ */ + relsym_secindex = get_secindex(elf, relsym); + for (sym = elf->symtab_start; sym < elf->symtab_stop; sym++) { + if (get_secindex(elf, sym) != relsym_secindex) +@@ -1750,12 +1754,14 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + { + unsigned int r_typ = ELF_R_TYPE(r->r_info); ++ Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info); ++ void *loc = reloc_location(elf, sechdr, r); ++ uint32_t inst; + + switch (r_typ) { + case R_ARM_ABS32: +- /* From ARM ABI: (S + A) | T */ +- r->r_addend = (int)(long) +- (elf->symtab_start + ELF_R_SYM(r->r_info)); ++ inst = TO_NATIVE(*(uint32_t *)loc); ++ r->r_addend = inst + sym->st_value; + break; + case R_ARM_PC24: + case R_ARM_CALL: +-- +2.39.2 + diff --git a/tmp-4.19/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch b/tmp-4.19/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch new file mode 100644 index 00000000000..83da249fff2 --- /dev/null +++ b/tmp-4.19/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch 
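Review bot: addend_arm_rel() now dereferences `sym->st_value`, where `sym` is `elf->symtab_start + ELF_R_SYM(r->r_info)` taken straight from the relocation entry, and nothing in the hunk compares it with `elf->symtab_stop`. The removed code only converted that pointer to an integer, so a relocation carrying an out-of-range symbol index was harmless before and becomes an out-of-bounds read in the host tool now. A guard before the switch, such as `if (sym >= elf->symtab_stop) return 1;`, would keep a malformed object from being read past the symbol table; the function's return convention is not visible here, so the value is a placeholder to be checked against the caller. The function body continues outside the hunk.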
@@ -0,0 +1,41 @@ +From 7acd50017017a72aa1c54911c3e2fd8386dc3c3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 20:21:59 +0800 +Subject: nbd: Add the maximum limit of allocated index in nbd_dev_add + +From: Zhong Jinghua + +[ Upstream commit f12bc113ce904777fd6ca003b473b427782b3dde ] + +If the index allocated by idr_alloc greater than MINORMASK >> part_shift, +the device number will overflow, resulting in failure to create a block +device. + +Fix it by imiting the size of the max allocation. + +Signed-off-by: Zhong Jinghua +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230605122159.2134384-1-zhongjinghua@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 28024248a7b53..5a07964a1e676 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1646,7 +1646,8 @@ static int nbd_dev_add(int index) + if (err == -ENOSPC) + err = -EEXIST; + } else { +- err = idr_alloc(&nbd_index_idr, nbd, 0, 0, GFP_KERNEL); ++ err = idr_alloc(&nbd_index_idr, nbd, 0, ++ (MINORMASK >> part_shift) + 1, GFP_KERNEL); + if (err >= 0) + index = err; + } +-- +2.39.2 + diff --git a/tmp-4.19/net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch b/tmp-4.19/net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch new file mode 100644 index 00000000000..733983a5ff2 --- /dev/null +++ b/tmp-4.19/net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch 
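Review bot: The new upper bound covers only the automatic allocation in the `else` branch of nbd_dev_add(); the branch for a caller-chosen `index`, of which only the `-ENOSPC` to `-EEXIST` mapping is visible, is left unchanged. If that index can arrive from user space unchecked, a value above `MINORMASK >> part_shift` would reach the same device-number overflow the commit message describes. I would reject it before the allocation, e.g. `if (index > (MINORMASK >> part_shift)) return -EINVAL;` at a point where no cleanup is pending, or confirm that every caller already validates it. The function body extends beyond the hunk.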
@@ -0,0 +1,39 @@ +From 1b5ea7ffb7a3bdfffb4b7f40ce0d20a3372ee405 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Thu, 22 Jun 2023 03:31:07 -0700 +Subject: net: bcmgenet: Ensure MDIO unregistration has clocks enabled + +From: Florian Fainelli + +commit 1b5ea7ffb7a3bdfffb4b7f40ce0d20a3372ee405 upstream. + +With support for Ethernet PHY LEDs having been added, while +unregistering a MDIO bus and its child device liks PHYs there may be +"late" accesses to the MDIO bus. One typical use case is setting the PHY +LEDs brightness to OFF for instance. + +We need to ensure that the MDIO bus controller remains entirely +functional since it runs off the main GENET adapter clock. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20230617155500.4005881-1-andrew@lunn.ch/ +Fixes: 9a4e79697009 ("net: bcmgenet: utilize generic Broadcom UniMAC MDIO controller driver") +Signed-off-by: Florian Fainelli +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230622103107.1760280-1-florian.fainelli@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c +@@ -620,5 +620,7 @@ void bcmgenet_mii_exit(struct net_device + if (of_phy_is_fixed_link(dn)) + of_phy_deregister_fixed_link(dn); + of_node_put(priv->phy_dn); ++ clk_prepare_enable(priv->clk); + platform_device_unregister(priv->mii_pdev); ++ clk_disable_unprepare(priv->clk); + } diff --git a/tmp-4.19/net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch b/tmp-4.19/net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch new file mode 100644 index 00000000000..5dcecec5102 --- /dev/null +++ b/tmp-4.19/net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch 
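Review bot: The return value of the added `clk_prepare_enable(priv->clk)` in bcmgenet_mii_exit() is ignored, yet `clk_disable_unprepare(priv->clk)` runs unconditionally afterwards. If enabling fails, the MDIO bus is unregistered with the clock off, which is the situation the commit sets out to avoid, and the disable call then drops a reference that was never taken. Since the function returns void, I would at least gate the disable on success with a local `int ret`: `ret = clk_prepare_enable(priv->clk);` before the unregister and `if (!ret) clk_disable_unprepare(priv->clk);` after it, with a warning on failure. The start of the function is outside the hunk.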
@@ -0,0 +1,198 @@ +From d66c29881b68da5523baa978e1c93d3e344ead2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 19:41:18 +0300 +Subject: net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode + +From: Vladimir Oltean + +[ Upstream commit 6ca3c005d0604e8d2b439366e3923ea58db99641 ] + +According to the synchronization rules for .ndo_get_stats() as seen in +Documentation/networking/netdevices.rst, acquiring a plain spin_lock() +should not be illegal, but the bridge driver implementation makes it so. + +After running these commands, I am being faced with the following +lockdep splat: + +$ ip link add link swp0 name macsec0 type macsec encrypt on && ip link set swp0 up +$ ip link add dev br0 type bridge vlan_filtering 1 && ip link set br0 up +$ ip link set macsec0 master br0 && ip link set macsec0 up + + ======================================================== + WARNING: possible irq lock inversion dependency detected + 6.4.0-04295-g31b577b4bd4a #603 Not tainted + -------------------------------------------------------- + swapper/1/0 just changed the state of lock: + ffff6bd348724cd8 (&br->lock){+.-.}-{3:3}, at: br_forward_delay_timer_expired+0x34/0x198 + but this lock took another, SOFTIRQ-unsafe lock in the past: + (&ocelot->stats_lock){+.+.}-{3:3} + + and interrupts could create inverse lock ordering between them. + + other info that might help us debug this: + Chain exists of: + &br->lock --> &br->hash_lock --> &ocelot->stats_lock + + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&ocelot->stats_lock); + local_irq_disable(); + lock(&br->lock); + lock(&br->hash_lock); + + lock(&br->lock); + + *** DEADLOCK *** + +(details about the 3 locks skipped) + +swp0 is instantiated by drivers/net/dsa/ocelot/felix.c, and this +only matters to the extent that its .ndo_get_stats64() method calls +spin_lock(&ocelot->stats_lock). 
+ +Documentation/locking/lockdep-design.rst says: + +| A lock is irq-safe means it was ever used in an irq context, while a lock +| is irq-unsafe means it was ever acquired with irq enabled. + +(...) + +| Furthermore, the following usage based lock dependencies are not allowed +| between any two lock-classes:: +| +| -> +| -> + +Lockdep marks br->hash_lock as softirq-safe, because it is sometimes +taken in softirq context (for example br_fdb_update() which runs in +NET_RX softirq), and when it's not in softirq context it blocks softirqs +by using spin_lock_bh(). + +Lockdep marks ocelot->stats_lock as softirq-unsafe, because it never +blocks softirqs from running, and it is never taken from softirq +context. So it can always be interrupted by softirqs. + +There is a call path through which a function that holds br->hash_lock: +fdb_add_hw_addr() will call a function that acquires ocelot->stats_lock: +ocelot_port_get_stats64(). This can be seen below: + +ocelot_port_get_stats64+0x3c/0x1e0 +felix_get_stats64+0x20/0x38 +dsa_slave_get_stats64+0x3c/0x60 +dev_get_stats+0x74/0x2c8 +rtnl_fill_stats+0x4c/0x150 +rtnl_fill_ifinfo+0x5cc/0x7b8 +rtmsg_ifinfo_build_skb+0xe4/0x150 +rtmsg_ifinfo+0x5c/0xb0 +__dev_notify_flags+0x58/0x200 +__dev_set_promiscuity+0xa0/0x1f8 +dev_set_promiscuity+0x30/0x70 +macsec_dev_change_rx_flags+0x68/0x88 +__dev_set_promiscuity+0x1a8/0x1f8 +__dev_set_rx_mode+0x74/0xa8 +dev_uc_add+0x74/0xa0 +fdb_add_hw_addr+0x68/0xd8 +fdb_add_local+0xc4/0x110 +br_fdb_add_local+0x54/0x88 +br_add_if+0x338/0x4a0 +br_add_slave+0x20/0x38 +do_setlink+0x3a4/0xcb8 +rtnl_newlink+0x758/0x9d0 +rtnetlink_rcv_msg+0x2f0/0x550 +netlink_rcv_skb+0x128/0x148 +rtnetlink_rcv+0x24/0x38 + +the plain English explanation for it is: + +The macsec0 bridge port is created without p->flags & BR_PROMISC, +because it is what br_manage_promisc() decides for a VLAN filtering +bridge with a single auto port. 
+ +As part of the br_add_if() procedure, br_fdb_add_local() is called for +the MAC address of the device, and this results in a call to +dev_uc_add() for macsec0 while the softirq-safe br->hash_lock is taken. + +Because macsec0 does not have IFF_UNICAST_FLT, dev_uc_add() ends up +calling __dev_set_promiscuity() for macsec0, which is propagated by its +implementation, macsec_dev_change_rx_flags(), to the lower device: swp0. +This triggers the call path: + +dev_set_promiscuity(swp0) +-> rtmsg_ifinfo() + -> dev_get_stats() + -> ocelot_port_get_stats64() + +with a calling context that lockdep doesn't like (br->hash_lock held). + +Normally we don't see this, because even though many drivers that can be +bridge ports don't support IFF_UNICAST_FLT, we need a driver that + +(a) doesn't support IFF_UNICAST_FLT, *and* +(b) it forwards the IFF_PROMISC flag to another driver, and +(c) *that* driver implements ndo_get_stats64() using a softirq-unsafe + spinlock. + +Condition (b) is necessary because the first __dev_set_rx_mode() calls +__dev_set_promiscuity() with "bool notify=false", and thus, the +rtmsg_ifinfo() code path won't be entered. + +The same criteria also hold true for DSA switches which don't report +IFF_UNICAST_FLT. When the DSA master uses a spin_lock() in its +ndo_get_stats64() method, the same lockdep splat can be seen. + +I think the deadlock possibility is real, even though I didn't reproduce +it, and I'm thinking of the following situation to support that claim: + +fdb_add_hw_addr() runs on a CPU A, in a context with softirqs locally +disabled and br->hash_lock held, and may end up attempting to acquire +ocelot->stats_lock. + +In parallel, ocelot->stats_lock is currently held by a thread B (say, +ocelot_check_stats_work()), which is interrupted while holding it by a +softirq which attempts to lock br->hash_lock. + +Thread B cannot make progress because br->hash_lock is held by A. Whereas +thread A cannot make progress because ocelot->stats_lock is held by B. 
+ +When taking the issue at face value, the bridge can avoid that problem +by simply making the ports promiscuous from a code path with a saner +calling context (br->hash_lock not held). A bridge port without +IFF_UNICAST_FLT is going to become promiscuous as soon as we call +dev_uc_add() on it (which we do unconditionally), so why not be +preemptive and make it promiscuous right from the beginning, so as to +not be taken by surprise. + +With this, we've broken the links between code that holds br->hash_lock +or br->lock and code that calls into the ndo_change_rx_flags() or +ndo_get_stats64() ops of the bridge port. + +Fixes: 2796d0c648c9 ("bridge: Automatically manage port promiscuous mode.") +Signed-off-by: Vladimir Oltean +Reviewed-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_if.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c +index b5fb2b682e191..ab539551b7d39 100644 +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -161,8 +161,9 @@ void br_manage_promisc(struct net_bridge *br) + * This lets us disable promiscuous mode and write + * this config to hw. + */ +- if (br->auto_cnt == 0 || +- (br->auto_cnt == 1 && br_auto_port(p))) ++ if ((p->dev->priv_flags & IFF_UNICAST_FLT) && ++ (br->auto_cnt == 0 || ++ (br->auto_cnt == 1 && br_auto_port(p)))) + br_port_clear_promisc(p); + else + br_port_set_promisc(p); +-- +2.39.2 + diff --git a/tmp-4.19/net-create-netdev-dev_addr-assignment-helpers.patch b/tmp-4.19/net-create-netdev-dev_addr-assignment-helpers.patch new file mode 100644 index 00000000000..297db3ad7ca --- /dev/null +++ b/tmp-4.19/net-create-netdev-dev_addr-assignment-helpers.patch 
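Review bot: The comment kept above the condition in br_manage_promisc() still describes only the `auto_cnt` cases, so the new `IFF_UNICAST_FLT` test reads as unexplained to anyone who has not seen the commit message. I would extend that comment with the reasoning, for example `* Ports without IFF_UNICAST_FLT stay promiscuous: dev_uc_add() would` followed by `* make them promiscuous later anyway, with br->hash_lock held.` The surrounding loop and the start of the comment lie outside the hunk.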
@@ -0,0 +1,82 @@ +From e30a64ceb7b11cf6fcd324236f5de49d836f811d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 11:10:37 -0700 +Subject: net: create netdev->dev_addr assignment helpers + +From: Jakub Kicinski + +[ Upstream commit 48eab831ae8b9f7002a533fa4235eed63ea1f1a3 ] + +Recent work on converting address list to a tree made it obvious +we need an abstraction around writing netdev->dev_addr. Without +such abstraction updating the main device address is invisible +to the core. + +Introduce a number of helpers which for now just wrap memcpy() +but in the future can make necessary changes to the address +tree. + +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + include/linux/etherdevice.h | 12 ++++++++++++ + include/linux/netdevice.h | 18 ++++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h +index e1e9eff096d05..2932a40060c1d 100644 +--- a/include/linux/etherdevice.h ++++ b/include/linux/etherdevice.h +@@ -291,6 +291,18 @@ static inline void ether_addr_copy(u8 *dst, const u8 *src) + #endif + } + ++/** ++ * eth_hw_addr_set - Assign Ethernet address to a net_device ++ * @dev: pointer to net_device structure ++ * @addr: address to assign ++ * ++ * Assign given address to the net_device, addr_assign_type is not changed. 
++ */ ++static inline void eth_hw_addr_set(struct net_device *dev, const u8 *addr) ++{ ++ ether_addr_copy(dev->dev_addr, addr); ++} ++ + /** + * eth_hw_addr_inherit - Copy dev_addr from another net_device + * @dst: pointer to net_device to copy dev_addr to +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 90827d85265b0..7e9df3854420a 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -4079,6 +4079,24 @@ void __hw_addr_unsync_dev(struct netdev_hw_addr_list *list, + void __hw_addr_init(struct netdev_hw_addr_list *list); + + /* Functions used for device addresses handling */ ++static inline void ++__dev_addr_set(struct net_device *dev, const u8 *addr, size_t len) ++{ ++ memcpy(dev->dev_addr, addr, len); ++} ++ ++static inline void dev_addr_set(struct net_device *dev, const u8 *addr) ++{ ++ __dev_addr_set(dev, addr, dev->addr_len); ++} ++ ++static inline void ++dev_addr_mod(struct net_device *dev, unsigned int offset, ++ const u8 *addr, size_t len) ++{ ++ memcpy(&dev->dev_addr[offset], addr, len); ++} ++ + int dev_addr_add(struct net_device *dev, const unsigned char *addr, + unsigned char addr_type); + int dev_addr_del(struct net_device *dev, const unsigned char *addr, +-- +2.39.2 + diff --git a/tmp-4.19/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch b/tmp-4.19/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch new file mode 100644 index 00000000000..f22db08d7b4 --- /dev/null +++ b/tmp-4.19/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch 
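Review bot: `dev_addr_mod()` and `__dev_addr_set()` copy `len` bytes into `dev->dev_addr` with no check of `len` or `offset + len` against the size of the address buffer, so every caller has to get the bounds right on its own. Since the helpers exist to give the core one place through which address writes pass, that place is also where an out-of-range write can be caught, e.g. `if (WARN_ON_ONCE(offset + len > MAX_ADDR_LEN)) return;` at the top of `dev_addr_mod()`, assuming the buffer is MAX_ADDR_LEN bytes (its allocation is not visible in this hunk). The three netdevice.h helpers also lack the kernel-doc block that `eth_hw_addr_set()` receives in the same patch.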
@@ -0,0 +1,78 @@ +From 4b1ceed57aa791f16d3264dae3b1a75703df6675 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 16:36:57 +0530 +Subject: net: ethernet: ti: cpsw_ale: Fix + cpsw_ale_get_field()/cpsw_ale_set_field() + +From: Tanmay Patil + +[ Upstream commit b685f1a58956fa36cc01123f253351b25bfacfda ] + +CPSW ALE has 75 bit ALE entries which are stored within three 32 bit words. +The cpsw_ale_get_field() and cpsw_ale_set_field() functions assume that the +field will be strictly contained within one word. However, this is not +guaranteed to be the case and it is possible for ALE field entries to span +across up to two words at the most. + +Fix the methods to handle getting/setting fields spanning up to two words. + +Fixes: db82173f23c5 ("netdev: driver: ethernet: add cpsw address lookup engine support") +Signed-off-by: Tanmay Patil +[s-vadapalli@ti.com: rephrased commit message and added Fixes tag] +Signed-off-by: Siddharth Vadapalli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/cpsw_ale.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c +index c245629a38c76..6cb98760bc84e 100644 +--- a/drivers/net/ethernet/ti/cpsw_ale.c ++++ b/drivers/net/ethernet/ti/cpsw_ale.c +@@ -67,23 +67,37 @@ + + static inline int cpsw_ale_get_field(u32 *ale_entry, u32 start, u32 bits) + { +- int idx; ++ int idx, idx2; ++ u32 hi_val = 0; + + idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be fetched exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ hi_val = ale_entry[idx2] << ((idx2 * 32) - start); ++ } + start -= idx * 32; + idx = 2 - idx; /* flip */ +- return (ale_entry[idx] >> start) & BITMASK(bits); ++ return (hi_val + (ale_entry[idx] >> start)) & BITMASK(bits); + } + + static inline void cpsw_ale_set_field(u32 *ale_entry, u32 start, u32 bits, + u32 value) + { 
+- int idx; ++ int idx, idx2; + + value &= BITMASK(bits); +- idx = start / 32; ++ idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be set exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ ale_entry[idx2] &= ~(BITMASK(bits + start - (idx2 * 32))); ++ ale_entry[idx2] |= (value >> ((idx2 * 32) - start)); ++ } + start -= idx * 32; +- idx = 2 - idx; /* flip */ ++ idx = 2 - idx; /* flip */ + ale_entry[idx] &= ~(BITMASK(bits) << start); + ale_entry[idx] |= (value << start); + } +-- +2.39.2 + diff --git a/tmp-4.19/net-ipv6-check-return-value-of-pskb_trim.patch b/tmp-4.19/net-ipv6-check-return-value-of-pskb_trim.patch new file mode 100644 index 00000000000..096de135394 --- /dev/null +++ b/tmp-4.19/net-ipv6-check-return-value-of-pskb_trim.patch @@ -0,0 +1,39 @@ +From 4f1ea261d5545d222edbe3ee226f6423f76ff7e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 22:45:19 +0800 +Subject: net:ipv6: check return value of pskb_trim() + +From: Yuanjun Gong + +[ Upstream commit 4258faa130be4ea43e5e2d839467da421b8ff274 ] + +goto tx_err if an unexpected result is returned by pskb_tirm() +in ip6erspan_tunnel_xmit(). + +Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") +Signed-off-by: Yuanjun Gong +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 45c304b51b2b7..aa8ada354a399 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -960,7 +960,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + goto tx_err; + + if (skb->len > dev->mtu + dev->hard_header_len) { +- pskb_trim(skb, dev->mtu + dev->hard_header_len); ++ if (pskb_trim(skb, dev->mtu + dev->hard_header_len)) ++ goto tx_err; + truncate = true; + } + +-- +2.39.2 + 
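Review bot: In cpsw_ale_get_field() and cpsw_ale_set_field() the high-word index `idx2` is flipped (`idx2 = 2 - idx2`) before it is used in the shift arithmetic `(idx2 * 32) - start`, so the shift amount is derived from the array position rather than from the bit position. That gives the right result only when the field crosses the bit 31/32 boundary, where the flipped and unflipped values are both 1; for a field crossing bit 63/64 the flipped index is 0, the subtraction wraps in unsigned arithmetic and the shift count exceeds the width of `u32`. Keeping `idx2` unflipped and flipping only in the subscript avoids this, e.g. `hi_val = ale_entry[2 - idx2] << ((idx2 * 32) - start);`, with the same change to the two `ale_entry[idx2]` lines in the setter. Whether any ALE field actually straddles bits 63/64 on the supported hardware is not visible here.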
diff --git a/tmp-4.19/net-lan743x-don-t-sleep-in-atomic-context.patch b/tmp-4.19/net-lan743x-don-t-sleep-in-atomic-context.patch new file mode 100644 index 00000000000..90db667a7af --- /dev/null +++ b/tmp-4.19/net-lan743x-don-t-sleep-in-atomic-context.patch 
@@ -0,0 +1,72 @@ +From 7a8227b2e76be506b2ac64d2beac950ca04892a5 Mon Sep 17 00:00:00 2001 +From: Moritz Fischer +Date: Tue, 27 Jun 2023 03:50:00 +0000 +Subject: net: lan743x: Don't sleep in atomic context + +From: Moritz Fischer + +commit 7a8227b2e76be506b2ac64d2beac950ca04892a5 upstream. + +dev_set_rx_mode() grabs a spin_lock, and the lan743x implementation +proceeds subsequently to go to sleep using readx_poll_timeout(). + +Introduce a helper wrapping the readx_poll_timeout_atomic() function +and use it to replace the calls to readx_polL_timeout(). + +Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver") +Cc: stable@vger.kernel.org +Cc: Bryan Whitehead +Cc: UNGLinuxDriver@microchip.com +Signed-off-by: Moritz Fischer +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230627035000.1295254-1-moritzf@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microchip/lan743x_main.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -80,6 +80,18 @@ static int lan743x_csr_light_reset(struc + !(data & HW_CFG_LRST_), 100000, 10000000); + } + ++static int lan743x_csr_wait_for_bit_atomic(struct lan743x_adapter *adapter, ++ int offset, u32 bit_mask, ++ int target_value, int udelay_min, ++ int udelay_max, int count) ++{ ++ u32 data; ++ ++ return readx_poll_timeout_atomic(LAN743X_CSR_READ_OP, offset, data, ++ target_value == !!(data & bit_mask), ++ udelay_max, udelay_min * count); ++} ++ + static int lan743x_csr_wait_for_bit(struct lan743x_adapter *adapter, + int offset, u32 bit_mask, + int target_value, int usleep_min, +@@ -675,8 +687,8 @@ static int lan743x_dp_write(struct lan74 + u32 dp_sel; + int i; + +- if (lan743x_csr_wait_for_bit(adapter, DP_SEL, DP_SEL_DPRDY_, +- 1, 40, 100, 100)) ++ if (lan743x_csr_wait_for_bit_atomic(adapter, DP_SEL, DP_SEL_DPRDY_, ++ 1, 
40, 100, 100)) + return -EIO; + dp_sel = lan743x_csr_read(adapter, DP_SEL); + dp_sel &= ~DP_SEL_MASK_; +@@ -687,8 +699,9 @@ static int lan743x_dp_write(struct lan74 + lan743x_csr_write(adapter, DP_ADDR, addr + i); + lan743x_csr_write(adapter, DP_DATA_0, buf[i]); + lan743x_csr_write(adapter, DP_CMD, DP_CMD_WRITE_); +- if (lan743x_csr_wait_for_bit(adapter, DP_SEL, DP_SEL_DPRDY_, +- 1, 40, 100, 100)) ++ if (lan743x_csr_wait_for_bit_atomic(adapter, DP_SEL, ++ DP_SEL_DPRDY_, ++ 1, 40, 100, 100)) + return -EIO; + } + diff --git a/tmp-4.19/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch b/tmp-4.19/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch new file mode 100644 index 00000000000..987b2a40ed8 --- /dev/null +++ b/tmp-4.19/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch 
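Review bot: The new `lan743x_csr_wait_for_bit_atomic()` busy-waits, and with the arguments used in lan743x_dp_write() (`40, 100, 100`) each call may spin for up to `udelay_min * count` = 4000 µs, once before the loop and once per word written inside it. That is a long time to hold the spinlock the commit message mentions, so I would document the cost at the helper, e.g. `/* Busy-waits up to udelay_min * count us; for callers in atomic context only. */`, and check whether a smaller timeout suffices for `DP_SEL_DPRDY_`. The helper also passes `udelay_max` as the poll delay and uses `udelay_min` only to build the timeout, which the parameter names do not suggest. lan743x_dp_write() starts and ends outside the hunk.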
@@ -0,0 +1,48 @@ +From f9e8a622e20536ae06e72b75b9d71051521991fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 07:37:12 +0200 +Subject: net: mvneta: fix txq_map in case of txq_number==1 + +From: Klaus Kudielka + +[ Upstream commit 21327f81db6337c8843ce755b01523c7d3df715b ] + +If we boot with mvneta.txq_number=1, the txq_map is set incorrectly: +MVNETA_CPU_TXQ_ACCESS(1) refers to TX queue 1, but only TX queue 0 is +initialized. Fix this. + +Fixes: 50bf8cb6fc9c ("net: mvneta: Configure XPS support") +Signed-off-by: Klaus Kudielka +Reviewed-by: Michal Kubiak +Link: https://lore.kernel.org/r/20230705053712.3914-1-klaus.kudielka@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index f1a4b11ce0d19..512f9cd68070a 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -1415,7 +1415,7 @@ static void mvneta_defaults_set(struct mvneta_port *pp) + */ + if (txq_number == 1) + txq_map = (cpu == pp->rxq_def) ? +- MVNETA_CPU_TXQ_ACCESS(1) : 0; ++ MVNETA_CPU_TXQ_ACCESS(0) : 0; + + } else { + txq_map = MVNETA_CPU_TXQ_ACCESS_ALL_MASK; +@@ -3665,7 +3665,7 @@ static void mvneta_percpu_elect(struct mvneta_port *pp) + */ + if (txq_number == 1) + txq_map = (cpu == elected_cpu) ? +- MVNETA_CPU_TXQ_ACCESS(1) : 0; ++ MVNETA_CPU_TXQ_ACCESS(0) : 0; + else + txq_map = mvreg_read(pp, MVNETA_CPU_MAP(cpu)) & + MVNETA_CPU_TXQ_ACCESS_ALL_MASK; +-- +2.39.2 + diff --git a/tmp-4.19/net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch b/tmp-4.19/net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch new file mode 100644 index 00000000000..fa550b7fb0f --- /dev/null +++ b/tmp-4.19/net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch 
@@ -0,0 +1,73 @@ +From b1ff776eeefc168d9e591f6d3c7d58f3c7ac80f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Apr 2020 16:06:16 +0800 +Subject: net: Replace the limit of TCP_LINGER2 with TCP_FIN_TIMEOUT_MAX + +From: Cambda Zhu + +[ Upstream commit f0628c524fd188c3f9418e12478dfdfadacba815 ] + +This patch changes the behavior of TCP_LINGER2 about its limit. The +sysctl_tcp_fin_timeout used to be the limit of TCP_LINGER2 but now it's +only the default value. A new macro named TCP_FIN_TIMEOUT_MAX is added +as the limit of TCP_LINGER2, which is 2 minutes. + +Since TCP_LINGER2 used sysctl_tcp_fin_timeout as the default value +and the limit in the past, the system administrator cannot set the +default value for most of sockets and let some sockets have a greater +timeout. It might be a mistake that let the sysctl to be the limit of +the TCP_LINGER2. Maybe we can add a new sysctl to set the max of +TCP_LINGER2, but FIN-WAIT-2 timeout is usually no need to be too long +and 2 minutes are legal considering TCP specs. + +Changes in v3: +- Remove the new socket option and change the TCP_LINGER2 behavior so + that the timeout can be set to value between sysctl_tcp_fin_timeout + and 2 minutes. + +Changes in v2: +- Add int overflow check for the new socket option. + +Changes in v1: +- Add a new socket option to set timeout greater than + sysctl_tcp_fin_timeout. + +Signed-off-by: Cambda Zhu +Signed-off-by: David S. Miller +Stable-dep-of: 9df5335ca974 ("tcp: annotate data-races around tp->linger2") +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 1 + + net/ipv4/tcp.c | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 81300a04b5808..22cca858f2678 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -128,6 +128,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo); + * to combine FIN-WAIT-2 timeout with + * TIME-WAIT timer. 
+ */ ++#define TCP_FIN_TIMEOUT_MAX (120 * HZ) /* max TCP_LINGER2 value (two minutes) */ + + #define TCP_DELACK_MAX ((unsigned)(HZ/5)) /* maximal time to delay before sending an ACK */ + #if HZ >= 100 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index cb96775fc86f6..9f3cdcbbb7590 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3001,8 +3001,8 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + case TCP_LINGER2: + if (val < 0) + tp->linger2 = -1; +- else if (val > net->ipv4.sysctl_tcp_fin_timeout / HZ) +- tp->linger2 = 0; ++ else if (val > TCP_FIN_TIMEOUT_MAX / HZ) ++ tp->linger2 = TCP_FIN_TIMEOUT_MAX; + else + tp->linger2 = val * HZ; + break; +-- +2.39.2 + diff --git a/tmp-4.19/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch b/tmp-4.19/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch new file mode 100644 index 00000000000..c8efee46236 --- /dev/null +++ b/tmp-4.19/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch 
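Review bot: With this change the `TCP_LINGER2` case in do_tcp_setsockopt() no longer uses `net->ipv4.sysctl_tcp_fin_timeout` as a ceiling, so any process that can set the option may keep its sockets in FIN-WAIT-2 for up to `TCP_FIN_TIMEOUT_MAX` regardless of the administrator's setting. A host where the sysctl was lowered to bound orphaned-connection state loses that bound after the backport, and nothing in the code says so. I would record it next to the define, e.g. `/* hard cap; sysctl tcp_fin_timeout is only the default and does not bound TCP_LINGER2 */`, and call out the behaviour change in the stable changelog. Values above the cap are clamped silently rather than rejected, so the caller cannot tell that its request was reduced; the function continues outside the hunk.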
@@ -0,0 +1,57 @@
+From df9234bee325290818da8d5735cbfcf37bb2115b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Jul 2023 19:08:42 +0800
+Subject: net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX
+
+From: Lin Ma
+
+[ Upstream commit 30c45b5361d39b4b793780ffac5538090b9e2eb1 ]
+
+The attribute TCA_PEDIT_PARMS_EX is not be included in pedit_policy and
+one malicious user could fake a TCA_PEDIT_PARMS_EX whose length is
+smaller than the intended sizeof(struct tc_pedit). Hence, the
+dereference in tcf_pedit_init() could access dirty heap data.
+
+static int tcf_pedit_init(...)
+{
+ // ...
+ pattr = tb[TCA_PEDIT_PARMS]; // TCA_PEDIT_PARMS is included
+ if (!pattr)
+ pattr = tb[TCA_PEDIT_PARMS_EX]; // but this is not
+
+ // ...
+ parm = nla_data(pattr);
+
+ index = parm->index; // parm is able to be smaller than 4 bytes
+ // and this dereference gets dirty skb_buff
+ // data created in netlink_sendmsg
+}
+
+This commit adds TCA_PEDIT_PARMS_EX length in pedit_policy which avoid
+the above case, just like the TCA_PEDIT_PARMS.
+
+Fixes: 71d0ed7079df ("net/act_pedit: Support using offset relative to the conventional network headers")
+Signed-off-by: Lin Ma
+Reviewed-by: Pedro Tammela
+Link: https://lore.kernel.org/r/20230703110842.590282-1-linma@zju.edu.cn
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/sched/act_pedit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
+index aeb8f84cbd9e2..255d4ecf62522 100644
+--- a/net/sched/act_pedit.c
++++ b/net/sched/act_pedit.c
+@@ -29,6 +29,7 @@ static struct tc_action_ops act_pedit_ops;
+
+ static const struct nla_policy pedit_policy[TCA_PEDIT_MAX + 1] = {
+ [TCA_PEDIT_PARMS] = { .len = sizeof(struct tc_pedit) },
++ [TCA_PEDIT_PARMS_EX] = { .len = sizeof(struct tc_pedit) },
+ [TCA_PEDIT_KEYS_EX] = { .type = NLA_NESTED },
+ };
+
+--
+2.39.2
+
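Review bot: The added `[TCA_PEDIT_PARMS_EX] = { .len = sizeof(struct tc_pedit) }` entry sets no `.type`, so as far as I can tell the policy treats `.len` as a minimum payload size rather than an exact one. That covers the fixed header read through `parm->index`, but not any variable-length data that follows the header in the same attribute. Whether `tcf_pedit_init()` checks the attribute length against that trailing data is outside this hunk, so I would add a comment above the table: `/* .len is a lower bound on the fixed struct tc_pedit header; anything after it must be length-checked in tcf_pedit_init() */`.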
diff --git a/tmp-4.19/net-sched-make-psched_mtu-rtnl-less-safe.patch b/tmp-4.19/net-sched-make-psched_mtu-rtnl-less-safe.patch
new file mode 100644
index 00000000000..0b060652053
--- /dev/null
+++ b/tmp-4.19/net-sched-make-psched_mtu-rtnl-less-safe.patch
@@ -0,0 +1,49 @@
+From 19bfe7281d835cff53c41f2059bbd4222c112960 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Jul 2023 23:16:34 -0300
+Subject: net/sched: make psched_mtu() RTNL-less safe
+
+From: Pedro Tammela
+
+[ Upstream commit 150e33e62c1fa4af5aaab02776b6c3812711d478 ]
+
+Eric Dumazet says[1]:
+-------
+Speaking of psched_mtu(), I see that net/sched/sch_pie.c is using it
+without holding RTNL, so dev->mtu can be changed underneath.
+KCSAN could issue a warning.
+-------
+
+Annotate dev->mtu with READ_ONCE() so KCSAN don't issue a warning.
+
+[1] https://lore.kernel.org/all/CANn89iJoJO5VtaJ-2=_d2aOQhb0Xw8iBT_Cxqp2HyuS-zj6azw@mail.gmail.com/
+
+v1 -> v2: Fix commit message
+
+Fixes: d4b36210c2e6 ("net: pkt_sched: PIE AQM scheme")
+Suggested-by: Eric Dumazet
+Signed-off-by: Pedro Tammela
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230711021634.561598-1-pctammela@mojatatu.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/pkt_sched.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h
+index e09ea6917c061..83a16f3bd6e6a 100644
+--- a/include/net/pkt_sched.h
++++ b/include/net/pkt_sched.h
+@@ -131,7 +131,7 @@ extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1];
+ */
+ static inline unsigned int psched_mtu(const struct net_device *dev)
+ {
+- return dev->mtu + dev->hard_header_len;
++ return READ_ONCE(dev->mtu) + dev->hard_header_len;
+ }
+
+ static inline struct net *qdisc_net(struct Qdisc *q)
+--
+2.39.2
+
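Review bot: Only `dev->mtu` is annotated in `psched_mtu()`; `dev->hard_header_len` on the same line is still a plain load on the path the commit message describes as running without RTNL. If that field can also change while a qdisc is active (not visible here), the sum can mix old and new values and KCSAN may still report it; `return READ_ONCE(dev->mtu) + READ_ONCE(dev->hard_header_len);` would cover both. The annotation also only pairs properly with `WRITE_ONCE()` on the writer side, which is outside this hunk and worth confirming for the 4.19 tree.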
diff --git a/tmp-4.19/netfilter-add-helper-function-to-set-up-the-nfnetlink-header-and-use-it.patch b/tmp-4.19/netfilter-add-helper-function-to-set-up-the-nfnetlink-header-and-use-it.patch new file mode 100644 index 00000000000..df60b163b1a --- /dev/null +++ b/tmp-4.19/netfilter-add-helper-function-to-set-up-the-nfnetlink-header-and-use-it.patch 
@@ -0,0 +1,704 @@ +From pablo@netfilter.org Wed Jul 5 18:55:24 2023 +From: Pablo Neira Ayuso +Date: Wed, 5 Jul 2023 18:55:10 +0200 +Subject: netfilter: add helper function to set up the nfnetlink header and use it +To: netfilter-devel@vger.kernel.org +Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org +Message-ID: <20230705165516.50145-5-pablo@netfilter.org> + +From: Pablo Neira Ayuso + +[ 19c28b1374fb1073a9ec873a6c10bf5f16b10b9d ] + +This patch adds a helper function to set up the netlink and nfnetlink headers. +Update existing codebase to use it. + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/netfilter/nfnetlink.h | 27 +++++++++ + net/netfilter/ipset/ip_set_core.c | 17 +---- + net/netfilter/nf_conntrack_netlink.c | 77 +++++++------------------- + net/netfilter/nf_tables_api.c | 102 +++++++++-------------------------- + net/netfilter/nf_tables_trace.c | 9 --- + net/netfilter/nfnetlink_acct.c | 11 +-- + net/netfilter/nfnetlink_cthelper.c | 11 +-- + net/netfilter/nfnetlink_cttimeout.c | 22 ++----- + net/netfilter/nfnetlink_log.c | 11 +-- + net/netfilter/nfnetlink_queue.c | 12 +--- + net/netfilter/nft_compat.c | 11 +-- + 11 files changed, 102 insertions(+), 208 deletions(-) + +--- a/include/linux/netfilter/nfnetlink.h ++++ b/include/linux/netfilter/nfnetlink.h +@@ -49,6 +49,33 @@ static inline u16 nfnl_msg_type(u8 subsy + return subsys << 8 | msg_type; + } + ++static inline void nfnl_fill_hdr(struct nlmsghdr *nlh, u8 family, u8 version, ++ __be16 res_id) ++{ ++ struct nfgenmsg *nfmsg; ++ ++ nfmsg = nlmsg_data(nlh); ++ nfmsg->nfgen_family = family; ++ nfmsg->version = version; ++ nfmsg->res_id = res_id; ++} ++ ++static inline struct nlmsghdr *nfnl_msg_put(struct sk_buff *skb, u32 portid, ++ u32 seq, int type, int flags, ++ u8 family, u8 version, ++ __be16 res_id) ++{ ++ struct nlmsghdr *nlh; ++ ++ nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags); ++ if (!nlh) ++ return NULL; ++ 
++ nfnl_fill_hdr(nlh, family, version, res_id); ++ ++ return nlh; ++} ++ + void nfnl_lock(__u8 subsys_id); + void nfnl_unlock(__u8 subsys_id); + #ifdef CONFIG_PROVE_LOCKING +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -791,20 +791,9 @@ static struct nlmsghdr * + start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags, + enum ipset_cmd cmd) + { +- struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; +- +- nlh = nlmsg_put(skb, portid, seq, nfnl_msg_type(NFNL_SUBSYS_IPSET, cmd), +- sizeof(*nfmsg), flags); +- if (!nlh) +- return NULL; +- +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = NFPROTO_IPV4; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- +- return nlh; ++ return nfnl_msg_put(skb, portid, seq, ++ nfnl_msg_type(NFNL_SUBSYS_IPSET, cmd), flags, ++ NFPROTO_IPV4, NFNETLINK_V0, 0); + } + + /* Create a set */ +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -517,20 +517,15 @@ ctnetlink_fill_info(struct sk_buff *skb, + { + const struct nf_conntrack_zone *zone; + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + struct nlattr *nest_parms; + unsigned int flags = portid ? 
NLM_F_MULTI : 0, event; + + event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, nf_ct_l3num(ct), ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = nf_ct_l3num(ct); +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + zone = nf_ct_zone(ct); + + nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); +@@ -687,7 +682,6 @@ ctnetlink_conntrack_event(unsigned int e + const struct nf_conntrack_zone *zone; + struct net *net; + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + struct nlattr *nest_parms; + struct nf_conn *ct = item->ct; + struct sk_buff *skb; +@@ -717,15 +711,11 @@ ctnetlink_conntrack_event(unsigned int e + goto errout; + + type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type); +- nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, nf_ct_l3num(ct), ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = nf_ct_l3num(ct); +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + zone = nf_ct_zone(ct); + + nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); +@@ -2170,20 +2160,15 @@ ctnetlink_ct_stat_cpu_fill_info(struct s + __u16 cpu, const struct ip_conntrack_stat *st) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? 
NLM_F_MULTI : 0, event; + + event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, + IPCTNL_MSG_CT_GET_STATS_CPU); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, ++ NFNETLINK_V0, htons(cpu)); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(cpu); +- + if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) || + nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) || + nla_put_be32(skb, CTA_STATS_IGNORE, htonl(st->ignore)) || +@@ -2254,20 +2239,15 @@ ctnetlink_stat_ct_fill_info(struct sk_bu + struct net *net) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? NLM_F_MULTI : 0, event; + unsigned int nr_conntracks = atomic_read(&net->ct.count); + + event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks))) + goto nla_put_failure; + +@@ -2780,19 +2760,14 @@ ctnetlink_exp_fill_info(struct sk_buff * + int event, const struct nf_conntrack_expect *exp) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? 
NLM_F_MULTI : 0; + + event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, ++ exp->tuple.src.l3num, NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = exp->tuple.src.l3num; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (ctnetlink_exp_dump_expect(skb, exp) < 0) + goto nla_put_failure; + +@@ -2812,7 +2787,6 @@ ctnetlink_expect_event(unsigned int even + struct nf_conntrack_expect *exp = item->exp; + struct net *net = nf_ct_exp_net(exp); + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + struct sk_buff *skb; + unsigned int type, group; + int flags = 0; +@@ -2835,15 +2809,11 @@ ctnetlink_expect_event(unsigned int even + goto errout; + + type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type); +- nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, ++ exp->tuple.src.l3num, NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = exp->tuple.src.l3num; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (ctnetlink_exp_dump_expect(skb, exp) < 0) + goto nla_put_failure; + +@@ -3413,20 +3383,15 @@ ctnetlink_exp_stat_fill_info(struct sk_b + const struct ip_conntrack_stat *st) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? 
NLM_F_MULTI : 0, event; + + event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, + IPCTNL_MSG_EXP_GET_STATS_CPU); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, ++ NFNETLINK_V0, htons(cpu)); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(cpu); +- + if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) || + nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) || + nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete))) +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -578,18 +578,13 @@ static int nf_tables_fill_table_info(str + int family, const struct nft_table *table) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + + event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, ++ NFNETLINK_V0, nft_base_seq(net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(net); +- + if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || + nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) || + nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) || +@@ -1213,18 +1208,13 @@ static int nf_tables_fill_chain_info(str + const struct nft_chain *chain) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + + event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, ++ NFNETLINK_V0, nft_base_seq(net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- 
nfmsg->nfgen_family = family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(net); +- + if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name)) + goto nla_put_failure; + if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), +@@ -2257,21 +2247,16 @@ static int nf_tables_fill_rule_info(stru + const struct nft_rule *rule) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + const struct nft_expr *expr, *next; + struct nlattr *list; + const struct nft_rule *prule; + u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); + +- nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0, ++ nft_base_seq(net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(net); +- + if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) + goto nla_put_failure; + if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) +@@ -3166,23 +3151,17 @@ static __be64 nf_jiffies64_to_msecs(u64 + static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, + const struct nft_set *set, u16 event, u16 flags) + { +- struct nfgenmsg *nfmsg; + struct nlmsghdr *nlh; + struct nlattr *desc; + u32 portid = ctx->portid; + u32 seq = ctx->seq; + + event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), +- flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, ++ NFNETLINK_V0, nft_base_seq(ctx->net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = ctx->family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(ctx->net); +- + if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) + goto nla_put_failure; + if (nla_put_string(skb, NFTA_SET_NAME, set->name)) +@@ -3996,7 
+3975,6 @@ static int nf_tables_dump_set(struct sk_ + struct nft_set *set; + struct nft_set_dump_args args; + bool set_found = false; +- struct nfgenmsg *nfmsg; + struct nlmsghdr *nlh; + struct nlattr *nest; + u32 portid, seq; +@@ -4029,16 +4007,11 @@ static int nf_tables_dump_set(struct sk_ + portid = NETLINK_CB(cb->skb).portid; + seq = cb->nlh->nlmsg_seq; + +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), +- NLM_F_MULTI); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI, ++ table->family, NFNETLINK_V0, nft_base_seq(net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = table->family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(net); +- + if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) + goto nla_put_failure; + if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) +@@ -4095,22 +4068,16 @@ static int nf_tables_fill_setelem_info(s + const struct nft_set *set, + const struct nft_set_elem *elem) + { +- struct nfgenmsg *nfmsg; + struct nlmsghdr *nlh; + struct nlattr *nest; + int err; + + event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), +- flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, ++ NFNETLINK_V0, nft_base_seq(ctx->net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = ctx->family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(ctx->net); +- + if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) + goto nla_put_failure; + if (nla_put_string(skb, NFTA_SET_NAME, set->name)) +@@ -5146,19 +5113,14 @@ static int nf_tables_fill_obj_info(struc + int family, const struct nft_table *table, + struct nft_object *obj, bool reset) + { +- struct nfgenmsg *nfmsg; + struct nlmsghdr *nlh; + + event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); +- nlh = 
nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, ++ NFNETLINK_V0, nft_base_seq(net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(net); +- + if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || + nla_put_string(skb, NFTA_OBJ_NAME, obj->name) || + nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || +@@ -5806,20 +5768,15 @@ static int nf_tables_fill_flowtable_info + struct nft_flowtable *flowtable) + { + struct nlattr *nest, *nest_devs; +- struct nfgenmsg *nfmsg; + struct nlmsghdr *nlh; + int i; + + event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, ++ NFNETLINK_V0, nft_base_seq(net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(net); +- + if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || + nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || + nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || +@@ -6045,19 +6002,14 @@ static int nf_tables_fill_gen_info(struc + u32 portid, u32 seq) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + char buf[TASK_COMM_LEN]; + int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); + +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC, ++ NFNETLINK_V0, nft_base_seq(net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(net); +- + if 
(nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) || + nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || + nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) +--- a/net/netfilter/nf_tables_trace.c ++++ b/net/netfilter/nf_tables_trace.c +@@ -186,7 +186,6 @@ static bool nft_trace_have_verdict_chain + void nft_trace_notify(struct nft_traceinfo *info) + { + const struct nft_pktinfo *pkt = info->pkt; +- struct nfgenmsg *nfmsg; + struct nlmsghdr *nlh; + struct sk_buff *skb; + unsigned int size; +@@ -222,15 +221,11 @@ void nft_trace_notify(struct nft_tracein + return; + + event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_TRACE); +- nlh = nlmsg_put(skb, 0, 0, event, sizeof(struct nfgenmsg), 0); ++ nlh = nfnl_msg_put(skb, 0, 0, event, 0, info->basechain->type->family, ++ NFNETLINK_V0, 0); + if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = info->basechain->type->family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (nla_put_be32(skb, NFTA_TRACE_NFPROTO, htonl(nft_pf(pkt)))) + goto nla_put_failure; + +--- a/net/netfilter/nfnetlink_acct.c ++++ b/net/netfilter/nfnetlink_acct.c +@@ -135,21 +135,16 @@ nfnl_acct_fill_info(struct sk_buff *skb, + int event, struct nf_acct *acct) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? 
NLM_F_MULTI : 0; + u64 pkts, bytes; + u32 old_flags; + + event = nfnl_msg_type(NFNL_SUBSYS_ACCT, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (nla_put_string(skb, NFACCT_NAME, acct->name)) + goto nla_put_failure; + +--- a/net/netfilter/nfnetlink_cthelper.c ++++ b/net/netfilter/nfnetlink_cthelper.c +@@ -532,20 +532,15 @@ nfnl_cthelper_fill_info(struct sk_buff * + int event, struct nf_conntrack_helper *helper) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? NLM_F_MULTI : 0; + int status; + + event = nfnl_msg_type(NFNL_SUBSYS_CTHELPER, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (nla_put_string(skb, NFCTH_NAME, helper->name)) + goto nla_put_failure; + +--- a/net/netfilter/nfnetlink_cttimeout.c ++++ b/net/netfilter/nfnetlink_cttimeout.c +@@ -164,20 +164,15 @@ ctnl_timeout_fill_info(struct sk_buff *s + int event, struct ctnl_timeout *timeout) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? 
NLM_F_MULTI : 0; + const struct nf_conntrack_l4proto *l4proto = timeout->timeout.l4proto; + + event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_TIMEOUT, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (nla_put_string(skb, CTA_TIMEOUT_NAME, timeout->name) || + nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, + htons(timeout->timeout.l3num)) || +@@ -396,19 +391,14 @@ cttimeout_default_fill_info(struct net * + const unsigned int *timeouts) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? NLM_F_MULTI : 0; + + event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_TIMEOUT, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, htons(l4proto->l3proto)) || + nla_put_u8(skb, CTA_TIMEOUT_L4PROTO, l4proto->l4proto)) + goto nla_put_failure; +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -404,20 +404,15 @@ __build_packet_message(struct nfnl_log_n + { + struct nfulnl_msg_packet_hdr pmsg; + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + sk_buff_data_t old_tail = inst->skb->tail; + struct sock *sk; + const unsigned char *hwhdrp; + +- nlh = nlmsg_put(inst->skb, 0, 0, +- nfnl_msg_type(NFNL_SUBSYS_ULOG, NFULNL_MSG_PACKET), +- sizeof(struct nfgenmsg), 0); ++ nlh = nfnl_msg_put(inst->skb, 0, 0, ++ nfnl_msg_type(NFNL_SUBSYS_ULOG, NFULNL_MSG_PACKET), ++ 0, pf, NFNETLINK_V0, htons(inst->group_num)); + if (!nlh) + return -1; 
+- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = pf; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(inst->group_num); + + memset(&pmsg, 0, sizeof(pmsg)); + pmsg.hw_protocol = skb->protocol; +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -387,7 +387,6 @@ nfqnl_build_packet_message(struct net *n + struct nlattr *nla; + struct nfqnl_msg_packet_hdr *pmsg; + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + struct sk_buff *entskb = entry->skb; + struct net_device *indev; + struct net_device *outdev; +@@ -473,18 +472,15 @@ nfqnl_build_packet_message(struct net *n + goto nlmsg_failure; + } + +- nlh = nlmsg_put(skb, 0, 0, +- nfnl_msg_type(NFNL_SUBSYS_QUEUE, NFQNL_MSG_PACKET), +- sizeof(struct nfgenmsg), 0); ++ nlh = nfnl_msg_put(skb, 0, 0, ++ nfnl_msg_type(NFNL_SUBSYS_QUEUE, NFQNL_MSG_PACKET), ++ 0, entry->state.pf, NFNETLINK_V0, ++ htons(queue->queue_num)); + if (!nlh) { + skb_tx_error(entskb); + kfree_skb(skb); + goto nlmsg_failure; + } +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = entry->state.pf; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(queue->queue_num); + + nla = __nla_reserve(skb, NFQA_PACKET_HDR, sizeof(*pmsg)); + pmsg = nla_data(nla); +--- a/net/netfilter/nft_compat.c ++++ b/net/netfilter/nft_compat.c +@@ -575,19 +575,14 @@ nfnl_compat_fill_info(struct sk_buff *sk + int rev, int target) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? 
NLM_F_MULTI : 0; + + event = nfnl_msg_type(NFNL_SUBSYS_NFT_COMPAT, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (nla_put_string(skb, NFTA_COMPAT_NAME, name) || + nla_put_be32(skb, NFTA_COMPAT_REV, htonl(rev)) || + nla_put_be32(skb, NFTA_COMPAT_TYPE, htonl(target))) diff --git a/tmp-4.19/netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch b/tmp-4.19/netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch new file mode 100644 index 00000000000..2b568387a22 --- /dev/null +++ b/tmp-4.19/netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch 
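Review bot: `nfnl_fill_hdr()` and `nfnl_msg_put()` in `include/linux/netfilter/nfnetlink.h` are added without any comment, although every converted caller now relies on two contracts they carry. First, `res_id` is `__be16` and must already be in network byte order; the callers here pass `htons(cpu)`, `htons(inst->group_num)`, `nft_base_seq(net)` or `0`. Second, `nfnl_msg_put()` returns NULL when `nlmsg_put()` cannot reserve the header, and the callers keep their own failure labels. I would add a short kernel-doc block above both helpers stating this, and noting that the helper assigns every field of `struct nfgenmsg` so that no unset skb bytes reach userspace (presumably `nlmsg_put()` does not zero the payload; confirm).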
@@ -0,0 +1,51 @@
+From 6eef7a2b933885a17679eb8ed0796ddf0ee5309b Mon Sep 17 00:00:00 2001
+From: Florent Revest
+Date: Mon, 3 Jul 2023 16:52:16 +0200
+Subject: netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
+
+From: Florent Revest
+
+commit 6eef7a2b933885a17679eb8ed0796ddf0ee5309b upstream.
+
+If nf_conntrack_init_start() fails (for example due to a
+register_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini()
+clean-up path frees the nf_ct_helper_hash map.
+
+When built with NF_CONNTRACK=y, further netfilter modules (e.g:
+netfilter_conntrack_ftp) can still be loaded and call
+nf_conntrack_helpers_register(), independently of whether nf_conntrack
+initialized correctly. This accesses the nf_ct_helper_hash dangling
+pointer and causes a uaf, possibly leading to random memory corruption.
+
+This patch guards nf_conntrack_helper_register() from accessing a freed
+or uninitialized nf_ct_helper_hash pointer and fixes possible
+uses-after-free when loading a conntrack module.
+
+Cc: stable@vger.kernel.org
+Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
+Signed-off-by: Florent Revest
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_conntrack_helper.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/nf_conntrack_helper.c
++++ b/net/netfilter/nf_conntrack_helper.c
+@@ -400,6 +400,9 @@ int nf_conntrack_helper_register(struct
+ BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
+ BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1);
+
++ if (!nf_ct_helper_hash)
++ return -ENOENT;
++
+ if (me->expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT)
+ return -EINVAL;
+
+@@ -570,4 +573,5 @@ void nf_conntrack_helper_fini(void)
+ {
+ nf_ct_extend_unregister(&helper_extend);
+ kvfree(nf_ct_helper_hash);
++ nf_ct_helper_hash = NULL;
+ }
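Review bot: The new `if (!nf_ct_helper_hash) return -ENOENT;` test in `nf_conntrack_helper_register()` is the only guard this patch adds, and as far as the hunk shows it runs before any lock is taken. Other users of `nf_ct_helper_hash` (lookup and unregister paths, outside this hunk) would still dereference the pointer that `nf_conntrack_helper_fini()` now sets to NULL. They are presumably unreachable once registration is refused, but that is not visible here. A comment at the check such as `/* hash is NULL if conntrack init failed or after fini; refuse registration */` would record the invariant for later callers. Both function bodies extend beyond the hunks.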
diff --git a/tmp-4.19/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch b/tmp-4.19/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch new file mode 100644 index 00000000000..92b7e6541a3 --- /dev/null +++ b/tmp-4.19/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch 
@@ -0,0 +1,53 @@
+From c40874c71ae6f5e26f1958101a5a7dd1d049899f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jun 2023 11:23:46 +0000
+Subject: netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param()
+ return value.
+
+From: Ilia.Gavrilov
+
+[ Upstream commit f188d30087480eab421cd8ca552fb15f55d57f4d ]
+
+ct_sip_parse_numerical_param() returns only 0 or 1 now.
+But process_register_request() and process_register_response() imply
+checking for a negative value if parsing of a numerical header parameter
+failed.
+The invocation in nf_nat_sip() looks correct:
+ if (ct_sip_parse_numerical_param(...) > 0 &&
+ ...) { ... }
+
+Make the return value of the function ct_sip_parse_numerical_param()
+a tristate to fix all the cases
+a) return 1 if value is found; *val is set
+b) return 0 if value is not found; *val is unchanged
+c) return -1 on error; *val is undefined
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: 0f32a40fc91a ("[NETFILTER]: nf_conntrack_sip: create signalling expectations")
+Signed-off-by: Ilia.Gavrilov
+Reviewed-by: Simon Horman
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_sip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
+index 046f118dea06b..d16aa43ebd4d6 100644
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -605,7 +605,7 @@ int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
+ start += strlen(name);
+ *val = simple_strtoul(start, &end, 0);
+ if (start == end)
+- return 0;
++ return -1;
+ if (matchoff && matchlen) {
+ *matchoff = start - dptr;
+ *matchlen = end - start;
+--
+2.39.2
+
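Review bot: The commit message documents the new tristate contract (1 found, 0 not found, -1 error) but the function itself gets no comment, and the hunk shows `*val = simple_strtoul(start, &end, 0);` executed before the `start == end` test, so on the `-1` path `*val` has already been overwritten. I would put the contract above `ct_sip_parse_numerical_param()` as `/* Returns 1 and sets *val if found, 0 if absent, -1 on parse error (*val is clobbered) */`, so callers do not read `*val` after a negative return. `simple_strtoul()` also does not report overflow, so an out-of-range number in the header is presumably accepted as a wrapped value; whether callers range-check the result is outside the hunk. The function starts and ends outside the hunk.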
diff --git a/tmp-4.19/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch b/tmp-4.19/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch new file mode 100644 index 00000000000..cdbeda5cb43 --- /dev/null +++ b/tmp-4.19/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch 
@@ -0,0 +1,101 @@ +From stable-owner@vger.kernel.org Wed Jul 5 18:55:57 2023 +From: Pablo Neira Ayuso +Date: Wed, 5 Jul 2023 18:55:13 +0200 +Subject: netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain +To: netfilter-devel@vger.kernel.org +Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org +Message-ID: <20230705165516.50145-8-pablo@netfilter.org> + +From: Pablo Neira Ayuso + +[ 26b5a5712eb85e253724e56a54c17f8519bd8e4e ] + +Add a new state to deal with rule expressions deactivation from the +newrule error path, otherwise the anonymous set remains in the list in +inactive state for the next generation. Mark the set/chain transaction +as unbound so the abort path releases this object, set it as inactive in +the next generation so it is not reachable anymore from this transaction +and reference counter is dropped. + +Fixes: 1240eb93f061 ("netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + include/net/netfilter/nf_tables.h | 1 + + net/netfilter/nf_tables_api.c | 26 ++++++++++++++++++++++---- + 2 files changed, 23 insertions(+), 4 deletions(-) + +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -736,6 +736,7 @@ struct nft_expr_type { + + enum nft_trans_phase { + NFT_TRANS_PREPARE, ++ NFT_TRANS_PREPARE_ERROR, + NFT_TRANS_ABORT, + NFT_TRANS_COMMIT, + NFT_TRANS_RELEASE +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -120,7 +120,8 @@ static void nft_trans_destroy(struct nft + kfree(trans); + } + +-static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) ++static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set, ++ bool bind) + { + struct nftables_pernet *nft_net; + struct net *net = ctx->net; +@@ -134,16 +135,26 @@ static void nft_set_trans_bind(const str + switch (trans->msg_type) { + case NFT_MSG_NEWSET: + if 
(nft_trans_set(trans) == set) +- nft_trans_set_bound(trans) = true; ++ nft_trans_set_bound(trans) = bind; + break; + case NFT_MSG_NEWSETELEM: + if (nft_trans_elem_set(trans) == set) +- nft_trans_elem_set_bound(trans) = true; ++ nft_trans_elem_set_bound(trans) = bind; + break; + } + } + } + ++static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) ++{ ++ return __nft_set_trans_bind(ctx, set, true); ++} ++ ++static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set) ++{ ++ return __nft_set_trans_bind(ctx, set, false); ++} ++ + static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) + { + struct nftables_pernet *nft_net; +@@ -2784,7 +2795,7 @@ static int nf_tables_newrule(struct net + + return 0; + err2: +- nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE); ++ nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR); + nf_tables_rule_destroy(&ctx, rule); + err1: + for (i = 0; i < n; i++) { +@@ -3809,6 +3820,13 @@ void nf_tables_deactivate_set(const stru + enum nft_trans_phase phase) + { + switch (phase) { ++ case NFT_TRANS_PREPARE_ERROR: ++ nft_set_trans_unbind(ctx, set); ++ if (nft_set_is_anonymous(set)) ++ nft_deactivate_next(ctx->net, set); ++ ++ set->use--; ++ break; + case NFT_TRANS_PREPARE: + if (nft_set_is_anonymous(set)) + nft_deactivate_next(ctx->net, set); diff --git a/tmp-4.19/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch b/tmp-4.19/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch new file mode 100644 index 00000000000..9c21fe87b00 --- /dev/null +++ b/tmp-4.19/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch 
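Review bot: In the `case NFT_TRANS_PREPARE_ERROR:` branch added to nf_tables_deactivate_set(), `set->use--` runs for every set but only anonymous sets get further handling, so a non-anonymous set keeps the failed rule's binding on its list. The sibling patch netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch on this page adds `else list_del_rcu(&binding->list);` at this spot, and the `err2:` line this patch replaces is itself introduced by netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch. The three therefore have to be queued together and applied in series order (Message-IDs -7-, -8-, -10-), which differs from the alphabetical file order shown here. The function bodies continue outside the hunks.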
@@ -0,0 +1,50 @@
+From pablo@netfilter.org Wed Jul 5 18:55:22 2023
+From: Pablo Neira Ayuso
+Date: Wed, 5 Jul 2023 18:55:08 +0200
+Subject: netfilter: nf_tables: add rescheduling points during loop detection walks
+To: netfilter-devel@vger.kernel.org
+Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
+Message-ID: <20230705165516.50145-3-pablo@netfilter.org>
+
+From: Florian Westphal
+
+[ 81ea010667417ef3f218dfd99b69769fe66c2b67 ]
+
+Add explicit rescheduling points during ruleset walk.
+
+Switching to a faster algorithm is possible but this is a much
+smaller change, suitable for nf tree.
+
+Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1460
+Signed-off-by: Florian Westphal
+Acked-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2552,6 +2552,8 @@ int nft_chain_validate(const struct nft_
+ if (err < 0)
+ return err;
+ }
++
++ cond_resched();
+ }
+
+ return 0;
+@@ -6956,9 +6958,13 @@ static int nf_tables_check_loops(const s
+ break;
+ }
+ }
++
++ cond_resched();
+ }
+
+ list_for_each_entry(set, &ctx->table->sets, list) {
++ cond_resched();
++
+ if (!nft_is_active_next(ctx->net, set))
+ continue;
+ if (!(set->flags & NFT_SET_MAP) ||
diff --git a/tmp-4.19/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch b/tmp-4.19/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch
new file mode 100644
index 00000000000..c27fe0b50ff
--- /dev/null
+++ b/tmp-4.19/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch
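Review bot: The `cond_resched()` calls added inside nft_chain_validate() and nf_tables_check_loops() can sleep in callers that hold an RCU read lock or are inside a set walk. Two other patches on this page report exactly that and move or drop all three calls: netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch and netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch. Applied on its own this patch would introduce a sleeping-in-atomic bug, so it should only be queued together with both follow-ups and never cherry-picked alone. Both function bodies extend outside the hunks.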
@@ -0,0 +1,64 @@
+From 519800f3b9e064d6eec3b22116785effa817ba10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Jul 2023 01:30:33 +0200
+Subject: netfilter: nf_tables: can't schedule in nft_chain_validate
+
+From: Florian Westphal
+
+[ Upstream commit 314c82841602a111c04a7210c21dc77e0d560242 ]
+
+Can be called via nft set element list iteration, which may acquire
+rcu and/or bh read lock (depends on set type).
+
+BUG: sleeping function called from invalid context at net/netfilter/nf_tables_api.c:3353
+in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1232, name: nft
+preempt_count: 0, expected: 0
+RCU nest depth: 1, expected: 0
+2 locks held by nft/1232:
+ #0: ffff8881180e3ea8 (&nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid
+ #1: ffffffff83f5f540 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire
+Call Trace:
+ nft_chain_validate
+ nft_lookup_validate_setelem
+ nft_pipapo_walk
+ nft_lookup_validate
+ nft_chain_validate
+ nft_immediate_validate
+ nft_chain_validate
+ nf_tables_validate
+ nf_tables_abort
+
+No choice but to move it to nf_tables_validate().
+
+Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks")
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index f25b6337f150a..115bc79ec9055 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2602,8 +2602,6 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
+ if (err < 0)
+ return err;
+ }
+-
+- cond_resched();
+ }
+
+ return 0;
+@@ -2627,6 +2625,8 @@ static int nft_table_validate(struct net *net, const struct nft_table *table)
+ err = nft_chain_validate(&ctx, chain);
+ if (err < 0)
+ return err;
++
++ cond_resched();
+ }
+
+ return 0;
+--
+2.39.2
+
diff --git a/tmp-4.19/netfilter-nf_tables-fix-nat-hook-table-deletion.patch b/tmp-4.19/netfilter-nf_tables-fix-nat-hook-table-deletion.patch
new file mode 100644
index 00000000000..a88acd35192
--- /dev/null
+++ b/tmp-4.19/netfilter-nf_tables-fix-nat-hook-table-deletion.patch
@@ -0,0 +1,104 @@
+From pablo@netfilter.org Wed Jul 5 18:55:22 2023
+From: Pablo Neira Ayuso
+Date: Wed, 5 Jul 2023 18:55:07 +0200
+Subject: netfilter: nf_tables: fix nat hook table deletion
+To: netfilter-devel@vger.kernel.org
+Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
+Message-ID: <20230705165516.50145-2-pablo@netfilter.org>
+
+From: Florian Westphal
+
+[ 1e9451cbda456a170518b2bfd643e2cb980880bf ]
+
+sybot came up with following transaction:
+ add table ip syz0
+ add chain ip syz0 syz2 { type nat hook prerouting priority 0; policy accept; }
+ add table ip syz0 { flags dormant; }
+ delete chain ip syz0 syz2
+ delete table ip syz0
+
+which yields:
+hook not found, pf 2 num 0
+WARNING: CPU: 0 PID: 6775 at net/netfilter/core.c:413 __nf_unregister_net_hook+0x3e6/0x4a0 net/netfilter/core.c:413
+[..]
+ nft_unregister_basechain_hooks net/netfilter/nf_tables_api.c:206 [inline]
+ nft_table_disable net/netfilter/nf_tables_api.c:835 [inline]
+ nf_tables_table_disable net/netfilter/nf_tables_api.c:868 [inline]
+ nf_tables_commit+0x32d3/0x4d70 net/netfilter/nf_tables_api.c:7550
+ nfnetlink_rcv_batch net/netfilter/nfnetlink.c:486 [inline]
+ nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:544 [inline]
+ nfnetlink_rcv+0x14a5/0x1e50 net/netfilter/nfnetlink.c:562
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+
+Problem is that when I added ability to override base hook registration
+to make nat basechains register with the nat core instead of netfilter
+core, I forgot to update nft_table_disable() to use that instead of
+the 'raw' hook register interface.
+
+In syzbot transaction, the basechain is of 'nat' type. Its registered
+with the nat core. The switch to 'dormant mode' attempts to delete from
+netfilter core instead.
+
+After updating nft_table_disable/enable to use the correct helper,
+nft_(un)register_basechain_hooks can be folded into the only remaining
+caller.
+
+Because nft_trans_table_enable() won't do anything when the DORMANT flag
+is set, remove the flag first, then re-add it in case re-enablement
+fails, else this patch breaks sequence:
+
+add table ip x { flags dormant; }
+/* add base chains */
+add table ip x
+
+The last 'add' will remove the dormant flags, but won't have any other
+effect -- base chains are not registered.
+Then, next 'set dormant flag' will create another 'hook not found'
+splat.
+
+Reported-by: syzbot+2570f2c036e3da5db176@syzkaller.appspotmail.com
+Fixes: 4e25ceb80b58 ("netfilter: nf_tables: allow chain type to override hook register")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit 1e9451cbda456a170518b2bfd643e2cb980880bf)
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -743,7 +743,7 @@ static void nft_table_disable(struct net
+ if (cnt && i++ == cnt)
+ break;
+
+- nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
++ nf_tables_unregister_hook(net, table, chain);
+ }
+ }
+
+@@ -758,7 +758,7 @@ static int nf_tables_table_enable(struct
+ if (!nft_is_base_chain(chain))
+ continue;
+
+- err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
++ err = nf_tables_register_hook(net, table, chain);
+ if (err < 0)
+ goto err;
+
+@@ -802,11 +802,12 @@ static int nf_tables_updtable(struct nft
+ nft_trans_table_enable(trans) = false;
+ } else if (!(flags & NFT_TABLE_F_DORMANT) &&
+ ctx->table->flags & NFT_TABLE_F_DORMANT) {
++ ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
+ ret = nf_tables_table_enable(ctx->net, ctx->table);
+- if (ret >= 0) {
+- ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
++ if (ret >= 0)
+ nft_trans_table_enable(trans) = true;
+- }
++ else
++ ctx->table->flags |= NFT_TABLE_F_DORMANT;
+ }
+ if (ret < 0)
+ goto err;
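Review bot: In nf_tables_updtable() the DORMANT bit is now cleared on `ctx->table->flags` before `nf_tables_table_enable()` runs and put back in the `else` branch, but no comment says why the live table flags are toggled around the call. The commit message gives the reason (enabling does nothing while the flag is set); a line such as `/* enabling is a no-op while DORMANT is set: clear it first, restore on failure */` above the new assignment would keep a later cleanup from reordering it. Whether the `err:` unwinding inside nf_tables_table_enable() also goes through nf_tables_unregister_hook() is not visible in these hunks and is worth checking, since mixing the raw and chain-type helpers is the defect being fixed. The function bodies start and end outside the hunks.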
diff --git a/tmp-4.19/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch b/tmp-4.19/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch
new file mode 100644
index 00000000000..c69f0b54718
--- /dev/null
+++ b/tmp-4.19/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch
@@ -0,0 +1,39 @@
+From stable-owner@vger.kernel.org Wed Jul 5 18:56:03 2023
+From: Pablo Neira Ayuso
+Date: Wed, 5 Jul 2023 18:55:16 +0200
+Subject: netfilter: nf_tables: fix scheduling-while-atomic splat
+To: netfilter-devel@vger.kernel.org
+Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
+Message-ID: <20230705165516.50145-11-pablo@netfilter.org>
+
+From: Florian Westphal
+
+[ 2024439bd5ceb145eeeb428b2a59e9b905153ac3 ]
+
+nf_tables_check_loops() can be called from rhashtable list
+walk so cond_resched() cannot be used here.
+
+Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7021,13 +7021,9 @@ static int nf_tables_check_loops(const s
+ break;
+ }
+ }
+-
+- cond_resched();
+ }
+
+ list_for_each_entry(set, &ctx->table->sets, list) {
+- cond_resched();
+-
+ if (!nft_is_active_next(ctx->net, set))
+ continue;
+ if (!(set->flags & NFT_SET_MAP) ||
diff --git a/tmp-4.19/netfilter-nf_tables-fix-spurious-set-element-inserti.patch b/tmp-4.19/netfilter-nf_tables-fix-spurious-set-element-inserti.patch
new file mode 100644
index 00000000000..868adf8b9e3
--- /dev/null
+++ b/tmp-4.19/netfilter-nf_tables-fix-spurious-set-element-inserti.patch
@@ -0,0 +1,49 @@
+From 976b926cc5c9ddd0dd5caf4c7b577052477d78eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jul 2023 00:29:58 +0200
+Subject: netfilter: nf_tables: fix spurious set element insertion failure
+
+From: Florian Westphal
+
+[ Upstream commit ddbd8be68941985f166f5107109a90ce13147c44 ]
+
+On some platforms there is a padding hole in the nft_verdict
+structure, between the verdict code and the chain pointer.
+
+On element insertion, if the new element clashes with an existing one and
+NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as
+the data associated with duplicated element is the same as the existing
+one. The data equality check uses memcmp.
+
+For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT
+padding area leads to spurious failure even if the verdict data is the
+same.
+
+This then makes the insertion fail with 'already exists' error, even
+though the new "key : data" matches an existing entry and userspace
+told the kernel that it doesn't want to receive an error indication.
+
+Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion")
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 16405e71a6780..f25b6337f150a 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7248,6 +7248,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+
+ if (!tb[NFTA_VERDICT_CODE])
+ return -EINVAL;
++
++ /* zero padding hole for memcmp */
++ memset(data, 0, sizeof(*data));
+ data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
+
+ switch (data->verdict.code) {
+--
+2.39.2
+
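Review bot: The added `memset(data, 0, sizeof(*data))` only covers verdict data that is built through nft_verdict_init(); the memcmp() it is meant to satisfy is outside this hunk, so any other code that fills an NFT_DATA_VERDICT `struct nft_data` before that comparison would still carry stale padding and should be checked. The comment `/* zero padding hole for memcmp */` could also say which comparison it protects, for example `/* zero the whole nft_data so the padding between verdict.code and the chain pointer compares equal in the duplicate-element memcmp() */`. The memset sits after the `!tb[NFTA_VERDICT_CODE]` check, so `data` is left untouched on that `-EINVAL` return. The function body continues outside the hunk.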
diff --git a/tmp-4.19/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch b/tmp-4.19/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch
new file mode 100644
index 00000000000..4e43421384f
--- /dev/null
+++ b/tmp-4.19/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch
@@ -0,0 +1,73 @@ +From stable-owner@vger.kernel.org Wed Jul 5 18:55:56 2023 +From: Pablo Neira Ayuso +Date: Wed, 5 Jul 2023 18:55:12 +0200 +Subject: netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE +To: netfilter-devel@vger.kernel.org +Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org +Message-ID: <20230705165516.50145-7-pablo@netfilter.org> + +From: Pablo Neira Ayuso + +[ 1240eb93f0616b21c675416516ff3d74798fdc97 ] + +In case of error when adding a new rule that refers to an anonymous set, +deactivate expressions via NFT_TRANS_PREPARE state, not NFT_TRANS_RELEASE. +Thus, the lookup expression marks anonymous sets as inactive in the next +generation to ensure it is not reachable in this transaction anymore and +decrement the set refcount as introduced by c1592a89942e ("netfilter: +nf_tables: deactivate anonymous set from preparation phase"). The abort +step takes care of undoing the anonymous set. + +This is also consistent with rule deletion, where NFT_TRANS_PREPARE is +used. Note that this error path is exercised in the preparation step of +the commit protocol. This patch replaces nf_tables_rule_release() by the +deactivate and destroy calls, this time with NFT_TRANS_PREPARE. + +Due to this incorrect error handling, it is possible to access a +dangling pointer to the anonymous set that remains in the transaction +list. + +[1009.379054] BUG: KASAN: use-after-free in nft_set_lookup_global+0x147/0x1a0 [nf_tables] +[1009.379106] Read of size 8 at addr ffff88816c4c8020 by task nft-rule-add/137110 +[1009.379116] CPU: 7 PID: 137110 Comm: nft-rule-add Not tainted 6.4.0-rc4+ #256 +[1009.379128] Call Trace: +[1009.379132] +[1009.379135] dump_stack_lvl+0x33/0x50 +[1009.379146] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables] +[1009.379191] print_address_description.constprop.0+0x27/0x300 +[1009.379201] kasan_report+0x107/0x120 +[1009.379210] ? 
nft_set_lookup_global+0x147/0x1a0 [nf_tables] +[1009.379255] nft_set_lookup_global+0x147/0x1a0 [nf_tables] +[1009.379302] nft_lookup_init+0xa5/0x270 [nf_tables] +[1009.379350] nf_tables_newrule+0x698/0xe50 [nf_tables] +[1009.379397] ? nf_tables_rule_release+0xe0/0xe0 [nf_tables] +[1009.379441] ? kasan_unpoison+0x23/0x50 +[1009.379450] nfnetlink_rcv_batch+0x97c/0xd90 [nfnetlink] +[1009.379470] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink] +[1009.379485] ? __alloc_skb+0xb8/0x1e0 +[1009.379493] ? __alloc_skb+0xb8/0x1e0 +[1009.379502] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 +[1009.379509] ? unwind_get_return_address+0x2a/0x40 +[1009.379517] ? write_profile+0xc0/0xc0 +[1009.379524] ? avc_lookup+0x8f/0xc0 +[1009.379532] ? __rcu_read_unlock+0x43/0x60 + +Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2784,7 +2784,8 @@ static int nf_tables_newrule(struct net + + return 0; + err2: +- nf_tables_rule_release(&ctx, rule); ++ nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE); ++ nf_tables_rule_destroy(&ctx, rule); + err1: + for (i = 0; i < n; i++) { + if (info[i].ops) { diff --git a/tmp-4.19/netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch b/tmp-4.19/netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch new file mode 100644 index 00000000000..bca9bf74f78 --- /dev/null +++ b/tmp-4.19/netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch 
@@ -0,0 +1,211 @@ +From caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Wed, 5 Jul 2023 18:05:35 -0300 +Subject: netfilter: nf_tables: prevent OOB access in nft_byteorder_eval + +From: Thadeu Lima de Souza Cascardo + +commit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd upstream. + +When evaluating byteorder expressions with size 2, a union with 32-bit and +16-bit members is used. Since the 16-bit members are aligned to 32-bit, +the array accesses will be out-of-bounds. + +It may lead to a stack-out-of-bounds access like the one below: + +[ 23.095215] ================================================================== +[ 23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320 +[ 23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115 +[ 23.096358] +[ 23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413 +[ 23.096770] Call Trace: +[ 23.096910] +[ 23.097030] dump_stack_lvl+0x60/0xc0 +[ 23.097218] print_report+0xcf/0x630 +[ 23.097388] ? nft_byteorder_eval+0x13c/0x320 +[ 23.097577] ? kasan_addr_to_slab+0xd/0xc0 +[ 23.097760] ? nft_byteorder_eval+0x13c/0x320 +[ 23.097949] kasan_report+0xc9/0x110 +[ 23.098106] ? nft_byteorder_eval+0x13c/0x320 +[ 23.098298] __asan_load2+0x83/0xd0 +[ 23.098453] nft_byteorder_eval+0x13c/0x320 +[ 23.098659] nft_do_chain+0x1c8/0xc50 +[ 23.098852] ? __pfx_nft_do_chain+0x10/0x10 +[ 23.099078] ? __kasan_check_read+0x11/0x20 +[ 23.099295] ? __pfx___lock_acquire+0x10/0x10 +[ 23.099535] ? __pfx___lock_acquire+0x10/0x10 +[ 23.099745] ? __kasan_check_read+0x11/0x20 +[ 23.099929] nft_do_chain_ipv4+0xfe/0x140 +[ 23.100105] ? __pfx_nft_do_chain_ipv4+0x10/0x10 +[ 23.100327] ? lock_release+0x204/0x400 +[ 23.100515] ? nf_hook.constprop.0+0x340/0x550 +[ 23.100779] nf_hook_slow+0x6c/0x100 +[ 23.100977] ? __pfx_nft_do_chain_ipv4+0x10/0x10 +[ 23.101223] nf_hook.constprop.0+0x334/0x550 +[ 23.101443] ? __pfx_ip_local_deliver_finish+0x10/0x10 +[ 23.101677] ? 
__pfx_nf_hook.constprop.0+0x10/0x10 +[ 23.101882] ? __pfx_ip_rcv_finish+0x10/0x10 +[ 23.102071] ? __pfx_ip_local_deliver_finish+0x10/0x10 +[ 23.102291] ? rcu_read_lock_held+0x4b/0x70 +[ 23.102481] ip_local_deliver+0xbb/0x110 +[ 23.102665] ? __pfx_ip_rcv+0x10/0x10 +[ 23.102839] ip_rcv+0x199/0x2a0 +[ 23.102980] ? __pfx_ip_rcv+0x10/0x10 +[ 23.103140] __netif_receive_skb_one_core+0x13e/0x150 +[ 23.103362] ? __pfx___netif_receive_skb_one_core+0x10/0x10 +[ 23.103647] ? mark_held_locks+0x48/0xa0 +[ 23.103819] ? process_backlog+0x36c/0x380 +[ 23.103999] __netif_receive_skb+0x23/0xc0 +[ 23.104179] process_backlog+0x91/0x380 +[ 23.104350] __napi_poll.constprop.0+0x66/0x360 +[ 23.104589] ? net_rx_action+0x1cb/0x610 +[ 23.104811] net_rx_action+0x33e/0x610 +[ 23.105024] ? _raw_spin_unlock+0x23/0x50 +[ 23.105257] ? __pfx_net_rx_action+0x10/0x10 +[ 23.105485] ? mark_held_locks+0x48/0xa0 +[ 23.105741] __do_softirq+0xfa/0x5ab +[ 23.105956] ? __dev_queue_xmit+0x765/0x1c00 +[ 23.106193] do_softirq.part.0+0x49/0xc0 +[ 23.106423] +[ 23.106547] +[ 23.106670] __local_bh_enable_ip+0xf5/0x120 +[ 23.106903] __dev_queue_xmit+0x789/0x1c00 +[ 23.107131] ? __pfx___dev_queue_xmit+0x10/0x10 +[ 23.107381] ? find_held_lock+0x8e/0xb0 +[ 23.107585] ? lock_release+0x204/0x400 +[ 23.107798] ? neigh_resolve_output+0x185/0x350 +[ 23.108049] ? mark_held_locks+0x48/0xa0 +[ 23.108265] ? neigh_resolve_output+0x185/0x350 +[ 23.108514] neigh_resolve_output+0x246/0x350 +[ 23.108753] ? neigh_resolve_output+0x246/0x350 +[ 23.109003] ip_finish_output2+0x3c3/0x10b0 +[ 23.109250] ? __pfx_ip_finish_output2+0x10/0x10 +[ 23.109510] ? __pfx_nf_hook+0x10/0x10 +[ 23.109732] __ip_finish_output+0x217/0x390 +[ 23.109978] ip_finish_output+0x2f/0x130 +[ 23.110207] ip_output+0xc9/0x170 +[ 23.110404] ip_push_pending_frames+0x1a0/0x240 +[ 23.110652] raw_sendmsg+0x102e/0x19e0 +[ 23.110871] ? __pfx_raw_sendmsg+0x10/0x10 +[ 23.111093] ? lock_release+0x204/0x400 +[ 23.111304] ? __mod_lruvec_page_state+0x148/0x330 +[ 23.111567] ? 
find_held_lock+0x8e/0xb0 +[ 23.111777] ? find_held_lock+0x8e/0xb0 +[ 23.111993] ? __rcu_read_unlock+0x7c/0x2f0 +[ 23.112225] ? aa_sk_perm+0x18a/0x550 +[ 23.112431] ? filemap_map_pages+0x4f1/0x900 +[ 23.112665] ? __pfx_aa_sk_perm+0x10/0x10 +[ 23.112880] ? find_held_lock+0x8e/0xb0 +[ 23.113098] inet_sendmsg+0xa0/0xb0 +[ 23.113297] ? inet_sendmsg+0xa0/0xb0 +[ 23.113500] ? __pfx_inet_sendmsg+0x10/0x10 +[ 23.113727] sock_sendmsg+0xf4/0x100 +[ 23.113924] ? move_addr_to_kernel.part.0+0x4f/0xa0 +[ 23.114190] __sys_sendto+0x1d4/0x290 +[ 23.114391] ? __pfx___sys_sendto+0x10/0x10 +[ 23.114621] ? __pfx_mark_lock.part.0+0x10/0x10 +[ 23.114869] ? lock_release+0x204/0x400 +[ 23.115076] ? find_held_lock+0x8e/0xb0 +[ 23.115287] ? rcu_is_watching+0x23/0x60 +[ 23.115503] ? __rseq_handle_notify_resume+0x6e2/0x860 +[ 23.115778] ? __kasan_check_write+0x14/0x30 +[ 23.116008] ? blkcg_maybe_throttle_current+0x8d/0x770 +[ 23.116285] ? mark_held_locks+0x28/0xa0 +[ 23.116503] ? do_syscall_64+0x37/0x90 +[ 23.116713] __x64_sys_sendto+0x7f/0xb0 +[ 23.116924] do_syscall_64+0x59/0x90 +[ 23.117123] ? irqentry_exit_to_user_mode+0x25/0x30 +[ 23.117387] ? irqentry_exit+0x77/0xb0 +[ 23.117593] ? 
exc_page_fault+0x92/0x140 +[ 23.117806] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 23.118081] RIP: 0033:0x7f744aee2bba +[ 23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +[ 23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +[ 23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba +[ 23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003 +[ 23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010 +[ 23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 +[ 23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0 +[ 23.121617] +[ 23.121749] +[ 23.121845] The buggy address belongs to the virtual mapping at +[ 23.121845] [ffffc90000000000, ffffc90000009000) created by: +[ 23.121845] irq_init_percpu_irqstack+0x1cf/0x270 +[ 23.122707] +[ 23.122803] The buggy address belongs to the physical page: +[ 23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09 +[ 23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff) +[ 23.123998] page_type: 0xffffffff() +[ 23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000 +[ 23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 +[ 23.125023] page dumped because: kasan: bad access detected +[ 23.125326] +[ 23.125421] Memory state around the buggy address: +[ 23.125682] ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 23.126072] ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 +[ 23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 +[ 23.126840] ^ +[ 23.127138] ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 +[ 23.127522] ffffc90000007a00: 
f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 +[ 23.127906] ================================================================== +[ 23.128324] Disabling lock debugging due to kernel taint + +Using simple s16 pointers for the 16-bit accesses fixes the problem. For +the 32-bit accesses, src and dst can be used directly. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Cc: stable@vger.kernel.org +Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_byteorder.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/net/netfilter/nft_byteorder.c ++++ b/net/netfilter/nft_byteorder.c +@@ -33,11 +33,11 @@ static void nft_byteorder_eval(const str + const struct nft_byteorder *priv = nft_expr_priv(expr); + u32 *src = ®s->data[priv->sreg]; + u32 *dst = ®s->data[priv->dreg]; +- union { u32 u32; u16 u16; } *s, *d; ++ u16 *s16, *d16; + unsigned int i; + +- s = (void *)src; +- d = (void *)dst; ++ s16 = (void *)src; ++ d16 = (void *)dst; + + switch (priv->size) { + case 8: { +@@ -63,11 +63,11 @@ static void nft_byteorder_eval(const str + switch (priv->op) { + case NFT_BYTEORDER_NTOH: + for (i = 0; i < priv->len / 4; i++) +- d[i].u32 = ntohl((__force __be32)s[i].u32); ++ dst[i] = ntohl((__force __be32)src[i]); + break; + case NFT_BYTEORDER_HTON: + for (i = 0; i < priv->len / 4; i++) +- d[i].u32 = (__force __u32)htonl(s[i].u32); ++ dst[i] = (__force __u32)htonl(src[i]); + break; + } + break; +@@ -75,11 +75,11 @@ static void nft_byteorder_eval(const str + switch (priv->op) { + case NFT_BYTEORDER_NTOH: + for (i = 0; i < priv->len / 2; i++) +- d[i].u16 = ntohs((__force __be16)s[i].u16); ++ d16[i] = ntohs((__force __be16)s16[i]); + break; + case NFT_BYTEORDER_HTON: + for (i = 0; i < priv->len / 2; i++) +- d[i].u16 = (__force __u16)htons(s[i].u16); ++ d16[i] = (__force 
__u16)htons(s16[i]); + break; + } + break; diff --git a/tmp-4.19/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch b/tmp-4.19/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch new file mode 100644 index 00000000000..19d00b12cd4 --- /dev/null +++ b/tmp-4.19/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch 
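Review bot: With `s16`/`d16` declared as plain `u16 *`, element `i` in the size-2 loops now sits at byte offset `2 * i` from the register base, where the old union put it at `4 * i`; the out-of-bounds access is gone, but for `priv->len > 2` the 16-bit values are now read and written packed rather than one per 32-bit register. Whether the expressions that fill `sreg` and consume `dreg` use that packed layout is not visible in these hunks and should be confirmed before the backport is taken. The loops also still trust `priv->len` and `priv->size`, whose validation lies outside the hunks. A short comment at the declaration, e.g. `/* 16-bit values are packed in the register space, not one per u32 */`, would record the intended layout. nft_byteorder_eval() starts and ends outside the hunks.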
@@ -0,0 +1,137 @@ +From stable-owner@vger.kernel.org Wed Jul 5 18:55:57 2023 +From: Pablo Neira Ayuso +Date: Wed, 5 Jul 2023 18:55:14 +0200 +Subject: netfilter: nf_tables: reject unbound anonymous set before commit phase +To: netfilter-devel@vger.kernel.org +Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org +Message-ID: <20230705165516.50145-9-pablo@netfilter.org> + +From: Pablo Neira Ayuso + +[ 938154b93be8cd611ddfd7bafc1849f3c4355201 ] + +Add a new list to track set transaction and to check for unbound +anonymous sets before entering the commit phase. + +Bail out at the end of the transaction handling if an anonymous set +remains unbound. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + include/net/netfilter/nf_tables.h | 3 +++ + net/netfilter/nf_tables_api.c | 33 ++++++++++++++++++++++++++++++--- + 2 files changed, 33 insertions(+), 3 deletions(-) + +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -1320,12 +1320,14 @@ static inline void nft_set_elem_clear_bu + * struct nft_trans - nf_tables object update in transaction + * + * @list: used internally ++ * @binding_list: list of objects with possible bindings + * @msg_type: message type + * @ctx: transaction context + * @data: internal information related to the transaction + */ + struct nft_trans { + struct list_head list; ++ struct list_head binding_list; + int msg_type; + struct nft_ctx ctx; + char data[0]; +@@ -1413,6 +1415,7 @@ void nft_chain_filter_fini(void); + struct nftables_pernet { + struct list_head tables; + struct list_head commit_list; ++ struct list_head binding_list; + struct list_head module_list; + struct list_head notify_list; + struct mutex commit_mutex; +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -102,6 +102,7 @@ static struct nft_trans *nft_trans_alloc + return NULL; + + INIT_LIST_HEAD(&trans->list); ++ 
INIT_LIST_HEAD(&trans->binding_list); + trans->msg_type = msg_type; + trans->ctx = *ctx; + +@@ -114,9 +115,15 @@ static struct nft_trans *nft_trans_alloc + return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); + } + +-static void nft_trans_destroy(struct nft_trans *trans) ++static void nft_trans_list_del(struct nft_trans *trans) + { + list_del(&trans->list); ++ list_del(&trans->binding_list); ++} ++ ++static void nft_trans_destroy(struct nft_trans *trans) ++{ ++ nft_trans_list_del(trans); + kfree(trans); + } + +@@ -160,6 +167,13 @@ static void nft_trans_commit_list_add_ta + struct nftables_pernet *nft_net; + + nft_net = net_generic(net, nf_tables_net_id); ++ switch (trans->msg_type) { ++ case NFT_MSG_NEWSET: ++ if (nft_set_is_anonymous(nft_trans_set(trans))) ++ list_add_tail(&trans->binding_list, &nft_net->binding_list); ++ break; ++ } ++ + list_add_tail(&trans->list, &nft_net->commit_list); + } + +@@ -6403,7 +6417,7 @@ static void nf_tables_commit_release(str + synchronize_rcu(); + + list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { +- list_del(&trans->list); ++ nft_trans_list_del(trans); + nft_commit_release(trans); + } + } +@@ -6542,6 +6556,18 @@ static int nf_tables_commit(struct net * + struct nft_chain *chain; + struct nft_table *table; + ++ list_for_each_entry(trans, &nft_net->binding_list, binding_list) { ++ switch (trans->msg_type) { ++ case NFT_MSG_NEWSET: ++ if (nft_set_is_anonymous(nft_trans_set(trans)) && ++ !nft_trans_set_bound(trans)) { ++ pr_warn_once("nftables ruleset with unbound set\n"); ++ return -EINVAL; ++ } ++ break; ++ } ++ } ++ + /* 0. Validate ruleset, otherwise roll back for error reporting. 
*/ + if (nf_tables_validate(net) < 0) + return -EAGAIN; +@@ -6847,7 +6873,7 @@ static int __nf_tables_abort(struct net + + list_for_each_entry_safe_reverse(trans, next, + &nft_net->commit_list, list) { +- list_del(&trans->list); ++ nft_trans_list_del(trans); + nf_tables_abort_release(trans); + } + +@@ -7497,6 +7523,7 @@ static int __net_init nf_tables_init_net + + INIT_LIST_HEAD(&nft_net->tables); + INIT_LIST_HEAD(&nft_net->commit_list); ++ INIT_LIST_HEAD(&nft_net->binding_list); + mutex_init(&nft_net->commit_mutex); + nft_net->base_seq = 1; + nft_net->validate_state = NFT_VALIDATE_SKIP; diff --git a/tmp-4.19/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch b/tmp-4.19/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch new file mode 100644 index 00000000000..874be6923b5 --- /dev/null +++ b/tmp-4.19/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch 
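Review bot: The new loop in nf_tables_commit() returns `-EINVAL` before any other commit step, while the existing validation failure just below it returns `-EAGAIN`; whether the caller runs the abort path for `-EINVAL` too, so that transactions still linked on `commit_list` and `binding_list` are released, is not visible in this hunk and should be confirmed. nft_trans_list_del() also calls `list_del(&trans->binding_list)` for every transaction, which is safe only because the allocator in the first nf_tables_api.c hunk now runs `INIT_LIST_HEAD(&trans->binding_list)`; a transaction set up any other way would need the same initialisation. A comment on the loop such as `/* an anonymous set that no rule bound in this batch must not be committed */` would state the invariant being enforced. The function bodies extend outside the hunks.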
@@ -0,0 +1,33 @@
+From stable-owner@vger.kernel.org Wed Jul 5 18:56:29 2023
+From: Pablo Neira Ayuso
+Date: Wed, 5 Jul 2023 18:55:15 +0200
+Subject: netfilter: nf_tables: unbind non-anonymous set if rule construction fails
+To: netfilter-devel@vger.kernel.org
+Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
+Message-ID: <20230705165516.50145-10-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso
+
+[ 3e70489721b6c870252c9082c496703677240f53 ]
+
+Otherwise a dangling reference to a rule object that is gone remains
+in the set binding list.
+
+Fixes: 26b5a5712eb8 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3838,6 +3838,8 @@ void nf_tables_deactivate_set(const stru
+ nft_set_trans_unbind(ctx, set);
+ if (nft_set_is_anonymous(set))
+ nft_deactivate_next(ctx->net, set);
++ else
++ list_del_rcu(&binding->list);
+
+ set->use--;
+ break;
diff --git a/tmp-4.19/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch b/tmp-4.19/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch
new file mode 100644
index 00000000000..2938e7b9ca9
--- /dev/null
+++ b/tmp-4.19/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch
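Review bot: The new `else` branch in nf_tables_deactivate_set() (net/netfilter/nf_tables_api.c) has no comment, so the reason a named set is handled differently from an anonymous one is recorded only in the commit message. A line above `list_del_rcu(&binding->list);` such as `/* named set outlives the failed rule: unlink the binding so the set's list holds no pointer into the freed rule */` would keep that reasoning with the code. The `case` label this branch sits under and the rest of the function are outside the hunk, so it is worth confirming that no other path for the same phase unlinks the same binding a second time.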
@@ -0,0 +1,1032 @@ +From stable-owner@vger.kernel.org Wed Jul 5 18:56:03 2023 +From: Pablo Neira Ayuso +Date: Wed, 5 Jul 2023 18:55:11 +0200 +Subject: netfilter: nf_tables: use net_generic infra for transaction data +To: netfilter-devel@vger.kernel.org +Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org +Message-ID: <20230705165516.50145-6-pablo@netfilter.org> + +From: Pablo Neira Ayuso + +[ 0854db2aaef3fcdd3498a9d299c60adea2aa3dc6 ] + +This moves all nf_tables pernet data from struct net to a net_generic +extension, with the exception of the gencursor. + +The latter is used in the data path and also outside of the nf_tables +core. All others are only used from the configuration plane. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + include/net/netfilter/nf_tables.h | 10 + + include/net/netns/nftables.h | 5 + net/netfilter/nf_tables_api.c | 303 +++++++++++++++++++++++--------------- + net/netfilter/nft_chain_filter.c | 11 + + net/netfilter/nft_dynset.c | 6 + 5 files changed, 210 insertions(+), 125 deletions(-) + +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -1409,4 +1409,14 @@ struct nft_trans_flowtable { + int __init nft_chain_filter_init(void); + void nft_chain_filter_fini(void); + ++struct nftables_pernet { ++ struct list_head tables; ++ struct list_head commit_list; ++ struct list_head module_list; ++ struct list_head notify_list; ++ struct mutex commit_mutex; ++ unsigned int base_seq; ++ u8 validate_state; ++}; ++ + #endif /* _NET_NF_TABLES_H */ +--- a/include/net/netns/nftables.h ++++ b/include/net/netns/nftables.h +@@ -5,12 +5,7 @@ + #include + + struct netns_nftables { +- struct list_head tables; +- struct list_head commit_list; +- struct mutex commit_mutex; +- unsigned int base_seq; + u8 gencursor; +- u8 validate_state; + }; + + #endif +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -22,10 +22,13 @@ + 
#include + #include + #include ++#include + #include + + #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) + ++unsigned int nf_tables_net_id __read_mostly; ++ + static LIST_HEAD(nf_tables_expressions); + static LIST_HEAD(nf_tables_objects); + static LIST_HEAD(nf_tables_flowtables); +@@ -53,7 +56,9 @@ static const struct rhashtable_params nf + + static void nft_validate_state_update(struct net *net, u8 new_validate_state) + { +- switch (net->nft.validate_state) { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ ++ switch (nft_net->validate_state) { + case NFT_VALIDATE_SKIP: + WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); + break; +@@ -64,7 +69,7 @@ static void nft_validate_state_update(st + return; + } + +- net->nft.validate_state = new_validate_state; ++ nft_net->validate_state = new_validate_state; + } + + static void nft_ctx_init(struct nft_ctx *ctx, +@@ -117,13 +122,15 @@ static void nft_trans_destroy(struct nft + + static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) + { ++ struct nftables_pernet *nft_net; + struct net *net = ctx->net; + struct nft_trans *trans; + + if (!nft_set_is_anonymous(set)) + return; + +- list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { + switch (trans->msg_type) { + case NFT_MSG_NEWSET: + if (nft_trans_set(trans) == set) +@@ -137,6 +144,14 @@ static void nft_set_trans_bind(const str + } + } + ++static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) ++{ ++ struct nftables_pernet *nft_net; ++ ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_add_tail(&trans->list, &nft_net->commit_list); ++} ++ + static int nf_tables_register_hook(struct net *net, + const struct nft_table *table, + struct nft_chain *chain) +@@ -187,7 +202,7 @@ static int nft_trans_table_add(struct nf + if (msg_type 
== NFT_MSG_NEWTABLE) + nft_activate_next(ctx->net, ctx->table); + +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + return 0; + } + +@@ -214,7 +229,7 @@ static int nft_trans_chain_add(struct nf + if (msg_type == NFT_MSG_NEWCHAIN) + nft_activate_next(ctx->net, ctx->chain); + +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + return 0; + } + +@@ -287,7 +302,7 @@ static struct nft_trans *nft_trans_rule_ + ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); + } + nft_trans_rule(trans) = rule; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return trans; + } +@@ -342,7 +357,7 @@ static int nft_trans_set_add(const struc + nft_activate_next(ctx->net, set); + } + nft_trans_set(trans) = set; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + } +@@ -374,7 +389,7 @@ static int nft_trans_obj_add(struct nft_ + nft_activate_next(ctx->net, obj); + + nft_trans_obj(trans) = obj; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + } +@@ -407,7 +422,7 @@ static int nft_trans_flowtable_add(struc + nft_activate_next(ctx->net, flowtable); + + nft_trans_flowtable(trans) = flowtable; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + } +@@ -435,12 +450,14 @@ static struct nft_table *nft_table_looku + const struct nlattr *nla, + u8 family, u8 genmask) + { ++ struct nftables_pernet *nft_net; + struct nft_table *table; + + if (nla == NULL) + return ERR_PTR(-EINVAL); + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (!nla_strcmp(nla, table->name) && + 
table->family == family && + nft_active_genmask(table, genmask)) +@@ -454,9 +471,11 @@ static struct nft_table *nft_table_looku + const struct nlattr *nla, + u8 genmask) + { ++ struct nftables_pernet *nft_net; + struct nft_table *table; + +- list_for_each_entry(table, &net->nft.tables, list) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_for_each_entry(table, &nft_net->tables, list) { + if (be64_to_cpu(nla_get_be64(nla)) == table->handle && + nft_active_genmask(table, genmask)) + return table; +@@ -509,11 +528,13 @@ __nf_tables_chain_type_lookup(const stru + static void nft_request_module(struct net *net, const char *fmt, ...) + { + char module_name[MODULE_NAME_LEN]; ++ struct nftables_pernet *nft_net; + LIST_HEAD(commit_list); + va_list args; + int ret; + +- list_splice_init(&net->nft.commit_list, &commit_list); ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_splice_init(&nft_net->commit_list, &commit_list); + + va_start(args, fmt); + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); +@@ -521,12 +542,12 @@ static void nft_request_module(struct ne + if (ret >= MODULE_NAME_LEN) + return; + +- mutex_unlock(&net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + request_module("%s", module_name); +- mutex_lock(&net->nft.commit_mutex); ++ mutex_lock(&nft_net->commit_mutex); + +- WARN_ON_ONCE(!list_empty(&net->nft.commit_list)); +- list_splice(&commit_list, &net->nft.commit_list); ++ WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); ++ list_splice(&commit_list, &nft_net->commit_list); + } + #endif + +@@ -563,7 +584,9 @@ nf_tables_chain_type_lookup(struct net * + + static __be16 nft_base_seq(const struct net *net) + { +- return htons(net->nft.base_seq & 0xffff); ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ ++ return htons(nft_net->base_seq & 0xffff); + } + + static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { +@@ -631,15 +654,17 @@ static int nf_tables_dump_tables(struct + struct 
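Review bot: In nft_request_module() the early `return` on `ret >= MODULE_NAME_LEN` comes after `list_splice_init(&nft_net->commit_list, &commit_list);`, so on that path the pending transactions stay linked to the on-stack `commit_list` head and are never spliced back (one line between the two hunks is not shown, presumably the `va_end()`; the point assumes it does not restore the list). The conversion to `nft_net` keeps that ordering unchanged. Doing the length check first, `if (ret >= MODULE_NAME_LEN) return;`, and only then `list_splice_init(&nft_net->commit_list, &commit_list);` leaves the per-netns list intact when the name is too long. NFT_MODULE_AUTOLOAD_LIMIT presumably keeps callers from reaching this, but the function should not rely on that.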
netlink_callback *cb) + { + const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); ++ struct nftables_pernet *nft_net; + const struct nft_table *table; + unsigned int idx = 0, s_idx = cb->args[0]; + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (family != NFPROTO_UNSPEC && family != table->family) + continue; + +@@ -813,7 +838,7 @@ static int nf_tables_updtable(struct nft + goto err; + + nft_trans_table_update(trans) = true; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + return 0; + err: + nft_trans_destroy(trans); +@@ -848,6 +873,7 @@ static int nf_tables_newtable(struct net + const struct nlattr * const nla[], + struct netlink_ext_ack *extack) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + const struct nfgenmsg *nfmsg = nlmsg_data(nlh); + u8 genmask = nft_genmask_next(net); + int family = nfmsg->nfgen_family; +@@ -857,7 +883,7 @@ static int nf_tables_newtable(struct net + struct nft_ctx ctx; + int err; + +- lockdep_assert_held(&net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + attr = nla[NFTA_TABLE_NAME]; + table = nft_table_lookup(net, attr, family, genmask); + if (IS_ERR(table)) { +@@ -907,7 +933,7 @@ static int nf_tables_newtable(struct net + if (err < 0) + goto err_trans; + +- list_add_tail_rcu(&table->list, &net->nft.tables); ++ list_add_tail_rcu(&table->list, &nft_net->tables); + return 0; + err_trans: + rhltable_destroy(&table->chains_ht); +@@ -987,11 +1013,12 @@ out: + + static int nft_flush(struct nft_ctx *ctx, int family) + { ++ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); + struct nft_table *table, *nt; + const struct 
nlattr * const *nla = ctx->nla; + int err = 0; + +- list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) { ++ list_for_each_entry_safe(table, nt, &nft_net->tables, list) { + if (family != AF_UNSPEC && table->family != family) + continue; + +@@ -1105,7 +1132,9 @@ nft_chain_lookup_byhandle(const struct n + static bool lockdep_commit_lock_is_held(struct net *net) + { + #ifdef CONFIG_PROVE_LOCKING +- return lockdep_is_held(&net->nft.commit_mutex); ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ ++ return lockdep_is_held(&nft_net->commit_mutex); + #else + return true; + #endif +@@ -1302,11 +1331,13 @@ static int nf_tables_dump_chains(struct + unsigned int idx = 0, s_idx = cb->args[0]; + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; ++ struct nftables_pernet *nft_net; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (family != NFPROTO_UNSPEC && family != table->family) + continue; + +@@ -1499,12 +1530,13 @@ static int nft_chain_parse_hook(struct n + struct nft_chain_hook *hook, u8 family, + bool autoload) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nlattr *ha[NFTA_HOOK_MAX + 1]; + const struct nft_chain_type *type; + struct net_device *dev; + int err; + +- lockdep_assert_held(&net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + lockdep_nfnl_nft_mutex_not_held(); + + err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK], +@@ -1773,6 +1805,7 @@ static int nf_tables_updchain(struct nft + + if (nla[NFTA_CHAIN_HANDLE] && + nla[NFTA_CHAIN_NAME]) { ++ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); + struct nft_trans *tmp; + char *name; + +@@ -1782,7 +1815,7 @@ static int nf_tables_updchain(struct nft + 
goto err; + + err = -EEXIST; +- list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) { ++ list_for_each_entry(tmp, &nft_net->commit_list, list) { + if (tmp->msg_type == NFT_MSG_NEWCHAIN && + tmp->ctx.table == table && + nft_trans_chain_update(tmp) && +@@ -1795,7 +1828,7 @@ static int nf_tables_updchain(struct nft + + nft_trans_chain_name(trans) = name; + } +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + err: +@@ -1809,6 +1842,7 @@ static int nf_tables_newchain(struct net + const struct nlattr * const nla[], + struct netlink_ext_ack *extack) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + const struct nfgenmsg *nfmsg = nlmsg_data(nlh); + u8 genmask = nft_genmask_next(net); + int family = nfmsg->nfgen_family; +@@ -1819,7 +1853,7 @@ static int nf_tables_newchain(struct net + struct nft_ctx ctx; + u64 handle = 0; + +- lockdep_assert_held(&net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + + table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); + if (IS_ERR(table)) { +@@ -2342,11 +2376,13 @@ static int nf_tables_dump_rules(struct s + unsigned int idx = 0, s_idx = cb->args[0]; + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; ++ struct nftables_pernet *nft_net; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (family != NFPROTO_UNSPEC && family != table->family) + continue; + +@@ -2499,7 +2535,6 @@ static void nf_tables_rule_destroy(const + { + struct nft_expr *expr, *next; + +- lockdep_assert_held(&ctx->net->nft.commit_mutex); + /* + * Careful: some expressions might not be initialized in case this + * is called on error from nf_tables_newrule(). 
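Review bot: nf_tables_rule_destroy() loses its `lockdep_assert_held(&ctx->net->nft.commit_mutex);` outright, while the assertions in nf_tables_newtable(), nft_chain_parse_hook(), nf_tables_newchain(), nf_tables_newrule(), nft_select_set_ops() and nft_dynset_init() are all converted to `&nft_net->commit_mutex`. The commit message describes a pure data move and does not mention dropping a locking check. Either keep it as `lockdep_assert_held(&nft_net->commit_mutex);` with `nft_net` taken from `net_generic(ctx->net, nf_tables_net_id)`, or add a comment naming the caller that reaches this function without the mutex. The function body continues past the end of the hunk.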
+@@ -2579,6 +2614,7 @@ static int nf_tables_newrule(struct net + const struct nlattr * const nla[], + struct netlink_ext_ack *extack) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + const struct nfgenmsg *nfmsg = nlmsg_data(nlh); + u8 genmask = nft_genmask_next(net); + struct nft_expr_info *info = NULL; +@@ -2595,7 +2631,7 @@ static int nf_tables_newrule(struct net + int err, rem; + u64 handle, pos_handle; + +- lockdep_assert_held(&net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + + table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); + if (IS_ERR(table)) { +@@ -2743,7 +2779,7 @@ static int nf_tables_newrule(struct net + kvfree(info); + chain->use++; + +- if (net->nft.validate_state == NFT_VALIDATE_DO) ++ if (nft_net->validate_state == NFT_VALIDATE_DO) + return nft_table_validate(net, table); + + return 0; +@@ -2765,10 +2801,11 @@ static struct nft_rule *nft_rule_lookup_ + const struct nft_chain *chain, + const struct nlattr *nla) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + u32 id = ntohl(nla_get_be32(nla)); + struct nft_trans *trans; + +- list_for_each_entry(trans, &net->nft.commit_list, list) { ++ list_for_each_entry(trans, &nft_net->commit_list, list) { + struct nft_rule *rule = nft_trans_rule(trans); + + if (trans->msg_type == NFT_MSG_NEWRULE && +@@ -2887,12 +2924,13 @@ nft_select_set_ops(const struct nft_ctx + const struct nft_set_desc *desc, + enum nft_set_policies policy) + { ++ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); + const struct nft_set_ops *ops, *bops; + struct nft_set_estimate est, best; + const struct nft_set_type *type; + u32 flags = 0; + +- lockdep_assert_held(&ctx->net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + lockdep_nfnl_nft_mutex_not_held(); + #ifdef CONFIG_MODULES + if (list_empty(&nf_tables_set_types)) { +@@ -3038,10 +3076,11 @@ static struct nft_set *nft_set_lookup_by + const 
struct nft_table *table, + const struct nlattr *nla, u8 genmask) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_trans *trans; + u32 id = ntohl(nla_get_be32(nla)); + +- list_for_each_entry(trans, &net->nft.commit_list, list) { ++ list_for_each_entry(trans, &nft_net->commit_list, list) { + if (trans->msg_type == NFT_MSG_NEWSET) { + struct nft_set *set = nft_trans_set(trans); + +@@ -3257,14 +3296,16 @@ static int nf_tables_dump_sets(struct sk + struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; + struct net *net = sock_net(skb->sk); + struct nft_ctx *ctx = cb->data, ctx_set; ++ struct nftables_pernet *nft_net; + + if (cb->args[1]) + return skb->len; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (ctx->family != NFPROTO_UNSPEC && + ctx->family != table->family) + continue; +@@ -3971,6 +4012,7 @@ static int nf_tables_dump_set(struct sk_ + { + struct nft_set_dump_ctx *dump_ctx = cb->data; + struct net *net = sock_net(skb->sk); ++ struct nftables_pernet *nft_net; + struct nft_table *table; + struct nft_set *set; + struct nft_set_dump_args args; +@@ -3981,7 +4023,8 @@ static int nf_tables_dump_set(struct sk_ + int event; + + rcu_read_lock(); +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (dump_ctx->ctx.family != NFPROTO_UNSPEC && + dump_ctx->ctx.family != table->family) + continue; +@@ -4571,7 +4614,7 @@ static int nft_add_set_elem(struct nft_c + } + + nft_trans_elem(trans) = elem; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + return 0; + + err6: +@@ -4596,6 +4639,7 @@ static int nf_tables_newsetelem(struct n 
+ const struct nlattr * const nla[], + struct netlink_ext_ack *extack) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + u8 genmask = nft_genmask_next(net); + const struct nlattr *attr; + struct nft_set *set; +@@ -4625,7 +4669,7 @@ static int nf_tables_newsetelem(struct n + return err; + } + +- if (net->nft.validate_state == NFT_VALIDATE_DO) ++ if (nft_net->validate_state == NFT_VALIDATE_DO) + return nft_table_validate(net, ctx.table); + + return 0; +@@ -4738,7 +4782,7 @@ static int nft_del_setelem(struct nft_ct + nft_set_elem_deactivate(ctx->net, set, &elem); + + nft_trans_elem(trans) = elem; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + return 0; + + fail_ops: +@@ -4772,7 +4816,7 @@ static int nft_flush_set(const struct nf + nft_set_elem_deactivate(ctx->net, set, elem); + nft_trans_elem_set(trans) = set; + nft_trans_elem(trans) = *elem; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + err1: +@@ -5151,6 +5195,7 @@ static int nf_tables_dump_obj(struct sk_ + struct nft_obj_filter *filter = cb->data; + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; ++ struct nftables_pernet *nft_net; + struct nft_object *obj; + bool reset = false; + +@@ -5158,9 +5203,10 @@ static int nf_tables_dump_obj(struct sk_ + reset = true; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (family != NFPROTO_UNSPEC && family != table->family) + continue; + +@@ -5826,12 +5872,14 @@ static int nf_tables_dump_flowtable(stru + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; + struct nft_flowtable *flowtable; ++ struct nftables_pernet *nft_net; + const struct nft_table 
*table; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (family != NFPROTO_UNSPEC && family != table->family) + continue; + +@@ -6001,6 +6049,7 @@ static void nf_tables_flowtable_destroy( + static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, + u32 portid, u32 seq) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nlmsghdr *nlh; + char buf[TASK_COMM_LEN]; + int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); +@@ -6010,7 +6059,7 @@ static int nf_tables_fill_gen_info(struc + if (!nlh) + goto nla_put_failure; + +- if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) || ++ if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) || + nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || + nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) + goto nla_put_failure; +@@ -6043,6 +6092,7 @@ static int nf_tables_flowtable_event(str + { + struct net_device *dev = netdev_notifier_info_to_dev(ptr); + struct nft_flowtable *flowtable; ++ struct nftables_pernet *nft_net; + struct nft_table *table; + struct net *net; + +@@ -6050,13 +6100,14 @@ static int nf_tables_flowtable_event(str + return 0; + + net = dev_net(dev); +- mutex_lock(&net->nft.commit_mutex); +- list_for_each_entry(table, &net->nft.tables, list) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ mutex_lock(&nft_net->commit_mutex); ++ list_for_each_entry(table, &nft_net->tables, list) { + list_for_each_entry(flowtable, &table->flowtables, list) { + nft_flowtable_event(event, dev, flowtable); + } + } +- mutex_unlock(&net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + + return NOTIFY_DONE; + } +@@ -6237,16 +6288,17 @@ static const struct nfnl_callback nf_tab + + static int 
nf_tables_validate(struct net *net) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_table *table; + +- switch (net->nft.validate_state) { ++ switch (nft_net->validate_state) { + case NFT_VALIDATE_SKIP: + break; + case NFT_VALIDATE_NEED: + nft_validate_state_update(net, NFT_VALIDATE_DO); + /* fall through */ + case NFT_VALIDATE_DO: +- list_for_each_entry(table, &net->nft.tables, list) { ++ list_for_each_entry(table, &nft_net->tables, list) { + if (nft_table_validate(net, table) < 0) + return -EAGAIN; + } +@@ -6323,14 +6375,15 @@ static void nft_commit_release(struct nf + + static void nf_tables_commit_release(struct net *net) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_trans *trans, *next; + +- if (list_empty(&net->nft.commit_list)) ++ if (list_empty(&nft_net->commit_list)) + return; + + synchronize_rcu(); + +- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { ++ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { + list_del(&trans->list); + nft_commit_release(trans); + } +@@ -6369,9 +6422,10 @@ static int nf_tables_commit_chain_prepar + + static void nf_tables_commit_chain_prepare_cancel(struct net *net) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_trans *trans, *next; + +- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { ++ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { + struct nft_chain *chain = trans->ctx.chain; + + if (trans->msg_type == NFT_MSG_NEWRULE || +@@ -6463,6 +6517,7 @@ static void nft_chain_del(struct nft_cha + + static int nf_tables_commit(struct net *net, struct sk_buff *skb) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_trans *trans, *next; + struct nft_trans_elem *te; + struct nft_chain *chain; +@@ -6473,7 +6528,7 @@ static int nf_tables_commit(struct net * + return -EAGAIN; + + /* 1. 
Allocate space for next generation rules_gen_X[] */ +- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { ++ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { + int ret; + + if (trans->msg_type == NFT_MSG_NEWRULE || +@@ -6489,7 +6544,7 @@ static int nf_tables_commit(struct net * + } + + /* step 2. Make rules_gen_X visible to packet path */ +- list_for_each_entry(table, &net->nft.tables, list) { ++ list_for_each_entry(table, &nft_net->tables, list) { + list_for_each_entry(chain, &table->chains, list) + nf_tables_commit_chain(net, chain); + } +@@ -6498,12 +6553,13 @@ static int nf_tables_commit(struct net * + * Bump generation counter, invalidate any dump in progress. + * Cannot fail after this point. + */ +- while (++net->nft.base_seq == 0); ++ while (++nft_net->base_seq == 0) ++ ; + + /* step 3. Start new generation, rules_gen_X now in use. */ + net->nft.gencursor = nft_gencursor_next(net); + +- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { ++ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { + switch (trans->msg_type) { + case NFT_MSG_NEWTABLE: + if (nft_trans_table_update(trans)) { +@@ -6624,7 +6680,7 @@ static int nf_tables_commit(struct net * + + nf_tables_commit_release(net); + nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); +- mutex_unlock(&net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + + return 0; + } +@@ -6660,10 +6716,11 @@ static void nf_tables_abort_release(stru + + static int __nf_tables_abort(struct net *net) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_trans *trans, *next; + struct nft_trans_elem *te; + +- list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list, ++ list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list, + list) { + switch (trans->msg_type) { + case NFT_MSG_NEWTABLE: +@@ -6770,7 +6827,7 @@ static int __nf_tables_abort(struct net + synchronize_rcu(); + + 
list_for_each_entry_safe_reverse(trans, next, +- &net->nft.commit_list, list) { ++ &nft_net->commit_list, list) { + list_del(&trans->list); + nf_tables_abort_release(trans); + } +@@ -6780,22 +6837,24 @@ static int __nf_tables_abort(struct net + + static int nf_tables_abort(struct net *net, struct sk_buff *skb) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + int ret = __nf_tables_abort(net); + +- mutex_unlock(&net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + + return ret; + } + + static bool nf_tables_valid_genid(struct net *net, u32 genid) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + bool genid_ok; + +- mutex_lock(&net->nft.commit_mutex); ++ mutex_lock(&nft_net->commit_mutex); + +- genid_ok = genid == 0 || net->nft.base_seq == genid; ++ genid_ok = genid == 0 || nft_net->base_seq == genid; + if (!genid_ok) +- mutex_unlock(&net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + + /* else, commit mutex has to be released by commit or abort function */ + return genid_ok; +@@ -7353,10 +7412,9 @@ int __nft_release_basechain(struct nft_c + } + EXPORT_SYMBOL_GPL(__nft_release_basechain); + +-static void __nft_release_tables(struct net *net) ++static void __nft_release_table(struct net *net, struct nft_table *table) + { + struct nft_flowtable *flowtable, *nf; +- struct nft_table *table, *nt; + struct nft_chain *chain, *nc; + struct nft_object *obj, *ne; + struct nft_rule *rule, *nr; +@@ -7366,71 +7424,84 @@ static void __nft_release_tables(struct + .family = NFPROTO_NETDEV, + }; + +- list_for_each_entry_safe(table, nt, &net->nft.tables, list) { +- ctx.family = table->family; ++ ctx.family = table->family; + +- list_for_each_entry(chain, &table->chains, list) +- nf_tables_unregister_hook(net, table, chain); +- /* No packets are walking on these chains anymore. 
*/ +- ctx.table = table; +- list_for_each_entry(chain, &table->chains, list) { +- ctx.chain = chain; +- list_for_each_entry_safe(rule, nr, &chain->rules, list) { +- list_del(&rule->list); +- chain->use--; +- nf_tables_rule_release(&ctx, rule); +- } +- } +- list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { +- list_del(&flowtable->list); +- table->use--; +- nf_tables_flowtable_destroy(flowtable); +- } +- list_for_each_entry_safe(set, ns, &table->sets, list) { +- list_del(&set->list); +- table->use--; +- nft_set_destroy(set); +- } +- list_for_each_entry_safe(obj, ne, &table->objects, list) { +- list_del(&obj->list); +- table->use--; +- nft_obj_destroy(&ctx, obj); +- } +- list_for_each_entry_safe(chain, nc, &table->chains, list) { +- ctx.chain = chain; +- nft_chain_del(chain); +- table->use--; +- nf_tables_chain_destroy(&ctx); ++ list_for_each_entry(chain, &table->chains, list) ++ nf_tables_unregister_hook(net, table, chain); ++ /* No packets are walking on these chains anymore. 
*/ ++ ctx.table = table; ++ list_for_each_entry(chain, &table->chains, list) { ++ ctx.chain = chain; ++ list_for_each_entry_safe(rule, nr, &chain->rules, list) { ++ list_del(&rule->list); ++ chain->use--; ++ nf_tables_rule_release(&ctx, rule); + } +- list_del(&table->list); +- nf_tables_table_destroy(&ctx); + } ++ list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { ++ list_del(&flowtable->list); ++ table->use--; ++ nf_tables_flowtable_destroy(flowtable); ++ } ++ list_for_each_entry_safe(set, ns, &table->sets, list) { ++ list_del(&set->list); ++ table->use--; ++ nft_set_destroy(set); ++ } ++ list_for_each_entry_safe(obj, ne, &table->objects, list) { ++ list_del(&obj->list); ++ table->use--; ++ nft_obj_destroy(&ctx, obj); ++ } ++ list_for_each_entry_safe(chain, nc, &table->chains, list) { ++ ctx.chain = chain; ++ nft_chain_del(chain); ++ table->use--; ++ nf_tables_chain_destroy(&ctx); ++ } ++ list_del(&table->list); ++ nf_tables_table_destroy(&ctx); ++} ++ ++static void __nft_release_tables(struct net *net) ++{ ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ struct nft_table *table, *nt; ++ ++ list_for_each_entry_safe(table, nt, &nft_net->tables, list) ++ __nft_release_table(net, table); + } + + static int __net_init nf_tables_init_net(struct net *net) + { +- INIT_LIST_HEAD(&net->nft.tables); +- INIT_LIST_HEAD(&net->nft.commit_list); +- mutex_init(&net->nft.commit_mutex); +- net->nft.base_seq = 1; +- net->nft.validate_state = NFT_VALIDATE_SKIP; ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ ++ INIT_LIST_HEAD(&nft_net->tables); ++ INIT_LIST_HEAD(&nft_net->commit_list); ++ mutex_init(&nft_net->commit_mutex); ++ nft_net->base_seq = 1; ++ nft_net->validate_state = NFT_VALIDATE_SKIP; + + return 0; + } + + static void __net_exit nf_tables_exit_net(struct net *net) + { +- mutex_lock(&net->nft.commit_mutex); +- if (!list_empty(&net->nft.commit_list)) ++ struct nftables_pernet *nft_net = net_generic(net, 
nf_tables_net_id); ++ ++ mutex_lock(&nft_net->commit_mutex); ++ if (!list_empty(&nft_net->commit_list)) + __nf_tables_abort(net); + __nft_release_tables(net); +- mutex_unlock(&net->nft.commit_mutex); +- WARN_ON_ONCE(!list_empty(&net->nft.tables)); ++ mutex_unlock(&nft_net->commit_mutex); ++ WARN_ON_ONCE(!list_empty(&nft_net->tables)); + } + + static struct pernet_operations nf_tables_net_ops = { + .init = nf_tables_init_net, + .exit = nf_tables_exit_net, ++ .id = &nf_tables_net_id, ++ .size = sizeof(struct nftables_pernet), + }; + + static int __init nf_tables_module_init(void) +--- a/net/netfilter/nft_chain_filter.c ++++ b/net/netfilter/nft_chain_filter.c +@@ -2,6 +2,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -10,6 +11,8 @@ + #include + #include + ++extern unsigned int nf_tables_net_id; ++ + #ifdef CONFIG_NF_TABLES_IPV4 + static unsigned int nft_do_chain_ipv4(void *priv, + struct sk_buff *skb, +@@ -315,6 +318,7 @@ static int nf_tables_netdev_event(struct + unsigned long event, void *ptr) + { + struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct nftables_pernet *nft_net; + struct nft_table *table; + struct nft_chain *chain, *nr; + struct nft_ctx ctx = { +@@ -325,8 +329,9 @@ static int nf_tables_netdev_event(struct + event != NETDEV_CHANGENAME) + return NOTIFY_DONE; + +- mutex_lock(&ctx.net->nft.commit_mutex); +- list_for_each_entry(table, &ctx.net->nft.tables, list) { ++ nft_net = net_generic(ctx.net, nf_tables_net_id); ++ mutex_lock(&nft_net->commit_mutex); ++ list_for_each_entry(table, &nft_net->tables, list) { + if (table->family != NFPROTO_NETDEV) + continue; + +@@ -340,7 +345,7 @@ static int nf_tables_netdev_event(struct + nft_netdev_event(event, dev, &ctx); + } + } +- mutex_unlock(&ctx.net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + + return NOTIFY_DONE; + } +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -15,6 +15,9 @@ + #include + #include + #include 
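Review bot: nf_tables_init_net() initialises only `tables` and `commit_list`, but the `struct nftables_pernet` this patch adds to include/net/netfilter/nf_tables.h also carries `module_list` and `notify_list`. Nothing visible in the patch uses those two heads; if the pernet area is zero-filled on allocation (not shown here), they are NULL-linked rather than empty lists, and the first later backport that walks or appends to them would dereference NULL. Either drop the two fields from this backport or add `INIT_LIST_HEAD(&nft_net->module_list);` and `INIT_LIST_HEAD(&nft_net->notify_list);` next to the existing calls.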
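Review bot: `extern unsigned int nf_tables_net_id;` is declared by hand in net/netfilter/nft_chain_filter.c, and again in net/netfilter/nft_dynset.c, so neither copy is checked by the compiler against the definition in nf_tables_api.c. If the type of the id ever changes, the two .c files would keep building against the stale declaration. Since this patch already places `struct nftables_pernet` in include/net/netfilter/nf_tables.h, the declaration belongs beside it there, with both local copies removed.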
++#include ++ ++extern unsigned int nf_tables_net_id; + + struct nft_dynset { + struct nft_set *set; +@@ -112,13 +115,14 @@ static int nft_dynset_init(const struct + const struct nft_expr *expr, + const struct nlattr * const tb[]) + { ++ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); + struct nft_dynset *priv = nft_expr_priv(expr); + u8 genmask = nft_genmask_next(ctx->net); + struct nft_set *set; + u64 timeout; + int err; + +- lockdep_assert_held(&ctx->net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + + if (tb[NFTA_DYNSET_SET_NAME] == NULL || + tb[NFTA_DYNSET_OP] == NULL || diff --git a/tmp-4.19/netfilter-nftables-add-helper-function-to-set-the-base-sequence-number.patch b/tmp-4.19/netfilter-nftables-add-helper-function-to-set-the-base-sequence-number.patch new file mode 100644 index 00000000000..e15f9a44432 --- /dev/null +++ b/tmp-4.19/netfilter-nftables-add-helper-function-to-set-the-base-sequence-number.patch 
@@ -0,0 +1,117 @@ +From pablo@netfilter.org Wed Jul 5 18:55:23 2023 +From: Pablo Neira Ayuso +Date: Wed, 5 Jul 2023 18:55:09 +0200 +Subject: netfilter: nftables: add helper function to set the base sequence number +To: netfilter-devel@vger.kernel.org +Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org +Message-ID: <20230705165516.50145-4-pablo@netfilter.org> + +From: Pablo Neira Ayuso + +[ 802b805162a1b7d8391c40ac8a878e9e63287aff ] + +This patch adds a helper function to calculate the base sequence number +field that is stored in the nfnetlink header. Use the helper function +whenever possible. + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -561,6 +561,11 @@ nf_tables_chain_type_lookup(struct net * + return ERR_PTR(-ENOENT); + } + ++static __be16 nft_base_seq(const struct net *net) ++{ ++ return htons(net->nft.base_seq & 0xffff); ++} ++ + static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { + [NFTA_TABLE_NAME] = { .type = NLA_STRING, + .len = NFT_TABLE_MAXNAMELEN - 1 }, +@@ -583,7 +588,7 @@ static int nf_tables_fill_table_info(str + nfmsg = nlmsg_data(nlh); + nfmsg->nfgen_family = family; + nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(net->nft.base_seq & 0xffff); ++ nfmsg->res_id = nft_base_seq(net); + + if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || + nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) || +@@ -1218,7 +1223,7 @@ static int nf_tables_fill_chain_info(str + nfmsg = nlmsg_data(nlh); + nfmsg->nfgen_family = family; + nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(net->nft.base_seq & 0xffff); ++ nfmsg->res_id = nft_base_seq(net); + + if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name)) + goto nla_put_failure; +@@ -2265,7 +2270,7 @@ static int 
nf_tables_fill_rule_info(stru + nfmsg = nlmsg_data(nlh); + nfmsg->nfgen_family = family; + nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(net->nft.base_seq & 0xffff); ++ nfmsg->res_id = nft_base_seq(net); + + if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) + goto nla_put_failure; +@@ -3176,7 +3181,7 @@ static int nf_tables_fill_set(struct sk_ + nfmsg = nlmsg_data(nlh); + nfmsg->nfgen_family = ctx->family; + nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); ++ nfmsg->res_id = nft_base_seq(ctx->net); + + if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) + goto nla_put_failure; +@@ -4032,7 +4037,7 @@ static int nf_tables_dump_set(struct sk_ + nfmsg = nlmsg_data(nlh); + nfmsg->nfgen_family = table->family; + nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(net->nft.base_seq & 0xffff); ++ nfmsg->res_id = nft_base_seq(net); + + if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) + goto nla_put_failure; +@@ -4104,7 +4109,7 @@ static int nf_tables_fill_setelem_info(s + nfmsg = nlmsg_data(nlh); + nfmsg->nfgen_family = ctx->family; + nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff); ++ nfmsg->res_id = nft_base_seq(ctx->net); + + if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) + goto nla_put_failure; +@@ -5152,7 +5157,7 @@ static int nf_tables_fill_obj_info(struc + nfmsg = nlmsg_data(nlh); + nfmsg->nfgen_family = family; + nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(net->nft.base_seq & 0xffff); ++ nfmsg->res_id = nft_base_seq(net); + + if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || + nla_put_string(skb, NFTA_OBJ_NAME, obj->name) || +@@ -5813,7 +5818,7 @@ static int nf_tables_fill_flowtable_info + nfmsg = nlmsg_data(nlh); + nfmsg->nfgen_family = family; + nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(net->nft.base_seq & 0xffff); ++ nfmsg->res_id = nft_base_seq(net); + + if (nla_put_string(skb, 
NFTA_FLOWTABLE_TABLE, flowtable->table->name) || + nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || +@@ -6051,7 +6056,7 @@ static int nf_tables_fill_gen_info(struc + nfmsg = nlmsg_data(nlh); + nfmsg->nfgen_family = AF_UNSPEC; + nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(net->nft.base_seq & 0xffff); ++ nfmsg->res_id = nft_base_seq(net); + + if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) || + nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || diff --git a/tmp-4.19/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch b/tmp-4.19/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch new file mode 100644 index 00000000000..6e8e545f52f --- /dev/null +++ b/tmp-4.19/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch 
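Review bot: In the last hunk of this patch (nf_tables_fill_gen_info), `res_id` now comes from `nft_base_seq(net)`, while the `NFTA_GEN_ID` attribute two lines below still reads `net->nft.base_seq` directly, so one message carries two separate reads of the counter. The callers are outside the hunk; if any of them can run without the commit mutex held, a concurrent generation bump could leave the 16-bit `res_id` and the 32-bit generation id in the same message disagreeing. Taking one snapshot, e.g. `u32 seq = net->nft.base_seq;`, and deriving both fields from it would rule that out. The new helper would also benefit from a one-line comment such as `/* low 16 bits of the generation counter, network byte order, for nfgenmsg.res_id */`.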
@@ -0,0 +1,152 @@ +From 3a75a252bcf5592f5b27882ccbb7d44ddafb7763 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 09:43:13 -0700 +Subject: netlink: Add __sock_i_ino() for __netlink_diag_dump(). + +From: Kuniyuki Iwashima + +[ Upstream commit 25a9c8a4431c364f97f75558cb346d2ad3f53fbb ] + +syzbot reported a warning in __local_bh_enable_ip(). [0] + +Commit 8d61f926d420 ("netlink: fix potential deadlock in +netlink_set_err()") converted read_lock(&nl_table_lock) to +read_lock_irqsave() in __netlink_diag_dump() to prevent a deadlock. + +However, __netlink_diag_dump() calls sock_i_ino() that uses +read_lock_bh() and read_unlock_bh(). If CONFIG_TRACE_IRQFLAGS=y, +read_unlock_bh() finally enables IRQ even though it should stay +disabled until the following read_unlock_irqrestore(). + +Using read_lock() in sock_i_ino() would trigger a lockdep splat +in another place that was fixed in commit f064af1e500a ("net: fix +a lockdep splat"), so let's add __sock_i_ino() that would be safe +to use under BH disabled. 
+ +[0]: +WARNING: CPU: 0 PID: 5012 at kernel/softirq.c:376 __local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376 +Modules linked in: +CPU: 0 PID: 5012 Comm: syz-executor487 Not tainted 6.4.0-rc7-syzkaller-00202-g6f68fc395f49 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 +RIP: 0010:__local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376 +Code: 45 bf 01 00 00 00 e8 91 5b 0a 00 e8 3c 15 3d 00 fb 65 8b 05 ec e9 b5 7e 85 c0 74 58 5b 5d c3 65 8b 05 b2 b6 b4 7e 85 c0 75 a2 <0f> 0b eb 9e e8 89 15 3d 00 eb 9f 48 89 ef e8 6f 49 18 00 eb a8 0f +RSP: 0018:ffffc90003a1f3d0 EFLAGS: 00010046 +RAX: 0000000000000000 RBX: 0000000000000201 RCX: 1ffffffff1cf5996 +RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff8805c6f3 +RBP: ffffffff8805c6f3 R08: 0000000000000001 R09: ffff8880152b03a3 +R10: ffffed1002a56074 R11: 0000000000000005 R12: 00000000000073e4 +R13: dffffc0000000000 R14: 0000000000000002 R15: 0000000000000000 +FS: 0000555556726300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000000045ad50 CR3: 000000007c646000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + sock_i_ino+0x83/0xa0 net/core/sock.c:2559 + __netlink_diag_dump+0x45c/0x790 net/netlink/diag.c:171 + netlink_diag_dump+0xd6/0x230 net/netlink/diag.c:207 + netlink_dump+0x570/0xc50 net/netlink/af_netlink.c:2269 + __netlink_dump_start+0x64b/0x910 net/netlink/af_netlink.c:2374 + netlink_dump_start include/linux/netlink.h:329 [inline] + netlink_diag_handler_dump+0x1ae/0x250 net/netlink/diag.c:238 + __sock_diag_cmd net/core/sock_diag.c:238 [inline] + sock_diag_rcv_msg+0x31e/0x440 net/core/sock_diag.c:269 + netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2547 + sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + 
netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1914 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0xde/0x190 net/socket.c:747 + ____sys_sendmsg+0x71c/0x900 net/socket.c:2503 + ___sys_sendmsg+0x110/0x1b0 net/socket.c:2557 + __sys_sendmsg+0xf7/0x1c0 net/socket.c:2586 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f5303aaabb9 +Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffc7506e548 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5303aaabb9 +RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003 +RBP: 00007f5303a6ed60 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5303a6edf0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +Fixes: 8d61f926d420 ("netlink: fix potential deadlock in netlink_set_err()") +Reported-by: syzbot+5da61cf6a9bc1902d422@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=5da61cf6a9bc1902d422 +Suggested-by: Eric Dumazet +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230626164313.52528-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 1 + + net/core/sock.c | 17 ++++++++++++++--- + net/netlink/diag.c | 2 +- + 3 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 616e84d1670df..72739f72e4b90 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1840,6 +1840,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent) + } + + kuid_t 
sock_i_uid(struct sock *sk); ++unsigned long __sock_i_ino(struct sock *sk); + unsigned long sock_i_ino(struct sock *sk); + + static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk) +diff --git a/net/core/sock.c b/net/core/sock.c +index 347a55519d0a5..5b31f3446fc7a 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -1939,13 +1939,24 @@ kuid_t sock_i_uid(struct sock *sk) + } + EXPORT_SYMBOL(sock_i_uid); + +-unsigned long sock_i_ino(struct sock *sk) ++unsigned long __sock_i_ino(struct sock *sk) + { + unsigned long ino; + +- read_lock_bh(&sk->sk_callback_lock); ++ read_lock(&sk->sk_callback_lock); + ino = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_ino : 0; +- read_unlock_bh(&sk->sk_callback_lock); ++ read_unlock(&sk->sk_callback_lock); ++ return ino; ++} ++EXPORT_SYMBOL(__sock_i_ino); ++ ++unsigned long sock_i_ino(struct sock *sk) ++{ ++ unsigned long ino; ++ ++ local_bh_disable(); ++ ino = __sock_i_ino(sk); ++ local_bh_enable(); + return ino; + } + EXPORT_SYMBOL(sock_i_ino); +diff --git a/net/netlink/diag.c b/net/netlink/diag.c +index 83a0429805e9d..85ee4891c2c7f 100644 +--- a/net/netlink/diag.c ++++ b/net/netlink/diag.c +@@ -167,7 +167,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + NETLINK_CB(cb->skb).portid, + cb->nlh->nlmsg_seq, + NLM_F_MULTI, +- sock_i_ino(sk)) < 0) { ++ __sock_i_ino(sk)) < 0) { + ret = 1; + break; + } +-- +2.39.2 + diff --git a/tmp-4.19/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch b/tmp-4.19/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch new file mode 100644 index 00000000000..d17adc884c3 --- /dev/null +++ b/tmp-4.19/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch 
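Review bot: `__sock_i_ino()` is exported in net/core/sock.c and declared in include/net/sock.h without any statement of its calling contract. It takes `sk_callback_lock` with plain `read_lock()`, so it is only correct when the caller already runs with bottom halves or IRQs disabled, as `__netlink_diag_dump()` does under `read_lock_irqsave()`. Nothing in the new code documents or enforces that, and a future process-context caller with BH enabled would hit the lockdep splat the commit message attributes to f064af1e500a. A comment above the definition and the prototype, e.g. `/* Caller must have BH or IRQs disabled; use sock_i_ino() otherwise. */`, would make the precondition explicit.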
@@ -0,0 +1,157 @@ +From 459b47414fc29c8475bd27d3af1b1a4f95fb993f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 17:47:20 +0000 +Subject: netlink: do not hard code device address lenth in fdb dumps + +From: Eric Dumazet + +[ Upstream commit aa5406950726e336c5c9585b09799a734b6e77bf ] + +syzbot reports that some netdev devices do not have a six bytes +address [1] + +Replace ETH_ALEN by dev->addr_len. + +[1] (Case of a device where dev->addr_len = 4) + +BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] +BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169 +instrument_copy_to_user include/linux/instrumented.h:114 [inline] +copyout+0xb8/0x100 lib/iov_iter.c:169 +_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536 +copy_to_iter include/linux/uio.h:206 [inline] +simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513 +__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419 +skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527 +skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] +netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970 +sock_recvmsg_nosec net/socket.c:1019 [inline] +sock_recvmsg net/socket.c:1040 [inline] +____sys_recvmsg+0x283/0x7f0 net/socket.c:2722 +___sys_recvmsg+0x223/0x840 net/socket.c:2764 +do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 +__sys_recvmmsg net/socket.c:2937 [inline] +__do_sys_recvmmsg net/socket.c:2960 [inline] +__se_sys_recvmmsg net/socket.c:2953 [inline] +__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was stored to memory at: +__nla_put lib/nlattr.c:1009 [inline] +nla_put+0x1c6/0x230 lib/nlattr.c:1067 +nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071 +nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline] +ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456 
+rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629 +netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268 +netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995 +sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019 +____sys_recvmsg+0x664/0x7f0 net/socket.c:2720 +___sys_recvmsg+0x223/0x840 net/socket.c:2764 +do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 +__sys_recvmmsg net/socket.c:2937 [inline] +__do_sys_recvmmsg net/socket.c:2960 [inline] +__se_sys_recvmmsg net/socket.c:2953 [inline] +__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: +slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716 +slab_alloc_node mm/slub.c:3451 [inline] +__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490 +kmalloc_trace+0x51/0x200 mm/slab_common.c:1057 +kmalloc include/linux/slab.h:559 [inline] +__hw_addr_create net/core/dev_addr_lists.c:60 [inline] +__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118 +__dev_mc_add net/core/dev_addr_lists.c:867 [inline] +dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885 +igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680 +ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754 +ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708 +addrconf_type_change net/ipv6/addrconf.c:3731 [inline] +addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699 +notifier_call_chain kernel/notifier.c:93 [inline] +raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461 +call_netdevice_notifiers_info net/core/dev.c:1935 [inline] +call_netdevice_notifiers_extack net/core/dev.c:1973 [inline] +call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987 +bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906 +do_set_master net/core/rtnetlink.c:2626 [inline] +rtnl_newlink_create net/core/rtnetlink.c:3460 [inline] +__rtnl_newlink net/core/rtnetlink.c:3660 [inline] +rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673 
+rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395 +netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546 +rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413 +netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] +netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365 +netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +____sys_sendmsg+0x999/0xd50 net/socket.c:2503 +___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557 +__sys_sendmsg net/socket.c:2586 [inline] +__do_sys_sendmsg net/socket.c:2595 [inline] +__se_sys_sendmsg net/socket.c:2593 [inline] +__x64_sys_sendmsg+0x304/0x490 net/socket.c:2593 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Bytes 2856-2857 of 3500 are uninitialized +Memory access of size 3500 starts at ffff888018d99104 +Data copied to user address 0000000020000480 + +Fixes: d83b06036048 ("net: add fdb generic dump routine") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20230621174720.1845040-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 2837cc03f69e2..79f62517e24a5 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -3436,7 +3436,7 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb, + ndm->ndm_ifindex = dev->ifindex; + ndm->ndm_state = ndm_state; + +- if (nla_put(skb, NDA_LLADDR, ETH_ALEN, addr)) ++ if (nla_put(skb, NDA_LLADDR, dev->addr_len, addr)) + goto nla_put_failure; + if (vid) + if (nla_put(skb, NDA_VLAN, sizeof(u16), &vid)) +@@ -3450,10 +3450,10 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb, + return -EMSGSIZE; + } + +-static inline size_t 
rtnl_fdb_nlmsg_size(void) ++static inline size_t rtnl_fdb_nlmsg_size(const struct net_device *dev) + { + return NLMSG_ALIGN(sizeof(struct ndmsg)) + +- nla_total_size(ETH_ALEN) + /* NDA_LLADDR */ ++ nla_total_size(dev->addr_len) + /* NDA_LLADDR */ + nla_total_size(sizeof(u16)) + /* NDA_VLAN */ + 0; + } +@@ -3465,7 +3465,7 @@ static void rtnl_fdb_notify(struct net_device *dev, u8 *addr, u16 vid, int type, + struct sk_buff *skb; + int err = -ENOBUFS; + +- skb = nlmsg_new(rtnl_fdb_nlmsg_size(), GFP_ATOMIC); ++ skb = nlmsg_new(rtnl_fdb_nlmsg_size(dev), GFP_ATOMIC); + if (!skb) + goto errout; + +-- +2.39.2 + diff --git a/tmp-4.19/netlink-fix-potential-deadlock-in-netlink_set_err.patch b/tmp-4.19/netlink-fix-potential-deadlock-in-netlink_set_err.patch new file mode 100644 index 00000000000..ed4e1963a67 --- /dev/null +++ b/tmp-4.19/netlink-fix-potential-deadlock-in-netlink_set_err.patch 
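Review bot: In `nlmsg_populate_fdb_fill()` the `NDA_LLADDR` copy length is now `dev->addr_len`, but `addr` is still a bare `u8 *` with no length, so the copy is only safe if every caller's buffer holds at least `dev->addr_len` bytes. The change closes the short-address case from the KMSAN report (4-byte address, 6 bytes copied). In the opposite case, a device whose `addr_len` exceeds the buffer handed to `rtnl_fdb_notify()`, the copy would now read past that buffer. The callers are outside these hunks, so this needs confirming there, in particular any path that checks a user-supplied address against `ETH_ALEN` before notifying. The contract deserves a comment on both functions, e.g. `/* @addr must point to at least dev->addr_len bytes */`; both function bodies continue outside the hunks.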
@@ -0,0 +1,117 @@ +From 6845ece794e1aeaadab2f5f1b10d1d35bc668d1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 15:43:37 +0000 +Subject: netlink: fix potential deadlock in netlink_set_err() + +From: Eric Dumazet + +[ Upstream commit 8d61f926d42045961e6b65191c09e3678d86a9cf ] + +syzbot reported a possible deadlock in netlink_set_err() [1] + +A similar issue was fixed in commit 1d482e666b8e ("netlink: disable IRQs +for netlink_lock_table()") in netlink_lock_table() + +This patch adds IRQ safety to netlink_set_err() and __netlink_diag_dump() +which were not covered by cited commit. + +[1] + +WARNING: possible irq lock inversion dependency detected +6.4.0-rc6-syzkaller-00240-g4e9f0ec38852 #0 Not tainted + +syz-executor.2/23011 just changed the state of lock: +ffffffff8e1a7a58 (nl_table_lock){.+.?}-{2:2}, at: netlink_set_err+0x2e/0x3a0 net/netlink/af_netlink.c:1612 +but this lock was taken by another, SOFTIRQ-safe lock in the past: + (&local->queue_stop_reason_lock){..-.}-{2:2} + +and interrupts could create inverse lock ordering between them. 
+ +other info that might help us debug this: + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(nl_table_lock); + local_irq_disable(); + lock(&local->queue_stop_reason_lock); + lock(nl_table_lock); + + lock(&local->queue_stop_reason_lock); + + *** DEADLOCK *** + +Fixes: 1d482e666b8e ("netlink: disable IRQs for netlink_lock_table()") +Reported-by: syzbot+a7d200a347f912723e5c@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=a7d200a347f912723e5c +Link: https://lore.kernel.org/netdev/000000000000e38d1605fea5747e@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Johannes Berg +Link: https://lore.kernel.org/r/20230621154337.1668594-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 5 +++-- + net/netlink/diag.c | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 57fd9b7cfc75f..35ecaa93f213a 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1603,6 +1603,7 @@ static int do_one_set_err(struct sock *sk, struct netlink_set_err_data *p) + int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code) + { + struct netlink_set_err_data info; ++ unsigned long flags; + struct sock *sk; + int ret = 0; + +@@ -1612,12 +1613,12 @@ int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code) + /* sk->sk_err wants a positive error value */ + info.code = -code; + +- read_lock(&nl_table_lock); ++ read_lock_irqsave(&nl_table_lock, flags); + + sk_for_each_bound(sk, &nl_table[ssk->sk_protocol].mc_list) + ret += do_one_set_err(sk, &info); + +- read_unlock(&nl_table_lock); ++ read_unlock_irqrestore(&nl_table_lock, flags); + return ret; + } + EXPORT_SYMBOL(netlink_set_err); +diff --git a/net/netlink/diag.c b/net/netlink/diag.c +index 7dda33b9b7849..83a0429805e9d 100644 +--- a/net/netlink/diag.c ++++ b/net/netlink/diag.c +@@ -93,6 +93,7 @@ static int 
__netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + struct net *net = sock_net(skb->sk); + struct netlink_diag_req *req; + struct netlink_sock *nlsk; ++ unsigned long flags; + struct sock *sk; + int num = 2; + int ret = 0; +@@ -151,7 +152,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + num++; + + mc_list: +- read_lock(&nl_table_lock); ++ read_lock_irqsave(&nl_table_lock, flags); + sk_for_each_bound(sk, &tbl->mc_list) { + if (sk_hashed(sk)) + continue; +@@ -172,7 +173,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + } + num++; + } +- read_unlock(&nl_table_lock); ++ read_unlock_irqrestore(&nl_table_lock, flags); + + done: + cb->args[0] = num; +-- +2.39.2 + diff --git a/tmp-4.19/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch b/tmp-4.19/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch new file mode 100644 index 00000000000..e9f0509bfca --- /dev/null +++ b/tmp-4.19/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch 
@@ -0,0 +1,465 @@ +From f2fd3340eff76d7c5d0b33c8a89cb746bb836c1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jul 2021 16:41:59 +0200 +Subject: nfc: constify several pointers to u8, char and sk_buff + +From: Krzysztof Kozlowski + +[ Upstream commit 3df40eb3a2ea58bf404a38f15a7a2768e4762cb0 ] + +Several functions receive pointers to u8, char or sk_buff but do not +modify the contents so make them const. This allows doing the same for +local variables and in total makes the code a little bit safer. + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Stable-dep-of: 0d9b41daa590 ("nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect()") +Signed-off-by: Sasha Levin +--- + include/net/nfc/nfc.h | 4 ++-- + net/nfc/core.c | 4 ++-- + net/nfc/hci/llc_shdlc.c | 10 ++++----- + net/nfc/llcp.h | 8 +++---- + net/nfc/llcp_commands.c | 46 ++++++++++++++++++++++------------------- + net/nfc/llcp_core.c | 44 +++++++++++++++++++++------------------ + net/nfc/nfc.h | 2 +- + 7 files changed, 63 insertions(+), 55 deletions(-) + +diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h +index bbdc73a3239df..8b86560b5cfb1 100644 +--- a/include/net/nfc/nfc.h ++++ b/include/net/nfc/nfc.h +@@ -278,7 +278,7 @@ struct sk_buff *nfc_alloc_send_skb(struct nfc_dev *dev, struct sock *sk, + struct sk_buff *nfc_alloc_recv_skb(unsigned int size, gfp_t gfp); + + int nfc_set_remote_general_bytes(struct nfc_dev *dev, +- u8 *gt, u8 gt_len); ++ const u8 *gt, u8 gt_len); + u8 *nfc_get_local_general_bytes(struct nfc_dev *dev, size_t *gb_len); + + int nfc_fw_download_done(struct nfc_dev *dev, const char *firmware_name, +@@ -292,7 +292,7 @@ int nfc_dep_link_is_up(struct nfc_dev *dev, u32 target_idx, + u8 comm_mode, u8 rf_mode); + + int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode, +- u8 *gb, size_t gb_len); ++ const u8 *gb, size_t gb_len); + int nfc_tm_deactivated(struct nfc_dev *dev); + int nfc_tm_data_received(struct nfc_dev *dev, 
struct sk_buff *skb); + +diff --git a/net/nfc/core.c b/net/nfc/core.c +index a84f824da051d..dd12ee46ac730 100644 +--- a/net/nfc/core.c ++++ b/net/nfc/core.c +@@ -646,7 +646,7 @@ int nfc_disable_se(struct nfc_dev *dev, u32 se_idx) + return rc; + } + +-int nfc_set_remote_general_bytes(struct nfc_dev *dev, u8 *gb, u8 gb_len) ++int nfc_set_remote_general_bytes(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + { + pr_debug("dev_name=%s gb_len=%d\n", dev_name(&dev->dev), gb_len); + +@@ -675,7 +675,7 @@ int nfc_tm_data_received(struct nfc_dev *dev, struct sk_buff *skb) + EXPORT_SYMBOL(nfc_tm_data_received); + + int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode, +- u8 *gb, size_t gb_len) ++ const u8 *gb, size_t gb_len) + { + int rc; + +diff --git a/net/nfc/hci/llc_shdlc.c b/net/nfc/hci/llc_shdlc.c +index fe988936ad923..e6863c71f566d 100644 +--- a/net/nfc/hci/llc_shdlc.c ++++ b/net/nfc/hci/llc_shdlc.c +@@ -134,7 +134,7 @@ static bool llc_shdlc_x_lteq_y_lt_z(int x, int y, int z) + return ((y >= x) || (y < z)) ? true : false; + } + +-static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc, ++static struct sk_buff *llc_shdlc_alloc_skb(const struct llc_shdlc *shdlc, + int payload_len) + { + struct sk_buff *skb; +@@ -148,7 +148,7 @@ static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc, + } + + /* immediately sends an S frame. */ +-static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc, ++static int llc_shdlc_send_s_frame(const struct llc_shdlc *shdlc, + enum sframe_type sframe_type, int nr) + { + int r; +@@ -170,7 +170,7 @@ static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc, + } + + /* immediately sends an U frame. 
skb may contain optional payload */ +-static int llc_shdlc_send_u_frame(struct llc_shdlc *shdlc, ++static int llc_shdlc_send_u_frame(const struct llc_shdlc *shdlc, + struct sk_buff *skb, + enum uframe_modifier uframe_modifier) + { +@@ -372,7 +372,7 @@ static void llc_shdlc_connect_complete(struct llc_shdlc *shdlc, int r) + wake_up(shdlc->connect_wq); + } + +-static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc) ++static int llc_shdlc_connect_initiate(const struct llc_shdlc *shdlc) + { + struct sk_buff *skb; + +@@ -388,7 +388,7 @@ static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc) + return llc_shdlc_send_u_frame(shdlc, skb, U_FRAME_RSET); + } + +-static int llc_shdlc_connect_send_ua(struct llc_shdlc *shdlc) ++static int llc_shdlc_connect_send_ua(const struct llc_shdlc *shdlc) + { + struct sk_buff *skb; + +diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h +index 1f68724d44d3b..a070a57fc1516 100644 +--- a/net/nfc/llcp.h ++++ b/net/nfc/llcp.h +@@ -233,15 +233,15 @@ struct sock *nfc_llcp_accept_dequeue(struct sock *sk, struct socket *newsock); + + /* TLV API */ + int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, +- u8 *tlv_array, u16 tlv_array_len); ++ const u8 *tlv_array, u16 tlv_array_len); + int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock, +- u8 *tlv_array, u16 tlv_array_len); ++ const u8 *tlv_array, u16 tlv_array_len); + + /* Commands API */ + void nfc_llcp_recv(void *data, struct sk_buff *skb, int err); +-u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length); ++u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length); + struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap); +-struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri, ++struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri, + size_t uri_len); + void nfc_llcp_free_sdp_tlv(struct nfc_llcp_sdp_tlv *sdp); + void nfc_llcp_free_sdp_tlv_list(struct hlist_head *sdp_head); +diff --git 
a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index d1fc019e932e0..6dcad7bcf20bb 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -27,7 +27,7 @@ + #include "nfc.h" + #include "llcp.h" + +-static u8 llcp_tlv_length[LLCP_TLV_MAX] = { ++static const u8 llcp_tlv_length[LLCP_TLV_MAX] = { + 0, + 1, /* VERSION */ + 2, /* MIUX */ +@@ -41,7 +41,7 @@ static u8 llcp_tlv_length[LLCP_TLV_MAX] = { + + }; + +-static u8 llcp_tlv8(u8 *tlv, u8 type) ++static u8 llcp_tlv8(const u8 *tlv, u8 type) + { + if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]]) + return 0; +@@ -49,7 +49,7 @@ static u8 llcp_tlv8(u8 *tlv, u8 type) + return tlv[2]; + } + +-static u16 llcp_tlv16(u8 *tlv, u8 type) ++static u16 llcp_tlv16(const u8 *tlv, u8 type) + { + if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]]) + return 0; +@@ -58,37 +58,37 @@ static u16 llcp_tlv16(u8 *tlv, u8 type) + } + + +-static u8 llcp_tlv_version(u8 *tlv) ++static u8 llcp_tlv_version(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_VERSION); + } + +-static u16 llcp_tlv_miux(u8 *tlv) ++static u16 llcp_tlv_miux(const u8 *tlv) + { + return llcp_tlv16(tlv, LLCP_TLV_MIUX) & 0x7ff; + } + +-static u16 llcp_tlv_wks(u8 *tlv) ++static u16 llcp_tlv_wks(const u8 *tlv) + { + return llcp_tlv16(tlv, LLCP_TLV_WKS); + } + +-static u16 llcp_tlv_lto(u8 *tlv) ++static u16 llcp_tlv_lto(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_LTO); + } + +-static u8 llcp_tlv_opt(u8 *tlv) ++static u8 llcp_tlv_opt(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_OPT); + } + +-static u8 llcp_tlv_rw(u8 *tlv) ++static u8 llcp_tlv_rw(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_RW) & 0xf; + } + +-u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length) ++u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length) + { + u8 *tlv, length; + +@@ -142,7 +142,7 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap) + return sdres; + } + +-struct nfc_llcp_sdp_tlv 
*nfc_llcp_build_sdreq_tlv(u8 tid, char *uri, ++struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri, + size_t uri_len) + { + struct nfc_llcp_sdp_tlv *sdreq; +@@ -202,9 +202,10 @@ void nfc_llcp_free_sdp_tlv_list(struct hlist_head *head) + } + + int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, +- u8 *tlv_array, u16 tlv_array_len) ++ const u8 *tlv_array, u16 tlv_array_len) + { +- u8 *tlv = tlv_array, type, length, offset = 0; ++ const u8 *tlv = tlv_array; ++ u8 type, length, offset = 0; + + pr_debug("TLV array length %d\n", tlv_array_len); + +@@ -251,9 +252,10 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, + } + + int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock, +- u8 *tlv_array, u16 tlv_array_len) ++ const u8 *tlv_array, u16 tlv_array_len) + { +- u8 *tlv = tlv_array, type, length, offset = 0; ++ const u8 *tlv = tlv_array; ++ u8 type, length, offset = 0; + + pr_debug("TLV array length %d\n", tlv_array_len); + +@@ -307,7 +309,7 @@ static struct sk_buff *llcp_add_header(struct sk_buff *pdu, + return pdu; + } + +-static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, u8 *tlv, ++static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, const u8 *tlv, + u8 tlv_length) + { + /* XXX Add an skb length check */ +@@ -401,9 +403,10 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock) + { + struct nfc_llcp_local *local; + struct sk_buff *skb; +- u8 *service_name_tlv = NULL, service_name_tlv_length; +- u8 *miux_tlv = NULL, miux_tlv_length; +- u8 *rw_tlv = NULL, rw_tlv_length, rw; ++ const u8 *service_name_tlv = NULL; ++ const u8 *miux_tlv = NULL; ++ const u8 *rw_tlv = NULL; ++ u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw; + int err; + u16 size = 0; + __be16 miux; +@@ -477,8 +480,9 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock) + { + struct nfc_llcp_local *local; + struct sk_buff *skb; +- u8 *miux_tlv = NULL, miux_tlv_length; +- u8 *rw_tlv = NULL, rw_tlv_length, rw; ++ const u8 *miux_tlv = NULL; ++ 
const u8 *rw_tlv = NULL; ++ u8 miux_tlv_length, rw_tlv_length, rw; + int err; + u16 size = 0; + __be16 miux; +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index 3290f2275b857..bdc1a9d0965af 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -314,7 +314,7 @@ static char *wks[] = { + "urn:nfc:sn:snep", + }; + +-static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len) ++static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len) + { + int sap, num_wks; + +@@ -338,7 +338,7 @@ static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len) + + static + struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local, +- u8 *sn, size_t sn_len) ++ const u8 *sn, size_t sn_len) + { + struct sock *sk; + struct nfc_llcp_sock *llcp_sock, *tmp_sock; +@@ -535,7 +535,7 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local) + { + u8 *gb_cur, version, version_length; + u8 lto_length, wks_length, miux_length; +- u8 *version_tlv = NULL, *lto_tlv = NULL, ++ const u8 *version_tlv = NULL, *lto_tlv = NULL, + *wks_tlv = NULL, *miux_tlv = NULL; + __be16 wks = cpu_to_be16(local->local_wks); + u8 gb_len = 0; +@@ -625,7 +625,7 @@ u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len) + return local->gb; + } + +-int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len) ++int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + { + struct nfc_llcp_local *local; + +@@ -652,27 +652,27 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len) + local->remote_gb_len - 3); + } + +-static u8 nfc_llcp_dsap(struct sk_buff *pdu) ++static u8 nfc_llcp_dsap(const struct sk_buff *pdu) + { + return (pdu->data[0] & 0xfc) >> 2; + } + +-static u8 nfc_llcp_ptype(struct sk_buff *pdu) ++static u8 nfc_llcp_ptype(const struct sk_buff *pdu) + { + return ((pdu->data[0] & 0x03) << 2) | ((pdu->data[1] & 0xc0) >> 6); + } + +-static u8 nfc_llcp_ssap(struct sk_buff *pdu) ++static u8 
nfc_llcp_ssap(const struct sk_buff *pdu) + { + return pdu->data[1] & 0x3f; + } + +-static u8 nfc_llcp_ns(struct sk_buff *pdu) ++static u8 nfc_llcp_ns(const struct sk_buff *pdu) + { + return pdu->data[2] >> 4; + } + +-static u8 nfc_llcp_nr(struct sk_buff *pdu) ++static u8 nfc_llcp_nr(const struct sk_buff *pdu) + { + return pdu->data[2] & 0xf; + } +@@ -814,7 +814,7 @@ static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local + } + + static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local, +- u8 *sn, size_t sn_len) ++ const u8 *sn, size_t sn_len) + { + struct nfc_llcp_sock *llcp_sock; + +@@ -828,9 +828,10 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local, + return llcp_sock; + } + +-static u8 *nfc_llcp_connect_sn(struct sk_buff *skb, size_t *sn_len) ++static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len) + { +- u8 *tlv = &skb->data[2], type, length; ++ u8 type, length; ++ const u8 *tlv = &skb->data[2]; + size_t tlv_array_len = skb->len - LLCP_HEADER_SIZE, offset = 0; + + while (offset < tlv_array_len) { +@@ -888,7 +889,7 @@ static void nfc_llcp_recv_ui(struct nfc_llcp_local *local, + } + + static void nfc_llcp_recv_connect(struct nfc_llcp_local *local, +- struct sk_buff *skb) ++ const struct sk_buff *skb) + { + struct sock *new_sk, *parent; + struct nfc_llcp_sock *sock, *new_sock; +@@ -906,7 +907,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local, + goto fail; + } + } else { +- u8 *sn; ++ const u8 *sn; + size_t sn_len; + + sn = nfc_llcp_connect_sn(skb, &sn_len); +@@ -1125,7 +1126,7 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local, + } + + static void nfc_llcp_recv_disc(struct nfc_llcp_local *local, +- struct sk_buff *skb) ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; + struct sock *sk; +@@ -1168,7 +1169,8 @@ static void nfc_llcp_recv_disc(struct nfc_llcp_local *local, + nfc_llcp_sock_put(llcp_sock); + } + +-static 
void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb) ++static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; + struct sock *sk; +@@ -1201,7 +1203,8 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb) + nfc_llcp_sock_put(llcp_sock); + } + +-static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb) ++static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; + struct sock *sk; +@@ -1239,12 +1242,13 @@ static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb) + } + + static void nfc_llcp_recv_snl(struct nfc_llcp_local *local, +- struct sk_buff *skb) ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; +- u8 dsap, ssap, *tlv, type, length, tid, sap; ++ u8 dsap, ssap, type, length, tid, sap; ++ const u8 *tlv; + u16 tlv_len, offset; +- char *service_name; ++ const char *service_name; + size_t service_name_len; + struct nfc_llcp_sdp_tlv *sdp; + HLIST_HEAD(llc_sdres_list); +diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h +index 6c6f76b370b1e..c792165f523f1 100644 +--- a/net/nfc/nfc.h ++++ b/net/nfc/nfc.h +@@ -60,7 +60,7 @@ void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx, + u8 comm_mode, u8 rf_mode); + int nfc_llcp_register_device(struct nfc_dev *dev); + void nfc_llcp_unregister_device(struct nfc_dev *dev); +-int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len); ++int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len); + u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len); + int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb); + struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev); +-- +2.39.2 + 
diff --git a/tmp-4.19/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch b/tmp-4.19/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch
new file mode 100644
index 00000000000..11ed79bf3e6
--- /dev/null
+++ b/tmp-4.19/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch
@@ -0,0 +1,41 @@
+From 994bdd8700413b10cf79b929542fa04709405edc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 May 2023 13:52:04 +0200
+Subject: nfc: llcp: fix possible use of uninitialized variable in
+ nfc_llcp_send_connect()
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 0d9b41daa5907756a31772d8af8ac5ff25cf17c1 ]
+
+If sock->service_name is NULL, the local variable
+service_name_tlv_length will not be assigned by nfc_llcp_build_tlv(),
+later leading to using value frmo the stack. Smatch warning:
+
+ net/nfc/llcp_commands.c:442 nfc_llcp_send_connect() error: uninitialized symbol 'service_name_tlv_length'.
+
+Fixes: de9e5aeb4f40 ("NFC: llcp: Fix usage of llcp_add_tlv()")
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/nfc/llcp_commands.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
+index 6dcad7bcf20bb..737c7aa384f44 100644
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -406,7 +406,8 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock)
+ const u8 *service_name_tlv = NULL;
+ const u8 *miux_tlv = NULL;
+ const u8 *rw_tlv = NULL;
+- u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw;
++ u8 service_name_tlv_length = 0;
++ u8 miux_tlv_length, rw_tlv_length, rw;
+ int err;
+ u16 size = 0;
+ __be16 miux;
+--
+2.39.2
+
diff --git a/tmp-4.19/nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch b/tmp-4.19/nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch
new file mode 100644
index 00000000000..2b26b53577f
--- /dev/null
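Review bot: Only `service_name_tlv_length` gets an initialiser in the declaration block of nfc_llcp_send_connect(); `miux_tlv_length` and `rw_tlv_length` are still declared without one on the next added line. Whether they can be read unassigned depends on the failure paths of nfc_llcp_build_tlv() and on the checks later in this function, both of which are outside the hunk, so this needs confirming rather than assuming. Declaring them as `u8 miux_tlv_length = 0, rw_tlv_length = 0, rw;` would rule out a stack value reaching the later length arithmetic in the same way the commit does for the service name.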
+++ b/tmp-4.19/nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch
@@ -0,0 +1,32 @@
+From 58f5d894006d82ed7335e1c37182fbc5f08c2f51 Mon Sep 17 00:00:00 2001
+From: Dai Ngo
+Date: Tue, 6 Jun 2023 16:41:02 -0700
+Subject: NFSD: add encoding of op_recall flag for write delegation
+
+From: Dai Ngo
+
+commit 58f5d894006d82ed7335e1c37182fbc5f08c2f51 upstream.
+
+Modified nfsd4_encode_open to encode the op_recall flag properly
+for OPEN result with write delegation granted.
+
+Signed-off-by: Dai Ngo
+Reviewed-by: Jeff Layton
+Signed-off-by: Chuck Lever
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4xdr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -3403,7 +3403,7 @@ nfsd4_encode_open(struct nfsd4_compoundr
+ p = xdr_reserve_space(xdr, 32);
+ if (!p)
+ return nfserr_resource;
+- *p++ = cpu_to_be32(0);
++ *p++ = cpu_to_be32(open->op_recall);
+
+ /*
+ * TODO: space_limit's in delegations
diff --git a/tmp-4.19/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch b/tmp-4.19/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch
new file mode 100644
index 00000000000..50404b9a780
--- /dev/null
+++ b/tmp-4.19/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch
@@ -0,0 +1,64 @@
+From 5d7e064f00a219bea355726f35ad8949bc616514 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 5 Nov 2022 09:43:09 +0000
+Subject: NTB: amd: Fix error handling in amd_ntb_pci_driver_init()
+
+From: Yuan Can
+
+[ Upstream commit 98af0a33c1101c29b3ce4f0cf4715fd927c717f9 ]
+
+A problem about ntb_hw_amd create debugfs failed is triggered with the
+following log given:
+
+ [ 618.431232] AMD(R) PCI-E Non-Transparent Bridge Driver 1.0
+ [ 618.433284] debugfs: Directory 'ntb_hw_amd' with parent '/' already present!
+
+The reason is that amd_ntb_pci_driver_init() returns pci_register_driver()
+directly without checking its return value, if pci_register_driver()
+failed, it returns without destroy the newly created debugfs, resulting
+the debugfs of ntb_hw_amd can never be created later.
+
+ amd_ntb_pci_driver_init()
+ debugfs_create_dir() # create debugfs directory
+ pci_register_driver()
+ driver_register()
+ bus_add_driver()
+ priv = kzalloc(...) # OOM happened
+ # return without destroy debugfs directory
+
+Fix by removing debugfs when pci_register_driver() returns error.
+
+Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge")
+Signed-off-by: Yuan Can
+Signed-off-by: Jon Mason
+Signed-off-by: Sasha Levin
+---
+ drivers/ntb/hw/amd/ntb_hw_amd.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c
+index 0b1fbb5dba9b6..7de7616803935 100644
+--- a/drivers/ntb/hw/amd/ntb_hw_amd.c
++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c
+@@ -1139,12 +1139,17 @@ static struct pci_driver amd_ntb_pci_driver = {
+
+ static int __init amd_ntb_pci_driver_init(void)
+ {
++ int ret;
+ pr_info("%s %s\n", NTB_DESC, NTB_VER);
+
+ if (debugfs_initialized())
+ debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL);
+
+- return pci_register_driver(&amd_ntb_pci_driver);
++ ret = pci_register_driver(&amd_ntb_pci_driver);
++ if (ret)
++ debugfs_remove_recursive(debugfs_dir);
++
++ return ret;
+ }
+ module_init(amd_ntb_pci_driver_init);
+
+--
+2.39.2
+
diff --git a/tmp-4.19/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch b/tmp-4.19/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch
new file mode 100644
index 00000000000..2613d7d0cfa
--- /dev/null
+++ b/tmp-4.19/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch
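Review bot: The added `int ret;` in amd_ntb_pci_driver_init() is followed directly by `pr_info(...)` with no blank line after the declaration, which kernel coding style asks for; the same applies to the `int ret;` added in idt_pci_driver_init() and intel_ntb_pci_driver_init() in the two following patches. In all three, the directory pointer (`debugfs_dir`, `dbgfs_topdir`) is declared outside the function and keeps its stale value after `debugfs_remove_recursive()`. Because the init function then returns the error this is probably harmless, but assigning `debugfs_dir = NULL;` right after the removal would make that explicit for any later reader of the pointer.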
@@ -0,0 +1,66 @@
+From 6c414abbd187488cca9dedbfb323305e19628e74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 5 Nov 2022 09:43:01 +0000
+Subject: ntb: idt: Fix error handling in idt_pci_driver_init()
+
+From: Yuan Can
+
+[ Upstream commit c012968259b451dc4db407f2310fe131eaefd800 ]
+
+A problem about ntb_hw_idt create debugfs failed is triggered with the
+following log given:
+
+ [ 1236.637636] IDT PCI-E Non-Transparent Bridge Driver 2.0
+ [ 1236.639292] debugfs: Directory 'ntb_hw_idt' with parent '/' already present!
+
+The reason is that idt_pci_driver_init() returns pci_register_driver()
+directly without checking its return value, if pci_register_driver()
+failed, it returns without destroy the newly created debugfs, resulting
+the debugfs of ntb_hw_idt can never be created later.
+
+ idt_pci_driver_init()
+ debugfs_create_dir() # create debugfs directory
+ pci_register_driver()
+ driver_register()
+ bus_add_driver()
+ priv = kzalloc(...) # OOM happened
+ # return without destroy debugfs directory
+
+Fix by removing debugfs when pci_register_driver() returns error.
+
+Fixes: bf2a952d31d2 ("NTB: Add IDT 89HPESxNTx PCIe-switches support")
+Signed-off-by: Yuan Can
+Signed-off-by: Jon Mason
+Signed-off-by: Sasha Levin
+---
+ drivers/ntb/hw/idt/ntb_hw_idt.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c
+index a67ef23e81bca..82e08f583980b 100644
+--- a/drivers/ntb/hw/idt/ntb_hw_idt.c
++++ b/drivers/ntb/hw/idt/ntb_hw_idt.c
+@@ -2692,6 +2692,7 @@ static struct pci_driver idt_pci_driver = {
+
+ static int __init idt_pci_driver_init(void)
+ {
++ int ret;
+ pr_info("%s %s\n", NTB_DESC, NTB_VER);
+
+ /* Create the top DebugFS directory if the FS is initialized */
+@@ -2699,7 +2700,11 @@ static int __init idt_pci_driver_init(void)
+ dbgfs_topdir = debugfs_create_dir(KBUILD_MODNAME, NULL);
+
+ /* Register the NTB hardware driver to handle the PCI device */
+- return pci_register_driver(&idt_pci_driver);
++ ret = pci_register_driver(&idt_pci_driver);
++ if (ret)
++ debugfs_remove_recursive(dbgfs_topdir);
++
++ return ret;
+ }
+ module_init(idt_pci_driver_init);
+
+--
+2.39.2
+
diff --git a/tmp-4.19/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch b/tmp-4.19/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch
new file mode 100644
index 00000000000..e1e8747c123
--- /dev/null
+++ b/tmp-4.19/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch
@@ -0,0 +1,65 @@
+From 358aa040c10230eb3cb6ebcf84c9dfe99ded0948 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 5 Nov 2022 09:43:22 +0000
+Subject: ntb: intel: Fix error handling in intel_ntb_pci_driver_init()
+
+From: Yuan Can
+
+[ Upstream commit 4c3c796aca02883ad35bb117468938cc4022ca41 ]
+
+A problem about ntb_hw_intel create debugfs failed is triggered with the
+following log given:
+
+ [ 273.112733] Intel(R) PCI-E Non-Transparent Bridge Driver 2.0
+ [ 273.115342] debugfs: Directory 'ntb_hw_intel' with parent '/' already present!
+
+The reason is that intel_ntb_pci_driver_init() returns
+pci_register_driver() directly without checking its return value, if
+pci_register_driver() failed, it returns without destroy the newly created
+debugfs, resulting the debugfs of ntb_hw_intel can never be created later.
+
+ intel_ntb_pci_driver_init()
+ debugfs_create_dir() # create debugfs directory
+ pci_register_driver()
+ driver_register()
+ bus_add_driver()
+ priv = kzalloc(...) # OOM happened
+ # return without destroy debugfs directory
+
+Fix by removing debugfs when pci_register_driver() returns error.
+
+Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers")
+Signed-off-by: Yuan Can
+Acked-by: Dave Jiang
+Signed-off-by: Jon Mason
+Signed-off-by: Sasha Levin
+---
+ drivers/ntb/hw/intel/ntb_hw_gen1.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c
+index 2ad263f708da7..084bd1d1ac1dc 100644
+--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c
++++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c
+@@ -2052,12 +2052,17 @@ static struct pci_driver intel_ntb_pci_driver = {
+
+ static int __init intel_ntb_pci_driver_init(void)
+ {
++ int ret;
+ pr_info("%s %s\n", NTB_DESC, NTB_VER);
+
+ if (debugfs_initialized())
+ debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL);
+
+- return pci_register_driver(&intel_ntb_pci_driver);
++ ret = pci_register_driver(&intel_ntb_pci_driver);
++ if (ret)
++ debugfs_remove_recursive(debugfs_dir);
++
++ return ret;
+ }
+ module_init(intel_ntb_pci_driver_init);
+
+--
+2.39.2
+
diff --git a/tmp-4.19/ntb-ntb_tool-add-check-for-devm_kcalloc.patch b/tmp-4.19/ntb-ntb_tool-add-check-for-devm_kcalloc.patch
new file mode 100644
index 00000000000..eb80d5ff7cf
--- /dev/null
+++ b/tmp-4.19/ntb-ntb_tool-add-check-for-devm_kcalloc.patch
@@ -0,0 +1,39 @@
+From f72bc20308a55f4ea33714c839246367d246b89d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Nov 2022 11:32:44 +0800
+Subject: NTB: ntb_tool: Add check for devm_kcalloc
+
+From: Jiasheng Jiang
+
+[ Upstream commit 2790143f09938776a3b4f69685b380bae8fd06c7 ]
+
+As the devm_kcalloc may return NULL pointer,
+it should be better to add check for the return
+value, as same as the others.
+
+Fixes: 7f46c8b3a552 ("NTB: ntb_tool: Add full multi-port NTB API support")
+Signed-off-by: Jiasheng Jiang
+Reviewed-by: Serge Semin
+Reviewed-by: Dave Jiang
+Signed-off-by: Jon Mason
+Signed-off-by: Sasha Levin
+---
+ drivers/ntb/test/ntb_tool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c
+index 6301aa413c3b8..1f64146546221 100644
+--- a/drivers/ntb/test/ntb_tool.c
++++ b/drivers/ntb/test/ntb_tool.c
+@@ -998,6 +998,8 @@ static int tool_init_mws(struct tool_ctx *tc)
+ tc->peers[pidx].outmws =
+ devm_kcalloc(&tc->ntb->dev, tc->peers[pidx].outmw_cnt,
+ sizeof(*tc->peers[pidx].outmws), GFP_KERNEL);
++ if (tc->peers[pidx].outmws == NULL)
++ return -ENOMEM;
+
+ for (widx = 0; widx < tc->peers[pidx].outmw_cnt; widx++) {
+ tc->peers[pidx].outmws[widx].pidx = pidx;
+--
+2.39.2
+
diff --git a/tmp-4.19/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch b/tmp-4.19/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch
new file mode 100644
index 00000000000..8fd7c5128b6
--- /dev/null
+++ b/tmp-4.19/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch
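Review bot: The new allocation check in tool_init_mws() is spelled `if (tc->peers[pidx].outmws == NULL)`, where kernel style and checkpatch prefer `if (!tc->peers[pidx].outmws)`. The early `return -ENOMEM;` sits in what looks like a per-peer loop whose start and end are outside the hunk, so it is worth confirming that nothing set up for earlier peers needs unwinding beyond the devm-managed allocations. A caller that ignores the return value would still reach the `outmws[widx]` writes on a later path, so the caller's handling deserves a look as well.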
@@ -0,0 +1,42 @@
+From 7b07412afefa9dcd30ba063fc844a1f2104b6fae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Nov 2022 23:19:17 +0800
+Subject: NTB: ntb_transport: fix possible memory leak while device_register()
+ fails
+
+From: Yang Yingliang
+
+[ Upstream commit 8623ccbfc55d962e19a3537652803676ad7acb90 ]
+
+If device_register() returns error, the name allocated by
+dev_set_name() need be freed. As comment of device_register()
+says, it should use put_device() to give up the reference in
+the error path. So fix this by calling put_device(), then the
+name can be freed in kobject_cleanup(), and client_dev is freed
+in ntb_transport_client_release().
+
+Fixes: fce8a7bb5b4b ("PCI-Express Non-Transparent Bridge Support")
+Signed-off-by: Yang Yingliang
+Reviewed-by: Dave Jiang
+Signed-off-by: Jon Mason
+Signed-off-by: Sasha Levin
+---
+ drivers/ntb/ntb_transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c
+index 9398959664769..2d647a1cd0ee5 100644
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -393,7 +393,7 @@ int ntb_transport_register_client_dev(char *device_name)
+
+ rc = device_register(dev);
+ if (rc) {
+- kfree(client_dev);
++ put_device(dev);
+ goto err;
+ }
+
+--
+2.39.2
+
diff --git a/tmp-4.19/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch b/tmp-4.19/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch
new file mode 100644
index 00000000000..31ae4684215
--- /dev/null
+++ b/tmp-4.19/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch
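Review bot: The `put_device(dev);` call in the `if (rc)` branch carries no comment saying that it now owns the freeing of `client_dev`, and that is easy to undo by accident. It only works if a release callback was installed on `dev` before `device_register()`, and that assignment is outside this hunk. A one-line comment above the call, such as `/* device_register() failed: drop the ref so ->release() frees client_dev and the name */`, would keep a later cleanup from re-adding the `kfree()` and turning the leak fix into a double free. The `err` label is also outside the hunk and should not touch `client_dev` after this point.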
@@ -0,0 +1,36 @@
+From 88d341716b83abd355558523186ca488918627ee Mon Sep 17 00:00:00 2001
+From: Robin Murphy
+Date: Wed, 7 Jun 2023 18:18:47 +0100
+Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9235
+
+From: Robin Murphy
+
+commit 88d341716b83abd355558523186ca488918627ee upstream.
+
+Marvell's own product brief implies the 92xx series are a closely related
+family, and sure enough it turns out that 9235 seems to need the same quirk
+as the other three, although possibly only when certain ports are used.
+
+Link: https://lore.kernel.org/linux-iommu/2a699a99-545c-1324-e052-7d2f41fed1ae@yahoo.co.uk/
+Link: https://lore.kernel.org/r/731507e05d70239aec96fcbfab6e65d8ce00edd2.1686157165.git.robin.murphy@arm.com
+Reported-by: Jason Adriaanse
+Signed-off-by: Robin Murphy
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Christoph Hellwig
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4074,6 +4074,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M
+ /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230,
+ quirk_dma_func1_alias);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9235,
++ quirk_dma_func1_alias);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0642,
+ quirk_dma_func1_alias);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0645,
diff --git a/tmp-4.19/pci-add-pci_clear_master-stub-for-non-config_pci.patch b/tmp-4.19/pci-add-pci_clear_master-stub-for-non-config_pci.patch
new file mode 100644
index 00000000000..d1f2b4cef8e
--- /dev/null
+++ b/tmp-4.19/pci-add-pci_clear_master-stub-for-non-config_pci.patch
@@ -0,0 +1,39 @@
+From 6c18e9d066dee0688410a364ac9344b0379068e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 May 2023 18:27:44 +0800
+Subject: PCI: Add pci_clear_master() stub for non-CONFIG_PCI
+
+From: Sui Jingfeng
+
+[ Upstream commit 2aa5ac633259843f656eb6ecff4cf01e8e810c5e ]
+
+Add a pci_clear_master() stub when CONFIG_PCI is not set so drivers that
+support both PCI and platform devices don't need #ifdefs or extra Kconfig
+symbols for the PCI parts.
+
+[bhelgaas: commit log]
+Fixes: 6a479079c072 ("PCI: Add pci_clear_master() as opposite of pci_set_master()")
+Link: https://lore.kernel.org/r/20230531102744.2354313-1-suijingfeng@loongson.cn
+Signed-off-by: Sui Jingfeng
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+---
+ include/linux/pci.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/pci.h b/include/linux/pci.h
+index 3e06e9790c255..1d1b0bfd51968 100644
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -1643,6 +1643,7 @@ static inline struct pci_dev *pci_get_class(unsigned int class,
+ #define pci_dev_put(dev) do { } while (0)
+
+ static inline void pci_set_master(struct pci_dev *dev) { }
++static inline void pci_clear_master(struct pci_dev *dev) { }
+ static inline int pci_enable_device(struct pci_dev *dev) { return -EIO; }
+ static inline void pci_disable_device(struct pci_dev *dev) { }
+ static inline int pci_assign_resource(struct pci_dev *dev, int i)
+--
+2.39.2
+
diff --git a/tmp-4.19/pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch b/tmp-4.19/pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch
new file mode 100644
index 00000000000..2a67c529051
--- /dev/null
+++ b/tmp-4.19/pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch
@@ -0,0 +1,46 @@
+From 9e30fd26f43b89cb6b4e850a86caa2e50dedb454 Mon Sep 17 00:00:00 2001
+From: Ondrej Zary
+Date: Wed, 14 Jun 2023 09:42:53 +0200
+Subject: PCI/PM: Avoid putting EloPOS E2/S2/H2 PCIe Ports in D3cold
+
+From: Ondrej Zary
+
+commit 9e30fd26f43b89cb6b4e850a86caa2e50dedb454 upstream.
+
+The quirk for Elo i2 introduced in commit 92597f97a40b ("PCI/PM: Avoid
+putting Elo i2 PCIe Ports in D3cold") is also needed by EloPOS E2/S2/H2
+which uses the same Continental Z2 board.
+
+Change the quirk to match the board instead of system.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215715
+Link: https://lore.kernel.org/r/20230614074253.22318-1-linux@zary.sk
+Signed-off-by: Ondrej Zary
+Signed-off-by: Bjorn Helgaas
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/pci.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -2521,13 +2521,13 @@ static const struct dmi_system_id bridge
+ {
+ /*
+ * Downstream device is not accessible after putting a root port
+- * into D3cold and back into D0 on Elo i2.
++ * into D3cold and back into D0 on Elo Continental Z2 board
+ */
+- .ident = "Elo i2",
++ .ident = "Elo Continental Z2",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Elo Touch Solutions"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Elo i2"),
+- DMI_MATCH(DMI_PRODUCT_VERSION, "RevB"),
++ DMI_MATCH(DMI_BOARD_VENDOR, "Elo Touch Solutions"),
++ DMI_MATCH(DMI_BOARD_NAME, "Geminilake"),
++ DMI_MATCH(DMI_BOARD_VERSION, "Continental Z2"),
+ },
+ },
+ #endif
diff --git a/tmp-4.19/pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch b/tmp-4.19/pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch
new file mode 100644
index 00000000000..5279a396ce6
--- /dev/null
+++ b/tmp-4.19/pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch
@@ -0,0 +1,34 @@
+From a33d700e8eea76c62120cb3dbf5e01328f18319a Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam
+Date: Mon, 19 Jun 2023 20:34:00 +0530
+Subject: PCI: qcom: Disable write access to read only registers for IP v2.3.3
+
+From: Manivannan Sadhasivam
+
+commit a33d700e8eea76c62120cb3dbf5e01328f18319a upstream.
+
+In the post init sequence of v2.9.0, write access to read only registers
+are not disabled after updating the registers. Fix it by disabling the
+access after register update.
+
+Link: https://lore.kernel.org/r/20230619150408.8468-2-manivannan.sadhasivam@linaro.org
+Fixes: 5d76117f070d ("PCI: qcom: Add support for IPQ8074 PCIe controller")
+Signed-off-by: Manivannan Sadhasivam
+Signed-off-by: Lorenzo Pieralisi
+Cc:
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/controller/dwc/pcie-qcom.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pci/controller/dwc/pcie-qcom.c
++++ b/drivers/pci/controller/dwc/pcie-qcom.c
+@@ -758,6 +758,8 @@ static int qcom_pcie_get_resources_2_4_0
+ if (IS_ERR(res->phy_ahb_reset))
+ return PTR_ERR(res->phy_ahb_reset);
+
++ dw_pcie_dbi_ro_wr_dis(pci);
++
+ return 0;
+ }
+
diff --git a/tmp-4.19/pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch b/tmp-4.19/pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch
new file mode 100644
index 00000000000..4dfcd00274a
--- /dev/null
+++ b/tmp-4.19/pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch
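Review bot: `dw_pcie_dbi_ro_wr_dis(pci);` is added at the tail of what the hunk header and the `res->phy_ahb_reset` context identify as qcom_pcie_get_resources_2_4_0(), a resource-lookup function. The commit message describes disabling write access at the end of a post-init register update, with the subject naming IP v2.3.3 and the body naming v2.9.0. No register update or matching write-enable is visible in this hunk, so the call appears to have been applied to the wrong function in this backport, which would leave the read-only DBI registers writable on the path the fix was meant for. Please compare the placement with the upstream commit and move the call to the end of the v2.3.3 post-init function; the enclosing function starts outside the hunk.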
@@ -0,0 +1,81 @@ +From 9dd3c7c4c8c3f7f010d9cdb7c3f42506d93c9527 Mon Sep 17 00:00:00 2001 +From: Rick Wertenbroek +Date: Tue, 18 Apr 2023 09:46:51 +0200 +Subject: PCI: rockchip: Add poll and timeout to wait for PHY PLLs to be locked + +From: Rick Wertenbroek + +commit 9dd3c7c4c8c3f7f010d9cdb7c3f42506d93c9527 upstream. + +The RK3399 PCIe controller should wait until the PHY PLLs are locked. +Add poll and timeout to wait for PHY PLLs to be locked. If they cannot +be locked generate error message and jump to error handler. Accessing +registers in the PHY clock domain when PLLs are not locked causes hang +The PHY PLLs status is checked through a side channel register. +This is documented in the TRM section 17.5.8.1 "PCIe Initialization +Sequence". + +Link: https://lore.kernel.org/r/20230418074700.1083505-5-rick.wertenbroek@gmail.com +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Tested-by: Damien Le Moal +Signed-off-by: Rick Wertenbroek +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip.c | 17 +++++++++++++++++ + drivers/pci/controller/pcie-rockchip.h | 2 ++ + 2 files changed, 19 insertions(+) + +--- a/drivers/pci/controller/pcie-rockchip.c ++++ b/drivers/pci/controller/pcie-rockchip.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -154,6 +155,12 @@ int rockchip_pcie_parse_dt(struct rockch + } + EXPORT_SYMBOL_GPL(rockchip_pcie_parse_dt); + ++#define rockchip_pcie_read_addr(addr) rockchip_pcie_read(rockchip, addr) ++/* 100 ms max wait time for PHY PLLs to lock */ ++#define RK_PHY_PLL_LOCK_TIMEOUT_US 100000 ++/* Sleep should be less than 20ms */ ++#define RK_PHY_PLL_LOCK_SLEEP_US 1000 ++ + int rockchip_pcie_init_port(struct rockchip_pcie *rockchip) + { + struct device *dev = rockchip->dev; +@@ -255,6 +262,16 @@ int rockchip_pcie_init_port(struct rockc + } + } + ++ 
err = readx_poll_timeout(rockchip_pcie_read_addr, ++ PCIE_CLIENT_SIDE_BAND_STATUS, ++ regs, !(regs & PCIE_CLIENT_PHY_ST), ++ RK_PHY_PLL_LOCK_SLEEP_US, ++ RK_PHY_PLL_LOCK_TIMEOUT_US); ++ if (err) { ++ dev_err(dev, "PHY PLLs could not lock, %d\n", err); ++ goto err_power_off_phy; ++ } ++ + /* + * Please don't reorder the deassert sequence of the following + * four reset pins. +--- a/drivers/pci/controller/pcie-rockchip.h ++++ b/drivers/pci/controller/pcie-rockchip.h +@@ -37,6 +37,8 @@ + #define PCIE_CLIENT_MODE_EP HIWORD_UPDATE(0x0040, 0) + #define PCIE_CLIENT_GEN_SEL_1 HIWORD_UPDATE(0x0080, 0) + #define PCIE_CLIENT_GEN_SEL_2 HIWORD_UPDATE_BIT(0x0080) ++#define PCIE_CLIENT_SIDE_BAND_STATUS (PCIE_CLIENT_BASE + 0x20) ++#define PCIE_CLIENT_PHY_ST BIT(12) + #define PCIE_CLIENT_DEBUG_OUT_0 (PCIE_CLIENT_BASE + 0x3c) + #define PCIE_CLIENT_DEBUG_LTSSM_MASK GENMASK(5, 0) + #define PCIE_CLIENT_DEBUG_LTSSM_L1 0x18 diff --git a/tmp-4.19/pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch b/tmp-4.19/pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch new file mode 100644 index 00000000000..40b24130c7a --- /dev/null +++ b/tmp-4.19/pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch 
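Review bot: The helper macro `rockchip_pcie_read_addr(addr)` expands to `rockchip_pcie_read(rockchip, addr)`, so it silently captures whatever variable named `rockchip` is in scope at the call site. It is defined at file scope above rockchip_pcie_init_port() and never undefined. I would add a comment on the define, such as `/* relies on a local 'rockchip' in the caller; only for readx_poll_timeout() in rockchip_pcie_init_port() */`, and an `#undef rockchip_pcie_read_addr` after the function so it cannot be reused where that local has a different meaning. The `regs` variable and the `err_power_off_phy` label used by the new `readx_poll_timeout()` call are declared outside the hunk, and the poll sleeps, so the function must only be reached from sleepable context.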
@@ -0,0 +1,40 @@
+From f397fd4ac1fa3afcabd8cee030f953ccaed2a364 Mon Sep 17 00:00:00 2001
+From: Rick Wertenbroek
+Date: Tue, 18 Apr 2023 09:46:50 +0200
+Subject: PCI: rockchip: Assert PCI Configuration Enable bit after probe
+
+From: Rick Wertenbroek
+
+commit f397fd4ac1fa3afcabd8cee030f953ccaed2a364 upstream.
+
+Assert PCI Configuration Enable bit after probe. When this bit is left to
+0 in the endpoint mode, the RK3399 PCIe endpoint core will generate
+configuration request retry status (CRS) messages back to the root complex.
+Assert this bit after probe to allow the RK3399 PCIe endpoint core to reply
+to configuration requests from the root complex.
+This is documented in section 17.5.8.1.2 of the RK3399 TRM.
+
+Link: https://lore.kernel.org/r/20230418074700.1083505-4-rick.wertenbroek@gmail.com
+Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller")
+Tested-by: Damien Le Moal
+Signed-off-by: Rick Wertenbroek
+Signed-off-by: Lorenzo Pieralisi
+Reviewed-by: Damien Le Moal
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/controller/pcie-rockchip-ep.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/pci/controller/pcie-rockchip-ep.c
++++ b/drivers/pci/controller/pcie-rockchip-ep.c
+@@ -620,6 +620,9 @@ static int rockchip_pcie_ep_probe(struct
+
+ ep->irq_pci_addr = ROCKCHIP_PCIE_EP_DUMMY_IRQ_ADDR;
+
++ rockchip_pcie_write(rockchip, PCIE_CLIENT_CONF_ENABLE,
++ PCIE_CLIENT_CONFIG);
++
+ return 0;
+ err_epc_mem_exit:
+ pci_epc_mem_exit(epc);
diff --git a/tmp-4.19/pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch b/tmp-4.19/pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch
new file mode 100644
index 00000000000..91128349f15
--- /dev/null
+++ b/tmp-4.19/pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch
@@ -0,0 +1,113 @@ +From 166e89d99dd85a856343cca51eee781b793801f2 Mon Sep 17 00:00:00 2001 +From: Rick Wertenbroek +Date: Tue, 18 Apr 2023 09:46:54 +0200 +Subject: PCI: rockchip: Fix legacy IRQ generation for RK3399 PCIe endpoint core + +From: Rick Wertenbroek + +commit 166e89d99dd85a856343cca51eee781b793801f2 upstream. + +Fix legacy IRQ generation for RK3399 PCIe endpoint core according to +the technical reference manual (TRM). Assert and deassert legacy +interrupt (INTx) through the legacy interrupt control register +("PCIE_CLIENT_LEGACY_INT_CTRL") instead of manually generating a PCIe +message. The generation of the legacy interrupt was tested and validated +with the PCIe endpoint test driver. + +Link: https://lore.kernel.org/r/20230418074700.1083505-8-rick.wertenbroek@gmail.com +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Tested-by: Damien Le Moal +Signed-off-by: Rick Wertenbroek +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip-ep.c | 45 +++++++----------------------- + drivers/pci/controller/pcie-rockchip.h | 6 +++- + 2 files changed, 16 insertions(+), 35 deletions(-) + +--- a/drivers/pci/controller/pcie-rockchip-ep.c ++++ b/drivers/pci/controller/pcie-rockchip-ep.c +@@ -346,48 +346,25 @@ static int rockchip_pcie_ep_get_msi(stru + } + + static void rockchip_pcie_ep_assert_intx(struct rockchip_pcie_ep *ep, u8 fn, +- u8 intx, bool is_asserted) ++ u8 intx, bool do_assert) + { + struct rockchip_pcie *rockchip = &ep->rockchip; +- u32 r = ep->max_regions - 1; +- u32 offset; +- u32 status; +- u8 msg_code; +- +- if (unlikely(ep->irq_pci_addr != ROCKCHIP_PCIE_EP_PCI_LEGACY_IRQ_ADDR || +- ep->irq_pci_fn != fn)) { +- rockchip_pcie_prog_ep_ob_atu(rockchip, fn, r, +- AXI_WRAPPER_NOR_MSG, +- ep->irq_phys_addr, 0, 0); +- ep->irq_pci_addr = ROCKCHIP_PCIE_EP_PCI_LEGACY_IRQ_ADDR; +- ep->irq_pci_fn = fn; +- } + + intx &= 
3; +- if (is_asserted) { ++ ++ if (do_assert) { + ep->irq_pending |= BIT(intx); +- msg_code = ROCKCHIP_PCIE_MSG_CODE_ASSERT_INTA + intx; ++ rockchip_pcie_write(rockchip, ++ PCIE_CLIENT_INT_IN_ASSERT | ++ PCIE_CLIENT_INT_PEND_ST_PEND, ++ PCIE_CLIENT_LEGACY_INT_CTRL); + } else { + ep->irq_pending &= ~BIT(intx); +- msg_code = ROCKCHIP_PCIE_MSG_CODE_DEASSERT_INTA + intx; ++ rockchip_pcie_write(rockchip, ++ PCIE_CLIENT_INT_IN_DEASSERT | ++ PCIE_CLIENT_INT_PEND_ST_NORMAL, ++ PCIE_CLIENT_LEGACY_INT_CTRL); + } +- +- status = rockchip_pcie_read(rockchip, +- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + +- ROCKCHIP_PCIE_EP_CMD_STATUS); +- status &= ROCKCHIP_PCIE_EP_CMD_STATUS_IS; +- +- if ((status != 0) ^ (ep->irq_pending != 0)) { +- status ^= ROCKCHIP_PCIE_EP_CMD_STATUS_IS; +- rockchip_pcie_write(rockchip, status, +- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + +- ROCKCHIP_PCIE_EP_CMD_STATUS); +- } +- +- offset = +- ROCKCHIP_PCIE_MSG_ROUTING(ROCKCHIP_PCIE_MSG_ROUTING_LOCAL_INTX) | +- ROCKCHIP_PCIE_MSG_CODE(msg_code) | ROCKCHIP_PCIE_MSG_NO_DATA; +- writel(0, ep->irq_cpu_addr + offset); + } + + static int rockchip_pcie_ep_send_legacy_irq(struct rockchip_pcie_ep *ep, u8 fn, +--- a/drivers/pci/controller/pcie-rockchip.h ++++ b/drivers/pci/controller/pcie-rockchip.h +@@ -37,6 +37,11 @@ + #define PCIE_CLIENT_MODE_EP HIWORD_UPDATE(0x0040, 0) + #define PCIE_CLIENT_GEN_SEL_1 HIWORD_UPDATE(0x0080, 0) + #define PCIE_CLIENT_GEN_SEL_2 HIWORD_UPDATE_BIT(0x0080) ++#define PCIE_CLIENT_LEGACY_INT_CTRL (PCIE_CLIENT_BASE + 0x0c) ++#define PCIE_CLIENT_INT_IN_ASSERT HIWORD_UPDATE_BIT(0x0002) ++#define PCIE_CLIENT_INT_IN_DEASSERT HIWORD_UPDATE(0x0002, 0) ++#define PCIE_CLIENT_INT_PEND_ST_PEND HIWORD_UPDATE_BIT(0x0001) ++#define PCIE_CLIENT_INT_PEND_ST_NORMAL HIWORD_UPDATE(0x0001, 0) + #define PCIE_CLIENT_SIDE_BAND_STATUS (PCIE_CLIENT_BASE + 0x20) + #define PCIE_CLIENT_PHY_ST BIT(12) + #define PCIE_CLIENT_DEBUG_OUT_0 (PCIE_CLIENT_BASE + 0x3c) +@@ -234,7 +239,6 @@ + #define ROCKCHIP_PCIE_EP_MSI_CTRL_ME BIT(16) + #define 
ROCKCHIP_PCIE_EP_MSI_CTRL_MASK_MSI_CAP BIT(24) + #define ROCKCHIP_PCIE_EP_DUMMY_IRQ_ADDR 0x1 +-#define ROCKCHIP_PCIE_EP_PCI_LEGACY_IRQ_ADDR 0x3 + #define ROCKCHIP_PCIE_EP_FUNC_BASE(fn) (((fn) << 12) & GENMASK(19, 12)) + #define ROCKCHIP_PCIE_AT_IB_EP_FUNC_BAR_ADDR0(fn, bar) \ + (PCIE_RC_RP_ATS_BASE + 0x0840 + (fn) * 0x0040 + (bar) * 0x0008) diff --git a/tmp-4.19/pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch b/tmp-4.19/pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch new file mode 100644 index 00000000000..8efd0dcdc05 --- /dev/null +++ b/tmp-4.19/pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch 
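Review bot: In the new body of rockchip_pcie_ep_assert_intx() neither `fn` nor `intx` reaches the hardware: both branches write a fixed value to `PCIE_CLIENT_LEGACY_INT_CTRL`, `fn` is no longer referenced at all, and `intx` only updates `ep->irq_pending`, which this function no longer reads. If the client register drives a single legacy interrupt line (the hunk suggests so, but the TRM should confirm it), a comment such as `/* The client register raises one legacy interrupt; fn and intx do not select a line */` would say that. It is also worth checking whether `irq_pending` still has a reader elsewhere in the file. The two `rockchip_pcie_write()` calls differ only in the value, so choosing the value in the branches and writing once would be shorter.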
@@ -0,0 +1,76 @@ +From 8962b2cb39119cbda4fc69a1f83957824f102f81 Mon Sep 17 00:00:00 2001 +From: Rick Wertenbroek +Date: Tue, 18 Apr 2023 09:46:56 +0200 +Subject: PCI: rockchip: Use u32 variable to access 32-bit registers + +From: Rick Wertenbroek + +commit 8962b2cb39119cbda4fc69a1f83957824f102f81 upstream. + +Previously u16 variables were used to access 32-bit registers, this +resulted in not all of the data being read from the registers. Also +the left shift of more than 16-bits would result in moving data out +of the variable. Use u32 variables to access 32-bit registers + +Link: https://lore.kernel.org/r/20230418074700.1083505-10-rick.wertenbroek@gmail.com +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Tested-by: Damien Le Moal +Signed-off-by: Rick Wertenbroek +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip-ep.c | 10 +++++----- + drivers/pci/controller/pcie-rockchip.h | 1 + + 2 files changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/pci/controller/pcie-rockchip-ep.c ++++ b/drivers/pci/controller/pcie-rockchip-ep.c +@@ -313,15 +313,15 @@ static int rockchip_pcie_ep_set_msi(stru + { + struct rockchip_pcie_ep *ep = epc_get_drvdata(epc); + struct rockchip_pcie *rockchip = &ep->rockchip; +- u16 flags; ++ u32 flags; + + flags = rockchip_pcie_read(rockchip, + ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + + ROCKCHIP_PCIE_EP_MSI_CTRL_REG); + flags &= ~ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_MASK; + flags |= +- ((multi_msg_cap << 1) << ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET) | +- PCI_MSI_FLAGS_64BIT; ++ (multi_msg_cap << ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET) | ++ (PCI_MSI_FLAGS_64BIT << ROCKCHIP_PCIE_EP_MSI_FLAGS_OFFSET); + flags &= ~ROCKCHIP_PCIE_EP_MSI_CTRL_MASK_MSI_CAP; + rockchip_pcie_write(rockchip, flags, + ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + +@@ -333,7 +333,7 @@ static int rockchip_pcie_ep_get_msi(stru + { + struct 
rockchip_pcie_ep *ep = epc_get_drvdata(epc); + struct rockchip_pcie *rockchip = &ep->rockchip; +- u16 flags; ++ u32 flags; + + flags = rockchip_pcie_read(rockchip, + ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + +@@ -394,7 +394,7 @@ static int rockchip_pcie_ep_send_msi_irq + u8 interrupt_num) + { + struct rockchip_pcie *rockchip = &ep->rockchip; +- u16 flags, mme, data, data_mask; ++ u32 flags, mme, data, data_mask; + u8 msi_count; + u64 pci_addr, pci_addr_mask = 0xff; + +--- a/drivers/pci/controller/pcie-rockchip.h ++++ b/drivers/pci/controller/pcie-rockchip.h +@@ -232,6 +232,7 @@ + #define ROCKCHIP_PCIE_EP_CMD_STATUS 0x4 + #define ROCKCHIP_PCIE_EP_CMD_STATUS_IS BIT(19) + #define ROCKCHIP_PCIE_EP_MSI_CTRL_REG 0x90 ++#define ROCKCHIP_PCIE_EP_MSI_FLAGS_OFFSET 16 + #define ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET 17 + #define ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_MASK GENMASK(19, 17) + #define ROCKCHIP_PCIE_EP_MSI_CTRL_MME_OFFSET 20 diff --git a/tmp-4.19/pci-rockchip-write-pci-device-id-to-correct-register.patch b/tmp-4.19/pci-rockchip-write-pci-device-id-to-correct-register.patch new file mode 100644 index 00000000000..e0393daa2ca --- /dev/null +++ b/tmp-4.19/pci-rockchip-write-pci-device-id-to-correct-register.patch 
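Review bot: `multi_msg_cap` is shifted into the register in rockchip_pcie_ep_set_msi() without being limited to its three-bit field. `ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_MASK` is `GENMASK(19, 17)` and the MME field starts at bit 20, so a value above 7 would spill into the neighbouring field now that `flags` is 32 bits wide. Masking the shifted value keeps the write inside the field: `((multi_msg_cap << ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET) & ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_MASK)`. The parameter's type and any range check done by the caller are outside the hunk.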
@@ -0,0 +1,60 @@ +From 1f1c42ece18de365c976a060f3c8eb481b038e3a Mon Sep 17 00:00:00 2001 +From: Rick Wertenbroek +Date: Tue, 18 Apr 2023 09:46:49 +0200 +Subject: PCI: rockchip: Write PCI Device ID to correct register + +From: Rick Wertenbroek + +commit 1f1c42ece18de365c976a060f3c8eb481b038e3a upstream. + +Write PCI Device ID (DID) to the correct register. The Device ID was not +updated through the correct register. Device ID was written to a read-only +register and therefore did not work. The Device ID is now set through the +correct register. This is documented in the RK3399 TRM section 17.6.6.1.1 + +Link: https://lore.kernel.org/r/20230418074700.1083505-3-rick.wertenbroek@gmail.com +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Tested-by: Damien Le Moal +Signed-off-by: Rick Wertenbroek +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip-ep.c | 6 ++++-- + drivers/pci/controller/pcie-rockchip.h | 2 ++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/pci/controller/pcie-rockchip-ep.c ++++ b/drivers/pci/controller/pcie-rockchip-ep.c +@@ -124,6 +124,7 @@ static void rockchip_pcie_prog_ep_ob_atu + static int rockchip_pcie_ep_write_header(struct pci_epc *epc, u8 fn, + struct pci_epf_header *hdr) + { ++ u32 reg; + struct rockchip_pcie_ep *ep = epc_get_drvdata(epc); + struct rockchip_pcie *rockchip = &ep->rockchip; + +@@ -136,8 +137,9 @@ static int rockchip_pcie_ep_write_header + PCIE_CORE_CONFIG_VENDOR); + } + +- rockchip_pcie_write(rockchip, hdr->deviceid << 16, +- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + PCI_VENDOR_ID); ++ reg = rockchip_pcie_read(rockchip, PCIE_EP_CONFIG_DID_VID); ++ reg = (reg & 0xFFFF) | (hdr->deviceid << 16); ++ rockchip_pcie_write(rockchip, reg, PCIE_EP_CONFIG_DID_VID); + + rockchip_pcie_write(rockchip, + hdr->revid | +--- a/drivers/pci/controller/pcie-rockchip.h ++++ 
b/drivers/pci/controller/pcie-rockchip.h +@@ -132,6 +132,8 @@ + #define PCIE_RC_RP_ATS_BASE 0x400000 + #define PCIE_RC_CONFIG_NORMAL_BASE 0x800000 + #define PCIE_RC_CONFIG_BASE 0xa00000 ++#define PCIE_EP_CONFIG_BASE 0xa00000 ++#define PCIE_EP_CONFIG_DID_VID (PCIE_EP_CONFIG_BASE + 0x00) + #define PCIE_RC_CONFIG_RID_CCR (PCIE_RC_CONFIG_BASE + 0x08) + #define PCIE_RC_CONFIG_SCC_SHIFT 16 + #define PCIE_RC_CONFIG_DCR (PCIE_RC_CONFIG_BASE + 0xc4) diff --git a/tmp-4.19/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch b/tmp-4.19/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch new file mode 100644 index 00000000000..8e17d476da1 --- /dev/null +++ b/tmp-4.19/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch 
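Review bot: `hdr->deviceid << 16` in rockchip_pcie_ep_write_header() is evaluated in `int` if `deviceid` is a 16-bit field (its declaration is not in the hunk), so an ID with the top bit set shifts into the sign bit. Writing `reg = (reg & 0xFFFF) | ((u32)hdr->deviceid << 16);` keeps the arithmetic unsigned. The new write also targets `PCIE_EP_CONFIG_DID_VID` with no `fn` term, unlike the removed line, so every function's header write updates the same register. If the hardware really has one Device ID for all functions, a one-line comment saying so would stop readers from expecting per-function IDs.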
@@ -0,0 +1,45 @@
+From 1305047881df831eb992b45f8488e5dbc824694f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jun 2023 16:41:01 -0700
+Subject: perf dwarf-aux: Fix off-by-one in die_get_varname()
+
+From: Namhyung Kim
+
+[ Upstream commit 3abfcfd847717d232e36963f31a361747c388fe7 ]
+
+The die_get_varname() returns "(unknown_type)" string if it failed to
+find a type for the variable. But it had a space before the opening
+parenthesis and it made the closing parenthesis cut off due to the
+off-by-one in the string length (14).
+
+Signed-off-by: Namhyung Kim
+Fixes: 88fd633cdfa19060 ("perf probe: No need to use formatting strbuf method")
+Cc: Adrian Hunter
+Cc: Ian Rogers
+Cc: Ingo Molnar
+Cc: Jiri Olsa
+Cc: Masami Hiramatsu
+Cc: Peter Zijlstra
+Link: https://lore.kernel.org/r/20230612234102.3909116-1-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/util/dwarf-aux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index 6de57d9ee7cc2..db099dc20a682 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -1020,7 +1020,7 @@ int die_get_varname(Dwarf_Die *vr_die, struct strbuf *buf)
+ ret = die_get_typename(vr_die, buf);
+ if (ret < 0) {
+ pr_debug("Failed to get type, make it unknown.\n");
+- ret = strbuf_add(buf, " (unknown_type)", 14);
++ ret = strbuf_add(buf, "(unknown_type)", 14);
+ }
+
+ return ret < 0 ? ret : strbuf_addf(buf, "\t%s", dwarf_diename(vr_die));
+-- 
+2.39.2
+
diff --git a/tmp-4.19/perf-intel-pt-fix-cyc-timestamps-after-standalone-cbr.patch b/tmp-4.19/perf-intel-pt-fix-cyc-timestamps-after-standalone-cbr.patch
new file mode 100644
index 00000000000..5170066b0de
--- /dev/null
+++ b/tmp-4.19/perf-intel-pt-fix-cyc-timestamps-after-standalone-cbr.patch
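Review bot: The fixed call in die_get_varname() still pairs a string literal with a hand-counted length, `strbuf_add(buf, "(unknown_type)", 14)`, which is the pattern that produced the truncation being fixed. Using `ret = strbuf_addstr(buf, "(unknown_type)");` lets the length follow the literal. A later edit of the text then cannot cut it short or make the copy read past the end of the literal.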
@@ -0,0 +1,39 @@
+From 430635a0ef1ce958b7b4311f172694ece2c692b8 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter
+Date: Mon, 3 Apr 2023 18:48:31 +0300
+Subject: perf intel-pt: Fix CYC timestamps after standalone CBR
+
+From: Adrian Hunter
+
+commit 430635a0ef1ce958b7b4311f172694ece2c692b8 upstream.
+
+After a standalone CBR (not associated with TSC), update the cycles
+reference timestamp and reset the cycle count, so that CYC timestamps
+are calculated relative to that point with the new frequency.
+
+Fixes: cc33618619cefc6d ("perf tools: Add Intel PT support for decoding CYC packets")
+Signed-off-by: Adrian Hunter
+Cc: Adrian Hunter
+Cc: Ian Rogers
+Cc: Jiri Olsa
+Cc: Namhyung Kim
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230403154831.8651-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Adrian Hunter
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/perf/util/intel-pt-decoder/intel-pt-decoder.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
++++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+@@ -1499,6 +1499,8 @@ static void intel_pt_calc_cbr(struct int
+
+ decoder->cbr = cbr;
+ decoder->cbr_cyc_to_tsc = decoder->max_non_turbo_ratio_fp / cbr;
++ decoder->cyc_ref_timestamp = decoder->timestamp;
++ decoder->cycle_cnt = 0;
+ }
+
+ static void intel_pt_calc_cyc_timestamp(struct intel_pt_decoder *decoder)
diff --git a/tmp-4.19/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch b/tmp-4.19/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch
new file mode 100644
index 00000000000..ac282bd2634
--- /dev/null
+++ b/tmp-4.19/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch
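Review bot: The two added assignments in intel_pt_calc_cbr() have no comment, so the reason for resetting the cycle state lives only in the commit message. A line such as `/* New ratio: count CYC from the current timestamp onwards */` above them would keep the intent next to the code. The function starts outside the hunk, so whether `decoder->timestamp` is always valid at this point cannot be judged from here.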
@@ -0,0 +1,115 @@ +From 56cbeacf143530576905623ac72ae0964f3293a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Georg=20M=C3=BCller?= +Date: Wed, 28 Jun 2023 10:45:50 +0200 +Subject: perf probe: Add test for regression introduced by switch to die_get_decl_file() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Georg Müller + +commit 56cbeacf143530576905623ac72ae0964f3293a6 upstream. + +This patch adds a test to validate that 'perf probe' works for binaries +where DWARF info is split into multiple CUs + +Signed-off-by: Georg Müller +Acked-by: Masami Hiramatsu (Google) +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: regressions@lists.linux.dev +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230628084551.1860532-5-georgmueller@gmx.net +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/shell/test_uprobe_from_different_cu.sh | 77 ++++++++++++++++ + 1 file changed, 77 insertions(+) + create mode 100755 tools/perf/tests/shell/test_uprobe_from_different_cu.sh + +--- /dev/null ++++ b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh +@@ -0,0 +1,77 @@ ++#!/bin/bash ++# test perf probe of function from different CU ++# SPDX-License-Identifier: GPL-2.0 ++ ++set -e ++ ++temp_dir=$(mktemp -d /tmp/perf-uprobe-different-cu-sh.XXXXXXXXXX) ++ ++cleanup() ++{ ++ trap - EXIT TERM INT ++ if [[ "${temp_dir}" =~ ^/tmp/perf-uprobe-different-cu-sh.*$ ]]; then ++ echo "--- Cleaning up ---" ++ perf probe -x ${temp_dir}/testfile -d foo ++ rm -f "${temp_dir}/"* ++ rmdir "${temp_dir}" ++ fi ++} ++ ++trap_cleanup() ++{ ++ cleanup ++ exit 1 ++} ++ ++trap trap_cleanup EXIT TERM INT ++ ++cat > ${temp_dir}/testfile-foo.h << EOF ++struct t ++{ ++ int *p; ++ int c; ++}; ++ ++extern int foo (int i, struct t *t); ++EOF ++ ++cat > ${temp_dir}/testfile-foo.c << EOF ++#include 
"testfile-foo.h" ++ ++int ++foo (int i, struct t *t) ++{ ++ int j, res = 0; ++ for (j = 0; j < i && j < t->c; j++) ++ res += t->p[j]; ++ ++ return res; ++} ++EOF ++ ++cat > ${temp_dir}/testfile-main.c << EOF ++#include "testfile-foo.h" ++ ++static struct t g; ++ ++int ++main (int argc, char **argv) ++{ ++ int i; ++ int j[argc]; ++ g.c = argc; ++ g.p = j; ++ for (i = 0; i < argc; i++) ++ j[i] = (int) argv[i][0]; ++ return foo (3, &g); ++} ++EOF ++ ++gcc -g -Og -flto -c ${temp_dir}/testfile-foo.c -o ${temp_dir}/testfile-foo.o ++gcc -g -Og -c ${temp_dir}/testfile-main.c -o ${temp_dir}/testfile-main.o ++gcc -g -Og -o ${temp_dir}/testfile ${temp_dir}/testfile-foo.o ${temp_dir}/testfile-main.o ++ ++perf probe -x ${temp_dir}/testfile --funcs foo ++perf probe -x ${temp_dir}/testfile foo ++ ++cleanup diff --git a/tmp-4.19/pinctrl-amd-detect-internal-gpio0-debounce-handling.patch b/tmp-4.19/pinctrl-amd-detect-internal-gpio0-debounce-handling.patch new file mode 100644 index 00000000000..00a6ce430b2 --- /dev/null +++ b/tmp-4.19/pinctrl-amd-detect-internal-gpio0-debounce-handling.patch 
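Review bot: The script runs `gcc` and `perf probe` under `set -e` without first checking that a compiler is available, so on a machine without gcc the first compile makes the test fail through `trap_cleanup` instead of being skipped. A guard placed before the `mktemp` line, for example `command -v gcc >/dev/null || exit 2`, would report that case as skipped, assuming the usual perf shell-test convention that exit code 2 means skip. `${temp_dir}` is also expanded unquoted in the `cat >`, `gcc` and `perf probe` lines, while `cleanup` quotes it for `rm` and `rmdir`. Quoting it everywhere would be consistent.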
@@ -0,0 +1,77 @@ +From 968ab9261627fa305307e3935ca1a32fcddd36cb Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Fri, 21 Apr 2023 07:06:21 -0500 +Subject: pinctrl: amd: Detect internal GPIO0 debounce handling + +From: Mario Limonciello + +commit 968ab9261627fa305307e3935ca1a32fcddd36cb upstream. + +commit 4e5a04be88fe ("pinctrl: amd: disable and mask interrupts on probe") +had a mistake in loop iteration 63 that it would clear offset 0xFC instead +of 0x100. Offset 0xFC is actually `WAKE_INT_MASTER_REG`. This was +clearing bits 13 and 15 from the register which significantly changed the +expected handling for some platforms for GPIO0. + +commit b26cd9325be4 ("pinctrl: amd: Disable and mask interrupts on resume") +actually fixed this bug, but lead to regressions on Lenovo Z13 and some +other systems. This is because there was no handling in the driver for bit +15 debounce behavior. + +Quoting a public BKDG: +``` +EnWinBlueBtn. Read-write. Reset: 0. 0=GPIO0 detect debounced power button; +Power button override is 4 seconds. 1=GPIO0 detect debounced power button +in S3/S5/S0i3, and detect "pressed less than 2 seconds" and "pressed 2~10 +seconds" in S0; Power button override is 10 seconds +``` + +Cross referencing the same master register in Windows it's obvious that +Windows doesn't use debounce values in this configuration. So align the +Linux driver to do this as well. This fixes wake on lid when +WAKE_INT_MASTER_REG is properly programmed. 
+ +Cc: stable@vger.kernel.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217315 +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20230421120625.3366-2-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-amd.c | 7 +++++++ + drivers/pinctrl/pinctrl-amd.h | 1 + + 2 files changed, 8 insertions(+) + +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -127,6 +127,12 @@ static int amd_gpio_set_debounce(struct + struct amd_gpio *gpio_dev = gpiochip_get_data(gc); + + raw_spin_lock_irqsave(&gpio_dev->lock, flags); ++ ++ /* Use special handling for Pin0 debounce */ ++ pin_reg = readl(gpio_dev->base + WAKE_INT_MASTER_REG); ++ if (pin_reg & INTERNAL_GPIO0_DEBOUNCE) ++ debounce = 0; ++ + pin_reg = readl(gpio_dev->base + offset * 4); + + if (debounce) { +@@ -216,6 +222,7 @@ static void amd_gpio_dbg_show(struct seq + char *output_value; + char *output_enable; + ++ seq_printf(s, "WAKE_INT_MASTER_REG: 0x%08x\n", readl(gpio_dev->base + WAKE_INT_MASTER_REG)); + for (bank = 0; bank < gpio_dev->hwbank_num; bank++) { + seq_printf(s, "GPIO bank%d\t", bank); + +--- a/drivers/pinctrl/pinctrl-amd.h ++++ b/drivers/pinctrl/pinctrl-amd.h +@@ -21,6 +21,7 @@ + #define AMD_GPIO_PINS_BANK3 32 + + #define WAKE_INT_MASTER_REG 0xfc ++#define INTERNAL_GPIO0_DEBOUNCE (1 << 15) + #define EOI_MASK (1 << 29) + + #define WAKE_INT_STATUS_REG0 0x2f8 diff --git a/tmp-4.19/pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch b/tmp-4.19/pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch new file mode 100644 index 00000000000..1e30bf1de1c --- /dev/null +++ b/tmp-4.19/pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch 
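Review bot: As added here, the `INTERNAL_GPIO0_DEBOUNCE` check in amd_gpio_set_debounce() sets `debounce = 0` for whatever `offset` was passed, not only for GPIO0, so a debounce request on any other pin is silently dropped while the bit is set. The `if (offset == 0)` guard arrives in the separate patch pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch added by this same commit, so the two need to be applied together. The new `seq_printf()` line in amd_gpio_dbg_show() reads `WAKE_INT_MASTER_REG` with no lock visible in the hunk. Whether the other reads in that function take `gpio_dev->lock` is outside the hunk.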
@@ -0,0 +1,39 @@
+From a855724dc08b8cb0c13ab1e065a4922f1e5a7552 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Fri, 21 Apr 2023 07:06:22 -0500
+Subject: pinctrl: amd: Fix mistake in handling clearing pins at startup
+
+From: Mario Limonciello
+
+commit a855724dc08b8cb0c13ab1e065a4922f1e5a7552 upstream.
+
+commit 4e5a04be88fe ("pinctrl: amd: disable and mask interrupts on probe")
+had a mistake in loop iteration 63 that it would clear offset 0xFC instead
+of 0x100. Offset 0xFC is actually `WAKE_INT_MASTER_REG`. This was
+clearing bits 13 and 15 from the register which significantly changed the
+expected handling for some platforms for GPIO0.
+
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217315
+Signed-off-by: Mario Limonciello
+Link: https://lore.kernel.org/r/20230421120625.3366-3-mario.limonciello@amd.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/pinctrl-amd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-amd.c
++++ b/drivers/pinctrl/pinctrl-amd.c
+@@ -794,9 +794,9 @@ static void amd_gpio_irq_init(struct amd
+
+ raw_spin_lock_irqsave(&gpio_dev->lock, flags);
+
+- pin_reg = readl(gpio_dev->base + i * 4);
++ pin_reg = readl(gpio_dev->base + pin * 4);
+ pin_reg &= ~mask;
+- writel(pin_reg, gpio_dev->base + i * 4);
++ writel(pin_reg, gpio_dev->base + pin * 4);
+
+ raw_spin_unlock_irqrestore(&gpio_dev->lock, flags);
+ }
diff --git a/tmp-4.19/pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch b/tmp-4.19/pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch
new file mode 100644
index 00000000000..c45deee6c66
--- /dev/null
+++ b/tmp-4.19/pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch
@@ -0,0 +1,40 @@
+From 0d5ace1a07f7e846d0f6d972af60d05515599d0b Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Wed, 5 Jul 2023 08:30:02 -0500
+Subject: pinctrl: amd: Only use special debounce behavior for GPIO 0
+
+From: Mario Limonciello
+
+commit 0d5ace1a07f7e846d0f6d972af60d05515599d0b upstream.
+
+It's uncommon to use debounce on any other pin, but technically
+we should only set debounce to 0 when working off GPIO0.
+
+Cc: stable@vger.kernel.org
+Tested-by: Jan Visser
+Fixes: 968ab9261627 ("pinctrl: amd: Detect internal GPIO0 debounce handling")
+Signed-off-by: Mario Limonciello
+Link: https://lore.kernel.org/r/20230705133005.577-2-mario.limonciello@amd.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/pinctrl-amd.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-amd.c
++++ b/drivers/pinctrl/pinctrl-amd.c
+@@ -129,9 +129,11 @@ static int amd_gpio_set_debounce(struct
+ raw_spin_lock_irqsave(&gpio_dev->lock, flags);
+
+ /* Use special handling for Pin0 debounce */
+- pin_reg = readl(gpio_dev->base + WAKE_INT_MASTER_REG);
+- if (pin_reg & INTERNAL_GPIO0_DEBOUNCE)
+- debounce = 0;
++ if (offset == 0) {
++ pin_reg = readl(gpio_dev->base + WAKE_INT_MASTER_REG);
++ if (pin_reg & INTERNAL_GPIO0_DEBOUNCE)
++ debounce = 0;
++ }
+
+ pin_reg = readl(gpio_dev->base + offset * 4);
+
diff --git a/tmp-4.19/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch b/tmp-4.19/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch
new file mode 100644
index 00000000000..9b216e957f3
--- /dev/null
+++ b/tmp-4.19/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch
@@ -0,0 +1,108 @@ +From c6a53f20f6bffc5450fcb9e1b763e8c839407eb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 08:30:03 -0500 +Subject: pinctrl: amd: Use amd_pinconf_set() for all config options + +From: Mario Limonciello + +[ Upstream commit 635a750d958e158e17af0f524bedc484b27fbb93 ] + +On ASUS TUF A16 it is reported that the ITE5570 ACPI device connected to +GPIO 7 is causing an interrupt storm. This issue doesn't happen on +Windows. + +Comparing the GPIO register configuration between Windows and Linux +bit 20 has been configured as a pull up on Windows, but not on Linux. +Checking GPIO declaration from the firmware it is clear it *should* have +been a pull up on Linux as well. + +``` +GpioInt (Level, ActiveLow, Exclusive, PullUp, 0x0000, + "\\_SB.GPIO", 0x00, ResourceConsumer, ,) +{ // Pin list +0x0007 +} +``` + +On Linux amd_gpio_set_config() is currently only used for programming +the debounce. Actually the GPIO core calls it with all the arguments +that are supported by a GPIO, pinctrl-amd just responds `-ENOTSUPP`. + +To solve this issue expand amd_gpio_set_config() to support the other +arguments amd_pinconf_set() supports, namely `PIN_CONFIG_BIAS_PULL_DOWN`, +`PIN_CONFIG_BIAS_PULL_UP`, and `PIN_CONFIG_DRIVE_STRENGTH`. 
+ +Reported-by: Nik P +Reported-by: Nathan Schulte +Reported-by: Friedrich Vock +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217336 +Reported-by: dridri85@gmail.com +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217493 +Link: https://lore.kernel.org/linux-input/20230530154058.17594-1-friedrich.vock@gmx.de/ +Tested-by: Jan Visser +Fixes: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips") +Signed-off-by: Mario Limonciello +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230705133005.577-3-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-amd.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-amd.c b/drivers/pinctrl/pinctrl-amd.c +index d5f5661de13c6..c140ee16fe7c8 100644 +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -190,18 +190,6 @@ static int amd_gpio_set_debounce(struct gpio_chip *gc, unsigned offset, + return ret; + } + +-static int amd_gpio_set_config(struct gpio_chip *gc, unsigned offset, +- unsigned long config) +-{ +- u32 debounce; +- +- if (pinconf_to_config_param(config) != PIN_CONFIG_INPUT_DEBOUNCE) +- return -ENOTSUPP; +- +- debounce = pinconf_to_config_argument(config); +- return amd_gpio_set_debounce(gc, offset, debounce); +-} +- + #ifdef CONFIG_DEBUG_FS + static void amd_gpio_dbg_show(struct seq_file *s, struct gpio_chip *gc) + { +@@ -686,7 +674,7 @@ static int amd_pinconf_get(struct pinctrl_dev *pctldev, + } + + static int amd_pinconf_set(struct pinctrl_dev *pctldev, unsigned int pin, +- unsigned long *configs, unsigned num_configs) ++ unsigned long *configs, unsigned int num_configs) + { + int i; + u32 arg; +@@ -776,6 +764,20 @@ static int amd_pinconf_group_set(struct pinctrl_dev *pctldev, + return 0; + } + ++static int amd_gpio_set_config(struct gpio_chip *gc, unsigned int pin, ++ unsigned long config) ++{ ++ struct 
amd_gpio *gpio_dev = gpiochip_get_data(gc); ++ ++ if (pinconf_to_config_param(config) == PIN_CONFIG_INPUT_DEBOUNCE) { ++ u32 debounce = pinconf_to_config_argument(config); ++ ++ return amd_gpio_set_debounce(gc, pin, debounce); ++ } ++ ++ return amd_pinconf_set(gpio_dev->pctrl, pin, &config, 1); ++} ++ + static const struct pinconf_ops amd_pinconf_ops = { + .pin_config_get = amd_pinconf_get, + .pin_config_set = amd_pinconf_set, +-- +2.39.2 + diff --git a/tmp-4.19/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch b/tmp-4.19/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch new file mode 100644 index 00000000000..f887cbf1584 --- /dev/null +++ b/tmp-4.19/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch 
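Review bot: amd_gpio_set_config() passes the gpio_chip line number `pin` straight to `amd_pinconf_set(gpio_dev->pctrl, pin, &config, 1)` as a pinctrl pin number. That is only correct if the two number spaces coincide for this chip, and nothing in the hunk establishes it. A comment such as `/* GPIO offsets map 1:1 to pinctrl pin numbers on this controller */` would record the assumption if it holds. The return value for unsupported parameters now also comes from amd_pinconf_set(), whose body is outside the hunk, so it is worth confirming that callers which previously saw `-ENOTSUPP` still get it.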
@@ -0,0 +1,41 @@
+From 8cc3629d359b1617fe9c7a963a43fb802602ce1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jun 2023 13:53:33 +0300
+Subject: pinctrl: at91-pio4: check return value of devm_kasprintf()
+
+From: Claudiu Beznea
+
+[ Upstream commit f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0 ]
+
+devm_kasprintf() returns a pointer to dynamically allocated memory.
+Pointer could be NULL in case allocation fails. Check pointer validity.
+Identified with coccinelle (kmerr.cocci script).
+
+Fixes: 776180848b57 ("pinctrl: introduce driver for Atmel PIO4 controller")
+Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks")
+Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int")
+Signed-off-by: Claudiu Beznea
+Reviewed-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20230615105333.585304-4-claudiu.beznea@microchip.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/pinctrl-at91-pio4.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c
+index 5b883eb49ce92..cbbda24bf6a80 100644
+--- a/drivers/pinctrl/pinctrl-at91-pio4.c
++++ b/drivers/pinctrl/pinctrl-at91-pio4.c
+@@ -1024,6 +1024,8 @@ static int atmel_pinctrl_probe(struct platform_device *pdev)
+ /* Pin naming convention: P(bank_name)(bank_pin_number). */
+ pin_desc[i].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "P%c%d",
+ bank + 'A', line);
++ if (!pin_desc[i].name)
++ return -ENOMEM;
+
+ group->name = group_names[i] = pin_desc[i].name;
+ group->pin = pin_desc[i].number;
+-- 
+2.39.2
+
diff --git a/tmp-4.19/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch b/tmp-4.19/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch
new file mode 100644
index 00000000000..297f675b95f
--- /dev/null
+++ b/tmp-4.19/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch
@@ -0,0 +1,57 @@
+From 1dab81b0371c72df1a682c0bb10383010b482841 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Jun 2023 17:37:34 +0300
+Subject: pinctrl: cherryview: Return correct value if pin in push-pull mode
+
+From: Andy Shevchenko
+
+[ Upstream commit 5835196a17be5cfdcad0b617f90cf4abe16951a4 ]
+
+Currently the getter returns ENOTSUPP on pin configured in
+the push-pull mode. Fix this by adding the missed switch case.
+
+Fixes: ccdf81d08dbe ("pinctrl: cherryview: add option to set open-drain pin config")
+Fixes: 6e08d6bbebeb ("pinctrl: Add Intel Cherryview/Braswell pin controller support")
+Acked-by: Mika Westerberg
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/intel/pinctrl-cherryview.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c
+index 25932d2a71547..ef8eb42e4d383 100644
+--- a/drivers/pinctrl/intel/pinctrl-cherryview.c
++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
+@@ -1032,11 +1032,6 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned pin,
+
+ break;
+
+- case PIN_CONFIG_DRIVE_OPEN_DRAIN:
+- if (!(ctrl1 & CHV_PADCTRL1_ODEN))
+- return -EINVAL;
+- break;
+-
+ case PIN_CONFIG_BIAS_HIGH_IMPEDANCE: {
+ u32 cfg;
+
+@@ -1046,6 +1041,16 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned pin,
+ return -EINVAL;
+
+ break;
++
++ case PIN_CONFIG_DRIVE_PUSH_PULL:
++ if (ctrl1 & CHV_PADCTRL1_ODEN)
++ return -EINVAL;
++ break;
++
++ case PIN_CONFIG_DRIVE_OPEN_DRAIN:
++ if (!(ctrl1 & CHV_PADCTRL1_ODEN))
++ return -EINVAL;
++ break;
+ }
+
+ default:
+-- 
+2.39.2
+
diff --git a/tmp-4.19/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch b/tmp-4.19/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch
new file mode 100644
index 00000000000..fd4ada2152b
--- /dev/null
+++ b/tmp-4.19/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch
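Review bot: The added `case PIN_CONFIG_DRIVE_PUSH_PULL:` and `case PIN_CONFIG_DRIVE_OPEN_DRAIN:` labels sit between the `break;` of the `PIN_CONFIG_BIAS_HIGH_IMPEDANCE` case and its closing `}`, so as the hunk reads they end up inside that case's braces, in the scope of `u32 cfg`. That is valid C and dispatches the same way, but it hides two switch cases inside another case's block and invites mistakes in later backports. Moving the ten added lines below the `}` line, directly before `default:`, keeps every case at switch level. chv_config_get() starts and ends outside the hunk.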
@@ -0,0 +1,48 @@
+From ef15279e88446b0b4c31771ab1aca4bdc6714705 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Apr 2023 06:07:43 -0700
+Subject: PM: domains: fix integer overflow issues in genpd_parse_state()
+
+From: Nikita Zhandarovich
+
+[ Upstream commit e5d1c8722083f0332dcd3c85fa1273d85fb6bed8 ]
+
+Currently, while calculating residency and latency values, right
+operands may overflow if resulting values are big enough.
+
+To prevent this, albeit unlikely case, play it safe and convert
+right operands to left ones' type s64.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 30f604283e05 ("PM / Domains: Allow domain power states to be read from DT")
+Signed-off-by: Nikita Zhandarovich
+Acked-by: Ulf Hansson
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/base/power/domain.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
+index e865aa4b25047..b32d3cf4f670d 100644
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -2433,10 +2433,10 @@ static int genpd_parse_state(struct genpd_power_state *genpd_state,
+
+ err = of_property_read_u32(state_node, "min-residency-us", &residency);
+ if (!err)
+- genpd_state->residency_ns = 1000 * residency;
++ genpd_state->residency_ns = 1000LL * residency;
+
+- genpd_state->power_on_latency_ns = 1000 * exit_latency;
+- genpd_state->power_off_latency_ns = 1000 * entry_latency;
++ genpd_state->power_on_latency_ns = 1000LL * exit_latency;
++ genpd_state->power_off_latency_ns = 1000LL * entry_latency;
+ genpd_state->fwnode = &state_node->fwnode;
+
+ return 0;
+--
+2.39.2
+
diff --git a/tmp-4.19/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch b/tmp-4.19/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch
new file mode 100644
index 00000000000..1d7b8e95a2c
--- /dev/null
+++ b/tmp-4.19/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch 
@@ -0,0 +1,115 @@ +From deabead3b46d4d115d9fd90afe2b7dbebe10919a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 20:58:47 +0200 +Subject: posix-timers: Ensure timer ID search-loop limit is valid + +From: Thomas Gleixner + +[ Upstream commit 8ce8849dd1e78dadcee0ec9acbd259d239b7069f ] + +posix_timer_add() tries to allocate a posix timer ID by starting from the +cached ID which was stored by the last successful allocation. + +This is done in a loop searching the ID space for a free slot one by +one. The loop has to terminate when the search wrapped around to the +starting point. + +But that's racy vs. establishing the starting point. That is read out +lockless, which leads to the following problem: + +CPU0 CPU1 +posix_timer_add() + start = sig->posix_timer_id; + lock(hash_lock); + ... posix_timer_add() + if (++sig->posix_timer_id < 0) + start = sig->posix_timer_id; + sig->posix_timer_id = 0; + +So CPU1 can observe a negative start value, i.e. -1, and the loop break +never happens because the condition can never be true: + + if (sig->posix_timer_id == start) + break; + +While this is unlikely to ever turn into an endless loop as the ID space is +huge (INT_MAX), the racy read of the start value caught the attention of +KCSAN and Dmitry unearthed that incorrectness. + +Rewrite it so that all id operations are under the hash lock. 
+ +Reported-by: syzbot+5c54bd3eb218bb595aa9@syzkaller.appspotmail.com +Reported-by: Dmitry Vyukov +Signed-off-by: Thomas Gleixner +Reviewed-by: Frederic Weisbecker +Link: https://lore.kernel.org/r/87bkhzdn6g.ffs@tglx +Signed-off-by: Sasha Levin +--- + include/linux/sched/signal.h | 2 +- + kernel/time/posix-timers.c | 31 ++++++++++++++++++------------- + 2 files changed, 19 insertions(+), 14 deletions(-) + +diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h +index 660d78c9af6c8..6a55b30ae742b 100644 +--- a/include/linux/sched/signal.h ++++ b/include/linux/sched/signal.h +@@ -127,7 +127,7 @@ struct signal_struct { + #ifdef CONFIG_POSIX_TIMERS + + /* POSIX.1b Interval Timers */ +- int posix_timer_id; ++ unsigned int next_posix_timer_id; + struct list_head posix_timers; + + /* ITIMER_REAL timer for the process */ +diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c +index 1234868b3b03e..8768ce2c4bf52 100644 +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -159,25 +159,30 @@ static struct k_itimer *posix_timer_by_id(timer_t id) + static int posix_timer_add(struct k_itimer *timer) + { + struct signal_struct *sig = current->signal; +- int first_free_id = sig->posix_timer_id; + struct hlist_head *head; +- int ret = -ENOENT; ++ unsigned int cnt, id; + +- do { ++ /* ++ * FIXME: Replace this by a per signal struct xarray once there is ++ * a plan to handle the resulting CRIU regression gracefully. ++ */ ++ for (cnt = 0; cnt <= INT_MAX; cnt++) { + spin_lock(&hash_lock); +- head = &posix_timers_hashtable[hash(sig, sig->posix_timer_id)]; +- if (!__posix_timers_find(head, sig, sig->posix_timer_id)) { ++ id = sig->next_posix_timer_id; ++ ++ /* Write the next ID back. 
Clamp it to the positive space */ ++ sig->next_posix_timer_id = (id + 1) & INT_MAX; ++ ++ head = &posix_timers_hashtable[hash(sig, id)]; ++ if (!__posix_timers_find(head, sig, id)) { + hlist_add_head_rcu(&timer->t_hash, head); +- ret = sig->posix_timer_id; ++ spin_unlock(&hash_lock); ++ return id; + } +- if (++sig->posix_timer_id < 0) +- sig->posix_timer_id = 0; +- if ((sig->posix_timer_id == first_free_id) && (ret == -ENOENT)) +- /* Loop over all possible ids completed */ +- ret = -EAGAIN; + spin_unlock(&hash_lock); +- } while (ret == -ENOENT); +- return ret; ++ } ++ /* POSIX return code when no timer ID could be allocated */ ++ return -EAGAIN; + } + + static inline void unlock_timer(struct k_itimer *timr, unsigned long flags) +-- +2.39.2 + diff --git a/tmp-4.19/powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch b/tmp-4.19/powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch new file mode 100644 index 00000000000..edb29963600 --- /dev/null +++ b/tmp-4.19/powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch 
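Review bot: `return id;` in posix_timer_add() passes an `unsigned int` out through the function's `int` return, and the same function uses a negative return (`-EAGAIN`) to signal failure. The value is safe only because everything stored in `next_posix_timer_id` goes through `& INT_MAX` a few lines earlier, and nothing at the return says so. I would add a comment there, for example `/* id <= INT_MAX by the clamp above, so it can never be read as a negative errno */`. It would also help to note next to the `for` that `cnt <= INT_MAX` limits the search to one pass over the ID space, since `hash_lock` is dropped between iterations and the counter is the only termination guarantee.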
@@ -0,0 +1,46 @@
+From a91683b99e01be25196c16b35ce56179ca1665f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Jun 2023 22:47:12 -0700
+Subject: powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap
+
+[ Upstream commit 39f49684036d24af800ff194c33c7b2653c591d7 ]
+
+In a randconfig with CONFIG_SERIAL_CPM=m and
+CONFIG_PPC_EARLY_DEBUG_CPM=y, there is a build error:
+ERROR: modpost: "udbg_putc" [drivers/tty/serial/cpm_uart/cpm_uart.ko] undefined!
+
+Prevent the build error by allowing PPC_EARLY_DEBUG_CPM only when
+SERIAL_CPM=y.
+
+Fixes: c374e00e17f1 ("[POWERPC] Add early debug console for CPM serial ports.")
+Signed-off-by: Randy Dunlap
+Reviewed-by: Pali Rohár
+Reviewed-by: Christophe Leroy
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20230701054714.30512-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug
+index ffe0cf0f0bea2..923b3b794d13f 100644
+--- a/arch/powerpc/Kconfig.debug
++++ b/arch/powerpc/Kconfig.debug
+@@ -232,7 +232,7 @@ config PPC_EARLY_DEBUG_40x
+
+ config PPC_EARLY_DEBUG_CPM
+ bool "Early serial debugging for Freescale CPM-based serial ports"
+- depends on SERIAL_CPM
++ depends on SERIAL_CPM=y
+ help
+ Select this to enable early debugging for Freescale chips
+ using a CPM-based serial port. This assumes that the bootwrapper
+--
+2.39.2
+
diff --git a/tmp-4.19/radeon-avoid-double-free-in-ci_dpm_init.patch b/tmp-4.19/radeon-avoid-double-free-in-ci_dpm_init.patch
new file mode 100644
index 00000000000..6c81cb6efdb
--- /dev/null
+++ b/tmp-4.19/radeon-avoid-double-free-in-ci_dpm_init.patch
@@ -0,0 +1,110 @@ +From 538cb4b674cd354c9bbdaaf06670cfdf71f72bca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 08:12:28 -0700 +Subject: radeon: avoid double free in ci_dpm_init() + +From: Nikita Zhandarovich + +[ Upstream commit 20c3dffdccbd494e0dd631d1660aeecbff6775f2 ] + +Several calls to ci_dpm_fini() will attempt to free resources that +either have been freed before or haven't been allocated yet. This +may lead to undefined or dangerous behaviour. + +For instance, if r600_parse_extended_power_table() fails, it might +call r600_free_extended_power_table() as will ci_dpm_fini() later +during error handling. + +Fix this by only freeing pointers to objects previously allocated. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") +Co-developed-by: Natalia Petrova +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/ci_dpm.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c +index 90c1afe498bea..ce8b14592b69b 100644 +--- a/drivers/gpu/drm/radeon/ci_dpm.c ++++ b/drivers/gpu/drm/radeon/ci_dpm.c +@@ -5552,6 +5552,7 @@ static int ci_parse_power_table(struct radeon_device *rdev) + u8 frev, crev; + u8 *power_state_offset; + struct ci_ps *ps; ++ int ret; + + if (!atom_parse_data_header(mode_info->atom_context, index, NULL, + &frev, &crev, &data_offset)) +@@ -5581,11 +5582,15 @@ static int ci_parse_power_table(struct radeon_device *rdev) + non_clock_array_index = power_state->v2.nonClockInfoIndex; + non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) + &non_clock_info_array->nonClockInfo[non_clock_array_index]; +- if (!rdev->pm.power_state[i].clock_info) +- return -EINVAL; ++ if (!rdev->pm.power_state[i].clock_info) { ++ ret = -EINVAL; ++ goto err_free_ps; 
++ } + ps = kzalloc(sizeof(struct ci_ps), GFP_KERNEL); +- if (ps == NULL) +- return -ENOMEM; ++ if (ps == NULL) { ++ ret = -ENOMEM; ++ goto err_free_ps; ++ } + rdev->pm.dpm.ps[i].ps_priv = ps; + ci_parse_pplib_non_clock_info(rdev, &rdev->pm.dpm.ps[i], + non_clock_info, +@@ -5625,6 +5630,12 @@ static int ci_parse_power_table(struct radeon_device *rdev) + } + + return 0; ++ ++err_free_ps: ++ for (i = 0; i < rdev->pm.dpm.num_ps; i++) ++ kfree(rdev->pm.dpm.ps[i].ps_priv); ++ kfree(rdev->pm.dpm.ps); ++ return ret; + } + + static int ci_get_vbios_boot_values(struct radeon_device *rdev, +@@ -5713,25 +5724,26 @@ int ci_dpm_init(struct radeon_device *rdev) + + ret = ci_get_vbios_boot_values(rdev, &pi->vbios_boot_state); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); + return ret; + } + + ret = r600_get_platform_caps(rdev); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); + return ret; + } + + ret = r600_parse_extended_power_table(rdev); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); + return ret; + } + + ret = ci_parse_power_table(rdev); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); ++ r600_free_extended_power_table(rdev); + return ret; + } + +-- +2.39.2 + diff --git a/tmp-4.19/revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch b/tmp-4.19/revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch new file mode 100644 index 00000000000..26cabe77651 --- /dev/null +++ b/tmp-4.19/revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch 
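Review bot: Both new cleanup paths free memory and leave the pointer in place: `err_free_ps` in ci_parse_power_table() ends with `kfree(rdev->pm.dpm.ps);`, and the four error branches in ci_dpm_init() do `kfree(rdev->pm.dpm.priv);`, with neither field cleared afterwards. Since this commit exists because a later ci_dpm_fini() freed things twice, I would add `rdev->pm.dpm.ps = NULL;` and `rdev->pm.dpm.priv = NULL;` after the frees, so any teardown still reachable after a failed init sees NULL instead of a stale address; whether such a caller exists is not visible here. The `err_free_ps` loop is bounded by `rdev->pm.dpm.num_ps`, whose assignment is outside the hunk, so it is worth confirming that it already counts the entries whose `ps_priv` was set when the `goto` is taken, otherwise those allocations leak. Both functions start and end outside the hunks shown.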
@@ -0,0 +1,139 @@ +From a82d62f708545d22859584e0e0620da8e3759bbc Mon Sep 17 00:00:00 2001 +From: Jiaqing Zhao +Date: Mon, 19 Jun 2023 15:57:44 +0000 +Subject: Revert "8250: add support for ASIX devices with a FIFO bug" + +From: Jiaqing Zhao + +commit a82d62f708545d22859584e0e0620da8e3759bbc upstream. + +This reverts commit eb26dfe8aa7eeb5a5aa0b7574550125f8aa4c3b3. + +Commit eb26dfe8aa7e ("8250: add support for ASIX devices with a FIFO +bug") merged on Jul 13, 2012 adds a quirk for PCI_VENDOR_ID_ASIX +(0x9710). But that ID is the same as PCI_VENDOR_ID_NETMOS defined in +1f8b061050c7 ("[PATCH] Netmos parallel/serial/combo support") merged +on Mar 28, 2005. In pci_serial_quirks array, the NetMos entry always +takes precedence over the ASIX entry even since it was initially +merged, code in that commit is always unreachable. + +In my tests, adding the FIFO workaround to pci_netmos_init() makes no +difference, and the vendor driver also does not have such workaround. +Given that the code was never used for over a decade, it's safe to +revert it. + +Also, the real PCI_VENDOR_ID_ASIX should be 0x125b, which is used on +their newer AX99100 PCIe serial controllers released on 2016. The FIFO +workaround should not be intended for these newer controllers, and it +was never implemented in vendor driver. 
+ +Fixes: eb26dfe8aa7e ("8250: add support for ASIX devices with a FIFO bug") +Cc: stable +Signed-off-by: Jiaqing Zhao +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230619155743.827859-1-jiaqing.zhao@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250.h | 1 - + drivers/tty/serial/8250/8250_pci.c | 19 ------------------- + drivers/tty/serial/8250/8250_port.c | 11 +++-------- + include/linux/serial_8250.h | 1 - + 4 files changed, 3 insertions(+), 29 deletions(-) + +--- a/drivers/tty/serial/8250/8250.h ++++ b/drivers/tty/serial/8250/8250.h +@@ -85,7 +85,6 @@ struct serial8250_config { + #define UART_BUG_TXEN (1 << 1) /* UART has buggy TX IIR status */ + #define UART_BUG_NOMSR (1 << 2) /* UART has buggy MSR status bits (Au1x00) */ + #define UART_BUG_THRE (1 << 3) /* UART has buggy THRE reassertion */ +-#define UART_BUG_PARITY (1 << 4) /* UART mishandles parity if FIFO enabled */ + + + #ifdef CONFIG_SERIAL_8250_SHARE_IRQ +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -1049,14 +1049,6 @@ static int pci_oxsemi_tornado_init(struc + return number_uarts; + } + +-static int pci_asix_setup(struct serial_private *priv, +- const struct pciserial_board *board, +- struct uart_8250_port *port, int idx) +-{ +- port->bugs |= UART_BUG_PARITY; +- return pci_default_setup(priv, board, port, idx); +-} +- + /* Quatech devices have their own extra interface features */ + + struct quatech_feature { +@@ -1683,7 +1675,6 @@ pci_wch_ch38x_setup(struct serial_privat + #define PCI_DEVICE_ID_WCH_CH355_4S 0x7173 + #define PCI_VENDOR_ID_AGESTAR 0x5372 + #define PCI_DEVICE_ID_AGESTAR_9375 0x6872 +-#define PCI_VENDOR_ID_ASIX 0x9710 + #define PCI_DEVICE_ID_BROADCOM_TRUMANAGE 0x160a + #define PCI_DEVICE_ID_AMCC_ADDIDATA_APCI7800 0x818e + +@@ -2455,16 +2446,6 @@ static struct pci_serial_quirk pci_seria + .setup = pci_wch_ch38x_setup, + }, + /* +- * ASIX devices with FIFO bug +- */ +- { +- .vendor = 
PCI_VENDOR_ID_ASIX, +- .device = PCI_ANY_ID, +- .subvendor = PCI_ANY_ID, +- .subdevice = PCI_ANY_ID, +- .setup = pci_asix_setup, +- }, +- /* + * Broadcom TruManage (NetXtreme) + */ + { +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2617,11 +2617,8 @@ static unsigned char serial8250_compute_ + + if (c_cflag & CSTOPB) + cval |= UART_LCR_STOP; +- if (c_cflag & PARENB) { ++ if (c_cflag & PARENB) + cval |= UART_LCR_PARITY; +- if (up->bugs & UART_BUG_PARITY) +- up->fifo_bug = true; +- } + if (!(c_cflag & PARODD)) + cval |= UART_LCR_EPAR; + #ifdef CMSPAR +@@ -2735,8 +2732,7 @@ serial8250_do_set_termios(struct uart_po + up->lcr = cval; /* Save computed LCR */ + + if (up->capabilities & UART_CAP_FIFO && port->fifosize > 1) { +- /* NOTE: If fifo_bug is not set, a user can set RX_trigger. */ +- if ((baud < 2400 && !up->dma) || up->fifo_bug) { ++ if (baud < 2400 && !up->dma) { + up->fcr &= ~UART_FCR_TRIGGER_MASK; + up->fcr |= UART_FCR_TRIGGER_1; + } +@@ -3072,8 +3068,7 @@ static int do_set_rxtrig(struct tty_port + struct uart_8250_port *up = up_to_u8250p(uport); + int rxtrig; + +- if (!(up->capabilities & UART_CAP_FIFO) || uport->fifosize <= 1 || +- up->fifo_bug) ++ if (!(up->capabilities & UART_CAP_FIFO) || uport->fifosize <= 1) + return -EINVAL; + + rxtrig = bytes_to_fcr_rxtrig(up, bytes); +--- a/include/linux/serial_8250.h ++++ b/include/linux/serial_8250.h +@@ -99,7 +99,6 @@ struct uart_8250_port { + struct list_head list; /* ports on this IRQ */ + u32 capabilities; /* port capabilities */ + unsigned short bugs; /* port bugs */ +- bool fifo_bug; /* min RX trigger if enabled */ + unsigned int tx_loadsz; /* transmit fifo load size */ + unsigned char acr; + unsigned char fcr; diff --git a/tmp-4.19/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch b/tmp-4.19/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch new file mode 100644 index 00000000000..75611e500a9 --- /dev/null 
+++ b/tmp-4.19/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch 
@@ -0,0 +1,113 @@ +From 0891c3b57a9ceed9c4e331ce92a2edea7581fc11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 14:59:18 -0700 +Subject: Revert "tcp: avoid the lookup process failing to get sk in ehash + table" + +From: Kuniyuki Iwashima + +[ Upstream commit 81b3ade5d2b98ad6e0a473b0e1e420a801275592 ] + +This reverts commit 3f4ca5fafc08881d7a57daa20449d171f2887043. + +Commit 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in +ehash table") reversed the order in how a socket is inserted into ehash +to fix an issue that ehash-lookup could fail when reqsk/full sk/twsk are +swapped. However, it introduced another lookup failure. + +The full socket in ehash is allocated from a slab with SLAB_TYPESAFE_BY_RCU +and does not have SOCK_RCU_FREE, so the socket could be reused even while +it is being referenced on another CPU doing RCU lookup. + +Let's say a socket is reused and inserted into the same hash bucket during +lookup. After the blamed commit, a new socket is inserted at the end of +the list. If that happens, we will skip sockets placed after the previous +position of the reused socket, resulting in ehash lookup failure. + +As described in Documentation/RCU/rculist_nulls.rst, we should insert a +new socket at the head of the list to avoid such an issue. + +This issue, the swap-lookup-failure, and another variant reported in [0] +can all be handled properly by adding a locked ehash lookup suggested by +Eric Dumazet [1]. + +However, this issue could occur for every packet, thus more likely than +the other two races, so let's revert the change for now. 
+ +Link: https://lore.kernel.org/netdev/20230606064306.9192-1-duanmuquan@baidu.com/ [0] +Link: https://lore.kernel.org/netdev/CANn89iK8snOz8TYOhhwfimC7ykYA78GA3Nyv8x06SZYa1nKdyA@mail.gmail.com/ [1] +Fixes: 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in ehash table") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230717215918.15723-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 17 ++--------------- + net/ipv4/inet_timewait_sock.c | 8 ++++---- + 2 files changed, 6 insertions(+), 19 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 5a272d09b8248..c6d670cd872f0 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -579,20 +579,8 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + spin_lock(lock); + if (osk) { + WARN_ON_ONCE(sk->sk_hash != osk->sk_hash); +- ret = sk_hashed(osk); +- if (ret) { +- /* Before deleting the node, we insert a new one to make +- * sure that the look-up-sk process would not miss either +- * of them and that at least one node would exist in ehash +- * table all the time. Otherwise there's a tiny chance +- * that lookup process could find nothing in ehash table. 
+- */ +- __sk_nulls_add_node_tail_rcu(sk, list); +- sk_nulls_del_node_init_rcu(osk); +- } +- goto unlock; +- } +- if (found_dup_sk) { ++ ret = sk_nulls_del_node_init_rcu(osk); ++ } else if (found_dup_sk) { + *found_dup_sk = inet_ehash_lookup_by_sk(sk, list); + if (*found_dup_sk) + ret = false; +@@ -601,7 +589,6 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + if (ret) + __sk_nulls_add_node_rcu(sk, list); + +-unlock: + spin_unlock(lock); + + return ret; +diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c +index fedd19c22b392..88c5069b5d20c 100644 +--- a/net/ipv4/inet_timewait_sock.c ++++ b/net/ipv4/inet_timewait_sock.c +@@ -80,10 +80,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw) + } + EXPORT_SYMBOL_GPL(inet_twsk_put); + +-static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw, +- struct hlist_nulls_head *list) ++static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw, ++ struct hlist_nulls_head *list) + { +- hlist_nulls_add_tail_rcu(&tw->tw_node, list); ++ hlist_nulls_add_head_rcu(&tw->tw_node, list); + } + + static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw, +@@ -119,7 +119,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk, + + spin_lock(lock); + +- inet_twsk_add_node_tail_rcu(tw, &ehead->chain); ++ inet_twsk_add_node_rcu(tw, &ehead->chain); + + /* Step 3: Remove SK from hash chain */ + if (__sk_nulls_del_node_init_rcu(sk)) +-- +2.39.2 + diff --git a/tmp-4.19/ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch b/tmp-4.19/ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch new file mode 100644 index 00000000000..63a5a49ea1e --- /dev/null +++ b/tmp-4.19/ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch 
@@ -0,0 +1,128 @@ +From 7e42907f3a7b4ce3a2d1757f6d78336984daf8f5 Mon Sep 17 00:00:00 2001 +From: Zheng Yejian +Date: Sun, 9 Jul 2023 06:51:44 +0800 +Subject: ring-buffer: Fix deadloop issue on reading trace_pipe + +From: Zheng Yejian + +commit 7e42907f3a7b4ce3a2d1757f6d78336984daf8f5 upstream. + +Soft lockup occurs when reading file 'trace_pipe': + + watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [cat:4488] + [...] + RIP: 0010:ring_buffer_empty_cpu+0xed/0x170 + RSP: 0018:ffff88810dd6fc48 EFLAGS: 00000246 + RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff93d1aaeb + RDX: ffff88810a280040 RSI: 0000000000000008 RDI: ffff88811164b218 + RBP: ffff88811164b218 R08: 0000000000000000 R09: ffff88815156600f + R10: ffffed102a2acc01 R11: 0000000000000001 R12: 0000000051651901 + R13: 0000000000000000 R14: ffff888115e49500 R15: 0000000000000000 + [...] + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f8d853c2000 CR3: 000000010dcd8000 CR4: 00000000000006e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + __find_next_entry+0x1a8/0x4b0 + ? peek_next_entry+0x250/0x250 + ? down_write+0xa5/0x120 + ? down_write_killable+0x130/0x130 + trace_find_next_entry_inc+0x3b/0x1d0 + tracing_read_pipe+0x423/0xae0 + ? tracing_splice_read_pipe+0xcb0/0xcb0 + vfs_read+0x16b/0x490 + ksys_read+0x105/0x210 + ? __ia32_sys_pwrite64+0x200/0x200 + ? switch_fpu_return+0x108/0x220 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +Through the vmcore, I found it's because in tracing_read_pipe(), +ring_buffer_empty_cpu() found some buffer is not empty but then it +cannot read anything due to "rb_num_of_entries() == 0" always true, +Then it infinitely loop the procedure due to user buffer not been +filled, see following code path: + + tracing_read_pipe() { + ... ... + waitagain: + tracing_wait_pipe() // 1. find non-empty buffer here + trace_find_next_entry_inc() // 2. 
loop here try to find an entry + __find_next_entry() + ring_buffer_empty_cpu(); // 3. find non-empty buffer + peek_next_entry() // 4. but peek always return NULL + ring_buffer_peek() + rb_buffer_peek() + rb_get_reader_page() + // 5. because rb_num_of_entries() == 0 always true here + // then return NULL + // 6. user buffer not been filled so goto 'waitgain' + // and eventually leads to an deadloop in kernel!!! + } + +By some analyzing, I found that when resetting ringbuffer, the 'entries' +of its pages are not all cleared (see rb_reset_cpu()). Then when reducing +the ringbuffer, and if some reduced pages exist dirty 'entries' data, they +will be added into 'cpu_buffer->overrun' (see rb_remove_pages()), which +cause wrong 'overrun' count and eventually cause the deadloop issue. + +To fix it, we need to clear every pages in rb_reset_cpu(). + +Link: https://lore.kernel.org/linux-trace-kernel/20230708225144.3785600-1-zhengyejian1@huawei.com + +Cc: stable@vger.kernel.org +Fixes: a5fb833172eca ("ring-buffer: Fix uninitialized read_stamp") +Signed-off-by: Zheng Yejian +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -4408,28 +4408,34 @@ unsigned long ring_buffer_size(struct ri + } + EXPORT_SYMBOL_GPL(ring_buffer_size); + ++static void rb_clear_buffer_page(struct buffer_page *page) ++{ ++ local_set(&page->write, 0); ++ local_set(&page->entries, 0); ++ rb_init_page(page->page); ++ page->read = 0; ++} ++ + static void + rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) + { ++ struct buffer_page *page; ++ + rb_head_page_deactivate(cpu_buffer); + + cpu_buffer->head_page + = list_entry(cpu_buffer->pages, struct buffer_page, list); +- local_set(&cpu_buffer->head_page->write, 0); +- local_set(&cpu_buffer->head_page->entries, 0); +- 
local_set(&cpu_buffer->head_page->page->commit, 0); +- +- cpu_buffer->head_page->read = 0; ++ rb_clear_buffer_page(cpu_buffer->head_page); ++ list_for_each_entry(page, cpu_buffer->pages, list) { ++ rb_clear_buffer_page(page); ++ } + + cpu_buffer->tail_page = cpu_buffer->head_page; + cpu_buffer->commit_page = cpu_buffer->head_page; + + INIT_LIST_HEAD(&cpu_buffer->reader_page->list); + INIT_LIST_HEAD(&cpu_buffer->new_pages); +- local_set(&cpu_buffer->reader_page->write, 0); +- local_set(&cpu_buffer->reader_page->entries, 0); +- local_set(&cpu_buffer->reader_page->page->commit, 0); +- cpu_buffer->reader_page->read = 0; ++ rb_clear_buffer_page(cpu_buffer->reader_page); + + local_set(&cpu_buffer->entries_bytes, 0); + local_set(&cpu_buffer->overrun, 0); diff --git a/tmp-4.19/rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch b/tmp-4.19/rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch new file mode 100644 index 00000000000..d0194733391 --- /dev/null +++ b/tmp-4.19/rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch 
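Review bot: rb_reset_cpu() clears `cpu_buffer->head_page` by hand and then walks `list_for_each_entry(page, cpu_buffer->pages, list)`, which looks redundant unless the reader knows the walk skips one page. `cpu_buffer->pages` is used just above as a node embedded in a `struct buffer_page` (`list_entry(cpu_buffer->pages, struct buffer_page, list)`), so using it as the list head makes the iterator visit every page except that one. A comment above the explicit call would keep someone from deleting it later: `/* pages points at the head page's own list node, so the walk below never visits it */`. The braces around the single-statement loop body can be dropped to match the rest of the function.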
@@ -0,0 +1,40 @@
+From d374daa9cdec916607584105f5d15a6cd42696a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jun 2023 21:11:42 +0200
+Subject: rtc: st-lpc: Release some resources in st_rtc_probe() in case of
+ error
+
+From: Christophe JAILLET
+
+[ Upstream commit 06c6e1b01d9261f03629cefd1f3553503291e6cf ]
+
+If an error occurs after clk_get(), the corresponding resources should be
+released.
+
+Use devm_clk_get() to fix it.
+
+Fixes: b5b2bdfc2893 ("rtc: st: Add new driver for ST's LPC RTC")
+Signed-off-by: Christophe JAILLET
+Link: https://lore.kernel.org/r/866af6adbc7454a7b4505eb6c28fbdc86ccff39e.1686251455.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Sasha Levin
+---
+ drivers/rtc/rtc-st-lpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-st-lpc.c b/drivers/rtc/rtc-st-lpc.c
+index e66439b6247a4..e8a8ca3545f00 100644
+--- a/drivers/rtc/rtc-st-lpc.c
++++ b/drivers/rtc/rtc-st-lpc.c
+@@ -239,7 +239,7 @@ static int st_rtc_probe(struct platform_device *pdev)
+ enable_irq_wake(rtc->irq);
+ disable_irq(rtc->irq);
+
+- rtc->clk = clk_get(&pdev->dev, NULL);
++ rtc->clk = devm_clk_get(&pdev->dev, NULL);
+ if (IS_ERR(rtc->clk)) {
+ dev_err(&pdev->dev, "Unable to request clock\n");
+ return PTR_ERR(rtc->clk);
+--
+2.39.2
+
diff --git a/tmp-4.19/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch b/tmp-4.19/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch
new file mode 100644
index 00000000000..109b15337ed
--- /dev/null
+++ b/tmp-4.19/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch
@@ -0,0 +1,36 @@
+From 1bc2f94406b03808f08a0f4b770a725753a34849 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 May 2023 16:50:58 +0800
+Subject: samples/bpf: Fix buffer overflow in tcp_basertt
+
+From: Pengcheng Yang
+
+[ Upstream commit f4dea9689c5fea3d07170c2cb0703e216f1a0922 ]
+
+Using sizeof(nv) or strlen(nv)+1 is correct.
+
+Fixes: c890063e4404 ("bpf: sample BPF_SOCKET_OPS_BASE_RTT program")
+Signed-off-by: Pengcheng Yang
+Link: https://lore.kernel.org/r/1683276658-2860-1-git-send-email-yangpc@wangsu.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ samples/bpf/tcp_basertt_kern.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/bpf/tcp_basertt_kern.c b/samples/bpf/tcp_basertt_kern.c
+index 4bf4fc597db9a..653d233714ad0 100644
+--- a/samples/bpf/tcp_basertt_kern.c
++++ b/samples/bpf/tcp_basertt_kern.c
+@@ -54,7 +54,7 @@ int bpf_basertt(struct bpf_sock_ops *skops)
+ case BPF_SOCK_OPS_BASE_RTT:
+ n = bpf_getsockopt(skops, SOL_TCP, TCP_CONGESTION,
+ cong, sizeof(cong));
+- if (!n && !__builtin_memcmp(cong, nv, sizeof(nv)+1)) {
++ if (!n && !__builtin_memcmp(cong, nv, sizeof(nv))) {
+ /* Set base_rtt to 80us */
+ rv = 80;
+ } else if (n) {
+--
+2.39.2
+
diff --git a/tmp-4.19/sched-fair-don-t-balance-task-to-its-current-running.patch b/tmp-4.19/sched-fair-don-t-balance-task-to-its-current-running.patch
new file mode 100644
index 00000000000..10c3af2ae82
--- /dev/null
+++ b/tmp-4.19/sched-fair-don-t-balance-task-to-its-current-running.patch
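Review bot: The corrected length `sizeof(nv)` in the `__builtin_memcmp()` call is right only if `nv` is a char array, in which case it already counts the terminating NUL and the compare is an exact-match test; the old `+1` read one byte past it. The declarations of `nv` and `cong` are outside the hunk, so it cannot be confirmed here that `cong` is at least as large as `nv`, which the compare also needs. A one-line comment above the `if` would record both assumptions: `/* sizeof(nv) includes the NUL; cong must hold at least sizeof(nv) bytes */`. bpf_basertt() starts and ends outside the hunk.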
@@ -0,0 +1,96 @@ +From 29445fe25db278af2e1f337c9529eeae5d380b35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 16:25:07 +0800 +Subject: sched/fair: Don't balance task to its current running CPU + +From: Yicong Yang + +[ Upstream commit 0dd37d6dd33a9c23351e6115ae8cdac7863bc7de ] + +We've run into the case that the balancer tries to balance a migration +disabled task and trigger the warning in set_task_cpu() like below: + + ------------[ cut here ]------------ + WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240 + Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip> + CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1 + Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021 + pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : set_task_cpu+0x188/0x240 + lr : load_balance+0x5d0/0xc60 + sp : ffff80000803bc70 + x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040 + x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001 + x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78 + x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000 + x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000 + x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530 + x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e + x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a + x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001 + Call trace: + set_task_cpu+0x188/0x240 + load_balance+0x5d0/0xc60 + rebalance_domains+0x26c/0x380 + _nohz_idle_balance.isra.0+0x1e0/0x370 + run_rebalance_domains+0x6c/0x80 + __do_softirq+0x128/0x3d8 + ____do_softirq+0x18/0x24 + call_on_irq_stack+0x2c/0x38 + do_softirq_own_stack+0x24/0x3c + __irq_exit_rcu+0xcc/0xf4 + irq_exit_rcu+0x18/0x24 + 
el1_interrupt+0x4c/0xe4 + el1h_64_irq_handler+0x18/0x2c + el1h_64_irq+0x74/0x78 + arch_cpu_idle+0x18/0x4c + default_idle_call+0x58/0x194 + do_idle+0x244/0x2b0 + cpu_startup_entry+0x30/0x3c + secondary_start_kernel+0x14c/0x190 + __secondary_switched+0xb0/0xb4 + ---[ end trace 0000000000000000 ]--- + +Further investigation shows that the warning is superfluous, the migration +disabled task is just going to be migrated to its current running CPU. +This is because that on load balance if the dst_cpu is not allowed by the +task, we'll re-select a new_dst_cpu as a candidate. If no task can be +balanced to dst_cpu we'll try to balance the task to the new_dst_cpu +instead. In this case when the migration disabled task is not on CPU it +only allows to run on its current CPU, load balance will select its +current CPU as new_dst_cpu and later triggers the warning above. + +The new_dst_cpu is chosen from the env->dst_grpmask. Currently it +contains CPUs in sched_group_span() and if we have overlapped groups it's +possible to run into this case. This patch makes env->dst_grpmask of +group_balance_mask() which exclude any CPUs from the busiest group and +solve the issue. For balancing in a domain with no overlapped groups +the behaviour keeps same as before. 
+ +Suggested-by: Vincent Guittot +Signed-off-by: Yicong Yang +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Vincent Guittot +Link: https://lore.kernel.org/r/20230530082507.10444-1-yangyicong@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index eb67f42fb96ba..09f82c84474b8 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -8721,7 +8721,7 @@ static int load_balance(int this_cpu, struct rq *this_rq, + .sd = sd, + .dst_cpu = this_cpu, + .dst_rq = this_rq, +- .dst_grpmask = sched_group_span(sd->groups), ++ .dst_grpmask = group_balance_mask(sd->groups), + .idle = idle, + .loop_break = sched_nr_migrate_break, + .cpus = cpus, +-- +2.39.2 + diff --git a/tmp-4.19/scripts-tags.sh-resolve-gtags-empty-index-generation.patch b/tmp-4.19/scripts-tags.sh-resolve-gtags-empty-index-generation.patch new file mode 100644 index 00000000000..051af99d720 --- /dev/null +++ b/tmp-4.19/scripts-tags.sh-resolve-gtags-empty-index-generation.patch 
@@ -0,0 +1,65 @@
+From e1b37563caffc410bb4b55f153ccb14dede66815 Mon Sep 17 00:00:00 2001
+From: "Ahmed S. Darwish"
+Date: Mon, 15 May 2023 19:32:16 +0200
+Subject: scripts/tags.sh: Resolve gtags empty index generation
+
+From: Ahmed S. Darwish
+
+commit e1b37563caffc410bb4b55f153ccb14dede66815 upstream.
+
+gtags considers any file outside of its current working directory
+"outside the source tree" and refuses to index it. For O= kernel builds,
+or when "make" is invoked from a directory other then the kernel source
+tree, gtags ignores the entire kernel source and generates an empty
+index.
+
+Force-set gtags current working directory to the kernel source tree.
+
+Due to commit 9da0763bdd82 ("kbuild: Use relative path when building in
+a subdir of the source tree"), if the kernel build is done in a
+sub-directory of the kernel source tree, the kernel Makefile will set
+the kernel's $srctree to ".." for shorter compile-time and run-time
+warnings. Consequently, the list of files to be indexed will be in the
+"../*" form, rendering all such paths invalid once gtags switches to the
+kernel source tree as its current working directory.
+
+If gtags indexing is requested and the build directory is not the kernel
+source tree, index all files in absolute-path form.
+
+Note, indexing in absolute-path form will not affect the generated
+index, as paths in gtags indices are always relative to the gtags "root
+directory" anyway (as evidenced by "gtags --dump").
+
+Signed-off-by: Ahmed S. Darwish
+Cc:
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/tags.sh | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/scripts/tags.sh
++++ b/scripts/tags.sh
+@@ -28,6 +28,13 @@ fi
+ # ignore userspace tools
+ ignore="$ignore ( -path ${tree}tools ) -prune -o"
+
++# gtags(1) refuses to index any file outside of its current working dir.
++# If gtags indexing is requested and the build output directory is not
++# the kernel source tree, index all files in absolute-path form.
++if [[ "$1" == "gtags" && -n "${tree}" ]]; then
++ tree=$(realpath "$tree")/
++fi
++
+ # Detect if ALLSOURCE_ARCHS is set. If not, we assume SRCARCH
+ if [ "${ALLSOURCE_ARCHS}" = "" ]; then
+ ALLSOURCE_ARCHS=${SRCARCH}
+@@ -136,7 +143,7 @@ docscope()
+
+ dogtags()
+ {
+- all_target_sources | gtags -i -f -
++ all_target_sources | gtags -i -C "${tree:-.}" -f - "$PWD"
+ }
+
+ # Basic regular expressions with an optional /kind-spec/ for ctags and
diff --git a/tmp-4.19/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch b/tmp-4.19/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch
new file mode 100644
index 00000000000..bb38bc4df30
--- /dev/null
+++ b/tmp-4.19/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch
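Review bot: `tree=$(realpath "$tree")/` does not check whether realpath succeeded; if the command fails or is not installed, `tree` becomes `/` and the `${tree}`-prefixed paths built from it (for example `-path ${tree}tools` in the context lines above) would refer to the filesystem root instead of the kernel tree. Stopping early is safer: `tree=$(realpath "$tree") || exit 1` followed by `tree=$tree/`. The `[[ ... ]]` test also requires bash; the script's interpreter line is outside the hunk, so that is worth confirming.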
@@ -0,0 +1,47 @@
+From a2a994777eca5a7c0463e65c84a199840479c744 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 May 2023 22:12:55 +0800
+Subject: scsi: 3w-xxxx: Add error handling for initialization failure in
+ tw_probe()
+
+From: Yuchen Yang
+
+[ Upstream commit 2e2fe5ac695a00ab03cab4db1f4d6be07168ed9d ]
+
+Smatch complains that:
+
+tw_probe() warn: missing error code 'retval'
+
+This patch adds error checking to tw_probe() to handle initialization
+failure. If tw_reset_sequence() function returns a non-zero value, the
+function will return -EINVAL to indicate initialization failure.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yuchen Yang
+Link: https://lore.kernel.org/r/20230505141259.7730-1-u202114568@hust.edu.cn
+Reviewed-by: Dan Carpenter
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/3w-xxxx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
+index 471366945bd4f..8a61e832607eb 100644
+--- a/drivers/scsi/3w-xxxx.c
++++ b/drivers/scsi/3w-xxxx.c
+@@ -2303,8 +2303,10 @@ static int tw_probe(struct pci_dev *pdev, const struct pci_device_id *dev_id)
+ TW_DISABLE_INTERRUPTS(tw_dev);
+
+ /* Initialize the card */
+- if (tw_reset_sequence(tw_dev))
++ if (tw_reset_sequence(tw_dev)) {
++ retval = -EINVAL;
+ goto out_release_mem_region;
++ }
+
+ /* Set host specific parameters */
+ host->max_id = TW_MAX_UNITS;
+--
+2.39.2
+
diff --git a/tmp-4.19/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch b/tmp-4.19/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
new file mode 100644
index 00000000000..5f6202254b3
--- /dev/null
+++ b/tmp-4.19/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
@@ -0,0 +1,37 @@
+From af73f23a27206ffb3c477cac75b5fcf03410556e Mon Sep 17 00:00:00 2001
+From: Nilesh Javali
+Date: Wed, 7 Jun 2023 17:08:39 +0530
+Subject: scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
+
+From: Nilesh Javali
+
+commit af73f23a27206ffb3c477cac75b5fcf03410556e upstream.
+
+Klocwork reported warning of rport maybe NULL and will be dereferenced.
+rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced.
+
+Check valid rport returned by fc_bsg_to_rport().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-5-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -264,6 +264,10 @@ qla2x00_process_els(struct bsg_job *bsg_
+
+ if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+ rport = fc_bsg_to_rport(bsg_job);
++ if (!rport) {
++ rval = -ENOMEM;
++ goto done;
++ }
+ fcport = *(fc_port_t **) rport->dd_data;
+ host = rport_to_shost(rport);
+ vha = shost_priv(host);
diff --git a/tmp-4.19/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch b/tmp-4.19/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
new file mode 100644
index 00000000000..fc83ca5c714
--- /dev/null
+++ b/tmp-4.19/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
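Review bot: `rval = -ENOMEM` reports a missing rport as an allocation failure, although nothing is allocated on this path; an errno that describes the condition, for example `rval = -EINVAL;`, would be less misleading to whoever reads the bsg error. The companion check added to qla24xx_bsg_request() (the qla_bsg.c hunk at -2488) returns `ret` instead, and `ret` is set outside that hunk, so the two NULL-rport paths may report different errors for the same condition. The `done` label is also outside this hunk; it should be confirmed that it does not use `fcport`, `host` or `vha`, which have not yet been assigned from `rport` when this jump is taken.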
@@ -0,0 +1,35 @@
+From 464ea494a40c6e3e0e8f91dd325408aaf21515ba Mon Sep 17 00:00:00 2001
+From: Bikash Hazarika
+Date: Wed, 7 Jun 2023 17:08:37 +0530
+Subject: scsi: qla2xxx: Fix potential NULL pointer dereference
+
+From: Bikash Hazarika
+
+commit 464ea494a40c6e3e0e8f91dd325408aaf21515ba upstream.
+
+Klocwork tool reported 'cur_dsd' may be dereferenced. Add fix to validate
+pointer before dereferencing the pointer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bikash Hazarika
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-3-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_iocb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -603,7 +603,8 @@ qla24xx_build_scsi_type_6_iocbs(srb_t *s
+ *((uint32_t *)(&cmd_pkt->entry_type)) = cpu_to_le32(COMMAND_TYPE_6);
+
+ /* No data transfer */
+- if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE) {
++ if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE ||
++ tot_dsds == 0) {
+ cmd_pkt->byte_count = cpu_to_le32(0);
+ return 0;
+ }
diff --git a/tmp-4.19/scsi-qla2xxx-pointer-may-be-dereferenced.patch b/tmp-4.19/scsi-qla2xxx-pointer-may-be-dereferenced.patch
new file mode 100644
index 00000000000..bac98cf9cbc
--- /dev/null
+++ b/tmp-4.19/scsi-qla2xxx-pointer-may-be-dereferenced.patch
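Review bot: With `tot_dsds == 0` folded into the "No data transfer" condition, a command whose `scsi_bufflen(cmd)` is non-zero and whose direction is not `DMA_NONE` now returns 0 with `byte_count` set to 0, so a request that carries data would be built as a no-data command and reported as success. If callers can never pass a zero DSD count for such a command, a comment should say so, e.g. `/* No data transfer, or caller supplied no data segment descriptors */`; otherwise that combination looks like it deserves its own error return. The rest of qla24xx_build_scsi_type_6_iocbs(), including the `cur_dsd` use the commit message refers to, is outside the hunk.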
@@ -0,0 +1,36 @@
+From 00eca15319d9ce8c31cdf22f32a3467775423df4 Mon Sep 17 00:00:00 2001
+From: Shreyas Deodhar
+Date: Wed, 7 Jun 2023 17:08:41 +0530
+Subject: scsi: qla2xxx: Pointer may be dereferenced
+
+From: Shreyas Deodhar
+
+commit 00eca15319d9ce8c31cdf22f32a3467775423df4 upstream.
+
+Klocwork tool reported pointer 'rport' returned from call to function
+fc_bsg_to_rport() may be NULL and will be dereferenced.
+
+Add a fix to validate rport before dereferencing.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Shreyas Deodhar
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -2488,6 +2488,8 @@ qla24xx_bsg_request(struct bsg_job *bsg_
+
+ if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+ rport = fc_bsg_to_rport(bsg_job);
++ if (!rport)
++ return ret;
+ host = rport_to_shost(rport);
+ vha = shost_priv(host);
+ } else {
diff --git a/tmp-4.19/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch b/tmp-4.19/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
new file mode 100644
index 00000000000..045198311f1
--- /dev/null
+++ b/tmp-4.19/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
@@ -0,0 +1,71 @@
+From fc0cba0c7be8261a1625098bd1d695077ec621c9 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Fri, 28 Apr 2023 00:53:38 -0700
+Subject: scsi: qla2xxx: Wait for io return on terminate rport
+
+From: Quinn Tran
+
+commit fc0cba0c7be8261a1625098bd1d695077ec621c9 upstream.
+
+System crash due to use after free.
+Current code allows terminate_rport_io to exit before making
+sure all IOs has returned. For FCP-2 device, IO's can hang
+on in HW because driver has not tear down the session in FW at
+first sign of cable pull. When dev_loss_tmo timer pops,
+terminate_rport_io is called and upper layer is about to
+free various resources. Terminate_rport_io trigger qla to do
+the final cleanup, but the cleanup might not be fast enough where it
+leave qla still holding on to the same resource.
+
+Wait for IO's to return to upper layer before resources are freed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230428075339.32551-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -1800,6 +1800,7 @@ static void
+ qla2x00_terminate_rport_io(struct fc_rport *rport)
+ {
+ fc_port_t *fcport = *(fc_port_t **)rport->dd_data;
++ scsi_qla_host_t *vha;
+
+ if (!fcport)
+ return;
+@@ -1809,9 +1810,12 @@ qla2x00_terminate_rport_io(struct fc_rpo
+
+ if (test_bit(ABORT_ISP_ACTIVE, &fcport->vha->dpc_flags))
+ return;
++ vha = fcport->vha;
+
+ if (unlikely(pci_channel_offline(fcport->vha->hw->pdev))) {
+ qla2x00_abort_all_cmds(fcport->vha, DID_NO_CONNECT << 16);
++ qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24,
++ 0, WAIT_TARGET);
+ return;
+ }
+ /*
+@@ -1826,6 +1830,15 @@ qla2x00_terminate_rport_io(struct fc_rpo
+ else
+ qla2x00_port_logout(fcport->vha, fcport);
+ }
++
++ /* check for any straggling io left behind */
++ if (qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24, 0, WAIT_TARGET)) {
++ ql_log(ql_log_warn, vha, 0x300b,
++ "IO not return. Resetting. \n");
++ set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags);
++ qla2xxx_wake_dpc(vha);
++ qla2x00_wait_for_chip_reset(vha);
++ }
+ }
+
+ static int
diff --git a/tmp-4.19/sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch b/tmp-4.19/sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch
new file mode 100644
index 00000000000..520d8f9c9d2
--- /dev/null
+++ b/tmp-4.19/sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch
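Review bot: In the `pci_channel_offline()` branch the result of `qla2x00_eh_wait_for_pending_commands()` is discarded and the function returns regardless, so if commands are still outstanding when the wait gives up, the upper layer goes on to free the resources the commit message says must not be freed yet. The same holds for `qla2x00_wait_for_chip_reset(vha)` in the final block, whose return value is also ignored. At minimum both results should be checked and a warning logged when the wait fails, so that a remaining use-after-free window is visible in the logs. The new code also mixes `fcport->vha` and the new local `vha` for the same pointer; using `vha` throughout once it is assigned would read more consistently. The function body is split across three inner hunks and is not fully visible here.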
@@ -0,0 +1,57 @@
+From 046a3289610ded808adcf4dea37c0170b26f779e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Jun 2023 12:03:40 +0000
+Subject: sctp: fix potential deadlock on &net->sctp.addr_wq_lock
+
+From: Chengfeng Ye
+
+[ Upstream commit 6feb37b3b06e9049e20dcf7e23998f92c9c5be9a ]
+
+As &net->sctp.addr_wq_lock is also acquired by the timer
+sctp_addr_wq_timeout_handler() in protocal.c, the same lock acquisition
+at sctp_auto_asconf_init() seems should disable irq since it is called
+from sctp_accept() under process context.
+
+Possible deadlock scenario:
+sctp_accept()
+ -> sctp_sock_migrate()
+ -> sctp_auto_asconf_init()
+ -> spin_lock(&net->sctp.addr_wq_lock)
+
+ -> sctp_addr_wq_timeout_handler()
+ -> spin_lock_bh(&net->sctp.addr_wq_lock); (deadlock here)
+
+This flaw was found using an experimental static analysis tool we are
+developing for irq-related deadlock.
+
+The tentative patch fix the potential deadlock by spin_lock_bh().
+
+Signed-off-by: Chengfeng Ye
+Fixes: 34e5b0118685 ("sctp: delay auto_asconf init until binding the first addr")
+Acked-by: Xin Long
+Link: https://lore.kernel.org/r/20230627120340.19432-1-dg573847474@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/sctp/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index a68f3d6b72335..baa825751c393 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -380,9 +380,9 @@ static void sctp_auto_asconf_init(struct sctp_sock *sp)
+ struct net *net = sock_net(&sp->inet.sk);
+
+ if (net->sctp.default_auto_asconf) {
+- spin_lock(&net->sctp.addr_wq_lock);
++ spin_lock_bh(&net->sctp.addr_wq_lock);
+ list_add_tail(&sp->auto_asconf_list, &net->sctp.auto_asconf_splist);
+- spin_unlock(&net->sctp.addr_wq_lock);
++ spin_unlock_bh(&net->sctp.addr_wq_lock);
+ sp->do_auto_asconf = 1;
+ }
+ }
+--
+2.39.2
+
diff --git a/tmp-4.19/serial-atmel-don-t-enable-irqs-prematurely.patch b/tmp-4.19/serial-atmel-don-t-enable-irqs-prematurely.patch
new file mode 100644
index 00000000000..039f8368a29
--- /dev/null
+++ b/tmp-4.19/serial-atmel-don-t-enable-irqs-prematurely.patch
@@ -0,0 +1,45 @@
+From 27a826837ec9a3e94cc44bd9328b8289b0fcecd7 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 19 Jun 2023 12:45:17 +0300
+Subject: serial: atmel: don't enable IRQs prematurely
+
+From: Dan Carpenter
+
+commit 27a826837ec9a3e94cc44bd9328b8289b0fcecd7 upstream.
+
+The atmel_complete_tx_dma() function disables IRQs at the start
+of the function by calling spin_lock_irqsave(&port->lock, flags);
+There is no need to disable them a second time using the
+spin_lock_irq() function and, in fact, doing so is a bug because
+it will enable IRQs prematurely when we call spin_unlock_irq().
+
+Just use spin_lock/unlock() instead without disabling or enabling
+IRQs.
+
+Fixes: 08f738be88bb ("serial: at91: add tx dma support")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Jiri Slaby
+Acked-by: Richard Genoud
+Link: https://lore.kernel.org/r/cb7c39a9-c004-4673-92e1-be4e34b85368@moroto.mountain
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/atmel_serial.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -791,11 +791,11 @@ static void atmel_complete_tx_dma(void *
+
+ port->icount.tx += atmel_port->tx_len;
+
+- spin_lock_irq(&atmel_port->lock_tx);
++ spin_lock(&atmel_port->lock_tx);
+ async_tx_ack(atmel_port->desc_tx);
+ atmel_port->cookie_tx = -EINVAL;
+ atmel_port->desc_tx = NULL;
+- spin_unlock_irq(&atmel_port->lock_tx);
++ spin_unlock(&atmel_port->lock_tx);
+
+ if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
+ uart_write_wakeup(port);
diff --git a/tmp-4.19/series b/tmp-4.19/series
new file mode 100644
index 00000000000..1227dca86ae
--- /dev/null
+++ b/tmp-4.19/series
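Review bot: The plain `spin_lock(&atmel_port->lock_tx)` is only correct while the `spin_lock_irqsave(&port->lock, flags)` described in the commit message is held, and that call is outside the hunk, so the dependency is invisible at the lock site. A one-line comment above it, such as `/* port->lock is held with IRQs disabled; do not use the _irq variants here */`, or a `lockdep_assert_irqs_disabled();` before the lock, would keep a later edit from reintroducing the early IRQ enable. atmel_complete_tx_dma() starts and ends outside the hunk.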
@@ -0,0 +1,220 @@ +gfs2-don-t-deref-jdesc-in-evict.patch +x86-microcode-amd-load-late-on-both-threads-too.patch +x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch +video-imsttfb-check-for-ioremap-failures.patch +fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch +drm-edid-fix-uninitialized-variable-in-drm_cvt_modes.patch +scripts-tags.sh-resolve-gtags-empty-index-generation.patch +drm-amdgpu-validate-vm-ioctl-flags.patch +treewide-remove-uninitialized_var-usage.patch +md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch +md-raid10-fix-overflow-of-md-safe_mode_delay.patch +md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch +md-raid10-fix-io-loss-while-replacement-replace-rdev.patch +irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch +irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch +clocksource-drivers-unify-the-names-to-timer-format.patch +clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch +clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch +pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch +arm-9303-1-kprobes-avoid-missing-declaration-warning.patch +evm-complete-description-of-evm_inode_setattr.patch +wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch +wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch +samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch +wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch +nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch +nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch +wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch +wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch +wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch +wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch +wl3501_cs-remove-unnecessary-null-check.patch +wl3501_cs-fix-misspelling-and-provide-missing-docume.patch +net-create-netdev-dev_addr-assignment-helpers.patch +wl3501_cs-use-eth_hw_addr_set.patch 
+wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch +wifi-ray_cs-utilize-strnlen-in-parse_addr.patch +wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch +wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch +wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch +wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch +watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch +watchdog-perf-more-properly-prevent-false-positives-.patch +kexec-fix-a-memory-leak-in-crash_shrink_memory.patch +memstick-r592-make-memstick_debug_get_tpc_name-stati.patch +wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch +wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch +netlink-fix-potential-deadlock-in-netlink_set_err.patch +netlink-do-not-hard-code-device-address-lenth-in-fdb.patch +gtp-fix-use-after-free-in-__gtp_encap_destroy.patch +lib-ts_bm-reset-initial-match-offset-for-every-block.patch +netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch +ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch +netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch +radeon-avoid-double-free-in-ci_dpm_init.patch +input-drv260x-sleep-between-polling-go-bit.patch +arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch +input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch +drm-panel-simple-fix-active-size-for-ampire-am-48027.patch +arm-ep93xx-fix-missing-prototype-warnings.patch +asoc-es8316-increment-max-value-for-alc-capture-targ.patch +soc-fsl-qe-fix-usb.c-build-errors.patch +ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch +arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch +fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch +drm-radeon-fix-possible-division-by-zero-errors.patch +alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch +scsi-3w-xxxx-add-error-handling-for-initialization-f.patch +pci-add-pci_clear_master-stub-for-non-config_pci.patch +pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch 
+perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch +pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch +hwrng-virtio-add-an-internal-buffer.patch +hwrng-virtio-don-t-wait-on-cleanup.patch +hwrng-virtio-don-t-waste-entropy.patch +hwrng-virtio-always-add-a-pending-request.patch +hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch +crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch +modpost-fix-section-mismatch-message-for-r_arm_abs32.patch +modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch +arcv2-entry-comments-about-hardware-auto-save-on-tak.patch +arcv2-entry-push-out-the-z-flag-unclobber-from-commo.patch +arcv2-entry-avoid-a-branch.patch +arcv2-entry-rewrite-to-enable-use-of-double-load-sto.patch +arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch +usb-serial-option-add-lara-r6-01b-pids.patch +block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch +w1-fix-loop-in-w1_fini.patch +sh-j2-use-ioremap-to-translate-device-tree-address-i.patch +media-usb-check-az6007_read-return-value.patch +media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch +media-usb-siano-fix-warning-due-to-null-work_func_t-.patch +extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch +extcon-fix-kernel-doc-of-property-capability-fields-.patch +usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch +mfd-rt5033-drop-rt5033-battery-sub-device.patch +kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch +mfd-intel-lpss-add-missing-check-for-platform_get_re.patch +mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch +rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch +sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch +add-module_firmware-for-firmware_tg357766.patch +spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch +mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch +f2fs-fix-error-path-handling-in-truncate_dnode.patch +powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch 
+net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch +tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch +net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch +sh-dma-fix-dma-channel-offset-calculation.patch +i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch +i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch +alsa-jack-fix-mutex-call-in-snd_jack_report.patch +nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch +mmc-core-disable-trim-on-kingston-emmc04g-m627.patch +mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch +bcache-remove-unnecessary-null-point-check-in-node-allocations.patch +integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch +jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch +btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch +arm-orion5x-fix-d2net-gpio-initialization.patch +spi-spi-fsl-spi-remove-always-true-conditional-in-fsl_spi_do_one_msg.patch +spi-spi-fsl-spi-relax-message-sanity-checking-a-little.patch +spi-spi-fsl-spi-allow-changing-bits_per_word-while-cs-is-still-active.patch +netfilter-nf_tables-fix-nat-hook-table-deletion.patch +netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch +netfilter-nftables-add-helper-function-to-set-the-base-sequence-number.patch +netfilter-add-helper-function-to-set-up-the-nfnetlink-header-and-use-it.patch +netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch +netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch +netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch +netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch +netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch +netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch +netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch +netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch 
+net-lan743x-don-t-sleep-in-atomic-context.patch +workqueue-clean-up-work_-constant-types-clarify-masking.patch +net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch +vrf-increment-icmp6inmsgs-on-the-original-netdev.patch +icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch +udp6-fix-udp6_ehashfn-typo.patch +ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch +ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch +ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch +ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch +ntb-ntb_tool-add-check-for-devm_kcalloc.patch +ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch +wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch +net-sched-make-psched_mtu-rtnl-less-safe.patch +pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch +pinctrl-amd-detect-internal-gpio0-debounce-handling.patch +pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch +tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch +net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch +sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch +perf-intel-pt-fix-cyc-timestamps-after-standalone-cbr.patch +ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch +ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch +ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch +jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch +pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch +pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch +pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch +pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch +pci-rockchip-write-pci-device-id-to-correct-register.patch +pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch +pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch 
+pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch +misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch +misc-pci_endpoint_test-re-init-completion-for-every-test.patch +md-raid0-add-discard-support-for-the-original-layout.patch +fs-dlm-return-positive-pid-value-for-f_getlk.patch +serial-atmel-don-t-enable-irqs-prematurely.patch +hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch +ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch +meson-saradc-fix-clock-divider-mask-length.patch +revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch +tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch +tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch +ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch +xtensa-iss-fix-call-to-split_if_spec.patch +scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch +scsi-qla2xxx-fix-potential-null-pointer-dereference.patch +scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch +scsi-qla2xxx-pointer-may-be-dereferenced.patch +drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch +tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch +perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch +fuse-revalidate-don-t-invalidate-if-interrupted.patch +can-bcm-fix-uaf-in-bcm_proc_show.patch +ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch +debugobjects-recheck-debug_objects_enabled-before-re.patch +nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch +md-fix-data-corruption-for-raid456-when-reshape-rest.patch +md-raid10-prevent-soft-lockup-while-flush-writes.patch +posix-timers-ensure-timer-id-search-loop-limit-is-va.patch +sched-fair-don-t-balance-task-to-its-current-running.patch +bpf-address-kcsan-report-on-bpf_lru_list.patch +wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch 
+wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch +igb-fix-igb_down-hung-on-surprise-removal.patch +spi-bcm63xx-fix-max-prepend-length.patch +fbdev-imxfb-warn-about-invalid-left-right-margin.patch +pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch +net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch +net-ipv6-check-return-value-of-pskb_trim.patch +revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch +fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch +llc-don-t-drop-packet-from-non-root-netns.patch +netfilter-nf_tables-fix-spurious-set-element-inserti.patch +netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch +net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch +tcp-annotate-data-races-around-tp-linger2.patch +tcp-annotate-data-races-around-rskq_defer_accept.patch +tcp-annotate-data-races-around-tp-notsent_lowat.patch +tcp-annotate-data-races-around-fastopenq.max_qlen.patch +tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch +x86-cpu-amd-move-the-errata-checking-functionality-up.patch +x86-cpu-amd-add-a-zenbleed-fix.patch diff --git a/tmp-4.19/sh-dma-fix-dma-channel-offset-calculation.patch b/tmp-4.19/sh-dma-fix-dma-channel-offset-calculation.patch new file mode 100644 index 00000000000..4bbc56d6a09 --- /dev/null +++ b/tmp-4.19/sh-dma-fix-dma-channel-offset-calculation.patch 
@@ -0,0 +1,103 @@
+From 19649fbbfd10504ba897ed154b1459a13e5128e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 27 May 2023 18:44:50 +0200
+Subject: sh: dma: Fix DMA channel offset calculation
+
+From: Artur Rojek
+
+[ Upstream commit e82e47584847129a20b8c9f4a1dcde09374fb0e0 ]
+
+Various SoCs of the SH3, SH4 and SH4A family, which use this driver,
+feature a differing number of DMA channels, which can be distributed
+between up to two DMAC modules. The existing implementation fails to
+correctly accommodate for all those variations, resulting in wrong
+channel offset calculations and leading to kernel panics.
+
+Rewrite dma_base_addr() in order to properly calculate channel offsets
+in a DMAC module. Fix dmaor_read_reg() and dmaor_write_reg(), so that
+the correct DMAC module base is selected for the DMAOR register.
+
+Fixes: 7f47c7189b3e8f19 ("sh: dma: More legacy cpu dma chainsawing.")
+Signed-off-by: Artur Rojek
+Reviewed-by: Geert Uytterhoeven
+Reviewed-by: John Paul Adrian Glaubitz
+Link: https://lore.kernel.org/r/20230527164452.64797-2-contact@artur-rojek.eu
+Signed-off-by: John Paul Adrian Glaubitz
+Signed-off-by: Sasha Levin
+---
+ arch/sh/drivers/dma/dma-sh.c | 37 +++++++++++++++++++++++------------
+ 1 file changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/arch/sh/drivers/dma/dma-sh.c b/arch/sh/drivers/dma/dma-sh.c
+index afde2a7d3eb35..e0679d8a9b34b 100644
+--- a/arch/sh/drivers/dma/dma-sh.c
++++ b/arch/sh/drivers/dma/dma-sh.c
+@@ -21,6 +21,18 @@
+ #include
+ #include
+
++/*
++ * Some of the SoCs feature two DMAC modules. In such a case, the channels are
++ * distributed equally among them.
++ */
++#ifdef SH_DMAC_BASE1
++#define SH_DMAC_NR_MD_CH (CONFIG_NR_ONCHIP_DMA_CHANNELS / 2)
++#else
++#define SH_DMAC_NR_MD_CH CONFIG_NR_ONCHIP_DMA_CHANNELS
++#endif
++
++#define SH_DMAC_CH_SZ 0x10
++
+ /*
+ * Define the default configuration for dual address memory-memory transfer.
+ * The 0x400 value represents auto-request, external->external.
+@@ -32,7 +44,7 @@ static unsigned long dma_find_base(unsigned int chan)
+ unsigned long base = SH_DMAC_BASE0;
+
+ #ifdef SH_DMAC_BASE1
+- if (chan >= 6)
++ if (chan >= SH_DMAC_NR_MD_CH)
+ base = SH_DMAC_BASE1;
+ #endif
+
+@@ -43,13 +55,13 @@ static unsigned long dma_base_addr(unsigned int chan)
+ {
+ unsigned long base = dma_find_base(chan);
+
+- /* Normalize offset calculation */
+- if (chan >= 9)
+- chan -= 6;
+- if (chan >= 4)
+- base += 0x10;
++ chan = (chan % SH_DMAC_NR_MD_CH) * SH_DMAC_CH_SZ;
++
++ /* DMAOR is placed inside the channel register space. Step over it. */
++ if (chan >= DMAOR)
++ base += SH_DMAC_CH_SZ;
+
+- return base + (chan * 0x10);
++ return base + chan;
+ }
+
+ #ifdef CONFIG_SH_DMA_IRQ_MULTI
+@@ -253,12 +265,11 @@ static int sh_dmac_get_dma_residue(struct dma_channel *chan)
+ #define NR_DMAOR 1
+ #endif
+
+-/*
+- * DMAOR bases are broken out amongst channel groups. DMAOR0 manages
+- * channels 0 - 5, DMAOR1 6 - 11 (optional).
+- */
+-#define dmaor_read_reg(n) __raw_readw(dma_find_base((n)*6))
+-#define dmaor_write_reg(n, data) __raw_writew(data, dma_find_base(n)*6)
++#define dmaor_read_reg(n) __raw_readw(dma_find_base((n) * \
++ SH_DMAC_NR_MD_CH) + DMAOR)
++#define dmaor_write_reg(n, data) __raw_writew(data, \
++ dma_find_base((n) * \
++ SH_DMAC_NR_MD_CH) + DMAOR)
+
+ static inline int dmaor_reset(int no)
+ {
+--
+2.39.2
+
diff --git a/tmp-4.19/sh-j2-use-ioremap-to-translate-device-tree-address-i.patch b/tmp-4.19/sh-j2-use-ioremap-to-translate-device-tree-address-i.patch
new file mode 100644
index 00000000000..e74e4ba7c97
--- /dev/null
+++ b/tmp-4.19/sh-j2-use-ioremap-to-translate-device-tree-address-i.patch
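Review bot: In dma_base_addr() the parameter `chan` is overwritten with a byte offset by `chan = (chan % SH_DMAC_NR_MD_CH) * SH_DMAC_CH_SZ;` and then compared with `DMAOR`, so one name holds a channel index and a register offset within a few lines. A separate local reads more clearly: `unsigned long off = (chan % SH_DMAC_NR_MD_CH) * SH_DMAC_CH_SZ;`, then `if (off >= DMAOR)` and `return base + off;`. The `%` also folds any out-of-range channel number onto a valid register block instead of rejecting it; the callers are outside the hunk, so it should be confirmed that `chan` is always below CONFIG_NR_ONCHIP_DMA_CHANNELS before it reaches this function.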
@@ -0,0 +1,44 @@
+From 92844b02e3e40efbd969ec03d51cd1bfd9530cdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 May 2023 14:57:41 +0200
+Subject: sh: j2: Use ioremap() to translate device tree address into kernel
+ memory
+
+From: John Paul Adrian Glaubitz
+
+[ Upstream commit bc9d1f0cecd2407cfb2364a7d4be2f52d1d46a9d ]
+
+Addresses the following warning when building j2_defconfig:
+
+arch/sh/kernel/cpu/sh2/probe.c: In function 'scan_cache':
+arch/sh/kernel/cpu/sh2/probe.c:24:16: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
+ 24 | j2_ccr_base = (u32 __iomem *)of_flat_dt_translate_address(node);
+ |
+
+Fixes: 5a846abad07f ("sh: add support for J-Core J2 processor")
+Reviewed-by: Geert Uytterhoeven
+Tested-by: Rob Landley
+Signed-off-by: John Paul Adrian Glaubitz
+Link: https://lore.kernel.org/r/20230503125746.331835-1-glaubitz@physik.fu-berlin.de
+Signed-off-by: John Paul Adrian Glaubitz
+Signed-off-by: Sasha Levin
+---
+ arch/sh/kernel/cpu/sh2/probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/sh/kernel/cpu/sh2/probe.c b/arch/sh/kernel/cpu/sh2/probe.c
+index a5bd036426789..75dcb1d6bc62f 100644
+--- a/arch/sh/kernel/cpu/sh2/probe.c
++++ b/arch/sh/kernel/cpu/sh2/probe.c
+@@ -24,7 +24,7 @@ static int __init scan_cache(unsigned long node, const char *uname,
+ if (!of_flat_dt_is_compatible(node, "jcore,cache"))
+ return 0;
+
+- j2_ccr_base = (u32 __iomem *)of_flat_dt_translate_address(node);
++ j2_ccr_base = ioremap(of_flat_dt_translate_address(node), 4);
+
+ return 1;
+ }
+--
+2.39.2
+
diff --git a/tmp-4.19/soc-fsl-qe-fix-usb.c-build-errors.patch b/tmp-4.19/soc-fsl-qe-fix-usb.c-build-errors.patch
new file mode 100644
index 00000000000..05a3eb69638
--- /dev/null
+++ b/tmp-4.19/soc-fsl-qe-fix-usb.c-build-errors.patch
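Review bot: The result of `ioremap()` is stored in `j2_ccr_base` without a NULL check, and `scan_cache()` still returns 1 as if the cache controller had been mapped. The physical address is not validated either; `of_flat_dt_translate_address()` can fail, and its failure value would be handed straight to `ioremap()`. A guard after the call, `if (!j2_ccr_base) return 0;`, would keep later users of `j2_ccr_base` (outside this hunk) from dereferencing a NULL `__iomem` pointer; whether returning 0 is the right way to signal failure here should be confirmed against the caller. The function starts before the hunk.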
@@ -0,0 +1,60 @@
+From 71e654502cd063aaefe7768e183dbd8e7732fa18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 21 May 2023 15:52:16 -0700
+Subject: soc/fsl/qe: fix usb.c build errors
+
+From: Randy Dunlap
+
+[ Upstream commit 7b1a78babd0d2cd27aa07255dee0c2d7ac0f31e3 ]
+
+Fix build errors in soc/fsl/qe/usb.c when QUICC_ENGINE is not set.
+This happens when PPC_EP88XC is set, which selects CPM1 & CPM.
+When CPM is set, USB_FSL_QE can be set without QUICC_ENGINE
+being set. When USB_FSL_QE is set, QE_USB deafults to y, which
+causes build errors when QUICC_ENGINE is not set. Making
+QE_USB depend on QUICC_ENGINE prevents QE_USB from defaulting to y.
+
+Fixes these build errors:
+
+drivers/soc/fsl/qe/usb.o: in function `qe_usb_clock_set':
+usb.c:(.text+0x1e): undefined reference to `qe_immr'
+powerpc-linux-ld: usb.c:(.text+0x2a): undefined reference to `qe_immr'
+powerpc-linux-ld: usb.c:(.text+0xbc): undefined reference to `qe_setbrg'
+powerpc-linux-ld: usb.c:(.text+0xca): undefined reference to `cmxgcr_lock'
+powerpc-linux-ld: usb.c:(.text+0xce): undefined reference to `cmxgcr_lock'
+
+Fixes: 5e41486c408e ("powerpc/QE: add support for QE USB clocks routing")
+Signed-off-by: Randy Dunlap
+Reported-by: kernel test robot
+Link: https://lore.kernel.org/all/202301101500.pillNv6R-lkp@intel.com/
+Suggested-by: Michael Ellerman
+Cc: Christophe Leroy
+Cc: Leo Li
+Cc: Masahiro Yamada
+Cc: Nicolas Schier
+Cc: Qiang Zhao
+Cc: linuxppc-dev
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: Kumar Gala
+Acked-by: Nicolas Schier
+Signed-off-by: Li Yang
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/fsl/qe/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/fsl/qe/Kconfig b/drivers/soc/fsl/qe/Kconfig
+index fabba17e9d65b..7ec158e2acf91 100644
+--- a/drivers/soc/fsl/qe/Kconfig
++++ b/drivers/soc/fsl/qe/Kconfig
+@@ -37,6 +37,7 @@ config QE_TDM
+
+ config QE_USB
+ bool
++ depends on QUICC_ENGINE
+ default y if USB_FSL_QE
+ help
+ QE USB Controller support
+--
+2.39.2
+
diff --git a/tmp-4.19/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch b/tmp-4.19/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch
new file mode 100644
index 00000000000..4fa4b5a78a2
--- /dev/null
+++ b/tmp-4.19/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch
@@ -0,0 +1,58 @@
+From 9edf06e0871337e5889ae663fcedb3b34c2e4225 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jun 2023 15:43:05 +0200
+Subject: spi: bcm-qspi: return error if neither hif_mspi nor mspi is available
+
+From: Jonas Gorski
+
+[ Upstream commit 7c1f23ad34fcdace50275a6aa1e1969b41c6233f ]
+
+If neither a "hif_mspi" nor "mspi" resource is present, the driver will
+just early exit in probe but still return success. Apart from not doing
+anything meaningful, this would then also lead to a null pointer access
+on removal, as platform_get_drvdata() would return NULL, which it would
+then try to dereference when trying to unregister the spi master.
+
+Fix this by unconditionally calling devm_ioremap_resource(), as it can
+handle a NULL res and will then return a viable ERR_PTR() if we get one.
+
+The "return 0;" was previously a "goto qspi_resource_err;" where then
+ret was returned, but since ret was still initialized to 0 at this place
+this was a valid conversion in 63c5395bb7a9 ("spi: bcm-qspi: Fix
+use-after-free on unbind"). The issue was not introduced by this commit,
+only made more obvious.
+
+Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver")
+Signed-off-by: Jonas Gorski
+Reviewed-by: Kamal Dasu
+Link: https://lore.kernel.org/r/20230629134306.95823-1-jonas.gorski@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-bcm-qspi.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c
+index 3f291db7b39a0..e3c69b6237708 100644
+--- a/drivers/spi/spi-bcm-qspi.c
++++ b/drivers/spi/spi-bcm-qspi.c
+@@ -1255,13 +1255,9 @@ int bcm_qspi_probe(struct platform_device *pdev,
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM,
+ "mspi");
+
+- if (res) {
+- qspi->base[MSPI] = devm_ioremap_resource(dev, res);
+- if (IS_ERR(qspi->base[MSPI]))
+- return PTR_ERR(qspi->base[MSPI]);
+- } else {
+- return 0;
+- }
++ qspi->base[MSPI] = devm_ioremap_resource(dev, res);
++ if (IS_ERR(qspi->base[MSPI]))
++ return PTR_ERR(qspi->base[MSPI]);
+
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "bspi");
+ if (res) {
+--
+2.39.2
+
diff --git a/tmp-4.19/spi-bcm63xx-fix-max-prepend-length.patch b/tmp-4.19/spi-bcm63xx-fix-max-prepend-length.patch
new file mode 100644
index 00000000000..6138009c47d
--- /dev/null
+++ b/tmp-4.19/spi-bcm63xx-fix-max-prepend-length.patch
@@ -0,0 +1,47 @@
+From 05d73b5b40011e55975b3dbf8e12a4af4bc43847 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jun 2023 09:14:52 +0200
+Subject: spi: bcm63xx: fix max prepend length
+
+From: Jonas Gorski
+
+[ Upstream commit 5158814cbb37bbb38344b3ecddc24ba2ed0365f2 ]
+
+The command word is defined as following:
+
+ /* Command */
+ #define SPI_CMD_COMMAND_SHIFT 0
+ #define SPI_CMD_DEVICE_ID_SHIFT 4
+ #define SPI_CMD_PREPEND_BYTE_CNT_SHIFT 8
+ #define SPI_CMD_ONE_BYTE_SHIFT 11
+ #define SPI_CMD_ONE_WIRE_SHIFT 12
+
+If the prepend byte count field starts at bit 8, and the next defined
+bit is SPI_CMD_ONE_BYTE at bit 11, it can be at most 3 bits wide, and
+thus the max value is 7, not 15.
+
+Fixes: b17de076062a ("spi/bcm63xx: work around inability to keep CS up")
+Signed-off-by: Jonas Gorski
+Link: https://lore.kernel.org/r/20230629071453.62024-1-jonas.gorski@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-bcm63xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c
+index bfe5754768f97..cc6ec3fb5bfdf 100644
+--- a/drivers/spi/spi-bcm63xx.c
++++ b/drivers/spi/spi-bcm63xx.c
+@@ -134,7 +134,7 @@ enum bcm63xx_regs_spi {
+ SPI_MSG_DATA_SIZE,
+ };
+
+-#define BCM63XX_SPI_MAX_PREPEND 15
++#define BCM63XX_SPI_MAX_PREPEND 7
+
+ #define BCM63XX_SPI_MAX_CS 8
+ #define BCM63XX_SPI_BUS_NUM 0
+--
+2.39.2
+
diff --git a/tmp-4.19/spi-spi-fsl-spi-allow-changing-bits_per_word-while-cs-is-still-active.patch b/tmp-4.19/spi-spi-fsl-spi-allow-changing-bits_per_word-while-cs-is-still-active.patch
new file mode 100644
index 00000000000..e408cdd52bc
--- /dev/null
+++ b/tmp-4.19/spi-spi-fsl-spi-allow-changing-bits_per_word-while-cs-is-still-active.patch
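Review bot: `BCM63XX_SPI_MAX_PREPEND` remains a bare literal, so the reasoning behind the new value (a 3-bit field between `SPI_CMD_PREPEND_BYTE_CNT_SHIFT` and `SPI_CMD_ONE_BYTE_SHIFT`) exists only in the commit message. A one-line comment above the define, `/* prepend byte count is a 3-bit field in the command word */`, would record why 7 is the ceiling. Going by the shifts quoted in the message, a larger count would presumably spill into the neighbouring command bits, which is worth stating next to the constant.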
@@ -0,0 +1,72 @@
+From a798a7086c38d91d304132c194cff9f02197f5cd Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes
+Date: Wed, 27 Mar 2019 14:30:51 +0000
+Subject: spi: spi-fsl-spi: allow changing bits_per_word while CS is still active
+
+From: Rasmus Villemoes
+
+commit a798a7086c38d91d304132c194cff9f02197f5cd upstream.
+
+Commit c9bfcb315104 (spi_mpc83xx: much improved driver) introduced
+logic to ensure bits_per_word and speed_hz stay the same for a series
+of spi_transfers with CS active, arguing that
+
+ The current driver may cause glitches on SPI CLK line since one
+ must disable the SPI controller before changing any HW settings.
+
+This sounds quite reasonable. So this is a quite naive attempt at
+relaxing this sanity checking to only ensure that speed_hz is
+constant - in the faint hope that if we do not causes changes to the
+clock-related fields of the SPMODE register (DIV16 and PM), those
+glitches won't appear.
+
+The purpose of this change is to allow automatically optimizing large
+transfers to use 32 bits-per-word; taking one interrupt for every byte
+is extremely slow.
+
+Signed-off-by: Rasmus Villemoes
+Signed-off-by: Mark Brown
+Cc: Christophe Leroy
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-fsl-spi.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/spi/spi-fsl-spi.c
++++ b/drivers/spi/spi-fsl-spi.c
+@@ -339,7 +339,7 @@ static int fsl_spi_do_one_msg(struct spi
+ struct spi_transfer *t, *first;
+ unsigned int cs_change;
+ const int nsecs = 50;
+- int status;
++ int status, last_bpw;
+
+ /*
+ * In CPU mode, optimize large byte transfers to use larger
+@@ -378,21 +378,22 @@ static int fsl_spi_do_one_msg(struct spi
+ if (cs_change)
+ first = t;
+ cs_change = t->cs_change;
+- if ((first->bits_per_word != t->bits_per_word) ||
+- (first->speed_hz != t->speed_hz)) {
++ if (first->speed_hz != t->speed_hz) {
+ dev_err(&spi->dev,
+- "bits_per_word/speed_hz cannot change while CS is active\n");
++ "speed_hz cannot change while CS is active\n");
+ return -EINVAL;
+ }
+ }
+
++ last_bpw = -1;
+ cs_change = 1;
+ status = -EINVAL;
+ list_for_each_entry(t, &m->transfers, transfer_list) {
+- if (cs_change)
++ if (cs_change || last_bpw != t->bits_per_word)
+ status = fsl_spi_setup_transfer(spi, t);
+ if (status < 0)
+ break;
++ last_bpw = t->bits_per_word;
+
+ if (cs_change) {
+ fsl_spi_chipselect(spi, BITBANG_CS_ACTIVE);
diff --git a/tmp-4.19/spi-spi-fsl-spi-relax-message-sanity-checking-a-little.patch b/tmp-4.19/spi-spi-fsl-spi-relax-message-sanity-checking-a-little.patch
new file mode 100644
index 00000000000..0b001f6556d
--- /dev/null
+++ b/tmp-4.19/spi-spi-fsl-spi-relax-message-sanity-checking-a-little.patch
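Review bot: The new condition `if (cs_change || last_bpw != t->bits_per_word)` in the transfer loop reprograms the controller through `fsl_spi_setup_transfer()` while chip select is still asserted, and nothing in the code says why that is acceptable. The commit message itself calls this a "faint hope" that leaving the clock-related SPMODE fields alone avoids glitches, and that caveat is lost once the message is out of sight. A comment above the check, `/* bits_per_word may change with CS active; speed_hz may not, see the validation loop above */`, would keep the constraint visible next to the code that depends on it. `fsl_spi_do_one_msg()` starts and ends outside the hunk.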
@@ -0,0 +1,46 @@
+From 17ecffa289489e8442306bbc62ebb964e235cdad Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes
+Date: Wed, 27 Mar 2019 14:30:51 +0000
+Subject: spi: spi-fsl-spi: relax message sanity checking a little
+
+From: Rasmus Villemoes
+
+commit 17ecffa289489e8442306bbc62ebb964e235cdad upstream.
+
+The comment says that we should not allow changes (to
+bits_per_word/speed_hz) while CS is active, and indeed the code below
+does fsl_spi_setup_transfer() when the ->cs_change of the previous
+spi_transfer was set (and for the very first transfer).
+
+So the sanity checking is a bit too strict - we can change it to
+follow the same logic as is used by the actual transfer loop.
+
+Signed-off-by: Rasmus Villemoes
+Signed-off-by: Mark Brown
+Cc: Christophe Leroy
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-fsl-spi.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/spi/spi-fsl-spi.c
++++ b/drivers/spi/spi-fsl-spi.c
+@@ -373,13 +373,15 @@ static int fsl_spi_do_one_msg(struct spi
+ }
+
+ /* Don't allow changes if CS is active */
+- first = list_first_entry(&m->transfers, struct spi_transfer,
+- transfer_list);
++ cs_change = 1;
+ list_for_each_entry(t, &m->transfers, transfer_list) {
++ if (cs_change)
++ first = t;
++ cs_change = t->cs_change;
+ if ((first->bits_per_word != t->bits_per_word) ||
+ (first->speed_hz != t->speed_hz)) {
+ dev_err(&spi->dev,
+- "bits_per_word/speed_hz should be same for the same SPI transfer\n");
++ "bits_per_word/speed_hz cannot change while CS is active\n");
+ return -EINVAL;
+ }
+ }
diff --git a/tmp-4.19/spi-spi-fsl-spi-remove-always-true-conditional-in-fsl_spi_do_one_msg.patch b/tmp-4.19/spi-spi-fsl-spi-remove-always-true-conditional-in-fsl_spi_do_one_msg.patch
new file mode 100644
index 00000000000..92a1a73ed6e
--- /dev/null
+++ b/tmp-4.19/spi-spi-fsl-spi-remove-always-true-conditional-in-fsl_spi_do_one_msg.patch
@@ -0,0 +1,39 @@
+From 24c363623361b430fb79459ca922e816e6f48603 Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes
+Date: Wed, 27 Mar 2019 14:30:50 +0000
+Subject: spi: spi-fsl-spi: remove always-true conditional in fsl_spi_do_one_msg
+
+From: Rasmus Villemoes
+
+commit 24c363623361b430fb79459ca922e816e6f48603 upstream.
+
+__spi_validate() in the generic SPI code sets ->speed_hz and
+->bits_per_word to non-zero values, so this condition is always true.
+
+Signed-off-by: Rasmus Villemoes
+Signed-off-by: Mark Brown
+Cc: Christophe Leroy
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-fsl-spi.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/spi/spi-fsl-spi.c
++++ b/drivers/spi/spi-fsl-spi.c
+@@ -387,12 +387,10 @@ static int fsl_spi_do_one_msg(struct spi
+ cs_change = 1;
+ status = -EINVAL;
+ list_for_each_entry(t, &m->transfers, transfer_list) {
+- if (t->bits_per_word || t->speed_hz) {
+- if (cs_change)
+- status = fsl_spi_setup_transfer(spi, t);
+- if (status < 0)
+- break;
+- }
++ if (cs_change)
++ status = fsl_spi_setup_transfer(spi, t);
++ if (status < 0)
++ break;
+
+ if (cs_change) {
+ fsl_spi_chipselect(spi, BITBANG_CS_ACTIVE);
diff --git a/tmp-4.19/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch b/tmp-4.19/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch
new file mode 100644
index 00000000000..7f0f03aa824
--- /dev/null
+++ b/tmp-4.19/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch
@@ -0,0 +1,142 @@
+From fc80fc2d4e39137869da3150ee169b40bf879287 Mon Sep 17 00:00:00 2001
+From: Ding Hui
+Date: Mon, 15 May 2023 10:13:07 +0800
+Subject: SUNRPC: Fix UAF in svc_tcp_listen_data_ready()
+
+From: Ding Hui
+
+commit fc80fc2d4e39137869da3150ee169b40bf879287 upstream.
+
+After the listener svc_sock is freed, and before invoking svc_tcp_accept()
+for the established child sock, there is a window that the newsock
+retaining a freed listener svc_sock in sk_user_data which cloning from
+parent. In the race window, if data is received on the newsock, we will
+observe use-after-free report in svc_tcp_listen_data_ready().
+
+Reproduce by two tasks:
+
+1. while :; do rpc.nfsd 0 ; rpc.nfsd; done
+2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done
+
+KASAN report:
+
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
+ Read of size 8 at addr ffff888139d96228 by task nc/102553
+ CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18
+ Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
+ Call Trace:
+
+ dump_stack_lvl+0x33/0x50
+ print_address_description.constprop.0+0x27/0x310
+ print_report+0x3e/0x70
+ kasan_report+0xae/0xe0
+ svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
+ tcp_data_queue+0x9f4/0x20e0
+ tcp_rcv_established+0x666/0x1f60
+ tcp_v4_do_rcv+0x51c/0x850
+ tcp_v4_rcv+0x23fc/0x2e80
+ ip_protocol_deliver_rcu+0x62/0x300
+ ip_local_deliver_finish+0x267/0x350
+ ip_local_deliver+0x18b/0x2d0
+ ip_rcv+0x2fb/0x370
+ __netif_receive_skb_one_core+0x166/0x1b0
+ process_backlog+0x24c/0x5e0
+ __napi_poll+0xa2/0x500
+ net_rx_action+0x854/0xc90
+ __do_softirq+0x1bb/0x5de
+ do_softirq+0xcb/0x100
+
+
+ ...
+
+
+ Allocated by task 102371:
+ kasan_save_stack+0x1e/0x40
+ kasan_set_track+0x21/0x30
+ __kasan_kmalloc+0x7b/0x90
+ svc_setup_socket+0x52/0x4f0 [sunrpc]
+ svc_addsock+0x20d/0x400 [sunrpc]
+ __write_ports_addfd+0x209/0x390 [nfsd]
+ write_ports+0x239/0x2c0 [nfsd]
+ nfsctl_transaction_write+0xac/0x110 [nfsd]
+ vfs_write+0x1c3/0xae0
+ ksys_write+0xed/0x1c0
+ do_syscall_64+0x38/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+ Freed by task 102551:
+ kasan_save_stack+0x1e/0x40
+ kasan_set_track+0x21/0x30
+ kasan_save_free_info+0x2a/0x50
+ __kasan_slab_free+0x106/0x190
+ __kmem_cache_free+0x133/0x270
+ svc_xprt_free+0x1e2/0x350 [sunrpc]
+ svc_xprt_destroy_all+0x25a/0x440 [sunrpc]
+ nfsd_put+0x125/0x240 [nfsd]
+ nfsd_svc+0x2cb/0x3c0 [nfsd]
+ write_threads+0x1ac/0x2a0 [nfsd]
+ nfsctl_transaction_write+0xac/0x110 [nfsd]
+ vfs_write+0x1c3/0xae0
+ ksys_write+0xed/0x1c0
+ do_syscall_64+0x38/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready()
+if state != TCP_LISTEN, that will avoid dereferencing svsk for all
+child socket.
+
+Link: https://lore.kernel.org/lkml/20230507091131.23540-1-dinghui@sangfor.com.cn/
+Fixes: fa9251afc33c ("SUNRPC: Call the default socket callbacks instead of open coding")
+Signed-off-by: Ding Hui
+Cc:
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sunrpc/svcsock.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -757,12 +757,6 @@ static void svc_tcp_listen_data_ready(st
+ dprintk("svc: socket %p TCP (listen) state change %d\n",
+ sk, sk->sk_state);
+
+- if (svsk) {
+- /* Refer to svc_setup_socket() for details. */
+- rmb();
+- svsk->sk_odata(sk);
+- }
+-
+ /*
+ * This callback may called twice when a new connection
+ * is established as a child socket inherits everything
+@@ -771,15 +765,20 @@ static void svc_tcp_listen_data_ready(st
+ * when one of child sockets become ESTABLISHED.
+ * 2) data_ready method of the child socket may be called
+ * when it receives data before the socket is accepted.
+- * In case of 2, we should ignore it silently.
++ * In case of 2, we should ignore it silently and DO NOT
++ * dereference svsk.
+ */
+- if (sk->sk_state == TCP_LISTEN) {
+- if (svsk) {
+- set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags);
+- svc_xprt_enqueue(&svsk->sk_xprt);
+- } else
+- printk("svc: socket %p: no user data\n", sk);
+- }
++ if (sk->sk_state != TCP_LISTEN)
++ return;
++
++ if (svsk) {
++ /* Refer to svc_setup_socket() for details. */
++ rmb();
++ svsk->sk_odata(sk);
++ set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags);
++ svc_xprt_enqueue(&svsk->sk_xprt);
++ } else
++ printk("svc: socket %p: no user data\n", sk);
+ }
+
+ /*
diff --git a/tmp-4.19/tcp-annotate-data-races-around-fastopenq.max_qlen.patch b/tmp-4.19/tcp-annotate-data-races-around-fastopenq.max_qlen.patch
new file mode 100644
index 00000000000..a4b0f0d61b7
--- /dev/null
+++ b/tmp-4.19/tcp-annotate-data-races-around-fastopenq.max_qlen.patch
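Review bot: In the rewritten tail of `svc_tcp_listen_data_ready()` the `else` arm stays unbraced although the `if (svsk)` arm is braced, and it still uses a bare `printk()` with no log level. Kernel style asks for braces on both arms, and `} else { pr_warn("svc: socket %p: no user data\n", sk); }` would give the message an explicit severity. The safety of the fix rests on the early `return` running before any use of `svsk`, which is loaded outside this hunk; the function starts before and ends after the visible lines, so that ordering cannot be confirmed from here.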
@@ -0,0 +1,77 @@
+From c6189e65ece39fd095d8e0458ccd06c8f3fde811 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:57 +0000
+Subject: tcp: annotate data-races around fastopenq.max_qlen
+
+From: Eric Dumazet
+
+[ Upstream commit 70f360dd7042cb843635ece9d28335a4addff9eb ]
+
+This field can be read locklessly.
+
+Fixes: 1536e2857bd3 ("tcp: Add a TCP_FASTOPEN socket option to get a max backlog on its listner")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-12-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/linux/tcp.h | 2 +-
+ net/ipv4/tcp.c | 2 +-
+ net/ipv4/tcp_fastopen.c | 6 ++++--
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/tcp.h b/include/linux/tcp.h
+index 621ab5a7fb8fa..0d63a428e6f9c 100644
+--- a/include/linux/tcp.h
++++ b/include/linux/tcp.h
+@@ -460,7 +460,7 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog)
+ struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
+ int somaxconn = READ_ONCE(sock_net(sk)->core.sysctl_somaxconn);
+
+- queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn);
++ WRITE_ONCE(queue->fastopenq.max_qlen, min_t(unsigned int, backlog, somaxconn));
+ }
+
+ static inline void tcp_move_syn(struct tcp_sock *tp,
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 373bf3d3be592..00648a478c6a5 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3554,7 +3554,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ break;
+
+ case TCP_FASTOPEN:
+- val = icsk->icsk_accept_queue.fastopenq.max_qlen;
++ val = READ_ONCE(icsk->icsk_accept_queue.fastopenq.max_qlen);
+ break;
+
+ case TCP_FASTOPEN_CONNECT:
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index f726591de7c7a..f7bb78b443fa9 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -276,6 +276,7 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk,
+ static bool tcp_fastopen_queue_check(struct sock *sk)
+ {
+ struct fastopen_queue *fastopenq;
++ int max_qlen;
+
+ /* Make sure the listener has enabled fastopen, and we don't
+ * exceed the max # of pending TFO requests allowed before trying
+@@ -288,10 +289,11 @@ static bool tcp_fastopen_queue_check(struct sock *sk)
+ * temporarily vs a server not supporting Fast Open at all.
+ */
+ fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq;
+- if (fastopenq->max_qlen == 0)
++ max_qlen = READ_ONCE(fastopenq->max_qlen);
++ if (max_qlen == 0)
+ return false;
+
+- if (fastopenq->qlen >= fastopenq->max_qlen) {
++ if (fastopenq->qlen >= max_qlen) {
+ struct request_sock *req1;
+ spin_lock(&fastopenq->lock);
+ req1 = fastopenq->rskq_rst_head;
+--
+2.39.2
+
diff --git a/tmp-4.19/tcp-annotate-data-races-around-rskq_defer_accept.patch b/tmp-4.19/tcp-annotate-data-races-around-rskq_defer_accept.patch
new file mode 100644
index 00000000000..1961d19d871
--- /dev/null
+++ b/tmp-4.19/tcp-annotate-data-races-around-rskq_defer_accept.patch
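Review bot: The comparison `fastopenq->qlen >= max_qlen` in `tcp_fastopen_queue_check()` still reads `qlen` with a plain load before `spin_lock(&fastopenq->lock)` is taken, so only one side of the lockless comparison is annotated. If `qlen` is updated under that lock elsewhere, which is not visible in this hunk, the same data-race reasoning applies to it and the line would read `if (READ_ONCE(fastopenq->qlen) >= max_qlen) {`. If the plain read is intentional, a short comment saying that the value is only a hint re-checked under the lock would make that clear. The function body continues past the hunk.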
@@ -0,0 +1,53 @@
+From d86223ba68246e87777a5988576f296dc862d1ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:54 +0000
+Subject: tcp: annotate data-races around rskq_defer_accept
+
+From: Eric Dumazet
+
+[ Upstream commit ae488c74422fb1dcd807c0201804b3b5e8a322a3 ]
+
+do_tcp_getsockopt() reads rskq_defer_accept while another cpu
+might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-9-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 4711963413a49..853a33bf8863e 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3009,9 +3009,9 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
+
+ case TCP_DEFER_ACCEPT:
+ /* Translate value in seconds to number of retransmits */
+- icsk->icsk_accept_queue.rskq_defer_accept =
+- secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ,
+- TCP_RTO_MAX / HZ);
++ WRITE_ONCE(icsk->icsk_accept_queue.rskq_defer_accept,
++ secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ,
++ TCP_RTO_MAX / HZ));
+ break;
+
+ case TCP_WINDOW_CLAMP:
+@@ -3406,8 +3406,9 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ;
+ break;
+ case TCP_DEFER_ACCEPT:
+- val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept,
+- TCP_TIMEOUT_INIT / HZ, TCP_RTO_MAX / HZ);
++ val = READ_ONCE(icsk->icsk_accept_queue.rskq_defer_accept);
++ val = retrans_to_secs(val, TCP_TIMEOUT_INIT / HZ,
++ TCP_RTO_MAX / HZ);
+ break;
+ case TCP_WINDOW_CLAMP:
+ val = tp->window_clamp;
+--
+2.39.2
+
diff --git a/tmp-4.19/tcp-annotate-data-races-around-tp-linger2.patch b/tmp-4.19/tcp-annotate-data-races-around-tp-linger2.patch
new file mode 100644
index 00000000000..1e8d8c4071d
--- /dev/null
+++ b/tmp-4.19/tcp-annotate-data-races-around-tp-linger2.patch
@@ -0,0 +1,52 @@
+From e94e0409f44504d34b6f41dc533d8c1ae777761e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:53 +0000
+Subject: tcp: annotate data-races around tp->linger2
+
+From: Eric Dumazet
+
+[ Upstream commit 9df5335ca974e688389c875546e5819778a80d59 ]
+
+do_tcp_getsockopt() reads tp->linger2 while another cpu
+might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-8-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 9f3cdcbbb7590..4711963413a49 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3000,11 +3000,11 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
+
+ case TCP_LINGER2:
+ if (val < 0)
+- tp->linger2 = -1;
++ WRITE_ONCE(tp->linger2, -1);
+ else if (val > TCP_FIN_TIMEOUT_MAX / HZ)
+- tp->linger2 = TCP_FIN_TIMEOUT_MAX;
++ WRITE_ONCE(tp->linger2, TCP_FIN_TIMEOUT_MAX);
+ else
+- tp->linger2 = val * HZ;
++ WRITE_ONCE(tp->linger2, val * HZ);
+ break;
+
+ case TCP_DEFER_ACCEPT:
+@@ -3401,7 +3401,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ val = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries;
+ break;
+ case TCP_LINGER2:
+- val = tp->linger2;
++ val = READ_ONCE(tp->linger2);
+ if (val >= 0)
+ val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ;
+ break;
+--
+2.39.2
+
diff --git a/tmp-4.19/tcp-annotate-data-races-around-tp-notsent_lowat.patch b/tmp-4.19/tcp-annotate-data-races-around-tp-notsent_lowat.patch
new file mode 100644
index 00000000000..fb325041f30
--- /dev/null
+++ b/tmp-4.19/tcp-annotate-data-races-around-tp-notsent_lowat.patch
@@ -0,0 +1,64 @@
+From f3ce1b988ff336ba962b41f0b9a23603d714b5de Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:55 +0000
+Subject: tcp: annotate data-races around tp->notsent_lowat
+
+From: Eric Dumazet
+
+[ Upstream commit 1aeb87bc1440c5447a7fa2d6e3c2cca52cbd206b ]
+
+tp->notsent_lowat can be read locklessly from do_tcp_getsockopt()
+and tcp_poll().
+
+Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-10-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/tcp.h | 6 +++++-
+ net/ipv4/tcp.c | 4 ++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 22cca858f2678..c6c48409e7b42 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1883,7 +1883,11 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr);
+ static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp)
+ {
+ struct net *net = sock_net((struct sock *)tp);
+- return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat);
++ u32 val;
++
++ val = READ_ONCE(tp->notsent_lowat);
++
++ return val ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat);
+ }
+
+ /* @wake is one when sk_stream_write_space() calls us.
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 853a33bf8863e..373bf3d3be592 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3099,7 +3099,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
+ err = tcp_repair_set_window(tp, optval, optlen);
+ break;
+ case TCP_NOTSENT_LOWAT:
+- tp->notsent_lowat = val;
++ WRITE_ONCE(tp->notsent_lowat, val);
+ sk->sk_write_space(sk);
+ break;
+ case TCP_INQ:
+@@ -3569,7 +3569,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ val = tcp_time_stamp_raw() + tp->tsoffset;
+ break;
+ case TCP_NOTSENT_LOWAT:
+- val = tp->notsent_lowat;
++ val = READ_ONCE(tp->notsent_lowat);
+ break;
+ case TCP_INQ:
+ val = tp->recvmsg_inq;
+--
+2.39.2
+
diff --git a/tmp-4.19/tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch b/tmp-4.19/tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch
new file mode 100644
index 00000000000..138e434ac20
--- /dev/null
+++ b/tmp-4.19/tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch
@@ -0,0 +1,55 @@
+From 36d7bf742ab5800923fe42f090516a1a2792401c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jun 2023 16:41:50 +0000
+Subject: tcp: annotate data races in __tcp_oow_rate_limited()
+
+From: Eric Dumazet
+
+[ Upstream commit 998127cdb4699b9d470a9348ffe9f1154346be5f ]
+
+request sockets are lockless, __tcp_oow_rate_limited() could be called
+on the same object from different cpus. This is harmless.
+
+Add READ_ONCE()/WRITE_ONCE() annotations to avoid a KCSAN report.
+
+Fixes: 4ce7e93cb3fe ("tcp: rate limit ACK sent by SYN_RECV request sockets")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_input.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index bd921fa7b9ab4..281f7799aeafc 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3429,8 +3429,11 @@ static int tcp_ack_update_window(struct sock *sk, const struct sk_buff *skb, u32
+ static bool __tcp_oow_rate_limited(struct net *net, int mib_idx,
+ u32 *last_oow_ack_time)
+ {
+- if (*last_oow_ack_time) {
+- s32 elapsed = (s32)(tcp_jiffies32 - *last_oow_ack_time);
++ /* Paired with the WRITE_ONCE() in this function. */
++ u32 val = READ_ONCE(*last_oow_ack_time);
++
++ if (val) {
++ s32 elapsed = (s32)(tcp_jiffies32 - val);
+
+ if (0 <= elapsed &&
+ elapsed < READ_ONCE(net->ipv4.sysctl_tcp_invalid_ratelimit)) {
+@@ -3439,7 +3442,10 @@ static bool __tcp_oow_rate_limited(struct net *net, int mib_idx,
+ }
+ }
+
+- *last_oow_ack_time = tcp_jiffies32;
++ /* Paired with the prior READ_ONCE() and with itself,
++ * as we might be lockless.
++ */
++ WRITE_ONCE(*last_oow_ack_time, tcp_jiffies32);
+
+ return false; /* not rate-limited: go ahead, send dupack now! */
+ }
+--
+2.39.2
+
diff --git a/tmp-4.19/tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch b/tmp-4.19/tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch
new file mode 100644
index 00000000000..8174771d615
--- /dev/null
+++ b/tmp-4.19/tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch
@@ -0,0 +1,80 @@ +From f4032d615f90970d6c3ac1d9c0bce3351eb4445c Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Tue, 16 May 2023 01:25:54 +0300 +Subject: tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation + +From: Jarkko Sakkinen + +commit f4032d615f90970d6c3ac1d9c0bce3351eb4445c upstream. + +/dev/vtpmx is made visible before 'workqueue' is initialized, which can +lead to a memory corruption in the worst case scenario. + +Address this by initializing 'workqueue' as the very first step of the +driver initialization. + +Cc: stable@vger.kernel.org +Fixes: 6f99612e2500 ("tpm: Proxy driver for supporting multiple emulated TPMs") +Reviewed-by: Stefan Berger +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm_vtpm_proxy.c | 30 +++++++----------------------- + 1 file changed, 7 insertions(+), 23 deletions(-) + +--- a/drivers/char/tpm/tpm_vtpm_proxy.c ++++ b/drivers/char/tpm/tpm_vtpm_proxy.c +@@ -700,37 +700,21 @@ static struct miscdevice vtpmx_miscdev = + .fops = &vtpmx_fops, + }; + +-static int vtpmx_init(void) +-{ +- return misc_register(&vtpmx_miscdev); +-} +- +-static void vtpmx_cleanup(void) +-{ +- misc_deregister(&vtpmx_miscdev); +-} +- + static int __init vtpm_module_init(void) + { + int rc; + +- rc = vtpmx_init(); +- if (rc) { +- pr_err("couldn't create vtpmx device\n"); +- return rc; +- } +- + workqueue = create_workqueue("tpm-vtpm"); + if (!workqueue) { + pr_err("couldn't create workqueue\n"); +- rc = -ENOMEM; +- goto err_vtpmx_cleanup; ++ return -ENOMEM; + } + +- return 0; +- +-err_vtpmx_cleanup: +- vtpmx_cleanup(); ++ rc = misc_register(&vtpmx_miscdev); ++ if (rc) { ++ pr_err("couldn't create vtpmx device\n"); ++ destroy_workqueue(workqueue); ++ } + + return rc; + } +@@ -738,7 +722,7 @@ err_vtpmx_cleanup: + static void __exit vtpm_module_exit(void) + { + destroy_workqueue(workqueue); +- vtpmx_cleanup(); ++ misc_deregister(&vtpmx_miscdev); + } + + 
module_init(vtpm_module_init); diff --git a/tmp-4.19/tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch b/tmp-4.19/tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch new file mode 100644 index 00000000000..e236b4b7a49 --- /dev/null +++ b/tmp-4.19/tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch 
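Review bot: In the last hunk of the tpm_vtpm_proxy patch, `vtpm_module_exit()` still calls `destroy_workqueue(workqueue)` before `misc_deregister(&vtpmx_miscdev)`, so teardown does not mirror the init order this patch establishes (workqueue first, device second). If anything can still reach /dev/vtpmx while the module is exiting, the device would be usable with a destroyed workqueue; whether module reference counting on `vtpmx_fops` rules that out cannot be confirmed from the hunk. Swapping the two calls, `misc_deregister(&vtpmx_miscdev);` followed by `destroy_workqueue(workqueue);`, would make the ordering safe by construction. A comment in `vtpm_module_init()` such as `/* workqueue must exist before /dev/vtpmx becomes visible */` would also keep a later refactor from reintroducing the race.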
@@ -0,0 +1,127 @@
+From 6018b585e8c6fa7d85d4b38d9ce49a5b67be7078 Mon Sep 17 00:00:00 2001
+From: Mohamed Khalfella
+Date: Wed, 12 Jul 2023 22:30:21 +0000
+Subject: tracing/histograms: Add histograms to hist_vars if they have referenced variables
+
+From: Mohamed Khalfella
+
+commit 6018b585e8c6fa7d85d4b38d9ce49a5b67be7078 upstream.
+
+Hist triggers can have referenced variables without having direct
+variables fields. This can be the case if referenced variables are added
+for trigger actions. In this case the newly added references will not
+have field variables. Not taking such referenced variables into
+consideration can result in a bug where it would be possible to remove
+hist trigger with variables being refenced. This will result in a bug
+that is easily reproducable like so
+
+$ cd /sys/kernel/tracing
+$ echo 'synthetic_sys_enter char[] comm; long id' >> synthetic_events
+$ echo 'hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger
+$ echo 'hist:keys=common_pid.execname,id.syscall:onmatch(raw_syscalls.sys_enter).synthetic_sys_enter($comm, id)' >> events/raw_syscalls/sys_enter/trigger
+$ echo '!hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger
+
+[ 100.263533] ==================================================================
+[ 100.264634] BUG: KASAN: slab-use-after-free in resolve_var_refs+0xc7/0x180
+[ 100.265520] Read of size 8 at addr ffff88810375d0f0 by task bash/439
+[ 100.266320]
+[ 100.266533] CPU: 2 PID: 439 Comm: bash Not tainted 6.5.0-rc1 #4
+[ 100.267277] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
+[ 100.268561] Call Trace:
+[ 100.268902]
+[ 100.269189] dump_stack_lvl+0x4c/0x70
+[ 100.269680] print_report+0xc5/0x600
+[ 100.270165] ? resolve_var_refs+0xc7/0x180
+[ 100.270697] ? kasan_complete_mode_report_info+0x80/0x1f0
+[ 100.271389] ? resolve_var_refs+0xc7/0x180
+[ 100.271913] kasan_report+0xbd/0x100
+[ 100.272380] ? resolve_var_refs+0xc7/0x180
+[ 100.272920] __asan_load8+0x71/0xa0
+[ 100.273377] resolve_var_refs+0xc7/0x180
+[ 100.273888] event_hist_trigger+0x749/0x860
+[ 100.274505] ? kasan_save_stack+0x2a/0x50
+[ 100.275024] ? kasan_set_track+0x29/0x40
+[ 100.275536] ? __pfx_event_hist_trigger+0x10/0x10
+[ 100.276138] ? ksys_write+0xd1/0x170
+[ 100.276607] ? do_syscall_64+0x3c/0x90
+[ 100.277099] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ 100.277771] ? destroy_hist_data+0x446/0x470
+[ 100.278324] ? event_hist_trigger_parse+0xa6c/0x3860
+[ 100.278962] ? __pfx_event_hist_trigger_parse+0x10/0x10
+[ 100.279627] ? __kasan_check_write+0x18/0x20
+[ 100.280177] ? mutex_unlock+0x85/0xd0
+[ 100.280660] ? __pfx_mutex_unlock+0x10/0x10
+[ 100.281200] ? kfree+0x7b/0x120
+[ 100.281619] ? ____kasan_slab_free+0x15d/0x1d0
+[ 100.282197] ? event_trigger_write+0xac/0x100
+[ 100.282764] ? __kasan_slab_free+0x16/0x20
+[ 100.283293] ? __kmem_cache_free+0x153/0x2f0
+[ 100.283844] ? sched_mm_cid_remote_clear+0xb1/0x250
+[ 100.284550] ? __pfx_sched_mm_cid_remote_clear+0x10/0x10
+[ 100.285221] ? event_trigger_write+0xbc/0x100
+[ 100.285781] ? __kasan_check_read+0x15/0x20
+[ 100.286321] ? __bitmap_weight+0x66/0xa0
+[ 100.286833] ? _find_next_bit+0x46/0xe0
+[ 100.287334] ? task_mm_cid_work+0x37f/0x450
+[ 100.287872] event_triggers_call+0x84/0x150
+[ 100.288408] trace_event_buffer_commit+0x339/0x430
+[ 100.289073] ? ring_buffer_event_data+0x3f/0x60
+[ 100.292189] trace_event_raw_event_sys_enter+0x8b/0xe0
+[ 100.295434] syscall_trace_enter.constprop.0+0x18f/0x1b0
+[ 100.298653] syscall_enter_from_user_mode+0x32/0x40
+[ 100.301808] do_syscall_64+0x1a/0x90
+[ 100.304748] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ 100.307775] RIP: 0033:0x7f686c75c1cb
+[ 100.310617] Code: 73 01 c3 48 8b 0d 65 3c 10 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 21 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 3c 10 00 f7 d8 64 89 01 48
+[ 100.317847] RSP: 002b:00007ffc60137a38 EFLAGS: 00000246 ORIG_RAX: 0000000000000021
+[ 100.321200] RAX: ffffffffffffffda RBX: 000055f566469ea0 RCX: 00007f686c75c1cb
+[ 100.324631] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 000000000000000a
+[ 100.328104] RBP: 00007ffc60137ac0 R08: 00007f686c818460 R09: 000000000000000a
+[ 100.331509] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
+[ 100.334992] R13: 0000000000000007 R14: 000000000000000a R15: 0000000000000007
+[ 100.338381]
+
+We hit the bug because when second hist trigger has was created
+has_hist_vars() returned false because hist trigger did not have
+variables. As a result of that save_hist_vars() was not called to add
+the trigger to trace_array->hist_vars. Later on when we attempted to
+remove the first histogram find_any_var_ref() failed to detect it is
+being used because it did not find the second trigger in hist_vars list.
+
+With this change we wait until trigger actions are created so we can take
+into consideration if hist trigger has variable references. Also, now we
+check the return value of save_hist_vars() and fail trigger creation if
+save_hist_vars() fails.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230712223021.636335-1-mkhalfella@purestorage.com
+
+Cc: stable@vger.kernel.org
+Fixes: 067fe038e70f6 ("tracing: Add variable reference handling to hist triggers")
+Signed-off-by: Mohamed Khalfella
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_events_hist.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -5787,13 +5787,15 @@ static int event_hist_trigger_func(struc
+ if (get_named_trigger_data(trigger_data))
+ goto enable;
+
+- if (has_hist_vars(hist_data))
+- save_hist_vars(hist_data);
+-
+ ret = create_actions(hist_data, file);
+ if (ret)
+ goto out_unreg;
+
++ if (has_hist_vars(hist_data) || hist_data->n_var_refs) {
++ if (save_hist_vars(hist_data))
++ goto out_unreg;
++ }
++
+ ret = tracing_map_init(hist_data->map);
+ if (ret)
+ goto out_unreg;
diff --git a/tmp-4.19/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch b/tmp-4.19/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch
new file mode 100644
index 00000000000..515fff4633c
--- /dev/null
+++ b/tmp-4.19/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch
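Review bot: In the "Add histograms to hist_vars" patch, the added `if (save_hist_vars(hist_data)) goto out_unreg;` jumps to the error label while `ret` still holds the 0 left by the successful `create_actions()` call, so a failure to record the histogram in hist_vars would be returned to the caller as success. The follow-up queued next (4b8b3905165e) changes this to `ret = save_hist_vars(hist_data); if (ret) goto out_unreg;`, so the two patches should be kept adjacent in the queue and never applied separately. Applied alone, this patch leaves the use-after-free fix with a silent failure path. `event_hist_trigger_func()` starts and ends outside the hunk, so what `out_unreg` releases is not visible here.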
@@ -0,0 +1,38 @@
+From 4b8b3905165ef98386a3c06f196c85d21292d029 Mon Sep 17 00:00:00 2001
+From: Mohamed Khalfella
+Date: Fri, 14 Jul 2023 20:33:41 +0000
+Subject: tracing/histograms: Return an error if we fail to add histogram to hist_vars list
+
+From: Mohamed Khalfella
+
+commit 4b8b3905165ef98386a3c06f196c85d21292d029 upstream.
+
+Commit 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if
+they have referenced variables") added a check to fail histogram creation
+if save_hist_vars() failed to add histogram to hist_vars list. But the
+commit failed to set ret to failed return code before jumping to
+unregister histogram, fix it.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230714203341.51396-1-mkhalfella@purestorage.com
+
+Cc: stable@vger.kernel.org
+Fixes: 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if they have referenced variables")
+Signed-off-by: Mohamed Khalfella
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_events_hist.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -5792,7 +5792,8 @@ static int event_hist_trigger_func(struc
+ goto out_unreg;
+
+ if (has_hist_vars(hist_data) || hist_data->n_var_refs) {
+- if (save_hist_vars(hist_data))
++ ret = save_hist_vars(hist_data);
++ if (ret)
+ goto out_unreg;
+ }
+
diff --git a/tmp-4.19/treewide-remove-uninitialized_var-usage.patch b/tmp-4.19/treewide-remove-uninitialized_var-usage.patch
new file mode 100644
index 00000000000..46b33c4fa46
--- /dev/null
+++ b/tmp-4.19/treewide-remove-uninitialized_var-usage.patch
@@ -0,0 +1,2204 @@
+From 0638dcc7e75fbb766761e7b4694d0f0f141bbbd1 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 3 Jun 2020 13:09:38 -0700
+Subject: treewide: Remove uninitialized_var() usage
+
+From: Kees Cook
+
+commit 3f649ab728cda8038259d8f14492fe400fbab911 upstream.
+
+Using uninitialized_var() is dangerous as it papers over real bugs[1]
+(or can in the future), and suppresses unrelated compiler warnings
+(e.g. "unused variable"). If the compiler thinks it is uninitialized,
+either simply initialize the variable or make compiler changes.
+
+In preparation for removing[2] the[3] macro[4], remove all remaining
+needless uses with the following script:
+
+git grep '\buninitialized_var\b' | cut -d: -f1 | sort -u | \
+ xargs perl -pi -e \
+ 's/\buninitialized_var\(([^\)]+)\)/\1/g;
+ s:\s*/\* (GCC be quiet|to make compiler happy) \*/$::g;'
+
+drivers/video/fbdev/riva/riva_hw.c was manually tweaked to avoid
+pathological white-space.
+
+No outstanding warnings were found building allmodconfig with GCC 9.3.0
+for x86_64, i386, arm64, arm, powerpc, powerpc64le, s390x, mips, sparc64,
+alpha, and m68k.
+
+[1] https://lore.kernel.org/lkml/20200603174714.192027-1-glider@google.com/
+[2] https://lore.kernel.org/lkml/CA+55aFw+Vbj0i=1TGqCR5vQkCzWJ0QxK6CernOU6eedsudAixw@mail.gmail.com/
+[3] https://lore.kernel.org/lkml/CA+55aFwgbgqhbp1fkxvRKEpzyR5J8n1vKT1VZdz9knmPuXhOeg@mail.gmail.com/
+[4] https://lore.kernel.org/lkml/CA+55aFz2500WfbKXAx8s67wrm9=yVJu65TpLgN_ybYNv0VEOKA@mail.gmail.com/
+
+Reviewed-by: Leon Romanovsky # drivers/infiniband and mlx4/mlx5
+Acked-by: Jason Gunthorpe # IB
+Acked-by: Kalle Valo # wireless drivers
+Reviewed-by: Chao Yu # erofs
+Signed-off-by: Kees Cook
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mach-sa1100/assabet.c | 2 +-
+ arch/ia64/kernel/process.c | 2 +-
+ arch/ia64/mm/discontig.c | 2 +-
+ arch/ia64/mm/tlb.c | 2 +-
+ arch/powerpc/platforms/52xx/mpc52xx_pic.c | 2 +-
+ arch/s390/kernel/smp.c | 2 +-
+ arch/x86/kernel/quirks.c | 10 +++++-----
+ drivers/acpi/acpi_pad.c | 2 +-
+ drivers/ata/libata-scsi.c | 2 +-
+ drivers/atm/zatm.c | 2 +-
+ drivers/block/drbd/drbd_nl.c | 6 +++---
+ drivers/clk/clk-gate.c | 2 +-
+ drivers/firewire/ohci.c | 14 +++++++-------
+ drivers/gpu/drm/bridge/sil-sii8620.c | 2 +-
+ drivers/gpu/drm/drm_edid.c | 2 +-
+ drivers/gpu/drm/exynos/exynos_drm_dsi.c | 6 +++---
+ drivers/i2c/busses/i2c-rk3x.c | 2 +-
+ drivers/ide/ide-acpi.c | 2 +-
+ drivers/ide/ide-atapi.c | 2 +-
+ drivers/ide/ide-io-std.c | 4 ++--
+ drivers/ide/ide-io.c | 8 ++++----
+ drivers/ide/ide-sysfs.c | 2 +-
+ drivers/ide/umc8672.c | 2 +-
+ drivers/infiniband/core/uverbs_cmd.c | 4 ++--
+ drivers/infiniband/hw/cxgb4/cm.c | 2 +-
+ drivers/infiniband/hw/cxgb4/cq.c | 2 +-
+ drivers/infiniband/hw/mlx4/qp.c | 6 +++---
+ drivers/infiniband/hw/mlx5/cq.c | 2 +-
+ drivers/infiniband/hw/mthca/mthca_qp.c | 10 +++++-----
+ drivers/input/serio/serio_raw.c | 2 +-
+ drivers/md/dm-io.c | 2 +-
+ drivers/md/dm-ioctl.c | 2 +-
+ drivers/md/dm-snap-persistent.c | 2 +-
+ drivers/md/dm-table.c | 2 +-
+ drivers/md/raid5.c | 2 +-
+ drivers/media/dvb-frontends/rtl2832.c | 2 +-
+ drivers/media/tuners/qt1010.c | 4 ++--
+ drivers/media/usb/gspca/vicam.c | 2 +-
+ drivers/media/usb/uvc/uvc_video.c | 8 ++++----
+ drivers/memstick/host/jmb38x_ms.c | 2 +-
+ drivers/memstick/host/tifm_ms.c | 2 +-
+ drivers/mmc/host/sdhci.c | 2 +-
+ drivers/mtd/nand/raw/nand_ecc.c | 2 +-
+ drivers/mtd/nand/raw/s3c2410.c | 2 +-
+ drivers/mtd/ubi/eba.c | 2 +-
+ drivers/net/can/janz-ican3.c | 2 +-
+ drivers/net/ethernet/broadcom/bnx2.c | 4 ++--
+ drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 4 ++--
+ drivers/net/ethernet/neterion/s2io.c | 2 +-
+ drivers/net/ethernet/qlogic/qla3xxx.c | 2 +-
+ drivers/net/ethernet/sun/cassini.c | 2 +-
+ drivers/net/ethernet/sun/niu.c | 6 +++---
+ drivers/net/wan/z85230.c | 2 +-
+ drivers/net/wireless/ath/ath10k/core.c | 2 +-
+ drivers/net/wireless/ath/ath6kl/init.c | 2 +-
+ drivers/net/wireless/ath/ath9k/init.c | 2 +-
+ drivers/net/wireless/broadcom/b43/debugfs.c | 2 +-
+ drivers/net/wireless/broadcom/b43/dma.c | 2 +-
+ drivers/net/wireless/broadcom/b43/lo.c | 2 +-
+ drivers/net/wireless/broadcom/b43/phy_n.c | 2 +-
+ drivers/net/wireless/broadcom/b43/xmit.c | 12 ++++++------
+ drivers/net/wireless/broadcom/b43legacy/debugfs.c | 2 +-
+ drivers/net/wireless/broadcom/b43legacy/main.c | 2 +-
+ drivers/net/wireless/intel/iwlegacy/3945.c | 2 +-
+ drivers/net/wireless/intel/iwlegacy/4965-mac.c | 2 +-
+ drivers/platform/x86/hdaps.c | 4 ++--
+ drivers/scsi/dc395x.c | 2 +-
+ drivers/scsi/pm8001/pm8001_hwi.c | 2 +-
+ drivers/scsi/pm8001/pm80xx_hwi.c | 2 +-
+ drivers/ssb/driver_chipcommon.c | 4 ++--
+ drivers/tty/cyclades.c | 2 +-
+ drivers/tty/isicom.c | 2 +-
+ drivers/usb/musb/cppi_dma.c | 2 +-
+ drivers/usb/storage/sddr55.c | 4 ++--
+ drivers/vhost/net.c | 4 ++--
+ drivers/video/fbdev/matrox/matroxfb_maven.c | 6 +++---
+ drivers/video/fbdev/pm3fb.c | 6 +++---
+ drivers/video/fbdev/riva/riva_hw.c | 3 +--
+ drivers/virtio/virtio_ring.c | 2 +-
+ fs/afs/dir.c | 2 +-
+ fs/afs/security.c | 2 +-
+ fs/dlm/netlink.c | 2 +-
+ fs/fat/dir.c | 2 +-
+ fs/fuse/control.c | 2 +-
+ fs/fuse/cuse.c | 2 +-
+ fs/fuse/file.c | 2 +-
+ fs/gfs2/aops.c | 2 +-
+ fs/gfs2/bmap.c | 2 +-
+ fs/hfsplus/unicode.c | 2 +-
+ fs/isofs/namei.c | 4 ++--
+ fs/jffs2/erase.c | 2 +-
+ fs/nfsd/nfsctl.c | 2 +-
+ fs/ocfs2/alloc.c | 4 ++--
+ fs/ocfs2/dir.c | 14 +++++++-------
+ fs/ocfs2/extent_map.c | 4 ++--
+ fs/ocfs2/namei.c | 2 +-
+ fs/ocfs2/refcounttree.c | 2 +-
+ fs/ocfs2/xattr.c | 2 +-
+ fs/omfs/file.c | 2 +-
+ fs/overlayfs/copy_up.c | 2 +-
+ fs/ubifs/commit.c | 6 +++---
+ fs/ubifs/dir.c | 2 +-
+ fs/ubifs/file.c | 4 ++--
+ fs/ubifs/journal.c | 2 +-
+ fs/ubifs/lpt.c | 2 +-
+ fs/ubifs/tnc.c | 6 +++---
+ fs/ubifs/tnc_misc.c | 4 ++--
+ fs/udf/balloc.c | 2 +-
+ fs/xfs/xfs_bmap_util.c | 2 +-
+ kernel/async.c | 4 ++--
+ kernel/audit.c | 2 +-
+ kernel/dma/debug.c | 2 +-
+ kernel/events/core.c | 2 +-
+ kernel/events/uprobes.c | 2 +-
+ kernel/exit.c | 2 +-
+ kernel/futex.c | 12 ++++++------
+ kernel/locking/lockdep.c | 6 +++---
+ kernel/trace/ring_buffer.c | 2 +-
+ lib/radix-tree.c | 2 +-
+ mm/frontswap.c | 2 +-
+ mm/ksm.c | 2 +-
+ mm/memcontrol.c | 2 +-
+ mm/mempolicy.c | 4 ++--
+ mm/percpu.c | 2 +-
+ mm/slub.c | 4 ++--
+ mm/swap.c | 4 ++--
+ net/dccp/options.c | 2 +-
+ net/ipv4/netfilter/nf_socket_ipv4.c | 6 +++---
+ net/ipv6/ip6_flowlabel.c | 2 +-
+ net/ipv6/netfilter/nf_socket_ipv6.c | 2 +-
+ net/netfilter/nf_conntrack_ftp.c | 2 +-
+ net/netfilter/nfnetlink_log.c | 2 +-
+ net/netfilter/nfnetlink_queue.c | 4 ++--
+ net/sched/cls_flow.c | 2 +-
+ net/sched/sch_cake.c | 2 +-
+ net/sched/sch_cbq.c | 2 +-
+ net/sched/sch_fq_codel.c | 2 +-
+ net/sched/sch_sfq.c | 2 +-
+ sound/core/control_compat.c | 2 +-
+ sound/isa/sb/sb16_csp.c | 2 +-
+ sound/usb/endpoint.c | 2 +-
+ 141 files changed, 216 insertions(+), 217 deletions(-)
+
+--- a/arch/arm/mach-sa1100/assabet.c
++++ b/arch/arm/mach-sa1100/assabet.c
+@@ -570,7 +570,7 @@ static void __init map_sa1100_gpio_regs(
+ */
+ static void __init get_assabet_scr(void)
+ {
+- unsigned long uninitialized_var(scr), i;
++ unsigned long scr, i;
+
+ GPDR |= 0x3fc; /* Configure GPIO 9:2 as outputs */
+ GPSR = 0x3fc; /* Write 0xFF to GPIO 9:2 */
+--- a/arch/ia64/kernel/process.c
++++ b/arch/ia64/kernel/process.c
+@@ -444,7 +444,7 @@ static void
+ do_copy_task_regs (struct task_struct *task, struct unw_frame_info *info, void *arg)
+ {
+ unsigned long mask, sp, nat_bits = 0, ar_rnat, urbs_end, cfm;
+- unsigned long uninitialized_var(ip); /* GCC be quiet */
++ unsigned long ip;
+ elf_greg_t *dst = arg;
+ struct pt_regs *pt;
+ char nat;
+--- a/arch/ia64/mm/discontig.c
++++ b/arch/ia64/mm/discontig.c
+@@ -181,7 +181,7 @@ static void *per_cpu_node_setup(void *cp
+ void __init setup_per_cpu_areas(void)
+ {
+ struct pcpu_alloc_info *ai;
+- struct pcpu_group_info *uninitialized_var(gi);
++ struct pcpu_group_info *gi;
+ unsigned int *cpu_map;
+ void *base;
+ unsigned long base_offset;
+--- a/arch/ia64/mm/tlb.c
++++ b/arch/ia64/mm/tlb.c
+@@ -339,7 +339,7 @@ EXPORT_SYMBOL(flush_tlb_range);
+
+ void ia64_tlb_init(void)
+ {
+- ia64_ptce_info_t uninitialized_var(ptce_info); /* GCC be quiet */
++ ia64_ptce_info_t ptce_info;
+ u64 tr_pgbits;
+ long status;
+ pal_vm_info_1_u_t vm_info_1;
+--- a/arch/powerpc/platforms/52xx/mpc52xx_pic.c
++++ b/arch/powerpc/platforms/52xx/mpc52xx_pic.c
+@@ -340,7 +340,7 @@ static int mpc52xx_irqhost_map(struct ir
+ {
+ int l1irq;
+ int l2irq;
+- struct irq_chip *uninitialized_var(irqchip);
++ struct irq_chip *irqchip;
+ void *hndlr;
+ int type;
+ u32 reg;
+--- a/arch/s390/kernel/smp.c
++++ b/arch/s390/kernel/smp.c
+@@ -145,7 +145,7 @@ static int pcpu_sigp_retry(struct pcpu *
+
+ static inline int pcpu_stopped(struct pcpu *pcpu)
+ {
+- u32 uninitialized_var(status);
++ u32 status;
+
+ if (__pcpu_sigp(pcpu->address, SIGP_SENSE,
+ 0, &status) != SIGP_CC_STATUS_STORED)
+--- a/arch/x86/kernel/quirks.c
++++ b/arch/x86/kernel/quirks.c
+@@ -96,7 +96,7 @@ static void ich_force_hpet_resume(void)
+ static void ich_force_enable_hpet(struct pci_dev *dev)
+ {
+ u32 val;
+- u32 uninitialized_var(rcba);
++ u32 rcba;
+ int err = 0;
+
+ if (hpet_address || force_hpet_address)
+@@ -186,7 +186,7 @@ static void hpet_print_force_info(void)
+ static void old_ich_force_hpet_resume(void)
+ {
+ u32 val;
+- u32 uninitialized_var(gen_cntl);
++ u32 gen_cntl;
+
+ if (!force_hpet_address || !cached_dev)
+ return;
+@@ -208,7 +208,7 @@ static void old_ich_force_hpet_resume(vo
+ static void old_ich_force_enable_hpet(struct pci_dev *dev)
+ {
+ u32 val;
+- u32 uninitialized_var(gen_cntl);
++ u32 gen_cntl;
+
+ if (hpet_address || force_hpet_address)
+ return;
+@@ -299,7 +299,7 @@ static void vt8237_force_hpet_resume(voi
+
+ static void vt8237_force_enable_hpet(struct pci_dev *dev)
+ {
+- u32 uninitialized_var(val);
++ u32 val;
+
+ if (hpet_address || force_hpet_address)
+ return;
+@@ -430,7 +430,7 @@ static void nvidia_force_hpet_resume(voi
+
+ static void nvidia_force_enable_hpet(struct pci_dev *dev)
+ {
+- u32 uninitialized_var(val);
++ u32 val;
+
+ if (hpet_address || force_hpet_address)
+ return;
+--- a/drivers/acpi/acpi_pad.c
++++ b/drivers/acpi/acpi_pad.c
+@@ -95,7 +95,7 @@ static void round_robin_cpu(unsigned int
+ cpumask_var_t tmp;
+ int cpu;
+ unsigned long min_weight = -1;
+- unsigned long uninitialized_var(preferred_cpu);
++ unsigned long preferred_cpu;
+
+ if (!alloc_cpumask_var(&tmp, GFP_KERNEL))
+ return;
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -178,7 +178,7 @@ static ssize_t ata_scsi_park_show(struct
+ struct ata_link *link;
+ struct ata_device *dev;
+ unsigned long now;
+- unsigned int uninitialized_var(msecs);
++ unsigned int msecs;
+ int rc = 0;
+
+ ap = ata_shost_to_port(sdev->host);
+--- a/drivers/atm/zatm.c
++++ b/drivers/atm/zatm.c
+@@ -939,7 +939,7 @@ static int open_tx_first(struct atm_vcc
+ vcc->qos.txtp.max_pcr >= ATM_OC3_PCR);
+ if (unlimited && zatm_dev->ubr != -1) zatm_vcc->shaper = zatm_dev->ubr;
+ else {
+- int uninitialized_var(pcr);
++ int pcr;
+
+ if (unlimited) vcc->qos.txtp.max_sdu = ATM_MAX_AAL5_PDU;
+ if ((zatm_vcc->shaper = alloc_shaper(vcc->dev,&pcr,
+--- a/drivers/block/drbd/drbd_nl.c
++++ b/drivers/block/drbd/drbd_nl.c
+@@ -3394,7 +3394,7 @@ int drbd_adm_dump_devices(struct sk_buff
+ {
+ struct nlattr *resource_filter;
+ struct drbd_resource *resource;
+- struct drbd_device *uninitialized_var(device);
++ struct drbd_device *device;
+ int minor, err, retcode;
+ struct drbd_genlmsghdr *dh;
+ struct device_info device_info;
+@@ -3483,7 +3483,7 @@ int drbd_adm_dump_connections(struct sk_
+ {
+ struct nlattr *resource_filter;
+ struct drbd_resource *resource = NULL, *next_resource;
+- struct drbd_connection *uninitialized_var(connection);
++ struct drbd_connection *connection;
+ int err = 0, retcode;
+ struct drbd_genlmsghdr *dh;
+ struct connection_info connection_info;
+@@ -3645,7 +3645,7 @@ int drbd_adm_dump_peer_devices(struct sk
+ {
+ struct nlattr *resource_filter;
+ struct drbd_resource *resource;
+- struct drbd_device *uninitialized_var(device);
++ struct drbd_device *device;
+ struct drbd_peer_device *peer_device = NULL;
+ int minor, err, retcode;
+ struct drbd_genlmsghdr *dh;
+--- a/drivers/clk/clk-gate.c
++++ b/drivers/clk/clk-gate.c
+@@ -43,7 +43,7 @@ static void clk_gate_endisable(struct cl
+ {
+ struct clk_gate *gate = to_clk_gate(hw);
+ int set = gate->flags & CLK_GATE_SET_TO_DISABLE ? 1 : 0;
+- unsigned long uninitialized_var(flags);
++ unsigned long flags;
+ u32 reg;
+
+ set ^= enable;
+--- a/drivers/firewire/ohci.c
++++ b/drivers/firewire/ohci.c
+@@ -1112,7 +1112,7 @@ static void context_tasklet(unsigned lon
+ static int context_add_buffer(struct context *ctx)
+ {
+ struct descriptor_buffer *desc;
+- dma_addr_t uninitialized_var(bus_addr);
++ dma_addr_t bus_addr;
+ int offset;
+
+ /*
+@@ -1302,7 +1302,7 @@ static int at_context_queue_packet(struc
+ struct fw_packet *packet)
+ {
+ struct fw_ohci *ohci = ctx->ohci;
+- dma_addr_t d_bus, uninitialized_var(payload_bus);
++ dma_addr_t d_bus, payload_bus;
+ struct driver_data *driver_data;
+ struct descriptor *d, *last;
+ __le32 *header;
+@@ -2458,7 +2458,7 @@ static int ohci_set_config_rom(struct fw
+ {
+ struct fw_ohci *ohci;
+ __be32 *next_config_rom;
+- dma_addr_t uninitialized_var(next_config_rom_bus);
++ dma_addr_t next_config_rom_bus;
+
+ ohci = fw_ohci(card);
+
+@@ -2947,10 +2947,10 @@ static struct fw_iso_context *ohci_alloc
+ int type, int channel, size_t header_size)
+ {
+ struct fw_ohci *ohci = fw_ohci(card);
+- struct iso_context *uninitialized_var(ctx);
+- descriptor_callback_t uninitialized_var(callback);
+- u64 *uninitialized_var(channels);
+- u32 *uninitialized_var(mask), uninitialized_var(regs);
++ struct iso_context *ctx;
++ descriptor_callback_t callback;
++ u64 *channels;
++ u32 *mask, regs;
+ int index, ret = -EBUSY;
+
+ spin_lock_irq(&ohci->lock);
+--- a/drivers/gpu/drm/bridge/sil-sii8620.c
++++ b/drivers/gpu/drm/bridge/sil-sii8620.c
+@@ -988,7 +988,7 @@ static void sii8620_set_auto_zone(struct
+
+ static void sii8620_stop_video(struct sii8620 *ctx)
+ {
+- u8 uninitialized_var(val);
++ u8 val;
+
+ sii8620_write_seq_static(ctx,
+ REG_TPI_INTR_EN, 0,
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -2778,7 +2778,7 @@ static int drm_cvt_modes(struct drm_conn
+ const u8 empty[3] = { 0, 0, 0 };
+
+ for (i = 0; i < 4; i++) {
+- int uninitialized_var(width), height;
++ int width, height;
+ cvt = &(timing->data.other_data.data.cvt[i]);
+
+ if (!memcmp(cvt->code, empty, 3))
+--- a/drivers/gpu/drm/exynos/exynos_drm_dsi.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_dsi.c
+@@ -544,9 +544,9 @@ static unsigned long exynos_dsi_pll_find
+ unsigned long best_freq = 0;
+ u32 min_delta = 0xffffffff;
+ u8 p_min, p_max;
+- u8 _p, uninitialized_var(best_p);
+- u16 _m, uninitialized_var(best_m);
+- u8 _s, uninitialized_var(best_s);
++ u8 _p, best_p;
++ u16 _m, best_m;
++ u8 _s, best_s;
+
+ p_min = DIV_ROUND_UP(fin, (12 * MHZ));
+ p_max = fin / (6 * MHZ);
+--- a/drivers/i2c/busses/i2c-rk3x.c
++++ b/drivers/i2c/busses/i2c-rk3x.c
+@@ -421,7 +421,7 @@ static void rk3x_i2c_handle_read(struct
+ {
+ unsigned int i;
+ unsigned int len = i2c->msg->len - i2c->processed;
+- u32 uninitialized_var(val);
++ u32 val;
+ u8 byte;
+
+ /* we only care for MBRF here. */
+--- a/drivers/ide/ide-acpi.c
++++ b/drivers/ide/ide-acpi.c
+@@ -180,7 +180,7 @@ err:
+ static acpi_handle ide_acpi_hwif_get_handle(ide_hwif_t *hwif)
+ {
+ struct device *dev = hwif->gendev.parent;
+- acpi_handle uninitialized_var(dev_handle);
++ acpi_handle dev_handle;
+ u64 pcidevfn;
+ acpi_handle chan_handle;
+ int err;
+--- a/drivers/ide/ide-atapi.c
++++ b/drivers/ide/ide-atapi.c
+@@ -591,7 +591,7 @@ static int ide_delayed_transfer_pc(ide_d
+
+ static ide_startstop_t ide_transfer_pc(ide_drive_t *drive)
+ {
+- struct ide_atapi_pc *uninitialized_var(pc);
++ struct ide_atapi_pc *pc;
+ ide_hwif_t *hwif = drive->hwif;
+ struct request *rq = hwif->rq;
+ ide_expiry_t *expiry;
+--- a/drivers/ide/ide-io-std.c
++++ b/drivers/ide/ide-io-std.c
+@@ -172,7 +172,7 @@ void ide_input_data(ide_drive_t *drive,
+ u8 mmio = (hwif->host_flags & IDE_HFLAG_MMIO) ? 1 : 0;
+
+ if (io_32bit) {
+- unsigned long uninitialized_var(flags);
++ unsigned long flags;
+
+ if ((io_32bit & 2) && !mmio) {
+ local_irq_save(flags);
+@@ -216,7 +216,7 @@ void ide_output_data(ide_drive_t *drive,
+ u8 mmio = (hwif->host_flags & IDE_HFLAG_MMIO) ? 1 : 0;
+
+ if (io_32bit) {
+- unsigned long uninitialized_var(flags);
++ unsigned long flags;
+
+ if ((io_32bit & 2) && !mmio) {
+ local_irq_save(flags);
+--- a/drivers/ide/ide-io.c
++++ b/drivers/ide/ide-io.c
+@@ -605,12 +605,12 @@ static int drive_is_ready(ide_drive_t *d
+ void ide_timer_expiry (struct timer_list *t)
+ {
+ ide_hwif_t *hwif = from_timer(hwif, t, timer);
+- ide_drive_t *uninitialized_var(drive);
++ ide_drive_t *drive;
+ ide_handler_t *handler;
+ unsigned long flags;
+ int wait = -1;
+ int plug_device = 0;
+- struct request *uninitialized_var(rq_in_flight);
++ struct request *rq_in_flight;
+
+ spin_lock_irqsave(&hwif->lock, flags);
+
+@@ -763,13 +763,13 @@ irqreturn_t ide_intr (int irq, void *dev
+ {
+ ide_hwif_t *hwif = (ide_hwif_t *)dev_id;
+ struct ide_host *host = hwif->host;
+- ide_drive_t *uninitialized_var(drive);
++ ide_drive_t *drive;
+ ide_handler_t *handler;
+ unsigned long flags;
+ ide_startstop_t startstop;
+ irqreturn_t irq_ret = IRQ_NONE;
+ int plug_device = 0;
+- struct request *uninitialized_var(rq_in_flight);
++ struct request *rq_in_flight;
+
+ if (host->host_flags & IDE_HFLAG_SERIALIZE) {
+ if (hwif != host->cur_port)
+--- a/drivers/ide/ide-sysfs.c
++++ b/drivers/ide/ide-sysfs.c
+@@ -131,7 +131,7 @@ static struct device_attribute *ide_port
+
+ int ide_sysfs_register_port(ide_hwif_t *hwif)
+ {
+- int i, uninitialized_var(rc);
++ int i, rc;
+
+ for (i = 0; ide_port_attrs[i]; i++) {
+ rc = device_create_file(hwif->portdev, ide_port_attrs[i]);
+--- a/drivers/ide/umc8672.c
++++ b/drivers/ide/umc8672.c
+@@ -107,7 +107,7 @@ static void umc_set_speeds(u8 speeds[])
+ static void umc_set_pio_mode(ide_hwif_t *hwif, ide_drive_t *drive)
+ {
+ ide_hwif_t *mate = hwif->mate;
+- unsigned long uninitialized_var(flags);
++ unsigned long flags;
+ const u8 pio = drive->pio_mode - XFER_PIO_0;
+
+ printk("%s: setting umc8672 to PIO mode%d (speed %d)\n",
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -1726,7 +1726,7 @@ ssize_t ib_uverbs_open_qp(struct ib_uver
+ struct ib_udata udata;
+ struct ib_uqp_object *obj;
+ struct ib_xrcd *xrcd;
+- struct ib_uobject *uninitialized_var(xrcd_uobj);
++ struct ib_uobject *xrcd_uobj;
+ struct ib_qp *qp;
+ struct ib_qp_open_attr attr;
+ int ret;
+@@ -3694,7 +3694,7 @@ static int __uverbs_create_xsrq(struct i
+ struct ib_usrq_object *obj;
+ struct ib_pd *pd;
+ struct ib_srq *srq;
+- struct ib_uobject *uninitialized_var(xrcd_uobj);
++ struct ib_uobject *xrcd_uobj;
+ struct ib_srq_init_attr attr;
+ int ret;
+ struct ib_device *ib_dev;
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -3195,7 +3195,7 @@ static int get_lladdr(struct net_device
+
+ static int pick_local_ip6addrs(struct c4iw_dev *dev, struct iw_cm_id *cm_id)
+ {
+- struct in6_addr uninitialized_var(addr);
++ struct in6_addr addr;
+ struct sockaddr_in6 *la6 = (struct sockaddr_in6 *)&cm_id->m_local_addr;
+ struct sockaddr_in6 *ra6 = (struct sockaddr_in6 *)&cm_id->m_remote_addr;
+
+--- a/drivers/infiniband/hw/cxgb4/cq.c
++++ b/drivers/infiniband/hw/cxgb4/cq.c
+@@ -755,7 +755,7 @@ skip_cqe:
+ static int __c4iw_poll_cq_one(struct c4iw_cq *chp, struct c4iw_qp *qhp,
+ struct ib_wc *wc, struct c4iw_srq *srq)
+ {
+- struct t4_cqe uninitialized_var(cqe);
++ struct t4_cqe cqe;
+ struct t4_wq *wq = qhp ? &qhp->wq : NULL;
+ u32 credit = 0;
+ u8 cqe_flushed;
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -3463,11 +3463,11 @@ static int _mlx4_ib_post_send(struct ib_
+ int nreq;
+ int err = 0;
+ unsigned ind;
+- int uninitialized_var(size);
+- unsigned uninitialized_var(seglen);
++ int size;
++ unsigned seglen;
+ __be32 dummy;
+ __be32 *lso_wqe;
+- __be32 uninitialized_var(lso_hdr_sz);
++ __be32 lso_hdr_sz;
+ __be32 blh;
+ int i;
+ struct mlx4_ib_dev *mdev = to_mdev(ibqp->device);
+--- a/drivers/infiniband/hw/mlx5/cq.c
++++ b/drivers/infiniband/hw/mlx5/cq.c
+@@ -1333,7 +1333,7 @@ int mlx5_ib_resize_cq(struct ib_cq *ibcq
+ __be64 *pas;
+ int page_shift;
+ int inlen;
+- int uninitialized_var(cqe_size);
++ int cqe_size;
+ unsigned long flags;
+
+ if (!MLX5_CAP_GEN(dev->mdev, cq_resize)) {
+--- a/drivers/infiniband/hw/mthca/mthca_qp.c
++++ b/drivers/infiniband/hw/mthca/mthca_qp.c
+@@ -1630,8 +1630,8 @@ int mthca_tavor_post_send(struct ib_qp *
+ * without initializing f0 and size0, and they are in fact
+ * never used uninitialized.
+ */
+- int uninitialized_var(size0);
+- u32 uninitialized_var(f0);
++ int size0;
++ u32 f0;
+ int ind;
+ u8 op0 = 0;
+
+@@ -1831,7 +1831,7 @@ int mthca_tavor_post_receive(struct ib_q
+ * without initializing size0, and it is in fact never used
+ * uninitialized.
+ */
+- int uninitialized_var(size0);
++ int size0;
+ int ind;
+ void *wqe;
+ void *prev_wqe;
+@@ -1945,8 +1945,8 @@ int mthca_arbel_post_send(struct ib_qp *
+ * without initializing f0 and size0, and they are in fact
+ * never used uninitialized.
+ */ +- int uninitialized_var(size0); +- u32 uninitialized_var(f0); ++ int size0; ++ u32 f0; + int ind; + u8 op0 = 0; + +--- a/drivers/input/serio/serio_raw.c ++++ b/drivers/input/serio/serio_raw.c +@@ -162,7 +162,7 @@ static ssize_t serio_raw_read(struct fil + { + struct serio_raw_client *client = file->private_data; + struct serio_raw *serio_raw = client->serio_raw; +- char uninitialized_var(c); ++ char c; + ssize_t read = 0; + int error; + +--- a/drivers/md/dm-io.c ++++ b/drivers/md/dm-io.c +@@ -306,7 +306,7 @@ static void do_region(int op, int op_fla + struct request_queue *q = bdev_get_queue(where->bdev); + unsigned short logical_block_size = queue_logical_block_size(q); + sector_t num_sectors; +- unsigned int uninitialized_var(special_cmd_max_sectors); ++ unsigned int special_cmd_max_sectors; + + /* + * Reject unsupported discard and write same requests. +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -1822,7 +1822,7 @@ static int ctl_ioctl(struct file *file, + int ioctl_flags; + int param_flags; + unsigned int cmd; +- struct dm_ioctl *uninitialized_var(param); ++ struct dm_ioctl *param; + ioctl_fn fn = NULL; + size_t input_param_size; + struct dm_ioctl param_kernel; +--- a/drivers/md/dm-snap-persistent.c ++++ b/drivers/md/dm-snap-persistent.c +@@ -613,7 +613,7 @@ static int persistent_read_metadata(stru + chunk_t old, chunk_t new), + void *callback_context) + { +- int r, uninitialized_var(new_snapshot); ++ int r, new_snapshot; + struct pstore *ps = get_info(store); + + /* +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -671,7 +671,7 @@ static int validate_hardware_logical_blo + */ + unsigned short remaining = 0; + +- struct dm_target *uninitialized_var(ti); ++ struct dm_target *ti; + struct queue_limits ti_limits; + unsigned i; + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -2603,7 +2603,7 @@ static void raid5_end_write_request(stru + struct stripe_head *sh = bi->bi_private; + struct r5conf *conf = sh->raid_conf; + int 
disks = sh->disks, i; +- struct md_rdev *uninitialized_var(rdev); ++ struct md_rdev *rdev; + sector_t first_bad; + int bad_sectors; + int replacement = 0; +--- a/drivers/media/dvb-frontends/rtl2832.c ++++ b/drivers/media/dvb-frontends/rtl2832.c +@@ -653,7 +653,7 @@ static int rtl2832_read_status(struct dv + struct i2c_client *client = dev->client; + struct dtv_frontend_properties *c = &fe->dtv_property_cache; + int ret; +- u32 uninitialized_var(tmp); ++ u32 tmp; + u8 u8tmp, buf[2]; + u16 u16tmp; + +--- a/drivers/media/tuners/qt1010.c ++++ b/drivers/media/tuners/qt1010.c +@@ -224,7 +224,7 @@ static int qt1010_set_params(struct dvb_ + static int qt1010_init_meas1(struct qt1010_priv *priv, + u8 oper, u8 reg, u8 reg_init_val, u8 *retval) + { +- u8 i, val1, uninitialized_var(val2); ++ u8 i, val1, val2; + int err; + + qt1010_i2c_oper_t i2c_data[] = { +@@ -259,7 +259,7 @@ static int qt1010_init_meas1(struct qt10 + static int qt1010_init_meas2(struct qt1010_priv *priv, + u8 reg_init_val, u8 *retval) + { +- u8 i, uninitialized_var(val); ++ u8 i, val; + int err; + qt1010_i2c_oper_t i2c_data[] = { + { QT1010_WR, 0x07, reg_init_val }, +--- a/drivers/media/usb/gspca/vicam.c ++++ b/drivers/media/usb/gspca/vicam.c +@@ -234,7 +234,7 @@ static int sd_init(struct gspca_dev *gsp + { + int ret; + const struct ihex_binrec *rec; +- const struct firmware *uninitialized_var(fw); ++ const struct firmware *fw; + u8 *firmware_buf; + + ret = request_ihex_firmware(&fw, VICAM_FIRMWARE, +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -802,9 +802,9 @@ static void uvc_video_stats_decode(struc + unsigned int header_size; + bool has_pts = false; + bool has_scr = false; +- u16 uninitialized_var(scr_sof); +- u32 uninitialized_var(scr_stc); +- u32 uninitialized_var(pts); ++ u16 scr_sof; ++ u32 scr_stc; ++ u32 pts; + + if (stream->stats.stream.nb_frames == 0 && + stream->stats.frame.nb_packets == 0) +@@ -1801,7 +1801,7 @@ static int uvc_init_video(struct uvc_str + 
struct usb_host_endpoint *best_ep = NULL; + unsigned int best_psize = UINT_MAX; + unsigned int bandwidth; +- unsigned int uninitialized_var(altsetting); ++ unsigned int altsetting; + int intfnum = stream->intfnum; + + /* Isochronous endpoint, select the alternate setting. */ +--- a/drivers/memstick/host/jmb38x_ms.c ++++ b/drivers/memstick/host/jmb38x_ms.c +@@ -316,7 +316,7 @@ static int jmb38x_ms_transfer_data(struc + } + + while (length) { +- unsigned int uninitialized_var(p_off); ++ unsigned int p_off; + + if (host->req->long_data) { + pg = nth_page(sg_page(&host->req->sg), +--- a/drivers/memstick/host/tifm_ms.c ++++ b/drivers/memstick/host/tifm_ms.c +@@ -200,7 +200,7 @@ static unsigned int tifm_ms_transfer_dat + host->block_pos); + + while (length) { +- unsigned int uninitialized_var(p_off); ++ unsigned int p_off; + + if (host->req->long_data) { + pg = nth_page(sg_page(&host->req->sg), +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -374,7 +374,7 @@ static void sdhci_read_block_pio(struct + { + unsigned long flags; + size_t blksize, len, chunk; +- u32 uninitialized_var(scratch); ++ u32 scratch; + u8 *buf; + + DBG("PIO reading\n"); +--- a/drivers/mtd/nand/raw/nand_ecc.c ++++ b/drivers/mtd/nand/raw/nand_ecc.c +@@ -144,7 +144,7 @@ void __nand_calculate_ecc(const unsigned + /* rp0..rp15..rp17 are the various accumulated parities (per byte) */ + uint32_t rp0, rp1, rp2, rp3, rp4, rp5, rp6, rp7; + uint32_t rp8, rp9, rp10, rp11, rp12, rp13, rp14, rp15, rp16; +- uint32_t uninitialized_var(rp17); /* to make compiler happy */ ++ uint32_t rp17; + uint32_t par; /* the cumulative parity for all data */ + uint32_t tmppar; /* the cumulative parity for this iteration; + for rp12, rp14 and rp16 at the end of the +--- a/drivers/mtd/nand/raw/s3c2410.c ++++ b/drivers/mtd/nand/raw/s3c2410.c +@@ -304,7 +304,7 @@ static int s3c2410_nand_setrate(struct s + int tacls_max = (info->cpu_type == TYPE_S3C2412) ? 
8 : 4; + int tacls, twrph0, twrph1; + unsigned long clkrate = clk_get_rate(info->clk); +- unsigned long uninitialized_var(set), cfg, uninitialized_var(mask); ++ unsigned long set, cfg, mask; + unsigned long flags; + + /* calculate the timing information for the controller */ +--- a/drivers/mtd/ubi/eba.c ++++ b/drivers/mtd/ubi/eba.c +@@ -612,7 +612,7 @@ int ubi_eba_read_leb(struct ubi_device * + int err, pnum, scrub = 0, vol_id = vol->vol_id; + struct ubi_vid_io_buf *vidb; + struct ubi_vid_hdr *vid_hdr; +- uint32_t uninitialized_var(crc); ++ uint32_t crc; + + err = leb_read_lock(ubi, vol_id, lnum); + if (err) +--- a/drivers/net/can/janz-ican3.c ++++ b/drivers/net/can/janz-ican3.c +@@ -1455,7 +1455,7 @@ static int ican3_napi(struct napi_struct + + /* process all communication messages */ + while (true) { +- struct ican3_msg uninitialized_var(msg); ++ struct ican3_msg msg; + ret = ican3_recv_msg(mod, &msg); + if (ret) + break; +--- a/drivers/net/ethernet/broadcom/bnx2.c ++++ b/drivers/net/ethernet/broadcom/bnx2.c +@@ -1461,7 +1461,7 @@ bnx2_test_and_disable_2g5(struct bnx2 *b + static void + bnx2_enable_forced_2g5(struct bnx2 *bp) + { +- u32 uninitialized_var(bmcr); ++ u32 bmcr; + int err; + + if (!(bp->phy_flags & BNX2_PHY_FLAG_2_5G_CAPABLE)) +@@ -1505,7 +1505,7 @@ bnx2_enable_forced_2g5(struct bnx2 *bp) + static void + bnx2_disable_forced_2g5(struct bnx2 *bp) + { +- u32 uninitialized_var(bmcr); ++ u32 bmcr; + int err; + + if (!(bp->phy_flags & BNX2_PHY_FLAG_2_5G_CAPABLE)) +--- a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c +@@ -471,8 +471,8 @@ void mlx5_core_req_pages_handler(struct + + int mlx5_satisfy_startup_pages(struct mlx5_core_dev *dev, int boot) + { +- u16 uninitialized_var(func_id); +- s32 uninitialized_var(npages); ++ u16 func_id; ++ s32 npages; + int err; + + err = mlx5_cmd_query_pages(dev, &func_id, &npages, boot); +--- a/drivers/net/ethernet/neterion/s2io.c ++++ 
b/drivers/net/ethernet/neterion/s2io.c +@@ -7291,7 +7291,7 @@ static int rx_osm_handler(struct ring_in + int ring_no = ring_data->ring_no; + u16 l3_csum, l4_csum; + unsigned long long err = rxdp->Control_1 & RXD_T_CODE; +- struct lro *uninitialized_var(lro); ++ struct lro *lro; + u8 err_mask; + struct swStat *swstats = &sp->mac_control.stats_info->sw_stat; + +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -3771,7 +3771,7 @@ static int ql3xxx_probe(struct pci_dev * + struct net_device *ndev = NULL; + struct ql3_adapter *qdev = NULL; + static int cards_found; +- int uninitialized_var(pci_using_dac), err; ++ int pci_using_dac, err; + + err = pci_enable_device(pdev); + if (err) { +--- a/drivers/net/ethernet/sun/cassini.c ++++ b/drivers/net/ethernet/sun/cassini.c +@@ -2291,7 +2291,7 @@ static int cas_rx_ringN(struct cas *cp, + drops = 0; + while (1) { + struct cas_rx_comp *rxc = rxcs + entry; +- struct sk_buff *uninitialized_var(skb); ++ struct sk_buff *skb; + int type, len; + u64 words[4]; + int i, dring; +--- a/drivers/net/ethernet/sun/niu.c ++++ b/drivers/net/ethernet/sun/niu.c +@@ -429,7 +429,7 @@ static int serdes_init_niu_1g_serdes(str + struct niu_link_config *lp = &np->link_config; + u16 pll_cfg, pll_sts; + int max_retry = 100; +- u64 uninitialized_var(sig), mask, val; ++ u64 sig, mask, val; + u32 tx_cfg, rx_cfg; + unsigned long i; + int err; +@@ -526,7 +526,7 @@ static int serdes_init_niu_10g_serdes(st + struct niu_link_config *lp = &np->link_config; + u32 tx_cfg, rx_cfg, pll_cfg, pll_sts; + int max_retry = 100; +- u64 uninitialized_var(sig), mask, val; ++ u64 sig, mask, val; + unsigned long i; + int err; + +@@ -714,7 +714,7 @@ static int esr_write_glue0(struct niu *n + + static int esr_reset(struct niu *np) + { +- u32 uninitialized_var(reset); ++ u32 reset; + int err; + + err = mdio_write(np, np->port, NIU_ESR_DEV_ADDR, +--- a/drivers/net/wan/z85230.c ++++ b/drivers/net/wan/z85230.c +@@ -705,7 +705,7 @@ 
EXPORT_SYMBOL(z8530_nop); + irqreturn_t z8530_interrupt(int irq, void *dev_id) + { + struct z8530_dev *dev=dev_id; +- u8 uninitialized_var(intr); ++ u8 intr; + static volatile int locker=0; + int work=0; + struct z8530_irqhandler *irqs; +--- a/drivers/net/wireless/ath/ath10k/core.c ++++ b/drivers/net/wireless/ath/ath10k/core.c +@@ -1891,7 +1891,7 @@ static int ath10k_init_uart(struct ath10 + + static int ath10k_init_hw_params(struct ath10k *ar) + { +- const struct ath10k_hw_params *uninitialized_var(hw_params); ++ const struct ath10k_hw_params *hw_params; + int i; + + for (i = 0; i < ARRAY_SIZE(ath10k_hw_params_list); i++) { +--- a/drivers/net/wireless/ath/ath6kl/init.c ++++ b/drivers/net/wireless/ath/ath6kl/init.c +@@ -1575,7 +1575,7 @@ static int ath6kl_init_upload(struct ath + + int ath6kl_init_hw_params(struct ath6kl *ar) + { +- const struct ath6kl_hw *uninitialized_var(hw); ++ const struct ath6kl_hw *hw; + int i; + + for (i = 0; i < ARRAY_SIZE(hw_list); i++) { +--- a/drivers/net/wireless/ath/ath9k/init.c ++++ b/drivers/net/wireless/ath/ath9k/init.c +@@ -230,7 +230,7 @@ static unsigned int ath9k_reg_rmw(void * + struct ath_hw *ah = hw_priv; + struct ath_common *common = ath9k_hw_common(ah); + struct ath_softc *sc = (struct ath_softc *) common->priv; +- unsigned long uninitialized_var(flags); ++ unsigned long flags; + u32 val; + + if (NR_CPUS > 1 && ah->config.serialize_regmode == SER_REG_MODE_ON) { +--- a/drivers/net/wireless/broadcom/b43/debugfs.c ++++ b/drivers/net/wireless/broadcom/b43/debugfs.c +@@ -506,7 +506,7 @@ static ssize_t b43_debugfs_read(struct f + struct b43_wldev *dev; + struct b43_debugfs_fops *dfops; + struct b43_dfs_file *dfile; +- ssize_t uninitialized_var(ret); ++ ssize_t ret; + char *buf; + const size_t bufsize = 1024 * 16; /* 16 kiB buffer */ + const size_t buforder = get_order(bufsize); +--- a/drivers/net/wireless/broadcom/b43/dma.c ++++ b/drivers/net/wireless/broadcom/b43/dma.c +@@ -50,7 +50,7 @@ + static u32 b43_dma_address(struct 
b43_dma *dma, dma_addr_t dmaaddr, + enum b43_addrtype addrtype) + { +- u32 uninitialized_var(addr); ++ u32 addr; + + switch (addrtype) { + case B43_DMA_ADDR_LOW: +--- a/drivers/net/wireless/broadcom/b43/lo.c ++++ b/drivers/net/wireless/broadcom/b43/lo.c +@@ -742,7 +742,7 @@ struct b43_lo_calib *b43_calibrate_lo_se + }; + int max_rx_gain; + struct b43_lo_calib *cal; +- struct lo_g_saved_values uninitialized_var(saved_regs); ++ struct lo_g_saved_values saved_regs; + /* Values from the "TXCTL Register and Value Table" */ + u16 txctl_reg; + u16 txctl_value; +--- a/drivers/net/wireless/broadcom/b43/phy_n.c ++++ b/drivers/net/wireless/broadcom/b43/phy_n.c +@@ -5655,7 +5655,7 @@ static int b43_nphy_rev2_cal_rx_iq(struc + u8 rfctl[2]; + u8 afectl_core; + u16 tmp[6]; +- u16 uninitialized_var(cur_hpf1), uninitialized_var(cur_hpf2), cur_lna; ++ u16 cur_hpf1, cur_hpf2, cur_lna; + u32 real, imag; + enum nl80211_band band; + +--- a/drivers/net/wireless/broadcom/b43/xmit.c ++++ b/drivers/net/wireless/broadcom/b43/xmit.c +@@ -435,10 +435,10 @@ int b43_generate_txhdr(struct b43_wldev + if ((rates[0].flags & IEEE80211_TX_RC_USE_RTS_CTS) || + (rates[0].flags & IEEE80211_TX_RC_USE_CTS_PROTECT)) { + unsigned int len; +- struct ieee80211_hdr *uninitialized_var(hdr); ++ struct ieee80211_hdr *hdr; + int rts_rate, rts_rate_fb; + int rts_rate_ofdm, rts_rate_fb_ofdm; +- struct b43_plcp_hdr6 *uninitialized_var(plcp); ++ struct b43_plcp_hdr6 *plcp; + struct ieee80211_rate *rts_cts_rate; + + rts_cts_rate = ieee80211_get_rts_cts_rate(dev->wl->hw, info); +@@ -449,7 +449,7 @@ int b43_generate_txhdr(struct b43_wldev + rts_rate_fb_ofdm = b43_is_ofdm_rate(rts_rate_fb); + + if (rates[0].flags & IEEE80211_TX_RC_USE_CTS_PROTECT) { +- struct ieee80211_cts *uninitialized_var(cts); ++ struct ieee80211_cts *cts; + + switch (dev->fw.hdr_format) { + case B43_FW_HDR_598: +@@ -471,7 +471,7 @@ int b43_generate_txhdr(struct b43_wldev + mac_ctl |= B43_TXH_MAC_SENDCTS; + len = sizeof(struct ieee80211_cts); + } else 
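Review bot: `b43_dma_address()` in drivers/net/wireless/broadcom/b43/dma.c now declares `u32 addr;` with no initializer and assigns it only inside `switch (addrtype)`, so an `addrtype` value that matches no `case` would leave `addr` indeterminate. Only the first label, `case B43_DMA_ADDR_LOW:`, is visible; the remaining cases and the return are outside the hunk, so whether a `default:` exists cannot be confirmed from here. If there is none, I would declare `u32 addr = 0;` or add a `default:` that assigns a defined value, since the result is presumably an address handed to the device.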
{ +- struct ieee80211_rts *uninitialized_var(rts); ++ struct ieee80211_rts *rts; + + switch (dev->fw.hdr_format) { + case B43_FW_HDR_598: +@@ -663,8 +663,8 @@ void b43_rx(struct b43_wldev *dev, struc + const struct b43_rxhdr_fw4 *rxhdr = _rxhdr; + __le16 fctl; + u16 phystat0, phystat3; +- u16 uninitialized_var(chanstat), uninitialized_var(mactime); +- u32 uninitialized_var(macstat); ++ u16 chanstat, mactime; ++ u32 macstat; + u16 chanid; + int padding, rate_idx; + +--- a/drivers/net/wireless/broadcom/b43legacy/debugfs.c ++++ b/drivers/net/wireless/broadcom/b43legacy/debugfs.c +@@ -203,7 +203,7 @@ static ssize_t b43legacy_debugfs_read(st + struct b43legacy_wldev *dev; + struct b43legacy_debugfs_fops *dfops; + struct b43legacy_dfs_file *dfile; +- ssize_t uninitialized_var(ret); ++ ssize_t ret; + char *buf; + const size_t bufsize = 1024 * 16; /* 16 KiB buffer */ + const size_t buforder = get_order(bufsize); +--- a/drivers/net/wireless/broadcom/b43legacy/main.c ++++ b/drivers/net/wireless/broadcom/b43legacy/main.c +@@ -2612,7 +2612,7 @@ static void b43legacy_put_phy_into_reset + static int b43legacy_switch_phymode(struct b43legacy_wl *wl, + unsigned int new_mode) + { +- struct b43legacy_wldev *uninitialized_var(up_dev); ++ struct b43legacy_wldev *up_dev; + struct b43legacy_wldev *down_dev; + int err; + bool gmode = false; +--- a/drivers/net/wireless/intel/iwlegacy/3945.c ++++ b/drivers/net/wireless/intel/iwlegacy/3945.c +@@ -2115,7 +2115,7 @@ il3945_txpower_set_from_eeprom(struct il + + /* set tx power value for all OFDM rates */ + for (rate_idx = 0; rate_idx < IL_OFDM_RATES; rate_idx++) { +- s32 uninitialized_var(power_idx); ++ s32 power_idx; + int rc; + + /* use channel group's clip-power table, +--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c ++++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c +@@ -2784,7 +2784,7 @@ il4965_hdl_tx(struct il_priv *il, struct + struct ieee80211_tx_info *info; + struct il4965_tx_resp *tx_resp = (void *)&pkt->u.raw[0]; + u32 
status = le32_to_cpu(tx_resp->u.status); +- int uninitialized_var(tid); ++ int tid; + int sta_id; + int freed; + u8 *qc = NULL; +--- a/drivers/platform/x86/hdaps.c ++++ b/drivers/platform/x86/hdaps.c +@@ -378,7 +378,7 @@ static ssize_t hdaps_variance_show(struc + static ssize_t hdaps_temp1_show(struct device *dev, + struct device_attribute *attr, char *buf) + { +- u8 uninitialized_var(temp); ++ u8 temp; + int ret; + + ret = hdaps_readb_one(HDAPS_PORT_TEMP1, &temp); +@@ -391,7 +391,7 @@ static ssize_t hdaps_temp1_show(struct d + static ssize_t hdaps_temp2_show(struct device *dev, + struct device_attribute *attr, char *buf) + { +- u8 uninitialized_var(temp); ++ u8 temp; + int ret; + + ret = hdaps_readb_one(HDAPS_PORT_TEMP2, &temp); +--- a/drivers/scsi/dc395x.c ++++ b/drivers/scsi/dc395x.c +@@ -4275,7 +4275,7 @@ static int adapter_sg_tables_alloc(struc + const unsigned srbs_per_page = PAGE_SIZE/SEGMENTX_LEN; + int srb_idx = 0; + unsigned i = 0; +- struct SGentry *uninitialized_var(ptr); ++ struct SGentry *ptr; + + for (i = 0; i < DC395x_MAX_SRB_CNT; i++) + acb->srb_array[i].segment_x = NULL; +--- a/drivers/scsi/pm8001/pm8001_hwi.c ++++ b/drivers/scsi/pm8001/pm8001_hwi.c +@@ -4174,7 +4174,7 @@ static int process_oq(struct pm8001_hba_ + { + struct outbound_queue_table *circularQ; + void *pMsg1 = NULL; +- u8 uninitialized_var(bc); ++ u8 bc; + u32 ret = MPI_IO_STATUS_FAIL; + unsigned long flags; + +--- a/drivers/scsi/pm8001/pm80xx_hwi.c ++++ b/drivers/scsi/pm8001/pm80xx_hwi.c +@@ -3811,7 +3811,7 @@ static int process_oq(struct pm8001_hba_ + { + struct outbound_queue_table *circularQ; + void *pMsg1 = NULL; +- u8 uninitialized_var(bc); ++ u8 bc; + u32 ret = MPI_IO_STATUS_FAIL; + unsigned long flags; + u32 regval; +--- a/drivers/ssb/driver_chipcommon.c ++++ b/drivers/ssb/driver_chipcommon.c +@@ -119,7 +119,7 @@ void ssb_chipco_set_clockmode(struct ssb + static enum ssb_clksrc chipco_pctl_get_slowclksrc(struct ssb_chipcommon *cc) + { + struct ssb_bus *bus = cc->dev->bus; +- 
u32 uninitialized_var(tmp); ++ u32 tmp; + + if (cc->dev->id.revision < 6) { + if (bus->bustype == SSB_BUSTYPE_SSB || +@@ -149,7 +149,7 @@ static enum ssb_clksrc chipco_pctl_get_s + /* Get maximum or minimum (depending on get_max flag) slowclock frequency. */ + static int chipco_pctl_clockfreqlimit(struct ssb_chipcommon *cc, int get_max) + { +- int uninitialized_var(limit); ++ int limit; + enum ssb_clksrc clocksrc; + int divisor = 1; + u32 tmp; +--- a/drivers/tty/cyclades.c ++++ b/drivers/tty/cyclades.c +@@ -3648,7 +3648,7 @@ static int cy_pci_probe(struct pci_dev * + struct cyclades_card *card; + void __iomem *addr0 = NULL, *addr2 = NULL; + char *card_name = NULL; +- u32 uninitialized_var(mailbox); ++ u32 mailbox; + unsigned int device_id, nchan = 0, card_no, i, j; + unsigned char plx_ver; + int retval, irq; +--- a/drivers/tty/isicom.c ++++ b/drivers/tty/isicom.c +@@ -1537,7 +1537,7 @@ static unsigned int card_count; + static int isicom_probe(struct pci_dev *pdev, + const struct pci_device_id *ent) + { +- unsigned int uninitialized_var(signature), index; ++ unsigned int signature, index; + int retval = -EPERM; + struct isi_board *board = NULL; + +--- a/drivers/usb/musb/cppi_dma.c ++++ b/drivers/usb/musb/cppi_dma.c +@@ -1146,7 +1146,7 @@ irqreturn_t cppi_interrupt(int irq, void + struct musb_hw_ep *hw_ep = NULL; + u32 rx, tx; + int i, index; +- unsigned long uninitialized_var(flags); ++ unsigned long flags; + + cppi = container_of(musb->dma_controller, struct cppi, controller); + if (cppi->irq) +--- a/drivers/usb/storage/sddr55.c ++++ b/drivers/usb/storage/sddr55.c +@@ -553,8 +553,8 @@ static int sddr55_reset(struct us_data * + + static unsigned long sddr55_get_capacity(struct us_data *us) { + +- unsigned char uninitialized_var(manufacturerID); +- unsigned char uninitialized_var(deviceID); ++ unsigned char manufacturerID; ++ unsigned char deviceID; + int result; + struct sddr55_card_info *info = (struct sddr55_card_info *)us->extra; + +--- a/drivers/vhost/net.c ++++ 
b/drivers/vhost/net.c +@@ -828,7 +828,7 @@ static int get_rx_bufs(struct vhost_virt + /* len is always initialized before use since we are always called with + * datalen > 0. + */ +- u32 uninitialized_var(len); ++ u32 len; + + while (datalen > 0 && headcount < quota) { + if (unlikely(seg >= UIO_MAXIOV)) { +@@ -885,7 +885,7 @@ static void handle_rx(struct vhost_net * + { + struct vhost_net_virtqueue *nvq = &net->vqs[VHOST_NET_VQ_RX]; + struct vhost_virtqueue *vq = &nvq->vq; +- unsigned uninitialized_var(in), log; ++ unsigned in, log; + struct vhost_log *vq_log; + struct msghdr msg = { + .msg_name = NULL, +--- a/drivers/video/fbdev/matrox/matroxfb_maven.c ++++ b/drivers/video/fbdev/matrox/matroxfb_maven.c +@@ -299,7 +299,7 @@ static int matroxfb_mavenclock(const str + unsigned int* in, unsigned int* feed, unsigned int* post, + unsigned int* htotal2) { + unsigned int fvco; +- unsigned int uninitialized_var(p); ++ unsigned int p; + + fvco = matroxfb_PLL_mavenclock(&maven1000_pll, ctl, htotal, vtotal, in, feed, &p, htotal2); + if (!fvco) +@@ -731,8 +731,8 @@ static int maven_find_exact_clocks(unsig + + for (x = 0; x < 8; x++) { + unsigned int c; +- unsigned int uninitialized_var(a), uninitialized_var(b), +- uninitialized_var(h2); ++ unsigned int a, b, ++ h2; + unsigned int h = ht + 2 + x; + + if (!matroxfb_mavenclock((m->mode == MATROXFB_OUTPUT_MODE_PAL) ? 
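Review bot: In `get_rx_bufs()` (drivers/vhost/net.c) the safety of `u32 len;` rests only on the caller contract stated in the comment above it ("always called with datalen > 0"). If that contract is ever violated, the `while (datalen > 0 && headcount < quota)` loop is skipped and any later use of `len` reads stack contents; the code after the loop is outside the hunk, so that use is inferred. Because this is host-side code working on guest-supplied buffers, I would make the value defined rather than assumed, `u32 len = 0;`, and keep the comment as the explanation of why zero is never the value actually consumed.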
&maven_PAL : &maven_NTSC, h, vt, &a, &b, &c, &h2)) { +--- a/drivers/video/fbdev/pm3fb.c ++++ b/drivers/video/fbdev/pm3fb.c +@@ -821,9 +821,9 @@ static void pm3fb_write_mode(struct fb_i + + wmb(); + { +- unsigned char uninitialized_var(m); /* ClkPreScale */ +- unsigned char uninitialized_var(n); /* ClkFeedBackScale */ +- unsigned char uninitialized_var(p); /* ClkPostScale */ ++ unsigned char m; /* ClkPreScale */ ++ unsigned char n; /* ClkFeedBackScale */ ++ unsigned char p; /* ClkPostScale */ + unsigned long pixclock = PICOS2KHZ(info->var.pixclock); + + (void)pm3fb_calculate_clock(pixclock, &m, &n, &p); +--- a/drivers/video/fbdev/riva/riva_hw.c ++++ b/drivers/video/fbdev/riva/riva_hw.c +@@ -1245,8 +1245,7 @@ int CalcStateExt + ) + { + int pixelDepth; +- int uninitialized_var(VClk),uninitialized_var(m), +- uninitialized_var(n), uninitialized_var(p); ++ int VClk, m, n, p; + + /* + * Save mode parameters. +--- a/drivers/virtio/virtio_ring.c ++++ b/drivers/virtio/virtio_ring.c +@@ -268,7 +268,7 @@ static inline int virtqueue_add(struct v + struct vring_virtqueue *vq = to_vvq(_vq); + struct scatterlist *sg; + struct vring_desc *desc; +- unsigned int i, n, avail, descs_used, uninitialized_var(prev), err_idx; ++ unsigned int i, n, avail, descs_used, prev, err_idx; + int head; + bool indirect; + +--- a/fs/afs/dir.c ++++ b/fs/afs/dir.c +@@ -887,7 +887,7 @@ static struct dentry *afs_lookup(struct + static int afs_d_revalidate(struct dentry *dentry, unsigned int flags) + { + struct afs_vnode *vnode, *dir; +- struct afs_fid uninitialized_var(fid); ++ struct afs_fid fid; + struct dentry *parent; + struct inode *inode; + struct key *key; +--- a/fs/afs/security.c ++++ b/fs/afs/security.c +@@ -340,7 +340,7 @@ int afs_check_permit(struct afs_vnode *v + int afs_permission(struct inode *inode, int mask) + { + struct afs_vnode *vnode = AFS_FS_I(inode); +- afs_access_t uninitialized_var(access); ++ afs_access_t access; + struct key *key; + int ret; + +--- a/fs/dlm/netlink.c ++++ 
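Review bot: In the pm3fb.c hunk (`pm3fb_write_mode`), `m`, `n` and `p` are now uninitialized and the only visible writer is `(void)pm3fb_calculate_clock(pixclock, &m, &n, &p);`, whose result is explicitly discarded. If that helper can return without storing all three outputs (its body is not in this hunk), the values used afterwards are indeterminate. I would initialise them at the declaration, e.g. `unsigned char m = 0; /* ClkPreScale */` and likewise for `n` and `p`, or test the return value instead of casting it away.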
b/fs/dlm/netlink.c +@@ -115,7 +115,7 @@ static void fill_data(struct dlm_lock_da + + void dlm_timeout_warn(struct dlm_lkb *lkb) + { +- struct sk_buff *uninitialized_var(send_skb); ++ struct sk_buff *send_skb; + struct dlm_lock_data *data; + size_t size; + int rv; +--- a/fs/fat/dir.c ++++ b/fs/fat/dir.c +@@ -1287,7 +1287,7 @@ int fat_add_entries(struct inode *dir, v + struct super_block *sb = dir->i_sb; + struct msdos_sb_info *sbi = MSDOS_SB(sb); + struct buffer_head *bh, *prev, *bhs[3]; /* 32*slots (672bytes) */ +- struct msdos_dir_entry *uninitialized_var(de); ++ struct msdos_dir_entry *de; + int err, free_slots, i, nr_bhs; + loff_t pos, i_pos; + +--- a/fs/fuse/control.c ++++ b/fs/fuse/control.c +@@ -117,7 +117,7 @@ static ssize_t fuse_conn_max_background_ + const char __user *buf, + size_t count, loff_t *ppos) + { +- unsigned uninitialized_var(val); ++ unsigned val; + ssize_t ret; + + ret = fuse_conn_limit_write(file, buf, count, ppos, &val, +--- a/fs/fuse/cuse.c ++++ b/fs/fuse/cuse.c +@@ -269,7 +269,7 @@ static int cuse_parse_one(char **pp, cha + static int cuse_parse_devinfo(char *p, size_t len, struct cuse_devinfo *devinfo) + { + char *end = p + len; +- char *uninitialized_var(key), *uninitialized_var(val); ++ char *key, *val; + int rc; + + while (true) { +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -2774,7 +2774,7 @@ static void fuse_register_polled_file(st + { + spin_lock(&fc->lock); + if (RB_EMPTY_NODE(&ff->polled_node)) { +- struct rb_node **link, *uninitialized_var(parent); ++ struct rb_node **link, *parent; + + link = fuse_find_polled_node(fc, ff->kh, &parent); + BUG_ON(*link); +--- a/fs/gfs2/aops.c ++++ b/fs/gfs2/aops.c +@@ -359,7 +359,7 @@ static int gfs2_write_cache_jdata(struct + int done = 0; + struct pagevec pvec; + int nr_pages; +- pgoff_t uninitialized_var(writeback_index); ++ pgoff_t writeback_index; + pgoff_t index; + pgoff_t end; + pgoff_t done_index; +--- a/fs/gfs2/bmap.c ++++ b/fs/gfs2/bmap.c +@@ -1754,7 +1754,7 @@ static int 
punch_hole(struct gfs2_inode + u64 lblock = (offset + (1 << bsize_shift) - 1) >> bsize_shift; + __u16 start_list[GFS2_MAX_META_HEIGHT]; + __u16 __end_list[GFS2_MAX_META_HEIGHT], *end_list = NULL; +- unsigned int start_aligned, uninitialized_var(end_aligned); ++ unsigned int start_aligned, end_aligned; + unsigned int strip_h = ip->i_height - 1; + u32 btotal = 0; + int ret, state; +--- a/fs/hfsplus/unicode.c ++++ b/fs/hfsplus/unicode.c +@@ -398,7 +398,7 @@ int hfsplus_hash_dentry(const struct den + astr = str->name; + len = str->len; + while (len > 0) { +- int uninitialized_var(dsize); ++ int dsize; + size = asc2unichar(sb, astr, len, &c); + astr += size; + len -= size; +--- a/fs/isofs/namei.c ++++ b/fs/isofs/namei.c +@@ -153,8 +153,8 @@ isofs_find_entry(struct inode *dir, stru + struct dentry *isofs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags) + { + int found; +- unsigned long uninitialized_var(block); +- unsigned long uninitialized_var(offset); ++ unsigned long block; ++ unsigned long offset; + struct inode *inode; + struct page *page; + +--- a/fs/jffs2/erase.c ++++ b/fs/jffs2/erase.c +@@ -401,7 +401,7 @@ static void jffs2_mark_erased_block(stru + { + size_t retlen; + int ret; +- uint32_t uninitialized_var(bad_offset); ++ uint32_t bad_offset; + + switch (jffs2_block_check_erase(c, jeb, &bad_offset)) { + case -EAGAIN: goto refile; +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -347,7 +347,7 @@ static ssize_t write_unlock_fs(struct fi + static ssize_t write_filehandle(struct file *file, char *buf, size_t size) + { + char *dname, *path; +- int uninitialized_var(maxsize); ++ int maxsize; + char *mesg = buf; + int len; + struct auth_domain *dom; +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -4722,7 +4722,7 @@ int ocfs2_insert_extent(handle_t *handle + struct ocfs2_alloc_context *meta_ac) + { + int status; +- int uninitialized_var(free_records); ++ int free_records; + struct buffer_head *last_eb_bh = NULL; + struct ocfs2_insert_type 
insert = {0, }; + struct ocfs2_extent_rec rec; +@@ -7052,7 +7052,7 @@ int ocfs2_convert_inline_data_to_extents + int need_free = 0; + u32 bit_off, num; + handle_t *handle; +- u64 uninitialized_var(block); ++ u64 block; + struct ocfs2_inode_info *oi = OCFS2_I(inode); + struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); + struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data; +--- a/fs/ocfs2/dir.c ++++ b/fs/ocfs2/dir.c +@@ -866,9 +866,9 @@ static int ocfs2_dx_dir_lookup(struct in + u64 *ret_phys_blkno) + { + int ret = 0; +- unsigned int cend, uninitialized_var(clen); +- u32 uninitialized_var(cpos); +- u64 uninitialized_var(blkno); ++ unsigned int cend, clen; ++ u32 cpos; ++ u64 blkno; + u32 name_hash = hinfo->major_hash; + + ret = ocfs2_dx_dir_lookup_rec(inode, el, name_hash, &cpos, &blkno, +@@ -912,7 +912,7 @@ static int ocfs2_dx_dir_search(const cha + struct ocfs2_dir_lookup_result *res) + { + int ret, i, found; +- u64 uninitialized_var(phys); ++ u64 phys; + struct buffer_head *dx_leaf_bh = NULL; + struct ocfs2_dx_leaf *dx_leaf; + struct ocfs2_dx_entry *dx_entry = NULL; +@@ -4420,9 +4420,9 @@ out: + int ocfs2_dx_dir_truncate(struct inode *dir, struct buffer_head *di_bh) + { + int ret; +- unsigned int uninitialized_var(clen); +- u32 major_hash = UINT_MAX, p_cpos, uninitialized_var(cpos); +- u64 uninitialized_var(blkno); ++ unsigned int clen; ++ u32 major_hash = UINT_MAX, p_cpos, cpos; ++ u64 blkno; + struct ocfs2_super *osb = OCFS2_SB(dir->i_sb); + struct buffer_head *dx_root_bh = NULL; + struct ocfs2_dx_root_block *dx_root; +--- a/fs/ocfs2/extent_map.c ++++ b/fs/ocfs2/extent_map.c +@@ -416,7 +416,7 @@ static int ocfs2_get_clusters_nocache(st + { + int i, ret, tree_height, len; + struct ocfs2_dinode *di; +- struct ocfs2_extent_block *uninitialized_var(eb); ++ struct ocfs2_extent_block *eb; + struct ocfs2_extent_list *el; + struct ocfs2_extent_rec *rec; + struct buffer_head *eb_bh = NULL; +@@ -613,7 +613,7 @@ int ocfs2_get_clusters(struct inode *ino + unsigned 
int *extent_flags) + { + int ret; +- unsigned int uninitialized_var(hole_len), flags = 0; ++ unsigned int hole_len, flags = 0; + struct buffer_head *di_bh = NULL; + struct ocfs2_extent_rec rec; + +--- a/fs/ocfs2/namei.c ++++ b/fs/ocfs2/namei.c +@@ -2506,7 +2506,7 @@ int ocfs2_create_inode_in_orphan(struct + struct buffer_head *new_di_bh = NULL; + struct ocfs2_alloc_context *inode_ac = NULL; + struct ocfs2_dir_lookup_result orphan_insert = { NULL, }; +- u64 uninitialized_var(di_blkno), suballoc_loc; ++ u64 di_blkno, suballoc_loc; + u16 suballoc_bit; + + status = ocfs2_inode_lock(dir, &parent_di_bh, 1); +--- a/fs/ocfs2/refcounttree.c ++++ b/fs/ocfs2/refcounttree.c +@@ -1069,7 +1069,7 @@ static int ocfs2_get_refcount_rec(struct + struct buffer_head **ret_bh) + { + int ret = 0, i, found; +- u32 low_cpos, uninitialized_var(cpos_end); ++ u32 low_cpos, cpos_end; + struct ocfs2_extent_list *el; + struct ocfs2_extent_rec *rec = NULL; + struct ocfs2_extent_block *eb = NULL; +--- a/fs/ocfs2/xattr.c ++++ b/fs/ocfs2/xattr.c +@@ -1219,7 +1219,7 @@ static int ocfs2_xattr_block_get(struct + struct ocfs2_xattr_value_root *xv; + size_t size; + int ret = -ENODATA, name_offset, name_len, i; +- int uninitialized_var(block_off); ++ int block_off; + + xs->bucket = ocfs2_xattr_bucket_new(inode); + if (!xs->bucket) { +--- a/fs/omfs/file.c ++++ b/fs/omfs/file.c +@@ -220,7 +220,7 @@ static int omfs_get_block(struct inode * + struct buffer_head *bh; + sector_t next, offset; + int ret; +- u64 uninitialized_var(new_block); ++ u64 new_block; + u32 max_extents; + int extent_count; + struct omfs_extent *oe; +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -713,7 +713,7 @@ static int ovl_copy_up_meta_inode_data(s + struct path upperpath, datapath; + int err; + char *capability = NULL; +- ssize_t uninitialized_var(cap_size); ++ ssize_t cap_size; + + ovl_path_upper(c->dentry, &upperpath); + if (WARN_ON(upperpath.dentry == NULL)) +--- a/fs/ubifs/commit.c ++++ b/fs/ubifs/commit.c +@@ 
-564,11 +564,11 @@ out: + */ + int dbg_check_old_index(struct ubifs_info *c, struct ubifs_zbranch *zroot) + { +- int lnum, offs, len, err = 0, uninitialized_var(last_level), child_cnt; ++ int lnum, offs, len, err = 0, last_level, child_cnt; + int first = 1, iip; + struct ubifs_debug_info *d = c->dbg; +- union ubifs_key uninitialized_var(lower_key), upper_key, l_key, u_key; +- unsigned long long uninitialized_var(last_sqnum); ++ union ubifs_key lower_key, upper_key, l_key, u_key; ++ unsigned long long last_sqnum; + struct ubifs_idx_node *idx; + struct list_head list; + struct idx_node *i; +--- a/fs/ubifs/dir.c ++++ b/fs/ubifs/dir.c +@@ -1294,7 +1294,7 @@ static int do_rename(struct inode *old_d + struct ubifs_budget_req ino_req = { .dirtied_ino = 1, + .dirtied_ino_d = ALIGN(old_inode_ui->data_len, 8) }; + struct timespec64 time; +- unsigned int uninitialized_var(saved_nlink); ++ unsigned int saved_nlink; + struct fscrypt_name old_nm, new_nm; + + /* +--- a/fs/ubifs/file.c ++++ b/fs/ubifs/file.c +@@ -234,7 +234,7 @@ static int write_begin_slow(struct addre + struct ubifs_info *c = inode->i_sb->s_fs_info; + pgoff_t index = pos >> PAGE_SHIFT; + struct ubifs_budget_req req = { .new_page = 1 }; +- int uninitialized_var(err), appending = !!(pos + len > inode->i_size); ++ int err, appending = !!(pos + len > inode->i_size); + struct page *page; + + dbg_gen("ino %lu, pos %llu, len %u, i_size %lld", +@@ -438,7 +438,7 @@ static int ubifs_write_begin(struct file + struct ubifs_info *c = inode->i_sb->s_fs_info; + struct ubifs_inode *ui = ubifs_inode(inode); + pgoff_t index = pos >> PAGE_SHIFT; +- int uninitialized_var(err), appending = !!(pos + len > inode->i_size); ++ int err, appending = !!(pos + len > inode->i_size); + int skipped_read = 0; + struct page *page; + +--- a/fs/ubifs/journal.c ++++ b/fs/ubifs/journal.c +@@ -1355,7 +1355,7 @@ int ubifs_jnl_truncate(struct ubifs_info + union ubifs_key key, to_key; + struct ubifs_ino_node *ino; + struct ubifs_trun_node *trun; +- 
struct ubifs_data_node *uninitialized_var(dn); ++ struct ubifs_data_node *dn; + int err, dlen, len, lnum, offs, bit, sz, sync = IS_SYNC(inode); + struct ubifs_inode *ui = ubifs_inode(inode); + ino_t inum = inode->i_ino; +--- a/fs/ubifs/lpt.c ++++ b/fs/ubifs/lpt.c +@@ -287,7 +287,7 @@ uint32_t ubifs_unpack_bits(const struct + const int k = 32 - nrbits; + uint8_t *p = *addr; + int b = *pos; +- uint32_t uninitialized_var(val); ++ uint32_t val; + const int bytes = (nrbits + b + 7) >> 3; + + ubifs_assert(c, nrbits > 0); +--- a/fs/ubifs/tnc.c ++++ b/fs/ubifs/tnc.c +@@ -936,7 +936,7 @@ static int fallible_resolve_collision(st + int adding) + { + struct ubifs_znode *o_znode = NULL, *znode = *zn; +- int uninitialized_var(o_n), err, cmp, unsure = 0, nn = *n; ++ int o_n, err, cmp, unsure = 0, nn = *n; + + cmp = fallible_matches_name(c, &znode->zbranch[nn], nm); + if (unlikely(cmp < 0)) +@@ -1558,8 +1558,8 @@ out: + */ + int ubifs_tnc_get_bu_keys(struct ubifs_info *c, struct bu_info *bu) + { +- int n, err = 0, lnum = -1, uninitialized_var(offs); +- int uninitialized_var(len); ++ int n, err = 0, lnum = -1, offs; ++ int len; + unsigned int block = key_block(c, &bu->key); + struct ubifs_znode *znode; + +--- a/fs/ubifs/tnc_misc.c ++++ b/fs/ubifs/tnc_misc.c +@@ -138,8 +138,8 @@ int ubifs_search_zbranch(const struct ub + const struct ubifs_znode *znode, + const union ubifs_key *key, int *n) + { +- int beg = 0, end = znode->child_cnt, uninitialized_var(mid); +- int uninitialized_var(cmp); ++ int beg = 0, end = znode->child_cnt, mid; ++ int cmp; + const struct ubifs_zbranch *zbr = &znode->zbranch[0]; + + ubifs_assert(c, end > beg); +--- a/fs/udf/balloc.c ++++ b/fs/udf/balloc.c +@@ -555,7 +555,7 @@ static udf_pblk_t udf_table_new_block(st + udf_pblk_t newblock = 0; + uint32_t adsize; + uint32_t elen, goal_elen = 0; +- struct kernel_lb_addr eloc, uninitialized_var(goal_eloc); ++ struct kernel_lb_addr eloc, goal_eloc; + struct extent_position epos, goal_epos; + int8_t etype; + struct 
udf_inode_info *iinfo = UDF_I(table); +--- a/fs/xfs/xfs_bmap_util.c ++++ b/fs/xfs/xfs_bmap_util.c +@@ -130,7 +130,7 @@ xfs_bmap_rtalloc( + * pick an extent that will space things out in the rt area. + */ + if (ap->eof && ap->offset == 0) { +- xfs_rtblock_t uninitialized_var(rtx); /* realtime extent no */ ++ xfs_rtblock_t rtx; /* realtime extent no */ + + error = xfs_rtpick_extent(mp, ap->tp, ralen, &rtx); + if (error) +--- a/kernel/async.c ++++ b/kernel/async.c +@@ -115,7 +115,7 @@ static void async_run_entry_fn(struct wo + struct async_entry *entry = + container_of(work, struct async_entry, work); + unsigned long flags; +- ktime_t uninitialized_var(calltime), delta, rettime; ++ ktime_t calltime, delta, rettime; + + /* 1) run (and print duration) */ + if (initcall_debug && system_state < SYSTEM_RUNNING) { +@@ -283,7 +283,7 @@ EXPORT_SYMBOL_GPL(async_synchronize_full + */ + void async_synchronize_cookie_domain(async_cookie_t cookie, struct async_domain *domain) + { +- ktime_t uninitialized_var(starttime), delta, endtime; ++ ktime_t starttime, delta, endtime; + + if (initcall_debug && system_state < SYSTEM_RUNNING) { + pr_debug("async_waiting @ %i\n", task_pid_nr(current)); +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -1796,7 +1796,7 @@ struct audit_buffer *audit_log_start(str + { + struct audit_buffer *ab; + struct timespec64 t; +- unsigned int uninitialized_var(serial); ++ unsigned int serial; + + if (audit_initialized != AUDIT_INITIALIZED) + return NULL; +--- a/kernel/dma/debug.c ++++ b/kernel/dma/debug.c +@@ -963,7 +963,7 @@ static int device_dma_allocations(struct + static int dma_debug_device_change(struct notifier_block *nb, unsigned long action, void *data) + { + struct device *dev = data; +- struct dma_debug_entry *uninitialized_var(entry); ++ struct dma_debug_entry *entry; + int count; + + if (dma_debug_disabled()) +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10575,7 +10575,7 @@ SYSCALL_DEFINE5(perf_event_open, + struct perf_event 
*group_leader = NULL, *output_event = NULL; + struct perf_event *event, *sibling; + struct perf_event_attr attr; +- struct perf_event_context *ctx, *uninitialized_var(gctx); ++ struct perf_event_context *ctx, *gctx; + struct file *event_file = NULL; + struct fd group = {NULL, 0}; + struct task_struct *task = NULL; +--- a/kernel/events/uprobes.c ++++ b/kernel/events/uprobes.c +@@ -1887,7 +1887,7 @@ static void handle_swbp(struct pt_regs * + { + struct uprobe *uprobe; + unsigned long bp_vaddr; +- int uninitialized_var(is_swbp); ++ int is_swbp; + + bp_vaddr = uprobe_get_swbp_addr(regs); + if (bp_vaddr == get_trampoline_vaddr()) +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -140,7 +140,7 @@ static void __exit_signal(struct task_st + struct signal_struct *sig = tsk->signal; + bool group_dead = thread_group_leader(tsk); + struct sighand_struct *sighand; +- struct tty_struct *uninitialized_var(tty); ++ struct tty_struct *tty; + u64 utime, stime; + + sighand = rcu_dereference_check(tsk->sighand, +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1398,7 +1398,7 @@ static int lookup_pi_state(u32 __user *u + static int lock_pi_update_atomic(u32 __user *uaddr, u32 uval, u32 newval) + { + int err; +- u32 uninitialized_var(curval); ++ u32 curval; + + if (unlikely(should_fail_futex(true))) + return -EFAULT; +@@ -1569,7 +1569,7 @@ static void mark_wake_futex(struct wake_ + */ + static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_pi_state *pi_state) + { +- u32 uninitialized_var(curval), newval; ++ u32 curval, newval; + struct task_struct *new_owner; + bool postunlock = false; + DEFINE_WAKE_Q(wake_q); +@@ -3083,7 +3083,7 @@ uaddr_faulted: + */ + static int futex_unlock_pi(u32 __user *uaddr, unsigned int flags) + { +- u32 uninitialized_var(curval), uval, vpid = task_pid_vnr(current); ++ u32 curval, uval, vpid = task_pid_vnr(current); + union futex_key key = FUTEX_KEY_INIT; + struct futex_hash_bucket *hb; + struct futex_q *top_waiter; +@@ -3558,7 +3558,7 @@ err_unlock: + 
static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr, + bool pi, bool pending_op) + { +- u32 uval, uninitialized_var(nval), mval; ++ u32 uval, nval, mval; + int err; + + /* Futex address must be 32bit aligned */ +@@ -3688,7 +3688,7 @@ static void exit_robust_list(struct task + struct robust_list_head __user *head = curr->robust_list; + struct robust_list __user *entry, *next_entry, *pending; + unsigned int limit = ROBUST_LIST_LIMIT, pi, pip; +- unsigned int uninitialized_var(next_pi); ++ unsigned int next_pi; + unsigned long futex_offset; + int rc; + +@@ -3987,7 +3987,7 @@ static void compat_exit_robust_list(stru + struct compat_robust_list_head __user *head = curr->compat_robust_list; + struct robust_list __user *entry, *next_entry, *pending; + unsigned int limit = ROBUST_LIST_LIMIT, pi, pip; +- unsigned int uninitialized_var(next_pi); ++ unsigned int next_pi; + compat_uptr_t uentry, next_uentry, upending; + compat_long_t futex_offset; + int rc; +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -1246,7 +1246,7 @@ static int noop_count(struct lock_list * + static unsigned long __lockdep_count_forward_deps(struct lock_list *this) + { + unsigned long count = 0; +- struct lock_list *uninitialized_var(target_entry); ++ struct lock_list *target_entry; + + __bfs_forwards(this, (void *)&count, noop_count, &target_entry); + +@@ -1274,7 +1274,7 @@ unsigned long lockdep_count_forward_deps + static unsigned long __lockdep_count_backward_deps(struct lock_list *this) + { + unsigned long count = 0; +- struct lock_list *uninitialized_var(target_entry); ++ struct lock_list *target_entry; + + __bfs_backwards(this, (void *)&count, noop_count, &target_entry); + +@@ -2662,7 +2662,7 @@ check_usage_backwards(struct task_struct + { + int ret; + struct lock_list root; +- struct lock_list *uninitialized_var(target_entry); ++ struct lock_list *target_entry; + + root.parent = NULL; + root.class = hlock_class(this); +--- a/kernel/trace/ring_buffer.c ++++ 
b/kernel/trace/ring_buffer.c +@@ -561,7 +561,7 @@ static void rb_wake_up_waiters(struct ir + */ + int ring_buffer_wait(struct ring_buffer *buffer, int cpu, bool full) + { +- struct ring_buffer_per_cpu *uninitialized_var(cpu_buffer); ++ struct ring_buffer_per_cpu *cpu_buffer; + DEFINE_WAIT(wait); + struct rb_irq_work *work; + int ret = 0; +--- a/lib/radix-tree.c ++++ b/lib/radix-tree.c +@@ -1498,7 +1498,7 @@ void *radix_tree_tag_clear(struct radix_ + { + struct radix_tree_node *node, *parent; + unsigned long maxindex; +- int uninitialized_var(offset); ++ int offset; + + radix_tree_load_root(root, &node, &maxindex); + if (index > maxindex) +--- a/mm/frontswap.c ++++ b/mm/frontswap.c +@@ -447,7 +447,7 @@ static int __frontswap_shrink(unsigned l + void frontswap_shrink(unsigned long target_pages) + { + unsigned long pages_to_unuse = 0; +- int uninitialized_var(type), ret; ++ int type, ret; + + /* + * we don't want to hold swap_lock while doing a very +--- a/mm/ksm.c ++++ b/mm/ksm.c +@@ -2381,7 +2381,7 @@ next_mm: + static void ksm_do_scan(unsigned int scan_npages) + { + struct rmap_item *rmap_item; +- struct page *uninitialized_var(page); ++ struct page *page; + + while (scan_npages-- && likely(!freezing(current))) { + cond_resched(); +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -919,7 +919,7 @@ struct mem_cgroup *mem_cgroup_iter(struc + struct mem_cgroup *prev, + struct mem_cgroup_reclaim_cookie *reclaim) + { +- struct mem_cgroup_reclaim_iter *uninitialized_var(iter); ++ struct mem_cgroup_reclaim_iter *iter; + struct cgroup_subsys_state *css = NULL; + struct mem_cgroup *memcg = NULL; + struct mem_cgroup *pos = NULL; +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -1147,7 +1147,7 @@ int do_migrate_pages(struct mm_struct *m + static struct page *new_page(struct page *page, unsigned long start) + { + struct vm_area_struct *vma; +- unsigned long uninitialized_var(address); ++ unsigned long address; + + vma = find_vma(current->mm, start); + while (vma) { +@@ -1545,7 
+1545,7 @@ static int kernel_get_mempolicy(int __us + unsigned long flags) + { + int err; +- int uninitialized_var(pval); ++ int pval; + nodemask_t nodes; + + if (nmask != NULL && maxnode < nr_node_ids) +--- a/mm/percpu.c ++++ b/mm/percpu.c +@@ -2283,7 +2283,7 @@ static struct pcpu_alloc_info * __init p + const size_t static_size = __per_cpu_end - __per_cpu_start; + int nr_groups = 1, nr_units = 0; + size_t size_sum, min_unit_size, alloc_size; +- int upa, max_upa, uninitialized_var(best_upa); /* units_per_alloc */ ++ int upa, max_upa, best_upa; /* units_per_alloc */ + int last_allocs, group, unit; + unsigned int cpu, tcpu; + struct pcpu_alloc_info *ai; +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -1179,7 +1179,7 @@ static noinline int free_debug_processin + struct kmem_cache_node *n = get_node(s, page_to_nid(page)); + void *object = head; + int cnt = 0; +- unsigned long uninitialized_var(flags); ++ unsigned long flags; + int ret = 0; + + spin_lock_irqsave(&n->list_lock, flags); +@@ -2826,7 +2826,7 @@ static void __slab_free(struct kmem_cach + struct page new; + unsigned long counters; + struct kmem_cache_node *n = NULL; +- unsigned long uninitialized_var(flags); ++ unsigned long flags; + + stat(s, FREE_SLOWPATH); + +--- a/mm/swap.c ++++ b/mm/swap.c +@@ -721,8 +721,8 @@ void release_pages(struct page **pages, + LIST_HEAD(pages_to_free); + struct pglist_data *locked_pgdat = NULL; + struct lruvec *lruvec; +- unsigned long uninitialized_var(flags); +- unsigned int uninitialized_var(lock_batch); ++ unsigned long flags; ++ unsigned int lock_batch; + + for (i = 0; i < nr; i++) { + struct page *page = pages[i]; +--- a/net/dccp/options.c ++++ b/net/dccp/options.c +@@ -60,7 +60,7 @@ int dccp_parse_options(struct sock *sk, + (dh->dccph_doff * 4); + struct dccp_options_received *opt_recv = &dp->dccps_options_received; + unsigned char opt, len; +- unsigned char *uninitialized_var(value); ++ unsigned char *value; + u32 elapsed_time; + __be32 opt_val; + int rc; +--- 
a/net/ipv4/netfilter/nf_socket_ipv4.c ++++ b/net/ipv4/netfilter/nf_socket_ipv4.c +@@ -96,11 +96,11 @@ nf_socket_get_sock_v4(struct net *net, s + struct sock *nf_sk_lookup_slow_v4(struct net *net, const struct sk_buff *skb, + const struct net_device *indev) + { +- __be32 uninitialized_var(daddr), uninitialized_var(saddr); +- __be16 uninitialized_var(dport), uninitialized_var(sport); ++ __be32 daddr, saddr; ++ __be16 dport, sport; + const struct iphdr *iph = ip_hdr(skb); + struct sk_buff *data_skb = NULL; +- u8 uninitialized_var(protocol); ++ u8 protocol; + #if IS_ENABLED(CONFIG_NF_CONNTRACK) + enum ip_conntrack_info ctinfo; + struct nf_conn const *ct; +--- a/net/ipv6/ip6_flowlabel.c ++++ b/net/ipv6/ip6_flowlabel.c +@@ -518,7 +518,7 @@ int ipv6_flowlabel_opt_get(struct sock * + + int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen) + { +- int uninitialized_var(err); ++ int err; + struct net *net = sock_net(sk); + struct ipv6_pinfo *np = inet6_sk(sk); + struct in6_flowlabel_req freq; +--- a/net/ipv6/netfilter/nf_socket_ipv6.c ++++ b/net/ipv6/netfilter/nf_socket_ipv6.c +@@ -102,7 +102,7 @@ nf_socket_get_sock_v6(struct net *net, s + struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb, + const struct net_device *indev) + { +- __be16 uninitialized_var(dport), uninitialized_var(sport); ++ __be16 dport, sport; + const struct in6_addr *daddr = NULL, *saddr = NULL; + struct ipv6hdr *iph = ipv6_hdr(skb), ipv6_var; + struct sk_buff *data_skb = NULL; +--- a/net/netfilter/nf_conntrack_ftp.c ++++ b/net/netfilter/nf_conntrack_ftp.c +@@ -383,7 +383,7 @@ static int help(struct sk_buff *skb, + int ret; + u32 seq; + int dir = CTINFO2DIR(ctinfo); +- unsigned int uninitialized_var(matchlen), uninitialized_var(matchoff); ++ unsigned int matchlen, matchoff; + struct nf_ct_ftp_master *ct_ftp_info = nfct_help_data(ct); + struct nf_conntrack_expect *exp; + union nf_inet_addr *daddr; +--- a/net/netfilter/nfnetlink_log.c ++++ 
b/net/netfilter/nfnetlink_log.c +@@ -637,7 +637,7 @@ nfulnl_log_packet(struct net *net, + struct nfnl_log_net *log = nfnl_log_pernet(net); + const struct nfnl_ct_hook *nfnl_ct = NULL; + struct nf_conn *ct = NULL; +- enum ip_conntrack_info uninitialized_var(ctinfo); ++ enum ip_conntrack_info ctinfo; + + if (li_user && li_user->type == NF_LOG_TYPE_ULOG) + li = li_user; +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -392,7 +392,7 @@ nfqnl_build_packet_message(struct net *n + struct net_device *indev; + struct net_device *outdev; + struct nf_conn *ct = NULL; +- enum ip_conntrack_info uninitialized_var(ctinfo); ++ enum ip_conntrack_info ctinfo; + struct nfnl_ct_hook *nfnl_ct; + bool csum_verify; + char *secdata = NULL; +@@ -1191,7 +1191,7 @@ static int nfqnl_recv_verdict(struct net + struct nfqnl_instance *queue; + unsigned int verdict; + struct nf_queue_entry *entry; +- enum ip_conntrack_info uninitialized_var(ctinfo); ++ enum ip_conntrack_info ctinfo; + struct nfnl_ct_hook *nfnl_ct; + struct nf_conn *ct = NULL; + struct nfnl_queue_net *q = nfnl_queue_pernet(net); +--- a/net/sched/cls_flow.c ++++ b/net/sched/cls_flow.c +@@ -229,7 +229,7 @@ static u32 flow_get_skgid(const struct s + + static u32 flow_get_vlan_tag(const struct sk_buff *skb) + { +- u16 uninitialized_var(tag); ++ u16 tag; + + if (vlan_get_tag(skb, &tag) < 0) + return 0; +--- a/net/sched/sch_cake.c ++++ b/net/sched/sch_cake.c +@@ -1649,7 +1649,7 @@ static s32 cake_enqueue(struct sk_buff * + { + struct cake_sched_data *q = qdisc_priv(sch); + int len = qdisc_pkt_len(skb); +- int uninitialized_var(ret); ++ int ret; + struct sk_buff *ack = NULL; + ktime_t now = ktime_get(); + struct cake_tin_data *b; +--- a/net/sched/sch_cbq.c ++++ b/net/sched/sch_cbq.c +@@ -365,7 +365,7 @@ cbq_enqueue(struct sk_buff *skb, struct + struct sk_buff **to_free) + { + struct cbq_sched_data *q = qdisc_priv(sch); +- int uninitialized_var(ret); ++ int ret; + struct cbq_class *cl = cbq_classify(skb, 
sch, &ret); + + #ifdef CONFIG_NET_CLS_ACT +--- a/net/sched/sch_fq_codel.c ++++ b/net/sched/sch_fq_codel.c +@@ -192,7 +192,7 @@ static int fq_codel_enqueue(struct sk_bu + struct fq_codel_sched_data *q = qdisc_priv(sch); + unsigned int idx, prev_backlog, prev_qlen; + struct fq_codel_flow *flow; +- int uninitialized_var(ret); ++ int ret; + unsigned int pkt_len; + bool memory_limited; + +--- a/net/sched/sch_sfq.c ++++ b/net/sched/sch_sfq.c +@@ -353,7 +353,7 @@ sfq_enqueue(struct sk_buff *skb, struct + unsigned int hash, dropped; + sfq_index x, qlen; + struct sfq_slot *slot; +- int uninitialized_var(ret); ++ int ret; + struct sk_buff *head; + int delta; + +--- a/sound/core/control_compat.c ++++ b/sound/core/control_compat.c +@@ -236,7 +236,7 @@ static int copy_ctl_value_from_user(stru + { + struct snd_ctl_elem_value32 __user *data32 = userdata; + int i, type, size; +- int uninitialized_var(count); ++ int count; + unsigned int indirect; + + if (copy_from_user(&data->id, &data32->id, sizeof(data->id))) +--- a/sound/isa/sb/sb16_csp.c ++++ b/sound/isa/sb/sb16_csp.c +@@ -116,7 +116,7 @@ static void info_read(struct snd_info_en + int snd_sb_csp_new(struct snd_sb *chip, int device, struct snd_hwdep ** rhwdep) + { + struct snd_sb_csp *p; +- int uninitialized_var(version); ++ int version; + int err; + struct snd_hwdep *hw; + +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -324,7 +324,7 @@ static void queue_pending_output_urbs(st + while (test_bit(EP_FLAG_RUNNING, &ep->flags)) { + + unsigned long flags; +- struct snd_usb_packet_info *uninitialized_var(packet); ++ struct snd_usb_packet_info *packet; + struct snd_urb_ctx *ctx = NULL; + int err, i; + diff --git a/tmp-4.19/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch b/tmp-4.19/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch new file mode 100644 index 00000000000..c25ee1b0cf2 --- /dev/null 
+++ b/tmp-4.19/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch
@@ -0,0 +1,40 @@
+From a9c09546e903f1068acfa38e1ee18bded7114b37 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Sat, 10 Jun 2023 17:59:25 +0200
+Subject: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error
+
+From: Christophe JAILLET
+
+commit a9c09546e903f1068acfa38e1ee18bded7114b37 upstream.
+
+If clk_get_rate() fails, the clk that has just been allocated needs to be
+freed.
+
+Cc: # v3.3+
+Reviewed-by: Krzysztof Kozlowski
+Reviewed-by: Andi Shyti
+Fixes: 5f5a7a5578c5 ("serial: samsung: switch to clkdev based clock lookup")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Jiri Slaby
+Message-ID:
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/samsung.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -1199,8 +1199,12 @@ static unsigned int s3c24xx_serial_getcl
+ continue;
+
+ rate = clk_get_rate(clk);
+- if (!rate)
++ if (!rate) {
++ dev_err(ourport->port.dev,
++ "Failed to get clock rate for %s.\n", clkname);
++ clk_put(clk);
+ continue;
++ }
+
+ if (ourport->info->has_divslot) {
+ unsigned long div = rate / req_baud;
diff --git a/tmp-4.19/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch b/tmp-4.19/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch
new file mode 100644
index 00000000000..7c7198883ca
--- /dev/null
+++ b/tmp-4.19/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch
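Review bot: The added `dev_err()` sits inside the clock-candidate loop, so every candidate whose rate reads back as zero is logged at error level even when a later candidate turns out to be usable. `dev_dbg(ourport->port.dev, "Failed to get clock rate for %s.\n", clkname);` or `dev_err_ratelimited()` would keep the diagnostic without filling the log on each call. The loop header and the acquisition that pairs with the new `clk_put(clk)` are outside the hunk, so the pairing is taken from the commit message rather than checked against the code.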
@@ -0,0 +1,48 @@
+From 832e231cff476102e8204a9e7bddfe5c6154a375 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Sat, 10 Jun 2023 17:59:26 +0200
+Subject: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk
+
+From: Christophe JAILLET
+
+commit 832e231cff476102e8204a9e7bddfe5c6154a375 upstream.
+
+When the best clk is searched, we iterate over all possible clk.
+
+If we find a better match, the previous one, if any, needs to be freed.
+If a better match has already been found, we still need to free the new
+one, otherwise it leaks.
+
+Cc: # v3.3+
+Reviewed-by: Krzysztof Kozlowski
+Reviewed-by: Andi Shyti
+Fixes: 5f5a7a5578c5 ("serial: samsung: switch to clkdev based clock lookup")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Jiri Slaby
+Message-ID:
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/samsung.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -1230,10 +1230,18 @@ static unsigned int s3c24xx_serial_getcl
+ calc_deviation = -calc_deviation;
+
+ if (calc_deviation < deviation) {
++ /*
++ * If we find a better clk, release the previous one, if
++ * any.
++ */
++ if (!IS_ERR(*best_clk))
++ clk_put(*best_clk);
+ *best_clk = clk;
+ best_quot = quot;
+ *clk_num = cnt;
+ deviation = calc_deviation;
++ } else {
++ clk_put(clk);
+ }
+ }
+
diff --git a/tmp-4.19/udp6-fix-udp6_ehashfn-typo.patch b/tmp-4.19/udp6-fix-udp6_ehashfn-typo.patch
new file mode 100644
index 00000000000..83cd000c763
--- /dev/null
+++ b/tmp-4.19/udp6-fix-udp6_ehashfn-typo.patch
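Review bot: The new `if (!IS_ERR(*best_clk)) clk_put(*best_clk);` is only safe when the caller has stored an error pointer in `*best_clk` before the first iteration rather than leaving it uninitialised, and nothing in the hunk states or enforces that. I would extend the added comment with the contract, for example `* Callers must initialise *best_clk to an ERR_PTR() value.`, or set it at the top of the function if that is where the contract belongs. The start of `s3c24xx_serial_getclk()` and its callers are outside the hunk, so the current initialisation could not be checked here.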
@@ -0,0 +1,40 @@
+From dd4780f2e582e32ee8f5c8c08d03b8b73e369d5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 8 Jul 2023 08:29:58 +0000
+Subject: udp6: fix udp6_ehashfn() typo
+
+From: Eric Dumazet
+
+[ Upstream commit 51d03e2f2203e76ed02d33fb5ffbb5fc85ffaf54 ]
+
+Amit Klein reported that udp6_ehash_secret was initialized but never used.
+
+Fixes: 1bbdceef1e53 ("inet: convert inet_ehash_secret and ipv6_hash_secret to net_get_random_once")
+Reported-by: Amit Klein
+Signed-off-by: Eric Dumazet
+Cc: Willy Tarreau
+Cc: Willem de Bruijn
+Cc: David Ahern
+Cc: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/udp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 9274603514e54..cf0bbe2e3a79f 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -99,7 +99,7 @@ static u32 udp6_ehashfn(const struct net *net,
+ fhash = __ipv6_addr_jhash(faddr, udp_ipv6_hash_secret);
+
+ return __inet6_ehashfn(lhash, lport, fhash, fport,
+- udp_ipv6_hash_secret + net_hash_mix(net));
++ udp6_ehash_secret + net_hash_mix(net));
+ }
+
+ int udp_v6_get_port(struct sock *sk, unsigned short snum)
+--
+2.39.2
+
diff --git a/tmp-4.19/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch b/tmp-4.19/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch
new file mode 100644
index 00000000000..d4f38580ba4
--- /dev/null
+++ b/tmp-4.19/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch
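Review bot: Nothing in `udp6_ehashfn()` says why two similarly named secrets are involved, which is how the final mix came to be keyed with `udp_ipv6_hash_secret` a second time while `udp6_ehash_secret` went unused. A short comment above the return, such as `/* addresses are hashed with udp_ipv6_hash_secret, the final mix uses udp6_ehash_secret */`, would make a repeat of the typo easier to catch in review. The seeding of both secrets is outside the hunk; since `udp6_ehash_secret` now feeds the socket hash, it is worth confirming it is initialised before this return on every path.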
@@ -0,0 +1,43 @@
+From a73ed729a0242b99c1c9a5c6e71a75e01fff18e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Apr 2023 22:08:31 +0800
+Subject: usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe()
+
+From: Li Yang
+
+[ Upstream commit 342161c11403ea00e9febc16baab1d883d589d04 ]
+
+Smatch reports:
+drivers/usb/phy/phy-tahvo.c: tahvo_usb_probe()
+warn: missing unwind goto?
+
+After geting irq, if ret < 0, it will return without error handling to
+free memory.
+Just add error handling to fix this problem.
+
+Fixes: 0d45a1373e66 ("usb: phy: tahvo: add IRQ check")
+Signed-off-by: Li Yang
+Reviewed-by: Dongliang Mu
+Link: https://lore.kernel.org/r/20230420140832.9110-1-lidaxian@hust.edu.cn
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/phy/phy-tahvo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/phy/phy-tahvo.c b/drivers/usb/phy/phy-tahvo.c
+index 60d390e28289f..2923a7f6952dc 100644
+--- a/drivers/usb/phy/phy-tahvo.c
++++ b/drivers/usb/phy/phy-tahvo.c
+@@ -398,7 +398,7 @@ static int tahvo_usb_probe(struct platform_device *pdev)
+
+ tu->irq = ret = platform_get_irq(pdev, 0);
+ if (ret < 0)
+- return ret;
++ goto err_remove_phy;
+ ret = request_threaded_irq(tu->irq, NULL, tahvo_usb_vbus_interrupt,
+ IRQF_ONESHOT,
+ "tahvo-vbus", tu);
+--
+2.39.2
+
diff --git a/tmp-4.19/usb-serial-option-add-lara-r6-01b-pids.patch b/tmp-4.19/usb-serial-option-add-lara-r6-01b-pids.patch
new file mode 100644
index 00000000000..2e014e97597
--- /dev/null
+++ b/tmp-4.19/usb-serial-option-add-lara-r6-01b-pids.patch
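Review bot: `tu->irq = ret = platform_get_irq(pdev, 0);` stores the negative errno in `tu->irq` before the check, and the failure path now continues into `err_remove_phy` instead of returning, so any cleanup that reads `tu->irq` would see an error code rather than an IRQ number. Assigning only after the check avoids that: `ret = platform_get_irq(pdev, 0);`, `if (ret < 0) goto err_remove_phy;`, `tu->irq = ret;`. The `err_remove_phy` label and the rest of `tahvo_usb_probe()` are outside the hunk, so whether the label touches `tu->irq` could not be checked here.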
@@ -0,0 +1,65 @@ +From ffa5f7a3bf28c1306eef85d4056539c2d4b8eb09 Mon Sep 17 00:00:00 2001 +From: Davide Tronchin +Date: Thu, 22 Jun 2023 11:29:21 +0200 +Subject: USB: serial: option: add LARA-R6 01B PIDs + +From: Davide Tronchin + +commit ffa5f7a3bf28c1306eef85d4056539c2d4b8eb09 upstream. + +The new LARA-R6 product variant identified by the "01B" string can be +configured (by AT interface) in three different USB modes: + +* Default mode (Vendor ID: 0x1546 Product ID: 0x1311) with 4 serial +interfaces + +* RmNet mode (Vendor ID: 0x1546 Product ID: 0x1312) with 4 serial +interfaces and 1 RmNet virtual network interface + +* CDC-ECM mode (Vendor ID: 0x1546 Product ID: 0x1313) with 4 serial +interface and 1 CDC-ECM virtual network interface +The first 4 interfaces of all the 3 USB configurations (default, RmNet, +CDC-ECM) are the same. + +In default mode LARA-R6 01B exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions + +In RmNet mode LARA-R6 01B exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions +If 4: RMNET interface + +In CDC-ECM mode LARA-R6 01B exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions +If 4: CDC-ECM interface + +Signed-off-by: Davide Tronchin +Link: https://lore.kernel.org/r/20230622092921.12651-1-davide.tronchin.94@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1151,6 +1151,10 @@ static const struct usb_device_id option + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa), + .driver_info = RSVD(3) }, + /* u-blox products */ ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1311) }, /* u-blox LARA-R6 01B */ ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1312), /* u-blox 
LARA-R6 01B (RMNET) */ ++ .driver_info = RSVD(4) }, ++ { USB_DEVICE_INTERFACE_CLASS(UBLOX_VENDOR_ID, 0x1313, 0xff) }, /* u-blox LARA-R6 01B (ECM) */ + { USB_DEVICE(UBLOX_VENDOR_ID, 0x1341) }, /* u-blox LARA-L6 */ + { USB_DEVICE(UBLOX_VENDOR_ID, 0x1342), /* u-blox LARA-L6 (RMNET) */ + .driver_info = RSVD(4) }, diff --git a/tmp-4.19/video-imsttfb-check-for-ioremap-failures.patch b/tmp-4.19/video-imsttfb-check-for-ioremap-failures.patch new file mode 100644 index 00000000000..89a1c7cc0f3 --- /dev/null +++ b/tmp-4.19/video-imsttfb-check-for-ioremap-failures.patch 
@@ -0,0 +1,78 @@ +From 13b7c0390a5d3840e1e2cda8f44a310fdbb982de Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 3 May 2021 13:57:34 +0200 +Subject: video: imsttfb: check for ioremap() failures + +From: Greg Kroah-Hartman + +commit 13b7c0390a5d3840e1e2cda8f44a310fdbb982de upstream. + +We should check if ioremap() were to somehow fail in imsttfb_probe() and +handle the unwinding of the resources allocated here properly. + +Ideally if anyone cares about this driver (it's for a PowerMac era PCI +display card), they wouldn't even be using fbdev anymore. Or the devm_* +apis could be used, but that's just extra work for diminishing +returns... + +Cc: Finn Thain +Cc: Bartlomiej Zolnierkiewicz +Reviewed-by: Rob Herring +Link: https://lore.kernel.org/r/20210503115736.2104747-68-gregkh@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/imsttfb.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/video/fbdev/imsttfb.c ++++ b/drivers/video/fbdev/imsttfb.c +@@ -1470,6 +1470,7 @@ static int imsttfb_probe(struct pci_dev + struct imstt_par *par; + struct fb_info *info; + struct device_node *dp; ++ int ret = -ENOMEM; + + dp = pci_device_to_OF_node(pdev); + if(dp) +@@ -1508,23 +1509,37 @@ static int imsttfb_probe(struct pci_dev + default: + printk(KERN_INFO "imsttfb: Device 0x%x unknown, " + "contact maintainer.\n", pdev->device); +- release_mem_region(addr, size); +- framebuffer_release(info); +- return -ENODEV; ++ ret = -ENODEV; ++ goto error; + } + + info->fix.smem_start = addr; + info->screen_base = (__u8 *)ioremap(addr, par->ramdac == IBM ? 
+ 0x400000 : 0x800000); ++ if (!info->screen_base) ++ goto error; + info->fix.mmio_start = addr + 0x800000; + par->dc_regs = ioremap(addr + 0x800000, 0x1000); ++ if (!par->dc_regs) ++ goto error; + par->cmap_regs_phys = addr + 0x840000; + par->cmap_regs = (__u8 *)ioremap(addr + 0x840000, 0x1000); ++ if (!par->cmap_regs) ++ goto error; + info->pseudo_palette = par->palette; + init_imstt(info); + + pci_set_drvdata(pdev, info); + return 0; ++ ++error: ++ if (par->dc_regs) ++ iounmap(par->dc_regs); ++ if (info->screen_base) ++ iounmap(info->screen_base); ++ release_mem_region(addr, size); ++ framebuffer_release(info); ++ return ret; + } + + static void imsttfb_remove(struct pci_dev *pdev) diff --git a/tmp-4.19/vrf-increment-icmp6inmsgs-on-the-original-netdev.patch b/tmp-4.19/vrf-increment-icmp6inmsgs-on-the-original-netdev.patch new file mode 100644 index 00000000000..fd7f5edd549 --- /dev/null +++ b/tmp-4.19/vrf-increment-icmp6inmsgs-on-the-original-netdev.patch 
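Review bot: The new `error:` label in imsttfb_probe() is also the target of the `default:` case of the switch, where `par->dc_regs` and `info->screen_base` have not been assigned yet, so the `if (par->dc_regs)` / `if (info->screen_base)` tests are only meaningful if the allocation of `info` zero-fills both structures. That allocation sits above the hunk; if it does, a comment at the label such as `/* info and par are zero-filled at allocation, so unmapped regions are NULL here */` would record the dependency. The call `init_imstt(info);` is left as it was, with no result checked before `pci_set_drvdata()` and `return 0`, so any failure inside it (its body is not shown) bypasses the new unwinding entirely.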
@@ -0,0 +1,127 @@ +From ca9b3ac6d3bbb8860c544487324e18a6481a20d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jun 2019 10:32:50 -0400 +Subject: vrf: Increment Icmp6InMsgs on the original netdev + +From: Stephen Suryaputra + +[ Upstream commit e1ae5c2ea4783b1fd87be250f9fcc9d9e1a6ba3f ] + +Get the ingress interface and increment ICMP counters based on that +instead of skb->dev when the the dev is a VRF device. + +This is a follow up on the following message: +https://www.spinics.net/lists/netdev/msg560268.html + +v2: Avoid changing skb->dev since it has unintended effect for local + delivery (David Ahern). +Signed-off-by: Stephen Suryaputra +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Stable-dep-of: 2aaa8a15de73 ("icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().") +Signed-off-by: Sasha Levin +--- + include/net/addrconf.h | 16 ++++++++++++++++ + net/ipv6/icmp.c | 17 +++++++++++------ + net/ipv6/reassembly.c | 4 ++-- + 3 files changed, 29 insertions(+), 8 deletions(-) + +diff --git a/include/net/addrconf.h b/include/net/addrconf.h +index db2a87981dd46..9583d3bbab039 100644 +--- a/include/net/addrconf.h ++++ b/include/net/addrconf.h +@@ -340,6 +340,22 @@ static inline struct inet6_dev *__in6_dev_get(const struct net_device *dev) + return rcu_dereference_rtnl(dev->ip6_ptr); + } + ++/** ++ * __in6_dev_stats_get - get inet6_dev pointer for stats ++ * @dev: network device ++ * @skb: skb for original incoming interface if neeeded ++ * ++ * Caller must hold rcu_read_lock or RTNL, because this function ++ * does not take a reference on the inet6_dev. 
++ */ ++static inline struct inet6_dev *__in6_dev_stats_get(const struct net_device *dev, ++ const struct sk_buff *skb) ++{ ++ if (netif_is_l3_master(dev)) ++ dev = dev_get_by_index_rcu(dev_net(dev), inet6_iif(skb)); ++ return __in6_dev_get(dev); ++} ++ + /** + * __in6_dev_get_safely - get inet6_dev pointer from netdevice + * @dev: network device +diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c +index fbc8746371b6d..1b86a2e03d049 100644 +--- a/net/ipv6/icmp.c ++++ b/net/ipv6/icmp.c +@@ -395,23 +395,28 @@ static struct dst_entry *icmpv6_route_lookup(struct net *net, + return ERR_PTR(err); + } + +-static int icmp6_iif(const struct sk_buff *skb) ++static struct net_device *icmp6_dev(const struct sk_buff *skb) + { +- int iif = skb->dev->ifindex; ++ struct net_device *dev = skb->dev; + + /* for local traffic to local address, skb dev is the loopback + * device. Check if there is a dst attached to the skb and if so + * get the real device index. Same is needed for replies to a link + * local address on a device enslaved to an L3 master device + */ +- if (unlikely(iif == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) { ++ if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) { + const struct rt6_info *rt6 = skb_rt6_info(skb); + + if (rt6) +- iif = rt6->rt6i_idev->dev->ifindex; ++ dev = rt6->rt6i_idev->dev; + } + +- return iif; ++ return dev; ++} ++ ++static int icmp6_iif(const struct sk_buff *skb) ++{ ++ return icmp6_dev(skb)->ifindex; + } + + /* +@@ -800,7 +805,7 @@ void icmpv6_notify(struct sk_buff *skb, u8 type, u8 code, __be32 info) + static int icmpv6_rcv(struct sk_buff *skb) + { + struct net *net = dev_net(skb->dev); +- struct net_device *dev = skb->dev; ++ struct net_device *dev = icmp6_dev(skb); + struct inet6_dev *idev = __in6_dev_get(dev); + const struct in6_addr *saddr, *daddr; + struct icmp6hdr *hdr; +diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c +index 60dfd0d118512..b596727f04978 100644 +--- a/net/ipv6/reassembly.c 
++++ b/net/ipv6/reassembly.c +@@ -302,7 +302,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb, + skb_network_header_len(skb)); + + rcu_read_lock(); +- __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMOKS); ++ __IP6_INC_STATS(net, __in6_dev_stats_get(dev, skb), IPSTATS_MIB_REASMOKS); + rcu_read_unlock(); + fq->q.fragments = NULL; + fq->q.rb_fragments = RB_ROOT; +@@ -317,7 +317,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *skb, + net_dbg_ratelimited("ip6_frag_reasm: no memory for reassembly\n"); + out_fail: + rcu_read_lock(); +- __IP6_INC_STATS(net, __in6_dev_get(dev), IPSTATS_MIB_REASMFAILS); ++ __IP6_INC_STATS(net, __in6_dev_stats_get(dev, skb), IPSTATS_MIB_REASMFAILS); + rcu_read_unlock(); + inet_frag_kill(&fq->q); + return -1; +-- +2.39.2 + diff --git a/tmp-4.19/w1-fix-loop-in-w1_fini.patch b/tmp-4.19/w1-fix-loop-in-w1_fini.patch new file mode 100644 index 00000000000..eee3b608e92 --- /dev/null +++ b/tmp-4.19/w1-fix-loop-in-w1_fini.patch 
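Review bot: In the new `__in6_dev_stats_get()` helper in include/net/addrconf.h, the result of `dev_get_by_index_rcu()` is passed straight to `__in6_dev_get()`, which the context line just above it shows dereferencing `dev->ip6_ptr`; a lookup that finds no device for `inet6_iif(skb)` would therefore be a NULL dereference in the reassembly statistics path. A guard between the two lines, `if (!dev) return NULL;`, would close that, provided the `__IP6_INC_STATS` call sites in net/ipv6/reassembly.c tolerate a NULL idev (the macro is not shown here). The `rt6->rt6i_idev->dev` chain in `icmp6_dev()` is a similar unchecked pointer walk, which the `Stable-dep-of:` trailer suggests is handled by the follow-up commit named there. The kernel-doc for the helper also carries a typo, `neeeded`.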
@@ -0,0 +1,43 @@ +From 7fab2a6bde29ee9a8cf5b2eea008b078d8e3aac2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 May 2021 17:17:45 +0300 +Subject: w1: fix loop in w1_fini() + +From: Dan Carpenter + +[ Upstream commit 83f3fcf96fcc7e5405b37d9424c7ef26bfa203f8 ] + +The __w1_remove_master_device() function calls: + + list_del(&dev->w1_master_entry); + +So presumably this can cause an endless loop. + +Fixes: 7785925dd8e0 ("[PATCH] w1: cleanups.") +Signed-off-by: Dan Carpenter +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/w1/w1.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c +index cb3650efc29cd..8db9ca241d99c 100644 +--- a/drivers/w1/w1.c ++++ b/drivers/w1/w1.c +@@ -1237,10 +1237,10 @@ static int __init w1_init(void) + + static void __exit w1_fini(void) + { +- struct w1_master *dev; ++ struct w1_master *dev, *n; + + /* Set netlink removal messages and some cleanup */ +- list_for_each_entry(dev, &w1_masters, w1_master_entry) ++ list_for_each_entry_safe(dev, n, &w1_masters, w1_master_entry) + __w1_remove_master_device(dev); + + w1_fini_netlink(); +-- +2.39.2 + diff --git a/tmp-4.19/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch b/tmp-4.19/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch new file mode 100644 index 00000000000..dc4e15c9859 --- /dev/null +++ b/tmp-4.19/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch 
@@ -0,0 +1,89 @@ +From 0c282f6c0842390de9ae2a22490760732c735d15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 10:18:25 -0700 +Subject: watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on + correct config + +From: Douglas Anderson + +[ Upstream commit 5e008df11c55228a86a1bae692cc2002503572c9 ] + +Patch series "watchdog/hardlockup: Add the buddy hardlockup detector", v5. + +This patch series adds the "buddy" hardlockup detector. In brief, the +buddy hardlockup detector can detect hardlockups without arch-level +support by having CPUs checkup on a "buddy" CPU periodically. + +Given the new design of this patch series, testing all combinations is +fairly difficult. I've attempted to make sure that all combinations of +CONFIG_ options are good, but it wouldn't surprise me if I missed +something. I apologize in advance and I'll do my best to fix any +problems that are found. + +This patch (of 18): + +The real watchdog_update_hrtimer_threshold() is defined in +kernel/watchdog_hld.c. That file is included if +CONFIG_HARDLOCKUP_DETECTOR_PERF and the function is defined in that file +if CONFIG_HARDLOCKUP_CHECK_TIMESTAMP. + +The dummy version of the function in "nmi.h" didn't get that quite right. +While this doesn't appear to be a huge deal, it's nice to make it +consistent. + +It doesn't break builds because CHECK_TIMESTAMP is only defined by x86 so +others don't get a double definition, and x86 uses perf lockup detector, +so it gets the out of line version. 
+ +Link: https://lkml.kernel.org/r/20230519101840.v5.18.Ia44852044cdcb074f387e80df6b45e892965d4a1@changeid +Link: https://lkml.kernel.org/r/20230519101840.v5.1.I8cbb2f4fa740528fcfade4f5439b6cdcdd059251@changeid +Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes") +Signed-off-by: Douglas Anderson +Reviewed-by: Nicholas Piggin +Reviewed-by: Petr Mladek +Cc: Andi Kleen +Cc: Catalin Marinas +Cc: Chen-Yu Tsai +Cc: Christophe Leroy +Cc: Daniel Thompson +Cc: "David S. Miller" +Cc: Guenter Roeck +Cc: Ian Rogers +Cc: Lecopzer Chen +Cc: Marc Zyngier +Cc: Mark Rutland +Cc: Masayoshi Mizuma +Cc: Matthias Kaehlcke +Cc: Michael Ellerman +Cc: Pingfan Liu +Cc: Randy Dunlap +Cc: "Ravi V. Shankar" +Cc: Ricardo Neri +Cc: Stephane Eranian +Cc: Stephen Boyd +Cc: Sumit Garg +Cc: Tzung-Bi Shih +Cc: Will Deacon +Cc: Colin Cross +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/nmi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/nmi.h b/include/linux/nmi.h +index e972d1ae1ee63..6cb593d9ed08a 100644 +--- a/include/linux/nmi.h ++++ b/include/linux/nmi.h +@@ -197,7 +197,7 @@ u64 hw_nmi_get_sample_period(int watchdog_thresh); + #endif + + #if defined(CONFIG_HARDLOCKUP_CHECK_TIMESTAMP) && \ +- defined(CONFIG_HARDLOCKUP_DETECTOR) ++ defined(CONFIG_HARDLOCKUP_DETECTOR_PERF) + void watchdog_update_hrtimer_threshold(u64 period); + #else + static inline void watchdog_update_hrtimer_threshold(u64 period) { } +-- +2.39.2 + diff --git a/tmp-4.19/watchdog-perf-more-properly-prevent-false-positives-.patch b/tmp-4.19/watchdog-perf-more-properly-prevent-false-positives-.patch new file mode 100644 index 00000000000..58fc7eac1b9 --- /dev/null +++ b/tmp-4.19/watchdog-perf-more-properly-prevent-false-positives-.patch 
@@ -0,0 +1,84 @@ +From 3c6dc6af3bc7f2705b7a426759a9837e74c2a453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 10:18:26 -0700 +Subject: watchdog/perf: more properly prevent false positives with turbo modes + +From: Douglas Anderson + +[ Upstream commit 4379e59fe5665cfda737e45b8bf2f05321ef049c ] + +Currently, in the watchdog_overflow_callback() we first check to see if +the watchdog had been touched and _then_ we handle the workaround for +turbo mode. This order should be reversed. + +Specifically, "touching" the hardlockup detector's watchdog should avoid +lockups being detected for one period that should be roughly the same +regardless of whether we're running turbo or not. That means that we +should do the extra accounting for turbo _before_ we look at (and clear) +the global indicating that we've been touched. + +NOTE: this fix is made based on code inspection. I am not aware of any +reports where the old code would have generated false positives. That +being said, this order seems more correct and also makes it easier down +the line to share code with the "buddy" hardlockup detector. + +Link: https://lkml.kernel.org/r/20230519101840.v5.2.I843b0d1de3e096ba111a179f3adb16d576bef5c7@changeid +Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes") +Signed-off-by: Douglas Anderson +Cc: Andi Kleen +Cc: Catalin Marinas +Cc: Chen-Yu Tsai +Cc: Christophe Leroy +Cc: Colin Cross +Cc: Daniel Thompson +Cc: "David S. Miller" +Cc: Guenter Roeck +Cc: Ian Rogers +Cc: Lecopzer Chen +Cc: Marc Zyngier +Cc: Mark Rutland +Cc: Masayoshi Mizuma +Cc: Matthias Kaehlcke +Cc: Michael Ellerman +Cc: Nicholas Piggin +Cc: Petr Mladek +Cc: Pingfan Liu +Cc: Randy Dunlap +Cc: "Ravi V. 
Shankar" +Cc: Ricardo Neri +Cc: Stephane Eranian +Cc: Stephen Boyd +Cc: Sumit Garg +Cc: Tzung-Bi Shih +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/watchdog_hld.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/watchdog_hld.c b/kernel/watchdog_hld.c +index 71381168dedef..f8e460b4a59d5 100644 +--- a/kernel/watchdog_hld.c ++++ b/kernel/watchdog_hld.c +@@ -114,14 +114,14 @@ static void watchdog_overflow_callback(struct perf_event *event, + /* Ensure the watchdog never gets throttled */ + event->hw.interrupts = 0; + ++ if (!watchdog_check_timestamp()) ++ return; ++ + if (__this_cpu_read(watchdog_nmi_touch) == true) { + __this_cpu_write(watchdog_nmi_touch, false); + return; + } + +- if (!watchdog_check_timestamp()) +- return; +- + /* check for a hardlockup + * This is done by making sure our timer interrupt + * is incrementing. The timer interrupt should have +-- +2.39.2 + diff --git a/tmp-4.19/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch b/tmp-4.19/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch new file mode 100644 index 00000000000..e6a83160c61 --- /dev/null +++ b/tmp-4.19/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch 
@@ -0,0 +1,47 @@ +From 5f65296a9458994473a1830d34aed8a66606adf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jul 2023 06:31:54 -0700 +Subject: wifi: airo: avoid uninitialized warning in airo_get_rate() + +From: Randy Dunlap + +[ Upstream commit 9373771aaed17f5c2c38485f785568abe3a9f8c1 ] + +Quieten a gcc (11.3.0) build error or warning by checking the function +call status and returning -EBUSY if the function call failed. +This is similar to what several other wireless drivers do for the +SIOCGIWRATE ioctl call when there is a locking problem. + +drivers/net/wireless/cisco/airo.c: error: 'status_rid.currentXmitRate' is used uninitialized [-Werror=uninitialized] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Randy Dunlap +Reported-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/39abf2c7-24a-f167-91da-ed4c5435d1c4@linux-m68k.org +Link: https://lore.kernel.org/r/20230709133154.26206-1-rdunlap@infradead.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/cisco/airo.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c +index 5a6ee0b014da0..a01b42c7c07ac 100644 +--- a/drivers/net/wireless/cisco/airo.c ++++ b/drivers/net/wireless/cisco/airo.c +@@ -6100,8 +6100,11 @@ static int airo_get_rate(struct net_device *dev, + { + struct airo_info *local = dev->ml_priv; + StatusRid status_rid; /* Card status info */ ++ int ret; + +- readStatusRid(local, &status_rid, 1); ++ ret = readStatusRid(local, &status_rid, 1); ++ if (ret) ++ return -EBUSY; + + vwrq->value = le16_to_cpu(status_rid.currentXmitRate) * 500000; + /* If more than one rate, set auto */ +-- +2.39.2 + diff --git a/tmp-4.19/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch b/tmp-4.19/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch new file mode 100644 index 00000000000..12eb40f6c19 --- /dev/null 
+++ b/tmp-4.19/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch 
@@ -0,0 +1,58 @@ +From cf65e68abf8e7ab7b1fbd232bbdf201720676629 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 17:35:01 +0300 +Subject: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit f24292e827088bba8de7158501ac25a59b064953 ] + +For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid +uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should +validate pkt_len before accessing the SKB. + +For example, the obtained SKB may have been badly constructed with +pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr +but after being processed in ath9k_htc_rx_msg() and passed to +ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI +command header which should be located inside its data payload. + +Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit +memory can be referenced. + +Tested on Qualcomm Atheros Communications AR9271 802.11n . + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Reported-and-tested-by: syzbot+f2cb6e0ffdb961921e4d@syzkaller.appspotmail.com +Signed-off-by: Fedor Pchelkin +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230424183348.111355-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/wmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index e4ea6f5cc78ab..5e2a610df61cf 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -218,6 +218,10 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb, + if (unlikely(wmi->stopped)) + goto free_skb; + ++ /* Validate the obtained SKB. 
*/ ++ if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr))) ++ goto free_skb; ++ + hdr = (struct wmi_cmd_hdr *) skb->data; + cmd_id = be16_to_cpu(hdr->command_id); + +-- +2.39.2 + diff --git a/tmp-4.19/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch b/tmp-4.19/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch new file mode 100644 index 00000000000..62f1c572c60 --- /dev/null +++ b/tmp-4.19/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch 
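Review bot: The added length check in ath9k_wmi_ctrl_rx() covers only `sizeof(struct wmi_cmd_hdr)`, and its comment `/* Validate the obtained SKB. */` does not say so; since the frame length is supplied by the device, I would word it as `/* Drop frames too short to hold a WMI command header; payload length is not checked here. */`. Whatever consumes the per-command payload after `cmd_id` is read lies outside the hunk, so whether those paths bound their own reads against `skb->len` cannot be confirmed from here and is worth checking in the same file.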
@@ -0,0 +1,51 @@ +From bbf82c3def2c11aee88ff24f3b0c8cf9599e0071 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jun 2023 16:46:55 +0300 +Subject: wifi: ath9k: convert msecs to jiffies where needed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Antipov + +[ Upstream commit 2aa083acea9f61be3280184384551178f510ff51 ] + +Since 'ieee80211_queue_delayed_work()' expects timeout in +jiffies and not milliseconds, 'msecs_to_jiffies()' should +be used in 'ath_restart_work()' and '__ath9k_flush()'. + +Fixes: d63ffc45c5d3 ("ath9k: rename tx_complete_work to hw_check_work") +Signed-off-by: Dmitry Antipov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230613134655.248728-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c +index e8e297a04d360..2fdf9858a73d9 100644 +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -200,7 +200,7 @@ void ath_cancel_work(struct ath_softc *sc) + void ath_restart_work(struct ath_softc *sc) + { + ieee80211_queue_delayed_work(sc->hw, &sc->hw_check_work, +- ATH_HW_CHECK_POLL_INT); ++ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT)); + + if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9330(sc->sc_ah)) + ieee80211_queue_delayed_work(sc->hw, &sc->hw_pll_work, +@@ -2228,7 +2228,7 @@ void __ath9k_flush(struct ieee80211_hw *hw, u32 queues, bool drop, + } + + ieee80211_queue_delayed_work(hw, &sc->hw_check_work, +- ATH_HW_CHECK_POLL_INT); ++ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT)); + } + + static bool ath9k_tx_frames_pending(struct ieee80211_hw *hw) +-- +2.39.2 + 
diff --git a/tmp-4.19/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch b/tmp-4.19/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch new file mode 100644 index 00000000000..39849183e97 --- /dev/null +++ b/tmp-4.19/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch 
@@ -0,0 +1,54 @@ +From cbdd7ba95d47d114975b51072b4265f8344abe37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 18:03:17 +0300 +Subject: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit 061b0cb9327b80d7a0f63a33e7c3e2a91a71f142 ] + +A bad USB device is able to construct a service connection response +message with target endpoint being ENDPOINT0 which is reserved for +HTC_CTRL_RSVD_SVC and should not be modified to be used for any other +services. + +Reject such service connection responses. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Reported-by: syzbot+b68fbebe56d8362907e8@syzkaller.appspotmail.com +Signed-off-by: Fedor Pchelkin +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230516150427.79469-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index 6331c98088e03..d5e5f9cf4ca86 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -114,7 +114,13 @@ static void htc_process_conn_rsp(struct htc_target *target, + + if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) { + epid = svc_rspmsg->endpoint_id; +- if (epid < 0 || epid >= ENDPOINT_MAX) ++ ++ /* Check that the received epid for the endpoint to attach ++ * a new service is valid. ENDPOINT0 can't be used here as it ++ * is already reserved for HTC_CTRL_RSVD_SVC service and thus ++ * should not be modified. ++ */ ++ if (epid <= ENDPOINT0 || epid >= ENDPOINT_MAX) + return; + + service_id = be16_to_cpu(svc_rspmsg->service_id); +-- +2.39.2 + 
diff --git a/tmp-4.19/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch b/tmp-4.19/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch new file mode 100644 index 00000000000..49302b4acf5 --- /dev/null +++ b/tmp-4.19/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch 
@@ -0,0 +1,95 @@ +From 16cb131de7a54b775ccf43c5fa130d76ee3a1901 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 17:35:00 +0300 +Subject: wifi: ath9k: fix AR9003 mac hardware hang check register offset + calculation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Seiderer + +[ Upstream commit 3e56c80931c7615250fe4bf83f93b57881969266 ] + +Fix ath9k_hw_verify_hang()/ar9003_hw_detect_mac_hang() register offset +calculation (do not overflow the shift for the second register/queues +above five, use the register layout described in the comments above +ath9k_hw_verify_hang() instead). + +Fixes: 222e04830ff0 ("ath9k: Fix MAC HW hang check for AR9003") + +Reported-by: Gregg Wonderly +Link: https://lore.kernel.org/linux-wireless/E3A9C354-0CB7-420C-ADEF-F0177FB722F4@seqtechllc.com/ +Signed-off-by: Peter Seiderer +Acked-by: Toke Høiland-Jørgensen +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230422212423.26065-1-ps.report@gmx.net +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/ar9003_hw.c | 27 ++++++++++++++-------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/ar9003_hw.c b/drivers/net/wireless/ath/ath9k/ar9003_hw.c +index 2fe12b0de5b4f..dea8a998fb622 100644 +--- a/drivers/net/wireless/ath/ath9k/ar9003_hw.c ++++ b/drivers/net/wireless/ath/ath9k/ar9003_hw.c +@@ -1099,17 +1099,22 @@ static bool ath9k_hw_verify_hang(struct ath_hw *ah, unsigned int queue) + { + u32 dma_dbg_chain, dma_dbg_complete; + u8 dcu_chain_state, dcu_complete_state; ++ unsigned int dbg_reg, reg_offset; + int i; + +- for (i = 0; i < NUM_STATUS_READS; i++) { +- if (queue < 6) +- dma_dbg_chain = REG_READ(ah, AR_DMADBG_4); +- else +- dma_dbg_chain = REG_READ(ah, AR_DMADBG_5); ++ if (queue < 6) { ++ dbg_reg = AR_DMADBG_4; ++ reg_offset = queue * 5; ++ } else { ++ dbg_reg = AR_DMADBG_5; ++ reg_offset = (queue - 6) * 5; ++ } 
+ ++ for (i = 0; i < NUM_STATUS_READS; i++) { ++ dma_dbg_chain = REG_READ(ah, dbg_reg); + dma_dbg_complete = REG_READ(ah, AR_DMADBG_6); + +- dcu_chain_state = (dma_dbg_chain >> (5 * queue)) & 0x1f; ++ dcu_chain_state = (dma_dbg_chain >> reg_offset) & 0x1f; + dcu_complete_state = dma_dbg_complete & 0x3; + + if ((dcu_chain_state != 0x6) || (dcu_complete_state != 0x1)) +@@ -1128,6 +1133,7 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah) + u8 dcu_chain_state, dcu_complete_state; + bool dcu_wait_frdone = false; + unsigned long chk_dcu = 0; ++ unsigned int reg_offset; + unsigned int i = 0; + + dma_dbg_4 = REG_READ(ah, AR_DMADBG_4); +@@ -1139,12 +1145,15 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah) + goto exit; + + for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) { +- if (i < 6) ++ if (i < 6) { + chk_dbg = dma_dbg_4; +- else ++ reg_offset = i * 5; ++ } else { + chk_dbg = dma_dbg_5; ++ reg_offset = (i - 6) * 5; ++ } + +- dcu_chain_state = (chk_dbg >> (5 * i)) & 0x1f; ++ dcu_chain_state = (chk_dbg >> reg_offset) & 0x1f; + if (dcu_chain_state == 0x6) { + dcu_wait_frdone = true; + chk_dcu |= BIT(i); +-- +2.39.2 + diff --git a/tmp-4.19/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch b/tmp-4.19/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch new file mode 100644 index 00000000000..60b7d4e55bd --- /dev/null +++ b/tmp-4.19/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch 
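Review bot: The register/offset selection is now written out twice with the same bare literals: `queue < 6`, `queue * 5` and `(queue - 6) * 5` in ath9k_hw_verify_hang(), and the same with `i` in ar9003_hw_detect_mac_hang(), next to the existing `0x1f` mask. Naming them once, for example `#define AR_DMADBG_QUEUES_PER_REG 6` and `#define AR_DMADBG_DCU_STATE_BITS 5` (names are only a suggestion), or a small static helper that returns the shift for a queue index, would keep the two functions in step. ath9k_hw_verify_hang() takes `queue` from its caller with no range check in the visible lines, so the helper would also be the place for a comment stating which queue indexes the layout is valid for. Both function bodies continue outside the hunks.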
@@ -0,0 +1,111 @@ +From 43e3a8b56606fdc140f08245ff49796f93f86e88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jun 2023 11:37:44 +0200 +Subject: wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Remi Pommarel + +[ Upstream commit 75086cc6dee046e3fbb3dba148b376d8802f83bc ] + +On EDMA capable hardware, ath9k_txq_list_has_key() can enter infinite +loop if it is called while all txq_fifos have packets that use different +key that the one we are looking for. Fix it by exiting the loop if all +txq_fifos have been checked already. + +Because this loop is called under spin_lock_bh() (see ath_txq_lock) it +causes the following rcu stall: + +rcu: INFO: rcu_sched self-detected stall on CPU +ath10k_pci 0000:01:00.0: failed to read temperature -11 +rcu: 1-....: (5254 ticks this GP) idle=189/1/0x4000000000000002 softirq=8442983/8442984 fqs=2579 + (t=5257 jiffies g=17983297 q=334) +Task dump for CPU 1: +task:hostapd state:R running task stack: 0 pid: 297 ppid: 289 flags:0x0000000a +Call trace: + dump_backtrace+0x0/0x170 + show_stack+0x1c/0x24 + sched_show_task+0x140/0x170 + dump_cpu_task+0x48/0x54 + rcu_dump_cpu_stacks+0xf0/0x134 + rcu_sched_clock_irq+0x8d8/0x9fc + update_process_times+0xa0/0xec + tick_sched_timer+0x5c/0xd0 + __hrtimer_run_queues+0x154/0x320 + hrtimer_interrupt+0x120/0x2f0 + arch_timer_handler_virt+0x38/0x44 + handle_percpu_devid_irq+0x9c/0x1e0 + handle_domain_irq+0x64/0x90 + gic_handle_irq+0x78/0xb0 + call_on_irq_stack+0x28/0x38 + do_interrupt_handler+0x54/0x5c + el1_interrupt+0x2c/0x4c + el1h_64_irq_handler+0x14/0x1c + el1h_64_irq+0x74/0x78 + ath9k_txq_has_key+0x1bc/0x250 [ath9k] + ath9k_set_key+0x1cc/0x3dc [ath9k] + drv_set_key+0x78/0x170 + ieee80211_key_replace+0x564/0x6cc + ieee80211_key_link+0x174/0x220 + ieee80211_add_key+0x11c/0x300 + nl80211_new_key+0x12c/0x330 + genl_family_rcv_msg_doit+0xbc/0x11c + genl_rcv_msg+0xd8/0x1c4 + 
netlink_rcv_skb+0x40/0x100 + genl_rcv+0x3c/0x50 + netlink_unicast+0x1ec/0x2c0 + netlink_sendmsg+0x198/0x3c0 + ____sys_sendmsg+0x210/0x250 + ___sys_sendmsg+0x78/0xc4 + __sys_sendmsg+0x4c/0x90 + __arm64_sys_sendmsg+0x28/0x30 + invoke_syscall.constprop.0+0x60/0x100 + do_el0_svc+0x48/0xd0 + el0_svc+0x14/0x50 + el0t_64_sync_handler+0xa8/0xb0 + el0t_64_sync+0x158/0x15c + +This rcu stall is hard to reproduce as is, but changing ATH_TXFIFO_DEPTH +from 8 to 2 makes it reasonably easy to reproduce. + +Fixes: ca2848022c12 ("ath9k: Postpone key cache entry deletion for TXQ frames reference it") +Signed-off-by: Remi Pommarel +Tested-by: Nicolas Escande +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230609093744.1985-1-repk@triplefau.lt +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c +index ee1b9c39bad7a..e8e297a04d360 100644 +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -847,7 +847,7 @@ static bool ath9k_txq_list_has_key(struct list_head *txq_list, u32 keyix) + static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix) + { + struct ath_hw *ah = sc->sc_ah; +- int i; ++ int i, j; + struct ath_txq *txq; + bool key_in_use = false; + +@@ -865,8 +865,9 @@ static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix) + if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) { + int idx = txq->txq_tailidx; + +- while (!key_in_use && +- !list_empty(&txq->txq_fifo[idx])) { ++ for (j = 0; !key_in_use && ++ !list_empty(&txq->txq_fifo[idx]) && ++ j < ATH_TXFIFO_DEPTH; j++) { + key_in_use = ath9k_txq_list_has_key( + &txq->txq_fifo[idx], keyix); + INCR(idx, ATH_TXFIFO_DEPTH); +-- +2.39.2 + 
diff --git a/tmp-4.19/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch b/tmp-4.19/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch new file mode 100644 index 00000000000..c4c2160eea1 --- /dev/null +++ b/tmp-4.19/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch 
@@ -0,0 +1,59 @@ +From c11669e78c6279d4eb42e332fdcbd353a753cffd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 09:53:14 +0200 +Subject: wifi: atmel: Fix an error handling path in atmel_probe() + +From: Christophe JAILLET + +[ Upstream commit 6b92e4351a29af52c285fe235e6e4d1a75de04b2 ] + +Should atmel_config() fail, some resources need to be released as already +done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +atmel_probe(), not atmel_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1e65f174607a83348034197fa7d603bab10ba4a9.1684569156.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/atmel/atmel_cs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/atmel/atmel_cs.c b/drivers/net/wireless/atmel/atmel_cs.c +index 7afc9c5329fb1..f5fa1a95b0c15 100644 +--- a/drivers/net/wireless/atmel/atmel_cs.c ++++ b/drivers/net/wireless/atmel/atmel_cs.c +@@ -73,6 +73,7 @@ struct local_info { + static int atmel_probe(struct pcmcia_device *p_dev) + { + struct local_info *local; ++ int ret; + + dev_dbg(&p_dev->dev, "atmel_attach()\n"); + +@@ -83,8 +84,16 @@ static int atmel_probe(struct pcmcia_device *p_dev) + + p_dev->priv = local; + +- return atmel_config(p_dev); +-} /* atmel_attach */ ++ ret = atmel_config(p_dev); ++ if (ret) ++ goto err_free_priv; ++ ++ return 0; ++ ++err_free_priv: ++ kfree(p_dev->priv); ++ return ret; ++} + + static void atmel_detach(struct pcmcia_device *link) + { +-- +2.39.2 + diff --git a/tmp-4.19/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch b/tmp-4.19/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch new file mode 100644 index 00000000000..3e182aa876b --- /dev/null 
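Review bot: The new `err_free_priv` path in atmel_probe() frees the private data with `kfree(p_dev->priv);` but leaves `p_dev->priv` pointing at the freed object. Whether anything reads `priv` after a failed probe is not visible in these hunks, so this is hardening rather than a confirmed use-after-free; adding `p_dev->priv = NULL;` after the kfree would make any stale access fault cleanly. The same pattern appears in the orinoco_cs_probe(), spectrum_cs_probe() and wl3501_probe() patches later in this series, where `link->priv` or `p_dev->priv` still holds the pointer handed to free_orinocodev() or free_netdev(). The middle of atmel_probe() lies between the two nested hunks and is not shown.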
+++ b/tmp-4.19/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch @@ -0,0 +1,47 @@ +From 7fa7b97844f258140628a39210c44fd2dd1b7c21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 13:04:02 +0300 +Subject: wifi: iwlwifi: mvm: avoid baid size integer overflow + +From: Johannes Berg + +[ Upstream commit 1a528ab1da324d078ec60283c34c17848580df24 ] + +Roee reported various hard-to-debug crashes with pings in +EHT aggregation scenarios. Enabling KASAN showed that we +access the BAID allocation out of bounds, and looking at +the code a bit shows that since the reorder buffer entry +(struct iwl_mvm_reorder_buf_entry) is 128 bytes if debug +such as lockdep is enabled, then staring from an agg size +512 we overflow the size calculation, and allocate a much +smaller structure than we should, causing slab corruption +once we initialize this. + +Fix this by simply using u32 instead of u16. + +Reported-by: Roee Goldfiner +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230620125813.f428c856030d.I2c2bb808e945adb71bc15f5b2bac2d8957ea90eb@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +index 373ace38edab7..83883ce7f55dc 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -2237,7 +2237,7 @@ int iwl_mvm_sta_rx_agg(struct iwl_mvm *mvm, struct ieee80211_sta *sta, + } + + if (iwl_mvm_has_new_rx_api(mvm) && start) { +- u16 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); ++ u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); + + /* sparse doesn't like the __align() so don't check */ + #ifndef __CHECKER__ +-- +2.39.2 + 
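Review bot: The widened declaration `u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]);` carries no comment saying why the width matters, so a later cleanup could narrow it again. The commit message gives the reason (512 entries of 128 bytes no longer fit in 16 bits, and the truncated size led to an undersized allocation), and one line above the declaration would preserve it: `/* u32: entry count times entry size can exceed U16_MAX */`. The rest of iwl_mvm_sta_rx_agg(), including the allocation that consumes this value, is outside the hunk.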
diff --git a/tmp-4.19/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch b/tmp-4.19/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch
new file mode 100644
index 00000000000..8f183f74d19
--- /dev/null
+++ b/tmp-4.19/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch
@@ -0,0 +1,48 @@ +From d6fb7a006f008102f2c65907ae4ba8fed02b5d0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 May 2023 15:53:15 +0200 +Subject: wifi: mwifiex: Fix the size of a memory allocation in + mwifiex_ret_802_11_scan() + +From: Christophe JAILLET + +[ Upstream commit d9aef04fcfa81ee4fb2804a21a3712b7bbd936af ] + +The type of "mwifiex_adapter->nd_info" is "struct cfg80211_wowlan_nd_info", +not "struct cfg80211_wowlan_nd_match". + +Use struct_size() to ease the computation of the needed size. + +The current code over-allocates some memory, so is safe. +But it wastes 32 bytes. + +Fixes: 7d7f07d8c5d3 ("mwifiex: add wowlan net-detect support") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/7a6074fb056d2181e058a3cc6048d8155c20aec7.1683371982.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/scan.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c +index c9f6cd2919699..4f0e78ae3dbd0 100644 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -2208,9 +2208,9 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv, + + if (nd_config) { + adapter->nd_info = +- kzalloc(sizeof(struct cfg80211_wowlan_nd_match) + +- sizeof(struct cfg80211_wowlan_nd_match *) * +- scan_rsp->number_of_sets, GFP_ATOMIC); ++ kzalloc(struct_size(adapter->nd_info, matches, ++ scan_rsp->number_of_sets), ++ GFP_ATOMIC); + + if (adapter->nd_info) + adapter->nd_info->n_matches = scan_rsp->number_of_sets; +-- +2.39.2 + diff --git a/tmp-4.19/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch b/tmp-4.19/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch new file mode 100644 index 00000000000..5f229dd40a4 --- /dev/null 
+++ b/tmp-4.19/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch @@ -0,0 +1,58 @@ +From fdea8bce372ab31562ece0fb8bf706052166a8c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 09:38:22 +0200 +Subject: wifi: orinoco: Fix an error handling path in orinoco_cs_probe() + +From: Christophe JAILLET + +[ Upstream commit 67a81d911c01225f426cc6bee2373df044c1a9b7 ] + +Should orinoco_cs_config() fail, some resources need to be released as +already done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +orinoco_cs_probe(), not orinoco_cs_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/e24735ce4d82901d5f7ea08419eea53bfdde3d65.1684568286.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/orinoco/orinoco_cs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c +index a956f965a1e5e..03bfd2482656c 100644 +--- a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c ++++ b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c +@@ -96,6 +96,7 @@ orinoco_cs_probe(struct pcmcia_device *link) + { + struct orinoco_private *priv; + struct orinoco_pccard *card; ++ int ret; + + priv = alloc_orinocodev(sizeof(*card), &link->dev, + orinoco_cs_hard_reset, NULL); +@@ -107,8 +108,16 @@ orinoco_cs_probe(struct pcmcia_device *link) + card->p_dev = link; + link->priv = priv; + +- return orinoco_cs_config(link); +-} /* orinoco_cs_attach */ ++ ret = orinoco_cs_config(link); ++ if (ret) ++ goto err_free_orinocodev; ++ ++ return 0; ++ ++err_free_orinocodev: ++ free_orinocodev(priv); ++ return ret; ++} + + static void orinoco_cs_detach(struct pcmcia_device *link) + { +-- +2.39.2 + 
diff --git a/tmp-4.19/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch b/tmp-4.19/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch
new file mode 100644
index 00000000000..83af7fbc629
--- /dev/null
+++ b/tmp-4.19/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch
@@ -0,0 +1,59 @@ +From 7a359d8680a5bf516024b7d91b9bde70a5f1ef76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 09:29:46 +0200 +Subject: wifi: orinoco: Fix an error handling path in spectrum_cs_probe() + +From: Christophe JAILLET + +[ Upstream commit 925244325159824385209e3e0e3f91fa6bf0646c ] + +Should spectrum_cs_config() fail, some resources need to be released as +already done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +spectrum_cs_probe(), not spectrum_cs_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/c0bc0c21c58ca477fc5521607615bafbf2aef8eb.1684567733.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/orinoco/spectrum_cs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c +index b60048c95e0a8..011c86e55923e 100644 +--- a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c ++++ b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c +@@ -157,6 +157,7 @@ spectrum_cs_probe(struct pcmcia_device *link) + { + struct orinoco_private *priv; + struct orinoco_pccard *card; ++ int ret; + + priv = alloc_orinocodev(sizeof(*card), &link->dev, + spectrum_cs_hard_reset, +@@ -169,8 +170,16 @@ spectrum_cs_probe(struct pcmcia_device *link) + card->p_dev = link; + link->priv = priv; + +- return spectrum_cs_config(link); +-} /* spectrum_cs_attach */ ++ ret = spectrum_cs_config(link); ++ if (ret) ++ goto err_free_orinocodev; ++ ++ return 0; ++ ++err_free_orinocodev: ++ free_orinocodev(priv); ++ return ret; ++} + + static void spectrum_cs_detach(struct pcmcia_device *link) + { +-- +2.39.2 + 
diff --git a/tmp-4.19/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch b/tmp-4.19/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch new file mode 100644 index 00000000000..4f8adcf5954 --- /dev/null +++ b/tmp-4.19/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch @@ -0,0 +1,53 @@ +From 7d705b4ddd98b5603dec26cc74030feea2eebf60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 19:44:14 +0300 +Subject: wifi: ray_cs: Drop useless status variable in parse_addr() + +From: Andy Shevchenko + +[ Upstream commit 4dfc63c002a555a2c3c34d89009532ad803be876 ] + +The status variable assigned only once and used also only once. +Replace it's usage by actual value. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220603164414.48436-2-andriy.shevchenko@linux.intel.com +Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ray_cs.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c +index f15714f19d0ff..e5cdcee04615f 100644 +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -1653,7 +1653,6 @@ static int parse_addr(char *in_str, UCHAR *out) + { + int i, k; + int len; +- int status; + + if (in_str == NULL) + return 0; +@@ -1662,7 +1661,6 @@ static int parse_addr(char *in_str, UCHAR *out) + return 0; + memset(out, 0, ADDRLEN); + +- status = 1; + i = 5; + + while (len > 0) { +@@ -1680,7 +1678,7 @@ static int parse_addr(char *in_str, UCHAR *out) + if (!i--) + break; + } +- return status; ++ return 1; + } + + /*===========================================================================*/ +-- +2.39.2 + diff --git a/tmp-4.19/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch b/tmp-4.19/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch new file mode 100644 index 00000000000..a6ad78e58ad 
--- /dev/null
+++ b/tmp-4.19/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch
@@ -0,0 +1,69 @@ +From c56ebaf56992bd5ad91919e1bdb623475a1bc379 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 10:13:22 +0200 +Subject: wifi: ray_cs: Fix an error handling path in ray_probe() + +From: Christophe JAILLET + +[ Upstream commit 4f8d66a9fb2edcd05c1e563456a55a08910bfb37 ] + +Should ray_config() fail, some resources need to be released as already +done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +ray_probe(), not ray_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/8c544d18084f8b37dd108e844f7e79e85ff708ff.1684570373.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ray_cs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c +index e5cdcee04615f..edc990d099789 100644 +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -282,13 +282,14 @@ static int ray_probe(struct pcmcia_device *p_dev) + { + ray_dev_t *local; + struct net_device *dev; ++ int ret; + + dev_dbg(&p_dev->dev, "ray_attach()\n"); + + /* Allocate space for private device-specific data */ + dev = alloc_etherdev(sizeof(ray_dev_t)); + if (!dev) +- goto fail_alloc_dev; ++ return -ENOMEM; + + local = netdev_priv(dev); + local->finder = p_dev; +@@ -325,11 +326,16 @@ static int ray_probe(struct pcmcia_device *p_dev) + timer_setup(&local->timer, NULL, 0); + + this_device = p_dev; +- return ray_config(p_dev); ++ ret = ray_config(p_dev); ++ if (ret) ++ goto err_free_dev; ++ ++ return 0; + +-fail_alloc_dev: +- return -ENOMEM; +-} /* ray_attach */ ++err_free_dev: ++ free_netdev(dev); ++ return ret; ++} + + static void ray_detach(struct pcmcia_device *link) + { +-- +2.39.2 + 
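Review bot: In ray_probe() the error path added after ray_config() calls `free_netdev(dev);` while the `this_device = p_dev;` assignment just above it stays in effect. `this_device` is not declared in the visible lines and looks like a non-local variable; if other code reaches the net_device through it (not visible here), a failed probe would leave that code dereferencing freed memory. Resetting it on the error path, `this_device = NULL;` before `free_netdev(dev);`, closes that window. Most of the function body between the two nested hunks is not shown.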
diff --git a/tmp-4.19/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch b/tmp-4.19/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch
new file mode 100644
index 00000000000..df7e1dad046
--- /dev/null
+++ b/tmp-4.19/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch
@@ -0,0 +1,67 @@ +From 39183f28dd2fa490bf43101f1f9693db74661545 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 19:44:13 +0300 +Subject: wifi: ray_cs: Utilize strnlen() in parse_addr() + +From: Andy Shevchenko + +[ Upstream commit 9e8e9187673cb24324f9165dd47b2b28f60b0b10 ] + +Instead of doing simple operations and using an additional variable on stack, +utilize strnlen() and reuse len variable. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220603164414.48436-1-andriy.shevchenko@linux.intel.com +Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ray_cs.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c +index 8704bae39e1bf..f15714f19d0ff 100644 +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -1651,31 +1651,29 @@ static void authenticate_timeout(struct timer_list *t) + /*===========================================================================*/ + static int parse_addr(char *in_str, UCHAR *out) + { ++ int i, k; + int len; +- int i, j, k; + int status; + + if (in_str == NULL) + return 0; +- if ((len = strlen(in_str)) < 2) ++ len = strnlen(in_str, ADDRLEN * 2 + 1) - 1; ++ if (len < 1) + return 0; + memset(out, 0, ADDRLEN); + + status = 1; +- j = len - 1; +- if (j > 12) +- j = 12; + i = 5; + +- while (j > 0) { +- if ((k = hex_to_bin(in_str[j--])) != -1) ++ while (len > 0) { ++ if ((k = hex_to_bin(in_str[len--])) != -1) + out[i] = k; + else + return 0; + +- if (j == 0) ++ if (len == 0) + break; +- if ((k = hex_to_bin(in_str[j--])) != -1) ++ if ((k = hex_to_bin(in_str[len--])) != -1) + out[i] += k << 4; + else + return 0; +-- +2.39.2 + 
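Review bot: The new `len = strnlen(in_str, ADDRLEN * 2 + 1) - 1;` in parse_addr() subtracts from an unsigned result, so for an empty string the value wraps and only becomes -1 through the conversion to `int len`. The following `if (len < 1)` does reject that case, but the correctness of the bound check then rests on an implicit conversion. Checking before subtracting keeps the arithmetic in range: `len = strnlen(in_str, ADDRLEN * 2 + 1);` then `if (len < 2) return 0;` then `len--;`. The tail of the parsing loop is outside the nested hunk.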
diff --git a/tmp-4.19/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch b/tmp-4.19/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch new file mode 100644 index 00000000000..4ff8e9f0d4c --- /dev/null +++ b/tmp-4.19/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch @@ -0,0 +1,41 @@ +From 2a7df1bf66097f12bf14a803010334fd8c7d3260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 May 2023 00:28:59 +0200 +Subject: wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown + +From: Marek Vasut + +[ Upstream commit e74f562328b03fbe9cf438f958464dff3a644dfc ] + +It makes no sense to set MMC_PM_KEEP_POWER in shutdown. The flag +indicates to the MMC subsystem to keep the slot powered on during +suspend, but in shutdown the slot should actually be powered off. +Drop this call. + +Fixes: 063848c3e155 ("rsi: sdio: Add WOWLAN support for S5 shutdown state") +Signed-off-by: Marek Vasut +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230527222859.273768-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rsi/rsi_91x_sdio.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio.c b/drivers/net/wireless/rsi/rsi_91x_sdio.c +index 48efe83c58d89..409a3e8305763 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c ++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c +@@ -1368,9 +1368,6 @@ static void rsi_shutdown(struct device *dev) + if (sdev->write_fail) + rsi_dbg(INFO_ZONE, "###### Device is not ready #######\n"); + +- if (rsi_set_sdio_pm_caps(adapter)) +- rsi_dbg(INFO_ZONE, "Setting power management caps failed\n"); +- + rsi_dbg(INFO_ZONE, "***** RSI module shut down *****\n"); + } + +-- +2.39.2 + diff --git a/tmp-4.19/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch b/tmp-4.19/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch new file mode 100644 index 00000000000..42aaf2a63a3 --- /dev/null 
+++ b/tmp-4.19/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch 
@@ -0,0 +1,71 @@ +From eec6c0631c177e946a67d88280585b6f80934407 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 12:04:07 -0600 +Subject: wifi: wext-core: Fix -Wstringop-overflow warning in + ioctl_standard_iw_point() + +From: Gustavo A. R. Silva + +[ Upstream commit 71e7552c90db2a2767f5c17c7ec72296b0d92061 ] + +-Wstringop-overflow is legitimately warning us about extra_size +pontentially being zero at some point, hence potenially ending +up _allocating_ zero bytes of memory for extra pointer and then +trying to access such object in a call to copy_from_user(). + +Fix this by adding a sanity check to ensure we never end up +trying to allocate zero bytes of data for extra pointer, before +continue executing the rest of the code in the function. + +Address the following -Wstringop-overflow warning seen when built +m68k architecture with allyesconfig configuration: + from net/wireless/wext-core.c:11: +In function '_copy_from_user', + inlined from 'copy_from_user' at include/linux/uaccess.h:183:7, + inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7: +arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=] + 48 | #define memset(d, c, n) __builtin_memset(d, c, n) + | ^~~~~~~~~~~~~~~~~~~~~~~~~ +include/linux/uaccess.h:153:17: note: in expansion of macro 'memset' + 153 | memset(to + (n - res), 0, res); + | ^~~~~~ +In function 'kmalloc', + inlined from 'kzalloc' at include/linux/slab.h:694:9, + inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10: +include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc' + 577 | return __kmalloc(size, flags); + | ^~~~~~~~~~~~~~~~~~~~~~ + +This help with the ongoing efforts to globally enable +-Wstringop-overflow. + +Link: https://github.com/KSPP/linux/issues/315 +Signed-off-by: Gustavo A. R. 
Silva +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/ZItSlzvIpjdjNfd8@work +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/wext-core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c +index 76a80a41615be..a57f54bc0e1a7 100644 +--- a/net/wireless/wext-core.c ++++ b/net/wireless/wext-core.c +@@ -796,6 +796,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, + } + } + ++ /* Sanity-check to ensure we never end up _allocating_ zero ++ * bytes of data for extra. ++ */ ++ if (extra_size <= 0) ++ return -EFAULT; ++ + /* kzalloc() ensures NULL-termination for essid_compat. */ + extra = kzalloc(extra_size, GFP_KERNEL); + if (!extra) +-- +2.39.2 + diff --git a/tmp-4.19/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch b/tmp-4.19/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch new file mode 100644 index 00000000000..a1abfa639d1 --- /dev/null +++ b/tmp-4.19/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch 
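Review bot: The comment added above `if (extra_size <= 0)` in ioctl_standard_iw_point() explains only the zero-byte case, while the check also rejects negative values. If extra_size is a signed int (its declaration is outside the hunk), a negative value passed on to kzalloc() would be converted to a very large size, so the negative case is worth stating too. The comment could read `/* Reject a zero or negative size before it reaches kzalloc() and copy_from_user(). */`. The function's body begins and continues outside the nested hunk.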
@@ -0,0 +1,66 @@ +From 0ca96611eabb69439dd098fe35b02e57573d5f13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 10:05:08 +0200 +Subject: wifi: wl3501_cs: Fix an error handling path in wl3501_probe() + +From: Christophe JAILLET + +[ Upstream commit 391af06a02e7642039ac5f6c4b2c034ab0992b5d ] + +Should wl3501_config() fail, some resources need to be released as already +done in the remove function. + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/7cc9c9316489b7d69b36aeb0edd3123538500b41.1684569865.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index 46188a83d8be8..4380c5d8fdd27 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1863,6 +1863,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev) + { + struct net_device *dev; + struct wl3501_card *this; ++ int ret; + + /* The io structure describes IO port mapping */ + p_dev->resource[0]->end = 16; +@@ -1874,8 +1875,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev) + + dev = alloc_etherdev(sizeof(struct wl3501_card)); + if (!dev) +- goto out_link; +- ++ return -ENOMEM; + + dev->netdev_ops = &wl3501_netdev_ops; + dev->watchdog_timeo = 5 * HZ; +@@ -1888,9 +1888,15 @@ static int wl3501_probe(struct pcmcia_device *p_dev) + netif_stop_queue(dev); + p_dev->priv = dev; + +- return wl3501_config(p_dev); +-out_link: +- return -ENOMEM; ++ ret = wl3501_config(p_dev); ++ if (ret) ++ goto out_free_etherdev; ++ ++ return 0; ++ ++out_free_etherdev: ++ free_netdev(dev); ++ return ret; + } + + static int wl3501_config(struct pcmcia_device *link) +-- +2.39.2 + 
diff --git a/tmp-4.19/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch b/tmp-4.19/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch
new file mode 100644
index 00000000000..6c04e488320
--- /dev/null
+++ b/tmp-4.19/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch
@@ -0,0 +1,143 @@ +From 547b7019051a368a9dc01f5544d6bb44912e690b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 10:33:51 +0100 +Subject: wl3501_cs: Fix a bunch of formatting issues related to function docs + +From: Lee Jones + +[ Upstream commit 2307d0bc9d8b60299f255d1771ce0d997162a957 ] + +Fixes the following W=1 kernel build warning(s): + + In file included from drivers/net/wireless/wl3501_cs.c:57: + drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'channel' not described in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:162: warning: Function parameter or member 'reg_domain' not described in 'iw_default_channel' + drivers/net/wireless/wl3501_cs.c:248: warning: Function parameter or member 'this' not described in 'wl3501_set_to_wla' + drivers/net/wireless/wl3501_cs.c:270: warning: Function parameter or member 'this' not described in 'wl3501_get_from_wla' + drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'this' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:729: warning: Function parameter or member 'this' not described in 'wl3501_block_interrupt' + drivers/net/wireless/wl3501_cs.c:746: warning: Function parameter or member 'this' not described in 'wl3501_unblock_interrupt' + drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'irq' not described in 'wl3501_interrupt' + drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'dev_id' not described in 'wl3501_interrupt' + drivers/net/wireless/wl3501_cs.c:1257: warning: Function parameter or member 'dev' not 
described in 'wl3501_reset' + drivers/net/wireless/wl3501_cs.c:1420: warning: Function parameter or member 'link' not described in 'wl3501_detach' + +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: Fox Chen +Cc: de Melo +Cc: Gustavo Niemeyer +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200826093401.1458456-21-lee.jones@linaro.org +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index cfde9b94b4b60..78c89e6421f97 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -133,8 +133,8 @@ static const struct { + + /** + * iw_valid_channel - validate channel in regulatory domain +- * @reg_comain - regulatory domain +- * @channel - channel to validate ++ * @reg_comain: regulatory domain ++ * @channel: channel to validate + * + * Returns 0 if invalid in the specified regulatory domain, non-zero if valid. 
+ */ +@@ -153,7 +153,7 @@ static int iw_valid_channel(int reg_domain, int channel) + + /** + * iw_default_channel - get default channel for a regulatory domain +- * @reg_comain - regulatory domain ++ * @reg_domain: regulatory domain + * + * Returns the default channel for a regulatory domain + */ +@@ -236,6 +236,7 @@ static int wl3501_get_flash_mac_addr(struct wl3501_card *this) + + /** + * wl3501_set_to_wla - Move 'size' bytes from PC to card ++ * @this: Card + * @dest: Card addressing space + * @src: PC addressing space + * @size: Bytes to move +@@ -258,6 +259,7 @@ static void wl3501_set_to_wla(struct wl3501_card *this, u16 dest, void *src, + + /** + * wl3501_get_from_wla - Move 'size' bytes from card to PC ++ * @this: Card + * @src: Card addressing space + * @dest: PC addressing space + * @size: Bytes to move +@@ -454,7 +456,7 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend) + + /** + * wl3501_send_pkt - Send a packet. +- * @this - card ++ * @this: Card + * + * Send a packet. + * +@@ -722,7 +724,7 @@ static void wl3501_mgmt_scan_confirm(struct wl3501_card *this, u16 addr) + + /** + * wl3501_block_interrupt - Mask interrupt from SUTRO +- * @this - card ++ * @this: Card + * + * Mask interrupt from SUTRO. (i.e. SUTRO cannot interrupt the HOST) + * Return: 1 if interrupt is originally enabled +@@ -739,7 +741,7 @@ static int wl3501_block_interrupt(struct wl3501_card *this) + + /** + * wl3501_unblock_interrupt - Enable interrupt from SUTRO +- * @this - card ++ * @this: Card + * + * Enable interrupt from SUTRO. (i.e. SUTRO can interrupt the HOST) + * Return: 1 if interrupt is originally enabled +@@ -1113,8 +1115,8 @@ static inline void wl3501_ack_interrupt(struct wl3501_card *this) + + /** + * wl3501_interrupt - Hardware interrupt from card. 
+- * @irq - Interrupt number +- * @dev_id - net_device ++ * @irq: Interrupt number ++ * @dev_id: net_device + * + * We must acknowledge the interrupt as soon as possible, and block the + * interrupt from the same card immediately to prevent re-entry. +@@ -1252,7 +1254,7 @@ static int wl3501_close(struct net_device *dev) + + /** + * wl3501_reset - Reset the SUTRO. +- * @dev - network device ++ * @dev: network device + * + * It is almost the same as wl3501_open(). In fact, we may just wl3501_close() + * and wl3501_open() again, but I wouldn't like to free_irq() when the driver +@@ -1415,7 +1417,7 @@ static struct iw_statistics *wl3501_get_wireless_stats(struct net_device *dev) + + /** + * wl3501_detach - deletes a driver "instance" +- * @link - FILL_IN ++ * @link: FILL_IN + * + * This deletes a driver "instance". The device is de-registered with Card + * Services. If it has been released, all local data structures are freed. +-- +2.39.2 + diff --git a/tmp-4.19/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch b/tmp-4.19/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch new file mode 100644 index 00000000000..56f0c147769 --- /dev/null +++ b/tmp-4.19/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch 
@@ -0,0 +1,64 @@ +From 95fa0eae9a65ac7aa9641b6c3e2e2baa5a405801 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 11:23:53 +0000 +Subject: wl3501_cs: Fix misspelling and provide missing documentation + +From: Lee Jones + +[ Upstream commit 8b8a6f8c3b50193d161c598a6784e721128d6dc3 ] + +Fixes the following W=1 kernel build warning(s): + + In file included from drivers/net/wireless/wl3501_cs.c:57: + drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:143: warning: Excess function parameter 'reg_comain' description in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt' + +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: Fox Chen +Cc: de Melo +Cc: Gustavo Niemeyer +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20201102112410.1049272-25-lee.jones@linaro.org +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index 5b2383270627c..c6d1a320e244f 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -133,7 +133,7 @@ static const struct { + + /** + * iw_valid_channel - validate channel in regulatory domain +- * @reg_comain: regulatory domain ++ * @reg_domain: regulatory domain + * @channel: channel to validate + * + * Returns 0 if invalid in the specified regulatory domain, non-zero if valid. 
+@@ -457,11 +457,9 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend) + /** + * wl3501_send_pkt - Send a packet. + * @this: Card +- * +- * Send a packet. +- * +- * data = Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr, ++ * @data: Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr, + * data[6] - data[11] is Src MAC Addr) ++ * @len: Packet length + * Ref: IEEE 802.11 + */ + static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len) +-- +2.39.2 + diff --git a/tmp-4.19/wl3501_cs-remove-unnecessary-null-check.patch b/tmp-4.19/wl3501_cs-remove-unnecessary-null-check.patch new file mode 100644 index 00000000000..dcbf81babcd --- /dev/null +++ b/tmp-4.19/wl3501_cs-remove-unnecessary-null-check.patch 
@@ -0,0 +1,41 @@ +From 21a78f971fc1457d7cca18d3b669df8c9ebe7e89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Sep 2020 18:45:58 +0100 +Subject: wl3501_cs: Remove unnecessary NULL check + +From: Alex Dewar + +[ Upstream commit 1d2a85382282e7c77cbde5650335c3ffc6073fa1 ] + +In wl3501_detach(), link->priv is checked for a NULL value before being +passed to free_netdev(). However, it cannot be NULL at this point as it +has already been passed to other functions, so just remove the check. + +Addresses-Coverity: CID 710499: Null pointer dereferences (REVERSE_INULL) +Signed-off-by: Alex Dewar +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200926174558.9436-1-alex.dewar90@gmail.com +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index 78c89e6421f97..5b2383270627c 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1438,9 +1438,7 @@ static void wl3501_detach(struct pcmcia_device *link) + wl3501_release(link); + + unregister_netdev(dev); +- +- if (link->priv) +- free_netdev(link->priv); ++ free_netdev(dev); + } + + static int wl3501_get_name(struct net_device *dev, struct iw_request_info *info, +-- +2.39.2 + diff --git a/tmp-4.19/wl3501_cs-use-eth_hw_addr_set.patch b/tmp-4.19/wl3501_cs-use-eth_hw_addr_set.patch new file mode 100644 index 00000000000..9e978595232 --- /dev/null +++ b/tmp-4.19/wl3501_cs-use-eth_hw_addr_set.patch 
@@ -0,0 +1,40 @@ +From 377134b648d92ee9684576ff1522558cbf0c7a5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 16:50:20 -0700 +Subject: wl3501_cs: use eth_hw_addr_set() + +From: Jakub Kicinski + +[ Upstream commit 18774612246d036c04ce9fee7f67192f96f48725 ] + +Commit 406f42fa0d3c ("net-next: When a bond have a massive amount +of VLANs...") introduced a rbtree for faster Ethernet address look +up. To maintain netdev->dev_addr in this tree we need to make all +the writes to it got through appropriate helpers. + +Signed-off-by: Jakub Kicinski +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211018235021.1279697-15-kuba@kernel.org +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index c6d1a320e244f..46188a83d8be8 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1946,8 +1946,7 @@ static int wl3501_config(struct pcmcia_device *link) + goto failed; + } + +- for (i = 0; i < 6; i++) +- dev->dev_addr[i] = ((char *)&this->mac_addr)[i]; ++ eth_hw_addr_set(dev, this->mac_addr); + + /* print probe information */ + printk(KERN_INFO "%s: wl3501 @ 0x%3.3x, IRQ %d, " +-- +2.39.2 + diff --git a/tmp-4.19/workqueue-clean-up-work_-constant-types-clarify-masking.patch b/tmp-4.19/workqueue-clean-up-work_-constant-types-clarify-masking.patch new file mode 100644 index 00000000000..3d6a67fa0d2 --- /dev/null +++ b/tmp-4.19/workqueue-clean-up-work_-constant-types-clarify-masking.patch 
@@ -0,0 +1,140 @@ +From afa4bb778e48d79e4a642ed41e3b4e0de7489a6c Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Fri, 23 Jun 2023 12:08:14 -0700 +Subject: workqueue: clean up WORK_* constant types, clarify masking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +commit afa4bb778e48d79e4a642ed41e3b4e0de7489a6c upstream. + +Dave Airlie reports that gcc-13.1.1 has started complaining about some +of the workqueue code in 32-bit arm builds: + + kernel/workqueue.c: In function ‘get_work_pwq’: + kernel/workqueue.c:713:24: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] + 713 | return (void *)(data & WORK_STRUCT_WQ_DATA_MASK); + | ^ + [ ... a couple of other cases ... ] + +and while it's not immediately clear exactly why gcc started complaining +about it now, I suspect it's some C23-induced enum type handlign fixup in +gcc-13 is the cause. + +Whatever the reason for starting to complain, the code and data types +are indeed disgusting enough that the complaint is warranted. + +The wq code ends up creating various "helper constants" (like that +WORK_STRUCT_WQ_DATA_MASK) using an enum type, which is all kinds of +confused. The mask needs to be 'unsigned long', not some unspecified +enum type. + +To make matters worse, the actual "mask and cast to a pointer" is +repeated a couple of times, and the cast isn't even always done to the +right pointer, but - as the error case above - to a 'void *' with then +the compiler finishing the job. + +That's now how we roll in the kernel. + +So create the masks using the proper types rather than some ambiguous +enumeration, and use a nice helper that actually does the type +conversion in one well-defined place. + +Incidentally, this magically makes clang generate better code. That, +admittedly, is really just a sign of clang having been seriously +confused before, and cleaning up the typing unconfuses the compiler too. 
+ +Reported-by: Dave Airlie +Link: https://lore.kernel.org/lkml/CAPM=9twNnV4zMCvrPkw3H-ajZOH-01JVh_kDrxdPYQErz8ZTdA@mail.gmail.com/ +Cc: Arnd Bergmann +Cc: Tejun Heo +Cc: Nick Desaulniers +Cc: Nathan Chancellor +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/workqueue.h | 15 ++++++++------- + kernel/workqueue.c | 13 ++++++++----- + 2 files changed, 16 insertions(+), 12 deletions(-) + +--- a/include/linux/workqueue.h ++++ b/include/linux/workqueue.h +@@ -73,7 +73,6 @@ enum { + WORK_OFFQ_FLAG_BASE = WORK_STRUCT_COLOR_SHIFT, + + __WORK_OFFQ_CANCELING = WORK_OFFQ_FLAG_BASE, +- WORK_OFFQ_CANCELING = (1 << __WORK_OFFQ_CANCELING), + + /* + * When a work item is off queue, its high bits point to the last +@@ -84,12 +83,6 @@ enum { + WORK_OFFQ_POOL_SHIFT = WORK_OFFQ_FLAG_BASE + WORK_OFFQ_FLAG_BITS, + WORK_OFFQ_LEFT = BITS_PER_LONG - WORK_OFFQ_POOL_SHIFT, + WORK_OFFQ_POOL_BITS = WORK_OFFQ_LEFT <= 31 ? WORK_OFFQ_LEFT : 31, +- WORK_OFFQ_POOL_NONE = (1LU << WORK_OFFQ_POOL_BITS) - 1, +- +- /* convenience constants */ +- WORK_STRUCT_FLAG_MASK = (1UL << WORK_STRUCT_FLAG_BITS) - 1, +- WORK_STRUCT_WQ_DATA_MASK = ~WORK_STRUCT_FLAG_MASK, +- WORK_STRUCT_NO_POOL = (unsigned long)WORK_OFFQ_POOL_NONE << WORK_OFFQ_POOL_SHIFT, + + /* bit mask for work_busy() return values */ + WORK_BUSY_PENDING = 1 << 0, +@@ -99,6 +92,14 @@ enum { + WORKER_DESC_LEN = 24, + }; + ++/* Convenience constants - of type 'unsigned long', not 'enum'! 
*/ ++#define WORK_OFFQ_CANCELING (1ul << __WORK_OFFQ_CANCELING) ++#define WORK_OFFQ_POOL_NONE ((1ul << WORK_OFFQ_POOL_BITS) - 1) ++#define WORK_STRUCT_NO_POOL (WORK_OFFQ_POOL_NONE << WORK_OFFQ_POOL_SHIFT) ++ ++#define WORK_STRUCT_FLAG_MASK ((1ul << WORK_STRUCT_FLAG_BITS) - 1) ++#define WORK_STRUCT_WQ_DATA_MASK (~WORK_STRUCT_FLAG_MASK) ++ + struct work_struct { + atomic_long_t data; + struct list_head entry; +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -680,12 +680,17 @@ static void clear_work_data(struct work_ + set_work_data(work, WORK_STRUCT_NO_POOL, 0); + } + ++static inline struct pool_workqueue *work_struct_pwq(unsigned long data) ++{ ++ return (struct pool_workqueue *)(data & WORK_STRUCT_WQ_DATA_MASK); ++} ++ + static struct pool_workqueue *get_work_pwq(struct work_struct *work) + { + unsigned long data = atomic_long_read(&work->data); + + if (data & WORK_STRUCT_PWQ) +- return (void *)(data & WORK_STRUCT_WQ_DATA_MASK); ++ return work_struct_pwq(data); + else + return NULL; + } +@@ -713,8 +718,7 @@ static struct worker_pool *get_work_pool + assert_rcu_or_pool_mutex(); + + if (data & WORK_STRUCT_PWQ) +- return ((struct pool_workqueue *) +- (data & WORK_STRUCT_WQ_DATA_MASK))->pool; ++ return work_struct_pwq(data)->pool; + + pool_id = data >> WORK_OFFQ_POOL_SHIFT; + if (pool_id == WORK_OFFQ_POOL_NONE) +@@ -735,8 +739,7 @@ static int get_work_pool_id(struct work_ + unsigned long data = atomic_long_read(&work->data); + + if (data & WORK_STRUCT_PWQ) +- return ((struct pool_workqueue *) +- (data & WORK_STRUCT_WQ_DATA_MASK))->pool->id; ++ return work_struct_pwq(data)->pool->id; + + return data >> WORK_OFFQ_POOL_SHIFT; + } diff --git a/tmp-4.19/x86-cpu-amd-add-a-zenbleed-fix.patch b/tmp-4.19/x86-cpu-amd-add-a-zenbleed-fix.patch new file mode 100644 index 00000000000..a84874a5024 --- /dev/null +++ b/tmp-4.19/x86-cpu-amd-add-a-zenbleed-fix.patch 
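Review bot: The new helper `work_struct_pwq()` in kernel/workqueue.c masks off the flag bits and casts the result to `struct pool_workqueue *` without checking that the word holds a pwq pointer at all. The three visible callers (get_work_pwq, get_work_pool, get_work_pool_id) all test `data & WORK_STRUCT_PWQ` first, but the helper itself does not state that requirement. A one-line comment above it would keep later callers from using it on off-queue data, for example `/* Only valid when WORK_STRUCT_PWQ is set in @data; otherwise the high bits hold a pool ID, not a pointer. */`.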
@@ -0,0 +1,161 @@ +From b2d362e150f1a48e95b4224e6ad860948f48c158 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Sat, 15 Jul 2023 13:41:28 +0200 +Subject: x86/cpu/amd: Add a Zenbleed fix + +From: "Borislav Petkov (AMD)" + +Upstream commit: 522b1d69219d8f083173819fde04f994aa051a98 + +Add a fix for the Zen2 VZEROUPPER data corruption bug where under +certain circumstances executing VZEROUPPER can cause register +corruption or leak data. + +The optimal fix is through microcode but in the case the proper +microcode revision has not been applied, enable a fallback fix using +a chicken bit. + +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/microcode.h | 1 + arch/x86/include/asm/microcode_amd.h | 2 + + arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/amd.c | 60 +++++++++++++++++++++++++++++++++++ + arch/x86/kernel/cpu/common.c | 2 + + 5 files changed, 66 insertions(+) + +--- a/arch/x86/include/asm/microcode.h ++++ b/arch/x86/include/asm/microcode.h +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + + struct ucode_patch { + struct list_head plist; +--- a/arch/x86/include/asm/microcode_amd.h ++++ b/arch/x86/include/asm/microcode_amd.h +@@ -48,11 +48,13 @@ extern void __init load_ucode_amd_bsp(un + extern void load_ucode_amd_ap(unsigned int family); + extern int __init save_microcode_in_initrd_amd(unsigned int family); + void reload_ucode_amd(unsigned int cpu); ++extern void amd_check_microcode(void); + #else + static inline void __init load_ucode_amd_bsp(unsigned int family) {} + static inline void load_ucode_amd_ap(unsigned int family) {} + static inline int __init + save_microcode_in_initrd_amd(unsigned int family) { return -EINVAL; } + static inline void reload_ucode_amd(unsigned int cpu) {} ++static inline void amd_check_microcode(void) {} + #endif + #endif /* _ASM_X86_MICROCODE_AMD_H */ +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -407,6 
+407,7 @@ + #define MSR_AMD64_DE_CFG 0xc0011029 + #define MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT 1 + #define MSR_AMD64_DE_CFG_LFENCE_SERIALIZE BIT_ULL(MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT) ++#define MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT 9 + + #define MSR_AMD64_BU_CFG2 0xc001102a + #define MSR_AMD64_IBSFETCHCTL 0xc0011030 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -66,6 +66,11 @@ static const int amd_erratum_383[] = + static const int amd_erratum_1054[] = + AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); + ++static const int amd_zenbleed[] = ++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0x30, 0x0, 0x4f, 0xf), ++ AMD_MODEL_RANGE(0x17, 0x60, 0x0, 0x7f, 0xf), ++ AMD_MODEL_RANGE(0x17, 0xa0, 0x0, 0xaf, 0xf)); ++ + static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) + { + int osvw_id = *erratum++; +@@ -971,6 +976,47 @@ static void init_amd_zn(struct cpuinfo_x + } + } + ++static bool cpu_has_zenbleed_microcode(void) ++{ ++ u32 good_rev = 0; ++ ++ switch (boot_cpu_data.x86_model) { ++ case 0x30 ... 0x3f: good_rev = 0x0830107a; break; ++ case 0x60 ... 0x67: good_rev = 0x0860010b; break; ++ case 0x68 ... 0x6f: good_rev = 0x08608105; break; ++ case 0x70 ... 0x7f: good_rev = 0x08701032; break; ++ case 0xa0 ... 
0xaf: good_rev = 0x08a00008; break; ++ ++ default: ++ return false; ++ break; ++ } ++ ++ if (boot_cpu_data.microcode < good_rev) ++ return false; ++ ++ return true; ++} ++ ++static void zenbleed_check(struct cpuinfo_x86 *c) ++{ ++ if (!cpu_has_amd_erratum(c, amd_zenbleed)) ++ return; ++ ++ if (cpu_has(c, X86_FEATURE_HYPERVISOR)) ++ return; ++ ++ if (!cpu_has(c, X86_FEATURE_AVX)) ++ return; ++ ++ if (!cpu_has_zenbleed_microcode()) { ++ pr_notice_once("Zenbleed: please update your microcode for the most optimal fix\n"); ++ msr_set_bit(MSR_AMD64_DE_CFG, MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT); ++ } else { ++ msr_clear_bit(MSR_AMD64_DE_CFG, MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT); ++ } ++} ++ + static void init_amd(struct cpuinfo_x86 *c) + { + early_init_amd(c); +@@ -1073,6 +1119,8 @@ static void init_amd(struct cpuinfo_x86 + msr_set_bit(MSR_K7_HWCR, MSR_K7_HWCR_IRPERF_EN_BIT); + + check_null_seg_clears_base(c); ++ ++ zenbleed_check(c); + } + + #ifdef CONFIG_X86_32 +@@ -1186,3 +1234,15 @@ void set_dr_addr_mask(unsigned long mask + break; + } + } ++ ++static void zenbleed_check_cpu(void *unused) ++{ ++ struct cpuinfo_x86 *c = &cpu_data(smp_processor_id()); ++ ++ zenbleed_check(c); ++} ++ ++void amd_check_microcode(void) ++{ ++ on_each_cpu(zenbleed_check_cpu, NULL, 1); ++} +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -2077,6 +2077,8 @@ void microcode_check(void) + + perf_check_microcode(); + ++ amd_check_microcode(); ++ + /* Reload CPUID max function as it might've changed. */ + info.cpuid_level = cpuid_eax(0); + diff --git a/tmp-4.19/x86-cpu-amd-move-the-errata-checking-functionality-up.patch b/tmp-4.19/x86-cpu-amd-move-the-errata-checking-functionality-up.patch new file mode 100644 index 00000000000..78a4e9bba1c --- /dev/null +++ b/tmp-4.19/x86-cpu-amd-move-the-errata-checking-functionality-up.patch 
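Review bot: `cpu_has_zenbleed_microcode()` reads `boot_cpu_data.x86_model` and `boot_cpu_data.microcode`, yet `zenbleed_check(c)` runs on every CPU through `on_each_cpu()` and sets or clears the DE_CFG bit on the CPU it runs on. If CPUs can be left at different microcode revisions (the loader is not visible in this hunk), a CPU still below `good_rev` would have the fallback bit cleared because the boot CPU is new enough. Passing `c` into the helper and testing `if (c->microcode < good_rev)` ties the decision to the CPU whose MSR is written. Separately, models 0x40-0x4f are listed in `amd_zenbleed` but have no case in the switch, so they always take the chicken-bit path; a comment on the `default:` branch saying this is intended would help the next reader.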
@@ -0,0 +1,181 @@ +From 334baad709246598bfd30587a0e98b0d90f3f596 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Sat, 15 Jul 2023 13:31:32 +0200 +Subject: x86/cpu/amd: Move the errata checking functionality up + +From: "Borislav Petkov (AMD)" + +Upstream commit: 8b6f687743dacce83dbb0c7cfacf88bab00f808a + +Avoid new and remove old forward declarations. + +No functional changes. + +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/amd.c | 139 ++++++++++++++++++++++------------------------ + 1 file changed, 67 insertions(+), 72 deletions(-) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -23,11 +23,6 @@ + + #include "cpu.h" + +-static const int amd_erratum_383[]; +-static const int amd_erratum_400[]; +-static const int amd_erratum_1054[]; +-static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum); +- + /* + * nodes_per_socket: Stores the number of nodes per socket. + * Refer to Fam15h Models 00-0fh BKDG - CPUID Fn8000_001E_ECX +@@ -35,6 +30,73 @@ static bool cpu_has_amd_erratum(struct c + */ + static u32 nodes_per_socket = 1; + ++/* ++ * AMD errata checking ++ * ++ * Errata are defined as arrays of ints using the AMD_LEGACY_ERRATUM() or ++ * AMD_OSVW_ERRATUM() macros. The latter is intended for newer errata that ++ * have an OSVW id assigned, which it takes as first argument. Both take a ++ * variable number of family-specific model-stepping ranges created by ++ * AMD_MODEL_RANGE(). ++ * ++ * Example: ++ * ++ * const int amd_erratum_319[] = ++ * AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2), ++ * AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0), ++ * AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0)); ++ */ ++ ++#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 } ++#define AMD_OSVW_ERRATUM(osvw_id, ...) 
{ osvw_id, __VA_ARGS__, 0 } ++#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \ ++ ((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end)) ++#define AMD_MODEL_RANGE_FAMILY(range) (((range) >> 24) & 0xff) ++#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff) ++#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff) ++ ++static const int amd_erratum_400[] = ++ AMD_OSVW_ERRATUM(1, AMD_MODEL_RANGE(0xf, 0x41, 0x2, 0xff, 0xf), ++ AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0xff, 0xf)); ++ ++static const int amd_erratum_383[] = ++ AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf)); ++ ++/* #1054: Instructions Retired Performance Counter May Be Inaccurate */ ++static const int amd_erratum_1054[] = ++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); ++ ++static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) ++{ ++ int osvw_id = *erratum++; ++ u32 range; ++ u32 ms; ++ ++ if (osvw_id >= 0 && osvw_id < 65536 && ++ cpu_has(cpu, X86_FEATURE_OSVW)) { ++ u64 osvw_len; ++ ++ rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, osvw_len); ++ if (osvw_id < osvw_len) { ++ u64 osvw_bits; ++ ++ rdmsrl(MSR_AMD64_OSVW_STATUS + (osvw_id >> 6), ++ osvw_bits); ++ return osvw_bits & (1ULL << (osvw_id & 0x3f)); ++ } ++ } ++ ++ /* OSVW unavailable or ID unknown, match family-model-stepping range */ ++ ms = (cpu->x86_model << 4) | cpu->x86_stepping; ++ while ((range = *erratum++)) ++ if ((cpu->x86 == AMD_MODEL_RANGE_FAMILY(range)) && ++ (ms >= AMD_MODEL_RANGE_START(range)) && ++ (ms <= AMD_MODEL_RANGE_END(range))) ++ return true; ++ ++ return false; ++} ++ + static inline int rdmsrl_amd_safe(unsigned msr, unsigned long long *p) + { + u32 gprs[8] = { 0 }; +@@ -1106,73 +1168,6 @@ static const struct cpu_dev amd_cpu_dev + + cpu_dev_register(amd_cpu_dev); + +-/* +- * AMD errata checking +- * +- * Errata are defined as arrays of ints using the AMD_LEGACY_ERRATUM() or +- * AMD_OSVW_ERRATUM() macros. 
The latter is intended for newer errata that +- * have an OSVW id assigned, which it takes as first argument. Both take a +- * variable number of family-specific model-stepping ranges created by +- * AMD_MODEL_RANGE(). +- * +- * Example: +- * +- * const int amd_erratum_319[] = +- * AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2), +- * AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0), +- * AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0)); +- */ +- +-#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 } +-#define AMD_OSVW_ERRATUM(osvw_id, ...) { osvw_id, __VA_ARGS__, 0 } +-#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \ +- ((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end)) +-#define AMD_MODEL_RANGE_FAMILY(range) (((range) >> 24) & 0xff) +-#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff) +-#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff) +- +-static const int amd_erratum_400[] = +- AMD_OSVW_ERRATUM(1, AMD_MODEL_RANGE(0xf, 0x41, 0x2, 0xff, 0xf), +- AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0xff, 0xf)); +- +-static const int amd_erratum_383[] = +- AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf)); +- +-/* #1054: Instructions Retired Performance Counter May Be Inaccurate */ +-static const int amd_erratum_1054[] = +- AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); +- +-static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) +-{ +- int osvw_id = *erratum++; +- u32 range; +- u32 ms; +- +- if (osvw_id >= 0 && osvw_id < 65536 && +- cpu_has(cpu, X86_FEATURE_OSVW)) { +- u64 osvw_len; +- +- rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, osvw_len); +- if (osvw_id < osvw_len) { +- u64 osvw_bits; +- +- rdmsrl(MSR_AMD64_OSVW_STATUS + (osvw_id >> 6), +- osvw_bits); +- return osvw_bits & (1ULL << (osvw_id & 0x3f)); +- } +- } +- +- /* OSVW unavailable or ID unknown, match family-model-stepping range */ +- ms = (cpu->x86_model << 4) | cpu->x86_stepping; +- while ((range = *erratum++)) +- if ((cpu->x86 == 
AMD_MODEL_RANGE_FAMILY(range)) && +- (ms >= AMD_MODEL_RANGE_START(range)) && +- (ms <= AMD_MODEL_RANGE_END(range))) +- return true; +- +- return false; +-} +- + void set_dr_addr_mask(unsigned long mask, int dr) + { + if (!boot_cpu_has(X86_FEATURE_BPEXT)) diff --git a/tmp-4.19/x86-microcode-amd-load-late-on-both-threads-too.patch b/tmp-4.19/x86-microcode-amd-load-late-on-both-threads-too.patch new file mode 100644 index 00000000000..e53a68b05d3 --- /dev/null +++ b/tmp-4.19/x86-microcode-amd-load-late-on-both-threads-too.patch @@ -0,0 +1,30 @@ +From a32b0f0db3f396f1c9be2fe621e77c09ec3d8e7d Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Tue, 2 May 2023 19:53:50 +0200 +Subject: x86/microcode/AMD: Load late on both threads too + +From: Borislav Petkov (AMD) + +commit a32b0f0db3f396f1c9be2fe621e77c09ec3d8e7d upstream. + +Do the same as early loading - load on both threads. + +Signed-off-by: Borislav Petkov (AMD) +Cc: +Link: https://lore.kernel.org/r/20230605141332.25948-1-bp@alien8.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/microcode/amd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/microcode/amd.c ++++ b/arch/x86/kernel/cpu/microcode/amd.c +@@ -532,7 +532,7 @@ static enum ucode_state apply_microcode_ + rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy); + + /* need to apply patch? */ +- if (rev >= mc_amd->hdr.patch_id) { ++ if (rev > mc_amd->hdr.patch_id) { + ret = UCODE_OK; + goto out; + } diff --git a/tmp-4.19/x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch b/tmp-4.19/x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch new file mode 100644 index 00000000000..631b2772a18 --- /dev/null +++ b/tmp-4.19/x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch 
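Review bot: In arch/x86/kernel/cpu/microcode/amd.c the comment `/* need to apply patch? */` above the changed comparison no longer explains the condition, because with `rev > mc_amd->hdr.patch_id` a CPU that already reports the same revision is patched again. Only the commit message says why (load on both threads), and that reason belongs next to the test, for example `/* Re-apply when rev == patch_id so the sibling thread is loaded too; still skip when the running revision is newer. */`. The enclosing function (its name is truncated in the hunk header) starts and ends outside the hunk.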
@@ -0,0 +1,91 @@ +From f9c9987bf52f4e42e940ae217333ebb5a4c3b506 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 15 Jun 2023 22:33:55 +0200 +Subject: x86/smp: Use dedicated cache-line for mwait_play_dead() + +From: Thomas Gleixner + +commit f9c9987bf52f4e42e940ae217333ebb5a4c3b506 upstream. + +Monitoring idletask::thread_info::flags in mwait_play_dead() has been an +obvious choice as all what is needed is a cache line which is not written +by other CPUs. + +But there is a use case where a "dead" CPU needs to be brought out of +MWAIT: kexec(). + +This is required as kexec() can overwrite text, pagetables, stacks and the +monitored cacheline of the original kernel. The latter causes MWAIT to +resume execution which obviously causes havoc on the kexec kernel which +results usually in triple faults. + +Use a dedicated per CPU storage to prepare for that. + +Signed-off-by: Thomas Gleixner +Reviewed-by: Ashok Raj +Reviewed-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230615193330.434553750@linutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/smpboot.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -96,6 +96,17 @@ DEFINE_PER_CPU_READ_MOSTLY(cpumask_var_t + DEFINE_PER_CPU_READ_MOSTLY(struct cpuinfo_x86, cpu_info); + EXPORT_PER_CPU_SYMBOL(cpu_info); + ++struct mwait_cpu_dead { ++ unsigned int control; ++ unsigned int status; ++}; ++ ++/* ++ * Cache line aligned data for mwait_play_dead(). Separate on purpose so ++ * that it's unlikely to be touched by other CPUs. ++ */ ++static DEFINE_PER_CPU_ALIGNED(struct mwait_cpu_dead, mwait_cpu_dead); ++ + /* Logical package management. 
We might want to allocate that dynamically */ + unsigned int __max_logical_packages __read_mostly; + EXPORT_SYMBOL(__max_logical_packages); +@@ -1594,10 +1605,10 @@ static bool wakeup_cpu0(void) + */ + static inline void mwait_play_dead(void) + { ++ struct mwait_cpu_dead *md = this_cpu_ptr(&mwait_cpu_dead); + unsigned int eax, ebx, ecx, edx; + unsigned int highest_cstate = 0; + unsigned int highest_subcstate = 0; +- void *mwait_ptr; + int i; + + if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD) +@@ -1631,13 +1642,6 @@ static inline void mwait_play_dead(void) + (highest_subcstate - 1); + } + +- /* +- * This should be a memory location in a cache line which is +- * unlikely to be touched by other processors. The actual +- * content is immaterial as it is not actually modified in any way. +- */ +- mwait_ptr = ¤t_thread_info()->flags; +- + wbinvd(); + + while (1) { +@@ -1649,9 +1653,9 @@ static inline void mwait_play_dead(void) + * case where we return around the loop. + */ + mb(); +- clflush(mwait_ptr); ++ clflush(md); + mb(); +- __monitor(mwait_ptr, 0, 0); ++ __monitor(md, 0, 0); + mb(); + __mwait(eax, 0); + /* diff --git a/tmp-4.19/xtensa-iss-fix-call-to-split_if_spec.patch b/tmp-4.19/xtensa-iss-fix-call-to-split_if_spec.patch new file mode 100644 index 00000000000..6eb37bc12de --- /dev/null +++ b/tmp-4.19/xtensa-iss-fix-call-to-split_if_spec.patch 
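Review bot: The members `control` and `status` of the new `struct mwait_cpu_dead` are never read or written in this patch; `mwait_play_dead()` only passes the struct's address to `clflush()` and `__monitor()`. The commit message says the storage is added to prepare for bringing a dead CPU out of MWAIT, but the code comment only covers the cache-line placement. A short comment on the members, such as `/* not used yet; reserved for the kexec wake-up handshake */`, would stop them being removed as dead fields or written by code that does not expect to wake the parked CPU. The removed comment also noted that the monitored content is never modified, which still holds in this hunk and is worth keeping in the new comment.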
@@ -0,0 +1,34 @@ +From bc8d5916541fa19ca5bc598eb51a5f78eb891a36 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Mon, 3 Jul 2023 11:01:42 -0700 +Subject: xtensa: ISS: fix call to split_if_spec + +From: Max Filippov + +commit bc8d5916541fa19ca5bc598eb51a5f78eb891a36 upstream. + +split_if_spec expects a NULL-pointer as an end marker for the argument +list, but tuntap_probe never supplied that terminating NULL. As a result +incorrectly formatted interface specification string may cause a crash +because of the random memory access. Fix that by adding NULL terminator +to the split_if_spec argument list. + +Cc: stable@vger.kernel.org +Fixes: 7282bee78798 ("[PATCH] xtensa: Architecture support for Tensilica Xtensa Part 8") +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman +--- + arch/xtensa/platforms/iss/network.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/xtensa/platforms/iss/network.c ++++ b/arch/xtensa/platforms/iss/network.c +@@ -236,7 +236,7 @@ static int tuntap_probe(struct iss_net_p + + init += sizeof(TRANSPORT_TUNTAP_NAME) - 1; + if (*init == ',') { +- rem = split_if_spec(init + 1, &mac_str, &dev_name); ++ rem = split_if_spec(init + 1, &mac_str, &dev_name, NULL); + if (rem != NULL) { + pr_err("%s: extra garbage on specification : '%s'\n", + dev->name, rem); diff --git a/tmp-5.10/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch b/tmp-5.10/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch new file mode 100644 index 00000000000..73ffdc1002f --- /dev/null +++ b/tmp-5.10/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch 
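Review bot: The missing terminator in `tuntap_probe()` went unnoticed because nothing makes the compiler check the NULL end marker of `split_if_spec()`'s argument list. Since the contract is a NULL-terminated variadic list, the declaration of `split_if_spec()` (outside this hunk) could carry GCC's `__attribute__((sentinel))`, which warns on any call that lacks the trailing NULL, together with a one-line comment stating that contract. Other callers of `split_if_spec()`, if there are any, are not visible here and should be checked for the same omission.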
@@ -0,0 +1,45 @@ +From 902cac1c6b803c5a450ddbc2ebbe6d6bd82b0f0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Apr 2023 12:38:41 +0200 +Subject: ACPI: button: Add lid disable DMI quirk for Nextbook Ares 8A + +From: Hans de Goede + +[ Upstream commit 4fd5556608bfa9c2bf276fc115ef04288331aded ] + +The LID0 device on the Nextbook Ares 8A tablet always reports lid +closed causing userspace to suspend the device as soon as booting +is complete. + +Add a DMI quirk to disable the broken lid functionality. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/button.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/acpi/button.c b/drivers/acpi/button.c +index 0d93a5ef4d071..4861aad1a9e93 100644 +--- a/drivers/acpi/button.c ++++ b/drivers/acpi/button.c +@@ -82,6 +82,15 @@ static const struct dmi_system_id dmi_lid_quirks[] = { + }, + .driver_data = (void *)(long)ACPI_BUTTON_LID_INIT_DISABLED, + }, ++ { ++ /* Nextbook Ares 8A tablet, _LID device always reports lid closed */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Insyde"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "CherryTrail"), ++ DMI_MATCH(DMI_BIOS_VERSION, "M882"), ++ }, ++ .driver_data = (void *)(long)ACPI_BUTTON_LID_INIT_DISABLED, ++ }, + { + /* + * Medion Akoya E2215T, notification of the LID device only +-- +2.39.2 + diff --git a/tmp-5.10/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch b/tmp-5.10/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch new file mode 100644 index 00000000000..ae71ec7cf65 --- /dev/null +++ b/tmp-5.10/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch 
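Review bot: The new `dmi_lid_quirks` entry keys on `"Insyde"` and `"CherryTrail"`, which name a firmware vendor and an SoC platform rather than this tablet, so `DMI_BIOS_VERSION` `"M882"` is the only distinguishing field, and `DMI_MATCH()` is a substring match. Any other board with those generic strings whose BIOS version merely contains M882 would have its lid switch disabled as well. `DMI_EXACT_MATCH(DMI_BIOS_VERSION, "M882")` would narrow the match, provided the full version string on the device is exactly M882 (to be confirmed on hardware). The same substring concern applies to the `DMI_MATCH(DMI_PRODUCT_NAME, "3371")` entry added to `video_detect_dmi_table` by a later patch on this page.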
@@ -0,0 +1,43 @@ +From 01075c6cf6a48d97ca8aac446b25865c095c8170 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 11:23:58 +0200 +Subject: ACPI: video: Add backlight=native DMI quirk for Apple iMac11,3 + +From: Hans de Goede + +[ Upstream commit 48436f2e9834b46b47b038b605c8142a1c07bc85 ] + +Linux defaults to picking the non-working ACPI video backlight interface +on the Apple iMac11,3 . + +Add a DMI quirk to pick the working native radeon_bl0 interface instead. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index 038542b3a80a7..872b5351f0d8f 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -332,6 +332,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "82BK"), + }, + }, ++ { ++ .callback = video_detect_force_native, ++ /* Apple iMac11,3 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "iMac11,3"), ++ }, ++ }, + { + /* https://bugzilla.redhat.com/show_bug.cgi?id=1217249 */ + .callback = video_detect_force_native, +-- +2.39.2 + diff --git a/tmp-5.10/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch b/tmp-5.10/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch new file mode 100644 index 00000000000..f888234733e --- /dev/null +++ b/tmp-5.10/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch 
@@ -0,0 +1,44 @@ +From 2e3c70e11d2fee621784ace25e7fdb1e6d130542 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 11:23:59 +0200 +Subject: ACPI: video: Add backlight=native DMI quirk for Lenovo ThinkPad X131e + (3371 AMD version) + +From: Hans de Goede + +[ Upstream commit bd5d93df86a7ddf98a2a37e9c3751e3cb334a66c ] + +Linux defaults to picking the non-working ACPI video backlight interface +on the Lenovo ThinkPad X131e (3371 AMD version). + +Add a DMI quirk to pick the working native radeon_bl0 interface instead. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index 872b5351f0d8f..b02d381e78483 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -332,6 +332,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "82BK"), + }, + }, ++ { ++ .callback = video_detect_force_native, ++ /* Lenovo ThinkPad X131e (3371 AMD version) */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "3371"), ++ }, ++ }, + { + .callback = video_detect_force_native, + /* Apple iMac11,3 */ +-- +2.39.2 + diff --git a/tmp-5.10/add-module_firmware-for-firmware_tg357766.patch b/tmp-5.10/add-module_firmware-for-firmware_tg357766.patch new file mode 100644 index 00000000000..2cde604c9e1 --- /dev/null +++ b/tmp-5.10/add-module_firmware-for-firmware_tg357766.patch 
@@ -0,0 +1,37 @@ +From 5005bbef55c3425fc8bd9a808e24298096e7dedf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jun 2023 02:13:32 +0200 +Subject: Add MODULE_FIRMWARE() for FIRMWARE_TG357766. + +From: Tobias Heider + +[ Upstream commit 046f753da6143ee16452966915087ec8b0de3c70 ] + +Fixes a bug where on the M1 mac mini initramfs-tools fails to +include the necessary firmware into the initrd. + +Fixes: c4dab50697ff ("tg3: Download 57766 EEE service patch firmware") +Signed-off-by: Tobias Heider +Reviewed-by: Michael Chan +Link: https://lore.kernel.org/r/ZJt7LKzjdz8+dClx@tobhe.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/tg3.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index 613ca6124e3ce..d14f37be1eb3e 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -224,6 +224,7 @@ MODULE_AUTHOR("David S. Miller (davem@redhat.com) and Jeff Garzik (jgarzik@pobox + MODULE_DESCRIPTION("Broadcom Tigon3 ethernet driver"); + MODULE_LICENSE("GPL"); + MODULE_FIRMWARE(FIRMWARE_TG3); ++MODULE_FIRMWARE(FIRMWARE_TG357766); + MODULE_FIRMWARE(FIRMWARE_TG3TSO); + MODULE_FIRMWARE(FIRMWARE_TG3TSO5); + +-- +2.39.2 + diff --git a/tmp-5.10/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch b/tmp-5.10/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch new file mode 100644 index 00000000000..b03b71c5baa --- /dev/null +++ b/tmp-5.10/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch 
@@ -0,0 +1,42 @@
+From 0af6a1b9044476e5ad9c34d741e5741709f84afd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jun 2023 10:17:32 +0800
+Subject: ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer
+
+From: Su Hui
+
+[ Upstream commit 79597c8bf64ca99eab385115743131d260339da5 ]
+
+smatch error:
+sound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error:
+we previously assumed 'rac97' could be null (see line 2072)
+
+remove redundant assignment, return error if rac97 is NULL.
+
+Fixes: da3cec35dd3c ("ALSA: Kill snd_assert() in sound/pci/*")
+Signed-off-by: Su Hui
+Link: https://lore.kernel.org/r/20230615021732.1972194-1-suhui@nfschina.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/pci/ac97/ac97_codec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c
+index cd66632bf1c37..e18572eae5e01 100644
+--- a/sound/pci/ac97/ac97_codec.c
++++ b/sound/pci/ac97/ac97_codec.c
+@@ -2007,8 +2007,8 @@ int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template,
+ .dev_disconnect = snd_ac97_dev_disconnect,
+ };
+
+- if (rac97)
+- *rac97 = NULL;
++ if (!rac97)
++ return -EINVAL;
+ if (snd_BUG_ON(!bus || !template))
+ return -EINVAL;
+ if (snd_BUG_ON(template->num >= 4))
+--
+2.39.2
+
diff --git a/tmp-5.10/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch b/tmp-5.10/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch
new file mode 100644
index 00000000000..f59806f6556
--- /dev/null
+++ b/tmp-5.10/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch
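Review bot: With `*rac97 = NULL;` removed, the output pointer is no longer cleared before the `return -EINVAL` paths that follow in snd_ac97_mixer(), so a caller that inspects its pointer after a failed call may now see whatever it held before the call. Callers are not visible in this hunk, so this is a contract change to verify rather than a confirmed bug. Keeping the clear directly after the new guard preserves the old behaviour: `if (!rac97) return -EINVAL;` followed by `*rac97 = NULL;`. The function body continues outside the hunk.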
@@ -0,0 +1,73 @@ +From 0659400f18c0e6c0c69d74fe5d09e7f6fbbd52a2 Mon Sep 17 00:00:00 2001 +From: Luka Guzenko +Date: Tue, 18 Jul 2023 18:12:41 +0200 +Subject: ALSA: hda/realtek: Enable Mute LED on HP Laptop 15s-eq2xxx + +From: Luka Guzenko + +commit 0659400f18c0e6c0c69d74fe5d09e7f6fbbd52a2 upstream. + +The HP Laptop 15s-eq2xxx uses ALC236 codec and controls the mute LED using +COEF 0x07 index 1. No existing quirk covers this configuration. +Adds a new quirk and enables it for the device. + +Signed-off-by: Luka Guzenko +Cc: +Link: https://lore.kernel.org/r/20230718161241.393181-1-l.guzenko@web.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4559,6 +4559,21 @@ static void alc236_fixup_hp_mute_led_coe + } + } + ++static void alc236_fixup_hp_mute_led_coefbit2(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ spec->mute_led_polarity = 0; ++ spec->mute_led_coef.idx = 0x07; ++ spec->mute_led_coef.mask = 1; ++ spec->mute_led_coef.on = 1; ++ spec->mute_led_coef.off = 0; ++ snd_hda_gen_add_mute_led_cdev(codec, coef_mute_led_set); ++ } ++} ++ + /* turn on/off mic-mute LED per capture hook by coef bit */ + static int coef_micmute_led_set(struct led_classdev *led_cdev, + enum led_brightness brightness) +@@ -6878,6 +6893,7 @@ enum { + ALC285_FIXUP_HP_GPIO_LED, + ALC285_FIXUP_HP_MUTE_LED, + ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED, ++ ALC236_FIXUP_HP_MUTE_LED_COEFBIT2, + ALC236_FIXUP_HP_GPIO_LED, + ALC236_FIXUP_HP_MUTE_LED, + ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF, +@@ -8250,6 +8266,10 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc285_fixup_hp_spectre_x360_mute_led, + }, ++ [ALC236_FIXUP_HP_MUTE_LED_COEFBIT2] = { ++ .type = HDA_FIXUP_FUNC, 
++ .v.func = alc236_fixup_hp_mute_led_coefbit2, ++ }, + [ALC236_FIXUP_HP_GPIO_LED] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc236_fixup_hp_gpio_led, +@@ -9004,6 +9024,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8873, "HP ZBook Studio 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), ++ SND_PCI_QUIRK(0x103c, 0x887a, "HP Laptop 15s-eq2xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x888d, "HP ZBook Power 15.6 inch G8 Mobile Workstation PC", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8895, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_SPEAKERS_MICMUTE_LED), + SND_PCI_QUIRK(0x103c, 0x8896, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_MUTE_LED), diff --git a/tmp-5.10/alsa-hda-realtek-remove-3k-pull-low-procedure.patch b/tmp-5.10/alsa-hda-realtek-remove-3k-pull-low-procedure.patch new file mode 100644 index 00000000000..d18993f9ae9 --- /dev/null +++ b/tmp-5.10/alsa-hda-realtek-remove-3k-pull-low-procedure.patch 
@@ -0,0 +1,66 @@ +From 69ea4c9d02b7947cdd612335a61cc1a02e544ccd Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Thu, 13 Jul 2023 15:57:13 +0800 +Subject: ALSA: hda/realtek - remove 3k pull low procedure + +From: Kailang Yang + +commit 69ea4c9d02b7947cdd612335a61cc1a02e544ccd upstream. + +This was the ALC283 depop procedure. +Maybe this procedure wasn't suitable with new codec. +So, let us remove it. But HP 15z-fc000 must do 3k pull low. If it +reboot with plugged headset, +it will have errors show don't find codec error messages. Run 3k pull +low will solve issues. +So, let AMD chipset will run this for workarround. + +Fixes: 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording issue") +Signed-off-by: Kailang Yang +Cc: +Reported-by: Joseph C. Sible +Closes: https://lore.kernel.org/r/CABpewhE4REgn9RJZduuEU6Z_ijXNeQWnrxO1tg70Gkw=F8qNYg@mail.gmail.com/ +Link: https://lore.kernel.org/r/4678992299664babac4403d9978e7ba7@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -121,6 +121,7 @@ struct alc_spec { + unsigned int ultra_low_power:1; + unsigned int has_hs_key:1; + unsigned int no_internal_mic_pin:1; ++ unsigned int en_3kpull_low:1; + + /* for PLL fix */ + hda_nid_t pll_nid; +@@ -3617,6 +3618,7 @@ static void alc256_shutup(struct hda_cod + if (!hp_pin) + hp_pin = 0x21; + ++ alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */ + hp_pin_sense = snd_hda_jack_detect(codec, hp_pin); + + if (hp_pin_sense) +@@ -3633,8 +3635,7 @@ static void alc256_shutup(struct hda_cod + /* If disable 3k pulldown control for alc257, the Mic detection will not work correctly + * when booting with headset plugged. 
So skip setting it for the codec alc257 + */ +- if (codec->core.vendor_id != 0x10ec0236 && +- codec->core.vendor_id != 0x10ec0257) ++ if (spec->en_3kpull_low) + alc_update_coef_idx(codec, 0x46, 0, 3 << 12); + + if (!spec->no_shutup_pins) +@@ -10065,6 +10066,8 @@ static int patch_alc269(struct hda_codec + spec->shutup = alc256_shutup; + spec->init_hook = alc256_init; + spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */ ++ if (codec->bus->pci->vendor == PCI_VENDOR_ID_AMD) ++ spec->en_3kpull_low = true; + break; + case 0x10ec0257: + spec->codec_variant = ALC269_TYPE_ALC257; diff --git a/tmp-5.10/alsa-jack-fix-mutex-call-in-snd_jack_report.patch b/tmp-5.10/alsa-jack-fix-mutex-call-in-snd_jack_report.patch new file mode 100644 index 00000000000..6baa95484c8 --- /dev/null +++ b/tmp-5.10/alsa-jack-fix-mutex-call-in-snd_jack_report.patch 
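Review bot: The added `codec->bus->pci->vendor == PCI_VENDOR_ID_AMD` test in patch_alc269() dereferences `codec->bus->pci` without a NULL check; if this codec can be probed on a bus that has no PCI device (not determinable from the hunk), that is a NULL dereference at probe time. A guarded form costs nothing: `if (codec->bus->pci && codec->bus->pci->vendor == PCI_VENDOR_ID_AMD)`. Separately, the comment kept above `if (spec->en_3kpull_low)` in alc256_shutup() still says the setting is skipped for alc257, which no longer describes the condition and should be reworded around the new flag. Both functions extend beyond their hunks.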
@@ -0,0 +1,91 @@ +From 42ada51b21a1d74cab694d8963a0185bcb2956e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 17:53:57 +0200 +Subject: ALSA: jack: Fix mutex call in snd_jack_report() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Takashi Iwai + +[ Upstream commit 89dbb335cb6a627a4067bc42caa09c8bc3326d40 ] + +snd_jack_report() is supposed to be callable from an IRQ context, too, +and it's indeed used in that way from virtsnd driver. The fix for +input_dev race in commit 1b6a6fc5280e ("ALSA: jack: Access input_dev +under mutex"), however, introduced a mutex lock in snd_jack_report(), +and this resulted in a potential sleep-in-atomic. + +For addressing that problem, this patch changes the relevant code to +use the object get/put and removes the mutex usage. That is, +snd_jack_report(), it takes input_get_device() and leaves with +input_put_device() for assuring the input_dev being assigned. + +Although the whole mutex could be reduced, we keep it because it can +be still a protection for potential races between creation and +deletion. 
+ +Fixes: 1b6a6fc5280e ("ALSA: jack: Access input_dev under mutex") +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/cf95f7fe-a748-4990-8378-000491b40329@moroto.mountain +Tested-by: Amadeusz Sławiński +Cc: +Link: https://lore.kernel.org/r/20230706155357.3470-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/jack.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/sound/core/jack.c b/sound/core/jack.c +index 45e28db6ea38d..8a9baa084191f 100644 +--- a/sound/core/jack.c ++++ b/sound/core/jack.c +@@ -364,6 +364,7 @@ void snd_jack_report(struct snd_jack *jack, int status) + { + struct snd_jack_kctl *jack_kctl; + #ifdef CONFIG_SND_JACK_INPUT_DEV ++ struct input_dev *idev; + int i; + #endif + +@@ -375,30 +376,28 @@ void snd_jack_report(struct snd_jack *jack, int status) + status & jack_kctl->mask_bits); + + #ifdef CONFIG_SND_JACK_INPUT_DEV +- mutex_lock(&jack->input_dev_lock); +- if (!jack->input_dev) { +- mutex_unlock(&jack->input_dev_lock); ++ idev = input_get_device(jack->input_dev); ++ if (!idev) + return; +- } + + for (i = 0; i < ARRAY_SIZE(jack->key); i++) { + int testbit = SND_JACK_BTN_0 >> i; + + if (jack->type & testbit) +- input_report_key(jack->input_dev, jack->key[i], ++ input_report_key(idev, jack->key[i], + status & testbit); + } + + for (i = 0; i < ARRAY_SIZE(jack_switch_types); i++) { + int testbit = 1 << i; + if (jack->type & testbit) +- input_report_switch(jack->input_dev, ++ input_report_switch(idev, + jack_switch_types[i], + status & testbit); + } + +- input_sync(jack->input_dev); +- mutex_unlock(&jack->input_dev_lock); ++ input_sync(idev); ++ input_put_device(idev); + #endif /* CONFIG_SND_JACK_INPUT_DEV */ + } + EXPORT_SYMBOL(snd_jack_report); +-- +2.39.2 + diff --git a/tmp-5.10/amdgpu-validate-offset_in_bo-of-drm_amdgpu_gem_va.patch b/tmp-5.10/amdgpu-validate-offset_in_bo-of-drm_amdgpu_gem_va.patch new file mode 100644 index 00000000000..6e14be9109e 
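Review bot: `idev = input_get_device(jack->input_dev);` in snd_jack_report() now loads `jack->input_dev` with no lock held, so the reference only protects the device if nothing can unregister and free it between the load and the get. The teardown path is outside this hunk, so whether that window exists cannot be confirmed here. A comment above the call stating what keeps the pointer valid would make the lifetime assumption reviewable, e.g. `/* no lock: may run in IRQ context; <teardown ordering that keeps input_dev alive until the ref is taken> */`.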
--- /dev/null +++ b/tmp-5.10/amdgpu-validate-offset_in_bo-of-drm_amdgpu_gem_va.patch 
@@ -0,0 +1,73 @@ +From 1ed239d912921f435b657c5d88bd0cc7922ec0a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 15:44:12 -0700 +Subject: amdgpu: validate offset_in_bo of drm_amdgpu_gem_va +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chia-I Wu + +[ Upstream commit 9f0bcf49e9895cb005d78b33a5eebfa11711b425 ] + +This is motivated by OOB access in amdgpu_vm_update_range when +offset_in_bo+map_size overflows. + +v2: keep the validations in amdgpu_vm_bo_map +v3: add the validations to amdgpu_vm_bo_map/amdgpu_vm_bo_replace_map + rather than to amdgpu_gem_va_ioctl + +Fixes: 9f7eb5367d00 ("drm/amdgpu: actually use the VM map parameters") +Reviewed-by: Christian König +Signed-off-by: Chia-I Wu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +index c705ce11c436f..8445bb7ae06ab 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -2229,14 +2229,14 @@ int amdgpu_vm_bo_map(struct amdgpu_device *adev, + uint64_t eaddr; + + /* validate the parameters */ +- if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK || +- size == 0 || size & ~PAGE_MASK) ++ if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK || size & ~PAGE_MASK) ++ return -EINVAL; ++ if (saddr + size <= saddr || offset + size <= offset) + return -EINVAL; + + /* make sure object fit at this offset */ + eaddr = saddr + size - 1; +- if (saddr >= eaddr || +- (bo && offset + size > amdgpu_bo_size(bo)) || ++ if ((bo && offset + size > amdgpu_bo_size(bo)) || + (eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT)) + return -EINVAL; + +@@ -2295,14 +2295,14 @@ int amdgpu_vm_bo_replace_map(struct amdgpu_device *adev, + int r; + + /* validate the parameters */ +- if (saddr & ~PAGE_MASK || offset & 
~PAGE_MASK || +- size == 0 || size & ~PAGE_MASK) ++ if (saddr & ~PAGE_MASK || offset & ~PAGE_MASK || size & ~PAGE_MASK) ++ return -EINVAL; ++ if (saddr + size <= saddr || offset + size <= offset) + return -EINVAL; + + /* make sure object fit at this offset */ + eaddr = saddr + size - 1; +- if (saddr >= eaddr || +- (bo && offset + size > amdgpu_bo_size(bo)) || ++ if ((bo && offset + size > amdgpu_bo_size(bo)) || + (eaddr >= adev->vm_manager.max_pfn << AMDGPU_GPU_PAGE_SHIFT)) + return -EINVAL; + +-- +2.39.2 + diff --git a/tmp-5.10/apparmor-fix-missing-error-check-for-rhashtable_inse.patch b/tmp-5.10/apparmor-fix-missing-error-check-for-rhashtable_inse.patch new file mode 100644 index 00000000000..bb2b0630546 --- /dev/null +++ b/tmp-5.10/apparmor-fix-missing-error-check-for-rhashtable_inse.patch 
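Review bot: The new `saddr + size <= saddr || offset + size <= offset` test in amdgpu_vm_bo_map() and amdgpu_vm_bo_replace_map() also carries the `size == 0` rejection that the removed line spelled out, which is easy to lose in a later edit. A comment on it, `/* rejects wrap-around and size == 0 */`, or the kernel's `check_add_overflow()` together with an explicit `size == 0` test, would make both properties visible. The wrap check is only sound if all three operands are unsigned 64-bit; their declarations are outside the hunks (only `uint64_t eaddr` is shown). The same block is pasted into both functions, so a shared static helper would keep them from drifting, and any other mapping entry point in the file is worth checking for the same validation.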
@@ -0,0 +1,47 @@
+From 83648bdd4f9ee3aa360ef100d1de10c6f6a9df47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 Apr 2023 19:05:49 +0000
+Subject: apparmor: fix missing error check for rhashtable_insert_fast
+
+From: Danila Chernetsov
+
+[ Upstream commit 000518bc5aef25d3f703592a0296d578c98b1517 ]
+
+ rhashtable_insert_fast() could return err value when memory allocation is
+ failed. but unpack_profile() do not check values and this always returns
+ success value. This patch just adds error check code.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: e025be0f26d5 ("apparmor: support querying extended trusted helper extra data")
+
+Signed-off-by: Danila Chernetsov
+Signed-off-by: John Johansen
+Signed-off-by: Sasha Levin
+---
+ security/apparmor/policy_unpack.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 519656e685822..10896d69c442a 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -909,8 +909,13 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
+ goto fail;
+ }
+
+- rhashtable_insert_fast(profile->data, &data->head,
+- profile->data->p);
++ if (rhashtable_insert_fast(profile->data, &data->head,
++ profile->data->p)) {
++ kfree_sensitive(data->key);
++ kfree_sensitive(data);
++ info = "failed to insert data to table";
++ goto fail;
++ }
+ }
+
+ if (!unpack_nameX(e, AA_STRUCTEND, NULL)) {
+--
+2.39.2
+
diff --git a/tmp-5.10/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch b/tmp-5.10/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch
new file mode 100644
index 00000000000..2c823ef7986
--- /dev/null
+++ b/tmp-5.10/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch
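Review bot: The added failure branch in unpack_profile() tests the result of `rhashtable_insert_fast()` but then discards it, so an allocation failure and any other insert error are reported identically unless the `fail` label derives the code itself, which is outside the hunk. Storing the return value in the function's error code before `goto fail`, rather than only setting `info`, would keep the cause. The branch frees `data->key` and `data`; if `data` owns any further buffer allocated above the hunk, that buffer needs releasing here as well, otherwise this new error path leaks it.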
@@ -0,0 +1,62 @@ +From 7314034f30c496f14f37bf02080bc0cfd2b1702f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jun 2023 00:50:50 +0900 +Subject: ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ + guard + +From: Masahiro Yamada + +[ Upstream commit 92e2921eeafdfca9acd9b83f07d2b7ca099bac24 ] + +ASM_NL is useful not only in *.S files but also in .c files for using +inline assembler in C code. + +On ARC, however, ASM_NL is evaluated inconsistently. It is expanded to +a backquote (`) in *.S files, but a semicolon (;) in *.c files because +arch/arc/include/asm/linkage.h defines it inside #ifdef __ASSEMBLY__, +so the definition for C code falls back to the default value defined in +include/linux/linkage.h. + +If ASM_NL is used in inline assembler in .c files, it will result in +wrong assembly code because a semicolon is not an instruction separator, +but the start of a comment for ARC. + +Move ASM_NL (also __ALIGN and __ALIGN_STR) out of the #ifdef. + +Fixes: 9df62f054406 ("arch: use ASM_NL instead of ';' for assembler new line character in the macro") +Fixes: 8d92e992a785 ("ARC: define __ALIGN_STR and __ALIGN symbols for ARC") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/linkage.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arc/include/asm/linkage.h b/arch/arc/include/asm/linkage.h +index c9434ff3aa4ce..8a3fb71e9cfad 100644 +--- a/arch/arc/include/asm/linkage.h ++++ b/arch/arc/include/asm/linkage.h +@@ -8,6 +8,10 @@ + + #include + ++#define ASM_NL ` /* use '`' to mark new line in macro */ ++#define __ALIGN .align 4 ++#define __ALIGN_STR __stringify(__ALIGN) ++ + #ifdef __ASSEMBLY__ + + .macro ST2 e, o, off +@@ -28,10 +32,6 @@ + #endif + .endm + +-#define ASM_NL ` /* use '`' to mark new line in macro */ +-#define __ALIGN .align 4 +-#define __ALIGN_STR __stringify(__ALIGN) +- + /* annotation for data we want in DCCM - if enabled in .config */ + .macro ARCFP_DATA 
nm + #ifdef CONFIG_ARC_HAS_DCCM +-- +2.39.2 + diff --git a/tmp-5.10/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch b/tmp-5.10/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch new file mode 100644 index 00000000000..7a43d904aaa --- /dev/null +++ b/tmp-5.10/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch 
@@ -0,0 +1,103 @@ +From fc3a16cdbee65e0e36cb30850783dad860098922 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 19:28:42 +0100 +Subject: ARM: 9303/1: kprobes: avoid missing-declaration warnings + +From: Arnd Bergmann + +[ Upstream commit 1b9c3ddcec6a55e15d3e38e7405e2d078db02020 ] + +checker_stack_use_t32strd() and kprobe_handler() can be made static since +they are not used from other files, while coverage_start_registers() +and __kprobes_test_case() are used from assembler code, and just need +a declaration to avoid a warning with the global definition. + +arch/arm/probes/kprobes/checkers-common.c:43:18: error: no previous prototype for 'checker_stack_use_t32strd' +arch/arm/probes/kprobes/core.c:236:16: error: no previous prototype for 'kprobe_handler' +arch/arm/probes/kprobes/test-core.c:723:10: error: no previous prototype for 'coverage_start_registers' +arch/arm/probes/kprobes/test-core.c:918:14: error: no previous prototype for '__kprobes_test_case_start' +arch/arm/probes/kprobes/test-core.c:952:14: error: no previous prototype for '__kprobes_test_case_end_16' +arch/arm/probes/kprobes/test-core.c:967:14: error: no previous prototype for '__kprobes_test_case_end_32' + +Fixes: 6624cf651f1a ("ARM: kprobes: collects stack consumption for store instructions") +Fixes: 454f3e132d05 ("ARM/kprobes: Remove jprobe arm implementation") +Acked-by: Masami Hiramatsu (Google) +Reviewed-by: Kees Cook +Signed-off-by: Arnd Bergmann +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/probes/kprobes/checkers-common.c | 2 +- + arch/arm/probes/kprobes/core.c | 2 +- + arch/arm/probes/kprobes/opt-arm.c | 2 -- + arch/arm/probes/kprobes/test-core.c | 2 +- + arch/arm/probes/kprobes/test-core.h | 4 ++++ + 5 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/probes/kprobes/checkers-common.c b/arch/arm/probes/kprobes/checkers-common.c +index 4d720990cf2a3..eba7ac4725c02 100644 +--- 
a/arch/arm/probes/kprobes/checkers-common.c ++++ b/arch/arm/probes/kprobes/checkers-common.c +@@ -40,7 +40,7 @@ enum probes_insn checker_stack_use_imm_0xx(probes_opcode_t insn, + * Different from other insn uses imm8, the real addressing offset of + * STRD in T32 encoding should be imm8 * 4. See ARMARM description. + */ +-enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn, ++static enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn, + struct arch_probes_insn *asi, + const struct decode_header *h) + { +diff --git a/arch/arm/probes/kprobes/core.c b/arch/arm/probes/kprobes/core.c +index e513d8a467760..c0ed172893787 100644 +--- a/arch/arm/probes/kprobes/core.c ++++ b/arch/arm/probes/kprobes/core.c +@@ -231,7 +231,7 @@ singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb) + * kprobe, and that level is reserved for user kprobe handlers, so we can't + * risk encountering a new kprobe in an interrupt handler. + */ +-void __kprobes kprobe_handler(struct pt_regs *regs) ++static void __kprobes kprobe_handler(struct pt_regs *regs) + { + struct kprobe *p, *cur; + struct kprobe_ctlblk *kcb; +diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c +index c78180172120f..e20304f1d8bc9 100644 +--- a/arch/arm/probes/kprobes/opt-arm.c ++++ b/arch/arm/probes/kprobes/opt-arm.c +@@ -145,8 +145,6 @@ __arch_remove_optimized_kprobe(struct optimized_kprobe *op, int dirty) + } + } + +-extern void kprobe_handler(struct pt_regs *regs); +- + static void + optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs) + { +diff --git a/arch/arm/probes/kprobes/test-core.c b/arch/arm/probes/kprobes/test-core.c +index c562832b86272..171c7076b89f4 100644 +--- a/arch/arm/probes/kprobes/test-core.c ++++ b/arch/arm/probes/kprobes/test-core.c +@@ -720,7 +720,7 @@ static const char coverage_register_lookup[16] = { + [REG_TYPE_NOSPPCX] = COVERAGE_ANY_REG | COVERAGE_SP, + }; + +-unsigned coverage_start_registers(const struct 
decode_header *h) ++static unsigned coverage_start_registers(const struct decode_header *h) + { + unsigned regs = 0; + int i; +diff --git a/arch/arm/probes/kprobes/test-core.h b/arch/arm/probes/kprobes/test-core.h +index 19a5b2add41e1..805116c2ec27c 100644 +--- a/arch/arm/probes/kprobes/test-core.h ++++ b/arch/arm/probes/kprobes/test-core.h +@@ -453,3 +453,7 @@ void kprobe_thumb32_test_cases(void); + #else + void kprobe_arm_test_cases(void); + #endif ++ ++void __kprobes_test_case_start(void); ++void __kprobes_test_case_end_16(void); ++void __kprobes_test_case_end_32(void); +-- +2.39.2 + diff --git a/tmp-5.10/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch b/tmp-5.10/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch new file mode 100644 index 00000000000..1bed977a18a --- /dev/null +++ b/tmp-5.10/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch 
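Review bot: The test-core.c hunk makes `coverage_start_registers()` static, while the commit message says it is used from assembler code and only needs a declaration; one of the two is wrong. If the function really is referenced from assembly, `static` removes the external symbol and the prototype belongs in test-core.h beside the three `__kprobes_test_case_*` declarations this patch adds; if it is only called from C in this file, the message should say so. In the same way, `kprobe_handler()` becomes static in core.c and its `extern` is dropped from opt-arm.c, which is only safe if no other file still calls it, something the hunks do not show.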
@@ -0,0 +1,42 @@ +From baf7c9520a86c610580f05f4cae54be25411b863 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 May 2023 14:28:30 +0200 +Subject: ARM: dts: BCM5301X: Drop "clock-names" from the SPI node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit d3c8e2c5757153bbfad70019ec1decbca86f3def ] + +There is no such property in the SPI controller binding documentation. +Also Linux driver doesn't look for it. + +This fixes: +arch/arm/boot/dts/bcm4708-asus-rt-ac56u.dtb: spi@18029200: Unevaluated properties are not allowed ('clock-names' was unexpected) + From schema: Documentation/devicetree/bindings/spi/brcm,spi-bcm-qspi.yaml + +Signed-off-by: Rafał Miłecki +Link: https://lore.kernel.org/r/20230503122830.3200-1-zajec5@gmail.com +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm5301x.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi +index 9fdad20c40d17..4e9bb10f37d0f 100644 +--- a/arch/arm/boot/dts/bcm5301x.dtsi ++++ b/arch/arm/boot/dts/bcm5301x.dtsi +@@ -532,7 +532,6 @@ spi@18029200 { + "spi_lr_session_done", + "spi_lr_overread"; + clocks = <&iprocmed>; +- clock-names = "iprocmed"; + num-cs = <2>; + #address-cells = <1>; + #size-cells = <0>; +-- +2.39.2 + diff --git a/tmp-5.10/arm-dts-bcm5301x-fix-duplex-full-full-duplex.patch b/tmp-5.10/arm-dts-bcm5301x-fix-duplex-full-full-duplex.patch new file mode 100644 index 00000000000..178c6796ff2 --- /dev/null +++ b/tmp-5.10/arm-dts-bcm5301x-fix-duplex-full-full-duplex.patch 
@@ -0,0 +1,56 @@ +From fd40889163228b90e7bfca9c062a8318660eadf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 17:36:29 +0200 +Subject: ARM: dts: BCM5301X: fix duplex-full => full-duplex + +From: Christian Lamparter + +[ Upstream commit fd274b733bfdde3ca72f0fa2a37f032f3a8c402c ] + +this typo was found by the dtbs_check +| ports:port@5:fixed-link: 'oneOf' conditional failed, +| {'speed': [[1000]], 'duplex-full': True} is not of type 'array' +| 'duplex-full' does not match any of the regexes: 'pinctrl-[0-]..." + +this should have been full-duplex; + +Fixes: 935327a73553 ("ARM: dts: BCM5301X: Add DT for Meraki MR26") +Fixes: ec88a9c344d9 ("ARM: BCM5301X: Add DT for Meraki MR32") +Signed-off-by: Christian Lamparter +Link: https://lore.kernel.org/r/50522f45566951a9eabd22820647924cc6b4a264.1686238550.git.chunkeey@gmail.com +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm53015-meraki-mr26.dts | 2 +- + arch/arm/boot/dts/bcm53016-meraki-mr32.dts | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/bcm53015-meraki-mr26.dts b/arch/arm/boot/dts/bcm53015-meraki-mr26.dts +index 14f58033efeb9..ca2266b936ee2 100644 +--- a/arch/arm/boot/dts/bcm53015-meraki-mr26.dts ++++ b/arch/arm/boot/dts/bcm53015-meraki-mr26.dts +@@ -128,7 +128,7 @@ port@5 { + + fixed-link { + speed = <1000>; +- duplex-full; ++ full-duplex; + }; + }; + }; +diff --git a/arch/arm/boot/dts/bcm53016-meraki-mr32.dts b/arch/arm/boot/dts/bcm53016-meraki-mr32.dts +index 577a4dc604d93..edf9910100b02 100644 +--- a/arch/arm/boot/dts/bcm53016-meraki-mr32.dts ++++ b/arch/arm/boot/dts/bcm53016-meraki-mr32.dts +@@ -212,7 +212,7 @@ port@5 { + + fixed-link { + speed = <1000>; +- duplex-full; ++ full-duplex; + }; + }; + }; +-- +2.39.2 + 
diff --git a/tmp-5.10/arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch b/tmp-5.10/arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch new file mode 100644 index 00000000000..2316555798f --- /dev/null +++ b/tmp-5.10/arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch @@ -0,0 +1,41 @@ +From d0fe8327a81ceb5ee6aa2aad320725b3ead8933c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 13:32:25 +0300 +Subject: ARM: dts: gta04: Move model property out of pinctrl node + +From: Tony Lindgren + +[ Upstream commit 4ffec92e70ac5097b9f67ec154065305b16a3b46 ] + +The model property should be at the top level, let's move it out +of the pinctrl node. + +Fixes: d2eaf949d2c3 ("ARM: dts: omap3-gta04a5one: define GTA04A5 variant with OneNAND") +Cc: Andreas Kemnade +Cc: H. Nikolaus Schaller +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap3-gta04a5one.dts | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/omap3-gta04a5one.dts b/arch/arm/boot/dts/omap3-gta04a5one.dts +index 9db9fe67cd63b..95df45cc70c09 100644 +--- a/arch/arm/boot/dts/omap3-gta04a5one.dts ++++ b/arch/arm/boot/dts/omap3-gta04a5one.dts +@@ -5,9 +5,11 @@ + + #include "omap3-gta04a5.dts" + +-&omap3_pmx_core { ++/ { + model = "Goldelico GTA04A5/Letux 2804 with OneNAND"; ++}; + ++&omap3_pmx_core { + gpmc_pins: pinmux_gpmc_pins { + pinctrl-single,pins = < + +-- +2.39.2 + diff --git a/tmp-5.10/arm-dts-iwg20d-q7-common-fix-backlight-pwm-specifier.patch b/tmp-5.10/arm-dts-iwg20d-q7-common-fix-backlight-pwm-specifier.patch new file mode 100644 index 00000000000..0f261effd81 --- /dev/null +++ b/tmp-5.10/arm-dts-iwg20d-q7-common-fix-backlight-pwm-specifier.patch 
@@ -0,0 +1,49 @@ +From e3e315614609204c57a5787c1db753b9080191b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 May 2023 17:35:16 +0200 +Subject: ARM: dts: iwg20d-q7-common: Fix backlight pwm specifier + +From: Geert Uytterhoeven + +[ Upstream commit 0501fdec106a291c43b3c1b525cf22ab4c24b2d8 ] + +make dtbs_check: + + arch/arm/boot/dts/renesas/r8a7743-iwg20d-q7.dtb: backlight: pwms: [[58, 0, 5000000], [0]] is too long + From schema: Documentation/devicetree/bindings/leds/backlight/pwm-backlight.yaml + arch/arm/boot/dts/renesas/r8a7743-iwg20d-q7-dbcm-ca.dtb: backlight: pwms: [[67, 0, 5000000], [0]] is too long + From schema: Documentation/devicetree/bindings/leds/backlight/pwm-backlight.yaml + arch/arm/boot/dts/renesas/r8a7744-iwg20d-q7-dbcm-ca.dtb: backlight: pwms: [[67, 0, 5000000], [0]] is too long + From schema: Documentation/devicetree/bindings/leds/backlight/pwm-backlight.yaml + arch/arm/boot/dts/renesas/r8a7744-iwg20d-q7.dtb: backlight: pwms: [[58, 0, 5000000], [0]] is too long + From schema: Documentation/devicetree/bindings/leds/backlight/pwm-backlight.yaml + +PWM specifiers referring to R-Car PWM Timer Controllers should contain +only two cells. + +Fix this by dropping the bogus third cell. 
+ +Fixes: 6f89dd9e9325d05b ("ARM: dts: iwg20d-q7-common: Add LCD support") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/6e5c3167424a43faf8c1fa68d9667b3d87dc86d8.1684855911.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/iwg20d-q7-common.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/iwg20d-q7-common.dtsi b/arch/arm/boot/dts/iwg20d-q7-common.dtsi +index 63cafd220dba1..358f5477deef6 100644 +--- a/arch/arm/boot/dts/iwg20d-q7-common.dtsi ++++ b/arch/arm/boot/dts/iwg20d-q7-common.dtsi +@@ -49,7 +49,7 @@ audio_clock: audio_clock { + lcd_backlight: backlight { + compatible = "pwm-backlight"; + +- pwms = <&pwm3 0 5000000 0>; ++ pwms = <&pwm3 0 5000000>; + brightness-levels = <0 4 8 16 32 64 128 255>; + default-brightness-level = <7>; + enable-gpios = <&gpio5 14 GPIO_ACTIVE_HIGH>; +-- +2.39.2 + diff --git a/tmp-5.10/arm-dts-meson8-correct-uart_b-and-uart_c-clock-refer.patch b/tmp-5.10/arm-dts-meson8-correct-uart_b-and-uart_c-clock-refer.patch new file mode 100644 index 00000000000..7bdce4b7560 --- /dev/null +++ b/tmp-5.10/arm-dts-meson8-correct-uart_b-and-uart_c-clock-refer.patch 
@@ -0,0 +1,51 @@
+From 9bda67cb6f5f0f5b9bae89dd2488bee6b473f966 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 22:30:29 +0200
+Subject: ARM: dts: meson8: correct uart_B and uart_C clock references
+
+From: Martin Blumenstingl
+
+[ Upstream commit 98b503c7fb13a17a47d8ebf15fa8f7c10118e75c ]
+
+On Meson8 uart_B and uart_C do not work, because they are relying on
+incorrect clocks. Change the references of pclk to the correct CLKID
+(UART1 for uart_B and UART2 for uart_C), to allow use of the two uarts.
+
+This was originally reported by Hans-Frieder Vogt for Meson8b [0], but
+the same bug is also present in meson8.dtsi
+
+[0] https://lore.kernel.org/linux-amlogic/trinity-bf20bcb9-790b-4ab9-99e3-0831ef8257f4-1680878185420@3c-app-gmx-bap55/
+
+Fixes: 57007bfb5469 ("ARM: dts: meson8: Fix the UART device-tree schema validation")
+Reported-by: Hans-Frieder Vogt # for meson8b.dtsi
+Signed-off-by: Martin Blumenstingl
+Link: https://lore.kernel.org/r/20230516203029.1031174-1-martin.blumenstingl@googlemail.com
+Signed-off-by: Neil Armstrong
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/meson8.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/meson8.dtsi b/arch/arm/boot/dts/meson8.dtsi
+index 08533116a39ce..0d045add81658 100644
+--- a/arch/arm/boot/dts/meson8.dtsi
++++ b/arch/arm/boot/dts/meson8.dtsi
+@@ -611,13 +611,13 @@ &uart_A {
+
+ &uart_B {
+ compatible = "amlogic,meson8-uart";
+- clocks = <&xtal>, <&clkc CLKID_UART0>, <&clkc CLKID_CLK81>;
++ clocks = <&xtal>, <&clkc CLKID_UART1>, <&clkc CLKID_CLK81>;
+ clock-names = "xtal", "pclk", "baud";
+ };
+
+ &uart_C {
+ compatible = "amlogic,meson8-uart";
+- clocks = <&xtal>, <&clkc CLKID_UART0>, <&clkc CLKID_CLK81>;
++ clocks = <&xtal>, <&clkc CLKID_UART2>, <&clkc CLKID_CLK81>;
+ clock-names = "xtal", "pclk", "baud";
+ };
+
+--
+2.39.2
+
diff --git a/tmp-5.10/arm-dts-meson8b-correct-uart_b-and-uart_c-clock-refe.patch b/tmp-5.10/arm-dts-meson8b-correct-uart_b-and-uart_c-clock-refe.patch
new file mode 100644
index 00000000000..7cffa7e1f92
--- /dev/null
+++ b/tmp-5.10/arm-dts-meson8b-correct-uart_b-and-uart_c-clock-refe.patch
@@ -0,0 +1,47 @@
+From 9404dffef384060d37931f035a204d95f5bfcd54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Apr 2023 16:36:25 +0200
+Subject: ARM: dts: meson8b: correct uart_B and uart_C clock references
+
+From: hfdevel@gmx.net
+
+[ Upstream commit d542ce8d4769cdef6a7bc3437e59cfed9c68f0e4 ]
+
+With the current device tree for meson8b, uarts B (e.g. available on pins
+8/10 on Odroid-C1) and C (pins 3/5 on Odroid-C1) do not work, because they
+are relying on incorrect clocks. Change the references of pclk to the
+correct CLKID, to allow use of the two uarts.
+
+Fixes: 3375aa77135f ("ARM: dts: meson8b: Fix the UART device-tree schema validation")
+Signed-off-by: Hans-Frieder Vogt
+Reviewed-by: Martin Blumenstingl
+Link: https://lore.kernel.org/r/trinity-bf20bcb9-790b-4ab9-99e3-0831ef8257f4-1680878185420@3c-app-gmx-bap55
+Signed-off-by: Neil Armstrong
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/meson8b.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/meson8b.dtsi b/arch/arm/boot/dts/meson8b.dtsi
+index f6eb7c803174e..af2454c9f77a4 100644
+--- a/arch/arm/boot/dts/meson8b.dtsi
++++ b/arch/arm/boot/dts/meson8b.dtsi
+@@ -599,13 +599,13 @@ &uart_A {
+
+ &uart_B {
+ compatible = "amlogic,meson8b-uart";
+- clocks = <&xtal>, <&clkc CLKID_UART0>, <&clkc CLKID_CLK81>;
++ clocks = <&xtal>, <&clkc CLKID_UART1>, <&clkc CLKID_CLK81>;
+ clock-names = "xtal", "pclk", "baud";
+ };
+
+ &uart_C {
+ compatible = "amlogic,meson8b-uart";
+- clocks = <&xtal>, <&clkc CLKID_UART0>, <&clkc CLKID_CLK81>;
++ clocks = <&xtal>, <&clkc CLKID_UART2>, <&clkc CLKID_CLK81>;
+ clock-names = "xtal", "pclk", "baud";
+ };
+
+--
+2.39.2
+
diff --git a/tmp-5.10/arm-dts-stm32-fix-audio-routing-on-stm32mp15xx-dhcom.patch b/tmp-5.10/arm-dts-stm32-fix-audio-routing-on-stm32mp15xx-dhcom.patch
new file mode 100644
index 00000000000..767a9a558b7
--- /dev/null
+++ b/tmp-5.10/arm-dts-stm32-fix-audio-routing-on-stm32mp15xx-dhcom.patch
@@ -0,0 +1,52 @@
+From b8857474a15c897b535a459cb4f9530894cbb2d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 20:01:12 +0200
+Subject: ARM: dts: stm32: Fix audio routing on STM32MP15xx DHCOM PDK2
+
+From: Marek Vasut
+
+[ Upstream commit e3f2778b1b6ced649bffdc7cbb05b80bb92f2108 ]
+
+The audio routing flow is not correct, the flow should be from source
+(second element in the pair) to sink (first element in the pair). The
+flow now is from "HP_OUT" to "Playback", where "Playback" is source
+and "HP_OUT" is sink, i.e. the direction is swapped and there is no
+direct link between the two either.
+
+Fill in the correct routing, where "HP_OUT" supplies the "Headphone Jack",
+"Line In Jack" supplies "LINE_IN" input, "Microphone Jack" supplies "MIC_IN"
+input and "Mic Bias" supplies "Microphone Jack".
+
+Fixes: 34e0c7847dcf ("ARM: dts: stm32: Add DH Electronics DHCOM STM32MP1 SoM and PDK2 board")
+Signed-off-by: Marek Vasut
+Signed-off-by: Alexandre Torgue
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi
+index fd0cd10cb0931..2c391065135e3 100644
+--- a/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi
++++ b/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi
+@@ -120,10 +120,13 @@ lcd_panel_in: endpoint {
+
+ sound {
+ compatible = "audio-graph-card";
+- routing =
+- "MIC_IN", "Capture",
+- "Capture", "Mic Bias",
+- "Playback", "HP_OUT";
++ widgets = "Headphone", "Headphone Jack",
++ "Line", "Line In Jack",
++ "Microphone", "Microphone Jack";
++ routing = "Headphone Jack", "HP_OUT",
++ "LINE_IN", "Line In Jack",
++ "MIC_IN", "Microphone Jack",
++ "Microphone Jack", "Mic Bias";
+ dais = <&sai2a_port &sai2b_port>;
+ status = "okay";
+ };
+--
+2.39.2
+
diff --git a/tmp-5.10/arm-dts-stm32-fix-i2s-endpoint-format-property-for-s.patch b/tmp-5.10/arm-dts-stm32-fix-i2s-endpoint-format-property-for-s.patch
new file mode 100644
index 00000000000..e69d6347267
--- /dev/null
+++ b/tmp-5.10/arm-dts-stm32-fix-i2s-endpoint-format-property-for-s.patch
@@ -0,0 +1,36 @@
+From b05d681909193bd51074e065d153f90a003504ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 13:56:04 +0200
+Subject: ARM: dts: stm32: fix i2s endpoint format property for stm32mp15xx-dkx
+
+From: Olivier Moysan
+
+[ Upstream commit 076c74c592cabe4a47537fe5205b5b678bed010d ]
+
+Use "dai-format" to configure DAI audio format as specified in
+audio-graph-port.yaml bindings.
+
+Fixes: 144d1ba70548 ("ARM: dts: stm32: Adapt STM32MP157 DK boards to stm32 DT diversity")
+Signed-off-by: Olivier Moysan
+Signed-off-by: Alexandre Torgue
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/stm32mp15xx-dkx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/stm32mp15xx-dkx.dtsi b/arch/arm/boot/dts/stm32mp15xx-dkx.dtsi
+index 47df8ac67cf1a..75869d6a1ab24 100644
+--- a/arch/arm/boot/dts/stm32mp15xx-dkx.dtsi
++++ b/arch/arm/boot/dts/stm32mp15xx-dkx.dtsi
+@@ -406,7 +406,7 @@ &i2s2 {
+ i2s2_port: port {
+ i2s2_endpoint: endpoint {
+ remote-endpoint = <&sii9022_tx_endpoint>;
+- format = "i2s";
++ dai-format = "i2s";
+ mclk-fs = <256>;
+ };
+ };
+--
+2.39.2
+
diff --git a/tmp-5.10/arm-dts-stm32-move-ethernet-mac-eeprom-from-som-to-c.patch b/tmp-5.10/arm-dts-stm32-move-ethernet-mac-eeprom-from-som-to-c.patch
new file mode 100644
index 00000000000..f5855a13346
--- /dev/null
+++ b/tmp-5.10/arm-dts-stm32-move-ethernet-mac-eeprom-from-som-to-c.patch
@@ -0,0 +1,59 @@
+From c3dd4ab3693fcf8c7dff8540cf49ad57f2804bfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 May 2023 23:37:29 +0200
+Subject: ARM: dts: stm32: Move ethernet MAC EEPROM from SoM to carrier boards
+
+From: Marek Vasut
+
+[ Upstream commit 9660efc2af37f3c12dc6e6a5511ad99e0addc297 ]
+
+The ethernet MAC EEPROM is not populated on the SoM itself, it has to be
+populated on each carrier board. Move the EEPROM into the correct place
+in DTs, i.e. the carrier board DTs. Add label to the EEPROM too.
+
+Fixes: 7e76f82acd9e1 ("ARM: dts: stm32: Split Avenger96 into DHCOR SoM and Avenger96 board")
+Signed-off-by: Marek Vasut
+Signed-off-by: Alexandre Torgue
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi | 6 ++++++
+ arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi | 6 ------
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi
+index 723b39bb2129c..c43cf62736a6f 100644
+--- a/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi
++++ b/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi
+@@ -232,6 +232,12 @@ adv7513_i2s0: endpoint {
+ };
+ };
+ };
++
++ dh_mac_eeprom: eeprom@53 {
++ compatible = "atmel,24c02";
++ reg = <0x53>;
++ pagesize = <16>;
++ };
+ };
+
+ <dc {
+diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi
+index 5af32140e128b..7dba02e9ba6da 100644
+--- a/arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi
++++ b/arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi
+@@ -167,12 +167,6 @@ watchdog {
+ status = "disabled";
+ };
+ };
+-
+- eeprom@53 {
+- compatible = "atmel,24c02";
+- reg = <0x53>;
+- pagesize = <16>;
+- };
+ };
+
+ &iwdg2 {
+--
+2.39.2
+
diff --git a/tmp-5.10/arm-dts-stm32-shorten-the-av96-hdmi-sound-card-name.patch b/tmp-5.10/arm-dts-stm32-shorten-the-av96-hdmi-sound-card-name.patch
new file mode 100644
index 00000000000..7ba5d9c61ed
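Review bot: The `eeprom@53` node is removed from stm32mp15xx-dhcor-som.dtsi but re-added only in stm32mp15xx-dhcor-avenger96.dtsi, so any other carrier-board file in this tree that includes the SoM dtsi would lose the MAC EEPROM without a build error. The commit message says the part has to be described on each carrier board, so it is worth confirming that Avenger96 is the only DHCOR carrier in the 5.10 tree before this is queued. The new `dh_mac_eeprom` label is not referenced anywhere in the patch; a short comment on the node, for example `/* MAC address EEPROM, fitted on the carrier board */`, would say why it lives here. Both enclosing nodes start outside the hunks.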
--- /dev/null
+++ b/tmp-5.10/arm-dts-stm32-shorten-the-av96-hdmi-sound-card-name.patch
@@ -0,0 +1,38 @@
+From 53501329971e3103e2dde5d1429b1a075499c011 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 May 2023 02:42:32 +0200
+Subject: ARM: dts: stm32: Shorten the AV96 HDMI sound card name
+
+From: Marek Vasut
+
+[ Upstream commit 0cf765e598712addec34d0208cc1418c151fefb2 ]
+
+Fix the following error in kernel log due to too long sound card name:
+"
+asoc-audio-graph-card sound: ASoC: driver name too long 'STM32MP1-AV96-HDMI' -> 'STM32MP1-AV96-H'
+"
+
+Fixes: e027da342772 ("ARM: dts: stm32: Add bindings for audio on AV96")
+Signed-off-by: Marek Vasut
+Signed-off-by: Alexandre Torgue
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi
+index c43cf62736a6f..d8547307a9505 100644
+--- a/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi
++++ b/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi
+@@ -88,7 +88,7 @@ sd_switch: regulator-sd_switch {
+
+ sound {
+ compatible = "audio-graph-card";
+- label = "STM32MP1-AV96-HDMI";
++ label = "STM32-AV96-HDMI";
+ dais = <&sai2a_port>;
+ status = "okay";
+ };
+--
+2.39.2
+
diff --git a/tmp-5.10/arm-ep93xx-fix-missing-prototype-warnings.patch b/tmp-5.10/arm-ep93xx-fix-missing-prototype-warnings.patch
new file mode 100644
index 00000000000..48e52e9b257
--- /dev/null
+++ b/tmp-5.10/arm-ep93xx-fix-missing-prototype-warnings.patch
@@ -0,0 +1,48 @@
+From 7aae886b3f612ffa04fca5a31b5d7f5d3f6824db Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 17:30:58 +0200
+Subject: ARM: ep93xx: fix missing-prototype warnings
+
+From: Arnd Bergmann
+
+[ Upstream commit 419013740ea1e4343d8ade535d999f59fa28e460 ]
+
+ep93xx_clocksource_read() is only called from the file it is declared in,
+while ep93xx_timer_init() is declared in a header that is not included here.
+
+arch/arm/mach-ep93xx/timer-ep93xx.c:120:13: error: no previous prototype for 'ep93xx_timer_init'
+arch/arm/mach-ep93xx/timer-ep93xx.c:63:5: error: no previous prototype for 'ep93xx_clocksource_read'
+
+Fixes: 000bc17817bf ("ARM: ep93xx: switch to GENERIC_CLOCKEVENTS")
+Acked-by: Alexander Sverdlin
+Link: https://lore.kernel.org/r/20230516153109.514251-3-arnd@kernel.org
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-ep93xx/timer-ep93xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-ep93xx/timer-ep93xx.c b/arch/arm/mach-ep93xx/timer-ep93xx.c
+index dd4b164d18317..a9efa7bc2fa12 100644
+--- a/arch/arm/mach-ep93xx/timer-ep93xx.c
++++ b/arch/arm/mach-ep93xx/timer-ep93xx.c
+@@ -9,6 +9,7 @@
+ #include
+ #include
+ #include "soc.h"
++#include "platform.h"
+
+ /*************************************************************************
+ * Timer handling for EP93xx
+@@ -60,7 +61,7 @@ static u64 notrace ep93xx_read_sched_clock(void)
+ return ret;
+ }
+
+-u64 ep93xx_clocksource_read(struct clocksource *c)
++static u64 ep93xx_clocksource_read(struct clocksource *c)
+ {
+ u64 ret;
+
+--
+2.39.2
+
diff --git a/tmp-5.10/arm-omap2-fix-missing-tick_broadcast-prototype.patch b/tmp-5.10/arm-omap2-fix-missing-tick_broadcast-prototype.patch
new file mode 100644
index 00000000000..bd0cd522c58
--- /dev/null
+++ b/tmp-5.10/arm-omap2-fix-missing-tick_broadcast-prototype.patch
@@ -0,0 +1,41 @@
+From 6e3d57b85f098052588fbf9c7ad47e8aef55d20d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 17:31:04 +0200
+Subject: ARM: omap2: fix missing tick_broadcast() prototype
+
+From: Arnd Bergmann
+
+[ Upstream commit 861bc1d2886d47bd57a2cbf2cda87fdbe3eb9d08 ]
+
+omap2 contains a hack to define tick_broadcast() on non-SMP
+configurations in place of the normal SMP definition. This one
+causes a warning because of a missing prototype:
+
+arch/arm/mach-omap2/board-generic.c:44:6: error: no previous prototype for 'tick_broadcast'
+
+Make sure to always include the header with the declaration.
+
+Fixes: d86ad463d670 ("ARM: OMAP2+: Fix regression for using local timer on non-SMP SoCs")
+Acked-by: Aaro Koskinen
+Link: https://lore.kernel.org/r/20230516153109.514251-9-arnd@kernel.org
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-omap2/board-generic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/mach-omap2/board-generic.c b/arch/arm/mach-omap2/board-generic.c
+index 1610c567a6a3a..10d2f078e4a8e 100644
+--- a/arch/arm/mach-omap2/board-generic.c
++++ b/arch/arm/mach-omap2/board-generic.c
+@@ -13,6 +13,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+--
+2.39.2
+
diff --git a/tmp-5.10/arm-orion5x-fix-d2net-gpio-initialization.patch b/tmp-5.10/arm-orion5x-fix-d2net-gpio-initialization.patch
new file mode 100644
index 00000000000..f0266df5c4e
--- /dev/null
+++ b/tmp-5.10/arm-orion5x-fix-d2net-gpio-initialization.patch
@@ -0,0 +1,55 @@
+From f8ef1233939495c405a9faa4bd1ae7d3f581bae4 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Tue, 16 May 2023 17:31:05 +0200
+Subject: ARM: orion5x: fix d2net gpio initialization
+
+From: Arnd Bergmann
+
+commit f8ef1233939495c405a9faa4bd1ae7d3f581bae4 upstream.
+
+The DT version of this board has a custom file with the gpio
+device. However, it does nothing because the d2net_init()
+has no caller or prototype:
+
+arch/arm/mach-orion5x/board-d2net.c:101:13: error: no previous prototype for 'd2net_init'
+
+Call it from the board-dt file as intended.
+
+Fixes: 94b0bd366e36 ("ARM: orion5x: convert d2net to Device Tree")
+Reviewed-by: Andrew Lunn
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230516153109.514251-10-arnd@kernel.org
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mach-orion5x/board-dt.c | 3 +++
+ arch/arm/mach-orion5x/common.h | 6 ++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/arch/arm/mach-orion5x/board-dt.c
++++ b/arch/arm/mach-orion5x/board-dt.c
+@@ -63,6 +63,9 @@ static void __init orion5x_dt_init(void)
+ if (of_machine_is_compatible("maxtor,shared-storage-2"))
+ mss2_init();
+
++ if (of_machine_is_compatible("lacie,d2-network"))
++ d2net_init();
++
+ of_platform_default_populate(NULL, orion5x_auxdata_lookup, NULL);
+ }
+
+--- a/arch/arm/mach-orion5x/common.h
++++ b/arch/arm/mach-orion5x/common.h
+@@ -75,6 +75,12 @@ extern void mss2_init(void);
+ static inline void mss2_init(void) {}
+ #endif
+
++#ifdef CONFIG_MACH_D2NET_DT
++void d2net_init(void);
++#else
++static inline void d2net_init(void) {}
++#endif
++
+ /*****************************************************************************
+ * Helpers to access Orion registers
+ ****************************************************************************/
diff --git a/tmp-5.10/arm64-dts-microchip-sparx5-do-not-use-psci-on-refere.patch b/tmp-5.10/arm64-dts-microchip-sparx5-do-not-use-psci-on-refere.patch
new file mode 100644
index 00000000000..9fb9cecf574
--- /dev/null
+++ b/tmp-5.10/arm64-dts-microchip-sparx5-do-not-use-psci-on-refere.patch
@@ -0,0 +1,74 @@
+From 1a947d6626d6818c1d38c4f92628b2d8e42d66e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Feb 2023 11:50:37 +0100
+Subject: arm64: dts: microchip: sparx5: do not use PSCI on reference boards
+
+From: Robert Marko
+
+[ Upstream commit 70be83708c925b3f72c508e4756e48ad2330c830 ]
+
+PSCI is not implemented on SparX-5 at all, there is no ATF and U-boot that
+is shipped does not implement it as well.
+
+I have tried flashing the latest BSP 2022.12 U-boot which did not work.
+After contacting Microchip, they confirmed that there is no ATF for the
+SoC nor PSCI implementation which is unfortunate in 2023.
+
+So, disable PSCI as otherwise kernel crashes as soon as it tries probing
+PSCI with, and the crash is only visible if earlycon is used.
+
+Since PSCI is not implemented, switch core bringup to use spin-tables
+which are implemented in the vendor U-boot and actually work.
+
+Tested on PCB134 with eMMC (VSC5640EV).
+
+Fixes: 6694aee00a4b ("arm64: dts: sparx5: Add basic cpu support")
+Signed-off-by: Robert Marko
+Acked-by: Steen Hegelund
+Link: https://lore.kernel.org/r/20230221105039.316819-1-robert.marko@sartura.hr
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/microchip/sparx5.dtsi | 2 +-
+ arch/arm64/boot/dts/microchip/sparx5_pcb_common.dtsi | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/microchip/sparx5.dtsi b/arch/arm64/boot/dts/microchip/sparx5.dtsi
+index 3cb01c39c3c80..8dd679fbeed1c 100644
+--- a/arch/arm64/boot/dts/microchip/sparx5.dtsi
++++ b/arch/arm64/boot/dts/microchip/sparx5.dtsi
+@@ -61,7 +61,7 @@ arm-pmu {
+ interrupt-affinity = <&cpu0>, <&cpu1>;
+ };
+
+- psci {
++ psci: psci {
+ compatible = "arm,psci-0.2";
+ method = "smc";
+ };
+diff --git a/arch/arm64/boot/dts/microchip/sparx5_pcb_common.dtsi b/arch/arm64/boot/dts/microchip/sparx5_pcb_common.dtsi
+index 9d1a082de3e29..32bb76b3202a0 100644
+--- a/arch/arm64/boot/dts/microchip/sparx5_pcb_common.dtsi
++++ b/arch/arm64/boot/dts/microchip/sparx5_pcb_common.dtsi
+@@ -6,6 +6,18 @@
+ /dts-v1/;
+ #include "sparx5.dtsi"
+
++&psci {
++ status = "disabled";
++};
++
++&cpu0 {
++ enable-method = "spin-table";
++};
++
++&cpu1 {
++ enable-method = "spin-table";
++};
++
+ &uart0 {
+ status = "okay";
+ };
+--
+2.39.2
+
diff --git a/tmp-5.10/arm64-dts-qcom-apq8096-fix-fixed-regulator-name-prop.patch b/tmp-5.10/arm64-dts-qcom-apq8096-fix-fixed-regulator-name-prop.patch
new file mode 100644
index 00000000000..1a74673ee9e
--- /dev/null
+++ b/tmp-5.10/arm64-dts-qcom-apq8096-fix-fixed-regulator-name-prop.patch
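Review bot: `&cpu0` and `&cpu1` switch to `enable-method = "spin-table"` but the hunk sets no `cpu-release-addr`, which the arm64 spin-table method needs in order to release a secondary CPU. Presumably the vendor U-Boot mentioned in the commit message adds the property at boot, and the cpu nodes in sparx5.dtsi are outside the hunk, so this may already be covered; if not, the second core would stay offline. A comment next to the override, for example `/* cpu-release-addr is filled in by the bootloader */`, would record that dependency. With the `psci` node disabled, any reset or power-off path that relied on PSCI also has to come from another driver, which the patch does not show.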
@@ -0,0 +1,49 @@
+From 62ce48d1057d4ae0796fc65ad7208fe9743be84b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 7 May 2023 19:45:16 +0200
+Subject: arm64: dts: qcom: apq8096: fix fixed regulator name property
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit c77612a07d18d4425fd8ddd532a8a9b8e1970c53 ]
+
+Correct the typo in 'regulator-name' property.
+
+ apq8096-ifc6640.dtb: v1p05-regulator: 'regulator-name' is a required property
+ apq8096-ifc6640.dtb: v1p05-regulator: Unevaluated properties are not allowed ('reglator-name' was unexpected)
+
+Fixes: 6cbdec2d3ca6 ("arm64: dts: qcom: msm8996: Introduce IFC6640")
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Konrad Dybcio
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20230507174516.264936-3-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/apq8096-ifc6640.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/apq8096-ifc6640.dts b/arch/arm64/boot/dts/qcom/apq8096-ifc6640.dts
+index f6ddf17ada81b..861b356a982b7 100644
+--- a/arch/arm64/boot/dts/qcom/apq8096-ifc6640.dts
++++ b/arch/arm64/boot/dts/qcom/apq8096-ifc6640.dts
+@@ -26,7 +26,7 @@ chosen {
+
+ v1p05: v1p05-regulator {
+ compatible = "regulator-fixed";
+- reglator-name = "v1p05";
++ regulator-name = "v1p05";
+ regulator-always-on;
+ regulator-boot-on;
+
+@@ -38,7 +38,7 @@ v1p05: v1p05-regulator {
+
+ v12_poe: v12-poe-regulator {
+ compatible = "regulator-fixed";
+- reglator-name = "v12_poe";
++ regulator-name = "v12_poe";
+ regulator-always-on;
+ regulator-boot-on;
+
+--
+2.39.2
+
diff --git a/tmp-5.10/arm64-dts-qcom-msm8916-correct-camss-unit-address.patch b/tmp-5.10/arm64-dts-qcom-msm8916-correct-camss-unit-address.patch
new file mode 100644
index 00000000000..10cd61f5a0f
--- /dev/null
+++ b/tmp-5.10/arm64-dts-qcom-msm8916-correct-camss-unit-address.patch
@@ -0,0 +1,39 @@
+From 4fb0c9a2f753870d97e5e56ba840b4737abd159d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Apr 2023 23:18:40 +0200
+Subject: arm64: dts: qcom: msm8916: correct camss unit address
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 48798d992ce276cf0d57bf75318daf8eabd02aa4 ]
+
+Match unit-address to reg entry to fix dtbs W=1 warnings:
+
+ Warning (simple_bus_reg): /soc@0/camss@1b00000: simple-bus unit address format error, expected "1b0ac00"
+
+Fixes: 58f479f90a7c ("arm64: dts: qcom: msm8916: Add CAMSS support")
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Konrad Dybcio
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20230419211856.79332-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+index c32e4a3833f23..5b79e4a373311 100644
+--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+@@ -1006,7 +1006,7 @@ dsi_phy0: dsi-phy@1a98300 {
+ };
+ };
+
+- camss: camss@1b00000 {
++ camss: camss@1b0ac00 {
+ compatible = "qcom,msm8916-camss";
+ reg = <0x01b0ac00 0x200>,
+ <0x01b00030 0x4>,
+--
+2.39.2
+
diff --git a/tmp-5.10/arm64-dts-qcom-msm8994-correct-spmi-unit-address.patch b/tmp-5.10/arm64-dts-qcom-msm8994-correct-spmi-unit-address.patch
new file mode 100644
index 00000000000..dc56e874625
--- /dev/null
+++ b/tmp-5.10/arm64-dts-qcom-msm8994-correct-spmi-unit-address.patch
@@ -0,0 +1,39 @@
+From 33b79243b2edf485e2f82baf817115544d98d28f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Apr 2023 23:18:46 +0200
+Subject: arm64: dts: qcom: msm8994: correct SPMI unit address
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 24f0f6a8059c7108d4ee3476c95db1e7ff4feb79 ]
+
+Match unit-address to reg entry to fix dtbs W=1 warnings:
+
+ Warning (simple_bus_reg): /soc/spmi@fc4c0000: simple-bus unit address format error, expected "fc4cf000"
+
+Fixes: b0ad598f8ec0 ("arm64: dts: qcom: msm8994: Add SPMI PMIC arbiter device")
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Konrad Dybcio
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20230419211856.79332-8-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/msm8994.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8994.dtsi b/arch/arm64/boot/dts/qcom/msm8994.dtsi
+index aeb5762566e91..caaf7102f5798 100644
+--- a/arch/arm64/boot/dts/qcom/msm8994.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8994.dtsi
+@@ -489,7 +489,7 @@ restart@fc4ab000 {
+ reg = <0xfc4ab000 0x4>;
+ };
+
+- spmi_bus: spmi@fc4c0000 {
++ spmi_bus: spmi@fc4cf000 {
+ compatible = "qcom,spmi-pmic-arb";
+ reg = <0xfc4cf000 0x1000>,
+ <0xfc4cb000 0x1000>,
+--
+2.39.2
+
diff --git a/tmp-5.10/arm64-dts-qcom-msm8996-correct-camss-unit-address.patch b/tmp-5.10/arm64-dts-qcom-msm8996-correct-camss-unit-address.patch
new file mode 100644
index 00000000000..0c13328be34
--- /dev/null
+++ b/tmp-5.10/arm64-dts-qcom-msm8996-correct-camss-unit-address.patch
@@ -0,0 +1,39 @@
+From d0821629c9f64b66aa49daaa893f10aa9e457e0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Apr 2023 23:18:47 +0200
+Subject: arm64: dts: qcom: msm8996: correct camss unit address
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit e959ced1d0e5ef0b1f66a0c2d0e1ae80790e5ca5 ]
+
+Match unit-address to reg entry to fix dtbs W=1 warnings:
+
+ Warning (simple_bus_reg): /soc/camss@a00000: simple-bus unit address format error, expected "a34000"
+
+Fixes: e0531312e78f ("arm64: dts: qcom: msm8996: Add CAMSS support")
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Konrad Dybcio
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20230419211856.79332-9-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/qcom/msm8996.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+index 159cdd03e7c01..73f7490911c92 100644
+--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
+@@ -956,7 +956,7 @@ ufsphy_lane: lanes@627400 {
+ };
+ };
+
+- camss: camss@a00000 {
++ camss: camss@a34000 {
+ compatible = "qcom,msm8996-camss";
+ reg = <0x00a34000 0x1000>,
+ <0x00a00030 0x4>,
+--
+2.39.2
+
diff --git a/tmp-5.10/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch b/tmp-5.10/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch
new file mode 100644
index 00000000000..7fb49b41741
--- /dev/null
+++ b/tmp-5.10/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch
@@ -0,0 +1,46 @@
+From 13e3bed1a94f30724d4c5d95df0ccedd229604cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 May 2023 10:48:22 +0200
+Subject: arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1
+
+From: Wolfram Sang
+
+[ Upstream commit 1a2c4e5635177939a088d22fa35c6a7032725663 ]
+
+The schematics are misleading, the flow control is for HSCIF1. We need
+SCIF1 for GNSS/GPS which does not use flow control.
+
+Fixes: c6c816e22bc8 ("arm64: dts: ulcb-kf: enable SCIF1")
+Signed-off-by: Wolfram Sang
+Reviewed-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/r/20230525084823.4195-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/renesas/ulcb-kf.dtsi | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
+index 05e64bfad0235..24d0a1337ae1c 100644
+--- a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
++++ b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
+@@ -270,7 +270,7 @@ hscif0_pins: hscif0 {
+ };
+
+ scif1_pins: scif1 {
+- groups = "scif1_data_b", "scif1_ctrl";
++ groups = "scif1_data_b";
+ function = "scif1";
+ };
+
+@@ -330,7 +330,6 @@ rsnd_for_pcm3168a_capture: endpoint {
+ &scif1 {
+ pinctrl-0 = <&scif1_pins>;
+ pinctrl-names = "default";
+- uart-has-rtscts;
+
+ status = "okay";
+ };
+--
+2.39.2
+
diff --git a/tmp-5.10/arm64-dts-ti-k3-j7200-fix-physical-address-of-pin.patch b/tmp-5.10/arm64-dts-ti-k3-j7200-fix-physical-address-of-pin.patch
new file mode 100644
index 00000000000..8885061c12e
--- /dev/null
+++ b/tmp-5.10/arm64-dts-ti-k3-j7200-fix-physical-address-of-pin.patch
@@ -0,0 +1,83 @@
+From 7e38e22db56bffebe882e21234734c1281a78505 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Apr 2023 09:30:06 +0530
+Subject: arm64: dts: ti: k3-j7200: Fix physical address of pin
+
+From: Keerthy
+
+[ Upstream commit 3d011933000ed9054c649952d83162d24f020a93 ]
+
+wkup_pmx splits into multiple regions. Like
+
+ wkup_pmx0 -> 13 pins (WKUP_PADCONFIG 0 - 12)
+ wkup_pmx1 -> 2 pins (WKUP_PADCONFIG 14 - 15)
+ wkup_pmx2 -> 59 pins (WKUP_PADCONFIG 26 - 84)
+ wkup_pmx3 -> 8 pins (WKUP_PADCONFIG 93 - 100)
+
+With this split, pin offset needs to be adjusted to
+match with new pmx for all pins above wkup_pmx0.
+
+Example a pin under wkup_pmx1 should start from 0 instead of
+old offset(0x38 WKUP_PADCONFIG 14 offset)
+
+J7200 Datasheet (Table 6-106, Section 6.4 Pin Multiplexing) :
+https://www.ti.com/lit/ds/symlink/dra821u.pdf
+
+Fixes: 9ae21ac445e9 ("arm64: dts: ti: k3-j7200: Fix wakeup pinmux range")
+
+Signed-off-by: Keerthy
+Signed-off-by: Udit Kumar
+Link: https://lore.kernel.org/r/20230419040007.3022780-2-u-kumar1@ti.com
+Signed-off-by: Vignesh Raghavendra
+Signed-off-by: Sasha Levin
+---
+ .../dts/ti/k3-j7200-common-proc-board.dts | 28 +++++++++----------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j7200-common-proc-board.dts b/arch/arm64/boot/dts/ti/k3-j7200-common-proc-board.dts
+index 909ab6661aef5..4ec5e955c33c2 100644
+--- a/arch/arm64/boot/dts/ti/k3-j7200-common-proc-board.dts
++++ b/arch/arm64/boot/dts/ti/k3-j7200-common-proc-board.dts
+@@ -19,25 +19,25 @@ chosen {
+ &wkup_pmx2 {
+ mcu_cpsw_pins_default: mcu-cpsw-pins-default {
+ pinctrl-single,pins = <
+- J721E_WKUP_IOPAD(0x0068, PIN_OUTPUT, 0) /* MCU_RGMII1_TX_CTL */
+- J721E_WKUP_IOPAD(0x006c, PIN_INPUT, 0) /* MCU_RGMII1_RX_CTL */
+- J721E_WKUP_IOPAD(0x0070, PIN_OUTPUT, 0) /* MCU_RGMII1_TD3 */
+- J721E_WKUP_IOPAD(0x0074, PIN_OUTPUT, 0) /* MCU_RGMII1_TD2 */
+- J721E_WKUP_IOPAD(0x0078, PIN_OUTPUT, 0) /* MCU_RGMII1_TD1 */
+- J721E_WKUP_IOPAD(0x007c, PIN_OUTPUT, 0) /* MCU_RGMII1_TD0 */
+- J721E_WKUP_IOPAD(0x0088, PIN_INPUT, 0) /* MCU_RGMII1_RD3 */
+- J721E_WKUP_IOPAD(0x008c, PIN_INPUT, 0) /* MCU_RGMII1_RD2 */
+- J721E_WKUP_IOPAD(0x0090, PIN_INPUT, 0) /* MCU_RGMII1_RD1 */
+- J721E_WKUP_IOPAD(0x0094, PIN_INPUT, 0) /* MCU_RGMII1_RD0 */
+- J721E_WKUP_IOPAD(0x0080, PIN_OUTPUT, 0) /* MCU_RGMII1_TXC */
+- J721E_WKUP_IOPAD(0x0084, PIN_INPUT, 0) /* MCU_RGMII1_RXC */
++ J721E_WKUP_IOPAD(0x0000, PIN_OUTPUT, 0) /* MCU_RGMII1_TX_CTL */
++ J721E_WKUP_IOPAD(0x0004, PIN_INPUT, 0) /* MCU_RGMII1_RX_CTL */
++ J721E_WKUP_IOPAD(0x0008, PIN_OUTPUT, 0) /* MCU_RGMII1_TD3 */
++ J721E_WKUP_IOPAD(0x000c, PIN_OUTPUT, 0) /* MCU_RGMII1_TD2 */
++ J721E_WKUP_IOPAD(0x0010, PIN_OUTPUT, 0) /* MCU_RGMII1_TD1 */
++ J721E_WKUP_IOPAD(0x0014, PIN_OUTPUT, 0) /* MCU_RGMII1_TD0 */
++ J721E_WKUP_IOPAD(0x0020, PIN_INPUT, 0) /* MCU_RGMII1_RD3 */
++ J721E_WKUP_IOPAD(0x0024, PIN_INPUT, 0) /* MCU_RGMII1_RD2 */
++ J721E_WKUP_IOPAD(0x0028, PIN_INPUT, 0) /* MCU_RGMII1_RD1 */
++ J721E_WKUP_IOPAD(0x002c, PIN_INPUT, 0) /* MCU_RGMII1_RD0 */
++ J721E_WKUP_IOPAD(0x0018, PIN_OUTPUT, 0) /* MCU_RGMII1_TXC */
++ J721E_WKUP_IOPAD(0x001c, PIN_INPUT, 0) /* MCU_RGMII1_RXC */
+ >;
+ };
+
+ mcu_mdio_pins_default: mcu-mdio1-pins-default {
+ pinctrl-single,pins = <
+- J721E_WKUP_IOPAD(0x009c, PIN_OUTPUT, 0) /* (L1) MCU_MDIO0_MDC */
+- J721E_WKUP_IOPAD(0x0098, PIN_INPUT, 0) /* (L4) MCU_MDIO0_MDIO */
++ J721E_WKUP_IOPAD(0x0034, PIN_OUTPUT, 0) /* (L1) MCU_MDIO0_MDC */
++ J721E_WKUP_IOPAD(0x0030, PIN_INPUT, 0) /* (L4) MCU_MDIO0_MDIO */
+ >;
+ };
+ };
+--
+2.39.2
+
diff --git a/tmp-5.10/arm64-mm-fix-va-range-sanity-check.patch b/tmp-5.10/arm64-mm-fix-va-range-sanity-check.patch
new file mode 100644
index 00000000000..166e73a5a1c
--- /dev/null
+++ b/tmp-5.10/arm64-mm-fix-va-range-sanity-check.patch
@@ -0,0 +1,106 @@
+From 34a94f8f8024cacbb5c3ba4332d0c5de6e2245d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jun 2023 11:26:28 +0100
+Subject: arm64: mm: fix VA-range sanity check
+
+From: Mark Rutland
+
+[ Upstream commit ab9b4008092c86dc12497af155a0901cc1156999 ]
+
+Both create_mapping_noalloc() and update_mapping_prot() sanity-check
+their 'virt' parameter, but the check itself doesn't make much sense.
+The condition used today appears to be a historical accident.
+
+The sanity-check condition:
+
+ if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
+ [ ... warning here ... ]
+ return;
+ }
+
+... can only be true for the KASAN shadow region or the module region,
+and there's no reason to exclude these specifically for creating and
+updateing mappings.
+
+When arm64 support was first upstreamed in commit:
+
+ c1cc1552616d0f35 ("arm64: MMU initialisation")
+
+... the condition was:
+
+ if (virt < VMALLOC_START) {
+ [ ... warning here ... ]
+ return;
+ }
+
+At the time, VMALLOC_START was the lowest kernel address, and this was
+checking whether 'virt' would be translated via TTBR1.
+
+Subsequently in commit:
+
+ 14c127c957c1c607 ("arm64: mm: Flip kernel VA space")
+
+... the condition was changed to:
+
+ if ((virt >= VA_START) && (virt < VMALLOC_START)) {
+ [ ... warning here ... ]
+ return;
+ }
+
+This appear to have been a thinko. The commit moved the linear map to
+the bottom of the kernel address space, with VMALLOC_START being at the
+halfway point. The old condition would warn for changes to the linear
+map below this, and at the time VA_START was the end of the linear map.
+
+Subsequently we cleaned up the naming of VA_START in commit:
+
+ 77ad4ce69321abbe ("arm64: memory: rename VA_START to PAGE_END")
+
+... keeping the erroneous condition as:
+
+ if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
+ [ ... warning here ... ]
+ return;
+ }
+
+Correct the condition to check against the start of the TTBR1 address
+space, which is currently PAGE_OFFSET. This simplifies the logic, and
+more clearly matches the "outside kernel range" message in the warning.
+
+Signed-off-by: Mark Rutland
+Cc: Russell King
+Cc: Steve Capper
+Cc: Will Deacon
+Reviewed-by: Russell King (Oracle)
+Link: https://lore.kernel.org/r/20230615102628.1052103-1-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/mm/mmu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
+index 3284709ef5676..78f9fb638c9cd 100644
+--- a/arch/arm64/mm/mmu.c
++++ b/arch/arm64/mm/mmu.c
+@@ -421,7 +421,7 @@ static phys_addr_t pgd_pgtable_alloc(int shift)
+ static void __init create_mapping_noalloc(phys_addr_t phys, unsigned long virt,
+ phys_addr_t size, pgprot_t prot)
+ {
+- if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
++ if (virt < PAGE_OFFSET) {
+ pr_warn("BUG: not creating mapping for %pa at 0x%016lx - outside kernel range\n",
+ &phys, virt);
+ return;
+@@ -448,7 +448,7 @@ void __init create_pgd_mapping(struct mm_struct *mm, phys_addr_t phys,
+ static void update_mapping_prot(phys_addr_t phys, unsigned long virt,
+ phys_addr_t size, pgprot_t prot)
+ {
+- if ((virt >= PAGE_END) && (virt < VMALLOC_START)) {
++ if (virt < PAGE_OFFSET) {
+ pr_warn("BUG: not updating mapping for %pa at 0x%016lx - outside kernel range\n",
+ &phys, virt);
+ return;
+--
+2.39.2
+
diff --git a/tmp-5.10/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch b/tmp-5.10/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch
new file mode 100644
index 00000000000..bc50e880870
--- /dev/null
+++ b/tmp-5.10/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch
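Review bot: The new `virt < PAGE_OFFSET` test appears twice, in create_mapping_noalloc() and in update_mapping_prot(), with no comment saying what PAGE_OFFSET stands for here, so the reasoning lives only in the commit message. A one-line comment above each test would keep it with the code, e.g. `/* PAGE_OFFSET is the start of the TTBR1 (kernel) VA range; reject anything below it */`. Both functions return void and the rejected case only logs through pr_warn() before `return;`, so a caller of update_mapping_prot() cannot tell that the requested protection change was not applied; if any caller depends on it for a read-only or no-exec transition, a louder report than a plain warning may be warranted. The function bodies continue outside these hunks, so that last point is inferred from the visible lines only.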
@@ -0,0 +1,166 @@ +From cd8e5d79cab114791c5b98c2d085dd413f493162 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 10:04:36 +0900 +Subject: arm64: set __exception_irq_entry with __irq_entry as a default + +From: Youngmin Nam + +[ Upstream commit f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3 ] + +filter_irq_stacks() is supposed to cut entries which are related irq entries +from its call stack. +And in_irqentry_text() which is called by filter_irq_stacks() +uses __irqentry_text_start/end symbol to find irq entries in callstack. + +But it doesn't work correctly as without "CONFIG_FUNCTION_GRAPH_TRACER", +arm64 kernel doesn't include gic_handle_irq which is entry point of arm64 irq +between __irqentry_text_start and __irqentry_text_end as we discussed in below link. +https://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t + +This problem can makes unintentional deep call stack entries especially +in KASAN enabled situation as below. + +[ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity +[ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c +[ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--) +[ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c +[ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c +[ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0 +[ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000 +[ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd +[ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040 +[ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000 +[ 2479.385969]I[0:launcher-loader: 1719] 
x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20 +[ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8 +[ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800 +[ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8 +[ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c +[ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022 +[ 2479.386231]I[0:launcher-loader: 1719] Call trace: +[ 2479.386248]I[0:launcher-loader: 1719] __stack_depot_save+0x464/0x46c +[ 2479.386273]I[0:launcher-loader: 1719] kasan_save_stack+0x58/0x70 +[ 2479.386303]I[0:launcher-loader: 1719] save_stack_info+0x34/0x138 +[ 2479.386331]I[0:launcher-loader: 1719] kasan_save_free_info+0x18/0x24 +[ 2479.386358]I[0:launcher-loader: 1719] ____kasan_slab_free+0x16c/0x170 +[ 2479.386385]I[0:launcher-loader: 1719] __kasan_slab_free+0x10/0x20 +[ 2479.386410]I[0:launcher-loader: 1719] kmem_cache_free+0x238/0x53c +[ 2479.386435]I[0:launcher-loader: 1719] mempool_free_slab+0x1c/0x28 +[ 2479.386460]I[0:launcher-loader: 1719] mempool_free+0x7c/0x1a0 +[ 2479.386484]I[0:launcher-loader: 1719] bvec_free+0x34/0x80 +[ 2479.386514]I[0:launcher-loader: 1719] bio_free+0x60/0x98 +[ 2479.386540]I[0:launcher-loader: 1719] bio_put+0x50/0x21c +[ 2479.386567]I[0:launcher-loader: 1719] f2fs_write_end_io+0x4ac/0x4d0 +[ 2479.386594]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 +[ 2479.386622]I[0:launcher-loader: 1719] __dm_io_complete+0x324/0x37c +[ 2479.386650]I[0:launcher-loader: 1719] dm_io_dec_pending+0x60/0xa4 +[ 2479.386676]I[0:launcher-loader: 1719] clone_endio+0xf8/0x2f0 +[ 2479.386700]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 +[ 2479.386727]I[0:launcher-loader: 1719] blk_update_request+0x258/0x63c +[ 2479.386754]I[0:launcher-loader: 1719] 
scsi_end_request+0x50/0x304 +[ 2479.386782]I[0:launcher-loader: 1719] scsi_io_completion+0x88/0x160 +[ 2479.386808]I[0:launcher-loader: 1719] scsi_finish_command+0x17c/0x194 +[ 2479.386833]I[0:launcher-loader: 1719] scsi_complete+0xcc/0x158 +[ 2479.386859]I[0:launcher-loader: 1719] blk_mq_complete_request+0x4c/0x5c +[ 2479.386885]I[0:launcher-loader: 1719] scsi_done_internal+0xf4/0x1e0 +[ 2479.386910]I[0:launcher-loader: 1719] scsi_done+0x14/0x20 +[ 2479.386935]I[0:launcher-loader: 1719] ufshcd_compl_one_cqe+0x578/0x71c +[ 2479.386963]I[0:launcher-loader: 1719] ufshcd_mcq_poll_cqe_nolock+0xc8/0x150 +[ 2479.386991]I[0:launcher-loader: 1719] ufshcd_intr+0x868/0xc0c +[ 2479.387017]I[0:launcher-loader: 1719] __handle_irq_event_percpu+0xd0/0x348 +[ 2479.387044]I[0:launcher-loader: 1719] handle_irq_event_percpu+0x24/0x74 +[ 2479.387068]I[0:launcher-loader: 1719] handle_irq_event+0x74/0xe0 +[ 2479.387091]I[0:launcher-loader: 1719] handle_fasteoi_irq+0x174/0x240 +[ 2479.387118]I[0:launcher-loader: 1719] handle_irq_desc+0x7c/0x2c0 +[ 2479.387147]I[0:launcher-loader: 1719] generic_handle_domain_irq+0x1c/0x28 +[ 2479.387174]I[0:launcher-loader: 1719] gic_handle_irq+0x64/0x158 +[ 2479.387204]I[0:launcher-loader: 1719] call_on_irq_stack+0x2c/0x54 +[ 2479.387231]I[0:launcher-loader: 1719] do_interrupt_handler+0x70/0xa0 +[ 2479.387258]I[0:launcher-loader: 1719] el1_interrupt+0x34/0x68 +[ 2479.387283]I[0:launcher-loader: 1719] el1h_64_irq_handler+0x18/0x24 +[ 2479.387308]I[0:launcher-loader: 1719] el1h_64_irq+0x68/0x6c +[ 2479.387332]I[0:launcher-loader: 1719] blk_attempt_bio_merge+0x8/0x170 +[ 2479.387356]I[0:launcher-loader: 1719] blk_mq_attempt_bio_merge+0x78/0x98 +[ 2479.387383]I[0:launcher-loader: 1719] blk_mq_submit_bio+0x324/0xa40 +[ 2479.387409]I[0:launcher-loader: 1719] __submit_bio+0x104/0x138 +[ 2479.387436]I[0:launcher-loader: 1719] submit_bio_noacct_nocheck+0x1d0/0x4a0 +[ 2479.387462]I[0:launcher-loader: 1719] submit_bio_noacct+0x618/0x804 +[ 
2479.387487]I[0:launcher-loader: 1719] submit_bio+0x164/0x180 +[ 2479.387511]I[0:launcher-loader: 1719] f2fs_submit_read_bio+0xe4/0x1c4 +[ 2479.387537]I[0:launcher-loader: 1719] f2fs_mpage_readpages+0x888/0xa4c +[ 2479.387563]I[0:launcher-loader: 1719] f2fs_readahead+0xd4/0x19c +[ 2479.387587]I[0:launcher-loader: 1719] read_pages+0xb0/0x4ac +[ 2479.387614]I[0:launcher-loader: 1719] page_cache_ra_unbounded+0x238/0x288 +[ 2479.387642]I[0:launcher-loader: 1719] do_page_cache_ra+0x60/0x6c +[ 2479.387669]I[0:launcher-loader: 1719] page_cache_ra_order+0x318/0x364 +[ 2479.387695]I[0:launcher-loader: 1719] ondemand_readahead+0x30c/0x3d8 +[ 2479.387722]I[0:launcher-loader: 1719] page_cache_sync_ra+0xb4/0xc8 +[ 2479.387749]I[0:launcher-loader: 1719] filemap_read+0x268/0xd24 +[ 2479.387777]I[0:launcher-loader: 1719] f2fs_file_read_iter+0x1a0/0x62c +[ 2479.387806]I[0:launcher-loader: 1719] vfs_read+0x258/0x34c +[ 2479.387831]I[0:launcher-loader: 1719] ksys_pread64+0x8c/0xd0 +[ 2479.387857]I[0:launcher-loader: 1719] __arm64_sys_pread64+0x48/0x54 +[ 2479.387881]I[0:launcher-loader: 1719] invoke_syscall+0x58/0x158 +[ 2479.387909]I[0:launcher-loader: 1719] el0_svc_common+0xf0/0x134 +[ 2479.387935]I[0:launcher-loader: 1719] do_el0_svc+0x44/0x114 +[ 2479.387961]I[0:launcher-loader: 1719] el0_svc+0x2c/0x80 +[ 2479.387985]I[0:launcher-loader: 1719] el0t_64_sync_handler+0x48/0x114 +[ 2479.388010]I[0:launcher-loader: 1719] el0t_64_sync+0x190/0x194 +[ 2479.388038]I[0:launcher-loader: 1719] Kernel panic - not syncing: kernel: panic_on_warn set ... + +So let's set __exception_irq_entry with __irq_entry as a default. +Applying this patch, we can see gic_hande_irq is included in Systemp.map as below. 
+ +* Before +ffffffc008010000 T __do_softirq +ffffffc008010000 T __irqentry_text_end +ffffffc008010000 T __irqentry_text_start +ffffffc008010000 T __softirqentry_text_start +ffffffc008010000 T _stext +ffffffc00801066c T __softirqentry_text_end +ffffffc008010670 T __entry_text_start + +* After +ffffffc008010000 T __irqentry_text_start +ffffffc008010000 T _stext +ffffffc008010000 t gic_handle_irq +ffffffc00801013c t gic_handle_irq +ffffffc008010294 T __irqentry_text_end +ffffffc008010298 T __do_softirq +ffffffc008010298 T __softirqentry_text_start +ffffffc008010904 T __softirqentry_text_end +ffffffc008010908 T __entry_text_start + +Signed-off-by: Youngmin Nam +Signed-off-by: SEO HOYOUNG +Reviewed-by: Mark Rutland +Link: https://lore.kernel.org/r/20230424010436.779733-1-youngmin.nam@samsung.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/exception.h | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/arch/arm64/include/asm/exception.h b/arch/arm64/include/asm/exception.h +index 0756191f44f64..59c3facb8a560 100644 +--- a/arch/arm64/include/asm/exception.h ++++ b/arch/arm64/include/asm/exception.h +@@ -8,16 +8,11 @@ + #define __ASM_EXCEPTION_H + + #include +-#include + #include + + #include + +-#ifdef CONFIG_FUNCTION_GRAPH_TRACER + #define __exception_irq_entry __irq_entry +-#else +-#define __exception_irq_entry __kprobes +-#endif + + static inline u32 disr_to_esr(u64 disr) + { +-- +2.39.2 + diff --git a/tmp-5.10/asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch b/tmp-5.10/asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch new file mode 100644 index 00000000000..a5ac2b760f4 --- /dev/null +++ b/tmp-5.10/asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch 
@@ -0,0 +1,91 @@
+From 655481753870665c78cce54b03c30f0105e93f37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 May 2023 21:11:39 +0300
+Subject: ASoC: es8316: Do not set rate constraints for unsupported MCLKs
+
+From: Cristian Ciocaltea
+
+[ Upstream commit 60413129ee2b38a80347489270af7f6e1c1de4d0 ]
+
+When using the codec through the generic audio graph card, there are at
+least two calls of es8316_set_dai_sysclk(), with the effect of limiting
+the allowed sample rates according to the MCLK/LRCK ratios supported by
+the codec:
+
+1. During audio card setup, to set the initial MCLK - see
+ asoc_simple_init_dai().
+
+2. Before opening a stream, to update MCLK, according to the stream
+ sample rate and the multiplication factor - see
+ asoc_simple_hw_params().
+
+In some cases the initial MCLK might be set to a frequency that doesn't
+match any of the supported ratios, e.g. 12287999 instead of 12288000,
+which is only 1 Hz below the supported clock, as that is what the
+hardware reports. This creates an empty list of rate constraints, which
+is further passed to snd_pcm_hw_constraint_list() via
+es8316_pcm_startup(), and causes the following error on the very first
+access of the sound card:
+
+ $ speaker-test -D hw:Analog,0 -F S16_LE -c 2 -t wav
+ Broken configuration for playback: no configurations available: Invalid argument
+ Setting of hwparams failed: Invalid argument
+
+Note that all subsequent retries succeed thanks to the updated MCLK set
+at point 2 above, which uses a computed frequency value instead of a
+reading from the hardware registers. Normally this would have mitigated
+the issue, but es8316_pcm_startup() executes before the 2nd call to
+es8316_set_dai_sysclk(), hence it cannot make use of the updated
+constraints.
+
+Since es8316_pcm_hw_params() performs anyway a final validation of MCLK
+against the stream sample rate and the supported MCLK/LRCK ratios, fix
+the issue by ensuring that sysclk_constraints list is only set when at
+least one supported sample rate is autodetected by the codec.
+
+Fixes: b8b88b70875a ("ASoC: add es8316 codec driver")
+Signed-off-by: Cristian Ciocaltea
+Link: https://lore.kernel.org/r/20230530181140.483936-3-cristian.ciocaltea@collabora.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/es8316.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c
+index 423d9ce2df266..03ad34a275da2 100644
+--- a/sound/soc/codecs/es8316.c
++++ b/sound/soc/codecs/es8316.c
+@@ -369,13 +369,11 @@ static int es8316_set_dai_sysclk(struct snd_soc_dai *codec_dai,
+ int count = 0;
+
+ es8316->sysclk = freq;
++ es8316->sysclk_constraints.list = NULL;
++ es8316->sysclk_constraints.count = 0;
+
+- if (freq == 0) {
+- es8316->sysclk_constraints.list = NULL;
+- es8316->sysclk_constraints.count = 0;
+-
++ if (freq == 0)
+ return 0;
+- }
+
+ ret = clk_set_rate(es8316->mclk, freq);
+ if (ret)
+@@ -391,8 +389,10 @@ static int es8316_set_dai_sysclk(struct snd_soc_dai *codec_dai,
+ es8316->allowed_rates[count++] = freq / ratio;
+ }
+
+- es8316->sysclk_constraints.list = es8316->allowed_rates;
+- es8316->sysclk_constraints.count = count;
++ if (count) {
++ es8316->sysclk_constraints.list = es8316->allowed_rates;
++ es8316->sysclk_constraints.count = count;
++ }
+
+ return 0;
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/asoc-es8316-increment-max-value-for-alc-capture-targ.patch b/tmp-5.10/asoc-es8316-increment-max-value-for-alc-capture-targ.patch
new file mode 100644
index 00000000000..0829b497ac5
--- /dev/null
+++ b/tmp-5.10/asoc-es8316-increment-max-value-for-alc-capture-targ.patch
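Review bot: The constraint reset now runs before `clk_set_rate()`, so when that call fails the previously valid `sysclk_constraints` have already been cleared, and `es8316->sysclk` already holds the rejected frequency (the latter predates this change). Assuming the `if (ret)` branch returns the error, which happens outside the hunk, the driver state then no longer describes the clock that is actually running. Clearing the list only in the `freq == 0` case and after a successful `clk_set_rate()` would leave the old state intact on failure. A short comment on `if (count)` such as `/* no matching ratio: leave constraints unset, hw_params validates MCLK later */` would also record why an empty list is never published.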
@@ -0,0 +1,91 @@
+From c0fee8503ffb0dbaec8bdf6ee059ced74d68ad7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 May 2023 21:11:38 +0300
+Subject: ASoC: es8316: Increment max value for ALC Capture Target Volume
+ control
+
+From: Cristian Ciocaltea
+
+[ Upstream commit 6f073429037cd79d7311cd8236311c53f5ea8f01 ]
+
+The following error occurs when trying to restore a previously saved
+ALSA mixer state (tested on a Rock 5B board):
+
+ $ alsactl --no-ucm -f /tmp/asound.state store hw:Analog
+ $ alsactl --no-ucm -I -f /tmp/asound.state restore hw:Analog
+ alsactl: set_control:1475: Cannot write control '2:0:0:ALC Capture Target Volume:0' : Invalid argument
+
+According to ES8316 datasheet, the register at address 0x2B, which is
+related to the above mixer control, contains by default the value 0xB0.
+Considering the corresponding ALC target bits (ALCLVL) are 7:4, the
+control is initialized with 11, which is one step above the maximum
+value allowed by the driver:
+
+ ALCLVL | dB gain
+ -------+--------
+ 0000 | -16.5
+ 0001 | -15.0
+ 0010 | -13.5
+ .... | .....
+ 0111 | -6.0
+ 1000 | -4.5
+ 1001 | -3.0
+ 1010 | -1.5
+ .... | .....
+ 1111 | -1.5
+
+The tests performed using the VU meter feature (--vumeter=TYPE) of
+arecord/aplay confirm the specs are correct and there is no measured
+gain if the 1011-1111 range would have been mapped to 0 dB:
+
+ dB gain | VU meter %
+ --------+-----------
+ -6.0 | 30-31
+ -4.5 | 35-36
+ -3.0 | 42-43
+ -1.5 | 50-51
+ 0.0 | 50-51
+
+Increment the max value allowed for ALC Capture Target Volume control,
+so that it matches the hardware default. Additionally, update the
+related TLV to prevent an artificial extension of the dB gain range.
+
+Fixes: b8b88b70875a ("ASoC: add es8316 codec driver")
+Signed-off-by: Cristian Ciocaltea
+Link: https://lore.kernel.org/r/20230530181140.483936-2-cristian.ciocaltea@collabora.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/es8316.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c
+index bc3d46617a113..423d9ce2df266 100644
+--- a/sound/soc/codecs/es8316.c
++++ b/sound/soc/codecs/es8316.c
+@@ -52,7 +52,12 @@ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(dac_vol_tlv, -9600, 50, 1);
+ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(adc_vol_tlv, -9600, 50, 1);
+ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_max_gain_tlv, -650, 150, 0);
+ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_min_gain_tlv, -1200, 150, 0);
+-static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_target_tlv, -1650, 150, 0);
++
++static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(alc_target_tlv,
++ 0, 10, TLV_DB_SCALE_ITEM(-1650, 150, 0),
++ 11, 11, TLV_DB_SCALE_ITEM(-150, 0, 0),
++);
++
+ static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(hpmixer_gain_tlv,
+ 0, 4, TLV_DB_SCALE_ITEM(-1200, 150, 0),
+ 8, 11, TLV_DB_SCALE_ITEM(-450, 150, 0),
+@@ -115,7 +120,7 @@ static const struct snd_kcontrol_new es8316_snd_controls[] = {
+ alc_max_gain_tlv),
+ SOC_SINGLE_TLV("ALC Capture Min Volume", ES8316_ADC_ALC2, 0, 28, 0,
+ alc_min_gain_tlv),
+- SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 10, 0,
++ SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 11, 0,
+ alc_target_tlv),
+ SOC_SINGLE("ALC Capture Hold Time", ES8316_ADC_ALC3, 0, 10, 0),
+ SOC_SINGLE("ALC Capture Decay Time", ES8316_ADC_ALC4, 4, 10, 0),
+--
+2.39.2
+
diff --git a/tmp-5.10/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch b/tmp-5.10/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch
new file mode 100644
index 00000000000..1f341340367
--- /dev/null
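Review bot: The control maximum is raised only to 11, while the ALCLVL table in the description lists register values up to 1111 as valid (all at -1.5 dB), so a register holding 12–15 would still fall outside the control's range and presumably fail the same way on restore. If the field can hold those values, the second range item could cover them (`11, 15, TLV_DB_SCALE_ITEM(-150, 0, 0),`) with the `SOC_SINGLE_TLV` maximum set to 15. Otherwise a comment next to `alc_target_tlv` should say that 11 is accepted only because it is the hardware default and repeats the -1.5 dB step.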
+++ b/tmp-5.10/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch
@@ -0,0 +1,43 @@
+From 269f399dc19f0e5c51711c3ba3bd06e0ef6ef403 Mon Sep 17 00:00:00 2001
+From: Matus Gajdos
+Date: Wed, 12 Jul 2023 14:49:33 +0200
+Subject: ASoC: fsl_sai: Disable bit clock with transmitter
+
+From: Matus Gajdos
+
+commit 269f399dc19f0e5c51711c3ba3bd06e0ef6ef403 upstream.
+
+Otherwise bit clock remains running writing invalid data to the DAC.
+
+Signed-off-by: Matus Gajdos
+Acked-by: Shengjiu Wang
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230712124934.32232-1-matuszpd@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/fsl/fsl_sai.c | 2 +-
+ sound/soc/fsl/fsl_sai.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -552,7 +552,7 @@ static void fsl_sai_config_disable(struc
+ u32 xcsr, count = 100;
+
+ regmap_update_bits(sai->regmap, FSL_SAI_xCSR(tx, ofs),
+- FSL_SAI_CSR_TERE, 0);
++ FSL_SAI_CSR_TERE | FSL_SAI_CSR_BCE, 0);
+
+ /* TERE will remain set till the end of current frame */
+ do {
+--- a/sound/soc/fsl/fsl_sai.h
++++ b/sound/soc/fsl/fsl_sai.h
+@@ -87,6 +87,7 @@
+ /* SAI Transmit/Receive Control Register */
+ #define FSL_SAI_CSR_TERE BIT(31)
+ #define FSL_SAI_CSR_SE BIT(30)
++#define FSL_SAI_CSR_BCE BIT(28)
+ #define FSL_SAI_CSR_FR BIT(25)
+ #define FSL_SAI_CSR_SR BIT(24)
+ #define FSL_SAI_CSR_xF_SHIFT 16
diff --git a/tmp-5.10/asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch b/tmp-5.10/asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch
new file mode 100644
index 00000000000..87854f3ee42
--- /dev/null
+++ b/tmp-5.10/asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch
@@ -0,0 +1,66 @@
+From 3eb6dfc1692123ab3d624af63151fa201b2ad317 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jun 2023 15:15:09 +0300
+Subject: ASoC: imx-audmix: check return value of devm_kasprintf()
+
+From: Claudiu Beznea
+
+[ Upstream commit 2f76e1d6ca524a888d29aafe29f2ad2003857971 ]
+
+devm_kasprintf() returns a pointer to dynamically allocated memory.
+Pointer could be NULL in case allocation fails. Check pointer validity.
+Identified with coccinelle (kmerr.cocci script).
+
+Fixes: b86ef5367761 ("ASoC: fsl: Add Audio Mixer machine driver")
+Signed-off-by: Claudiu Beznea
+Link: https://lore.kernel.org/r/20230614121509.443926-1-claudiu.beznea@microchip.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/fsl/imx-audmix.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/sound/soc/fsl/imx-audmix.c b/sound/soc/fsl/imx-audmix.c
+index cbdc0a2c09c54..77d8234c7ac49 100644
+--- a/sound/soc/fsl/imx-audmix.c
++++ b/sound/soc/fsl/imx-audmix.c
+@@ -230,6 +230,8 @@ static int imx_audmix_probe(struct platform_device *pdev)
+
+ dai_name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "%s%s",
+ fe_name_pref, args.np->full_name + 1);
++ if (!dai_name)
++ return -ENOMEM;
+
+ dev_info(pdev->dev.parent, "DAI FE name:%s\n", dai_name);
+
+@@ -238,6 +240,8 @@ static int imx_audmix_probe(struct platform_device *pdev)
+ capture_dai_name =
+ devm_kasprintf(&pdev->dev, GFP_KERNEL, "%s %s",
+ dai_name, "CPU-Capture");
++ if (!capture_dai_name)
++ return -ENOMEM;
+ }
+
+ priv->dai[i].cpus = &dlc[0];
+@@ -268,6 +272,8 @@ static int imx_audmix_probe(struct platform_device *pdev)
+ "AUDMIX-Playback-%d", i);
+ be_cp = devm_kasprintf(&pdev->dev, GFP_KERNEL,
+ "AUDMIX-Capture-%d", i);
++ if (!be_name || !be_pb || !be_cp)
++ return -ENOMEM;
+
+ priv->dai[num_dai + i].cpus = &dlc[3];
+ priv->dai[num_dai + i].codecs = &dlc[4];
+@@ -295,6 +301,9 @@ static int imx_audmix_probe(struct platform_device *pdev)
+ priv->dapm_routes[i].source =
+ devm_kasprintf(&pdev->dev, GFP_KERNEL, "%s %s",
+ dai_name, "CPU-Playback");
++ if (!priv->dapm_routes[i].source)
++ return -ENOMEM;
++
+ priv->dapm_routes[i].sink = be_pb;
+ priv->dapm_routes[num_dai + i].source = be_pb;
+ priv->dapm_routes[num_dai + i].sink = be_cp;
+--
+2.39.2
+
diff --git a/tmp-5.10/asoc-mediatek-mt8173-fix-irq-error-path.patch b/tmp-5.10/asoc-mediatek-mt8173-fix-irq-error-path.patch
new file mode 100644
index 00000000000..30b4bbc8509
--- /dev/null
+++ b/tmp-5.10/asoc-mediatek-mt8173-fix-irq-error-path.patch
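Review bot: The four new `return -ENOMEM;` statements leave imx_audmix_probe() from inside its loops without passing through any cleanup, and the first one sits directly after `args.np->full_name` is read. If `args.np` still holds a device-node reference at that point (the code that obtains it is outside the hunks), these early returns would skip its release; that is worth confirming, and if so `of_node_put(args.np);` belongs before the return. The combined test `if (!be_name || !be_pb || !be_cp)` also covers `be_name`, whose allocation is above the hunk, so checking each pointer right after its own devm_kasprintf() call would match the style used for `dai_name` and `capture_dai_name`.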
@@ -0,0 +1,53 @@
+From f9c058d14f4fe23ef523a7ff73734d51c151683c Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda Delgado
+Date: Mon, 12 Jun 2023 11:05:32 +0200
+Subject: ASoC: mediatek: mt8173: Fix irq error path
+
+From: Ricardo Ribalda Delgado
+
+commit f9c058d14f4fe23ef523a7ff73734d51c151683c upstream.
+
+After reordering the irq probe, the error path was not properly done.
+Lets fix it.
+
+Reported-by: Dan Carpenter
+Cc: stable@kernel.org
+Fixes: 4cbb264d4e91 ("ASoC: mediatek: mt8173: Enable IRQ when pdata is ready")
+Signed-off-by: Ricardo Ribalda Delgado
+Reviewed-by: AngeloGioacchino Del Regno
+Link: https://lore.kernel.org/r/20230612-mt8173-fixup-v2-2-432aa99ce24d@chromium.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/mediatek/mt8173/mt8173-afe-pcm.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
++++ b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
+@@ -1072,6 +1072,10 @@ static int mt8173_afe_pcm_dev_probe(stru
+
+ afe->dev = &pdev->dev;
+
++ irq_id = platform_get_irq(pdev, 0);
++ if (irq_id <= 0)
++ return irq_id < 0 ? irq_id : -ENXIO;
++
+ afe->base_addr = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(afe->base_addr))
+ return PTR_ERR(afe->base_addr);
+@@ -1177,14 +1181,11 @@ static int mt8173_afe_pcm_dev_probe(stru
+ if (ret)
+ goto err_cleanup_components;
+
+- irq_id = platform_get_irq(pdev, 0);
+- if (irq_id <= 0)
+- return irq_id < 0 ? irq_id : -ENXIO;
+ ret = devm_request_irq(afe->dev, irq_id, mt8173_afe_irq_handler,
+ 0, "Afe_ISR_Handle", (void *)afe);
+ if (ret) {
+ dev_err(afe->dev, "could not request_irq\n");
+- goto err_pm_disable;
++ goto err_cleanup_components;
+ }
+
+ dev_info(&pdev->dev, "MT8173 AFE driver initialized.\n");
diff --git a/tmp-5.10/asoc-mediatek-mt8173-fix-snd_soc_component_initialize-error-path.patch b/tmp-5.10/asoc-mediatek-mt8173-fix-snd_soc_component_initialize-error-path.patch
new file mode 100644
index 00000000000..1f7b668264f
--- /dev/null
+++ b/tmp-5.10/asoc-mediatek-mt8173-fix-snd_soc_component_initialize-error-path.patch
@@ -0,0 +1,42 @@
+From a46d37012a5be1737393b8f82fd35665e4556eee Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda Delgado
+Date: Mon, 12 Jun 2023 11:05:31 +0200
+Subject: ASoC: mediatek: mt8173: Fix snd_soc_component_initialize error path
+
+From: Ricardo Ribalda Delgado
+
+commit a46d37012a5be1737393b8f82fd35665e4556eee upstream.
+
+If the second component fails to initialize, cleanup the first on.
+
+Reported-by: Dan Carpenter
+Cc: stable@kernel.org
+Fixes: f1b5bf07365d ("ASoC: mt2701/mt8173: replace platform to component")
+Signed-off-by: Ricardo Ribalda Delgado
+Reviewed-by: AngeloGioacchino Del Regno
+Link: https://lore.kernel.org/r/20230612-mt8173-fixup-v2-1-432aa99ce24d@chromium.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/mediatek/mt8173/mt8173-afe-pcm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
++++ b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
+@@ -1162,14 +1162,14 @@ static int mt8173_afe_pcm_dev_probe(stru
+ comp_hdmi = devm_kzalloc(&pdev->dev, sizeof(*comp_hdmi), GFP_KERNEL);
+ if (!comp_hdmi) {
+ ret = -ENOMEM;
+- goto err_pm_disable;
++ goto err_cleanup_components;
+ }
+
+ ret = snd_soc_component_initialize(comp_hdmi,
+ &mt8173_afe_hdmi_dai_component,
+ &pdev->dev);
+ if (ret)
+- goto err_pm_disable;
++ goto err_cleanup_components;
+
+ #ifdef CONFIG_DEBUG_FS
+ comp_hdmi->debugfs_prefix = "hdmi";
diff --git a/tmp-5.10/autofs-use-flexible-array-in-ioctl-structure.patch b/tmp-5.10/autofs-use-flexible-array-in-ioctl-structure.patch
new file mode 100644
index 00000000000..e9f0849d9ed
--- /dev/null
+++ b/tmp-5.10/autofs-use-flexible-array-in-ioctl-structure.patch 
@@ -0,0 +1,80 @@
+From e910c8e3aa02dc456e2f4c32cb479523c326b534 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Tue, 23 May 2023 10:19:35 +0200
+Subject: autofs: use flexible array in ioctl structure
+
+From: Arnd Bergmann
+
+commit e910c8e3aa02dc456e2f4c32cb479523c326b534 upstream.
+
+Commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3") introduced a warning
+for the autofs_dev_ioctl structure:
+
+In function 'check_name',
+ inlined from 'validate_dev_ioctl' at fs/autofs/dev-ioctl.c:131:9,
+ inlined from '_autofs_dev_ioctl' at fs/autofs/dev-ioctl.c:624:8:
+fs/autofs/dev-ioctl.c:33:14: error: 'strchr' reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread]
+ 33 | if (!strchr(name, '/'))
+ | ^~~~~~~~~~~~~~~~~
+In file included from include/linux/auto_dev-ioctl.h:10,
+ from fs/autofs/autofs_i.h:10,
+ from fs/autofs/dev-ioctl.c:14:
+include/uapi/linux/auto_dev-ioctl.h: In function '_autofs_dev_ioctl':
+include/uapi/linux/auto_dev-ioctl.h:112:14: note: source object 'path' of size 0
+ 112 | char path[0];
+ | ^~~~
+
+This is easily fixed by changing the gnu 0-length array into a c99
+flexible array. Since this is a uapi structure, we have to be careful
+about possible regressions but this one should be fine as they are
+equivalent here. While it would break building with ancient gcc versions
+that predate c99, it helps building with --std=c99 and -Wpedantic builds
+in user space, as well as non-gnu compilers. This means we probably
+also want it fixed in stable kernels.
+
+Cc: stable@vger.kernel.org
+Cc: Kees Cook
+Cc: "Gustavo A. R. Silva"
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Kees Cook
+Link: https://lore.kernel.org/r/20230523081944.581710-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/filesystems/autofs-mount-control.rst | 2 +-
+ Documentation/filesystems/autofs.rst | 2 +-
+ include/uapi/linux/auto_dev-ioctl.h | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/Documentation/filesystems/autofs-mount-control.rst
++++ b/Documentation/filesystems/autofs-mount-control.rst
+@@ -196,7 +196,7 @@ information and return operation results
+ struct args_ismountpoint ismountpoint;
+ };
+
+- char path[0];
++ char path[];
+ };
+
+ The ioctlfd field is a mount point file descriptor of an autofs mount
+--- a/Documentation/filesystems/autofs.rst
++++ b/Documentation/filesystems/autofs.rst
+@@ -467,7 +467,7 @@ Each ioctl is passed a pointer to an `au
+ struct args_ismountpoint ismountpoint;
+ };
+
+- char path[0];
++ char path[];
+ };
+
+ For the **OPEN_MOUNT** and **IS_MOUNTPOINT** commands, the target
+--- a/include/uapi/linux/auto_dev-ioctl.h
++++ b/include/uapi/linux/auto_dev-ioctl.h
+@@ -109,7 +109,7 @@ struct autofs_dev_ioctl {
+ struct args_ismountpoint ismountpoint;
+ };
+
+- char path[0];
++ char path[];
+ };
+
+ static inline void init_autofs_dev_ioctl(struct autofs_dev_ioctl *in)
diff --git a/tmp-5.10/bcache-fix-__bch_btree_node_alloc-to-make-the-failure-behavior-consistent.patch b/tmp-5.10/bcache-fix-__bch_btree_node_alloc-to-make-the-failure-behavior-consistent.patch
new file mode 100644
index 00000000000..548e80e3c7f
--- /dev/null
+++ b/tmp-5.10/bcache-fix-__bch_btree_node_alloc-to-make-the-failure-behavior-consistent.patch
@@ -0,0 +1,43 @@
+From 80fca8a10b604afad6c14213fdfd816c4eda3ee4 Mon Sep 17 00:00:00 2001
+From: Zheng Wang
+Date: Thu, 15 Jun 2023 20:12:22 +0800
+Subject: bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent
+
+From: Zheng Wang
+
+commit 80fca8a10b604afad6c14213fdfd816c4eda3ee4 upstream.
+
+In some specific situations, the return value of __bch_btree_node_alloc
+may be NULL. This may lead to a potential NULL pointer dereference in
+caller function like a calling chain :
+btree_split->bch_btree_node_alloc->__bch_btree_node_alloc.
+
+Fix it by initializing the return value in __bch_btree_node_alloc.
+
+Fixes: cafe56359144 ("bcache: A block layer cache")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheng Wang
+Signed-off-by: Coly Li
+Link: https://lore.kernel.org/r/20230615121223.22502-6-colyli@suse.de
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/bcache/btree.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -1090,10 +1090,12 @@ struct btree *__bch_btree_node_alloc(str
+ struct btree *parent)
+ {
+ BKEY_PADDED(key) k;
+- struct btree *b = ERR_PTR(-EAGAIN);
++ struct btree *b;
+
+ mutex_lock(&c->bucket_lock);
+ retry:
++ /* return ERR_PTR(-EAGAIN) when it fails */
++ b = ERR_PTR(-EAGAIN);
+ if (__bch_bucket_alloc_set(c, RESERVE_BTREE, &k.key, wait))
+ goto err;
+
diff --git a/tmp-5.10/bcache-fixup-btree_cache_wait-list-damage.patch b/tmp-5.10/bcache-fixup-btree_cache_wait-list-damage.patch
new file mode 100644
index 00000000000..2bbc88959a2
--- /dev/null
+++ b/tmp-5.10/bcache-fixup-btree_cache_wait-list-damage.patch
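Review bot: The added comment `/* return ERR_PTR(-EAGAIN) when it fails */` says what the assignment does but not why it had to move below `retry:`. Going by the description, `b` can be left NULL by an earlier pass before control jumps back to the label, so wording such as `/* reset on every pass: an earlier attempt may have left b NULL, and the error path must return an ERR_PTR */` would stop a later cleanup from hoisting the initialiser back into the declaration. The jump to `retry` and the `err` path are outside the hunk, so the NULL case is taken from the commit message rather than from visible code.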
@@ -0,0 +1,120 @@ +From f0854489fc07d2456f7cc71a63f4faf9c716ffbe Mon Sep 17 00:00:00 2001 +From: Mingzhe Zou +Date: Thu, 15 Jun 2023 20:12:23 +0800 +Subject: bcache: fixup btree_cache_wait list damage + +From: Mingzhe Zou + +commit f0854489fc07d2456f7cc71a63f4faf9c716ffbe upstream. + +We get a kernel crash about "list_add corruption. next->prev should be +prev (ffff9c801bc01210), but was ffff9c77b688237c. +(next=ffffae586d8afe68)." + +crash> struct list_head 0xffff9c801bc01210 +struct list_head { + next = 0xffffae586d8afe68, + prev = 0xffffae586d8afe68 +} +crash> struct list_head 0xffff9c77b688237c +struct list_head { + next = 0x0, + prev = 0x0 +} +crash> struct list_head 0xffffae586d8afe68 +struct list_head struct: invalid kernel virtual address: ffffae586d8afe68 type: "gdb_readmem_callback" +Cannot access memory at address 0xffffae586d8afe68 + +[230469.019492] Call Trace: +[230469.032041] prepare_to_wait+0x8a/0xb0 +[230469.044363] ? bch_btree_keys_free+0x6c/0xc0 [escache] +[230469.056533] mca_cannibalize_lock+0x72/0x90 [escache] +[230469.068788] mca_alloc+0x2ae/0x450 [escache] +[230469.080790] bch_btree_node_get+0x136/0x2d0 [escache] +[230469.092681] bch_btree_check_thread+0x1e1/0x260 [escache] +[230469.104382] ? finish_wait+0x80/0x80 +[230469.115884] ? bch_btree_check_recurse+0x1a0/0x1a0 [escache] +[230469.127259] kthread+0x112/0x130 +[230469.138448] ? kthread_flush_work_fn+0x10/0x10 +[230469.149477] ret_from_fork+0x35/0x40 + +bch_btree_check_thread() and bch_dirty_init_thread() may call +mca_cannibalize() to cannibalize other cached btree nodes. Only one thread +can do it at a time, so the op of other threads will be added to the +btree_cache_wait list. + +We must call finish_wait() to remove op from btree_cache_wait before free +it's memory address. Otherwise, the list will be damaged. Also should call +bch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake_up +other waiters. 
+ +Fixes: 8e7102273f59 ("bcache: make bch_btree_check() to be multithreaded") +Fixes: b144e45fc576 ("bcache: make bch_sectors_dirty_init() to be multithreaded") +Cc: stable@vger.kernel.org +Signed-off-by: Mingzhe Zou +Signed-off-by: Coly Li +Link: https://lore.kernel.org/r/20230615121223.22502-7-colyli@suse.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/btree.c | 11 ++++++++++- + drivers/md/bcache/btree.h | 1 + + drivers/md/bcache/writeback.c | 10 ++++++++++ + 3 files changed, 21 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -885,7 +885,7 @@ static struct btree *mca_cannibalize(str + * cannibalize_bucket() will take. This means every time we unlock the root of + * the btree, we need to release this lock if we have it held. + */ +-static void bch_cannibalize_unlock(struct cache_set *c) ++void bch_cannibalize_unlock(struct cache_set *c) + { + spin_lock(&c->btree_cannibalize_lock); + if (c->btree_cache_alloc_lock == current) { +@@ -1968,6 +1968,15 @@ static int bch_btree_check_thread(void * + c->gc_stats.nodes++; + bch_btree_op_init(&op, 0); + ret = bcache_btree(check_recurse, p, c->root, &op); ++ /* ++ * The op may be added to cache_set's btree_cache_wait ++ * in mca_cannibalize(), must ensure it is removed from ++ * the list and release btree_cache_alloc_lock before ++ * free op memory. ++ * Otherwise, the btree_cache_wait will be damaged. 
++ */ ++ bch_cannibalize_unlock(c); ++ finish_wait(&c->btree_cache_wait, &(&op)->wait); + if (ret) + goto out; + } +--- a/drivers/md/bcache/btree.h ++++ b/drivers/md/bcache/btree.h +@@ -282,6 +282,7 @@ void bch_initial_gc_finish(struct cache_ + void bch_moving_gc(struct cache_set *c); + int bch_btree_check(struct cache_set *c); + void bch_initial_mark_key(struct cache_set *c, int level, struct bkey *k); ++void bch_cannibalize_unlock(struct cache_set *c); + + static inline void wake_up_gc(struct cache_set *c) + { +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -834,6 +834,16 @@ static int bch_root_node_dirty_init(stru + if (ret < 0) + pr_warn("sectors dirty init failed, ret=%d!\n", ret); + ++ /* ++ * The op may be added to cache_set's btree_cache_wait ++ * in mca_cannibalize(), must ensure it is removed from ++ * the list and release btree_cache_alloc_lock before ++ * free op memory. ++ * Otherwise, the btree_cache_wait will be damaged. ++ */ ++ bch_cannibalize_unlock(c); ++ finish_wait(&c->btree_cache_wait, &(&op.op)->wait); ++ + return ret; + } + diff --git a/tmp-5.10/bcache-remove-unnecessary-null-point-check-in-node-allocations.patch b/tmp-5.10/bcache-remove-unnecessary-null-point-check-in-node-allocations.patch new file mode 100644 index 00000000000..98839997e78 --- /dev/null +++ b/tmp-5.10/bcache-remove-unnecessary-null-point-check-in-node-allocations.patch 
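Review bot: `&(&op)->wait` in bch_btree_check_thread and `&(&op.op)->wait` in bch_root_node_dirty_init are roundabout spellings of `&op.wait` and `&op.op.wait`; the direct form is easier to read next to a comment about list corruption. The same comment and the same `bch_cannibalize_unlock(c); finish_wait(...)` pair are pasted at both call sites, so a small helper taking the cache_set and the btree_op would keep the two from drifting apart. Both functions start and end outside their hunks, so whether any other exit path releases `op` after mca_cannibalize() without this cleanup cannot be checked from here.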
@@ -0,0 +1,92 @@ +From 028ddcac477b691dd9205c92f991cc15259d033e Mon Sep 17 00:00:00 2001 +From: Zheng Wang +Date: Thu, 15 Jun 2023 20:12:21 +0800 +Subject: bcache: Remove unnecessary NULL point check in node allocations + +From: Zheng Wang + +commit 028ddcac477b691dd9205c92f991cc15259d033e upstream. + +Due to the previous fix of __bch_btree_node_alloc, the return value will +never be a NULL pointer. So IS_ERR is enough to handle the failure +situation. Fix it by replacing IS_ERR_OR_NULL check by an IS_ERR check. + +Fixes: cafe56359144 ("bcache: A block layer cache") +Cc: stable@vger.kernel.org +Signed-off-by: Zheng Wang +Signed-off-by: Coly Li +Link: https://lore.kernel.org/r/20230615121223.22502-5-colyli@suse.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/btree.c | 10 +++++----- + drivers/md/bcache/super.c | 4 ++-- + 2 files changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -1138,7 +1138,7 @@ static struct btree *btree_node_alloc_re + { + struct btree *n = bch_btree_node_alloc(b->c, op, b->level, b->parent); + +- if (!IS_ERR_OR_NULL(n)) { ++ if (!IS_ERR(n)) { + mutex_lock(&n->write_lock); + bch_btree_sort_into(&b->keys, &n->keys, &b->c->sort); + bkey_copy_key(&n->key, &b->key); +@@ -1340,7 +1340,7 @@ static int btree_gc_coalesce(struct btre + memset(new_nodes, 0, sizeof(new_nodes)); + closure_init_stack(&cl); + +- while (nodes < GC_MERGE_NODES && !IS_ERR_OR_NULL(r[nodes].b)) ++ while (nodes < GC_MERGE_NODES && !IS_ERR(r[nodes].b)) + keys += r[nodes++].keys; + + blocks = btree_default_blocks(b->c) * 2 / 3; +@@ -1352,7 +1352,7 @@ static int btree_gc_coalesce(struct btre + + for (i = 0; i < nodes; i++) { + new_nodes[i] = btree_node_alloc_replacement(r[i].b, NULL); +- if (IS_ERR_OR_NULL(new_nodes[i])) ++ if (IS_ERR(new_nodes[i])) + goto out_nocoalesce; + } + +@@ -1487,7 +1487,7 @@ out_nocoalesce: + bch_keylist_free(&keylist); + + for (i = 0; i < nodes; i++) +- if 
(!IS_ERR_OR_NULL(new_nodes[i])) { ++ if (!IS_ERR(new_nodes[i])) { + btree_node_free(new_nodes[i]); + rw_unlock(true, new_nodes[i]); + } +@@ -1669,7 +1669,7 @@ static int bch_btree_gc_root(struct btre + if (should_rewrite) { + n = btree_node_alloc_replacement(b, NULL); + +- if (!IS_ERR_OR_NULL(n)) { ++ if (!IS_ERR(n)) { + bch_btree_node_write_sync(n); + + bch_btree_set_root(n); +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1748,7 +1748,7 @@ static void cache_set_flush(struct closu + if (!IS_ERR_OR_NULL(c->gc_thread)) + kthread_stop(c->gc_thread); + +- if (!IS_ERR_OR_NULL(c->root)) ++ if (!IS_ERR(c->root)) + list_add(&c->root->list, &c->btree_cache); + + /* +@@ -2112,7 +2112,7 @@ static int run_cache_set(struct cache_se + + err = "cannot allocate new btree root"; + c->root = __bch_btree_node_alloc(c, NULL, 0, true, NULL); +- if (IS_ERR_OR_NULL(c->root)) ++ if (IS_ERR(c->root)) + goto err; + + mutex_lock(&c->root->write_lock); diff --git a/tmp-5.10/blk-iocost-use-spin_lock_irqsave-in-adjust_inuse_and.patch b/tmp-5.10/blk-iocost-use-spin_lock_irqsave-in-adjust_inuse_and.patch new file mode 100644 index 00000000000..989d8b73f05 --- /dev/null +++ b/tmp-5.10/blk-iocost-use-spin_lock_irqsave-in-adjust_inuse_and.patch 
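Review bot: In btree_gc_coalesce the cleanup loop under `out_nocoalesce:` now tests `if (!IS_ERR(new_nodes[i]))`, but `new_nodes` is zero-filled by the `memset(new_nodes, 0, sizeof(new_nodes))` visible as context in the earlier hunk, and the allocation loop leaves at the first failure via `goto out_nocoalesce`, so every slot after the failed one is still NULL. NULL is not an error pointer, so those slots would be passed to `btree_node_free()` and `rw_unlock()`; this loop should keep `if (!IS_ERR_OR_NULL(new_nodes[i])) {`. The same question applies to `r[nodes].b` in the `while` condition and to `c->root` in cache_set_flush, which may never have been assigned if setup failed early; those assignments are outside the hunks, so check them against the full files. The change to __bch_btree_node_alloc guarantees only that the allocator does not return NULL, not that array slots and fields which were never assigned are non-NULL.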
@@ -0,0 +1,150 @@ +From bf9fbf24f51f4d96ce8ee9987e7ffcf8c6b293c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 17:19:04 +0800 +Subject: blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost + +From: Li Nan + +[ Upstream commit 8d211554679d0b23702bd32ba04aeac0c1c4f660 ] + +adjust_inuse_and_calc_cost() use spin_lock_irq() and IRQ will be enabled +when unlock. DEADLOCK might happen if we have held other locks and disabled +IRQ before invoking it. + +Fix it by using spin_lock_irqsave() instead, which can keep IRQ state +consistent with before when unlock. + + ================================ + WARNING: inconsistent lock state + 5.10.0-02758-g8e5f91fd772f #26 Not tainted + -------------------------------- + inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. + kworker/2:3/388 [HC0[0]:SC0[0]:HE0:SE1] takes: + ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: spin_lock_irq + ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390 + {IN-HARDIRQ-W} state was registered at: + __lock_acquire+0x3d7/0x1070 + lock_acquire+0x197/0x4a0 + __raw_spin_lock_irqsave + _raw_spin_lock_irqsave+0x3b/0x60 + bfq_idle_slice_timer_body + bfq_idle_slice_timer+0x53/0x1d0 + __run_hrtimer+0x477/0xa70 + __hrtimer_run_queues+0x1c6/0x2d0 + hrtimer_interrupt+0x302/0x9e0 + local_apic_timer_interrupt + __sysvec_apic_timer_interrupt+0xfd/0x420 + run_sysvec_on_irqstack_cond + sysvec_apic_timer_interrupt+0x46/0xa0 + asm_sysvec_apic_timer_interrupt+0x12/0x20 + irq event stamp: 837522 + hardirqs last enabled at (837521): [] __raw_spin_unlock_irqrestore + hardirqs last enabled at (837521): [] _raw_spin_unlock_irqrestore+0x3d/0x40 + hardirqs last disabled at (837522): [] __raw_spin_lock_irq + hardirqs last disabled at (837522): [] _raw_spin_lock_irq+0x43/0x50 + softirqs last enabled at (835852): [] __do_softirq+0x558/0x8ec + softirqs last disabled at (835845): [] asm_call_irq_on_stack+0xf/0x20 + + other info that might help us debug this: + Possible unsafe 
locking scenario: + + CPU0 + ---- + lock(&bfqd->lock); + + lock(&bfqd->lock); + + *** DEADLOCK *** + + 3 locks held by kworker/2:3/388: + #0: ffff888107af0f38 ((wq_completion)kthrotld){+.+.}-{0:0}, at: process_one_work+0x742/0x13f0 + #1: ffff8881176bfdd8 ((work_completion)(&td->dispatch_work)){+.+.}-{0:0}, at: process_one_work+0x777/0x13f0 + #2: ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: spin_lock_irq + #2: ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390 + + stack backtrace: + CPU: 2 PID: 388 Comm: kworker/2:3 Not tainted 5.10.0-02758-g8e5f91fd772f #26 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 + Workqueue: kthrotld blk_throtl_dispatch_work_fn + Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x107/0x167 + print_usage_bug + valid_state + mark_lock_irq.cold+0x32/0x3a + mark_lock+0x693/0xbc0 + mark_held_locks+0x9e/0xe0 + __trace_hardirqs_on_caller + lockdep_hardirqs_on_prepare.part.0+0x151/0x360 + trace_hardirqs_on+0x5b/0x180 + __raw_spin_unlock_irq + _raw_spin_unlock_irq+0x24/0x40 + spin_unlock_irq + adjust_inuse_and_calc_cost+0x4fb/0x970 + ioc_rqos_merge+0x277/0x740 + __rq_qos_merge+0x62/0xb0 + rq_qos_merge + bio_attempt_back_merge+0x12c/0x4a0 + blk_mq_sched_try_merge+0x1b6/0x4d0 + bfq_bio_merge+0x24a/0x390 + __blk_mq_sched_bio_merge+0xa6/0x460 + blk_mq_sched_bio_merge + blk_mq_submit_bio+0x2e7/0x1ee0 + __submit_bio_noacct_mq+0x175/0x3b0 + submit_bio_noacct+0x1fb/0x270 + blk_throtl_dispatch_work_fn+0x1ef/0x2b0 + process_one_work+0x83e/0x13f0 + process_scheduled_works + worker_thread+0x7e3/0xd80 + kthread+0x353/0x470 + ret_from_fork+0x1f/0x30 + +Fixes: b0853ab4a238 ("blk-iocost: revamp in-period donation snapbacks") +Signed-off-by: Li Nan +Acked-by: Tejun Heo +Reviewed-by: Yu Kuai +Link: https://lore.kernel.org/r/20230527091904.3001833-1-linan666@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-iocost.c 
| 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/block/blk-iocost.c b/block/blk-iocost.c +index 105ad23dff063..7ba7c4e4e4c93 100644 +--- a/block/blk-iocost.c ++++ b/block/blk-iocost.c +@@ -2426,6 +2426,7 @@ static u64 adjust_inuse_and_calc_cost(struct ioc_gq *iocg, u64 vtime, + u32 hwi, adj_step; + s64 margin; + u64 cost, new_inuse; ++ unsigned long flags; + + current_hweight(iocg, NULL, &hwi); + old_hwi = hwi; +@@ -2444,11 +2445,11 @@ static u64 adjust_inuse_and_calc_cost(struct ioc_gq *iocg, u64 vtime, + iocg->inuse == iocg->active) + return cost; + +- spin_lock_irq(&ioc->lock); ++ spin_lock_irqsave(&ioc->lock, flags); + + /* we own inuse only when @iocg is in the normal active state */ + if (iocg->abs_vdebt || list_empty(&iocg->active_list)) { +- spin_unlock_irq(&ioc->lock); ++ spin_unlock_irqrestore(&ioc->lock, flags); + return cost; + } + +@@ -2469,7 +2470,7 @@ static u64 adjust_inuse_and_calc_cost(struct ioc_gq *iocg, u64 vtime, + } while (time_after64(vtime + cost, now->vnow) && + iocg->inuse != iocg->active); + +- spin_unlock_irq(&ioc->lock); ++ spin_unlock_irqrestore(&ioc->lock, flags); + + TRACE_IOCG_PATH(inuse_adjust, iocg, now, + old_inuse, iocg->inuse, old_hwi, hwi); +-- +2.39.2 + diff --git a/tmp-5.10/block-add-overflow-checks-for-amiga-partition-support.patch b/tmp-5.10/block-add-overflow-checks-for-amiga-partition-support.patch new file mode 100644 index 00000000000..64a6be8ad01 --- /dev/null +++ b/tmp-5.10/block-add-overflow-checks-for-amiga-partition-support.patch 
@@ -0,0 +1,202 @@ +From b6f3f28f604ba3de4724ad82bea6adb1300c0b5f Mon Sep 17 00:00:00 2001 +From: Michael Schmitz +Date: Wed, 21 Jun 2023 08:17:25 +1200 +Subject: block: add overflow checks for Amiga partition support + +From: Michael Schmitz + +commit b6f3f28f604ba3de4724ad82bea6adb1300c0b5f upstream. + +The Amiga partition parser module uses signed int for partition sector +address and count, which will overflow for disks larger than 1 TB. + +Use u64 as type for sector address and size to allow using disks up to +2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD +format allows to specify disk sizes up to 2^128 bytes (though native +OS limitations reduce this somewhat, to max 2^68 bytes), so check for +u64 overflow carefully to protect against overflowing sector_t. + +Bail out if sector addresses overflow 32 bits on kernels without LBD +support. + +This bug was reported originally in 2012, and the fix was created by +the RDB author, Joanne Dow . A patch had been +discussed and reviewed on linux-m68k at that time but never officially +submitted (now resubmitted as patch 1 in this series). +This patch adds additional error checking and warning messages. 
+ +Reported-by: Martin Steigerwald +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Message-ID: <201206192146.09327.Martin@lichtvoll.de> +Cc: # 5.2 +Signed-off-by: Michael Schmitz +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230620201725.7020-4-schmitzmic@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/amiga.c | 103 ++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 85 insertions(+), 18 deletions(-) + +--- a/block/partitions/amiga.c ++++ b/block/partitions/amiga.c +@@ -11,10 +11,18 @@ + #define pr_fmt(fmt) fmt + + #include ++#include ++#include + #include + + #include "check.h" + ++/* magic offsets in partition DosEnvVec */ ++#define NR_HD 3 ++#define NR_SECT 5 ++#define LO_CYL 9 ++#define HI_CYL 10 ++ + static __inline__ u32 + checksum_block(__be32 *m, int size) + { +@@ -31,9 +39,12 @@ int amiga_partition(struct parsed_partit + unsigned char *data; + struct RigidDiskBlock *rdb; + struct PartitionBlock *pb; +- sector_t start_sect, nr_sects; +- int blk, part, res = 0; +- int blksize = 1; /* Multiplier for disk block size */ ++ u64 start_sect, nr_sects; ++ sector_t blk, end_sect; ++ u32 cylblk; /* rdb_CylBlocks = nr_heads*sect_per_track */ ++ u32 nr_hd, nr_sect, lo_cyl, hi_cyl; ++ int part, res = 0; ++ unsigned int blksize = 1; /* Multiplier for disk block size */ + int slot = 1; + char b[BDEVNAME_SIZE]; + +@@ -42,7 +53,7 @@ int amiga_partition(struct parsed_partit + goto rdb_done; + data = read_part_sector(state, blk, §); + if (!data) { +- pr_err("Dev %s: unable to read RDB block %d\n", ++ pr_err("Dev %s: unable to read RDB block %llu\n", + bdevname(state->bdev, b), blk); + res = -1; + goto rdb_done; +@@ -59,12 +70,12 @@ int amiga_partition(struct parsed_partit + *(__be32 *)(data+0xdc) = 0; + if (checksum_block((__be32 *)data, + be32_to_cpu(rdb->rdb_SummedLongs) & 0x7F)==0) { +- pr_err("Trashed 
word at 0xd0 in block %d ignored in checksum calculation\n", ++ pr_err("Trashed word at 0xd0 in block %llu ignored in checksum calculation\n", + blk); + break; + } + +- pr_err("Dev %s: RDB in block %d has bad checksum\n", ++ pr_err("Dev %s: RDB in block %llu has bad checksum\n", + bdevname(state->bdev, b), blk); + } + +@@ -81,10 +92,15 @@ int amiga_partition(struct parsed_partit + blk = be32_to_cpu(rdb->rdb_PartitionList); + put_dev_sector(sect); + for (part = 1; blk>0 && part<=16; part++, put_dev_sector(sect)) { +- blk *= blksize; /* Read in terms partition table understands */ ++ /* Read in terms partition table understands */ ++ if (check_mul_overflow(blk, (sector_t) blksize, &blk)) { ++ pr_err("Dev %s: overflow calculating partition block %llu! Skipping partitions %u and beyond\n", ++ bdevname(state->bdev, b), blk, part); ++ break; ++ } + data = read_part_sector(state, blk, §); + if (!data) { +- pr_err("Dev %s: unable to read partition block %d\n", ++ pr_err("Dev %s: unable to read partition block %llu\n", + bdevname(state->bdev, b), blk); + res = -1; + goto rdb_done; +@@ -96,19 +112,70 @@ int amiga_partition(struct parsed_partit + if (checksum_block((__be32 *)pb, be32_to_cpu(pb->pb_SummedLongs) & 0x7F) != 0 ) + continue; + +- /* Tell Kernel about it */ ++ /* RDB gives us more than enough rope to hang ourselves with, ++ * many times over (2^128 bytes if all fields max out). ++ * Some careful checks are in order, so check for potential ++ * overflows. ++ * We are multiplying four 32 bit numbers to one sector_t! 
++ */ ++ ++ nr_hd = be32_to_cpu(pb->pb_Environment[NR_HD]); ++ nr_sect = be32_to_cpu(pb->pb_Environment[NR_SECT]); ++ ++ /* CylBlocks is total number of blocks per cylinder */ ++ if (check_mul_overflow(nr_hd, nr_sect, &cylblk)) { ++ pr_err("Dev %s: heads*sects %u overflows u32, skipping partition!\n", ++ bdevname(state->bdev, b), cylblk); ++ continue; ++ } ++ ++ /* check for consistency with RDB defined CylBlocks */ ++ if (cylblk > be32_to_cpu(rdb->rdb_CylBlocks)) { ++ pr_warn("Dev %s: cylblk %u > rdb_CylBlocks %u!\n", ++ bdevname(state->bdev, b), cylblk, ++ be32_to_cpu(rdb->rdb_CylBlocks)); ++ } ++ ++ /* RDB allows for variable logical block size - ++ * normalize to 512 byte blocks and check result. ++ */ ++ ++ if (check_mul_overflow(cylblk, blksize, &cylblk)) { ++ pr_err("Dev %s: partition %u bytes per cyl. overflows u32, skipping partition!\n", ++ bdevname(state->bdev, b), part); ++ continue; ++ } ++ ++ /* Calculate partition start and end. Limit of 32 bit on cylblk ++ * guarantees no overflow occurs if LBD support is enabled. 
++ */ ++ ++ lo_cyl = be32_to_cpu(pb->pb_Environment[LO_CYL]); ++ start_sect = ((u64) lo_cyl * cylblk); ++ ++ hi_cyl = be32_to_cpu(pb->pb_Environment[HI_CYL]); ++ nr_sects = (((u64) hi_cyl - lo_cyl + 1) * cylblk); + +- nr_sects = ((sector_t)be32_to_cpu(pb->pb_Environment[10]) + 1 - +- be32_to_cpu(pb->pb_Environment[9])) * +- be32_to_cpu(pb->pb_Environment[3]) * +- be32_to_cpu(pb->pb_Environment[5]) * +- blksize; + if (!nr_sects) + continue; +- start_sect = (sector_t)be32_to_cpu(pb->pb_Environment[9]) * +- be32_to_cpu(pb->pb_Environment[3]) * +- be32_to_cpu(pb->pb_Environment[5]) * +- blksize; ++ ++ /* Warn user if partition end overflows u32 (AmigaDOS limit) */ ++ ++ if ((start_sect + nr_sects) > UINT_MAX) { ++ pr_warn("Dev %s: partition %u (%llu-%llu) needs 64 bit device support!\n", ++ bdevname(state->bdev, b), part, ++ start_sect, start_sect + nr_sects); ++ } ++ ++ if (check_add_overflow(start_sect, nr_sects, &end_sect)) { ++ pr_err("Dev %s: partition %u (%llu-%llu) needs LBD device support, skipping partition!\n", ++ bdevname(state->bdev, b), part, ++ start_sect, end_sect); ++ continue; ++ } ++ ++ /* Tell Kernel about it */ ++ + put_partition(state,slot++,start_sect,nr_sects); + { + /* Be even more informative to aid mounting */ diff --git a/tmp-5.10/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch b/tmp-5.10/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch new file mode 100644 index 00000000000..ca54e71c9d2 --- /dev/null +++ b/tmp-5.10/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch 
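Review bot: `nr_sects = (((u64) hi_cyl - lo_cyl + 1) * cylblk);` has no explicit check that `hi_cyl >= lo_cyl`, and both values are read straight from the on-disk partition block. With a reversed range the u64 subtraction wraps, and the entry appears to be rejected only indirectly by the later `check_add_overflow()`, under a "needs LBD device support" message that misdescribes the problem. An explicit guard before the multiplication, such as `if (hi_cyl < lo_cyl) { pr_err("Dev %s: partition %u has HiCyl below LoCyl, skipping partition!\n", bdevname(state->bdev, b), part); continue; }`, would make the validation of untrusted media obvious. Separately, the overflow messages for `blk` and `cylblk` print those variables after `check_mul_overflow()` has already stored the wrapped result in them. amiga_partition starts and ends outside these hunks.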
@@ -0,0 +1,142 @@ +From 95a55437dc49fb3342c82e61f5472a71c63d9ed0 Mon Sep 17 00:00:00 2001 +From: Michael Schmitz +Date: Wed, 21 Jun 2023 08:17:24 +1200 +Subject: block: change all __u32 annotations to __be32 in affs_hardblocks.h + +From: Michael Schmitz + +commit 95a55437dc49fb3342c82e61f5472a71c63d9ed0 upstream. + +The Amiga partition parser module uses signed int for partition sector +address and count, which will overflow for disks larger than 1 TB. + +Use u64 as type for sector address and size to allow using disks up to +2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD +format allows to specify disk sizes up to 2^128 bytes (though native +OS limitations reduce this somewhat, to max 2^68 bytes), so check for +u64 overflow carefully to protect against overflowing sector_t. + +This bug was reported originally in 2012, and the fix was created by +the RDB author, Joanne Dow . A patch had been +discussed and reviewed on linux-m68k at that time but never officially +submitted (now resubmitted as patch 1 of this series). + +Patch 3 (this series) adds additional error checking and warning +messages. One of the error checks now makes use of the previously +unused rdb_CylBlocks field, which causes a 'sparse' warning +(cast to restricted __be32). + +Annotate all 32 bit fields in affs_hardblocks.h as __be32, as the +on-disk format of RDB and partition blocks is always big endian. 
+ +Reported-by: Martin Steigerwald +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Message-ID: <201206192146.09327.Martin@lichtvoll.de> +Cc: # 5.2 +Signed-off-by: Michael Schmitz +Reviewed-by: Christoph Hellwig +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230620201725.7020-3-schmitzmic@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/affs_hardblocks.h | 68 +++++++++++++++++------------------ + 1 file changed, 34 insertions(+), 34 deletions(-) + +--- a/include/uapi/linux/affs_hardblocks.h ++++ b/include/uapi/linux/affs_hardblocks.h +@@ -7,42 +7,42 @@ + /* Just the needed definitions for the RDB of an Amiga HD. */ + + struct RigidDiskBlock { +- __u32 rdb_ID; ++ __be32 rdb_ID; + __be32 rdb_SummedLongs; +- __s32 rdb_ChkSum; +- __u32 rdb_HostID; ++ __be32 rdb_ChkSum; ++ __be32 rdb_HostID; + __be32 rdb_BlockBytes; +- __u32 rdb_Flags; +- __u32 rdb_BadBlockList; ++ __be32 rdb_Flags; ++ __be32 rdb_BadBlockList; + __be32 rdb_PartitionList; +- __u32 rdb_FileSysHeaderList; +- __u32 rdb_DriveInit; +- __u32 rdb_Reserved1[6]; +- __u32 rdb_Cylinders; +- __u32 rdb_Sectors; +- __u32 rdb_Heads; +- __u32 rdb_Interleave; +- __u32 rdb_Park; +- __u32 rdb_Reserved2[3]; +- __u32 rdb_WritePreComp; +- __u32 rdb_ReducedWrite; +- __u32 rdb_StepRate; +- __u32 rdb_Reserved3[5]; +- __u32 rdb_RDBBlocksLo; +- __u32 rdb_RDBBlocksHi; +- __u32 rdb_LoCylinder; +- __u32 rdb_HiCylinder; +- __u32 rdb_CylBlocks; +- __u32 rdb_AutoParkSeconds; +- __u32 rdb_HighRDSKBlock; +- __u32 rdb_Reserved4; ++ __be32 rdb_FileSysHeaderList; ++ __be32 rdb_DriveInit; ++ __be32 rdb_Reserved1[6]; ++ __be32 rdb_Cylinders; ++ __be32 rdb_Sectors; ++ __be32 rdb_Heads; ++ __be32 rdb_Interleave; ++ __be32 rdb_Park; ++ __be32 rdb_Reserved2[3]; ++ __be32 rdb_WritePreComp; ++ __be32 rdb_ReducedWrite; ++ __be32 rdb_StepRate; ++ __be32 rdb_Reserved3[5]; ++ __be32 rdb_RDBBlocksLo; ++ __be32 rdb_RDBBlocksHi; ++ 
__be32 rdb_LoCylinder; ++ __be32 rdb_HiCylinder; ++ __be32 rdb_CylBlocks; ++ __be32 rdb_AutoParkSeconds; ++ __be32 rdb_HighRDSKBlock; ++ __be32 rdb_Reserved4; + char rdb_DiskVendor[8]; + char rdb_DiskProduct[16]; + char rdb_DiskRevision[4]; + char rdb_ControllerVendor[8]; + char rdb_ControllerProduct[16]; + char rdb_ControllerRevision[4]; +- __u32 rdb_Reserved5[10]; ++ __be32 rdb_Reserved5[10]; + }; + + #define IDNAME_RIGIDDISK 0x5244534B /* "RDSK" */ +@@ -50,16 +50,16 @@ struct RigidDiskBlock { + struct PartitionBlock { + __be32 pb_ID; + __be32 pb_SummedLongs; +- __s32 pb_ChkSum; +- __u32 pb_HostID; ++ __be32 pb_ChkSum; ++ __be32 pb_HostID; + __be32 pb_Next; +- __u32 pb_Flags; +- __u32 pb_Reserved1[2]; +- __u32 pb_DevFlags; ++ __be32 pb_Flags; ++ __be32 pb_Reserved1[2]; ++ __be32 pb_DevFlags; + __u8 pb_DriveName[32]; +- __u32 pb_Reserved2[15]; ++ __be32 pb_Reserved2[15]; + __be32 pb_Environment[17]; +- __u32 pb_EReserved[15]; ++ __be32 pb_EReserved[15]; + }; + + #define IDNAME_PARTITION 0x50415254 /* "PART" */ diff --git a/tmp-5.10/block-fix-signed-int-overflow-in-amiga-partition-support.patch b/tmp-5.10/block-fix-signed-int-overflow-in-amiga-partition-support.patch new file mode 100644 index 00000000000..a0de27ed372 --- /dev/null +++ b/tmp-5.10/block-fix-signed-int-overflow-in-amiga-partition-support.patch 
@@ -0,0 +1,68 @@ +From fc3d092c6bb48d5865fec15ed5b333c12f36288c Mon Sep 17 00:00:00 2001 +From: Michael Schmitz +Date: Wed, 21 Jun 2023 08:17:23 +1200 +Subject: block: fix signed int overflow in Amiga partition support + +From: Michael Schmitz + +commit fc3d092c6bb48d5865fec15ed5b333c12f36288c upstream. + +The Amiga partition parser module uses signed int for partition sector +address and count, which will overflow for disks larger than 1 TB. + +Use sector_t as type for sector address and size to allow using disks +up to 2 TB without LBD support, and disks larger than 2 TB with LBD. + +This bug was reported originally in 2012, and the fix was created by +the RDB author, Joanne Dow . A patch had been +discussed and reviewed on linux-m68k at that time but never officially +submitted. This patch differs from Joanne's patch only in its use of +sector_t instead of unsigned int. No checking for overflows is done +(see patch 3 of this series for that). + +Reported-by: Martin Steigerwald +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Message-ID: <201206192146.09327.Martin@lichtvoll.de> +Cc: # 5.2 +Signed-off-by: Michael Schmitz +Tested-by: Martin Steigerwald +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230620201725.7020-2-schmitzmic@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/amiga.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/block/partitions/amiga.c ++++ b/block/partitions/amiga.c +@@ -31,7 +31,8 @@ int amiga_partition(struct parsed_partit + unsigned char *data; + struct RigidDiskBlock *rdb; + struct PartitionBlock *pb; +- int start_sect, nr_sects, blk, part, res = 0; ++ sector_t start_sect, nr_sects; ++ int blk, part, res = 0; + int blksize = 1; /* Multiplier for disk block size */ + int slot = 1; + char b[BDEVNAME_SIZE]; +@@ -97,14 +98,14 @@ int amiga_partition(struct parsed_partit 
+ + /* Tell Kernel about it */ + +- nr_sects = (be32_to_cpu(pb->pb_Environment[10]) + 1 - +- be32_to_cpu(pb->pb_Environment[9])) * ++ nr_sects = ((sector_t)be32_to_cpu(pb->pb_Environment[10]) + 1 - ++ be32_to_cpu(pb->pb_Environment[9])) * + be32_to_cpu(pb->pb_Environment[3]) * + be32_to_cpu(pb->pb_Environment[5]) * + blksize; + if (!nr_sects) + continue; +- start_sect = be32_to_cpu(pb->pb_Environment[9]) * ++ start_sect = (sector_t)be32_to_cpu(pb->pb_Environment[9]) * + be32_to_cpu(pb->pb_Environment[3]) * + be32_to_cpu(pb->pb_Environment[5]) * + blksize; diff --git a/tmp-5.10/block-partition-fix-signedness-issue-for-amiga-partitions.patch b/tmp-5.10/block-partition-fix-signedness-issue-for-amiga-partitions.patch new file mode 100644 index 00000000000..e1ab73233b8 --- /dev/null +++ b/tmp-5.10/block-partition-fix-signedness-issue-for-amiga-partitions.patch 
@@ -0,0 +1,39 @@
+From 7eb1e47696aa231b1a567846bbe3a1e1befe1854 Mon Sep 17 00:00:00 2001
+From: Michael Schmitz
+Date: Wed, 5 Jul 2023 11:38:08 +1200
+Subject: block/partition: fix signedness issue for Amiga partitions
+
+From: Michael Schmitz
+
+commit 7eb1e47696aa231b1a567846bbe3a1e1befe1854 upstream.
+
+Making 'blk' sector_t (i.e. 64 bit if LBD support is active) fails the
+'blk>0' test in the partition block loop if a value of (signed int) -1 is
+used to mark the end of the partition block list.
+
+Explicitly cast 'blk' to signed int to allow use of -1 to terminate the
+partition block linked list.
+
+Fixes: b6f3f28f604b ("block: add overflow checks for Amiga partition support")
+Reported-by: Christian Zigotzky
+Link: https://lore.kernel.org/r/024ce4fa-cc6d-50a2-9aae-3701d0ebf668@xenosoft.de
+Signed-off-by: Michael Schmitz
+Reviewed-by: Martin Steigerwald
+Tested-by: Christian Zigotzky
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/partitions/amiga.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/partitions/amiga.c
++++ b/block/partitions/amiga.c
+@@ -91,7 +91,7 @@ int amiga_partition(struct parsed_partit
+ }
+ blk = be32_to_cpu(rdb->rdb_PartitionList);
+ put_dev_sector(sect);
+- for (part = 1; blk>0 && part<=16; part++, put_dev_sector(sect)) {
++ for (part = 1; (s32) blk>0 && part<=16; part++, put_dev_sector(sect)) {
+ /* Read in terms partition table understands */
+ if (check_mul_overflow(blk, (sector_t) blksize, &blk)) {
+ pr_err("Dev %s: overflow calculating partition block %llu! Skipping partitions %u and beyond\n",
diff --git a/tmp-5.10/bpf-address-kcsan-report-on-bpf_lru_list.patch b/tmp-5.10/bpf-address-kcsan-report-on-bpf_lru_list.patch
new file mode 100644
index 00000000000..ddf2371b569
--- /dev/null
+++ b/tmp-5.10/bpf-address-kcsan-report-on-bpf_lru_list.patch
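Review bot: `(s32) blk>0` deserves a comment, because the cast looks only at the low 32 bits of a `sector_t`: any next-block value of 0x80000000 or above ends the walk, not just the -1 terminator the commit message describes. That is harmless only as long as `blk` is always reloaded from a 32-bit on-disk field before the loop test, which happens outside this hunk. Suggested comment above the loop: `/* blk comes from a __be32 list pointer; 0 or any value with bit 31 set (e.g. the 0xffffffff end marker) terminates the list */`. amiga_partition continues outside the hunk.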
@@ -0,0 +1,177 @@ +From 5e0a92ea5cd4596e18185aefba581c0682149ab9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 21:37:48 -0700 +Subject: bpf: Address KCSAN report on bpf_lru_list + +From: Martin KaFai Lau + +[ Upstream commit ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 ] + +KCSAN reported a data-race when accessing node->ref. +Although node->ref does not have to be accurate, +take this chance to use a more common READ_ONCE() and WRITE_ONCE() +pattern instead of data_race(). + +There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). +This patch also adds bpf_lru_node_clear_ref() to do the +WRITE_ONCE(node->ref, 0) also. + +================================================================== +BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem + +write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: +__bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] +__bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] +__bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 +bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] +bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] +bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 +prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] +__htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 +bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 +bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 +generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 +bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 +__sys_bpf+0x338/0x810 +__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff888137038deb of 1 bytes by task 
11241 on cpu 0: +bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] +__htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 +bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 +bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 +generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 +bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 +__sys_bpf+0x338/0x810 +__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x01 -> 0x00 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 +================================================================== + +Reported-by: syzbot+ebe648a84e8784763f82@syzkaller.appspotmail.com +Signed-off-by: Martin KaFai Lau +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20230511043748.1384166-1-martin.lau@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/bpf_lru_list.c | 21 +++++++++++++-------- + kernel/bpf/bpf_lru_list.h | 7 ++----- + 2 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c +index d99e89f113c43..3dabdd137d102 100644 +--- a/kernel/bpf/bpf_lru_list.c ++++ b/kernel/bpf/bpf_lru_list.c +@@ -41,7 +41,12 @@ static struct list_head *local_pending_list(struct bpf_lru_locallist *loc_l) + /* bpf_lru_node helpers */ + static bool bpf_lru_node_is_ref(const struct bpf_lru_node *node) + { +- return node->ref; ++ return READ_ONCE(node->ref); ++} ++ ++static void bpf_lru_node_clear_ref(struct bpf_lru_node *node) ++{ ++ WRITE_ONCE(node->ref, 0); + } 
+ + static void bpf_lru_list_count_inc(struct bpf_lru_list *l, +@@ -89,7 +94,7 @@ static void __bpf_lru_node_move_in(struct bpf_lru_list *l, + + bpf_lru_list_count_inc(l, tgt_type); + node->type = tgt_type; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_move(&node->list, &l->lists[tgt_type]); + } + +@@ -110,7 +115,7 @@ static void __bpf_lru_node_move(struct bpf_lru_list *l, + bpf_lru_list_count_inc(l, tgt_type); + node->type = tgt_type; + } +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + + /* If the moving node is the next_inactive_rotation candidate, + * move the next_inactive_rotation pointer also. +@@ -353,7 +358,7 @@ static void __local_list_add_pending(struct bpf_lru *lru, + *(u32 *)((void *)node + lru->hash_offset) = hash; + node->cpu = cpu; + node->type = BPF_LRU_LOCAL_LIST_T_PENDING; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, local_pending_list(loc_l)); + } + +@@ -419,7 +424,7 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru, + if (!list_empty(free_list)) { + node = list_first_entry(free_list, struct bpf_lru_node, list); + *(u32 *)((void *)node + lru->hash_offset) = hash; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + __bpf_lru_node_move(l, node, BPF_LRU_LIST_T_INACTIVE); + } + +@@ -522,7 +527,7 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru, + } + + node->type = BPF_LRU_LOCAL_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_move(&node->list, local_free_list(loc_l)); + + raw_spin_unlock_irqrestore(&loc_l->lock, flags); +@@ -568,7 +573,7 @@ static void bpf_common_lru_populate(struct bpf_lru *lru, void *buf, + + node = (struct bpf_lru_node *)(buf + node_offset); + node->type = BPF_LRU_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); + buf += elem_size; + } +@@ -594,7 +599,7 @@ static void bpf_percpu_lru_populate(struct bpf_lru *lru, void *buf, + node = (struct bpf_lru_node 
*)(buf + node_offset); + node->cpu = cpu; + node->type = BPF_LRU_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); + i++; + buf += elem_size; +diff --git a/kernel/bpf/bpf_lru_list.h b/kernel/bpf/bpf_lru_list.h +index 6b12f06ee18c3..9c12ee453c616 100644 +--- a/kernel/bpf/bpf_lru_list.h ++++ b/kernel/bpf/bpf_lru_list.h +@@ -63,11 +63,8 @@ struct bpf_lru { + + static inline void bpf_lru_node_set_ref(struct bpf_lru_node *node) + { +- /* ref is an approximation on access frequency. It does not +- * have to be very accurate. Hence, no protection is used. +- */ +- if (!node->ref) +- node->ref = 1; ++ if (!READ_ONCE(node->ref)) ++ WRITE_ONCE(node->ref, 1); + } + + int bpf_lru_init(struct bpf_lru *lru, bool percpu, u32 hash_offset, +-- +2.39.2 + diff --git a/tmp-5.10/bpf-remove-extra-lock_sock-for-tcp_zerocopy_receive.patch b/tmp-5.10/bpf-remove-extra-lock_sock-for-tcp_zerocopy_receive.patch new file mode 100644 index 00000000000..f415e16a267 --- /dev/null +++ b/tmp-5.10/bpf-remove-extra-lock_sock-for-tcp_zerocopy_receive.patch 
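Review bot: In bpf_lru_node_set_ref() (bpf_lru_list.h) the patch drops the comment that explained why `ref` needs no lock, while the READ_ONCE()/WRITE_ONCE() pair that replaces the plain accesses is still a non-atomic check-then-set. Keeping the rationale stops a later reader from taking the annotations for synchronisation: `/* ref is only a hint of access frequency; the check-then-set is deliberately not atomic */`. The new bpf_lru_node_clear_ref() helper in bpf_lru_list.c would benefit from the same one-line comment.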
@@ -0,0 +1,788 @@ +From d82326d769a6b7e0c3a9867d90c73f1600134169 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jan 2021 08:34:59 -0800 +Subject: bpf: Remove extra lock_sock for TCP_ZEROCOPY_RECEIVE + +From: Stanislav Fomichev + +[ Upstream commit 9cacf81f8161111db25f98e78a7a0e32ae142b3f ] + +Add custom implementation of getsockopt hook for TCP_ZEROCOPY_RECEIVE. +We skip generic hooks for TCP_ZEROCOPY_RECEIVE and have a custom +call in do_tcp_getsockopt using the on-stack data. This removes +3% overhead for locking/unlocking the socket. + +Without this patch: + 3.38% 0.07% tcp_mmap [kernel.kallsyms] [k] __cgroup_bpf_run_filter_getsockopt + | + --3.30%--__cgroup_bpf_run_filter_getsockopt + | + --0.81%--__kmalloc + +With the patch applied: + 0.52% 0.12% tcp_mmap [kernel.kallsyms] [k] __cgroup_bpf_run_filter_getsockopt_kern + +Note, exporting uapi/tcp.h requires removing netinet/tcp.h +from test_progs.h because those headers have confliciting +definitions. + +Signed-off-by: Stanislav Fomichev +Signed-off-by: Alexei Starovoitov +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/20210115163501.805133-2-sdf@google.com +Stable-dep-of: 2598619e012c ("sctp: add bpf_bypass_getsockopt proto callback") +Signed-off-by: Sasha Levin +--- + include/linux/bpf-cgroup.h | 27 +- + include/linux/indirect_call_wrapper.h | 6 + + include/net/sock.h | 2 + + include/net/tcp.h | 1 + + kernel/bpf/cgroup.c | 46 +++ + net/ipv4/tcp.c | 14 + + net/ipv4/tcp_ipv4.c | 1 + + net/ipv6/tcp_ipv6.c | 1 + + net/socket.c | 3 + + tools/include/uapi/linux/tcp.h | 357 ++++++++++++++++++ + .../selftests/bpf/prog_tests/bpf_tcp_ca.c | 1 + + .../selftests/bpf/prog_tests/cls_redirect.c | 1 + + .../selftests/bpf/prog_tests/sockmap_basic.c | 1 + + .../selftests/bpf/prog_tests/sockopt_sk.c | 28 ++ + .../testing/selftests/bpf/progs/sockopt_sk.c | 23 +- + tools/testing/selftests/bpf/test_progs.h | 1 - + 16 files changed, 506 insertions(+), 7 deletions(-) + create mode 100644 
tools/include/uapi/linux/tcp.h + +diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h +index 91b9669785418..53702b83ce5f1 100644 +--- a/include/linux/bpf-cgroup.h ++++ b/include/linux/bpf-cgroup.h +@@ -158,6 +158,10 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level, + int __user *optlen, int max_optlen, + int retval); + ++int __cgroup_bpf_run_filter_getsockopt_kern(struct sock *sk, int level, ++ int optname, void *optval, ++ int *optlen, int retval); ++ + static inline enum bpf_cgroup_storage_type cgroup_storage_type( + struct bpf_map *map) + { +@@ -404,10 +408,23 @@ int bpf_percpu_cgroup_storage_update(struct bpf_map *map, void *key, + ({ \ + int __ret = retval; \ + if (cgroup_bpf_enabled) \ +- __ret = __cgroup_bpf_run_filter_getsockopt(sock, level, \ +- optname, optval, \ +- optlen, max_optlen, \ +- retval); \ ++ if (!(sock)->sk_prot->bpf_bypass_getsockopt || \ ++ !INDIRECT_CALL_INET_1((sock)->sk_prot->bpf_bypass_getsockopt, \ ++ tcp_bpf_bypass_getsockopt, \ ++ level, optname)) \ ++ __ret = __cgroup_bpf_run_filter_getsockopt( \ ++ sock, level, optname, optval, optlen, \ ++ max_optlen, retval); \ ++ __ret; \ ++}) ++ ++#define BPF_CGROUP_RUN_PROG_GETSOCKOPT_KERN(sock, level, optname, optval, \ ++ optlen, retval) \ ++({ \ ++ int __ret = retval; \ ++ if (cgroup_bpf_enabled) \ ++ __ret = __cgroup_bpf_run_filter_getsockopt_kern( \ ++ sock, level, optname, optval, optlen, retval); \ + __ret; \ + }) + +@@ -493,6 +510,8 @@ static inline int bpf_percpu_cgroup_storage_update(struct bpf_map *map, + #define BPF_CGROUP_GETSOCKOPT_MAX_OPTLEN(optlen) ({ 0; }) + #define BPF_CGROUP_RUN_PROG_GETSOCKOPT(sock, level, optname, optval, \ + optlen, max_optlen, retval) ({ retval; }) ++#define BPF_CGROUP_RUN_PROG_GETSOCKOPT_KERN(sock, level, optname, optval, \ ++ optlen, retval) ({ retval; }) + #define BPF_CGROUP_RUN_PROG_SETSOCKOPT(sock, level, optname, optval, optlen, \ + kernel_optval) ({ 0; }) + +diff --git a/include/linux/indirect_call_wrapper.h 
b/include/linux/indirect_call_wrapper.h +index 54c02c84906ab..cfcfef37b2f1a 100644 +--- a/include/linux/indirect_call_wrapper.h ++++ b/include/linux/indirect_call_wrapper.h +@@ -60,4 +60,10 @@ + #define INDIRECT_CALL_INET(f, f2, f1, ...) f(__VA_ARGS__) + #endif + ++#if IS_ENABLED(CONFIG_INET) ++#define INDIRECT_CALL_INET_1(f, f1, ...) INDIRECT_CALL_1(f, f1, __VA_ARGS__) ++#else ++#define INDIRECT_CALL_INET_1(f, f1, ...) f(__VA_ARGS__) ++#endif ++ + #endif +diff --git a/include/net/sock.h b/include/net/sock.h +index 51b499d745499..03e7f7581559d 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1207,6 +1207,8 @@ struct proto { + + int (*backlog_rcv) (struct sock *sk, + struct sk_buff *skb); ++ bool (*bpf_bypass_getsockopt)(int level, ++ int optname); + + void (*release_cb)(struct sock *sk); + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index d213b86a48227..e231101e5001b 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -389,6 +389,7 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, + struct poll_table_struct *wait); + int tcp_getsockopt(struct sock *sk, int level, int optname, + char __user *optval, int __user *optlen); ++bool tcp_bpf_bypass_getsockopt(int level, int optname); + int tcp_setsockopt(struct sock *sk, int level, int optname, sockptr_t optval, + unsigned int optlen); + void tcp_set_keepalive(struct sock *sk, int val); +diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c +index d3593a520bb72..85927c2aa3433 100644 +--- a/kernel/bpf/cgroup.c ++++ b/kernel/bpf/cgroup.c +@@ -1546,6 +1546,52 @@ int __cgroup_bpf_run_filter_getsockopt(struct sock *sk, int level, + sockopt_free_buf(&ctx); + return ret; + } ++ ++int __cgroup_bpf_run_filter_getsockopt_kern(struct sock *sk, int level, ++ int optname, void *optval, ++ int *optlen, int retval) ++{ ++ struct cgroup *cgrp = sock_cgroup_ptr(&sk->sk_cgrp_data); ++ struct bpf_sockopt_kern ctx = { ++ .sk = sk, ++ .level = level, ++ .optname = optname, ++ .retval = retval, ++ 
.optlen = *optlen, ++ .optval = optval, ++ .optval_end = optval + *optlen, ++ }; ++ int ret; ++ ++ /* Note that __cgroup_bpf_run_filter_getsockopt doesn't copy ++ * user data back into BPF buffer when reval != 0. This is ++ * done as an optimization to avoid extra copy, assuming ++ * kernel won't populate the data in case of an error. ++ * Here we always pass the data and memset() should ++ * be called if that data shouldn't be "exported". ++ */ ++ ++ ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[BPF_CGROUP_GETSOCKOPT], ++ &ctx, BPF_PROG_RUN); ++ if (!ret) ++ return -EPERM; ++ ++ if (ctx.optlen > *optlen) ++ return -EFAULT; ++ ++ /* BPF programs only allowed to set retval to 0, not some ++ * arbitrary value. ++ */ ++ if (ctx.retval != 0 && ctx.retval != retval) ++ return -EFAULT; ++ ++ /* BPF programs can shrink the buffer, export the modifications. ++ */ ++ if (ctx.optlen != 0) ++ *optlen = ctx.optlen; ++ ++ return ctx.retval; ++} + #endif + + static ssize_t sysctl_cpy_dir(const struct ctl_dir *dir, char **bufp, +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 82abbf1929851..cc42ceadc1127 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3970,6 +3970,8 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + return -EFAULT; + lock_sock(sk); + err = tcp_zerocopy_receive(sk, &zc); ++ err = BPF_CGROUP_RUN_PROG_GETSOCKOPT_KERN(sk, level, optname, ++ &zc, &len, err); + release_sock(sk); + if (len >= offsetofend(struct tcp_zerocopy_receive, err)) + goto zerocopy_rcv_sk_err; +@@ -4004,6 +4006,18 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + return 0; + } + ++bool tcp_bpf_bypass_getsockopt(int level, int optname) ++{ ++ /* TCP do_tcp_getsockopt has optimized getsockopt implementation ++ * to avoid extra socket lock for TCP_ZEROCOPY_RECEIVE. 
++ */ ++ if (level == SOL_TCP && optname == TCP_ZEROCOPY_RECEIVE) ++ return true; ++ ++ return false; ++} ++EXPORT_SYMBOL(tcp_bpf_bypass_getsockopt); ++ + int tcp_getsockopt(struct sock *sk, int level, int optname, char __user *optval, + int __user *optlen) + { +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 270b20e0907c2..d62d5d7764ade 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -2805,6 +2805,7 @@ struct proto tcp_prot = { + .shutdown = tcp_shutdown, + .setsockopt = tcp_setsockopt, + .getsockopt = tcp_getsockopt, ++ .bpf_bypass_getsockopt = tcp_bpf_bypass_getsockopt, + .keepalive = tcp_set_keepalive, + .recvmsg = tcp_recvmsg, + .sendmsg = tcp_sendmsg, +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index fe29bc66aeac7..5392aebd48f1e 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -2135,6 +2135,7 @@ struct proto tcpv6_prot = { + .shutdown = tcp_shutdown, + .setsockopt = tcp_setsockopt, + .getsockopt = tcp_getsockopt, ++ .bpf_bypass_getsockopt = tcp_bpf_bypass_getsockopt, + .keepalive = tcp_set_keepalive, + .recvmsg = tcp_recvmsg, + .sendmsg = tcp_sendmsg, +diff --git a/net/socket.c b/net/socket.c +index 84223419da862..f2172b756c0f7 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -2137,6 +2137,9 @@ SYSCALL_DEFINE5(setsockopt, int, fd, int, level, int, optname, + return __sys_setsockopt(fd, level, optname, optval, optlen); + } + ++INDIRECT_CALLABLE_DECLARE(bool tcp_bpf_bypass_getsockopt(int level, ++ int optname)); ++ + /* + * Get a socket option. Because we don't know the option lengths we have + * to pass a user mode parameter for the protocols to sort out. 
+diff --git a/tools/include/uapi/linux/tcp.h b/tools/include/uapi/linux/tcp.h +new file mode 100644 +index 0000000000000..13ceeb395eb8f +--- /dev/null ++++ b/tools/include/uapi/linux/tcp.h +@@ -0,0 +1,357 @@ ++/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */ ++/* ++ * INET An implementation of the TCP/IP protocol suite for the LINUX ++ * operating system. INET is implemented using the BSD Socket ++ * interface as the means of communication with the user level. ++ * ++ * Definitions for the TCP protocol. ++ * ++ * Version: @(#)tcp.h 1.0.2 04/28/93 ++ * ++ * Author: Fred N. van Kempen, ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version ++ * 2 of the License, or (at your option) any later version. ++ */ ++#ifndef _UAPI_LINUX_TCP_H ++#define _UAPI_LINUX_TCP_H ++ ++#include ++#include ++#include ++ ++struct tcphdr { ++ __be16 source; ++ __be16 dest; ++ __be32 seq; ++ __be32 ack_seq; ++#if defined(__LITTLE_ENDIAN_BITFIELD) ++ __u16 res1:4, ++ doff:4, ++ fin:1, ++ syn:1, ++ rst:1, ++ psh:1, ++ ack:1, ++ urg:1, ++ ece:1, ++ cwr:1; ++#elif defined(__BIG_ENDIAN_BITFIELD) ++ __u16 doff:4, ++ res1:4, ++ cwr:1, ++ ece:1, ++ urg:1, ++ ack:1, ++ psh:1, ++ rst:1, ++ syn:1, ++ fin:1; ++#else ++#error "Adjust your defines" ++#endif ++ __be16 window; ++ __sum16 check; ++ __be16 urg_ptr; ++}; ++ ++/* ++ * The union cast uses a gcc extension to avoid aliasing problems ++ * (union is compatible to any of its members) ++ * This means this part of the code is -fstrict-aliasing safe now. 
++ */ ++union tcp_word_hdr { ++ struct tcphdr hdr; ++ __be32 words[5]; ++}; ++ ++#define tcp_flag_word(tp) ( ((union tcp_word_hdr *)(tp))->words [3]) ++ ++enum { ++ TCP_FLAG_CWR = __constant_cpu_to_be32(0x00800000), ++ TCP_FLAG_ECE = __constant_cpu_to_be32(0x00400000), ++ TCP_FLAG_URG = __constant_cpu_to_be32(0x00200000), ++ TCP_FLAG_ACK = __constant_cpu_to_be32(0x00100000), ++ TCP_FLAG_PSH = __constant_cpu_to_be32(0x00080000), ++ TCP_FLAG_RST = __constant_cpu_to_be32(0x00040000), ++ TCP_FLAG_SYN = __constant_cpu_to_be32(0x00020000), ++ TCP_FLAG_FIN = __constant_cpu_to_be32(0x00010000), ++ TCP_RESERVED_BITS = __constant_cpu_to_be32(0x0F000000), ++ TCP_DATA_OFFSET = __constant_cpu_to_be32(0xF0000000) ++}; ++ ++/* ++ * TCP general constants ++ */ ++#define TCP_MSS_DEFAULT 536U /* IPv4 (RFC1122, RFC2581) */ ++#define TCP_MSS_DESIRED 1220U /* IPv6 (tunneled), EDNS0 (RFC3226) */ ++ ++/* TCP socket options */ ++#define TCP_NODELAY 1 /* Turn off Nagle's algorithm. */ ++#define TCP_MAXSEG 2 /* Limit MSS */ ++#define TCP_CORK 3 /* Never send partially complete segments */ ++#define TCP_KEEPIDLE 4 /* Start keeplives after this period */ ++#define TCP_KEEPINTVL 5 /* Interval between keepalives */ ++#define TCP_KEEPCNT 6 /* Number of keepalives before death */ ++#define TCP_SYNCNT 7 /* Number of SYN retransmits */ ++#define TCP_LINGER2 8 /* Life time of orphaned FIN-WAIT-2 state */ ++#define TCP_DEFER_ACCEPT 9 /* Wake up listener only when data arrive */ ++#define TCP_WINDOW_CLAMP 10 /* Bound advertised window */ ++#define TCP_INFO 11 /* Information about this connection. */ ++#define TCP_QUICKACK 12 /* Block/reenable quick acks */ ++#define TCP_CONGESTION 13 /* Congestion control algorithm */ ++#define TCP_MD5SIG 14 /* TCP MD5 Signature (RFC2385) */ ++#define TCP_THIN_LINEAR_TIMEOUTS 16 /* Use linear timeouts for thin streams*/ ++#define TCP_THIN_DUPACK 17 /* Fast retrans. 
after 1 dupack */ ++#define TCP_USER_TIMEOUT 18 /* How long for loss retry before timeout */ ++#define TCP_REPAIR 19 /* TCP sock is under repair right now */ ++#define TCP_REPAIR_QUEUE 20 ++#define TCP_QUEUE_SEQ 21 ++#define TCP_REPAIR_OPTIONS 22 ++#define TCP_FASTOPEN 23 /* Enable FastOpen on listeners */ ++#define TCP_TIMESTAMP 24 ++#define TCP_NOTSENT_LOWAT 25 /* limit number of unsent bytes in write queue */ ++#define TCP_CC_INFO 26 /* Get Congestion Control (optional) info */ ++#define TCP_SAVE_SYN 27 /* Record SYN headers for new connections */ ++#define TCP_SAVED_SYN 28 /* Get SYN headers recorded for connection */ ++#define TCP_REPAIR_WINDOW 29 /* Get/set window parameters */ ++#define TCP_FASTOPEN_CONNECT 30 /* Attempt FastOpen with connect */ ++#define TCP_ULP 31 /* Attach a ULP to a TCP connection */ ++#define TCP_MD5SIG_EXT 32 /* TCP MD5 Signature with extensions */ ++#define TCP_FASTOPEN_KEY 33 /* Set the key for Fast Open (cookie) */ ++#define TCP_FASTOPEN_NO_COOKIE 34 /* Enable TFO without a TFO cookie */ ++#define TCP_ZEROCOPY_RECEIVE 35 ++#define TCP_INQ 36 /* Notify bytes available to read as a cmsg on read */ ++ ++#define TCP_CM_INQ TCP_INQ ++ ++#define TCP_TX_DELAY 37 /* delay outgoing packets by XX usec */ ++ ++ ++#define TCP_REPAIR_ON 1 ++#define TCP_REPAIR_OFF 0 ++#define TCP_REPAIR_OFF_NO_WP -1 /* Turn off without window probes */ ++ ++struct tcp_repair_opt { ++ __u32 opt_code; ++ __u32 opt_val; ++}; ++ ++struct tcp_repair_window { ++ __u32 snd_wl1; ++ __u32 snd_wnd; ++ __u32 max_window; ++ ++ __u32 rcv_wnd; ++ __u32 rcv_wup; ++}; ++ ++enum { ++ TCP_NO_QUEUE, ++ TCP_RECV_QUEUE, ++ TCP_SEND_QUEUE, ++ TCP_QUEUES_NR, ++}; ++ ++/* why fastopen failed from client perspective */ ++enum tcp_fastopen_client_fail { ++ TFO_STATUS_UNSPEC, /* catch-all */ ++ TFO_COOKIE_UNAVAILABLE, /* if not in TFO_CLIENT_NO_COOKIE mode */ ++ TFO_DATA_NOT_ACKED, /* SYN-ACK did not ack SYN data */ ++ TFO_SYN_RETRANSMITTED, /* SYN-ACK did not ack SYN data after timeout */ 
++}; ++ ++/* for TCP_INFO socket option */ ++#define TCPI_OPT_TIMESTAMPS 1 ++#define TCPI_OPT_SACK 2 ++#define TCPI_OPT_WSCALE 4 ++#define TCPI_OPT_ECN 8 /* ECN was negociated at TCP session init */ ++#define TCPI_OPT_ECN_SEEN 16 /* we received at least one packet with ECT */ ++#define TCPI_OPT_SYN_DATA 32 /* SYN-ACK acked data in SYN sent or rcvd */ ++ ++/* ++ * Sender's congestion state indicating normal or abnormal situations ++ * in the last round of packets sent. The state is driven by the ACK ++ * information and timer events. ++ */ ++enum tcp_ca_state { ++ /* ++ * Nothing bad has been observed recently. ++ * No apparent reordering, packet loss, or ECN marks. ++ */ ++ TCP_CA_Open = 0, ++#define TCPF_CA_Open (1< ++#include + #include + #include "bpf_dctcp.skel.h" + #include "bpf_cubic.skel.h" +diff --git a/tools/testing/selftests/bpf/prog_tests/cls_redirect.c b/tools/testing/selftests/bpf/prog_tests/cls_redirect.c +index 9781d85cb2239..e075d03ab630a 100644 +--- a/tools/testing/selftests/bpf/prog_tests/cls_redirect.c ++++ b/tools/testing/selftests/bpf/prog_tests/cls_redirect.c +@@ -7,6 +7,7 @@ + #include + + #include ++#include + + #include + +diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c +index 85f73261fab0a..b8b48cac2ac3d 100644 +--- a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c ++++ b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + // Copyright (c) 2020 Cloudflare + #include ++#include + + #include "test_progs.h" + #include "test_skmsg_load_helpers.skel.h" +diff --git a/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c b/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c +index b25c9c45c1484..d5b44b135c00d 100644 +--- a/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c ++++ b/tools/testing/selftests/bpf/prog_tests/sockopt_sk.c +@@ -2,6 +2,12 @@ + #include + #include "cgroup_helpers.h" + ++#include ++ 
++#ifndef SOL_TCP ++#define SOL_TCP IPPROTO_TCP ++#endif ++ + #define SOL_CUSTOM 0xdeadbeef + + static int getsetsockopt(void) +@@ -11,6 +17,7 @@ static int getsetsockopt(void) + char u8[4]; + __u32 u32; + char cc[16]; /* TCP_CA_NAME_MAX */ ++ struct tcp_zerocopy_receive zc; + } buf = {}; + socklen_t optlen; + char *big_buf = NULL; +@@ -154,6 +161,27 @@ static int getsetsockopt(void) + goto err; + } + ++ /* TCP_ZEROCOPY_RECEIVE triggers */ ++ memset(&buf, 0, sizeof(buf)); ++ optlen = sizeof(buf.zc); ++ err = getsockopt(fd, SOL_TCP, TCP_ZEROCOPY_RECEIVE, &buf, &optlen); ++ if (err) { ++ log_err("Unexpected getsockopt(TCP_ZEROCOPY_RECEIVE) err=%d errno=%d", ++ err, errno); ++ goto err; ++ } ++ ++ memset(&buf, 0, sizeof(buf)); ++ buf.zc.address = 12345; /* rejected by BPF */ ++ optlen = sizeof(buf.zc); ++ errno = 0; ++ err = getsockopt(fd, SOL_TCP, TCP_ZEROCOPY_RECEIVE, &buf, &optlen); ++ if (errno != EPERM) { ++ log_err("Unexpected getsockopt(TCP_ZEROCOPY_RECEIVE) err=%d errno=%d", ++ err, errno); ++ goto err; ++ } ++ + free(big_buf); + close(fd); + return 0; +diff --git a/tools/testing/selftests/bpf/progs/sockopt_sk.c b/tools/testing/selftests/bpf/progs/sockopt_sk.c +index 712df7b49cb1a..d3597f81e6e94 100644 +--- a/tools/testing/selftests/bpf/progs/sockopt_sk.c ++++ b/tools/testing/selftests/bpf/progs/sockopt_sk.c +@@ -1,8 +1,8 @@ + // SPDX-License-Identifier: GPL-2.0 + #include +-#include +-#include ++#include + #include ++#include + #include + + char _license[] SEC("license") = "GPL"; +@@ -12,6 +12,10 @@ __u32 _version SEC("version") = 1; + #define PAGE_SIZE 4096 + #endif + ++#ifndef SOL_TCP ++#define SOL_TCP IPPROTO_TCP ++#endif ++ + #define SOL_CUSTOM 0xdeadbeef + + struct sockopt_sk { +@@ -57,6 +61,21 @@ int _getsockopt(struct bpf_sockopt *ctx) + return 1; + } + ++ if (ctx->level == SOL_TCP && ctx->optname == TCP_ZEROCOPY_RECEIVE) { ++ /* Verify that TCP_ZEROCOPY_RECEIVE triggers. ++ * It has a custom implementation for performance ++ * reasons. 
++ */ ++ ++ if (optval + sizeof(struct tcp_zerocopy_receive) > optval_end) ++ return 0; /* EPERM, bounds check */ ++ ++ if (((struct tcp_zerocopy_receive *)optval)->address != 0) ++ return 0; /* EPERM, unexpected data */ ++ ++ return 1; ++ } ++ + if (ctx->level == SOL_IP && ctx->optname == IP_FREEBIND) { + if (optval + 1 > optval_end) + return 0; /* EPERM, bounds check */ +diff --git a/tools/testing/selftests/bpf/test_progs.h b/tools/testing/selftests/bpf/test_progs.h +index 238f5f61189ee..1d429d67f8ddc 100644 +--- a/tools/testing/selftests/bpf/test_progs.h ++++ b/tools/testing/selftests/bpf/test_progs.h +@@ -16,7 +16,6 @@ typedef __u16 __sum16; + #include + #include + #include +-#include + #include + #include + #include +-- +2.39.2 + diff --git a/tmp-5.10/bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch b/tmp-5.10/bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch new file mode 100644 index 00000000000..dfa0414e7c7 --- /dev/null +++ b/tmp-5.10/bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch 
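Review bot: In __cgroup_bpf_run_filter_getsockopt_kern() (kernel/bpf/cgroup.c) the length check `if (ctx.optlen > *optlen)` has no lower bound, so a negative `ctx.optlen` would pass it and then be written back by `*optlen = ctx.optlen`. The caller in do_tcp_getsockopt() compares the returned `len` with `offsetofend(struct tcp_zerocopy_receive, err)` straight after the hook, so the value is better rejected at the source: `if (ctx.optlen < 0 || ctx.optlen > *optlen) return -EFAULT;`. Whether a program can actually store a negative length depends on the `bpf_sockopt_kern` field type and the verifier's access rules, neither of which is shown in this patch. The comment above the program run also has a typo, `reval` for `retval`.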
@@ -0,0 +1,75 @@ +From 08e94dd671f1cf66d7c8791d504ecf41c85a776f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 17:28:11 +0800 +Subject: bpf, riscv: Support riscv jit to provide bpf_line_info + +From: Pu Lehui + +[ Upstream commit 3cb70413041fdf028fa1ba3986fd0c6aec9e3dcb ] + +Add support for riscv jit to provide bpf_line_info. We need to +consider the prologue offset in ctx->offset, but unlike x86 and +arm64, ctx->offset of riscv does not provide an extra slot for +the prologue, so here we just calculate the len of prologue and +add it to ctx->offset at the end. Both RV64 and RV32 have been +tested. + +Signed-off-by: Pu Lehui +Signed-off-by: Daniel Borkmann +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20220530092815.1112406-3-pulehui@huawei.com +Stable-dep-of: c56fb2aab235 ("riscv, bpf: Fix inconsistent JIT image generation") +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit.h | 1 + + arch/riscv/net/bpf_jit_core.c | 8 +++++++- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/arch/riscv/net/bpf_jit.h b/arch/riscv/net/bpf_jit.h +index 75c1e99968675..ab0cd6d10ccf3 100644 +--- a/arch/riscv/net/bpf_jit.h ++++ b/arch/riscv/net/bpf_jit.h +@@ -69,6 +69,7 @@ struct rv_jit_context { + struct bpf_prog *prog; + u16 *insns; /* RV insns */ + int ninsns; ++ int body_len; + int epilogue_offset; + int *offset; /* BPF to RV */ + unsigned long flags; +diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c +index 5d247198c30d3..750b15c319d5d 100644 +--- a/arch/riscv/net/bpf_jit_core.c ++++ b/arch/riscv/net/bpf_jit_core.c +@@ -43,7 +43,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + { + bool tmp_blinded = false, extra_pass = false; + struct bpf_prog *tmp, *orig_prog = prog; +- int pass = 0, prev_ninsns = 0, i; ++ int pass = 0, prev_ninsns = 0, prologue_len, i; + struct rv_jit_data *jit_data; + struct rv_jit_context *ctx; + unsigned int image_size = 0; +@@ -95,6 +95,7 @@ struct 
bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + prog = orig_prog; + goto out_offset; + } ++ ctx->body_len = ctx->ninsns; + bpf_jit_build_prologue(ctx); + ctx->epilogue_offset = ctx->ninsns; + bpf_jit_build_epilogue(ctx); +@@ -154,6 +155,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + + if (!prog->is_func || extra_pass) { + bpf_jit_binary_lock_ro(jit_data->header); ++ prologue_len = ctx->epilogue_offset - ctx->body_len; ++ for (i = 0; i < prog->len; i++) ++ ctx->offset[i] = ninsns_rvoff(prologue_len + ++ ctx->offset[i]); ++ bpf_prog_fill_jited_linfo(prog, ctx->offset); + out_offset: + kfree(ctx->offset); + kfree(jit_data); +-- +2.39.2 + diff --git a/tmp-5.10/bpftool-jit-limited-misreported-as-negative-value-on.patch b/tmp-5.10/bpftool-jit-limited-misreported-as-negative-value-on.patch new file mode 100644 index 00000000000..32ab203ba20 --- /dev/null +++ b/tmp-5.10/bpftool-jit-limited-misreported-as-negative-value-on.patch 
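Review bot: The loop added before `bpf_prog_fill_jited_linfo()` in bpf_int_jit_compile() overwrites `ctx->offset[i]` in place with the result of `ninsns_rvoff()`, so the array changes meaning at that point (presumably from instruction counts to byte offsets) and no comment records it. The computation also relies on `ctx->body_len` having been captured just before `bpf_jit_build_prologue()` ran, which is why `ctx->epilogue_offset - ctx->body_len` gives the prologue length. A short comment would make both visible, e.g. `/* prologue is emitted after the body was sized: its length is epilogue_offset - body_len; offset[] is converted for line info and freed below */`. The function starts and ends outside the hunks shown.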
@@ -0,0 +1,150 @@ +From 552d2c67c3b8477e01cbb07b789aaae37bd66863 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 12:31:34 +0100 +Subject: bpftool: JIT limited misreported as negative value on aarch64 + +From: Alan Maguire + +[ Upstream commit 04cb8453a91c7c22f60ddadb6cef0d19abb33bb5 ] + +On aarch64, "bpftool feature" reports an incorrect BPF JIT limit: + +$ sudo /sbin/bpftool feature +Scanning system configuration... +bpf() syscall restricted to privileged users +JIT compiler is enabled +JIT compiler hardening is disabled +JIT compiler kallsyms exports are enabled for root +skipping kernel config, can't open file: No such file or directory +Global memory limit for JIT compiler for unprivileged users is -201326592 bytes + +This is because /proc/sys/net/core/bpf_jit_limit reports + +$ sudo cat /proc/sys/net/core/bpf_jit_limit +68169519595520 + +...and an int is assumed in read_procfs(). Change read_procfs() +to return a long to avoid negative value reporting. + +Fixes: 7a4522bbef0c ("tools: bpftool: add probes for /proc/ eBPF parameters") +Reported-by: Nicky Veitch +Signed-off-by: Alan Maguire +Signed-off-by: Daniel Borkmann +Acked-by: Jiri Olsa +Acked-by: Quentin Monnet +Link: https://lore.kernel.org/bpf/20230512113134.58996-1-alan.maguire@oracle.com +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/feature.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/tools/bpf/bpftool/feature.c b/tools/bpf/bpftool/feature.c +index 359960a8f1def..5f0b1397798ed 100644 +--- a/tools/bpf/bpftool/feature.c ++++ b/tools/bpf/bpftool/feature.c +@@ -135,12 +135,12 @@ static void print_end_section(void) + + /* Probing functions */ + +-static int read_procfs(const char *path) ++static long read_procfs(const char *path) + { + char *endptr, *line = NULL; + size_t len = 0; + FILE *fd; +- int res; ++ long res; + + fd = fopen(path, "r"); + if (!fd) +@@ -162,7 +162,7 @@ static int read_procfs(const char *path) + + static 
void probe_unprivileged_disabled(void) + { +- int res; ++ long res; + + /* No support for C-style ouptut */ + +@@ -181,14 +181,14 @@ static void probe_unprivileged_disabled(void) + printf("Unable to retrieve required privileges for bpf() syscall\n"); + break; + default: +- printf("bpf() syscall restriction has unknown value %d\n", res); ++ printf("bpf() syscall restriction has unknown value %ld\n", res); + } + } + } + + static void probe_jit_enable(void) + { +- int res; ++ long res; + + /* No support for C-style ouptut */ + +@@ -210,7 +210,7 @@ static void probe_jit_enable(void) + printf("Unable to retrieve JIT-compiler status\n"); + break; + default: +- printf("JIT-compiler status has unknown value %d\n", ++ printf("JIT-compiler status has unknown value %ld\n", + res); + } + } +@@ -218,7 +218,7 @@ static void probe_jit_enable(void) + + static void probe_jit_harden(void) + { +- int res; ++ long res; + + /* No support for C-style ouptut */ + +@@ -240,7 +240,7 @@ static void probe_jit_harden(void) + printf("Unable to retrieve JIT hardening status\n"); + break; + default: +- printf("JIT hardening status has unknown value %d\n", ++ printf("JIT hardening status has unknown value %ld\n", + res); + } + } +@@ -248,7 +248,7 @@ static void probe_jit_harden(void) + + static void probe_jit_kallsyms(void) + { +- int res; ++ long res; + + /* No support for C-style ouptut */ + +@@ -267,14 +267,14 @@ static void probe_jit_kallsyms(void) + printf("Unable to retrieve JIT kallsyms export status\n"); + break; + default: +- printf("JIT kallsyms exports status has unknown value %d\n", res); ++ printf("JIT kallsyms exports status has unknown value %ld\n", res); + } + } + } + + static void probe_jit_limit(void) + { +- int res; ++ long res; + + /* No support for C-style ouptut */ + +@@ -287,7 +287,7 @@ static void probe_jit_limit(void) + printf("Unable to retrieve global memory limit for JIT compiler for unprivileged users\n"); + break; + default: +- printf("Global memory limit for JIT 
compiler for unprivileged users is %d bytes\n", res); ++ printf("Global memory limit for JIT compiler for unprivileged users is %ld bytes\n", res); + } + } + } +-- +2.39.2 + diff --git a/tmp-5.10/bridge-add-extack-warning-when-enabling-stp-in-netns.patch b/tmp-5.10/bridge-add-extack-warning-when-enabling-stp-in-netns.patch new file mode 100644 index 00000000000..bffca1287de --- /dev/null +++ b/tmp-5.10/bridge-add-extack-warning-when-enabling-stp-in-netns.patch 
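Review bot: `long res;` in `read_procfs()` is still 32 bits wide on ILP32 builds, so the limit quoted in the commit message (68169519595520) would not fit there either and a 32-bit bpftool could still misreport the JIT limit. The conversion call is outside the visible lines, so this is inferred from the declaration and the `%ld` printers. If it is `strtol()`, using `long long res;` with `strtoll()` and `%lld` in the five probe functions would cover both ABIs. A comment above `read_procfs()` should also say which return value means failure, since every caller switches on it.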
@@ -0,0 +1,71 @@
+From 6de5f7786c7355b0e715b0576e11f5e207a88a2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Jul 2023 08:44:49 -0700
+Subject: bridge: Add extack warning when enabling STP in netns.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 56a16035bb6effb37177867cea94c13a8382f745 ]
+
+When we create an L2 loop on a bridge in netns, we will see packets storm
+even if STP is enabled.
+
+ # unshare -n
+ # ip link add br0 type bridge
+ # ip link add veth0 type veth peer name veth1
+ # ip link set veth0 master br0 up
+ # ip link set veth1 master br0 up
+ # ip link set br0 type bridge stp_state 1
+ # ip link set br0 up
+ # sleep 30
+ # ip -s link show br0
+ 2: br0: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
+ link/ether b6:61:98:1c:1c:b5 brd ff:ff:ff:ff:ff:ff
+ RX: bytes packets errors dropped missed mcast
+ 956553768 12861249 0 0 0 12861249 <-. Keep
+ TX: bytes packets errors dropped carrier collsns | increasing
+ 1027834 11951 0 0 0 0 <-' rapidly
+
+This is because llc_rcv() drops all packets in non-root netns and BPDU
+is dropped.
+
+Let's add extack warning when enabling STP in netns.
+
+ # unshare -n
+ # ip link add br0 type bridge
+ # ip link set br0 type bridge stp_state 1
+ Warning: bridge: STP does not work in non-root netns.
+
+Note this commit will be reverted later when we namespacify the whole LLC
+infra.
+
+Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe")
+Suggested-by: Harry Coin
+Link: https://lore.kernel.org/netdev/0f531295-e289-022d-5add-5ceffa0df9bc@quietfountain.com/
+Suggested-by: Ido Schimmel
+Signed-off-by: Kuniyuki Iwashima
+Acked-by: Nikolay Aleksandrov
+Reviewed-by: Ido Schimmel
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/bridge/br_stp_if.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
+index ba55851fe132c..3326dfced68ab 100644
+--- a/net/bridge/br_stp_if.c
++++ b/net/bridge/br_stp_if.c
+@@ -201,6 +201,9 @@ int br_stp_set_enabled(struct net_bridge *br, unsigned long val,
+ {
+ ASSERT_RTNL();
+
++ if (!net_eq(dev_net(br->dev), &init_net))
++ NL_SET_ERR_MSG_MOD(extack, "STP does not work in non-root netns");
++
+ if (br_mrp_enabled(br)) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "STP can't be enabled if MRP is already enabled");
+--
+2.39.2
+
diff --git a/tmp-5.10/btrfs-add-handling-for-raid1c23-dup-to-btrfs_reduce_alloc_profile.patch b/tmp-5.10/btrfs-add-handling-for-raid1c23-dup-to-btrfs_reduce_alloc_profile.patch
new file mode 100644
index 00000000000..0ba8800a4d8
--- /dev/null
+++ b/tmp-5.10/btrfs-add-handling-for-raid1c23-dup-to-btrfs_reduce_alloc_profile.patch
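Review bot: The added `net_eq()` check in `br_stp_set_enabled()` only sets an extack message and then falls through, so STP is still switched on in a non-root netns where, per the commit message, `llc_rcv()` drops the BPDUs and a loop keeps storming. A comment above the check would make that intent explicit, for example `/* Warning only: BPDUs are dropped outside init_net, so STP is enabled but cannot break loops */`. The MRP branch right below sets extack again, so when both conditions hold the netns warning is presumably replaced by the MRP error. The function body continues outside the hunk.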
@@ -0,0 +1,140 @@ +From 160fe8f6fdb13da6111677be6263e5d65e875987 Mon Sep 17 00:00:00 2001 +From: Matt Corallo +Date: Mon, 5 Jun 2023 16:49:45 -0700 +Subject: btrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile + +From: Matt Corallo + +commit 160fe8f6fdb13da6111677be6263e5d65e875987 upstream. + +Callers of `btrfs_reduce_alloc_profile` expect it to return exactly +one allocation profile flag, and failing to do so may ultimately +result in a WARN_ON and remount-ro when allocating new blocks, like +the below transaction abort on 6.1. + +`btrfs_reduce_alloc_profile` has two ways of determining the profile, +first it checks if a conversion balance is currently running and +uses the profile we're converting to. If no balance is currently +running, it returns the max-redundancy profile which at least one +block in the selected block group has. + +This works by simply checking each known allocation profile bit in +redundancy order. However, `btrfs_reduce_alloc_profile` has not been +updated as new flags have been added - first with the `DUP` profile +and later with the RAID1C34 profiles. + +Because of the way it checks, if we have blocks with different +profiles and at least one is known, that profile will be selected. +However, if none are known we may return a flag set with multiple +allocation profiles set. + +This is currently only possible when a balance from one of the three +unhandled profiles to another of the unhandled profiles is canceled +after allocating at least one block using the new profile. + +In that case, a transaction abort like the below will occur and the +filesystem will need to be mounted with -o skip_balance to get it +mounted rw again (but the balance cannot be resumed without a +similar abort). 
+ + [770.648] ------------[ cut here ]------------ + [770.648] BTRFS: Transaction aborted (error -22) + [770.648] WARNING: CPU: 43 PID: 1159593 at fs/btrfs/extent-tree.c:4122 find_free_extent+0x1d94/0x1e00 [btrfs] + [770.648] CPU: 43 PID: 1159593 Comm: btrfs Tainted: G W 6.1.0-0.deb11.7-powerpc64le #1 Debian 6.1.20-2~bpo11+1a~test + [770.648] Hardware name: T2P9D01 REV 1.00 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV + [770.648] NIP: c00800000f6784fc LR: c00800000f6784f8 CTR: c000000000d746c0 + [770.648] REGS: c000200089afe9a0 TRAP: 0700 Tainted: G W (6.1.0-0.deb11.7-powerpc64le Debian 6.1.20-2~bpo11+1a~test) + [770.648] MSR: 9000000002029033 CR: 28848282 XER: 20040000 + [770.648] CFAR: c000000000135110 IRQMASK: 0 + GPR00: c00800000f6784f8 c000200089afec40 c00800000f7ea800 0000000000000026 + GPR04: 00000001004820c2 c000200089afea00 c000200089afe9f8 0000000000000027 + GPR08: c000200ffbfe7f98 c000000002127f90 ffffffffffffffd8 0000000026d6a6e8 + GPR12: 0000000028848282 c000200fff7f3800 5deadbeef0000122 c00000002269d000 + GPR16: c0002008c7797c40 c000200089afef17 0000000000000000 0000000000000000 + GPR20: 0000000000000000 0000000000000001 c000200008bc5a98 0000000000000001 + GPR24: 0000000000000000 c0000003c73088d0 c000200089afef17 c000000016d3a800 + GPR28: c0000003c7308800 c00000002269d000 ffffffffffffffea 0000000000000001 + [770.648] NIP [c00800000f6784fc] find_free_extent+0x1d94/0x1e00 [btrfs] + [770.648] LR [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs] + [770.648] Call Trace: + [770.648] [c000200089afec40] [c00800000f6784f8] find_free_extent+0x1d90/0x1e00 [btrfs] (unreliable) + [770.648] [c000200089afed30] [c00800000f681398] btrfs_reserve_extent+0x1a0/0x2f0 [btrfs] + [770.648] [c000200089afeea0] [c00800000f681bf0] btrfs_alloc_tree_block+0x108/0x670 [btrfs] + [770.648] [c000200089afeff0] [c00800000f66bd68] __btrfs_cow_block+0x170/0x850 [btrfs] + [770.648] [c000200089aff100] [c00800000f66c58c] btrfs_cow_block+0x144/0x288 [btrfs] + [770.648] 
[c000200089aff1b0] [c00800000f67113c] btrfs_search_slot+0x6b4/0xcb0 [btrfs] + [770.648] [c000200089aff2a0] [c00800000f679f60] lookup_inline_extent_backref+0x128/0x7c0 [btrfs] + [770.648] [c000200089aff3b0] [c00800000f67b338] lookup_extent_backref+0x70/0x190 [btrfs] + [770.648] [c000200089aff470] [c00800000f67b54c] __btrfs_free_extent+0xf4/0x1490 [btrfs] + [770.648] [c000200089aff5a0] [c00800000f67d770] __btrfs_run_delayed_refs+0x328/0x1530 [btrfs] + [770.648] [c000200089aff740] [c00800000f67ea2c] btrfs_run_delayed_refs+0xb4/0x3e0 [btrfs] + [770.648] [c000200089aff800] [c00800000f699aa4] btrfs_commit_transaction+0x8c/0x12b0 [btrfs] + [770.648] [c000200089aff8f0] [c00800000f6dc628] reset_balance_state+0x1c0/0x290 [btrfs] + [770.648] [c000200089aff9a0] [c00800000f6e2f7c] btrfs_balance+0x1164/0x1500 [btrfs] + [770.648] [c000200089affb40] [c00800000f6f8e4c] btrfs_ioctl+0x2b54/0x3100 [btrfs] + [770.648] [c000200089affc80] [c00000000053be14] sys_ioctl+0x794/0x1310 + [770.648] [c000200089affd70] [c00000000002af98] system_call_exception+0x138/0x250 + [770.648] [c000200089affe10] [c00000000000c654] system_call_common+0xf4/0x258 + [770.648] --- interrupt: c00 at 0x7fff94126800 + [770.648] NIP: 00007fff94126800 LR: 0000000107e0b594 CTR: 0000000000000000 + [770.648] REGS: c000200089affe80 TRAP: 0c00 Tainted: G W (6.1.0-0.deb11.7-powerpc64le Debian 6.1.20-2~bpo11+1a~test) + [770.648] MSR: 900000000000d033 CR: 24002848 XER: 00000000 + [770.648] IRQMASK: 0 + GPR00: 0000000000000036 00007fffc9439da0 00007fff94217100 0000000000000003 + GPR04: 00000000c4009420 00007fffc9439ee8 0000000000000000 0000000000000000 + GPR08: 00000000803c7416 0000000000000000 0000000000000000 0000000000000000 + GPR12: 0000000000000000 00007fff9467d120 0000000107e64c9c 0000000107e64d0a + GPR16: 0000000107e64d06 0000000107e64cf1 0000000107e64cc4 0000000107e64c73 + GPR20: 0000000107e64c31 0000000107e64bf1 0000000107e64be7 0000000000000000 + GPR24: 0000000000000000 00007fffc9439ee0 0000000000000003 
0000000000000001 + GPR28: 00007fffc943f713 0000000000000000 00007fffc9439ee8 0000000000000000 + [770.648] NIP [00007fff94126800] 0x7fff94126800 + [770.648] LR [0000000107e0b594] 0x107e0b594 + [770.648] --- interrupt: c00 + [770.648] Instruction dump: + [770.648] 3b00ffe4 e8898828 481175f5 60000000 4bfff4fc 3be00000 4bfff570 3d220000 + [770.648] 7fc4f378 e8698830 4811cd95 e8410018 <0fe00000> f9c10060 f9e10068 fa010070 + [770.648] ---[ end trace 0000000000000000 ]--- + [770.648] BTRFS: error (device dm-2: state A) in find_free_extent_update_loop:4122: errno=-22 unknown + [770.648] BTRFS info (device dm-2: state EA): forced readonly + [770.648] BTRFS: error (device dm-2: state EA) in __btrfs_free_extent:3070: errno=-22 unknown + [770.648] BTRFS error (device dm-2: state EA): failed to run delayed ref for logical 17838685708288 num_bytes 24576 type 184 action 2 ref_mod 1: -22 + [770.648] BTRFS: error (device dm-2: state EA) in btrfs_run_delayed_refs:2144: errno=-22 unknown + [770.648] BTRFS: error (device dm-2: state EA) in reset_balance_state:3599: errno=-22 unknown + +Fixes: 47e6f7423b91 ("btrfs: add support for 3-copy replication (raid1c3)") +Fixes: 8d6fac0087e5 ("btrfs: add support for 4-copy replication (raid1c4)") +CC: stable@vger.kernel.org # 5.10+ +Signed-off-by: Matt Corallo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/block-group.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -77,14 +77,21 @@ static u64 btrfs_reduce_alloc_profile(st + } + allowed &= flags; + +- if (allowed & BTRFS_BLOCK_GROUP_RAID6) ++ /* Select the highest-redundancy RAID level. 
*/ ++ if (allowed & BTRFS_BLOCK_GROUP_RAID1C4) ++ allowed = BTRFS_BLOCK_GROUP_RAID1C4; ++ else if (allowed & BTRFS_BLOCK_GROUP_RAID6) + allowed = BTRFS_BLOCK_GROUP_RAID6; ++ else if (allowed & BTRFS_BLOCK_GROUP_RAID1C3) ++ allowed = BTRFS_BLOCK_GROUP_RAID1C3; + else if (allowed & BTRFS_BLOCK_GROUP_RAID5) + allowed = BTRFS_BLOCK_GROUP_RAID5; + else if (allowed & BTRFS_BLOCK_GROUP_RAID10) + allowed = BTRFS_BLOCK_GROUP_RAID10; + else if (allowed & BTRFS_BLOCK_GROUP_RAID1) + allowed = BTRFS_BLOCK_GROUP_RAID1; ++ else if (allowed & BTRFS_BLOCK_GROUP_DUP) ++ allowed = BTRFS_BLOCK_GROUP_DUP; + else if (allowed & BTRFS_BLOCK_GROUP_RAID0) + allowed = BTRFS_BLOCK_GROUP_RAID0; + diff --git a/tmp-5.10/btrfs-add-xxhash-to-fast-checksum-implementations.patch b/tmp-5.10/btrfs-add-xxhash-to-fast-checksum-implementations.patch new file mode 100644 index 00000000000..e414278a044 --- /dev/null +++ b/tmp-5.10/btrfs-add-xxhash-to-fast-checksum-implementations.patch 
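Review bot: The `if`/`else if` chain in `btrfs_reduce_alloc_profile()` still ends without a terminal branch in the visible lines, so a profile bit added later would again leave several bits set in `allowed`, the condition the commit message ties to the transaction abort. If the rest of the function (outside this hunk) does not already check for it, a guard after the chain such as `WARN_ON_ONCE(hweight64(allowed) > 1);` would surface the next omission early instead of at block allocation. The added comment could also state that the list must stay in redundancy order and be extended with each new profile.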
@@ -0,0 +1,59 @@
+From e5ee8c5207d9f24f23793dfd48a8e455cc585c98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 Apr 2023 00:06:02 +0200
+Subject: btrfs: add xxhash to fast checksum implementations
+
+From: David Sterba
+
+[ Upstream commit efcfcbc6a36195c42d98e0ee697baba36da94dc8 ]
+
+The implementation of XXHASH is now CPU only but still fast enough to be
+considered for the synchronous checksumming, like non-generic crc32c.
+
+A userspace benchmark comparing it to various implementations (patched
+hash-speedtest from btrfs-progs):
+
+ Block size: 4096
+ Iterations: 1000000
+ Implementation: builtin
+ Units: CPU cycles
+
+ NULL-NOP: cycles: 73384294, cycles/i 73
+ NULL-MEMCPY: cycles: 228033868, cycles/i 228, 61664.320 MiB/s
+ CRC32C-ref: cycles: 24758559416, cycles/i 24758, 567.950 MiB/s
+ CRC32C-NI: cycles: 1194350470, cycles/i 1194, 11773.433 MiB/s
+ CRC32C-ADLERSW: cycles: 6150186216, cycles/i 6150, 2286.372 MiB/s
+ CRC32C-ADLERHW: cycles: 626979180, cycles/i 626, 22427.453 MiB/s
+ CRC32C-PCL: cycles: 466746732, cycles/i 466, 30126.699 MiB/s
+ XXHASH: cycles: 860656400, cycles/i 860, 16338.188 MiB/s
+
+Comparing purely software implementation (ref), current outdated
+accelerated using crc32q instruction (NI), optimized implementations by
+M. Adler (https://stackoverflow.com/questions/17645167/implementing-sse-4-2s-crc32c-in-software/17646775#17646775)
+and the best one that was taken from kernel using the PCLMULQDQ
+instruction (PCL).
+
+Reviewed-by: Christoph Hellwig
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/disk-io.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index 5a114cad988a6..608b939a4d287 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2256,6 +2256,9 @@ static int btrfs_init_csum_hash(struct btrfs_fs_info *fs_info, u16 csum_type)
+ if (!strstr(crypto_shash_driver_name(csum_shash), "generic"))
+ set_bit(BTRFS_FS_CSUM_IMPL_FAST, &fs_info->flags);
+ break;
++ case BTRFS_CSUM_TYPE_XXHASH:
++ set_bit(BTRFS_FS_CSUM_IMPL_FAST, &fs_info->flags);
++ break;
+ default:
+ break;
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch b/tmp-5.10/btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch
new file mode 100644
index 00000000000..cd074599537
--- /dev/null
+++ b/tmp-5.10/btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch
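Review bot: The new `case BTRFS_CSUM_TYPE_XXHASH:` sets `BTRFS_FS_CSUM_IMPL_FAST` unconditionally, while the branch just above it first checks that the driver name does not contain "generic", and nothing in the code says why the two differ. The reason is given only in the commit message, so I would put it next to the case: `/* xxhash has only a CPU implementation, fast enough for synchronous checksumming */`. The `switch` starts outside the hunk.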
@@ -0,0 +1,84 @@ +From b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 19 Jun 2023 17:21:47 +0100 +Subject: btrfs: fix race when deleting quota root from the dirty cow roots list + +From: Filipe Manana + +commit b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 upstream. + +When disabling quotas we are deleting the quota root from the list +fs_info->dirty_cowonly_roots without taking the lock that protects it, +which is struct btrfs_fs_info::trans_lock. This unsynchronized list +manipulation may cause chaos if there's another concurrent manipulation +of this list, such as when adding a root to it with +ctree.c:add_root_to_dirty_list(). + +This can result in all sorts of weird failures caused by a race, such as +the following crash: + + [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI + [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 + [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 + [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] + [337571.279928] Code: 85 38 06 00 (...) 
+ [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 + [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 + [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 + [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b + [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 + [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 + [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 + [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 + [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [337571.282874] Call Trace: + [337571.283101] + [337571.283327] ? __die_body+0x1b/0x60 + [337571.283570] ? die_addr+0x39/0x60 + [337571.283796] ? exc_general_protection+0x22e/0x430 + [337571.284022] ? asm_exc_general_protection+0x22/0x30 + [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] + [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] + [337571.284803] ? _raw_spin_unlock+0x15/0x30 + [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] + [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] + [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] + [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 + [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] + [337571.286358] ? mod_objcg_state+0xd2/0x360 + [337571.286577] ? refill_obj_stock+0xb0/0x160 + [337571.286798] ? seq_release+0x25/0x30 + [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 + [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 + [337571.287455] ? 
__x64_sys_ioctl+0x88/0xc0 + [337571.287675] __x64_sys_ioctl+0x88/0xc0 + [337571.287901] do_syscall_64+0x38/0x90 + [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc + [337571.288352] RIP: 0033:0x7f478aaffe9b + +So fix this by locking struct btrfs_fs_info::trans_lock before deleting +the quota root from that list. + +Fixes: bed92eae26cc ("Btrfs: qgroup implementation and prototypes") +CC: stable@vger.kernel.org # 4.14+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -1270,7 +1270,9 @@ int btrfs_quota_disable(struct btrfs_fs_ + goto out; + } + ++ spin_lock(&fs_info->trans_lock); + list_del("a_root->dirty_list); ++ spin_unlock(&fs_info->trans_lock); + + btrfs_tree_lock(quota_root->node); + btrfs_clean_tree_block(quota_root->node); diff --git a/tmp-5.10/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch b/tmp-5.10/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch new file mode 100644 index 00000000000..7d08db87820 --- /dev/null +++ b/tmp-5.10/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch 
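Review bot: The `spin_lock()`/`spin_unlock()` pair added around `list_del()` in `btrfs_quota_disable()` has no comment naming what it protects, and the missing lock is the whole bug being fixed. A one-line comment such as `/* dirty_cowonly_roots is protected by fs_info->trans_lock */` would keep a later edit from dropping or narrowing it. The function starts and ends outside the hunk, so whether other accesses to the quota root's `dirty_list` in this path take the same lock cannot be checked from here.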
@@ -0,0 +1,89 @@ +From aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 14 Jul 2023 13:42:06 +0100 +Subject: btrfs: fix warning when putting transaction with qgroups enabled after abort + +From: Filipe Manana + +commit aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 upstream. + +If we have a transaction abort with qgroups enabled we get a warning +triggered when doing the final put on the transaction, like this: + + [552.6789] ------------[ cut here ]------------ + [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6817] Modules linked in: btrfs blake2b_generic xor (...) + [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 + [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 + [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6821] Code: bd a0 01 00 (...) + [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286 + [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000 + [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010 + [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20 + [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70 + [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028 + [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000 + [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0 + [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [552.6822] Call Trace: + [552.6822] + [552.6822] ? __warn+0x80/0x130 + [552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6824] ? 
report_bug+0x1f4/0x200 + [552.6824] ? handle_bug+0x42/0x70 + [552.6824] ? exc_invalid_op+0x14/0x70 + [552.6824] ? asm_exc_invalid_op+0x16/0x20 + [552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs] + [552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40 + [552.6828] ? try_to_wake_up+0x94/0x5e0 + [552.6828] ? __pfx_process_timeout+0x10/0x10 + [552.6828] transaction_kthread+0x103/0x1d0 [btrfs] + [552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs] + [552.6832] kthread+0xee/0x120 + [552.6832] ? __pfx_kthread+0x10/0x10 + [552.6832] ret_from_fork+0x29/0x50 + [552.6832] + [552.6832] ---[ end trace 0000000000000000 ]--- + +This corresponds to this line of code: + + void btrfs_put_transaction(struct btrfs_transaction *transaction) + { + (...) + WARN_ON(!RB_EMPTY_ROOT( + &transaction->delayed_refs.dirty_extent_root)); + (...) + } + +The warning happens because btrfs_qgroup_destroy_extent_records(), called +in the transaction abort path, we free all entries from the rbtree +"dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we +don't actually empty the rbtree - it's still pointing to nodes that were +freed. + +So set the rbtree's root node to NULL to avoid this warning (assign +RB_ROOT). + +Fixes: 81f7eb00ff5b ("btrfs: destroy qgroup extent records on transaction abort") +CC: stable@vger.kernel.org # 5.10+ +Reviewed-by: Josef Bacik +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -4376,4 +4376,5 @@ void btrfs_qgroup_destroy_extent_records + ulist_free(entry->old_roots); + kfree(entry); + } ++ *root = RB_ROOT; + } diff --git a/tmp-5.10/bus-ti-sysc-fix-dispc-quirk-masking-bool-variables.patch b/tmp-5.10/bus-ti-sysc-fix-dispc-quirk-masking-bool-variables.patch new file mode 100644 index 00000000000..18a312f1f30 
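Review bot: `*root = RB_ROOT;` at the end of `btrfs_qgroup_destroy_extent_records()` has no comment, and without one it reads as redundant after the loop that frees every entry. Per the commit message the loop frees the nodes but leaves the root pointing at them, so I would add `/* all nodes were freed above; reset the root so it no longer points at freed memory */`. The start of the function is outside the hunk.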
--- /dev/null
+++ b/tmp-5.10/bus-ti-sysc-fix-dispc-quirk-masking-bool-variables.patch
@@ -0,0 +1,49 @@
+From ff4847484ae3b5eb9ac1390f182dff68fdaab0aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 May 2023 10:04:16 +0300
+Subject: bus: ti-sysc: Fix dispc quirk masking bool variables
+
+From: Tony Lindgren
+
+[ Upstream commit f620596fa347170852da499e778a5736d79a4b79 ]
+
+Fix warning drivers/bus/ti-sysc.c:1806 sysc_quirk_dispc()
+warn: masking a bool.
+
+While at it let's add a comment for what were doing to make
+the code a bit easier to follow.
+
+Fixes: 7324a7a0d5e2 ("bus: ti-sysc: Implement display subsystem reset quirk")
+Reported-by: Dan Carpenter
+Closes: https://lore.kernel.org/linux-omap/a8ec8a68-9c2c-4076-bf47-09fccce7659f@kili.mountain/
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ drivers/bus/ti-sysc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c
+index 4ee20be76508f..4b1641fe30dba 100644
+--- a/drivers/bus/ti-sysc.c
++++ b/drivers/bus/ti-sysc.c
+@@ -1748,7 +1748,7 @@ static u32 sysc_quirk_dispc(struct sysc *ddata, int dispc_offset,
+ if (!ddata->module_va)
+ return -EIO;
+
+- /* DISP_CONTROL */
++ /* DISP_CONTROL, shut down lcd and digit on disable if enabled */
+ val = sysc_read(ddata, dispc_offset + 0x40);
+ lcd_en = val & lcd_en_mask;
+ digit_en = val & digit_en_mask;
+@@ -1760,7 +1760,7 @@ static u32 sysc_quirk_dispc(struct sysc *ddata, int dispc_offset,
+ else
+ irq_mask |= BIT(2) | BIT(3); /* EVSYNC bits */
+ }
+- if (disable & (lcd_en | digit_en))
++ if (disable && (lcd_en || digit_en))
+ sysc_write(ddata, dispc_offset + 0x40,
+ val & ~(lcd_en_mask | digit_en_mask));
+
+--
+2.39.2
+
diff --git a/tmp-5.10/can-bcm-fix-uaf-in-bcm_proc_show.patch b/tmp-5.10/can-bcm-fix-uaf-in-bcm_proc_show.patch
new file mode 100644
index 00000000000..37d47836ec2
--- /dev/null
+++ b/tmp-5.10/can-bcm-fix-uaf-in-bcm_proc_show.patch
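Review bot: The context line `return -EIO;` sits in a function declared `static u32 sysc_quirk_dispc(...)`, so the error comes back as a large unsigned value rather than a negative errno. How callers use the result is not visible here; if they treat it as the IRQ mask built further down, a missing `module_va` mapping would hand them a mask with nearly every bit set. Returning `0` on that path, or changing the return type so an error can be told apart from a mask, would be safer. The function body continues outside both hunks.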
@@ -0,0 +1,92 @@ +From 55c3b96074f3f9b0aee19bf93cd71af7516582bb Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Sat, 15 Jul 2023 17:25:43 +0800 +Subject: can: bcm: Fix UAF in bcm_proc_show() + +From: YueHaibing + +commit 55c3b96074f3f9b0aee19bf93cd71af7516582bb upstream. + +BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 +Read of size 8 at addr ffff888155846230 by task cat/7862 + +CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Call Trace: + + dump_stack_lvl+0xd5/0x150 + print_report+0xc1/0x5e0 + kasan_report+0xba/0xf0 + bcm_proc_show+0x969/0xa80 + seq_read_iter+0x4f6/0x1260 + seq_read+0x165/0x210 + proc_reg_read+0x227/0x300 + vfs_read+0x1d5/0x8d0 + ksys_read+0x11e/0x240 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Allocated by task 7846: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + __kasan_kmalloc+0x9e/0xa0 + bcm_sendmsg+0x264b/0x44e0 + sock_sendmsg+0xda/0x180 + ____sys_sendmsg+0x735/0x920 + ___sys_sendmsg+0x11d/0x1b0 + __sys_sendmsg+0xfa/0x1d0 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 7846: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + kasan_save_free_info+0x27/0x40 + ____kasan_slab_free+0x161/0x1c0 + slab_free_freelist_hook+0x119/0x220 + __kmem_cache_free+0xb4/0x2e0 + rcu_core+0x809/0x1bd0 + +bcm_op is freed before procfs entry be removed in bcm_release(), +this lead to bcm_proc_show() may read the freed bcm_op. 
+ +Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") +Signed-off-by: YueHaibing +Reviewed-by: Oliver Hartkopp +Acked-by: Oliver Hartkopp +Link: https://lore.kernel.org/all/20230715092543.15548-1-yuehaibing@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/bcm.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -1521,6 +1521,12 @@ static int bcm_release(struct socket *so + + lock_sock(sk); + ++#if IS_ENABLED(CONFIG_PROC_FS) ++ /* remove procfs entry */ ++ if (net->can.bcmproc_dir && bo->bcm_proc_read) ++ remove_proc_entry(bo->procname, net->can.bcmproc_dir); ++#endif /* CONFIG_PROC_FS */ ++ + list_for_each_entry_safe(op, next, &bo->tx_ops, list) + bcm_remove_op(op); + +@@ -1556,12 +1562,6 @@ static int bcm_release(struct socket *so + list_for_each_entry_safe(op, next, &bo->rx_ops, list) + bcm_remove_op(op); + +-#if IS_ENABLED(CONFIG_PROC_FS) +- /* remove procfs entry */ +- if (net->can.bcmproc_dir && bo->bcm_proc_read) +- remove_proc_entry(bo->procname, net->can.bcmproc_dir); +-#endif /* CONFIG_PROC_FS */ +- + /* remove device reference */ + if (bo->bound) { + bo->bound = 0; diff --git a/tmp-5.10/can-isotp-isotp_sendmsg-fix-return-error-fix-on-tx-path.patch b/tmp-5.10/can-isotp-isotp_sendmsg-fix-return-error-fix-on-tx-path.patch new file mode 100644 index 00000000000..d83b14f4fcc --- /dev/null +++ b/tmp-5.10/can-isotp-isotp_sendmsg-fix-return-error-fix-on-tx-path.patch 
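Review bot: The moved block keeps the comment `/* remove procfs entry */`, which does not say that its position before the two `bcm_remove_op()` loops is what prevents the use-after-free. I would extend it to `/* remove procfs entry first: bcm_proc_show() reads the ops that are freed below */` so a later reorder of `bcm_release()` does not reintroduce the KASAN report quoted in the commit message. The function starts and ends outside the hunk.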
@@ -0,0 +1,44 @@
+From e38910c0072b541a91954682c8b074a93e57c09b Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp
+Date: Wed, 7 Jun 2023 09:27:08 +0200
+Subject: can: isotp: isotp_sendmsg(): fix return error fix on TX path
+
+From: Oliver Hartkopp
+
+commit e38910c0072b541a91954682c8b074a93e57c09b upstream.
+
+With commit d674a8f123b4 ("can: isotp: isotp_sendmsg(): fix return
+error on FC timeout on TX path") the missing correct return value in
+the case of a protocol error was introduced.
+
+But the way the error value has been read and sent to the user space
+does not follow the common scheme to clear the error after reading
+which is provided by the sock_error() function. This leads to an error
+report at the following write() attempt although everything should be
+working.
+
+Fixes: d674a8f123b4 ("can: isotp: isotp_sendmsg(): fix return error on FC timeout on TX path")
+Reported-by: Carsten Schmidt
+Signed-off-by: Oliver Hartkopp
+Link: https://lore.kernel.org/all/20230607072708.38809-1-socketcan@hartkopp.net
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/isotp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -990,8 +990,9 @@ static int isotp_sendmsg(struct socket *
+ /* wait for complete transmission of current pdu */
+ wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
+
+- if (sk->sk_err)
+- return -sk->sk_err;
++ err = sock_error(sk);
++ if (err)
++ return err;
+ }
+
+ return size;
diff --git a/tmp-5.10/ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch b/tmp-5.10/ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch
new file mode 100644
index 00000000000..3295756c95a
--- /dev/null
+++ b/tmp-5.10/ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch
@@ -0,0 +1,47 @@
+From 257e6172ab36ebbe295a6c9ee9a9dd0fe54c1dc2 Mon Sep 17 00:00:00 2001
+From: Xiubo Li
+Date: Wed, 28 Jun 2023 07:57:09 +0800
+Subject: ceph: don't let check_caps skip sending responses for revoke msgs
+
+From: Xiubo Li
+
+commit 257e6172ab36ebbe295a6c9ee9a9dd0fe54c1dc2 upstream.
+
+If a client sends out a cap update dropping caps with the prior 'seq'
+just before an incoming cap revoke request, then the client may drop
+the revoke because it believes it's already released the requested
+capabilities.
+
+This causes the MDS to wait indefinitely for the client to respond
+to the revoke. It's therefore always a good idea to ack the cap
+revoke request with the bumped up 'seq'.
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/61782
+Signed-off-by: Xiubo Li
+Reviewed-by: Milind Changire
+Reviewed-by: Patrick Donnelly
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ceph/caps.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -3574,6 +3574,15 @@ static void handle_cap_grant(struct inod
+ }
+ BUG_ON(cap->issued & ~cap->implemented);
+
++ /* don't let check_caps skip sending a response to MDS for revoke msgs */
++ if (le32_to_cpu(grant->op) == CEPH_CAP_OP_REVOKE) {
++ cap->mds_wanted = 0;
++ if (cap == ci->i_auth_cap)
++ check_caps = 1; /* check auth cap only */
++ else
++ check_caps = 2; /* check all caps */
++ }
++
+ if (extra_info->inline_version > 0 &&
+ extra_info->inline_version >= ci->i_inline_version) {
+ ci->i_inline_version = extra_info->inline_version;
diff --git a/tmp-5.10/clk-cdce925-check-return-value-of-kasprintf.patch b/tmp-5.10/clk-cdce925-check-return-value-of-kasprintf.patch
new file mode 100644
index 00000000000..fed4c1d6fde
--- /dev/null
+++ b/tmp-5.10/clk-cdce925-check-return-value-of-kasprintf.patch
@@ -0,0 +1,63 @@ +From 044a8ff057a9b3d1ff97ba96cfca052621d1835a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 12:39:07 +0300 +Subject: clk: cdce925: check return value of kasprintf() + +From: Claudiu Beznea + +[ Upstream commit bb7d09ddbf361d51eae46f38e7c8a2b85914ea2a ] + +kasprintf() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: 19fbbbbcd3a3 ("Add TI CDCE925 I2C controlled clock synthesizer driver") +Depends-on: e665f029a283 ("clk: Convert to using %pOFn instead of device_node.name") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20230530093913.1656095-3-claudiu.beznea@microchip.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-cdce925.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/clk/clk-cdce925.c b/drivers/clk/clk-cdce925.c +index 308b353815e17..470d91d7314db 100644 +--- a/drivers/clk/clk-cdce925.c ++++ b/drivers/clk/clk-cdce925.c +@@ -705,6 +705,10 @@ static int cdce925_probe(struct i2c_client *client, + for (i = 0; i < data->chip_info->num_plls; ++i) { + pll_clk_name[i] = kasprintf(GFP_KERNEL, "%pOFn.pll%d", + client->dev.of_node, i); ++ if (!pll_clk_name[i]) { ++ err = -ENOMEM; ++ goto error; ++ } + init.name = pll_clk_name[i]; + data->pll[i].chip = data; + data->pll[i].hw.init = &init; +@@ -746,6 +750,10 @@ static int cdce925_probe(struct i2c_client *client, + init.num_parents = 1; + init.parent_names = &parent_name; /* Mux Y1 to input */ + init.name = kasprintf(GFP_KERNEL, "%pOFn.Y1", client->dev.of_node); ++ if (!init.name) { ++ err = -ENOMEM; ++ goto error; ++ } + data->clk[0].chip = data; + data->clk[0].hw.init = &init; + data->clk[0].index = 0; +@@ -764,6 +772,10 @@ static int cdce925_probe(struct i2c_client *client, + for (i = 1; i < data->chip_info->num_outputs; ++i) { + init.name = kasprintf(GFP_KERNEL, 
"%pOFn.Y%d", + client->dev.of_node, i+1); ++ if (!init.name) { ++ err = -ENOMEM; ++ goto error; ++ } + data->clk[i].chip = data; + data->clk[i].hw.init = &init; + data->clk[i].index = i; +-- +2.39.2 + diff --git a/tmp-5.10/clk-imx-clk-imx8mn-fix-memory-leak-in-imx8mn_clocks_.patch b/tmp-5.10/clk-imx-clk-imx8mn-fix-memory-leak-in-imx8mn_clocks_.patch new file mode 100644 index 00000000000..464b9ec67fb --- /dev/null +++ b/tmp-5.10/clk-imx-clk-imx8mn-fix-memory-leak-in-imx8mn_clocks_.patch 
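Review bot: All three new NULL checks jump to `error`, a label none of the hunks show, so this patch alone does not confirm that names allocated by earlier loop iterations are released on that path. In the first hunk a failure at index i leaves `pll_clk_name[0..i-1]` allocated; the label has to `kfree()` every slot, and that is only safe if the array is zero-initialised where it is declared. Both are worth confirming in cdce925_probe(), which begins and ends outside the hunks.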
@@ -0,0 +1,58 @@
+From a02b3d5010c517e881d73b28bbe34f450366e80f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Apr 2023 09:51:07 +0800
+Subject: clk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe
+
+From: Hao Luo
+
+[ Upstream commit 188d070de9132667956f5aadd98d2bd87d3eac89 ]
+
+Use devm_of_iomap() instead of of_iomap() to automatically handle
+the unused ioremap region.
+
+If any error occurs, regions allocated by kzalloc() will leak,
+but using devm_kzalloc() instead will automatically free the memory
+using devm_kfree().
+
+Fixes: daeb14545514 ("clk: imx: imx8mn: Switch to clk_hw based API")
+Fixes: 96d6392b54db ("clk: imx: Add support for i.MX8MN clock driver")
+Signed-off-by: Hao Luo
+Reviewed-by: Dongliang Mu
+Reviewed-by: Peng Fan
+Link: https://lore.kernel.org/r/20230411015107.2645-1-m202171776@hust.edu.cn
+Signed-off-by: Abel Vesa
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/imx/clk-imx8mn.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8mn.c b/drivers/clk/imx/clk-imx8mn.c
+index 8a49e072d6e86..23f37a2cdf3a8 100644
+--- a/drivers/clk/imx/clk-imx8mn.c
++++ b/drivers/clk/imx/clk-imx8mn.c
+@@ -291,7 +291,7 @@ static int imx8mn_clocks_probe(struct platform_device *pdev)
+ void __iomem *base;
+ int ret;
+
+- clk_hw_data = kzalloc(struct_size(clk_hw_data, hws,
++ clk_hw_data = devm_kzalloc(dev, struct_size(clk_hw_data, hws,
+ IMX8MN_CLK_END), GFP_KERNEL);
+ if (WARN_ON(!clk_hw_data))
+ return -ENOMEM;
+@@ -308,10 +308,10 @@ static int imx8mn_clocks_probe(struct platform_device *pdev)
+ hws[IMX8MN_CLK_EXT4] = imx_obtain_fixed_clk_hw(np, "clk_ext4");
+
+ np = of_find_compatible_node(NULL, NULL, "fsl,imx8mn-anatop");
+- base = of_iomap(np, 0);
++ base = devm_of_iomap(dev, np, 0, NULL);
+ of_node_put(np);
+- if (WARN_ON(!base)) {
+- ret = -ENOMEM;
++ if (WARN_ON(IS_ERR(base))) {
++ ret = PTR_ERR(base);
+ goto unregister_hws;
+ }
+
+--
+2.39.2
+
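Review bot: The failure branch in the second hunk still jumps to `unregister_hws`, which is outside the hunk; now that `clk_hw_data` and `base` are device-managed, any `kfree(clk_hw_data)` or `iounmap(base)` left on that path would release them a second time when devres runs. Please confirm the label only unregisters the clocks. Separately, `WARN_ON(IS_ERR(base))` turns an ordinary mapping failure into a stack trace, and into a panic where panic_on_warn is set; `if (IS_ERR(base))` with a `dev_err()` reports the same condition without that side effect. imx8mn_clocks_probe() begins and ends outside both hunks.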
diff --git a/tmp-5.10/clk-imx-clk-imx8mp-improve-error-handling-in-imx8mp_.patch b/tmp-5.10/clk-imx-clk-imx8mp-improve-error-handling-in-imx8mp_.patch
new file mode 100644
index 00000000000..9d72650c110
--- /dev/null
+++ b/tmp-5.10/clk-imx-clk-imx8mp-improve-error-handling-in-imx8mp_.patch
@@ -0,0 +1,85 @@ +From b3cfbe253f4de2f4d8fffae02cb832da07838317 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 May 2023 07:06:07 +0000 +Subject: clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe() + +From: Yuxing Liu + +[ Upstream commit 878b02d5f3b56cb090dbe2c70c89273be144087f ] + +Replace of_iomap() and kzalloc() with devm_of_iomap() and devm_kzalloc() +which can automatically release the related memory when the device +or driver is removed or unloaded to avoid potential memory leak. + +In this case, iounmap(anatop_base) in line 427,433 are removed +as manual release is not required. + +Besides, referring to clk-imx8mq.c, check the return code of +of_clk_add_hw_provider, if it returns negtive, print error info +and unregister hws, which makes the program more robust. + +Fixes: 9c140d992676 ("clk: imx: Add support for i.MX8MP clock driver") +Signed-off-by: Yuxing Liu +Reviewed-by: Dongliang Mu +Reviewed-by: Abel Vesa +Link: https://lore.kernel.org/r/20230503070607.2462-1-lyx2022@hust.edu.cn +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8mp.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx8mp.c b/drivers/clk/imx/clk-imx8mp.c +index 72592e35836b3..98a4711ef38d0 100644 +--- a/drivers/clk/imx/clk-imx8mp.c ++++ b/drivers/clk/imx/clk-imx8mp.c +@@ -425,25 +425,22 @@ static int imx8mp_clocks_probe(struct platform_device *pdev) + struct device *dev = &pdev->dev; + struct device_node *np = dev->of_node; + void __iomem *anatop_base, *ccm_base; ++ int err; + + np = of_find_compatible_node(NULL, NULL, "fsl,imx8mp-anatop"); +- anatop_base = of_iomap(np, 0); ++ anatop_base = devm_of_iomap(dev, np, 0, NULL); + of_node_put(np); +- if (WARN_ON(!anatop_base)) +- return -ENOMEM; ++ if (WARN_ON(IS_ERR(anatop_base))) ++ return PTR_ERR(anatop_base); + + np = dev->of_node; + ccm_base = devm_platform_ioremap_resource(pdev, 0); +- if 
(WARN_ON(IS_ERR(ccm_base))) { +- iounmap(anatop_base); ++ if (WARN_ON(IS_ERR(ccm_base))) + return PTR_ERR(ccm_base); +- } + +- clk_hw_data = kzalloc(struct_size(clk_hw_data, hws, IMX8MP_CLK_END), GFP_KERNEL); +- if (WARN_ON(!clk_hw_data)) { +- iounmap(anatop_base); ++ clk_hw_data = devm_kzalloc(dev, struct_size(clk_hw_data, hws, IMX8MP_CLK_END), GFP_KERNEL); ++ if (WARN_ON(!clk_hw_data)) + return -ENOMEM; +- } + + clk_hw_data->num = IMX8MP_CLK_END; + hws = clk_hw_data->hws; +@@ -743,7 +740,12 @@ static int imx8mp_clocks_probe(struct platform_device *pdev) + + imx_check_clk_hws(hws, IMX8MP_CLK_END); + +- of_clk_add_hw_provider(np, of_clk_hw_onecell_get, clk_hw_data); ++ err = of_clk_add_hw_provider(np, of_clk_hw_onecell_get, clk_hw_data); ++ if (err < 0) { ++ dev_err(dev, "failed to register hws for i.MX8MP\n"); ++ imx_unregister_hw_clocks(hws, IMX8MP_CLK_END); ++ return err; ++ } + + imx_register_uart_clocks(4); + +-- +2.39.2 + diff --git a/tmp-5.10/clk-keystone-sci-clk-check-return-value-of-kasprintf.patch b/tmp-5.10/clk-keystone-sci-clk-check-return-value-of-kasprintf.patch new file mode 100644 index 00000000000..f5cd637f392 --- /dev/null +++ b/tmp-5.10/clk-keystone-sci-clk-check-return-value-of-kasprintf.patch 
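Review bot: The new `dev_err()` in the second hunk drops the error code, so the log cannot tell apart the reasons of_clk_add_hw_provider() may have failed. Including it costs nothing: `dev_err(dev, "failed to register hws for i.MX8MP: %d\n", err);`. imx8mp_clocks_probe() begins and ends outside the hunks, so the clock registrations that `imx_unregister_hw_clocks()` undoes on this path are not visible here.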
@@ -0,0 +1,40 @@
+From d82ed942109925470546dc25c31ed4b0ad684cb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 May 2023 12:39:11 +0300
+Subject: clk: keystone: sci-clk: check return value of kasprintf()
+
+From: Claudiu Beznea
+
+[ Upstream commit b73ed981da6d25c921aaefa7ca3df85bbd85b7fc ]
+
+kasprintf() returns a pointer to dynamically allocated memory.
+Pointer could be NULL in case allocation fails. Check pointer validity.
+Identified with coccinelle (kmerr.cocci script).
+
+Fixes: b745c0794e2f ("clk: keystone: Add sci-clk driver support")
+Depends-on: 96488c09b0f4 ("clk: keystone: sci-clk: cut down the clock name length")
+Signed-off-by: Claudiu Beznea
+Link: https://lore.kernel.org/r/20230530093913.1656095-7-claudiu.beznea@microchip.com
+Reviewed-by: Tony Lindgren
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/keystone/sci-clk.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/keystone/sci-clk.c b/drivers/clk/keystone/sci-clk.c
+index 7e1b136e71ae0..8af2a9faa805a 100644
+--- a/drivers/clk/keystone/sci-clk.c
++++ b/drivers/clk/keystone/sci-clk.c
+@@ -302,6 +302,8 @@ static int _sci_clk_build(struct sci_clk_provider *provider,
+
+ name = kasprintf(GFP_KERNEL, "clk:%d:%d", sci_clk->dev_id,
+ sci_clk->clk_id);
++ if (!name)
++ return -ENOMEM;
+
+ init.name = name;
+
+--
+2.39.2
+
diff --git a/tmp-5.10/clk-qcom-gcc-ipq6018-use-floor-ops-for-sdcc-clocks.patch b/tmp-5.10/clk-qcom-gcc-ipq6018-use-floor-ops-for-sdcc-clocks.patch
new file mode 100644
index 00000000000..bcb1aaf0621
--- /dev/null
+++ b/tmp-5.10/clk-qcom-gcc-ipq6018-use-floor-ops-for-sdcc-clocks.patch
@@ -0,0 +1,37 @@
+From 616a9b481908c95aa72b527b8960b589d3571e81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Apr 2023 12:11:49 +0300
+Subject: clk: qcom: gcc-ipq6018: Use floor ops for sdcc clocks
+
+From: Mantas Pucka
+
+[ Upstream commit 56e5ae0116aef87273cf1812d608645b076e4f02 ]
+
+SDCC clocks must be rounded down to avoid overclocking the controller.
+
+Fixes: d9db07f088af ("clk: qcom: Add ipq6018 Global Clock Controller support")
+Signed-off-by: Mantas Pucka
+Reviewed-by: Konrad Dybcio
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/1682413909-24927-1-git-send-email-mantas@8devices.com
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/qcom/gcc-ipq6018.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/qcom/gcc-ipq6018.c b/drivers/clk/qcom/gcc-ipq6018.c
+index 3f9c2f61a5d93..5c5d1b04ea7af 100644
+--- a/drivers/clk/qcom/gcc-ipq6018.c
++++ b/drivers/clk/qcom/gcc-ipq6018.c
+@@ -1654,7 +1654,7 @@ static struct clk_rcg2 sdcc1_apps_clk_src = {
+ .name = "sdcc1_apps_clk_src",
+ .parent_data = gcc_xo_gpll0_gpll2_gpll0_out_main_div2,
+ .num_parents = 4,
+- .ops = &clk_rcg2_ops,
++ .ops = &clk_rcg2_floor_ops,
+ },
+ };
+
+--
+2.39.2
+
diff --git a/tmp-5.10/clk-qcom-ipq6018-fix-networking-resets.patch b/tmp-5.10/clk-qcom-ipq6018-fix-networking-resets.patch
new file mode 100644
index 00000000000..94ca0e7b142
--- /dev/null
+++ b/tmp-5.10/clk-qcom-ipq6018-fix-networking-resets.patch
@@ -0,0 +1,72 @@ +From 30c3209f3b0dcecdbf0f87eebc3da1f038037201 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 May 2023 21:08:55 +0200 +Subject: clk: qcom: ipq6018: fix networking resets + +From: Robert Marko + +[ Upstream commit 349b5bed539b491b7894a5186a895751fd8ba6c7 ] + +Networking resets in IPQ6018 all use bitmask as they require multiple +bits to be set and cleared instead of a single bit. + +So, current networking resets have the same register and bit 0 set which +is clearly incorrect. + +Fixes: d9db07f088af ("clk: qcom: Add ipq6018 Global Clock Controller support") +Signed-off-by: Robert Marko +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230526190855.2941291-2-robimarko@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-ipq6018.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-ipq6018.c b/drivers/clk/qcom/gcc-ipq6018.c +index 5c5d1b04ea7af..cde62a11f5736 100644 +--- a/drivers/clk/qcom/gcc-ipq6018.c ++++ b/drivers/clk/qcom/gcc-ipq6018.c +@@ -4517,24 +4517,24 @@ static const struct qcom_reset_map gcc_ipq6018_resets[] = { + [GCC_PCIE0_AHB_ARES] = { 0x75040, 5 }, + [GCC_PCIE0_AXI_MASTER_STICKY_ARES] = { 0x75040, 6 }, + [GCC_PCIE0_AXI_SLAVE_STICKY_ARES] = { 0x75040, 7 }, +- [GCC_PPE_FULL_RESET] = { 0x68014, 0 }, +- [GCC_UNIPHY0_SOFT_RESET] = { 0x56004, 0 }, ++ [GCC_PPE_FULL_RESET] = { .reg = 0x68014, .bitmask = 0xf0000 }, ++ [GCC_UNIPHY0_SOFT_RESET] = { .reg = 0x56004, .bitmask = 0x3ff2 }, + [GCC_UNIPHY0_XPCS_RESET] = { 0x56004, 2 }, +- [GCC_UNIPHY1_SOFT_RESET] = { 0x56104, 0 }, ++ [GCC_UNIPHY1_SOFT_RESET] = { .reg = 0x56104, .bitmask = 0x32 }, + [GCC_UNIPHY1_XPCS_RESET] = { 0x56104, 2 }, +- [GCC_EDMA_HW_RESET] = { 0x68014, 0 }, +- [GCC_NSSPORT1_RESET] = { 0x68014, 0 }, +- [GCC_NSSPORT2_RESET] = { 0x68014, 0 }, +- [GCC_NSSPORT3_RESET] = { 0x68014, 0 }, +- [GCC_NSSPORT4_RESET] = { 0x68014, 0 }, +- [GCC_NSSPORT5_RESET] = { 0x68014, 0 }, 
+- [GCC_UNIPHY0_PORT1_ARES] = { 0x56004, 0 }, +- [GCC_UNIPHY0_PORT2_ARES] = { 0x56004, 0 }, +- [GCC_UNIPHY0_PORT3_ARES] = { 0x56004, 0 }, +- [GCC_UNIPHY0_PORT4_ARES] = { 0x56004, 0 }, +- [GCC_UNIPHY0_PORT5_ARES] = { 0x56004, 0 }, +- [GCC_UNIPHY0_PORT_4_5_RESET] = { 0x56004, 0 }, +- [GCC_UNIPHY0_PORT_4_RESET] = { 0x56004, 0 }, ++ [GCC_EDMA_HW_RESET] = { .reg = 0x68014, .bitmask = 0x300000 }, ++ [GCC_NSSPORT1_RESET] = { .reg = 0x68014, .bitmask = 0x1000003 }, ++ [GCC_NSSPORT2_RESET] = { .reg = 0x68014, .bitmask = 0x200000c }, ++ [GCC_NSSPORT3_RESET] = { .reg = 0x68014, .bitmask = 0x4000030 }, ++ [GCC_NSSPORT4_RESET] = { .reg = 0x68014, .bitmask = 0x8000300 }, ++ [GCC_NSSPORT5_RESET] = { .reg = 0x68014, .bitmask = 0x10000c00 }, ++ [GCC_UNIPHY0_PORT1_ARES] = { .reg = 0x56004, .bitmask = 0x30 }, ++ [GCC_UNIPHY0_PORT2_ARES] = { .reg = 0x56004, .bitmask = 0xc0 }, ++ [GCC_UNIPHY0_PORT3_ARES] = { .reg = 0x56004, .bitmask = 0x300 }, ++ [GCC_UNIPHY0_PORT4_ARES] = { .reg = 0x56004, .bitmask = 0xc00 }, ++ [GCC_UNIPHY0_PORT5_ARES] = { .reg = 0x56004, .bitmask = 0x3000 }, ++ [GCC_UNIPHY0_PORT_4_5_RESET] = { .reg = 0x56004, .bitmask = 0x3c02 }, ++ [GCC_UNIPHY0_PORT_4_RESET] = { .reg = 0x56004, .bitmask = 0xc02 }, + [GCC_LPASS_BCR] = {0x1F000, 0}, + [GCC_UBI32_TBU_BCR] = {0x65000, 0}, + [GCC_LPASS_TBU_BCR] = {0x6C000, 0}, +-- +2.39.2 + diff --git a/tmp-5.10/clk-qcom-reset-allow-specifying-custom-reset-delay.patch b/tmp-5.10/clk-qcom-reset-allow-specifying-custom-reset-delay.patch new file mode 100644 index 00000000000..05a0527d64b --- /dev/null +++ b/tmp-5.10/clk-qcom-reset-allow-specifying-custom-reset-delay.patch 
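Review bot: Several of the new masks on the same register overlap: `GCC_UNIPHY0_SOFT_RESET` (0x3ff2) contains the bits of `GCC_UNIPHY0_PORT1_ARES` through `GCC_UNIPHY0_PORT5_ARES` (0x30, 0xc0, 0x300, 0xc00, 0x3000), so deasserting one of these lines also clears bits that another, still asserted, line had set. If that is intended, a comment above the block should say so, for example `/* networking resets span several bits; the aggregate resets deliberately include the per-port bits */`. The entries also rely on the `bitmask` member of `struct qcom_reset_map`, which this patch does not add; it has to be applied after the "support resetting multiple bits" change queued in the same series.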
@@ -0,0 +1,67 @@ +From a61d6636e9c81471b461bc65293107701b097419 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Jul 2022 15:41:29 +0200 +Subject: clk: qcom: reset: Allow specifying custom reset delay + +From: Stephan Gerhold + +[ Upstream commit 2cb8a39b6781ea23accd1fa93b3ad000d0948aec ] + +The amount of time required between asserting and deasserting the reset +signal can vary depending on the involved hardware component. Sometimes +1 us might not be enough and a larger delay is necessary to conform to +the specifications. + +Usually this is worked around in the consuming drivers, by replacing +reset_control_reset() with a sequence of reset_control_assert(), waiting +for a custom delay, followed by reset_control_deassert(). + +However, in some cases the driver making use of the reset is generic and +can be used with different reset controllers. In this case the reset +time requirement is better handled directly by the reset controller +driver. + +Make this possible by adding an "udelay" field to the qcom_reset_map +that allows setting a different reset delay (in microseconds). 
+ +Signed-off-by: Stephan Gerhold +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220706134132.3623415-4-stephan.gerhold@kernkonzept.com +Stable-dep-of: 349b5bed539b ("clk: qcom: ipq6018: fix networking resets") +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/reset.c | 4 +++- + drivers/clk/qcom/reset.h | 1 + + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c +index 819d194be8f7b..2a16adb572d2b 100644 +--- a/drivers/clk/qcom/reset.c ++++ b/drivers/clk/qcom/reset.c +@@ -13,8 +13,10 @@ + + static int qcom_reset(struct reset_controller_dev *rcdev, unsigned long id) + { ++ struct qcom_reset_controller *rst = to_qcom_reset_controller(rcdev); ++ + rcdev->ops->assert(rcdev, id); +- udelay(1); ++ udelay(rst->reset_map[id].udelay ?: 1); /* use 1 us as default */ + rcdev->ops->deassert(rcdev, id); + return 0; + } +diff --git a/drivers/clk/qcom/reset.h b/drivers/clk/qcom/reset.h +index 2a08b5e282c77..b8c113582072b 100644 +--- a/drivers/clk/qcom/reset.h ++++ b/drivers/clk/qcom/reset.h +@@ -11,6 +11,7 @@ + struct qcom_reset_map { + unsigned int reg; + u8 bit; ++ u8 udelay; + }; + + struct regmap; +-- +2.39.2 + diff --git a/tmp-5.10/clk-qcom-reset-support-resetting-multiple-bits.patch b/tmp-5.10/clk-qcom-reset-support-resetting-multiple-bits.patch new file mode 100644 index 00000000000..a380eba8220 --- /dev/null +++ b/tmp-5.10/clk-qcom-reset-support-resetting-multiple-bits.patch 
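Review bot: The new `udelay` member in reset.h is a `u8` with no comment, so its unit, the meaning of 0 and the 255 us ceiling can only be learned by reading qcom_reset(). I would document it at the declaration: `u8 udelay; /* assert-to-deassert delay in us; 0 selects the 1 us default, max 255 */`. In reset.c, `rst->reset_map[id]` is indexed with the caller-supplied `id` without a range check in this function; presumably the reset core validates ids against the controller's reset count, but the controller setup is outside the hunk, so that is worth confirming.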
@@ -0,0 +1,72 @@ +From a87dfe9a16eb2c2197d067716bc5e4ed5ed3075b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 14:28:59 +0100 +Subject: clk: qcom: reset: support resetting multiple bits + +From: Robert Marko + +[ Upstream commit 4a5210893625f89723ea210d7c630b730abb37ad ] + +This patch adds the support for giving the complete bitmask +in reset structure and reset operation will use this bitmask +for all reset operations. + +Currently, reset structure only takes a single bit for each reset +and then calculates the bitmask by using the BIT() macro. + +However, this is not sufficient anymore for newer SoC-s like IPQ8074, +IPQ6018 and more, since their networking resets require multiple bits +to be asserted in order to properly reset the HW block completely. + +So, in order to allow asserting multiple bits add "bitmask" field to +qcom_reset_map, and then use that bitmask value if its populated in the +driver, if its not populated, then we just default to existing behaviour +and calculate the bitmask on the fly. + +Signed-off-by: Robert Marko +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20221107132901.489240-1-robimarko@gmail.com +Stable-dep-of: 349b5bed539b ("clk: qcom: ipq6018: fix networking resets") +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/reset.c | 4 ++-- + drivers/clk/qcom/reset.h | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/qcom/reset.c b/drivers/clk/qcom/reset.c +index 2a16adb572d2b..0e914ec7aeae1 100644 +--- a/drivers/clk/qcom/reset.c ++++ b/drivers/clk/qcom/reset.c +@@ -30,7 +30,7 @@ qcom_reset_assert(struct reset_controller_dev *rcdev, unsigned long id) + + rst = to_qcom_reset_controller(rcdev); + map = &rst->reset_map[id]; +- mask = BIT(map->bit); ++ mask = map->bitmask ? 
map->bitmask : BIT(map->bit); + + return regmap_update_bits(rst->regmap, map->reg, mask, mask); + } +@@ -44,7 +44,7 @@ qcom_reset_deassert(struct reset_controller_dev *rcdev, unsigned long id) + + rst = to_qcom_reset_controller(rcdev); + map = &rst->reset_map[id]; +- mask = BIT(map->bit); ++ mask = map->bitmask ? map->bitmask : BIT(map->bit); + + return regmap_update_bits(rst->regmap, map->reg, mask, 0); + } +diff --git a/drivers/clk/qcom/reset.h b/drivers/clk/qcom/reset.h +index b8c113582072b..9a47c838d9b1b 100644 +--- a/drivers/clk/qcom/reset.h ++++ b/drivers/clk/qcom/reset.h +@@ -12,6 +12,7 @@ struct qcom_reset_map { + unsigned int reg; + u8 bit; + u8 udelay; ++ u32 bitmask; + }; + + struct regmap; +-- +2.39.2 + diff --git a/tmp-5.10/clk-si5341-add-sysfs-properties-to-allow-checking-re.patch b/tmp-5.10/clk-si5341-add-sysfs-properties-to-allow-checking-re.patch new file mode 100644 index 00000000000..0a132bba217 --- /dev/null +++ b/tmp-5.10/clk-si5341-add-sysfs-properties-to-allow-checking-re.patch 
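Review bot: `mask = map->bitmask ? map->bitmask : BIT(map->bit);` is now duplicated in qcom_reset_assert() and qcom_reset_deassert(), and nothing documents that a non-zero `bitmask` silently overrides `bit`. A comment on the member, `u32 bitmask; /* if non-zero, used instead of BIT(bit) */`, records the precedence. The expression can also be shortened to `mask = map->bitmask ?: BIT(map->bit);`, the form the preceding patch in this series uses for the delay default. Both function bodies begin outside the hunks.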
@@ -0,0 +1,148 @@ +From 1abc625eb25744d6a221c6b4f63ea0bb963602eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 13:26:43 -0600 +Subject: clk: si5341: Add sysfs properties to allow checking/resetting device + faults + +From: Robert Hancock + +[ Upstream commit 9b13ff4340dff30f361462999a6a122fcc4e473f ] + +Add sysfs property files to allow viewing the current and latched states of +the input present and PLL lock bits, and allow resetting the latched fault +state. This allows manual checks or automated userspace polling for faults +occurring after initialization. + +Signed-off-by: Robert Hancock +Link: https://lore.kernel.org/r/20210325192643.2190069-10-robert.hancock@calian.com +Signed-off-by: Stephen Boyd +Stable-dep-of: 2560114c06d7 ("clk: si5341: return error if one synth clock registration fails") +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-si5341.c | 96 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 96 insertions(+) + +diff --git a/drivers/clk/clk-si5341.c b/drivers/clk/clk-si5341.c +index 64d962c54bba5..5175b3024f060 100644 +--- a/drivers/clk/clk-si5341.c ++++ b/drivers/clk/clk-si5341.c +@@ -1450,6 +1450,94 @@ static int si5341_clk_select_active_input(struct clk_si5341 *data) + return res; + } + ++static ssize_t input_present_show(struct device *dev, ++ struct device_attribute *attr, ++ char *buf) ++{ ++ struct clk_si5341 *data = dev_get_drvdata(dev); ++ u32 status; ++ int res = regmap_read(data->regmap, SI5341_STATUS, &status); ++ ++ if (res < 0) ++ return res; ++ res = !(status & SI5341_STATUS_LOSREF); ++ return snprintf(buf, PAGE_SIZE, "%d\n", res); ++} ++static DEVICE_ATTR_RO(input_present); ++ ++static ssize_t input_present_sticky_show(struct device *dev, ++ struct device_attribute *attr, ++ char *buf) ++{ ++ struct clk_si5341 *data = dev_get_drvdata(dev); ++ u32 status; ++ int res = regmap_read(data->regmap, SI5341_STATUS_STICKY, &status); ++ ++ if (res < 0) ++ return res; ++ res = !(status & SI5341_STATUS_LOSREF); 
++ return snprintf(buf, PAGE_SIZE, "%d\n", res); ++} ++static DEVICE_ATTR_RO(input_present_sticky); ++ ++static ssize_t pll_locked_show(struct device *dev, ++ struct device_attribute *attr, ++ char *buf) ++{ ++ struct clk_si5341 *data = dev_get_drvdata(dev); ++ u32 status; ++ int res = regmap_read(data->regmap, SI5341_STATUS, &status); ++ ++ if (res < 0) ++ return res; ++ res = !(status & SI5341_STATUS_LOL); ++ return snprintf(buf, PAGE_SIZE, "%d\n", res); ++} ++static DEVICE_ATTR_RO(pll_locked); ++ ++static ssize_t pll_locked_sticky_show(struct device *dev, ++ struct device_attribute *attr, ++ char *buf) ++{ ++ struct clk_si5341 *data = dev_get_drvdata(dev); ++ u32 status; ++ int res = regmap_read(data->regmap, SI5341_STATUS_STICKY, &status); ++ ++ if (res < 0) ++ return res; ++ res = !(status & SI5341_STATUS_LOL); ++ return snprintf(buf, PAGE_SIZE, "%d\n", res); ++} ++static DEVICE_ATTR_RO(pll_locked_sticky); ++ ++static ssize_t clear_sticky_store(struct device *dev, ++ struct device_attribute *attr, ++ const char *buf, size_t count) ++{ ++ struct clk_si5341 *data = dev_get_drvdata(dev); ++ long val; ++ ++ if (kstrtol(buf, 10, &val)) ++ return -EINVAL; ++ if (val) { ++ int res = regmap_write(data->regmap, SI5341_STATUS_STICKY, 0); ++ ++ if (res < 0) ++ return res; ++ } ++ return count; ++} ++static DEVICE_ATTR_WO(clear_sticky); ++ ++static const struct attribute *si5341_attributes[] = { ++ &dev_attr_input_present.attr, ++ &dev_attr_input_present_sticky.attr, ++ &dev_attr_pll_locked.attr, ++ &dev_attr_pll_locked_sticky.attr, ++ &dev_attr_clear_sticky.attr, ++ NULL ++}; ++ + static int si5341_probe(struct i2c_client *client, + const struct i2c_device_id *id) + { +@@ -1676,6 +1764,12 @@ static int si5341_probe(struct i2c_client *client, + goto cleanup; + } + ++ err = sysfs_create_files(&client->dev.kobj, si5341_attributes); ++ if (err) { ++ dev_err(&client->dev, "unable to create sysfs files\n"); ++ goto cleanup; ++ } ++ + /* Free the names, clk framework makes 
copies */ + for (i = 0; i < data->num_synth; ++i) + devm_kfree(&client->dev, (void *)synth_clock_names[i]); +@@ -1695,6 +1789,8 @@ static int si5341_remove(struct i2c_client *client) + struct clk_si5341 *data = i2c_get_clientdata(client); + int i; + ++ sysfs_remove_files(&client->dev.kobj, si5341_attributes); ++ + for (i = 0; i < SI5341_MAX_NUM_OUTPUTS; ++i) { + if (data->clk[i].vddo_reg) + regulator_disable(data->clk[i].vddo_reg); +-- +2.39.2 + diff --git a/tmp-5.10/clk-si5341-allow-different-output-vdd_sel-values.patch b/tmp-5.10/clk-si5341-allow-different-output-vdd_sel-values.patch new file mode 100644 index 00000000000..1494f6f580d --- /dev/null +++ b/tmp-5.10/clk-si5341-allow-different-output-vdd_sel-values.patch 
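Review bot: The four `*_show()` callbacks format their output with `snprintf(buf, PAGE_SIZE, "%d\n", res)`; sysfs show handlers are better written with `sysfs_emit()`, which validates that `buf` is the page-sized sysfs buffer instead of trusting a hard-coded length: `return sysfs_emit(buf, "%d\n", res);` (provided the target tree has it). In `clear_sticky_store()` the `kstrtol()` result is replaced by `-EINVAL`, so `-ERANGE` is lost; returning the helper's own error keeps the distinction, and `kstrtobool()` fits better if only an on/off value is meant. The attributes are created with `sysfs_create_files()` late in si5341_probe(), after the device is already visible to userspace; listing them in the driver's `dev_groups` would close that window and remove the need for the manual `sysfs_remove_files()`. Probe and remove both extend outside the hunks.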
@@ -0,0 +1,362 @@ +From ee26487342854537b9936e6cd4e8d071acc4d932 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 13:26:40 -0600 +Subject: clk: si5341: Allow different output VDD_SEL values + +From: Robert Hancock + +[ Upstream commit b7bbf6ec4940d1a69811ec354edeeb9751fa8e85 ] + +The driver was not previously programming the VDD_SEL values for each +output to indicate what external VDDO voltage was used for each. Add +ability to specify a regulator supplying the VDDO pin for each output of +the device. The voltage of the regulator is used to automatically set the +VDD_SEL value appropriately. If no regulator is specified and the chip is +being reconfigured, assume 2.5V which appears to be the chip default. + +Signed-off-by: Robert Hancock +Link: https://lore.kernel.org/r/20210325192643.2190069-7-robert.hancock@calian.com +Signed-off-by: Stephen Boyd +Stable-dep-of: 2560114c06d7 ("clk: si5341: return error if one synth clock registration fails") +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-si5341.c | 136 +++++++++++++++++++++++++++++++-------- + 1 file changed, 110 insertions(+), 26 deletions(-) + +diff --git a/drivers/clk/clk-si5341.c b/drivers/clk/clk-si5341.c +index 382a0619a0488..64d962c54bba5 100644 +--- a/drivers/clk/clk-si5341.c ++++ b/drivers/clk/clk-si5341.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -59,6 +60,7 @@ struct clk_si5341_synth { + struct clk_si5341_output { + struct clk_hw hw; + struct clk_si5341 *data; ++ struct regulator *vddo_reg; + u8 index; + }; + #define to_clk_si5341_output(_hw) \ +@@ -84,6 +86,7 @@ struct clk_si5341 { + struct clk_si5341_output_config { + u8 out_format_drv_bits; + u8 out_cm_ampl_bits; ++ u8 vdd_sel_bits; + bool synth_master; + bool always_on; + }; +@@ -136,6 +139,8 @@ struct clk_si5341_output_config { + #define SI5341_OUT_R_REG(output) \ + ((output)->data->reg_rdiv_offset[(output)->index]) + ++#define SI5341_OUT_MUX_VDD_SEL_MASK 0x38 ++ + /* 
Synthesize N divider */ + #define SI5341_SYNTH_N_NUM(x) (0x0302 + ((x) * 11)) + #define SI5341_SYNTH_N_DEN(x) (0x0308 + ((x) * 11)) +@@ -1250,11 +1255,11 @@ static const struct regmap_config si5341_regmap_config = { + .volatile_table = &si5341_regmap_volatile, + }; + +-static int si5341_dt_parse_dt(struct i2c_client *client, +- struct clk_si5341_output_config *config) ++static int si5341_dt_parse_dt(struct clk_si5341 *data, ++ struct clk_si5341_output_config *config) + { + struct device_node *child; +- struct device_node *np = client->dev.of_node; ++ struct device_node *np = data->i2c_client->dev.of_node; + u32 num; + u32 val; + +@@ -1263,13 +1268,13 @@ static int si5341_dt_parse_dt(struct i2c_client *client, + + for_each_child_of_node(np, child) { + if (of_property_read_u32(child, "reg", &num)) { +- dev_err(&client->dev, "missing reg property of %s\n", ++ dev_err(&data->i2c_client->dev, "missing reg property of %s\n", + child->name); + goto put_child; + } + + if (num >= SI5341_MAX_NUM_OUTPUTS) { +- dev_err(&client->dev, "invalid clkout %d\n", num); ++ dev_err(&data->i2c_client->dev, "invalid clkout %d\n", num); + goto put_child; + } + +@@ -1288,7 +1293,7 @@ static int si5341_dt_parse_dt(struct i2c_client *client, + config[num].out_format_drv_bits |= 0xc0; + break; + default: +- dev_err(&client->dev, ++ dev_err(&data->i2c_client->dev, + "invalid silabs,format %u for %u\n", + val, num); + goto put_child; +@@ -1301,7 +1306,7 @@ static int si5341_dt_parse_dt(struct i2c_client *client, + + if (!of_property_read_u32(child, "silabs,common-mode", &val)) { + if (val > 0xf) { +- dev_err(&client->dev, ++ dev_err(&data->i2c_client->dev, + "invalid silabs,common-mode %u\n", + val); + goto put_child; +@@ -1312,7 +1317,7 @@ static int si5341_dt_parse_dt(struct i2c_client *client, + + if (!of_property_read_u32(child, "silabs,amplitude", &val)) { + if (val > 0xf) { +- dev_err(&client->dev, ++ dev_err(&data->i2c_client->dev, + "invalid silabs,amplitude %u\n", + val); + goto 
put_child; +@@ -1329,6 +1334,34 @@ static int si5341_dt_parse_dt(struct i2c_client *client, + + config[num].always_on = + of_property_read_bool(child, "always-on"); ++ ++ config[num].vdd_sel_bits = 0x08; ++ if (data->clk[num].vddo_reg) { ++ int vdd = regulator_get_voltage(data->clk[num].vddo_reg); ++ ++ switch (vdd) { ++ case 3300000: ++ config[num].vdd_sel_bits |= 0 << 4; ++ break; ++ case 1800000: ++ config[num].vdd_sel_bits |= 1 << 4; ++ break; ++ case 2500000: ++ config[num].vdd_sel_bits |= 2 << 4; ++ break; ++ default: ++ dev_err(&data->i2c_client->dev, ++ "unsupported vddo voltage %d for %s\n", ++ vdd, child->name); ++ goto put_child; ++ } ++ } else { ++ /* chip seems to default to 2.5V when not set */ ++ dev_warn(&data->i2c_client->dev, ++ "no regulator set, defaulting vdd_sel to 2.5V for %s\n", ++ child->name); ++ config[num].vdd_sel_bits |= 2 << 4; ++ } + } + + return 0; +@@ -1454,9 +1487,33 @@ static int si5341_probe(struct i2c_client *client, + } + } + +- err = si5341_dt_parse_dt(client, config); ++ for (i = 0; i < SI5341_MAX_NUM_OUTPUTS; ++i) { ++ char reg_name[10]; ++ ++ snprintf(reg_name, sizeof(reg_name), "vddo%d", i); ++ data->clk[i].vddo_reg = devm_regulator_get_optional( ++ &client->dev, reg_name); ++ if (IS_ERR(data->clk[i].vddo_reg)) { ++ err = PTR_ERR(data->clk[i].vddo_reg); ++ data->clk[i].vddo_reg = NULL; ++ if (err == -ENODEV) ++ continue; ++ goto cleanup; ++ } else { ++ err = regulator_enable(data->clk[i].vddo_reg); ++ if (err) { ++ dev_err(&client->dev, ++ "failed to enable %s regulator: %d\n", ++ reg_name, err); ++ data->clk[i].vddo_reg = NULL; ++ goto cleanup; ++ } ++ } ++ } ++ ++ err = si5341_dt_parse_dt(data, config); + if (err) +- return err; ++ goto cleanup; + + if (of_property_read_string(client->dev.of_node, "clock-output-names", + &init.name)) +@@ -1464,21 +1521,23 @@ static int si5341_probe(struct i2c_client *client, + root_clock_name = init.name; + + data->regmap = devm_regmap_init_i2c(client, &si5341_regmap_config); +- if 
(IS_ERR(data->regmap)) +- return PTR_ERR(data->regmap); ++ if (IS_ERR(data->regmap)) { ++ err = PTR_ERR(data->regmap); ++ goto cleanup; ++ } + + i2c_set_clientdata(client, data); + + err = si5341_probe_chip_id(data); + if (err < 0) +- return err; ++ goto cleanup; + + if (of_property_read_bool(client->dev.of_node, "silabs,reprogram")) { + initialization_required = true; + } else { + err = si5341_is_programmed_already(data); + if (err < 0) +- return err; ++ goto cleanup; + + initialization_required = !err; + } +@@ -1487,11 +1546,11 @@ static int si5341_probe(struct i2c_client *client, + /* Populate the regmap cache in preparation for "cache only" */ + err = si5341_read_settings(data); + if (err < 0) +- return err; ++ goto cleanup; + + err = si5341_send_preamble(data); + if (err < 0) +- return err; ++ goto cleanup; + + /* + * We intend to send all 'final' register values in a single +@@ -1504,19 +1563,19 @@ static int si5341_probe(struct i2c_client *client, + err = si5341_write_multiple(data, si5341_reg_defaults, + ARRAY_SIZE(si5341_reg_defaults)); + if (err < 0) +- return err; ++ goto cleanup; + } + + /* Input must be up and running at this point */ + err = si5341_clk_select_active_input(data); + if (err < 0) +- return err; ++ goto cleanup; + + if (initialization_required) { + /* PLL configuration is required */ + err = si5341_initialize_pll(data); + if (err < 0) +- return err; ++ goto cleanup; + } + + /* Register the PLL */ +@@ -1529,7 +1588,7 @@ static int si5341_probe(struct i2c_client *client, + err = devm_clk_hw_register(&client->dev, &data->hw); + if (err) { + dev_err(&client->dev, "clock registration failed\n"); +- return err; ++ goto cleanup; + } + + init.num_parents = 1; +@@ -1566,13 +1625,17 @@ static int si5341_probe(struct i2c_client *client, + regmap_write(data->regmap, + SI5341_OUT_CM(&data->clk[i]), + config[i].out_cm_ampl_bits); ++ regmap_update_bits(data->regmap, ++ SI5341_OUT_MUX_SEL(&data->clk[i]), ++ SI5341_OUT_MUX_VDD_SEL_MASK, ++ 
config[i].vdd_sel_bits); + } + err = devm_clk_hw_register(&client->dev, &data->clk[i].hw); + kfree(init.name); /* clock framework made a copy of the name */ + if (err) { + dev_err(&client->dev, + "output %u registration failed\n", i); +- return err; ++ goto cleanup; + } + if (config[i].always_on) + clk_prepare(data->clk[i].hw.clk); +@@ -1582,7 +1645,7 @@ static int si5341_probe(struct i2c_client *client, + data); + if (err) { + dev_err(&client->dev, "unable to add clk provider\n"); +- return err; ++ goto cleanup; + } + + if (initialization_required) { +@@ -1590,11 +1653,11 @@ static int si5341_probe(struct i2c_client *client, + regcache_cache_only(data->regmap, false); + err = regcache_sync(data->regmap); + if (err < 0) +- return err; ++ goto cleanup; + + err = si5341_finalize_defaults(data); + if (err < 0) +- return err; ++ goto cleanup; + } + + /* wait for device to report input clock present and PLL lock */ +@@ -1603,14 +1666,14 @@ static int si5341_probe(struct i2c_client *client, + 10000, 250000); + if (err) { + dev_err(&client->dev, "Error waiting for input clock or PLL lock\n"); +- return err; ++ goto cleanup; + } + + /* clear sticky alarm bits from initialization */ + err = regmap_write(data->regmap, SI5341_STATUS_STICKY, 0); + if (err) { + dev_err(&client->dev, "unable to clear sticky status\n"); +- return err; ++ goto cleanup; + } + + /* Free the names, clk framework makes copies */ +@@ -1618,6 +1681,26 @@ static int si5341_probe(struct i2c_client *client, + devm_kfree(&client->dev, (void *)synth_clock_names[i]); + + return 0; ++ ++cleanup: ++ for (i = 0; i < SI5341_MAX_NUM_OUTPUTS; ++i) { ++ if (data->clk[i].vddo_reg) ++ regulator_disable(data->clk[i].vddo_reg); ++ } ++ return err; ++} ++ ++static int si5341_remove(struct i2c_client *client) ++{ ++ struct clk_si5341 *data = i2c_get_clientdata(client); ++ int i; ++ ++ for (i = 0; i < SI5341_MAX_NUM_OUTPUTS; ++i) { ++ if (data->clk[i].vddo_reg) ++ regulator_disable(data->clk[i].vddo_reg); ++ } ++ ++ return 
0; + } + + static const struct i2c_device_id si5341_id[] = { +@@ -1646,6 +1729,7 @@ static struct i2c_driver si5341_driver = { + .of_match_table = clk_si5341_of_match, + }, + .probe = si5341_probe, ++ .remove = si5341_remove, + .id_table = si5341_id, + }; + module_i2c_driver(si5341_driver); +-- +2.39.2 + diff --git a/tmp-5.10/clk-si5341-check-return-value-of-devm_-kasprintf.patch b/tmp-5.10/clk-si5341-check-return-value-of-devm_-kasprintf.patch new file mode 100644 index 00000000000..e3f30537db8 --- /dev/null +++ b/tmp-5.10/clk-si5341-check-return-value-of-devm_-kasprintf.patch 
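Review bot: si5341_remove() disables the VDDO regulators itself, but the clocks are registered with `devm_clk_hw_register()` and are only unregistered by devres after remove() returns, so for a short time the outputs (including those prepared through `always_on`) remain registered with their supply switched off. Registering each regulator's disable with devres right after `regulator_enable()` releases them in reverse order, after the clocks, and would make both the `cleanup:` loop and the remove callback unnecessary; a sketch follows. Whether the brief supply loss matters on real hardware is not something the patch shows, and si5341_probe() begins outside the hunks. Separately, `regulator_get_voltage()` can return a negative errno, which the `default:` case in si5341_dt_parse_dt() reports as an "unsupported vddo voltage" rather than propagating.

```c
static void si5341_vddo_disable(void *reg)
{
	regulator_disable(reg);
}

/* … unchanged: devm_regulator_get_optional() and its -ENODEV handling … */
		err = regulator_enable(data->clk[i].vddo_reg);
		if (err) {
			/* … unchanged: dev_err() … */
			data->clk[i].vddo_reg = NULL;
			return err;
		}
		err = devm_add_action_or_reset(&client->dev,
					       si5341_vddo_disable,
					       data->clk[i].vddo_reg);
		if (err)
			return err;
```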
@@ -0,0 +1,51 @@
+From 6bcfafc4b1d1d99f7361400dd58c4fb1f4f85571 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 May 2023 12:39:09 +0300
+Subject: clk: si5341: check return value of {devm_}kasprintf()
+
+From: Claudiu Beznea
+
+[ Upstream commit 36e4ef82016a2b785cf2317eade77e76699b7bff ]
+
+{devm_}kasprintf() returns a pointer to dynamically allocated memory.
+Pointer could be NULL in case allocation fails. Check pointer validity.
+Identified with coccinelle (kmerr.cocci script).
+
+Fixes: 3044a860fd09 ("clk: Add Si5341/Si5340 driver")
+Signed-off-by: Claudiu Beznea
+Link: https://lore.kernel.org/r/20230530093913.1656095-5-claudiu.beznea@microchip.com
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/clk-si5341.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/clk/clk-si5341.c b/drivers/clk/clk-si5341.c
+index baa5e2ad22668..af66097f9ac5a 100644
+--- a/drivers/clk/clk-si5341.c
++++ b/drivers/clk/clk-si5341.c
+@@ -1685,6 +1685,10 @@ static int si5341_probe(struct i2c_client *client,
+ for (i = 0; i < data->num_synth; ++i) {
+ synth_clock_names[i] = devm_kasprintf(&client->dev, GFP_KERNEL,
+ "%s.N%u", client->dev.of_node->name, i);
++ if (!synth_clock_names[i]) {
++ err = -ENOMEM;
++ goto free_clk_names;
++ }
+ init.name = synth_clock_names[i];
+ data->synth[i].index = i;
+ data->synth[i].data = data;
+@@ -1703,6 +1707,10 @@ static int si5341_probe(struct i2c_client *client,
+ for (i = 0; i < data->num_outputs; ++i) {
+ init.name = kasprintf(GFP_KERNEL, "%s.%d",
+ client->dev.of_node->name, i);
++ if (!init.name) {
++ err = -ENOMEM;
++ goto free_clk_names;
++ }
+ init.flags = config[i].synth_master ? CLK_SET_RATE_PARENT : 0;
+ data->clk[i].index = i;
+ data->clk[i].data = data;
+--
+2.39.2
+
diff --git a/tmp-5.10/clk-si5341-free-unused-memory-on-probe-failure.patch b/tmp-5.10/clk-si5341-free-unused-memory-on-probe-failure.patch
new file mode 100644
index 00000000000..99bbb232b51
--- /dev/null
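Review bot: Both added checks jump to `free_clk_names`, which this patch does not define: the label comes from clk-si5341-return-error-if-one-synth-clock-registrat.patch in the same directory, whose post-image blob `baa5e2ad22668` is the pre-image here, so the queue has to apply that patch first or si5341_probe will not build. In the second inner hunk (`@@ -1703`) the failure can occur after earlier outputs were registered, so the jump also depends on what the label and the code after it undo; that code is outside both hunks. A one-line comment on the first check, for example `/* names allocated so far are freed at free_clk_names */`, would make the cleanup contract visible at the allocation site.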
+++ b/tmp-5.10/clk-si5341-free-unused-memory-on-probe-failure.patch 
@@ -0,0 +1,86 @@ +From 70553cedf5ed7a3a4ba42f7457003a334857985b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 12:39:10 +0300 +Subject: clk: si5341: free unused memory on probe failure + +From: Claudiu Beznea + +[ Upstream commit 267ad94b13c53d8c99a336f0841b1fa1595b1d0f ] + +Pointers from synth_clock_names[] should be freed at the end of probe +either on probe success or failure path. + +Fixes: b7bbf6ec4940 ("clk: si5341: Allow different output VDD_SEL values") +Fixes: 9b13ff4340df ("clk: si5341: Add sysfs properties to allow checking/resetting device faults") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20230530093913.1656095-6-claudiu.beznea@microchip.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-si5341.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/drivers/clk/clk-si5341.c b/drivers/clk/clk-si5341.c +index af66097f9ac5a..4dea29fa901d4 100644 +--- a/drivers/clk/clk-si5341.c ++++ b/drivers/clk/clk-si5341.c +@@ -1732,7 +1732,7 @@ static int si5341_probe(struct i2c_client *client, + if (err) { + dev_err(&client->dev, + "output %u registration failed\n", i); +- goto cleanup; ++ goto free_clk_names; + } + if (config[i].always_on) + clk_prepare(data->clk[i].hw.clk); +@@ -1742,7 +1742,7 @@ static int si5341_probe(struct i2c_client *client, + data); + if (err) { + dev_err(&client->dev, "unable to add clk provider\n"); +- goto cleanup; ++ goto free_clk_names; + } + + if (initialization_required) { +@@ -1750,11 +1750,11 @@ static int si5341_probe(struct i2c_client *client, + regcache_cache_only(data->regmap, false); + err = regcache_sync(data->regmap); + if (err < 0) +- goto cleanup; ++ goto free_clk_names; + + err = si5341_finalize_defaults(data); + if (err < 0) +- goto cleanup; ++ goto free_clk_names; + } + + /* wait for device to report input clock present and PLL lock */ +@@ -1763,21 +1763,19 @@ static int si5341_probe(struct i2c_client *client, + 
10000, 250000); + if (err) { + dev_err(&client->dev, "Error waiting for input clock or PLL lock\n"); +- goto cleanup; ++ goto free_clk_names; + } + + /* clear sticky alarm bits from initialization */ + err = regmap_write(data->regmap, SI5341_STATUS_STICKY, 0); + if (err) { + dev_err(&client->dev, "unable to clear sticky status\n"); +- goto cleanup; ++ goto free_clk_names; + } + + err = sysfs_create_files(&client->dev.kobj, si5341_attributes); +- if (err) { ++ if (err) + dev_err(&client->dev, "unable to create sysfs files\n"); +- goto cleanup; +- } + + free_clk_names: + /* Free the names, clk framework makes copies */ +-- +2.39.2 + diff --git a/tmp-5.10/clk-si5341-return-error-if-one-synth-clock-registrat.patch b/tmp-5.10/clk-si5341-return-error-if-one-synth-clock-registrat.patch new file mode 100644 index 00000000000..a12312c9d43 --- /dev/null +++ b/tmp-5.10/clk-si5341-return-error-if-one-synth-clock-registrat.patch 
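Review bot: The output-registration failure path in the first inner hunk (`@@ -1732`) now goes to `free_clk_names`, but outputs from earlier loop iterations that took the `config[i].always_on` branch have already been through `clk_prepare()`, and nothing on the error path shown in this series (name freeing, then `regulator_disable()` under `cleanup:`) calls `clk_unprepare()`. If that imbalance matters for this driver, the error path would need a loop over the outputs prepared so far; the label bodies lie outside these hunks, so this should be checked against the full function. In the last inner hunk the sysfs failure now reaches the label by fall-through, so a short comment such as `/* success and failure both continue into free_clk_names */` would keep a later edit from inserting code between the `dev_err()` and the label.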
@@ -0,0 +1,72 @@ +From f6434fceb5acbeb28a940987bdb58497420200aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 12:39:08 +0300 +Subject: clk: si5341: return error if one synth clock registration fails + +From: Claudiu Beznea + +[ Upstream commit 2560114c06d7a752b3f4639f28cece58fed11267 ] + +In case devm_clk_hw_register() fails for one of synth clocks the probe +continues. Later on, when registering output clocks which have as parents +all the synth clocks, in case there is registration failure for at least +one synth clock the information passed to clk core for registering output +clock is not right: init.num_parents is fixed but init.parents may contain +an array with less parents. + +Fixes: 3044a860fd09 ("clk: Add Si5341/Si5340 driver") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20230530093913.1656095-4-claudiu.beznea@microchip.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-si5341.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/clk-si5341.c b/drivers/clk/clk-si5341.c +index 5175b3024f060..baa5e2ad22668 100644 +--- a/drivers/clk/clk-si5341.c ++++ b/drivers/clk/clk-si5341.c +@@ -1545,7 +1545,7 @@ static int si5341_probe(struct i2c_client *client, + struct clk_init_data init; + struct clk *input; + const char *root_clock_name; +- const char *synth_clock_names[SI5341_NUM_SYNTH]; ++ const char *synth_clock_names[SI5341_NUM_SYNTH] = { NULL }; + int err; + unsigned int i; + struct clk_si5341_output_config config[SI5341_MAX_NUM_OUTPUTS]; +@@ -1693,6 +1693,7 @@ static int si5341_probe(struct i2c_client *client, + if (err) { + dev_err(&client->dev, + "synth N%u registration failed\n", i); ++ goto free_clk_names; + } + } + +@@ -1770,16 +1771,17 @@ static int si5341_probe(struct i2c_client *client, + goto cleanup; + } + ++free_clk_names: + /* Free the names, clk framework makes copies */ + for (i = 0; i < data->num_synth; ++i) + 
devm_kfree(&client->dev, (void *)synth_clock_names[i]); + +- return 0; +- + cleanup: +- for (i = 0; i < SI5341_MAX_NUM_OUTPUTS; ++i) { +- if (data->clk[i].vddo_reg) +- regulator_disable(data->clk[i].vddo_reg); ++ if (err) { ++ for (i = 0; i < SI5341_MAX_NUM_OUTPUTS; ++i) { ++ if (data->clk[i].vddo_reg) ++ regulator_disable(data->clk[i].vddo_reg); ++ } + } + return err; + } +-- +2.39.2 + diff --git a/tmp-5.10/clk-tegra-tegra124-emc-fix-potential-memory-leak.patch b/tmp-5.10/clk-tegra-tegra124-emc-fix-potential-memory-leak.patch new file mode 100644 index 00000000000..0d925e037c0 --- /dev/null +++ b/tmp-5.10/clk-tegra-tegra124-emc-fix-potential-memory-leak.patch 
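Review bot: After the new `goto free_clk_names` in the synth loop (`@@ -1693`), the free loop calls `devm_kfree()` on every one of the `data->num_synth` slots, and the slots past the failing index still hold the NULL from the new `= { NULL }` initializer. That is only safe if `devm_kfree()` in the target tree returns early for NULL instead of reporting a missing devres entry; if that cannot be confirmed for this stable branch, guard the call with `if (synth_clock_names[i])`. The same loop is reached from the NULL checks added by clk-si5341-check-return-value-of-devm_-kasprintf.patch. With `return 0;` removed, success also runs through both labels and returns `err`, so a comment at `free_clk_names:` saying that it is reached with `err == 0` on success would document the reliance on the `if (err)` guard.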
@@ -0,0 +1,45 @@
+From d127b02234e27efcf36a6d05e056fa2cb1105221 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Dec 2022 09:41:24 +0000
+Subject: clk: tegra: tegra124-emc: Fix potential memory leak
+
+From: Yuan Can
+
+[ Upstream commit 53a06e5924c0d43c11379a08c5a78529c3e61595 ]
+
+The tegra and tegra needs to be freed in the error handling path, otherwise
+it will be leaked.
+
+Fixes: 2db04f16b589 ("clk: tegra: Add EMC clock driver")
+Signed-off-by: Yuan Can
+Link: https://lore.kernel.org/r/20221209094124.71043-1-yuancan@huawei.com
+Acked-by: Thierry Reding
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/tegra/clk-tegra124-emc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/tegra/clk-tegra124-emc.c b/drivers/clk/tegra/clk-tegra124-emc.c
+index 733a962ff521a..15f728edc54b5 100644
+--- a/drivers/clk/tegra/clk-tegra124-emc.c
++++ b/drivers/clk/tegra/clk-tegra124-emc.c
+@@ -455,6 +455,7 @@ static int load_timings_from_dt(struct tegra_clk_emc *tegra,
+ err = load_one_timing_from_dt(tegra, timing, child);
+ if (err) {
+ of_node_put(child);
++ kfree(tegra->timings);
+ return err;
+ }
+
+@@ -506,6 +507,7 @@ struct clk *tegra_clk_register_emc(void __iomem *base, struct device_node *np,
+ err = load_timings_from_dt(tegra, node, node_ram_code);
+ if (err) {
+ of_node_put(node);
++ kfree(tegra);
+ return ERR_PTR(err);
+ }
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/clk-ti-clkctrl-check-return-value-of-kasprintf.patch b/tmp-5.10/clk-ti-clkctrl-check-return-value-of-kasprintf.patch
new file mode 100644
index 00000000000..4063a79a752
--- /dev/null
+++ b/tmp-5.10/clk-ti-clkctrl-check-return-value-of-kasprintf.patch
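Review bot: In the first inner hunk (`@@ -455`, load_timings_from_dt) `tegra->timings` is freed but the field keeps the stale address. The only caller visible in this patch frees `tegra` immediately afterwards, so nothing reads the pointer today, but adding `tegra->timings = NULL;` after the `kfree()` would keep a later caller or a second cleanup path from turning this into a use-after-free or double free. The second inner hunk frees only `tegra`, which matches the failure handled in the first hunk; whether other failure returns of load_timings_from_dt leave `tegra->timings` allocated cannot be seen here, since that function starts and ends outside the hunk.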
@@ -0,0 +1,52 @@
+From 0b0905dce23bac25a37e895555b3e287cc441826 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 May 2023 12:39:12 +0300
+Subject: clk: ti: clkctrl: check return value of kasprintf()
+
+From: Claudiu Beznea
+
+[ Upstream commit bd46cd0b802d9c9576ca78007aa084ae3e74907b ]
+
+kasprintf() returns a pointer to dynamically allocated memory.
+Pointer could be NULL in case allocation fails. Check pointer validity.
+Identified with coccinelle (kmerr.cocci script).
+
+Fixes: 852049594b9a ("clk: ti: clkctrl: convert subclocks to use proper names also")
+Fixes: 6c3090520554 ("clk: ti: clkctrl: Fix hidden dependency to node name")
+Signed-off-by: Claudiu Beznea
+Link: https://lore.kernel.org/r/20230530093913.1656095-8-claudiu.beznea@microchip.com
+Reviewed-by: Tony Lindgren
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/ti/clkctrl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/clk/ti/clkctrl.c b/drivers/clk/ti/clkctrl.c
+index 864c484bde1b4..157abc46dcf44 100644
+--- a/drivers/clk/ti/clkctrl.c
++++ b/drivers/clk/ti/clkctrl.c
+@@ -267,6 +267,9 @@ static const char * __init clkctrl_get_clock_name(struct device_node *np,
+ if (clkctrl_name && !legacy_naming) {
+ clock_name = kasprintf(GFP_KERNEL, "%s-clkctrl:%04x:%d",
+ clkctrl_name, offset, index);
++ if (!clock_name)
++ return NULL;
++
+ strreplace(clock_name, '_', '-');
+
+ return clock_name;
+@@ -598,6 +601,10 @@ static void __init _ti_omap4_clkctrl_setup(struct device_node *node)
+ if (clkctrl_name) {
+ provider->clkdm_name = kasprintf(GFP_KERNEL,
+ "%s_clkdm", clkctrl_name);
++ if (!provider->clkdm_name) {
++ kfree(provider);
++ return;
++ }
+ goto clkdm_found;
+ }
+
+--
+2.39.2
+
diff --git a/tmp-5.10/clk-vc5-check-memory-returned-by-kasprintf.patch b/tmp-5.10/clk-vc5-check-memory-returned-by-kasprintf.patch
new file mode 100644
index 00000000000..279c439fe10
--- /dev/null
+++ b/tmp-5.10/clk-vc5-check-memory-returned-by-kasprintf.patch
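Review bot: The first inner hunk (`@@ -267`) makes clkctrl_get_clock_name return NULL on allocation failure, which is a new outcome for this branch; its callers are outside the patch and should be checked for handing the result to a name consumer without a NULL test. In the second inner hunk (`@@ -598`) the failure path frees only `provider` and returns; if `provider` already owns other resources at that point (the earlier part of _ti_omap4_clkctrl_setup is not shown), they need releasing before the `kfree()`. Both functions start and end outside their hunks.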
@@ -0,0 +1,108 @@ +From a1ad4455ef9c2f886f6ff162cc021cb377d1c606 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 12:39:06 +0300 +Subject: clk: vc5: check memory returned by kasprintf() + +From: Claudiu Beznea + +[ Upstream commit 144601f6228de5598f03e693822b60a95c367a17 ] + +kasprintf() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: f491276a5168 ("clk: vc5: Allow Versaclock driver to support multiple instances") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20230530093913.1656095-2-claudiu.beznea@microchip.com +Reviewed-by: Luca Ceresoli +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-versaclock5.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/drivers/clk/clk-versaclock5.c b/drivers/clk/clk-versaclock5.c +index eb597ea7bb87b..3ddb974da039a 100644 +--- a/drivers/clk/clk-versaclock5.c ++++ b/drivers/clk/clk-versaclock5.c +@@ -906,6 +906,11 @@ static int vc5_probe(struct i2c_client *client, const struct i2c_device_id *id) + } + + init.name = kasprintf(GFP_KERNEL, "%pOFn.mux", client->dev.of_node); ++ if (!init.name) { ++ ret = -ENOMEM; ++ goto err_clk; ++ } ++ + init.ops = &vc5_mux_ops; + init.flags = 0; + init.parent_names = parent_names; +@@ -920,6 +925,10 @@ static int vc5_probe(struct i2c_client *client, const struct i2c_device_id *id) + memset(&init, 0, sizeof(init)); + init.name = kasprintf(GFP_KERNEL, "%pOFn.dbl", + client->dev.of_node); ++ if (!init.name) { ++ ret = -ENOMEM; ++ goto err_clk; ++ } + init.ops = &vc5_dbl_ops; + init.flags = CLK_SET_RATE_PARENT; + init.parent_names = parent_names; +@@ -935,6 +944,10 @@ static int vc5_probe(struct i2c_client *client, const struct i2c_device_id *id) + /* Register PFD */ + memset(&init, 0, sizeof(init)); + init.name = kasprintf(GFP_KERNEL, "%pOFn.pfd", client->dev.of_node); 
++ if (!init.name) { ++ ret = -ENOMEM; ++ goto err_clk; ++ } + init.ops = &vc5_pfd_ops; + init.flags = CLK_SET_RATE_PARENT; + init.parent_names = parent_names; +@@ -952,6 +965,10 @@ static int vc5_probe(struct i2c_client *client, const struct i2c_device_id *id) + /* Register PLL */ + memset(&init, 0, sizeof(init)); + init.name = kasprintf(GFP_KERNEL, "%pOFn.pll", client->dev.of_node); ++ if (!init.name) { ++ ret = -ENOMEM; ++ goto err_clk; ++ } + init.ops = &vc5_pll_ops; + init.flags = CLK_SET_RATE_PARENT; + init.parent_names = parent_names; +@@ -971,6 +988,10 @@ static int vc5_probe(struct i2c_client *client, const struct i2c_device_id *id) + memset(&init, 0, sizeof(init)); + init.name = kasprintf(GFP_KERNEL, "%pOFn.fod%d", + client->dev.of_node, idx); ++ if (!init.name) { ++ ret = -ENOMEM; ++ goto err_clk; ++ } + init.ops = &vc5_fod_ops; + init.flags = CLK_SET_RATE_PARENT; + init.parent_names = parent_names; +@@ -989,6 +1010,10 @@ static int vc5_probe(struct i2c_client *client, const struct i2c_device_id *id) + memset(&init, 0, sizeof(init)); + init.name = kasprintf(GFP_KERNEL, "%pOFn.out0_sel_i2cb", + client->dev.of_node); ++ if (!init.name) { ++ ret = -ENOMEM; ++ goto err_clk; ++ } + init.ops = &vc5_clk_out_ops; + init.flags = CLK_SET_RATE_PARENT; + init.parent_names = parent_names; +@@ -1015,6 +1040,10 @@ static int vc5_probe(struct i2c_client *client, const struct i2c_device_id *id) + memset(&init, 0, sizeof(init)); + init.name = kasprintf(GFP_KERNEL, "%pOFn.out%d", + client->dev.of_node, idx + 1); ++ if (!init.name) { ++ ret = -ENOMEM; ++ goto err_clk; ++ } + init.ops = &vc5_clk_out_ops; + init.flags = CLK_SET_RATE_PARENT; + init.parent_names = parent_names; +-- +2.39.2 + diff --git a/tmp-5.10/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch b/tmp-5.10/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch new file mode 100644 index 00000000000..f7716876ad2 --- /dev/null +++ b/tmp-5.10/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch 
@@ -0,0 +1,81 @@ +From d0ff9ace7ccea518d20a089b587a8bfbc400389a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 06:56:11 +0000 +Subject: clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe + +From: Feng Mingxi + +[ Upstream commit 8b5bf64c89c7100c921bd807ba39b2eb003061ab ] + +Smatch reports: +drivers/clocksource/timer-cadence-ttc.c:529 ttc_timer_probe() +warn: 'timer_baseaddr' from of_iomap() not released on lines: 498,508,516. + +timer_baseaddr may have the problem of not being released after use, +I replaced it with the devm_of_iomap() function and added the clk_put() +function to cleanup the "clk_ce" and "clk_cs". + +Fixes: e932900a3279 ("arm: zynq: Use standard timer binding") +Fixes: 70504f311d4b ("clocksource/drivers/cadence_ttc: Convert init function to return error") +Signed-off-by: Feng Mingxi +Reviewed-by: Dongliang Mu +Acked-by: Michal Simek +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20230425065611.702917-1-m202271825@hust.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-cadence-ttc.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c +index 4efd0cf3b602d..0d52e28fea4de 100644 +--- a/drivers/clocksource/timer-cadence-ttc.c ++++ b/drivers/clocksource/timer-cadence-ttc.c +@@ -486,10 +486,10 @@ static int __init ttc_timer_probe(struct platform_device *pdev) + * and use it. 
Note that the event timer uses the interrupt and it's the + * 2nd TTC hence the irq_of_parse_and_map(,1) + */ +- timer_baseaddr = of_iomap(timer, 0); +- if (!timer_baseaddr) { ++ timer_baseaddr = devm_of_iomap(&pdev->dev, timer, 0, NULL); ++ if (IS_ERR(timer_baseaddr)) { + pr_err("ERROR: invalid timer base address\n"); +- return -ENXIO; ++ return PTR_ERR(timer_baseaddr); + } + + irq = irq_of_parse_and_map(timer, 1); +@@ -513,20 +513,27 @@ static int __init ttc_timer_probe(struct platform_device *pdev) + clk_ce = of_clk_get(timer, clksel); + if (IS_ERR(clk_ce)) { + pr_err("ERROR: timer input clock not found\n"); +- return PTR_ERR(clk_ce); ++ ret = PTR_ERR(clk_ce); ++ goto put_clk_cs; + } + + ret = ttc_setup_clocksource(clk_cs, timer_baseaddr, timer_width); + if (ret) +- return ret; ++ goto put_clk_ce; + + ret = ttc_setup_clockevent(clk_ce, timer_baseaddr + 4, irq); + if (ret) +- return ret; ++ goto put_clk_ce; + + pr_info("%pOFn #0 at %p, irq=%d\n", timer, timer_baseaddr, irq); + + return 0; ++ ++put_clk_ce: ++ clk_put(clk_ce); ++put_clk_cs: ++ clk_put(clk_cs); ++ return ret; + } + + static const struct of_device_id ttc_timer_of_match[] = { +-- +2.39.2 + diff --git a/tmp-5.10/coresight-fix-loss-of-connection-info-when-a-module-.patch b/tmp-5.10/coresight-fix-loss-of-connection-info-when-a-module-.patch new file mode 100644 index 00000000000..111f544a572 --- /dev/null +++ b/tmp-5.10/coresight-fix-loss-of-connection-info-when-a-module-.patch 
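Review bot: The `put_clk_ce` path in the second inner hunk (`@@ -513`) releases `clk_cs` even when `ttc_setup_clocksource()` has already succeeded, which is the case when `ttc_setup_clockevent()` is the call that fails. If that earlier call registers a clocksource that keeps using `clk_cs` and `timer_baseaddr` (its body is outside the hunk), the new `clk_put(clk_cs)` and the devm-managed unmapping of `timer_baseaddr` on probe failure would leave a registered clocksource reading through a released clock and an unmapped address. The error path would then have to undo the clocksource setup before reaching the labels, or keep the resources in that case. The `clk_cs` lookup and its own error return lie between the two hunks and are not shown.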
@@ -0,0 +1,69 @@ +From 61f796fd8aa474d8168da226aa04ea505203440b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 15:35:28 +0100 +Subject: coresight: Fix loss of connection info when a module is unloaded + +From: James Clark + +[ Upstream commit c45b2835e7b205783bdfe08cc98fa86a7c5eeb74 ] + +child_fwnode should be a read only property based on the DT or ACPI. If +it's cleared on the parent device when a child is unloaded, then when +the child is loaded again the connection won't be remade. + +child_dev should be cleared instead which signifies that the connection +should be remade when the child_fwnode registers a new coresight_device. + +Similarly the reference count shouldn't be decremented as long as the +parent device exists. The correct place to drop the reference is in +coresight_release_platform_data() which is already done. + +Reproducible on Juno with the following steps: + + # load all coresight modules. + $ cd /sys/bus/coresight/devices/ + $ echo 1 > tmc_etr0/enable_sink + $ echo 1 > etm0/enable_source + # Works fine ^ + + $ echo 0 > etm0/enable_source + $ rmmod coresight-funnel + $ modprobe coresight-funnel + $ echo 1 > etm0/enable_source + -bash: echo: write error: Invalid argument + +Fixes: 37ea1ffddffa ("coresight: Use fwnode handle instead of device names") +Fixes: 2af89ebacf29 ("coresight: Clear the connection field properly") +Tested-by: Suzuki K Poulose +Reviewed-by: Mike Leach +Signed-off-by: James Clark +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20230425143542.2305069-2-james.clark@arm.com +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-core.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/drivers/hwtracing/coresight/coresight-core.c b/drivers/hwtracing/coresight/coresight-core.c +index 5ddc8103503b5..c4b805b045316 100644 +--- a/drivers/hwtracing/coresight/coresight-core.c ++++ b/drivers/hwtracing/coresight/coresight-core.c +@@ -1376,13 +1376,8 @@ 
static int coresight_remove_match(struct device *dev, void *data) + if (csdev->dev.fwnode == conn->child_fwnode) { + iterator->orphan = true; + coresight_remove_links(iterator, conn); +- /* +- * Drop the reference to the handle for the remote +- * device acquired in parsing the connections from +- * platform data. +- */ +- fwnode_handle_put(conn->child_fwnode); +- conn->child_fwnode = NULL; ++ ++ conn->child_dev = NULL; + /* No need to continue */ + break; + } +-- +2.39.2 + diff --git a/tmp-5.10/cpufreq-intel_pstate-fix-energy_performance_preferen.patch b/tmp-5.10/cpufreq-intel_pstate-fix-energy_performance_preferen.patch new file mode 100644 index 00000000000..2cfa5c50aae --- /dev/null +++ b/tmp-5.10/cpufreq-intel_pstate-fix-energy_performance_preferen.patch 
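Review bot: The removed comment explained the reference handling and the replacement line has none, so the reason `child_fwnode` is now deliberately left set and referenced exists only in the commit message. A comment above `conn->child_dev = NULL;` would keep it next to the code, for example `/* keep child_fwnode and its reference; it is dropped in coresight_release_platform_data() */`. coresight_remove_match starts and ends outside the hunk.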
@@ -0,0 +1,42 @@
+From dd4c8bdc925f6e679059f6ea0d764a970b9169af Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jun 2023 09:58:39 +0300
+Subject: cpufreq: intel_pstate: Fix energy_performance_preference for passive
+
+From: Tero Kristo
+
+[ Upstream commit 03f44ffb3d5be2fceda375d92c70ab6de4df7081 ]
+
+If the intel_pstate driver is set to passive mode, then writing the
+same value to the energy_performance_preference sysfs twice will fail.
+This is caused by the wrong return value used (index of the matched
+energy_perf_string), instead of the length of the passed in parameter.
+Fix by forcing the internal return value to zero when the same
+preference is passed in by user. This same issue is not present when
+active mode is used for the driver.
+
+Fixes: f6ebbcf08f37 ("cpufreq: intel_pstate: Implement passive mode with HWP enabled")
+Reported-by: Niklas Neronin
+Signed-off-by: Tero Kristo
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/cpufreq/intel_pstate.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
+index 1686705bee7bd..4b06b81d8bb0a 100644
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -777,6 +777,8 @@ static ssize_t store_energy_performance_preference(
+ err = cpufreq_start_governor(policy);
+ if (!ret)
+ ret = err;
++ } else {
++ ret = 0;
+ }
+ }
+
+--
+2.39.2
+
diff --git a/tmp-5.10/crypto-marvell-cesa-fix-type-mismatch-warning.patch b/tmp-5.10/crypto-marvell-cesa-fix-type-mismatch-warning.patch
new file mode 100644
index 00000000000..c7c815cc4f9
--- /dev/null
+++ b/tmp-5.10/crypto-marvell-cesa-fix-type-mismatch-warning.patch
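Review bot: The new `else` branch clears `ret` without saying why, and the reason (per the commit message, `ret` still holds the index of the matched preference string at this point) is not evident from the hunk. A comment on the `ret = 0;` line, such as `/* unchanged preference: drop the match index so the store reports success */`, would prevent the branch from being removed later as dead code. store_energy_performance_preference starts and ends outside the hunk, so where `ret` is finally turned into the return value is not visible.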
@@ -0,0 +1,49 @@
+From 7054e4ed6a8821523d6531ec5781bcce6c6541e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 May 2023 10:33:04 +0200
+Subject: crypto: marvell/cesa - Fix type mismatch warning
+
+From: Arnd Bergmann
+
+[ Upstream commit efbc7764c4446566edb76ca05e903b5905673d2e ]
+
+Commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3") uncovered
+a type mismatch in cesa 3des support that leads to a memcpy beyond the
+end of a structure:
+
+In function 'fortify_memcpy_chk',
+ inlined from 'mv_cesa_des3_ede_setkey' at drivers/crypto/marvell/cesa/cipher.c:307:2:
+include/linux/fortify-string.h:583:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
+ 583 | __write_overflow_field(p_size_field, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This is probably harmless as the actual data that is copied has the correct
+type, but clearly worth fixing nonetheless.
+
+Fixes: 4ada48397823 ("crypto: marvell/cesa - add Triple-DES support")
+Cc: Kees Cook
+Cc: Gustavo A. R. Silva
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Kees Cook
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/crypto/marvell/cesa/cipher.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/marvell/cesa/cipher.c b/drivers/crypto/marvell/cesa/cipher.c
+index 596a8c74e40a5..8dc10f9988948 100644
+--- a/drivers/crypto/marvell/cesa/cipher.c
++++ b/drivers/crypto/marvell/cesa/cipher.c
+@@ -287,7 +287,7 @@ static int mv_cesa_des_setkey(struct crypto_skcipher *cipher, const u8 *key,
+ static int mv_cesa_des3_ede_setkey(struct crypto_skcipher *cipher,
+ const u8 *key, unsigned int len)
+ {
+- struct mv_cesa_des_ctx *ctx = crypto_skcipher_ctx(cipher);
++ struct mv_cesa_des3_ctx *ctx = crypto_skcipher_ctx(cipher);
+ int err;
+
+ err = verify_skcipher_des3_key(cipher, key);
+--
+2.39.2
+
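Review bot: The result of `crypto_skcipher_ctx()` was assigned to either struct pointer without a cast, so the compiler never checked this declaration, and the same would hold for the context size registered for the 3DES algorithms. Since the commit message describes a `memcpy()` flagged as writing past a field, it is worth confirming outside this hunk that the context size declared for the des3 algorithms is `sizeof(struct mv_cesa_des3_ctx)`; if it were sized for `struct mv_cesa_des_ctx`, the copy at cipher.c:307 would be a real overflow and not only a fortify warning. The `memcpy()` itself and the algorithm definitions are not part of the hunk.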
diff --git a/tmp-5.10/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch b/tmp-5.10/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch
new file mode 100644
index 00000000000..98b91b47b6e
--- /dev/null
+++ b/tmp-5.10/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch
@@ -0,0 +1,88 @@ +From 1ae406b6e6e6d3d04d7554c3c0dd1e6cd1e8514c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 15:33:34 -0700 +Subject: crypto: nx - fix build warnings when DEBUG_FS is not enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit b04b076fb56560b39d695ac3744db457e12278fd ] + +Fix build warnings when DEBUG_FS is not enabled by using an empty +do-while loop instead of a value: + +In file included from ../drivers/crypto/nx/nx.c:27: +../drivers/crypto/nx/nx.c: In function 'nx_register_algs': +../drivers/crypto/nx/nx.h:173:33: warning: statement with no effect [-Wunused-value] + 173 | #define NX_DEBUGFS_INIT(drv) (0) +../drivers/crypto/nx/nx.c:573:9: note: in expansion of macro 'NX_DEBUGFS_INIT' + 573 | NX_DEBUGFS_INIT(&nx_driver); +../drivers/crypto/nx/nx.c: In function 'nx_remove': +../drivers/crypto/nx/nx.h:174:33: warning: statement with no effect [-Wunused-value] + 174 | #define NX_DEBUGFS_FINI(drv) (0) +../drivers/crypto/nx/nx.c:793:17: note: in expansion of macro 'NX_DEBUGFS_FINI' + 793 | NX_DEBUGFS_FINI(&nx_driver); + +Also, there is no need to build nx_debugfs.o when DEBUG_FS is not +enabled, so change the Makefile to accommodate that. + +Fixes: ae0222b7289d ("powerpc/crypto: nx driver code supporting nx encryption") +Fixes: aef7b31c8833 ("powerpc/crypto: Build files for the nx device driver") +Signed-off-by: Randy Dunlap +Cc: Breno Leitão +Cc: Nayna Jain +Cc: Paulo Flabiano Smorigo +Cc: Herbert Xu +Cc: "David S. 
Miller" +Cc: linux-crypto@vger.kernel.org +Cc: Michael Ellerman +Cc: Nicholas Piggin +Cc: Christophe Leroy +Cc: linuxppc-dev@lists.ozlabs.org +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/nx/Makefile | 2 +- + drivers/crypto/nx/nx.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/nx/Makefile b/drivers/crypto/nx/Makefile +index bc89a20e5d9d8..351822a598f97 100644 +--- a/drivers/crypto/nx/Makefile ++++ b/drivers/crypto/nx/Makefile +@@ -1,7 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0 + obj-$(CONFIG_CRYPTO_DEV_NX_ENCRYPT) += nx-crypto.o + nx-crypto-objs := nx.o \ +- nx_debugfs.o \ + nx-aes-cbc.o \ + nx-aes-ecb.o \ + nx-aes-gcm.o \ +@@ -11,6 +10,7 @@ nx-crypto-objs := nx.o \ + nx-sha256.o \ + nx-sha512.o + ++nx-crypto-$(CONFIG_DEBUG_FS) += nx_debugfs.o + obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_PSERIES) += nx-compress-pseries.o nx-compress.o + obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_POWERNV) += nx-compress-powernv.o nx-compress.o + nx-compress-objs := nx-842.o +diff --git a/drivers/crypto/nx/nx.h b/drivers/crypto/nx/nx.h +index c6233173c612e..2697baebb6a35 100644 +--- a/drivers/crypto/nx/nx.h ++++ b/drivers/crypto/nx/nx.h +@@ -170,8 +170,8 @@ struct nx_sg *nx_walk_and_build(struct nx_sg *, unsigned int, + void nx_debugfs_init(struct nx_crypto_driver *); + void nx_debugfs_fini(struct nx_crypto_driver *); + #else +-#define NX_DEBUGFS_INIT(drv) (0) +-#define NX_DEBUGFS_FINI(drv) (0) ++#define NX_DEBUGFS_INIT(drv) do {} while (0) ++#define NX_DEBUGFS_FINI(drv) do {} while (0) + #endif + + #define NX_PAGE_NUM(x) ((u64)(x) & 0xfffffffffffff000ULL) +-- +2.39.2 + diff --git a/tmp-5.10/dax-fix-dax_mapping_release-use-after-free.patch b/tmp-5.10/dax-fix-dax_mapping_release-use-after-free.patch new file mode 100644 index 00000000000..71d75ff3f03 --- /dev/null +++ b/tmp-5.10/dax-fix-dax_mapping_release-use-after-free.patch 
@@ -0,0 +1,79 @@ +From 9a86c330020ffbca3302df39d89d21c55cc73129 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 23:13:54 -0700 +Subject: dax: Fix dax_mapping_release() use after free + +From: Dan Williams + +[ Upstream commit 6d24b170a9db0456f577b1ab01226a2254c016a8 ] + +A CONFIG_DEBUG_KOBJECT_RELEASE test of removing a device-dax region +provider (like modprobe -r dax_hmem) yields: + + kobject: 'mapping0' (ffff93eb460e8800): kobject_release, parent 0000000000000000 (delayed 2000) + [..] + DEBUG_LOCKS_WARN_ON(1) + WARNING: CPU: 23 PID: 282 at kernel/locking/lockdep.c:232 __lock_acquire+0x9fc/0x2260 + [..] + RIP: 0010:__lock_acquire+0x9fc/0x2260 + [..] + Call Trace: + + [..] + lock_acquire+0xd4/0x2c0 + ? ida_free+0x62/0x130 + _raw_spin_lock_irqsave+0x47/0x70 + ? ida_free+0x62/0x130 + ida_free+0x62/0x130 + dax_mapping_release+0x1f/0x30 + device_release+0x36/0x90 + kobject_delayed_cleanup+0x46/0x150 + +Due to attempting ida_free() on an ida object that has already been +freed. Devices typically only hold a reference on their parent while +registered. If a child needs a parent object to complete its release it +needs to hold a reference that it drops from its release callback. +Arrange for a dax_mapping to pin its parent dev_dax instance until +dax_mapping_release(). 
+ +Fixes: 0b07ce872a9e ("device-dax: introduce 'mapping' devices") +Signed-off-by: Dan Williams +Link: https://lore.kernel.org/r/168577283412.1672036.16111545266174261446.stgit@dwillia2-xfh.jf.intel.com +Reviewed-by: Dave Jiang +Reviewed-by: Fan Ni +Reviewed-by: Ira Weiny +Signed-off-by: Vishal Verma +Signed-off-by: Sasha Levin +--- + drivers/dax/bus.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/dax/bus.c b/drivers/dax/bus.c +index a02777c93c07b..48b7f0a64eb81 100644 +--- a/drivers/dax/bus.c ++++ b/drivers/dax/bus.c +@@ -592,10 +592,12 @@ EXPORT_SYMBOL_GPL(alloc_dax_region); + static void dax_mapping_release(struct device *dev) + { + struct dax_mapping *mapping = to_dax_mapping(dev); +- struct dev_dax *dev_dax = to_dev_dax(dev->parent); ++ struct device *parent = dev->parent; ++ struct dev_dax *dev_dax = to_dev_dax(parent); + + ida_free(&dev_dax->ida, mapping->id); + kfree(mapping); ++ put_device(parent); + } + + static void unregister_dax_mapping(void *data) +@@ -735,6 +737,7 @@ static int devm_register_dax_mapping(struct dev_dax *dev_dax, int range_id) + dev = &mapping->dev; + device_initialize(dev); + dev->parent = &dev_dax->dev; ++ get_device(dev->parent); + dev->type = &dax_mapping_type; + dev_set_name(dev, "mapping%d", mapping->id); + rc = device_add(dev); +-- +2.39.2 + diff --git a/tmp-5.10/dax-introduce-alloc_dev_dax_id.patch b/tmp-5.10/dax-introduce-alloc_dev_dax_id.patch new file mode 100644 index 00000000000..e6c28f0349d --- /dev/null +++ b/tmp-5.10/dax-introduce-alloc_dev_dax_id.patch 
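Review bot: The `get_device(dev->parent)` added in devm_register_dax_mapping (`@@ -735`) is balanced only by dax_mapping_release(), so every failure after this point has to end in `put_device(dev)` for the parent reference to be dropped. The `device_add()` error handling follows the last line of the hunk and is not shown; if it frees `mapping` directly, the parent dev_dax would stay pinned. In dax_mapping_release (`@@ -592`) a comment on the new last line, `/* pairs with get_device() in devm_register_dax_mapping() */`, would document the pairing, and it could also say that `parent` is cached because `dev` is embedded in `mapping`, which has been freed by then.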
@@ -0,0 +1,195 @@ +From 74f4ebc32571fd49939ef6daeae9a6fccf960b36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 23:14:05 -0700 +Subject: dax: Introduce alloc_dev_dax_id() + +From: Dan Williams + +[ Upstream commit 70aab281e18c68a1284bc387de127c2fc0bed3f8 ] + +The reference counting of dax_region objects is needlessly complicated, +has lead to confusion [1], and has hidden a bug [2]. Towards cleaning up +that mess introduce alloc_dev_dax_id() to minimize the holding of a +dax_region reference to only what dev_dax_release() needs, the +dax_region->ida. + +Part of the reason for the mess was the design to dereference a +dax_region in all cases in free_dev_dax_id() even if the id was +statically assigned by the upper level dax_region driver. Remove the +need to call "is_static(dax_region)" by tracking whether the id is +dynamic directly in the dev_dax instance itself. + +With that flag the dax_region pinning and release per dev_dax instance +can move to alloc_dev_dax_id() and free_dev_dax_id() respectively. + +A follow-on cleanup address the unnecessary references in the dax_region +setup and drivers. 
+ +Fixes: 0f3da14a4f05 ("device-dax: introduce 'seed' devices") +Link: http://lore.kernel.org/r/20221203095858.612027-1-liuyongqiang13@huawei.com [1] +Link: http://lore.kernel.org/r/3cf0890b-4eb0-e70e-cd9c-2ecc3d496263@hpe.com [2] +Reported-by: Yongqiang Liu +Reported-by: Paul Cassella +Reported-by: Ira Weiny +Signed-off-by: Dan Williams +Link: https://lore.kernel.org/r/168577284563.1672036.13493034988900989554.stgit@dwillia2-xfh.jf.intel.com +Reviewed-by: Ira Weiny +Signed-off-by: Vishal Verma +Signed-off-by: Sasha Levin +--- + drivers/dax/bus.c | 56 ++++++++++++++++++++++++--------------- + drivers/dax/dax-private.h | 4 ++- + 2 files changed, 37 insertions(+), 23 deletions(-) + +diff --git a/drivers/dax/bus.c b/drivers/dax/bus.c +index 48b7f0a64eb81..0541b7e4d5c66 100644 +--- a/drivers/dax/bus.c ++++ b/drivers/dax/bus.c +@@ -403,18 +403,34 @@ static void unregister_dev_dax(void *dev) + put_device(dev); + } + ++static void dax_region_free(struct kref *kref) ++{ ++ struct dax_region *dax_region; ++ ++ dax_region = container_of(kref, struct dax_region, kref); ++ kfree(dax_region); ++} ++ ++void dax_region_put(struct dax_region *dax_region) ++{ ++ kref_put(&dax_region->kref, dax_region_free); ++} ++EXPORT_SYMBOL_GPL(dax_region_put); ++ + /* a return value >= 0 indicates this invocation invalidated the id */ + static int __free_dev_dax_id(struct dev_dax *dev_dax) + { +- struct dax_region *dax_region = dev_dax->region; + struct device *dev = &dev_dax->dev; ++ struct dax_region *dax_region; + int rc = dev_dax->id; + + device_lock_assert(dev); + +- if (is_static(dax_region) || dev_dax->id < 0) ++ if (!dev_dax->dyn_id || dev_dax->id < 0) + return -1; ++ dax_region = dev_dax->region; + ida_free(&dax_region->ida, dev_dax->id); ++ dax_region_put(dax_region); + dev_dax->id = -1; + return rc; + } +@@ -430,6 +446,20 @@ static int free_dev_dax_id(struct dev_dax *dev_dax) + return rc; + } + ++static int alloc_dev_dax_id(struct dev_dax *dev_dax) ++{ ++ struct dax_region 
*dax_region = dev_dax->region; ++ int id; ++ ++ id = ida_alloc(&dax_region->ida, GFP_KERNEL); ++ if (id < 0) ++ return id; ++ kref_get(&dax_region->kref); ++ dev_dax->dyn_id = true; ++ dev_dax->id = id; ++ return id; ++} ++ + static ssize_t delete_store(struct device *dev, struct device_attribute *attr, + const char *buf, size_t len) + { +@@ -517,20 +547,6 @@ static const struct attribute_group *dax_region_attribute_groups[] = { + NULL, + }; + +-static void dax_region_free(struct kref *kref) +-{ +- struct dax_region *dax_region; +- +- dax_region = container_of(kref, struct dax_region, kref); +- kfree(dax_region); +-} +- +-void dax_region_put(struct dax_region *dax_region) +-{ +- kref_put(&dax_region->kref, dax_region_free); +-} +-EXPORT_SYMBOL_GPL(dax_region_put); +- + static void dax_region_unregister(void *region) + { + struct dax_region *dax_region = region; +@@ -1270,12 +1286,10 @@ static const struct attribute_group *dax_attribute_groups[] = { + static void dev_dax_release(struct device *dev) + { + struct dev_dax *dev_dax = to_dev_dax(dev); +- struct dax_region *dax_region = dev_dax->region; + struct dax_device *dax_dev = dev_dax->dax_dev; + + put_dax(dax_dev); + free_dev_dax_id(dev_dax); +- dax_region_put(dax_region); + kfree(dev_dax->pgmap); + kfree(dev_dax); + } +@@ -1299,6 +1313,7 @@ struct dev_dax *devm_create_dev_dax(struct dev_dax_data *data) + if (!dev_dax) + return ERR_PTR(-ENOMEM); + ++ dev_dax->region = dax_region; + if (is_static(dax_region)) { + if (dev_WARN_ONCE(parent, data->id < 0, + "dynamic id specified to static region\n")) { +@@ -1314,13 +1329,11 @@ struct dev_dax *devm_create_dev_dax(struct dev_dax_data *data) + goto err_id; + } + +- rc = ida_alloc(&dax_region->ida, GFP_KERNEL); ++ rc = alloc_dev_dax_id(dev_dax); + if (rc < 0) + goto err_id; +- dev_dax->id = rc; + } + +- dev_dax->region = dax_region; + dev = &dev_dax->dev; + device_initialize(dev); + dev_set_name(dev, "dax%d.%d", dax_region->id, dev_dax->id); +@@ -1358,7 +1371,6 @@ struct 
dev_dax *devm_create_dev_dax(struct dev_dax_data *data) + dev_dax->target_node = dax_region->target_node; + dev_dax->align = dax_region->align; + ida_init(&dev_dax->ida); +- kref_get(&dax_region->kref); + + inode = dax_inode(dax_dev); + dev->devt = inode->i_rdev; +diff --git a/drivers/dax/dax-private.h b/drivers/dax/dax-private.h +index 1c974b7caae6e..afcada6fd2eda 100644 +--- a/drivers/dax/dax-private.h ++++ b/drivers/dax/dax-private.h +@@ -52,7 +52,8 @@ struct dax_mapping { + * @region - parent region + * @dax_dev - core dax functionality + * @target_node: effective numa node if dev_dax memory range is onlined +- * @id: ida allocated id ++ * @dyn_id: is this a dynamic or statically created instance ++ * @id: ida allocated id when the dax_region is not static + * @ida: mapping id allocator + * @dev - device core + * @pgmap - pgmap for memmap setup / lifetime (driver owned) +@@ -64,6 +65,7 @@ struct dev_dax { + struct dax_device *dax_dev; + unsigned int align; + int target_node; ++ bool dyn_id; + int id; + struct ida ida; + struct device dev; +-- +2.39.2 + diff --git a/tmp-5.10/debugobjects-recheck-debug_objects_enabled-before-re.patch b/tmp-5.10/debugobjects-recheck-debug_objects_enabled-before-re.patch new file mode 100644 index 00000000000..254c321a533 --- /dev/null +++ b/tmp-5.10/debugobjects-recheck-debug_objects_enabled-before-re.patch 
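Review bot: The kernel-doc line added for `@dyn_id` in dax-private.h does not say that the flag also means a dax_region reference is held, which is the invariant __free_dev_dax_id() now relies on when it calls `dax_region_put()`. I would word it as `@dyn_id: id was allocated from dax_region->ida; a dax_region reference is held until the id is freed`. After __free_dev_dax_id() drops that reference, `dev_dax->region` still points at the region, so for a dynamic instance a short comment there that the pointer must not be dereferenced once the id is -1 would help; whether any later user exists cannot be told from these hunks. devm_create_dev_dax() starts and ends outside the hunks, so its error paths after alloc_dev_dax_id() need checking in the full file.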
@@ -0,0 +1,74 @@ +From 32748b662883f68786bcaa72bb6bfd10a9f599b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jun 2023 19:19:02 +0900 +Subject: debugobjects: Recheck debug_objects_enabled before reporting + +From: Tetsuo Handa + +[ Upstream commit 8b64d420fe2450f82848178506d3e3a0bd195539 ] + +syzbot is reporting false a positive ODEBUG message immediately after +ODEBUG was disabled due to OOM. + + [ 1062.309646][T22911] ODEBUG: Out of memory. ODEBUG disabled + [ 1062.886755][ T5171] ------------[ cut here ]------------ + [ 1062.892770][ T5171] ODEBUG: assert_init not available (active state 0) object: ffffc900056afb20 object type: timer_list hint: process_timeout+0x0/0x40 + + CPU 0 [ T5171] CPU 1 [T22911] + -------------- -------------- + debug_object_assert_init() { + if (!debug_objects_enabled) + return; + db = get_bucket(addr); + lookup_object_or_alloc() { + debug_objects_enabled = 0; + return NULL; + } + debug_objects_oom() { + pr_warn("Out of memory. ODEBUG disabled\n"); + // all buckets get emptied here, and + } + lookup_object_or_alloc(addr, db, descr, false, true) { + // this bucket is already empty. + return ERR_PTR(-ENOENT); + } + // Emits false positive warning. + debug_print_object(&o, "assert_init"); + } + +Recheck debug_object_enabled in debug_print_object() to avoid that. 
+ +Reported-by: syzbot +Suggested-by: Thomas Gleixner +Signed-off-by: Tetsuo Handa +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/492fe2ae-5141-d548-ebd5-62f5fe2e57f7@I-love.SAKURA.ne.jp +Closes: https://syzkaller.appspot.com/bug?extid=7937ba6a50bdd00fffdf +Signed-off-by: Sasha Levin +--- + lib/debugobjects.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/debugobjects.c b/lib/debugobjects.c +index 4c39678c03ee5..4dd9283f6fea0 100644 +--- a/lib/debugobjects.c ++++ b/lib/debugobjects.c +@@ -501,6 +501,15 @@ static void debug_print_object(struct debug_obj *obj, char *msg) + const struct debug_obj_descr *descr = obj->descr; + static int limit; + ++ /* ++ * Don't report if lookup_object_or_alloc() by the current thread ++ * failed because lookup_object_or_alloc()/debug_objects_oom() by a ++ * concurrent thread turned off debug_objects_enabled and cleared ++ * the hash buckets. ++ */ ++ if (!debug_objects_enabled) ++ return; ++ + if (limit < 5 && descr != descr_test) { + void *hint = descr->debug_hint ? + descr->debug_hint(obj->object) : NULL; +-- +2.39.2 + diff --git a/tmp-5.10/devlink-report-devlink_port_type_warn-source-device.patch b/tmp-5.10/devlink-report-devlink_port_type_warn-source-device.patch new file mode 100644 index 00000000000..566bcbe0d2d --- /dev/null +++ b/tmp-5.10/devlink-report-devlink_port_type_warn-source-device.patch 
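Review bot: The recheck added at the top of debug_print_object() reads `debug_objects_enabled` with a plain load while, per the commit message, another CPU can clear it concurrently, and the new comment does not say that this only narrows the window. If the remaining race is accepted, the comment should say so, for example by appending `This is best effort; a report can still race with the disable.`. Writing the test as `if (!READ_ONCE(debug_objects_enabled))` would also mark the lockless read for tools such as KCSAN. The rest of debug_print_object() is outside the hunk.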
@@ -0,0 +1,77 @@ +From e7d166b5c82648002081a09c389843d2cfc48436 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 11:54:47 +0200 +Subject: devlink: report devlink_port_type_warn source device + +From: Petr Oros + +[ Upstream commit a52305a81d6bb74b90b400dfa56455d37872fe4b ] + +devlink_port_type_warn is scheduled for port devlink and warning +when the port type is not set. But from this warning it is not easy +found out which device (driver) has no devlink port set. + +[ 3709.975552] Type was not set for devlink port. +[ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20 +[ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm +[ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse +[ 3710.108431] CPU: 1 PID: 13092 
Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1 +[ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022 +[ 3710.108437] Workqueue: events devlink_port_type_warn +[ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20 +[ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff <0f> 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87 +[ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282 +[ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027 +[ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8 +[ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18 +[ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600 +[ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905 +[ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000 +[ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0 +[ 3710.108456] PKRU: 55555554 +[ 3710.108457] Call Trace: +[ 3710.108458] +[ 3710.108459] process_one_work+0x1e2/0x3b0 +[ 3710.108466] ? rescuer_thread+0x390/0x390 +[ 3710.108468] worker_thread+0x50/0x3a0 +[ 3710.108471] ? rescuer_thread+0x390/0x390 +[ 3710.108473] kthread+0xdd/0x100 +[ 3710.108477] ? kthread_complete_and_exit+0x20/0x20 +[ 3710.108479] ret_from_fork+0x1f/0x30 +[ 3710.108485] +[ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]--- + +After patch: +[ 402.473064] ice 0000:41:00.0: Type was not set for devlink port. +[ 402.473064] ice 0000:41:00.1: Type was not set for devlink port. 
+ +Signed-off-by: Petr Oros +Reviewed-by: Pavan Chebbi +Reviewed-by: Jakub Kicinski +Link: https://lore.kernel.org/r/20230615095447.8259-1-poros@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/devlink.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/core/devlink.c b/net/core/devlink.c +index 72047750dcd96..00c6944ed6342 100644 +--- a/net/core/devlink.c ++++ b/net/core/devlink.c +@@ -8092,7 +8092,10 @@ EXPORT_SYMBOL_GPL(devlink_free); + + static void devlink_port_type_warn(struct work_struct *work) + { +- WARN(true, "Type was not set for devlink port."); ++ struct devlink_port *port = container_of(to_delayed_work(work), ++ struct devlink_port, ++ type_warn_dw); ++ dev_warn(port->devlink->dev, "Type was not set for devlink port."); + } + + static bool devlink_port_type_should_warn(struct devlink_port *devlink_port) +-- +2.39.2 + diff --git a/tmp-5.10/drivers-meson-secure-pwrc-always-enable-dma-domain.patch b/tmp-5.10/drivers-meson-secure-pwrc-always-enable-dma-domain.patch new file mode 100644 index 00000000000..ab8d01753dc --- /dev/null +++ b/tmp-5.10/drivers-meson-secure-pwrc-always-enable-dma-domain.patch 
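Review bot: The format string passed to `dev_warn()` in devlink_port_type_warn() has no trailing newline, which did not matter under `WARN()` but by convention every dev_* message should end with one: `dev_warn(port->devlink->dev, "Type was not set for devlink port.\n");`. Replacing WARN with dev_warn also drops the stack trace and the taint, so anything that keyed on the WARN splat (panic_on_warn setups, log monitors) will no longer see this condition. A sentence in the commit message or a comment above the call would record that this is intended.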
@@ -0,0 +1,42 @@
+From f3dcb75dc0bf8e09cc4c8318c974898a9d3f7c33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 10 Jun 2023 12:04:14 +0300
+Subject: drivers: meson: secure-pwrc: always enable DMA domain
+
+From: Alexey Romanov
+
+[ Upstream commit 0bb4644d583789c97e74d3e3047189f0c59c4742 ]
+
+Starting from commit e45f243409db ("firmware: meson_sm:
+populate platform devices from sm device tree data") pwrc
+is probed successfully and disables unused pwr domains.
+By A1 SoC family design, any TEE requires DMA pwr domain
+always enabled.
+
+Fixes: b3dde5013e13 ("soc: amlogic: Add support for Secure power domains controller")
+Signed-off-by: Alexey Romanov
+Acked-by: Neil Armstrong
+Link: https://lore.kernel.org/r/20230610090414.90529-1-avromanov@sberdevices.ru
+[narmstrong: added fixes tag]
+Signed-off-by: Neil Armstrong
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/amlogic/meson-secure-pwrc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/amlogic/meson-secure-pwrc.c b/drivers/soc/amlogic/meson-secure-pwrc.c
+index fff92e2f39744..090a326664756 100644
+--- a/drivers/soc/amlogic/meson-secure-pwrc.c
++++ b/drivers/soc/amlogic/meson-secure-pwrc.c
+@@ -103,7 +103,7 @@ static struct meson_secure_pwrc_domain_desc a1_pwrc_domains[] = {
+ SEC_PD(ACODEC, 0),
+ SEC_PD(AUDIO, 0),
+ SEC_PD(OTP, 0),
+- SEC_PD(DMA, 0),
++ SEC_PD(DMA, GENPD_FLAG_ALWAYS_ON | GENPD_FLAG_IRQ_SAFE),
+ SEC_PD(SD_EMMC, 0),
+ SEC_PD(RAMA, 0),
+ /* SRAMB is used as ATF runtime memory, and should be always on */
+--
+2.39.2
+
diff --git a/tmp-5.10/drm-amd-display-correct-dmub_fw_version-macro.patch b/tmp-5.10/drm-amd-display-correct-dmub_fw_version-macro.patch
new file mode 100644
index 00000000000..0a65d48ec66
--- /dev/null
+++ b/tmp-5.10/drm-amd-display-correct-dmub_fw_version-macro.patch
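Review bot: The DMA entry in a1_pwrc_domains[] gains `GENPD_FLAG_ALWAYS_ON | GENPD_FLAG_IRQ_SAFE` without a comment, while the SRAMB entry a few lines below documents why it is always on. I would add `/* DMA is required by the TEE on A1 and must stay powered */` above the DMA line. The commit message explains ALWAYS_ON but not why IRQ_SAFE is needed, so that flag deserves a word in the comment as well. The array continues outside the hunk.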
@@ -0,0 +1,37 @@
+From 274d205cb59f43815542e04b42a9e6d0b9b95eff Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Fri, 23 Jun 2023 10:05:19 -0500
+Subject: drm/amd/display: Correct `DMUB_FW_VERSION` macro
+
+From: Mario Limonciello
+
+commit 274d205cb59f43815542e04b42a9e6d0b9b95eff upstream.
+
+The `DMUB_FW_VERSION` macro has a mistake in that the revision field
+is off by one byte. The last byte is typically used for other purposes
+and not a revision.
+
+Cc: stable@vger.kernel.org
+Cc: Sean Wang
+Cc: Marc Rossi
+Cc: Hamza Mahfooz
+Cc: Tsung-hua (Ryan) Lin
+Reviewed-by: Leo Li
+Signed-off-by: Mario Limonciello
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/dmub/dmub_srv.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dmub/dmub_srv.h
++++ b/drivers/gpu/drm/amd/display/dmub/dmub_srv.h
+@@ -347,7 +347,7 @@ struct dmub_srv {
+ * of a firmware to know if feature or functionality is supported or present.
+ */
+ #define DMUB_FW_VERSION(major, minor, revision) \
+- ((((major) & 0xFF) << 24) | (((minor) & 0xFF) << 16) | ((revision) & 0xFFFF))
++ ((((major) & 0xFF) << 24) | (((minor) & 0xFF) << 16) | (((revision) & 0xFF) << 8))
+
+ /**
+ * dmub_srv_create() - creates the DMUB service.
diff --git a/tmp-5.10/drm-amd-display-explicitly-specify-update-type-per-p.patch b/tmp-5.10/drm-amd-display-explicitly-specify-update-type-per-p.patch
new file mode 100644
index 00000000000..8df08c0714c
--- /dev/null
+++ b/tmp-5.10/drm-amd-display-explicitly-specify-update-type-per-p.patch
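Review bot: The corrected `DMUB_FW_VERSION` line still builds its value from `int` operands, so `((major) & 0xFF) << 24` shifts into the sign bit for any major of 0x80 or above. Casting first, `(((uint32_t)(major) & 0xFF) << 24)`, keeps the result unsigned for the version comparisons the macro is meant for. The doc comment above the macro starts outside the hunk; it would be worth stating the layout there after this change: major in bits 31-24, minor in 23-16, revision in 15-8, low byte not part of the version.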
@@ -0,0 +1,49 @@
+From 278372e7469268193cdfccf91890613ad17bfb17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 May 2019 13:21:48 -0400
+Subject: drm/amd/display: Explicitly specify update type per plane info change
+
+From: Nicholas Kazlauskas
+
+[ Upstream commit 710cc1e7cd461446a9325c9bd1e9a54daa462952 ]
+
+[Why]
+The bit for flip addr is being set causing the determination for
+FAST vs MEDIUM to always return MEDIUM when plane info is provided
+as a surface update. This causes extreme stuttering for the typical
+atomic update path on Linux.
+
+[How]
+Don't use update_flags->raw for determining FAST vs MEDIUM. It's too
+fragile to changes like this.
+
+Explicitly specify the update type per update flag instead. It's not
+as clever as checking the bits itself but at least it's correct.
+
+Fixes: aa5fdb1ab5b6 ("drm/amd/display: Explicitly specify update type per plane info change")
+Reviewed-by: Rodrigo Siqueira
+Signed-off-by: Nicholas Kazlauskas
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/dc/core/dc.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
+index 7e0a55aa2b180..099542dd31544 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
+@@ -1855,9 +1855,6 @@ static enum surface_update_type det_surface_update(const struct dc *dc,
+ enum surface_update_type overall_type = UPDATE_TYPE_FAST;
+ union surface_update_flags *update_flags = &u->surface->update_flags;
+
+- if (u->flip_addr)
+- update_flags->bits.addr_update = 1;
+-
+ if (!is_surface_in_context(context, u->surface) || u->surface->force_full_update) {
+ update_flags->raw = 0xFFFFFFFF;
+ return UPDATE_TYPE_FULL;
+--
+2.39.2
+
diff --git a/tmp-5.10/drm-amdgpu-validate-vm-ioctl-flags.patch b/tmp-5.10/drm-amdgpu-validate-vm-ioctl-flags.patch
new file mode 100644
index 00000000000..986892192ef
--- /dev/null
+++ b/tmp-5.10/drm-amdgpu-validate-vm-ioctl-flags.patch
@@ -0,0 +1,33 @@
+From a2b308044dcaca8d3e580959a4f867a1d5c37fac Mon Sep 17 00:00:00 2001
+From: Bas Nieuwenhuizen
+Date: Sat, 13 May 2023 14:51:00 +0200
+Subject: drm/amdgpu: Validate VM ioctl flags.
+
+From: Bas Nieuwenhuizen
+
+commit a2b308044dcaca8d3e580959a4f867a1d5c37fac upstream.
+
+None have been defined yet, so reject anybody setting any. Mesa sets
+it to 0 anyway.
+
+Signed-off-by: Bas Nieuwenhuizen
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+@@ -3252,6 +3252,10 @@ int amdgpu_vm_ioctl(struct drm_device *d
+ long timeout = msecs_to_jiffies(2000);
+ int r;
+
++ /* No valid flags defined yet */
++ if (args->in.flags)
++ return -EINVAL;
++
+ switch (args->in.op) {
+ case AMDGPU_VM_OP_RESERVE_VMID:
+ /* We only have requirement to reserve vmid from gfxhub */
diff --git a/tmp-5.10/drm-amdkfd-fix-potential-deallocation-of-previously-.patch b/tmp-5.10/drm-amdkfd-fix-potential-deallocation-of-previously-.patch
new file mode 100644
index 00000000000..eb542f1d162
--- /dev/null
+++ b/tmp-5.10/drm-amdkfd-fix-potential-deallocation-of-previously-.patch
@@ -0,0 +1,58 @@
+From 79a2612e7068c6b93bf1ef8481ee09330ff42a4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 May 2023 04:23:14 -0700
+Subject: drm/amdkfd: Fix potential deallocation of previously deallocated
+ memory.
+
+From: Daniil Dulov
+
+[ Upstream commit cabbdea1f1861098991768d7bbf5a49ed1608213 ]
+
+Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate().
+The function then returns non-zero value, which causes the second deallocation.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd")
+Signed-off-by: Daniil Dulov
+Signed-off-by: Felix Kuehling
+Reviewed-by: Felix Kuehling
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
+index 3b6f5963180d5..dadeb2013fd9a 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c
+@@ -113,18 +113,19 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd,
+ &(mqd_mem_obj->gtt_mem),
+ &(mqd_mem_obj->gpu_addr),
+ (void *)&(mqd_mem_obj->cpu_ptr), true);
++
++ if (retval) {
++ kfree(mqd_mem_obj);
++ return NULL;
++ }
+ } else {
+ retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd),
+ &mqd_mem_obj);
+- }
+-
+- if (retval) {
+- kfree(mqd_mem_obj);
+- return NULL;
++ if (retval)
++ return NULL;
+ }
+
+ return mqd_mem_obj;
+-
+ }
+
+ static void init_mqd(struct mqd_manager *mm, void **mqd,
+--
+2.39.2
+
diff --git a/tmp-5.10/drm-atomic-allow-vblank-enabled-self-refresh-disable.patch b/tmp-5.10/drm-atomic-allow-vblank-enabled-self-refresh-disable.patch
new file mode 100644
index 00000000000..356e20c82df
--- /dev/null
+++ b/tmp-5.10/drm-atomic-allow-vblank-enabled-self-refresh-disable.patch
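Review bot: The `else` branch of allocate_mqd() now returns NULL without freeing, which is only correct because kfd_gtt_sa_allocate() releases the object itself on failure (per the commit message), and nothing in the code records that. A comment above the new `if (retval)` such as `/* kfd_gtt_sa_allocate() already freed the object on failure; no kfree() here */` would keep the double free from being reintroduced by a later cleanup that merges the two error paths again. The start of the function, including the allocation of mqd_mem_obj in the first branch, is outside the hunk.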
@@ -0,0 +1,83 @@ +From 9d0e3cac3517942a6e00eeecfe583a98715edb16 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 9 Jan 2023 17:18:16 -0800 +Subject: drm/atomic: Allow vblank-enabled + self-refresh "disable" + +From: Brian Norris + +commit 9d0e3cac3517942a6e00eeecfe583a98715edb16 upstream. + +The self-refresh helper framework overloads "disable" to sometimes mean +"go into self-refresh mode," and this mode activates automatically +(e.g., after some period of unchanging display output). In such cases, +the display pipe is still considered "on", and user-space is not aware +that we went into self-refresh mode. Thus, users may expect that +vblank-related features (such as DRM_IOCTL_WAIT_VBLANK) still work +properly. + +However, we trigger the WARN_ONCE() here if a CRTC driver tries to leave +vblank enabled. + +Add a different expectation: that CRTCs *should* leave vblank enabled +when going into self-refresh. + +This patch is preparation for another patch -- "drm/rockchip: vop: Leave +vblank enabled in self-refresh" -- which resolves conflicts between the +above self-refresh behavior and the API tests in IGT's kms_vblank test +module. + +== Some alternatives discussed: == + +It's likely that on many display controllers, vblank interrupts will +turn off when the CRTC is disabled, and so in some cases, self-refresh +may not support vblank. To support such cases, we might consider +additions to the generic helpers such that we fire vblank events based +on a timer. + +However, there is currently only one driver using the common +self-refresh helpers (i.e., rockchip), and at least as of commit +bed030a49f3e ("drm/rockchip: Don't fully disable vop on self refresh"), +the CRTC hardware is powered enough to continue to generate vblank +interrupts. + +So we chose the simpler option of leaving vblank interrupts enabled. We +can reevaluate this decision and perhaps augment the helpers if/when we +gain a second driver that has different requirements. 
+ +v3: + * include discussion summary + +v2: + * add 'ret != 0' warning case for self-refresh + * describe failing test case and relation to drm/rockchip patch better + +Cc: # dependency for "drm/rockchip: vop: Leave + # vblank enabled in self-refresh" +Signed-off-by: Brian Norris +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20230109171809.v3.1.I3904f697863649eb1be540ecca147a66e42bfad7@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_atomic_helper.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_atomic_helper.c ++++ b/drivers/gpu/drm/drm_atomic_helper.c +@@ -1113,7 +1113,16 @@ disable_outputs(struct drm_device *dev, + continue; + + ret = drm_crtc_vblank_get(crtc); +- WARN_ONCE(ret != -EINVAL, "driver forgot to call drm_crtc_vblank_off()\n"); ++ /* ++ * Self-refresh is not a true "disable"; ensure vblank remains ++ * enabled. ++ */ ++ if (new_crtc_state->self_refresh_active) ++ WARN_ONCE(ret != 0, ++ "driver disabled vblank in self-refresh\n"); ++ else ++ WARN_ONCE(ret != -EINVAL, ++ "driver forgot to call drm_crtc_vblank_off()\n"); + if (ret == 0) + drm_crtc_vblank_put(crtc); + } diff --git a/tmp-5.10/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch b/tmp-5.10/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch new file mode 100644 index 00000000000..deeb6a06767 --- /dev/null +++ b/tmp-5.10/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch 
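Review bot: The new `if`/`else` in disable_outputs() leaves two `WARN_ONCE()` calls that each wrap over two lines unbraced, directly ahead of the existing `if (ret == 0)`, which makes the three conditions easy to misread as one chain. As a style point I would brace both branches. The comment could also state the expected return value explicitly, e.g. `/* self-refresh keeps vblank on, so drm_crtc_vblank_get() must succeed */`. `new_crtc_state` is declared outside the hunk, as is the loop this code sits in.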
@@ -0,0 +1,91 @@
+From 4e076c73e4f6e90816b30fcd4a0d7ab365087255 Mon Sep 17 00:00:00 2001
+From: Daniel Vetter
+Date: Fri, 21 Jul 2023 15:58:38 +0200
+Subject: drm/atomic: Fix potential use-after-free in nonblocking commits
+
+From: Daniel Vetter
+
+commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream.
+
+This requires a bit of background. Properly done a modeset driver's
+unload/remove sequence should be
+
+ drm_dev_unplug();
+ drm_atomic_helper_shutdown();
+ drm_dev_put();
+
+The trouble is that the drm_dev_unplugged() checks are by design racy,
+they do not synchronize against all outstanding ioctl. This is because
+those ioctl could block forever (both for modeset and for driver
+specific ioctls), leading to deadlocks in hotunplug. Instead the code
+sections that touch the hardware need to be annotated with
+drm_dev_enter/exit, to avoid accessing hardware resources after the
+unload/remove has finished.
+
+To avoid use-after-free issues all the involved userspace visible
+objects are supposed to hold a reference on the underlying drm_device,
+like drm_file does.
+
+The issue now is that we missed one, the atomic modeset ioctl can be run
+in a nonblocking fashion, and in that case it cannot rely on the implied
+drm_device reference provided by the ioctl calling context. This can
+result in a use-after-free if an nonblocking atomic commit is carefully
+raced against a driver unload.
+
+Fix this by unconditionally grabbing a drm_device reference for any
+drm_atomic_state structures. Strictly speaking this isn't required for
+blocking commits and TEST_ONLY calls, but it's the simpler approach.
+
+Thanks to shanzhulig for the initial idea of grabbing an unconditional
+reference, I just added comments, a condensed commit message and fixed a
+minor potential issue in where exactly we drop the final reference.
+
+Reported-by: shanzhulig
+Suggested-by: shanzhulig
+Reviewed-by: Maxime Ripard
+Cc: Maarten Lankhorst
+Cc: Thomas Zimmermann
+Cc: David Airlie
+Cc: stable@kernel.org
+Signed-off-by: Daniel Vetter
+Signed-off-by: Daniel Vetter
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_atomic.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_atomic.c
++++ b/drivers/gpu/drm/drm_atomic.c
+@@ -98,6 +98,12 @@ drm_atomic_state_init(struct drm_device
+ if (!state->planes)
+ goto fail;
+
++ /*
++ * Because drm_atomic_state can be committed asynchronously we need our
++ * own reference and cannot rely on the on implied by drm_file in the
++ * ioctl call.
++ */
++ drm_dev_get(dev);
+ state->dev = dev;
+
+ DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state);
+@@ -257,7 +263,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear);
+ void __drm_atomic_state_free(struct kref *ref)
+ {
+ struct drm_atomic_state *state = container_of(ref, typeof(*state), ref);
+- struct drm_mode_config *config = &state->dev->mode_config;
++ struct drm_device *dev = state->dev;
++ struct drm_mode_config *config = &dev->mode_config;
+
+ drm_atomic_state_clear(state);
+
+@@ -269,6 +276,8 @@ void __drm_atomic_state_free(struct kref
+ drm_atomic_state_default_release(state);
+ kfree(state);
+ }
++
++ drm_dev_put(dev);
+ }
+ EXPORT_SYMBOL(__drm_atomic_state_free);
+
diff --git a/tmp-5.10/drm-bridge-tc358768-add-atomic_get_input_bus_fmts-im.patch b/tmp-5.10/drm-bridge-tc358768-add-atomic_get_input_bus_fmts-im.patch
new file mode 100644
index 00000000000..6075036c137
--- /dev/null
+++ b/tmp-5.10/drm-bridge-tc358768-add-atomic_get_input_bus_fmts-im.patch
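Review bot: The comment added above `drm_dev_get(dev)` in drm_atomic_state_init() reads "cannot rely on the on implied by drm_file", which should be `cannot rely on the one implied by drm_file`. It would also help to name the matching release in that comment, e.g. `Dropped in __drm_atomic_state_free().`, because the put lives in a different function and runs after `kfree(state)` through the cached `dev` pointer. The get is placed after the last `goto fail` visible in the hunk, so the failure path shown needs no put. The `fail:` label and the rest of the function are outside the hunk.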
@@ -0,0 +1,98 @@ +From fd2056366630021dadcb7550b0263923140cc6a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 11:59:41 +0200 +Subject: drm/bridge: tc358768: Add atomic_get_input_bus_fmts() implementation + +From: Francesco Dolcini + +[ Upstream commit cec5ccef85bd0128cf895612de54a9d21d2015d0 ] + +Add atomic_get_input_bus_fmts() implementation, tc358768 has a parallel +RGB input interface with the actual bus format depending on the amount +of parallel input data lines. + +Without this change when the tc358768 is used with less than 24bit the +color mapping is completely wrong. + +Signed-off-by: Francesco Dolcini +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230330095941.428122-7-francesco@dolcini.it +Stable-dep-of: ee18698e212b ("drm/bridge: tc358768: fix TCLK_TRAILCNT computation") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358768.c | 44 +++++++++++++++++++++++++++++++ + 1 file changed, 44 insertions(+) + +diff --git a/drivers/gpu/drm/bridge/tc358768.c b/drivers/gpu/drm/bridge/tc358768.c +index facd4dab433b1..f6c0300090ecd 100644 +--- a/drivers/gpu/drm/bridge/tc358768.c ++++ b/drivers/gpu/drm/bridge/tc358768.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -871,6 +872,44 @@ static void tc358768_bridge_enable(struct drm_bridge *bridge) + } + } + ++#define MAX_INPUT_SEL_FORMATS 1 ++ ++static u32 * ++tc358768_atomic_get_input_bus_fmts(struct drm_bridge *bridge, ++ struct drm_bridge_state *bridge_state, ++ struct drm_crtc_state *crtc_state, ++ struct drm_connector_state *conn_state, ++ u32 output_fmt, ++ unsigned int *num_input_fmts) ++{ ++ struct tc358768_priv *priv = bridge_to_tc358768(bridge); ++ u32 *input_fmts; ++ ++ *num_input_fmts = 0; ++ ++ input_fmts = kcalloc(MAX_INPUT_SEL_FORMATS, sizeof(*input_fmts), ++ GFP_KERNEL); ++ if (!input_fmts) ++ return NULL; ++ ++ switch (priv->pd_lines) { ++ case 16: ++ 
input_fmts[0] = MEDIA_BUS_FMT_RGB565_1X16; ++ break; ++ case 18: ++ input_fmts[0] = MEDIA_BUS_FMT_RGB666_1X18; ++ break; ++ default: ++ case 24: ++ input_fmts[0] = MEDIA_BUS_FMT_RGB888_1X24; ++ break; ++ }; ++ ++ *num_input_fmts = MAX_INPUT_SEL_FORMATS; ++ ++ return input_fmts; ++} ++ + static const struct drm_bridge_funcs tc358768_bridge_funcs = { + .attach = tc358768_bridge_attach, + .mode_valid = tc358768_bridge_mode_valid, +@@ -878,6 +917,11 @@ static const struct drm_bridge_funcs tc358768_bridge_funcs = { + .enable = tc358768_bridge_enable, + .disable = tc358768_bridge_disable, + .post_disable = tc358768_bridge_post_disable, ++ ++ .atomic_duplicate_state = drm_atomic_helper_bridge_duplicate_state, ++ .atomic_destroy_state = drm_atomic_helper_bridge_destroy_state, ++ .atomic_reset = drm_atomic_helper_bridge_reset, ++ .atomic_get_input_bus_fmts = tc358768_atomic_get_input_bus_fmts, + }; + + static const struct drm_bridge_timings default_tc358768_timings = { +-- +2.39.2 + diff --git a/tmp-5.10/drm-bridge-tc358768-always-enable-hs-video-mode.patch b/tmp-5.10/drm-bridge-tc358768-always-enable-hs-video-mode.patch new file mode 100644 index 00000000000..db4ad10bf65 --- /dev/null +++ b/tmp-5.10/drm-bridge-tc358768-always-enable-hs-video-mode.patch 
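Review bot: In tc358768_atomic_get_input_bus_fmts() the `default:` label sits directly above `case 24:`, so any unexpected `priv->pd_lines` value is reported as MEDIA_BUS_FMT_RGB888_1X24 without a trace, and the switch is closed with a stray `};`. If pd_lines is taken from the firmware description (not visible here), a wrong value would reproduce the colour-mapping problem this patch addresses with nothing in the log. I would give `default:` its own arm with `dev_warn(priv->dev, "unsupported pd_lines %u, assuming 24\n", priv->pd_lines);` followed by `fallthrough;`, and drop the semicolon after the closing brace. A one-line comment stating that the returned array comes from kcalloc() and is released by the caller would document the ownership that the NULL-return path already implies.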
@@ -0,0 +1,49 @@ +From 4d7f8fa9e1bc9a27f3e895604e670f2d10389bed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 16:29:26 +0200 +Subject: drm/bridge: tc358768: always enable HS video mode + +From: Francesco Dolcini + +[ Upstream commit 75a8aeac2573ab258c53676eba9b3796ea691988 ] + +Always enable HS video mode setting the TXMD bit, without this change no +video output is present with DSI sinks that are setting +MIPI_DSI_MODE_LPM flag (tested with LT8912B DSI-HDMI bridge). + +Previously the driver was enabling HS mode only when the DSI sink was +not explicitly setting the MIPI_DSI_MODE_LPM, however this is not +correct. + +The MIPI_DSI_MODE_LPM is supposed to indicate that the sink is willing +to receive data in low power mode, however clearing the +TC358768_DSI_CONTROL_TXMD bit will make the TC358768 send video in +LP mode that is not the intended behavior. + +Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") +Signed-off-by: Francesco Dolcini +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-2-francesco@dolcini.it +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358768.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/tc358768.c b/drivers/gpu/drm/bridge/tc358768.c +index 8ed8302d6bbb4..e65af025a771f 100644 +--- a/drivers/gpu/drm/bridge/tc358768.c ++++ b/drivers/gpu/drm/bridge/tc358768.c +@@ -819,8 +819,7 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge) + val = TC358768_DSI_CONFW_MODE_SET | TC358768_DSI_CONFW_ADDR_DSI_CONTROL; + val |= (dsi_dev->lanes - 1) << 1; + +- if (!(dsi_dev->mode_flags & MIPI_DSI_MODE_LPM)) +- val |= TC358768_DSI_CONTROL_TXMD; ++ val |= TC358768_DSI_CONTROL_TXMD; + + if (!(dsi_dev->mode_flags & MIPI_DSI_CLOCK_NON_CONTINUOUS)) + val |= TC358768_DSI_CONTROL_HSCKMD; +-- +2.39.2 + 
diff --git a/tmp-5.10/drm-bridge-tc358768-fix-pll-parameters-computation.patch b/tmp-5.10/drm-bridge-tc358768-fix-pll-parameters-computation.patch new file mode 100644 index 00000000000..a9e41a3adb2 --- /dev/null +++ b/tmp-5.10/drm-bridge-tc358768-fix-pll-parameters-computation.patch @@ -0,0 +1,49 @@ +From 1c11fb6a17896c23936a34d91bef9ebde9703fba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 16:29:27 +0200 +Subject: drm/bridge: tc358768: fix PLL parameters computation + +From: Francesco Dolcini + +[ Upstream commit 6a4020b4c63911977aaf8047f904a300d15de739 ] + +According to Toshiba documentation the PLL input clock after the divider +should be not less than 4MHz, fix the PLL parameters computation +accordingly. + +Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") +Signed-off-by: Francesco Dolcini +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-3-francesco@dolcini.it +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358768.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/tc358768.c b/drivers/gpu/drm/bridge/tc358768.c +index e65af025a771f..d9021e750940f 100644 +--- a/drivers/gpu/drm/bridge/tc358768.c ++++ b/drivers/gpu/drm/bridge/tc358768.c +@@ -329,13 +329,17 @@ static int tc358768_calc_pll(struct tc358768_priv *priv, + u32 fbd; + + for (fbd = 0; fbd < 512; ++fbd) { +- u32 pll, diff; ++ u32 pll, diff, pll_in; + + pll = (u32)div_u64((u64)refclk * (fbd + 1), divisor); + + if (pll >= max_pll || pll < min_pll) + continue; + ++ pll_in = (u32)div_u64((u64)refclk, prd + 1); ++ if (pll_in < 4000000) ++ continue; ++ + diff = max(pll, target_pll) - min(pll, target_pll); + + if (diff < best_diff) { +-- +2.39.2 + diff --git a/tmp-5.10/drm-bridge-tc358768-fix-pll-target-frequency.patch b/tmp-5.10/drm-bridge-tc358768-fix-pll-target-frequency.patch new file mode 100644 index 00000000000..72ccb21d106 --- /dev/null 
+++ b/tmp-5.10/drm-bridge-tc358768-fix-pll-target-frequency.patch 
@@ -0,0 +1,74 @@ +From d04690d7a6b60e39f8bd9815fb73c2c009465349 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 16:29:28 +0200 +Subject: drm/bridge: tc358768: fix PLL target frequency + +From: Francesco Dolcini + +[ Upstream commit ffd2e4bbea626d565b9817312b0fcfb382fecb88 ] + +Correctly compute the PLL target frequency, the current formula works +correctly only when the input bus width is 24bit, actually to properly +compute the PLL target frequency what is relevant is the bits-per-pixel +on the DSI link. + +No regression expected since the DSI format is currently hard-coded as +MIPI_DSI_FMT_RGB888. + +Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") +Signed-off-by: Francesco Dolcini +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-4-francesco@dolcini.it +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358768.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/tc358768.c b/drivers/gpu/drm/bridge/tc358768.c +index d9021e750940f..4aec4b428189c 100644 +--- a/drivers/gpu/drm/bridge/tc358768.c ++++ b/drivers/gpu/drm/bridge/tc358768.c +@@ -147,6 +147,7 @@ struct tc358768_priv { + + u32 pd_lines; /* number of Parallel Port Input Data Lines */ + u32 dsi_lanes; /* number of DSI Lanes */ ++ u32 dsi_bpp; /* number of Bits Per Pixel over DSI */ + + /* Parameters for PLL programming */ + u32 fbd; /* PLL feedback divider */ +@@ -279,12 +280,12 @@ static void tc358768_hw_disable(struct tc358768_priv *priv) + + static u32 tc358768_pll_to_pclk(struct tc358768_priv *priv, u32 pll_clk) + { +- return (u32)div_u64((u64)pll_clk * priv->dsi_lanes, priv->pd_lines); ++ return (u32)div_u64((u64)pll_clk * priv->dsi_lanes, priv->dsi_bpp); + } + + static u32 tc358768_pclk_to_pll(struct tc358768_priv *priv, u32 pclk) + { +- return (u32)div_u64((u64)pclk * priv->pd_lines, priv->dsi_lanes); ++ return (u32)div_u64((u64)pclk * 
priv->dsi_bpp, priv->dsi_lanes); + } + + static int tc358768_calc_pll(struct tc358768_priv *priv, +@@ -421,6 +422,7 @@ static int tc358768_dsi_host_attach(struct mipi_dsi_host *host, + priv->output.panel = panel; + + priv->dsi_lanes = dev->lanes; ++ priv->dsi_bpp = mipi_dsi_pixel_format_to_bpp(dev->format); + + /* get input ep (port0/endpoint0) */ + ret = -EINVAL; +@@ -432,7 +434,7 @@ static int tc358768_dsi_host_attach(struct mipi_dsi_host *host, + } + + if (ret) +- priv->pd_lines = mipi_dsi_pixel_format_to_bpp(dev->format); ++ priv->pd_lines = priv->dsi_bpp; + + drm_bridge_add(&priv->bridge); + +-- +2.39.2 + diff --git a/tmp-5.10/drm-bridge-tc358768-fix-tclk_trailcnt-computation.patch b/tmp-5.10/drm-bridge-tc358768-fix-tclk_trailcnt-computation.patch new file mode 100644 index 00000000000..1d64b03d767 --- /dev/null +++ b/tmp-5.10/drm-bridge-tc358768-fix-tclk_trailcnt-computation.patch 
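Review bot: `priv->dsi_bpp = mipi_dsi_pixel_format_to_bpp(dev->format);` in tc358768_dsi_host_attach() stores the helper's result in a u32 without checking it, and this patch makes that field the divisor in tc358768_pll_to_pclk(). The helper returns a negative errno for a format it does not know, which would become a very large unsigned value here, and a dsi_bpp of zero (for instance if the clock helpers can run before attach, which the hunks do not show) would be a division by zero in div_u64(). I would validate first: `ret = mipi_dsi_pixel_format_to_bpp(dev->format);`, `if (ret < 0) return ret;`, `priv->dsi_bpp = ret;`. The attach function continues outside the hunk, so confirm that an early return at that point does not need to undo earlier setup.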
@@ -0,0 +1,92 @@ +From b3754f2dbf429eb626e0186a8127a6c97ec76c7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 16:29:30 +0200 +Subject: drm/bridge: tc358768: fix TCLK_TRAILCNT computation + +From: Francesco Dolcini + +[ Upstream commit ee18698e212b1659dd0850d7e2ae0f22e16ed3d3 ] + +Correct computation of TCLK_TRAILCNT register. + +The driver does not implement non-continuous clock mode, so the actual +value doesn't make a practical difference yet. However this change also +ensures that the value does not write to reserved registers bits in case +of under/overflow. + +This register must be set to a value that ensures that + +TCLK-TRAIL > 60ns + and +TEOT <= (105 ns + 12 x UI) + +with the actual value of TCLK-TRAIL being + +(TCLK_TRAILCNT + (1 to 2)) xHSByteClkCycle + + (2 + (1 to 2)) * HSBYTECLKCycle - (PHY output delay) + +with PHY output delay being about + +(2 to 3) x MIPIBitClk cycle in the BitClk conversion. + +Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") +Signed-off-by: Francesco Dolcini +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-2-francesco@dolcini.it +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-3-francesco@dolcini.it +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-4-francesco@dolcini.it +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-5-francesco@dolcini.it +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-2-francesco@dolcini.it +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-3-francesco@dolcini.it +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-4-francesco@dolcini.it +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-5-francesco@dolcini.it +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-2-francesco@dolcini.it +Link: 
https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-3-francesco@dolcini.it +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-4-francesco@dolcini.it +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-5-francesco@dolcini.it +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-2-francesco@dolcini.it +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-3-francesco@dolcini.it +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-4-francesco@dolcini.it +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-5-francesco@dolcini.it +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358768.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/tc358768.c b/drivers/gpu/drm/bridge/tc358768.c +index f6c0300090ecd..b7372c5b0b819 100644 +--- a/drivers/gpu/drm/bridge/tc358768.c ++++ b/drivers/gpu/drm/bridge/tc358768.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -633,6 +634,7 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge) + struct tc358768_priv *priv = bridge_to_tc358768(bridge); + struct mipi_dsi_device *dsi_dev = priv->output.dev; + u32 val, val2, lptxcnt, hact, data_type; ++ s32 raw_val; + const struct drm_display_mode *mode; + u32 dsibclk_nsk, dsiclk_nsk, ui_nsk, phy_delay_nsk; + u32 dsiclk, dsibclk; +@@ -733,9 +735,9 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge) + dev_dbg(priv->dev, "TCLK_HEADERCNT: 0x%x\n", val); + tc358768_write(priv, TC358768_TCLK_HEADERCNT, val); + +- /* TCLK_TRAIL > 60ns + 3*UI */ +- val = 60 + tc358768_to_ns(3 * ui_nsk); +- val = tc358768_ns_to_cnt(val, dsibclk_nsk) - 5; ++ /* TCLK_TRAIL > 60ns AND TEOT <= 105 ns + 12*UI */ ++ raw_val = tc358768_ns_to_cnt(60 + tc358768_to_ns(2 * ui_nsk), dsibclk_nsk) - 5; ++ val = clamp(raw_val, 0, 127); + dev_dbg(priv->dev, 
"TCLK_TRAILCNT: 0x%x\n", val); + tc358768_write(priv, TC358768_TCLK_TRAILCNT, val); + +-- +2.39.2 + diff --git a/tmp-5.10/drm-bridge-tc358768-fix-tclk_zerocnt-computation.patch b/tmp-5.10/drm-bridge-tc358768-fix-tclk_zerocnt-computation.patch new file mode 100644 index 00000000000..5a24199ca66 --- /dev/null +++ b/tmp-5.10/drm-bridge-tc358768-fix-tclk_zerocnt-computation.patch 
@@ -0,0 +1,54 @@ +From e676e8ed72ee4d91498e2214a3980d9b38066a6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 16:29:29 +0200 +Subject: drm/bridge: tc358768: fix TCLK_ZEROCNT computation + +From: Francesco Dolcini + +[ Upstream commit f9cf811374f42fca31ac34aaf59ee2ae72b89879 ] + +Correct computation of TCLK_ZEROCNT register. + +This register must be set to a value that ensure that +(TCLK-PREPARECNT + TCLK-ZERO) > 300ns + +with the actual value of (TCLK-PREPARECNT + TCLK-ZERO) being + +(1 to 2) + (TCLK_ZEROCNT + 1)) x HSByteClkCycle + (PHY output delay) + +with PHY output delay being about + +(2 to 3) x MIPIBitClk cycle in the BitClk conversion. + +Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") +Signed-off-by: Francesco Dolcini +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-5-francesco@dolcini.it +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358768.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/tc358768.c b/drivers/gpu/drm/bridge/tc358768.c +index 4aec4b428189c..facd4dab433b1 100644 +--- a/drivers/gpu/drm/bridge/tc358768.c ++++ b/drivers/gpu/drm/bridge/tc358768.c +@@ -725,10 +725,10 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge) + + /* 38ns < TCLK_PREPARE < 95ns */ + val = tc358768_ns_to_cnt(65, dsibclk_nsk) - 1; +- /* TCLK_PREPARE > 300ns */ +- val2 = tc358768_ns_to_cnt(300 + tc358768_to_ns(3 * ui_nsk), +- dsibclk_nsk); +- val |= (val2 - tc358768_to_ns(phy_delay_nsk - dsibclk_nsk)) << 8; ++ /* TCLK_PREPARE + TCLK_ZERO > 300ns */ ++ val2 = tc358768_ns_to_cnt(300 - tc358768_to_ns(2 * ui_nsk), ++ dsibclk_nsk) - 2; ++ val |= val2 << 8; + dev_dbg(priv->dev, "TCLK_HEADERCNT: 0x%x\n", val); + tc358768_write(priv, TC358768_TCLK_HEADERCNT, val); + +-- +2.39.2 + 
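Review bot: The new `val2 = tc358768_ns_to_cnt(300 - tc358768_to_ns(2 * ui_nsk), dsibclk_nsk) - 2;` is shifted into the register value by `val |= val2 << 8;` with no bound, unlike the TCLK_TRAILCNT, THS_TRAILCNT and THS_ZEROCNT patches in the same queue, which clamp before writing. val2 is declared u32 in this function (visible in the context of the TCLK_TRAILCNT patch), so a count below 2, or the `300 - …` term going below zero, would wrap and set bits well outside the intended field. I would bound it the same way, for example `val |= clamp_t(s32, val2, 0, TCLK_ZEROCNT_MAX) << 8;`, where TCLK_ZEROCNT_MAX is a placeholder for the field maximum from the datasheet. tc358768_bridge_pre_enable() continues outside the hunk.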
diff --git a/tmp-5.10/drm-bridge-tc358768-fix-ths_trailcnt-computation.patch b/tmp-5.10/drm-bridge-tc358768-fix-ths_trailcnt-computation.patch new file mode 100644 index 00000000000..dda2c7f0d08 --- /dev/null +++ b/tmp-5.10/drm-bridge-tc358768-fix-ths_trailcnt-computation.patch 
@@ -0,0 +1,60 @@ +From 0b6eb1d98682f44cb5271e6ab297c0d96cbf1fc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 16:29:33 +0200 +Subject: drm/bridge: tc358768: fix THS_TRAILCNT computation + +From: Francesco Dolcini + +[ Upstream commit bac7842cd179572e8e0fc2d7b5254e40c6e9e057 ] + +Correct computation of THS_TRAILCNT register. + +This register must be set to a value that ensure that +THS_TRAIL > 60 ns + 4 x UI + and +THS_TRAIL > 8 x UI + and +THS_TRAIL < TEOT + with +TEOT = 105 ns + (12 x UI) + +with the actual value of THS_TRAIL being + +(1 + THS_TRAILCNT) x ByteClk cycle + ((1 to 2) + 2) xHSBYTECLK cycle + + - (PHY output delay) + +with PHY output delay being about + +(8 + (5 to 6)) x MIPIBitClk cycle in the BitClk conversion. + +Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") +Signed-off-by: Francesco Dolcini +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-9-francesco@dolcini.it +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358768.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/tc358768.c b/drivers/gpu/drm/bridge/tc358768.c +index 40fffce680c5a..b4a69b2104514 100644 +--- a/drivers/gpu/drm/bridge/tc358768.c ++++ b/drivers/gpu/drm/bridge/tc358768.c +@@ -763,9 +763,10 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge) + dev_dbg(priv->dev, "TCLK_POSTCNT: 0x%x\n", val); + tc358768_write(priv, TC358768_TCLK_POSTCNT, val); + +- /* 60ns + 4*UI < THS_PREPARE < 105ns + 12*UI */ +- val = tc358768_ns_to_cnt(60 + tc358768_to_ns(15 * ui_nsk), +- dsibclk_nsk) - 5; ++ /* max(60ns + 4*UI, 8*UI) < THS_TRAILCNT < 105ns + 12*UI */ ++ raw_val = tc358768_ns_to_cnt(60 + tc358768_to_ns(18 * ui_nsk), ++ dsibclk_nsk) - 4; ++ val = clamp(raw_val, 0, 15); + dev_dbg(priv->dev, "THS_TRAILCNT: 0x%x\n", val); + tc358768_write(priv, TC358768_THS_TRAILCNT, val); + +-- +2.39.2 + 
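Review bot: The bounds in `val = clamp(raw_val, 0, 15);` are bare numbers, and the TCLK_TRAILCNT and THS_ZEROCNT patches in this queue do the same with `clamp(raw_val, 0, 127)`. The TCLK_TRAILCNT commit message says the clamp is there to keep under- or overflowed counts out of reserved register bits, so each bound should be tied to the field it protects, with a named per-register maximum or a comment such as `/* THS_TRAILCNT is a 4-bit field */` (width inferred from the bound; confirm against the datasheet). A one-line comment that `raw_val` is signed on purpose, so that a count smaller than the subtracted offset goes negative and clamps to 0 instead of wrapping, would keep a later cleanup from changing it back to u32. The rewritten comment also names the register count THS_TRAILCNT where the limits apply to the THS_TRAIL time. tc358768_bridge_pre_enable() continues outside the hunk.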
diff --git a/tmp-5.10/drm-bridge-tc358768-fix-ths_zerocnt-computation.patch b/tmp-5.10/drm-bridge-tc358768-fix-ths_zerocnt-computation.patch new file mode 100644 index 00000000000..ff1dc7b3c3f --- /dev/null +++ b/tmp-5.10/drm-bridge-tc358768-fix-ths_zerocnt-computation.patch 
@@ -0,0 +1,54 @@ +From ad16fef912b6163abbf04cd5ea44db500f280800 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 16:29:31 +0200 +Subject: drm/bridge: tc358768: fix THS_ZEROCNT computation + +From: Francesco Dolcini + +[ Upstream commit 77a089328da791118af9692543a5eedc79eb5fd4 ] + +Correct computation of THS_ZEROCNT register. + +This register must be set to a value that ensure that +THS_PREPARE + THS_ZERO > 145ns + 10*UI + +with the actual value of (THS_PREPARE + THS_ZERO) being + +((1 to 2) + 1 + (TCLK_ZEROCNT + 1) + (3 to 4)) x ByteClk cycle + + + HSByteClk x (2 + (1 to 2)) + (PHY delay) + +with PHY delay being about + +(8 + (5 to 6)) x MIPIBitClk cycle in the BitClk conversion. + +Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") +Signed-off-by: Francesco Dolcini +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-7-francesco@dolcini.it +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358768.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/tc358768.c b/drivers/gpu/drm/bridge/tc358768.c +index b7372c5b0b819..a35674b6ff244 100644 +--- a/drivers/gpu/drm/bridge/tc358768.c ++++ b/drivers/gpu/drm/bridge/tc358768.c +@@ -744,9 +744,10 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge) + /* 40ns + 4*UI < THS_PREPARE < 85ns + 6*UI */ + val = 50 + tc358768_to_ns(4 * ui_nsk); + val = tc358768_ns_to_cnt(val, dsibclk_nsk) - 1; +- /* THS_ZERO > 145ns + 10*UI */ +- val2 = tc358768_ns_to_cnt(145 - tc358768_to_ns(ui_nsk), dsibclk_nsk); +- val |= (val2 - tc358768_to_ns(phy_delay_nsk)) << 8; ++ /* THS_PREPARE + THS_ZERO > 145ns + 10*UI */ ++ raw_val = tc358768_ns_to_cnt(145 - tc358768_to_ns(3 * ui_nsk), dsibclk_nsk) - 10; ++ val2 = clamp(raw_val, 0, 127); ++ val |= val2 << 8; + dev_dbg(priv->dev, "THS_HEADERCNT: 0x%x\n", val); + tc358768_write(priv, TC358768_THS_HEADERCNT, val); + +-- +2.39.2 + 
diff --git a/tmp-5.10/drm-bridge-tc358768-fix-txtagocnt-computation.patch b/tmp-5.10/drm-bridge-tc358768-fix-txtagocnt-computation.patch new file mode 100644 index 00000000000..759d1da473b --- /dev/null +++ b/tmp-5.10/drm-bridge-tc358768-fix-txtagocnt-computation.patch @@ -0,0 +1,44 @@ +From a940446d16f88f79b943931d621d75e8901d14ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Apr 2023 16:29:32 +0200 +Subject: drm/bridge: tc358768: fix TXTAGOCNT computation + +From: Francesco Dolcini + +[ Upstream commit 3666aad8185af8d0ce164fd3c4974235417d6d0b ] + +Correct computation of TXTAGOCNT register. + +This register must be set to a value that ensure that the +TTA-GO period = (4 x TLPX) + +with the actual value of TTA-GO being + +4 x (TXTAGOCNT + 1) x (HSByteClk cycle) + +Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") +Signed-off-by: Francesco Dolcini +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20230427142934.55435-8-francesco@dolcini.it +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358768.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/tc358768.c b/drivers/gpu/drm/bridge/tc358768.c +index a35674b6ff244..40fffce680c5a 100644 +--- a/drivers/gpu/drm/bridge/tc358768.c ++++ b/drivers/gpu/drm/bridge/tc358768.c +@@ -779,7 +779,7 @@ static void tc358768_bridge_pre_enable(struct drm_bridge *bridge) + + /* TXTAGOCNT[26:16] RXTASURECNT[10:0] */ + val = tc358768_to_ns((lptxcnt + 1) * dsibclk_nsk * 4); +- val = tc358768_ns_to_cnt(val, dsibclk_nsk) - 1; ++ val = tc358768_ns_to_cnt(val, dsibclk_nsk) / 4 - 1; + val2 = tc358768_ns_to_cnt(tc358768_to_ns((lptxcnt + 1) * dsibclk_nsk), + dsibclk_nsk) - 2; + val |= val2 << 16; +-- +2.39.2 + diff --git a/tmp-5.10/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch b/tmp-5.10/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch new file mode 100644 index 00000000000..6d6365350ff 
--- /dev/null +++ b/tmp-5.10/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch @@ -0,0 +1,46 @@ +From 2329cc7a101af1a844fbf706c0724c0baea38365 Mon Sep 17 00:00:00 2001 +From: Jocelyn Falempe +Date: Tue, 11 Jul 2023 11:20:44 +0200 +Subject: drm/client: Fix memory leak in drm_client_modeset_probe + +From: Jocelyn Falempe + +commit 2329cc7a101af1a844fbf706c0724c0baea38365 upstream. + +When a new mode is set to modeset->mode, the previous mode should be freed. +This fixes the following kmemleak report: + +drm_mode_duplicate+0x45/0x220 [drm] +drm_client_modeset_probe+0x944/0xf50 [drm] +__drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] +drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] +drm_client_register+0x169/0x240 [drm] +ast_pci_probe+0x142/0x190 [ast] +local_pci_probe+0xdc/0x180 +work_for_cpu_fn+0x4e/0xa0 +process_one_work+0x8b7/0x1540 +worker_thread+0x70a/0xed0 +kthread+0x29f/0x340 +ret_from_fork+0x1f/0x30 + +cc: +Reported-by: Zhang Yi +Signed-off-by: Jocelyn Falempe +Reviewed-by: Javier Martinez Canillas +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-3-jfalempe@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_client_modeset.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/drm_client_modeset.c ++++ b/drivers/gpu/drm/drm_client_modeset.c +@@ -864,6 +864,7 @@ int drm_client_modeset_probe(struct drm_ + break; + } + ++ kfree(modeset->mode); + modeset->mode = drm_mode_duplicate(dev, mode); + drm_connector_get(connector); + modeset->connectors[modeset->num_connectors++] = connector; diff --git a/tmp-5.10/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch b/tmp-5.10/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch new file mode 100644 index 00000000000..93f6ff650ee --- /dev/null +++ b/tmp-5.10/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch 
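Review bot: The result of `drm_mode_duplicate(dev, mode)` is assigned to `modeset->mode` without a NULL check, and the following lines still take a connector reference and append it to `modeset->connectors`. With the added `kfree(modeset->mode)` the previous mode is already gone at that point, so an allocation failure leaves a modeset that has a connector but a NULL mode, which later users of the modeset may dereference. I would add `if (!modeset->mode) { ret = -ENOMEM; break; }` right after the assignment, assuming the function has a `ret` error path as the `break` in the context above suggests. The rest of drm_client_modeset_probe() is outside the hunk.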
@@ -0,0 +1,68 @@ +From c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 Mon Sep 17 00:00:00 2001 +From: Jocelyn Falempe +Date: Tue, 11 Jul 2023 11:20:43 +0200 +Subject: drm/client: Fix memory leak in drm_client_target_cloned + +From: Jocelyn Falempe + +commit c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 upstream. + +dmt_mode is allocated and never freed in this function. +It was found with the ast driver, but most drivers using generic fbdev +setup are probably affected. + +This fixes the following kmemleak report: + backtrace: + [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm] + [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm] + [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm] + [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] + [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] + [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm] + [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast] + [<00000000987f19bb>] local_pci_probe+0xdc/0x180 + [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0 + [<0000000000b85301>] process_one_work+0x8b7/0x1540 + [<000000003375b17c>] worker_thread+0x70a/0xed0 + [<00000000b0d43cd9>] kthread+0x29f/0x340 + [<000000008d770833>] ret_from_fork+0x1f/0x30 +unreferenced object 0xff11000333089a00 (size 128): + +cc: +Fixes: 1d42bbc8f7f9 ("drm/fbdev: fix cloning on fbcon") +Reported-by: Zhang Yi +Signed-off-by: Jocelyn Falempe +Reviewed-by: Javier Martinez Canillas +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-2-jfalempe@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_client_modeset.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/drm_client_modeset.c ++++ b/drivers/gpu/drm/drm_client_modeset.c +@@ -308,6 +308,9 @@ static bool drm_client_target_cloned(str + can_clone = true; + dmt_mode = drm_mode_find_dmt(dev, 1024, 768, 60, false); + ++ 
if (!dmt_mode) ++ goto fail; ++ + for (i = 0; i < connector_count; i++) { + if (!enabled[i]) + continue; +@@ -323,11 +326,13 @@ static bool drm_client_target_cloned(str + if (!modes[i]) + can_clone = false; + } ++ kfree(dmt_mode); + + if (can_clone) { + DRM_DEBUG_KMS("can clone using 1024x768\n"); + return true; + } ++fail: + DRM_INFO("kms: can't enable cloning when we probably wanted to.\n"); + return false; + } diff --git a/tmp-5.10/drm-msm-dp-free-resources-after-unregistering-them.patch b/tmp-5.10/drm-msm-dp-free-resources-after-unregistering-them.patch new file mode 100644 index 00000000000..89a2270a25f --- /dev/null +++ b/tmp-5.10/drm-msm-dp-free-resources-after-unregistering-them.patch 
@@ -0,0 +1,46 @@ +From 1acb777e45ad88004940dcd829fe2a65b51a7f08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jun 2023 15:02:59 -0700 +Subject: drm/msm/dp: Free resources after unregistering them + +From: Bjorn Andersson + +[ Upstream commit fa0048a4b1fa7a50c8b0e514f5b428abdf69a6f8 ] + +The DP component's unbind operation walks through the submodules to +unregister and clean things up. But if the unbind happens because the DP +controller itself is being removed, all the memory for those submodules +has just been freed. + +Change the order of these operations to avoid the many use-after-free +that otherwise happens in this code path. + +Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support") +Signed-off-by: Bjorn Andersson +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/542166/ +Link: https://lore.kernel.org/r/20230612220259.1884381-1-quic_bjorande@quicinc.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_display.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c +index 0bcccf422192c..4da8cea76a115 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -1267,9 +1267,9 @@ static int dp_display_remove(struct platform_device *pdev) + dp = container_of(g_dp_display, + struct dp_display_private, dp_display); + ++ component_del(&pdev->dev, &dp_display_comp_ops); + dp_display_deinit_sub_modules(dp); + +- component_del(&pdev->dev, &dp_display_comp_ops); + platform_set_drvdata(pdev, NULL); + + return 0; +-- +2.39.2 + diff --git a/tmp-5.10/drm-msm-dpu-do-not-enable-color-management-if-dspps-.patch b/tmp-5.10/drm-msm-dpu-do-not-enable-color-management-if-dspps-.patch new file mode 100644 index 00000000000..c2f83c4390c --- /dev/null +++ b/tmp-5.10/drm-msm-dpu-do-not-enable-color-management-if-dspps-.patch 
@@ -0,0 +1,54 @@ +From 8df3562b9b9ae2ba5777508cfdbd198e07615dbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jun 2023 21:25:33 +0300 +Subject: drm/msm/dpu: do not enable color-management if DSPPs are not + available + +From: Dmitry Baryshkov + +[ Upstream commit 3bcfc7b90465efd337d39b91b43972162f0d1908 ] + +We can not support color management without DSPP blocks being provided +in the HW catalog. Do not enable color management for CRTCs if num_dspps +is 0. + +Fixes: 4259ff7ae509 ("drm/msm/dpu: add support for pcc color block in dpu driver") +Reported-by: Yongqin Liu +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Reviewed-by: Marijn Suijten +Reviewed-by: Sumit Semwal +Tested-by: Yongqin Liu +Patchwork: https://patchwork.freedesktop.org/patch/542141/ +Link: https://lore.kernel.org/r/20230612182534.3345805-1-dmitry.baryshkov@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +index 5afb3c544653c..4c64e2d4f6500 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +@@ -1262,6 +1262,8 @@ static const struct drm_crtc_helper_funcs dpu_crtc_helper_funcs = { + struct drm_crtc *dpu_crtc_init(struct drm_device *dev, struct drm_plane *plane, + struct drm_plane *cursor) + { ++ struct msm_drm_private *priv = dev->dev_private; ++ struct dpu_kms *dpu_kms = to_dpu_kms(priv->kms); + struct drm_crtc *crtc = NULL; + struct dpu_crtc *dpu_crtc = NULL; + int i; +@@ -1293,7 +1295,8 @@ struct drm_crtc *dpu_crtc_init(struct drm_device *dev, struct drm_plane *plane, + + drm_crtc_helper_add(crtc, &dpu_crtc_helper_funcs); + +- drm_crtc_enable_color_mgmt(crtc, 0, true, 0); ++ if (dpu_kms->catalog->dspp_count) ++ drm_crtc_enable_color_mgmt(crtc, 0, true, 0); + + /* save user friendly CRTC name for later */ + 
snprintf(dpu_crtc->name, DPU_CRTC_NAME_SIZE, "crtc%u", crtc->base.id); +-- +2.39.2 + diff --git a/tmp-5.10/drm-panel-sharp-ls043t1le01-adjust-mode-settings.patch b/tmp-5.10/drm-panel-sharp-ls043t1le01-adjust-mode-settings.patch new file mode 100644 index 00000000000..6c833514c6a --- /dev/null +++ b/tmp-5.10/drm-panel-sharp-ls043t1le01-adjust-mode-settings.patch 
@@ -0,0 +1,60 @@ +From e54d4b78d05e92130a6e564d04dc8cf98a358d1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 May 2023 20:26:38 +0300 +Subject: drm/panel: sharp-ls043t1le01: adjust mode settings + +From: Dmitry Baryshkov + +[ Upstream commit dee23b2c9e3ff46d59c5d45e1436eceb878e7c9a ] + +Using current settings causes panel flickering on APQ8074 dragonboard. +Adjust panel settings to follow the vendor-provided mode. This also +enables MIPI_DSI_MODE_VIDEO_SYNC_PULSE, which is also specified by the +vendor dtsi for the mentioned dragonboard. + +Fixes: ee0172383190 ("drm/panel: Add Sharp LS043T1LE01 MIPI DSI panel") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230507172639.2320934-1-dmitry.baryshkov@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c b/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c +index 16dbf0f353eda..1f5fb1547730d 100644 +--- a/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c ++++ b/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c +@@ -192,15 +192,15 @@ static int sharp_nt_panel_enable(struct drm_panel *panel) + } + + static const struct drm_display_mode default_mode = { +- .clock = 41118, ++ .clock = (540 + 48 + 32 + 80) * (960 + 3 + 10 + 15) * 60 / 1000, + .hdisplay = 540, + .hsync_start = 540 + 48, +- .hsync_end = 540 + 48 + 80, +- .htotal = 540 + 48 + 80 + 32, ++ .hsync_end = 540 + 48 + 32, ++ .htotal = 540 + 48 + 32 + 80, + .vdisplay = 960, + .vsync_start = 960 + 3, +- .vsync_end = 960 + 3 + 15, +- .vtotal = 960 + 3 + 15 + 1, ++ .vsync_end = 960 + 3 + 10, ++ .vtotal = 960 + 3 + 10 + 15, + }; + + static int sharp_nt_panel_get_modes(struct drm_panel *panel, +@@ -280,6 +280,7 @@ static int sharp_nt_panel_probe(struct mipi_dsi_device *dsi) + dsi->lanes = 2; + 
dsi->format = MIPI_DSI_FMT_RGB888; + dsi->mode_flags = MIPI_DSI_MODE_VIDEO | ++ MIPI_DSI_MODE_VIDEO_SYNC_PULSE | + MIPI_DSI_MODE_VIDEO_HSE | + MIPI_DSI_CLOCK_NON_CONTINUOUS | + MIPI_DSI_MODE_EOT_PACKET; +-- +2.39.2 + diff --git a/tmp-5.10/drm-panel-simple-add-connector_type-for-innolux_at04.patch b/tmp-5.10/drm-panel-simple-add-connector_type-for-innolux_at04.patch new file mode 100644 index 00000000000..5ac1deb819f --- /dev/null +++ b/tmp-5.10/drm-panel-simple-add-connector_type-for-innolux_at04.patch @@ -0,0 +1,39 @@ +From 31d7ebc306aee8cd050979655f24bf30429400b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 08:22:02 -0300 +Subject: drm/panel: simple: Add connector_type for innolux_at043tn24 + +From: Fabio Estevam + +[ Upstream commit 2c56a751845ddfd3078ebe79981aaaa182629163 ] + +The innolux at043tn24 display is a parallel LCD. Pass the 'connector_type' +information to avoid the following warning: + +panel-simple panel: Specify missing connector_type + +Signed-off-by: Fabio Estevam +Fixes: 41bcceb4de9c ("drm/panel: simple: Add support for Innolux AT043TN24") +Reviewed-by: Sam Ravnborg +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230620112202.654981-1-festevam@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index b0b92f436879a..ffda99c204356 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -2091,6 +2091,7 @@ static const struct panel_desc innolux_at043tn24 = { + .height = 54, + }, + .bus_format = MEDIA_BUS_FMT_RGB888_1X24, ++ .connector_type = DRM_MODE_CONNECTOR_DPI, + .bus_flags = DRM_BUS_FLAG_DE_HIGH | DRM_BUS_FLAG_PIXDATA_DRIVE_POSEDGE, + }; + +-- +2.39.2 + 
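Review bot: The new `.clock` initializer in `default_mode` (panel-sharp-ls043t1le01.c) repeats the horizontal and vertical totals as literals, `(540 + 48 + 32 + 80) * (960 + 3 + 10 + 15) * 60 / 1000`, so a later timing change must be made in two places or the pixel clock silently stops matching `.htotal`/`.vtotal`. A comment such as `/* htotal * vtotal * 60 Hz, in kHz; keep in sync with the fields below */` would make the dependency explicit. The product is 41,496,000 before the division, so it stays within `int` range.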
diff --git a/tmp-5.10/drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch b/tmp-5.10/drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch new file mode 100644 index 00000000000..6adae45da16 --- /dev/null +++ b/tmp-5.10/drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch @@ -0,0 +1,38 @@ +From 0b1bddd8f52eb2d2c5215e3046b6c2ca1b3442f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 22:16:02 +0200 +Subject: drm/panel: simple: Add Powertip PH800480T013 drm_display_mode flags + +From: Marek Vasut + +[ Upstream commit 1c519980aced3da1fae37c1339cf43b24eccdee7 ] + +Add missing drm_display_mode DRM_MODE_FLAG_NVSYNC | DRM_MODE_FLAG_NHSYNC +flags. Those are used by various bridges in the pipeline to correctly +configure its sync signals polarity. + +Fixes: d69de69f2be1 ("drm/panel: simple: Add Powertip PH800480T013 panel") +Signed-off-by: Marek Vasut +Reviewed-by: Sam Ravnborg +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230615201602.565948-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index ffda99c204356..7b69f81444ebd 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -3153,6 +3153,7 @@ static const struct drm_display_mode powertip_ph800480t013_idf02_mode = { + .vsync_start = 480 + 49, + .vsync_end = 480 + 49 + 2, + .vtotal = 480 + 49 + 2 + 22, ++ .flags = DRM_MODE_FLAG_NVSYNC | DRM_MODE_FLAG_NHSYNC, + }; + + static const struct panel_desc powertip_ph800480t013_idf02 = { +-- +2.39.2 + diff --git a/tmp-5.10/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch b/tmp-5.10/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch new file mode 100644 index 00000000000..030b49edf2d --- /dev/null +++ b/tmp-5.10/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch 
@@ -0,0 +1,51 @@ +From 171b3aadf5ae340e6bdac7d79f1d8f1393739b42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 10:50:39 +0200 +Subject: drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H + +From: Dario Binacchi + +[ Upstream commit f24b49550814fdee4a98b9552e35e243ccafd4a8 ] + +The previous setting was related to the overall dimension and not to the +active display area. +In the "PHYSICAL SPECIFICATIONS" section, the datasheet shows the +following parameters: + + ---------------------------------------------------------- +| Item | Specifications | unit | + ---------------------------------------------------------- +| Display area | 98.7 (W) x 57.5 (H) | mm | + ---------------------------------------------------------- +| Overall dimension | 105.5(W) x 67.2(H) x 4.96(D) | mm | + ---------------------------------------------------------- + +Fixes: 966fea78adf2 ("drm/panel: simple: Add support for Ampire AM-480272H3TMQW-T01H") +Signed-off-by: Dario Binacchi +Reviewed-by: Neil Armstrong +[narmstrong: fixed Fixes commit id length] +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230516085039.3797303-1-dario.binacchi@amarulasolutions.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 1a87cc445b5e1..b0b92f436879a 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -704,8 +704,8 @@ static const struct panel_desc ampire_am_480272h3tmqw_t01h = { + .num_modes = 1, + .bpc = 8, + .size = { +- .width = 105, +- .height = 67, ++ .width = 99, ++ .height = 58, + }, + .bus_format = MEDIA_BUS_FMT_RGB888_1X24, + }; +-- +2.39.2 + 
diff --git a/tmp-5.10/drm-radeon-fix-possible-division-by-zero-errors.patch b/tmp-5.10/drm-radeon-fix-possible-division-by-zero-errors.patch new file mode 100644 index 00000000000..62994093608 --- /dev/null +++ b/tmp-5.10/drm-radeon-fix-possible-division-by-zero-errors.patch 
@@ -0,0 +1,94 @@ +From c768db2787e212f78099874d3a216788cb842325 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 08:33:27 -0700 +Subject: drm/radeon: fix possible division-by-zero errors + +From: Nikita Zhandarovich + +[ Upstream commit 1becc57cd1a905e2aa0e1eca60d2a37744525c4a ] + +Function rv740_get_decoded_reference_divider() may return 0 due to +unpredictable reference divider value calculated in +radeon_atom_get_clock_dividers(). This will lead to +division-by-zero error once that value is used as a divider +in calculating 'clk_s'. +While unlikely, this issue should nonetheless be prevented so add a +sanity check for such cases by testing 'decoded_ref' value against 0. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +v2: minor coding style fixes (Alex) +In practice this should actually happen as the vbios should be +properly populated. + +Fixes: 66229b200598 ("drm/radeon/kms: add dpm support for rv7xx (v4)") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/cypress_dpm.c | 8 ++++++-- + drivers/gpu/drm/radeon/ni_dpm.c | 8 ++++++-- + drivers/gpu/drm/radeon/rv740_dpm.c | 8 ++++++-- + 3 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/cypress_dpm.c b/drivers/gpu/drm/radeon/cypress_dpm.c +index 35b177d777913..7120710d188fa 100644 +--- a/drivers/gpu/drm/radeon/cypress_dpm.c ++++ b/drivers/gpu/drm/radeon/cypress_dpm.c +@@ -559,8 +559,12 @@ static int cypress_populate_mclk_value(struct radeon_device *rdev, + ASIC_INTERNAL_MEMORY_SS, vco_freq)) { + u32 reference_clock = rdev->clock.mpll.reference_freq; + u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div); +- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate); +- u32 clk_v = ss.percentage * ++ u32 clk_s, clk_v; ++ ++ if (!decoded_ref) ++ return -EINVAL; ++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate); ++ clk_v = 
ss.percentage * + (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625); + + mpll_ss1 &= ~CLKV_MASK; +diff --git a/drivers/gpu/drm/radeon/ni_dpm.c b/drivers/gpu/drm/radeon/ni_dpm.c +index a5218747742ba..f79b348d36ad9 100644 +--- a/drivers/gpu/drm/radeon/ni_dpm.c ++++ b/drivers/gpu/drm/radeon/ni_dpm.c +@@ -2240,8 +2240,12 @@ static int ni_populate_mclk_value(struct radeon_device *rdev, + ASIC_INTERNAL_MEMORY_SS, vco_freq)) { + u32 reference_clock = rdev->clock.mpll.reference_freq; + u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div); +- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate); +- u32 clk_v = ss.percentage * ++ u32 clk_s, clk_v; ++ ++ if (!decoded_ref) ++ return -EINVAL; ++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate); ++ clk_v = ss.percentage * + (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625); + + mpll_ss1 &= ~CLKV_MASK; +diff --git a/drivers/gpu/drm/radeon/rv740_dpm.c b/drivers/gpu/drm/radeon/rv740_dpm.c +index 327d65a76e1f4..79b2de65e905e 100644 +--- a/drivers/gpu/drm/radeon/rv740_dpm.c ++++ b/drivers/gpu/drm/radeon/rv740_dpm.c +@@ -250,8 +250,12 @@ int rv740_populate_mclk_value(struct radeon_device *rdev, + ASIC_INTERNAL_MEMORY_SS, vco_freq)) { + u32 reference_clock = rdev->clock.mpll.reference_freq; + u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div); +- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate); +- u32 clk_v = 0x40000 * ss.percentage * ++ u32 clk_s, clk_v; ++ ++ if (!decoded_ref) ++ return -EINVAL; ++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate); ++ clk_v = 0x40000 * ss.percentage * + (dividers.whole_fb_div + (dividers.frac_fb_div / 8)) / (clk_s * 10000); + + mpll_ss1 &= ~CLKV_MASK; +-- +2.39.2 + diff --git a/tmp-5.10/drm-rockchip-vop-leave-vblank-enabled-in-self-refresh.patch b/tmp-5.10/drm-rockchip-vop-leave-vblank-enabled-in-self-refresh.patch new file mode 100644 index 00000000000..c5e4347ad7a 
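Review bot: The new `if (!decoded_ref) return -EINVAL;` guard in cypress_populate_mclk_value(), ni_populate_mclk_value() and rv740_populate_mclk_value() covers only one factor of the divisor. `clk_s` is still computed as `reference_clock * 5 / (decoded_ref * ss.rate)`, so a zero `ss.rate` divides by zero, and `clk_v` then divides by `clk_s * 625` (`clk_s * 10000` in rv740), which is zero whenever the integer division yields `clk_s == 0`. Both inputs appear to come from the video BIOS tables, so the argument the commit makes for `decoded_ref` applies to them as well. I would widen the guard to `if (!decoded_ref || !ss.rate) return -EINVAL;` and add `if (!clk_s) return -EINVAL;` before the `clk_v` assignment. The three function bodies start and end outside the hunks.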
--- /dev/null +++ b/tmp-5.10/drm-rockchip-vop-leave-vblank-enabled-in-self-refresh.patch 
@@ -0,0 +1,94 @@ +From 2bdba9d4a3baa758c2ca7f5b37b35c7b3391dc42 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 9 Jan 2023 17:18:17 -0800 +Subject: drm/rockchip: vop: Leave vblank enabled in self-refresh + +From: Brian Norris + +commit 2bdba9d4a3baa758c2ca7f5b37b35c7b3391dc42 upstream. + +If we disable vblank when entering self-refresh, vblank APIs (like +DRM_IOCTL_WAIT_VBLANK) no longer work. But user space is not aware when +we enter self-refresh, so this appears to be an API violation -- that +DRM_IOCTL_WAIT_VBLANK fails with EINVAL whenever the display is idle and +enters self-refresh. + +The downstream driver used by many of these systems never used to +disable vblank for PSR, and in fact, even upstream, we didn't do that +until radically redesigning the state machine in commit 6c836d965bad +("drm/rockchip: Use the helpers for PSR"). + +Thus, it seems like a reasonable API fix to simply restore that +behavior, and leave vblank enabled. + +Note that this appears to potentially unbalance the +drm_crtc_vblank_{off,on}() calls in some cases, but: +(a) drm_crtc_vblank_on() documents this as OK and +(b) if I do the naive balancing, I find state machine issues such that + we're not in sync properly; so it's easier to take advantage of (a). + +This issue was exposed by IGT's kms_vblank tests, and reported by +KernelCI. The bug has been around a while (longer than KernelCI +noticed), but was only exposed once self-refresh was bugfixed more +recently, and so KernelCI could properly test it. Some other notes in: + + https://lore.kernel.org/dri-devel/Y6OCg9BPnJvimQLT@google.com/ + Re: renesas/master bisection: igt-kms-rockchip.kms_vblank.pipe-A-wait-forked on rk3399-gru-kevin + +== Backporting notes: == + +Marking as 'Fixes' commit 6c836d965bad ("drm/rockchip: Use the helpers +for PSR"), but it probably depends on commit bed030a49f3e +("drm/rockchip: Don't fully disable vop on self refresh") as well. 
+ +We also need the previous patch ("drm/atomic: Allow vblank-enabled + +self-refresh "disable""), of course. + +v3: + * no update + +v2: + * skip unnecessary lock/unlock + +Fixes: 6c836d965bad ("drm/rockchip: Use the helpers for PSR") +Cc: +Reported-by: "kernelci.org bot" +Link: https://lore.kernel.org/dri-devel/Y5itf0+yNIQa6fU4@sirena.org.uk/ +Signed-off-by: Brian Norris +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20230109171809.v3.2.Ic07cba4ab9a7bd3618a9e4258b8f92ea7d10ae5a@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +@@ -702,13 +702,13 @@ static void vop_crtc_atomic_disable(stru + if (crtc->state->self_refresh_active) + rockchip_drm_set_win_enabled(crtc, false); + ++ if (crtc->state->self_refresh_active) ++ goto out; ++ + mutex_lock(&vop->vop_lock); + + drm_crtc_vblank_off(crtc); + +- if (crtc->state->self_refresh_active) +- goto out; +- + /* + * Vop standby will take effect at end of current frame, + * if dsp hold valid irq happen, it means standby complete. +@@ -740,9 +740,9 @@ static void vop_crtc_atomic_disable(stru + vop_core_clks_disable(vop); + pm_runtime_put(vop->dev); + +-out: + mutex_unlock(&vop->vop_lock); + ++out: + if (crtc->state->event && !crtc->state->active) { + spin_lock_irq(&crtc->dev->event_lock); + drm_crtc_send_vblank_event(crtc, crtc->state->event); diff --git a/tmp-5.10/drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch b/tmp-5.10/drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch new file mode 100644 index 00000000000..594a37aaeb4 --- /dev/null +++ b/tmp-5.10/drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch 
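Review bot: vop_crtc_atomic_disable() now tests `crtc->state->self_refresh_active` twice in a row, once for rockchip_drm_set_win_enabled() and again for the new `goto out`. A single braced block, `if (crtc->state->self_refresh_active) { rockchip_drm_set_win_enabled(crtc, false); goto out; }`, reads more clearly and keeps the two actions from drifting apart. With `out:` moved below mutex_unlock(), the self-refresh path no longer takes `vop->vop_lock` at all, so a comment at the label such as `/* self-refresh exits here without vop_lock held */` would stop a later edit from adding locked-only work after it. The function starts and ends outside the hunks.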
@@ -0,0 +1,116 @@ +From 95a4e460842959182b838e89f0cb5d0e20a87b8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Apr 2023 19:23:46 +0800 +Subject: drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks` + +From: XuDong Liu + +[ Upstream commit 123ee07ba5b7123e0ce0e0f9d64938026c16a2ce ] + +Smatch reports: +drivers/gpu/drm/sun4i/sun4i_tcon.c:805 sun4i_tcon_init_clocks() warn: +'tcon->clk' from clk_prepare_enable() not released on lines: 792,801. + +In the function sun4i_tcon_init_clocks(), tcon->clk and tcon->sclk0 are +not disabled in the error handling, which affects the release of +these variable. Although sun4i_tcon_bind(), which calls +sun4i_tcon_init_clocks(), use sun4i_tcon_free_clocks to disable the +variables mentioned, but the error handling branch of +sun4i_tcon_init_clocks() ignores the required disable process. + +To fix this issue, use the devm_clk_get_enabled to automatically +balance enable and disabled calls. As original implementation use +sun4i_tcon_free_clocks() to disable clk explicitly, we delete the +related calls and error handling that are no longer needed. 
+ +Fixes: 9026e0d122ac ("drm: Add Allwinner A10 Display Engine support") +Fixes: b14e945bda8a ("drm/sun4i: tcon: Prepare and enable TCON channel 0 clock at init") +Fixes: 8e9240472522 ("drm/sun4i: support TCONs without channel 1") +Fixes: 34d698f6e349 ("drm/sun4i: Add has_channel_0 TCON quirk") +Signed-off-by: XuDong Liu +Reviewed-by: Dongliang Mu +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20230430112347.4689-1-m202071377@hust.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun4i_tcon.c | 19 ++++--------------- + 1 file changed, 4 insertions(+), 15 deletions(-) + +diff --git a/drivers/gpu/drm/sun4i/sun4i_tcon.c b/drivers/gpu/drm/sun4i/sun4i_tcon.c +index 9f06dec0fc61d..bb43196d5d83e 100644 +--- a/drivers/gpu/drm/sun4i/sun4i_tcon.c ++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c +@@ -777,21 +777,19 @@ static irqreturn_t sun4i_tcon_handler(int irq, void *private) + static int sun4i_tcon_init_clocks(struct device *dev, + struct sun4i_tcon *tcon) + { +- tcon->clk = devm_clk_get(dev, "ahb"); ++ tcon->clk = devm_clk_get_enabled(dev, "ahb"); + if (IS_ERR(tcon->clk)) { + dev_err(dev, "Couldn't get the TCON bus clock\n"); + return PTR_ERR(tcon->clk); + } +- clk_prepare_enable(tcon->clk); + + if (tcon->quirks->has_channel_0) { +- tcon->sclk0 = devm_clk_get(dev, "tcon-ch0"); ++ tcon->sclk0 = devm_clk_get_enabled(dev, "tcon-ch0"); + if (IS_ERR(tcon->sclk0)) { + dev_err(dev, "Couldn't get the TCON channel 0 clock\n"); + return PTR_ERR(tcon->sclk0); + } + } +- clk_prepare_enable(tcon->sclk0); + + if (tcon->quirks->has_channel_1) { + tcon->sclk1 = devm_clk_get(dev, "tcon-ch1"); +@@ -804,12 +802,6 @@ static int sun4i_tcon_init_clocks(struct device *dev, + return 0; + } + +-static void sun4i_tcon_free_clocks(struct sun4i_tcon *tcon) +-{ +- clk_disable_unprepare(tcon->sclk0); +- clk_disable_unprepare(tcon->clk); +-} +- + static int sun4i_tcon_init_irq(struct device *dev, + struct sun4i_tcon *tcon) + { +@@ -1224,14 +1216,14 @@ static 
int sun4i_tcon_bind(struct device *dev, struct device *master, + ret = sun4i_tcon_init_regmap(dev, tcon); + if (ret) { + dev_err(dev, "Couldn't init our TCON regmap\n"); +- goto err_free_clocks; ++ goto err_assert_reset; + } + + if (tcon->quirks->has_channel_0) { + ret = sun4i_dclk_create(dev, tcon); + if (ret) { + dev_err(dev, "Couldn't create our TCON dot clock\n"); +- goto err_free_clocks; ++ goto err_assert_reset; + } + } + +@@ -1294,8 +1286,6 @@ static int sun4i_tcon_bind(struct device *dev, struct device *master, + err_free_dotclock: + if (tcon->quirks->has_channel_0) + sun4i_dclk_free(tcon); +-err_free_clocks: +- sun4i_tcon_free_clocks(tcon); + err_assert_reset: + reset_control_assert(tcon->lcd_rst); + return ret; +@@ -1309,7 +1299,6 @@ static void sun4i_tcon_unbind(struct device *dev, struct device *master, + list_del(&tcon->list); + if (tcon->quirks->has_channel_0) + sun4i_dclk_free(tcon); +- sun4i_tcon_free_clocks(tcon); + } + + static const struct component_ops sun4i_tcon_ops = { +-- +2.39.2 + diff --git a/tmp-5.10/drm-vram-helper-fix-function-names-in-vram-helper-do.patch b/tmp-5.10/drm-vram-helper-fix-function-names-in-vram-helper-do.patch new file mode 100644 index 00000000000..b68d4097e17 --- /dev/null +++ b/tmp-5.10/drm-vram-helper-fix-function-names-in-vram-helper-do.patch 
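Review bot: Switching to devm_clk_get_enabled() ties the lifetime of the "ahb" and "tcon-ch0" enables to devres on `dev`, whereas the removed sun4i_tcon_free_clocks() calls ran from sun4i_tcon_bind()'s error path and from sun4i_tcon_unbind(). If devres for `dev` is released only when the platform driver detaches rather than when the component is unbound, a failed or repeated bind leaves the clocks enabled and a later bind takes a second managed reference; this is inferred, since the component registration is outside the hunks. The error path also now asserts `tcon->lcd_rst` while both clocks are still running, the reverse of the previous order. Both points are worth confirming, as is the availability of devm_clk_get_enabled() in the tree this tmp-5.10 queue targets.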
@@ -0,0 +1,56 @@ +From 7a77cc705d8a4dc02c0fa265dabfea0cbadedf96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 08:09:16 +0800 +Subject: drm/vram-helper: fix function names in vram helper doc + +From: Luc Ma + +[ Upstream commit b8e392245105b50706f18418054821e71e637288 ] + +Refer to drmm_vram_helper_init() instead of the non-existent +drmm_vram_helper_alloc_mm(). + +Fixes: a5f23a72355d ("drm/vram-helper: Managed vram helpers") +Signed-off-by: Luc Ma +Reviewed-by: Thomas Zimmermann +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/64583db2.630a0220.eb75d.8f51@mx.google.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_gem_vram_helper.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/drm_gem_vram_helper.c b/drivers/gpu/drm/drm_gem_vram_helper.c +index 375c79e23ca59..eb104de16fa73 100644 +--- a/drivers/gpu/drm/drm_gem_vram_helper.c ++++ b/drivers/gpu/drm/drm_gem_vram_helper.c +@@ -41,7 +41,7 @@ static const struct drm_gem_object_funcs drm_gem_vram_object_funcs; + * the frame's scanout buffer or the cursor image. If there's no more space + * left in VRAM, inactive GEM objects can be moved to system memory. + * +- * To initialize the VRAM helper library call drmm_vram_helper_alloc_mm(). ++ * To initialize the VRAM helper library call drmm_vram_helper_init(). + * The function allocates and initializes an instance of &struct drm_vram_mm + * in &struct drm_device.vram_mm . Use &DRM_GEM_VRAM_DRIVER to initialize + * &struct drm_driver and &DRM_VRAM_MM_FILE_OPERATIONS to initialize +@@ -69,7 +69,7 @@ static const struct drm_gem_object_funcs drm_gem_vram_object_funcs; + * // setup device, vram base and size + * // ... 
+ * +- * ret = drmm_vram_helper_alloc_mm(dev, vram_base, vram_size); ++ * ret = drmm_vram_helper_init(dev, vram_base, vram_size); + * if (ret) + * return ret; + * return 0; +@@ -82,7 +82,7 @@ static const struct drm_gem_object_funcs drm_gem_vram_object_funcs; + * to userspace. + * + * You don't have to clean up the instance of VRAM MM. +- * drmm_vram_helper_alloc_mm() is a managed interface that installs a ++ * drmm_vram_helper_init() is a managed interface that installs a + * clean-up handler to run during the DRM device's release. + * + * For drawing or scanout operations, rsp. buffer objects have to be pinned +-- +2.39.2 + diff --git a/tmp-5.10/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch b/tmp-5.10/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch new file mode 100644 index 00000000000..5b52f7c4520 --- /dev/null +++ b/tmp-5.10/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch 
@@ -0,0 +1,54 @@ +From ab418c2e4ce893c2f6c065ff11c691b4fa2419ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 17:34:10 +0800 +Subject: erofs: avoid infinite loop in z_erofs_do_read_page() when reading + beyond EOF + +From: Chunhai Guo + +[ Upstream commit 8191213a5835b0317c5e4d0d337ae1ae00c75253 ] + +z_erofs_do_read_page() may loop infinitely due to the inappropriate +truncation in the below statement. Since the offset is 64 bits and min_t() +truncates the result to 32 bits. The solution is to replace unsigned int +with a 64-bit type, such as erofs_off_t. + cur = end - min_t(unsigned int, offset + end - map->m_la, end); + + - For example: + - offset = 0x400160000 + - end = 0x370 + - map->m_la = 0x160370 + - offset + end - map->m_la = 0x400000000 + - offset + end - map->m_la = 0x00000000 (truncated as unsigned int) + - Expected result: + - cur = 0 + - Actual result: + - cur = 0x370 + +Signed-off-by: Chunhai Guo +Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support") +Reviewed-by: Gao Xiang +Reviewed-by: Chao Yu +Link: https://lore.kernel.org/r/20230710093410.44071-1-guochunhai@vivo.com +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/zdata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c +index 8cb2cf612e49b..9cff927382599 100644 +--- a/fs/erofs/zdata.c ++++ b/fs/erofs/zdata.c +@@ -629,7 +629,7 @@ static int z_erofs_do_read_page(struct z_erofs_decompress_frontend *fe, + tight &= (clt->mode >= COLLECT_PRIMARY_HOOKED && + clt->mode != COLLECT_PRIMARY_FOLLOWED_NOINPLACE); + +- cur = end - min_t(unsigned int, offset + end - map->m_la, end); ++ cur = end - min_t(erofs_off_t, offset + end - map->m_la, end); + if (!(map->m_flags & EROFS_MAP_MAPPED)) { + zero_user_segment(page, cur, end); + goto next_part; +-- +2.39.2 + 
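Review bot: The `min_t(erofs_off_t, ...)` line in z_erofs_do_read_page() carries no comment saying why the comparison must be done in 64 bits, which makes it easy to change back to `unsigned int` in a later cleanup. The commit message shows that `offset + end - map->m_la` can reach 0x400000000, and that the truncated value left `cur` equal to `end`, so the read loop may not terminate. I would add `/* compare as erofs_off_t: offset + end - map->m_la may exceed 32 bits */` above the assignment. The function body extends beyond the hunk.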
diff --git a/tmp-5.10/erofs-fix-compact-4b-support-for-16k-block-size.patch b/tmp-5.10/erofs-fix-compact-4b-support-for-16k-block-size.patch new file mode 100644 index 00000000000..8782d8e163d --- /dev/null +++ b/tmp-5.10/erofs-fix-compact-4b-support-for-16k-block-size.patch 
@@ -0,0 +1,66 @@ +From 001b8ccd0650727e54ec16ef72bf1b8eeab7168e Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Thu, 1 Jun 2023 19:23:41 +0800 +Subject: erofs: fix compact 4B support for 16k block size + +From: Gao Xiang + +commit 001b8ccd0650727e54ec16ef72bf1b8eeab7168e upstream. + +In compact 4B, two adjacent lclusters are packed together as a unit to +form on-disk indexes for effective random access, as below: + +(amortized = 4, vcnt = 2) + _____________________________________________ + |___@_____ encoded bits __________|_ blkaddr _| + 0 . amortized * vcnt = 8 + . . + . . amortized * vcnt - 4 = 4 + . . + .____________________________. + |_type (2 bits)_|_clusterofs_| + +Therefore, encoded bits for each pack are 32 bits (4 bytes). IOWs, +since each lcluster can get 16 bits for its type and clusterofs, the +maximum supported lclustersize for compact 4B format is 16k (14 bits). + +Fix this to enable compact 4B format for 16k lclusters (blocks), which +is tested on an arm64 server with 16k page size. 
+ +Fixes: 152a333a5895 ("staging: erofs: add compacted compression indexes support") +Signed-off-by: Gao Xiang +Link: https://lore.kernel.org/r/20230601112341.56960-1-hsiangkao@linux.alibaba.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/zmap.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/fs/erofs/zmap.c ++++ b/fs/erofs/zmap.c +@@ -215,7 +215,7 @@ static int unpack_compacted_index(struct + int i; + u8 *in, type; + +- if (1 << amortizedshift == 4) ++ if (1 << amortizedshift == 4 && lclusterbits <= 14) + vcnt = 2; + else if (1 << amortizedshift == 2 && lclusterbits == 12) + vcnt = 16; +@@ -273,7 +273,6 @@ static int compacted_load_cluster_from_d + { + struct inode *const inode = m->inode; + struct erofs_inode *const vi = EROFS_I(inode); +- const unsigned int lclusterbits = vi->z_logical_clusterbits; + const erofs_off_t ebase = ALIGN(iloc(EROFS_I_SB(inode), vi->nid) + + vi->inode_isize + vi->xattr_isize, 8) + + sizeof(struct z_erofs_map_header); +@@ -283,9 +282,6 @@ static int compacted_load_cluster_from_d + erofs_off_t pos; + int err; + +- if (lclusterbits != 12) +- return -EOPNOTSUPP; +- + if (lcn >= totalidx) + return -EINVAL; + diff --git a/tmp-5.10/evm-complete-description-of-evm_inode_setattr.patch b/tmp-5.10/evm-complete-description-of-evm_inode_setattr.patch new file mode 100644 index 00000000000..ef994ea06e3 --- /dev/null +++ b/tmp-5.10/evm-complete-description-of-evm_inode_setattr.patch 
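Review bot: The new bound `lclusterbits <= 14` in unpack_compacted_index() is a bare constant, and with the `lclusterbits != 12` rejection removed from compacted_load_cluster_from_disk() it is now the only visible check on this value for the compact 4B layout. The commit message gives the derivation, so a comment such as `/* 16 bits per lcluster: 2 for type, at most 14 for clusterofs */` belongs next to the test. The condition also has no lower bound. If `vi->z_logical_clusterbits` is taken from the image without a range check elsewhere, values below 12 now reach the unpacking code, which should be confirmed against the code that fills that field. Both functions continue outside the hunks.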
@@ -0,0 +1,39 @@ +From 5cd5aea2d5e6a839d8f3e0daeb312d089c38f7a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 11:40:36 +0100 +Subject: evm: Complete description of evm_inode_setattr() + +From: Roberto Sassu + +[ Upstream commit b1de86d4248b273cb12c4cd7d20c08d459519f7d ] + +Add the description for missing parameters of evm_inode_setattr() to +avoid the warning arising with W=n compile option. + +Fixes: 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm") # v3.2+ +Fixes: c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") # v6.3+ +Signed-off-by: Roberto Sassu +Reviewed-by: Stefan Berger +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/evm/evm_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c +index 0033364ac404f..8cfc49fa4df5b 100644 +--- a/security/integrity/evm/evm_main.c ++++ b/security/integrity/evm/evm_main.c +@@ -472,7 +472,9 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) + + /** + * evm_inode_setattr - prevent updating an invalid EVM extended attribute ++ * @idmap: idmap of the mount + * @dentry: pointer to the affected dentry ++ * @attr: iattr structure containing the new file attributes + * + * Permit update of file attributes when files have a valid EVM signature, + * except in the case of them having an immutable portable signature. +-- +2.39.2 + diff --git a/tmp-5.10/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch b/tmp-5.10/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch new file mode 100644 index 00000000000..aa037f2a8c2 --- /dev/null +++ b/tmp-5.10/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch 
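Review bot: The added `@idmap: idmap of the mount` line may describe a parameter that evm_inode_setattr() does not have in this tree: the patch sits under tmp-5.10, while the second Fixes trailer marks the idmap port as `# v6.3+`. The function signature is outside the hunk, so this needs checking against the 5.10 source. If the function there takes only `dentry` and `attr`, kernel-doc will report an excess parameter, which replaces one warning with another. In that case the backport should keep the `@attr:` line and drop the `@idmap:` line.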
@@ -0,0 +1,54 @@ +From 6909cf5c4101214f4305a62d582a5b93c7e1eb9a Mon Sep 17 00:00:00 2001 +From: Eric Whitney +Date: Mon, 22 May 2023 14:15:20 -0400 +Subject: ext4: correct inline offset when handling xattrs in inode body + +From: Eric Whitney + +commit 6909cf5c4101214f4305a62d582a5b93c7e1eb9a upstream. + +When run on a file system where the inline_data feature has been +enabled, xfstests generic/269, generic/270, and generic/476 cause ext4 +to emit error messages indicating that inline directory entries are +corrupted. This occurs because the inline offset used to locate +inline directory entries in the inode body is not updated when an +xattr in that shared region is deleted and the region is shifted in +memory to recover the space it occupied. If the deleted xattr precedes +the system.data attribute, which points to the inline directory entries, +that attribute will be moved further up in the region. The inline +offset continues to point to whatever is located in system.data's former +location, with unfortunate effects when used to access directory entries +or (presumably) inline data in the inode body. + +Cc: stable@kernel.org +Signed-off-by: Eric Whitney +Link: https://lore.kernel.org/r/20230522181520.1570360-1-enwlinux@gmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1725,6 +1725,20 @@ static int ext4_xattr_set_entry(struct e + memmove(here, (void *)here + size, + (void *)last - (void *)here + sizeof(__u32)); + memset(last, 0, size); ++ ++ /* ++ * Update i_inline_off - moved ibody region might contain ++ * system.data attribute. Handling a failure here won't ++ * cause other complications for setting an xattr. 
++ */ ++ if (!is_block && ext4_has_inline_data(inode)) { ++ ret = ext4_find_inline_data_nolock(inode); ++ if (ret) { ++ ext4_warning_inode(inode, ++ "unable to update i_inline_off"); ++ goto out; ++ } ++ } + } else if (s->not_found) { + /* Insert new name. */ + size_t size = EXT4_XATTR_LEN(name_len); diff --git a/tmp-5.10/ext4-fix-reusing-stale-buffer-heads-from-last-failed-mounting.patch b/tmp-5.10/ext4-fix-reusing-stale-buffer-heads-from-last-failed-mounting.patch new file mode 100644 index 00000000000..b8365b292f8 --- /dev/null +++ b/tmp-5.10/ext4-fix-reusing-stale-buffer-heads-from-last-failed-mounting.patch 
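Review bot: The new `goto out` in ext4_xattr_set_entry() is taken after the memmove() and memset() above it have already shifted and zeroed the in-inode xattr region, so on failure the caller gets an error while the in-memory entry is already gone. The added comment says handling the failure "won't cause other complications" but not why, and what `out` does is outside the hunk. I would extend the comment to say what happens to the already-modified region on this path, and include the error code in the warning, `"unable to update i_inline_off: %d", ret`, so a corrupted inode body can be told apart from a transient failure in the logs.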
@@ -0,0 +1,121 @@ +From 26fb5290240dc31cae99b8b4dd2af7f46dfcba6b Mon Sep 17 00:00:00 2001 +From: Zhihao Cheng +Date: Wed, 15 Mar 2023 09:31:23 +0800 +Subject: ext4: Fix reusing stale buffer heads from last failed mounting + +From: Zhihao Cheng + +commit 26fb5290240dc31cae99b8b4dd2af7f46dfcba6b upstream. + +Following process makes ext4 load stale buffer heads from last failed +mounting in a new mounting operation: +mount_bdev + ext4_fill_super + | ext4_load_and_init_journal + | ext4_load_journal + | jbd2_journal_load + | load_superblock + | journal_get_superblock + | set_buffer_verified(bh) // buffer head is verified + | jbd2_journal_recover // failed caused by EIO + | goto failed_mount3a // skip 'sb->s_root' initialization + deactivate_locked_super + kill_block_super + generic_shutdown_super + if (sb->s_root) + // false, skip ext4_put_super->invalidate_bdev-> + // invalidate_mapping_pages->mapping_evict_folio-> + // filemap_release_folio->try_to_free_buffers, which + // cannot drop buffer head. + blkdev_put + blkdev_put_whole + if (atomic_dec_and_test(&bdev->bd_openers)) + // false, systemd-udev happens to open the device. Then + // blkdev_flush_mapping->kill_bdev->truncate_inode_pages-> + // truncate_inode_folio->truncate_cleanup_folio-> + // folio_invalidate->block_invalidate_folio-> + // filemap_release_folio->try_to_free_buffers will be skipped, + // dropping buffer head is missed again. 
+ +Second mount: +ext4_fill_super + ext4_load_and_init_journal + ext4_load_journal + ext4_get_journal + jbd2_journal_init_inode + journal_init_common + bh = getblk_unmovable + bh = __find_get_block // Found stale bh in last failed mounting + journal->j_sb_buffer = bh + jbd2_journal_load + load_superblock + journal_get_superblock + if (buffer_verified(bh)) + // true, skip journal->j_format_version = 2, value is 0 + jbd2_journal_recover + do_one_pass + next_log_block += count_tags(journal, bh) + // According to journal_tag_bytes(), 'tag_bytes' calculating is + // affected by jbd2_has_feature_csum3(), jbd2_has_feature_csum3() + // returns false because 'j->j_format_version >= 2' is not true, + // then we get wrong next_log_block. The do_one_pass may exit + // early whenoccuring non JBD2_MAGIC_NUMBER in 'next_log_block'. + +The filesystem is corrupted here, journal is partially replayed, and +new journal sequence number actually is already used by last mounting. + +The invalidate_bdev() can drop all buffer heads even racing with bare +reading block device(eg. systemd-udev), so we can fix it by invalidating +bdev in error handling path in __ext4_fill_super(). + +Fetch a reproducer in [Link]. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217171 +Fixes: 25ed6e8a54df ("jbd2: enable journal clients to enable v2 checksumming") +Cc: stable@vger.kernel.org # v3.5 +Signed-off-by: Zhihao Cheng +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230315013128.3911115-2-chengzhihao1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -1091,6 +1091,12 @@ static void ext4_blkdev_remove(struct ex + struct block_device *bdev; + bdev = sbi->s_journal_bdev; + if (bdev) { ++ /* ++ * Invalidate the journal device's buffers. 
We don't want them ++ * floating about in memory - the physical journal device may ++ * hotswapped, and it breaks the `ro-after' testing code. ++ */ ++ invalidate_bdev(bdev); + ext4_blkdev_put(bdev); + sbi->s_journal_bdev = NULL; + } +@@ -1230,13 +1236,7 @@ static void ext4_put_super(struct super_ + sync_blockdev(sb->s_bdev); + invalidate_bdev(sb->s_bdev); + if (sbi->s_journal_bdev && sbi->s_journal_bdev != sb->s_bdev) { +- /* +- * Invalidate the journal device's buffers. We don't want them +- * floating about in memory - the physical journal device may +- * hotswapped, and it breaks the `ro-after' testing code. +- */ + sync_blockdev(sbi->s_journal_bdev); +- invalidate_bdev(sbi->s_journal_bdev); + ext4_blkdev_remove(sbi); + } + +@@ -5206,6 +5206,7 @@ failed_mount: + brelse(bh); + ext4_blkdev_remove(sbi); + out_fail: ++ invalidate_bdev(sb->s_bdev); + sb->s_fs_info = NULL; + kfree(sbi->s_blockgroup_lock); + out_free_base: diff --git a/tmp-5.10/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch b/tmp-5.10/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch new file mode 100644 index 00000000000..a8774a4a660 --- /dev/null +++ b/tmp-5.10/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch 
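Review bot: The `invalidate_bdev(sb->s_bdev)` added at `out_fail:` carries no comment, although it is the line that closes the stale-buffer-head reuse described in the commit message. A why-comment would keep it from being removed as redundant with ext4_put_super(): `/* ext4_put_super() does not run for a failed mount; drop cached buffer heads so a later mount cannot reuse verified ones */`. ext4_blkdev_remove() now also invalidates the journal device on the failed-mount path without the sync_blockdev() that ext4_put_super() issues first; whether dirty journal-device buffers can exist there cannot be told from the hunk. The moved comment still reads "may hotswapped" and could become "may be hotswapped" while it is being touched.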
@@ -0,0 +1,43 @@
+From c4d13222afd8a64bf11bc7ec68645496ee8b54b9 Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Tue, 6 Jun 2023 15:32:03 +0800
+Subject: ext4: fix to check return value of freeze_bdev() in ext4_shutdown()
+
+From: Chao Yu
+
+commit c4d13222afd8a64bf11bc7ec68645496ee8b54b9 upstream.
+
+freeze_bdev() can fail due to a lot of reasons, it needs to check its
+reason before later process.
+
+Fixes: 783d94854499 ("ext4: add EXT4_IOC_GOINGDOWN ioctl")
+Cc: stable@kernel.org
+Signed-off-by: Chao Yu
+Link: https://lore.kernel.org/r/20230606073203.1310389-1-chao@kernel.org
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/ioctl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -612,6 +612,7 @@ static int ext4_shutdown(struct super_bl
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ __u32 flags;
++ int ret;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+@@ -630,7 +631,9 @@ static int ext4_shutdown(struct super_bl
+
+ switch (flags) {
+ case EXT4_GOING_FLAGS_DEFAULT:
+- freeze_bdev(sb->s_bdev);
++ ret = freeze_bdev(sb->s_bdev);
++ if (ret)
++ return ret;
+ set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags);
+ thaw_bdev(sb->s_bdev, sb);
+ break;
diff --git a/tmp-5.10/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch b/tmp-5.10/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch
new file mode 100644
index 00000000000..e65c93b3023
--- /dev/null
+++ b/tmp-5.10/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch
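Review bot: `ret = freeze_bdev(sb->s_bdev); if (ret) return ret;` assumes freeze_bdev() returns an int, but the context two lines below still calls the two-argument `thaw_bdev(sb->s_bdev, sb)`, which belongs to the older block API where freeze_bdev() returns a `struct super_block *`. If that is the prototype in this tree, the pointer is converted to `int`, the check fires on success (a non-NULL superblock), and ext4_shutdown() returns a truncated pointer value without ever setting EXT4_FLAGS_SHUTDOWN. The backport should be checked against this tree's prototype; if it is the pointer form, the result needs to be tested with `IS_ERR()` and returned with `PTR_ERR()`. The rest of the switch is outside the hunk.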
@@ -0,0 +1,35 @@
+From 247c3d214c23dfeeeb892e91a82ac1188bdaec9f Mon Sep 17 00:00:00 2001
+From: Kemeng Shi
+Date: Sat, 3 Jun 2023 23:03:18 +0800
+Subject: ext4: fix wrong unit use in ext4_mb_clear_bb
+
+From: Kemeng Shi
+
+commit 247c3d214c23dfeeeb892e91a82ac1188bdaec9f upstream.
+
+Function ext4_issue_discard need count in cluster. Pass count_clusters
+instead of count to fix the mismatch.
+
+Signed-off-by: Kemeng Shi
+Cc: stable@kernel.org
+Reviewed-by: Ojaswin Mujoo
+Link: https://lore.kernel.org/r/20230603150327.3596033-11-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/mballoc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -5549,8 +5549,8 @@ do_more:
+ * them with group lock_held
+ */
+ if (test_opt(sb, DISCARD)) {
+- err = ext4_issue_discard(sb, block_group, bit, count,
+- NULL);
++ err = ext4_issue_discard(sb, block_group, bit,
++ count_clusters, NULL);
+ if (err && err != -EOPNOTSUPP)
+ ext4_msg(sb, KERN_WARNING, "discard request in"
+ " group:%u block:%d count:%lu failed"
diff --git a/tmp-5.10/ext4-fix-wrong-unit-use-in-ext4_mb_new_blocks.patch b/tmp-5.10/ext4-fix-wrong-unit-use-in-ext4_mb_new_blocks.patch
new file mode 100644
index 00000000000..7bd92558a3d
--- /dev/null
+++ b/tmp-5.10/ext4-fix-wrong-unit-use-in-ext4_mb_new_blocks.patch
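Review bot: The warning directly below the changed ext4_issue_discard() call still formats `count:%lu`, and its argument list lies outside the hunk. If that argument is still `count`, the log reports a block count for a request that was issued in clusters, which will mislead anyone debugging discard failures on a bigalloc file system. The ext4_msg() should be given `count_clusters` as well so that the message matches the request.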
@@ -0,0 +1,34 @@
+From 2ec6d0a5ea72689a79e6f725fd8b443a788ae279 Mon Sep 17 00:00:00 2001
+From: Kemeng Shi
+Date: Sat, 3 Jun 2023 23:03:19 +0800
+Subject: ext4: fix wrong unit use in ext4_mb_new_blocks
+
+From: Kemeng Shi
+
+commit 2ec6d0a5ea72689a79e6f725fd8b443a788ae279 upstream.
+
+Function ext4_free_blocks_simple needs count in cluster. Function
+ext4_free_blocks accepts count in block. Convert count to cluster
+to fix the mismatch.
+
+Signed-off-by: Kemeng Shi
+Cc: stable@kernel.org
+Reviewed-by: Ojaswin Mujoo
+Link: https://lore.kernel.org/r/20230603150327.3596033-12-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/mballoc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -5642,7 +5642,7 @@ void ext4_free_blocks(handle_t *handle,
+ }
+
+ if (sbi->s_mount_state & EXT4_FC_REPLAY) {
+- ext4_free_blocks_simple(inode, block, count);
++ ext4_free_blocks_simple(inode, block, EXT4_NUM_B2C(sbi, count));
+ return;
+ }
+
diff --git a/tmp-5.10/ext4-get-block-from-bh-in-ext4_free_blocks-for-fast-commit-replay.patch b/tmp-5.10/ext4-get-block-from-bh-in-ext4_free_blocks-for-fast-commit-replay.patch
new file mode 100644
index 00000000000..3f5b4069541
--- /dev/null
+++ b/tmp-5.10/ext4-get-block-from-bh-in-ext4_free_blocks-for-fast-commit-replay.patch
@@ -0,0 +1,52 @@
+From 11b6890be0084ad4df0e06d89a9fdcc948472c65 Mon Sep 17 00:00:00 2001
+From: Kemeng Shi
+Date: Sat, 3 Jun 2023 23:03:16 +0800
+Subject: ext4: get block from bh in ext4_free_blocks for fast commit replay
+
+From: Kemeng Shi
+
+commit 11b6890be0084ad4df0e06d89a9fdcc948472c65 upstream.
+
+ext4_free_blocks will retrieve block from bh if block parameter is zero.
+Retrieve block before ext4_free_blocks_simple to avoid potentially
+passing wrong block to ext4_free_blocks_simple.
+
+Signed-off-by: Kemeng Shi
+Cc: stable@kernel.org
+Reviewed-by: Ojaswin Mujoo
+Link: https://lore.kernel.org/r/20230603150327.3596033-9-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/mballoc.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -5634,12 +5634,6 @@ void ext4_free_blocks(handle_t *handle,
+
+ sbi = EXT4_SB(sb);
+
+- if (sbi->s_mount_state & EXT4_FC_REPLAY) {
+- ext4_free_blocks_simple(inode, block, count);
+- return;
+- }
+-
+- might_sleep();
+ if (bh) {
+ if (block)
+ BUG_ON(block != bh->b_blocknr);
+@@ -5647,6 +5641,13 @@ void ext4_free_blocks(handle_t *handle,
+ block = bh->b_blocknr;
+ }
+
++ if (sbi->s_mount_state & EXT4_FC_REPLAY) {
++ ext4_free_blocks_simple(inode, block, count);
++ return;
++ }
++
++ might_sleep();
++
+ if (!(flags & EXT4_FREE_BLOCKS_VALIDATED) &&
+ !ext4_inode_block_valid(inode, block, count)) {
+ ext4_error(sb, "Freeing blocks not in datazone - "
diff --git a/tmp-5.10/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch b/tmp-5.10/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch
new file mode 100644
index 00000000000..be011810363
--- /dev/null
+++ b/tmp-5.10/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch
@@ -0,0 +1,92 @@ +From de25d6e9610a8b30cce9bbb19b50615d02ebca02 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Mon, 24 Apr 2023 11:38:35 +0800 +Subject: ext4: only update i_reserved_data_blocks on successful block allocation + +From: Baokun Li + +commit de25d6e9610a8b30cce9bbb19b50615d02ebca02 upstream. + +In our fault injection test, we create an ext4 file, migrate it to +non-extent based file, then punch a hole and finally trigger a WARN_ON +in the ext4_da_update_reserve_space(): + +EXT4-fs warning (device sda): ext4_da_update_reserve_space:369: +ino 14, used 11 with only 10 reserved data blocks + +When writing back a non-extent based file, if we enable delalloc, the +number of reserved blocks will be subtracted from the number of blocks +mapped by ext4_ind_map_blocks(), and the extent status tree will be +updated. We update the extent status tree by first removing the old +extent_status and then inserting the new extent_status. If the block range +we remove happens to be in an extent, then we need to allocate another +extent_status with ext4_es_alloc_extent(). + + use old to remove to add new + |----------|------------|------------| + old extent_status + +The problem is that the allocation of a new extent_status failed due to a +fault injection, and __es_shrink() did not get free memory, resulting in +a return of -ENOMEM. Then do_writepages() retries after receiving -ENOMEM, +we map to the same extent again, and the number of reserved blocks is again +subtracted from the number of blocks in that extent. Since the blocks in +the same extent are subtracted twice, we end up triggering WARN_ON at +ext4_da_update_reserve_space() because used > ei->i_reserved_data_blocks. + +For non-extent based file, we update the number of reserved blocks after +ext4_ind_map_blocks() is executed, which causes a problem that when we call +ext4_ind_map_blocks() to create a block, it doesn't always create a block, +but we always reduce the number of reserved blocks. 
So we move the logic +for updating reserved blocks to ext4_ind_map_blocks() to ensure that the +number of reserved blocks is updated only after we do succeed in allocating +some new blocks. + +Fixes: 5f634d064c70 ("ext4: Fix quota accounting error with fallocate") +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230424033846.4732-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/indirect.c | 8 ++++++++ + fs/ext4/inode.c | 10 ---------- + 2 files changed, 8 insertions(+), 10 deletions(-) + +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -649,6 +649,14 @@ int ext4_ind_map_blocks(handle_t *handle + + ext4_update_inode_fsync_trans(handle, inode, 1); + count = ar.len; ++ ++ /* ++ * Update reserved blocks/metadata blocks after successful block ++ * allocation which had been deferred till now. ++ */ ++ if (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE) ++ ext4_da_update_reserve_space(inode, count, 1); ++ + got_it: + map->m_flags |= EXT4_MAP_MAPPED; + map->m_pblk = le32_to_cpu(chain[depth-1].key); +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -654,16 +654,6 @@ found: + */ + ext4_clear_inode_state(inode, EXT4_STATE_EXT_MIGRATE); + } +- +- /* +- * Update reserved blocks/metadata blocks after successful +- * block allocation which had been deferred till now. We don't +- * support fallocate for non extent files. So we can update +- * reserve space here. +- */ +- if ((retval > 0) && +- (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE)) +- ext4_da_update_reserve_space(inode, retval, 1); + } + + if (retval > 0) { diff --git a/tmp-5.10/ext4-remove-ext4-locking-of-moved-directory.patch b/tmp-5.10/ext4-remove-ext4-locking-of-moved-directory.patch new file mode 100644 index 00000000000..b4d96b51213 --- /dev/null +++ b/tmp-5.10/ext4-remove-ext4-locking-of-moved-directory.patch 
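Review bot: The comment added in ext4_ind_map_blocks() drops the rationale that the removed inode.c comment carried (fallocate is not supported for non-extent files) and does not say why the call sits above `got_it:`. That placement looks like the substance of the fix: any path that jumps straight to `got_it:` (none is visible in the hunk) must not reduce the reservation, and `count = ar.len` is the amount actually allocated. I would extend the comment with a line such as `* Must stay above got_it: so a mapping that allocated nothing does not consume reserved blocks.` so that a later cleanup does not move it back. The function starts and ends outside the hunk.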
@@ -0,0 +1,59 @@
+From 3658840cd363f2be094f5dfd2f0b174a9055dd0f Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Thu, 1 Jun 2023 12:58:21 +0200
+Subject: ext4: Remove ext4 locking of moved directory
+
+From: Jan Kara
+
+commit 3658840cd363f2be094f5dfd2f0b174a9055dd0f upstream.
+
+Remove locking of moved directory in ext4_rename2(). We will take care
+of it in VFS instead. This effectively reverts commit 0813299c586b
+("ext4: Fix possible corruption when moving a directory") and followup
+fixes.
+
+CC: Ted Tso
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara
+Message-Id: <20230601105830.13168-1-jack@suse.cz>
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/namei.c | 17 ++---------------
+ 1 file changed, 2 insertions(+), 15 deletions(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -3863,19 +3863,10 @@ static int ext4_rename(struct inode *old
+ return retval;
+ }
+
+- /*
+- * We need to protect against old.inode directory getting converted
+- * from inline directory format into a normal one.
+- */
+- if (S_ISDIR(old.inode->i_mode))
+- inode_lock_nested(old.inode, I_MUTEX_NONDIR2);
+-
+ old.bh = ext4_find_entry(old.dir, &old.dentry->d_name, &old.de,
+ &old.inlined);
+- if (IS_ERR(old.bh)) {
+- retval = PTR_ERR(old.bh);
+- goto unlock_moved_dir;
+- }
++ if (IS_ERR(old.bh))
++ return PTR_ERR(old.bh);
+
+ /*
+ * Check for inode number is _not_ due to possible IO errors.
+@@ -4065,10 +4056,6 @@ release_bh:
+ brelse(old.bh);
+ brelse(new.bh);
+
+-unlock_moved_dir:
+- if (S_ISDIR(old.inode->i_mode))
+- inode_unlock(old.inode);
+-
+ return retval;
+ }
+
diff --git a/tmp-5.10/extcon-fix-kernel-doc-of-property-capability-fields-.patch b/tmp-5.10/extcon-fix-kernel-doc-of-property-capability-fields-.patch
new file mode 100644
index 00000000000..820267acb2d
--- /dev/null
+++ b/tmp-5.10/extcon-fix-kernel-doc-of-property-capability-fields-.patch
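Review bot: Removing `inode_lock_nested(old.inode, I_MUTEX_NONDIR2)` leaves ext4_rename() with no protection of its own against old.inode being converted from inline to normal directory format, which the deleted comment gives as the reason for the lock. The commit message says the VFS will take the lock instead, but that change is not part of this patch, so the backport is only safe if the matching VFS patch is queued for the same release. Applied alone it would reopen the window that commit 0813299c586b ("ext4: Fix possible corruption when moving a directory") closed. The dependency should be verified in the queue before release. The direct `return PTR_ERR(old.bh)` is consistent with the `return retval` shown just above it in the context.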
@@ -0,0 +1,46 @@ +From d0256185a10ef07d2369178e0bbe9cd76428a72a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 16:39:53 +0200 +Subject: extcon: Fix kernel doc of property capability fields to avoid + warnings + +From: Andy Shevchenko + +[ Upstream commit 73346b9965ebda2feb7fef8629e9b28baee820e3 ] + +Kernel documentation has to be synchronized with a code, otherwise +the validator is not happy: + + Function parameter or member 'usb_bits' not described in 'extcon_cable' + Function parameter or member 'chg_bits' not described in 'extcon_cable' + Function parameter or member 'jack_bits' not described in 'extcon_cable' + Function parameter or member 'disp_bits' not described in 'extcon_cable' + +Describe the fields added in the past. + +Fixes: ceaa98f442cf ("extcon: Add the support for the capability of each property") +Signed-off-by: Andy Shevchenko +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/extcon/extcon.c b/drivers/extcon/extcon.c +index 3bc83feb5a34b..fa08dec389dc1 100644 +--- a/drivers/extcon/extcon.c ++++ b/drivers/extcon/extcon.c +@@ -200,6 +200,10 @@ static const struct __extcon_info { + * @chg_propval: the array of charger connector properties + * @jack_propval: the array of jack connector properties + * @disp_propval: the array of display connector properties ++ * @usb_bits: the bit array of the USB connector property capabilities ++ * @chg_bits: the bit array of the charger connector property capabilities ++ * @jack_bits: the bit array of the jack connector property capabilities ++ * @disp_bits: the bit array of the display connector property capabilities + */ + struct extcon_cable { + struct extcon_dev *edev; +-- +2.39.2 + diff --git a/tmp-5.10/extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch b/tmp-5.10/extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch new file mode 100644 index 00000000000..95a7ab51ff6 
--- /dev/null +++ b/tmp-5.10/extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch @@ -0,0 +1,45 @@ +From 39bb19587e6471cc482bc008fbad593413305ddc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 16:39:52 +0200 +Subject: extcon: Fix kernel doc of property fields to avoid warnings + +From: Andy Shevchenko + +[ Upstream commit 7e77e0b7a9f4cdf91cb0950749b40c840ea63efc ] + +Kernel documentation has to be synchronized with a code, otherwise +the validator is not happy: + + Function parameter or member 'usb_propval' not described in 'extcon_cable' + Function parameter or member 'chg_propval' not described in 'extcon_cable' + Function parameter or member 'jack_propval' not described in 'extcon_cable' + Function parameter or member 'disp_propval' not described in 'extcon_cable' + +Describe the fields added in the past. + +Fixes: 067c1652e7a7 ("extcon: Add the support for extcon property according to extcon type") +Signed-off-by: Andy Shevchenko +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/extcon/extcon.c b/drivers/extcon/extcon.c +index 356610404bb40..3bc83feb5a34b 100644 +--- a/drivers/extcon/extcon.c ++++ b/drivers/extcon/extcon.c +@@ -196,6 +196,10 @@ static const struct __extcon_info { + * @attr_name: "name" sysfs entry + * @attr_state: "state" sysfs entry + * @attrs: the array pointing to attr_name and attr_state for attr_g ++ * @usb_propval: the array of USB connector properties ++ * @chg_propval: the array of charger connector properties ++ * @jack_propval: the array of jack connector properties ++ * @disp_propval: the array of display connector properties + */ + struct extcon_cable { + struct extcon_dev *edev; +-- +2.39.2 + diff --git a/tmp-5.10/f2fs-fix-error-path-handling-in-truncate_dnode.patch b/tmp-5.10/f2fs-fix-error-path-handling-in-truncate_dnode.patch new file mode 100644 index 00000000000..78b13f1d34b --- /dev/null 
+++ b/tmp-5.10/f2fs-fix-error-path-handling-in-truncate_dnode.patch
@@ -0,0 +1,39 @@
+From 4bba5c228b9251a0bb28340d8473b289614df26d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jun 2023 09:41:02 +0800
+Subject: f2fs: fix error path handling in truncate_dnode()
+
+From: Chao Yu
+
+[ Upstream commit 0135c482fa97e2fd8245cb462784112a00ed1211 ]
+
+If truncate_node() fails in truncate_dnode(), it missed to call
+f2fs_put_page(), fix it.
+
+Fixes: 7735730d39d7 ("f2fs: fix to propagate error from __get_meta_page()")
+Signed-off-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+---
+ fs/f2fs/node.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
+index c63274d4b74b0..02cb1c806c3ed 100644
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -884,8 +884,10 @@ static int truncate_dnode(struct dnode_of_data *dn)
+ dn->ofs_in_node = 0;
+ f2fs_truncate_data_blocks(dn);
+ err = truncate_node(dn);
+- if (err)
++ if (err) {
++ f2fs_put_page(page, 1);
+ return err;
++ }
+
+ return 1;
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/f2fs-fix-to-avoid-null-pointer-dereference-f2fs_write_end_io.patch b/tmp-5.10/f2fs-fix-to-avoid-null-pointer-dereference-f2fs_write_end_io.patch
new file mode 100644
index 00000000000..65a73ce58fe
--- /dev/null
+++ b/tmp-5.10/f2fs-fix-to-avoid-null-pointer-dereference-f2fs_write_end_io.patch
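Review bot: The new error branch in truncate_dnode() releases `page`, but the success path right below it (`return 1`) does not, and nothing in the hunk explains the difference. Presumably truncate_node() drops the page itself when it succeeds; that helper is outside the hunk, so a one-line comment would make the asymmetry reviewable: `/* truncate_node() releases the node page only on success */`. Without it the next reader is likely to suspect either a leak on success or a double put on failure. The start of the function is outside the hunk.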
@@ -0,0 +1,161 @@ +From d8189834d4348ae608083e1f1f53792cfcc2a9bc Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 23 May 2023 14:17:25 +0800 +Subject: f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io() + +From: Chao Yu + +commit d8189834d4348ae608083e1f1f53792cfcc2a9bc upstream. + +butt3rflyh4ck reports a bug as below: + +When a thread always calls F2FS_IOC_RESIZE_FS to resize fs, if resize fs is +failed, f2fs kernel thread would invoke callback function to update f2fs io +info, it would call f2fs_write_end_io and may trigger null-ptr-deref in +NODE_MAPPING. + +general protection fault, probably for non-canonical address +KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] +RIP: 0010:NODE_MAPPING fs/f2fs/f2fs.h:1972 [inline] +RIP: 0010:f2fs_write_end_io+0x727/0x1050 fs/f2fs/data.c:370 + + bio_endio+0x5af/0x6c0 block/bio.c:1608 + req_bio_endio block/blk-mq.c:761 [inline] + blk_update_request+0x5cc/0x1690 block/blk-mq.c:906 + blk_mq_end_request+0x59/0x4c0 block/blk-mq.c:1023 + lo_complete_rq+0x1c6/0x280 drivers/block/loop.c:370 + blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1101 + __do_softirq+0x1d4/0x8ef kernel/softirq.c:571 + run_ksoftirqd kernel/softirq.c:939 [inline] + run_ksoftirqd+0x31/0x60 kernel/softirq.c:931 + smpboot_thread_fn+0x659/0x9e0 kernel/smpboot.c:164 + kthread+0x33e/0x440 kernel/kthread.c:379 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +The root cause is below race case can cause leaving dirty metadata +in f2fs after filesystem is remount as ro: + +Thread A Thread B +- f2fs_ioc_resize_fs + - f2fs_readonly --- return false + - f2fs_resize_fs + - f2fs_remount + - write_checkpoint + - set f2fs as ro + - free_segment_range + - update meta_inode's data + +Then, if f2fs_put_super() fails to write_checkpoint due to readonly +status, and meta_inode's dirty data will be writebacked after node_inode +is put, finally, f2fs_write_end_io will access NULL pointer on +sbi->node_inode. 
+ +Thread A IRQ context +- f2fs_put_super + - write_checkpoint fails + - iput(node_inode) + - node_inode = NULL + - iput(meta_inode) + - write_inode_now + - f2fs_write_meta_page + - f2fs_write_end_io + - NODE_MAPPING(sbi) + : access NULL pointer on node_inode + +Fixes: b4b10061ef98 ("f2fs: refactor resize_fs to avoid meta updates in progress") +Reported-by: butt3rflyh4ck +Closes: https://lore.kernel.org/r/1684480657-2375-1-git-send-email-yangtiezhu@loongson.cn +Tested-by: butt3rflyh4ck +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Stefan Ghinea +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/f2fs.h | 2 +- + fs/f2fs/file.c | 2 +- + fs/f2fs/gc.c | 22 +++++++++++++++++++--- + 3 files changed, 21 insertions(+), 5 deletions(-) + +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3483,7 +3483,7 @@ block_t f2fs_start_bidx_of_node(unsigned + int f2fs_gc(struct f2fs_sb_info *sbi, bool sync, bool background, bool force, + unsigned int segno); + void f2fs_build_gc_manager(struct f2fs_sb_info *sbi); +-int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count); ++int f2fs_resize_fs(struct file *filp, __u64 block_count); + int __init f2fs_create_garbage_collection_cache(void); + void f2fs_destroy_garbage_collection_cache(void); + +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -3356,7 +3356,7 @@ static int f2fs_ioc_resize_fs(struct fil + sizeof(block_count))) + return -EFAULT; + +- return f2fs_resize_fs(sbi, block_count); ++ return f2fs_resize_fs(filp, block_count); + } + + static int f2fs_ioc_enable_verity(struct file *filp, unsigned long arg) +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -7,6 +7,7 @@ + */ + #include + #include ++#include + #include + #include + #include +@@ -1976,8 +1977,9 @@ static void update_fs_metadata(struct f2 + } + } + +-int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count) ++int f2fs_resize_fs(struct file *filp, __u64 block_count) + { ++ struct f2fs_sb_info *sbi = F2FS_I_SB(file_inode(filp)); + __u64 old_block_count, 
shrunk_blocks; + struct cp_control cpc = { CP_RESIZE, 0, 0, 0 }; + unsigned int secs; +@@ -2015,12 +2017,18 @@ int f2fs_resize_fs(struct f2fs_sb_info * + return -EINVAL; + } + ++ err = mnt_want_write_file(filp); ++ if (err) ++ return err; ++ + shrunk_blocks = old_block_count - block_count; + secs = div_u64(shrunk_blocks, BLKS_PER_SEC(sbi)); + + /* stop other GC */ +- if (!down_write_trylock(&sbi->gc_lock)) +- return -EAGAIN; ++ if (!down_write_trylock(&sbi->gc_lock)) { ++ err = -EAGAIN; ++ goto out_drop_write; ++ } + + /* stop CP to protect MAIN_SEC in free_segment_range */ + f2fs_lock_op(sbi); +@@ -2040,10 +2048,18 @@ int f2fs_resize_fs(struct f2fs_sb_info * + out_unlock: + f2fs_unlock_op(sbi); + up_write(&sbi->gc_lock); ++out_drop_write: ++ mnt_drop_write_file(filp); + if (err) + return err; + + freeze_super(sbi->sb); ++ ++ if (f2fs_readonly(sbi->sb)) { ++ thaw_super(sbi->sb); ++ return -EROFS; ++ } ++ + down_write(&sbi->gc_lock); + mutex_lock(&sbi->cp_mutex); + diff --git a/tmp-5.10/fanotify-disallow-mount-sb-marks-on-kernel-internal-pseudo-fs.patch b/tmp-5.10/fanotify-disallow-mount-sb-marks-on-kernel-internal-pseudo-fs.patch new file mode 100644 index 00000000000..2b2a499306e --- /dev/null +++ b/tmp-5.10/fanotify-disallow-mount-sb-marks-on-kernel-internal-pseudo-fs.patch 
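Review bot: The `f2fs_readonly()` re-check added after `freeze_super()` in f2fs_resize_fs() is the part that closes the race, yet it carries no comment, and the write reference taken with mnt_want_write_file() has already been dropped at `out_drop_write:` before it. A reader will reasonably ask how the mount can be read-only at that point; I would add `/* a remount-ro can slip in after mnt_drop_write_file(); re-check now that the fs is frozen */` above the check. The same comment could say why the write reference is not simply held across freeze_super(), which I assume is because freezing waits for writers to drain. The remainder of the function is outside the hunk.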
@@ -0,0 +1,74 @@ +From 69562eb0bd3e6bb8e522a7b254334e0fb30dff0c Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Thu, 29 Jun 2023 07:20:44 +0300 +Subject: fanotify: disallow mount/sb marks on kernel internal pseudo fs + +From: Amir Goldstein + +commit 69562eb0bd3e6bb8e522a7b254334e0fb30dff0c upstream. + +Hopefully, nobody is trying to abuse mount/sb marks for watching all +anonymous pipes/inodes. + +I cannot think of a good reason to allow this - it looks like an +oversight that dated back to the original fanotify API. + +Link: https://lore.kernel.org/linux-fsdevel/20230628101132.kvchg544mczxv2pm@quack3/ +Fixes: 0ff21db9fcc3 ("fanotify: hooks the fanotify_mark syscall to the vfsmount code") +Signed-off-by: Amir Goldstein +Reviewed-by: Christian Brauner +Signed-off-by: Jan Kara +Message-Id: <20230629042044.25723-1-amir73il@gmail.com> +[backport to 5.x.y] +Signed-off-by: Amir Goldstein +Signed-off-by: Greg Kroah-Hartman +--- + fs/notify/fanotify/fanotify_user.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/fs/notify/fanotify/fanotify_user.c ++++ b/fs/notify/fanotify/fanotify_user.c +@@ -1090,8 +1090,11 @@ static int fanotify_test_fid(struct path + return 0; + } + +-static int fanotify_events_supported(struct path *path, __u64 mask) ++static int fanotify_events_supported(struct path *path, __u64 mask, ++ unsigned int flags) + { ++ unsigned int mark_type = flags & FANOTIFY_MARK_TYPE_BITS; ++ + /* + * Some filesystems such as 'proc' acquire unusual locks when opening + * files. For them fanotify permission events have high chances of +@@ -1103,6 +1106,21 @@ static int fanotify_events_supported(str + if (mask & FANOTIFY_PERM_EVENTS && + path->mnt->mnt_sb->s_type->fs_flags & FS_DISALLOW_NOTIFY_PERM) + return -EINVAL; ++ ++ /* ++ * mount and sb marks are not allowed on kernel internal pseudo fs, ++ * like pipe_mnt, because that would subscribe to events on all the ++ * anonynous pipes in the system. 
++ * ++ * SB_NOUSER covers all of the internal pseudo fs whose objects are not ++ * exposed to user's mount namespace, but there are other SB_KERNMOUNT ++ * fs, like nsfs, debugfs, for which the value of allowing sb and mount ++ * mark is questionable. For now we leave them alone. ++ */ ++ if (mark_type != FAN_MARK_INODE && ++ path->mnt->mnt_sb->s_flags & SB_NOUSER) ++ return -EINVAL; ++ + return 0; + } + +@@ -1218,7 +1236,7 @@ static int do_fanotify_mark(int fanotify + goto fput_and_out; + + if (flags & FAN_MARK_ADD) { +- ret = fanotify_events_supported(&path, mask); ++ ret = fanotify_events_supported(&path, mask, flags); + if (ret) + goto path_put_and_out; + } diff --git a/tmp-5.10/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch b/tmp-5.10/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch new file mode 100644 index 00000000000..e778fed7956 --- /dev/null +++ b/tmp-5.10/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch 
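Review bot: In the check added to fanotify_events_supported(), `mark_type != FAN_MARK_INODE && path->mnt->mnt_sb->s_flags & SB_NOUSER` relies on `&` binding tighter than `&&`. It is correct, but explicit parentheses, `(path->mnt->mnt_sb->s_flags & SB_NOUSER)`, would make a security-relevant filter easier to audit. The comment above it misspells "anonymous" as "anonynous". Both this check and the permission-event check before it return -EINVAL, so a caller cannot tell which restriction was hit; if that is intentional, the comment could say so.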
@@ -0,0 +1,40 @@
+From 9894aa1babc71aab7693e057a671037408cf7e37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 15 Jul 2023 16:16:56 +0800
+Subject: fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe
+
+From: Zhang Shurong
+
+[ Upstream commit 4e88761f5f8c7869f15a2046b1a1116f4fab4ac8 ]
+
+This func misses checking for platform_get_irq()'s call and may passes the
+negative error codes to request_irq(), which takes unsigned IRQ #,
+causing it to fail with -EINVAL, overriding an original error code.
+
+Fix this by stop calling request_irq() with invalid IRQ #s.
+
+Fixes: 1630d85a8312 ("au1200fb: fix hardcoded IRQ")
+Signed-off-by: Zhang Shurong
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/au1200fb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c
+index a8a0a448cdb5e..80f54111baec1 100644
+--- a/drivers/video/fbdev/au1200fb.c
++++ b/drivers/video/fbdev/au1200fb.c
+@@ -1732,6 +1732,9 @@ static int au1200fb_drv_probe(struct platform_device *dev)
+
+ /* Now hook interrupt too */
+ irq = platform_get_irq(dev, 0);
++ if (irq < 0)
++ return irq;
++
+ ret = request_irq(irq, au1200fb_handle_irq,
+ IRQF_SHARED, "lcd", (void *)dev);
+ if (ret) {
+--
+2.39.2
+
diff --git a/tmp-5.10/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch b/tmp-5.10/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch
new file mode 100644
index 00000000000..309f1d4ff3c
--- /dev/null
+++ b/tmp-5.10/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch
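Review bot: The added `if (irq < 0) return irq;` in au1200fb_drv_probe() returns directly from a point late in probe (the context comment reads "Now hook interrupt too"), while the request_irq() failure right after it opens a block, presumably to unwind. If framebuffers or other resources have been set up by then, the direct return leaks them. The error should take the same cleanup path as the request_irq() failure, i.e. set `ret = irq;` and jump to that path's label. The label and the earlier part of probe are outside the hunk, so this needs checking against the full function.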
@@ -0,0 +1,75 @@ +From c75f5a55061091030a13fef71b9995b89bc86213 Mon Sep 17 00:00:00 2001 +From: Zheng Wang +Date: Thu, 27 Apr 2023 11:08:41 +0800 +Subject: fbdev: imsttfb: Fix use after free bug in imsttfb_probe + +From: Zheng Wang + +commit c75f5a55061091030a13fef71b9995b89bc86213 upstream. + +A use-after-free bug may occur if init_imstt invokes framebuffer_release +and free the info ptr. The caller, imsttfb_probe didn't notice that and +still keep the ptr as private data in pdev. + +If we remove the driver which will call imsttfb_remove to make cleanup, +UAF happens. + +Fix it by return error code if bad case happens in init_imstt. + +Signed-off-by: Zheng Wang +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/imsttfb.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/video/fbdev/imsttfb.c ++++ b/drivers/video/fbdev/imsttfb.c +@@ -1346,7 +1346,7 @@ static const struct fb_ops imsttfb_ops = + .fb_ioctl = imsttfb_ioctl, + }; + +-static void init_imstt(struct fb_info *info) ++static int init_imstt(struct fb_info *info) + { + struct imstt_par *par = info->par; + __u32 i, tmp, *ip, *end; +@@ -1419,7 +1419,7 @@ static void init_imstt(struct fb_info *i + || !(compute_imstt_regvals(par, info->var.xres, info->var.yres))) { + printk("imsttfb: %ux%ux%u not supported\n", info->var.xres, info->var.yres, info->var.bits_per_pixel); + framebuffer_release(info); +- return; ++ return -ENODEV; + } + + sprintf(info->fix.id, "IMS TT (%s)", par->ramdac == IBM ? 
"IBM" : "TVP"); +@@ -1455,12 +1455,13 @@ static void init_imstt(struct fb_info *i + + if (register_framebuffer(info) < 0) { + framebuffer_release(info); +- return; ++ return -ENODEV; + } + + tmp = (read_reg_le32(par->dc_regs, SSTATUS) & 0x0f00) >> 8; + fb_info(info, "%s frame buffer; %uMB vram; chip version %u\n", + info->fix.id, info->fix.smem_len >> 20, tmp); ++ return 0; + } + + static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent) +@@ -1523,10 +1524,10 @@ static int imsttfb_probe(struct pci_dev + if (!par->cmap_regs) + goto error; + info->pseudo_palette = par->palette; +- init_imstt(info); +- +- pci_set_drvdata(pdev, info); +- return 0; ++ ret = init_imstt(info); ++ if (!ret) ++ pci_set_drvdata(pdev, info); ++ return ret; + + error: + if (par->dc_regs) diff --git a/tmp-5.10/fbdev-imxfb-warn-about-invalid-left-right-margin.patch b/tmp-5.10/fbdev-imxfb-warn-about-invalid-left-right-margin.patch new file mode 100644 index 00000000000..da7b5d56f8a --- /dev/null +++ b/tmp-5.10/fbdev-imxfb-warn-about-invalid-left-right-margin.patch 
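Review bot: In imsttfb_probe the new `return ret;` after `ret = init_imstt(info);` bypasses the `error:` label that follows it, so when init_imstt() fails the mappings that label tests (`par->dc_regs`, and whatever else it releases) are never unwound. Jumping to `error:` as the code stands is not safe either: init_imstt() has already called `framebuffer_release(info)` on both failure paths, and the label reads `par`, which presumably lives in the same `info->par` storage. A cleaner shape is to drop the framebuffer_release() calls from init_imstt() and let the probe own all cleanup behind `if (ret) goto error;`. Separately, a failing `register_framebuffer(info)` is now reported as -ENODEV rather than with the code it returned. The `error:` block continues past the hunk.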
@@ -0,0 +1,43 @@ +From 5fc5ae5bcfe10fe347c46c27342375d3544466b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jun 2023 15:24:37 +0200 +Subject: fbdev: imxfb: warn about invalid left/right margin + +From: Martin Kaiser + +[ Upstream commit 4e47382fbca916d7db95cbf9e2d7ca2e9d1ca3fe ] + +Warn about invalid var->left_margin or var->right_margin. Their values +are read from the device tree. + +We store var->left_margin-3 and var->right_margin-1 in register +fields. These fields should be >= 0. + +Fixes: 7e8549bcee00 ("imxfb: Fix margin settings") +Signed-off-by: Martin Kaiser +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/imxfb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c +index 564bd0407ed81..d663e080b1571 100644 +--- a/drivers/video/fbdev/imxfb.c ++++ b/drivers/video/fbdev/imxfb.c +@@ -602,10 +602,10 @@ static int imxfb_activate_var(struct fb_var_screeninfo *var, struct fb_info *inf + if (var->hsync_len < 1 || var->hsync_len > 64) + printk(KERN_ERR "%s: invalid hsync_len %d\n", + info->fix.id, var->hsync_len); +- if (var->left_margin > 255) ++ if (var->left_margin < 3 || var->left_margin > 255) + printk(KERN_ERR "%s: invalid left_margin %d\n", + info->fix.id, var->left_margin); +- if (var->right_margin > 255) ++ if (var->right_margin < 1 || var->right_margin > 255) + printk(KERN_ERR "%s: invalid right_margin %d\n", + info->fix.id, var->right_margin); + if (var->yres < 1 || var->yres > ymax_mask) +-- +2.39.2 + diff --git a/tmp-5.10/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch b/tmp-5.10/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch new file mode 100644 index 00000000000..35c11ba143e --- /dev/null +++ b/tmp-5.10/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch 
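Review bot: The two new lower-bound tests in imxfb_activate_var only log: after the `printk(KERN_ERR ...)` execution carries on, so a device-tree `left_margin` below 3 or a `right_margin` of 0 would still reach the `left_margin-3` / `right_margin-1` register fields the commit message describes, and would wrap if those values are unsigned. If the intent is to keep bad timings out of the hardware, fail the call after the message with `return -EINVAL;`, or clamp the value before it is written. The register write is outside the hunk and the neighbouring checks are warn-only as well, so this may be deliberate; if so, a comment such as `/* diagnostics only: out-of-range values are still programmed */` would say it.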
@@ -0,0 +1,44 @@ +From 8a1e222bddaa49697f6e2a74003c86ea9109a884 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jun 2023 17:42:28 +0200 +Subject: fbdev: omapfb: lcd_mipid: Fix an error handling path in + mipid_spi_probe() + +From: Christophe JAILLET + +[ Upstream commit 79a3908d1ea6c35157a6d907b1a9d8ec06015e7a ] + +If 'mipid_detect()' fails, we must free 'md' to avoid a memory leak. + +Fixes: 66d2f99d0bb5 ("omapfb: add support for MIPI-DCS compatible LCDs") +Signed-off-by: Christophe JAILLET +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/omap/lcd_mipid.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/omap/lcd_mipid.c b/drivers/video/fbdev/omap/lcd_mipid.c +index a75ae0c9b14c7..d1cd8785d011d 100644 +--- a/drivers/video/fbdev/omap/lcd_mipid.c ++++ b/drivers/video/fbdev/omap/lcd_mipid.c +@@ -563,11 +563,15 @@ static int mipid_spi_probe(struct spi_device *spi) + + r = mipid_detect(md); + if (r < 0) +- return r; ++ goto free_md; + + omapfb_register_panel(&md->panel); + + return 0; ++ ++free_md: ++ kfree(md); ++ return r; + } + + static int mipid_spi_remove(struct spi_device *spi) +-- +2.39.2 + diff --git a/tmp-5.10/firmware-stratix10-svc-fix-a-potential-resource-leak-in-svc_create_memory_pool.patch b/tmp-5.10/firmware-stratix10-svc-fix-a-potential-resource-leak-in-svc_create_memory_pool.patch new file mode 100644 index 00000000000..9b2812dbc59 --- /dev/null +++ b/tmp-5.10/firmware-stratix10-svc-fix-a-potential-resource-leak-in-svc_create_memory_pool.patch 
@@ -0,0 +1,39 @@ +From 1995f15590ca222f91193ed11461862b450abfd6 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Tue, 13 Jun 2023 16:15:21 -0500 +Subject: firmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool() + +From: Christophe JAILLET + +commit 1995f15590ca222f91193ed11461862b450abfd6 upstream. + +svc_create_memory_pool() is only called from stratix10_svc_drv_probe(). +Most of resources in the probe are managed, but not this memremap() call. + +There is also no memunmap() call in the file. + +So switch to devm_memremap() to avoid a resource leak. + +Cc: stable@vger.kernel.org +Fixes: 7ca5ce896524 ("firmware: add Intel Stratix10 service layer driver") +Link: https://lore.kernel.org/all/783e9dfbba34e28505c9efa8bba41f97fd0fa1dc.1686109400.git.christophe.jaillet@wanadoo.fr/ +Signed-off-by: Christophe JAILLET +Signed-off-by: Dinh Nguyen +Message-ID: <20230613211521.16366-1-dinguyen@kernel.org> +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/stratix10-svc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/stratix10-svc.c ++++ b/drivers/firmware/stratix10-svc.c +@@ -622,7 +622,7 @@ svc_create_memory_pool(struct platform_d + end = rounddown(sh_memory->addr + sh_memory->size, PAGE_SIZE); + paddr = begin; + size = end - begin; +- va = memremap(paddr, size, MEMREMAP_WC); ++ va = devm_memremap(dev, paddr, size, MEMREMAP_WC); + if (!va) { + dev_err(dev, "fail to remap shared memory\n"); + return ERR_PTR(-EINVAL); diff --git a/tmp-5.10/fs-avoid-empty-option-when-generating-legacy-mount-string.patch b/tmp-5.10/fs-avoid-empty-option-when-generating-legacy-mount-string.patch new file mode 100644 index 00000000000..137c67371c4 --- /dev/null +++ b/tmp-5.10/fs-avoid-empty-option-when-generating-legacy-mount-string.patch 
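Review bot: The unchanged `if (!va) {` test after the new call no longer catches a failed mapping, because devm_memremap() reports failure with an ERR_PTR() value rather than the NULL that memremap() returns. On error svc_create_memory_pool would skip the `dev_err()` branch and pass an error pointer on to whatever uses `va` next. The check should become `if (IS_ERR(va)) {`. The function continues outside the hunk.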
@@ -0,0 +1,43 @@ +From 62176420274db5b5127cd7a0083a9aeb461756ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Wed, 7 Jun 2023 19:28:48 +0200 +Subject: fs: avoid empty option when generating legacy mount string +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 62176420274db5b5127cd7a0083a9aeb461756ee upstream. + +As each option string fragment is always prepended with a comma it would +happen that the whole string always starts with a comma. This could be +interpreted by filesystem drivers as an empty option and may produce +errors. + +For example the NTFS driver from ntfs.ko behaves like this and fails +when mounted via the new API. + +Link: https://github.com/util-linux/util-linux/issues/2298 +Signed-off-by: Thomas Weißschuh +Fixes: 3e1aeb00e6d1 ("vfs: Implement a filesystem superblock creation/configuration context") +Cc: stable@vger.kernel.org +Message-Id: <20230607-fs-empty-option-v1-1-20c8dbf4671b@weissschuh.net> +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/fs_context.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/fs_context.c ++++ b/fs/fs_context.c +@@ -543,7 +543,8 @@ static int legacy_parse_param(struct fs_ + return -ENOMEM; + } + +- ctx->legacy_data[size++] = ','; ++ if (size) ++ ctx->legacy_data[size++] = ','; + len = strlen(param->key); + memcpy(ctx->legacy_data + size, param->key, len); + size += len; diff --git a/tmp-5.10/fs-dlm-return-positive-pid-value-for-f_getlk.patch b/tmp-5.10/fs-dlm-return-positive-pid-value-for-f_getlk.patch new file mode 100644 index 00000000000..e41a88a3395 --- /dev/null +++ b/tmp-5.10/fs-dlm-return-positive-pid-value-for-f_getlk.patch 
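Review bot: The new `if (size)` guard in legacy_parse_param carries no comment, and the reason for it is not visible in the code. Add one above it, for example `/* No leading comma: legacy parsers may treat it as an empty option */`. The length check that precedes this write is outside the hunk; it presumably still budgets one byte for the separator, which stays safe because the guard can only write fewer bytes than before.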
@@ -0,0 +1,36 @@ +From 92655fbda5c05950a411eaabc19e025e86e2a291 Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Fri, 19 May 2023 11:21:24 -0400 +Subject: fs: dlm: return positive pid value for F_GETLK + +From: Alexander Aring + +commit 92655fbda5c05950a411eaabc19e025e86e2a291 upstream. + +The GETLK pid values have all been negated since commit 9d5b86ac13c5 +("fs/locks: Remove fl_nspid and use fs-specific l_pid for remote locks"). +Revert this for local pids, and leave in place negative pids for remote +owners. + +Cc: stable@vger.kernel.org +Fixes: 9d5b86ac13c5 ("fs/locks: Remove fl_nspid and use fs-specific l_pid for remote locks") +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Greg Kroah-Hartman +--- + fs/dlm/plock.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/dlm/plock.c ++++ b/fs/dlm/plock.c +@@ -363,7 +363,9 @@ int dlm_posix_get(dlm_lockspace_t *locks + locks_init_lock(fl); + fl->fl_type = (op->info.ex) ? F_WRLCK : F_RDLCK; + fl->fl_flags = FL_POSIX; +- fl->fl_pid = -op->info.pid; ++ fl->fl_pid = op->info.pid; ++ if (op->info.nodeid != dlm_our_nodeid()) ++ fl->fl_pid = -fl->fl_pid; + fl->fl_start = op->info.start; + fl->fl_end = op->info.end; + rv = 0; diff --git a/tmp-5.10/fs-establish-locking-order-for-unrelated-directories.patch b/tmp-5.10/fs-establish-locking-order-for-unrelated-directories.patch new file mode 100644 index 00000000000..cbb41e61f26 --- /dev/null +++ b/tmp-5.10/fs-establish-locking-order-for-unrelated-directories.patch 
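Review bot: The sign convention introduced in dlm_posix_get is undocumented: `fl->fl_pid` is now positive for a lock held on this node and negated when `op->info.nodeid != dlm_our_nodeid()`. A short comment above the test, such as `/* negative pid: the lock owner is on another node */`, would keep a later reader from normalising the sign again. The rest of the function is outside the hunk.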
@@ -0,0 +1,104 @@ +From f23ce757185319886ca80c4864ce5f81ac6cc9e9 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 1 Jun 2023 12:58:24 +0200 +Subject: fs: Establish locking order for unrelated directories + +From: Jan Kara + +commit f23ce757185319886ca80c4864ce5f81ac6cc9e9 upstream. + +Currently the locking order of inode locks for directories that are not +in ancestor relationship is not defined because all operations that +needed to lock two directories like this were serialized by +sb->s_vfs_rename_mutex. However some filesystems need to lock two +subdirectories for RENAME_EXCHANGE operations and for this we need the +locking order established even for two tree-unrelated directories. +Provide a helper function lock_two_inodes() that establishes lock +ordering for any two inodes and use it in lock_two_directories(). + +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Message-Id: <20230601105830.13168-4-jack@suse.cz> +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/inode.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + fs/internal.h | 2 ++ + fs/namei.c | 4 ++-- + 3 files changed, 46 insertions(+), 2 deletions(-) + +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -1016,6 +1016,48 @@ void discard_new_inode(struct inode *ino + EXPORT_SYMBOL(discard_new_inode); + + /** ++ * lock_two_inodes - lock two inodes (may be regular files but also dirs) ++ * ++ * Lock any non-NULL argument. The caller must make sure that if he is passing ++ * in two directories, one is not ancestor of the other. Zero, one or two ++ * objects may be locked by this function. 
++ * ++ * @inode1: first inode to lock ++ * @inode2: second inode to lock ++ * @subclass1: inode lock subclass for the first lock obtained ++ * @subclass2: inode lock subclass for the second lock obtained ++ */ ++void lock_two_inodes(struct inode *inode1, struct inode *inode2, ++ unsigned subclass1, unsigned subclass2) ++{ ++ if (!inode1 || !inode2) { ++ /* ++ * Make sure @subclass1 will be used for the acquired lock. ++ * This is not strictly necessary (no current caller cares) but ++ * let's keep things consistent. ++ */ ++ if (!inode1) ++ swap(inode1, inode2); ++ goto lock; ++ } ++ ++ /* ++ * If one object is directory and the other is not, we must make sure ++ * to lock directory first as the other object may be its child. ++ */ ++ if (S_ISDIR(inode2->i_mode) == S_ISDIR(inode1->i_mode)) { ++ if (inode1 > inode2) ++ swap(inode1, inode2); ++ } else if (!S_ISDIR(inode1->i_mode)) ++ swap(inode1, inode2); ++lock: ++ if (inode1) ++ inode_lock_nested(inode1, subclass1); ++ if (inode2 && inode2 != inode1) ++ inode_lock_nested(inode2, subclass2); ++} ++ ++/** + * lock_two_nondirectories - take two i_mutexes on non-directory objects + * + * Lock any non-NULL argument that is not a directory. +--- a/fs/internal.h ++++ b/fs/internal.h +@@ -150,6 +150,8 @@ extern long prune_icache_sb(struct super + extern void inode_add_lru(struct inode *inode); + extern int dentry_needs_remove_privs(struct dentry *dentry); + bool in_group_or_capable(const struct inode *inode, kgid_t gid); ++void lock_two_inodes(struct inode *inode1, struct inode *inode2, ++ unsigned subclass1, unsigned subclass2); + + /* + * fs-writeback.c +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -2782,8 +2782,8 @@ struct dentry *lock_rename(struct dentry + return p; + } + +- inode_lock_nested(p1->d_inode, I_MUTEX_PARENT); +- inode_lock_nested(p2->d_inode, I_MUTEX_PARENT2); ++ lock_two_inodes(p1->d_inode, p2->d_inode, ++ I_MUTEX_PARENT, I_MUTEX_PARENT2); + return NULL; + } + EXPORT_SYMBOL(lock_rename); 
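Review bot: In lock_two_inodes the `if (S_ISDIR(inode2->i_mode) == S_ISDIR(inode1->i_mode)) { ... } else if (!S_ISDIR(inode1->i_mode))` chain braces only its first branch; kernel style wants braces on every branch once one of them has them, so write `} else if (!S_ISDIR(inode1->i_mode)) {` with a closing `}`. The kernel-doc block also places its description before the `@inode1` to `@subclass2` lines, whereas kernel-doc expects the parameter list right after the one-line summary. The in-function comment could add that after a swap `subclass1` applies to whichever inode is locked first rather than to the caller's first argument; at present it says so only for the NULL case.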
diff --git a/tmp-5.10/fs-lock-moved-directories.patch b/tmp-5.10/fs-lock-moved-directories.patch
new file mode 100644
index 00000000000..31e388d7629
--- /dev/null
+++ b/tmp-5.10/fs-lock-moved-directories.patch
@@ -0,0 +1,126 @@ +From 28eceeda130f5058074dd007d9c59d2e8bc5af2e Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 1 Jun 2023 12:58:25 +0200 +Subject: fs: Lock moved directories + +From: Jan Kara + +commit 28eceeda130f5058074dd007d9c59d2e8bc5af2e upstream. + +When a directory is moved to a different directory, some filesystems +(udf, ext4, ocfs2, f2fs, and likely gfs2, reiserfs, and others) need to +update their pointer to the parent and this must not race with other +operations on the directory. Lock the directories when they are moved. +Although not all filesystems need this locking, we perform it in +vfs_rename() because getting the lock ordering right is really difficult +and we don't want to expose these locking details to filesystems. + +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Message-Id: <20230601105830.13168-5-jack@suse.cz> +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/filesystems/directory-locking.rst | 26 ++++++++++++------------ + fs/namei.c | 22 ++++++++++++-------- + 2 files changed, 28 insertions(+), 20 deletions(-) + +--- a/Documentation/filesystems/directory-locking.rst ++++ b/Documentation/filesystems/directory-locking.rst +@@ -22,12 +22,11 @@ exclusive. + 3) object removal. Locking rules: caller locks parent, finds victim, + locks victim and calls the method. Locks are exclusive. + +-4) rename() that is _not_ cross-directory. Locking rules: caller locks +-the parent and finds source and target. In case of exchange (with +-RENAME_EXCHANGE in flags argument) lock both. In any case, +-if the target already exists, lock it. If the source is a non-directory, +-lock it. If we need to lock both, lock them in inode pointer order. +-Then call the method. All locks are exclusive. ++4) rename() that is _not_ cross-directory. Locking rules: caller locks the ++parent and finds source and target. We lock both (provided they exist). 
If we ++need to lock two inodes of different type (dir vs non-dir), we lock directory ++first. If we need to lock two inodes of the same type, lock them in inode ++pointer order. Then call the method. All locks are exclusive. + NB: we might get away with locking the source (and target in exchange + case) shared. + +@@ -44,15 +43,17 @@ All locks are exclusive. + rules: + + * lock the filesystem +- * lock parents in "ancestors first" order. ++ * lock parents in "ancestors first" order. If one is not ancestor of ++ the other, lock them in inode pointer order. + * find source and target. + * if old parent is equal to or is a descendent of target + fail with -ENOTEMPTY + * if new parent is equal to or is a descendent of source + fail with -ELOOP +- * If it's an exchange, lock both the source and the target. +- * If the target exists, lock it. If the source is a non-directory, +- lock it. If we need to lock both, do so in inode pointer order. ++ * Lock both the source and the target provided they exist. If we ++ need to lock two inodes of different type (dir vs non-dir), we lock ++ the directory first. If we need to lock two inodes of the same type, ++ lock them in inode pointer order. + * call the method. + + All ->i_rwsem are taken exclusive. Again, we might get away with locking +@@ -66,8 +67,9 @@ If no directory is its own ancestor, the + + Proof: + +- First of all, at any moment we have a partial ordering of the +- objects - A < B iff A is an ancestor of B. ++ First of all, at any moment we have a linear ordering of the ++ objects - A < B iff (A is an ancestor of B) or (B is not an ancestor ++ of A and ptr(A) < ptr(B)). + + That ordering can change. However, the following is true: + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -4264,7 +4264,7 @@ SYSCALL_DEFINE2(link, const char __user + * sb->s_vfs_rename_mutex. We might be more accurate, but that's another + * story. 
+ * c) we have to lock _four_ objects - parents and victim (if it exists), +- * and source (if it is not a directory). ++ * and source. + * And that - after we got ->i_mutex on parents (until then we don't know + * whether the target exists). Solution: try to be smart with locking + * order for inodes. We rely on the fact that tree topology may change +@@ -4341,10 +4341,16 @@ int vfs_rename(struct inode *old_dir, st + + take_dentry_name_snapshot(&old_name, old_dentry); + dget(new_dentry); +- if (!is_dir || (flags & RENAME_EXCHANGE)) +- lock_two_nondirectories(source, target); +- else if (target) +- inode_lock(target); ++ /* ++ * Lock all moved children. Moved directories may need to change parent ++ * pointer so they need the lock to prevent against concurrent ++ * directory changes moving parent pointer. For regular files we've ++ * historically always done this. The lockdep locking subclasses are ++ * somewhat arbitrary but RENAME_EXCHANGE in particular can swap ++ * regular files and directories so it's difficult to tell which ++ * subclasses to use. ++ */ ++ lock_two_inodes(source, target, I_MUTEX_NORMAL, I_MUTEX_NONDIR2); + + error = -EBUSY; + if (is_local_mountpoint(old_dentry) || is_local_mountpoint(new_dentry)) +@@ -4388,9 +4394,9 @@ int vfs_rename(struct inode *old_dir, st + d_exchange(old_dentry, new_dentry); + } + out: +- if (!is_dir || (flags & RENAME_EXCHANGE)) +- unlock_two_nondirectories(source, target); +- else if (target) ++ if (source) ++ inode_unlock(source); ++ if (target) + inode_unlock(target); + dput(new_dentry); + if (!error) { diff --git a/tmp-5.10/fs-no-need-to-check-source.patch b/tmp-5.10/fs-no-need-to-check-source.patch new file mode 100644 index 00000000000..f1b48d2b4fb --- /dev/null +++ b/tmp-5.10/fs-no-need-to-check-source.patch 
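Review bot: The relation that the directory-locking.rst hunk now calls a "linear ordering", `A < B iff (A is an ancestor of B) or (B is not an ancestor of A and ptr(A) < ptr(B))`, is not transitive. Take A an ancestor of B and an unrelated C with ptr(B) < ptr(C) < ptr(A): the definition gives A < B, B < C and C < A. The deadlock-freedom proof that follows rests on this order, and rule 4 (same-directory rename) now locks both source and target without the "lock the filesystem" step listed for the cross-directory case. As far as the visible text shows, the proof needs a different argument for locking two subdirectories there, or the new `lock_two_inodes(source, target, ...)` call in vfs_rename() should only take directory locks in cases the filesystem-wide lock already serialises.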
@@ -0,0 +1,45 @@ +From 66d8fc0539b0d49941f313c9509a8384e4245ac1 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 3 Jul 2023 16:49:11 +0200 +Subject: fs: no need to check source + +From: Jan Kara + +commit 66d8fc0539b0d49941f313c9509a8384e4245ac1 upstream. + +The @source inode must be valid. It is even checked via IS_SWAPFILE() +above making it pretty clear. So no need to check it when we unlock. + +What doesn't need to exist is the @target inode. The lock_two_inodes() +helper currently swaps the @inode1 and @inode2 arguments if @inode1 is +NULL to have consistent lock class usage. However, we know that at least +for vfs_rename() that @inode1 is @source and thus is never NULL as per +above. We also know that @source is a different inode than @target as +that is checked right at the beginning of vfs_rename(). So we know that +@source is valid and locked and that @target is locked. So drop the +check whether @source is non-NULL. + +Fixes: 28eceeda130f ("fs: Lock moved directories") +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/202307030026.9sE2pk2x-lkp@intel.com +Message-Id: <20230703-vfs-rename-source-v1-1-37eebb29b65b@kernel.org> +[brauner: use commit message from patch I sent concurrently] +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/namei.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -4394,8 +4394,7 @@ int vfs_rename(struct inode *old_dir, st + d_exchange(old_dentry, new_dentry); + } + out: +- if (source) +- inode_unlock(source); ++ inode_unlock(source); + if (target) + inode_unlock(target); + dput(new_dentry); diff --git a/tmp-5.10/fs-pipe-reveal-missing-function-protoypes.patch b/tmp-5.10/fs-pipe-reveal-missing-function-protoypes.patch new file mode 100644 index 00000000000..09b82bb6232 --- /dev/null +++ b/tmp-5.10/fs-pipe-reveal-missing-function-protoypes.patch 
@@ -0,0 +1,56 @@ +From 60ae9568ce89cb13304827df3196c9453cdc3644 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 21:56:12 +0200 +Subject: fs: pipe: reveal missing function protoypes + +From: Arnd Bergmann + +[ Upstream commit 247c8d2f9837a3e29e3b6b7a4aa9c36c37659dd4 ] + +A couple of functions from fs/pipe.c are used both internally +and for the watch queue code, but the declaration is only +visible when the latter is enabled: + +fs/pipe.c:1254:5: error: no previous prototype for 'pipe_resize_ring' +fs/pipe.c:758:15: error: no previous prototype for 'account_pipe_buffers' +fs/pipe.c:764:6: error: no previous prototype for 'too_many_pipe_buffers_soft' +fs/pipe.c:771:6: error: no previous prototype for 'too_many_pipe_buffers_hard' +fs/pipe.c:777:6: error: no previous prototype for 'pipe_is_unprivileged_user' + +Make the visible unconditionally to avoid these warnings. + +Fixes: c73be61cede5 ("pipe: Add general notification queue support") +Signed-off-by: Arnd Bergmann +Message-Id: <20230516195629.551602-1-arnd@kernel.org> +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + include/linux/pipe_fs_i.h | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h +index c0b6ec6bf65b7..ef236dbaa2945 100644 +--- a/include/linux/pipe_fs_i.h ++++ b/include/linux/pipe_fs_i.h +@@ -256,18 +256,14 @@ void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *); + + extern const struct pipe_buf_operations nosteal_pipe_buf_ops; + +-#ifdef CONFIG_WATCH_QUEUE + unsigned long account_pipe_buffers(struct user_struct *user, + unsigned long old, unsigned long new); + bool too_many_pipe_buffers_soft(unsigned long user_bufs); + bool too_many_pipe_buffers_hard(unsigned long user_bufs); + bool pipe_is_unprivileged_user(void); +-#endif + + /* for F_SETPIPE_SZ and F_GETPIPE_SZ */ +-#ifdef CONFIG_WATCH_QUEUE + int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots); +-#endif 
+ long pipe_fcntl(struct file *, unsigned int, unsigned long arg); + struct pipe_inode_info *get_pipe_info(struct file *file, bool for_splice); + +-- +2.39.2 + diff --git a/tmp-5.10/ftrace-fix-possible-warning-on-checking-all-pages-used-in-ftrace_process_locs.patch b/tmp-5.10/ftrace-fix-possible-warning-on-checking-all-pages-used-in-ftrace_process_locs.patch new file mode 100644 index 00000000000..47f6f6026a4 --- /dev/null +++ b/tmp-5.10/ftrace-fix-possible-warning-on-checking-all-pages-used-in-ftrace_process_locs.patch 
@@ -0,0 +1,131 @@ +From 26efd79c4624294e553aeaa3439c646729bad084 Mon Sep 17 00:00:00 2001 +From: Zheng Yejian +Date: Wed, 12 Jul 2023 14:04:52 +0800 +Subject: ftrace: Fix possible warning on checking all pages used in ftrace_process_locs() + +From: Zheng Yejian + +commit 26efd79c4624294e553aeaa3439c646729bad084 upstream. + +As comments in ftrace_process_locs(), there may be NULL pointers in +mcount_loc section: + > Some architecture linkers will pad between + > the different mcount_loc sections of different + > object files to satisfy alignments. + > Skip any NULL pointers. + +After commit 20e5227e9f55 ("ftrace: allow NULL pointers in mcount_loc"), +NULL pointers will be accounted when allocating ftrace pages but skipped +before adding into ftrace pages, this may result in some pages not being +used. Then after commit 706c81f87f84 ("ftrace: Remove extra helper +functions"), warning may occur at: + WARN_ON(pg->next); + +To fix it, only warn for case that no pointers skipped but pages not used +up, then free those unused pages after releasing ftrace_lock. 
+ +Link: https://lore.kernel.org/linux-trace-kernel/20230712060452.3175675-1-zhengyejian1@huawei.com + +Cc: stable@vger.kernel.org +Fixes: 706c81f87f84 ("ftrace: Remove extra helper functions") +Suggested-by: Steven Rostedt +Signed-off-by: Zheng Yejian +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 45 +++++++++++++++++++++++++++++++-------------- + 1 file changed, 31 insertions(+), 14 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -3196,6 +3196,22 @@ static int ftrace_allocate_records(struc + return cnt; + } + ++static void ftrace_free_pages(struct ftrace_page *pages) ++{ ++ struct ftrace_page *pg = pages; ++ ++ while (pg) { ++ if (pg->records) { ++ free_pages((unsigned long)pg->records, pg->order); ++ ftrace_number_of_pages -= 1 << pg->order; ++ } ++ pages = pg->next; ++ kfree(pg); ++ pg = pages; ++ ftrace_number_of_groups--; ++ } ++} ++ + static struct ftrace_page * + ftrace_allocate_pages(unsigned long num_to_init) + { +@@ -3234,17 +3250,7 @@ ftrace_allocate_pages(unsigned long num_ + return start_pg; + + free_pages: +- pg = start_pg; +- while (pg) { +- if (pg->records) { +- free_pages((unsigned long)pg->records, pg->order); +- ftrace_number_of_pages -= 1 << pg->order; +- } +- start_pg = pg->next; +- kfree(pg); +- pg = start_pg; +- ftrace_number_of_groups--; +- } ++ ftrace_free_pages(start_pg); + pr_info("ftrace: FAILED to allocate memory for functions\n"); + return NULL; + } +@@ -6190,9 +6196,11 @@ static int ftrace_process_locs(struct mo + unsigned long *start, + unsigned long *end) + { ++ struct ftrace_page *pg_unuse = NULL; + struct ftrace_page *start_pg; + struct ftrace_page *pg; + struct dyn_ftrace *rec; ++ unsigned long skipped = 0; + unsigned long count; + unsigned long *p; + unsigned long addr; +@@ -6246,8 +6254,10 @@ static int ftrace_process_locs(struct mo + * object files to satisfy alignments. + * Skip any NULL pointers. 
+ */ +- if (!addr) ++ if (!addr) { ++ skipped++; + continue; ++ } + + end_offset = (pg->index+1) * sizeof(pg->records[0]); + if (end_offset > PAGE_SIZE << pg->order) { +@@ -6261,8 +6271,10 @@ static int ftrace_process_locs(struct mo + rec->ip = addr; + } + +- /* We should have used all pages */ +- WARN_ON(pg->next); ++ if (pg->next) { ++ pg_unuse = pg->next; ++ pg->next = NULL; ++ } + + /* Assign the last page to ftrace_pages */ + ftrace_pages = pg; +@@ -6284,6 +6296,11 @@ static int ftrace_process_locs(struct mo + out: + mutex_unlock(&ftrace_lock); + ++ /* We should have used all pages unless we skipped some */ ++ if (pg_unuse) { ++ WARN_ON(!skipped); ++ ftrace_free_pages(pg_unuse); ++ } + return ret; + } + diff --git a/tmp-5.10/ftrace-store-the-order-of-pages-allocated-in-ftrace_page.patch b/tmp-5.10/ftrace-store-the-order-of-pages-allocated-in-ftrace_page.patch new file mode 100644 index 00000000000..5044e9f3397 --- /dev/null +++ b/tmp-5.10/ftrace-store-the-order-of-pages-allocated-in-ftrace_page.patch 
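Review bot: The new ftrace_free_pages() helper has no comment and walks the list by reassigning its own `pages` parameter (`pages = pg->next; kfree(pg); pg = pages;`), a shape inherited from the open-coded loop it replaces. A local successor reads better: `struct ftrace_page *next = pg->next;` before `kfree(pg);`, then `pg = next;`. A one-line comment should state that it frees the whole chain starting at `pages` and decrements `ftrace_number_of_pages` and `ftrace_number_of_groups`, since ftrace_process_locs() now calls it after `mutex_unlock(&ftrace_lock)` and a reader will want to know the counters are modified at that point.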
@@ -0,0 +1,136 @@ +From db42523b4f3e83ff86b53cdda219a9767c8b047f Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Thu, 1 Apr 2021 16:14:17 -0400 +Subject: ftrace: Store the order of pages allocated in ftrace_page + +From: Linus Torvalds + +commit db42523b4f3e83ff86b53cdda219a9767c8b047f upstream. + +Instead of saving the size of the records field of the ftrace_page, store +the order it uses to allocate the pages, as that is what is needed to know +in order to free the pages. This simplifies the code. + +Link: https://lore.kernel.org/lkml/CAHk-=whyMxheOqXAORt9a7JK9gc9eHTgCJ55Pgs4p=X3RrQubQ@mail.gmail.com/ + +Signed-off-by: Linus Torvalds +[ change log written by Steven Rostedt ] +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Zheng Yejian +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 35 +++++++++++++++++------------------ + 1 file changed, 17 insertions(+), 18 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -1091,7 +1091,7 @@ struct ftrace_page { + struct ftrace_page *next; + struct dyn_ftrace *records; + int index; +- int size; ++ int order; + }; + + #define ENTRY_SIZE sizeof(struct dyn_ftrace) +@@ -3188,7 +3188,7 @@ static int ftrace_allocate_records(struc + ftrace_number_of_groups++; + + cnt = (PAGE_SIZE << order) / ENTRY_SIZE; +- pg->size = cnt; ++ pg->order = order; + + if (cnt > count) + cnt = count; +@@ -3201,7 +3201,6 @@ ftrace_allocate_pages(unsigned long num_ + { + struct ftrace_page *start_pg; + struct ftrace_page *pg; +- int order; + int cnt; + + if (!num_to_init) +@@ -3237,13 +3236,13 @@ ftrace_allocate_pages(unsigned long num_ + free_pages: + pg = start_pg; + while (pg) { +- order = get_count_order(pg->size / ENTRIES_PER_PAGE); +- if (order >= 0) +- free_pages((unsigned long)pg->records, order); ++ if (pg->records) { ++ free_pages((unsigned long)pg->records, pg->order); ++ ftrace_number_of_pages -= 1 << pg->order; ++ } + start_pg = pg->next; + kfree(pg); + pg = start_pg; +- 
ftrace_number_of_pages -= 1 << order; + ftrace_number_of_groups--; + } + pr_info("ftrace: FAILED to allocate memory for functions\n"); +@@ -6239,6 +6238,7 @@ static int ftrace_process_locs(struct mo + p = start; + pg = start_pg; + while (p < end) { ++ unsigned long end_offset; + addr = ftrace_call_adjust(*p++); + /* + * Some architecture linkers will pad between +@@ -6249,7 +6249,8 @@ static int ftrace_process_locs(struct mo + if (!addr) + continue; + +- if (pg->index == pg->size) { ++ end_offset = (pg->index+1) * sizeof(pg->records[0]); ++ if (end_offset > PAGE_SIZE << pg->order) { + /* We should have allocated enough */ + if (WARN_ON(!pg->next)) + break; +@@ -6418,7 +6419,6 @@ void ftrace_release_mod(struct module *m + struct ftrace_page **last_pg; + struct ftrace_page *tmp_page = NULL; + struct ftrace_page *pg; +- int order; + + mutex_lock(&ftrace_lock); + +@@ -6469,12 +6469,12 @@ void ftrace_release_mod(struct module *m + /* Needs to be called outside of ftrace_lock */ + clear_mod_from_hashes(pg); + +- order = get_count_order(pg->size / ENTRIES_PER_PAGE); +- if (order >= 0) +- free_pages((unsigned long)pg->records, order); ++ if (pg->records) { ++ free_pages((unsigned long)pg->records, pg->order); ++ ftrace_number_of_pages -= 1 << pg->order; ++ } + tmp_page = pg->next; + kfree(pg); +- ftrace_number_of_pages -= 1 << order; + ftrace_number_of_groups--; + } + } +@@ -6792,7 +6792,6 @@ void ftrace_free_mem(struct module *mod, + struct ftrace_mod_map *mod_map = NULL; + struct ftrace_init_func *func, *func_next; + struct list_head clear_hash; +- int order; + + INIT_LIST_HEAD(&clear_hash); + +@@ -6830,10 +6829,10 @@ void ftrace_free_mem(struct module *mod, + ftrace_update_tot_cnt--; + if (!pg->index) { + *last_pg = pg->next; +- order = get_count_order(pg->size / ENTRIES_PER_PAGE); +- if (order >= 0) +- free_pages((unsigned long)pg->records, order); +- ftrace_number_of_pages -= 1 << order; ++ if (pg->records) { ++ free_pages((unsigned long)pg->records, pg->order); ++ 
ftrace_number_of_pages -= 1 << pg->order; ++ } + ftrace_number_of_groups--; + kfree(pg); + pg = container_of(last_pg, struct ftrace_page, next); diff --git a/tmp-5.10/fuse-revalidate-don-t-invalidate-if-interrupted.patch b/tmp-5.10/fuse-revalidate-don-t-invalidate-if-interrupted.patch new file mode 100644 index 00000000000..08fc64e3e8c --- /dev/null +++ b/tmp-5.10/fuse-revalidate-don-t-invalidate-if-interrupted.patch @@ -0,0 +1,34 @@ +From a9d1c4c6df0e568207907c04aed9e7beb1294c42 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 7 Jun 2023 17:49:20 +0200 +Subject: fuse: revalidate: don't invalidate if interrupted + +From: Miklos Szeredi + +commit a9d1c4c6df0e568207907c04aed9e7beb1294c42 upstream. + +If the LOOKUP request triggered from fuse_dentry_revalidate() is +interrupted, then the dentry will be invalidated, possibly resulting in +submounts being unmounted. + +Reported-by: Xu Rongbo +Closes: https://lore.kernel.org/all/CAJfpegswN_CJJ6C3RZiaK6rpFmNyWmXfaEpnQUJ42KCwNF5tWw@mail.gmail.com/ +Fixes: 9e6268db496a ("[PATCH] FUSE - read-write operations") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -249,7 +249,7 @@ static int fuse_dentry_revalidate(struct + spin_unlock(&fi->lock); + } + kfree(forget); +- if (ret == -ENOMEM) ++ if (ret == -ENOMEM || ret == -EINTR) + goto out; + if (ret || fuse_invalid_attr(&outarg.attr) || + fuse_stale_inode(inode, outarg.generation, &outarg.attr)) diff --git a/tmp-5.10/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch b/tmp-5.10/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch new file mode 100644 index 00000000000..f769b3b2a28 --- /dev/null +++ b/tmp-5.10/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch 
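Review bot: After this change the same release sequence, `if (pg->records) { free_pages((unsigned long)pg->records, pg->order); ftrace_number_of_pages -= 1 << pg->order; }`, is repeated in ftrace_allocate_pages, ftrace_release_mod and ftrace_free_mem. One static helper taking the `struct ftrace_page *` would keep the page and counter accounting in a single place. In ftrace_process_locs the new `unsigned long end_offset;` is also followed directly by `addr = ftrace_call_adjust(*p++);`, where kernel style puts a blank line after declarations. All of these functions extend beyond their hunks.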
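Review bot: The extended test in fuse_dentry_revalidate, `if (ret == -ENOMEM || ret == -EINTR)`, has no comment saying why these two errors skip invalidation. Suggested wording: `/* Transient failure: keep the dentry, invalidating it could unmount submounts */`. Other error codes that say nothing about the entry itself still fall through to the invalidation branch below; whether any of them deserves the same treatment cannot be decided from the hunk, which shows only part of the function.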
@@ -0,0 +1,190 @@ +From d8ca0703cf886f4147a599fb6b5ac5edf0f67e8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jun 2023 14:32:31 -0700 +Subject: gtp: Fix use-after-free in __gtp_encap_destroy(). + +From: Kuniyuki Iwashima + +[ Upstream commit ce3aee7114c575fab32a5e9e939d4bbb3dcca79f ] + +syzkaller reported use-after-free in __gtp_encap_destroy(). [0] + +It shows the same process freed sk and touched it illegally. + +Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock() +and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, +but release_sock() is called after sock_put() releases the last refcnt. + +[0]: +BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] +BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] +BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] +BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline] +BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] +BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 +Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401 + +CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:351 [inline] + print_report+0xcc/0x620 mm/kasan/report.c:462 + kasan_report+0xb2/0xe0 mm/kasan/report.c:572 + check_region_inline mm/kasan/generic.c:181 [inline] + kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187 + instrument_atomic_read_write include/linux/instrumented.h:96 [inline] + 
atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] + queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] + do_raw_spin_lock include/linux/spinlock.h:186 [inline] + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] + _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 + spin_lock_bh include/linux/spinlock.h:355 [inline] + release_sock+0x1f/0x1a0 net/core/sock.c:3526 + gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] + gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 + gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 + unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 + rtnl_delete_link net/core/rtnetlink.c:3216 [inline] + rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 + rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 + netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x1b7/0x200 net/socket.c:747 + ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 + ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 + __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7f1168b1fe5d +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 +RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d +RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003 +RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 
0000000000000000 +R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000 + + +Allocated by task 1483: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + __kasan_slab_alloc+0x59/0x70 mm/kasan/common.c:328 + kasan_slab_alloc include/linux/kasan.h:186 [inline] + slab_post_alloc_hook mm/slab.h:711 [inline] + slab_alloc_node mm/slub.c:3451 [inline] + slab_alloc mm/slub.c:3459 [inline] + __kmem_cache_alloc_lru mm/slub.c:3466 [inline] + kmem_cache_alloc+0x16d/0x340 mm/slub.c:3475 + sk_prot_alloc+0x5f/0x280 net/core/sock.c:2073 + sk_alloc+0x34/0x6c0 net/core/sock.c:2132 + inet6_create net/ipv6/af_inet6.c:192 [inline] + inet6_create+0x2c7/0xf20 net/ipv6/af_inet6.c:119 + __sock_create+0x2a1/0x530 net/socket.c:1535 + sock_create net/socket.c:1586 [inline] + __sys_socket_create net/socket.c:1623 [inline] + __sys_socket_create net/socket.c:1608 [inline] + __sys_socket+0x137/0x250 net/socket.c:1651 + __do_sys_socket net/socket.c:1664 [inline] + __se_sys_socket net/socket.c:1662 [inline] + __x64_sys_socket+0x72/0xb0 net/socket.c:1662 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Freed by task 2401: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free mm/kasan/common.c:200 [inline] + __kasan_slab_free+0x10c/0x1b0 mm/kasan/common.c:244 + kasan_slab_free include/linux/kasan.h:162 [inline] + slab_free_hook mm/slub.c:1781 [inline] + slab_free_freelist_hook mm/slub.c:1807 [inline] + slab_free mm/slub.c:3786 [inline] + kmem_cache_free+0xb4/0x490 mm/slub.c:3808 + sk_prot_free net/core/sock.c:2113 [inline] + __sk_destruct+0x500/0x720 net/core/sock.c:2207 + sk_destruct+0xc1/0xe0 net/core/sock.c:2222 + __sk_free+0xed/0x3d0 net/core/sock.c:2233 + 
sk_free+0x7c/0xa0 net/core/sock.c:2244 + sock_put include/net/sock.h:1981 [inline] + __gtp_encap_destroy+0x165/0x1b0 drivers/net/gtp.c:634 + gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] + gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 + gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 + unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 + rtnl_delete_link net/core/rtnetlink.c:3216 [inline] + rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 + rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 + netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x1b7/0x200 net/socket.c:747 + ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 + ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 + __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +The buggy address belongs to the object at ffff88800dbef300 + which belongs to the cache UDPv6 of size 1344 +The buggy address is located 152 bytes inside of + freed 1344-byte region [ffff88800dbef300, ffff88800dbef840) + +The buggy address belongs to the physical page: +page:00000000d31bfed5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800dbeed40 pfn:0xdbe8 +head:00000000d31bfed5 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +memcg:ffff888008ee0801 +flags: 0x100000000010200(slab|head|node=0|zone=1) +page_type: 0xffffffff() +raw: 0100000000010200 ffff88800c7a3000 dead000000000122 0000000000000000 +raw: ffff88800dbeed40 0000000080160015 00000001ffffffff ffff888008ee0801 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88800dbef280: fc fc fc fc fc fc fc fc fc 
fc fc fc fc fc fc fc + ffff88800dbef300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88800dbef380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88800dbef400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88800dbef480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Pablo Neira Ayuso +Link: https://lore.kernel.org/r/20230622213231.24651-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 1c46bc4d27058..05ea3a18552b6 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -291,7 +291,9 @@ static void __gtp_encap_destroy(struct sock *sk) + gtp->sk1u = NULL; + udp_sk(sk)->encap_type = 0; + rcu_assign_sk_user_data(sk, NULL); ++ release_sock(sk); + sock_put(sk); ++ return; + } + release_sock(sk); + } +-- +2.39.2 + diff --git a/tmp-5.10/gve-set-default-duplex-configuration-to-full.patch b/tmp-5.10/gve-set-default-duplex-configuration-to-full.patch new file mode 100644 index 00000000000..e2ab8b698b4 --- /dev/null +++ b/tmp-5.10/gve-set-default-duplex-configuration-to-full.patch 
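Review bot: In __gtp_encap_destroy() the added `release_sock(sk);` before `sock_put(sk);` is correct only because of its order, and nothing in the code records that. A comment on the new unlock, `/* unlock before the put: sock_put() may drop the last reference and free sk */`, would keep a later cleanup from folding the two unlock paths back into the single trailing `release_sock(sk)`, which is the use-after-free shown in the KASAN report in the description. The early `return` also leaves two unlock sites in one small function; a single exit that remembers whether the put is needed and performs it after the unlock would be an equally valid shape.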
@@ -0,0 +1,43 @@
+From 16788fe6a3213dc782c2135f0e2e7ba48ec48d54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Jul 2023 12:41:28 +0800
+Subject: gve: Set default duplex configuration to full
+
+From: Junfeng Guo
+
+[ Upstream commit 0503efeadbf6bb8bf24397613a73b67e665eac5f ]
+
+Current duplex mode was unset in the driver, resulting in the default
+parameter being set to 0, which corresponds to half duplex. It might
+mislead users to have incorrect expectation about the driver's
+transmission capabilities.
+Set the default duplex configuration to full, as the driver runs in
+full duplex mode at this point.
+
+Fixes: 7e074d5a76ca ("gve: Enable Link Speed Reporting in the driver.")
+Signed-off-by: Junfeng Guo
+Reviewed-by: Leon Romanovsky
+Message-ID: <20230706044128.2726747-1-junfeng.guo@intel.com>
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/google/gve/gve_ethtool.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_ethtool.c b/drivers/net/ethernet/google/gve/gve_ethtool.c
+index e0449cc24fbdb..cbfd007449351 100644
+--- a/drivers/net/ethernet/google/gve/gve_ethtool.c
++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c
+@@ -516,6 +516,9 @@ static int gve_get_link_ksettings(struct net_device *netdev,
+ err = gve_adminq_report_link_speed(priv);
+
+ cmd->base.speed = priv->link_speed;
++
++ cmd->base.duplex = DUPLEX_FULL;
++
+ return err;
+ }
+
+--
+2.39.2
+
diff --git a/tmp-5.10/hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch b/tmp-5.10/hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch
new file mode 100644
index 00000000000..745d5b2830c
--- /dev/null
+++ b/tmp-5.10/hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch
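Review bot: `cmd->base.duplex = DUPLEX_FULL;` in gve_get_link_ksettings() is assigned unconditionally, including when gve_adminq_report_link_speed() has just returned an error and, presumably, when the link is down. Ethtool drivers commonly report `DUPLEX_UNKNOWN` in those states; if that applies here, `cmd->base.duplex = netif_carrier_ok(netdev) ? DUPLEX_FULL : DUPLEX_UNKNOWN;` would avoid advertising a duplex for a link that is not up. The start of the function is outside the hunk, so whether carrier state is already handled earlier cannot be seen from here.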
@@ -0,0 +1,34 @@
+From 5fe251112646d8626818ea90f7af325bab243efa Mon Sep 17 00:00:00 2001
+From: Mike Hommey
+Date: Sun, 18 Jun 2023 08:09:57 +0900
+Subject: HID: logitech-hidpp: add HIDPP_QUIRK_DELAYED_INIT for the T651.
+
+From: Mike Hommey
+
+commit 5fe251112646d8626818ea90f7af325bab243efa upstream.
+
+commit 498ba2069035 ("HID: logitech-hidpp: Don't restart communication if
+not necessary") put restarting communication behind that flag, and this
+was apparently necessary on the T651, but the flag was not set for it.
+
+Fixes: 498ba2069035 ("HID: logitech-hidpp: Don't restart communication if not necessary")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Hommey
+Link: https://lore.kernel.org/r/20230617230957.6mx73th4blv7owqk@glandium.org
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-logitech-hidpp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -4009,7 +4009,7 @@ static const struct hid_device_id hidpp_
+ { /* wireless touchpad T651 */
+ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH,
+ USB_DEVICE_ID_LOGITECH_T651),
+- .driver_data = HIDPP_QUIRK_CLASS_WTP },
++ .driver_data = HIDPP_QUIRK_CLASS_WTP | HIDPP_QUIRK_DELAYED_INIT },
+ { /* Mouse Logitech Anywhere MX */
+ LDJ_DEVICE(0x1017), .driver_data = HIDPP_QUIRK_HI_RES_SCROLL_1P0 },
+ { /* Mouse Logitech Cube */
diff --git a/tmp-5.10/hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch b/tmp-5.10/hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch
new file mode 100644
index 00000000000..717dded5790
--- /dev/null
+++ b/tmp-5.10/hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch
@@ -0,0 +1,70 @@ +From 9a6c0e28e215535b2938c61ded54603b4e5814c5 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Thu, 8 Jun 2023 14:38:28 -0700 +Subject: HID: wacom: Use ktime_t rather than int when dealing with timestamps + +From: Jason Gerecke + +commit 9a6c0e28e215535b2938c61ded54603b4e5814c5 upstream. + +Code which interacts with timestamps needs to use the ktime_t type +returned by functions like ktime_get. The int type does not offer +enough space to store these values, and attempting to use it is a +recipe for problems. In this particular case, overflows would occur +when calculating/storing timestamps leading to incorrect values being +reported to userspace. In some cases these bad timestamps cause input +handling in userspace to appear hung. + +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/901 +Fixes: 17d793f3ed53 ("HID: wacom: insert timestamp to packed Bluetooth (BT) events") +CC: stable@vger.kernel.org +Signed-off-by: Jason Gerecke +Reviewed-by: Benjamin Tissoires +Link: https://lore.kernel.org/r/20230608213828.2108-1-jason.gerecke@wacom.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_wac.c | 6 +++--- + drivers/hid/wacom_wac.h | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -1307,7 +1307,7 @@ static void wacom_intuos_pro2_bt_pen(str + struct input_dev *pen_input = wacom->pen_input; + unsigned char *data = wacom->data; + int number_of_valid_frames = 0; +- int time_interval = 15000000; ++ ktime_t time_interval = 15000000; + ktime_t time_packet_received = ktime_get(); + int i; + +@@ -1341,7 +1341,7 @@ static void wacom_intuos_pro2_bt_pen(str + if (number_of_valid_frames) { + if (wacom->hid_data.time_delayed) + time_interval = ktime_get() - wacom->hid_data.time_delayed; +- time_interval /= number_of_valid_frames; ++ time_interval = div_u64(time_interval, number_of_valid_frames); + wacom->hid_data.time_delayed 
= time_packet_received; + } + +@@ -1352,7 +1352,7 @@ static void wacom_intuos_pro2_bt_pen(str + bool range = frame[0] & 0x20; + bool invert = frame[0] & 0x10; + int frames_number_reversed = number_of_valid_frames - i - 1; +- int event_timestamp = time_packet_received - frames_number_reversed * time_interval; ++ ktime_t event_timestamp = time_packet_received - frames_number_reversed * time_interval; + + if (!valid) + continue; +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -320,7 +320,7 @@ struct hid_data { + int bat_connected; + int ps_connected; + bool pad_input_event_flag; +- int time_delayed; ++ ktime_t time_delayed; + }; + + struct wacom_remote_data { diff --git a/tmp-5.10/hwmon-adm1275-allow-setting-sample-averaging.patch b/tmp-5.10/hwmon-adm1275-allow-setting-sample-averaging.patch new file mode 100644 index 00000000000..32bdf9cee1e --- /dev/null +++ b/tmp-5.10/hwmon-adm1275-allow-setting-sample-averaging.patch 
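Review bot: `time_interval = div_u64(time_interval, number_of_valid_frames);` in wacom_intuos_pro2_bt_pen() hands a signed ktime_t to a helper whose dividend is unsigned, so a negative result from `ktime_get() - wacom->hid_data.time_delayed` would become a very large interval rather than a small negative one. That should not occur with a monotonic clock and a previously stored timestamp, but `time_interval = ktime_divns(time_interval, number_of_valid_frames);` keeps the arithmetic signed and matches the new type. The initial value `15000000` would also read better as `15 * NSEC_PER_MSEC`, since nothing nearby states the unit. Only parts of the function are visible in these hunks.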
@@ -0,0 +1,94 @@ +From 6dce6ecfd6901dba4cf79b2165da2facac6240d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Mar 2022 20:38:16 +0800 +Subject: hwmon: (adm1275) Allow setting sample averaging + +From: Potin Lai + +[ Upstream commit a3cd66d7cbadcc0c29884f25b754fd22699c719c ] + +Current driver assume PWR_AVG and VI_AVG as 1 by default, and user needs +to set sample averaging via sysfs manually. + +This patch parses the properties "adi,power-sample-average" and +"adi,volt-curr-sample-average" from device tree, and setting sample +averaging during probe. Input value must be one of value in the +list [1, 2, 4, 8, 16, 32, 64, 128]. + +Signed-off-by: Potin Lai +Link: https://lore.kernel.org/r/20220302123817.27025-2-potin.lai@quantatw.com +Signed-off-by: Guenter Roeck +Stable-dep-of: b153a0bb4199 ("hwmon: (pmbus/adm1275) Fix problems with temperature monitoring on ADM1272") +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/adm1275.c | 40 ++++++++++++++++++++++++++++++++++- + 1 file changed, 39 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/pmbus/adm1275.c b/drivers/hwmon/pmbus/adm1275.c +index 0be1b5777d2f0..92eb047ff246f 100644 +--- a/drivers/hwmon/pmbus/adm1275.c ++++ b/drivers/hwmon/pmbus/adm1275.c +@@ -475,6 +475,7 @@ static int adm1275_probe(struct i2c_client *client) + int vindex = -1, voindex = -1, cindex = -1, pindex = -1; + int tindex = -1; + u32 shunt; ++ u32 avg; + + if (!i2c_check_functionality(client->adapter, + I2C_FUNC_SMBUS_READ_BYTE_DATA +@@ -687,7 +688,7 @@ static int adm1275_probe(struct i2c_client *client) + if ((config & (ADM1278_VOUT_EN | ADM1278_TEMP1_EN)) != + (ADM1278_VOUT_EN | ADM1278_TEMP1_EN)) { + config |= ADM1278_VOUT_EN | ADM1278_TEMP1_EN; +- ret = i2c_smbus_write_byte_data(client, ++ ret = i2c_smbus_write_word_data(client, + ADM1275_PMON_CONFIG, + config); + if (ret < 0) { +@@ -756,6 +757,43 @@ static int adm1275_probe(struct i2c_client *client) + return -ENODEV; + } + ++ if (data->have_power_sampling && ++ 
of_property_read_u32(client->dev.of_node, ++ "adi,power-sample-average", &avg) == 0) { ++ if (!avg || avg > ADM1275_SAMPLES_AVG_MAX || ++ BIT(__fls(avg)) != avg) { ++ dev_err(&client->dev, ++ "Invalid number of power samples"); ++ return -EINVAL; ++ } ++ ret = adm1275_write_pmon_config(data, client, true, ++ ilog2(avg)); ++ if (ret < 0) { ++ dev_err(&client->dev, ++ "Setting power sample averaging failed with error %d", ++ ret); ++ return ret; ++ } ++ } ++ ++ if (of_property_read_u32(client->dev.of_node, ++ "adi,volt-curr-sample-average", &avg) == 0) { ++ if (!avg || avg > ADM1275_SAMPLES_AVG_MAX || ++ BIT(__fls(avg)) != avg) { ++ dev_err(&client->dev, ++ "Invalid number of voltage/current samples"); ++ return -EINVAL; ++ } ++ ret = adm1275_write_pmon_config(data, client, false, ++ ilog2(avg)); ++ if (ret < 0) { ++ dev_err(&client->dev, ++ "Setting voltage and current sample averaging failed with error %d", ++ ret); ++ return ret; ++ } ++ } ++ + if (voindex < 0) + voindex = vindex; + if (vindex >= 0) { +-- +2.39.2 + diff --git a/tmp-5.10/hwmon-adm1275-enable-adm1272-temperature-reporting.patch b/tmp-5.10/hwmon-adm1275-enable-adm1272-temperature-reporting.patch new file mode 100644 index 00000000000..0d1b94144c1 --- /dev/null +++ b/tmp-5.10/hwmon-adm1275-enable-adm1272-temperature-reporting.patch 
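Review bot: The two new device-tree checks in adm1275_probe() spell the power-of-two test as `!avg || avg > ADM1275_SAMPLES_AVG_MAX || BIT(__fls(avg)) != avg`, once for "adi,power-sample-average" and again for "adi,volt-curr-sample-average". `if (!is_power_of_2(avg) || avg > ADM1275_SAMPLES_AVG_MAX)` expresses the same condition (is_power_of_2() is false for 0) and is harder to get subtly wrong in one of the copies. The four added dev_err() strings also lack the trailing `\n` that the existing "Failed to enable VOUT monitoring\n" message in this function has, e.g. `"Invalid number of power samples\n"`. adm1275_probe() begins and ends outside these hunks.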
@@ -0,0 +1,65 @@ +From 0c0b7009ecd50f2663ebeecc2f294fd680f2b3f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 17:10:43 +0000 +Subject: hwmon: (adm1275) enable adm1272 temperature reporting + +From: Chu Lin + +[ Upstream commit 9da9c2dc57b2fa2e65521894cb66df4bf615214d ] + +adm1272 supports temperature reporting but it is disabled by default. + +Tested: +ls temp1_* +temp1_crit temp1_highest temp1_max +temp1_crit_alarm temp1_input temp1_max_alarm + +cat temp1_input +26642 + +Signed-off-by: Chu Lin +Link: https://lore.kernel.org/r/20210512171043.2433694-1-linchuyuan@google.com +[groeck: Updated subject to reflect correct driver] +Signed-off-by: Guenter Roeck +Stable-dep-of: b153a0bb4199 ("hwmon: (pmbus/adm1275) Fix problems with temperature monitoring on ADM1272") +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/adm1275.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/drivers/hwmon/pmbus/adm1275.c b/drivers/hwmon/pmbus/adm1275.c +index e7997f37b2666..0be1b5777d2f0 100644 +--- a/drivers/hwmon/pmbus/adm1275.c ++++ b/drivers/hwmon/pmbus/adm1275.c +@@ -611,11 +611,13 @@ static int adm1275_probe(struct i2c_client *client) + tindex = 8; + + info->func[0] |= PMBUS_HAVE_PIN | PMBUS_HAVE_STATUS_INPUT | +- PMBUS_HAVE_VOUT | PMBUS_HAVE_STATUS_VOUT; ++ PMBUS_HAVE_VOUT | PMBUS_HAVE_STATUS_VOUT | ++ PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP; + +- /* Enable VOUT if not enabled (it is disabled by default) */ +- if (!(config & ADM1278_VOUT_EN)) { +- config |= ADM1278_VOUT_EN; ++ /* Enable VOUT & TEMP1 if not enabled (disabled by default) */ ++ if ((config & (ADM1278_VOUT_EN | ADM1278_TEMP1_EN)) != ++ (ADM1278_VOUT_EN | ADM1278_TEMP1_EN)) { ++ config |= ADM1278_VOUT_EN | ADM1278_TEMP1_EN; + ret = i2c_smbus_write_byte_data(client, + ADM1275_PMON_CONFIG, + config); +@@ -625,10 +627,6 @@ static int adm1275_probe(struct i2c_client *client) + return -ENODEV; + } + } +- +- if (config & ADM1278_TEMP1_EN) +- info->func[0] |= +- 
PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP; + if (config & ADM1278_VIN_EN) + info->func[0] |= PMBUS_HAVE_VIN; + break; +-- +2.39.2 + diff --git a/tmp-5.10/hwmon-gsc-hwmon-fix-fan-pwm-temperature-scaling.patch b/tmp-5.10/hwmon-gsc-hwmon-fix-fan-pwm-temperature-scaling.patch new file mode 100644 index 00000000000..e7a68d681eb --- /dev/null +++ b/tmp-5.10/hwmon-gsc-hwmon-fix-fan-pwm-temperature-scaling.patch 
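Review bot: The rewritten enable block in this branch of adm1275_probe() still updates ADM1275_PMON_CONFIG with `i2c_smbus_write_byte_data()`, and now does so whenever TEMP1 is not yet enabled rather than only when VOUT is off. The follow-up patch in this same queue (upstream b153a0bb4199, named in the Stable-dep-of trailer) states that PMON_CONFIG is a 16-bit register on the ADM1272 and that an 8-bit write clears its upper half, so this backport should not be applied or released without that patch. The error text `"Failed to enable VOUT monitoring\n"` also no longer describes the write, which now covers TEMP1 as well. The enclosing switch case starts outside the hunk.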
@@ -0,0 +1,48 @@
+From f25316d6adfc6d3a70b958e068628015d8d028d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 08:30:04 -0700
+Subject: hwmon: (gsc-hwmon) fix fan pwm temperature scaling
+
+From: Tim Harvey
+
+[ Upstream commit a6d80df47ee2c69db99e4f2f8871aa4db154620b ]
+
+The GSC fan pwm temperature register is in centidegrees celcius but the
+Linux hwmon convention is to use milidegrees celcius. Fix the scaling.
+
+Fixes: 3bce5377ef66 ("hwmon: Add Gateworks System Controller support")
+Signed-off-by: Tim Harvey
+Link: https://lore.kernel.org/r/20230606153004.1448086-1-tharvey@gateworks.com
+Signed-off-by: Guenter Roeck
+Signed-off-by: Sasha Levin
+---
+ drivers/hwmon/gsc-hwmon.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hwmon/gsc-hwmon.c b/drivers/hwmon/gsc-hwmon.c
+index f29ce49294daf..89d036bf88df7 100644
+--- a/drivers/hwmon/gsc-hwmon.c
++++ b/drivers/hwmon/gsc-hwmon.c
+@@ -82,8 +82,8 @@ static ssize_t pwm_auto_point_temp_store(struct device *dev,
+ if (kstrtol(buf, 10, &temp))
+ return -EINVAL;
+
+- temp = clamp_val(temp, 0, 10000);
+- temp = DIV_ROUND_CLOSEST(temp, 10);
++ temp = clamp_val(temp, 0, 100000);
++ temp = DIV_ROUND_CLOSEST(temp, 100);
+
+ regs[0] = temp & 0xff;
+ regs[1] = (temp >> 8) & 0xff;
+@@ -100,7 +100,7 @@ static ssize_t pwm_auto_point_pwm_show(struct device *dev,
+ {
+ struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
+
+- return sprintf(buf, "%d\n", 255 * (50 + (attr->index * 10)) / 100);
++ return sprintf(buf, "%d\n", 255 * (50 + (attr->index * 10)));
+ }
+
+ static SENSOR_DEVICE_ATTR_RO(pwm1_auto_point1_pwm, pwm_auto_point_pwm, 0);
+--
+2.39.2
+
diff --git a/tmp-5.10/hwmon-pmbus-adm1275-fix-problems-with-temperature-mo.patch b/tmp-5.10/hwmon-pmbus-adm1275-fix-problems-with-temperature-mo.patch
new file mode 100644
index 00000000000..3e83a6dbccc
--- /dev/null
+++ b/tmp-5.10/hwmon-pmbus-adm1275-fix-problems-with-temperature-mo.patch
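Review bot: The second hunk drops the `/ 100` from pwm_auto_point_pwm_show(), so the attribute now prints `255 * (50 + attr->index * 10)`, which is 12750 or more, instead of a PWM value in the 0-255 range. The commit message describes only the temperature scaling in pwm_auto_point_temp_store(), so this looks unintended; the line should stay `return sprintf(buf, "%d\n", 255 * (50 + (attr->index * 10)) / 100);`. The store-side change (clamp to 100000, divide by 100) is consistent with the centidegree register the message describes.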
@@ -0,0 +1,128 @@ +From 26275eeecfd6a64675eea200d88f78bfe98b2d2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 14:34:47 -0700 +Subject: hwmon: (pmbus/adm1275) Fix problems with temperature monitoring on + ADM1272 + +From: Guenter Roeck + +[ Upstream commit b153a0bb4199566abd337119207f82b59a8cd1ca ] + +The PMON_CONFIG register on ADM1272 is a 16 bit register. Writing a 8 bit +value into it clears the upper 8 bits of the register, resulting in +unexpected side effects. Fix by writing the 16 bit register value. + +Also, it has been reported that temperature readings are sometimes widely +inaccurate, to the point where readings may result in device shutdown due +to errant overtemperature faults. Improve by enabling temperature sampling. + +While at it, move the common code for ADM1272 and ADM1278 into a separate +function, and clarify in the error message that an attempt was made to +enable both VOUT and temperature monitoring. + +Last but not least, return the error code reported by the underlying I2C +controller and not -ENODEV if updating the PMON_CONFIG register fails. +After all, this does not indicate that the chip is not present, but an +error in the communication with the chip. 
+ +Fixes: 4ff0ce227a1e ("hwmon: (pmbus/adm1275) Add support for ADM1272") +Fixes: 9da9c2dc57b2 ("hwmon: (adm1275) enable adm1272 temperature reporting") +Signed-off-by: Guenter Roeck +Link: https://lore.kernel.org/r/20230602213447.3557346-1-linux@roeck-us.net +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/adm1275.c | 52 +++++++++++++++++------------------ + 1 file changed, 26 insertions(+), 26 deletions(-) + +diff --git a/drivers/hwmon/pmbus/adm1275.c b/drivers/hwmon/pmbus/adm1275.c +index 92eb047ff246f..c0618205758e9 100644 +--- a/drivers/hwmon/pmbus/adm1275.c ++++ b/drivers/hwmon/pmbus/adm1275.c +@@ -37,10 +37,13 @@ enum chips { adm1075, adm1272, adm1275, adm1276, adm1278, adm1293, adm1294 }; + + #define ADM1272_IRANGE BIT(0) + ++#define ADM1278_TSFILT BIT(15) + #define ADM1278_TEMP1_EN BIT(3) + #define ADM1278_VIN_EN BIT(2) + #define ADM1278_VOUT_EN BIT(1) + ++#define ADM1278_PMON_DEFCONFIG (ADM1278_VOUT_EN | ADM1278_TEMP1_EN | ADM1278_TSFILT) ++ + #define ADM1293_IRANGE_25 0 + #define ADM1293_IRANGE_50 BIT(6) + #define ADM1293_IRANGE_100 BIT(7) +@@ -462,6 +465,22 @@ static const struct i2c_device_id adm1275_id[] = { + }; + MODULE_DEVICE_TABLE(i2c, adm1275_id); + ++/* Enable VOUT & TEMP1 if not enabled (disabled by default) */ ++static int adm1275_enable_vout_temp(struct i2c_client *client, int config) ++{ ++ int ret; ++ ++ if ((config & ADM1278_PMON_DEFCONFIG) != ADM1278_PMON_DEFCONFIG) { ++ config |= ADM1278_PMON_DEFCONFIG; ++ ret = i2c_smbus_write_word_data(client, ADM1275_PMON_CONFIG, config); ++ if (ret < 0) { ++ dev_err(&client->dev, "Failed to enable VOUT/TEMP1 monitoring\n"); ++ return ret; ++ } ++ } ++ return 0; ++} ++ + static int adm1275_probe(struct i2c_client *client) + { + s32 (*config_read_fn)(const struct i2c_client *client, u8 reg); +@@ -615,19 +634,10 @@ static int adm1275_probe(struct i2c_client *client) + PMBUS_HAVE_VOUT | PMBUS_HAVE_STATUS_VOUT | + PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP; + +- /* Enable 
VOUT & TEMP1 if not enabled (disabled by default) */ +- if ((config & (ADM1278_VOUT_EN | ADM1278_TEMP1_EN)) != +- (ADM1278_VOUT_EN | ADM1278_TEMP1_EN)) { +- config |= ADM1278_VOUT_EN | ADM1278_TEMP1_EN; +- ret = i2c_smbus_write_byte_data(client, +- ADM1275_PMON_CONFIG, +- config); +- if (ret < 0) { +- dev_err(&client->dev, +- "Failed to enable VOUT monitoring\n"); +- return -ENODEV; +- } +- } ++ ret = adm1275_enable_vout_temp(client, config); ++ if (ret) ++ return ret; ++ + if (config & ADM1278_VIN_EN) + info->func[0] |= PMBUS_HAVE_VIN; + break; +@@ -684,19 +694,9 @@ static int adm1275_probe(struct i2c_client *client) + PMBUS_HAVE_VOUT | PMBUS_HAVE_STATUS_VOUT | + PMBUS_HAVE_TEMP | PMBUS_HAVE_STATUS_TEMP; + +- /* Enable VOUT & TEMP1 if not enabled (disabled by default) */ +- if ((config & (ADM1278_VOUT_EN | ADM1278_TEMP1_EN)) != +- (ADM1278_VOUT_EN | ADM1278_TEMP1_EN)) { +- config |= ADM1278_VOUT_EN | ADM1278_TEMP1_EN; +- ret = i2c_smbus_write_word_data(client, +- ADM1275_PMON_CONFIG, +- config); +- if (ret < 0) { +- dev_err(&client->dev, +- "Failed to enable VOUT monitoring\n"); +- return -ENODEV; +- } +- } ++ ret = adm1275_enable_vout_temp(client, config); ++ if (ret) ++ return ret; + + if (config & ADM1278_VIN_EN) + info->func[0] |= PMBUS_HAVE_VIN; +-- +2.39.2 + diff --git a/tmp-5.10/hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch b/tmp-5.10/hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch new file mode 100644 index 00000000000..5b05790584c --- /dev/null +++ b/tmp-5.10/hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch 
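Review bot: adm1275_enable_vout_temp() writes `config` back with `i2c_smbus_write_word_data()`, which is only safe if the caller obtained `config` with a 16-bit read, and these hunks do not show which `config_read_fn` the two calling branches use. If either branch read a single byte, the word write would zero every upper bit except ADM1278_TSFILT, the same kind of side effect this patch sets out to remove. The helper's comment should state that precondition and mention the extra bit, for example `/* Enable VOUT, TEMP1 and TSFILT if not all set; config must be the full 16-bit PMON_CONFIG value */`. adm1275_probe() itself extends beyond the hunks shown.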
@@ -0,0 +1,45 @@
+From d744ae7477190967a3ddc289e2cd4ae59e8b1237 Mon Sep 17 00:00:00 2001
+From: Martin Kaiser
+Date: Thu, 15 Jun 2023 15:49:59 +0100
+Subject: hwrng: imx-rngc - fix the timeout for init and self check
+
+From: Martin Kaiser
+
+commit d744ae7477190967a3ddc289e2cd4ae59e8b1237 upstream.
+
+Fix the timeout that is used for the initialisation and for the self
+test. wait_for_completion_timeout expects a timeout in jiffies, but
+RNGC_TIMEOUT is in milliseconds. Call msecs_to_jiffies to do the
+conversion.
+
+Cc: stable@vger.kernel.org
+Fixes: 1d5449445bd0 ("hwrng: mx-rngc - add a driver for Freescale RNGC")
+Signed-off-by: Martin Kaiser
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/hw_random/imx-rngc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/hw_random/imx-rngc.c
++++ b/drivers/char/hw_random/imx-rngc.c
+@@ -110,7 +110,7 @@ static int imx_rngc_self_test(struct imx
+ cmd = readl(rngc->base + RNGC_COMMAND);
+ writel(cmd | RNGC_CMD_SELF_TEST, rngc->base + RNGC_COMMAND);
+
+- ret = wait_for_completion_timeout(&rngc->rng_op_done, RNGC_TIMEOUT);
++ ret = wait_for_completion_timeout(&rngc->rng_op_done, msecs_to_jiffies(RNGC_TIMEOUT));
+ imx_rngc_irq_mask_clear(rngc);
+ if (!ret)
+ return -ETIMEDOUT;
+@@ -187,9 +187,7 @@ static int imx_rngc_init(struct hwrng *r
+ cmd = readl(rngc->base + RNGC_COMMAND);
+ writel(cmd | RNGC_CMD_SEED, rngc->base + RNGC_COMMAND);
+
+- ret = wait_for_completion_timeout(&rngc->rng_op_done,
+- RNGC_TIMEOUT);
+-
++ ret = wait_for_completion_timeout(&rngc->rng_op_done, msecs_to_jiffies(RNGC_TIMEOUT));
+ if (!ret) {
+ ret = -ETIMEDOUT;
+ goto err;
diff --git a/tmp-5.10/hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch b/tmp-5.10/hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch
new file mode 100644
index 00000000000..2533211f3cd
--- /dev/null
+++ b/tmp-5.10/hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch
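Review bot: Both call sites now pass `msecs_to_jiffies(RNGC_TIMEOUT)`, but the macro name still carries no unit, which is what allowed a millisecond value to be handed to wait_for_completion_timeout() as jiffies in the first place. Renaming it `RNGC_TIMEOUT_MS`, or adding `/* milliseconds */` at its definition (outside these hunks), would make the next caller harder to get wrong. This matters on the self-test and seeding paths because, before the fix, how long the driver waited for the RNG hardware depended on the kernel's HZ setting. Both function bodies are only partly visible here.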
@@ -0,0 +1,96 @@ +From 77c49dc265cc96ffdd5b46cb08d8bc03ccd6ba56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 09:58:13 +0100 +Subject: hwrng: st - keep clock enabled while hwrng is registered + +From: Martin Kaiser + +[ Upstream commit 501e197a02d4aef157f53ba3a0b9049c3e52fedc ] + +The st-rng driver uses devres to register itself with the hwrng core, +the driver will be unregistered from hwrng when its device goes out of +scope. This happens after the driver's remove function is called. + +However, st-rng's clock is disabled in the remove function. There's a +short timeframe where st-rng is still registered with the hwrng core +although its clock is disabled. I suppose the clock must be active to +access the hardware and serve requests from the hwrng core. + +Switch to devm_clk_get_enabled and let devres disable the clock and +unregister the hwrng. This avoids the race condition. + +Fixes: 3e75241be808 ("hwrng: drivers - Use device-managed registration API") +Signed-off-by: Martin Kaiser +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/st-rng.c | 21 +-------------------- + 1 file changed, 1 insertion(+), 20 deletions(-) + +diff --git a/drivers/char/hw_random/st-rng.c b/drivers/char/hw_random/st-rng.c +index 15ba1e6fae4d2..6e9dfac9fc9f4 100644 +--- a/drivers/char/hw_random/st-rng.c ++++ b/drivers/char/hw_random/st-rng.c +@@ -42,7 +42,6 @@ + + struct st_rng_data { + void __iomem *base; +- struct clk *clk; + struct hwrng ops; + }; + +@@ -85,26 +84,18 @@ static int st_rng_probe(struct platform_device *pdev) + if (IS_ERR(base)) + return PTR_ERR(base); + +- clk = devm_clk_get(&pdev->dev, NULL); ++ clk = devm_clk_get_enabled(&pdev->dev, NULL); + if (IS_ERR(clk)) + return PTR_ERR(clk); + +- ret = clk_prepare_enable(clk); +- if (ret) +- return ret; +- + ddata->ops.priv = (unsigned long)ddata; + ddata->ops.read = st_rng_read; + ddata->ops.name = pdev->name; + ddata->base = base; +- ddata->clk = clk; +- +- 
dev_set_drvdata(&pdev->dev, ddata); + + ret = devm_hwrng_register(&pdev->dev, &ddata->ops); + if (ret) { + dev_err(&pdev->dev, "Failed to register HW RNG\n"); +- clk_disable_unprepare(clk); + return ret; + } + +@@ -113,15 +104,6 @@ static int st_rng_probe(struct platform_device *pdev) + return 0; + } + +-static int st_rng_remove(struct platform_device *pdev) +-{ +- struct st_rng_data *ddata = dev_get_drvdata(&pdev->dev); +- +- clk_disable_unprepare(ddata->clk); +- +- return 0; +-} +- + static const struct of_device_id st_rng_match[] __maybe_unused = { + { .compatible = "st,rng" }, + {}, +@@ -134,7 +116,6 @@ static struct platform_driver st_rng_driver = { + .of_match_table = of_match_ptr(st_rng_match), + }, + .probe = st_rng_probe, +- .remove = st_rng_remove + }; + + module_platform_driver(st_rng_driver); +-- +2.39.2 + diff --git a/tmp-5.10/hwrng-virtio-add-an-internal-buffer.patch b/tmp-5.10/hwrng-virtio-add-an-internal-buffer.patch new file mode 100644 index 00000000000..a740cf2f78f --- /dev/null +++ b/tmp-5.10/hwrng-virtio-add-an-internal-buffer.patch 
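Review bot: In st_rng_probe() the fix depends on devres releasing resources in reverse order of registration, and nothing in the new code says so. Because devm_clk_get_enabled() is called before devm_hwrng_register(), the hwrng is unregistered before the clock is disabled; reordering the two calls later would silently bring the window back. A comment at the clock call would record this, e.g. `/* must stay before devm_hwrng_register(): devres unwinds in reverse order */`. Since this is queued for 5.10, it is also worth confirming that devm_clk_get_enabled() exists in that tree; from memory, not from anything on this page, the helper is newer than 5.10.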
@@ -0,0 +1,127 @@ +From cf1206c3cb516b6a5d22d5a8452a679feed45d1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:08 +0200 +Subject: hwrng: virtio - add an internal buffer + +From: Laurent Vivier + +[ Upstream commit bf3175bc50a3754dc427e2f5046e17a9fafc8be7 ] + +hwrng core uses two buffers that can be mixed in the +virtio-rng queue. + +If the buffer is provided with wait=0 it is enqueued in the +virtio-rng queue but unused by the caller. +On the next call, core provides another buffer but the +first one is filled instead and the new one queued. +And the caller reads the data from the new one that is not +updated, and the data in the first one are lost. + +To avoid this mix, virtio-rng needs to use its own unique +internal buffer at a cost of a data copy to the caller buffer. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-2-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 43 ++++++++++++++++++++++------- + 1 file changed, 33 insertions(+), 10 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index a90001e02bf7a..208c547dcac16 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -18,13 +18,20 @@ static DEFINE_IDA(rng_index_ida); + struct virtrng_info { + struct hwrng hwrng; + struct virtqueue *vq; +- struct completion have_data; + char name[25]; +- unsigned int data_avail; + int index; + bool busy; + bool hwrng_register_done; + bool hwrng_removed; ++ /* data transfer */ ++ struct completion have_data; ++ unsigned int data_avail; ++ /* minimal size returned by rng_buffer_size() */ ++#if SMP_CACHE_BYTES < 32 ++ u8 data[32]; ++#else ++ u8 data[SMP_CACHE_BYTES]; ++#endif + }; + + static void random_recv_done(struct virtqueue *vq) +@@ -39,14 +46,14 
@@ static void random_recv_done(struct virtqueue *vq) + } + + /* The host will fill any buffer we give it with sweet, sweet randomness. */ +-static void register_buffer(struct virtrng_info *vi, u8 *buf, size_t size) ++static void register_buffer(struct virtrng_info *vi) + { + struct scatterlist sg; + +- sg_init_one(&sg, buf, size); ++ sg_init_one(&sg, vi->data, sizeof(vi->data)); + + /* There should always be room for one buffer. */ +- virtqueue_add_inbuf(vi->vq, &sg, 1, buf, GFP_KERNEL); ++ virtqueue_add_inbuf(vi->vq, &sg, 1, vi->data, GFP_KERNEL); + + virtqueue_kick(vi->vq); + } +@@ -55,6 +62,8 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + { + int ret; + struct virtrng_info *vi = (struct virtrng_info *)rng->priv; ++ unsigned int chunk; ++ size_t read; + + if (vi->hwrng_removed) + return -ENODEV; +@@ -62,19 +71,33 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + if (!vi->busy) { + vi->busy = true; + reinit_completion(&vi->have_data); +- register_buffer(vi, buf, size); ++ register_buffer(vi); + } + + if (!wait) + return 0; + +- ret = wait_for_completion_killable(&vi->have_data); +- if (ret < 0) +- return ret; ++ read = 0; ++ while (size != 0) { ++ ret = wait_for_completion_killable(&vi->have_data); ++ if (ret < 0) ++ return ret; ++ ++ chunk = min_t(unsigned int, size, vi->data_avail); ++ memcpy(buf + read, vi->data, chunk); ++ read += chunk; ++ size -= chunk; ++ vi->data_avail = 0; ++ ++ if (size != 0) { ++ reinit_completion(&vi->have_data); ++ register_buffer(vi); ++ } ++ } + + vi->busy = false; + +- return vi->data_avail; ++ return read; + } + + static void virtio_cleanup(struct hwrng *rng) +-- +2.39.2 + diff --git a/tmp-5.10/hwrng-virtio-always-add-a-pending-request.patch b/tmp-5.10/hwrng-virtio-always-add-a-pending-request.patch new file mode 100644 index 00000000000..fbe14dad9b7 --- /dev/null +++ b/tmp-5.10/hwrng-virtio-always-add-a-pending-request.patch 
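Review bot: register_buffer() discards the result of `virtqueue_add_inbuf(vi->vq, &sg, 1, vi->data, GFP_KERNEL)`, so the new `while (size != 0)` loop in virtio_read() can block on a buffer that was never queued. The comment says there should always be room for one buffer, but if the add fails the reader sits in wait_for_completion_killable() until it is killed. Letting register_buffer() return the error and having virtio_read() pass it on would turn that into a visible failure, starting from `ret = virtqueue_add_inbuf(vi->vq, &sg, 1, vi->data, GFP_KERNEL);`. The body of virtio_read() starts before the visible hunk.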
@@ -0,0 +1,111 @@ +From a4ef1bf50da23c50ffc9b011e4d22f19f95af67a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:11 +0200 +Subject: hwrng: virtio - always add a pending request + +From: Laurent Vivier + +[ Upstream commit 9a4b612d675b03f7fc9fa1957ca399c8223f3954 ] + +If we ensure we have already some data available by enqueuing +again the buffer once data are exhausted, we can return what we +have without waiting for the device answer. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-5-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 8ba97cf4ca8fb..0a7dde135db19 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -20,7 +20,6 @@ struct virtrng_info { + struct virtqueue *vq; + char name[25]; + int index; +- bool busy; + bool hwrng_register_done; + bool hwrng_removed; + /* data transfer */ +@@ -44,16 +43,18 @@ static void random_recv_done(struct virtqueue *vq) + return; + + vi->data_idx = 0; +- vi->busy = false; + + complete(&vi->have_data); + } + +-/* The host will fill any buffer we give it with sweet, sweet randomness. */ +-static void register_buffer(struct virtrng_info *vi) ++static void request_entropy(struct virtrng_info *vi) + { + struct scatterlist sg; + ++ reinit_completion(&vi->have_data); ++ vi->data_avail = 0; ++ vi->data_idx = 0; ++ + sg_init_one(&sg, vi->data, sizeof(vi->data)); + + /* There should always be room for one buffer. 
*/ +@@ -69,6 +70,8 @@ static unsigned int copy_data(struct virtrng_info *vi, void *buf, + memcpy(buf, vi->data + vi->data_idx, size); + vi->data_idx += size; + vi->data_avail -= size; ++ if (vi->data_avail == 0) ++ request_entropy(vi); + return size; + } + +@@ -98,13 +101,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + * so either size is 0 or data_avail is 0 + */ + while (size != 0) { +- /* data_avail is 0 */ +- if (!vi->busy) { +- /* no pending request, ask for more */ +- vi->busy = true; +- reinit_completion(&vi->have_data); +- register_buffer(vi); +- } ++ /* data_avail is 0 but a request is pending */ + ret = wait_for_completion_killable(&vi->have_data); + if (ret < 0) + return ret; +@@ -126,8 +123,7 @@ static void virtio_cleanup(struct hwrng *rng) + { + struct virtrng_info *vi = (struct virtrng_info *)rng->priv; + +- if (vi->busy) +- complete(&vi->have_data); ++ complete(&vi->have_data); + } + + static int probe_common(struct virtio_device *vdev) +@@ -163,6 +159,9 @@ static int probe_common(struct virtio_device *vdev) + goto err_find; + } + ++ /* we always have a pending entropy request */ ++ request_entropy(vi); ++ + return 0; + + err_find: +@@ -181,7 +180,6 @@ static void remove_common(struct virtio_device *vdev) + vi->data_idx = 0; + complete(&vi->have_data); + vdev->config->reset(vdev); +- vi->busy = false; + if (vi->hwrng_register_done) + hwrng_unregister(&vi->hwrng); + vdev->config->del_vqs(vdev); +-- +2.39.2 + diff --git a/tmp-5.10/hwrng-virtio-don-t-wait-on-cleanup.patch b/tmp-5.10/hwrng-virtio-don-t-wait-on-cleanup.patch new file mode 100644 index 00000000000..2e881dfedc5 --- /dev/null +++ b/tmp-5.10/hwrng-virtio-don-t-wait-on-cleanup.patch 
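Review bot: In probe_common() the new `request_entropy(vi);` comes directly after the virtqueue lookup, and no virtio_device_ready() call is visible between the two. The earlier patches on this page show the request path queueing a buffer and kicking the queue, so if the device has not been marked ready by then the driver is using the queue before DRIVER_OK is set. The rest of probe_common() is outside the hunk, so this needs confirming against the tree. Adding `virtio_device_ready(vdev);` immediately before the request would make the order explicit.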
@@ -0,0 +1,58 @@ +From e5c27d8f5dd76cd19bd01e31e5df496b21c4be20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:09 +0200 +Subject: hwrng: virtio - don't wait on cleanup + +From: Laurent Vivier + +[ Upstream commit 2bb31abdbe55742c89f4dc0cc26fcbc8467364f6 ] + +When virtio-rng device was dropped by the hwrng core we were forced +to wait the buffer to come back from the device to not have +remaining ongoing operation that could spoil the buffer. + +But now, as the buffer is internal to the virtio-rng we can release +the waiting loop immediately, the buffer will be retrieve and use +when the virtio-rng driver will be selected again. + +This avoids to hang on an rng_current write command if the virtio-rng +device is blocked by a lack of entropy. This allows to select +another entropy source if the current one is empty. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-3-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 208c547dcac16..173aeea835bb6 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -82,6 +82,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + ret = wait_for_completion_killable(&vi->have_data); + if (ret < 0) + return ret; ++ /* if vi->data_avail is 0, we have been interrupted ++ * by a cleanup, but buffer stays in the queue ++ */ ++ if (vi->data_avail == 0) ++ return read; + + chunk = min_t(unsigned int, size, vi->data_avail); + memcpy(buf + read, vi->data, chunk); +@@ -105,7 +110,7 @@ static void virtio_cleanup(struct hwrng *rng) + struct virtrng_info *vi = (struct virtrng_info *)rng->priv; + + if 
(vi->busy) +- wait_for_completion(&vi->have_data); ++ complete(&vi->have_data); + } + + static int probe_common(struct virtio_device *vdev) +-- +2.39.2 + diff --git a/tmp-5.10/hwrng-virtio-don-t-waste-entropy.patch b/tmp-5.10/hwrng-virtio-don-t-waste-entropy.patch new file mode 100644 index 00000000000..46dee150142 --- /dev/null +++ b/tmp-5.10/hwrng-virtio-don-t-waste-entropy.patch 
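Review bot: virtio_cleanup() now calls `complete(&vi->have_data)` whenever `busy` is set, whether or not a reader is blocked, and `busy` stays true afterwards. With no waiter the completion remains signalled, and as far as the visible lines show the next waiting virtio_read() skips `reinit_completion()`, which is only reached under `!vi->busy`. It then returns from wait_for_completion_killable() at once and, if the device has not answered yet, leaves through the new `data_avail == 0` check with zero bytes. That looks harmless, but the added comment only mentions cleanup; it could read `/* data_avail == 0: woken by cleanup or by a stale completion, the buffer is still queued */`.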
@@ -0,0 +1,130 @@ +From 25df29d220b89bf5b7a4a3087e091adddf5b3314 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:10 +0200 +Subject: hwrng: virtio - don't waste entropy + +From: Laurent Vivier + +[ Upstream commit 5c8e933050044d6dd2a000f9a5756ae73cbe7c44 ] + +if we don't use all the entropy available in the buffer, keep it +and use it later. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-4-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 52 +++++++++++++++++++---------- + 1 file changed, 35 insertions(+), 17 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 173aeea835bb6..8ba97cf4ca8fb 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -26,6 +26,7 @@ struct virtrng_info { + /* data transfer */ + struct completion have_data; + unsigned int data_avail; ++ unsigned int data_idx; + /* minimal size returned by rng_buffer_size() */ + #if SMP_CACHE_BYTES < 32 + u8 data[32]; +@@ -42,6 +43,9 @@ static void random_recv_done(struct virtqueue *vq) + if (!virtqueue_get_buf(vi->vq, &vi->data_avail)) + return; + ++ vi->data_idx = 0; ++ vi->busy = false; ++ + complete(&vi->have_data); + } + +@@ -58,6 +62,16 @@ static void register_buffer(struct virtrng_info *vi) + virtqueue_kick(vi->vq); + } + ++static unsigned int copy_data(struct virtrng_info *vi, void *buf, ++ unsigned int size) ++{ ++ size = min_t(unsigned int, size, vi->data_avail); ++ memcpy(buf, vi->data + vi->data_idx, size); ++ vi->data_idx += size; ++ vi->data_avail -= size; ++ return size; ++} ++ + static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + { + int ret; +@@ -68,17 +82,29 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + 
if (vi->hwrng_removed) + return -ENODEV; + +- if (!vi->busy) { +- vi->busy = true; +- reinit_completion(&vi->have_data); +- register_buffer(vi); ++ read = 0; ++ ++ /* copy available data */ ++ if (vi->data_avail) { ++ chunk = copy_data(vi, buf, size); ++ size -= chunk; ++ read += chunk; + } + + if (!wait) +- return 0; ++ return read; + +- read = 0; ++ /* We have already copied available entropy, ++ * so either size is 0 or data_avail is 0 ++ */ + while (size != 0) { ++ /* data_avail is 0 */ ++ if (!vi->busy) { ++ /* no pending request, ask for more */ ++ vi->busy = true; ++ reinit_completion(&vi->have_data); ++ register_buffer(vi); ++ } + ret = wait_for_completion_killable(&vi->have_data); + if (ret < 0) + return ret; +@@ -88,20 +114,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + if (vi->data_avail == 0) + return read; + +- chunk = min_t(unsigned int, size, vi->data_avail); +- memcpy(buf + read, vi->data, chunk); +- read += chunk; ++ chunk = copy_data(vi, buf + read, size); + size -= chunk; +- vi->data_avail = 0; +- +- if (size != 0) { +- reinit_completion(&vi->have_data); +- register_buffer(vi); +- } ++ read += chunk; + } + +- vi->busy = false; +- + return read; + } + +@@ -161,6 +178,7 @@ static void remove_common(struct virtio_device *vdev) + + vi->hwrng_removed = true; + vi->data_avail = 0; ++ vi->data_idx = 0; + complete(&vi->have_data); + vdev->config->reset(vdev); + vi->busy = false; +-- +2.39.2 + diff --git a/tmp-5.10/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch b/tmp-5.10/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch new file mode 100644 index 00000000000..f35e70a9938 --- /dev/null +++ b/tmp-5.10/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch 
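Review bot: copy_data() trusts `vi->data_avail`, which random_recv_done() fills straight from the length the device reports in `virtqueue_get_buf(vi->vq, &vi->data_avail)`, and nothing compares it with `sizeof(vi->data)`. Before this patch every memcpy() started at `vi->data` and was capped by the caller's `size`. Now leftover bytes are kept and `data_idx` advances across calls, so a device that reports more than the buffer holds makes `memcpy(buf, vi->data + vi->data_idx, size)` read past the array and return adjacent memory as random data. Clamping where the length is stored closes this: `vi->data_avail = min_t(unsigned int, vi->data_avail, sizeof(vi->data));` after the virtqueue_get_buf() check. The race-fix patch later on this page stores `len` the same way and would need the same bound.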
@@ -0,0 +1,86 @@ +From b069af228565e64e0ac0fe214167dd764103a3bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 11:59:32 +0800 +Subject: hwrng: virtio - Fix race on data_avail and actual data + +From: Herbert Xu + +[ Upstream commit ac52578d6e8d300dd50f790f29a24169b1edd26c ] + +The virtio rng device kicks off a new entropy request whenever the +data available reaches zero. When a new request occurs at the end +of a read operation, that is, when the result of that request is +only needed by the next reader, then there is a race between the +writing of the new data and the next reader. + +This is because there is no synchronisation whatsoever between the +writer and the reader. + +Fix this by writing data_avail with smp_store_release and reading +it with smp_load_acquire when we first enter read. The subsequent +reads are safe because they're either protected by the first load +acquire, or by the completion mechanism. + +Also remove the redundant zeroing of data_idx in random_recv_done +(data_idx must already be zero at this point) and data_avail in +request_entropy (ditto). + +Reported-by: syzbot+726dc8c62c3536431ceb@syzkaller.appspotmail.com +Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.") +Signed-off-by: Herbert Xu +Acked-by: Michael S. 
Tsirkin +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 0a7dde135db19..3a194eb3ce8ad 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -4,6 +4,7 @@ + * Copyright (C) 2007, 2008 Rusty Russell IBM Corporation + */ + ++#include + #include + #include + #include +@@ -37,13 +38,13 @@ struct virtrng_info { + static void random_recv_done(struct virtqueue *vq) + { + struct virtrng_info *vi = vq->vdev->priv; ++ unsigned int len; + + /* We can get spurious callbacks, e.g. shared IRQs + virtio_pci. */ +- if (!virtqueue_get_buf(vi->vq, &vi->data_avail)) ++ if (!virtqueue_get_buf(vi->vq, &len)) + return; + +- vi->data_idx = 0; +- ++ smp_store_release(&vi->data_avail, len); + complete(&vi->have_data); + } + +@@ -52,7 +53,6 @@ static void request_entropy(struct virtrng_info *vi) + struct scatterlist sg; + + reinit_completion(&vi->have_data); +- vi->data_avail = 0; + vi->data_idx = 0; + + sg_init_one(&sg, vi->data, sizeof(vi->data)); +@@ -88,7 +88,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + read = 0; + + /* copy available data */ +- if (vi->data_avail) { ++ if (smp_load_acquire(&vi->data_avail)) { + chunk = copy_data(vi, buf, size); + size -= chunk; + read += chunk; +-- +2.39.2 + diff --git a/tmp-5.10/i2c-qup-add-missing-unwind-goto-in-qup_i2c_probe.patch b/tmp-5.10/i2c-qup-add-missing-unwind-goto-in-qup_i2c_probe.patch new file mode 100644 index 00000000000..861849709a3 --- /dev/null +++ b/tmp-5.10/i2c-qup-add-missing-unwind-goto-in-qup_i2c_probe.patch 
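Review bot: The new `smp_store_release(&vi->data_avail, len)` in random_recv_done() and `smp_load_acquire(&vi->data_avail)` in virtio_read() carry no comment naming their counterpart; the pairing is explained only in the commit message. Barrier pairs are easy to break in later edits when the code does not say what they order. Comments such as `/* pairs with smp_load_acquire() in virtio_read() */` and `/* pairs with smp_store_release() in random_recv_done() */` would fix that. request_entropy() also now relies on `data_avail` already being zero on entry, which deserves a one-line comment where the assignment was removed.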
@@ -0,0 +1,75 @@ +From cd9489623c29aa2f8cc07088168afb6e0d5ef06d Mon Sep 17 00:00:00 2001 +From: Shuai Jiang +Date: Tue, 18 Apr 2023 21:56:12 +0800 +Subject: i2c: qup: Add missing unwind goto in qup_i2c_probe() + +From: Shuai Jiang + +commit cd9489623c29aa2f8cc07088168afb6e0d5ef06d upstream. + +Smatch Warns: + drivers/i2c/busses/i2c-qup.c:1784 qup_i2c_probe() + warn: missing unwind goto? + +The goto label "fail_runtime" and "fail" will disable qup->pclk, +but here qup->pclk failed to obtain, in order to be consistent, +change the direct return to goto label "fail_dma". + +Fixes: 9cedf3b2f099 ("i2c: qup: Add bam dma capabilities") +Signed-off-by: Shuai Jiang +Reviewed-by: Dongliang Mu +Reviewed-by: Andi Shyti +Signed-off-by: Wolfram Sang +Cc: # v4.6+ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-qup.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/drivers/i2c/busses/i2c-qup.c ++++ b/drivers/i2c/busses/i2c-qup.c +@@ -1752,16 +1752,21 @@ nodma: + if (!clk_freq || clk_freq > I2C_MAX_FAST_MODE_PLUS_FREQ) { + dev_err(qup->dev, "clock frequency not supported %d\n", + clk_freq); +- return -EINVAL; ++ ret = -EINVAL; ++ goto fail_dma; + } + + qup->base = devm_platform_ioremap_resource(pdev, 0); +- if (IS_ERR(qup->base)) +- return PTR_ERR(qup->base); ++ if (IS_ERR(qup->base)) { ++ ret = PTR_ERR(qup->base); ++ goto fail_dma; ++ } + + qup->irq = platform_get_irq(pdev, 0); +- if (qup->irq < 0) +- return qup->irq; ++ if (qup->irq < 0) { ++ ret = qup->irq; ++ goto fail_dma; ++ } + + if (has_acpi_companion(qup->dev)) { + ret = device_property_read_u32(qup->dev, +@@ -1775,13 +1780,15 @@ nodma: + qup->clk = devm_clk_get(qup->dev, "core"); + if (IS_ERR(qup->clk)) { + dev_err(qup->dev, "Could not get core clock\n"); +- return PTR_ERR(qup->clk); ++ ret = PTR_ERR(qup->clk); ++ goto fail_dma; + } + + qup->pclk = devm_clk_get(qup->dev, "iface"); + if (IS_ERR(qup->pclk)) { + dev_err(qup->dev, "Could not get iface clock\n"); +- return 
PTR_ERR(qup->pclk); ++ ret = PTR_ERR(qup->pclk); ++ goto fail_dma; + } + qup_i2c_enable_clocks(qup); + src_clk_freq = clk_get_rate(qup->clk); diff --git a/tmp-5.10/i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch b/tmp-5.10/i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch new file mode 100644 index 00000000000..7940b906d1a --- /dev/null +++ b/tmp-5.10/i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch 
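Review bot: All five converted exits in qup_i2c_probe() sit below the `nodma:` label, so `fail_dma` is now also reached when no DMA channel was ever requested. The body of `fail_dma` is outside this hunk; it has to tolerate channel pointers that were never set, otherwise the new paths trade a leaked channel for a NULL dereference in the release call. If it already checks, a comment at the label would record that: `/* also reached from the nodma path: channels may be unset */`.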
@@ -0,0 +1,112 @@ +From 76c2ad598eae18e59b499f84abc748ad2b4dcee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Aug 2021 23:41:42 +0200 +Subject: i2c: xiic: Defer xiic_wakeup() and __xiic_start_xfer() in + xiic_process() + +From: Marek Vasut + +[ Upstream commit 743e227a895923c37a333eb2ebf3e391f00c406d ] + +The __xiic_start_xfer() manipulates the interrupt flags, xiic_wakeup() +may result in return from xiic_xfer() early. Defer both to the end of +the xiic_process() interrupt thread, so that they are executed after +all the other interrupt bits handling completed and once it completely +safe to perform changes to the interrupt bits in the hardware. + +Signed-off-by: Marek Vasut +Acked-by: Michal Simek +Signed-off-by: Wolfram Sang +Stable-dep-of: cb6e45c9a0ad ("i2c: xiic: Don't try to handle more interrupt events after error") +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-xiic.c | 37 ++++++++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 11 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c +index 3b564e68130b5..8b93c22f3c400 100644 +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -375,6 +375,9 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + struct xiic_i2c *i2c = dev_id; + u32 pend, isr, ier; + u32 clr = 0; ++ int xfer_more = 0; ++ int wakeup_req = 0; ++ int wakeup_code = 0; + + /* Get the interrupt Status from the IPIF. There is no clearing of + * interrupts in the IPIF. Interrupts must be cleared at the source. 
+@@ -411,10 +414,14 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + */ + xiic_reinit(i2c); + +- if (i2c->rx_msg) +- xiic_wakeup(i2c, STATE_ERROR); +- if (i2c->tx_msg) +- xiic_wakeup(i2c, STATE_ERROR); ++ if (i2c->rx_msg) { ++ wakeup_req = 1; ++ wakeup_code = STATE_ERROR; ++ } ++ if (i2c->tx_msg) { ++ wakeup_req = 1; ++ wakeup_code = STATE_ERROR; ++ } + } + if (pend & XIIC_INTR_RX_FULL_MASK) { + /* Receive register/FIFO is full */ +@@ -448,8 +455,7 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + i2c->tx_msg++; + dev_dbg(i2c->adap.dev.parent, + "%s will start next...\n", __func__); +- +- __xiic_start_xfer(i2c); ++ xfer_more = 1; + } + } + } +@@ -463,11 +469,13 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + if (!i2c->tx_msg) + goto out; + +- if ((i2c->nmsgs == 1) && !i2c->rx_msg && +- xiic_tx_space(i2c) == 0) +- xiic_wakeup(i2c, STATE_DONE); ++ wakeup_req = 1; ++ ++ if (i2c->nmsgs == 1 && !i2c->rx_msg && ++ xiic_tx_space(i2c) == 0) ++ wakeup_code = STATE_DONE; + else +- xiic_wakeup(i2c, STATE_ERROR); ++ wakeup_code = STATE_ERROR; + } + if (pend & (XIIC_INTR_TX_EMPTY_MASK | XIIC_INTR_TX_HALF_MASK)) { + /* Transmit register/FIFO is empty or ½ empty */ +@@ -491,7 +499,7 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + if (i2c->nmsgs > 1) { + i2c->nmsgs--; + i2c->tx_msg++; +- __xiic_start_xfer(i2c); ++ xfer_more = 1; + } else { + xiic_irq_dis(i2c, XIIC_INTR_TX_HALF_MASK); + +@@ -509,6 +517,13 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + dev_dbg(i2c->adap.dev.parent, "%s clr: 0x%x\n", __func__, clr); + + xiic_setreg32(i2c, XIIC_IISR_OFFSET, clr); ++ if (xfer_more) ++ __xiic_start_xfer(i2c); ++ if (wakeup_req) ++ xiic_wakeup(i2c, wakeup_code); ++ ++ WARN_ON(xfer_more && wakeup_req); ++ + mutex_unlock(&i2c->lock); + return IRQ_HANDLED; + } +-- +2.39.2 + 
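Review bot: `WARN_ON(xfer_more && wakeup_req)` at the end of xiic_process() runs after `__xiic_start_xfer()` and `xiic_wakeup()` have both been called, so it reports the conflicting combination without preventing it. Both flags are derived from interrupt bits raised by the controller, and on systems booted with panic_on_warn a WARN_ON that hardware state can reach is a crash. Testing before acting and warning once would be safer, for instance `if (WARN_ON_ONCE(xfer_more && wakeup_req)) xfer_more = 0;` ahead of the two calls; which flag should win is for the driver authors to decide. The two identical `rx_msg`/`tx_msg` blocks in the error branch could also collapse into one `if (i2c->rx_msg || i2c->tx_msg)`.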
diff --git a/tmp-5.10/i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch b/tmp-5.10/i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch
new file mode 100644
index 00000000000..e8c9b2e71f1
--- /dev/null
+++ b/tmp-5.10/i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch
@@ -0,0 +1,60 @@
+From 513d8061c71348ce38424f08942004a1c7dca1bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 12:25:58 -0600
+Subject: i2c: xiic: Don't try to handle more interrupt events after error
+
+From: Robert Hancock
+
+[ Upstream commit cb6e45c9a0ad9e0f8664fd06db0227d185dc76ab ]
+
+In xiic_process, it is possible that error events such as arbitration
+lost or TX error can be raised in conjunction with other interrupt flags
+such as TX FIFO empty or bus not busy. Error events result in the
+controller being reset and the error returned to the calling request,
+but the function could potentially try to keep handling the other
+events, such as by writing more messages into the TX FIFO. Since the
+transaction has already failed, this is not helpful and will just cause
+issues.
+
+This problem has been present ever since:
+
+commit 7f9906bd7f72 ("i2c: xiic: Service all interrupts in isr")
+
+which allowed non-error events to be handled after errors, but became
+more obvious after:
+
+commit 743e227a8959 ("i2c: xiic: Defer xiic_wakeup() and
+__xiic_start_xfer() in xiic_process()")
+
+which reworked the code to add a WARN_ON which triggers if both the
+xfer_more and wakeup_req flags were set, since this combination is
+not supposed to happen, but was occurring in this scenario.
+
+Skip further interrupt handling after error flags are detected to avoid
+this problem.
+
+Fixes: 7f9906bd7f72 ("i2c: xiic: Service all interrupts in isr")
+Signed-off-by: Robert Hancock
+Acked-by: Andi Shyti
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-xiic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c
+index 8b93c22f3c400..568e97c3896d1 100644
+--- a/drivers/i2c/busses/i2c-xiic.c
++++ b/drivers/i2c/busses/i2c-xiic.c
+@@ -422,6 +422,8 @@ static irqreturn_t xiic_process(int irq, void *dev_id)
+ wakeup_req = 1;
+ wakeup_code = STATE_ERROR;
+ }
++ /* don't try to handle other events */
++ goto out;
+ }
+ if (pend & XIIC_INTR_RX_FULL_MASK) {
+ /* Receive register/FIFO is full */
+--
+2.39.2
+
diff --git a/tmp-5.10/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch b/tmp-5.10/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch
new file mode 100644
index 00000000000..a28196c8c5a
--- /dev/null
+++ b/tmp-5.10/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch
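Review bot: The new `goto out;` leaves the error branch of xiic_process() with whatever `clr` holds at that point, so the other bits set in `pend` are never added to the value later written to the interrupt status register. Whether the reset done earlier in this branch already clears them at the source cannot be seen here, since the branch starts outside the hunk. If it does not, the interrupt fires again for events that belong to the transfer just aborted. The added comment could state what the code relies on, e.g. `/* core was reset above; remaining bits in pend belong to the aborted transfer */`.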
@@ -0,0 +1,160 @@ +From 28c24578bfd5042256efc1c91c6b3c8408b18260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 19:11:48 +0800 +Subject: iavf: Fix out-of-bounds when setting channels on remove + +From: Ding Hui + +[ Upstream commit 7c4bced3caa749ce468b0c5de711c98476b23a52 ] + +If we set channels greater during iavf_remove(), and waiting reset done +would be timeout, then returned with error but changed num_active_queues +directly, that will lead to OOB like the following logs. Because the +num_active_queues is greater than tx/rx_rings[] allocated actually. + +Reproducer: + + [root@host ~]# cat repro.sh + #!/bin/bash + + pf_dbsf="0000:41:00.0" + vf0_dbsf="0000:41:02.0" + g_pids=() + + function do_set_numvf() + { + echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + } + + function do_set_channel() + { + local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) + [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } + ifconfig $nic 192.168.18.5 netmask 255.255.255.0 + ifconfig $nic up + ethtool -L $nic combined 1 + ethtool -L $nic combined 4 + sleep $((RANDOM%3)) + } + + function on_exit() + { + local pid + for pid in "${g_pids[@]}"; do + kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null + done + g_pids=() + } + + trap "on_exit; exit" EXIT + + while :; do do_set_numvf ; done & + g_pids+=($!) + while :; do do_set_channel ; done & + g_pids+=($!) 
+ + wait + +Result: + +[ 3506.152887] iavf 0000:41:02.0: Removing device +[ 3510.400799] ================================================================== +[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536 +[ 3510.400823] +[ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 +[ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 +[ 3510.400835] Call Trace: +[ 3510.400851] dump_stack+0x71/0xab +[ 3510.400860] print_address_description+0x6b/0x290 +[ 3510.400865] ? iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400868] kasan_report+0x14a/0x2b0 +[ 3510.400873] iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400880] iavf_remove+0x2b6/0xc70 [iavf] +[ 3510.400884] ? iavf_free_all_rx_resources+0x160/0x160 [iavf] +[ 3510.400891] ? wait_woken+0x1d0/0x1d0 +[ 3510.400895] ? notifier_call_chain+0xc1/0x130 +[ 3510.400903] pci_device_remove+0xa8/0x1f0 +[ 3510.400910] device_release_driver_internal+0x1c6/0x460 +[ 3510.400916] pci_stop_bus_device+0x101/0x150 +[ 3510.400919] pci_stop_and_remove_bus_device+0xe/0x20 +[ 3510.400924] pci_iov_remove_virtfn+0x187/0x420 +[ 3510.400927] ? pci_iov_add_virtfn+0xe10/0xe10 +[ 3510.400929] ? pci_get_subsys+0x90/0x90 +[ 3510.400932] sriov_disable+0xed/0x3e0 +[ 3510.400936] ? bus_find_device+0x12d/0x1a0 +[ 3510.400953] i40e_free_vfs+0x754/0x1210 [i40e] +[ 3510.400966] ? i40e_reset_all_vfs+0x880/0x880 [i40e] +[ 3510.400968] ? pci_get_device+0x7c/0x90 +[ 3510.400970] ? pci_get_subsys+0x90/0x90 +[ 3510.400982] ? pci_vfs_assigned.part.7+0x144/0x210 +[ 3510.400987] ? __mutex_lock_slowpath+0x10/0x10 +[ 3510.400996] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 3510.401001] sriov_numvfs_store+0x214/0x290 +[ 3510.401005] ? sriov_totalvfs_show+0x30/0x30 +[ 3510.401007] ? __mutex_lock_slowpath+0x10/0x10 +[ 3510.401011] ? 
__check_object_size+0x15a/0x350 +[ 3510.401018] kernfs_fop_write+0x280/0x3f0 +[ 3510.401022] vfs_write+0x145/0x440 +[ 3510.401025] ksys_write+0xab/0x160 +[ 3510.401028] ? __ia32_sys_read+0xb0/0xb0 +[ 3510.401031] ? fput_many+0x1a/0x120 +[ 3510.401032] ? filp_close+0xf0/0x130 +[ 3510.401038] do_syscall_64+0xa0/0x370 +[ 3510.401041] ? page_fault+0x8/0x30 +[ 3510.401043] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 3510.401073] RIP: 0033:0x7f3a9bb842c0 +[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 +[ 3510.401080] RSP: 002b:00007ffc05f1fe18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 3510.401083] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f3a9bb842c0 +[ 3510.401085] RDX: 0000000000000002 RSI: 0000000002327408 RDI: 0000000000000001 +[ 3510.401086] RBP: 0000000002327408 R08: 00007f3a9be53780 R09: 00007f3a9c8a4700 +[ 3510.401086] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 +[ 3510.401087] R13: 0000000000000001 R14: 00007f3a9be52620 R15: 0000000000000001 +[ 3510.401090] +[ 3510.401093] Allocated by task 76795: +[ 3510.401098] kasan_kmalloc+0xa6/0xd0 +[ 3510.401099] __kmalloc+0xfb/0x200 +[ 3510.401104] iavf_init_interrupt_scheme+0x26f/0x1310 [iavf] +[ 3510.401108] iavf_watchdog_task+0x1d58/0x4050 [iavf] +[ 3510.401114] process_one_work+0x56a/0x11f0 +[ 3510.401115] worker_thread+0x8f/0xf40 +[ 3510.401117] kthread+0x2a0/0x390 +[ 3510.401119] ret_from_fork+0x1f/0x40 +[ 3510.401122] 0xffffffffffffffff +[ 3510.401123] + +In timeout handling, we should keep the original num_active_queues +and reset num_req_queues to 0. 
+ +Fixes: 4e5e6b5d9d13 ("iavf: Fix return of set the new channel count") +Signed-off-by: Ding Hui +Cc: Donglin Peng +Cc: Huang Cun +Reviewed-by: Leon Romanovsky +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index 4680a2fe6d3cc..05cd70579c169 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -968,7 +968,7 @@ static int iavf_set_channels(struct net_device *netdev, + } + if (i == IAVF_RESET_WAIT_COMPLETE_COUNT) { + adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; +- adapter->num_active_queues = num_req; ++ adapter->num_req_queues = 0; + return -EOPNOTSUPP; + } + +-- +2.39.2 + diff --git a/tmp-5.10/iavf-fix-use-after-free-in-free_netdev.patch b/tmp-5.10/iavf-fix-use-after-free-in-free_netdev.patch new file mode 100644 index 00000000000..e66f5d182ad --- /dev/null +++ b/tmp-5.10/iavf-fix-use-after-free-in-free_netdev.patch 
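Review bot: The timeout branch under `if (i == IAVF_RESET_WAIT_COMPLETE_COUNT)` clears `adapter->num_req_queues` with no synchronisation visible against the reset path that consumes the request. iavf_set_channels() starts and ends outside the hunk, so it cannot be seen whether a lock is held here. If the scheduled reset can still run after this function has given up, it is worth confirming that it cannot pick up the old request and resize the rings after -EOPNOTSUPP has gone back to ethtool. A one-line comment would also help the next reader: `/* reset did not finish: drop the request, rings keep their current size */`.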
@@ -0,0 +1,215 @@ +From 7aa9176369e824ba7c0892a9ca686a5b70b08713 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 19:11:47 +0800 +Subject: iavf: Fix use-after-free in free_netdev + +From: Ding Hui + +[ Upstream commit 5f4fa1672d98fe99d2297b03add35346f1685d6b ] + +We do netif_napi_add() for all allocated q_vectors[], but potentially +do netif_napi_del() for part of them, then kfree q_vectors and leave +invalid pointers at dev->napi_list. + +Reproducer: + + [root@host ~]# cat repro.sh + #!/bin/bash + + pf_dbsf="0000:41:00.0" + vf0_dbsf="0000:41:02.0" + g_pids=() + + function do_set_numvf() + { + echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + } + + function do_set_channel() + { + local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) + [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } + ifconfig $nic 192.168.18.5 netmask 255.255.255.0 + ifconfig $nic up + ethtool -L $nic combined 1 + ethtool -L $nic combined 4 + sleep $((RANDOM%3)) + } + + function on_exit() + { + local pid + for pid in "${g_pids[@]}"; do + kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null + done + g_pids=() + } + + trap "on_exit; exit" EXIT + + while :; do do_set_numvf ; done & + g_pids+=($!) + while :; do do_set_channel ; done & + g_pids+=($!) + + wait + +Result: + +[ 4093.900222] ================================================================== +[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390 +[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699 +[ 4093.900233] +[ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 +[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 +[ 4093.900239] Call Trace: +[ 4093.900244] dump_stack+0x71/0xab +[ 4093.900249] print_address_description+0x6b/0x290 +[ 4093.900251] ? 
free_netdev+0x308/0x390 +[ 4093.900252] kasan_report+0x14a/0x2b0 +[ 4093.900254] free_netdev+0x308/0x390 +[ 4093.900261] iavf_remove+0x825/0xd20 [iavf] +[ 4093.900265] pci_device_remove+0xa8/0x1f0 +[ 4093.900268] device_release_driver_internal+0x1c6/0x460 +[ 4093.900271] pci_stop_bus_device+0x101/0x150 +[ 4093.900273] pci_stop_and_remove_bus_device+0xe/0x20 +[ 4093.900275] pci_iov_remove_virtfn+0x187/0x420 +[ 4093.900277] ? pci_iov_add_virtfn+0xe10/0xe10 +[ 4093.900278] ? pci_get_subsys+0x90/0x90 +[ 4093.900280] sriov_disable+0xed/0x3e0 +[ 4093.900282] ? bus_find_device+0x12d/0x1a0 +[ 4093.900290] i40e_free_vfs+0x754/0x1210 [i40e] +[ 4093.900298] ? i40e_reset_all_vfs+0x880/0x880 [i40e] +[ 4093.900299] ? pci_get_device+0x7c/0x90 +[ 4093.900300] ? pci_get_subsys+0x90/0x90 +[ 4093.900306] ? pci_vfs_assigned.part.7+0x144/0x210 +[ 4093.900309] ? __mutex_lock_slowpath+0x10/0x10 +[ 4093.900315] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 4093.900318] sriov_numvfs_store+0x214/0x290 +[ 4093.900320] ? sriov_totalvfs_show+0x30/0x30 +[ 4093.900321] ? __mutex_lock_slowpath+0x10/0x10 +[ 4093.900323] ? __check_object_size+0x15a/0x350 +[ 4093.900326] kernfs_fop_write+0x280/0x3f0 +[ 4093.900329] vfs_write+0x145/0x440 +[ 4093.900330] ksys_write+0xab/0x160 +[ 4093.900332] ? __ia32_sys_read+0xb0/0xb0 +[ 4093.900334] ? fput_many+0x1a/0x120 +[ 4093.900335] ? filp_close+0xf0/0x130 +[ 4093.900338] do_syscall_64+0xa0/0x370 +[ 4093.900339] ? 
page_fault+0x8/0x30 +[ 4093.900341] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 4093.900357] RIP: 0033:0x7f16ad4d22c0 +[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 +[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0 +[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001 +[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700 +[ 4093.900364] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 +[ 4093.900365] R13: 0000000000000001 R14: 00007f16ad7a0620 R15: 0000000000000001 +[ 4093.900367] +[ 4093.900368] Allocated by task 820: +[ 4093.900371] kasan_kmalloc+0xa6/0xd0 +[ 4093.900373] __kmalloc+0xfb/0x200 +[ 4093.900376] iavf_init_interrupt_scheme+0x63b/0x1320 [iavf] +[ 4093.900380] iavf_watchdog_task+0x3d51/0x52c0 [iavf] +[ 4093.900382] process_one_work+0x56a/0x11f0 +[ 4093.900383] worker_thread+0x8f/0xf40 +[ 4093.900384] kthread+0x2a0/0x390 +[ 4093.900385] ret_from_fork+0x1f/0x40 +[ 4093.900387] 0xffffffffffffffff +[ 4093.900387] +[ 4093.900388] Freed by task 6699: +[ 4093.900390] __kasan_slab_free+0x137/0x190 +[ 4093.900391] kfree+0x8b/0x1b0 +[ 4093.900394] iavf_free_q_vectors+0x11d/0x1a0 [iavf] +[ 4093.900397] iavf_remove+0x35a/0xd20 [iavf] +[ 4093.900399] pci_device_remove+0xa8/0x1f0 +[ 4093.900400] device_release_driver_internal+0x1c6/0x460 +[ 4093.900401] pci_stop_bus_device+0x101/0x150 +[ 4093.900402] pci_stop_and_remove_bus_device+0xe/0x20 +[ 4093.900403] pci_iov_remove_virtfn+0x187/0x420 +[ 4093.900404] sriov_disable+0xed/0x3e0 +[ 4093.900409] i40e_free_vfs+0x754/0x1210 [i40e] +[ 4093.900415] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 4093.900416] sriov_numvfs_store+0x214/0x290 +[ 4093.900417] 
kernfs_fop_write+0x280/0x3f0 +[ 4093.900418] vfs_write+0x145/0x440 +[ 4093.900419] ksys_write+0xab/0x160 +[ 4093.900420] do_syscall_64+0xa0/0x370 +[ 4093.900421] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 4093.900422] 0xffffffffffffffff +[ 4093.900422] +[ 4093.900424] The buggy address belongs to the object at ffff88b4dc144200 + which belongs to the cache kmalloc-8k of size 8192 +[ 4093.900425] The buggy address is located 5184 bytes inside of + 8192-byte region [ffff88b4dc144200, ffff88b4dc146200) +[ 4093.900425] The buggy address belongs to the page: +[ 4093.900427] page:ffffea00d3705000 refcount:1 mapcount:0 mapping:ffff88bf04415c80 index:0x0 compound_mapcount: 0 +[ 4093.900430] flags: 0x10000000008100(slab|head) +[ 4093.900433] raw: 0010000000008100 dead000000000100 dead000000000200 ffff88bf04415c80 +[ 4093.900434] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000 +[ 4093.900434] page dumped because: kasan: bad access detected +[ 4093.900435] +[ 4093.900435] Memory state around the buggy address: +[ 4093.900436] ffff88b4dc145500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900437] ffff88b4dc145580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900438] >ffff88b4dc145600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900438] ^ +[ 4093.900439] ffff88b4dc145680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900440] ffff88b4dc145700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900440] ================================================================== + +Although the patch #2 (of 2) can avoid the issue triggered by this +repro.sh, there still are other potential risks that if num_active_queues +is changed to less than allocated q_vectors[] by unexpected, the +mismatched netif_napi_add/del() can also cause UAF. 
+ +Since we actually call netif_napi_add() for all allocated q_vectors +unconditionally in iavf_alloc_q_vectors(), so we should fix it by +letting netif_napi_del() match to netif_napi_add(). + +Fixes: 5eae00c57f5e ("i40evf: main driver core") +Signed-off-by: Ding Hui +Cc: Donglin Peng +Cc: Huang Cun +Reviewed-by: Simon Horman +Reviewed-by: Madhu Chittim +Reviewed-by: Leon Romanovsky +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index e45f3a1a11f36..b64801bc216bb 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1377,19 +1377,16 @@ static int iavf_alloc_q_vectors(struct iavf_adapter *adapter) + static void iavf_free_q_vectors(struct iavf_adapter *adapter) + { + int q_idx, num_q_vectors; +- int napi_vectors; + + if (!adapter->q_vectors) + return; + + num_q_vectors = adapter->num_msix_vectors - NONQ_VECS; +- napi_vectors = adapter->num_active_queues; + + for (q_idx = 0; q_idx < num_q_vectors; q_idx++) { + struct iavf_q_vector *q_vector = &adapter->q_vectors[q_idx]; + +- if (q_idx < napi_vectors) +- netif_napi_del(&q_vector->napi); ++ netif_napi_del(&q_vector->napi); + } + kfree(adapter->q_vectors); + adapter->q_vectors = NULL; +-- +2.39.2 + diff --git a/tmp-5.10/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch b/tmp-5.10/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch new file mode 100644 index 00000000000..9f83c1a9e8e --- /dev/null +++ b/tmp-5.10/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch 
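Review bot: The loop bound in iavf_free_q_vectors() is still recomputed from `adapter->num_msix_vectors - NONQ_VECS` at free time, so netif_napi_del() matches netif_napi_add() only while that field is unchanged since iavf_alloc_q_vectors() ran. The allocation side is outside this hunk, so this is an assumption to confirm rather than a defect I can show. Recording the invariant next to the loop would help, e.g. `/* every allocated q_vector had netif_napi_add(); delete all of them before kfree() so dev->napi_list keeps no stale entry */`.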
@@ -0,0 +1,111 @@ +From ca3cf4ea5ab2608e6153ac6e6734cc2e88d389b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 11:56:28 -0500 +Subject: IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors + +From: Patrick Kelsey + +[ Upstream commit fd8958efe8779d3db19c9124fce593ce681ac709 ] + +Fix three sources of error involving struct sdma_txreq.num_descs. + +When _extend_sdma_tx_descs() extends the descriptor array, it uses the +value of tx->num_descs to determine how many existing entries from the +tx's original, internal descriptor array to copy to the newly allocated +one. As this value was incremented before the call, the copy loop will +access one entry past the internal descriptor array, copying its contents +into the corresponding slot in the new array. + +If the call to _extend_sdma_tx_descs() fails, _pad_smda_tx_descs() then +invokes __sdma_tx_clean() which uses the value of tx->num_desc to drive a +loop that unmaps all descriptor entries in use. As this value was +incremented before the call, the unmap loop will invoke sdma_unmap_desc() +on a descriptor entry whose contents consist of whatever random data was +copied into it during (1), leading to cascading further calls into the +kernel and driver using arbitrary data. + +_sdma_close_tx() was using tx->num_descs instead of tx->num_descs - 1. + +Fix all of the above by: +- Only increment .num_descs after .descp is extended. +- Use .num_descs - 1 instead of .num_descs for last .descp entry. 
+ +Fixes: f4d26d81ad7f ("staging/rdma/hfi1: Add coalescing support for SDMA TX descriptors") +Link: https://lore.kernel.org/r/167656658879.2223096.10026561343022570690.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Brendan Cunningham +Signed-off-by: Patrick Kelsey +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Stable-dep-of: c9358de193ec ("IB/hfi1: Fix wrong mmu_node used for user SDMA packet after invalidate") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/sdma.c | 4 ++-- + drivers/infiniband/hw/hfi1/sdma.h | 15 +++++++-------- + 2 files changed, 9 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c +index 061562627dae4..728bf122ee0a7 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.c ++++ b/drivers/infiniband/hw/hfi1/sdma.c +@@ -3187,8 +3187,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + { + int rval = 0; + +- tx->num_desc++; +- if ((unlikely(tx->num_desc == tx->desc_limit))) { ++ if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) { + rval = _extend_sdma_tx_descs(dd, tx); + if (rval) { + __sdma_txclean(dd, tx); +@@ -3203,6 +3202,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + NULL, + dd->sdma_pad_phys, + sizeof(u32) - (tx->packet_len & (sizeof(u32) - 1))); ++ tx->num_desc++; + _sdma_close_tx(dd, tx); + return rval; + } +diff --git a/drivers/infiniband/hw/hfi1/sdma.h b/drivers/infiniband/hw/hfi1/sdma.h +index 7d4f316ac6e43..5a372ca1f6acf 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.h ++++ b/drivers/infiniband/hw/hfi1/sdma.h +@@ -674,14 +674,13 @@ static inline void sdma_txclean(struct hfi1_devdata *dd, struct sdma_txreq *tx) + static inline void _sdma_close_tx(struct hfi1_devdata *dd, + struct sdma_txreq *tx) + { +- tx->descp[tx->num_desc].qw[0] |= +- SDMA_DESC0_LAST_DESC_FLAG; +- tx->descp[tx->num_desc].qw[1] |= +- dd->default_desc1; ++ u16 last_desc = tx->num_desc - 1; ++ ++ 
tx->descp[last_desc].qw[0] |= SDMA_DESC0_LAST_DESC_FLAG; ++ tx->descp[last_desc].qw[1] |= dd->default_desc1; + if (tx->flags & SDMA_TXREQ_F_URGENT) +- tx->descp[tx->num_desc].qw[1] |= +- (SDMA_DESC1_HEAD_TO_HOST_FLAG | +- SDMA_DESC1_INT_REQ_FLAG); ++ tx->descp[last_desc].qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG | ++ SDMA_DESC1_INT_REQ_FLAG); + } + + static inline int _sdma_txadd_daddr( +@@ -700,6 +699,7 @@ static inline int _sdma_txadd_daddr( + pinning_ctx, + addr, len); + WARN_ON(len > tx->tlen); ++ tx->num_desc++; + tx->tlen -= len; + /* special cases for last */ + if (!tx->tlen) { +@@ -711,7 +711,6 @@ static inline int _sdma_txadd_daddr( + _sdma_close_tx(dd, tx); + } + } +- tx->num_desc++; + return rval; + } + +-- +2.39.2 + diff --git a/tmp-5.10/ib-hfi1-fix-wrong-mmu_node-used-for-user-sdma-packet.patch b/tmp-5.10/ib-hfi1-fix-wrong-mmu_node-used-for-user-sdma-packet.patch new file mode 100644 index 00000000000..1940d397eb0 --- /dev/null +++ b/tmp-5.10/ib-hfi1-fix-wrong-mmu_node-used-for-user-sdma-packet.patch 
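Review bot: `u16 last_desc = tx->num_desc - 1;` in _sdma_close_tx() wraps to 0xffff when num_desc is 0, and the writes to `tx->descp[last_desc]` that follow would then land far outside the descriptor array. Both callers visible in this patch, _pad_sdma_tx_descs() and _sdma_txadd_daddr(), increment num_desc before the call, so this is a guard for future callers rather than a live bug. I would declare `u16 last_desc;` first, add `if (WARN_ON_ONCE(!tx->num_desc)) return;`, and only then assign `last_desc = tx->num_desc - 1;`.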
@@ -0,0 +1,765 @@ +From 59423d0101c7a2958d3388a4ad2f1210fe6b4d64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 12:32:16 -0400 +Subject: IB/hfi1: Fix wrong mmu_node used for user SDMA packet after + invalidate + +From: Brendan Cunningham + +[ Upstream commit c9358de193ecfb360c3ce75f27ce839ca0b0bc8c ] + +The hfi1 user SDMA pinned-page cache will leave a stale cache entry when +the cache-entry's virtual address range is invalidated but that cache +entry is in-use by an outstanding SDMA request. + +Subsequent user SDMA requests with buffers in or spanning the virtual +address range of the stale cache entry will result in packets constructed +from the wrong memory, the physical pages pointed to by the stale cache +entry. + +To fix this, remove mmu_rb_node cache entries from the mmu_rb_handler +cache independent of the cache entry's refcount. Add 'struct kref +refcount' to struct mmu_rb_node and manage mmu_rb_node lifetime with +kref_get() and kref_put(). + +mmu_rb_node.refcount makes sdma_mmu_node.refcount redundant. Remove +'atomic_t refcount' from struct sdma_mmu_node and change sdma_mmu_node +code to use mmu_rb_node.refcount. + +Move the mmu_rb_handler destructor call after a +wait-for-SDMA-request-completion call so mmu_rb_nodes that need +mmu_rb_handler's workqueue to queue themselves up for destruction from an +interrupt context may do so. 
+ +Fixes: f48ad614c100 ("IB/hfi1: Move driver out of staging") +Fixes: 00cbce5cbf88 ("IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests") +Link: https://lore.kernel.org/r/168451393605.3700681.13493776139032178861.stgit@awfm-02.cornelisnetworks.com +Reviewed-by: Dean Luick +Signed-off-by: Brendan Cunningham +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/ipoib_tx.c | 4 +- + drivers/infiniband/hw/hfi1/mmu_rb.c | 101 ++++++++++------- + drivers/infiniband/hw/hfi1/mmu_rb.h | 3 + + drivers/infiniband/hw/hfi1/sdma.c | 23 +++- + drivers/infiniband/hw/hfi1/sdma.h | 47 +++++--- + drivers/infiniband/hw/hfi1/sdma_txreq.h | 2 + + drivers/infiniband/hw/hfi1/user_sdma.c | 137 ++++++++++-------------- + drivers/infiniband/hw/hfi1/user_sdma.h | 1 - + drivers/infiniband/hw/hfi1/vnic_sdma.c | 4 +- + 9 files changed, 177 insertions(+), 145 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/ipoib_tx.c b/drivers/infiniband/hw/hfi1/ipoib_tx.c +index 956fc3fd88b99..1880484681357 100644 +--- a/drivers/infiniband/hw/hfi1/ipoib_tx.c ++++ b/drivers/infiniband/hw/hfi1/ipoib_tx.c +@@ -251,11 +251,11 @@ static int hfi1_ipoib_build_ulp_payload(struct ipoib_txreq *tx, + const skb_frag_t *frag = &skb_shinfo(skb)->frags[i]; + + ret = sdma_txadd_page(dd, +- NULL, + txreq, + skb_frag_page(frag), + frag->bv_offset, +- skb_frag_size(frag)); ++ skb_frag_size(frag), ++ NULL, NULL, NULL); + if (unlikely(ret)) + break; + } +diff --git a/drivers/infiniband/hw/hfi1/mmu_rb.c b/drivers/infiniband/hw/hfi1/mmu_rb.c +index d331184ded308..a501b7a682fca 100644 +--- a/drivers/infiniband/hw/hfi1/mmu_rb.c ++++ b/drivers/infiniband/hw/hfi1/mmu_rb.c +@@ -60,8 +60,7 @@ static int mmu_notifier_range_start(struct mmu_notifier *, + const struct mmu_notifier_range *); + static struct mmu_rb_node *__mmu_rb_search(struct mmu_rb_handler *, + unsigned long, unsigned long); +-static void do_remove(struct mmu_rb_handler 
*handler, +- struct list_head *del_list); ++static void release_immediate(struct kref *refcount); + static void handle_remove(struct work_struct *work); + + static const struct mmu_notifier_ops mn_opts = { +@@ -144,7 +143,11 @@ void hfi1_mmu_rb_unregister(struct mmu_rb_handler *handler) + } + spin_unlock_irqrestore(&handler->lock, flags); + +- do_remove(handler, &del_list); ++ while (!list_empty(&del_list)) { ++ rbnode = list_first_entry(&del_list, struct mmu_rb_node, list); ++ list_del(&rbnode->list); ++ kref_put(&rbnode->refcount, release_immediate); ++ } + + /* Now the mm may be freed. */ + mmdrop(handler->mn.mm); +@@ -172,12 +175,6 @@ int hfi1_mmu_rb_insert(struct mmu_rb_handler *handler, + } + __mmu_int_rb_insert(mnode, &handler->root); + list_add_tail(&mnode->list, &handler->lru_list); +- +- ret = handler->ops->insert(handler->ops_arg, mnode); +- if (ret) { +- __mmu_int_rb_remove(mnode, &handler->root); +- list_del(&mnode->list); /* remove from LRU list */ +- } + mnode->handler = handler; + unlock: + spin_unlock_irqrestore(&handler->lock, flags); +@@ -221,6 +218,48 @@ static struct mmu_rb_node *__mmu_rb_search(struct mmu_rb_handler *handler, + return node; + } + ++/* ++ * Must NOT call while holding mnode->handler->lock. ++ * mnode->handler->ops->remove() may sleep and mnode->handler->lock is a ++ * spinlock. ++ */ ++static void release_immediate(struct kref *refcount) ++{ ++ struct mmu_rb_node *mnode = ++ container_of(refcount, struct mmu_rb_node, refcount); ++ mnode->handler->ops->remove(mnode->handler->ops_arg, mnode); ++} ++ ++/* Caller must hold mnode->handler->lock */ ++static void release_nolock(struct kref *refcount) ++{ ++ struct mmu_rb_node *mnode = ++ container_of(refcount, struct mmu_rb_node, refcount); ++ list_move(&mnode->list, &mnode->handler->del_list); ++ queue_work(mnode->handler->wq, &mnode->handler->del_work); ++} ++ ++/* ++ * struct mmu_rb_node->refcount kref_put() callback. 
++ * Adds mmu_rb_node to mmu_rb_node->handler->del_list and queues ++ * handler->del_work on handler->wq. ++ * Does not remove mmu_rb_node from handler->lru_list or handler->rb_root. ++ * Acquires mmu_rb_node->handler->lock; do not call while already holding ++ * handler->lock. ++ */ ++void hfi1_mmu_rb_release(struct kref *refcount) ++{ ++ struct mmu_rb_node *mnode = ++ container_of(refcount, struct mmu_rb_node, refcount); ++ struct mmu_rb_handler *handler = mnode->handler; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&handler->lock, flags); ++ list_move(&mnode->list, &mnode->handler->del_list); ++ spin_unlock_irqrestore(&handler->lock, flags); ++ queue_work(handler->wq, &handler->del_work); ++} ++ + void hfi1_mmu_rb_evict(struct mmu_rb_handler *handler, void *evict_arg) + { + struct mmu_rb_node *rbnode, *ptr; +@@ -235,6 +274,10 @@ void hfi1_mmu_rb_evict(struct mmu_rb_handler *handler, void *evict_arg) + + spin_lock_irqsave(&handler->lock, flags); + list_for_each_entry_safe(rbnode, ptr, &handler->lru_list, list) { ++ /* refcount == 1 implies mmu_rb_handler has only rbnode ref */ ++ if (kref_read(&rbnode->refcount) > 1) ++ continue; ++ + if (handler->ops->evict(handler->ops_arg, rbnode, evict_arg, + &stop)) { + __mmu_int_rb_remove(rbnode, &handler->root); +@@ -247,7 +290,7 @@ void hfi1_mmu_rb_evict(struct mmu_rb_handler *handler, void *evict_arg) + spin_unlock_irqrestore(&handler->lock, flags); + + list_for_each_entry_safe(rbnode, ptr, &del_list, list) { +- handler->ops->remove(handler->ops_arg, rbnode); ++ kref_put(&rbnode->refcount, release_immediate); + } + } + +@@ -259,7 +302,6 @@ static int mmu_notifier_range_start(struct mmu_notifier *mn, + struct rb_root_cached *root = &handler->root; + struct mmu_rb_node *node, *ptr = NULL; + unsigned long flags; +- bool added = false; + + spin_lock_irqsave(&handler->lock, flags); + for (node = __mmu_int_rb_iter_first(root, range->start, range->end-1); +@@ -268,38 +310,16 @@ static int mmu_notifier_range_start(struct 
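Review bot: The header comment on hfi1_mmu_rb_release() says it does not remove the node from handler->lru_list, but `list_move(&mnode->list, &mnode->handler->del_list)` unlinks `mnode->list` from whatever list it is on. The hfi1_mmu_rb_insert() context in this patch links that same member into lru_list. If the contract is that the node has already left the tree and the LRU when the last reference drops, the comment should state it as a precondition, e.g. `Caller must already have removed the node from handler->root; the node is moved from its current list to handler->del_list.` As a style point, the body can use the local it already has: `list_move(&mnode->list, &handler->del_list);`.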
mmu_notifier *mn, + ptr = __mmu_int_rb_iter_next(node, range->start, + range->end - 1); + trace_hfi1_mmu_mem_invalidate(node->addr, node->len); +- if (handler->ops->invalidate(handler->ops_arg, node)) { +- __mmu_int_rb_remove(node, root); +- /* move from LRU list to delete list */ +- list_move(&node->list, &handler->del_list); +- added = true; +- } ++ /* Remove from rb tree and lru_list. */ ++ __mmu_int_rb_remove(node, root); ++ list_del_init(&node->list); ++ kref_put(&node->refcount, release_nolock); + } + spin_unlock_irqrestore(&handler->lock, flags); + +- if (added) +- queue_work(handler->wq, &handler->del_work); +- + return 0; + } + +-/* +- * Call the remove function for the given handler and the list. This +- * is expected to be called with a delete list extracted from handler. +- * The caller should not be holding the handler lock. +- */ +-static void do_remove(struct mmu_rb_handler *handler, +- struct list_head *del_list) +-{ +- struct mmu_rb_node *node; +- +- while (!list_empty(del_list)) { +- node = list_first_entry(del_list, struct mmu_rb_node, list); +- list_del(&node->list); +- handler->ops->remove(handler->ops_arg, node); +- } +-} +- + /* + * Work queue function to remove all nodes that have been queued up to + * be removed. 
The key feature is that mm->mmap_lock is not being held +@@ -312,11 +332,16 @@ static void handle_remove(struct work_struct *work) + del_work); + struct list_head del_list; + unsigned long flags; ++ struct mmu_rb_node *node; + + /* remove anything that is queued to get removed */ + spin_lock_irqsave(&handler->lock, flags); + list_replace_init(&handler->del_list, &del_list); + spin_unlock_irqrestore(&handler->lock, flags); + +- do_remove(handler, &del_list); ++ while (!list_empty(&del_list)) { ++ node = list_first_entry(&del_list, struct mmu_rb_node, list); ++ list_del(&node->list); ++ handler->ops->remove(handler->ops_arg, node); ++ } + } +diff --git a/drivers/infiniband/hw/hfi1/mmu_rb.h b/drivers/infiniband/hw/hfi1/mmu_rb.h +index 0265d81c62061..be85537d23267 100644 +--- a/drivers/infiniband/hw/hfi1/mmu_rb.h ++++ b/drivers/infiniband/hw/hfi1/mmu_rb.h +@@ -57,6 +57,7 @@ struct mmu_rb_node { + struct rb_node node; + struct mmu_rb_handler *handler; + struct list_head list; ++ struct kref refcount; + }; + + /* +@@ -92,6 +93,8 @@ int hfi1_mmu_rb_register(void *ops_arg, + void hfi1_mmu_rb_unregister(struct mmu_rb_handler *handler); + int hfi1_mmu_rb_insert(struct mmu_rb_handler *handler, + struct mmu_rb_node *mnode); ++void hfi1_mmu_rb_release(struct kref *refcount); ++ + void hfi1_mmu_rb_evict(struct mmu_rb_handler *handler, void *evict_arg); + struct mmu_rb_node *hfi1_mmu_rb_get_first(struct mmu_rb_handler *handler, + unsigned long addr, +diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c +index 728bf122ee0a7..2dc97de434a5e 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.c ++++ b/drivers/infiniband/hw/hfi1/sdma.c +@@ -1635,7 +1635,20 @@ static inline void sdma_unmap_desc( + struct hfi1_devdata *dd, + struct sdma_desc *descp) + { +- system_descriptor_complete(dd, descp); ++ switch (sdma_mapping_type(descp)) { ++ case SDMA_MAP_SINGLE: ++ dma_unmap_single(&dd->pcidev->dev, sdma_mapping_addr(descp), ++ sdma_mapping_len(descp), DMA_TO_DEVICE); 
++ break; ++ case SDMA_MAP_PAGE: ++ dma_unmap_page(&dd->pcidev->dev, sdma_mapping_addr(descp), ++ sdma_mapping_len(descp), DMA_TO_DEVICE); ++ break; ++ } ++ ++ if (descp->pinning_ctx && descp->ctx_put) ++ descp->ctx_put(descp->pinning_ctx); ++ descp->pinning_ctx = NULL; + } + + /* +@@ -3155,8 +3168,8 @@ int ext_coal_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx, + + /* Add descriptor for coalesce buffer */ + tx->desc_limit = MAX_DESC; +- return _sdma_txadd_daddr(dd, SDMA_MAP_SINGLE, NULL, tx, +- addr, tx->tlen); ++ return _sdma_txadd_daddr(dd, SDMA_MAP_SINGLE, tx, ++ addr, tx->tlen, NULL, NULL, NULL); + } + + return 1; +@@ -3199,9 +3212,9 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + make_tx_sdma_desc( + tx, + SDMA_MAP_NONE, +- NULL, + dd->sdma_pad_phys, +- sizeof(u32) - (tx->packet_len & (sizeof(u32) - 1))); ++ sizeof(u32) - (tx->packet_len & (sizeof(u32) - 1)), ++ NULL, NULL, NULL); + tx->num_desc++; + _sdma_close_tx(dd, tx); + return rval; +diff --git a/drivers/infiniband/hw/hfi1/sdma.h b/drivers/infiniband/hw/hfi1/sdma.h +index 5a372ca1f6acf..7611f09d78dca 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.h ++++ b/drivers/infiniband/hw/hfi1/sdma.h +@@ -635,9 +635,11 @@ static inline dma_addr_t sdma_mapping_addr(struct sdma_desc *d) + static inline void make_tx_sdma_desc( + struct sdma_txreq *tx, + int type, +- void *pinning_ctx, + dma_addr_t addr, +- size_t len) ++ size_t len, ++ void *pinning_ctx, ++ void (*ctx_get)(void *), ++ void (*ctx_put)(void *)) + { + struct sdma_desc *desc = &tx->descp[tx->num_desc]; + +@@ -654,7 +656,11 @@ static inline void make_tx_sdma_desc( + << SDMA_DESC0_PHY_ADDR_SHIFT) | + (((u64)len & SDMA_DESC0_BYTE_COUNT_MASK) + << SDMA_DESC0_BYTE_COUNT_SHIFT); ++ + desc->pinning_ctx = pinning_ctx; ++ desc->ctx_put = ctx_put; ++ if (pinning_ctx && ctx_get) ++ ctx_get(pinning_ctx); + } + + /* helper to extend txreq */ +@@ -686,18 +692,20 @@ static inline void _sdma_close_tx(struct hfi1_devdata *dd, + 
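Review bot: make_tx_sdma_desc() stores `ctx_put` unconditionally but calls `ctx_get` only when both it and `pinning_ctx` are non-NULL. A caller passing a put callback without a get callback would therefore get a put in sdma_unmap_desc() for a reference the descriptor never took. Every caller visible in this excerpt passes either both callbacks or `NULL, NULL, NULL`, so this concerns the contract rather than a current bug. The kernel-doc added to sdma_txadd_page() describes each callback as optional on its own; I would either say there that they must be supplied as a pair, or enforce it next to the assignment with `WARN_ON_ONCE(!ctx_get != !ctx_put);`.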
static inline int _sdma_txadd_daddr( + struct hfi1_devdata *dd, + int type, +- void *pinning_ctx, + struct sdma_txreq *tx, + dma_addr_t addr, +- u16 len) ++ u16 len, ++ void *pinning_ctx, ++ void (*ctx_get)(void *), ++ void (*ctx_put)(void *)) + { + int rval = 0; + + make_tx_sdma_desc( + tx, + type, +- pinning_ctx, +- addr, len); ++ addr, len, ++ pinning_ctx, ctx_get, ctx_put); + WARN_ON(len > tx->tlen); + tx->num_desc++; + tx->tlen -= len; +@@ -717,11 +725,18 @@ static inline int _sdma_txadd_daddr( + /** + * sdma_txadd_page() - add a page to the sdma_txreq + * @dd: the device to use for mapping +- * @pinning_ctx: context to be released at descriptor retirement + * @tx: tx request to which the page is added + * @page: page to map + * @offset: offset within the page + * @len: length in bytes ++ * @pinning_ctx: context to be stored on struct sdma_desc .pinning_ctx. Not ++ * added if coalesce buffer is used. E.g. pointer to pinned-page ++ * cache entry for the sdma_desc. ++ * @ctx_get: optional function to take reference to @pinning_ctx. Not called if ++ * @pinning_ctx is NULL. ++ * @ctx_put: optional function to release reference to @pinning_ctx after ++ * sdma_desc completes. May be called in interrupt context so must ++ * not sleep. Not called if @pinning_ctx is NULL. + * + * This is used to add a page/offset/length descriptor. 
+ * +@@ -733,11 +748,13 @@ static inline int _sdma_txadd_daddr( + */ + static inline int sdma_txadd_page( + struct hfi1_devdata *dd, +- void *pinning_ctx, + struct sdma_txreq *tx, + struct page *page, + unsigned long offset, +- u16 len) ++ u16 len, ++ void *pinning_ctx, ++ void (*ctx_get)(void *), ++ void (*ctx_put)(void *)) + { + dma_addr_t addr; + int rval; +@@ -761,7 +778,8 @@ static inline int sdma_txadd_page( + return -ENOSPC; + } + +- return _sdma_txadd_daddr(dd, SDMA_MAP_PAGE, pinning_ctx, tx, addr, len); ++ return _sdma_txadd_daddr(dd, SDMA_MAP_PAGE, tx, addr, len, ++ pinning_ctx, ctx_get, ctx_put); + } + + /** +@@ -795,8 +813,8 @@ static inline int sdma_txadd_daddr( + return rval; + } + +- return _sdma_txadd_daddr(dd, SDMA_MAP_NONE, NULL, tx, +- addr, len); ++ return _sdma_txadd_daddr(dd, SDMA_MAP_NONE, tx, addr, len, ++ NULL, NULL, NULL); + } + + /** +@@ -842,7 +860,8 @@ static inline int sdma_txadd_kvaddr( + return -ENOSPC; + } + +- return _sdma_txadd_daddr(dd, SDMA_MAP_SINGLE, NULL, tx, addr, len); ++ return _sdma_txadd_daddr(dd, SDMA_MAP_SINGLE, tx, addr, len, ++ NULL, NULL, NULL); + } + + struct iowait_work; +@@ -1093,6 +1112,4 @@ u16 sdma_get_descq_cnt(void); + extern uint mod_num_sdma; + + void sdma_update_lmc(struct hfi1_devdata *dd, u64 mask, u32 lid); +- +-void system_descriptor_complete(struct hfi1_devdata *dd, struct sdma_desc *descp); + #endif +diff --git a/drivers/infiniband/hw/hfi1/sdma_txreq.h b/drivers/infiniband/hw/hfi1/sdma_txreq.h +index 4204650cebc29..fb091b5834b5d 100644 +--- a/drivers/infiniband/hw/hfi1/sdma_txreq.h ++++ b/drivers/infiniband/hw/hfi1/sdma_txreq.h +@@ -62,6 +62,8 @@ struct sdma_desc { + /* private: don't use directly */ + u64 qw[2]; + void *pinning_ctx; ++ /* Release reference to @pinning_ctx. May be called in interrupt context. Must not sleep. 
*/ ++ void (*ctx_put)(void *ctx); + }; + + /** +diff --git a/drivers/infiniband/hw/hfi1/user_sdma.c b/drivers/infiniband/hw/hfi1/user_sdma.c +index 3f49633bf9855..a67791187d46d 100644 +--- a/drivers/infiniband/hw/hfi1/user_sdma.c ++++ b/drivers/infiniband/hw/hfi1/user_sdma.c +@@ -103,18 +103,14 @@ static int defer_packet_queue( + static void activate_packet_queue(struct iowait *wait, int reason); + static bool sdma_rb_filter(struct mmu_rb_node *node, unsigned long addr, + unsigned long len); +-static int sdma_rb_insert(void *arg, struct mmu_rb_node *mnode); + static int sdma_rb_evict(void *arg, struct mmu_rb_node *mnode, + void *arg2, bool *stop); + static void sdma_rb_remove(void *arg, struct mmu_rb_node *mnode); +-static int sdma_rb_invalidate(void *arg, struct mmu_rb_node *mnode); + + static struct mmu_rb_ops sdma_rb_ops = { + .filter = sdma_rb_filter, +- .insert = sdma_rb_insert, + .evict = sdma_rb_evict, + .remove = sdma_rb_remove, +- .invalidate = sdma_rb_invalidate + }; + + static int add_system_pages_to_sdma_packet(struct user_sdma_request *req, +@@ -288,14 +284,14 @@ int hfi1_user_sdma_free_queues(struct hfi1_filedata *fd, + spin_unlock(&fd->pq_rcu_lock); + synchronize_srcu(&fd->pq_srcu); + /* at this point there can be no more new requests */ +- if (pq->handler) +- hfi1_mmu_rb_unregister(pq->handler); + iowait_sdma_drain(&pq->busy); + /* Wait until all requests have been freed. 
*/ + wait_event_interruptible( + pq->wait, + !atomic_read(&pq->n_reqs)); + kfree(pq->reqs); ++ if (pq->handler) ++ hfi1_mmu_rb_unregister(pq->handler); + bitmap_free(pq->req_in_use); + kmem_cache_destroy(pq->txreq_cache); + flush_pq_iowait(pq); +@@ -1316,25 +1312,17 @@ static void free_system_node(struct sdma_mmu_node *node) + kfree(node); + } + +-static inline void acquire_node(struct sdma_mmu_node *node) +-{ +- atomic_inc(&node->refcount); +- WARN_ON(atomic_read(&node->refcount) < 0); +-} +- +-static inline void release_node(struct mmu_rb_handler *handler, +- struct sdma_mmu_node *node) +-{ +- atomic_dec(&node->refcount); +- WARN_ON(atomic_read(&node->refcount) < 0); +-} +- ++/* ++ * kref_get()'s an additional kref on the returned rb_node to prevent rb_node ++ * from being released until after rb_node is assigned to an SDMA descriptor ++ * (struct sdma_desc) under add_system_iovec_to_sdma_packet(), even if the ++ * virtual address range for rb_node is invalidated between now and then. 
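Review bot: Moving hfi1_mmu_rb_unregister() after the wait makes teardown in hfi1_user_sdma_free_queues() depend on `wait_event_interruptible(pq->wait, !atomic_read(&pq->n_reqs))` actually waiting, yet its return value is ignored, so a signal can end the wait while requests are still outstanding. Descriptors of those requests can still carry a `ctx_put` that reaches hfi1_mmu_rb_release(), which dereferences `mnode->handler`. Whether unregister frees the handler is outside this hunk, so please confirm. If the wait has to complete before teardown continues, `wait_event(pq->wait, !atomic_read(&pq->n_reqs));` says so directly.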
++ */ + static struct sdma_mmu_node *find_system_node(struct mmu_rb_handler *handler, + unsigned long start, + unsigned long end) + { + struct mmu_rb_node *rb_node; +- struct sdma_mmu_node *node; + unsigned long flags; + + spin_lock_irqsave(&handler->lock, flags); +@@ -1343,11 +1331,12 @@ static struct sdma_mmu_node *find_system_node(struct mmu_rb_handler *handler, + spin_unlock_irqrestore(&handler->lock, flags); + return NULL; + } +- node = container_of(rb_node, struct sdma_mmu_node, rb); +- acquire_node(node); ++ ++ /* "safety" kref to prevent release before add_system_iovec_to_sdma_packet() */ ++ kref_get(&rb_node->refcount); + spin_unlock_irqrestore(&handler->lock, flags); + +- return node; ++ return container_of(rb_node, struct sdma_mmu_node, rb); + } + + static int pin_system_pages(struct user_sdma_request *req, +@@ -1396,6 +1385,13 @@ static int pin_system_pages(struct user_sdma_request *req, + return 0; + } + ++/* ++ * kref refcount on *node_p will be 2 on successful addition: one kref from ++ * kref_init() for mmu_rb_handler and one kref to prevent *node_p from being ++ * released until after *node_p is assigned to an SDMA descriptor (struct ++ * sdma_desc) under add_system_iovec_to_sdma_packet(), even if the virtual ++ * address range for *node_p is invalidated between now and then. 
++ */
+ static int add_system_pinning(struct user_sdma_request *req,
+ struct sdma_mmu_node **node_p,
+ unsigned long start, unsigned long len)
+@@ -1409,6 +1405,12 @@ static int add_system_pinning(struct user_sdma_request *req,
+ if (!node)
+ return -ENOMEM;
+
++ /* First kref "moves" to mmu_rb_handler */
++ kref_init(&node->rb.refcount);
++
++ /* "safety" kref to prevent release before add_system_iovec_to_sdma_packet() */
++ kref_get(&node->rb.refcount);
++
+ node->pq = pq;
+ ret = pin_system_pages(req, start, len, node, PFN_DOWN(len));
+ if (ret == 0) {
+@@ -1472,15 +1474,15 @@ static int get_system_cache_entry(struct user_sdma_request *req,
+ return 0;
+ }
+
+- SDMA_DBG(req, "prepend: node->rb.addr %lx, node->refcount %d",
+- node->rb.addr, atomic_read(&node->refcount));
++ SDMA_DBG(req, "prepend: node->rb.addr %lx, node->rb.refcount %d",
++ node->rb.addr, kref_read(&node->rb.refcount));
+ prepend_len = node->rb.addr - start;
+
+ /*
+ * This node will not be returned, instead a new node
+ * will be. So release the reference.
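Review bot: Both references are taken before pin_system_pages() has run, so every failure path after this point has to dispose of a node whose refcount is already 2. The rest of add_system_pinning() lies outside the hunk; if those paths free the node directly instead of going through kref_put(), that is safe only while nothing else can hold a reference yet. A comment above `node->pq = pq;` such as `/* node is not yet visible to the handler; error paths below may free it directly */` would record that assumption, or the two kref calls could move to just before the node is inserted.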
+ */
+- release_node(handler, node);
++ kref_put(&node->rb.refcount, hfi1_mmu_rb_release);
+
+ /* Prepend a node to cover the beginning of the allocation */
+ ret = add_system_pinning(req, node_p, start, prepend_len);
+@@ -1492,6 +1494,20 @@ static int get_system_cache_entry(struct user_sdma_request *req,
+ }
+ }
+
++static void sdma_mmu_rb_node_get(void *ctx)
++{
++ struct mmu_rb_node *node = ctx;
++
++ kref_get(&node->refcount);
++}
++
++static void sdma_mmu_rb_node_put(void *ctx)
++{
++ struct sdma_mmu_node *node = ctx;
++
++ kref_put(&node->rb.refcount, hfi1_mmu_rb_release);
++}
++
+ static int add_mapping_to_sdma_packet(struct user_sdma_request *req,
+ struct user_sdma_txreq *tx,
+ struct sdma_mmu_node *cache_entry,
+@@ -1535,9 +1551,12 @@ static int add_mapping_to_sdma_packet(struct user_sdma_request *req,
+ ctx = cache_entry;
+ }
+
+- ret = sdma_txadd_page(pq->dd, ctx, &tx->txreq,
++ ret = sdma_txadd_page(pq->dd, &tx->txreq,
+ cache_entry->pages[page_index],
+- page_offset, from_this_page);
++ page_offset, from_this_page,
++ ctx,
++ sdma_mmu_rb_node_get,
++ sdma_mmu_rb_node_put);
+ if (ret) {
+ /*
+ * When there's a failure, the entire request is freed by
+@@ -1559,8 +1578,6 @@ static int add_system_iovec_to_sdma_packet(struct user_sdma_request *req,
+ struct user_sdma_iovec *iovec,
+ size_t from_this_iovec)
+ {
+- struct mmu_rb_handler *handler = req->pq->handler;
+-
+ while (from_this_iovec > 0) {
+ struct sdma_mmu_node *cache_entry;
+ size_t from_this_cache_entry;
+@@ -1581,15 +1598,15 @@ static int add_system_iovec_to_sdma_packet(struct user_sdma_request *req,
+
+ ret = add_mapping_to_sdma_packet(req, tx, cache_entry, start,
+ from_this_cache_entry);
++
++ /*
++ * Done adding cache_entry to zero or more sdma_desc. Can
++ * kref_put() the "safety" kref taken under
++ * get_system_cache_entry().
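Review bot: The updated SDMA_DBG() call in get_system_cache_entry() still prints the count with `%d`, but kref_read() returns an unsigned int. The format should become `"prepend: node->rb.addr %lx, node->rb.refcount %u"`. The function starts and ends outside this hunk.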
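Review bot: sdma_mmu_rb_node_get() reads ctx as a `struct mmu_rb_node *` while sdma_mmu_rb_node_put() reads the same pointer as a `struct sdma_mmu_node *`; the two agree only because `rb` is the first member of struct sdma_mmu_node, as the user_sdma.h hunk shows. The caller in add_mapping_to_sdma_packet() passes `ctx = cache_entry`, a struct sdma_mmu_node pointer, so the get side should use that type too: `struct sdma_mmu_node *node = ctx;` followed by `kref_get(&node->rb.refcount);`. As written, reordering the struct members would make the get callback increment unrelated memory with no compiler diagnostic, since the conversion goes through `void *`.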
++ */
++ kref_put(&cache_entry->rb.refcount, hfi1_mmu_rb_release);
++
+ if (ret) {
+- /*
+- * We're guaranteed that there will be no descriptor
+- * completion callback that releases this node
+- * because only the last descriptor referencing it
+- * has a context attached, and a failure means the
+- * last descriptor was never added.
+- */
+- release_node(handler, cache_entry);
+ SDMA_DBG(req, "add system segment failed %d", ret);
+ return ret;
+ }
+@@ -1640,42 +1657,12 @@ static int add_system_pages_to_sdma_packet(struct user_sdma_request *req,
+ return 0;
+ }
+
+-void system_descriptor_complete(struct hfi1_devdata *dd,
+- struct sdma_desc *descp)
+-{
+- switch (sdma_mapping_type(descp)) {
+- case SDMA_MAP_SINGLE:
+- dma_unmap_single(&dd->pcidev->dev, sdma_mapping_addr(descp),
+- sdma_mapping_len(descp), DMA_TO_DEVICE);
+- break;
+- case SDMA_MAP_PAGE:
+- dma_unmap_page(&dd->pcidev->dev, sdma_mapping_addr(descp),
+- sdma_mapping_len(descp), DMA_TO_DEVICE);
+- break;
+- }
+-
+- if (descp->pinning_ctx) {
+- struct sdma_mmu_node *node = descp->pinning_ctx;
+-
+- release_node(node->rb.handler, node);
+- }
+-}
+-
+ static bool sdma_rb_filter(struct mmu_rb_node *node, unsigned long addr,
+ unsigned long len)
+ {
+ return (bool)(node->addr == addr);
+ }
+
+-static int sdma_rb_insert(void *arg, struct mmu_rb_node *mnode)
+-{
+- struct sdma_mmu_node *node =
+- container_of(mnode, struct sdma_mmu_node, rb);
+-
+- atomic_inc(&node->refcount);
+- return 0;
+-}
+-
+ /*
+ * Return 1 to remove the node from the rb tree and call the remove op.
+ *
+@@ -1688,10 +1675,6 @@ static int sdma_rb_evict(void *arg, struct mmu_rb_node *mnode,
+ container_of(mnode, struct sdma_mmu_node, rb);
+ struct evict_data *evict_data = evict_arg;
+
+- /* is this node still being used?
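Review bot: The new comment in add_system_iovec_to_sdma_packet() should also state that cache_entry may be freed by this kref_put(), since the loop gives up its only reference here. If no descriptor took a reference of its own (presumably the case when add_mapping_to_sdma_packet() fails early) and the range has been invalidated, this put can be the last one. Nothing in the visible lines touches cache_entry afterwards, but the loop body continues outside the hunk. I would append `cache_entry must not be dereferenced past this point.` to the comment.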
*/
+- if (atomic_read(&node->refcount))
+- return 0; /* keep this node */
+-
+ /* this node will be evicted, add its pages to our count */
+ evict_data->cleared += node->npages;
+
+@@ -1709,13 +1692,3 @@ static void sdma_rb_remove(void *arg, struct mmu_rb_node *mnode)
+
+ free_system_node(node);
+ }
+-
+-static int sdma_rb_invalidate(void *arg, struct mmu_rb_node *mnode)
+-{
+- struct sdma_mmu_node *node =
+- container_of(mnode, struct sdma_mmu_node, rb);
+-
+- if (!atomic_read(&node->refcount))
+- return 1;
+- return 0;
+-}
+diff --git a/drivers/infiniband/hw/hfi1/user_sdma.h b/drivers/infiniband/hw/hfi1/user_sdma.h
+index 9d417aacfa8b7..b2b26b71fcef0 100644
+--- a/drivers/infiniband/hw/hfi1/user_sdma.h
++++ b/drivers/infiniband/hw/hfi1/user_sdma.h
+@@ -145,7 +145,6 @@ struct hfi1_user_sdma_comp_q {
+ struct sdma_mmu_node {
+ struct mmu_rb_node rb;
+ struct hfi1_user_sdma_pkt_q *pq;
+- atomic_t refcount;
+ struct page **pages;
+ unsigned int npages;
+ };
+diff --git a/drivers/infiniband/hw/hfi1/vnic_sdma.c b/drivers/infiniband/hw/hfi1/vnic_sdma.c
+index 7658c620a125c..ab8bcdf104475 100644
+--- a/drivers/infiniband/hw/hfi1/vnic_sdma.c
++++ b/drivers/infiniband/hw/hfi1/vnic_sdma.c
+@@ -106,11 +106,11 @@ static noinline int build_vnic_ulp_payload(struct sdma_engine *sde,
+
+ /* combine physically continuous fragments later? */
+ ret = sdma_txadd_page(sde->dd,
+- NULL,
+ &tx->txreq,
+ skb_frag_page(frag),
+ skb_frag_off(frag),
+- skb_frag_size(frag));
++ skb_frag_size(frag),
++ NULL, NULL, NULL);
+ if (unlikely(ret))
+ goto bail_txadd;
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/ib-hfi1-use-bitmap_zalloc-when-applicable.patch b/tmp-5.10/ib-hfi1-use-bitmap_zalloc-when-applicable.patch
new file mode 100644
index 00000000000..cffe5618dcc
--- /dev/null
+++ b/tmp-5.10/ib-hfi1-use-bitmap_zalloc-when-applicable.patch
@@ -0,0 +1,60 @@
+From 854f7af34a3c8ff45221c9062afb9b802a127f1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Nov 2021 20:53:22 +0100
+Subject: IB/hfi1: Use bitmap_zalloc() when applicable
+
+From: Christophe JAILLET
+
+[ Upstream commit f86dbc9fc5d83384eae7eda0de17f823e8c81ca0 ]
+
+Use 'bitmap_zalloc()' to simplify code, improve the semantic and avoid
+some open-coded arithmetic in allocator arguments.
+
+Also change the corresponding 'kfree()' into 'bitmap_free()' to keep
+consistency.
+
+Link: https://lore.kernel.org/r/d46c6bc1869b8869244fa71943d2cad4104b3668.1637869925.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Jason Gunthorpe
+Stable-dep-of: c9358de193ec ("IB/hfi1: Fix wrong mmu_node used for user SDMA packet after invalidate")
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/hfi1/user_sdma.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/user_sdma.c b/drivers/infiniband/hw/hfi1/user_sdma.c
+index 1eb5a44a4ae6a..3f49633bf9855 100644
+--- a/drivers/infiniband/hw/hfi1/user_sdma.c
++++ b/drivers/infiniband/hw/hfi1/user_sdma.c
+@@ -202,9 +202,7 @@ int hfi1_user_sdma_alloc_queues(struct hfi1_ctxtdata *uctxt,
+ if (!pq->reqs)
+ goto pq_reqs_nomem;
+
+- pq->req_in_use = kcalloc(BITS_TO_LONGS(hfi1_sdma_comp_ring_size),
+- sizeof(*pq->req_in_use),
+- GFP_KERNEL);
++ pq->req_in_use = bitmap_zalloc(hfi1_sdma_comp_ring_size, GFP_KERNEL);
+ if (!pq->req_in_use)
+ goto pq_reqs_no_in_use;
+
+@@ -251,7 +249,7 @@ int hfi1_user_sdma_alloc_queues(struct hfi1_ctxtdata *uctxt,
+ cq_nomem:
+ kmem_cache_destroy(pq->txreq_cache);
+ pq_txreq_nomem:
+- kfree(pq->req_in_use);
++ bitmap_free(pq->req_in_use);
+ pq_reqs_no_in_use:
+ kfree(pq->reqs);
+ pq_reqs_nomem:
+@@ -298,7 +296,7 @@ int hfi1_user_sdma_free_queues(struct hfi1_filedata *fd,
+ pq->wait,
+ !atomic_read(&pq->n_reqs));
+ kfree(pq->reqs);
+- kfree(pq->req_in_use);
++ bitmap_free(pq->req_in_use);
+
kmem_cache_destroy(pq->txreq_cache);
+ flush_pq_iowait(pq);
+ kfree(pq);
+--
+2.39.2
+
diff --git a/tmp-5.10/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch b/tmp-5.10/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch
new file mode 100644
index 00000000000..aa2256cec62
--- /dev/null
+++ b/tmp-5.10/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch
@@ -0,0 +1,145 @@ +From fd4812e25f97d7173396b96409ed2a2b0b4ed5df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 18:43:27 -0700 +Subject: icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in + icmp6_dev(). + +From: Kuniyuki Iwashima + +[ Upstream commit 2aaa8a15de73874847d62eb595c6683bface80fd ] + +With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that +has the link-local address as src and dst IP and will be forwarded to +an external IP in the IPv6 Ext Hdr. + +For example, the script below generates a packet whose src IP is the +link-local address and dst is updated to 11::. + + # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done + # python3 + >>> from socket import * + >>> from scapy.all import * + >>> + >>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456" + >>> + >>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR) + >>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1) + >>> + >>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW) + >>> sk.sendto(bytes(pkt), (DST_ADDR, 0)) + +For such a packet, we call ip6_route_input() to look up a route for the +next destination in these three functions depending on the header type. + + * ipv6_rthdr_rcv() + * ipv6_rpl_srh_rcv() + * ipv6_srh_rcv() + +If no route is found, ip6_null_entry is set to skb, and the following +dst_input(skb) calls ip6_pkt_drop(). + +Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev +as the input device is the loopback interface. Then, we have to check if +skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref +for ip6_null_entry. 
+ +BUG: kernel NULL pointer dereference, address: 0000000000000000 + PF: supervisor read access in kernel mode + PF: error_code(0x0000) - not-present page +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP PTI +CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) +Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 +RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 +RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 +RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 +RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 +R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 +FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 +PKRU: 55555554 +Call Trace: + + ip6_pkt_drop (net/ipv6/route.c:4513) + ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686) + ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5)) + ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483) + __netif_receive_skb_one_core (net/core/dev.c:5455) + process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895) + __napi_poll (net/core/dev.c:6460) + net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660) + __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554) + do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) + + + __local_bh_enable_ip (kernel/softirq.c:381) + 
__dev_queue_xmit (net/core/dev.c:4231) + ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135) + rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914) + sock_sendmsg (net/socket.c:725 net/socket.c:748) + __sys_sendto (net/socket.c:2134) + __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142) + do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) +RIP: 0033:0x7f9dc751baea +Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +RSP: 002b:00007ffe98712c38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007ffe98712cf8 RCX: 00007f9dc751baea +RDX: 0000000000000060 RSI: 00007f9dc6460b90 RDI: 0000000000000003 +RBP: 00007f9dc56e8be0 R08: 00007ffe98712d70 R09: 000000000000001c +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007f9dc6af5d1b + +Modules linked in: +CR2: 0000000000000000 + ---[ end trace 0000000000000000 ]--- +RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) +Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 +RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 +RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 +RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 +RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 +R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 +FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 
CR0: 0000000080050033
+CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0
+PKRU: 55555554
+Kernel panic - not syncing: Fatal exception in interrupt
+Kernel Offset: disabled
+
+Fixes: 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address")
+Reported-by: Wang Yufen
+Closes: https://lore.kernel.org/netdev/c41403a9-c2f6-3b7e-0c96-e1901e605cd0@huawei.com/
+Signed-off-by: Kuniyuki Iwashima
+Reviewed-by: David Ahern
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/icmp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+index fd1f896115c1e..d01165bb6a32b 100644
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -429,7 +429,10 @@ static struct net_device *icmp6_dev(const struct sk_buff *skb)
+ if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) {
+ const struct rt6_info *rt6 = skb_rt6_info(skb);
+
+- if (rt6)
++ /* The destination could be an external IP in Ext Hdr (SRv6, RPL, etc.),
++ * and ip6_null_entry could be set to skb if no route is found.
++ */
++ if (rt6 && rt6->rt6i_idev)
+ dev = rt6->rt6i_idev->dev;
+ }
+
+--
+2.39.2
+
diff --git a/tmp-5.10/igb-fix-igb_down-hung-on-surprise-removal.patch b/tmp-5.10/igb-fix-igb_down-hung-on-surprise-removal.patch
new file mode 100644
index 00000000000..e4a166a1081
--- /dev/null
+++ b/tmp-5.10/igb-fix-igb_down-hung-on-surprise-removal.patch
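Review bot: The added comment in icmp6_dev() explains why `rt6->rt6i_idev` can be NULL but not which device the function then returns. When the new test fails, `dev` keeps the value assigned before the hunk, which from the surrounding condition is the loopback or L3-master device (presumably skb->dev; the assignment is outside the hunk). I would add one line to the comment, `* In that case dev is left unchanged.`, so a reader does not have to infer the fallback from the control flow.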
@@ -0,0 +1,89 @@ +From d1b5b76e89bade94a485030ca38a1277811a7f78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 10:47:32 -0700 +Subject: igb: Fix igb_down hung on surprise removal + +From: Ying Hsu + +[ Upstream commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 ] + +In a setup where a Thunderbolt hub connects to Ethernet and a display +through USB Type-C, users may experience a hung task timeout when they +remove the cable between the PC and the Thunderbolt hub. +This is because the igb_down function is called multiple times when +the Thunderbolt hub is unplugged. For example, the igb_io_error_detected +triggers the first call, and the igb_remove triggers the second call. +The second call to igb_down will block at napi_synchronize. +Here's the call trace: + __schedule+0x3b0/0xddb + ? __mod_timer+0x164/0x5d3 + schedule+0x44/0xa8 + schedule_timeout+0xb2/0x2a4 + ? run_local_timers+0x4e/0x4e + msleep+0x31/0x38 + igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4] + __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4] + igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4] + __dev_close_many+0x95/0xec + dev_close_many+0x6e/0x103 + unregister_netdevice_many+0x105/0x5b1 + unregister_netdevice_queue+0xc2/0x10d + unregister_netdev+0x1c/0x23 + igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4] + pci_device_remove+0x3f/0x9c + device_release_driver_internal+0xfe/0x1b4 + pci_stop_bus_device+0x5b/0x7f + pci_stop_bus_device+0x30/0x7f + pci_stop_bus_device+0x30/0x7f + pci_stop_and_remove_bus_device+0x12/0x19 + pciehp_unconfigure_device+0x76/0xe9 + pciehp_disable_slot+0x6e/0x131 + pciehp_handle_presence_or_link_change+0x7a/0x3f7 + pciehp_ist+0xbe/0x194 + irq_thread_fn+0x22/0x4d + ? irq_thread+0x1fd/0x1fd + irq_thread+0x17b/0x1fd + ? irq_forced_thread_fn+0x5f/0x5f + kthread+0x142/0x153 + ? __irq_get_irqchip_state+0x46/0x46 + ? 
kthread_associate_blkcg+0x71/0x71
+ ret_from_fork+0x1f/0x30
+
+In this case, igb_io_error_detected detaches the network interface
+and requests a PCIE slot reset, however, the PCIE reset callback is
+not being invoked and thus the Ethernet connection breaks down.
+As the PCIE error in this case is a non-fatal one, requesting a
+slot reset can be avoided.
+This patch fixes the task hung issue and preserves Ethernet
+connection by ignoring non-fatal PCIE errors.
+
+Signed-off-by: Ying Hsu
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230620174732.4145155-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index c5f465814dec3..4465982100127 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -9453,6 +9453,11 @@ static pci_ers_result_t igb_io_error_detected(struct pci_dev *pdev,
+ struct net_device *netdev = pci_get_drvdata(pdev);
+ struct igb_adapter *adapter = netdev_priv(netdev);
+
++ if (state == pci_channel_io_normal) {
++ dev_warn(&pdev->dev, "Non-correctable non-fatal error reported.\n");
++ return PCI_ERS_RESULT_CAN_RECOVER;
++ }
++
+ netif_device_detach(netdev);
+
+ if (state == pci_channel_io_perm_failure)
+--
+2.39.2
+
diff --git a/tmp-5.10/igc-enable-and-fix-rx-hash-usage-by-netstack.patch b/tmp-5.10/igc-enable-and-fix-rx-hash-usage-by-netstack.patch
new file mode 100644
index 00000000000..742df6c9aa1
--- /dev/null
+++ b/tmp-5.10/igc-enable-and-fix-rx-hash-usage-by-netstack.patch
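Review bot: The new early return in igb_io_error_detected() logs with an unthrottled dev_warn(), so a device or link that keeps reporting non-fatal errors can fill the kernel log. Because this path now returns without detaching or resetting the device, nothing limits how often it runs; `dev_warn_ratelimited(&pdev->dev, "Non-correctable non-fatal error reported.\n");` keeps the diagnostic while bounding the output. The function body continues outside the hunk.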
@@ -0,0 +1,149 @@ +From e21a93d91af937916e22e329a86dfe710ae4d7fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 15:30:42 +0200 +Subject: igc: Enable and fix RX hash usage by netstack + +From: Jesper Dangaard Brouer + +[ Upstream commit 84214ab4689f962b4bfc47fc9a5838d25ac4274d ] + +When function igc_rx_hash() was introduced in v4.20 via commit 0507ef8a0372 +("igc: Add transmit and receive fastpath and interrupt handlers"), the +hardware wasn't configured to provide RSS hash, thus it made sense to not +enable net_device NETIF_F_RXHASH feature bit. + +The NIC hardware was configured to enable RSS hash info in v5.2 via commit +2121c2712f82 ("igc: Add multiple receive queues control supporting"), but +forgot to set the NETIF_F_RXHASH feature bit. + +The original implementation of igc_rx_hash() didn't extract the associated +pkt_hash_type, but statically set PKT_HASH_TYPE_L3. The largest portions of +this patch are about extracting the RSS Type from the hardware and mapping +this to enum pkt_hash_types. This was based on Foxville i225 software user +manual rev-1.3.1 and tested on Intel Ethernet Controller I225-LM (rev 03). + +For UDP it's worth noting that RSS (type) hashing have been disabled both for +IPv4 and IPv6 (see IGC_MRQC_RSS_FIELD_IPV4_UDP + IGC_MRQC_RSS_FIELD_IPV6_UDP) +because hardware RSS doesn't handle fragmented pkts well when enabled (can +cause out-of-order). This results in PKT_HASH_TYPE_L3 for UDP packets, and +hash value doesn't include UDP port numbers. Not being PKT_HASH_TYPE_L4, have +the effect that netstack will do a software based hash calc calling into +flow_dissect, but only when code calls skb_get_hash(), which doesn't +necessary happen for local delivery. 
+
+For QA verification testing I wrote a small bpftrace prog:
+ [0] https://github.com/xdp-project/xdp-project/blob/master/areas/hints/monitor_skb_hash_on_dev.bt
+
+Fixes: 2121c2712f82 ("igc: Add multiple receive queues control supporting")
+Signed-off-by: Jesper Dangaard Brouer
+Signed-off-by: Daniel Borkmann
+Acked-by: Song Yoong Siang
+Link: https://lore.kernel.org/bpf/168182464270.616355.11391652654430626584.stgit@firesoul
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc.h | 28 ++++++++++++++++++++
+ drivers/net/ethernet/intel/igc/igc_main.c | 31 ++++++++++++++++++++---
+ 2 files changed, 55 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h
+index 970dd878d8a76..47ba1eafcdc7b 100644
+--- a/drivers/net/ethernet/intel/igc/igc.h
++++ b/drivers/net/ethernet/intel/igc/igc.h
+@@ -13,6 +13,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "igc_hw.h"
+
+@@ -272,6 +273,33 @@ extern char igc_driver_name[];
+ #define IGC_MRQC_RSS_FIELD_IPV4_UDP 0x00400000
+ #define IGC_MRQC_RSS_FIELD_IPV6_UDP 0x00800000
+
++/* RX-desc Write-Back format RSS Type's */
++enum igc_rss_type_num {
++ IGC_RSS_TYPE_NO_HASH = 0,
++ IGC_RSS_TYPE_HASH_TCP_IPV4 = 1,
++ IGC_RSS_TYPE_HASH_IPV4 = 2,
++ IGC_RSS_TYPE_HASH_TCP_IPV6 = 3,
++ IGC_RSS_TYPE_HASH_IPV6_EX = 4,
++ IGC_RSS_TYPE_HASH_IPV6 = 5,
++ IGC_RSS_TYPE_HASH_TCP_IPV6_EX = 6,
++ IGC_RSS_TYPE_HASH_UDP_IPV4 = 7,
++ IGC_RSS_TYPE_HASH_UDP_IPV6 = 8,
++ IGC_RSS_TYPE_HASH_UDP_IPV6_EX = 9,
++ IGC_RSS_TYPE_MAX = 10,
++};
++#define IGC_RSS_TYPE_MAX_TABLE 16
++#define IGC_RSS_TYPE_MASK GENMASK(3,0) /* 4-bits (3:0) = mask 0x0F */
++
++/* igc_rss_type - Rx descriptor RSS type field */
++static inline u32 igc_rss_type(const union igc_adv_rx_desc *rx_desc)
++{
++ /* RSS Type 4-bits (3:0) number: 0-9 (above 9 is reserved)
++ * Accessing the same bits via u16 (wb.lower.lo_dword.hs_rss.pkt_info)
++ * is slightly slower than via u32 (wb.lower.lo_dword.data)
++
*/
++ return le32_get_bits(rx_desc->wb.lower.lo_dword.data, IGC_RSS_TYPE_MASK);
++}
++
+ /* Interrupt defines */
+ #define IGC_START_ITR 648 /* ~6000 ints/sec */
+ #define IGC_4K_ITR 980
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 3aa0efb542aaf..72d7d2cf126d1 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -1569,14 +1569,36 @@ static void igc_rx_checksum(struct igc_ring *ring,
+ le32_to_cpu(rx_desc->wb.upper.status_error));
+ }
+
++/* Mapping HW RSS Type to enum pkt_hash_types */
++static const enum pkt_hash_types igc_rss_type_table[IGC_RSS_TYPE_MAX_TABLE] = {
++ [IGC_RSS_TYPE_NO_HASH] = PKT_HASH_TYPE_L2,
++ [IGC_RSS_TYPE_HASH_TCP_IPV4] = PKT_HASH_TYPE_L4,
++ [IGC_RSS_TYPE_HASH_IPV4] = PKT_HASH_TYPE_L3,
++ [IGC_RSS_TYPE_HASH_TCP_IPV6] = PKT_HASH_TYPE_L4,
++ [IGC_RSS_TYPE_HASH_IPV6_EX] = PKT_HASH_TYPE_L3,
++ [IGC_RSS_TYPE_HASH_IPV6] = PKT_HASH_TYPE_L3,
++ [IGC_RSS_TYPE_HASH_TCP_IPV6_EX] = PKT_HASH_TYPE_L4,
++ [IGC_RSS_TYPE_HASH_UDP_IPV4] = PKT_HASH_TYPE_L4,
++ [IGC_RSS_TYPE_HASH_UDP_IPV6] = PKT_HASH_TYPE_L4,
++ [IGC_RSS_TYPE_HASH_UDP_IPV6_EX] = PKT_HASH_TYPE_L4,
++ [10] = PKT_HASH_TYPE_NONE, /* RSS Type above 9 "Reserved" by HW */
++ [11] = PKT_HASH_TYPE_NONE, /* keep array sized for SW bit-mask */
++ [12] = PKT_HASH_TYPE_NONE, /* to handle future HW revisons */
++ [13] = PKT_HASH_TYPE_NONE,
++ [14] = PKT_HASH_TYPE_NONE,
++ [15] = PKT_HASH_TYPE_NONE,
++};
++
+ static inline void igc_rx_hash(struct igc_ring *ring,
+ union igc_adv_rx_desc *rx_desc,
+ struct sk_buff *skb)
+ {
+- if (ring->netdev->features & NETIF_F_RXHASH)
+- skb_set_hash(skb,
+- le32_to_cpu(rx_desc->wb.lower.hi_dword.rss),
+- PKT_HASH_TYPE_L3);
++ if (ring->netdev->features & NETIF_F_RXHASH) {
++ u32 rss_hash = le32_to_cpu(rx_desc->wb.lower.hi_dword.rss);
++ u32 rss_type = igc_rss_type(rx_desc);
++
++ skb_set_hash(skb, rss_hash, igc_rss_type_table[rss_type]);
++ }
+ }
+
+ /**
+@@
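Review bot: The lookup `igc_rss_type_table[rss_type]` in igc_rx_hash() is indexed by a value read from a device-written descriptor, and it stays in bounds only because IGC_RSS_TYPE_MASK (4 bits) and IGC_RSS_TYPE_MAX_TABLE (16) happen to match; nothing enforces that. The two constants live in igc.h and the table in igc_main.c, so a later widening of the mask would turn the lookup into an out-of-bounds read with no build failure. I would pin the relation next to the table with `static_assert(IGC_RSS_TYPE_MAX_TABLE == IGC_RSS_TYPE_MASK + 1);`. Separately, the table comment spells "revisons" for "revisions".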
-5257,6 +5279,7 @@ static int igc_probe(struct pci_dev *pdev,
+ netdev->features |= NETIF_F_TSO;
+ netdev->features |= NETIF_F_TSO6;
+ netdev->features |= NETIF_F_TSO_ECN;
++ netdev->features |= NETIF_F_RXHASH;
+ netdev->features |= NETIF_F_RXCSUM;
+ netdev->features |= NETIF_F_HW_CSUM;
+ netdev->features |= NETIF_F_SCTP_CRC;
+--
+2.39.2
+
diff --git a/tmp-5.10/igc-fix-inserting-of-empty-frame-for-launchtime.patch b/tmp-5.10/igc-fix-inserting-of-empty-frame-for-launchtime.patch
new file mode 100644
index 00000000000..ea7234f31a1
--- /dev/null
+++ b/tmp-5.10/igc-fix-inserting-of-empty-frame-for-launchtime.patch
@@ -0,0 +1,128 @@ +From 28e19afbca0fa1e531bf500dfb1772f86514af4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 16:07:14 +0200 +Subject: igc: Fix inserting of empty frame for launchtime + +From: Florian Kauer + +[ Upstream commit 0bcc62858d6ba62cbade957d69745e6adeed5f3d ] + +The insertion of an empty frame was introduced with +commit db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit") +in order to ensure that the current cycle has at least one packet if +there is some packet to be scheduled for the next cycle. + +However, the current implementation does not properly check if +a packet is already scheduled for the current cycle. Currently, +an empty packet is always inserted if and only if +txtime >= end_of_cycle && txtime > last_tx_cycle +but since last_tx_cycle is always either the end of the current +cycle (end_of_cycle) or the end of a previous cycle, the +second part (txtime > last_tx_cycle) is always true unless +txtime == last_tx_cycle. + +What actually needs to be checked here is if the last_tx_cycle +was already written within the current cycle, so an empty frame +should only be inserted if and only if +txtime >= end_of_cycle && end_of_cycle > last_tx_cycle. + +This patch does not only avoid an unnecessary insertion, but it +can actually be harmful to insert an empty packet if packets +are already scheduled in the current cycle, because it can lead +to a situation where the empty packet is actually processed +as the first packet in the upcoming cycle shifting the packet +with the first_flag even one cycle into the future, finally leading +to a TX hang. 
+ +The TX hang can be reproduced on a i225 with: + + sudo tc qdisc replace dev enp1s0 parent root handle 100 taprio \ + num_tc 1 \ + map 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \ + queues 1@0 \ + base-time 0 \ + sched-entry S 01 300000 \ + flags 0x1 \ + txtime-delay 500000 \ + clockid CLOCK_TAI + sudo tc qdisc replace dev enp1s0 parent 100:1 etf \ + clockid CLOCK_TAI \ + delta 500000 \ + offload \ + skip_sock_check + +and traffic generator + + sudo trafgen -i traffic.cfg -o enp1s0 --cpp -n0 -q -t1400ns + +with traffic.cfg + + #define ETH_P_IP 0x0800 + + { + /* Ethernet Header */ + 0x30, 0x1f, 0x9a, 0xd0, 0xf0, 0x0e, # MAC Dest - adapt as needed + 0x24, 0x5e, 0xbe, 0x57, 0x2e, 0x36, # MAC Src - adapt as needed + const16(ETH_P_IP), + + /* IPv4 Header */ + 0b01000101, 0, # IPv4 version, IHL, TOS + const16(1028), # IPv4 total length (UDP length + 20 bytes (IP header)) + const16(2), # IPv4 ident + 0b01000000, 0, # IPv4 flags, fragmentation off + 64, # IPv4 TTL + 17, # Protocol UDP + csumip(14, 33), # IPv4 checksum + + /* UDP Header */ + 10, 0, 48, 1, # IP Src - adapt as needed + 10, 0, 48, 10, # IP Dest - adapt as needed + const16(5555), # UDP Src Port + const16(6666), # UDP Dest Port + const16(1008), # UDP length (UDP header 8 bytes + payload length) + csumudp(14, 34), # UDP checksum + + /* Payload */ + fill('W', 1000), + } + +and the observed message with that is for example + + igc 0000:01:00.0 enp1s0: Detected Tx Unit Hang + Tx Queue <0> + TDH <32> + TDT <3c> + next_to_use <3c> + next_to_clean <32> + buffer_info[next_to_clean] + time_stamp + next_to_watch <00000000632a1828> + jiffies + desc.status <1048000> + +Fixes: db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit") +Signed-off-by: Florian Kauer +Reviewed-by: Kurt Kanzenbach +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git 
a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 051b1048eb41b..631ce793fb2ec 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -918,7 +918,7 @@ static __le32 igc_tx_launchtime(struct igc_ring *ring, ktime_t txtime,
+ *first_flag = true;
+ ring->last_ff_cycle = baset_est;
+
+- if (ktime_compare(txtime, ring->last_tx_cycle) > 0)
++ if (ktime_compare(end_of_cycle, ring->last_tx_cycle) > 0)
+ *insert_empty = true;
+ }
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/igc-fix-launchtime-before-start-of-cycle.patch b/tmp-5.10/igc-fix-launchtime-before-start-of-cycle.patch
new file mode 100644
index 00000000000..a52262e4338
--- /dev/null
+++ b/tmp-5.10/igc-fix-launchtime-before-start-of-cycle.patch
@@ -0,0 +1,46 @@
+From 5bd9a05d5faa13c4939b72db846ba1a409b9bc39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jun 2023 16:07:13 +0200
+Subject: igc: Fix launchtime before start of cycle
+
+From: Florian Kauer
+
+[ Upstream commit c1bca9ac0bcb355be11354c2e68bc7bf31f5ac5a ]
+
+It is possible (verified on a running system) that frames are processed
+by igc_tx_launchtime with a txtime before the start of the cycle
+(baset_est).
+
+However, the result of txtime - baset_est is written into a u32,
+leading to a wrap around to a positive number. The following
+launchtime > 0 check will only branch to executing launchtime = 0
+if launchtime is already 0.
+
+Fix it by using a s32 before checking launchtime > 0.
+
+Fixes: db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit")
+Signed-off-by: Florian Kauer
+Reviewed-by: Kurt Kanzenbach
+Tested-by: Naama Meir
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 2b51ee87a2def..051b1048eb41b 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -905,7 +905,7 @@ static __le32 igc_tx_launchtime(struct igc_ring *ring, ktime_t txtime,
+ ktime_t base_time = adapter->base_time;
+ ktime_t now = ktime_get_clocktai();
+ ktime_t baset_est, end_of_cycle;
+- u32 launchtime;
++ s32 launchtime;
+ s64 n;
+
+ n = div64_s64(ktime_sub_ns(now, base_time), cycle_time);
+--
+2.39.2
+
diff --git a/tmp-5.10/igc-fix-race-condition-in-ptp-tx-code.patch b/tmp-5.10/igc-fix-race-condition-in-ptp-tx-code.patch
new file mode 100644
index 00000000000..172084562a4
--- /dev/null
+++ b/tmp-5.10/igc-fix-race-condition-in-ptp-tx-code.patch
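Review bot: Declaring `launchtime` as `s32` makes the later sign test work only while txtime minus baset_est fits in 32 bits of nanoseconds, roughly ±2.1 s. Per the commit message the 64-bit difference is stored straight into this variable, so a txtime further in the past than that would still wrap to a positive value. The assignment itself is outside the hunk, so this is inferred from the description. I would take the difference in 64 bits and test its sign before narrowing, for example `s64 delta = ktime_to_ns(ktime_sub(txtime, baset_est));` with `launchtime = 0` whenever `delta <= 0`.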
@@ -0,0 +1,237 @@ +From 36e6af181b7d5be161661f87e7e94c93c932e1c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jun 2023 14:32:29 -0700 +Subject: igc: Fix race condition in PTP tx code + +From: Vinicius Costa Gomes + +[ Upstream commit 9c50e2b150c8ee0eee5f8154e2ad168cdd748877 ] + +Currently, the igc driver supports timestamping only one tx packet at a +time. During the transmission flow, the skb that requires hardware +timestamping is saved in adapter->ptp_tx_skb. Once hardware has the +timestamp, an interrupt is delivered, and adapter->ptp_tx_work is +scheduled. In igc_ptp_tx_work(), we read the timestamp register, update +adapter->ptp_tx_skb, and notify the network stack. + +While the thread executing the transmission flow (the user process +running in kernel mode) and the thread executing ptp_tx_work don't +access adapter->ptp_tx_skb concurrently, there are two other places +where adapter->ptp_tx_skb is accessed: igc_ptp_tx_hang() and +igc_ptp_suspend(). + +igc_ptp_tx_hang() is executed by the adapter->watchdog_task worker +thread which runs periodically so it is possible we have two threads +accessing ptp_tx_skb at the same time. Consider the following scenario: +right after __IGC_PTP_TX_IN_PROGRESS is set in igc_xmit_frame_ring(), +igc_ptp_tx_hang() is executed. Since adapter->ptp_tx_start hasn't been +written yet, this is considered a timeout and adapter->ptp_tx_skb is +cleaned up. + +This patch fixes the issue described above by adding the ptp_tx_lock to +protect access to ptp_tx_skb and ptp_tx_start fields from igc_adapter. +Since igc_xmit_frame_ring() called in atomic context by the networking +stack, ptp_tx_lock is defined as a spinlock, and the irq safe variants +of lock/unlock are used. + +With the introduction of the ptp_tx_lock, the __IGC_PTP_TX_IN_PROGRESS +flag doesn't provide much of a use anymore so this patch gets rid of it. 
+ +Fixes: 2c344ae24501 ("igc: Add support for TX timestamping") +Signed-off-by: Andre Guedes +Signed-off-by: Vinicius Costa Gomes +Reviewed-by: Kurt Kanzenbach +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc.h | 5 +- + drivers/net/ethernet/intel/igc/igc_main.c | 9 ++-- + drivers/net/ethernet/intel/igc/igc_ptp.c | 57 ++++++++++++----------- + 3 files changed, 41 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h +index 47ba1eafcdc7b..33f64c80335d3 100644 +--- a/drivers/net/ethernet/intel/igc/igc.h ++++ b/drivers/net/ethernet/intel/igc/igc.h +@@ -210,6 +210,10 @@ struct igc_adapter { + struct ptp_clock *ptp_clock; + struct ptp_clock_info ptp_caps; + struct work_struct ptp_tx_work; ++ /* Access to ptp_tx_skb and ptp_tx_start are protected by the ++ * ptp_tx_lock. ++ */ ++ spinlock_t ptp_tx_lock; + struct sk_buff *ptp_tx_skb; + struct hwtstamp_config tstamp_config; + unsigned long ptp_tx_start; +@@ -389,7 +393,6 @@ enum igc_state_t { + __IGC_TESTING, + __IGC_RESETTING, + __IGC_DOWN, +- __IGC_PTP_TX_IN_PROGRESS, + }; + + enum igc_tx_flags { +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 72d7d2cf126d1..a15e4b6d7fa40 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -1467,9 +1467,10 @@ static netdev_tx_t igc_xmit_frame_ring(struct sk_buff *skb, + * the other timer registers before skipping the + * timestamping request. 
+ */ +- if (adapter->tstamp_config.tx_type == HWTSTAMP_TX_ON && +- !test_and_set_bit_lock(__IGC_PTP_TX_IN_PROGRESS, +- &adapter->state)) { ++ unsigned long flags; ++ ++ spin_lock_irqsave(&adapter->ptp_tx_lock, flags); ++ if (adapter->tstamp_config.tx_type == HWTSTAMP_TX_ON && !adapter->ptp_tx_skb) { + skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS; + tx_flags |= IGC_TX_FLAGS_TSTAMP; + +@@ -1478,6 +1479,8 @@ static netdev_tx_t igc_xmit_frame_ring(struct sk_buff *skb, + } else { + adapter->tx_hwtstamp_skipped++; + } ++ ++ spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags); + } + + /* record initial flags and protocol */ +diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c +index ef53f7665b58c..25b238c6a675c 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ptp.c ++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c +@@ -323,6 +323,7 @@ static int igc_ptp_set_timestamp_mode(struct igc_adapter *adapter, + return 0; + } + ++/* Requires adapter->ptp_tx_lock held by caller. */ + static void igc_ptp_tx_timeout(struct igc_adapter *adapter) + { + struct igc_hw *hw = &adapter->hw; +@@ -330,7 +331,6 @@ static void igc_ptp_tx_timeout(struct igc_adapter *adapter) + dev_kfree_skb_any(adapter->ptp_tx_skb); + adapter->ptp_tx_skb = NULL; + adapter->tx_hwtstamp_timeouts++; +- clear_bit_unlock(__IGC_PTP_TX_IN_PROGRESS, &adapter->state); + /* Clear the tx valid bit in TSYNCTXCTL register to enable interrupt. 
*/ + rd32(IGC_TXSTMPH); + netdev_warn(adapter->netdev, "Tx timestamp timeout\n"); +@@ -338,20 +338,20 @@ static void igc_ptp_tx_timeout(struct igc_adapter *adapter) + + void igc_ptp_tx_hang(struct igc_adapter *adapter) + { +- bool timeout = time_is_before_jiffies(adapter->ptp_tx_start + +- IGC_PTP_TX_TIMEOUT); ++ unsigned long flags; + +- if (!test_bit(__IGC_PTP_TX_IN_PROGRESS, &adapter->state)) +- return; ++ spin_lock_irqsave(&adapter->ptp_tx_lock, flags); + +- /* If we haven't received a timestamp within the timeout, it is +- * reasonable to assume that it will never occur, so we can unlock the +- * timestamp bit when this occurs. +- */ +- if (timeout) { +- cancel_work_sync(&adapter->ptp_tx_work); +- igc_ptp_tx_timeout(adapter); +- } ++ if (!adapter->ptp_tx_skb) ++ goto unlock; ++ ++ if (time_is_after_jiffies(adapter->ptp_tx_start + IGC_PTP_TX_TIMEOUT)) ++ goto unlock; ++ ++ igc_ptp_tx_timeout(adapter); ++ ++unlock: ++ spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags); + } + + /** +@@ -361,6 +361,8 @@ void igc_ptp_tx_hang(struct igc_adapter *adapter) + * If we were asked to do hardware stamping and such a time stamp is + * available, then it must have been for this skb here because we only + * allow only one such packet into the queue. ++ * ++ * Context: Expects adapter->ptp_tx_lock to be held by caller. + */ + static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter) + { +@@ -396,13 +398,7 @@ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter) + shhwtstamps.hwtstamp = + ktime_add_ns(shhwtstamps.hwtstamp, adjust); + +- /* Clear the lock early before calling skb_tstamp_tx so that +- * applications are not woken up before the lock bit is clear. We use +- * a copy of the skb pointer to ensure other threads can't change it +- * while we're notifying the stack. 
+- */ + adapter->ptp_tx_skb = NULL; +- clear_bit_unlock(__IGC_PTP_TX_IN_PROGRESS, &adapter->state); + + /* Notify the stack and free the skb after we've unlocked */ + skb_tstamp_tx(skb, &shhwtstamps); +@@ -413,24 +409,33 @@ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter) + * igc_ptp_tx_work + * @work: pointer to work struct + * +- * This work function polls the TSYNCTXCTL valid bit to determine when a +- * timestamp has been taken for the current stored skb. ++ * This work function checks the TSYNCTXCTL valid bit to determine when ++ * a timestamp has been taken for the current stored skb. + */ + static void igc_ptp_tx_work(struct work_struct *work) + { + struct igc_adapter *adapter = container_of(work, struct igc_adapter, + ptp_tx_work); + struct igc_hw *hw = &adapter->hw; ++ unsigned long flags; + u32 tsynctxctl; + +- if (!test_bit(__IGC_PTP_TX_IN_PROGRESS, &adapter->state)) +- return; ++ spin_lock_irqsave(&adapter->ptp_tx_lock, flags); ++ ++ if (!adapter->ptp_tx_skb) ++ goto unlock; + + tsynctxctl = rd32(IGC_TSYNCTXCTL); +- if (WARN_ON_ONCE(!(tsynctxctl & IGC_TSYNCTXCTL_TXTT_0))) +- return; ++ tsynctxctl &= IGC_TSYNCTXCTL_TXTT_0; ++ if (!tsynctxctl) { ++ WARN_ONCE(1, "Received a TSTAMP interrupt but no TSTAMP is ready.\n"); ++ goto unlock; ++ } + + igc_ptp_tx_hwtstamp(adapter); ++ ++unlock: ++ spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags); + } + + /** +@@ -506,6 +511,7 @@ void igc_ptp_init(struct igc_adapter *adapter) + return; + } + ++ spin_lock_init(&adapter->ptp_tx_lock); + spin_lock_init(&adapter->tmreg_lock); + INIT_WORK(&adapter->ptp_tx_work, igc_ptp_tx_work); + +@@ -559,7 +565,6 @@ void igc_ptp_suspend(struct igc_adapter *adapter) + cancel_work_sync(&adapter->ptp_tx_work); + dev_kfree_skb_any(adapter->ptp_tx_skb); + adapter->ptp_tx_skb = NULL; +- clear_bit_unlock(__IGC_PTP_TX_IN_PROGRESS, &adapter->state); + + if (pci_device_is_present(adapter->pdev)) + igc_ptp_time_save(adapter); +-- +2.39.2 + 
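Review bot: igc_ptp_suspend() still frees and clears `adapter->ptp_tx_skb` without taking the new `ptp_tx_lock`; the last igc_ptp.c hunk only drops the `clear_bit_unlock()` call there. The commit message lists igc_ptp_suspend() among the places that touch ptp_tx_skb, and the comment added in igc.h says the field is protected by the lock, so a transmit storing a new skb while suspend runs could presumably have it lost or freed underneath it. I would keep `cancel_work_sync()` outside the lock, since it can sleep, and wrap the free and the NULL store in `spin_lock_irqsave(&adapter->ptp_tx_lock, flags);` and `spin_unlock_irqrestore(&adapter->ptp_tx_lock, flags);`. Separately, the retained comment `/* Notify the stack and free the skb after we've unlocked */` in igc_ptp_tx_hwtstamp() no longer matches the code, because that function is now documented as running with the lock held. Both functions extend beyond their hunks.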
diff --git a/tmp-5.10/igc-remove-delay-during-tx-ring-configuration.patch b/tmp-5.10/igc-remove-delay-during-tx-ring-configuration.patch
new file mode 100644
index 00000000000..a0e9e75312a
--- /dev/null
+++ b/tmp-5.10/igc-remove-delay-during-tx-ring-configuration.patch
@@ -0,0 +1,46 @@
+From 2db76a308aa7625f060b0945befbf2f97128673c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 May 2023 08:18:12 +0800
+Subject: igc: Remove delay during TX ring configuration
+
+From: Muhammad Husaini Zulkifli
+
+[ Upstream commit cca28ceac7c7857bc2d313777017585aef00bcc4 ]
+
+Remove unnecessary delay during the TX ring configuration.
+This will cause delay, especially during link down and
+link up activity.
+
+Furthermore, old SKUs like as I225 will call the reset_adapter
+to reset the controller during TSN mode Gate Control List (GCL)
+setting. This will add more time to the configuration of the
+real-time use case.
+
+It doesn't mentioned about this delay in the Software User Manual.
+It might have been ported from legacy code I210 in the past.
+
+Fixes: 13b5b7fd6a4a ("igc: Add support for Tx/Rx rings")
+Signed-off-by: Muhammad Husaini Zulkifli
+Acked-by: Sasha Neftin
+Tested-by: Naama Meir
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index a15e4b6d7fa40..2b51ee87a2def 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -600,7 +600,6 @@ static void igc_configure_tx_ring(struct igc_adapter *adapter,
+ /* disable the queue */
+ wr32(IGC_TXDCTL(reg_idx), 0);
+ wrfl();
+- mdelay(10);
+
+ wr32(IGC_TDLEN(reg_idx),
+ ring->count * sizeof(union igc_adv_tx_desc));
+--
+2.39.2
+
diff --git a/tmp-5.10/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch b/tmp-5.10/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch
new file mode 100644
index 00000000000..96864b40f9e
--- /dev/null
+++ b/tmp-5.10/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch
@@ -0,0 +1,39 @@
+From b8e41a5723d033d84e74fa79a056bb31a3ed303b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Jun 2023 11:09:01 -0700
+Subject: igc: set TP bit in 'supported' and 'advertising' fields of
+ ethtool_link_ksettings
+
+From: Prasad Koya
+
+[ Upstream commit 9ac3fc2f42e5ffa1e927dcbffb71b15fa81459e2 ]
+
+set TP bit in the 'supported' and 'advertising' fields. i225/226 parts
+only support twisted pair copper.
+
+Fixes: 8c5ad0dae93c ("igc: Add ethtool support")
+Signed-off-by: Prasad Koya
+Acked-by: Sasha Neftin
+Tested-by: Naama Meir
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+index da259cd59adda..d28ac3a025ab1 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c
++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+@@ -1673,6 +1673,8 @@ static int igc_ethtool_get_link_ksettings(struct net_device *netdev,
+ /* twisted pair */
+ cmd->base.port = PORT_TP;
+ cmd->base.phy_address = hw->phy.addr;
++ ethtool_link_ksettings_add_link_mode(cmd, supported, TP);
++ ethtool_link_ksettings_add_link_mode(cmd, advertising, TP);
+
+ /* advertising link modes */
+ if (hw->phy.autoneg_advertised & ADVERTISE_10_HALF)
+--
+2.39.2
+
diff --git a/tmp-5.10/ima-fix-build-warnings.patch b/tmp-5.10/ima-fix-build-warnings.patch
new file mode 100644
index 00000000000..bb5f2e5f3b5
--- /dev/null
+++ b/tmp-5.10/ima-fix-build-warnings.patch
@@ -0,0 +1,61 @@ +From 902948244674474fb1ecb33d17916f973ac5922a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jun 2023 09:41:13 +0200 +Subject: ima: Fix build warnings + +From: Roberto Sassu + +[ Upstream commit 95526d13038c2bbddd567a4d8e39fac42484e182 ] + +Fix build warnings (function parameters description) for +ima_collect_modsig(), ima_match_policy() and ima_parse_add_rule(). + +Fixes: 15588227e086 ("ima: Collect modsig") # v5.4+ +Fixes: 2fe5d6def167 ("ima: integrity appraisal extension") # v5.14+ +Fixes: 4af4662fa4a9 ("integrity: IMA policy") # v3.2+ +Signed-off-by: Roberto Sassu +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_modsig.c | 3 +++ + security/integrity/ima/ima_policy.c | 3 ++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c +index fb25723c65bc4..3e7bee30080f2 100644 +--- a/security/integrity/ima/ima_modsig.c ++++ b/security/integrity/ima/ima_modsig.c +@@ -89,6 +89,9 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, + + /** + * ima_collect_modsig - Calculate the file hash without the appended signature. ++ * @modsig: parsed module signature ++ * @buf: data to verify the signature on ++ * @size: data size + * + * Since the modsig is part of the file contents, the hash used in its signature + * isn't the same one ordinarily calculated by IMA. Therefore PKCS7 code +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c +index 96ecb7d254037..1c403e8a8044c 100644 +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -628,6 +628,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) + * @secid: LSM secid of the task to be validated + * @func: IMA hook identifier + * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) ++ * @flags: IMA actions to consider (e.g. 
IMA_MEASURE | IMA_APPRAISE) + * @pcr: set the pcr to extend + * @template_desc: the template that should be used for this rule + * @keyring: the keyring name, if given, to be used to check in the policy. +@@ -1515,7 +1516,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) + + /** + * ima_parse_add_rule - add a rule to ima_policy_rules +- * @rule - ima measurement policy rule ++ * @rule: ima measurement policy rule + * + * Avoid locking by allowing just one writer at a time in ima_write_policy() + * Returns the length of the rule parsed, an error code on failure +-- +2.39.2 + diff --git a/tmp-5.10/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch b/tmp-5.10/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch new file mode 100644 index 00000000000..bdf21b5c7f4 --- /dev/null +++ b/tmp-5.10/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch 
@@ -0,0 +1,39 @@
+From 19d4b60d5c5bda29e11d0b30ba63f9e2d4e02760 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 May 2023 17:27:55 -0700
+Subject: Input: adxl34x - do not hardcode interrupt trigger type
+
+From: Marek Vasut
+
+[ Upstream commit e96220bce5176ed2309f77f061dcc0430b82b25e ]
+
+Instead of hardcoding IRQ trigger type to IRQF_TRIGGER_HIGH, let's
+respect the settings specified in the firmware description.
+
+Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers")
+Signed-off-by: Marek Vasut
+Acked-by: Michael Hennerich
+Link: https://lore.kernel.org/r/20230509203555.549158-1-marex@denx.de
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/misc/adxl34x.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/input/misc/adxl34x.c b/drivers/input/misc/adxl34x.c
+index 4cc4e8ff42b33..ad035c342cd3b 100644
+--- a/drivers/input/misc/adxl34x.c
++++ b/drivers/input/misc/adxl34x.c
+@@ -811,8 +811,7 @@ struct adxl34x *adxl34x_probe(struct device *dev, int irq,
+ AC_WRITE(ac, POWER_CTL, 0);
+
+ err = request_threaded_irq(ac->irq, NULL, adxl34x_irq,
+- IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
+- dev_name(dev), ac);
++ IRQF_ONESHOT, dev_name(dev), ac);
+ if (err) {
+ dev_err(dev, "irq %d busy?\n", ac->irq);
+ goto err_free_mem;
+--
+2.39.2
+
diff --git a/tmp-5.10/input-drv260x-sleep-between-polling-go-bit.patch b/tmp-5.10/input-drv260x-sleep-between-polling-go-bit.patch
new file mode 100644
index 00000000000..515d1125fa3
--- /dev/null
+++ b/tmp-5.10/input-drv260x-sleep-between-polling-go-bit.patch
@@ -0,0 +1,39 @@
+From 58984b34d65b9013dfb335f8a1cfb0de5b425dae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 May 2023 17:01:45 -0700
+Subject: Input: drv260x - sleep between polling GO bit
+
+From: Luca Weiss
+
+[ Upstream commit efef661dfa6bf8cbafe4cd6a97433fcef0118967 ]
+
+When doing the initial startup there's no need to poll without any
+delay and spam the I2C bus.
+
+Let's sleep 15ms between each attempt, which is the same time as used
+in the vendor driver.
+
+Fixes: 7132fe4f5687 ("Input: drv260x - add TI drv260x haptics driver")
+Signed-off-by: Luca Weiss
+Link: https://lore.kernel.org/r/20230430-drv260x-improvements-v1-2-1fb28b4cc698@z3ntu.xyz
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/misc/drv260x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/misc/drv260x.c b/drivers/input/misc/drv260x.c
+index 79d7fa710a714..54002d1a446b7 100644
+--- a/drivers/input/misc/drv260x.c
++++ b/drivers/input/misc/drv260x.c
+@@ -435,6 +435,7 @@ static int drv260x_init(struct drv260x_data *haptics)
+ }
+
+ do {
++ usleep_range(15000, 15500);
+ error = regmap_read(haptics->regmap, DRV260X_GO, &cal_buf);
+ if (error) {
+ dev_err(&haptics->client->dev,
+--
+2.39.2
+
diff --git a/tmp-5.10/integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch b/tmp-5.10/integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch
new file mode 100644
index 00000000000..5c5d648e351
--- /dev/null
+++ b/tmp-5.10/integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch
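Review bot: Nothing visible in this hunk bounds how many times the GO-bit polling loop in drv260x_init() runs; the added `usleep_range(15000, 15500)` only makes each iteration cheaper. The loop condition is outside the hunk; if it only tests the GO bit, a device that never clears it would keep drv260x_init() sleeping and polling indefinitely. I would add an attempt counter next to the sleep and fail once it is exhausted, e.g. `if (++tries > MAX_GO_POLLS) return -ETIMEDOUT;`, where `tries` and `MAX_GO_POLLS` are placeholder names for a counter and a limit the author picks.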
@@ -0,0 +1,62 @@ +From 9df6a4870dc371136e90330cfbbc51464ee66993 Mon Sep 17 00:00:00 2001 +From: Tianjia Zhang +Date: Thu, 1 Jun 2023 14:42:44 +0800 +Subject: integrity: Fix possible multiple allocation in integrity_inode_get() + +From: Tianjia Zhang + +commit 9df6a4870dc371136e90330cfbbc51464ee66993 upstream. + +When integrity_inode_get() is querying and inserting the cache, there +is a conditional race in the concurrent environment. + +The race condition is the result of not properly implementing +"double-checked locking". In this case, it first checks to see if the +iint cache record exists before taking the lock, but doesn't check +again after taking the integrity_iint_lock. + +Fixes: bf2276d10ce5 ("ima: allocating iint improvements") +Signed-off-by: Tianjia Zhang +Cc: Dmitry Kasatkin +Cc: # v3.10+ +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/iint.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/security/integrity/iint.c ++++ b/security/integrity/iint.c +@@ -43,12 +43,10 @@ static struct integrity_iint_cache *__in + else if (inode > iint->inode) + n = n->rb_right; + else +- break; ++ return iint; + } +- if (!n) +- return NULL; + +- return iint; ++ return NULL; + } + + /* +@@ -121,10 +119,15 @@ struct integrity_iint_cache *integrity_i + parent = *p; + test_iint = rb_entry(parent, struct integrity_iint_cache, + rb_node); +- if (inode < test_iint->inode) ++ if (inode < test_iint->inode) { + p = &(*p)->rb_left; +- else ++ } else if (inode > test_iint->inode) { + p = &(*p)->rb_right; ++ } else { ++ write_unlock(&integrity_iint_lock); ++ kmem_cache_free(iint_cache, iint); ++ return test_iint; ++ } + } + + iint->inode = inode; diff --git a/tmp-5.10/io_uring-add-reschedule-point-to-handle_tw_list.patch b/tmp-5.10/io_uring-add-reschedule-point-to-handle_tw_list.patch new file mode 100644 index 00000000000..83cf6781b1f --- /dev/null 
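Review bot: The new `else` branch in integrity_inode_get() is the core of the fix but has no comment, and it is the only path that returns an entry other than the one just allocated. I would add above `write_unlock(&integrity_iint_lock);` something like `/* lost the race: another task inserted this inode; drop our allocation */`. The allocation site is outside the hunk, so it is also worth confirming that nothing is attached to `iint` before the lock is taken that `kmem_cache_free()` alone would not release.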
+++ b/tmp-5.10/io_uring-add-reschedule-point-to-handle_tw_list.patch @@ -0,0 +1,38 @@ +From 4e214e7e01158a87308a17766706159bca472855 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Mon, 17 Jul 2023 10:27:20 -0600 +Subject: io_uring: add reschedule point to handle_tw_list() + +From: Jens Axboe + +Commit f58680085478dd292435727210122960d38e8014 upstream. + +If CONFIG_PREEMPT_NONE is set and the task_work chains are long, we +could be running into issues blocking others for too long. Add a +reschedule check in handle_tw_list(), and flush the ctx if we need to +reschedule. + +Cc: stable@vger.kernel.org # 5.10+ +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -2214,9 +2214,12 @@ static void tctx_task_work(struct callba + } + req->io_task_work.func(req, &locked); + node = next; ++ if (unlikely(need_resched())) { ++ ctx_flush_and_put(ctx, &locked); ++ ctx = NULL; ++ cond_resched(); ++ } + } while (node); +- +- cond_resched(); + } + + ctx_flush_and_put(ctx, &locked); diff --git a/tmp-5.10/io_uring-ensure-iopoll-locks-around-deferred-work.patch b/tmp-5.10/io_uring-ensure-iopoll-locks-around-deferred-work.patch new file mode 100644 index 00000000000..bce4e368e7c --- /dev/null +++ b/tmp-5.10/io_uring-ensure-iopoll-locks-around-deferred-work.patch 
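Review bot: After the added block sets `ctx = NULL`, both the next loop iteration and the trailing `ctx_flush_and_put(ctx, &locked);` depend on code outside this hunk coping with a NULL ctx. That is presumably handled by the request-to-ctx check at the top of the loop and by a NULL test inside ctx_flush_and_put(), but neither is visible here. A comment in the new block would make the dependency explicit, e.g. `/* ctx is dropped before rescheduling; the next request re-acquires it */`. The enclosing function starts and ends outside the hunk.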
@@ -0,0 +1,82 @@ +From dc27db64bb7d431a853e5dcc5da01718b58bdd29 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Tue, 11 Jul 2023 09:35:30 -0600 +Subject: io_uring: ensure IOPOLL locks around deferred work + +From: Jens Axboe + +No direct upstream commit exists for this issue. It was fixed in +5.18 as part of a larger rework of the completion side. + +io_commit_cqring() writes the CQ ring tail to make it visible, but it +also kicks off any deferred work we have. A ring setup with IOPOLL +does not need any locking around the CQ ring updates, as we're always +under the ctx uring_lock. But if we have deferred work that needs +processing, then io_queue_deferred() assumes that the completion_lock +is held, as it is for !IOPOLL. + +Add a lockdep assertion to check and document this fact, and have +io_iopoll_complete() check if we have deferred work and run that +separately with the appropriate lock grabbed. + +Cc: stable@vger.kernel.org # 5.10, 5.15 +Reported-by: dghost david +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 25 +++++++++++++++++++++---- + 1 file changed, 21 insertions(+), 4 deletions(-) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -1521,6 +1521,8 @@ static void io_kill_timeout(struct io_ki + + static void io_queue_deferred(struct io_ring_ctx *ctx) + { ++ lockdep_assert_held(&ctx->completion_lock); ++ + while (!list_empty(&ctx->defer_list)) { + struct io_defer_entry *de = list_first_entry(&ctx->defer_list, + struct io_defer_entry, list); +@@ -1572,14 +1574,24 @@ static void __io_commit_cqring_flush(str + io_queue_deferred(ctx); + } + +-static inline void io_commit_cqring(struct io_ring_ctx *ctx) ++static inline bool io_commit_needs_flush(struct io_ring_ctx *ctx) ++{ ++ return ctx->off_timeout_used || ctx->drain_active; ++} ++ ++static inline void __io_commit_cqring(struct io_ring_ctx *ctx) + { +- if (unlikely(ctx->off_timeout_used || ctx->drain_active)) +- __io_commit_cqring_flush(ctx); + /* order 
cqe stores with ring update */ + smp_store_release(&ctx->rings->cq.tail, ctx->cached_cq_tail); + } + ++static inline void io_commit_cqring(struct io_ring_ctx *ctx) ++{ ++ if (unlikely(io_commit_needs_flush(ctx))) ++ __io_commit_cqring_flush(ctx); ++ __io_commit_cqring(ctx); ++} ++ + static inline bool io_sqring_full(struct io_ring_ctx *ctx) + { + struct io_rings *r = ctx->rings; +@@ -2518,7 +2530,12 @@ static void io_iopoll_complete(struct io + io_req_free_batch(&rb, req, &ctx->submit_state); + } + +- io_commit_cqring(ctx); ++ if (io_commit_needs_flush(ctx)) { ++ spin_lock(&ctx->completion_lock); ++ __io_commit_cqring_flush(ctx); ++ spin_unlock(&ctx->completion_lock); ++ } ++ __io_commit_cqring(ctx); + io_cqring_ev_posted_iopoll(ctx); + io_req_free_batch_finish(ctx, &rb); + } diff --git a/tmp-5.10/io_uring-use-io_schedule-in-cqring-wait.patch b/tmp-5.10/io_uring-use-io_schedule-in-cqring-wait.patch new file mode 100644 index 00000000000..2330ab23fa2 --- /dev/null +++ b/tmp-5.10/io_uring-use-io_schedule-in-cqring-wait.patch 
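Review bot: Nothing at the definition of `__io_commit_cqring()` tells a caller that running deferred work is now their responsibility; the helper only publishes the CQ tail. A later caller that uses the double-underscore helper directly would silently skip the timeout and drain handling that `io_commit_cqring()` performs. I would add a short comment above it, e.g. `/* Only publishes cq.tail; callers must check io_commit_needs_flush() themselves */`. In io_iopoll_complete() the `io_commit_needs_flush()` test runs before `completion_lock` is taken, which looks fine if those flags only change under uring_lock, but that is not visible in this hunk.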
@@ -0,0 +1,78 @@ +From c8c88d523c89e0ac8affbf2fd57def82e0d5d4bf Mon Sep 17 00:00:00 2001 +From: Andres Freund +Date: Sun, 16 Jul 2023 12:07:03 -0600 +Subject: io_uring: Use io_schedule* in cqring wait + +From: Andres Freund + +Commit 8a796565cec3601071cbbd27d6304e202019d014 upstream. + +I observed poor performance of io_uring compared to synchronous IO. That +turns out to be caused by deeper CPU idle states entered with io_uring, +due to io_uring using plain schedule(), whereas synchronous IO uses +io_schedule(). + +The losses due to this are substantial. On my cascade lake workstation, +t/io_uring from the fio repository e.g. yields regressions between 20% +and 40% with the following command: +./t/io_uring -r 5 -X0 -d 1 -s 1 -c 1 -p 0 -S$use_sync -R 0 /mnt/t2/fio/write.0.0 + +This is repeatable with different filesystems, using raw block devices +and using different block devices. + +Use io_schedule_prepare() / io_schedule_finish() in +io_cqring_wait_schedule() to address the difference. + +After that using io_uring is on par or surpassing synchronous IO (using +registered files etc makes it reliably win, but arguably is a less fair +comparison). + +There are other calls to schedule() in io_uring/, but none immediately +jump out to be similarly situated, so I did not touch them. Similarly, +it's possible that mutex_lock_io() should be used, but it's not clear if +there are cases where that matters. 
+ +Cc: stable@vger.kernel.org # 5.10+ +Cc: Pavel Begunkov +Cc: io-uring@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Andres Freund +Link: https://lore.kernel.org/r/20230707162007.194068-1-andres@anarazel.de +[axboe: minor style fixup] +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -7625,7 +7625,7 @@ static inline int io_cqring_wait_schedul + struct io_wait_queue *iowq, + ktime_t *timeout) + { +- int ret; ++ int token, ret; + + /* make sure we run task_work before checking for signals */ + ret = io_run_task_work_sig(); +@@ -7635,9 +7635,17 @@ static inline int io_cqring_wait_schedul + if (test_bit(0, &ctx->check_cq_overflow)) + return 1; + ++ /* ++ * Use io_schedule_prepare/finish, so cpufreq can take into account ++ * that the task is waiting for IO - turns out to be important for low ++ * QD IO. ++ */ ++ token = io_schedule_prepare(); ++ ret = 1; + if (!schedule_hrtimeout(timeout, HRTIMER_MODE_ABS)) +- return -ETIME; +- return 1; ++ ret = -ETIME; ++ io_schedule_finish(token); ++ return ret; + } + + /* diff --git a/tmp-5.10/io_uring-wait-interruptibly-for-request-completions-on-exit.patch b/tmp-5.10/io_uring-wait-interruptibly-for-request-completions-on-exit.patch new file mode 100644 index 00000000000..e1dd6cdf139 --- /dev/null +++ b/tmp-5.10/io_uring-wait-interruptibly-for-request-completions-on-exit.patch 
@@ -0,0 +1,73 @@ +From 4826c59453b3b4677d6bf72814e7ababdea86949 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Sun, 11 Jun 2023 21:14:09 -0600 +Subject: io_uring: wait interruptibly for request completions on exit + +From: Jens Axboe + +commit 4826c59453b3b4677d6bf72814e7ababdea86949 upstream. + +WHen the ring exits, cleanup is done and the final cancelation and +waiting on completions is done by io_ring_exit_work. That function is +invoked by kworker, which doesn't take any signals. Because of that, it +doesn't really matter if we wait for completions in TASK_INTERRUPTIBLE +or TASK_UNINTERRUPTIBLE state. However, it does matter to the hung task +detection checker! + +Normally we expect cancelations and completions to happen rather +quickly. Some test cases, however, will exit the ring and park the +owning task stopped (eg via SIGSTOP). If the owning task needs to run +task_work to complete requests, then io_ring_exit_work won't make any +progress until the task is runnable again. Hence io_ring_exit_work can +trigger the hung task detection, which is particularly problematic if +panic-on-hung-task is enabled. + +As the ring exit doesn't take signals to begin with, have it wait +interruptibly rather than uninterruptibly. io_uring has a separate +stuck-exit warning that triggers independently anyway, so we're not +really missing anything by making this switch. 
+ +Cc: stable@vger.kernel.org # 5.10+ +Link: https://lore.kernel.org/r/b0e4aaef-7088-56ce-244c-976edeac0e66@kernel.dk +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -9543,7 +9543,18 @@ static void io_ring_exit_work(struct wor + /* there is little hope left, don't run it too often */ + interval = HZ * 60; + } +- } while (!wait_for_completion_timeout(&ctx->ref_comp, interval)); ++ /* ++ * This is really an uninterruptible wait, as it has to be ++ * complete. But it's also run from a kworker, which doesn't ++ * take signals, so it's fine to make it interruptible. This ++ * avoids scenarios where we knowingly can wait much longer ++ * on completions, for example if someone does a SIGSTOP on ++ * a task that needs to finish task_work to make this loop ++ * complete. That's a synthetic situation that should not ++ * cause a stuck task backtrace, and hence a potential panic ++ * on stuck tasks if that is enabled. ++ */ ++ } while (!wait_for_completion_interruptible_timeout(&ctx->ref_comp, interval)); + + init_completion(&exit.completion); + init_task_work(&exit.task_work, io_tctx_exit_cb); +@@ -9568,7 +9579,12 @@ static void io_ring_exit_work(struct wor + wake_up_process(node->task); + + mutex_unlock(&ctx->uring_lock); +- wait_for_completion(&exit.completion); ++ /* ++ * See comment above for ++ * wait_for_completion_interruptible_timeout() on why this ++ * wait is marked as interruptible. ++ */ ++ wait_for_completion_interruptible(&exit.completion); + mutex_lock(&ctx->uring_lock); + } + mutex_unlock(&ctx->uring_lock); diff --git a/tmp-5.10/ionic-remove-warn_on-to-prevent-panic_on_warn.patch b/tmp-5.10/ionic-remove-warn_on-to-prevent-panic_on_warn.patch new file mode 100644 index 00000000000..7ec6e836161 --- /dev/null +++ b/tmp-5.10/ionic-remove-warn_on-to-prevent-panic_on_warn.patch 
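Review bot: The return value of `wait_for_completion_interruptible(&exit.completion)` is discarded in the second hunk, so correctness rests entirely on the claim that the kworker never has a signal pending. `exit` looks like a local of io_ring_exit_work(), given the `init_completion(&exit.completion)` shown as context in the first hunk. If the wait ever returned early, the queued task_work would presumably still reference it after the loop moves on. The added comments explain the hung-task motivation but not this invariant; I would extend the second one with `/* must not return early: exit.task_work still references this stack object */`. The function body continues outside both hunks.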
@@ -0,0 +1,42 @@
+From d882c5c49b84da8cf2d6039045449ef7fb0316bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 6 Jul 2023 11:20:06 -0700
+Subject: ionic: remove WARN_ON to prevent panic_on_warn
+
+From: Nitya Sunkad
+
+[ Upstream commit abfb2a58a5377ebab717d4362d6180f901b6e5c1 ]
+
+Remove unnecessary early code development check and the WARN_ON
+that it uses. The irq alloc and free paths have long been
+cleaned up and this check shouldn't have stuck around so long.
+
+Fixes: 77ceb68e29cc ("ionic: Add notifyq support")
+Signed-off-by: Nitya Sunkad
+Signed-off-by: Shannon Nelson
+Reviewed-by: Jacob Keller
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/pensando/ionic/ionic_lif.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+index fcd4213c99b83..098772601df8c 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+@@ -433,11 +433,6 @@ static void ionic_qcqs_free(struct ionic_lif *lif)
+ static void ionic_link_qcq_interrupts(struct ionic_qcq *src_qcq,
+ struct ionic_qcq *n_qcq)
+ {
+- if (WARN_ON(n_qcq->flags & IONIC_QCQ_F_INTR)) {
+- ionic_intr_free(n_qcq->cq.lif->ionic, n_qcq->intr.index);
+- n_qcq->flags &= ~IONIC_QCQ_F_INTR;
+- }
+-
+ n_qcq->intr.vector = src_qcq->intr.vector;
+ n_qcq->intr.index = src_qcq->intr.index;
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch b/tmp-5.10/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch
new file mode 100644
index 00000000000..4dd464c4d2a
--- /dev/null
+++ b/tmp-5.10/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch
@@ -0,0 +1,53 @@
+From 07fc730e8fffd463605d4bd1de5a3366e57fae89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 8 Jul 2023 14:59:10 +0800
+Subject: ipv6/addrconf: fix a potential refcount underflow for idev
+
+From: Ziyang Xuan
+
+[ Upstream commit 06a0716949c22e2aefb648526580671197151acc ]
+
+Now in addrconf_mod_rs_timer(), reference idev depends on whether
+rs_timer is not pending. Then modify rs_timer timeout.
+
+There is a time gap in [1], during which if the pending rs_timer
+becomes not pending. It will miss to hold idev, but the rs_timer
+is activated. Thus rs_timer callback function addrconf_rs_timer()
+will be executed and put idev later without holding idev. A refcount
+underflow issue for idev can be caused by this.
+
+ if (!timer_pending(&idev->rs_timer))
+ in6_dev_hold(idev);
+ <--------------[1]
+ mod_timer(&idev->rs_timer, jiffies + when);
+
+To fix the issue, hold idev if mod_timer() return 0.
+
+Fixes: b7b1bfce0bb6 ("ipv6: split duplicate address detection and router solicitation timer")
+Suggested-by: Eric Dumazet
+Signed-off-by: Ziyang Xuan
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/addrconf.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index ed1e5bfc97b31..d5d10496b4aef 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -314,9 +314,8 @@ static void addrconf_del_dad_work(struct inet6_ifaddr *ifp)
+ static void addrconf_mod_rs_timer(struct inet6_dev *idev,
+ unsigned long when)
+ {
+- if (!timer_pending(&idev->rs_timer))
++ if (!mod_timer(&idev->rs_timer, jiffies + when))
+ in6_dev_hold(idev);
+- mod_timer(&idev->rs_timer, jiffies + when);
+ }
+
+ static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp,
+--
+2.39.2
+
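Review bot: The new `if (!mod_timer(&idev->rs_timer, jiffies + when))` test in addrconf_mod_rs_timer() depends on mod_timer()'s return value without saying so, which makes the reference pairing easy to break in a later edit. A short comment above the test would keep the contract from the commit message next to the code, for example `/* mod_timer() returns 0 if the timer was not pending: take the idev ref that addrconf_rs_timer() drops */`. Because the hold now happens after the timer is armed, it is also worth confirming that every caller already holds its own reference on idev; the callers are outside this hunk.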
diff --git a/tmp-5.10/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch b/tmp-5.10/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch
new file mode 100644
index 00000000000..1b779eed190
--- /dev/null
+++ b/tmp-5.10/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch
@@ -0,0 +1,66 @@ +From c50c6223c860ea3db19e35ba7a1898ee59debb07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 17:33:47 +0800 +Subject: ipvlan: Fix return value of ipvlan_queue_xmit() + +From: Cambda Zhu + +[ Upstream commit 8a9922e7be6d042fa00f894c376473b17a162b66 ] + +ipvlan_queue_xmit() should return NET_XMIT_XXX, but +ipvlan_xmit_mode_l2/l3() returns rx_handler_result_t or NET_RX_XXX +in some cases. ipvlan_rcv_frame() will only return RX_HANDLER_CONSUMED +in ipvlan_xmit_mode_l2/l3() because 'local' is true. It's equal to +NET_XMIT_SUCCESS. But dev_forward_skb() can return NET_RX_SUCCESS or +NET_RX_DROP, and returning NET_RX_DROP(NET_XMIT_DROP) will increase +both ipvlan and ipvlan->phy_dev drops counter. + +The skb to forward can be treated as xmitted successfully. This patch +makes ipvlan_queue_xmit() return NET_XMIT_SUCCESS for forward skb. + +Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") +Signed-off-by: Cambda Zhu +Link: https://lore.kernel.org/r/20230626093347.7492-1-cambda@linux.alibaba.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan_core.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index 0a5b5ff597c6f..ab09d110760ec 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -586,7 +586,8 @@ static int ipvlan_xmit_mode_l3(struct sk_buff *skb, struct net_device *dev) + consume_skb(skb); + return NET_XMIT_DROP; + } +- return ipvlan_rcv_frame(addr, &skb, true); ++ ipvlan_rcv_frame(addr, &skb, true); ++ return NET_XMIT_SUCCESS; + } + } + out: +@@ -612,7 +613,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) + consume_skb(skb); + return NET_XMIT_DROP; + } +- return ipvlan_rcv_frame(addr, &skb, true); ++ ipvlan_rcv_frame(addr, &skb, true); ++ return NET_XMIT_SUCCESS; + } + } + skb = skb_share_check(skb, 
GFP_ATOMIC); +@@ -624,7 +626,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) + * the skb for the main-dev. At the RX side we just return + * RX_PASS for it to be processed further on the stack. + */ +- return dev_forward_skb(ipvlan->phy_dev, skb); ++ dev_forward_skb(ipvlan->phy_dev, skb); ++ return NET_XMIT_SUCCESS; + + } else if (is_multicast_ether_addr(eth->h_dest)) { + skb_reset_mac_header(skb); +-- +2.39.2 + diff --git a/tmp-5.10/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch b/tmp-5.10/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch new file mode 100644 index 00000000000..211b0c8c47f --- /dev/null +++ b/tmp-5.10/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch 
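Review bot: The return values of ipvlan_rcv_frame() and dev_forward_skb() are now discarded at all three changed sites in ipvlan_xmit_mode_l3() and ipvlan_xmit_mode_l2(), and nothing in the code says this is deliberate. A one-line comment at the dev_forward_skb() call would stop a later cleanup from restoring the return, for example `/* RX-side result is not a NET_XMIT_* code; a drop here is accounted on phy_dev only */`. The wording should be checked against the commit message's statement that returning the drop code bumped both the ipvlan and phy_dev counters. Both functions start and end outside these hunks.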
@@ -0,0 +1,53 @@
+From 258d14bec79a9e559ecef460edeb5f3999b9e30e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 May 2023 18:33:42 +0200
+Subject: irqchip/jcore-aic: Fix missing allocation of IRQ descriptors
+
+From: John Paul Adrian Glaubitz
+
+[ Upstream commit 4848229494a323eeaab62eee5574ef9f7de80374 ]
+
+The initialization function for the J-Core AIC aic_irq_of_init() is
+currently missing the call to irq_alloc_descs() which allocates and
+initializes all the IRQ descriptors. Add missing function call and
+return the error code from irq_alloc_descs() in case the allocation
+fails.
+
+Fixes: 981b58f66cfc ("irqchip/jcore-aic: Add J-Core AIC driver")
+Signed-off-by: John Paul Adrian Glaubitz
+Tested-by: Rob Landley
+Signed-off-by: Marc Zyngier
+Link: https://lore.kernel.org/r/20230510163343.43090-1-glaubitz@physik.fu-berlin.de
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/irq-jcore-aic.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c
+index 5f47d8ee4ae39..b9dcc8e78c750 100644
+--- a/drivers/irqchip/irq-jcore-aic.c
++++ b/drivers/irqchip/irq-jcore-aic.c
+@@ -68,6 +68,7 @@ static int __init aic_irq_of_init(struct device_node *node,
+ unsigned min_irq = JCORE_AIC2_MIN_HWIRQ;
+ unsigned dom_sz = JCORE_AIC_MAX_HWIRQ+1;
+ struct irq_domain *domain;
++ int ret;
+
+ pr_info("Initializing J-Core AIC\n");
+
+@@ -100,6 +101,12 @@ static int __init aic_irq_of_init(struct device_node *node,
+ jcore_aic.irq_unmask = noop;
+ jcore_aic.name = "AIC";
+
++ ret = irq_alloc_descs(-1, min_irq, dom_sz - min_irq,
++ of_node_to_nid(node));
++
++ if (ret < 0)
++ return ret;
++
+ domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq,
+ &jcore_aic_irqdomain_ops,
+ &jcore_aic);
+--
+2.39.2
+
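Review bot: The descriptor base returned by irq_alloc_descs() in the second hunk is only tested for an error and then dropped, while the irq_domain_add_legacy() call that follows assumes the range starts exactly at min_irq. With -1 as the first argument the allocator may pick any free range at or above min_irq, so a check such as `if (ret != min_irq)` (or requesting min_irq explicitly) would make that assumption explicit. The descriptors also appear to stay allocated if irq_domain_add_legacy() fails, since the `if (!domain) return -ENOMEM;` path below this hunk has no matching irq_free_descs().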
diff --git a/tmp-5.10/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch b/tmp-5.10/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch new file mode 100644 index 00000000000..bfd767d8e6c --- /dev/null +++ b/tmp-5.10/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch @@ -0,0 +1,41 @@ +From efa0e7b662390f48bb0e5debb82d7fef482bb4ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 10:35:51 +0100 +Subject: irqchip/jcore-aic: Kill use of irq_create_strict_mappings() + +From: Marc Zyngier + +[ Upstream commit 5f8b938bd790cff6542c7fe3c1495c71f89fef1b ] + +irq_create_strict_mappings() is a poor way to allow the use of +a linear IRQ domain as a legacy one. Let's be upfront about it. + +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20210406093557.1073423-4-maz@kernel.org +Stable-dep-of: 4848229494a3 ("irqchip/jcore-aic: Fix missing allocation of IRQ descriptors") +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-jcore-aic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c +index 033bccb41455c..5f47d8ee4ae39 100644 +--- a/drivers/irqchip/irq-jcore-aic.c ++++ b/drivers/irqchip/irq-jcore-aic.c +@@ -100,11 +100,11 @@ static int __init aic_irq_of_init(struct device_node *node, + jcore_aic.irq_unmask = noop; + jcore_aic.name = "AIC"; + +- domain = irq_domain_add_linear(node, dom_sz, &jcore_aic_irqdomain_ops, ++ domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq, ++ &jcore_aic_irqdomain_ops, + &jcore_aic); + if (!domain) + return -ENOMEM; +- irq_create_strict_mappings(domain, min_irq, min_irq, dom_sz - min_irq); + + return 0; + } +-- +2.39.2 + diff --git a/tmp-5.10/jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch b/tmp-5.10/jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch new file mode 100644 index 00000000000..7ffa2036cfa --- /dev/null 
+++ b/tmp-5.10/jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch 
@@ -0,0 +1,128 @@ +From 1168f095417643f663caa341211e117db552989f Mon Sep 17 00:00:00 2001 +From: Fabian Frederick +Date: Sat, 6 May 2023 06:56:12 +0200 +Subject: jffs2: reduce stack usage in jffs2_build_xattr_subsystem() + +From: Fabian Frederick + +commit 1168f095417643f663caa341211e117db552989f upstream. + +Use kcalloc() for allocation/flush of 128 pointers table to +reduce stack usage. + +Function now returns -ENOMEM or 0 on success. + +stackusage +Before: +./fs/jffs2/xattr.c:775 jffs2_build_xattr_subsystem 1208 +dynamic,bounded + +After: +./fs/jffs2/xattr.c:775 jffs2_build_xattr_subsystem 192 +dynamic,bounded + +Also update definition when CONFIG_JFFS2_FS_XATTR is not enabled + +Tested with an MTD mount point and some user set/getfattr. + +Many current target on OpenWRT also suffer from a compilation warning +(that become an error with CONFIG_WERROR) with the following output: + +fs/jffs2/xattr.c: In function 'jffs2_build_xattr_subsystem': +fs/jffs2/xattr.c:887:1: error: the frame size of 1088 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] + 887 | } + | ^ + +Using dynamic allocation fix this compilation warning. 
+ +Fixes: c9f700f840bd ("[JFFS2][XATTR] using 'delete marker' for xdatum/xref deletion") +Reported-by: Tim Gardner +Reported-by: kernel test robot +Reported-by: Ron Economos +Reported-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Fabian Frederick +Signed-off-by: Christian Marangi +Cc: stable@vger.kernel.org +Message-Id: <20230506045612.16616-1-ansuelsmth@gmail.com> +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/jffs2/build.c | 5 ++++- + fs/jffs2/xattr.c | 13 +++++++++---- + fs/jffs2/xattr.h | 4 ++-- + 3 files changed, 15 insertions(+), 7 deletions(-) + +--- a/fs/jffs2/build.c ++++ b/fs/jffs2/build.c +@@ -211,7 +211,10 @@ static int jffs2_build_filesystem(struct + ic->scan_dents = NULL; + cond_resched(); + } +- jffs2_build_xattr_subsystem(c); ++ ret = jffs2_build_xattr_subsystem(c); ++ if (ret) ++ goto exit; ++ + c->flags &= ~JFFS2_SB_FLAG_BUILDING; + + dbg_fsbuild("FS build complete\n"); +--- a/fs/jffs2/xattr.c ++++ b/fs/jffs2/xattr.c +@@ -772,10 +772,10 @@ void jffs2_clear_xattr_subsystem(struct + } + + #define XREF_TMPHASH_SIZE (128) +-void jffs2_build_xattr_subsystem(struct jffs2_sb_info *c) ++int jffs2_build_xattr_subsystem(struct jffs2_sb_info *c) + { + struct jffs2_xattr_ref *ref, *_ref; +- struct jffs2_xattr_ref *xref_tmphash[XREF_TMPHASH_SIZE]; ++ struct jffs2_xattr_ref **xref_tmphash; + struct jffs2_xattr_datum *xd, *_xd; + struct jffs2_inode_cache *ic; + struct jffs2_raw_node_ref *raw; +@@ -784,9 +784,12 @@ void jffs2_build_xattr_subsystem(struct + + BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING)); + ++ xref_tmphash = kcalloc(XREF_TMPHASH_SIZE, ++ sizeof(struct jffs2_xattr_ref *), GFP_KERNEL); ++ if (!xref_tmphash) ++ return -ENOMEM; ++ + /* Phase.1 : Merge same xref */ +- for (i=0; i < XREF_TMPHASH_SIZE; i++) +- xref_tmphash[i] = NULL; + for (ref=c->xref_temp; ref; ref=_ref) { + struct jffs2_xattr_ref *tmp; + +@@ -884,6 +887,8 @@ void jffs2_build_xattr_subsystem(struct + "%u of xref (%u dead, %u orphan) 
found.\n", + xdatum_count, xdatum_unchecked_count, xdatum_orphan_count, + xref_count, xref_dead_count, xref_orphan_count); ++ kfree(xref_tmphash); ++ return 0; + } + + struct jffs2_xattr_datum *jffs2_setup_xattr_datum(struct jffs2_sb_info *c, +--- a/fs/jffs2/xattr.h ++++ b/fs/jffs2/xattr.h +@@ -71,7 +71,7 @@ static inline int is_xattr_ref_dead(stru + #ifdef CONFIG_JFFS2_FS_XATTR + + extern void jffs2_init_xattr_subsystem(struct jffs2_sb_info *c); +-extern void jffs2_build_xattr_subsystem(struct jffs2_sb_info *c); ++extern int jffs2_build_xattr_subsystem(struct jffs2_sb_info *c); + extern void jffs2_clear_xattr_subsystem(struct jffs2_sb_info *c); + + extern struct jffs2_xattr_datum *jffs2_setup_xattr_datum(struct jffs2_sb_info *c, +@@ -103,7 +103,7 @@ extern ssize_t jffs2_listxattr(struct de + #else + + #define jffs2_init_xattr_subsystem(c) +-#define jffs2_build_xattr_subsystem(c) ++#define jffs2_build_xattr_subsystem(c) (0) + #define jffs2_clear_xattr_subsystem(c) + + #define jffs2_xattr_do_crccheck_inode(c, ic) diff --git a/tmp-5.10/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch b/tmp-5.10/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch new file mode 100644 index 00000000000..00fec96e551 --- /dev/null +++ b/tmp-5.10/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch 
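Review bot: The new kcalloc() in jffs2_build_xattr_subsystem() spells out the element type, `sizeof(struct jffs2_xattr_ref *)`, instead of tying the size to the variable. `kcalloc(XREF_TMPHASH_SIZE, sizeof(*xref_tmphash), GFP_KERNEL)` is the usual kernel form and stays correct if the table's element type changes. The body between the allocation and the final kfree() is outside these hunks, so it is worth confirming that no early exit in between now leaks the table.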
@@ -0,0 +1,66 @@ +From 11509910c599cbd04585ec35a6d5e1a0053d84c1 Mon Sep 17 00:00:00 2001 +From: Siddh Raman Pant +Date: Tue, 20 Jun 2023 22:17:00 +0530 +Subject: jfs: jfs_dmap: Validate db_l2nbperpage while mounting + +From: Siddh Raman Pant + +commit 11509910c599cbd04585ec35a6d5e1a0053d84c1 upstream. + +In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block +number inside dbFree(). db_l2nbperpage, which is the log2 number of +blocks per page, is passed as an argument to BLKTODMAP which uses it +for shifting. + +Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is +too big. This happens because the large value is set without any +validation in dbMount() at line 181. + +Thus, make sure that db_l2nbperpage is correct while mounting. + +Max number of blocks per page = Page size / Min block size +=> log2(Max num_block per page) = log2(Page size / Min block size) + = log2(Page size) - log2(Min block size) + +=> Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE + +Reported-and-tested-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715 +Cc: stable@vger.kernel.org +Suggested-by: Dave Kleikamp +Signed-off-by: Siddh Raman Pant +Signed-off-by: Dave Kleikamp +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/jfs_dmap.c | 6 ++++++ + fs/jfs/jfs_filsys.h | 2 ++ + 2 files changed, 8 insertions(+) + +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -178,7 +178,13 @@ int dbMount(struct inode *ipbmap) + dbmp_le = (struct dbmap_disk *) mp->data; + bmp->db_mapsize = le64_to_cpu(dbmp_le->dn_mapsize); + bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree); ++ + bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage); ++ if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) { ++ err = -EINVAL; ++ goto err_release_metapage; ++ } ++ + bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); + if (!bmp->db_numag) { + err = -EINVAL; +--- a/fs/jfs/jfs_filsys.h ++++ b/fs/jfs/jfs_filsys.h 
+@@ -122,7 +122,9 @@ + #define NUM_INODE_PER_IAG INOSPERIAG + + #define MINBLOCKSIZE 512 ++#define L2MINBLOCKSIZE 9 + #define MAXBLOCKSIZE 4096 ++#define L2MAXBLOCKSIZE 12 + #define MAXFILESIZE ((s64)1 << 52) + + #define JFS_LINK_MAX 0xffffffff diff --git a/tmp-5.10/kcsan-don-t-expect-64-bits-atomic-builtins-from-32-b.patch b/tmp-5.10/kcsan-don-t-expect-64-bits-atomic-builtins-from-32-b.patch new file mode 100644 index 00000000000..a3476b0fb97 --- /dev/null +++ b/tmp-5.10/kcsan-don-t-expect-64-bits-atomic-builtins-from-32-b.patch 
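Review bot: The new bound in dbMount() rejects only values above L2PSIZE - L2MINBLOCKSIZE, so a negative value would still pass. If db_l2nbperpage is a signed int (its declaration is not in this hunk), an on-disk dn_l2nbperpage with the top bit set becomes negative after le32_to_cpu() and leaves a negative shift count for BLKTODMAP. Adding a lower bound closes that case: `if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE || bmp->db_l2nbperpage < 0) {`. L2MAXBLOCKSIZE is added to jfs_filsys.h by the same patch but is not used in the visible hunks.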
@@ -0,0 +1,71 @@ +From a3c57e8fa7590ab2a1e2641d13d77717cdcaaa2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 17:31:17 +0200 +Subject: kcsan: Don't expect 64 bits atomic builtins from 32 bits + architectures + +From: Christophe Leroy + +[ Upstream commit 353e7300a1db928e427462f2745f9a2cd1625b3d ] + +Activating KCSAN on a 32 bits architecture leads to the following +link-time failure: + + LD .tmp_vmlinux.kallsyms1 + powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_load': + kernel/kcsan/core.c:1273: undefined reference to `__atomic_load_8' + powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_store': + kernel/kcsan/core.c:1273: undefined reference to `__atomic_store_8' + powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_exchange': + kernel/kcsan/core.c:1273: undefined reference to `__atomic_exchange_8' + powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_fetch_add': + kernel/kcsan/core.c:1273: undefined reference to `__atomic_fetch_add_8' + powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_fetch_sub': + kernel/kcsan/core.c:1273: undefined reference to `__atomic_fetch_sub_8' + powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_fetch_and': + kernel/kcsan/core.c:1273: undefined reference to `__atomic_fetch_and_8' + powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_fetch_or': + kernel/kcsan/core.c:1273: undefined reference to `__atomic_fetch_or_8' + powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_fetch_xor': + kernel/kcsan/core.c:1273: undefined reference to `__atomic_fetch_xor_8' + powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_fetch_nand': + kernel/kcsan/core.c:1273: undefined reference to `__atomic_fetch_nand_8' + powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_compare_exchange_strong': + kernel/kcsan/core.c:1273: undefined reference to 
`__atomic_compare_exchange_8' + powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_compare_exchange_weak': + kernel/kcsan/core.c:1273: undefined reference to `__atomic_compare_exchange_8' + powerpc64-linux-ld: kernel/kcsan/core.o: in function `__tsan_atomic64_compare_exchange_val': + kernel/kcsan/core.c:1273: undefined reference to `__atomic_compare_exchange_8' + +32 bits architectures don't have 64 bits atomic builtins. Only +include DEFINE_TSAN_ATOMIC_OPS(64) on 64 bits architectures. + +Fixes: 0f8ad5f2e934 ("kcsan: Add support for atomic builtins") +Suggested-by: Marco Elver +Signed-off-by: Christophe Leroy +Reviewed-by: Marco Elver +Acked-by: Marco Elver +Signed-off-by: Michael Ellerman +Link: https://msgid.link/d9c6afc28d0855240171a4e0ad9ffcdb9d07fceb.1683892665.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + kernel/kcsan/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/kcsan/core.c b/kernel/kcsan/core.c +index 762df6108c589..473dc04591b8e 100644 +--- a/kernel/kcsan/core.c ++++ b/kernel/kcsan/core.c +@@ -1035,7 +1035,9 @@ EXPORT_SYMBOL(__tsan_init); + DEFINE_TSAN_ATOMIC_OPS(8); + DEFINE_TSAN_ATOMIC_OPS(16); + DEFINE_TSAN_ATOMIC_OPS(32); ++#ifdef CONFIG_64BIT + DEFINE_TSAN_ATOMIC_OPS(64); ++#endif + + void __tsan_atomic_thread_fence(int memorder); + void __tsan_atomic_thread_fence(int memorder) +-- +2.39.2 + diff --git a/tmp-5.10/kernfs-fix-missing-kernfs_idr_lock-to-remove-an-id-f.patch b/tmp-5.10/kernfs-fix-missing-kernfs_idr_lock-to-remove-an-id-f.patch new file mode 100644 index 00000000000..95f8bb0c774 --- /dev/null +++ b/tmp-5.10/kernfs-fix-missing-kernfs_idr_lock-to-remove-an-id-f.patch 
@@ -0,0 +1,39 @@
+From 85f37765b34fefa7c7fa4b3b2a210c953058985f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 May 2023 10:40:17 +0800
+Subject: kernfs: fix missing kernfs_idr_lock to remove an ID from the IDR
+
+From: Muchun Song
+
+[ Upstream commit 30480b988f88c279752f3202a26b6fee5f586aef ]
+
+The root->ino_idr is supposed to be protected by kernfs_idr_lock, fix
+it.
+
+Fixes: 488dee96bb62 ("kernfs: allow creating kernfs objects with arbitrary uid/gid")
+Signed-off-by: Muchun Song
+Acked-by: Tejun Heo
+Link: https://lore.kernel.org/r/20230523024017.24851-1-songmuchun@bytedance.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ fs/kernfs/dir.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
+index 8b3c86a502daa..c91ee05cce74f 100644
+--- a/fs/kernfs/dir.c
++++ b/fs/kernfs/dir.c
+@@ -679,7 +679,9 @@ static struct kernfs_node *__kernfs_new_node(struct kernfs_root *root,
+ return kn;
+
+ err_out3:
++ spin_lock(&kernfs_idr_lock);
+ idr_remove(&root->ino_idr, (u32)kernfs_ino(kn));
++ spin_unlock(&kernfs_idr_lock);
+ err_out2:
+ kmem_cache_free(kernfs_node_cache, kn);
+ err_out1:
+--
+2.39.2
+
diff --git a/tmp-5.10/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch b/tmp-5.10/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch
new file mode 100644
index 00000000000..80b17a813dc
--- /dev/null
+++ b/tmp-5.10/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch
@@ -0,0 +1,93 @@ +From 38f86974676b88696f3161d2486f2bdf5643603f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 20:34:34 +0800 +Subject: kexec: fix a memory leak in crash_shrink_memory() + +From: Zhen Lei + +[ Upstream commit 1cba6c4309f03de570202c46f03df3f73a0d4c82 ] + +Patch series "kexec: enable kexec_crash_size to support two crash kernel +regions". + +When crashkernel=X fails to reserve region under 4G, it will fall back to +reserve region above 4G and a region of the default size will also be +reserved under 4G. Unfortunately, /sys/kernel/kexec_crash_size only +supports one crash kernel region now, the user cannot sense the low memory +reserved by reading /sys/kernel/kexec_crash_size. Also, low memory cannot +be freed by writing this file. + +For example: +resource_size(crashk_res) = 512M +resource_size(crashk_low_res) = 256M + +The result of 'cat /sys/kernel/kexec_crash_size' is 512M, but it should be +768M. When we execute 'echo 0 > /sys/kernel/kexec_crash_size', the size +of crashk_res becomes 0 and resource_size(crashk_low_res) is still 256 MB, +which is incorrect. + +Since crashk_res manages the memory with high address and crashk_low_res +manages the memory with low address, crashk_low_res is shrunken only when +all crashk_res is shrunken. And because when there is only one crash +kernel region, crashk_res is always used. Therefore, if all crashk_res is +shrunken and crashk_low_res still exists, swap them. + +This patch (of 6): + +If the value of parameter 'new_size' is in the semi-open and semi-closed +interval (crashk_res.end - KEXEC_CRASH_MEM_ALIGN + 1, crashk_res.end], the +calculation result of ram_res is: + + ram_res->start = crashk_res.end + 1 + ram_res->end = crashk_res.end + +The operation of insert_resource() fails, and ram_res is not added to +iomem_resource. As a result, the memory of the control block ram_res is +leaked. 
+ +In fact, on all architectures, the start address and size of crashk_res +are already aligned by KEXEC_CRASH_MEM_ALIGN. Therefore, we do not need +to round up crashk_res.start again. Instead, we should round up +'new_size' in advance. + +Link: https://lkml.kernel.org/r/20230527123439.772-1-thunder.leizhen@huawei.com +Link: https://lkml.kernel.org/r/20230527123439.772-2-thunder.leizhen@huawei.com +Fixes: 6480e5a09237 ("kdump: add missing RAM resource in crash_shrink_memory()") +Fixes: 06a7f711246b ("kexec: premit reduction of the reserved memory size") +Signed-off-by: Zhen Lei +Acked-by: Baoquan He +Cc: Cong Wang +Cc: Eric W. Biederman +Cc: Michael Holzheu +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/kexec_core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c +index 7a8104d489971..3a37fc62dc95f 100644 +--- a/kernel/kexec_core.c ++++ b/kernel/kexec_core.c +@@ -1029,6 +1029,7 @@ int crash_shrink_memory(unsigned long new_size) + start = crashk_res.start; + end = crashk_res.end; + old_size = (end == 0) ? 0 : end - start + 1; ++ new_size = roundup(new_size, KEXEC_CRASH_MEM_ALIGN); + if (new_size >= old_size) { + ret = (new_size == old_size) ? 0 : -EINVAL; + goto unlock; +@@ -1040,9 +1041,7 @@ int crash_shrink_memory(unsigned long new_size) + goto unlock; + } + +- start = roundup(start, KEXEC_CRASH_MEM_ALIGN); +- end = roundup(start + new_size, KEXEC_CRASH_MEM_ALIGN); +- ++ end = start + new_size; + crash_free_reserved_phys_range(end, crashk_res.end); + + if ((start == end) && (crashk_res.parent != NULL)) +-- +2.39.2 + diff --git a/tmp-5.10/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch b/tmp-5.10/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch new file mode 100644 index 00000000000..75ed3459f73 --- /dev/null +++ b/tmp-5.10/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch 
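Review bot: `new_size = roundup(new_size, KEXEC_CRASH_MEM_ALIGN);` in crash_shrink_memory() runs before any range check, so a value within one alignment unit of ULONG_MAX can wrap to 0. It would then be handled as a request to release the whole region instead of failing with -EINVAL as an oversized value did before. Rejecting `new_size > ULONG_MAX - KEXEC_CRASH_MEM_ALIGN` first, or comparing against old_size before rounding, keeps the old error behaviour for writes to /sys/kernel/kexec_crash_size. The function begins and ends outside these hunks.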
@@ -0,0 +1,177 @@ +From d55901522f96082a43b9842d34867363c0cdbac5 Mon Sep 17 00:00:00 2001 +From: Petr Pavlu +Date: Thu, 23 Mar 2023 14:04:12 +0100 +Subject: keys: Fix linking a duplicate key to a keyring's assoc_array + +From: Petr Pavlu + +commit d55901522f96082a43b9842d34867363c0cdbac5 upstream. + +When making a DNS query inside the kernel using dns_query(), the request +code can in rare cases end up creating a duplicate index key in the +assoc_array of the destination keyring. It is eventually found by +a BUG_ON() check in the assoc_array implementation and results in +a crash. + +Example report: +[2158499.700025] kernel BUG at ../lib/assoc_array.c:652! +[2158499.700039] invalid opcode: 0000 [#1] SMP PTI +[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3 +[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 +[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs] +[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40 +[2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f +[2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282 +[2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005 +[2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 +[2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000 +[2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28 +[2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740 +[2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000 +[2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[2158499.700630] CR2: 00007fdd94fca238 CR3: 
0000000809d8c006 CR4: 00000000003706e0 +[2158499.700702] Call Trace: +[2158499.700741] ? key_alloc+0x447/0x4b0 +[2158499.700768] ? __key_link_begin+0x43/0xa0 +[2158499.700790] __key_link_begin+0x43/0xa0 +[2158499.700814] request_key_and_link+0x2c7/0x730 +[2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver] +[2158499.700873] ? key_default_cmp+0x20/0x20 +[2158499.700898] request_key_tag+0x43/0xa0 +[2158499.700926] dns_query+0x114/0x2ca [dns_resolver] +[2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs] +[2158499.701164] ? scnprintf+0x49/0x90 +[2158499.701190] ? __switch_to_asm+0x40/0x70 +[2158499.701211] ? __switch_to_asm+0x34/0x70 +[2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs] +[2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs] +[2158499.701632] process_one_work+0x1f8/0x3e0 +[2158499.701658] worker_thread+0x2d/0x3f0 +[2158499.701682] ? process_one_work+0x3e0/0x3e0 +[2158499.701703] kthread+0x10d/0x130 +[2158499.701723] ? kthread_park+0xb0/0xb0 +[2158499.701746] ret_from_fork+0x1f/0x40 + +The situation occurs as follows: +* Some kernel facility invokes dns_query() to resolve a hostname, for + example, "abcdef". The function registers its global DNS resolver + cache as current->cred.thread_keyring and passes the query to + request_key_net() -> request_key_tag() -> request_key_and_link(). +* Function request_key_and_link() creates a keyring_search_context + object. Its match_data.cmp method gets set via a call to + type->match_preparse() (resolves to dns_resolver_match_preparse()) to + dns_resolver_cmp(). +* Function request_key_and_link() continues and invokes + search_process_keyrings_rcu() which returns that a given key was not + found. The control is then passed to request_key_and_link() -> + construct_alloc_key(). +* Concurrently to that, a second task similarly makes a DNS query for + "abcdef." and its result gets inserted into the DNS resolver cache. 
+* Back on the first task, function construct_alloc_key() first runs + __key_link_begin() to determine an assoc_array_edit operation to + insert a new key. Index keys in the array are compared exactly as-is, + using keyring_compare_object(). The operation finds that "abcdef" is + not yet present in the destination keyring. +* Function construct_alloc_key() continues and checks if a given key is + already present on some keyring by again calling + search_process_keyrings_rcu(). This search is done using + dns_resolver_cmp() and "abcdef" gets matched with now present key + "abcdef.". +* The found key is linked on the destination keyring by calling + __key_link() and using the previously calculated assoc_array_edit + operation. This inserts the "abcdef." key in the array but creates + a duplicity because the same index key is already present. + +Fix the problem by postponing __key_link_begin() in +construct_alloc_key() until an actual key which should be linked into +the destination keyring is determined. 
+ +[jarkko@kernel.org: added a fixes tag and cc to stable] +Cc: stable@vger.kernel.org # v5.3+ +Fixes: df593ee23e05 ("keys: Hoist locking out of __key_link_begin()") +Signed-off-by: Petr Pavlu +Reviewed-by: Joey Lee +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/request_key.c | 35 ++++++++++++++++++++++++----------- + 1 file changed, 24 insertions(+), 11 deletions(-) + +--- a/security/keys/request_key.c ++++ b/security/keys/request_key.c +@@ -401,17 +401,21 @@ static int construct_alloc_key(struct ke + set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); + + if (dest_keyring) { +- ret = __key_link_lock(dest_keyring, &ctx->index_key); ++ ret = __key_link_lock(dest_keyring, &key->index_key); + if (ret < 0) + goto link_lock_failed; +- ret = __key_link_begin(dest_keyring, &ctx->index_key, &edit); +- if (ret < 0) +- goto link_prealloc_failed; + } + +- /* attach the key to the destination keyring under lock, but we do need ++ /* ++ * Attach the key to the destination keyring under lock, but we do need + * to do another check just in case someone beat us to it whilst we +- * waited for locks */ ++ * waited for locks. ++ * ++ * The caller might specify a comparison function which looks for keys ++ * that do not exactly match but are still equivalent from the caller's ++ * perspective. The __key_link_begin() operation must be done only after ++ * an actual key is determined. 
++ */ + mutex_lock(&key_construction_mutex); + + rcu_read_lock(); +@@ -420,12 +424,16 @@ static int construct_alloc_key(struct ke + if (!IS_ERR(key_ref)) + goto key_already_present; + +- if (dest_keyring) ++ if (dest_keyring) { ++ ret = __key_link_begin(dest_keyring, &key->index_key, &edit); ++ if (ret < 0) ++ goto link_alloc_failed; + __key_link(dest_keyring, key, &edit); ++ } + + mutex_unlock(&key_construction_mutex); + if (dest_keyring) +- __key_link_end(dest_keyring, &ctx->index_key, edit); ++ __key_link_end(dest_keyring, &key->index_key, edit); + mutex_unlock(&user->cons_lock); + *_key = key; + kleave(" = 0 [%d]", key_serial(key)); +@@ -438,10 +446,13 @@ key_already_present: + mutex_unlock(&key_construction_mutex); + key = key_ref_to_ptr(key_ref); + if (dest_keyring) { ++ ret = __key_link_begin(dest_keyring, &key->index_key, &edit); ++ if (ret < 0) ++ goto link_alloc_failed_unlocked; + ret = __key_link_check_live_key(dest_keyring, key); + if (ret == 0) + __key_link(dest_keyring, key, &edit); +- __key_link_end(dest_keyring, &ctx->index_key, edit); ++ __key_link_end(dest_keyring, &key->index_key, edit); + if (ret < 0) + goto link_check_failed; + } +@@ -456,8 +467,10 @@ link_check_failed: + kleave(" = %d [linkcheck]", ret); + return ret; + +-link_prealloc_failed: +- __key_link_end(dest_keyring, &ctx->index_key, edit); ++link_alloc_failed: ++ mutex_unlock(&key_construction_mutex); ++link_alloc_failed_unlocked: ++ __key_link_end(dest_keyring, &key->index_key, edit); + link_lock_failed: + mutex_unlock(&user->cons_lock); + key_put(key); diff --git a/tmp-5.10/kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch b/tmp-5.10/kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch new file mode 100644 index 00000000000..7c89ba5fea6 --- /dev/null +++ b/tmp-5.10/kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch 
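Review bot: On the key_already_present path in construct_alloc_key(), `key` is reassigned to the key found by the search before __key_link_begin() and __key_link_end() run, so the lock taken earlier with the new key's index_key is released with the index key of a different object. That is fine only if both helpers look at fields the two keys share (presumably the key type), which the code does not say. A comment at `key = key_ref_to_ptr(key_ref);` stating that assumption would help. The two new failure labels also pass `edit` to __key_link_end() after a failed __key_link_begin(), which relies on `edit` being initialised to NULL at its declaration, outside these hunks.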
@@ -0,0 +1,74 @@ +From f23a34647b05c14ae2a46511c53c8ac0d9274a38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Mar 2023 15:54:23 +0100 +Subject: KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes + +From: Nico Boehr + +[ Upstream commit 285cff4c0454340a4dc53f46e67f2cb1c293bd74 ] + +The KVM_S390_GET_CMMA_BITS ioctl may return incorrect values when userspace +specifies a start_gfn outside of memslots. + +This can occur when a VM has multiple memslots with a hole in between: + ++-----+----------+--------+--------+ +| ... | Slot N-1 | | Slot N | ++-----+----------+--------+--------+ + ^ ^ ^ ^ + | | | | +GFN A A+B | | + A+B+C | + A+B+C+D + +When userspace specifies a GFN in [A+B, A+B+C), it would expect to get the +CMMA values of the first dirty page in Slot N. However, userspace may get a +start_gfn of A+B+C+D with a count of 0, hence completely skipping over any +dirty pages in slot N. + +The error is in kvm_s390_next_dirty_cmma(), which assumes +gfn_to_memslot_approx() will return the memslot _below_ the specified GFN +when the specified GFN lies outside a memslot. In reality it may return +either the memslot below or above the specified GFN. + +When a memslot above the specified GFN is returned this happens: + +- ofs is calculated, but since the memslot's base_gfn is larger than the + specified cur_gfn, ofs will underflow to a huge number. +- ofs is passed to find_next_bit(). Since ofs will exceed the memslot's + number of pages, the number of pages in the memslot is returned, + completely skipping over all bits in the memslot userspace would be + interested in. + +Fix this by resetting ofs to zero when a memslot _above_ cur_gfn is +returned (cur_gfn < ms->base_gfn). 
+ +Signed-off-by: Nico Boehr +Reviewed-by: Claudio Imbrenda +Fixes: afdad61615cc ("KVM: s390: Fix storage attributes migration with memory slots") +Message-Id: <20230324145424.293889-2-nrb@linux.ibm.com> +Signed-off-by: Claudio Imbrenda +Signed-off-by: Janosch Frank +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/kvm-s390.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index 7ffc73ba220fb..7a326d03087ab 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -2005,6 +2005,10 @@ static unsigned long kvm_s390_next_dirty_cmma(struct kvm_memslots *slots, + ms = slots->memslots + slotidx; + ofs = 0; + } ++ ++ if (cur_gfn < ms->base_gfn) ++ ofs = 0; ++ + ofs = find_next_bit(kvm_second_dirty_bitmap(ms), ms->npages, ofs); + while ((slotidx > 0) && (ofs >= ms->npages)) { + slotidx--; +-- +2.39.2 + diff --git a/tmp-5.10/kvm-s390-vsie-fix-the-length-of-apcb-bitmap.patch b/tmp-5.10/kvm-s390-vsie-fix-the-length-of-apcb-bitmap.patch new file mode 100644 index 00000000000..721cdbd7e30 --- /dev/null +++ b/tmp-5.10/kvm-s390-vsie-fix-the-length-of-apcb-bitmap.patch 
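Review bot: The added `if (cur_gfn < ms->base_gfn) ofs = 0;` in kvm_s390_next_dirty_cmma() has no comment, so nothing at that spot says why an offset computed earlier is being discarded. Per the description, gfn_to_memslot_approx() may return the memslot above cur_gfn, in which case the subtraction that produced ofs has wrapped. A one-line comment such as `/* approx lookup may return the slot above cur_gfn; ofs has wrapped, start at the slot's first page */` would keep a later cleanup from folding the check away. The computation of ofs sits above the hunk, so its exact form is inferred from the description.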
@@ -0,0 +1,52 @@ +From f97c4c8574cf7668e778f8caad7b0f8b83e75af4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 17:42:58 +0200 +Subject: KVM: s390: vsie: fix the length of APCB bitmap + +From: Pierre Morel + +[ Upstream commit 246be7d2720ea9a795b576067ecc5e5c7a1e7848 ] + +bit_and() uses the count of bits as the woking length. +Fix the previous implementation and effectively use +the right bitmap size. + +Fixes: 19fd83a64718 ("KVM: s390: vsie: allow CRYCB FORMAT-1") +Fixes: 56019f9aca22 ("KVM: s390: vsie: Allow CRYCB FORMAT-2") + +Signed-off-by: Pierre Morel +Reviewed-by: Janosch Frank +Link: https://lore.kernel.org/kvm/20230511094719.9691-1-pmorel@linux.ibm.com/ +Signed-off-by: Janosch Frank +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/vsie.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/kvm/vsie.c b/arch/s390/kvm/vsie.c +index ff58decfef5e8..192eacc8fbb7a 100644 +--- a/arch/s390/kvm/vsie.c ++++ b/arch/s390/kvm/vsie.c +@@ -168,7 +168,8 @@ static int setup_apcb00(struct kvm_vcpu *vcpu, unsigned long *apcb_s, + sizeof(struct kvm_s390_apcb0))) + return -EFAULT; + +- bitmap_and(apcb_s, apcb_s, apcb_h, sizeof(struct kvm_s390_apcb0)); ++ bitmap_and(apcb_s, apcb_s, apcb_h, ++ BITS_PER_BYTE * sizeof(struct kvm_s390_apcb0)); + + return 0; + } +@@ -190,7 +191,8 @@ static int setup_apcb11(struct kvm_vcpu *vcpu, unsigned long *apcb_s, + sizeof(struct kvm_s390_apcb1))) + return -EFAULT; + +- bitmap_and(apcb_s, apcb_s, apcb_h, sizeof(struct kvm_s390_apcb1)); ++ bitmap_and(apcb_s, apcb_s, apcb_h, ++ BITS_PER_BYTE * sizeof(struct kvm_s390_apcb1)); + + return 0; + } +-- +2.39.2 + diff --git a/tmp-5.10/leds-trigger-netdev-recheck-netdev_led_mode_linkup-on-dev-rename.patch b/tmp-5.10/leds-trigger-netdev-recheck-netdev_led_mode_linkup-on-dev-rename.patch new file mode 100644 index 00000000000..de3cc3c3e3c --- /dev/null +++ b/tmp-5.10/leds-trigger-netdev-recheck-netdev_led_mode_linkup-on-dev-rename.patch 
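Review bot: Both `bitmap_and()` calls in setup_apcb00() and setup_apcb11() now pass `BITS_PER_BYTE * sizeof(...)`, but the unit of that last argument is still not stated next to the call, which is how a byte count ended up there. With the old length only the first sizeof() bits of apcb_s were ANDed with apcb_h, so the rest of the shadow mask was never restricted by the host mask; apcb_s appears to be filled by the guest read just above, which the hunk shows only in part. I would add `/* length is in bits: mask the whole APCB against the host's */` above each call. Both function bodies start outside their hunks.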
@@ -0,0 +1,39 @@ +From cee4bd16c3195a701be683f7da9e88c6e11acb73 Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Wed, 19 Apr 2023 23:07:39 +0200 +Subject: leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename + +From: Christian Marangi + +commit cee4bd16c3195a701be683f7da9e88c6e11acb73 upstream. + +Dev can be renamed also while up for supported device. We currently +wrongly clear the NETDEV_LED_MODE_LINKUP flag on NETDEV_CHANGENAME +event. + +Fix this by rechecking if the carrier is ok on NETDEV_CHANGENAME and +correctly set the NETDEV_LED_MODE_LINKUP bit. + +Fixes: 5f820ed52371 ("leds: trigger: netdev: fix handling on interface rename") +Cc: stable@vger.kernel.org # v5.5+ +Signed-off-by: Christian Marangi +Reviewed-by: Andrew Lunn +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20230419210743.3594-2-ansuelsmth@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/trigger/ledtrig-netdev.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/leds/trigger/ledtrig-netdev.c ++++ b/drivers/leds/trigger/ledtrig-netdev.c +@@ -318,6 +318,9 @@ static int netdev_trig_notify(struct not + clear_bit(NETDEV_LED_MODE_LINKUP, &trigger_data->mode); + switch (evt) { + case NETDEV_CHANGENAME: ++ if (netif_carrier_ok(dev)) ++ set_bit(NETDEV_LED_MODE_LINKUP, &trigger_data->mode); ++ fallthrough; + case NETDEV_REGISTER: + if (trigger_data->net_dev) + dev_put(trigger_data->net_dev); diff --git a/tmp-5.10/lib-ts_bm-reset-initial-match-offset-for-every-block.patch b/tmp-5.10/lib-ts_bm-reset-initial-match-offset-for-every-block.patch new file mode 100644 index 00000000000..e236cd40a0b --- /dev/null +++ b/tmp-5.10/lib-ts_bm-reset-initial-match-offset-for-every-block.patch 
@@ -0,0 +1,59 @@ +From d67c1b8520fd7e6fe7cfdb78a8167e2c331ef6c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 20:06:57 +0100 +Subject: lib/ts_bm: reset initial match offset for every block of text + +From: Jeremy Sowden + +[ Upstream commit 6f67fbf8192da80c4db01a1800c7fceaca9cf1f9 ] + +The `shift` variable which indicates the offset in the string at which +to start matching the pattern is initialized to `bm->patlen - 1`, but it +is not reset when a new block is retrieved. This means the implemen- +tation may start looking at later and later positions in each successive +block and miss occurrences of the pattern at the beginning. E.g., +consider a HTTP packet held in a non-linear skb, where the HTTP request +line occurs in the second block: + + [... 52 bytes of packet headers ...] + GET /bmtest HTTP/1.1\r\nHost: www.example.com\r\n\r\n + +and the pattern is "GET /bmtest". + +Once the first block comprising the packet headers has been examined, +`shift` will be pointing to somewhere near the end of the block, and so +when the second block is examined the request line at the beginning will +be missed. + +Reinitialize the variable for each new block. 
+ +Fixes: 8082e4ed0a61 ("[LIB]: Boyer-Moore extension for textsearch infrastructure strike #2") +Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1390 +Signed-off-by: Jeremy Sowden +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + lib/ts_bm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/ts_bm.c b/lib/ts_bm.c +index 4cf250031f0f0..352ae837e0317 100644 +--- a/lib/ts_bm.c ++++ b/lib/ts_bm.c +@@ -60,10 +60,12 @@ static unsigned int bm_find(struct ts_config *conf, struct ts_state *state) + struct ts_bm *bm = ts_config_priv(conf); + unsigned int i, text_len, consumed = state->offset; + const u8 *text; +- int shift = bm->patlen - 1, bs; ++ int bs; + const u8 icase = conf->flags & TS_IGNORECASE; + + for (;;) { ++ int shift = bm->patlen - 1; ++ + text_len = conf->get_next_block(consumed, &text, conf, state); + + if (unlikely(text_len == 0)) +-- +2.39.2 + diff --git a/tmp-5.10/libbpf-fix-offsetof-and-container_of-to-work-with-co.patch b/tmp-5.10/libbpf-fix-offsetof-and-container_of-to-work-with-co.patch new file mode 100644 index 00000000000..c3cf66efbb8 --- /dev/null +++ b/tmp-5.10/libbpf-fix-offsetof-and-container_of-to-work-with-co.patch 
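Review bot: Re-initialising `shift` to `bm->patlen - 1` at the top of each loop pass in bm_find() makes every block returned by get_next_block() an independent search, so a pattern that straddles two blocks is still not reported, and the code does not say so at this spot. For users that treat a match as a filtering decision on non-linear data, that is the limit that remains after the fix. A comment on the new declaration would do: `/* each block is searched on its own; a pattern split across two blocks is not found */`. The loop body continues past the end of the hunk, so this rests on the visible initialisation only.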
@@ -0,0 +1,62 @@ +From 8a7a9f3fa7e6f0c1bec40f4048358a1cde9714d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 23:55:02 -0700 +Subject: libbpf: fix offsetof() and container_of() to work with CO-RE + +From: Andrii Nakryiko + +[ Upstream commit bdeeed3498c7871c17465bb4f11d1bc67f9098af ] + +It seems like __builtin_offset() doesn't preserve CO-RE field +relocations properly. So if offsetof() macro is defined through +__builtin_offset(), CO-RE-enabled BPF code using container_of() will be +subtly and silently broken. + +To avoid this problem, redefine offsetof() and container_of() in the +form that works with CO-RE relocations more reliably. + +Fixes: 5fbc220862fc ("tools/libpf: Add offsetof/container_of macro in bpf_helpers.h") +Reported-by: Lennart Poettering +Signed-off-by: Andrii Nakryiko +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20230509065502.2306180-1-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/bpf_helpers.h | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/tools/lib/bpf/bpf_helpers.h b/tools/lib/bpf/bpf_helpers.h +index 72b251110c4d7..1c389b0f5499a 100644 +--- a/tools/lib/bpf/bpf_helpers.h ++++ b/tools/lib/bpf/bpf_helpers.h +@@ -42,16 +42,21 @@ + /* + * Helper macro to manipulate data structures + */ +-#ifndef offsetof +-#define offsetof(TYPE, MEMBER) ((unsigned long)&((TYPE *)0)->MEMBER) +-#endif +-#ifndef container_of ++ ++/* offsetof() definition that uses __builtin_offset() might not preserve field ++ * offset CO-RE relocation properly, so force-redefine offsetof() using ++ * old-school approach which works with CO-RE correctly ++ */ ++#undef offsetof ++#define offsetof(type, member) ((unsigned long)&((type *)0)->member) ++ ++/* redefined container_of() to ensure we use the above offsetof() macro */ ++#undef container_of + #define container_of(ptr, type, member) \ + ({ \ + void *__mptr = (void *)(ptr); \ + ((type *)(__mptr - 
offsetof(type, member))); \ + }) +-#endif + + /* + * Helper macro to throw a compilation error if __bpf_unreachable() gets +-- +2.39.2 + diff --git a/tmp-5.10/llc-don-t-drop-packet-from-non-root-netns.patch b/tmp-5.10/llc-don-t-drop-packet-from-non-root-netns.patch new file mode 100644 index 00000000000..7a19c410245 --- /dev/null +++ b/tmp-5.10/llc-don-t-drop-packet-from-non-root-netns.patch 
@@ -0,0 +1,50 @@ +From e974d01b88c768b3a302a923ee7e765b39fccbd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jul 2023 10:41:51 -0700 +Subject: llc: Don't drop packet from non-root netns. + +From: Kuniyuki Iwashima + +[ Upstream commit 6631463b6e6673916d2481f692938f393148aa82 ] + +Now these upper layer protocol handlers can be called from llc_rcv() +as sap->rcv_func(), which is registered by llc_sap_open(). + + * function which is passed to register_8022_client() + -> no in-kernel user calls register_8022_client(). + + * snap_rcv() + `- proto->rcvfunc() : registered by register_snap_client() + -> aarp_rcv() and atalk_rcv() drop packets from non-root netns + + * stp_pdu_rcv() + `- garp_protos[]->rcv() : registered by stp_proto_register() + -> garp_pdu_rcv() and br_stp_rcv() are netns-aware + +So, we can safely remove the netns restriction in llc_rcv(). + +Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/llc/llc_input.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c +index c309b72a58779..7cac441862e21 100644 +--- a/net/llc/llc_input.c ++++ b/net/llc/llc_input.c +@@ -163,9 +163,6 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev, + void (*sta_handler)(struct sk_buff *skb); + void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb); + +- if (!net_eq(dev_net(dev), &init_net)) +- goto drop; +- + /* + * When the interface is in promisc. mode, drop all the crap that it + * receives, do not try to analyse it. +-- +2.39.2 + diff --git a/tmp-5.10/mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch b/tmp-5.10/mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch new file mode 100644 index 00000000000..8598c820556 --- /dev/null +++ b/tmp-5.10/mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch 
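Review bot: Removing the `net_eq(dev_net(dev), &init_net)` guard opens llc_rcv() to frames from every network namespace, yet the description audits only the sap->rcv_func() users, while the function also dispatches through the `sta_handler` and `sap_handler` pointers declared in the context lines. Whether the socket lookups behind those handlers (llc_estab_match(), llc_listener_match(), llc_dgram_match()) compare namespaces in this tree cannot be seen from this patch; if they do not, a frame arriving in one namespace could be matched to a socket in another. The changelog should name the prerequisite for this branch, for example `Depends on the netns checks in the llc socket lookup functions.` The rest of llc_rcv() is outside the hunk.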
@@ -0,0 +1,75 @@ +From fa372120604ab979ca8e1579a6a76715f8d63feb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 20:00:22 -0500 +Subject: mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 + +From: Nishanth Menon + +[ Upstream commit 1b712f18c461bd75f018033a15cf381e712806b5 ] + +Sec proxy/message manager data buffer is 60 bytes with the last of the +registers indicating transmission completion. This however poses a bit +of a challenge. + +The backing memory for sec_proxy / message manager is regular memory, +and all sec proxy does is to trigger a burst of all 60 bytes of data +over to the target thread backing ring accelerator. It doesn't do a +memory scrub when it moves data out in the burst. When we transmit +multiple messages, remnants of previous message is also transmitted +which results in some random data being set in TISCI fields of +messages that have been expanded forward. + +The entire concept of backward compatibility hinges on the fact that +the unused message fields remain 0x0 allowing for 0x0 value to be +specially considered when backward compatibility of message extension +is done. + +So, instead of just writing the completion register, we continue +to fill the message buffer up with 0x0 (note: for partial message +involving completion, we already do this). + +This allows us to scale and introduce ABI changes back also work with +other boot stages that may have left data in the internal memory. + +While at this, be consistent and explicit with the data_reg pointer +increment. 
+ +Fixes: aace66b170ce ("mailbox: Introduce TI message manager driver") +Signed-off-by: Nishanth Menon +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/ti-msgmgr.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/mailbox/ti-msgmgr.c b/drivers/mailbox/ti-msgmgr.c +index 0130628f4d9db..535fe73ce3109 100644 +--- a/drivers/mailbox/ti-msgmgr.c ++++ b/drivers/mailbox/ti-msgmgr.c +@@ -385,14 +385,20 @@ static int ti_msgmgr_send_data(struct mbox_chan *chan, void *data) + /* Ensure all unused data is 0 */ + data_trail &= 0xFFFFFFFF >> (8 * (sizeof(u32) - trail_bytes)); + writel(data_trail, data_reg); +- data_reg++; ++ data_reg += sizeof(u32); + } ++ + /* + * 'data_reg' indicates next register to write. If we did not already + * write on tx complete reg(last reg), we must do so for transmit ++ * In addition, we also need to make sure all intermediate data ++ * registers(if any required), are reset to 0 for TISCI backward ++ * compatibility to be maintained. + */ +- if (data_reg <= qinst->queue_buff_end) +- writel(0, qinst->queue_buff_end); ++ while (data_reg <= qinst->queue_buff_end) { ++ writel(0, data_reg); ++ data_reg += sizeof(u32); ++ } + + return 0; + } +-- +2.39.2 + diff --git a/tmp-5.10/md-fix-data-corruption-for-raid456-when-reshape-rest.patch b/tmp-5.10/md-fix-data-corruption-for-raid456-when-reshape-rest.patch new file mode 100644 index 00000000000..bf2f64db534 --- /dev/null +++ b/tmp-5.10/md-fix-data-corruption-for-raid456-when-reshape-rest.patch 
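Review bot: The zero-fill loop `while (data_reg <= qinst->queue_buff_end)` and the changed `data_reg += sizeof(u32)` both advance by a byte count, which is a one-register step only if data_reg is a byte-granular pointer; its declaration is outside the hunk. If it were a `u32 __iomem *`, each step would skip registers and leave words from the previous message in the buffer, which is exactly the stale data the patch is meant to scrub. I would state the assumption in the comment above the loop: `/* data_reg is a byte pointer; advance one 32-bit register per write */`.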
@@ -0,0 +1,60 @@ +From aa794f5655fbe55a4c5b1f73f22077511a6a7447 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 09:56:07 +0800 +Subject: md: fix data corruption for raid456 when reshape restart while grow + up + +From: Yu Kuai + +[ Upstream commit 873f50ece41aad5c4f788a340960c53774b5526e ] + +Currently, if reshape is interrupted, echo "reshape" to sync_action will +restart reshape from scratch, for example: + +echo frozen > sync_action +echo reshape > sync_action + +This will corrupt data before reshape_position if the array is growing, +fix the problem by continue reshape from reshape_position. + +Reported-by: Peter Neuwirth +Link: https://lore.kernel.org/linux-raid/e2f96772-bfbc-f43b-6da1-f520e5164536@online.de/ +Signed-off-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230512015610.821290-3-yukuai1@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index bbf39abc32b79..ae0a857d6076a 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -4890,11 +4890,21 @@ action_store(struct mddev *mddev, const char *page, size_t len) + return -EINVAL; + err = mddev_lock(mddev); + if (!err) { +- if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) ++ if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) { + err = -EBUSY; +- else { ++ } else if (mddev->reshape_position == MaxSector || ++ mddev->pers->check_reshape == NULL || ++ mddev->pers->check_reshape(mddev)) { + clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); + err = mddev->pers->start_reshape(mddev); ++ } else { ++ /* ++ * If reshape is still in progress, and ++ * md_check_recovery() can continue to reshape, ++ * don't restart reshape because data can be ++ * corrupted for raid456. ++ */ ++ clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); + } + mddev_unlock(mddev); + } +-- +2.39.2 + 
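Review bot: In action_store() the new `else if` treats a non-zero return from `mddev->pers->check_reshape(mddev)` as the case where start_reshape() is called, and only the final else branch is commented, so the reader has to work out which of the three conditions means that no interrupted reshape exists. If that is the intent, a comment on the middle branch would say it: `/* no interrupted reshape, or it cannot be resumed: start one */`. check_reshape() is used here purely as a predicate; whether it changes mddev state when called this way is not visible from the hunk. action_store() starts and ends outside the hunk.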
diff --git a/tmp-5.10/md-raid0-add-discard-support-for-the-original-layout.patch b/tmp-5.10/md-raid0-add-discard-support-for-the-original-layout.patch new file mode 100644 index 00000000000..1f6dc4961d1 --- /dev/null +++ b/tmp-5.10/md-raid0-add-discard-support-for-the-original-layout.patch 
@@ -0,0 +1,203 @@ +From e836007089ba8fdf24e636ef2b007651fb4582e6 Mon Sep 17 00:00:00 2001 +From: Jason Baron +Date: Fri, 23 Jun 2023 14:05:23 -0400 +Subject: md/raid0: add discard support for the 'original' layout + +From: Jason Baron + +commit e836007089ba8fdf24e636ef2b007651fb4582e6 upstream. + +We've found that using raid0 with the 'original' layout and discard +enabled with different disk sizes (such that at least two zones are +created) can result in data corruption. This is due to the fact that +the discard handling in 'raid0_handle_discard()' assumes the 'alternate' +layout. We've seen this corruption using ext4 but other filesystems are +likely susceptible as well. + +More specifically, while multiple zones are necessary to create the +corruption, the corruption may not occur with multiple zones if they +layout in such a way the layout matches what the 'alternate' layout +would have produced. Thus, not all raid0 devices with the 'original' +layout, different size disks and discard enabled will encounter this +corruption. + +The 3.14 kernel inadvertently changed the raid0 disk layout for different +size disks. Thus, running a pre-3.14 kernel and post-3.14 kernel on the +same raid0 array could corrupt data. This lead to the creation of the +'original' layout (to match the pre-3.14 layout) and the 'alternate' layout +(to match the post 3.14 layout) in the 5.4 kernel time frame and an option +to tell the kernel which layout to use (since it couldn't be autodetected). +However, when the 'original' layout was added back to 5.4 discard support +for the 'original' layout was not added leading this issue. + +I've been able to reliably reproduce the corruption with the following +test case: + +1. create raid0 array with different size disks using original layout +2. mkfs +3. mount -o discard +4. create lots of files +5. remove 1/2 the files +6. fstrim -a (or just the mount point for the raid0 array) +7. umount +8. 
fsck -fn /dev/md0 (spews all sorts of corruptions) + +Let's fix this by adding proper discard support to the 'original' layout. +The fix 'maps' the 'original' layout disks to the order in which they are +read/written such that we can compare the disks in the same way that the +current 'alternate' layout does. A 'disk_shift' field is added to +'struct strip_zone'. This could be computed on the fly in +raid0_handle_discard() but by adding this field, we save some computation +in the discard path. + +Note we could also potentially fix this by re-ordering the disks in the +zones that follow the first one, and then always read/writing them using +the 'alternate' layout. However, that is seen as a more substantial change, +and we are attempting the least invasive fix at this time to remedy the +corruption. + +I've verified the change using the reproducer mentioned above. Typically, +the corruption is seen after less than 3 iterations, while the patch has +run 500+ iterations. + +Cc: NeilBrown +Cc: Song Liu +Fixes: c84a1372df92 ("md/raid0: avoid RAID0 data corruption due to layout confusion.") +Cc: stable@vger.kernel.org +Signed-off-by: Jason Baron +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230623180523.1901230-1-jbaron@akamai.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid0.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++------- + drivers/md/raid0.h | 1 + 2 files changed, 55 insertions(+), 8 deletions(-) + +--- a/drivers/md/raid0.c ++++ b/drivers/md/raid0.c +@@ -274,6 +274,18 @@ static int create_strip_zones(struct mdd + goto abort; + } + ++ if (conf->layout == RAID0_ORIG_LAYOUT) { ++ for (i = 1; i < conf->nr_strip_zones; i++) { ++ sector_t first_sector = conf->strip_zone[i-1].zone_end; ++ ++ sector_div(first_sector, mddev->chunk_sectors); ++ zone = conf->strip_zone + i; ++ /* disk_shift is first disk index used in the zone */ ++ zone->disk_shift = sector_div(first_sector, ++ zone->nb_dev); ++ } ++ } ++ + pr_debug("md/raid0:%s: 
done.\n", mdname(mddev)); + *private_conf = conf; + +@@ -427,6 +439,20 @@ static void raid0_free(struct mddev *mdd + kfree(conf); + } + ++/* ++ * Convert disk_index to the disk order in which it is read/written. ++ * For example, if we have 4 disks, they are numbered 0,1,2,3. If we ++ * write the disks starting at disk 3, then the read/write order would ++ * be disk 3, then 0, then 1, and then disk 2 and we want map_disk_shift() ++ * to map the disks as follows 0,1,2,3 => 1,2,3,0. So disk 0 would map ++ * to 1, 1 to 2, 2 to 3, and 3 to 0. That way we can compare disks in ++ * that 'output' space to understand the read/write disk ordering. ++ */ ++static int map_disk_shift(int disk_index, int num_disks, int disk_shift) ++{ ++ return ((disk_index + num_disks - disk_shift) % num_disks); ++} ++ + static void raid0_handle_discard(struct mddev *mddev, struct bio *bio) + { + struct r0conf *conf = mddev->private; +@@ -440,7 +466,9 @@ static void raid0_handle_discard(struct + sector_t end_disk_offset; + unsigned int end_disk_index; + unsigned int disk; ++ sector_t orig_start, orig_end; + ++ orig_start = start; + zone = find_zone(conf, &start); + + if (bio_end_sector(bio) > zone->zone_end) { +@@ -454,6 +482,7 @@ static void raid0_handle_discard(struct + } else + end = bio_end_sector(bio); + ++ orig_end = end; + if (zone != conf->strip_zone) + end = end - zone[-1].zone_end; + +@@ -465,13 +494,26 @@ static void raid0_handle_discard(struct + last_stripe_index = end; + sector_div(last_stripe_index, stripe_size); + +- start_disk_index = (int)(start - first_stripe_index * stripe_size) / +- mddev->chunk_sectors; ++ /* In the first zone the original and alternate layouts are the same */ ++ if ((conf->layout == RAID0_ORIG_LAYOUT) && (zone != conf->strip_zone)) { ++ sector_div(orig_start, mddev->chunk_sectors); ++ start_disk_index = sector_div(orig_start, zone->nb_dev); ++ start_disk_index = map_disk_shift(start_disk_index, ++ zone->nb_dev, ++ zone->disk_shift); ++ 
sector_div(orig_end, mddev->chunk_sectors); ++ end_disk_index = sector_div(orig_end, zone->nb_dev); ++ end_disk_index = map_disk_shift(end_disk_index, ++ zone->nb_dev, zone->disk_shift); ++ } else { ++ start_disk_index = (int)(start - first_stripe_index * stripe_size) / ++ mddev->chunk_sectors; ++ end_disk_index = (int)(end - last_stripe_index * stripe_size) / ++ mddev->chunk_sectors; ++ } + start_disk_offset = ((int)(start - first_stripe_index * stripe_size) % + mddev->chunk_sectors) + + first_stripe_index * mddev->chunk_sectors; +- end_disk_index = (int)(end - last_stripe_index * stripe_size) / +- mddev->chunk_sectors; + end_disk_offset = ((int)(end - last_stripe_index * stripe_size) % + mddev->chunk_sectors) + + last_stripe_index * mddev->chunk_sectors; +@@ -480,18 +522,22 @@ static void raid0_handle_discard(struct + sector_t dev_start, dev_end; + struct bio *discard_bio = NULL; + struct md_rdev *rdev; ++ int compare_disk; ++ ++ compare_disk = map_disk_shift(disk, zone->nb_dev, ++ zone->disk_shift); + +- if (disk < start_disk_index) ++ if (compare_disk < start_disk_index) + dev_start = (first_stripe_index + 1) * + mddev->chunk_sectors; +- else if (disk > start_disk_index) ++ else if (compare_disk > start_disk_index) + dev_start = first_stripe_index * mddev->chunk_sectors; + else + dev_start = start_disk_offset; + +- if (disk < end_disk_index) ++ if (compare_disk < end_disk_index) + dev_end = (last_stripe_index + 1) * mddev->chunk_sectors; +- else if (disk > end_disk_index) ++ else if (compare_disk > end_disk_index) + dev_end = last_stripe_index * mddev->chunk_sectors; + else + dev_end = end_disk_offset; +--- a/drivers/md/raid0.h ++++ b/drivers/md/raid0.h +@@ -6,6 +6,7 @@ struct strip_zone { + sector_t zone_end; /* Start of the next zone (in sectors) */ + sector_t dev_start; /* Zone offset in real dev (in sectors) */ + int nb_dev; /* # of devices attached to the zone */ ++ int disk_shift; /* start disk for the original layout */ + }; + + /* Linux 3.14 
(20d0189b101) made an unintended change to diff --git a/tmp-5.10/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch b/tmp-5.10/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch new file mode 100644 index 00000000000..5a2de32bfa0 --- /dev/null +++ b/tmp-5.10/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch 
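Review bot: The per-disk loop in raid0_handle_discard() now calls `map_disk_shift(disk, zone->nb_dev, zone->disk_shift)` for every zone and layout, but create_strip_zones() assigns `disk_shift` only when `conf->layout == RAID0_ORIG_LAYOUT`, and only for zones 1 and up. The alternate layout and zone 0 therefore discard the right ranges only if the strip_zone array is zero-filled at allocation, which happens outside these hunks. I would record that dependency in raid0.h: `int disk_shift; /* start disk for the original layout; must stay 0 for zone 0 and for the alternate layout */`.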
@@ -0,0 +1,65 @@ +From 386c7b4d579af23dfe234fa1e78bda68e7be6c6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 21:48:05 +0800 +Subject: md/raid10: check slab-out-of-bounds in md_bitmap_get_counter + +From: Li Nan + +[ Upstream commit 301867b1c16805aebbc306aafa6ecdc68b73c7e5 ] + +If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage() +will return -EINVAL because 'page >= bitmap->pages', but the return value +was not checked immediately in md_bitmap_get_counter() in order to set +*blocks value and slab-out-of-bounds occurs. + +Move check of 'page >= bitmap->pages' to md_bitmap_get_counter() and +return directly if true. + +Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230515134808.3936750-2-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md-bitmap.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c +index 20afc0aec1778..f843ade442dec 100644 +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -54,14 +54,7 @@ __acquires(bitmap->lock) + { + unsigned char *mappage; + +- if (page >= bitmap->pages) { +- /* This can happen if bitmap_start_sync goes beyond +- * End-of-device while looking for a whole page. +- * It is harmless. +- */ +- return -EINVAL; +- } +- ++ WARN_ON_ONCE(page >= bitmap->pages); + if (bitmap->bp[page].hijacked) /* it's hijacked, don't try to alloc */ + return 0; + +@@ -1365,6 +1358,14 @@ __acquires(bitmap->lock) + sector_t csize; + int err; + ++ if (page >= bitmap->pages) { ++ /* ++ * This can happen if bitmap_start_sync goes beyond ++ * End-of-device while looking for a whole page or ++ * user set a huge number to sysfs bitmap_set_bits. ++ */ ++ return NULL; ++ } + err = md_bitmap_checkpage(bitmap, page, create, 0); + + if (bitmap->bp[page].hijacked || +-- +2.39.2 + 
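Review bot: In md_bitmap_checkpage() the range check became `WARN_ON_ONCE(page >= bitmap->pages);`, which logs and then falls through to `bitmap->bp[page].hijacked` on the next line, so any caller that does not bound `page` itself still indexes past the array. Keeping the early exit costs nothing: `if (WARN_ON_ONCE(page >= bitmap->pages)) return -EINVAL;`. Separately, the new `return NULL` in md_bitmap_get_counter() comes before the point where, per the description, *blocks is set, so callers that read *blocks after a NULL return need checking. Those callers are outside the hunk.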
diff --git a/tmp-5.10/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch b/tmp-5.10/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch new file mode 100644 index 00000000000..91ea36b024f --- /dev/null +++ b/tmp-5.10/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch 
@@ -0,0 +1,79 @@ +From 4d9e559b8c3eb9360636faa593edb329d07e5d68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 17:18:39 +0800 +Subject: md/raid10: fix io loss while replacement replace rdev + +From: Li Nan + +[ Upstream commit 2ae6aaf76912bae53c74b191569d2ab484f24bf3 ] + +When removing a disk with replacement, the replacement will be used to +replace rdev. During this process, there is a brief window in which both +rdev and replacement are read as NULL in raid10_write_request(). This +will result in io not being submitted but it should be. + + //remove //write + raid10_remove_disk raid10_write_request + mirror->rdev = NULL + read rdev -> NULL + mirror->rdev = mirror->replacement + mirror->replacement = NULL + read replacement -> NULL + +Fix it by reading replacement first and rdev later, meanwhile, use smp_mb() +to prevent memory reordering. + +Fixes: 475b0321a4df ("md/raid10: writes should get directed to replacement as well as original.") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230602091839.743798-3-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 01680029f0de5..32a917e5103a6 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -751,8 +751,16 @@ static struct md_rdev *read_balance(struct r10conf *conf, + disk = r10_bio->devs[slot].devnum; + rdev = rcu_dereference(conf->mirrors[disk].replacement); + if (rdev == NULL || test_bit(Faulty, &rdev->flags) || +- r10_bio->devs[slot].addr + sectors > rdev->recovery_offset) ++ r10_bio->devs[slot].addr + sectors > ++ rdev->recovery_offset) { ++ /* ++ * Read replacement first to prevent reading both rdev ++ * and replacement as NULL during replacement replace ++ * rdev. 
++ */ ++ smp_mb(); + rdev = rcu_dereference(conf->mirrors[disk].rdev); ++ } + if (rdev == NULL || + test_bit(Faulty, &rdev->flags)) + continue; +@@ -1346,9 +1354,15 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio, + + for (i = 0; i < conf->copies; i++) { + int d = r10_bio->devs[i].devnum; +- struct md_rdev *rdev = rcu_dereference(conf->mirrors[d].rdev); +- struct md_rdev *rrdev = rcu_dereference( +- conf->mirrors[d].replacement); ++ struct md_rdev *rdev, *rrdev; ++ ++ rrdev = rcu_dereference(conf->mirrors[d].replacement); ++ /* ++ * Read replacement first to prevent reading both rdev and ++ * replacement as NULL during replacement replace rdev. ++ */ ++ smp_mb(); ++ rdev = rcu_dereference(conf->mirrors[d].rdev); + if (rdev == rrdev) + rrdev = NULL; + if (rdev && unlikely(test_bit(Blocked, &rdev->flags))) { +-- +2.39.2 + diff --git a/tmp-5.10/md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch b/tmp-5.10/md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch new file mode 100644 index 00000000000..5b096bb5d8e --- /dev/null +++ b/tmp-5.10/md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch 
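Review bot: The two added `smp_mb()` calls order the reader's loads of `replacement` and `rdev`, but their comments do not name the barrier they pair with on the removal side, and a read-side barrier on its own guarantees nothing. The description's diagram has raid10_remove_disk() storing `mirror->rdev = mirror->replacement` before clearing `mirror->replacement`; those two stores need a barrier between them, and that code is not part of this patch. I would extend each comment with the pairing, e.g. `/* pairs with the barrier between the rdev and replacement stores in raid10_remove_disk() */`, after confirming that barrier exists in this tree.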
@@ -0,0 +1,81 @@ +From e0aca2e91cd72aa9a8d67e78a15980205ecb955e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 15:22:15 +0800 +Subject: md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request + +From: Li Nan + +[ Upstream commit 34817a2441747b48e444cb0e05d84e14bc9443da ] + +There are two check of 'mreplace' in raid10_sync_request(). In the first +check, 'need_replace' will be set and 'mreplace' will be used later if +no-Faulty 'mreplace' exists, In the second check, 'mreplace' will be +set to NULL if it is Faulty, but 'need_replace' will not be changed +accordingly. null-ptr-deref occurs if Faulty is set between two check. + +Fix it by merging two checks into one. And replace 'need_replace' with +'mreplace' because their values are always the same. + +Fixes: ee37d7314a32 ("md/raid10: Fix raid10 replace hang when new added disk faulty") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230527072218.2365857-2-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 6a0459f9fafbc..01680029f0de5 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -3037,7 +3037,6 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, + int must_sync; + int any_working; + int need_recover = 0; +- int need_replace = 0; + struct raid10_info *mirror = &conf->mirrors[i]; + struct md_rdev *mrdev, *mreplace; + +@@ -3049,11 +3048,10 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, + !test_bit(Faulty, &mrdev->flags) && + !test_bit(In_sync, &mrdev->flags)) + need_recover = 1; +- if (mreplace != NULL && +- !test_bit(Faulty, &mreplace->flags)) +- need_replace = 1; ++ if (mreplace && test_bit(Faulty, &mreplace->flags)) ++ mreplace = NULL; + +- if (!need_recover && !need_replace) { ++ if 
(!need_recover && !mreplace) { + rcu_read_unlock(); + continue; + } +@@ -3069,8 +3067,6 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, + rcu_read_unlock(); + continue; + } +- if (mreplace && test_bit(Faulty, &mreplace->flags)) +- mreplace = NULL; + /* Unless we are doing a full sync, or a replacement + * we only need to recover the block if it is set in + * the bitmap +@@ -3193,11 +3189,11 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, + bio = r10_bio->devs[1].repl_bio; + if (bio) + bio->bi_end_io = NULL; +- /* Note: if need_replace, then bio ++ /* Note: if replace is not NULL, then bio + * cannot be NULL as r10buf_pool_alloc will + * have allocated it. + */ +- if (!need_replace) ++ if (!mreplace) + break; + bio->bi_next = biolist; + biolist = bio; +-- +2.39.2 + diff --git a/tmp-5.10/md-raid10-fix-overflow-of-md-safe_mode_delay.patch b/tmp-5.10/md-raid10-fix-overflow-of-md-safe_mode_delay.patch new file mode 100644 index 00000000000..29d77c42f5a --- /dev/null +++ b/tmp-5.10/md-raid10-fix-overflow-of-md-safe_mode_delay.patch 
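Review bot: The rewritten comment in the last hunk of raid10_sync_request() says `if replace is not NULL`, but the variable tested two lines later is `mreplace`; `/* Note: if mreplace is not NULL, then bio` would match the code. The merged check still samples the Faulty bit only once, so later code (outside these hunks) that uses `mreplace` presumably has to tolerate the bit being set afterwards. A short comment at the merged check saying that a non-NULL `mreplace` now stands in for the removed `need_replace` flag would help the next reader.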
@@ -0,0 +1,51 @@
+From b30b16a728ee79acd711c60e324c2cfa423aaaeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 May 2023 15:25:33 +0800
+Subject: md/raid10: fix overflow of md/safe_mode_delay
+
+From: Li Nan
+
+[ Upstream commit 6beb489b2eed25978523f379a605073f99240c50 ]
+
+There is no input check when echo md/safe_mode_delay in safe_delay_store().
+And msec might also overflow when HZ < 1000 in safe_delay_show(), Fix it by
+checking overflow in safe_delay_store() and use unsigned long conversion in
+safe_delay_show().
+
+Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers")
+Signed-off-by: Li Nan
+Signed-off-by: Song Liu
+Link: https://lore.kernel.org/r/20230522072535.1523740-2-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin
+---
+ drivers/md/md.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 1553c2495841b..204838a6d443e 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -3890,8 +3890,9 @@ int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale)
+ static ssize_t
+ safe_delay_show(struct mddev *mddev, char *page)
+ {
+- int msec = (mddev->safemode_delay*1000)/HZ;
+- return sprintf(page, "%d.%03d\n", msec/1000, msec%1000);
++ unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ;
++
++ return sprintf(page, "%u.%03u\n", msec/1000, msec%1000);
+ }
+ static ssize_t
+ safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
+@@ -3903,7 +3904,7 @@ safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len)
+ return -EINVAL;
+ }
+
+- if (strict_strtoul_scaled(cbuf, &msec, 3) < 0)
++ if (strict_strtoul_scaled(cbuf, &msec, 3) < 0 || msec > UINT_MAX / HZ)
+ return -EINVAL;
+ if (msec == 0)
+ mddev->safemode_delay = 0;
+--
+2.39.2
+
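Review bot: The new bound `msec > UINT_MAX / HZ` in safe_delay_store() does not say which computation it protects, and that computation lies outside the hunk. A one-line comment above the check, such as `/* msec * HZ below must fit in an unsigned int */`, would tie it to the conversion that follows, assuming that multiplication is what is being guarded. In safe_delay_show() the `(unsigned long)` cast gives no extra width on 32-bit builds, so the show side presumably relies on the store-side bound; that is worth stating next to the cast.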
diff --git a/tmp-5.10/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch b/tmp-5.10/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch
new file mode 100644
index 00000000000..1ab0412df02
--- /dev/null
+++ b/tmp-5.10/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch
@@ -0,0 +1,38 @@
+From fc949584cca57f4a65bcdce6230955bbdb8fdf22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 May 2023 15:25:34 +0800
+Subject: md/raid10: fix wrong setting of max_corr_read_errors
+
+From: Li Nan
+
+[ Upstream commit f8b20a405428803bd9881881d8242c9d72c6b2b2 ]
+
+There is no input check when echo md/max_read_errors and overflow might
+occur. Add check of input number.
+
+Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.")
+Signed-off-by: Li Nan
+Reviewed-by: Yu Kuai
+Signed-off-by: Song Liu
+Link: https://lore.kernel.org/r/20230522072535.1523740-3-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin
+---
+ drivers/md/md.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 204838a6d443e..bbf39abc32b79 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -4574,6 +4574,8 @@ max_corrected_read_errors_store(struct mddev *mddev, const char *buf, size_t len
+ rv = kstrtouint(buf, 10, &n);
+ if (rv < 0)
+ return rv;
++ if (n > INT_MAX)
++ return -EINVAL;
+ atomic_set(&mddev->max_corr_read_errors, n);
+ return len;
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/md-raid10-prevent-soft-lockup-while-flush-writes.patch b/tmp-5.10/md-raid10-prevent-soft-lockup-while-flush-writes.patch
new file mode 100644
index 00000000000..93879f61a6c
--- /dev/null
+++ b/tmp-5.10/md-raid10-prevent-soft-lockup-while-flush-writes.patch
@@ -0,0 +1,79 @@ +From ce0f5dd6857f9bc9ed16056cd85019a75757c467 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 21:11:00 +0800 +Subject: md/raid10: prevent soft lockup while flush writes + +From: Yu Kuai + +[ Upstream commit 010444623e7f4da6b4a4dd603a7da7469981e293 ] + +Currently, there is no limit for raid1/raid10 plugged bio. While flushing +writes, raid1 has cond_resched() while raid10 doesn't, and too many +writes can cause soft lockup. + +Follow up soft lockup can be triggered easily with writeback test for +raid10 with ramdisks: + +watchdog: BUG: soft lockup - CPU#10 stuck for 27s! [md0_raid10:1293] +Call Trace: + + call_rcu+0x16/0x20 + put_object+0x41/0x80 + __delete_object+0x50/0x90 + delete_object_full+0x2b/0x40 + kmemleak_free+0x46/0xa0 + slab_free_freelist_hook.constprop.0+0xed/0x1a0 + kmem_cache_free+0xfd/0x300 + mempool_free_slab+0x1f/0x30 + mempool_free+0x3a/0x100 + bio_free+0x59/0x80 + bio_put+0xcf/0x2c0 + free_r10bio+0xbf/0xf0 + raid_end_bio_io+0x78/0xb0 + one_write_done+0x8a/0xa0 + raid10_end_write_request+0x1b4/0x430 + bio_endio+0x175/0x320 + brd_submit_bio+0x3b9/0x9b7 [brd] + __submit_bio+0x69/0xe0 + submit_bio_noacct_nocheck+0x1e6/0x5a0 + submit_bio_noacct+0x38c/0x7e0 + flush_pending_writes+0xf0/0x240 + raid10d+0xac/0x1ed0 + +Fix the problem by adding cond_resched() to raid10 like what raid1 did. + +Note that unlimited plugged bio still need to be optimized, for example, +in the case of lots of dirty pages writeback, this will take lots of +memory and io will spend a long time in plug, hence io latency is bad. 
+ +Signed-off-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230529131106.2123367-2-yukuai1@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 32a917e5103a6..55144f7d93037 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -902,6 +902,7 @@ static void flush_pending_writes(struct r10conf *conf) + else + submit_bio_noacct(bio); + bio = next; ++ cond_resched(); + } + blk_finish_plug(&plug); + } else +@@ -1095,6 +1096,7 @@ static void raid10_unplug(struct blk_plug_cb *cb, bool from_schedule) + else + submit_bio_noacct(bio); + bio = next; ++ cond_resched(); + } + kfree(plug); + } +-- +2.39.2 + diff --git a/tmp-5.10/media-atomisp-fix-variable-dereferenced-before-check-asd.patch b/tmp-5.10/media-atomisp-fix-variable-dereferenced-before-check-asd.patch new file mode 100644 index 00000000000..48a3017e01b --- /dev/null +++ b/tmp-5.10/media-atomisp-fix-variable-dereferenced-before-check-asd.patch 
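Review bot: `cond_resched()` is added inside the bio loop of raid10_unplug(), a plug callback that takes `from_schedule`, and the hunk does not show what keeps that loop out of a context where rescheduling is not allowed. If an earlier branch (outside the hunk) hands the list to the md thread and returns when `from_schedule` is set, the call is fine. A comment on it would record that assumption, e.g. `/* only reached when !from_schedule, so rescheduling is allowed */`. Both raid10_unplug() and flush_pending_writes() start outside their hunks, so this needs checking against the full functions.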
@@ -0,0 +1,63 @@ +From ac56760a8bbb4e654b2fd54e5de79dd5d72f937d Mon Sep 17 00:00:00 2001 +From: Tsuchiya Yuto +Date: Wed, 1 Dec 2021 15:19:04 +0100 +Subject: media: atomisp: fix "variable dereferenced before check 'asd'" + +From: Tsuchiya Yuto + +commit ac56760a8bbb4e654b2fd54e5de79dd5d72f937d upstream. + +There are two occurrences where the variable 'asd' is dereferenced +before check. Fix this issue by using the variable after the check. + +Link: https://lore.kernel.org/linux-media/20211122074122.GA6581@kili/ + +Link: https://lore.kernel.org/linux-media/20211201141904.47231-1-kitakar@gmail.com +Reported-by: Dan Carpenter +Signed-off-by: Tsuchiya Yuto +Signed-off-by: Mauro Carvalho Chehab +Igned-off-by: Anastasia Belova +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/atomisp/pci/atomisp_cmd.c | 3 ++- + drivers/staging/media/atomisp/pci/atomisp_ioctl.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c +@@ -5243,7 +5243,7 @@ static int atomisp_set_fmt_to_isp(struct + int (*configure_pp_input)(struct atomisp_sub_device *asd, + unsigned int width, unsigned int height) = + configure_pp_input_nop; +- u16 stream_index = atomisp_source_pad_to_stream_id(asd, source_pad); ++ u16 stream_index; + const struct atomisp_in_fmt_conv *fc; + int ret, i; + +@@ -5252,6 +5252,7 @@ static int atomisp_set_fmt_to_isp(struct + __func__, vdev->name); + return -EINVAL; + } ++ stream_index = atomisp_source_pad_to_stream_id(asd, source_pad); + + v4l2_fh_init(&fh.vfh, vdev); + +--- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c ++++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +@@ -1123,7 +1123,7 @@ int __atomisp_reqbufs(struct file *file, + struct ia_css_frame *frame; + struct videobuf_vmalloc_memory *vm_mem; + u16 source_pad = atomisp_subdev_source_pad(vdev); +- u16 stream_id = atomisp_source_pad_to_stream_id(asd, source_pad); ++ u16 stream_id; 
+ int ret = 0, i = 0; + + if (!asd) { +@@ -1131,6 +1131,7 @@ int __atomisp_reqbufs(struct file *file, + __func__, vdev->name); + return -EINVAL; + } ++ stream_id = atomisp_source_pad_to_stream_id(asd, source_pad); + + if (req->count == 0) { + mutex_lock(&pipe->capq.vb_lock); diff --git a/tmp-5.10/media-atomisp-gmin_platform-fix-out_len-in-gmin_get_.patch b/tmp-5.10/media-atomisp-gmin_platform-fix-out_len-in-gmin_get_.patch new file mode 100644 index 00000000000..90baded7799 --- /dev/null +++ b/tmp-5.10/media-atomisp-gmin_platform-fix-out_len-in-gmin_get_.patch 
@@ -0,0 +1,42 @@
+From 24f37a094cda6fdd619038c997a39f2bd01ef57b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 May 2023 12:53:23 +0100
+Subject: media: atomisp: gmin_platform: fix out_len in
+ gmin_get_config_dsm_var()
+
+From: Dan Carpenter
+
+[ Upstream commit 1657f2934daf89e8d9fa4b2697008909eb22c73e ]
+
+Ideally, strlen(cur->string.pointer) and strlen(out) would be the same.
+But this code is using strscpy() to avoid a potential buffer overflow.
+So in the same way we should take the strlen() of the smaller string to
+avoid a buffer overflow in the caller, gmin_get_var_int().
+
+Link: https://lore.kernel.org/r/26124bcd-8132-4483-9d67-225c87d424e8@kili.mountain
+
+Fixes: 387041cda44e ("media: atomisp: improve sensor detection code to use _DSM table")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Hans de Goede
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
+index c9ee85037644f..f0387486eb174 100644
+--- a/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
++++ b/drivers/staging/media/atomisp/pci/atomisp_gmin_platform.c
+@@ -1198,7 +1198,7 @@ static int gmin_get_config_dsm_var(struct device *dev,
+ dev_info(dev, "found _DSM entry for '%s': %s\n", var,
+ cur->string.pointer);
+ strscpy(out, cur->string.pointer, *out_len);
+- *out_len = strlen(cur->string.pointer);
++ *out_len = strlen(out);
+
+ ACPI_FREE(obj);
+ return 0;
+--
+2.39.2
+
diff --git a/tmp-5.10/media-cec-i2c-ch7322-also-select-regmap.patch b/tmp-5.10/media-cec-i2c-ch7322-also-select-regmap.patch
new file mode 100644
index 00000000000..0972bc6866e
--- /dev/null
+++ b/tmp-5.10/media-cec-i2c-ch7322-also-select-regmap.patch
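Review bot: The return value of `strscpy()` in gmin_get_config_dsm_var() is still discarded, so a firmware-supplied _DSM string longer than the caller's buffer is truncated without any error. If `*out_len` is 0, strscpy() writes nothing and the new `strlen(out)` then reads whatever the buffer held. strscpy() already returns the copied length or -E2BIG, so its result can be used directly: `ret = strscpy(out, cur->string.pointer, *out_len);` with `*out_len = ret;` on success, and the negative case either returned (after `ACPI_FREE(obj)`) or at least logged. The function starts outside the hunk, so whether a suitable `ret` local already exists is not visible here.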
@@ -0,0 +1,69 @@ +From 5e051363fb7b1b7787d0243ced8a391a95c0a79a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 04:54:35 +0200 +Subject: media: cec: i2c: ch7322: also select REGMAP + +From: Randy Dunlap + +[ Upstream commit 29f96ac23648b2259f42d40703c47dd18fd172ca ] + +Selecting only REGMAP_I2C can leave REGMAP unset, causing build errors, +so also select REGMAP to prevent the build errors. + +../drivers/media/cec/i2c/ch7322.c:158:21: error: variable 'ch7322_regmap' has initializer but incomplete type + 158 | static const struct regmap_config ch7322_regmap = { +../drivers/media/cec/i2c/ch7322.c:159:10: error: 'const struct regmap_config' has no member named 'reg_bits' + 159 | .reg_bits = 8, +../drivers/media/cec/i2c/ch7322.c:159:21: warning: excess elements in struct initializer + 159 | .reg_bits = 8, +../drivers/media/cec/i2c/ch7322.c:160:10: error: 'const struct regmap_config' has no member named 'val_bits' + 160 | .val_bits = 8, +../drivers/media/cec/i2c/ch7322.c:160:21: warning: excess elements in struct initializer + 160 | .val_bits = 8, +../drivers/media/cec/i2c/ch7322.c:161:10: error: 'const struct regmap_config' has no member named 'max_register' + 161 | .max_register = 0x7f, +../drivers/media/cec/i2c/ch7322.c:161:25: warning: excess elements in struct initializer + 161 | .max_register = 0x7f, +../drivers/media/cec/i2c/ch7322.c:162:10: error: 'const struct regmap_config' has no member named 'disable_locking' + 162 | .disable_locking = true, +../drivers/media/cec/i2c/ch7322.c:162:28: warning: excess elements in struct initializer + 162 | .disable_locking = true, +../drivers/media/cec/i2c/ch7322.c: In function 'ch7322_probe': +../drivers/media/cec/i2c/ch7322.c:468:26: error: implicit declaration of function 'devm_regmap_init_i2c' [-Werror=implicit-function-declaration] + 468 | ch7322->regmap = devm_regmap_init_i2c(client, &ch7322_regmap); +../drivers/media/cec/i2c/ch7322.c:468:24: warning: assignment to 'struct regmap *' from 'int' makes 
pointer from integer without a cast [-Wint-conversion] + 468 | ch7322->regmap = devm_regmap_init_i2c(client, &ch7322_regmap); +../drivers/media/cec/i2c/ch7322.c: At top level: +../drivers/media/cec/i2c/ch7322.c:158:35: error: storage size of 'ch7322_regmap' isn't known + 158 | static const struct regmap_config ch7322_regmap = { + +Link: https://lore.kernel.org/linux-media/20230608025435.29249-1-rdunlap@infradead.org +Fixes: 21b9a47e0ec7 ("media: cec: i2c: ch7322: Add ch7322 CEC controller driver") +Signed-off-by: Randy Dunlap +Cc: Jeff Chase +Cc: Hans Verkuil +Cc: Joe Tessler +Cc: Arnd Bergmann +Cc: Mark Brown +Cc: Masahiro Yamada +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/cec/i2c/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/cec/i2c/Kconfig b/drivers/media/cec/i2c/Kconfig +index 70432a1d69186..d912d143fb312 100644 +--- a/drivers/media/cec/i2c/Kconfig ++++ b/drivers/media/cec/i2c/Kconfig +@@ -5,6 +5,7 @@ + config CEC_CH7322 + tristate "Chrontel CH7322 CEC controller" + depends on I2C ++ select REGMAP + select REGMAP_I2C + select CEC_CORE + help +-- +2.39.2 + diff --git a/tmp-5.10/media-usb-check-az6007_read-return-value.patch b/tmp-5.10/media-usb-check-az6007_read-return-value.patch new file mode 100644 index 00000000000..41c8c1dd90d --- /dev/null +++ b/tmp-5.10/media-usb-check-az6007_read-return-value.patch 
@@ -0,0 +1,38 @@
+From c6af9662d3d6edf3d2bbc10fa5c62fdba365f6b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Mar 2023 10:04:49 -0700
+Subject: media: usb: Check az6007_read() return value
+
+From: Daniil Dulov
+
+[ Upstream commit fdaca63186f59fc664b346c45b76576624b48e57 ]
+
+If az6007_read() returns error, there is no sence to continue.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 3af2f4f15a61 ("[media] az6007: Change the az6007 read/write routine parameter")
+Signed-off-by: Daniil Dulov
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
+index 62ee09f28a0bc..7524c90f5da61 100644
+--- a/drivers/media/usb/dvb-usb-v2/az6007.c
++++ b/drivers/media/usb/dvb-usb-v2/az6007.c
+@@ -202,7 +202,8 @@ static int az6007_rc_query(struct dvb_usb_device *d)
+ unsigned code;
+ enum rc_proto proto;
+
+- az6007_read(d, AZ6007_READ_IR, 0, 0, st->data, 10);
++ if (az6007_read(d, AZ6007_READ_IR, 0, 0, st->data, 10) < 0)
++ return -EIO;
+
+ if (st->data[1] == 0x44)
+ return 0;
+--
+2.39.2
+
diff --git a/tmp-5.10/media-usb-siano-fix-warning-due-to-null-work_func_t-.patch b/tmp-5.10/media-usb-siano-fix-warning-due-to-null-work_func_t-.patch
new file mode 100644
index 00000000000..ec9c1794267
--- /dev/null
+++ b/tmp-5.10/media-usb-siano-fix-warning-due-to-null-work_func_t-.patch
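Review bot: The new check in az6007_rc_query() replaces whatever error az6007_read() reported with a fixed `-EIO`, so callers and logs can no longer tell the causes apart. Passing the code through keeps that information: `ret = az6007_read(d, AZ6007_READ_IR, 0, 0, st->data, 10);` followed by `if (ret < 0) return ret;`, with an `int ret` local. The function body continues outside the hunk.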
@@ -0,0 +1,83 @@ +From eef4166ddd9baaece342e36420631e4910a5914b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 May 2023 07:59:32 +0800 +Subject: media: usb: siano: Fix warning due to null work_func_t function + pointer + +From: Duoming Zhou + +[ Upstream commit 6f489a966fbeb0da63d45c2c66a8957eab604bf6 ] + +The previous commit ebad8e731c1c ("media: usb: siano: Fix use after +free bugs caused by do_submit_urb") adds cancel_work_sync() in +smsusb_stop_streaming(). But smsusb_stop_streaming() may be called, +even if the work_struct surb->wq has not been initialized. As a result, +the warning will occur. One of the processes that could lead to warning +is shown below: + +smsusb_probe() + smsusb_init_device() + if (!dev->in_ep || !dev->out_ep || align < 0) { + smsusb_term_device(intf); + smsusb_stop_streaming() + cancel_work_sync(&dev->surbs[i].wq); + __cancel_work_timer() + __flush_work() + if (WARN_ON(!work->func)) // work->func is null + +The log reported by syzbot is shown below: + +WARNING: CPU: 0 PID: 897 at kernel/workqueue.c:3066 __flush_work+0x798/0xa80 kernel/workqueue.c:3063 +Modules linked in: +CPU: 0 PID: 897 Comm: kworker/0:2 Not tainted 6.2.0-rc1-syzkaller #0 +RIP: 0010:__flush_work+0x798/0xa80 kernel/workqueue.c:3066 +... 
+RSP: 0018:ffffc9000464ebf8 EFLAGS: 00010246 +RAX: 1ffff11002dbb420 RBX: 0000000000000021 RCX: 1ffffffff204fa4e +RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888016dda0e8 +RBP: ffffc9000464ed98 R08: 0000000000000001 R09: ffffffff90253b2f +R10: 0000000000000001 R11: 0000000000000000 R12: ffff888016dda0e8 +R13: ffff888016dda0e8 R14: ffff888016dda100 R15: 0000000000000001 +FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffd4331efe8 CR3: 000000000b48e000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3160 + smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline] + smsusb_term_device+0xda/0x2d0 drivers/media/usb/siano/smsusb.c:344 + smsusb_init_device+0x400/0x9ce drivers/media/usb/siano/smsusb.c:419 + smsusb_probe+0xbbd/0xc55 drivers/media/usb/siano/smsusb.c:567 +... + +This patch adds check before cancel_work_sync(). If surb->wq has not +been initialized, the cancel_work_sync() will not be executed. 
+ +Reported-by: syzbot+27b0b464864741b18b99@syzkaller.appspotmail.com +Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb") +Signed-off-by: Duoming Zhou +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/siano/smsusb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c +index 1babfe6e2c361..5c223b5498b4b 100644 +--- a/drivers/media/usb/siano/smsusb.c ++++ b/drivers/media/usb/siano/smsusb.c +@@ -179,7 +179,8 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev) + + for (i = 0; i < MAX_URBS; i++) { + usb_kill_urb(&dev->surbs[i].urb); +- cancel_work_sync(&dev->surbs[i].wq); ++ if (dev->surbs[i].wq.func) ++ cancel_work_sync(&dev->surbs[i].wq); + + if (dev->surbs[i].cb) { + smscore_putbuffer(dev->coredev, dev->surbs[i].cb); +-- +2.39.2 + diff --git a/tmp-5.10/media-venus-helpers-fix-align-of-non-power-of-two.patch b/tmp-5.10/media-venus-helpers-fix-align-of-non-power-of-two.patch new file mode 100644 index 00000000000..2a7922550b6 --- /dev/null +++ b/tmp-5.10/media-venus-helpers-fix-align-of-non-power-of-two.patch 
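Review bot: Testing `dev->surbs[i].wq.func` in smsusb_stop_streaming() makes teardown depend on work_struct internals and on the device structure having been zero-filled at allocation, which this hunk does not show. A sturdier arrangement is to run INIT_WORK() on every surb before the first point in smsusb_init_device() that can reach smsusb_term_device(), so that cancel_work_sync() is always valid. If the field test stays, a comment such as `/* wq is only initialised once the URBs are set up; relies on a zeroed allocation */` should record the assumption.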
@@ -0,0 +1,51 @@
+From 68795b78a6685f75fa9962152a32f9bac8065db6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 12 Sep 2020 20:03:01 +0100
+Subject: media: venus: helpers: Fix ALIGN() of non power of two
+
+From: Rikard Falkeborn
+
+[ Upstream commit 927e78ac8bc58155316cf6f46026e1912bbbbcfc ]
+
+ALIGN() expects its second argument to be a power of 2, otherwise
+incorrect results are produced for some inputs. The output can be
+both larger or smaller than what is expected.
+
+For example, ALIGN(304, 192) equals 320 instead of 384, and
+ALIGN(65, 192) equals 256 instead of 192.
+
+However, nestling two ALIGN() as is done in this case seem to only
+produce results equal to or bigger than the expected result if ALIGN()
+had handled non powers of two, and that in turn results in framesizes
+that are either the correct size or too large.
+
+Fortunately, since 192 * 4 / 3 equals 256, it turns out that one ALIGN()
+is sufficient.
+
+Fixes: ab1eda449c6e ("media: venus: vdec: handle 10bit bitstreams")
+Signed-off-by: Rikard Falkeborn
+Signed-off-by: Stanimir Varbanov
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/qcom/venus/helpers.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/qcom/venus/helpers.c b/drivers/media/platform/qcom/venus/helpers.c
+index 5ca3920237c5a..5fdce5f07364e 100644
+--- a/drivers/media/platform/qcom/venus/helpers.c
++++ b/drivers/media/platform/qcom/venus/helpers.c
+@@ -917,8 +917,8 @@ static u32 get_framesize_raw_yuv420_tp10_ubwc(u32 width, u32 height)
+ u32 extradata = SZ_16K;
+ u32 size;
+
+- y_stride = ALIGN(ALIGN(width, 192) * 4 / 3, 256);
+- uv_stride = ALIGN(ALIGN(width, 192) * 4 / 3, 256);
++ y_stride = ALIGN(width * 4 / 3, 256);
++ uv_stride = ALIGN(width * 4 / 3, 256);
+ y_sclines = ALIGN(height, 16);
+ uv_sclines = ALIGN((height + 1) >> 1, 16);
+
+--
+2.39.2
+
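Review bot: The reason a single `ALIGN(width * 4 / 3, 256)` is enough exists only in the commit message, so the stride lines in get_framesize_raw_yuv420_tp10_ubwc() now read as if the 192-pixel alignment had simply been dropped. A comment above them would keep the reasoning with the code, e.g. `/* 192 * 4 / 3 == 256, so aligning the scaled width to 256 also covers the 192-pixel alignment */`. `y_stride` and `uv_stride` are computed by the same expression and could share one evaluation. The function continues outside the hunk.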
diff --git a/tmp-5.10/media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch b/tmp-5.10/media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch new file mode 100644 index 00000000000..2eef8376c66 --- /dev/null +++ b/tmp-5.10/media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch 
@@ -0,0 +1,62 @@ +From 5587bb26600eadc5dcc5590b653d602fe4a3ba24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 May 2023 15:36:49 +0200 +Subject: media: videodev2.h: Fix struct v4l2_input tuner index comment + +From: Marek Vasut + +[ Upstream commit 26ae58f65e64fa7ba61d64bae752e59e08380c6a ] + +VIDIOC_ENUMINPUT documentation describes the tuner field of +struct v4l2_input as index: + +Documentation/userspace-api/media/v4l/vidioc-enuminput.rst +" +* - __u32 + - ``tuner`` + - Capture devices can have zero or more tuners (RF demodulators). + When the ``type`` is set to ``V4L2_INPUT_TYPE_TUNER`` this is an + RF connector and this field identifies the tuner. It corresponds + to struct :c:type:`v4l2_tuner` field ``index``. For + details on tuners see :ref:`tuner`. +" + +Drivers I could find also use the 'tuner' field as an index, e.g.: +drivers/media/pci/bt8xx/bttv-driver.c bttv_enum_input() +drivers/media/usb/go7007/go7007-v4l2.c vidioc_enum_input() + +However, the UAPI comment claims this field is 'enum v4l2_tuner_type': +include/uapi/linux/videodev2.h + +This field being 'enum v4l2_tuner_type' is unlikely as it seems to be +never used that way in drivers, and documentation confirms it. It seem +this comment got in accidentally in the commit which this patch fixes. +Fix the UAPI comment to stop confusion. + +This was pointed out by Dmitry while reviewing VIDIOC_ENUMINPUT +support for strace. 
+ +Fixes: 6016af82eafc ("[media] v4l2: use __u32 rather than enums in ioctl() structs") +Signed-off-by: Marek Vasut +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + include/uapi/linux/videodev2.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h +index b28817c59fdf2..55b8c4b824797 100644 +--- a/include/uapi/linux/videodev2.h ++++ b/include/uapi/linux/videodev2.h +@@ -1644,7 +1644,7 @@ struct v4l2_input { + __u8 name[32]; /* Label */ + __u32 type; /* Type of input */ + __u32 audioset; /* Associated audios (bitfield) */ +- __u32 tuner; /* enum v4l2_tuner_type */ ++ __u32 tuner; /* Tuner index */ + v4l2_std_id std; + __u32 status; + __u32 capabilities; +-- +2.39.2 + diff --git a/tmp-5.10/memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch b/tmp-5.10/memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch new file mode 100644 index 00000000000..282275828e8 --- /dev/null +++ b/tmp-5.10/memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch 
@@ -0,0 +1,50 @@
+From 8692fe93f831a0e5f8228bfa5adfa0fa6acbae89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 May 2023 13:29:31 +0200
+Subject: memory: brcmstb_dpfe: fix testing array offset after use
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 1d9e93fad549bc38f593147479ee063f2872c170 ]
+
+Code should first check for valid value of array offset, then use it as
+the index. Fixes smatch warning:
+
+ drivers/memory/brcmstb_dpfe.c:443 __send_command() error: testing array offset 'cmd' after use.
+
+Fixes: 2f330caff577 ("memory: brcmstb: Add driver for DPFE")
+Acked-by: Markus Mayer
+Reviewed-by: Florian Fainelli
+Link: https://lore.kernel.org/r/20230513112931.176066-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Sasha Levin
+---
+ drivers/memory/brcmstb_dpfe.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/memory/brcmstb_dpfe.c b/drivers/memory/brcmstb_dpfe.c
+index f43ba69fbb3e3..2daae2e0cb19e 100644
+--- a/drivers/memory/brcmstb_dpfe.c
++++ b/drivers/memory/brcmstb_dpfe.c
+@@ -434,15 +434,17 @@ static void __finalize_command(struct brcmstb_dpfe_priv *priv)
+ static int __send_command(struct brcmstb_dpfe_priv *priv, unsigned int cmd,
+ u32 result[])
+ {
+- const u32 *msg = priv->dpfe_api->command[cmd];
+ void __iomem *regs = priv->regs;
+ unsigned int i, chksum, chksum_idx;
++ const u32 *msg;
+ int ret = 0;
+ u32 resp;
+
+ if (cmd >= DPFE_CMD_MAX)
+ return -1;
+
++ msg = priv->dpfe_api->command[cmd];
++
+ mutex_lock(&priv->lock);
+
+ /* Wait for DCPU to become ready */
+--
+2.39.2
+
diff --git a/tmp-5.10/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch b/tmp-5.10/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch
new file mode 100644
index 00000000000..1e02dd69fac
--- /dev/null
+++ b/tmp-5.10/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch
@@ -0,0 +1,49 @@
+From 12e8019e683678656271e29ed55e4a1cfad6473a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 22:27:04 +0200
+Subject: memstick r592: make memstick_debug_get_tpc_name() static
+
+From: Arnd Bergmann
+
+[ Upstream commit 434587df9f7fd68575f99a889cc5f2efc2eaee5e ]
+
+There are no other files referencing this function, apparently
+it was left global to avoid an 'unused function' warning when
+the only caller is left out. With a 'W=1' build, it causes
+a 'missing prototype' warning though:
+
+drivers/memstick/host/r592.c:47:13: error: no previous prototype for 'memstick_debug_get_tpc_name' [-Werror=missing-prototypes]
+
+Annotate the function as 'static __maybe_unused' to avoid both
+problems.
+
+Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader")
+Signed-off-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20230516202714.560929-1-arnd@kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+---
+ drivers/memstick/host/r592.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c
+index dd06c18495eb6..0e37c6a5ee36c 100644
+--- a/drivers/memstick/host/r592.c
++++ b/drivers/memstick/host/r592.c
+@@ -44,12 +44,10 @@ static const char *tpc_names[] = {
+ * memstick_debug_get_tpc_name - debug helper that returns string for
+ * a TPC number
+ */
+-const char *memstick_debug_get_tpc_name(int tpc)
++static __maybe_unused const char *memstick_debug_get_tpc_name(int tpc)
+ {
+ return tpc_names[tpc-1];
+ }
+-EXPORT_SYMBOL(memstick_debug_get_tpc_name);
+-
+
+ /* Read a register*/
+ static inline u32 r592_read_reg(struct r592_device *dev, int address)
+--
+2.39.2
+
diff --git a/tmp-5.10/meson-saradc-fix-clock-divider-mask-length.patch b/tmp-5.10/meson-saradc-fix-clock-divider-mask-length.patch
new file mode 100644
index 00000000000..7a45af73f99
--- /dev/null
+++ b/tmp-5.10/meson-saradc-fix-clock-divider-mask-length.patch
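Review bot: memstick_debug_get_tpc_name() indexes `tpc_names[tpc-1]` with no range check, so a `tpc` of 0 or one beyond the table reads outside the array; the hunk changes only the linkage and leaves that untouched. Now that the helper is file-local, a guard costs little: `if (tpc < 1 || tpc > ARRAY_SIZE(tpc_names)) return "?";` (the fallback string is a placeholder). Whether any caller can pass such a value is not visible in this hunk.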
@@ -0,0 +1,37 @@
+From c57fa0037024c92c2ca34243e79e857da5d2c0a9 Mon Sep 17 00:00:00 2001
+From: George Stark
+Date: Tue, 6 Jun 2023 19:53:57 +0300
+Subject: meson saradc: fix clock divider mask length
+
+From: George Stark
+
+commit c57fa0037024c92c2ca34243e79e857da5d2c0a9 upstream.
+
+According to the datasheets of supported meson SoCs length of ADC_CLK_DIV
+field is 6-bit. Although all supported SoCs have the register
+with that field documented later SoCs use external clock rather than
+ADC internal clock so this patch affects only meson8 family (S8* SoCs).
+
+Fixes: 3adbf3427330 ("iio: adc: add a driver for the SAR ADC found in Amlogic Meson SoCs")
+Signed-off-by: George Stark
+Reviewed-by: Andy Shevchenko
+Reviewed-by: Martin Blumenstingl
+Link: https://lore.kernel.org/r/20230606165357.42417-1-gnstark@sberdevices.ru
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/meson_saradc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/meson_saradc.c
++++ b/drivers/iio/adc/meson_saradc.c
+@@ -71,7 +71,7 @@
+ #define MESON_SAR_ADC_REG3_PANEL_DETECT_COUNT_MASK GENMASK(20, 18)
+ #define MESON_SAR_ADC_REG3_PANEL_DETECT_FILTER_TB_MASK GENMASK(17, 16)
+ #define MESON_SAR_ADC_REG3_ADC_CLK_DIV_SHIFT 10
+- #define MESON_SAR_ADC_REG3_ADC_CLK_DIV_WIDTH 5
++ #define MESON_SAR_ADC_REG3_ADC_CLK_DIV_WIDTH 6
+ #define MESON_SAR_ADC_REG3_BLOCK_DLY_SEL_MASK GENMASK(9, 8)
+ #define MESON_SAR_ADC_REG3_BLOCK_DLY_MASK GENMASK(7, 0)
+
diff --git a/tmp-5.10/mfd-intel-lpss-add-missing-check-for-platform_get_re.patch b/tmp-5.10/mfd-intel-lpss-add-missing-check-for-platform_get_re.patch
new file mode 100644
index 00000000000..4e687db21f7
--- /dev/null
+++ b/tmp-5.10/mfd-intel-lpss-add-missing-check-for-platform_get_re.patch
@@ -0,0 +1,38 @@
+From d404583f6cd336dbfd1430dc204f1eb214fffb12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Jun 2023 09:48:18 +0800
+Subject: mfd: intel-lpss: Add missing check for platform_get_resource
+
+From: Jiasheng Jiang
+
+[ Upstream commit d918e0d5824495a75d00b879118b098fcab36fdb ]
+
+Add the missing check for platform_get_resource and return error
+if it fails.
+
+Fixes: 4b45efe85263 ("mfd: Add support for Intel Sunrisepoint LPSS devices")
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: Lee Jones
+Link: https://lore.kernel.org/r/20230609014818.28475-1-jiasheng@iscas.ac.cn
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/intel-lpss-acpi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mfd/intel-lpss-acpi.c b/drivers/mfd/intel-lpss-acpi.c
+index 045cbf0cbe53a..993e305a232c5 100644
+--- a/drivers/mfd/intel-lpss-acpi.c
++++ b/drivers/mfd/intel-lpss-acpi.c
+@@ -114,6 +114,9 @@ static int intel_lpss_acpi_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ info->mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!info->mem)
++ return -ENODEV;
++
+ info->irq = platform_get_irq(pdev, 0);
+
+ ret = intel_lpss_probe(&pdev->dev, info);
+--
+2.39.2
+
diff --git a/tmp-5.10/mfd-rt5033-drop-rt5033-battery-sub-device.patch b/tmp-5.10/mfd-rt5033-drop-rt5033-battery-sub-device.patch
new file mode 100644
index 00000000000..bfa37de550a
--- /dev/null
+++ b/tmp-5.10/mfd-rt5033-drop-rt5033-battery-sub-device.patch
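Review bot: The line right after the new check, `info->irq = platform_get_irq(pdev, 0);`, still stores its result unchecked, although platform_get_irq() returns a negative errno on failure. Unless intel_lpss_probe() rejects a non-positive irq (its body is not part of this hunk), the same treatment belongs here: `if (info->irq < 0) return info->irq;`. intel_lpss_acpi_probe() starts and ends outside the hunk, so how `info` is allocated and whether the early return needs any cleanup cannot be confirmed from here.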
@@ -0,0 +1,41 @@
+From 5b2a92f9c5a87bb052b40b8e0c6a51e7c0bed49a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 May 2023 22:57:10 +0200
+Subject: mfd: rt5033: Drop rt5033-battery sub-device
+
+From: Stephan Gerhold
+
+[ Upstream commit 43db1344e0f8c1eb687a1d6cd5b0de3009ab66cb ]
+
+The fuel gauge in the RT5033 PMIC (rt5033-battery) has its own I2C bus
+and interrupt lines. Therefore, it is not part of the MFD device
+and needs to be specified separately in the device tree.
+
+Fixes: 0b271258544b ("mfd: rt5033: Add Richtek RT5033 driver core.")
+Signed-off-by: Stephan Gerhold
+Signed-off-by: Jakob Hauser
+Reviewed-by: Linus Walleij
+Signed-off-by: Lee Jones
+Link: https://lore.kernel.org/r/6a8a19bc67b5be3732882e8131ad2ffcb546ac03.1684182964.git.jahau@rocketmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/rt5033.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/mfd/rt5033.c b/drivers/mfd/rt5033.c
+index 48381d9bf7403..302115dabff4b 100644
+--- a/drivers/mfd/rt5033.c
++++ b/drivers/mfd/rt5033.c
+@@ -41,9 +41,6 @@ static const struct mfd_cell rt5033_devs[] = {
+ {
+ .name = "rt5033-charger",
+ .of_compatible = "richtek,rt5033-charger",
+- }, {
+- .name = "rt5033-battery",
+- .of_compatible = "richtek,rt5033-battery",
+ }, {
+ .name = "rt5033-led",
+ .of_compatible = "richtek,rt5033-led",
+--
+2.39.2
+
diff --git a/tmp-5.10/mfd-stmfx-fix-error-path-in-stmfx_chip_init.patch b/tmp-5.10/mfd-stmfx-fix-error-path-in-stmfx_chip_init.patch
new file mode 100644
index 00000000000..339546b9595
--- /dev/null
+++ b/tmp-5.10/mfd-stmfx-fix-error-path-in-stmfx_chip_init.patch
@@ -0,0 +1,38 @@
+From df6968cf625def84233379d22cf75bf1e74df765 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Jun 2023 11:28:03 +0200
+Subject: mfd: stmfx: Fix error path in stmfx_chip_init
+
+From: Amelie Delaunay
+
+[ Upstream commit f592cf624531286f8b52e40dcfc157a5a7fb115c ]
+
+In error path, disable vdd regulator if it exists, but don't overload ret.
+Because if regulator_disable() is successful, stmfx_chip_init will exit
+successfully while chip init failed.
+
+Fixes: 06252ade9156 ("mfd: Add ST Multi-Function eXpander (STMFX) core driver")
+Signed-off-by: Amelie Delaunay
+Link: https://lore.kernel.org/r/20230609092804.793100-1-amelie.delaunay@foss.st.com
+Signed-off-by: Lee Jones
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/stmfx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/stmfx.c b/drivers/mfd/stmfx.c
+index 988e2ba6dd0f3..41e74b5dd9901 100644
+--- a/drivers/mfd/stmfx.c
++++ b/drivers/mfd/stmfx.c
+@@ -387,7 +387,7 @@ static int stmfx_chip_init(struct i2c_client *client)
+
+ err:
+ if (stmfx->vdd)
+- return regulator_disable(stmfx->vdd);
++ regulator_disable(stmfx->vdd);
+
+ return ret;
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/mfd-stmfx-nullify-stmfx-vdd-in-case-of-error.patch b/tmp-5.10/mfd-stmfx-nullify-stmfx-vdd-in-case-of-error.patch
new file mode 100644
index 00000000000..4a1da4642e6
--- /dev/null
+++ b/tmp-5.10/mfd-stmfx-nullify-stmfx-vdd-in-case-of-error.patch
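Review bot: The result of `regulator_disable(stmfx->vdd);` in the `err:` path is now discarded without a trace. Keeping the original failure in `ret` is right, but a disable that fails leaves the supply on and nobody learns of it. A warning keeps that visible without overloading `ret`: `if (stmfx->vdd && regulator_disable(stmfx->vdd)) dev_warn(&client->dev, "Failed to disable VDD regulator\n");`. stmfx_chip_init() starts outside the hunk, so the paths that jump to `err:` are not visible here.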
@@ -0,0 +1,41 @@
+From f98af3b172ee75a7ec19d3f8a42bc0ee525221b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Jun 2023 11:28:04 +0200
+Subject: mfd: stmfx: Nullify stmfx->vdd in case of error
+
+From: Amelie Delaunay
+
+[ Upstream commit 7c81582c0bccb4757186176f0ee12834597066ad ]
+
+Nullify stmfx->vdd in case devm_regulator_get_optional() returns an error.
+And simplify code by returning an error only if return code is not -ENODEV,
+which means there is no vdd regulator and it is not an issue.
+
+Fixes: d75846ed08e6 ("mfd: stmfx: Fix dev_err_probe() call in stmfx_chip_init()")
+Signed-off-by: Amelie Delaunay
+Link: https://lore.kernel.org/r/20230609092804.793100-2-amelie.delaunay@foss.st.com
+Signed-off-by: Lee Jones
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/stmfx.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mfd/stmfx.c b/drivers/mfd/stmfx.c
+index 41e74b5dd9901..b45d7b0b842c5 100644
+--- a/drivers/mfd/stmfx.c
++++ b/drivers/mfd/stmfx.c
+@@ -330,9 +330,8 @@ static int stmfx_chip_init(struct i2c_client *client)
+ stmfx->vdd = devm_regulator_get_optional(&client->dev, "vdd");
+ ret = PTR_ERR_OR_ZERO(stmfx->vdd);
+ if (ret) {
+- if (ret == -ENODEV)
+- stmfx->vdd = NULL;
+- else
++ stmfx->vdd = NULL;
++ if (ret != -ENODEV)
+ return dev_err_probe(&client->dev, ret, "Failed to get VDD regulator\n");
+ }
+
+--
+2.39.2
+
diff --git a/tmp-5.10/mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch b/tmp-5.10/mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch
new file mode 100644
index 00000000000..ff5f89ff3cd
--- /dev/null
+++ b/tmp-5.10/mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch
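Review bot: The reworked branch lacks a comment explaining why -ENODEV is tolerated. `stmfx->vdd = NULL;` now runs for every error, and only the `if (ret != -ENODEV)` test carries the distinction. A line above the assignment such as `/* VDD is optional: -ENODEV means no supply is described, any other error aborts the init */` would record the intent. It would also be worth stating there that the pointer is cleared so later code can test `stmfx->vdd` for NULL rather than IS_ERR(); stmfx_chip_init() starts and ends outside the hunk.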
@@ -0,0 +1,45 @@
+From 7ec1dce25fc5e8d18cc84cc256ba978368c5ac15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 17 Jun 2023 12:43:16 +0200
+Subject: mfd: stmpe: Only disable the regulators if they are enabled
+
+From: Christophe JAILLET
+
+[ Upstream commit 104d32bd81f620bb9f67fbf7d1159c414e89f05f ]
+
+In stmpe_probe(), if some regulator_enable() calls fail, probing continues
+and there is only a dev_warn().
+
+So, if stmpe_probe() is called the regulator may not be enabled. It is
+cleaner to test it before calling regulator_disable() in the remove
+function.
+
+Fixes: 9c9e321455fb ("mfd: stmpe: add optional regulators")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Linus Walleij
+Link: https://lore.kernel.org/r/8de3aaf297931d655b9ad6aed548f4de8b85425a.1686998575.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Lee Jones
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/stmpe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mfd/stmpe.c b/drivers/mfd/stmpe.c
+index 508349399f8af..7f758fb60c1fa 100644
+--- a/drivers/mfd/stmpe.c
++++ b/drivers/mfd/stmpe.c
+@@ -1494,9 +1494,9 @@ int stmpe_probe(struct stmpe_client_info *ci, enum stmpe_partnum partnum)
+
+ int stmpe_remove(struct stmpe *stmpe)
+ {
+- if (!IS_ERR(stmpe->vio))
++ if (!IS_ERR(stmpe->vio) && regulator_is_enabled(stmpe->vio))
+ regulator_disable(stmpe->vio);
+- if (!IS_ERR(stmpe->vcc))
++ if (!IS_ERR(stmpe->vcc) && regulator_is_enabled(stmpe->vcc))
+ regulator_disable(stmpe->vcc);
+
+ __stmpe_disable(stmpe, STMPE_BLOCK_ADC);
+--
+2.39.2
+
diff --git a/tmp-5.10/mips-loongson-fix-cpu_probe_loongson-again.patch b/tmp-5.10/mips-loongson-fix-cpu_probe_loongson-again.patch
new file mode 100644
index 00000000000..179c3d703d2
--- /dev/null
+++ b/tmp-5.10/mips-loongson-fix-cpu_probe_loongson-again.patch
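Review bot: `regulator_is_enabled()` returns a negative errno on failure, so `&& regulator_is_enabled(stmpe->vio)` is also true on error and `regulator_disable()` still runs. Compare explicitly, `if (!IS_ERR(stmpe->vio) && regulator_is_enabled(stmpe->vio) > 0)`, and do the same for `stmpe->vcc`. The call also reports the state of the supply as a whole, not whether this driver's own regulator_enable() succeeded, so with a shared or always-on supply the disable can still be unbalanced. Recording the enable result in stmpe_probe(), whose body is outside this hunk, and testing that in stmpe_remove() would be the exact check.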
@@ -0,0 +1,85 @@ +From 65fee014dc41a774bcd94896f3fb380bc39d8dda Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Mon, 26 Jun 2023 15:50:14 +0800 +Subject: MIPS: Loongson: Fix cpu_probe_loongson() again + +From: Huacai Chen + +commit 65fee014dc41a774bcd94896f3fb380bc39d8dda upstream. + +Commit 7db5e9e9e5e6c10d7d ("MIPS: loongson64: fix FTLB configuration") +move decode_configs() from the beginning of cpu_probe_loongson() to the +end in order to fix FTLB configuration. However, it breaks the CPUCFG +decoding because decode_configs() use "c->options = xxxx" rather than +"c->options |= xxxx", all information get from CPUCFG by decode_cpucfg() +is lost. + +This causes error when creating a KVM guest on Loongson-3A4000: +Exception Code: 4 not handled @ PC: 0000000087ad5981, inst: 0xcb7a1898 BadVaddr: 0x0 Status: 0x0 + +Fix this by moving the c->cputype setting to the beginning and moving +decode_configs() after that. + +Fixes: 7db5e9e9e5e6c10d7d ("MIPS: loongson64: fix FTLB configuration") +Cc: stable@vger.kernel.org +Cc: Huang Pei +Signed-off-by: Huacai Chen +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/kernel/cpu-probe.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/arch/mips/kernel/cpu-probe.c ++++ b/arch/mips/kernel/cpu-probe.c +@@ -1721,7 +1721,10 @@ static inline void decode_cpucfg(struct + + static inline void cpu_probe_loongson(struct cpuinfo_mips *c, unsigned int cpu) + { ++ c->cputype = CPU_LOONGSON64; ++ + /* All Loongson processors covered here define ExcCode 16 as GSExc. 
*/ ++ decode_configs(c); + c->options |= MIPS_CPU_GSEXCEX; + + switch (c->processor_id & PRID_IMP_MASK) { +@@ -1731,7 +1734,6 @@ static inline void cpu_probe_loongson(st + case PRID_REV_LOONGSON2K_R1_1: + case PRID_REV_LOONGSON2K_R1_2: + case PRID_REV_LOONGSON2K_R1_3: +- c->cputype = CPU_LOONGSON64; + __cpu_name[cpu] = "Loongson-2K"; + set_elf_platform(cpu, "gs264e"); + set_isa(c, MIPS_CPU_ISA_M64R2); +@@ -1744,14 +1746,12 @@ static inline void cpu_probe_loongson(st + switch (c->processor_id & PRID_REV_MASK) { + case PRID_REV_LOONGSON3A_R2_0: + case PRID_REV_LOONGSON3A_R2_1: +- c->cputype = CPU_LOONGSON64; + __cpu_name[cpu] = "ICT Loongson-3"; + set_elf_platform(cpu, "loongson3a"); + set_isa(c, MIPS_CPU_ISA_M64R2); + break; + case PRID_REV_LOONGSON3A_R3_0: + case PRID_REV_LOONGSON3A_R3_1: +- c->cputype = CPU_LOONGSON64; + __cpu_name[cpu] = "ICT Loongson-3"; + set_elf_platform(cpu, "loongson3a"); + set_isa(c, MIPS_CPU_ISA_M64R2); +@@ -1771,7 +1771,6 @@ static inline void cpu_probe_loongson(st + c->ases &= ~MIPS_ASE_VZ; /* VZ of Loongson-3A2000/3000 is incomplete */ + break; + case PRID_IMP_LOONGSON_64G: +- c->cputype = CPU_LOONGSON64; + __cpu_name[cpu] = "ICT Loongson-3"; + set_elf_platform(cpu, "loongson3a"); + set_isa(c, MIPS_CPU_ISA_M64R2); +@@ -1781,8 +1780,6 @@ static inline void cpu_probe_loongson(st + panic("Unknown Loongson Processor ID!"); + break; + } +- +- decode_configs(c); + } + #else + static inline void cpu_probe_loongson(struct cpuinfo_mips *c, unsigned int cpu) { } diff --git a/tmp-5.10/misc-fastrpc-create-fastrpc-scalar-with-correct-buffer-count.patch b/tmp-5.10/misc-fastrpc-create-fastrpc-scalar-with-correct-buffer-count.patch new file mode 100644 index 00000000000..4e946ed25ec --- /dev/null +++ b/tmp-5.10/misc-fastrpc-create-fastrpc-scalar-with-correct-buffer-count.patch 
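Review bot: The comment `/* All Loongson processors covered here define ExcCode 16 as GSExc. */` now sits above the added `decode_configs(c);` in cpu_probe_loongson(), no longer directly above `c->options |= MIPS_CPU_GSEXCEX;`, which it describes. The ordering constraint behind the fix is not recorded in the code either. Placing the call above that comment with its own line, `/* decode_configs() assigns c->options, so it must run before any |= below */`, would keep a later reordering from bringing the bug back. The hunk does not show where decode_cpucfg() is called, so whether its results now survive cannot be confirmed from these lines alone.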
@@ -0,0 +1,37 @@
+From 0b4e32df3e09406b835d8230b9331273f2805058 Mon Sep 17 00:00:00 2001
+From: Ekansh Gupta
+Date: Wed, 14 Jun 2023 17:24:45 +0530
+Subject: misc: fastrpc: Create fastrpc scalar with correct buffer count
+
+From: Ekansh Gupta
+
+commit 0b4e32df3e09406b835d8230b9331273f2805058 upstream.
+
+A process can spawn a PD on DSP with some attributes that can be
+associated with the PD during spawn and run. The invocation
+corresponding to the create request with attributes has total
+4 buffers at the DSP side implementation. If this number is not
+correct, the invocation is expected to fail on DSP. Added change
+to use correct number of buffer count for creating fastrpc scalar.
+
+Fixes: d73f71c7c6ee ("misc: fastrpc: Add support for create remote init process")
+Cc: stable
+Tested-by: Ekansh Gupta
+Signed-off-by: Ekansh Gupta
+Message-ID: <1686743685-21715-1-git-send-email-quic_ekangupt@quicinc.com>
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/fastrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1106,7 +1106,7 @@ static int fastrpc_init_create_process(s
+
+ sc = FASTRPC_SCALARS(FASTRPC_RMID_INIT_CREATE, 4, 0);
+ if (init.attrs)
+- sc = FASTRPC_SCALARS(FASTRPC_RMID_INIT_CREATE_ATTR, 6, 0);
++ sc = FASTRPC_SCALARS(FASTRPC_RMID_INIT_CREATE_ATTR, 4, 0);
+
+ err = fastrpc_internal_invoke(fl, true, FASTRPC_INIT_HANDLE,
+ sc, args);
diff --git a/tmp-5.10/misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch b/tmp-5.10/misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch
new file mode 100644
index 00000000000..7b3b9264daf
--- /dev/null
+++ b/tmp-5.10/misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch
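Review bot: Both FASTRPC_SCALARS() calls now pass the literal `4`, and nothing in the hunk ties that number to the entries of `args` handed to fastrpc_internal_invoke(). The count tells the remote side how many buffers to expect, and a mismatch is exactly the failure this commit fixes. A comment such as `/* buffer count must match the args[] entries set up above */` or a named constant would pin it; how `args` is filled is outside the hunk. With identical counts the two assignments could also be one: `sc = FASTRPC_SCALARS(init.attrs ? FASTRPC_RMID_INIT_CREATE_ATTR : FASTRPC_RMID_INIT_CREATE, 4, 0);`.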
@@ -0,0 +1,50 @@
+From f61b7634a3249d12b9daa36ffbdb9965b6f24c6c Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Sat, 15 Apr 2023 11:35:39 +0900
+Subject: misc: pci_endpoint_test: Free IRQs before removing the device
+
+From: Damien Le Moal
+
+commit f61b7634a3249d12b9daa36ffbdb9965b6f24c6c upstream.
+
+In pci_endpoint_test_remove(), freeing the IRQs after removing the device
+creates a small race window for IRQs to be received with the test device
+memory already released, causing the IRQ handler to access invalid memory,
+resulting in an oops.
+
+Free the device IRQs before removing the device to avoid this issue.
+
+Link: https://lore.kernel.org/r/20230415023542.77601-15-dlemoal@kernel.org
+Fixes: e03327122e2c ("pci_endpoint_test: Add 2 ioctl commands")
+Signed-off-by: Damien Le Moal
+Signed-off-by: Lorenzo Pieralisi
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Manivannan Sadhasivam
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/pci_endpoint_test.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -935,6 +935,9 @@ static void pci_endpoint_test_remove(str
+ if (id < 0)
+ return;
+
++ pci_endpoint_test_release_irq(test);
++ pci_endpoint_test_free_irq_vectors(test);
++
+ misc_deregister(&test->miscdev);
+ kfree(misc_device->name);
+ kfree(test->name);
+@@ -944,9 +947,6 @@ static void pci_endpoint_test_remove(str
+ pci_iounmap(pdev, test->bar[bar]);
+ }
+
+- pci_endpoint_test_release_irq(test);
+- pci_endpoint_test_free_irq_vectors(test);
+-
+ pci_release_regions(pdev);
+ pci_disable_device(pdev);
+ }
diff --git a/tmp-5.10/misc-pci_endpoint_test-re-init-completion-for-every-test.patch b/tmp-5.10/misc-pci_endpoint_test-re-init-completion-for-every-test.patch
new file mode 100644
index 00000000000..b678aed92c6
--- /dev/null
+++ b/tmp-5.10/misc-pci_endpoint_test-re-init-completion-for-every-test.patch
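Review bot: The IRQs are now released while the misc device is still registered, so between `pci_endpoint_test_free_irq_vectors(test);` and `misc_deregister(&test->miscdev);` user space can still enter the ioctl path. A test command started in that window would wait for an interrupt that can no longer be delivered; whether that wait is bounded is not visible in this hunk. Placing the two release calls directly after `misc_deregister()` and before the `kfree()` and `pci_iounmap()` calls would narrow both windows, assuming nothing else in the teardown depends on the chosen order. pci_endpoint_test_remove() starts outside the hunk.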
@@ -0,0 +1,44 @@
+From fb620ae73b70c2f57b9d3e911fc24c024ba2324f Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Sat, 15 Apr 2023 11:35:40 +0900
+Subject: misc: pci_endpoint_test: Re-init completion for every test
+
+From: Damien Le Moal
+
+commit fb620ae73b70c2f57b9d3e911fc24c024ba2324f upstream.
+
+The irq_raised completion used to detect the end of a test case is
+initialized when the test device is probed, but never reinitialized again
+before a test case. As a result, the irq_raised completion synchronization
+is effective only for the first ioctl test case executed. Any subsequent
+call to wait_for_completion() by another ioctl() call will immediately
+return, potentially too early, leading to false positive failures.
+
+Fix this by reinitializing the irq_raised completion before starting a new
+ioctl() test command.
+
+Link: https://lore.kernel.org/r/20230415023542.77601-16-dlemoal@kernel.org
+Fixes: 2c156ac71c6b ("misc: Add host side PCI driver for PCI test function device")
+Signed-off-by: Damien Le Moal
+Signed-off-by: Lorenzo Pieralisi
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Manivannan Sadhasivam
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/pci_endpoint_test.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -727,6 +727,10 @@ static long pci_endpoint_test_ioctl(stru
+ struct pci_dev *pdev = test->pdev;
+
+ mutex_lock(&test->mutex);
++
++ reinit_completion(&test->irq_raised);
++ test->last_irq = -ENODATA;
++
+ switch (cmd) {
+ case PCITEST_BAR:
+ bar = arg;
diff --git a/tmp-5.10/mm-rename-p4d_page_vaddr-to-p4d_pgtable-and-make-it-.patch b/tmp-5.10/mm-rename-p4d_page_vaddr-to-p4d_pgtable-and-make-it-.patch
new file mode 100644
index 00000000000..d82e129b7c5
--- /dev/null
+++ b/tmp-5.10/mm-rename-p4d_page_vaddr-to-p4d_pgtable-and-make-it-.patch
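Review bot: The added reset in pci_endpoint_test_ioctl() has no comment saying why it happens here, under `test->mutex` and before the `switch`. A line above `reinit_completion(&test->irq_raised);` such as `/* Drop IRQ state left by the previous command so a stale completion cannot satisfy this one */` would record that. The reset closes the case where the completion was already signalled, but an interrupt belonging to the previous command that arrives after this point would still complete the new one. If the endpoint can raise such late interrupts, that case needs its own handling; the interrupt handler is outside the hunk.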
@@ -0,0 +1,240 @@ +From d7d20f8a4d21a09c843d64bb378fc2c9741e849a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 18:09:56 -0700 +Subject: mm: rename p4d_page_vaddr to p4d_pgtable and make it return pud_t * + +From: Aneesh Kumar K.V + +[ Upstream commit dc4875f0e791de554bdc45aa1dbd6e45e107e50f ] + +No functional change in this patch. + +[aneesh.kumar@linux.ibm.com: m68k build error reported by kernel robot] + Link: https://lkml.kernel.org/r/87tulxnb2v.fsf@linux.ibm.com + +Link: https://lkml.kernel.org/r/20210615110859.320299-2-aneesh.kumar@linux.ibm.com +Link: https://lore.kernel.org/linuxppc-dev/CAHk-=wi+J+iodze9FtjM3Zi4j4OeS+qqbKxME9QN4roxPEXH9Q@mail.gmail.com/ +Signed-off-by: Aneesh Kumar K.V +Cc: Christophe Leroy +Cc: Hugh Dickins +Cc: Joel Fernandes +Cc: Kalesh Singh +Cc: Kirill A. Shutemov +Cc: Michael Ellerman +Cc: Nicholas Piggin +Cc: Stephen Rothwell +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Stable-dep-of: 0da90af431ab ("powerpc/book3s64/mm: Fix DirectMap stats in /proc/meminfo") +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/pgtable.h | 4 ++-- + arch/ia64/include/asm/pgtable.h | 2 +- + arch/mips/include/asm/pgtable-64.h | 4 ++-- + arch/powerpc/include/asm/book3s/64/pgtable.h | 5 ++++- + arch/powerpc/include/asm/nohash/64/pgtable-4k.h | 6 +++++- + arch/powerpc/mm/book3s64/radix_pgtable.c | 2 +- + arch/powerpc/mm/pgtable_64.c | 2 +- + arch/sparc/include/asm/pgtable_64.h | 4 ++-- + arch/x86/include/asm/pgtable.h | 4 ++-- + arch/x86/mm/init_64.c | 4 ++-- + include/asm-generic/pgtable-nop4d.h | 2 +- + include/asm-generic/pgtable-nopud.h | 2 +- + include/linux/pgtable.h | 2 +- + 13 files changed, 25 insertions(+), 18 deletions(-) + +diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h +index 3635d48ada17d..4eedfd784cf63 100644 +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -694,9 +694,9 @@ static inline phys_addr_t p4d_page_paddr(p4d_t p4d) + return 
__p4d_to_phys(p4d); + } + +-static inline unsigned long p4d_page_vaddr(p4d_t p4d) ++static inline pud_t *p4d_pgtable(p4d_t p4d) + { +- return (unsigned long)__va(p4d_page_paddr(p4d)); ++ return (pud_t *)__va(p4d_page_paddr(p4d)); + } + + /* Find an entry in the frst-level page table. */ +diff --git a/arch/ia64/include/asm/pgtable.h b/arch/ia64/include/asm/pgtable.h +index fd92792d148b4..6e5c387566573 100644 +--- a/arch/ia64/include/asm/pgtable.h ++++ b/arch/ia64/include/asm/pgtable.h +@@ -287,7 +287,7 @@ extern unsigned long VMALLOC_END; + #define p4d_bad(p4d) (!ia64_phys_addr_valid(p4d_val(p4d))) + #define p4d_present(p4d) (p4d_val(p4d) != 0UL) + #define p4d_clear(p4dp) (p4d_val(*(p4dp)) = 0UL) +-#define p4d_page_vaddr(p4d) ((unsigned long) __va(p4d_val(p4d) & _PFN_MASK)) ++#define p4d_pgtable(p4d) ((pud_t *) __va(p4d_val(p4d) & _PFN_MASK)) + #define p4d_page(p4d) virt_to_page((p4d_val(p4d) + PAGE_OFFSET)) + #endif + +diff --git a/arch/mips/include/asm/pgtable-64.h b/arch/mips/include/asm/pgtable-64.h +index ab305453e90f8..b865edff2670e 100644 +--- a/arch/mips/include/asm/pgtable-64.h ++++ b/arch/mips/include/asm/pgtable-64.h +@@ -210,9 +210,9 @@ static inline void p4d_clear(p4d_t *p4dp) + p4d_val(*p4dp) = (unsigned long)invalid_pud_table; + } + +-static inline unsigned long p4d_page_vaddr(p4d_t p4d) ++static inline pud_t *p4d_pgtable(p4d_t p4d) + { +- return p4d_val(p4d); ++ return (pud_t *)p4d_val(p4d); + } + + #define p4d_phys(p4d) virt_to_phys((void *)p4d_val(p4d)) +diff --git a/arch/powerpc/include/asm/book3s/64/pgtable.h b/arch/powerpc/include/asm/book3s/64/pgtable.h +index 5ebf6450f6dad..2b4af824bdc55 100644 +--- a/arch/powerpc/include/asm/book3s/64/pgtable.h ++++ b/arch/powerpc/include/asm/book3s/64/pgtable.h +@@ -1030,7 +1030,10 @@ extern struct page *p4d_page(p4d_t p4d); + /* Pointers in the page table tree are physical addresses */ + #define __pgtable_ptr_val(ptr) __pa(ptr) + +-#define p4d_page_vaddr(p4d) __va(p4d_val(p4d) & ~P4D_MASKED_BITS) ++static 
inline pud_t *p4d_pgtable(p4d_t p4d) ++{ ++ return (pud_t *)__va(p4d_val(p4d) & ~P4D_MASKED_BITS); ++} + + static inline pmd_t *pud_pgtable(pud_t pud) + { +diff --git a/arch/powerpc/include/asm/nohash/64/pgtable-4k.h b/arch/powerpc/include/asm/nohash/64/pgtable-4k.h +index fe2f4c9acd9ed..10f5cf444d72a 100644 +--- a/arch/powerpc/include/asm/nohash/64/pgtable-4k.h ++++ b/arch/powerpc/include/asm/nohash/64/pgtable-4k.h +@@ -56,10 +56,14 @@ + #define p4d_none(p4d) (!p4d_val(p4d)) + #define p4d_bad(p4d) (p4d_val(p4d) == 0) + #define p4d_present(p4d) (p4d_val(p4d) != 0) +-#define p4d_page_vaddr(p4d) (p4d_val(p4d) & ~P4D_MASKED_BITS) + + #ifndef __ASSEMBLY__ + ++static inline pud_t *p4d_pgtable(p4d_t p4d) ++{ ++ return (pud_t *) (p4d_val(p4d) & ~P4D_MASKED_BITS); ++} ++ + static inline void p4d_clear(p4d_t *p4dp) + { + *p4dp = __p4d(0); +diff --git a/arch/powerpc/mm/book3s64/radix_pgtable.c b/arch/powerpc/mm/book3s64/radix_pgtable.c +index 605c770dd8191..44239e0acf8ea 100644 +--- a/arch/powerpc/mm/book3s64/radix_pgtable.c ++++ b/arch/powerpc/mm/book3s64/radix_pgtable.c +@@ -898,7 +898,7 @@ static void __meminit remove_pagetable(unsigned long start, unsigned long end) + continue; + } + +- pud_base = (pud_t *)p4d_page_vaddr(*p4d); ++ pud_base = p4d_pgtable(*p4d); + remove_pud_table(pud_base, addr, next); + free_pud_table(pud_base, p4d); + } +diff --git a/arch/powerpc/mm/pgtable_64.c b/arch/powerpc/mm/pgtable_64.c +index bd0d903196d98..175aabf101e87 100644 +--- a/arch/powerpc/mm/pgtable_64.c ++++ b/arch/powerpc/mm/pgtable_64.c +@@ -106,7 +106,7 @@ struct page *p4d_page(p4d_t p4d) + VM_WARN_ON(!p4d_huge(p4d)); + return pte_page(p4d_pte(p4d)); + } +- return virt_to_page(p4d_page_vaddr(p4d)); ++ return virt_to_page(p4d_pgtable(p4d)); + } + #endif + +diff --git a/arch/sparc/include/asm/pgtable_64.h b/arch/sparc/include/asm/pgtable_64.h +index cac02ac301f13..5a1efd600f770 100644 +--- a/arch/sparc/include/asm/pgtable_64.h ++++ b/arch/sparc/include/asm/pgtable_64.h +@@ -860,8 
+860,8 @@ static inline pmd_t *pud_pgtable(pud_t pud) + #define pmd_clear(pmdp) (pmd_val(*(pmdp)) = 0UL) + #define pud_present(pud) (pud_val(pud) != 0U) + #define pud_clear(pudp) (pud_val(*(pudp)) = 0UL) +-#define p4d_page_vaddr(p4d) \ +- ((unsigned long) __va(p4d_val(p4d))) ++#define p4d_pgtable(p4d) \ ++ ((pud_t *) __va(p4d_val(p4d))) + #define p4d_present(p4d) (p4d_val(p4d) != 0U) + #define p4d_clear(p4dp) (p4d_val(*(p4dp)) = 0UL) + +diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h +index a90f6d02fb961..9bacde3ff514a 100644 +--- a/arch/x86/include/asm/pgtable.h ++++ b/arch/x86/include/asm/pgtable.h +@@ -906,9 +906,9 @@ static inline int p4d_present(p4d_t p4d) + return p4d_flags(p4d) & _PAGE_PRESENT; + } + +-static inline unsigned long p4d_page_vaddr(p4d_t p4d) ++static inline pud_t *p4d_pgtable(p4d_t p4d) + { +- return (unsigned long)__va(p4d_val(p4d) & p4d_pfn_mask(p4d)); ++ return (pud_t *)__va(p4d_val(p4d) & p4d_pfn_mask(p4d)); + } + + /* +diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c +index 20951ab522a1d..acf4e50c5988b 100644 +--- a/arch/x86/mm/init_64.c ++++ b/arch/x86/mm/init_64.c +@@ -193,8 +193,8 @@ static void sync_global_pgds_l4(unsigned long start, unsigned long end) + spin_lock(pgt_lock); + + if (!p4d_none(*p4d_ref) && !p4d_none(*p4d)) +- BUG_ON(p4d_page_vaddr(*p4d) +- != p4d_page_vaddr(*p4d_ref)); ++ BUG_ON(p4d_pgtable(*p4d) ++ != p4d_pgtable(*p4d_ref)); + + if (p4d_none(*p4d)) + set_p4d(p4d, *p4d_ref); +diff --git a/include/asm-generic/pgtable-nop4d.h b/include/asm-generic/pgtable-nop4d.h +index ce2cbb3c380ff..2f1d0aad645cf 100644 +--- a/include/asm-generic/pgtable-nop4d.h ++++ b/include/asm-generic/pgtable-nop4d.h +@@ -42,7 +42,7 @@ static inline p4d_t *p4d_offset(pgd_t *pgd, unsigned long address) + #define __p4d(x) ((p4d_t) { __pgd(x) }) + + #define pgd_page(pgd) (p4d_page((p4d_t){ pgd })) +-#define pgd_page_vaddr(pgd) (p4d_page_vaddr((p4d_t){ pgd })) ++#define pgd_page_vaddr(pgd) ((unsigned 
long)(p4d_pgtable((p4d_t){ pgd }))) + + /* + * allocating and freeing a p4d is trivial: the 1-entry p4d is +diff --git a/include/asm-generic/pgtable-nopud.h b/include/asm-generic/pgtable-nopud.h +index 7cbd15f70bf55..eb70c6d7ceff2 100644 +--- a/include/asm-generic/pgtable-nopud.h ++++ b/include/asm-generic/pgtable-nopud.h +@@ -49,7 +49,7 @@ static inline pud_t *pud_offset(p4d_t *p4d, unsigned long address) + #define __pud(x) ((pud_t) { __p4d(x) }) + + #define p4d_page(p4d) (pud_page((pud_t){ p4d })) +-#define p4d_page_vaddr(p4d) (pud_pgtable((pud_t){ p4d })) ++#define p4d_pgtable(p4d) ((pud_t *)(pud_pgtable((pud_t){ p4d }))) + + /* + * allocating and freeing a pud is trivial: the 1-entry pud is +diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h +index f8570799bc263..f924468d84ec4 100644 +--- a/include/linux/pgtable.h ++++ b/include/linux/pgtable.h +@@ -97,7 +97,7 @@ static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address) + #ifndef pud_offset + static inline pud_t *pud_offset(p4d_t *p4d, unsigned long address) + { +- return (pud_t *)p4d_page_vaddr(*p4d) + pud_index(address); ++ return p4d_pgtable(*p4d) + pud_index(address); + } + #define pud_offset pud_offset + #endif +-- +2.39.2 + diff --git a/tmp-5.10/mm-rename-pud_page_vaddr-to-pud_pgtable-and-make-it-.patch b/tmp-5.10/mm-rename-pud_page_vaddr-to-pud_pgtable-and-make-it-.patch new file mode 100644 index 00000000000..c5de6a2602f --- /dev/null +++ b/tmp-5.10/mm-rename-pud_page_vaddr-to-pud_pgtable-and-make-it-.patch 
@@ -0,0 +1,425 @@ +From 26e3fe5c3e6d486b886f903750f2b4a422c2e14a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jul 2021 18:09:53 -0700 +Subject: mm: rename pud_page_vaddr to pud_pgtable and make it return pmd_t * + +From: Aneesh Kumar K.V + +[ Upstream commit 9cf6fa2458443118b84090aa1bf7a3630b5940e8 ] + +No functional change in this patch. + +[aneesh.kumar@linux.ibm.com: fix] + Link: https://lkml.kernel.org/r/87wnqtnb60.fsf@linux.ibm.com +[sfr@canb.auug.org.au: another fix] + Link: https://lkml.kernel.org/r/20210619134410.89559-1-aneesh.kumar@linux.ibm.com + +Link: https://lkml.kernel.org/r/20210615110859.320299-1-aneesh.kumar@linux.ibm.com +Link: https://lore.kernel.org/linuxppc-dev/CAHk-=wi+J+iodze9FtjM3Zi4j4OeS+qqbKxME9QN4roxPEXH9Q@mail.gmail.com/ +Signed-off-by: Aneesh Kumar K.V +Signed-off-by: Stephen Rothwell +Cc: Christophe Leroy +Cc: Hugh Dickins +Cc: Joel Fernandes +Cc: Kalesh Singh +Cc: Kirill A. Shutemov +Cc: Michael Ellerman +Cc: Nicholas Piggin +Cc: Stephen Rothwell +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Stable-dep-of: 0da90af431ab ("powerpc/book3s64/mm: Fix DirectMap stats in /proc/meminfo") +Signed-off-by: Sasha Levin +--- + arch/alpha/include/asm/pgtable.h | 8 +++++--- + arch/arm/include/asm/pgtable-3level.h | 2 +- + arch/arm64/include/asm/pgtable.h | 4 ++-- + arch/ia64/include/asm/pgtable.h | 2 +- + arch/m68k/include/asm/motorola_pgtable.h | 2 +- + arch/mips/include/asm/pgtable-64.h | 4 ++-- + arch/parisc/include/asm/pgtable.h | 4 ++-- + arch/powerpc/include/asm/book3s/64/pgtable.h | 6 +++++- + arch/powerpc/include/asm/nohash/64/pgtable.h | 6 +++++- + arch/powerpc/mm/book3s64/radix_pgtable.c | 4 ++-- + arch/powerpc/mm/pgtable_64.c | 2 +- + arch/riscv/include/asm/pgtable-64.h | 4 ++-- + arch/sh/include/asm/pgtable-3level.h | 4 ++-- + arch/sparc/include/asm/pgtable_32.h | 6 +++--- + arch/sparc/include/asm/pgtable_64.h | 6 +++--- + arch/um/include/asm/pgtable-3level.h | 2 +- + arch/x86/include/asm/pgtable.h | 4 ++-- 
+ arch/x86/mm/pat/set_memory.c | 4 ++-- + arch/x86/mm/pgtable.c | 2 +- + include/asm-generic/pgtable-nopmd.h | 2 +- + include/asm-generic/pgtable-nopud.h | 2 +- + include/linux/pgtable.h | 2 +- + 22 files changed, 46 insertions(+), 36 deletions(-) + +diff --git a/arch/alpha/include/asm/pgtable.h b/arch/alpha/include/asm/pgtable.h +index 660b14ce13179..12c120e436a24 100644 +--- a/arch/alpha/include/asm/pgtable.h ++++ b/arch/alpha/include/asm/pgtable.h +@@ -241,8 +241,10 @@ pmd_page_vaddr(pmd_t pmd) + #define pud_page(pud) (mem_map + ((pud_val(pud) & _PFN_MASK) >> 32)) + #endif + +-extern inline unsigned long pud_page_vaddr(pud_t pgd) +-{ return PAGE_OFFSET + ((pud_val(pgd) & _PFN_MASK) >> (32-PAGE_SHIFT)); } ++extern inline pmd_t *pud_pgtable(pud_t pgd) ++{ ++ return (pmd_t *)(PAGE_OFFSET + ((pud_val(pgd) & _PFN_MASK) >> (32-PAGE_SHIFT))); ++} + + extern inline int pte_none(pte_t pte) { return !pte_val(pte); } + extern inline int pte_present(pte_t pte) { return pte_val(pte) & _PAGE_VALID; } +@@ -292,7 +294,7 @@ extern inline pte_t pte_mkyoung(pte_t pte) { pte_val(pte) |= __ACCESS_BITS; retu + /* Find an entry in the second-level page table.. 
*/ + extern inline pmd_t * pmd_offset(pud_t * dir, unsigned long address) + { +- pmd_t *ret = (pmd_t *) pud_page_vaddr(*dir) + ((address >> PMD_SHIFT) & (PTRS_PER_PAGE - 1)); ++ pmd_t *ret = pud_pgtable(*dir) + ((address >> PMD_SHIFT) & (PTRS_PER_PAGE - 1)); + smp_rmb(); /* see above */ + return ret; + } +diff --git a/arch/arm/include/asm/pgtable-3level.h b/arch/arm/include/asm/pgtable-3level.h +index 2b85d175e9996..4487aea88477d 100644 +--- a/arch/arm/include/asm/pgtable-3level.h ++++ b/arch/arm/include/asm/pgtable-3level.h +@@ -130,7 +130,7 @@ + flush_pmd_entry(pudp); \ + } while (0) + +-static inline pmd_t *pud_page_vaddr(pud_t pud) ++static inline pmd_t *pud_pgtable(pud_t pud) + { + return __va(pud_val(pud) & PHYS_MASK & (s32)PAGE_MASK); + } +diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h +index 3f74db7b0a31d..3635d48ada17d 100644 +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -633,9 +633,9 @@ static inline phys_addr_t pud_page_paddr(pud_t pud) + return __pud_to_phys(pud); + } + +-static inline unsigned long pud_page_vaddr(pud_t pud) ++static inline pmd_t *pud_pgtable(pud_t pud) + { +- return (unsigned long)__va(pud_page_paddr(pud)); ++ return (pmd_t *)__va(pud_page_paddr(pud)); + } + + /* Find an entry in the second-level page table. 
*/ +diff --git a/arch/ia64/include/asm/pgtable.h b/arch/ia64/include/asm/pgtable.h +index 9f64fdfbf2750..fd92792d148b4 100644 +--- a/arch/ia64/include/asm/pgtable.h ++++ b/arch/ia64/include/asm/pgtable.h +@@ -279,7 +279,7 @@ extern unsigned long VMALLOC_END; + #define pud_bad(pud) (!ia64_phys_addr_valid(pud_val(pud))) + #define pud_present(pud) (pud_val(pud) != 0UL) + #define pud_clear(pudp) (pud_val(*(pudp)) = 0UL) +-#define pud_page_vaddr(pud) ((unsigned long) __va(pud_val(pud) & _PFN_MASK)) ++#define pud_pgtable(pud) ((pmd_t *) __va(pud_val(pud) & _PFN_MASK)) + #define pud_page(pud) virt_to_page((pud_val(pud) + PAGE_OFFSET)) + + #if CONFIG_PGTABLE_LEVELS == 4 +diff --git a/arch/m68k/include/asm/motorola_pgtable.h b/arch/m68k/include/asm/motorola_pgtable.h +index 8076467eff4b0..956c80874f98b 100644 +--- a/arch/m68k/include/asm/motorola_pgtable.h ++++ b/arch/m68k/include/asm/motorola_pgtable.h +@@ -129,7 +129,7 @@ static inline void pud_set(pud_t *pudp, pmd_t *pmdp) + + #define __pte_page(pte) ((unsigned long)__va(pte_val(pte) & PAGE_MASK)) + #define pmd_page_vaddr(pmd) ((unsigned long)__va(pmd_val(pmd) & _TABLE_MASK)) +-#define pud_page_vaddr(pud) ((unsigned long)__va(pud_val(pud) & _TABLE_MASK)) ++#define pud_pgtable(pud) ((pmd_t *)__va(pud_val(pud) & _TABLE_MASK)) + + + #define pte_none(pte) (!pte_val(pte)) +diff --git a/arch/mips/include/asm/pgtable-64.h b/arch/mips/include/asm/pgtable-64.h +index 1e7d6ce9d8d62..ab305453e90f8 100644 +--- a/arch/mips/include/asm/pgtable-64.h ++++ b/arch/mips/include/asm/pgtable-64.h +@@ -314,9 +314,9 @@ static inline void pud_clear(pud_t *pudp) + #endif + + #ifndef __PAGETABLE_PMD_FOLDED +-static inline unsigned long pud_page_vaddr(pud_t pud) ++static inline pmd_t *pud_pgtable(pud_t pud) + { +- return pud_val(pud); ++ return (pmd_t *)pud_val(pud); + } + #define pud_phys(pud) virt_to_phys((void *)pud_val(pud)) + #define pud_page(pud) (pfn_to_page(pud_phys(pud) >> PAGE_SHIFT)) +diff --git a/arch/parisc/include/asm/pgtable.h 
b/arch/parisc/include/asm/pgtable.h +index 8964798b8274e..ade591927cbff 100644 +--- a/arch/parisc/include/asm/pgtable.h ++++ b/arch/parisc/include/asm/pgtable.h +@@ -330,8 +330,8 @@ static inline void pmd_clear(pmd_t *pmd) { + + + #if CONFIG_PGTABLE_LEVELS == 3 +-#define pud_page_vaddr(pud) ((unsigned long) __va(pud_address(pud))) +-#define pud_page(pud) virt_to_page((void *)pud_page_vaddr(pud)) ++#define pud_pgtable(pud) ((pmd_t *) __va(pud_address(pud))) ++#define pud_page(pud) virt_to_page((void *)pud_pgtable(pud)) + + /* For 64 bit we have three level tables */ + +diff --git a/arch/powerpc/include/asm/book3s/64/pgtable.h b/arch/powerpc/include/asm/book3s/64/pgtable.h +index 71e2c524f1eea..5ebf6450f6dad 100644 +--- a/arch/powerpc/include/asm/book3s/64/pgtable.h ++++ b/arch/powerpc/include/asm/book3s/64/pgtable.h +@@ -1030,9 +1030,13 @@ extern struct page *p4d_page(p4d_t p4d); + /* Pointers in the page table tree are physical addresses */ + #define __pgtable_ptr_val(ptr) __pa(ptr) + +-#define pud_page_vaddr(pud) __va(pud_val(pud) & ~PUD_MASKED_BITS) + #define p4d_page_vaddr(p4d) __va(p4d_val(p4d) & ~P4D_MASKED_BITS) + ++static inline pmd_t *pud_pgtable(pud_t pud) ++{ ++ return (pmd_t *)__va(pud_val(pud) & ~PUD_MASKED_BITS); ++} ++ + #define pte_ERROR(e) \ + pr_err("%s:%d: bad pte %08lx.\n", __FILE__, __LINE__, pte_val(e)) + #define pmd_ERROR(e) \ +diff --git a/arch/powerpc/include/asm/nohash/64/pgtable.h b/arch/powerpc/include/asm/nohash/64/pgtable.h +index 1eacff0fff029..a4d475c0fc2c0 100644 +--- a/arch/powerpc/include/asm/nohash/64/pgtable.h ++++ b/arch/powerpc/include/asm/nohash/64/pgtable.h +@@ -164,7 +164,11 @@ static inline void pud_clear(pud_t *pudp) + #define pud_bad(pud) (!is_kernel_addr(pud_val(pud)) \ + || (pud_val(pud) & PUD_BAD_BITS)) + #define pud_present(pud) (pud_val(pud) != 0) +-#define pud_page_vaddr(pud) (pud_val(pud) & ~PUD_MASKED_BITS) ++ ++static inline pmd_t *pud_pgtable(pud_t pud) ++{ ++ return (pmd_t *)(pud_val(pud) & ~PUD_MASKED_BITS); 
++} + + extern struct page *pud_page(pud_t pud); + +diff --git a/arch/powerpc/mm/book3s64/radix_pgtable.c b/arch/powerpc/mm/book3s64/radix_pgtable.c +index 5f0a2fa611fa2..605c770dd8191 100644 +--- a/arch/powerpc/mm/book3s64/radix_pgtable.c ++++ b/arch/powerpc/mm/book3s64/radix_pgtable.c +@@ -864,7 +864,7 @@ static void __meminit remove_pud_table(pud_t *pud_start, unsigned long addr, + continue; + } + +- pmd_base = (pmd_t *)pud_page_vaddr(*pud); ++ pmd_base = pud_pgtable(*pud); + remove_pmd_table(pmd_base, addr, next); + free_pmd_table(pmd_base, pud); + } +@@ -1156,7 +1156,7 @@ int pud_free_pmd_page(pud_t *pud, unsigned long addr) + pmd_t *pmd; + int i; + +- pmd = (pmd_t *)pud_page_vaddr(*pud); ++ pmd = pud_pgtable(*pud); + pud_clear(pud); + + flush_tlb_kernel_range(addr, addr + PUD_SIZE); +diff --git a/arch/powerpc/mm/pgtable_64.c b/arch/powerpc/mm/pgtable_64.c +index aefc2bfdf1049..bd0d903196d98 100644 +--- a/arch/powerpc/mm/pgtable_64.c ++++ b/arch/powerpc/mm/pgtable_64.c +@@ -117,7 +117,7 @@ struct page *pud_page(pud_t pud) + VM_WARN_ON(!pud_huge(pud)); + return pte_page(pud_pte(pud)); + } +- return virt_to_page(pud_page_vaddr(pud)); ++ return virt_to_page(pud_pgtable(pud)); + } + + /* +diff --git a/arch/riscv/include/asm/pgtable-64.h b/arch/riscv/include/asm/pgtable-64.h +index f3b0da64c6c8f..0e863f3f7187a 100644 +--- a/arch/riscv/include/asm/pgtable-64.h ++++ b/arch/riscv/include/asm/pgtable-64.h +@@ -60,9 +60,9 @@ static inline void pud_clear(pud_t *pudp) + set_pud(pudp, __pud(0)); + } + +-static inline unsigned long pud_page_vaddr(pud_t pud) ++static inline pmd_t *pud_pgtable(pud_t pud) + { +- return (unsigned long)pfn_to_virt(pud_val(pud) >> _PAGE_PFN_SHIFT); ++ return (pmd_t *)pfn_to_virt(pud_val(pud) >> _PAGE_PFN_SHIFT); + } + + static inline struct page *pud_page(pud_t pud) +diff --git a/arch/sh/include/asm/pgtable-3level.h b/arch/sh/include/asm/pgtable-3level.h +index 82d74472dfcda..56bf35c2f29c2 100644 +--- a/arch/sh/include/asm/pgtable-3level.h ++++ 
b/arch/sh/include/asm/pgtable-3level.h +@@ -32,9 +32,9 @@ typedef struct { unsigned long long pmd; } pmd_t; + #define pmd_val(x) ((x).pmd) + #define __pmd(x) ((pmd_t) { (x) } ) + +-static inline unsigned long pud_page_vaddr(pud_t pud) ++static inline pmd_t *pud_pgtable(pud_t pud) + { +- return pud_val(pud); ++ return (pmd_t *)pud_val(pud); + } + + /* only used by the stubbed out hugetlb gup code, should never be called */ +diff --git a/arch/sparc/include/asm/pgtable_32.h b/arch/sparc/include/asm/pgtable_32.h +index 632cdb959542c..7d1d10a8fd937 100644 +--- a/arch/sparc/include/asm/pgtable_32.h ++++ b/arch/sparc/include/asm/pgtable_32.h +@@ -152,13 +152,13 @@ static inline unsigned long pmd_page_vaddr(pmd_t pmd) + return (unsigned long)__nocache_va(v << 4); + } + +-static inline unsigned long pud_page_vaddr(pud_t pud) ++static inline pmd_t *pud_pgtable(pud_t pud) + { + if (srmmu_device_memory(pud_val(pud))) { +- return ~0; ++ return (pmd_t *)~0; + } else { + unsigned long v = pud_val(pud) & SRMMU_PTD_PMASK; +- return (unsigned long)__nocache_va(v << 4); ++ return (pmd_t *)__nocache_va(v << 4); + } + } + +diff --git a/arch/sparc/include/asm/pgtable_64.h b/arch/sparc/include/asm/pgtable_64.h +index 7ef6affa105e4..cac02ac301f13 100644 +--- a/arch/sparc/include/asm/pgtable_64.h ++++ b/arch/sparc/include/asm/pgtable_64.h +@@ -845,18 +845,18 @@ static inline unsigned long pmd_page_vaddr(pmd_t pmd) + return ((unsigned long) __va(pfn << PAGE_SHIFT)); + } + +-static inline unsigned long pud_page_vaddr(pud_t pud) ++static inline pmd_t *pud_pgtable(pud_t pud) + { + pte_t pte = __pte(pud_val(pud)); + unsigned long pfn; + + pfn = pte_pfn(pte); + +- return ((unsigned long) __va(pfn << PAGE_SHIFT)); ++ return ((pmd_t *) __va(pfn << PAGE_SHIFT)); + } + + #define pmd_page(pmd) virt_to_page((void *)pmd_page_vaddr(pmd)) +-#define pud_page(pud) virt_to_page((void *)pud_page_vaddr(pud)) ++#define pud_page(pud) virt_to_page((void *)pud_pgtable(pud)) + #define pmd_clear(pmdp) 
(pmd_val(*(pmdp)) = 0UL) + #define pud_present(pud) (pud_val(pud) != 0U) + #define pud_clear(pudp) (pud_val(*(pudp)) = 0UL) +diff --git a/arch/um/include/asm/pgtable-3level.h b/arch/um/include/asm/pgtable-3level.h +index 7e6a4180db9d3..091bff319ccdf 100644 +--- a/arch/um/include/asm/pgtable-3level.h ++++ b/arch/um/include/asm/pgtable-3level.h +@@ -84,7 +84,7 @@ static inline void pud_clear (pud_t *pud) + } + + #define pud_page(pud) phys_to_page(pud_val(pud) & PAGE_MASK) +-#define pud_page_vaddr(pud) ((unsigned long) __va(pud_val(pud) & PAGE_MASK)) ++#define pud_pgtable(pud) ((pmd_t *) __va(pud_val(pud) & PAGE_MASK)) + + static inline unsigned long pte_pfn(pte_t pte) + { +diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h +index 87de9f2d71cf2..a90f6d02fb961 100644 +--- a/arch/x86/include/asm/pgtable.h ++++ b/arch/x86/include/asm/pgtable.h +@@ -865,9 +865,9 @@ static inline int pud_present(pud_t pud) + return pud_flags(pud) & _PAGE_PRESENT; + } + +-static inline unsigned long pud_page_vaddr(pud_t pud) ++static inline pmd_t *pud_pgtable(pud_t pud) + { +- return (unsigned long)__va(pud_val(pud) & pud_pfn_mask(pud)); ++ return (pmd_t *)__va(pud_val(pud) & pud_pfn_mask(pud)); + } + + /* +diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c +index 40baa90e74f4c..217dda690ed82 100644 +--- a/arch/x86/mm/pat/set_memory.c ++++ b/arch/x86/mm/pat/set_memory.c +@@ -1126,7 +1126,7 @@ static void __unmap_pmd_range(pud_t *pud, pmd_t *pmd, + unsigned long start, unsigned long end) + { + if (unmap_pte_range(pmd, start, end)) +- if (try_to_free_pmd_page((pmd_t *)pud_page_vaddr(*pud))) ++ if (try_to_free_pmd_page(pud_pgtable(*pud))) + pud_clear(pud); + } + +@@ -1170,7 +1170,7 @@ static void unmap_pmd_range(pud_t *pud, unsigned long start, unsigned long end) + * Try again to free the PMD page if haven't succeeded above. 
+ */ + if (!pud_none(*pud)) +- if (try_to_free_pmd_page((pmd_t *)pud_page_vaddr(*pud))) ++ if (try_to_free_pmd_page(pud_pgtable(*pud))) + pud_clear(pud); + } + +diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c +index f6a9e2e366425..204b25ee26f0b 100644 +--- a/arch/x86/mm/pgtable.c ++++ b/arch/x86/mm/pgtable.c +@@ -805,7 +805,7 @@ int pud_free_pmd_page(pud_t *pud, unsigned long addr) + pte_t *pte; + int i; + +- pmd = (pmd_t *)pud_page_vaddr(*pud); ++ pmd = pud_pgtable(*pud); + pmd_sv = (pmd_t *)__get_free_page(GFP_KERNEL); + if (!pmd_sv) + return 0; +diff --git a/include/asm-generic/pgtable-nopmd.h b/include/asm-generic/pgtable-nopmd.h +index 3e13acd019aef..10789cf51d160 100644 +--- a/include/asm-generic/pgtable-nopmd.h ++++ b/include/asm-generic/pgtable-nopmd.h +@@ -51,7 +51,7 @@ static inline pmd_t * pmd_offset(pud_t * pud, unsigned long address) + #define __pmd(x) ((pmd_t) { __pud(x) } ) + + #define pud_page(pud) (pmd_page((pmd_t){ pud })) +-#define pud_page_vaddr(pud) (pmd_page_vaddr((pmd_t){ pud })) ++#define pud_pgtable(pud) ((pmd_t *)(pmd_page_vaddr((pmd_t){ pud }))) + + /* + * allocating and freeing a pmd is trivial: the 1-entry pmd is +diff --git a/include/asm-generic/pgtable-nopud.h b/include/asm-generic/pgtable-nopud.h +index a9d751fbda9e8..7cbd15f70bf55 100644 +--- a/include/asm-generic/pgtable-nopud.h ++++ b/include/asm-generic/pgtable-nopud.h +@@ -49,7 +49,7 @@ static inline pud_t *pud_offset(p4d_t *p4d, unsigned long address) + #define __pud(x) ((pud_t) { __p4d(x) }) + + #define p4d_page(p4d) (pud_page((pud_t){ p4d })) +-#define p4d_page_vaddr(p4d) (pud_page_vaddr((pud_t){ p4d })) ++#define p4d_page_vaddr(p4d) (pud_pgtable((pud_t){ p4d })) + + /* + * allocating and freeing a pud is trivial: the 1-entry pud is +diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h +index 9def1ac19546b..f8570799bc263 100644 +--- a/include/linux/pgtable.h ++++ b/include/linux/pgtable.h +@@ -89,7 +89,7 @@ static inline pte_t *pte_offset_kernel(pmd_t 
*pmd, unsigned long address) + #ifndef pmd_offset + static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address) + { +- return (pmd_t *)pud_page_vaddr(*pud) + pmd_index(address); ++ return pud_pgtable(*pud) + pmd_index(address); + } + #define pmd_offset pmd_offset + #endif +-- +2.39.2 + diff --git a/tmp-5.10/mmc-core-disable-trim-on-kingston-emmc04g-m627.patch b/tmp-5.10/mmc-core-disable-trim-on-kingston-emmc04g-m627.patch new file mode 100644 index 00000000000..e868d90bf66 --- /dev/null +++ b/tmp-5.10/mmc-core-disable-trim-on-kingston-emmc04g-m627.patch 
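Review bot: In include/asm-generic/pgtable-nopud.h the macro `p4d_page_vaddr(p4d)` now expands to a bare `pud_pgtable(...)` call, so with a folded PUD it evaluates to a `pmd_t *` even though its name still says "vaddr". The x86 definition removed by the follow-up patch on this page returned `unsigned long`, so the macro's type would differ by configuration at this step. The generic pud_offset() caller casts the result, so this probably still builds. Keeping the old type here with `#define p4d_page_vaddr(p4d) ((unsigned long)pud_pgtable((pud_t){ p4d }))` would leave this step self-consistent for bisection until the later rename to `p4d_pgtable`.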
@@ -0,0 +1,46 @@ +From f1738a1f816233e6dfc2407f24a31d596643fd90 Mon Sep 17 00:00:00 2001 +From: Robert Marko +Date: Mon, 19 Jun 2023 21:35:58 +0200 +Subject: mmc: core: disable TRIM on Kingston EMMC04G-M627 + +From: Robert Marko + +commit f1738a1f816233e6dfc2407f24a31d596643fd90 upstream. + +It seems that Kingston EMMC04G-M627 despite advertising TRIM support does +not work when the core is trying to use REQ_OP_WRITE_ZEROES. + +We are seeing I/O errors in OpenWrt under 6.1 on Zyxel NBG7815 that we did +not previously have and tracked it down to REQ_OP_WRITE_ZEROES. + +Trying to use fstrim seems to also throw errors like: +[93010.835112] I/O error, dev loop0, sector 16902 op 0x3:(DISCARD) flags 0x800 phys_seg 1 prio class 2 + +Disabling TRIM makes the error go away, so lets add a quirk for this eMMC +to disable TRIM. + +Signed-off-by: Robert Marko +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230619193621.437358-1-robimarko@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/quirks.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/mmc/core/quirks.h ++++ b/drivers/mmc/core/quirks.h +@@ -100,6 +100,13 @@ static const struct mmc_fixup __maybe_un + MMC_QUIRK_TRIM_BROKEN), + + /* ++ * Kingston EMMC04G-M627 advertises TRIM but it does not seems to ++ * support being used to offload WRITE_ZEROES. ++ */ ++ MMC_FIXUP("M62704", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc, ++ MMC_QUIRK_TRIM_BROKEN), ++ ++ /* + * Some SD cards reports discard support while they don't + */ + MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd, diff --git a/tmp-5.10/mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch b/tmp-5.10/mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch new file mode 100644 index 00000000000..15412ebc1a7 --- /dev/null +++ b/tmp-5.10/mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch 
@@ -0,0 +1,44 @@ +From dbfbddcddcebc9ce8a08757708d4e4a99d238e44 Mon Sep 17 00:00:00 2001 +From: Robert Marko +Date: Tue, 30 May 2023 23:32:59 +0200 +Subject: mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M + +From: Robert Marko + +commit dbfbddcddcebc9ce8a08757708d4e4a99d238e44 upstream. + +It seems that Micron MTFC4GACAJCN-1M despite advertising TRIM support does +not work when the core is trying to use REQ_OP_WRITE_ZEROES. + +We are seeing the following errors in OpenWrt under 6.1 on Qnap Qhora 301W +that we did not previously have and tracked it down to REQ_OP_WRITE_ZEROES: +[ 18.085950] I/O error, dev loop0, sector 596 op 0x9:(WRITE_ZEROES) flags 0x800 phys_seg 0 prio class 2 + +Disabling TRIM makes the error go away, so lets add a quirk for this eMMC +to disable TRIM. + +Signed-off-by: Robert Marko +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230530213259.1776512-1-robimarko@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/quirks.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/mmc/core/quirks.h ++++ b/drivers/mmc/core/quirks.h +@@ -107,6 +107,13 @@ static const struct mmc_fixup __maybe_un + MMC_QUIRK_TRIM_BROKEN), + + /* ++ * Micron MTFC4GACAJCN-1M advertises TRIM but it does not seems to ++ * support being used to offload WRITE_ZEROES. ++ */ ++ MMC_FIXUP("Q2J54A", CID_MANFID_MICRON, 0x014e, add_quirk_mmc, ++ MMC_QUIRK_TRIM_BROKEN), ++ ++ /* + * Some SD cards reports discard support while they don't + */ + MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd, diff --git a/tmp-5.10/mmc-mmci-set-probe_prefer_asynchronous.patch b/tmp-5.10/mmc-mmci-set-probe_prefer_asynchronous.patch new file mode 100644 index 00000000000..a806798bc9d --- /dev/null +++ b/tmp-5.10/mmc-mmci-set-probe_prefer_asynchronous.patch 
@@ -0,0 +1,33 @@
+From 3108eb2e8aa7e955a9dd3a4c1bf19a7898961822 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson
+Date: Mon, 12 Jun 2023 16:37:30 +0200
+Subject: mmc: mmci: Set PROBE_PREFER_ASYNCHRONOUS
+
+From: Ulf Hansson
+
+commit 3108eb2e8aa7e955a9dd3a4c1bf19a7898961822 upstream.
+
+All mmc host drivers should have the asynchronous probe option enabled, but
+it seems like we failed to set it for mmci, so let's do that now.
+
+Fixes: 21b2cec61c04 ("mmc: Set PROBE_PREFER_ASYNCHRONOUS for drivers that existed in v4.4")
+Signed-off-by: Ulf Hansson
+Tested-by: Linus Walleij
+Tested-by: Yann Gautier
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230612143730.210390-1-ulf.hansson@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/mmci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/mmci.c
++++ b/drivers/mmc/host/mmci.c
+@@ -2386,6 +2386,7 @@ static struct amba_driver mmci_driver =
+ .drv = {
+ .name = DRIVER_NAME,
+ .pm = &mmci_dev_pm_ops,
++ .probe_type = PROBE_PREFER_ASYNCHRONOUS,
+ },
+ .probe = mmci_probe,
+ .remove = mmci_remove,
diff --git a/tmp-5.10/mmc-sdhci-fix-dma-configure-compatibility-issue-when-64bit-dma-mode-is-used.patch b/tmp-5.10/mmc-sdhci-fix-dma-configure-compatibility-issue-when-64bit-dma-mode-is-used.patch
new file mode 100644
index 00000000000..66e5c400d8a
--- /dev/null
+++ b/tmp-5.10/mmc-sdhci-fix-dma-configure-compatibility-issue-when-64bit-dma-mode-is-used.patch
@@ -0,0 +1,58 @@ +From 20dbd07ef0a8bc29eb03d6a95258ac8934cbe52d Mon Sep 17 00:00:00 2001 +From: Chevron Li +Date: Tue, 23 May 2023 19:11:14 +0800 +Subject: mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used. + +From: Chevron Li + +commit 20dbd07ef0a8bc29eb03d6a95258ac8934cbe52d upstream. + +Bayhub SD host has hardware limitation: +1.The upper 32bit address is inhibited to be written at SD Host Register + [03E][13]=0 (32bits addressing) mode, is admitted to be written only at + SD Host Register [03E][13]=1 (64bits addressing) mode. +2.Because of above item#1, need to configure SD Host Register [03E][13] to + 1(64bits addressing mode) before set 64bit ADMA system address's higher + 32bits SD Host Register [05F~05C] if 64 bits addressing mode is used. + +The hardware limitation is reasonable for below reasons: +1.Normal flow should set DMA working mode first, then do + DMA-transfer-related configuration, such as system address. +2.The hardware limitation may avoid the software to configure wrong higher + 32bit address at 32bits addressing mode although it is redundant. + +The change that set 32bits/64bits addressing mode before set ADMA address, + has no side-effect to other host IPs for below reason: +The setting order is reasonable and standard: DMA Mode setting first and + then DMA address setting. It meets all DMA setting sequence. 
+ +Signed-off-by: Chevron Li +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230523111114.18124-1-chevron_li@126.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -1145,6 +1145,8 @@ static void sdhci_prepare_data(struct sd + } + } + ++ sdhci_config_dma(host); ++ + if (host->flags & SDHCI_REQ_USE_DMA) { + int sg_cnt = sdhci_pre_dma_transfer(host, data, COOKIE_MAPPED); + +@@ -1164,8 +1166,6 @@ static void sdhci_prepare_data(struct sd + } + } + +- sdhci_config_dma(host); +- + if (!(host->flags & SDHCI_REQ_USE_DMA)) { + int flags; + diff --git a/tmp-5.10/modpost-fix-off-by-one-in-is_executable_section.patch b/tmp-5.10/modpost-fix-off-by-one-in-is_executable_section.patch new file mode 100644 index 00000000000..80b8c0ead46 --- /dev/null +++ b/tmp-5.10/modpost-fix-off-by-one-in-is_executable_section.patch 
@@ -0,0 +1,36 @@
+From 49cae101ae3245339a6016a083ed7291abbc1451 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jun 2023 11:23:40 +0300
+Subject: modpost: fix off by one in is_executable_section()
+
+From: Dan Carpenter
+
+[ Upstream commit 3a3f1e573a105328a2cca45a7cfbebabbf5e3192 ]
+
+The > comparison should be >= to prevent an out of bounds array
+access.
+
+Fixes: 52dc0595d540 ("modpost: handle relocations mismatch in __ex_table.")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Sasha Levin
+---
+ scripts/mod/modpost.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index fb7f75fa786bc..78ac98cfa02d4 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -1621,7 +1621,7 @@ static void default_mismatch_handler(const char *modname, struct elf_info *elf,
+ 
+ static int is_executable_section(struct elf_info* elf, unsigned int section_index)
+ {
+- if (section_index > elf->num_sections)
++ if (section_index >= elf->num_sections)
+ fatal("section_index is outside elf->num_sections!\n");
+ 
+ return ((elf->sechdrs[section_index].sh_flags & SHF_EXECINSTR) == SHF_EXECINSTR);
+-- 
+2.39.2
+
diff --git a/tmp-5.10/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch b/tmp-5.10/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch
new file mode 100644
index 00000000000..8f81bbdef55
--- /dev/null
+++ b/tmp-5.10/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch
@@ -0,0 +1,106 @@ +From 4d41f6c42cbf57d879aaa1f9bb13cbb0fc070709 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 21:09:56 +0900 +Subject: modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24} + +From: Masahiro Yamada + +[ Upstream commit 56a24b8ce6a7f9c4a21b2276a8644f6f3d8fc14d ] + +addend_arm_rel() processes R_ARM_PC24, R_ARM_CALL, R_ARM_JUMP24 in a +wrong way. + +Here, test code. + +[test code for R_ARM_JUMP24] + + .section .init.text,"ax" + bar: + bx lr + + .section .text,"ax" + .globl foo + foo: + b bar + +[test code for R_ARM_CALL] + + .section .init.text,"ax" + bar: + bx lr + + .section .text,"ax" + .globl foo + foo: + push {lr} + bl bar + pop {pc} + +If you compile it with ARM multi_v7_defconfig, modpost will show the +symbol name, (unknown). + + WARNING: modpost: vmlinux.o: section mismatch in reference: foo (section: .text) -> (unknown) (section: .init.text) + +(You need to use GNU linker instead of LLD to reproduce it.) + +Fix the code to make modpost show the correct symbol name. + +I imported (with adjustment) sign_extend32() from include/linux/bitops.h. + +The '+8' is the compensation for pc-relative instruction. It is +documented in "ELF for the Arm Architecture" [1]. + + "If the relocation is pc-relative then compensation for the PC bias + (the PC value is 8 bytes ahead of the executing instruction in Arm + state and 4 bytes in Thumb state) must be encoded in the relocation + by the object producer." 
+ +[1]: https://github.com/ARM-software/abi-aa/blob/main/aaelf32/aaelf32.rst + +Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm") +Fixes: 6e2e340b59d2 ("ARM: 7324/1: modpost: Fix section warnings for ARM for many compilers") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index 9216eae798ff2..fb7f75fa786bc 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1796,12 +1796,20 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + #define R_ARM_THM_JUMP19 51 + #endif + ++static int32_t sign_extend32(int32_t value, int index) ++{ ++ uint8_t shift = 31 - index; ++ ++ return (int32_t)(value << shift) >> shift; ++} ++ + static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + { + unsigned int r_typ = ELF_R_TYPE(r->r_info); + Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info); + void *loc = reloc_location(elf, sechdr, r); + uint32_t inst; ++ int32_t offset; + + switch (r_typ) { + case R_ARM_ABS32: +@@ -1811,6 +1819,10 @@ static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + case R_ARM_PC24: + case R_ARM_CALL: + case R_ARM_JUMP24: ++ inst = TO_NATIVE(*(uint32_t *)loc); ++ offset = sign_extend32((inst & 0x00ffffff) << 2, 25); ++ r->r_addend = offset + sym->st_value + 8; ++ break; + case R_ARM_THM_CALL: + case R_ARM_THM_JUMP24: + case R_ARM_THM_JUMP19: +-- +2.39.2 + diff --git a/tmp-5.10/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch b/tmp-5.10/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch new file mode 100644 index 00000000000..46105f57be3 --- /dev/null +++ b/tmp-5.10/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch 
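Review bot: The new `sign_extend32()` helper takes `int32_t value` and left-shifts it, which is undefined behaviour in C whenever the shifted result does not fit in a signed 32-bit integer. For the R_ARM_PC24/CALL/JUMP24 case `index` is 25, so the shift is 6 and any offset with bit 25 set, which is exactly the negative case the helper exists for, overflows. The commit message says the helper was imported from include/linux/bitops.h with adjustment; declaring the parameter unsigned, `static int32_t sign_extend32(uint32_t value, int index)`, keeps the shift well defined and needs no change at the call site. A one-line comment that `index` is the 0-based bit position of the sign bit would also help. addend_arm_rel() continues outside the hunk.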
@@ -0,0 +1,133 @@ +From d83fda93ca383efde0bfc570f4b558d4c0cfc8ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 21:09:55 +0900 +Subject: modpost: fix section mismatch message for R_ARM_ABS32 + +From: Masahiro Yamada + +[ Upstream commit b7c63520f6703a25eebb4f8138fed764fcae1c6f ] + +addend_arm_rel() processes R_ARM_ABS32 in a wrong way. + +Here, test code. + + [test code 1] + + #include + + int __initdata foo; + int get_foo(void) { return foo; } + +If you compile it with ARM versatile_defconfig, modpost will show the +symbol name, (unknown). + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> (unknown) (section: .init.data) + +(You need to use GNU linker instead of LLD to reproduce it.) + +If you compile it for other architectures, modpost will show the correct +symbol name. + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) + +For R_ARM_ABS32, addend_arm_rel() sets r->r_addend to a wrong value. + +I just mimicked the code in arch/arm/kernel/module.c. + +However, there is more difficulty for ARM. + +Here, test code. + + [test code 2] + + #include + + int __initdata foo; + int get_foo(void) { return foo; } + + int __initdata bar; + int get_bar(void) { return bar; } + +With this commit applied, modpost will show the following messages +for ARM versatile_defconfig: + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) + WARNING: modpost: vmlinux.o: section mismatch in reference: get_bar (section: .text) -> foo (section: .init.data) + +The reference from 'get_bar' to 'foo' seems wrong. + +I have no solution for this because it is true in assembly level. + +In the following output, relocation at 0x1c is no longer associated +with 'bar'. The two relocation entries point to the same symbol, and +the offset to 'bar' is encoded in the instruction 'r0, [r3, #4]'. 
+ + Disassembly of section .text: + + 00000000 : + 0: e59f3004 ldr r3, [pc, #4] @ c + 4: e5930000 ldr r0, [r3] + 8: e12fff1e bx lr + c: 00000000 .word 0x00000000 + + 00000010 : + 10: e59f3004 ldr r3, [pc, #4] @ 1c + 14: e5930004 ldr r0, [r3, #4] + 18: e12fff1e bx lr + 1c: 00000000 .word 0x00000000 + + Relocation section '.rel.text' at offset 0x244 contains 2 entries: + Offset Info Type Sym.Value Sym. Name + 0000000c 00000c02 R_ARM_ABS32 00000000 .init.data + 0000001c 00000c02 R_ARM_ABS32 00000000 .init.data + +When find_elf_symbol() gets into a situation where relsym->st_name is +zero, there is no guarantee to get the symbol name as written in C. + +I am keeping the current logic because it is useful in many architectures, +but the symbol name is not always correct depending on the optimization. +I left some comments in find_tosym(). + +Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index e48742760fec8..9216eae798ff2 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1313,6 +1313,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, + if (relsym->st_name != 0) + return relsym; + ++ /* ++ * Strive to find a better symbol name, but the resulting name may not ++ * match the symbol referenced in the original code. 
++ */ + relsym_secindex = get_secindex(elf, relsym); + for (sym = elf->symtab_start; sym < elf->symtab_stop; sym++) { + if (get_secindex(elf, sym) != relsym_secindex) +@@ -1795,12 +1799,14 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + { + unsigned int r_typ = ELF_R_TYPE(r->r_info); ++ Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info); ++ void *loc = reloc_location(elf, sechdr, r); ++ uint32_t inst; + + switch (r_typ) { + case R_ARM_ABS32: +- /* From ARM ABI: (S + A) | T */ +- r->r_addend = (int)(long) +- (elf->symtab_start + ELF_R_SYM(r->r_info)); ++ inst = TO_NATIVE(*(uint32_t *)loc); ++ r->r_addend = inst + sym->st_value; + break; + case R_ARM_PC24: + case R_ARM_CALL: +-- +2.39.2 + diff --git a/tmp-5.10/mtd-rawnand-meson-fix-unaligned-dma-buffers-handling.patch b/tmp-5.10/mtd-rawnand-meson-fix-unaligned-dma-buffers-handling.patch new file mode 100644 index 00000000000..6fcf564b932 --- /dev/null +++ b/tmp-5.10/mtd-rawnand-meson-fix-unaligned-dma-buffers-handling.patch 
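Review bot: In addend_arm_rel() the new `sym` pointer is built from the relocation's symbol index and then read through (`sym->st_value`) without being compared against `elf->symtab_stop`, the bound that the find_elf_symbol() loop in this same patch uses. The removed code only converted that pointer to an integer and never dereferenced it, so the read is new. modpost normally runs on objects the build has just produced, so this is a robustness concern for truncated or corrupted objects rather than a demonstrated flaw. A guard before the switch along the lines of `if (sym < elf->symtab_start || sym >= elf->symtab_stop)` with an early return would keep the access inside the symbol table. What reloc_location() validates for `loc`, and which return value callers treat as "skip this relocation", are outside the hunk and need checking before choosing the exact form.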
@@ -0,0 +1,44 @@
+From 98480a181a08ceeede417e5b28f6d0429d8ae156 Mon Sep 17 00:00:00 2001
+From: Arseniy Krasnov
+Date: Thu, 15 Jun 2023 11:08:15 +0300
+Subject: mtd: rawnand: meson: fix unaligned DMA buffers handling
+
+From: Arseniy Krasnov
+
+commit 98480a181a08ceeede417e5b28f6d0429d8ae156 upstream.
+
+Meson NAND controller requires 8 bytes alignment for DMA addresses,
+otherwise it "aligns" passed address by itself thus accessing invalid
+location in the provided buffer. This patch makes unaligned buffers to
+be reallocated to become valid.
+
+Fixes: 8fae856c5350 ("mtd: rawnand: meson: add support for Amlogic NAND flash controller")
+Cc:
+Signed-off-by: Arseniy Krasnov
+Signed-off-by: Miquel Raynal
+Link: https://lore.kernel.org/linux-mtd/20230615080815.3291006-1-AVKrasnov@sberdevices.ru
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/raw/meson_nand.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/mtd/nand/raw/meson_nand.c
++++ b/drivers/mtd/nand/raw/meson_nand.c
+@@ -72,6 +72,7 @@
+ #define GENCMDIADDRH(aih, addr) ((aih) | (((addr) >> 16) & 0xffff))
+
+ #define DMA_DIR(dir) ((dir) ? NFC_CMD_N2M : NFC_CMD_M2N)
++#define DMA_ADDR_ALIGN 8
+
+ #define ECC_CHECK_RETURN_FF (-1)
+
+@@ -838,6 +839,9 @@ static int meson_nfc_read_oob(struct nan
+
+ static bool meson_nfc_is_buffer_dma_safe(const void *buffer)
+ {
++ if ((uintptr_t)buffer % DMA_ADDR_ALIGN)
++ return false;
++
+ if (virt_addr_valid(buffer) && (!object_is_on_stack(buffer)))
+ return true;
+ return false;
diff --git a/tmp-5.10/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch b/tmp-5.10/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch
new file mode 100644
index 00000000000..225042ddc7c
--- /dev/null
+++ b/tmp-5.10/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch
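Review bot: In the second hunk of meson_nand.c the new alignment test in `meson_nfc_is_buffer_dma_safe()` is open-coded as `(uintptr_t)buffer % DMA_ADDR_ALIGN`, and the new `DMA_ADDR_ALIGN` define has no comment saying where the 8 comes from. The kernel's `IS_ALIGNED()` helper states the intent more directly: `if (!IS_ALIGNED((uintptr_t)buffer, DMA_ADDR_ALIGN)) return false;`. A one-line comment on the define, such as `/* controller aligns the DMA address itself, so unaligned buffers must not be passed to it */`, would keep the reason next to the constant. The function's closing brace is outside the hunk.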
@@ -0,0 +1,41 @@
+From 1ee913770b2755306f0e129a4ebf089b59039b3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Jun 2023 20:21:59 +0800
+Subject: nbd: Add the maximum limit of allocated index in nbd_dev_add
+
+From: Zhong Jinghua
+
+[ Upstream commit f12bc113ce904777fd6ca003b473b427782b3dde ]
+
+If the index allocated by idr_alloc greater than MINORMASK >> part_shift,
+the device number will overflow, resulting in failure to create a block
+device.
+
+Fix it by imiting the size of the max allocation.
+
+Signed-off-by: Zhong Jinghua
+Reviewed-by: Christoph Hellwig
+Link: https://lore.kernel.org/r/20230605122159.2134384-1-zhongjinghua@huaweicloud.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/nbd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index b6940f0a9c905..e0f805ca0e727 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1723,7 +1723,8 @@ static int nbd_dev_add(int index)
+ if (err == -ENOSPC)
+ err = -EEXIST;
+ } else {
+- err = idr_alloc(&nbd_index_idr, nbd, 0, 0, GFP_KERNEL);
++ err = idr_alloc(&nbd_index_idr, nbd, 0,
++ (MINORMASK >> part_shift) + 1, GFP_KERNEL);
+ if (err >= 0)
+ index = err;
+ }
+-- 
+2.39.2
+
diff --git a/tmp-5.10/net-axienet-move-reset-before-64-bit-dma-detection.patch b/tmp-5.10/net-axienet-move-reset-before-64-bit-dma-detection.patch
new file mode 100644
index 00000000000..a6708bfeeb7
--- /dev/null
+++ b/tmp-5.10/net-axienet-move-reset-before-64-bit-dma-detection.patch
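Review bot: The new upper bound covers only the auto-allocation branch of `nbd_dev_add()`; the branch above the `else` is visible only from its `-ENOSPC` handling onward, so whether a caller-supplied index is held to the same `MINORMASK >> part_shift` limit cannot be confirmed from this hunk and should be checked. Because `idr_alloc()` treats its end argument as exclusive, the `+ 1` is what keeps `MINORMASK >> part_shift` itself allocatable. A comment such as `/* end is exclusive; highest valid index is MINORMASK >> part_shift */` would stop a later edit from dropping it. The function starts and ends outside the hunk.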
@@ -0,0 +1,60 @@
+From d69737b2a1ccd25cefd56e5bfa156dedd5a002e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Jun 2023 22:22:45 +0300
+Subject: net: axienet: Move reset before 64-bit DMA detection
+
+From: Maxim Kochetkov
+
+[ Upstream commit f1bc9fc4a06de0108e0dca2a9a7e99ba1fc632f9 ]
+
+64-bit DMA detection will fail if axienet was started before (by boot
+loader, boot ROM, etc). In this state axienet will not start properly.
+XAXIDMA_TX_CDESC_OFFSET + 4 register (MM2S_CURDESC_MSB) is used to detect
+64-bit DMA capability here. But datasheet says: When DMACR.RS is 1
+(axienet is in enabled state), CURDESC_PTR becomes Read Only (RO) and
+is used to fetch the first descriptor. So iowrite32()/ioread32() trick
+to this register to detect 64-bit DMA will not work.
+So move axienet reset before 64-bit DMA detection.
+
+Fixes: f735c40ed93c ("net: axienet: Autodetect 64-bit DMA capability")
+Signed-off-by: Maxim Kochetkov
+Reviewed-by: Robert Hancock
+Reviewed-by: Radhey Shyam Pandey
+Link: https://lore.kernel.org/r/20230622192245.116864-1-fido_max@inbox.ru
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index 3d91baf2e55aa..9d362283196aa 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -2009,6 +2009,11 @@ static int axienet_probe(struct platform_device *pdev)
+ goto cleanup_clk;
+ }
+
++ /* Reset core now that clocks are enabled, prior to accessing MDIO */
++ ret = __axienet_device_reset(lp);
++ if (ret)
++ goto cleanup_clk;
++
+ /* Autodetect the need for 64-bit DMA pointers.
+ * When the IP is configured for a bus width bigger than 32 bits,
+ * writing the MSB registers is mandatory, even if they are all 0.
+@@ -2055,11 +2060,6 @@ static int axienet_probe(struct platform_device *pdev)
+ lp->coalesce_count_rx = XAXIDMA_DFT_RX_THRESHOLD;
+ lp->coalesce_count_tx = XAXIDMA_DFT_TX_THRESHOLD;
+
+- /* Reset core now that clocks are enabled, prior to accessing MDIO */
+- ret = __axienet_device_reset(lp);
+- if (ret)
+- goto cleanup_clk;
+-
+ ret = axienet_mdio_setup(lp);
+ if (ret)
+ dev_warn(&pdev->dev,
+-- 
+2.39.2
+
diff --git a/tmp-5.10/net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch b/tmp-5.10/net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch
new file mode 100644
index 00000000000..801d041ac37
--- /dev/null
+++ b/tmp-5.10/net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch
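Review bot: The moved comment in the first hunk of xilinx_axienet_main.c still reads `prior to accessing MDIO`, but the reset's new position is dictated by the 64-bit DMA autodetect that follows it, not by MDIO setup. I would reword it to record that dependency, e.g. `/* Reset core now that clocks are enabled: the 64-bit DMA autodetect below writes MM2S_CURDESC_MSB, which is read-only while DMACR.RS is set */`. Without that, a later cleanup could move the reset back next to `axienet_mdio_setup()` and reintroduce the failure. axienet_probe() starts and ends outside both hunks.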
@@ -0,0 +1,39 @@
+From 1b5ea7ffb7a3bdfffb4b7f40ce0d20a3372ee405 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Thu, 22 Jun 2023 03:31:07 -0700
+Subject: net: bcmgenet: Ensure MDIO unregistration has clocks enabled
+
+From: Florian Fainelli
+
+commit 1b5ea7ffb7a3bdfffb4b7f40ce0d20a3372ee405 upstream.
+
+With support for Ethernet PHY LEDs having been added, while
+unregistering a MDIO bus and its child device liks PHYs there may be
+"late" accesses to the MDIO bus. One typical use case is setting the PHY
+LEDs brightness to OFF for instance.
+
+We need to ensure that the MDIO bus controller remains entirely
+functional since it runs off the main GENET adapter clock.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20230617155500.4005881-1-andrew@lunn.ch/
+Fixes: 9a4e79697009 ("net: bcmgenet: utilize generic Broadcom UniMAC MDIO controller driver")
+Signed-off-by: Florian Fainelli
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20230622103107.1760280-1-florian.fainelli@broadcom.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+@@ -624,5 +624,7 @@ void bcmgenet_mii_exit(struct net_device
+ if (of_phy_is_fixed_link(dn))
+ of_phy_deregister_fixed_link(dn);
+ of_node_put(priv->phy_dn);
++ clk_prepare_enable(priv->clk);
+ platform_device_unregister(priv->mii_pdev);
++ clk_disable_unprepare(priv->clk);
+ }
diff --git a/tmp-5.10/net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch b/tmp-5.10/net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch
new file mode 100644
index 00000000000..6ca6484e626
--- /dev/null
+++ b/tmp-5.10/net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch
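Review bot: The return value of `clk_prepare_enable(priv->clk)` is ignored in `bcmgenet_mii_exit()`, so if enabling fails the late MDIO accesses described in the commit message may still run without the clock, and the following `clk_disable_unprepare()` undoes an enable that never happened. The function returns void and has to unregister the device either way, so keep the result and only undo a successful enable: `int ret = clk_prepare_enable(priv->clk);` before the unregister and `if (!ret) clk_disable_unprepare(priv->clk);` after it, ideally with a warning on failure. The function starts outside the hunk.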
@@ -0,0 +1,55 @@
+From ed50cac1312221bd55775880bbadd85707d48851 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Jul 2023 08:53:25 +0200
+Subject: net: bgmac: postpone turning IRQs off to avoid SoC hangs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki
+
+[ Upstream commit e7731194fdf085f46d58b1adccfddbd0dfee4873 ]
+
+Turning IRQs off is done by accessing Ethernet controller registers.
+That can't be done until device's clock is enabled. It results in a SoC
+hang otherwise.
+
+This bug remained unnoticed for years as most bootloaders keep all
+Ethernet interfaces turned on. It seems to only affect a niche SoC
+family BCM47189. It has two Ethernet controllers but CFE bootloader uses
+only the first one.
+
+Fixes: 34322615cbaa ("net: bgmac: Mask interrupts during probe")
+Signed-off-by: Rafał Miłecki
+Reviewed-by: Michal Kubiak
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bgmac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bgmac.c b/drivers/net/ethernet/broadcom/bgmac.c
+index bb999e67d7736..ab8ee93316354 100644
+--- a/drivers/net/ethernet/broadcom/bgmac.c
++++ b/drivers/net/ethernet/broadcom/bgmac.c
+@@ -1492,8 +1492,6 @@ int bgmac_enet_probe(struct bgmac *bgmac)
+
+ bgmac->in_init = true;
+
+- bgmac_chip_intrs_off(bgmac);
+-
+ net_dev->irq = bgmac->irq;
+ SET_NETDEV_DEV(net_dev, bgmac->dev);
+ dev_set_drvdata(bgmac->dev, bgmac);
+@@ -1511,6 +1509,8 @@ int bgmac_enet_probe(struct bgmac *bgmac)
+ */
+ bgmac_clk_enable(bgmac, 0);
+
++ bgmac_chip_intrs_off(bgmac);
++
+ /* This seems to be fixing IRQ by assigning OOB #6 to the core */
+ if (!(bgmac->feature_flags & BGMAC_FEAT_IDM_MASK)) {
+ if (bgmac->feature_flags & BGMAC_FEAT_IRQ_ID_OOB_6)
+-- 
+2.39.2
+
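Review bot: The ordering constraint this change restores is not recorded next to the code: nothing at the new `bgmac_chip_intrs_off(bgmac);` call in the second hunk says it must stay after `bgmac_clk_enable()`. Add a comment above the call, e.g. `/* Accesses controller registers: must run after the clock is enabled, otherwise the SoC can hang */`. bgmac_enet_probe() starts and ends outside both hunks.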
diff --git a/tmp-5.10/net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch b/tmp-5.10/net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch
new file mode 100644
index 00000000000..6017c4fb8ca
--- /dev/null
+++ b/tmp-5.10/net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch
@@ -0,0 +1,198 @@ +From 03d40a655ae7abb7e0093c64f3728edb3b15c053 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 19:41:18 +0300 +Subject: net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode + +From: Vladimir Oltean + +[ Upstream commit 6ca3c005d0604e8d2b439366e3923ea58db99641 ] + +According to the synchronization rules for .ndo_get_stats() as seen in +Documentation/networking/netdevices.rst, acquiring a plain spin_lock() +should not be illegal, but the bridge driver implementation makes it so. + +After running these commands, I am being faced with the following +lockdep splat: + +$ ip link add link swp0 name macsec0 type macsec encrypt on && ip link set swp0 up +$ ip link add dev br0 type bridge vlan_filtering 1 && ip link set br0 up +$ ip link set macsec0 master br0 && ip link set macsec0 up + + ======================================================== + WARNING: possible irq lock inversion dependency detected + 6.4.0-04295-g31b577b4bd4a #603 Not tainted + -------------------------------------------------------- + swapper/1/0 just changed the state of lock: + ffff6bd348724cd8 (&br->lock){+.-.}-{3:3}, at: br_forward_delay_timer_expired+0x34/0x198 + but this lock took another, SOFTIRQ-unsafe lock in the past: + (&ocelot->stats_lock){+.+.}-{3:3} + + and interrupts could create inverse lock ordering between them. + + other info that might help us debug this: + Chain exists of: + &br->lock --> &br->hash_lock --> &ocelot->stats_lock + + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&ocelot->stats_lock); + local_irq_disable(); + lock(&br->lock); + lock(&br->hash_lock); + + lock(&br->lock); + + *** DEADLOCK *** + +(details about the 3 locks skipped) + +swp0 is instantiated by drivers/net/dsa/ocelot/felix.c, and this +only matters to the extent that its .ndo_get_stats64() method calls +spin_lock(&ocelot->stats_lock). 
+ +Documentation/locking/lockdep-design.rst says: + +| A lock is irq-safe means it was ever used in an irq context, while a lock +| is irq-unsafe means it was ever acquired with irq enabled. + +(...) + +| Furthermore, the following usage based lock dependencies are not allowed +| between any two lock-classes:: +| +| -> +| -> + +Lockdep marks br->hash_lock as softirq-safe, because it is sometimes +taken in softirq context (for example br_fdb_update() which runs in +NET_RX softirq), and when it's not in softirq context it blocks softirqs +by using spin_lock_bh(). + +Lockdep marks ocelot->stats_lock as softirq-unsafe, because it never +blocks softirqs from running, and it is never taken from softirq +context. So it can always be interrupted by softirqs. + +There is a call path through which a function that holds br->hash_lock: +fdb_add_hw_addr() will call a function that acquires ocelot->stats_lock: +ocelot_port_get_stats64(). This can be seen below: + +ocelot_port_get_stats64+0x3c/0x1e0 +felix_get_stats64+0x20/0x38 +dsa_slave_get_stats64+0x3c/0x60 +dev_get_stats+0x74/0x2c8 +rtnl_fill_stats+0x4c/0x150 +rtnl_fill_ifinfo+0x5cc/0x7b8 +rtmsg_ifinfo_build_skb+0xe4/0x150 +rtmsg_ifinfo+0x5c/0xb0 +__dev_notify_flags+0x58/0x200 +__dev_set_promiscuity+0xa0/0x1f8 +dev_set_promiscuity+0x30/0x70 +macsec_dev_change_rx_flags+0x68/0x88 +__dev_set_promiscuity+0x1a8/0x1f8 +__dev_set_rx_mode+0x74/0xa8 +dev_uc_add+0x74/0xa0 +fdb_add_hw_addr+0x68/0xd8 +fdb_add_local+0xc4/0x110 +br_fdb_add_local+0x54/0x88 +br_add_if+0x338/0x4a0 +br_add_slave+0x20/0x38 +do_setlink+0x3a4/0xcb8 +rtnl_newlink+0x758/0x9d0 +rtnetlink_rcv_msg+0x2f0/0x550 +netlink_rcv_skb+0x128/0x148 +rtnetlink_rcv+0x24/0x38 + +the plain English explanation for it is: + +The macsec0 bridge port is created without p->flags & BR_PROMISC, +because it is what br_manage_promisc() decides for a VLAN filtering +bridge with a single auto port. 
+ +As part of the br_add_if() procedure, br_fdb_add_local() is called for +the MAC address of the device, and this results in a call to +dev_uc_add() for macsec0 while the softirq-safe br->hash_lock is taken. + +Because macsec0 does not have IFF_UNICAST_FLT, dev_uc_add() ends up +calling __dev_set_promiscuity() for macsec0, which is propagated by its +implementation, macsec_dev_change_rx_flags(), to the lower device: swp0. +This triggers the call path: + +dev_set_promiscuity(swp0) +-> rtmsg_ifinfo() + -> dev_get_stats() + -> ocelot_port_get_stats64() + +with a calling context that lockdep doesn't like (br->hash_lock held). + +Normally we don't see this, because even though many drivers that can be +bridge ports don't support IFF_UNICAST_FLT, we need a driver that + +(a) doesn't support IFF_UNICAST_FLT, *and* +(b) it forwards the IFF_PROMISC flag to another driver, and +(c) *that* driver implements ndo_get_stats64() using a softirq-unsafe + spinlock. + +Condition (b) is necessary because the first __dev_set_rx_mode() calls +__dev_set_promiscuity() with "bool notify=false", and thus, the +rtmsg_ifinfo() code path won't be entered. + +The same criteria also hold true for DSA switches which don't report +IFF_UNICAST_FLT. When the DSA master uses a spin_lock() in its +ndo_get_stats64() method, the same lockdep splat can be seen. + +I think the deadlock possibility is real, even though I didn't reproduce +it, and I'm thinking of the following situation to support that claim: + +fdb_add_hw_addr() runs on a CPU A, in a context with softirqs locally +disabled and br->hash_lock held, and may end up attempting to acquire +ocelot->stats_lock. + +In parallel, ocelot->stats_lock is currently held by a thread B (say, +ocelot_check_stats_work()), which is interrupted while holding it by a +softirq which attempts to lock br->hash_lock. + +Thread B cannot make progress because br->hash_lock is held by A. Whereas +thread A cannot make progress because ocelot->stats_lock is held by B. 
+ +When taking the issue at face value, the bridge can avoid that problem +by simply making the ports promiscuous from a code path with a saner +calling context (br->hash_lock not held). A bridge port without +IFF_UNICAST_FLT is going to become promiscuous as soon as we call +dev_uc_add() on it (which we do unconditionally), so why not be +preemptive and make it promiscuous right from the beginning, so as to +not be taken by surprise. + +With this, we've broken the links between code that holds br->hash_lock +or br->lock and code that calls into the ndo_change_rx_flags() or +ndo_get_stats64() ops of the bridge port. + +Fixes: 2796d0c648c9 ("bridge: Automatically manage port promiscuous mode.") +Signed-off-by: Vladimir Oltean +Reviewed-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_if.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c +index 1d87bf51f3840..e35488fde9c85 100644 +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -157,8 +157,9 @@ void br_manage_promisc(struct net_bridge *br) + * This lets us disable promiscuous mode and write + * this config to hw. + */ +- if (br->auto_cnt == 0 || +- (br->auto_cnt == 1 && br_auto_port(p))) ++ if ((p->dev->priv_flags & IFF_UNICAST_FLT) && ++ (br->auto_cnt == 0 || ++ (br->auto_cnt == 1 && br_auto_port(p)))) + br_port_clear_promisc(p); + else + br_port_set_promisc(p); +-- +2.39.2 + diff --git a/tmp-5.10/net-create-netdev-dev_addr-assignment-helpers.patch b/tmp-5.10/net-create-netdev-dev_addr-assignment-helpers.patch new file mode 100644 index 00000000000..638a0a9ee1e --- /dev/null +++ b/tmp-5.10/net-create-netdev-dev_addr-assignment-helpers.patch 
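Review bot: The new `p->dev->priv_flags & IFF_UNICAST_FLT` test in `br_manage_promisc()` has no explanation in the comment above it, which, as far as the hunk shows, only describes when promiscuous mode can be disabled. Extend that comment with the reason, e.g. `Ports without IFF_UNICAST_FLT are kept promiscuous: dev_uc_add() would make them promiscuous anyway, and it would do so with br->hash_lock held.` The comment block and the function both start outside the hunk.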
@@ -0,0 +1,82 @@ +From a08cdc8ae945d27aa6d522b7c960234a238cee05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 11:10:37 -0700 +Subject: net: create netdev->dev_addr assignment helpers + +From: Jakub Kicinski + +[ Upstream commit 48eab831ae8b9f7002a533fa4235eed63ea1f1a3 ] + +Recent work on converting address list to a tree made it obvious +we need an abstraction around writing netdev->dev_addr. Without +such abstraction updating the main device address is invisible +to the core. + +Introduce a number of helpers which for now just wrap memcpy() +but in the future can make necessary changes to the address +tree. + +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + include/linux/etherdevice.h | 12 ++++++++++++ + include/linux/netdevice.h | 18 ++++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h +index 99209f50915f4..b060514bf25d2 100644 +--- a/include/linux/etherdevice.h ++++ b/include/linux/etherdevice.h +@@ -299,6 +299,18 @@ static inline void ether_addr_copy(u8 *dst, const u8 *src) + #endif + } + ++/** ++ * eth_hw_addr_set - Assign Ethernet address to a net_device ++ * @dev: pointer to net_device structure ++ * @addr: address to assign ++ * ++ * Assign given address to the net_device, addr_assign_type is not changed. 
++ */ ++static inline void eth_hw_addr_set(struct net_device *dev, const u8 *addr) ++{ ++ ether_addr_copy(dev->dev_addr, addr); ++} ++ + /** + * eth_hw_addr_inherit - Copy dev_addr from another net_device + * @dst: pointer to net_device to copy dev_addr to +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 8f03cc42bd43f..302abfc2a1f63 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -4474,6 +4474,24 @@ void __hw_addr_unsync_dev(struct netdev_hw_addr_list *list, + void __hw_addr_init(struct netdev_hw_addr_list *list); + + /* Functions used for device addresses handling */ ++static inline void ++__dev_addr_set(struct net_device *dev, const u8 *addr, size_t len) ++{ ++ memcpy(dev->dev_addr, addr, len); ++} ++ ++static inline void dev_addr_set(struct net_device *dev, const u8 *addr) ++{ ++ __dev_addr_set(dev, addr, dev->addr_len); ++} ++ ++static inline void ++dev_addr_mod(struct net_device *dev, unsigned int offset, ++ const u8 *addr, size_t len) ++{ ++ memcpy(&dev->dev_addr[offset], addr, len); ++} ++ + int dev_addr_add(struct net_device *dev, const unsigned char *addr, + unsigned char addr_type); + int dev_addr_del(struct net_device *dev, const unsigned char *addr, +-- +2.39.2 + diff --git a/tmp-5.10/net-dsa-tag_sja1105-fix-mac-da-patching-from-meta-fr.patch b/tmp-5.10/net-dsa-tag_sja1105-fix-mac-da-patching-from-meta-fr.patch new file mode 100644 index 00000000000..c212146e6a6 --- /dev/null +++ b/tmp-5.10/net-dsa-tag_sja1105-fix-mac-da-patching-from-meta-fr.patch 
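Review bot: `__dev_addr_set()` and `dev_addr_mod()` in the netdevice.h hunk pass a caller-supplied `len` (and `offset`) straight to `memcpy()` with no check against the size of the `dev_addr` buffer, so an oversized length from a driver would write past it. The buffer size is not visible in this hunk (presumably MAX_ADDR_LEN, to be confirmed). At minimum the contract should be documented the way `eth_hw_addr_set()` is in the etherdevice.h hunk, e.g. `/* @len must not exceed dev->addr_len */`. A debug check such as `WARN_ON_ONCE(offset + len > MAX_ADDR_LEN);` in `dev_addr_mod()` is also worth considering.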
@@ -0,0 +1,46 @@
+From 12c6d660a05c41a708a70408521a91b7812f553f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 Jul 2023 01:05:44 +0300
+Subject: net: dsa: tag_sja1105: fix MAC DA patching from meta frames
+
+From: Vladimir Oltean
+
+[ Upstream commit 1dcf6efd5f0c1f4496b3ef7ec5a7db104a53b38c ]
+
+The SJA1105 manual says that at offset 4 into the meta frame payload we
+have "MAC destination byte 2" and at offset 5 we have "MAC destination
+byte 1". These are counted from the LSB, so byte 1 is h_dest[ETH_HLEN-2]
+aka h_dest[4] and byte 2 is h_dest[ETH_HLEN-3] aka h_dest[3].
+
+The sja1105_meta_unpack() function decodes these the other way around,
+so a frame with MAC DA 01:80:c2:11:22:33 is received by the network
+stack as having 01:80:c2:22:11:33.
+
+Fixes: e53e18a6fe4d ("net: dsa: sja1105: Receive and decode meta frames")
+Signed-off-by: Vladimir Oltean
+Reviewed-by: Simon Horman
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/dsa/tag_sja1105.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/dsa/tag_sja1105.c b/net/dsa/tag_sja1105.c
+index 50496013cdb7f..07876160edd2b 100644
+--- a/net/dsa/tag_sja1105.c
++++ b/net/dsa/tag_sja1105.c
+@@ -48,8 +48,8 @@ static void sja1105_meta_unpack(const struct sk_buff *skb,
+ * a unified unpacking command for both device series.
+ */
+ packing(buf, &meta->tstamp, 31, 0, 4, UNPACK, 0);
+- packing(buf + 4, &meta->dmac_byte_4, 7, 0, 1, UNPACK, 0);
+- packing(buf + 5, &meta->dmac_byte_3, 7, 0, 1, UNPACK, 0);
++ packing(buf + 4, &meta->dmac_byte_3, 7, 0, 1, UNPACK, 0);
++ packing(buf + 5, &meta->dmac_byte_4, 7, 0, 1, UNPACK, 0);
+ packing(buf + 6, &meta->source_port, 7, 0, 1, UNPACK, 0);
+ packing(buf + 7, &meta->switch_id, 7, 0, 1, UNPACK, 0);
+ }
+-- 
+2.39.2
+
diff --git a/tmp-5.10/net-dsa-vsc73xx-fix-mtu-configuration.patch b/tmp-5.10/net-dsa-vsc73xx-fix-mtu-configuration.patch
new file mode 100644
index 00000000000..c50e5d54260
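Review bot: Nothing in `sja1105_meta_unpack()` records which payload offset carries which MAC DA byte, and that is the mapping the two swapped `packing()` calls got wrong. The field names `dmac_byte_3`/`dmac_byte_4` appear to follow the `h_dest[]` index, while the manual quoted in the commit message counts bytes from the LSB. Add a comment above the two lines, e.g. `/* offset 4 = manual's "MAC destination byte 2" = h_dest[3]; offset 5 = "byte 1" = h_dest[4] */`. The function starts outside the hunk.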
--- /dev/null
+++ b/tmp-5.10/net-dsa-vsc73xx-fix-mtu-configuration.patch
@@ -0,0 +1,54 @@
+From 3985b7a568cad244f30ac210a9af01ff58c280f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Jun 2023 21:43:27 +0200
+Subject: net: dsa: vsc73xx: fix MTU configuration
+
+From: Pawel Dembicki
+
+[ Upstream commit 3cf62c8177adb0db9e15c8b898c44f997acf3ebf ]
+
+Switch in MAXLEN register stores the maximum size of a data frame.
+The MTU size is 18 bytes smaller than the frame size.
+
+The current settings are causing problems with packet forwarding.
+This patch fixes the MTU settings to proper values.
+
+Fixes: fb77ffc6ec86 ("net: dsa: vsc73xx: make the MTU configurable")
+Reviewed-by: Linus Walleij
+Signed-off-by: Pawel Dembicki
+Reviewed-by: Vladimir Oltean
+Link: https://lore.kernel.org/r/20230628194327.1765644-1-paweldembicki@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/vitesse-vsc73xx-core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/dsa/vitesse-vsc73xx-core.c b/drivers/net/dsa/vitesse-vsc73xx-core.c
+index 19ce4aa0973b4..80eadf509c0a9 100644
+--- a/drivers/net/dsa/vitesse-vsc73xx-core.c
++++ b/drivers/net/dsa/vitesse-vsc73xx-core.c
+@@ -1025,17 +1025,17 @@ static int vsc73xx_change_mtu(struct dsa_switch *ds, int port, int new_mtu)
+ struct vsc73xx *vsc = ds->priv;
+
+ return vsc73xx_write(vsc, VSC73XX_BLOCK_MAC, port,
+- VSC73XX_MAXLEN, new_mtu);
++ VSC73XX_MAXLEN, new_mtu + ETH_HLEN + ETH_FCS_LEN);
+ }
+
+ /* According to application not "VSC7398 Jumbo Frames" setting
+- * up the MTU to 9.6 KB does not affect the performance on standard
++ * up the frame size to 9.6 KB does not affect the performance on standard
+ * frames. It is clear from the application note that
+ * "9.6 kilobytes" == 9600 bytes.
+ */
+ static int vsc73xx_get_max_mtu(struct dsa_switch *ds, int port)
+ {
+- return 9600;
++ return 9600 - ETH_HLEN - ETH_FCS_LEN;
+ }
+
+ static const struct dsa_switch_ops vsc73xx_ds_ops = {
+-- 
+2.39.2
+
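Review bot: The frame overhead `ETH_HLEN + ETH_FCS_LEN` is now spelled out twice, added in `vsc73xx_change_mtu()` and subtracted in `vsc73xx_get_max_mtu()`, and the two expressions have to stay in sync. A single named constant used in both places would prevent drift, e.g. `#define VSC73XX_MTU_OVERHEAD (ETH_HLEN + ETH_FCS_LEN)` (the name is only a suggestion). Whether VLAN-tagged frames need extra headroom in MAXLEN is not answered by this hunk and is worth confirming against the datasheet. The comment on the context line also has a typo, `application not` for `application note`.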
diff --git a/tmp-5.10/net-ena-fix-shift-out-of-bounds-in-exponential-backoff.patch b/tmp-5.10/net-ena-fix-shift-out-of-bounds-in-exponential-backoff.patch
new file mode 100644
index 00000000000..90f050b9a2a
--- /dev/null
+++ b/tmp-5.10/net-ena-fix-shift-out-of-bounds-in-exponential-backoff.patch
@@ -0,0 +1,81 @@ +From 1e9cb763e9bacf0c932aa948f50dcfca6f519a26 Mon Sep 17 00:00:00 2001 +From: Krister Johansen +Date: Mon, 10 Jul 2023 18:36:21 -0700 +Subject: net: ena: fix shift-out-of-bounds in exponential backoff + +From: Krister Johansen + +commit 1e9cb763e9bacf0c932aa948f50dcfca6f519a26 upstream. + +The ENA adapters on our instances occasionally reset. Once recently +logged a UBSAN failure to console in the process: + + UBSAN: shift-out-of-bounds in build/linux/drivers/net/ethernet/amazon/ena/ena_com.c:540:13 + shift exponent 32 is too large for 32-bit type 'unsigned int' + CPU: 28 PID: 70012 Comm: kworker/u72:2 Kdump: loaded not tainted 5.15.117 + Hardware name: Amazon EC2 c5d.9xlarge/, BIOS 1.0 10/16/2017 + Workqueue: ena ena_fw_reset_device [ena] + Call Trace: + + dump_stack_lvl+0x4a/0x63 + dump_stack+0x10/0x16 + ubsan_epilogue+0x9/0x36 + __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e + ? __const_udelay+0x43/0x50 + ena_delay_exponential_backoff_us.cold+0x16/0x1e [ena] + wait_for_reset_state+0x54/0xa0 [ena] + ena_com_dev_reset+0xc8/0x110 [ena] + ena_down+0x3fe/0x480 [ena] + ena_destroy_device+0xeb/0xf0 [ena] + ena_fw_reset_device+0x30/0x50 [ena] + process_one_work+0x22b/0x3d0 + worker_thread+0x4d/0x3f0 + ? process_one_work+0x3d0/0x3d0 + kthread+0x12a/0x150 + ? set_kthread_struct+0x50/0x50 + ret_from_fork+0x22/0x30 + + +Apparently, the reset delays are getting so large they can trigger a +UBSAN panic. + +Looking at the code, the current timeout is capped at 5000us. Using a +base value of 100us, the current code will overflow after (1<<29). Even +at values before 32, this function wraps around, perhaps +unintentionally. + +Cap the value of the exponent used for this backoff at (1<<16) which is +larger than currently necessary, but large enough to support bigger +values in the future. 
+ +Cc: stable@vger.kernel.org +Fixes: 4bb7f4cf60e3 ("net: ena: reduce driver load time") +Signed-off-by: Krister Johansen +Reviewed-by: Leon Romanovsky +Reviewed-by: Shay Agroskin +Link: https://lore.kernel.org/r/20230711013621.GE1926@templeofstupid.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amazon/ena/ena_com.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/amazon/ena/ena_com.c ++++ b/drivers/net/ethernet/amazon/ena/ena_com.c +@@ -35,6 +35,8 @@ + + #define ENA_REGS_ADMIN_INTR_MASK 1 + ++#define ENA_MAX_BACKOFF_DELAY_EXP 16U ++ + #define ENA_MIN_ADMIN_POLL_US 100 + + #define ENA_MAX_ADMIN_POLL_US 5000 +@@ -522,6 +524,7 @@ static int ena_com_comp_status_to_errno( + + static void ena_delay_exponential_backoff_us(u32 exp, u32 delay_us) + { ++ exp = min_t(u32, exp, ENA_MAX_BACKOFF_DELAY_EXP); + delay_us = max_t(u32, ENA_MIN_ADMIN_POLL_US, delay_us); + delay_us = min_t(u32, delay_us * (1U << exp), ENA_MAX_ADMIN_POLL_US); + usleep_range(delay_us, 2 * delay_us); diff --git a/tmp-5.10/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch b/tmp-5.10/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch new file mode 100644 index 00000000000..d9ce3cf8416 --- /dev/null +++ b/tmp-5.10/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch 
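Review bot: Capping `exp` removes the undefined shift, but `delay_us * (1U << exp)` in `ena_delay_exponential_backoff_us()` is still a 32-bit multiply evaluated before the `min_t()` clamp. With `exp` at 16, any `delay_us` of 65536 or more wraps and can yield a delay below `ENA_MAX_ADMIN_POLL_US`; the callers are outside the hunk, so whether such values occur is not visible. Doing the product in 64 bits keeps the clamp meaningful: `delay_us = min_t(u64, (u64)delay_us << exp, ENA_MAX_ADMIN_POLL_US);`. A short comment on `ENA_MAX_BACKOFF_DELAY_EXP` saying that it only bounds the shift count would help too. The function's end is outside the hunk.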
@@ -0,0 +1,78 @@ +From 96ea5ecf20426f959f93f844b16d3582f11c6c6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 16:36:57 +0530 +Subject: net: ethernet: ti: cpsw_ale: Fix + cpsw_ale_get_field()/cpsw_ale_set_field() + +From: Tanmay Patil + +[ Upstream commit b685f1a58956fa36cc01123f253351b25bfacfda ] + +CPSW ALE has 75 bit ALE entries which are stored within three 32 bit words. +The cpsw_ale_get_field() and cpsw_ale_set_field() functions assume that the +field will be strictly contained within one word. However, this is not +guaranteed to be the case and it is possible for ALE field entries to span +across up to two words at the most. + +Fix the methods to handle getting/setting fields spanning up to two words. + +Fixes: db82173f23c5 ("netdev: driver: ethernet: add cpsw address lookup engine support") +Signed-off-by: Tanmay Patil +[s-vadapalli@ti.com: rephrased commit message and added Fixes tag] +Signed-off-by: Siddharth Vadapalli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/cpsw_ale.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c +index a6a455c326288..73efc8b453643 100644 +--- a/drivers/net/ethernet/ti/cpsw_ale.c ++++ b/drivers/net/ethernet/ti/cpsw_ale.c +@@ -104,23 +104,37 @@ struct cpsw_ale_dev_id { + + static inline int cpsw_ale_get_field(u32 *ale_entry, u32 start, u32 bits) + { +- int idx; ++ int idx, idx2; ++ u32 hi_val = 0; + + idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be fetched exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ hi_val = ale_entry[idx2] << ((idx2 * 32) - start); ++ } + start -= idx * 32; + idx = 2 - idx; /* flip */ +- return (ale_entry[idx] >> start) & BITMASK(bits); ++ return (hi_val + (ale_entry[idx] >> start)) & BITMASK(bits); + } + + static inline void cpsw_ale_set_field(u32 *ale_entry, u32 start, 
u32 bits, + u32 value) + { +- int idx; ++ int idx, idx2; + + value &= BITMASK(bits); +- idx = start / 32; ++ idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be set exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ ale_entry[idx2] &= ~(BITMASK(bits + start - (idx2 * 32))); ++ ale_entry[idx2] |= (value >> ((idx2 * 32) - start)); ++ } + start -= idx * 32; +- idx = 2 - idx; /* flip */ ++ idx = 2 - idx; /* flip */ + ale_entry[idx] &= ~(BITMASK(bits) << start); + ale_entry[idx] |= (value << start); + } +-- +2.39.2 + diff --git a/tmp-5.10/net-introduce-net.ipv4.tcp_migrate_req.patch b/tmp-5.10/net-introduce-net.ipv4.tcp_migrate_req.patch new file mode 100644 index 00000000000..e00f5e14e6d --- /dev/null +++ b/tmp-5.10/net-introduce-net.ipv4.tcp_migrate_req.patch 
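Review bot: In both `cpsw_ale_get_field()` and `cpsw_ale_set_field()` the shift amounts are computed from `idx2` after it has been flipped into an array index, which is only correct when the high word is word 1 (where `2 - 1 == 1`). For a field that straddles bits 63/64 the flipped `idx2` is 0, so `(idx2 * 32) - start` wraps as an unsigned value and the shift count exceeds the word width; whether any defined ALE field crosses that boundary is not visible here. Keeping `idx2` as the word number and flipping only at the array access avoids this: `hi_val = ale_entry[2 - idx2] << ((idx2 * 32) - start);`. The same applies to the two `ale_entry[idx2]` lines in set_field, which would index `ale_entry[2 - idx2]`, with both `idx2 = 2 - idx2;` assignments dropped.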
@@ -0,0 +1,99 @@
+From ae21150f40b0f78661a99973150ac17b5503fced Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 12 Jun 2021 21:32:14 +0900
+Subject: net: Introduce net.ipv4.tcp_migrate_req.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit f9ac779f881c2ec3d1cdcd7fa9d4f9442bf60e80 ]
+
+This commit adds a new sysctl option: net.ipv4.tcp_migrate_req. If this
+option is enabled or eBPF program is attached, we will be able to migrate
+child sockets from a listener to another in the same reuseport group after
+close() or shutdown() syscalls.
+
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: Daniel Borkmann
+Reviewed-by: Benjamin Herrenschmidt
+Reviewed-by: Eric Dumazet
+Acked-by: Martin KaFai Lau
+Link: https://lore.kernel.org/bpf/20210612123224.12525-2-kuniyu@amazon.co.jp
+Stable-dep-of: 3a037f0f3c4b ("tcp: annotate data-races around icsk->icsk_syn_retries")
+Signed-off-by: Sasha Levin
+---
+ Documentation/networking/ip-sysctl.rst | 25 +++++++++++++++++++++++++
+ include/net/netns/ipv4.h | 1 +
+ net/ipv4/sysctl_net_ipv4.c | 9 +++++++++
+ 3 files changed, 35 insertions(+)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index df26cf4110ef5..252212998378e 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -713,6 +713,31 @@ tcp_syncookies - INTEGER
+ network connections you can set this knob to 2 to enable
+ unconditionally generation of syncookies.
+
++tcp_migrate_req - BOOLEAN
++ The incoming connection is tied to a specific listening socket when
++ the initial SYN packet is received during the three-way handshake.
++ When a listener is closed, in-flight request sockets during the
++ handshake and established sockets in the accept queue are aborted.
++
++ If the listener has SO_REUSEPORT enabled, other listeners on the
++ same port should have been able to accept such connections. This
++ option makes it possible to migrate such child sockets to another
++ listener after close() or shutdown().
++
++ The BPF_SK_REUSEPORT_SELECT_OR_MIGRATE type of eBPF program should
++ usually be used to define the policy to pick an alive listener.
++ Otherwise, the kernel will randomly pick an alive listener only if
++ this option is enabled.
++
++ Note that migration between listeners with different settings may
++ crash applications. Let's say migration happens from listener A to
++ B, and only B has TCP_SAVE_SYN enabled. B cannot read SYN data from
++ the requests migrated from A. To avoid such a situation, cancel
++ migration by returning SK_DROP in the type of eBPF program, or
++ disable this option.
++
++ Default: 0
++
+ tcp_fastopen - INTEGER
+ Enable TCP Fast Open (RFC7413) to send and accept data in the opening
+ SYN packet.
+diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
+index 4a4a5270ff6f2..9b0d8649ae5b8 100644
+--- a/include/net/netns/ipv4.h
++++ b/include/net/netns/ipv4.h
+@@ -131,6 +131,7 @@ struct netns_ipv4 {
+ u8 sysctl_tcp_syn_retries;
+ u8 sysctl_tcp_synack_retries;
+ u8 sysctl_tcp_syncookies;
++ u8 sysctl_tcp_migrate_req;
+ int sysctl_tcp_reordering;
+ u8 sysctl_tcp_retries1;
+ u8 sysctl_tcp_retries2;
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 5aa8bde3e9c8e..59ba518a85b9c 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -878,6 +878,15 @@ static struct ctl_table ipv4_net_table[] = {
+ .proc_handler = proc_dou8vec_minmax,
+ },
+ #endif
++ {
++ .procname = "tcp_migrate_req",
++ .data = &init_net.ipv4.sysctl_tcp_migrate_req,
++ .maxlen = sizeof(u8),
++ .mode = 0644,
++ .proc_handler = proc_dou8vec_minmax,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = SYSCTL_ONE
++ },
+ {
+ .procname = "tcp_reordering",
+ .data = &init_net.ipv4.sysctl_tcp_reordering,
+--
+2.39.2
+
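Review bot: This backport exposes a writable `net.ipv4.tcp_migrate_req` knob and documents listener migration, but its diffstat covers only ip-sysctl.rst, the `netns_ipv4` field and the `ipv4_net_table[]` entry, so nothing in this patch reads `sysctl_tcp_migrate_req`. The trailer `Stable-dep-of: 3a037f0f3c4b` suggests it is queued only as a dependency. Unless the rest of the migration series is queued for this tree as well, administrators would see a documented switch that has no effect. If that is the case, either say so next to the table entry, e.g. `/* dependency-only backport: nothing in this tree consumes tcp_migrate_req yet */`, or leave the ip-sysctl.rst paragraph out of the backport.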
diff --git a/tmp-5.10/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch b/tmp-5.10/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch
new file mode 100644
index 00000000000..acae9d867aa
--- /dev/null
+++ b/tmp-5.10/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch
@@ -0,0 +1,38 @@
+From 8a36b7e84c4f11a95dcae5ff1a0ca5c7f8d64669 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 17:59:19 +0800
+Subject: net: ipv4: Use kfree_sensitive instead of kfree
+
+From: Wang Ming
+
+[ Upstream commit daa751444fd9d4184270b1479d8af49aaf1a1ee6 ]
+
+key might contain private part of the key, so better use
+kfree_sensitive to free it.
+
+Fixes: 38320c70d282 ("[IPSEC]: Use crypto_aead and authenc in ESP")
+Signed-off-by: Wang Ming
+Reviewed-by: Tariq Toukan
+Reviewed-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/esp4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
+index 20d7381378418..28252029bd798 100644
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -1134,7 +1134,7 @@ static int esp_init_authenc(struct xfrm_state *x)
+ err = crypto_aead_setkey(aead, key, keylen);
+
+ free_key:
+- kfree(key);
++ kfree_sensitive(key);
+
+ error:
+ return err;
+--
+2.39.2
+
diff --git a/tmp-5.10/net-ipv6-check-return-value-of-pskb_trim.patch b/tmp-5.10/net-ipv6-check-return-value-of-pskb_trim.patch
new file mode 100644
index 00000000000..2234befecca
--- /dev/null
+++ b/tmp-5.10/net-ipv6-check-return-value-of-pskb_trim.patch
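Review bot: The zeroizing free at `free_key:` carries no comment saying why it differs from a plain kfree(), which makes it easy to undo in a later cleanup. `key` is the buffer handed to `crypto_aead_setkey()` and, per the commit message, may hold private key material, so a line such as `/* key holds secret key material: zeroize before freeing */` above the call would record the intent. esp_init_authenc() starts outside the hunk, so whether every exit taken after the key buffer is allocated passes through `free_key` rather than jumping straight to `error` cannot be checked from here.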
@@ -0,0 +1,39 @@
+From 68600431fa18bb9f24aeb659ce4fe926f3c5535a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 22:45:19 +0800
+Subject: net:ipv6: check return value of pskb_trim()
+
+From: Yuanjun Gong
+
+[ Upstream commit 4258faa130be4ea43e5e2d839467da421b8ff274 ]
+
+goto tx_err if an unexpected result is returned by pskb_tirm()
+in ip6erspan_tunnel_xmit().
+
+Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support")
+Signed-off-by: Yuanjun Gong
+Reviewed-by: David Ahern
+Reviewed-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/ip6_gre.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 7b50e1811678e..2df1036330f80 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -955,7 +955,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+ goto tx_err;
+
+ if (skb->len > dev->mtu + dev->hard_header_len) {
+- pskb_trim(skb, dev->mtu + dev->hard_header_len);
++ if (pskb_trim(skb, dev->mtu + dev->hard_header_len))
++ goto tx_err;
+ truncate = true;
+ }
+
+--
+2.39.2
+
diff --git a/tmp-5.10/net-lan743x-don-t-sleep-in-atomic-context.patch b/tmp-5.10/net-lan743x-don-t-sleep-in-atomic-context.patch
new file mode 100644
index 00000000000..97a5a4caff1
--- /dev/null
+++ b/tmp-5.10/net-lan743x-don-t-sleep-in-atomic-context.patch
@@ -0,0 +1,72 @@
+From 7a8227b2e76be506b2ac64d2beac950ca04892a5 Mon Sep 17 00:00:00 2001
+From: Moritz Fischer
+Date: Tue, 27 Jun 2023 03:50:00 +0000
+Subject: net: lan743x: Don't sleep in atomic context
+
+From: Moritz Fischer
+
+commit 7a8227b2e76be506b2ac64d2beac950ca04892a5 upstream.
+
+dev_set_rx_mode() grabs a spin_lock, and the lan743x implementation
+proceeds subsequently to go to sleep using readx_poll_timeout().
+
+Introduce a helper wrapping the readx_poll_timeout_atomic() function
+and use it to replace the calls to readx_polL_timeout().
+
+Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver")
+Cc: stable@vger.kernel.org
+Cc: Bryan Whitehead
+Cc: UNGLinuxDriver@microchip.com
+Signed-off-by: Moritz Fischer
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20230627035000.1295254-1-moritzf@google.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/microchip/lan743x_main.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/microchip/lan743x_main.c
++++ b/drivers/net/ethernet/microchip/lan743x_main.c
+@@ -83,6 +83,18 @@ static int lan743x_csr_light_reset(struc
+ !(data & HW_CFG_LRST_), 100000, 10000000);
+ }
+
++static int lan743x_csr_wait_for_bit_atomic(struct lan743x_adapter *adapter,
++ int offset, u32 bit_mask,
++ int target_value, int udelay_min,
++ int udelay_max, int count)
++{
++ u32 data;
++
++ return readx_poll_timeout_atomic(LAN743X_CSR_READ_OP, offset, data,
++ target_value == !!(data & bit_mask),
++ udelay_max, udelay_min * count);
++}
++
+ static int lan743x_csr_wait_for_bit(struct lan743x_adapter *adapter,
+ int offset, u32 bit_mask,
+ int target_value, int usleep_min,
+@@ -678,8 +690,8 @@ static int lan743x_dp_write(struct lan74
+ u32 dp_sel;
+ int i;
+
+- if (lan743x_csr_wait_for_bit(adapter, DP_SEL, DP_SEL_DPRDY_,
+- 1, 40, 100, 100))
++ if (lan743x_csr_wait_for_bit_atomic(adapter, DP_SEL, DP_SEL_DPRDY_,
++ 1, 40, 100, 100))
+ return -EIO;
+ dp_sel = lan743x_csr_read(adapter, DP_SEL);
+ dp_sel &= ~DP_SEL_MASK_;
+@@ -690,8 +702,9 @@ static int lan743x_dp_write(struct lan74
+ lan743x_csr_write(adapter, DP_ADDR, addr + i);
+ lan743x_csr_write(adapter, DP_DATA_0, buf[i]);
+ lan743x_csr_write(adapter, DP_CMD, DP_CMD_WRITE_);
+- if (lan743x_csr_wait_for_bit(adapter, DP_SEL, DP_SEL_DPRDY_,
+- 1, 40, 100, 100))
++ if (lan743x_csr_wait_for_bit_atomic(adapter, DP_SEL,
++ DP_SEL_DPRDY_,
++ 1, 40, 100, 100))
+ return -EIO;
+ }
+
diff --git a/tmp-5.10/net-mlx5e-check-for-not_ready-flag-state-after-locki.patch b/tmp-5.10/net-mlx5e-check-for-not_ready-flag-state-after-locki.patch
new file mode 100644
index 00000000000..7f37aaa9fa5
--- /dev/null
+++ b/tmp-5.10/net-mlx5e-check-for-not_ready-flag-state-after-locki.patch
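Review bot: The new lan743x_csr_wait_for_bit_atomic() has no comment explaining how its arguments map onto the poll, and the mapping is not obvious: it passes `udelay_max` as the delay and `udelay_min * count` as the timeout to readx_poll_timeout_atomic(). With the arguments used in lan743x_dp_write() (`1, 40, 100, 100`) that is a busy-wait in 100 us steps for up to 4000 us, in the spin-locked dev_set_rx_mode() path the commit message describes, and the second call site sits among per-`i` register writes, so the wait is apparently repeated per element. A short comment on the helper would help callers keep the worst case bounded. It should state that the helper spins instead of sleeping, that the timeout is `udelay_min * count` microseconds, and that `target_value` must be 0 or 1 because it is compared with `!!(data & bit_mask)`. lan743x_dp_write() starts and ends outside both hunks, so the loop bound is not visible here.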
@@ -0,0 +1,133 @@ +From 4fab9166cfad1448f3e5a54a365ade31178e240e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 09:32:10 +0200 +Subject: net/mlx5e: Check for NOT_READY flag state after locking + +From: Vlad Buslov + +[ Upstream commit 65e64640e97c0f223e77f9ea69b5a46186b93470 ] + +Currently the check for NOT_READY flag is performed before obtaining the +necessary lock. This opens a possibility for race condition when the flow +is concurrently removed from unready_flows list by the workqueue task, +which causes a double-removal from the list and a crash[0]. Fix the issue +by moving the flag check inside the section protected by +uplink_priv->unready_flows_lock mutex. + +[0]: +[44376.389654] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP +[44376.391665] CPU: 7 PID: 59123 Comm: tc Not tainted 6.4.0-rc4+ #1 +[44376.392984] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +[44376.395342] RIP: 0010:mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core] +[44376.396857] Code: 00 48 8b b8 68 ce 02 00 e8 8a 4d 02 00 4c 8d a8 a8 01 00 00 4c 89 ef e8 8b 79 88 e1 48 8b 83 98 06 00 00 48 8b 93 90 06 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 90 06 +[44376.399167] RSP: 0018:ffff88812cc97570 EFLAGS: 00010246 +[44376.399680] RAX: dead000000000122 RBX: ffff8881088e3800 RCX: ffff8881881bac00 +[44376.400337] RDX: dead000000000100 RSI: ffff88812cc97500 RDI: ffff8881242f71b0 +[44376.401001] RBP: ffff88811cbb0940 R08: 0000000000000400 R09: 0000000000000001 +[44376.401663] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88812c944000 +[44376.402342] R13: ffff8881242f71a8 R14: ffff8881222b4000 R15: 0000000000000000 +[44376.402999] FS: 00007f0451104800(0000) GS:ffff88852cb80000(0000) knlGS:0000000000000000 +[44376.403787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[44376.404343] CR2: 0000000000489108 CR3: 0000000123a79003 CR4: 
0000000000370ea0 +[44376.405004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[44376.405665] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[44376.406339] Call Trace: +[44376.406651] +[44376.406939] ? die_addr+0x33/0x90 +[44376.407311] ? exc_general_protection+0x192/0x390 +[44376.407795] ? asm_exc_general_protection+0x22/0x30 +[44376.408292] ? mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core] +[44376.408876] __mlx5e_tc_del_fdb_peer_flow+0xbc/0xe0 [mlx5_core] +[44376.409482] mlx5e_tc_del_flow+0x42/0x210 [mlx5_core] +[44376.410055] mlx5e_flow_put+0x25/0x50 [mlx5_core] +[44376.410529] mlx5e_delete_flower+0x24b/0x350 [mlx5_core] +[44376.411043] tc_setup_cb_reoffload+0x22/0x80 +[44376.411462] fl_reoffload+0x261/0x2f0 [cls_flower] +[44376.411907] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core] +[44376.412481] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core] +[44376.413044] tcf_block_playback_offloads+0x76/0x170 +[44376.413497] tcf_block_unbind+0x7b/0xd0 +[44376.413881] tcf_block_setup+0x17d/0x1c0 +[44376.414269] tcf_block_offload_cmd.isra.0+0xf1/0x130 +[44376.414725] tcf_block_offload_unbind+0x43/0x70 +[44376.415153] __tcf_block_put+0x82/0x150 +[44376.415532] ingress_destroy+0x22/0x30 [sch_ingress] +[44376.415986] qdisc_destroy+0x3b/0xd0 +[44376.416343] qdisc_graft+0x4d0/0x620 +[44376.416706] tc_get_qdisc+0x1c9/0x3b0 +[44376.417074] rtnetlink_rcv_msg+0x29c/0x390 +[44376.419978] ? rep_movs_alternative+0x3a/0xa0 +[44376.420399] ? rtnl_calcit.isra.0+0x120/0x120 +[44376.420813] netlink_rcv_skb+0x54/0x100 +[44376.421192] netlink_unicast+0x1f6/0x2c0 +[44376.421573] netlink_sendmsg+0x232/0x4a0 +[44376.421980] sock_sendmsg+0x38/0x60 +[44376.422328] ____sys_sendmsg+0x1d0/0x1e0 +[44376.422709] ? copy_msghdr_from_user+0x6d/0xa0 +[44376.423127] ___sys_sendmsg+0x80/0xc0 +[44376.423495] ? 
___sys_recvmsg+0x8b/0xc0 +[44376.423869] __sys_sendmsg+0x51/0x90 +[44376.424226] do_syscall_64+0x3d/0x90 +[44376.424587] entry_SYSCALL_64_after_hwframe+0x46/0xb0 +[44376.425046] RIP: 0033:0x7f045134f887 +[44376.425403] Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 +[44376.426914] RSP: 002b:00007ffd63a82b98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +[44376.427592] RAX: ffffffffffffffda RBX: 000000006481955f RCX: 00007f045134f887 +[44376.428195] RDX: 0000000000000000 RSI: 00007ffd63a82c00 RDI: 0000000000000003 +[44376.428796] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 +[44376.429404] R10: 00007f0451208708 R11: 0000000000000246 R12: 0000000000000001 +[44376.430039] R13: 0000000000409980 R14: 000000000047e538 R15: 0000000000485400 +[44376.430644] +[44376.430907] Modules linked in: mlx5_ib mlx5_core act_mirred act_tunnel_key cls_flower vxlan dummy sch_ingress openvswitch nsh rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_g +ss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: mlx5_core] +[44376.433936] ---[ end trace 0000000000000000 ]--- +[44376.434373] RIP: 0010:mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core] +[44376.434951] Code: 00 48 8b b8 68 ce 02 00 e8 8a 4d 02 00 4c 8d a8 a8 01 00 00 4c 89 ef e8 8b 79 88 e1 48 8b 83 98 06 00 00 48 8b 93 90 06 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 90 06 +[44376.436452] RSP: 0018:ffff88812cc97570 EFLAGS: 00010246 +[44376.436924] RAX: dead000000000122 RBX: ffff8881088e3800 RCX: ffff8881881bac00 +[44376.437530] RDX: dead000000000100 RSI: ffff88812cc97500 RDI: ffff8881242f71b0 +[44376.438179] RBP: ffff88811cbb0940 R08: 0000000000000400 R09: 
0000000000000001 +[44376.438786] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88812c944000 +[44376.439393] R13: ffff8881242f71a8 R14: ffff8881222b4000 R15: 0000000000000000 +[44376.439998] FS: 00007f0451104800(0000) GS:ffff88852cb80000(0000) knlGS:0000000000000000 +[44376.440714] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[44376.441225] CR2: 0000000000489108 CR3: 0000000123a79003 CR4: 0000000000370ea0 +[44376.441843] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[44376.442471] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Fixes: ad86755b18d5 ("net/mlx5e: Protect unready flows with dedicated lock") +Signed-off-by: Vlad Buslov +Reviewed-by: Roi Dayan +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +index 16846442717dc..c6a81a51530d2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -1334,7 +1334,8 @@ static void remove_unready_flow(struct mlx5e_tc_flow *flow) + uplink_priv = &rpriv->uplink_priv; + + mutex_lock(&uplink_priv->unready_flows_lock); +- unready_flow_del(flow); ++ if (flow_flag_test(flow, NOT_READY)) ++ unready_flow_del(flow); + mutex_unlock(&uplink_priv->unready_flows_lock); + } + +@@ -1475,8 +1476,7 @@ static void mlx5e_tc_del_fdb_flow(struct mlx5e_priv *priv, + + mlx5e_put_flow_tunnel_id(flow); + +- if (flow_flag_test(flow, NOT_READY)) +- remove_unready_flow(flow); ++ remove_unready_flow(flow); + + if (mlx5e_is_offloaded_flow(flow)) { + if (flow_flag_test(flow, SLOW)) +-- +2.39.2 + diff --git a/tmp-5.10/net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch b/tmp-5.10/net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch new file mode 100644 index 00000000000..390629d9fcf 
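Review bot: Moving the `flow_flag_test(flow, NOT_READY)` test inside remove_unready_flow() means the lines before the mutex, including the context line `uplink_priv = &rpriv->uplink_priv;`, now run for every flow that reaches mlx5e_tc_del_fdb_flow(), not only for flows on the unready list. How `rpriv` is obtained is outside the hunk, so it should be confirmed that the lookup is valid for flows that never carried NOT_READY. The test under the mutex is also race-free only if every writer of NOT_READY holds `unready_flows_lock`, which cannot be seen from here. A comment at the test, `/* NOT_READY is tested under unready_flows_lock; the workqueue task removes flows from the list concurrently */`, would record that invariant for later changes.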
--- /dev/null
+++ b/tmp-5.10/net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch
@@ -0,0 +1,38 @@
+From 51c1d01a8df6ae61c3421a1b34f59d4ff6474735 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Jun 2023 08:59:34 +0800
+Subject: net/mlx5e: fix double free in mlx5e_destroy_flow_table
+
+From: Zhengchao Shao
+
+[ Upstream commit 884abe45a9014d0de2e6edb0630dfd64f23f1d1b ]
+
+In function accel_fs_tcp_create_groups(), when the ft->g memory is
+successfully allocated but the 'in' memory fails to be allocated, the
+memory pointed to by ft->g is released once. And in function
+accel_fs_tcp_create_table, mlx5e_destroy_flow_table is called to release
+the memory pointed to by ft->g again. This will cause double free problem.
+
+Fixes: c062d52ac24c ("net/mlx5e: Receive flow steering framework for accelerated TCP flows")
+Signed-off-by: Zhengchao Shao
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c
+index e51f60b55daa4..2da90f6649d17 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/fs_tcp.c
+@@ -194,6 +194,7 @@ static int accel_fs_tcp_create_groups(struct mlx5e_flow_table *ft,
+ in = kvzalloc(inlen, GFP_KERNEL);
+ if (!in || !ft->g) {
+ kfree(ft->g);
++ ft->g = NULL;
+ kvfree(in);
+ return -ENOMEM;
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch b/tmp-5.10/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch
new file mode 100644
index 00000000000..48d4f71190f
--- /dev/null
+++ b/tmp-5.10/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch
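Review bot: The added `ft->g = NULL;` prevents the second free only if the caller's cleanup does nothing else with the group array once it is NULL. Per the commit message that cleanup is mlx5e_destroy_flow_table(), which is outside the hunk, so whether it also walks `ft->g` by a group count before freeing cannot be confirmed here. The store is uncommented too, and a bare NULL assignment after kfree() in an error branch that returns immediately looks redundant and is an easy target for a later tidy-up. `/* caller's error path frees ft->g again via mlx5e_destroy_flow_table() */` would say why it has to stay. accel_fs_tcp_create_groups() begins and continues outside the hunk.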
@@ -0,0 +1,48 @@
+From 8d474071fb65277ad4a185d716e67d58a5603536 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 Jul 2023 07:37:12 +0200
+Subject: net: mvneta: fix txq_map in case of txq_number==1
+
+From: Klaus Kudielka
+
+[ Upstream commit 21327f81db6337c8843ce755b01523c7d3df715b ]
+
+If we boot with mvneta.txq_number=1, the txq_map is set incorrectly:
+MVNETA_CPU_TXQ_ACCESS(1) refers to TX queue 1, but only TX queue 0 is
+initialized. Fix this.
+
+Fixes: 50bf8cb6fc9c ("net: mvneta: Configure XPS support")
+Signed-off-by: Klaus Kudielka
+Reviewed-by: Michal Kubiak
+Link: https://lore.kernel.org/r/20230705053712.3914-1-klaus.kudielka@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvneta.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index f5567d485e91a..3656a3937eca6 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -1471,7 +1471,7 @@ static void mvneta_defaults_set(struct mvneta_port *pp)
+ */
+ if (txq_number == 1)
+ txq_map = (cpu == pp->rxq_def) ?
+- MVNETA_CPU_TXQ_ACCESS(1) : 0;
++ MVNETA_CPU_TXQ_ACCESS(0) : 0;
+
+ } else {
+ txq_map = MVNETA_CPU_TXQ_ACCESS_ALL_MASK;
+@@ -4165,7 +4165,7 @@ static void mvneta_percpu_elect(struct mvneta_port *pp)
+ */
+ if (txq_number == 1)
+ txq_map = (cpu == elected_cpu) ?
+- MVNETA_CPU_TXQ_ACCESS(1) : 0;
++ MVNETA_CPU_TXQ_ACCESS(0) : 0;
+ else
+ txq_map = mvreg_read(pp, MVNETA_CPU_MAP(cpu)) &
+ MVNETA_CPU_TXQ_ACCESS_ALL_MASK;
+--
+2.39.2
+
diff --git a/tmp-5.10/net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch b/tmp-5.10/net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch
new file mode 100644
index 00000000000..c838ff8dad0
--- /dev/null
+++ b/tmp-5.10/net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch
@@ -0,0 +1,558 @@ +From 6ad39efca516d26f976bb2fd3da622dae913c90a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jun 2023 17:10:07 +0800 +Subject: net: nfc: Fix use-after-free caused by nfc_llcp_find_local + +From: Lin Ma + +[ Upstream commit 6709d4b7bc2e079241fdef15d1160581c5261c10 ] + +This commit fixes several use-after-free that caused by function +nfc_llcp_find_local(). For example, one UAF can happen when below buggy +time window occurs. + +// nfc_genl_llc_get_params | // nfc_unregister_device + | +dev = nfc_get_device(idx); | device_lock(...) +if (!dev) | dev->shutting_down = true; + return -ENODEV; | device_unlock(...); + | +device_lock(...); | // nfc_llcp_unregister_device + | nfc_llcp_find_local() +nfc_llcp_find_local(...); | + | local_cleanup() +if (!local) { | + rc = -ENODEV; | // nfc_llcp_local_put + goto exit; | kref_put(.., local_release) +} | + | // local_release + | list_del(&local->list) + // nfc_genl_send_params | kfree() + local->dev->idx !!!UAF!!! | + | + +and the crash trace for the one of the discussed UAF like: + +BUG: KASAN: slab-use-after-free in nfc_genl_llc_get_params+0x72f/0x780 net/nfc/netlink.c:1045 +Read of size 8 at addr ffff888105b0e410 by task 20114 + +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:319 [inline] + print_report+0xcc/0x620 mm/kasan/report.c:430 + kasan_report+0xb2/0xe0 mm/kasan/report.c:536 + nfc_genl_send_params net/nfc/netlink.c:999 [inline] + nfc_genl_llc_get_params+0x72f/0x780 net/nfc/netlink.c:1045 + genl_family_rcv_msg_doit.isra.0+0x1ee/0x2e0 net/netlink/genetlink.c:968 + genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline] + genl_rcv_msg+0x503/0x7d0 net/netlink/genetlink.c:1065 + netlink_rcv_skb+0x161/0x430 net/netlink/af_netlink.c:2548 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x644/0x900 
net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x934/0xe70 net/netlink/af_netlink.c:1913 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x1b6/0x200 net/socket.c:747 + ____sys_sendmsg+0x6e9/0x890 net/socket.c:2501 + ___sys_sendmsg+0x110/0x1b0 net/socket.c:2555 + __sys_sendmsg+0xf7/0x1d0 net/socket.c:2584 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7f34640a2389 +RSP: 002b:00007f3463415168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f34641c1f80 RCX: 00007f34640a2389 +RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000006 +RBP: 00007f34640ed493 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007ffe38449ecf R14: 00007f3463415300 R15: 0000000000022000 + + +Allocated by task 20116: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:374 [inline] + __kasan_kmalloc+0x7f/0x90 mm/kasan/common.c:383 + kmalloc include/linux/slab.h:580 [inline] + kzalloc include/linux/slab.h:720 [inline] + nfc_llcp_register_device+0x49/0xa40 net/nfc/llcp_core.c:1567 + nfc_register_device+0x61/0x260 net/nfc/core.c:1124 + nci_register_device+0x776/0xb20 net/nfc/nci/core.c:1257 + virtual_ncidev_open+0x147/0x230 drivers/nfc/virtual_ncidev.c:148 + misc_open+0x379/0x4a0 drivers/char/misc.c:165 + chrdev_open+0x26c/0x780 fs/char_dev.c:414 + do_dentry_open+0x6c4/0x12a0 fs/open.c:920 + do_open fs/namei.c:3560 [inline] + path_openat+0x24fe/0x37e0 fs/namei.c:3715 + do_filp_open+0x1ba/0x410 fs/namei.c:3742 + do_sys_openat2+0x171/0x4c0 fs/open.c:1356 + do_sys_open fs/open.c:1372 [inline] + __do_sys_openat fs/open.c:1388 [inline] + __se_sys_openat fs/open.c:1383 [inline] + __x64_sys_openat+0x143/0x200 fs/open.c:1383 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + 
do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Freed by task 20115: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free mm/kasan/common.c:200 [inline] + __kasan_slab_free+0x10a/0x190 mm/kasan/common.c:244 + kasan_slab_free include/linux/kasan.h:162 [inline] + slab_free_hook mm/slub.c:1781 [inline] + slab_free_freelist_hook mm/slub.c:1807 [inline] + slab_free mm/slub.c:3787 [inline] + __kmem_cache_free+0x7a/0x190 mm/slub.c:3800 + local_release net/nfc/llcp_core.c:174 [inline] + kref_put include/linux/kref.h:65 [inline] + nfc_llcp_local_put net/nfc/llcp_core.c:182 [inline] + nfc_llcp_local_put net/nfc/llcp_core.c:177 [inline] + nfc_llcp_unregister_device+0x206/0x290 net/nfc/llcp_core.c:1620 + nfc_unregister_device+0x160/0x1d0 net/nfc/core.c:1179 + virtual_ncidev_close+0x52/0xa0 drivers/nfc/virtual_ncidev.c:163 + __fput+0x252/0xa20 fs/file_table.c:321 + task_work_run+0x174/0x270 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop kernel/entry/common.c:171 [inline] + exit_to_user_mode_prepare+0x108/0x110 kernel/entry/common.c:204 + __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] + syscall_exit_to_user_mode+0x21/0x50 kernel/entry/common.c:297 + do_syscall_64+0x4c/0x90 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Last potentially related work creation: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + __kasan_record_aux_stack+0x95/0xb0 mm/kasan/generic.c:491 + kvfree_call_rcu+0x29/0xa80 kernel/rcu/tree.c:3328 + drop_sysctl_table+0x3be/0x4e0 fs/proc/proc_sysctl.c:1735 + unregister_sysctl_table.part.0+0x9c/0x190 fs/proc/proc_sysctl.c:1773 + unregister_sysctl_table+0x24/0x30 fs/proc/proc_sysctl.c:1753 + neigh_sysctl_unregister+0x5f/0x80 
net/core/neighbour.c:3895 + addrconf_notify+0x140/0x17b0 net/ipv6/addrconf.c:3684 + notifier_call_chain+0xbe/0x210 kernel/notifier.c:87 + call_netdevice_notifiers_info+0xb5/0x150 net/core/dev.c:1937 + call_netdevice_notifiers_extack net/core/dev.c:1975 [inline] + call_netdevice_notifiers net/core/dev.c:1989 [inline] + dev_change_name+0x3c3/0x870 net/core/dev.c:1211 + dev_ifsioc+0x800/0xf70 net/core/dev_ioctl.c:376 + dev_ioctl+0x3d9/0xf80 net/core/dev_ioctl.c:542 + sock_do_ioctl+0x160/0x260 net/socket.c:1213 + sock_ioctl+0x3f9/0x670 net/socket.c:1316 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x19e/0x210 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +The buggy address belongs to the object at ffff888105b0e400 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 16 bytes inside of + freed 1024-byte region [ffff888105b0e400, ffff888105b0e800) + +The buggy address belongs to the physical page: +head:ffffea000416c200 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +flags: 0x200000000010200(slab|head|node=0|zone=2) +raw: 0200000000010200 ffff8881000430c0 ffffea00044c7010 ffffea0004510e10 +raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888105b0e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff888105b0e380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff888105b0e400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888105b0e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888105b0e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +In summary, this patch solves those use-after-free by + +1. Re-implement the nfc_llcp_find_local(). 
The current version does not +grab the reference when getting the local from the linked list. For +example, the llcp_sock_bind() gets the reference like below: + +// llcp_sock_bind() + + local = nfc_llcp_find_local(dev); // A + ..... \ + | raceable + ..... / + llcp_sock->local = nfc_llcp_local_get(local); // B + +There is an apparent race window that one can drop the reference +and free the local object fetched in (A) before (B) gets the reference. + +2. Some callers of the nfc_llcp_find_local() do not grab the reference +at all. For example, the nfc_genl_llc_{{get/set}_params/sdreq} functions. +We add the nfc_llcp_local_put() for them. Moreover, we add the necessary +error handling function to put the reference. + +3. Add the nfc_llcp_remove_local() helper. The local object is removed +from the linked list in local_release() when all reference is gone. This +patch removes it when nfc_llcp_unregister_device() is called. + +Therefore, every caller of nfc_llcp_find_local() will get a reference +even when the nfc_llcp_unregister_device() is called. This promises no +use-after-free for the local object is ever possible. + +Fixes: 52feb444a903 ("NFC: Extend netlink interface for LTO, RW, and MIUX parameters support") +Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket") +Signed-off-by: Lin Ma +Reviewed-by: Simon Horman +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/nfc/llcp.h | 1 - + net/nfc/llcp_commands.c | 12 +++++++--- + net/nfc/llcp_core.c | 49 +++++++++++++++++++++++++++++++++++------ + net/nfc/llcp_sock.c | 18 ++++++++------- + net/nfc/netlink.c | 20 ++++++++++++----- + net/nfc/nfc.h | 1 + + 6 files changed, 77 insertions(+), 24 deletions(-) + +diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h +index d49d4bf2e37c8..a81893bc06ce8 100644 +--- a/net/nfc/llcp.h ++++ b/net/nfc/llcp.h +@@ -202,7 +202,6 @@ void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *s); + void nfc_llcp_sock_unlink(struct llcp_sock_list *l, struct sock *s); + void nfc_llcp_socket_remote_param_init(struct nfc_llcp_sock *sock); + struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev); +-struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local); + int nfc_llcp_local_put(struct nfc_llcp_local *local); + u8 nfc_llcp_get_sdp_ssap(struct nfc_llcp_local *local, + struct nfc_llcp_sock *sock); +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index bb9f40563ff63..5b8754ae7d3af 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -361,6 +361,7 @@ int nfc_llcp_send_symm(struct nfc_dev *dev) + struct sk_buff *skb; + struct nfc_llcp_local *local; + u16 size = 0; ++ int err; + + pr_debug("Sending SYMM\n"); + +@@ -372,8 +373,10 @@ int nfc_llcp_send_symm(struct nfc_dev *dev) + size += dev->tx_headroom + dev->tx_tailroom + NFC_HEADER_SIZE; + + skb = alloc_skb(size, GFP_KERNEL); +- if (skb == NULL) +- return -ENOMEM; ++ if (skb == NULL) { ++ err = -ENOMEM; ++ goto out; ++ } + + skb_reserve(skb, dev->tx_headroom + NFC_HEADER_SIZE); + +@@ -383,8 +386,11 @@ int nfc_llcp_send_symm(struct nfc_dev *dev) + + nfc_llcp_send_to_raw_sock(local, skb, NFC_DIRECTION_TX); + +- return nfc_data_exchange(dev, local->target_idx, skb, ++ err = nfc_data_exchange(dev, local->target_idx, skb, + nfc_llcp_recv, local); ++out: ++ nfc_llcp_local_put(local); ++ return err; + } + + int 
nfc_llcp_send_connect(struct nfc_llcp_sock *sock) +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index fd43e75abd948..ddfd159f64e13 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -17,6 +17,8 @@ + static u8 llcp_magic[3] = {0x46, 0x66, 0x6d}; + + static LIST_HEAD(llcp_devices); ++/* Protects llcp_devices list */ ++static DEFINE_SPINLOCK(llcp_devices_lock); + + static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb); + +@@ -143,7 +145,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device, + write_unlock(&local->raw_sockets.lock); + } + +-struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local) ++static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local) + { + kref_get(&local->ref); + +@@ -171,7 +173,6 @@ static void local_release(struct kref *ref) + + local = container_of(ref, struct nfc_llcp_local, ref); + +- list_del(&local->list); + local_cleanup(local); + kfree(local); + } +@@ -284,12 +285,33 @@ static void nfc_llcp_sdreq_timer(struct timer_list *t) + struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev) + { + struct nfc_llcp_local *local; ++ struct nfc_llcp_local *res = NULL; + ++ spin_lock(&llcp_devices_lock); + list_for_each_entry(local, &llcp_devices, list) +- if (local->dev == dev) ++ if (local->dev == dev) { ++ res = nfc_llcp_local_get(local); ++ break; ++ } ++ spin_unlock(&llcp_devices_lock); ++ ++ return res; ++} ++ ++static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev) ++{ ++ struct nfc_llcp_local *local, *tmp; ++ ++ spin_lock(&llcp_devices_lock); ++ list_for_each_entry_safe(local, tmp, &llcp_devices, list) ++ if (local->dev == dev) { ++ list_del(&local->list); ++ spin_unlock(&llcp_devices_lock); + return local; ++ } ++ spin_unlock(&llcp_devices_lock); + +- pr_debug("No device found\n"); ++ pr_warn("Shutting down device not found\n"); + + return NULL; + } +@@ -610,12 +632,15 @@ u8 *nfc_llcp_general_bytes(struct 
nfc_dev *dev, size_t *general_bytes_len) + + *general_bytes_len = local->gb_len; + ++ nfc_llcp_local_put(local); ++ + return local->gb; + } + + int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + { + struct nfc_llcp_local *local; ++ int err; + + if (gb_len < 3 || gb_len > NFC_MAX_GT_LEN) + return -EINVAL; +@@ -632,12 +657,16 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + + if (memcmp(local->remote_gb, llcp_magic, 3)) { + pr_err("MAC does not support LLCP\n"); +- return -EINVAL; ++ err = -EINVAL; ++ goto out; + } + +- return nfc_llcp_parse_gb_tlv(local, ++ err = nfc_llcp_parse_gb_tlv(local, + &local->remote_gb[3], + local->remote_gb_len - 3); ++out: ++ nfc_llcp_local_put(local); ++ return err; + } + + static u8 nfc_llcp_dsap(const struct sk_buff *pdu) +@@ -1527,6 +1556,8 @@ int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb) + + __nfc_llcp_recv(local, skb); + ++ nfc_llcp_local_put(local); ++ + return 0; + } + +@@ -1543,6 +1574,8 @@ void nfc_llcp_mac_is_down(struct nfc_dev *dev) + + /* Close and purge all existing sockets */ + nfc_llcp_socket_release(local, true, 0); ++ ++ nfc_llcp_local_put(local); + } + + void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx, +@@ -1568,6 +1601,8 @@ void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx, + mod_timer(&local->link_timer, + jiffies + msecs_to_jiffies(local->remote_lto)); + } ++ ++ nfc_llcp_local_put(local); + } + + int nfc_llcp_register_device(struct nfc_dev *ndev) +@@ -1618,7 +1653,7 @@ int nfc_llcp_register_device(struct nfc_dev *ndev) + + void nfc_llcp_unregister_device(struct nfc_dev *dev) + { +- struct nfc_llcp_local *local = nfc_llcp_find_local(dev); ++ struct nfc_llcp_local *local = nfc_llcp_remove_local(dev); + + if (local == NULL) { + pr_debug("No such device\n"); +diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c +index fdf0856182c65..6e1fba2084930 100644 +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -99,7 +99,7 
@@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) + } + + llcp_sock->dev = dev; +- llcp_sock->local = nfc_llcp_local_get(local); ++ llcp_sock->local = local; + llcp_sock->nfc_protocol = llcp_addr.nfc_protocol; + llcp_sock->service_name_len = min_t(unsigned int, + llcp_addr.service_name_len, +@@ -181,7 +181,7 @@ static int llcp_raw_sock_bind(struct socket *sock, struct sockaddr *addr, + } + + llcp_sock->dev = dev; +- llcp_sock->local = nfc_llcp_local_get(local); ++ llcp_sock->local = local; + llcp_sock->nfc_protocol = llcp_addr.nfc_protocol; + + nfc_llcp_sock_link(&local->raw_sockets, sk); +@@ -698,22 +698,22 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, + if (dev->dep_link_up == false) { + ret = -ENOLINK; + device_unlock(&dev->dev); +- goto put_dev; ++ goto sock_llcp_put_local; + } + device_unlock(&dev->dev); + + if (local->rf_mode == NFC_RF_INITIATOR && + addr->target_idx != local->target_idx) { + ret = -ENOLINK; +- goto put_dev; ++ goto sock_llcp_put_local; + } + + llcp_sock->dev = dev; +- llcp_sock->local = nfc_llcp_local_get(local); ++ llcp_sock->local = local; + llcp_sock->ssap = nfc_llcp_get_local_ssap(local); + if (llcp_sock->ssap == LLCP_SAP_MAX) { + ret = -ENOMEM; +- goto sock_llcp_put_local; ++ goto sock_llcp_nullify; + } + + llcp_sock->reserved_ssap = llcp_sock->ssap; +@@ -759,11 +759,13 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, + sock_llcp_release: + nfc_llcp_put_ssap(local, llcp_sock->ssap); + +-sock_llcp_put_local: +- nfc_llcp_local_put(llcp_sock->local); ++sock_llcp_nullify: + llcp_sock->local = NULL; + llcp_sock->dev = NULL; + ++sock_llcp_put_local: ++ nfc_llcp_local_put(local); ++ + put_dev: + nfc_put_device(dev); + +diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c +index e0e1168655118..1c5b3ce1e8b16 100644 +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -1039,11 +1039,14 @@ static int nfc_genl_llc_get_params(struct sk_buff *skb, struct 
genl_info *info) + msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + if (!msg) { + rc = -ENOMEM; +- goto exit; ++ goto put_local; + } + + rc = nfc_genl_send_params(msg, local, info->snd_portid, info->snd_seq); + ++put_local: ++ nfc_llcp_local_put(local); ++ + exit: + device_unlock(&dev->dev); + +@@ -1105,7 +1108,7 @@ static int nfc_genl_llc_set_params(struct sk_buff *skb, struct genl_info *info) + if (info->attrs[NFC_ATTR_LLC_PARAM_LTO]) { + if (dev->dep_link_up) { + rc = -EINPROGRESS; +- goto exit; ++ goto put_local; + } + + local->lto = nla_get_u8(info->attrs[NFC_ATTR_LLC_PARAM_LTO]); +@@ -1117,6 +1120,9 @@ static int nfc_genl_llc_set_params(struct sk_buff *skb, struct genl_info *info) + if (info->attrs[NFC_ATTR_LLC_PARAM_MIUX]) + local->miux = cpu_to_be16(miux); + ++put_local: ++ nfc_llcp_local_put(local); ++ + exit: + device_unlock(&dev->dev); + +@@ -1172,7 +1178,7 @@ static int nfc_genl_llc_sdreq(struct sk_buff *skb, struct genl_info *info) + + if (rc != 0) { + rc = -EINVAL; +- goto exit; ++ goto put_local; + } + + if (!sdp_attrs[NFC_SDP_ATTR_URI]) +@@ -1191,7 +1197,7 @@ static int nfc_genl_llc_sdreq(struct sk_buff *skb, struct genl_info *info) + sdreq = nfc_llcp_build_sdreq_tlv(tid, uri, uri_len); + if (sdreq == NULL) { + rc = -ENOMEM; +- goto exit; ++ goto put_local; + } + + tlvs_len += sdreq->tlv_len; +@@ -1201,10 +1207,14 @@ static int nfc_genl_llc_sdreq(struct sk_buff *skb, struct genl_info *info) + + if (hlist_empty(&sdreq_list)) { + rc = -EINVAL; +- goto exit; ++ goto put_local; + } + + rc = nfc_llcp_send_snl_sdreq(local, &sdreq_list, tlvs_len); ++ ++put_local: ++ nfc_llcp_local_put(local); ++ + exit: + device_unlock(&dev->dev); + +diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h +index de2ec66d7e83a..0b1e6466f4fbf 100644 +--- a/net/nfc/nfc.h ++++ b/net/nfc/nfc.h +@@ -52,6 +52,7 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len); + u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len); + int 
nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb); + struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev); ++int nfc_llcp_local_put(struct nfc_llcp_local *local); + int __init nfc_llcp_init(void); + void nfc_llcp_exit(void); + void nfc_llcp_free_sdp_tlv(struct nfc_llcp_sdp_tlv *sdp); +-- +2.39.2 + diff --git a/tmp-5.10/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch b/tmp-5.10/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch new file mode 100644 index 00000000000..6950148c07f --- /dev/null +++ b/tmp-5.10/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch 
@@ -0,0 +1,74 @@
+From ecaeaa4a0f90773cee09db5c81fc5c4032f37e41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jul 2023 03:02:31 +0300
+Subject: net: phy: prevent stale pointer dereference in phy_init()
+
+From: Vladimir Oltean
+
+[ Upstream commit 1c613beaf877c0c0d755853dc62687e2013e55c4 ]
+
+mdio_bus_init() and phy_driver_register() both have error paths, and if
+those are ever hit, ethtool will have a stale pointer to the
+phy_ethtool_phy_ops stub structure, which references memory from a
+module that failed to load (phylib).
+
+It is probably hard to force an error in this code path even manually,
+but the error teardown path of phy_init() should be the same as
+phy_exit(), which is now simply not the case.
+
+Fixes: 55d8f053ce1b ("net: phy: Register ethtool PHY operations")
+Link: https://lore.kernel.org/netdev/ZLaiJ4G6TaJYGJyU@shell.armlinux.org.uk/
+Suggested-by: Russell King (Oracle)
+Signed-off-by: Vladimir Oltean
+Link: https://lore.kernel.org/r/20230720000231.1939689-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/phy_device.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index e771e0e8a9bc6..095d16ceafcf8 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -3024,23 +3024,30 @@ static int __init phy_init(void)
+ {
+ int rc;
+
++ ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops);
++
+ rc = mdio_bus_init();
+ if (rc)
+- return rc;
++ goto err_ethtool_phy_ops;
+
+- ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops);
+ features_init();
+
+ rc = phy_driver_register(&genphy_c45_driver, THIS_MODULE);
+ if (rc)
+- goto err_c45;
++ goto err_mdio_bus;
+
+ rc = phy_driver_register(&genphy_driver, THIS_MODULE);
+- if (rc) {
+- phy_driver_unregister(&genphy_c45_driver);
++ if (rc)
++ goto err_c45;
++
++ return 0;
++
+ err_c45:
+- mdio_bus_exit();
+- }
++ phy_driver_unregister(&genphy_c45_driver);
++err_mdio_bus:
++ mdio_bus_exit();
++err_ethtool_phy_ops:
++ ethtool_set_ethtool_phy_ops(NULL);
+
+ return rc;
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/net-prevent-skb-corruption-on-frag-list-segmentation.patch b/tmp-5.10/net-prevent-skb-corruption-on-frag-list-segmentation.patch
new file mode 100644
index 00000000000..469cf66b8f0
--- /dev/null
+++ b/tmp-5.10/net-prevent-skb-corruption-on-frag-list-segmentation.patch
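Review bot: The unwind labels in the new phy_init() must stay in exact reverse order of the setup calls, and the commit message says the error path should match phy_exit(), but nothing in the code records that. I would add a comment above `err_c45:` such as `/* unwind in reverse order of setup; keep in sync with phy_exit() */`. `ethtool_set_ethtool_phy_ops()` now runs before `mdio_bus_init()`, so the ops pointer is published before the rest of the init has succeeded; whether anything can reach it in that window is not visible from this hunk and is worth confirming.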
@@ -0,0 +1,102 @@
+From 26aa2d34f0d6c8d867b7723dbaeb20226317bd4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Jul 2023 10:11:10 +0200
+Subject: net: prevent skb corruption on frag list segmentation
+
+From: Paolo Abeni
+
+[ Upstream commit c329b261afe71197d9da83c1f18eb45a7e97e089 ]
+
+Ian reported several skb corruptions triggered by rx-gro-list,
+collecting different oops alike:
+
+[ 62.624003] BUG: kernel NULL pointer dereference, address: 00000000000000c0
+[ 62.631083] #PF: supervisor read access in kernel mode
+[ 62.636312] #PF: error_code(0x0000) - not-present page
+[ 62.641541] PGD 0 P4D 0
+[ 62.644174] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[ 62.648629] CPU: 1 PID: 913 Comm: napi/eno2-79 Not tainted 6.4.0 #364
+[ 62.655162] Hardware name: Supermicro Super Server/A2SDi-12C-HLN4F, BIOS 1.7a 10/13/2022
+[ 62.663344] RIP: 0010:__udp_gso_segment (./include/linux/skbuff.h:2858
+./include/linux/udp.h:23 net/ipv4/udp_offload.c:228 net/ipv4/udp_offload.c:261
+net/ipv4/udp_offload.c:277)
+[ 62.687193] RSP: 0018:ffffbd3a83b4f868 EFLAGS: 00010246
+[ 62.692515] RAX: 00000000000000ce RBX: 0000000000000000 RCX: 0000000000000000
+[ 62.699743] RDX: ffffa124def8a000 RSI: 0000000000000079 RDI: ffffa125952a14d4
+[ 62.706970] RBP: ffffa124def8a000 R08: 0000000000000022 R09: 00002000001558c9
+[ 62.714199] R10: 0000000000000000 R11: 00000000be554639 R12: 00000000000000e2
+[ 62.721426] R13: ffffa125952a1400 R14: ffffa125952a1400 R15: 00002000001558c9
+[ 62.728654] FS: 0000000000000000(0000) GS:ffffa127efa40000(0000)
+knlGS:0000000000000000
+[ 62.736852] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 62.742702] CR2: 00000000000000c0 CR3: 00000001034b0000 CR4: 00000000003526e0
+[ 62.749948] Call Trace:
+[ 62.752498]
+[ 62.779267] inet_gso_segment (net/ipv4/af_inet.c:1398)
+[ 62.787605] skb_mac_gso_segment (net/core/gro.c:141)
+[ 62.791906] __skb_gso_segment (net/core/dev.c:3403 (discriminator 2))
+[ 62.800492] validate_xmit_skb (./include/linux/netdevice.h:4862
+net/core/dev.c:3659)
+[ 62.804695] validate_xmit_skb_list (net/core/dev.c:3710)
+[ 62.809158] sch_direct_xmit (net/sched/sch_generic.c:330)
+[ 62.813198] __dev_queue_xmit (net/core/dev.c:3805 net/core/dev.c:4210)
+net/netfilter/core.c:626)
+[ 62.821093] br_dev_queue_push_xmit (net/bridge/br_forward.c:55)
+[ 62.825652] maybe_deliver (net/bridge/br_forward.c:193)
+[ 62.829420] br_flood (net/bridge/br_forward.c:233)
+[ 62.832758] br_handle_frame_finish (net/bridge/br_input.c:215)
+[ 62.837403] br_handle_frame (net/bridge/br_input.c:298
+net/bridge/br_input.c:416)
+[ 62.851417] __netif_receive_skb_core.constprop.0 (net/core/dev.c:5387)
+[ 62.866114] __netif_receive_skb_list_core (net/core/dev.c:5570)
+[ 62.871367] netif_receive_skb_list_internal (net/core/dev.c:5638
+net/core/dev.c:5727)
+[ 62.876795] napi_complete_done (./include/linux/list.h:37
+./include/net/gro.h:434 ./include/net/gro.h:429 net/core/dev.c:6067)
+[ 62.881004] ixgbe_poll (drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:3191)
+[ 62.893534] __napi_poll (net/core/dev.c:6498)
+[ 62.897133] napi_threaded_poll (./include/linux/netpoll.h:89
+net/core/dev.c:6640)
+[ 62.905276] kthread (kernel/kthread.c:379)
+[ 62.913435] ret_from_fork (arch/x86/entry/entry_64.S:314)
+[ 62.917119]
+
+In the critical scenario, rx-gro-list GRO-ed packets are fed, via a
+bridge, both to the local input path and to an egress device (tun).
+
+The segmentation of such packets unsafely writes to the cloned skbs
+with shared heads.
+
+This change addresses the issue by uncloning as needed the
+to-be-segmented skbs.
+
+Reported-by: Ian Kumlien
+Tested-by: Ian Kumlien
+Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
+Signed-off-by: Paolo Abeni
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/skbuff.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index e203172b9b9e7..b10285d06a2ca 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3685,6 +3685,11 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
+
+ skb_push(skb, -skb_network_offset(skb) + offset);
+
++ /* Ensure the head is writeable before touching the shared info */
++ err = skb_unclone(skb, GFP_ATOMIC);
++ if (err)
++ goto err_linearize;
++
+ skb_shinfo(skb)->frag_list = NULL;
+
+ while (list_skb) {
+--
+2.39.2
+
diff --git a/tmp-5.10/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch b/tmp-5.10/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch
new file mode 100644
index 00000000000..d89d82ca997
--- /dev/null
+++ b/tmp-5.10/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch
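Review bot: The added `skb_unclone()` makes only the head skb private before `frag_list` is cleared; the members walked by the `while (list_skb)` loop lie outside this hunk, so whether they can be cloned or shared as well is not visible here and should be checked against this tree. The comment could also say why the head may be shared, e.g. `/* skb may be a clone with a shared head (bridged to both local input and an egress device); take a private copy before clearing frag_list */`. The failure path reuses `err_linearize`, whose body is outside the hunk, so confirm it is still the right cleanup when the unclone allocation fails.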
@@ -0,0 +1,57 @@
+From e1a0c6f3b277986e3b359681e7e6609ebc1a156c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Jul 2023 19:08:42 +0800
+Subject: net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX
+
+From: Lin Ma
+
+[ Upstream commit 30c45b5361d39b4b793780ffac5538090b9e2eb1 ]
+
+The attribute TCA_PEDIT_PARMS_EX is not be included in pedit_policy and
+one malicious user could fake a TCA_PEDIT_PARMS_EX whose length is
+smaller than the intended sizeof(struct tc_pedit). Hence, the
+dereference in tcf_pedit_init() could access dirty heap data.
+
+static int tcf_pedit_init(...)
+{
+ // ...
+ pattr = tb[TCA_PEDIT_PARMS]; // TCA_PEDIT_PARMS is included
+ if (!pattr)
+ pattr = tb[TCA_PEDIT_PARMS_EX]; // but this is not
+
+ // ...
+ parm = nla_data(pattr);
+
+ index = parm->index; // parm is able to be smaller than 4 bytes
+ // and this dereference gets dirty skb_buff
+ // data created in netlink_sendmsg
+}
+
+This commit adds TCA_PEDIT_PARMS_EX length in pedit_policy which avoid
+the above case, just like the TCA_PEDIT_PARMS.
+
+Fixes: 71d0ed7079df ("net/act_pedit: Support using offset relative to the conventional network headers")
+Signed-off-by: Lin Ma
+Reviewed-by: Pedro Tammela
+Link: https://lore.kernel.org/r/20230703110842.590282-1-linma@zju.edu.cn
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/sched/act_pedit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
+index db0d3bff19eba..a44101b2f4419 100644
+--- a/net/sched/act_pedit.c
++++ b/net/sched/act_pedit.c
+@@ -26,6 +26,7 @@ static struct tc_action_ops act_pedit_ops;
+
+ static const struct nla_policy pedit_policy[TCA_PEDIT_MAX + 1] = {
+ [TCA_PEDIT_PARMS] = { .len = sizeof(struct tc_pedit) },
++ [TCA_PEDIT_PARMS_EX] = { .len = sizeof(struct tc_pedit) },
+ [TCA_PEDIT_KEYS_EX] = { .type = NLA_NESTED },
+ };
+
+--
+2.39.2
+
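Review bot: The new `TCA_PEDIT_PARMS_EX` entry enforces only a minimum payload of `sizeof(struct tc_pedit)`, so it covers the fixed header that `parm->index` is read from but not the variable-length key array that follows it. Whether `tcf_pedit_init()` separately checks the attribute length against the key count is outside this hunk and should be confirmed for this tree. A short comment on the two entries would make the limit explicit, e.g. `/* .len is a minimum: covers the fixed tc_pedit header only */`.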
diff --git a/tmp-5.10/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch b/tmp-5.10/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch
new file mode 100644
index 00000000000..26a7b7a3f8f
--- /dev/null
+++ b/tmp-5.10/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch
@@ -0,0 +1,62 @@
+From a5dfedd80251cd7f449b05be9ca3bfee01513642 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 Jul 2023 12:15:30 -0400
+Subject: net/sched: cls_fw: Fix improper refcount update leads to
+ use-after-free
+
+From: M A Ramdhan
+
+[ Upstream commit 0323bce598eea038714f941ce2b22541c46d488f ]
+
+In the event of a failure in tcf_change_indev(), fw_set_parms() will
+immediately return an error after incrementing or decrementing
+reference counter in tcf_bind_filter(). If attacker can control
+reference counter to zero and make reference freed, leading to
+use after free.
+
+In order to prevent this, move the point of possible failure above the
+point where the TC_FW_CLASSID is handled.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: M A Ramdhan
+Signed-off-by: M A Ramdhan
+Acked-by: Jamal Hadi Salim
+Reviewed-by: Pedro Tammela
+Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_fw.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
+index ec945294626a8..41f0898a5a565 100644
+--- a/net/sched/cls_fw.c
++++ b/net/sched/cls_fw.c
+@@ -210,11 +210,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
+ if (err < 0)
+ return err;
+
+- if (tb[TCA_FW_CLASSID]) {
+- f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
+- tcf_bind_filter(tp, &f->res, base);
+- }
+-
+ if (tb[TCA_FW_INDEV]) {
+ int ret;
+ ret = tcf_change_indev(net, tb[TCA_FW_INDEV], extack);
+@@ -231,6 +226,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
+ } else if (head->mask != 0xFFFFFFFF)
+ return err;
+
++ if (tb[TCA_FW_CLASSID]) {
++ f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
++ tcf_bind_filter(tp, &f->res, base);
++ }
++
+ return 0;
+ }
+
+--
+2.39.2
+
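Review bot: Nothing in the code records that the moved `TCA_FW_CLASSID` block now has to remain the last step of `fw_set_parms()`; a later change that adds a fallible step after `tcf_bind_filter()` would bring back the early return after binding that the commit message describes. I would add a comment above the moved block, e.g. `/* Keep last: no error return may follow tcf_bind_filter() */`. The function starts outside the hunk, so the return paths before the first hunk were not checked here.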
diff --git a/tmp-5.10/net-sched-flower-ensure-both-minimum-and-maximum-por.patch b/tmp-5.10/net-sched-flower-ensure-both-minimum-and-maximum-por.patch
new file mode 100644
index 00000000000..3df73ff13f1
--- /dev/null
+++ b/tmp-5.10/net-sched-flower-ensure-both-minimum-and-maximum-por.patch
@@ -0,0 +1,82 @@
+From 1b7c76fe6d9b400849874bef849242b3832a3ed2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Jul 2023 10:08:09 +0300
+Subject: net/sched: flower: Ensure both minimum and maximum ports are
+ specified
+
+From: Ido Schimmel
+
+[ Upstream commit d3f87278bcb80bd7f9519669d928b43320363d4f ]
+
+The kernel does not currently validate that both the minimum and maximum
+ports of a port range are specified. This can lead user space to think
+that a filter matching on a port range was successfully added, when in
+fact it was not. For example, with a patched (buggy) iproute2 that only
+sends the minimum port, the following commands do not return an error:
+
+ # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp src_port 100-200 action pass
+
+ # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp dst_port 100-200 action pass
+
+ # tc filter show dev swp1 ingress
+ filter protocol ip pref 1 flower chain 0
+ filter protocol ip pref 1 flower chain 0 handle 0x1
+ eth_type ipv4
+ ip_proto udp
+ not_in_hw
+ action order 1: gact action pass
+ random type none pass val 0
+ index 1 ref 1 bind 1
+
+ filter protocol ip pref 1 flower chain 0 handle 0x2
+ eth_type ipv4
+ ip_proto udp
+ not_in_hw
+ action order 1: gact action pass
+ random type none pass val 0
+ index 2 ref 1 bind 1
+
+Fix by returning an error unless both ports are specified:
+
+ # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp src_port 100-200 action pass
+ Error: Both min and max source ports must be specified.
+ We have an error talking to the kernel
+
+ # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp dst_port 100-200 action pass
+ Error: Both min and max destination ports must be specified.
+ We have an error talking to the kernel
+
+Fixes: 5c72299fba9d ("net: sched: cls_flower: Classify packets using port ranges")
+Signed-off-by: Ido Schimmel
+Reviewed-by: Petr Machata
+Acked-by: Jamal Hadi Salim
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_flower.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
+index caf1a05bfbde4..dcf21d99f132c 100644
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -778,6 +778,16 @@ static int fl_set_key_port_range(struct nlattr **tb, struct fl_flow_key *key,
+ TCA_FLOWER_KEY_PORT_SRC_MAX, &mask->tp_range.tp_max.src,
+ TCA_FLOWER_UNSPEC, sizeof(key->tp_range.tp_max.src));
+
++ if (mask->tp_range.tp_min.dst != mask->tp_range.tp_max.dst) {
++ NL_SET_ERR_MSG(extack,
++ "Both min and max destination ports must be specified");
++ return -EINVAL;
++ }
++ if (mask->tp_range.tp_min.src != mask->tp_range.tp_max.src) {
++ NL_SET_ERR_MSG(extack,
++ "Both min and max source ports must be specified");
++ return -EINVAL;
++ }
+ if (mask->tp_range.tp_min.dst && mask->tp_range.tp_max.dst &&
+ ntohs(key->tp_range.tp_max.dst) <=
+ ntohs(key->tp_range.tp_min.dst)) {
+--
+2.39.2
+
diff --git a/tmp-5.10/net-sched-make-psched_mtu-rtnl-less-safe.patch b/tmp-5.10/net-sched-make-psched_mtu-rtnl-less-safe.patch
new file mode 100644
index 00000000000..73e21bed4e9
--- /dev/null
+++ b/tmp-5.10/net-sched-make-psched_mtu-rtnl-less-safe.patch
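Review bot: The two added checks detect a missing min or max port indirectly, by comparing masks (`mask->tp_range.tp_min.dst != mask->tp_range.tp_max.dst`), which is only correct if the preceding calls give a mask the same fixed non-zero value exactly when its attribute is present. That is presumably the case, but the helper that fills the masks is not visible in this hunk. A one-line comment above the checks would state the intent, e.g. `/* masks differ only when exactly one of min/max was supplied */`. fl_set_key_port_range() starts and ends outside the hunk.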
@@ -0,0 +1,49 @@
+From 138f6a37f75054e68b1ab8f84c79d3580fbbbba5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Jul 2023 23:16:34 -0300
+Subject: net/sched: make psched_mtu() RTNL-less safe
+
+From: Pedro Tammela
+
+[ Upstream commit 150e33e62c1fa4af5aaab02776b6c3812711d478 ]
+
+Eric Dumazet says[1]:
+-------
+Speaking of psched_mtu(), I see that net/sched/sch_pie.c is using it
+without holding RTNL, so dev->mtu can be changed underneath.
+KCSAN could issue a warning.
+-------
+
+Annotate dev->mtu with READ_ONCE() so KCSAN don't issue a warning.
+
+[1] https://lore.kernel.org/all/CANn89iJoJO5VtaJ-2=_d2aOQhb0Xw8iBT_Cxqp2HyuS-zj6azw@mail.gmail.com/
+
+v1 -> v2: Fix commit message
+
+Fixes: d4b36210c2e6 ("net: pkt_sched: PIE AQM scheme")
+Suggested-by: Eric Dumazet
+Signed-off-by: Pedro Tammela
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230711021634.561598-1-pctammela@mojatatu.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/pkt_sched.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h
+index ba781e0aaf566..e186b2bd8c860 100644
+--- a/include/net/pkt_sched.h
++++ b/include/net/pkt_sched.h
+@@ -136,7 +136,7 @@ extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1];
+ */
+ static inline unsigned int psched_mtu(const struct net_device *dev)
+ {
+- return dev->mtu + dev->hard_header_len;
++ return READ_ONCE(dev->mtu) + dev->hard_header_len;
+ }
+
+ static inline struct net *qdisc_net(struct Qdisc *q)
+--
+2.39.2
+
diff --git a/tmp-5.10/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch b/tmp-5.10/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch
new file mode 100644
index 00000000000..a0a40945e6c
--- /dev/null
+++ b/tmp-5.10/net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch
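Review bot: Only `dev->mtu` is annotated in psched_mtu(); `dev->hard_header_len` in the same expression is still a plain read, so if that field can also change without RTNL held the same data-race report would apply to it. READ_ONCE() marks the reader side only, and the matching WRITE_ONCE() on the writers of `dev->mtu` is not part of this hunk, so it is worth confirming that it exists in this tree. If both hold, `return READ_ONCE(dev->mtu) + READ_ONCE(dev->hard_header_len);` would be the consistent form.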
@@ -0,0 +1,96 @@
+From f2f7cbdad43b636ff9da4a90f187be4aeb8562b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Jul 2023 18:01:02 -0300
+Subject: net/sched: sch_qfq: account for stab overhead in qfq_enqueue
+
+From: Pedro Tammela
+
+[ Upstream commit 3e337087c3b5805fe0b8a46ba622a962880b5d64 ]
+
+Lion says:
+-------
+In the QFQ scheduler a similar issue to CVE-2023-31436
+persists.
+
+Consider the following code in net/sched/sch_qfq.c:
+
+static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ struct sk_buff **to_free)
+{
+ unsigned int len = qdisc_pkt_len(skb), gso_segs;
+
+ // ...
+
+ if (unlikely(cl->agg->lmax < len)) {
+ pr_debug("qfq: increasing maxpkt from %u to %u for class %u",
+ cl->agg->lmax, len, cl->common.classid);
+ err = qfq_change_agg(sch, cl, cl->agg->class_weight, len);
+ if (err) {
+ cl->qstats.drops++;
+ return qdisc_drop(skb, sch, to_free);
+ }
+
+ // ...
+
+ }
+
+Similarly to CVE-2023-31436, "lmax" is increased without any bounds
+checks according to the packet length "len". Usually this would not
+impose a problem because packet sizes are naturally limited.
+
+This is however not the actual packet length, rather the
+"qdisc_pkt_len(skb)" which might apply size transformations according to
+"struct qdisc_size_table" as created by "qdisc_get_stab()" in
+net/sched/sch_api.c if the TCA_STAB option was set when modifying the qdisc.
+
+A user may choose virtually any size using such a table.
+
+As a result the same issue as in CVE-2023-31436 can occur, allowing heap
+out-of-bounds read / writes in the kmalloc-8192 cache.
+-------
+
+We can create the issue with the following commands:
+
+tc qdisc add dev $DEV root handle 1: stab mtu 2048 tsize 512 mpu 0 \
+overhead 999999999 linklayer ethernet qfq
+tc class add dev $DEV parent 1: classid 1:1 htb rate 6mbit burst 15k
+tc filter add dev $DEV parent 1: matchall classid 1:1
+ping -I $DEV 1.1.1.2
+
+This is caused by incorrectly assuming that qdisc_pkt_len() returns a
+length within the QFQ_MIN_LMAX < len < QFQ_MAX_LMAX.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: Lion
+Reviewed-by: Eric Dumazet
+Signed-off-by: Jamal Hadi Salim
+Signed-off-by: Pedro Tammela
+Reviewed-by: Simon Horman
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/sched/sch_qfq.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 975e444f2d820..616d1798cfef6 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -381,8 +381,13 @@ static int qfq_change_agg(struct Qdisc *sch, struct qfq_class *cl, u32 weight,
+ u32 lmax)
+ {
+ struct qfq_sched *q = qdisc_priv(sch);
+- struct qfq_aggregate *new_agg = qfq_find_agg(q, lmax, weight);
++ struct qfq_aggregate *new_agg;
+
++ /* 'lmax' can range from [QFQ_MIN_LMAX, pktlen + stab overhead] */
++ if (lmax > QFQ_MAX_LMAX)
++ return -EINVAL;
++
++ new_agg = qfq_find_agg(q, lmax, weight);
+ if (new_agg == NULL) { /* create new aggregate */
+ new_agg = kzalloc(sizeof(*new_agg), GFP_ATOMIC);
+ if (new_agg == NULL)
+--
+2.39.2
+
diff --git a/tmp-5.10/net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch b/tmp-5.10/net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch
new file mode 100644
index 00000000000..3ee34ddd5ec
--- /dev/null
+++ b/tmp-5.10/net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch
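Review bot: The comment added in qfq_change_agg() gives `lmax` a range that starts at `QFQ_MIN_LMAX`, but the check below it enforces only the upper bound, so the lower bound is an assumption about the callers rather than something this function guarantees. I would reword the comment to match the check, e.g. `/* lmax may be pktlen + stab overhead on the enqueue path; reject anything above QFQ_MAX_LMAX */`. `QFQ_MAX_LMAX` is defined by the sch_qfq refactor patch in this same queue, named in that patch's Stable-dep-of trailer, so this one cannot be applied without it. The function body continues outside the hunk.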
@@ -0,0 +1,87 @@
+From 53538e9ed4bd86297de2fe1e408f4b207ed8b82d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 22 Apr 2023 12:56:11 -0300
+Subject: net/sched: sch_qfq: refactor parsing of netlink parameters
+
+From: Pedro Tammela
+
+[ Upstream commit 25369891fcef373540f8b4e0b3bccf77a04490d5 ]
+
+Two parameters can be transformed into netlink policies and
+validated while parsing the netlink message.
+
+Reviewed-by: Simon Horman
+Acked-by: Jamal Hadi Salim
+Signed-off-by: Pedro Tammela
+Signed-off-by: David S. Miller
+Stable-dep-of: 3e337087c3b5 ("net/sched: sch_qfq: account for stab overhead in qfq_enqueue")
+Signed-off-by: Sasha Levin
+---
+ net/sched/sch_qfq.c | 25 +++++++++++--------------
+ 1 file changed, 11 insertions(+), 14 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index cad7deacf60a4..975e444f2d820 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -113,6 +113,7 @@
+
+ #define QFQ_MTU_SHIFT 16 /* to support TSO/GSO */
+ #define QFQ_MIN_LMAX 512 /* see qfq_slot_insert */
++#define QFQ_MAX_LMAX (1UL << QFQ_MTU_SHIFT)
+
+ #define QFQ_MAX_AGG_CLASSES 8 /* max num classes per aggregate allowed */
+
+@@ -214,9 +215,14 @@ static struct qfq_class *qfq_find_class(struct Qdisc *sch, u32 classid)
+ return container_of(clc, struct qfq_class, common);
+ }
+
++static struct netlink_range_validation lmax_range = {
++ .min = QFQ_MIN_LMAX,
++ .max = QFQ_MAX_LMAX,
++};
++
+ static const struct nla_policy qfq_policy[TCA_QFQ_MAX + 1] = {
+- [TCA_QFQ_WEIGHT] = { .type = NLA_U32 },
+- [TCA_QFQ_LMAX] = { .type = NLA_U32 },
++ [TCA_QFQ_WEIGHT] = NLA_POLICY_RANGE(NLA_U32, 1, QFQ_MAX_WEIGHT),
++ [TCA_QFQ_LMAX] = NLA_POLICY_FULL_RANGE(NLA_U32, &lmax_range),
+ };
+
+ /*
+@@ -408,17 +414,13 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ }
+
+ err = nla_parse_nested_deprecated(tb, TCA_QFQ_MAX, tca[TCA_OPTIONS],
+- qfq_policy, NULL);
++ qfq_policy, extack);
+ if (err < 0)
+ return err;
+
+- if (tb[TCA_QFQ_WEIGHT]) {
++ if (tb[TCA_QFQ_WEIGHT])
+ weight = nla_get_u32(tb[TCA_QFQ_WEIGHT]);
+- if (!weight || weight > (1UL << QFQ_MAX_WSHIFT)) {
+- pr_notice("qfq: invalid weight %u\n", weight);
+- return -EINVAL;
+- }
+- } else
++ else
+ weight = 1;
+
+ if (tb[TCA_QFQ_LMAX])
+@@ -426,11 +428,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ else
+ lmax = psched_mtu(qdisc_dev(sch));
+
+- if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) {
+- pr_notice("qfq: invalid max length %u\n", lmax);
+- return -EINVAL;
+- }
+-
+ inv_w = ONE_FP / weight;
+ weight = ONE_FP / inv_w;
+
+--
+2.39.2
+
diff --git a/tmp-5.10/net-sched-sch_qfq-reintroduce-lmax-bound-check-for-mtu.patch b/tmp-5.10/net-sched-sch_qfq-reintroduce-lmax-bound-check-for-mtu.patch
new file mode 100644
index 00000000000..ec990f6a959
--- /dev/null
+++ b/tmp-5.10/net-sched-sch_qfq-reintroduce-lmax-bound-check-for-mtu.patch
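Review bot: Removing the `lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)` check in the last inner hunk leaves the `lmax = psched_mtu(qdisc_dev(sch))` fallback unbounded, because the new `lmax_range` policy validates only a supplied `TCA_QFQ_LMAX` attribute. This queue also carries the "reintroduce lmax bound check for MTU" patch, which restores the check, so the two have to land together and this one should not be picked on its own. Separately, `lmax_range` is only read through the policy and could be declared `static const struct netlink_range_validation lmax_range`.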
@@ -0,0 +1,47 @@
+From 158810b261d02fc7dd92ca9c392d8f8a211a2401 Mon Sep 17 00:00:00 2001
+From: Pedro Tammela
+Date: Tue, 11 Jul 2023 18:01:00 -0300
+Subject: net/sched: sch_qfq: reintroduce lmax bound check for MTU
+
+From: Pedro Tammela
+
+commit 158810b261d02fc7dd92ca9c392d8f8a211a2401 upstream.
+
+25369891fcef deletes a check for the case where no 'lmax' is
+specified which 3037933448f6 previously fixed as 'lmax'
+could be set to the device's MTU without any bound checking
+for QFQ_LMAX_MIN and QFQ_LMAX_MAX. Therefore, reintroduce the check.
+
+Fixes: 25369891fcef ("net/sched: sch_qfq: refactor parsing of netlink parameters")
+Acked-by: Jamal Hadi Salim
+Reviewed-by: Eric Dumazet
+Signed-off-by: Pedro Tammela
+Reviewed-by: Simon Horman
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_qfq.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -428,10 +428,17 @@ static int qfq_change_class(struct Qdisc
+ else
+ weight = 1;
+
+- if (tb[TCA_QFQ_LMAX])
++ if (tb[TCA_QFQ_LMAX]) {
+ lmax = nla_get_u32(tb[TCA_QFQ_LMAX]);
+- else
++ } else {
++ /* MTU size is user controlled */
+ lmax = psched_mtu(qdisc_dev(sch));
++ if (lmax < QFQ_MIN_LMAX || lmax > QFQ_MAX_LMAX) {
++ NL_SET_ERR_MSG_MOD(extack,
++ "MTU size out of bounds for qfq");
++ return -EINVAL;
++ }
++ }
+
+ inv_w = ONE_FP / weight;
+ weight = ONE_FP / inv_w;
diff --git a/tmp-5.10/net-stmmac-fix-double-serdes-powerdown.patch b/tmp-5.10/net-stmmac-fix-double-serdes-powerdown.patch
new file mode 100644
index 00000000000..3bcbccdb51b
--- /dev/null
+++ b/tmp-5.10/net-stmmac-fix-double-serdes-powerdown.patch
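Review bot: The restored check bounds the result of `psched_mtu()`, which the psched_mtu patch in this queue shows to be `dev->mtu + dev->hard_header_len`, so the value rejected here is not the MTU alone even though the comment and the extack string both say "MTU size". I would make the comment precise, e.g. `/* mtu + hard_header_len, taken from the device and not covered by qfq_policy */`. The `tb[TCA_QFQ_LMAX]` branch relies on the netlink policy for the same bounds, which is defined outside this hunk, and qfq_change_class() itself continues beyond it.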
@@ -0,0 +1,50 @@
+From 2764756c66513a7ad3cada7cacb3b8ad87d9e0bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jun 2023 15:55:37 +0200
+Subject: net: stmmac: fix double serdes powerdown
+
+From: Bartosz Golaszewski
+
+[ Upstream commit c4fc88ad2a765224a648db8ab35f125e120fe41b ]
+
+Commit 49725ffc15fc ("net: stmmac: power up/down serdes in
+stmmac_open/release") correctly added a call to the serdes_powerdown()
+callback to stmmac_release() but did not remove the one from
+stmmac_remove() which leads to a doubled call to serdes_powerdown().
+
+This can lead to all kinds of problems: in the case of the qcom ethqos
+driver, it caused an unbalanced regulator disable splat.
+
+Fixes: 49725ffc15fc ("net: stmmac: power up/down serdes in stmmac_open/release")
+Signed-off-by: Bartosz Golaszewski
+Reviewed-by: Jiri Pirko
+Acked-by: Junxiao Chang
+Reviewed-by: Andrew Halaney
+Tested-by: Andrew Halaney
+Link: https://lore.kernel.org/r/20230621135537.376649-1-brgl@bgdev.pl
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index de66406c50572..83e9a4d019c16 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -5254,12 +5254,6 @@ int stmmac_dvr_remove(struct device *dev)
+ netif_carrier_off(ndev);
+ unregister_netdev(ndev);
+
+- /* Serdes power down needs to happen after VLAN filter
+- * is deleted that is triggered by unregister_netdev().
+- */
+- if (priv->plat->serdes_powerdown)
+- priv->plat->serdes_powerdown(ndev, priv->plat->bsp_priv);
+-
+ #ifdef CONFIG_DEBUG_FS
+ stmmac_exit_fs(ndev);
+ #endif
+--
+2.39.2
+
diff --git a/tmp-5.10/netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch b/tmp-5.10/netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch
new file mode 100644
index 00000000000..565885a1e48
--- /dev/null
+++ b/tmp-5.10/netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch
@@ -0,0 +1,55 @@
+From a372d451f1e494f60eb06515981309299843c920 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Jul 2023 11:52:26 +0300
+Subject: netdevsim: fix uninitialized data in nsim_dev_trap_fa_cookie_write()
+
+From: Dan Carpenter
+
+[ Upstream commit f72207a5c0dbaaf6921cf9a6c0d2fd0bc249ea78 ]
+
+The simple_write_to_buffer() function is designed to handle partial
+writes. It returns negatives on error, otherwise it returns the number
+of bytes that were able to be copied. This code doesn't check the
+return properly. We only know that the first byte is written, the rest
+of the buffer might be uninitialized.
+
+There is no need to use the simple_write_to_buffer() function.
+Partial writes are prohibited by the "if (*ppos != 0)" check at the
+start of the function. Just use memdup_user() and copy the whole
+buffer.
+
+Fixes: d3cbb907ae57 ("netdevsim: add ACL trap reporting cookie as a metadata")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Pavan Chebbi
+Reviewed-by: Ido Schimmel
+Link: https://lore.kernel.org/r/7c1f950b-3a7d-4252-82a6-876e53078ef7@moroto.mountain
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/netdevsim/dev.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c
+index 9bbecf4d159b4..bcf354719745c 100644
+--- a/drivers/net/netdevsim/dev.c
++++ b/drivers/net/netdevsim/dev.c
+@@ -149,13 +149,10 @@ static ssize_t nsim_dev_trap_fa_cookie_write(struct file *file,
+ cookie_len = (count - 1) / 2;
+ if ((count - 1) % 2)
+ return -EINVAL;
+- buf = kmalloc(count, GFP_KERNEL | __GFP_NOWARN);
+- if (!buf)
+- return -ENOMEM;
+
+- ret = simple_write_to_buffer(buf, count, ppos, data, count);
+- if (ret < 0)
+- goto free_buf;
++ buf = memdup_user(data, count);
++ if (IS_ERR(buf))
++ return PTR_ERR(buf);
+
+ fa_cookie = kmalloc(sizeof(*fa_cookie) + cookie_len,
+ GFP_KERNEL | __GFP_NOWARN);
+--
+2.39.2
+
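Review bot: In drivers/net/netdevsim/dev.c the new `memdup_user(data, count)` call is only correct because partial writes are rejected earlier in nsim_dev_trap_fa_cookie_write(), and that precondition is outside the hunk. A comment above the call would keep the dependency visible: `/* *ppos == 0 is enforced above, so the whole user buffer is copied at once */`. The hunk also shows no upper limit on `count` before the allocation; if none exists earlier in the function, the size of both allocations is chosen by the writer. The function body starts before and continues after the hunk.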
diff --git a/tmp-5.10/netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch b/tmp-5.10/netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch
new file mode 100644
index 00000000000..0ae4479e562
--- /dev/null
+++ b/tmp-5.10/netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch
@@ -0,0 +1,51 @@
+From 6eef7a2b933885a17679eb8ed0796ddf0ee5309b Mon Sep 17 00:00:00 2001
+From: Florent Revest
+Date: Mon, 3 Jul 2023 16:52:16 +0200
+Subject: netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
+
+From: Florent Revest
+
+commit 6eef7a2b933885a17679eb8ed0796ddf0ee5309b upstream.
+
+If nf_conntrack_init_start() fails (for example due to a
+register_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini()
+clean-up path frees the nf_ct_helper_hash map.
+
+When built with NF_CONNTRACK=y, further netfilter modules (e.g:
+netfilter_conntrack_ftp) can still be loaded and call
+nf_conntrack_helpers_register(), independently of whether nf_conntrack
+initialized correctly. This accesses the nf_ct_helper_hash dangling
+pointer and causes a uaf, possibly leading to random memory corruption.
+
+This patch guards nf_conntrack_helper_register() from accessing a freed
+or uninitialized nf_ct_helper_hash pointer and fixes possible
+uses-after-free when loading a conntrack module.
+
+Cc: stable@vger.kernel.org
+Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
+Signed-off-by: Florent Revest
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_conntrack_helper.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/nf_conntrack_helper.c
++++ b/net/netfilter/nf_conntrack_helper.c
+@@ -404,6 +404,9 @@ int nf_conntrack_helper_register(struct
+ BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
+ BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1);
+
++ if (!nf_ct_helper_hash)
++ return -ENOENT;
++
+ if (me->expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT)
+ return -EINVAL;
+
+@@ -587,4 +590,5 @@ void nf_conntrack_helper_fini(void)
+ {
+ nf_ct_extend_unregister(&helper_extend);
+ kvfree(nf_ct_helper_hash);
++ nf_ct_helper_hash = NULL;
+ }
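Review bot: The new `if (!nf_ct_helper_hash)` test in nf_conntrack_helper_register() reads the global with no lock visible in the hunk and sits below two `BUG_ON()`s, and nothing at the call site explains when the table can be NULL. A short comment would record the reason given in the commit message: `/* NULL if conntrack init failed or never ran; refuse registration instead of touching a freed table */`. Whether the unregister path needs the same guard cannot be told from here, since only the register and fini hunks are shown. nf_conntrack_helper_register() extends outside its hunk.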
diff --git a/tmp-5.10/netfilter-conntrack-dccp-copy-entire-header-to-stack.patch b/tmp-5.10/netfilter-conntrack-dccp-copy-entire-header-to-stack.patch
new file mode 100644
index 00000000000..2d5b4b27fbc
--- /dev/null
+++ b/tmp-5.10/netfilter-conntrack-dccp-copy-entire-header-to-stack.patch
@@ -0,0 +1,149 @@
+From 582ea97f8965d0aa2efdc6253c88ddaeaa017515 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jun 2023 17:56:53 +0200
+Subject: netfilter: conntrack: dccp: copy entire header to stack buffer, not
+ just basic one
+
+From: Florian Westphal
+
+[ Upstream commit ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30 ]
+
+Eric Dumazet says:
+ nf_conntrack_dccp_packet() has an unique:
+
+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+
+ And nothing more is 'pulled' from the packet, depending on the content.
+ dh->dccph_doff, and/or dh->dccph_x ...)
+ So dccp_ack_seq() is happily reading stuff past the _dh buffer.
+
+BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0
+Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371
+[..]
+
+Fix this by increasing the stack buffer to also include room for
+the extra sequence numbers and all the known dccp packet type headers,
+then pull again after the initial validation of the basic header.
+
+While at it, mark packets invalid that lack 48bit sequence bit but
+where RFC says the type MUST use them.
+
+Compile tested only.
+
+v2: first skb_header_pointer() now needs to adjust the size to
+ only pull the generic header. (Eric)
+
+Heads-up: I intend to remove dccp conntrack support later this year.
+
+Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support")
+Reported-by: Eric Dumazet
+Signed-off-by: Florian Westphal
+Reviewed-by: Eric Dumazet
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_proto_dccp.c | 52 +++++++++++++++++++++++--
+ 1 file changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
+index 94001eb51ffe4..a9ae292e932ae 100644
+--- a/net/netfilter/nf_conntrack_proto_dccp.c
++++ b/net/netfilter/nf_conntrack_proto_dccp.c
+@@ -431,9 +431,19 @@ static bool dccp_error(const struct dccp_hdr *dh,
+ struct sk_buff *skb, unsigned int dataoff,
+ const struct nf_hook_state *state)
+ {
++ static const unsigned long require_seq48 = 1 << DCCP_PKT_REQUEST |
++ 1 << DCCP_PKT_RESPONSE |
++ 1 << DCCP_PKT_CLOSEREQ |
++ 1 << DCCP_PKT_CLOSE |
++ 1 << DCCP_PKT_RESET |
++ 1 << DCCP_PKT_SYNC |
++ 1 << DCCP_PKT_SYNCACK;
+ unsigned int dccp_len = skb->len - dataoff;
+ unsigned int cscov;
+ const char *msg;
++ u8 type;
++
++ BUILD_BUG_ON(DCCP_PKT_INVALID >= BITS_PER_LONG);
+
+ if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) ||
+ dh->dccph_doff * 4 > dccp_len) {
+@@ -458,10 +468,17 @@ static bool dccp_error(const struct dccp_hdr *dh,
+ goto out_invalid;
+ }
+
+- if (dh->dccph_type >= DCCP_PKT_INVALID) {
++ type = dh->dccph_type;
++ if (type >= DCCP_PKT_INVALID) {
+ msg = "nf_ct_dccp: reserved packet type ";
+ goto out_invalid;
+ }
++
++ if (test_bit(type, &require_seq48) && !dh->dccph_x) {
++ msg = "nf_ct_dccp: type lacks 48bit sequence numbers";
++ goto out_invalid;
++ }
++
+ return false;
+ out_invalid:
+ nf_l4proto_log_invalid(skb, state->net, state->pf,
+@@ -469,24 +486,53 @@ static bool dccp_error(const struct dccp_hdr *dh,
+ return true;
+ }
+
++struct nf_conntrack_dccp_buf {
++ struct dccp_hdr dh; /* generic header part */
++ struct dccp_hdr_ext ext; /* optional depending dh->dccph_x */
++ union { /* depends on header type */
++ struct dccp_hdr_ack_bits ack;
++ struct dccp_hdr_request req;
++ struct dccp_hdr_response response;
++ struct dccp_hdr_reset rst;
++ } u;
++};
++
++static struct dccp_hdr *
++dccp_header_pointer(const struct sk_buff *skb, int offset, const struct dccp_hdr *dh,
++ struct nf_conntrack_dccp_buf *buf)
++{
++ unsigned int hdrlen = __dccp_hdr_len(dh);
++
++ if (hdrlen > sizeof(*buf))
++ return NULL;
++
++ return skb_header_pointer(skb, offset, hdrlen, buf);
++}
++
+ int nf_conntrack_dccp_packet(struct nf_conn *ct, struct sk_buff *skb,
+ unsigned int dataoff,
+ enum ip_conntrack_info ctinfo,
+ const struct nf_hook_state *state)
+ {
+ enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+- struct dccp_hdr _dh, *dh;
++ struct nf_conntrack_dccp_buf _dh;
+ u_int8_t type, old_state, new_state;
+ enum ct_dccp_roles role;
+ unsigned int *timeouts;
++ struct dccp_hdr *dh;
+
+- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
++ dh = skb_header_pointer(skb, dataoff, sizeof(*dh), &_dh.dh);
+ if (!dh)
+ return NF_DROP;
+
+ if (dccp_error(dh, skb, dataoff, state))
+ return -NF_ACCEPT;
+
++ /* pull again, including possible 48 bit sequences and subtype header */
++ dh = dccp_header_pointer(skb, dataoff, dh, &_dh);
++ if (!dh)
++ return NF_DROP;
++
+ type = dh->dccph_type;
+ if (!nf_ct_is_confirmed(ct) && !dccp_new(ct, skb, dh))
+ return -NF_ACCEPT;
+--
+2.39.2
+
diff --git a/tmp-5.10/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch b/tmp-5.10/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch
new file mode 100644
index 00000000000..5b9e350bfbf
--- /dev/null
+++ b/tmp-5.10/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch
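Review bot: In dccp_error() (net/netfilter/nf_conntrack_proto_dccp.c) the `require_seq48` mask is an `unsigned long` built from `1 << DCCP_PKT_*`, which are `int` shifts, while the `BUILD_BUG_ON()` next to it bounds the packet type by `BITS_PER_LONG`. On a 64-bit build that assertion would still pass for a type value of 32 or more, where the `int` shift is undefined. Building the mask with `BIT(DCCP_PKT_REQUEST) | BIT(DCCP_PKT_RESPONSE) | ...` keeps the shift width and the assertion in agreement. Parts of dccp_error() lie between the hunks.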
@@ -0,0 +1,53 @@
+From bbde13d2663de15196c26ab572f08c068588f449 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jun 2023 11:23:46 +0000
+Subject: netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param()
+ return value.
+
+From: Ilia.Gavrilov
+
+[ Upstream commit f188d30087480eab421cd8ca552fb15f55d57f4d ]
+
+ct_sip_parse_numerical_param() returns only 0 or 1 now.
+But process_register_request() and process_register_response() imply
+checking for a negative value if parsing of a numerical header parameter
+failed.
+The invocation in nf_nat_sip() looks correct:
+ if (ct_sip_parse_numerical_param(...) > 0 &&
+ ...) { ... }
+
+Make the return value of the function ct_sip_parse_numerical_param()
+a tristate to fix all the cases
+a) return 1 if value is found; *val is set
+b) return 0 if value is not found; *val is unchanged
+c) return -1 on error; *val is undefined
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: 0f32a40fc91a ("[NETFILTER]: nf_conntrack_sip: create signalling expectations")
+Signed-off-by: Ilia.Gavrilov
+Reviewed-by: Simon Horman
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_sip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
+index 78fd9122b70c7..751df19fe0f8a 100644
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -611,7 +611,7 @@ int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
+ start += strlen(name);
+ *val = simple_strtoul(start, &end, 0);
+ if (start == end)
+- return 0;
++ return -1;
+ if (matchoff && matchlen) {
+ *matchoff = start - dptr;
+ *matchlen = end - start;
+--
+2.39.2
+
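Review bot: ct_sip_parse_numerical_param() writes `*val = simple_strtoul(start, &end, 0);` before the `start == end` test, so on the new `return -1` path the caller's value has already been overwritten. The three-way contract exists only in the commit message; put it in a comment above the function, for example `/* Returns 1 if found (*val set), 0 if absent (*val unchanged), -1 on parse error (*val undefined) */`. Callers that test the result as a boolean would now treat the error as success, so each call site should compare with `> 0` or `< 0`. Only these few lines of the function are in the hunk.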
diff --git a/tmp-5.10/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch b/tmp-5.10/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch
new file mode 100644
index 00000000000..1fdba2a577b
--- /dev/null
+++ b/tmp-5.10/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch
@@ -0,0 +1,170 @@
+From stable-owner@vger.kernel.org Thu Jul 13 10:49:52 2023
+From: Pablo Neira Ayuso
+Date: Thu, 13 Jul 2023 10:48:53 +0200
+Subject: netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain
+To: netfilter-devel@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, stable@vger.kernel.org, sashal@kernel.org
+Message-ID: <20230713084859.71541-6-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 26b5a5712eb85e253724e56a54c17f8519bd8e4e ]
+
+Add a new state to deal with rule expressions deactivation from the
+newrule error path, otherwise the anonymous set remains in the list in
+inactive state for the next generation. Mark the set/chain transaction
+as unbound so the abort path releases this object, set it as inactive in
+the next generation so it is not reachable anymore from this transaction
+and reference counter is dropped.
+
+Fixes: 1240eb93f061 ("netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/netfilter/nf_tables.h | 2 +
+ net/netfilter/nf_tables_api.c | 45 ++++++++++++++++++++++++++++++++------
+ net/netfilter/nft_immediate.c | 3 ++
+ 3 files changed, 43 insertions(+), 7 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -777,6 +777,7 @@ struct nft_expr_type {
+
+ enum nft_trans_phase {
+ NFT_TRANS_PREPARE,
++ NFT_TRANS_PREPARE_ERROR,
+ NFT_TRANS_ABORT,
+ NFT_TRANS_COMMIT,
+ NFT_TRANS_RELEASE
+@@ -970,6 +971,7 @@ struct nft_chain {
+
+ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain);
+ int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
++void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
+
+ enum nft_chain_types {
+ NFT_CHAIN_T_DEFAULT = 0,
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -173,7 +173,8 @@ static void nft_trans_destroy(struct nft
+ kfree(trans);
+ }
+
+-static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
++static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
++ bool bind)
+ {
+ struct nftables_pernet *nft_net;
+ struct net *net = ctx->net;
+@@ -187,17 +188,28 @@ static void nft_set_trans_bind(const str
+ switch (trans->msg_type) {
+ case NFT_MSG_NEWSET:
+ if (nft_trans_set(trans) == set)
+- nft_trans_set_bound(trans) = true;
++ nft_trans_set_bound(trans) = bind;
+ break;
+ case NFT_MSG_NEWSETELEM:
+ if (nft_trans_elem_set(trans) == set)
+- nft_trans_elem_set_bound(trans) = true;
++ nft_trans_elem_set_bound(trans) = bind;
+ break;
+ }
+ }
+ }
+
+-static void nft_chain_trans_bind(const struct nft_ctx *ctx, struct nft_chain *chain)
++static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
++{
++ return __nft_set_trans_bind(ctx, set, true);
++}
++
++static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
++{
++ return __nft_set_trans_bind(ctx, set, false);
++}
++
++static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
++ struct nft_chain *chain, bool bind)
+ {
+ struct nftables_pernet *nft_net;
+ struct net *net = ctx->net;
+@@ -211,16 +223,22 @@ static void nft_chain_trans_bind(const s
+ switch (trans->msg_type) {
+ case NFT_MSG_NEWCHAIN:
+ if (nft_trans_chain(trans) == chain)
+- nft_trans_chain_bound(trans) = true;
++ nft_trans_chain_bound(trans) = bind;
+ break;
+ case NFT_MSG_NEWRULE:
+ if (trans->ctx.chain == chain)
+- nft_trans_rule_bound(trans) = true;
++ nft_trans_rule_bound(trans) = bind;
+ break;
+ }
+ }
+ }
+
++static void nft_chain_trans_bind(const struct nft_ctx *ctx,
++ struct nft_chain *chain)
++{
++ __nft_chain_trans_bind(ctx, chain, true);
++}
++
+ int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
+ {
+ if (!nft_chain_binding(chain))
+@@ -239,6 +257,11 @@ int nf_tables_bind_chain(const struct nf
+ return 0;
+ }
+
++void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
++{
++ __nft_chain_trans_bind(ctx, chain, false);
++}
++
+ static int nft_netdev_register_hooks(struct net *net,
+ struct list_head *hook_list)
+ {
+@@ -3449,7 +3472,7 @@ static int nf_tables_newrule(struct net
+
+ return 0;
+ err2:
+- nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE);
++ nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
+ nf_tables_rule_destroy(&ctx, rule);
+ err1:
+ for (i = 0; i < n; i++) {
+@@ -4585,6 +4608,13 @@ void nf_tables_deactivate_set(const stru
+ enum nft_trans_phase phase)
+ {
+ switch (phase) {
++ case NFT_TRANS_PREPARE_ERROR:
++ nft_set_trans_unbind(ctx, set);
++ if (nft_set_is_anonymous(set))
++ nft_deactivate_next(ctx->net, set);
++
++ set->use--;
++ break;
+ case NFT_TRANS_PREPARE:
+ if (nft_set_is_anonymous(set))
+ nft_deactivate_next(ctx->net, set);
+@@ -6525,6 +6555,7 @@ void nf_tables_deactivate_flowtable(cons
+ enum nft_trans_phase phase)
+ {
+ switch (phase) {
++ case NFT_TRANS_PREPARE_ERROR:
+ case NFT_TRANS_PREPARE:
+ case NFT_TRANS_ABORT:
+ case NFT_TRANS_RELEASE:
+--- a/net/netfilter/nft_immediate.c
++++ b/net/netfilter/nft_immediate.c
+@@ -150,6 +150,9 @@ static void nft_immediate_deactivate(con
+ nft_rule_expr_deactivate(&chain_ctx, rule, phase);
+
+ switch (phase) {
++ case NFT_TRANS_PREPARE_ERROR:
++ nf_tables_unbind_chain(ctx, chain);
++ fallthrough;
+ case NFT_TRANS_PREPARE:
+ nft_deactivate_next(ctx->net, chain);
+ break;
diff --git a/tmp-5.10/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch b/tmp-5.10/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch
new file mode 100644
index 00000000000..e003123cf61
--- /dev/null
+++ b/tmp-5.10/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch
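Review bot: The new wrappers nft_set_trans_bind() and nft_set_trans_unbind() in net/netfilter/nf_tables_api.c are `void` but use `return __nft_set_trans_bind(ctx, set, true);`, whereas nft_chain_trans_bind() and nf_tables_unbind_chain() added by the same patch call the helper as a plain statement. Drop the `return` in both set wrappers, i.e. `__nft_set_trans_bind(ctx, set, true);` and `__nft_set_trans_bind(ctx, set, false);`, so the four wrappers read the same. The new `NFT_TRANS_PREPARE_ERROR` case in nf_tables_deactivate_set() would also benefit from a comment such as `/* newrule error path: unbind so the abort path releases the set */`, since the reason is only in the commit message. nf_tables_deactivate_set() continues outside its hunk.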
@@ -0,0 +1,50 @@
+From stable-owner@vger.kernel.org Thu Jul 13 10:49:47 2023
+From: Pablo Neira Ayuso
+Date: Thu, 13 Jul 2023 10:48:50 +0200
+Subject: netfilter: nf_tables: add rescheduling points during loop detection walks
+To: netfilter-devel@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, stable@vger.kernel.org, sashal@kernel.org
+Message-ID: <20230713084859.71541-3-pablo@netfilter.org>
+
+From: Florian Westphal
+
+[ Upstream commit 81ea010667417ef3f218dfd99b69769fe66c2b67 ]
+
+Add explicit rescheduling points during ruleset walk.
+
+Switching to a faster algorithm is possible but this is a much
+smaller change, suitable for nf tree.
+
+Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1460
+Signed-off-by: Florian Westphal
+Acked-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3164,6 +3164,8 @@ int nft_chain_validate(const struct nft_
+ if (err < 0)
+ return err;
+ }
++
++ cond_resched();
+ }
+
+ return 0;
+@@ -8506,9 +8508,13 @@ static int nf_tables_check_loops(const s
+ break;
+ }
+ }
++
++ cond_resched();
+ }
+
+ list_for_each_entry(set, &ctx->table->sets, list) {
++ cond_resched();
++
+ if (!nft_is_active_next(ctx->net, set))
+ continue;
+ if (!(set->flags & NFT_SET_MAP) ||
diff --git a/tmp-5.10/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch b/tmp-5.10/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch
new file mode 100644
index 00000000000..804f23f75e9
--- /dev/null
+++ b/tmp-5.10/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch
@@ -0,0 +1,64 @@
+From 5103fefc2d79d684a4a836a73788f1a9d0f3ad70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Jul 2023 01:30:33 +0200
+Subject: netfilter: nf_tables: can't schedule in nft_chain_validate
+
+From: Florian Westphal
+
+[ Upstream commit 314c82841602a111c04a7210c21dc77e0d560242 ]
+
+Can be called via nft set element list iteration, which may acquire
+rcu and/or bh read lock (depends on set type).
+
+BUG: sleeping function called from invalid context at net/netfilter/nf_tables_api.c:3353
+in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1232, name: nft
+preempt_count: 0, expected: 0
+RCU nest depth: 1, expected: 0
+2 locks held by nft/1232:
+ #0: ffff8881180e3ea8 (&nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid
+ #1: ffffffff83f5f540 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire
+Call Trace:
+ nft_chain_validate
+ nft_lookup_validate_setelem
+ nft_pipapo_walk
+ nft_lookup_validate
+ nft_chain_validate
+ nft_immediate_validate
+ nft_chain_validate
+ nf_tables_validate
+ nf_tables_abort
+
+No choice but to move it to nf_tables_validate().
+
+Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks")
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 9c3a9e3f1ede9..a8d316a58e44c 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3276,8 +3276,6 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
+ if (err < 0)
+ return err;
+ }
+-
+- cond_resched();
+ }
+
+ return 0;
+@@ -3301,6 +3299,8 @@ static int nft_table_validate(struct net *net, const struct nft_table *table)
+ err = nft_chain_validate(&ctx, chain);
+ if (err < 0)
+ return err;
++
++ cond_resched();
+ }
+
+ return 0;
+--
+2.39.2
+
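Review bot: The `cond_resched()` moved into nft_table_validate() carries no comment saying why it may not live in nft_chain_validate(), which invites someone to move it back. Record the constraint from the commit message at the call, e.g. `/* nft_chain_validate() can run under rcu/bh read lock via set walks, so reschedule here */`. Both functions begin outside their hunks.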
diff --git a/tmp-5.10/netfilter-nf_tables-do-not-ignore-genmask-when-looking-up-chain-by-id.patch b/tmp-5.10/netfilter-nf_tables-do-not-ignore-genmask-when-looking-up-chain-by-id.patch
new file mode 100644
index 00000000000..673595cd5f3
--- /dev/null
+++ b/tmp-5.10/netfilter-nf_tables-do-not-ignore-genmask-when-looking-up-chain-by-id.patch
@@ -0,0 +1,120 @@
+From 515ad530795c118f012539ed76d02bacfd426d89 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo
+Date: Wed, 5 Jul 2023 09:12:55 -0300
+Subject: netfilter: nf_tables: do not ignore genmask when looking up chain by id
+
+From: Thadeu Lima de Souza Cascardo
+
+commit 515ad530795c118f012539ed76d02bacfd426d89 upstream.
+
+When adding a rule to a chain referring to its ID, if that chain had been
+deleted on the same batch, the rule might end up referring to a deleted
+chain.
+
+This will lead to a WARNING like following:
+
+[ 33.098431] ------------[ cut here ]------------
+[ 33.098678] WARNING: CPU: 5 PID: 69 at net/netfilter/nf_tables_api.c:2037 nf_tables_chain_destroy+0x23d/0x260
+[ 33.099217] Modules linked in:
+[ 33.099388] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409
+[ 33.099726] Workqueue: events nf_tables_trans_destroy_work
+[ 33.100018] RIP: 0010:nf_tables_chain_destroy+0x23d/0x260
+[ 33.100306] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7
+[ 33.101271] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202
+[ 33.101546] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000
+[ 33.101920] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+[ 33.102649] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000
+[ 33.103018] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500
+[ 33.103385] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10
+[ 33.103762] FS: 0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000
+[ 33.104184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 33.104493] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0
+[ 33.104872] PKRU: 55555554
+[ 33.104999] Call Trace:
+[ 33.105113]
+[ 33.105214] ? show_regs+0x72/0x90
+[ 33.105371] ? __warn+0xa5/0x210
+[ 33.105520] ? nf_tables_chain_destroy+0x23d/0x260
+[ 33.105732] ? report_bug+0x1f2/0x200
+[ 33.105902] ? handle_bug+0x46/0x90
+[ 33.106546] ? exc_invalid_op+0x19/0x50
+[ 33.106762] ? asm_exc_invalid_op+0x1b/0x20
+[ 33.106995] ? nf_tables_chain_destroy+0x23d/0x260
+[ 33.107249] ? nf_tables_chain_destroy+0x30/0x260
+[ 33.107506] nf_tables_trans_destroy_work+0x669/0x680
+[ 33.107782] ? mark_held_locks+0x28/0xa0
+[ 33.107996] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10
+[ 33.108294] ? _raw_spin_unlock_irq+0x28/0x70
+[ 33.108538] process_one_work+0x68c/0xb70
+[ 33.108755] ? lock_acquire+0x17f/0x420
+[ 33.108977] ? __pfx_process_one_work+0x10/0x10
+[ 33.109218] ? do_raw_spin_lock+0x128/0x1d0
+[ 33.109435] ? _raw_spin_lock_irq+0x71/0x80
+[ 33.109634] worker_thread+0x2bd/0x700
+[ 33.109817] ? __pfx_worker_thread+0x10/0x10
+[ 33.110254] kthread+0x18b/0x1d0
+[ 33.110410] ? __pfx_kthread+0x10/0x10
+[ 33.110581] ret_from_fork+0x29/0x50
+[ 33.110757]
+[ 33.110866] irq event stamp: 1651
+[ 33.111017] hardirqs last enabled at (1659): [] __up_console_sem+0x79/0xa0
+[ 33.111379] hardirqs last disabled at (1666): [] __up_console_sem+0x5e/0xa0
+[ 33.111740] softirqs last enabled at (1616): [] __irq_exit_rcu+0x9e/0xe0
+[ 33.112094] softirqs last disabled at (1367): [] __irq_exit_rcu+0x9e/0xe0
+[ 33.112453] ---[ end trace 0000000000000000 ]---
+
+This is due to the nft_chain_lookup_byid ignoring the genmask. After this
+change, adding the new rule will fail as it will not find the chain.
+
+Fixes: 837830a4b439 ("netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute")
+Cc: stable@vger.kernel.org
+Reported-by: Mingi Cho of Theori working with ZDI
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2427,7 +2427,7 @@ err:
+
+ static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
+ const struct nft_table *table,
+- const struct nlattr *nla)
++ const struct nlattr *nla, u8 genmask)
+ {
+ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ u32 id = ntohl(nla_get_be32(nla));
+@@ -2438,7 +2438,8 @@ static struct nft_chain *nft_chain_looku
+
+ if (trans->msg_type == NFT_MSG_NEWCHAIN &&
+ chain->table == table &&
+- id == nft_trans_chain_id(trans))
++ id == nft_trans_chain_id(trans) &&
++ nft_active_genmask(chain, genmask))
+ return chain;
+ }
+ return ERR_PTR(-ENOENT);
+@@ -3353,7 +3354,8 @@ static int nf_tables_newrule(struct net
+ return -EOPNOTSUPP;
+
+ } else if (nla[NFTA_RULE_CHAIN_ID]) {
+- chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID]);
++ chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID],
++ genmask);
+ if (IS_ERR(chain)) {
+ NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]);
+ return PTR_ERR(chain);
+@@ -8937,7 +8939,8 @@ static int nft_verdict_init(const struct
+ genmask);
+ } else if (tb[NFTA_VERDICT_CHAIN_ID]) {
+ chain = nft_chain_lookup_byid(ctx->net, ctx->table,
+- tb[NFTA_VERDICT_CHAIN_ID]);
++ tb[NFTA_VERDICT_CHAIN_ID],
++ genmask);
+ if (IS_ERR(chain))
+ return PTR_ERR(chain);
+ } else {
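Review bot: nft_chain_lookup_byid() gains a `genmask` parameter and a `nft_active_genmask(chain, genmask)` condition, but nothing at the condition says what the extra filter excludes. A line above it would do: `/* ignore chains deleted earlier in the same batch */`. The hunks update two callers, nf_tables_newrule() and nft_verdict_init(); whether other by-ID lookups in this file apply the same generation filter is not visible here and is worth checking. Part of the function body lies between the first two hunks.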
diff --git a/tmp-5.10/netfilter-nf_tables-drop-map-element-references-from-preparation-phase.patch b/tmp-5.10/netfilter-nf_tables-drop-map-element-references-from-preparation-phase.patch
new file mode 100644
index 00000000000..e4f4bfe1f20
--- /dev/null
+++ b/tmp-5.10/netfilter-nf_tables-drop-map-element-references-from-preparation-phase.patch
@@ -0,0 +1,376 @@ +From stable-owner@vger.kernel.org Thu Jul 13 10:49:53 2023 +From: Pablo Neira Ayuso +Date: Thu, 13 Jul 2023 10:48:57 +0200 +Subject: netfilter: nf_tables: drop map element references from preparation phase +To: netfilter-devel@vger.kernel.org +Cc: gregkh@linuxfoundation.org, stable@vger.kernel.org, sashal@kernel.org +Message-ID: <20230713084859.71541-10-pablo@netfilter.org> + +From: Pablo Neira Ayuso + +[ Upstream commit 628bd3e49cba1c066228e23d71a852c23e26da73 ] + +set .destroy callback releases the references to other objects in maps. +This is very late and it results in spurious EBUSY errors. Drop refcount +from the preparation phase instead, update set backend not to drop +reference counter from set .destroy path. + +Exceptions: NFT_TRANS_PREPARE_ERROR does not require to drop the +reference counter because the transaction abort path releases the map +references for each element since the set is unbound. The abort path +also deals with releasing reference counter for new elements added to +unbound sets. 
+ +Fixes: 591054469b3e ("netfilter: nf_tables: revisit chain/object refcounting from elements") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + include/net/netfilter/nf_tables.h | 5 +- + net/netfilter/nf_tables_api.c | 89 ++++++++++++++++++++++++++++++++++---- + net/netfilter/nft_set_bitmap.c | 5 +- + net/netfilter/nft_set_hash.c | 23 +++++++-- + net/netfilter/nft_set_pipapo.c | 14 +++-- + net/netfilter/nft_set_rbtree.c | 5 +- + 6 files changed, 117 insertions(+), 24 deletions(-) + +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -382,7 +382,8 @@ struct nft_set_ops { + int (*init)(const struct nft_set *set, + const struct nft_set_desc *desc, + const struct nlattr * const nla[]); +- void (*destroy)(const struct nft_set *set); ++ void (*destroy)(const struct nft_ctx *ctx, ++ const struct nft_set *set); + void (*gc_init)(const struct nft_set *set); + + unsigned int elemsize; +@@ -686,6 +687,8 @@ void *nft_set_elem_init(const struct nft + u64 timeout, u64 expiration, gfp_t gfp); + void nft_set_elem_destroy(const struct nft_set *set, void *elem, + bool destroy_expr); ++void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set, void *elem); + + /** + * struct nft_set_gc_batch_head - nf_tables set garbage collection batch +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -557,6 +557,31 @@ static int nft_trans_set_add(const struc + return 0; + } + ++static void nft_setelem_data_deactivate(const struct net *net, ++ const struct nft_set *set, ++ struct nft_set_elem *elem); ++ ++static int nft_mapelem_deactivate(const struct nft_ctx *ctx, ++ struct nft_set *set, ++ const struct nft_set_iter *iter, ++ struct nft_set_elem *elem) ++{ ++ nft_setelem_data_deactivate(ctx->net, set, elem); ++ ++ return 0; ++} ++ ++static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set) ++{ ++ struct nft_set_iter iter = { ++ .genmask = 
nft_genmask_next(ctx->net), ++ .fn = nft_mapelem_deactivate, ++ }; ++ ++ set->ops->walk(ctx, set, &iter); ++ WARN_ON_ONCE(iter.err); ++} ++ + static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) + { + int err; +@@ -565,6 +590,9 @@ static int nft_delset(const struct nft_c + if (err < 0) + return err; + ++ if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ++ nft_map_deactivate(ctx, set); ++ + nft_deactivate_next(ctx->net, set); + ctx->table->use--; + +@@ -4474,7 +4502,7 @@ err_set_expr_alloc: + if (set->expr) + nft_expr_destroy(&ctx, set->expr); + +- ops->destroy(set); ++ ops->destroy(&ctx, set); + err_set_init: + kfree(set->name); + err_set_name: +@@ -4490,7 +4518,7 @@ static void nft_set_destroy(const struct + if (set->expr) + nft_expr_destroy(ctx, set->expr); + +- set->ops->destroy(set); ++ set->ops->destroy(ctx, set); + kfree(set->name); + kvfree(set); + } +@@ -4614,10 +4642,39 @@ static void nf_tables_unbind_set(const s + } + } + ++static void nft_setelem_data_activate(const struct net *net, ++ const struct nft_set *set, ++ struct nft_set_elem *elem); ++ ++static int nft_mapelem_activate(const struct nft_ctx *ctx, ++ struct nft_set *set, ++ const struct nft_set_iter *iter, ++ struct nft_set_elem *elem) ++{ ++ nft_setelem_data_activate(ctx->net, set, elem); ++ ++ return 0; ++} ++ ++static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set) ++{ ++ struct nft_set_iter iter = { ++ .genmask = nft_genmask_next(ctx->net), ++ .fn = nft_mapelem_activate, ++ }; ++ ++ set->ops->walk(ctx, set, &iter); ++ WARN_ON_ONCE(iter.err); ++} ++ + void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set) + { +- if (nft_set_is_anonymous(set)) ++ if (nft_set_is_anonymous(set)) { ++ if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ++ nft_map_activate(ctx, set); ++ + nft_clear(ctx->net, set); ++ } + + set->use++; + } +@@ -4636,13 +4693,20 @@ void nf_tables_deactivate_set(const stru + set->use--; + break; + case NFT_TRANS_PREPARE: +- if 
(nft_set_is_anonymous(set)) +- nft_deactivate_next(ctx->net, set); ++ if (nft_set_is_anonymous(set)) { ++ if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ++ nft_map_deactivate(ctx, set); + ++ nft_deactivate_next(ctx->net, set); ++ } + set->use--; + return; + case NFT_TRANS_ABORT: + case NFT_TRANS_RELEASE: ++ if (nft_set_is_anonymous(set) && ++ set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ++ nft_map_deactivate(ctx, set); ++ + set->use--; + fallthrough; + default: +@@ -5249,6 +5313,7 @@ static void nft_set_elem_expr_destroy(co + } + } + ++/* Drop references and destroy. Called from gc, dynset and abort path. */ + void nft_set_elem_destroy(const struct nft_set *set, void *elem, + bool destroy_expr) + { +@@ -5270,11 +5335,11 @@ void nft_set_elem_destroy(const struct n + } + EXPORT_SYMBOL_GPL(nft_set_elem_destroy); + +-/* Only called from commit path, nft_setelem_data_deactivate() already deals +- * with the refcounting from the preparation phase. ++/* Destroy element. References have been already dropped in the preparation ++ * path via nft_setelem_data_deactivate(). 
+ */ +-static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, +- const struct nft_set *set, void *elem) ++void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set, void *elem) + { + struct nft_set_ext *ext = nft_set_elem_ext(set, elem); + +@@ -8399,6 +8464,9 @@ static int __nf_tables_abort(struct net + case NFT_MSG_DELSET: + trans->ctx.table->use++; + nft_clear(trans->ctx.net, nft_trans_set(trans)); ++ if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ++ nft_map_activate(&trans->ctx, nft_trans_set(trans)); ++ + nft_trans_destroy(trans); + break; + case NFT_MSG_NEWSETELEM: +@@ -9128,6 +9196,9 @@ static void __nft_release_table(struct n + list_for_each_entry_safe(set, ns, &table->sets, list) { + list_del(&set->list); + table->use--; ++ if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ++ nft_map_deactivate(&ctx, set); ++ + nft_set_destroy(&ctx, set); + } + list_for_each_entry_safe(obj, ne, &table->objects, list) { +--- a/net/netfilter/nft_set_bitmap.c ++++ b/net/netfilter/nft_set_bitmap.c +@@ -270,13 +270,14 @@ static int nft_bitmap_init(const struct + return 0; + } + +-static void nft_bitmap_destroy(const struct nft_set *set) ++static void nft_bitmap_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set) + { + struct nft_bitmap *priv = nft_set_priv(set); + struct nft_bitmap_elem *be, *n; + + list_for_each_entry_safe(be, n, &priv->list, head) +- nft_set_elem_destroy(set, be, true); ++ nf_tables_set_elem_destroy(ctx, set, be); + } + + static bool nft_bitmap_estimate(const struct nft_set_desc *desc, u32 features, +--- a/net/netfilter/nft_set_hash.c ++++ b/net/netfilter/nft_set_hash.c +@@ -380,19 +380,31 @@ static int nft_rhash_init(const struct n + return 0; + } + ++struct nft_rhash_ctx { ++ const struct nft_ctx ctx; ++ const struct nft_set *set; ++}; ++ + static void nft_rhash_elem_destroy(void *ptr, void *arg) + { +- nft_set_elem_destroy(arg, ptr, true); ++ struct nft_rhash_ctx *rhash_ctx = arg; ++ ++ 
nf_tables_set_elem_destroy(&rhash_ctx->ctx, rhash_ctx->set, ptr); + } + +-static void nft_rhash_destroy(const struct nft_set *set) ++static void nft_rhash_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set) + { + struct nft_rhash *priv = nft_set_priv(set); ++ struct nft_rhash_ctx rhash_ctx = { ++ .ctx = *ctx, ++ .set = set, ++ }; + + cancel_delayed_work_sync(&priv->gc_work); + rcu_barrier(); + rhashtable_free_and_destroy(&priv->ht, nft_rhash_elem_destroy, +- (void *)set); ++ (void *)&rhash_ctx); + } + + /* Number of buckets is stored in u32, so cap our result to 1U<<31 */ +@@ -621,7 +633,8 @@ static int nft_hash_init(const struct nf + return 0; + } + +-static void nft_hash_destroy(const struct nft_set *set) ++static void nft_hash_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set) + { + struct nft_hash *priv = nft_set_priv(set); + struct nft_hash_elem *he; +@@ -631,7 +644,7 @@ static void nft_hash_destroy(const struc + for (i = 0; i < priv->buckets; i++) { + hlist_for_each_entry_safe(he, next, &priv->table[i], node) { + hlist_del_rcu(&he->node); +- nft_set_elem_destroy(set, he, true); ++ nf_tables_set_elem_destroy(ctx, set, he); + } + } + } +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -2127,10 +2127,12 @@ out_scratch: + + /** + * nft_set_pipapo_match_destroy() - Destroy elements from key mapping array ++ * @ctx: context + * @set: nftables API set representation + * @m: matching data pointing to key mapping array + */ +-static void nft_set_pipapo_match_destroy(const struct nft_set *set, ++static void nft_set_pipapo_match_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set, + struct nft_pipapo_match *m) + { + struct nft_pipapo_field *f; +@@ -2147,15 +2149,17 @@ static void nft_set_pipapo_match_destroy + + e = f->mt[r].e; + +- nft_set_elem_destroy(set, e, true); ++ nf_tables_set_elem_destroy(ctx, set, e); + } + } + + /** + * nft_pipapo_destroy() - Free private data for set and all committed 
elements ++ * @ctx: context + * @set: nftables API set representation + */ +-static void nft_pipapo_destroy(const struct nft_set *set) ++static void nft_pipapo_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set) + { + struct nft_pipapo *priv = nft_set_priv(set); + struct nft_pipapo_match *m; +@@ -2165,7 +2169,7 @@ static void nft_pipapo_destroy(const str + if (m) { + rcu_barrier(); + +- nft_set_pipapo_match_destroy(set, m); ++ nft_set_pipapo_match_destroy(ctx, set, m); + + #ifdef NFT_PIPAPO_ALIGN + free_percpu(m->scratch_aligned); +@@ -2182,7 +2186,7 @@ static void nft_pipapo_destroy(const str + m = priv->clone; + + if (priv->dirty) +- nft_set_pipapo_match_destroy(set, m); ++ nft_set_pipapo_match_destroy(ctx, set, m); + + #ifdef NFT_PIPAPO_ALIGN + free_percpu(priv->clone->scratch_aligned); +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -657,7 +657,8 @@ static int nft_rbtree_init(const struct + return 0; + } + +-static void nft_rbtree_destroy(const struct nft_set *set) ++static void nft_rbtree_destroy(const struct nft_ctx *ctx, ++ const struct nft_set *set) + { + struct nft_rbtree *priv = nft_set_priv(set); + struct nft_rbtree_elem *rbe; +@@ -668,7 +669,7 @@ static void nft_rbtree_destroy(const str + while ((node = priv->root.rb_node) != NULL) { + rb_erase(node, &priv->root); + rbe = rb_entry(node, struct nft_rbtree_elem, node); +- nft_set_elem_destroy(set, rbe, true); ++ nf_tables_set_elem_destroy(ctx, set, rbe); + } + } + diff --git a/tmp-5.10/netfilter-nf_tables-fix-chain-binding-transaction-logic.patch b/tmp-5.10/netfilter-nf_tables-fix-chain-binding-transaction-logic.patch new file mode 100644 index 00000000000..039be7394c5 --- /dev/null +++ b/tmp-5.10/netfilter-nf_tables-fix-chain-binding-transaction-logic.patch 
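Review bot: The new `->destroy` contract is not documented where the callback is declared in `struct nft_set_ops`. Every backend now calls `nf_tables_set_elem_destroy()`, which per the comment added in nf_tables_api.c assumes the element references were already dropped in the preparation path, so any caller that reaches `->destroy` on a map without first running `nft_map_deactivate()` would leave the referenced chains' and objects' use counters elevated. I would add above the member `/* map element references must already be dropped (nft_map_deactivate) before ->destroy is called */`. Separately, `nft_map_deactivate()` and `nft_map_activate()` reduce a failed `set->ops->walk()` to `WARN_ON_ONCE(iter.err)`; a walk that stops early would leave the counters only partly adjusted, so a comment stating why that cannot happen would help. The abort/release test `nft_set_is_anonymous(set) && set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)` parses as intended but reads better with the flag test parenthesised, as at the other call sites.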
@@ -0,0 +1,432 @@ +From stable-owner@vger.kernel.org Thu Jul 13 10:49:52 2023 +From: Pablo Neira Ayuso +Date: Thu, 13 Jul 2023 10:48:52 +0200 +Subject: netfilter: nf_tables: fix chain binding transaction logic +To: netfilter-devel@vger.kernel.org +Cc: gregkh@linuxfoundation.org, stable@vger.kernel.org, sashal@kernel.org +Message-ID: <20230713084859.71541-5-pablo@netfilter.org> + +From: Pablo Neira Ayuso + +[ Upstream commit 4bedf9eee016286c835e3d8fa981ddece5338795 ] + +Add bound flag to rule and chain transactions as in 6a0a8d10a366 +("netfilter: nf_tables: use-after-free in failing rule with bound set") +to skip them in case that the chain is already bound from the abort +path. + +This patch fixes an imbalance in the chain use refcnt that triggers a +WARN_ON on the table and chain destroy path. + +This patch also disallows nested chain bindings, which is not +supported from userspace. + +The logic to deal with chain binding in nft_data_hold() and +nft_data_release() is not correct. The NFT_TRANS_PREPARE state needs a +special handling in case a chain is bound but next expressions in the +same rule fail to initialize as described by 1240eb93f061 ("netfilter: +nf_tables: incorrect error path handling with NFT_MSG_NEWRULE"). + +The chain is left bound if rule construction fails, so the objects +stored in this chain (and the chain itself) are released by the +transaction records from the abort path, follow up patch ("netfilter: +nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain") +completes this error handling. + +When deleting an existing rule, chain bound flag is set off so the +rule expression .destroy path releases the objects. 
+ +Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + include/net/netfilter/nf_tables.h | 21 ++++++++- + net/netfilter/nf_tables_api.c | 86 ++++++++++++++++++++++++------------- + net/netfilter/nft_immediate.c | 87 ++++++++++++++++++++++++++++++++++---- + 3 files changed, 153 insertions(+), 41 deletions(-) + +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -907,7 +907,10 @@ static inline struct nft_userdata *nft_u + return (void *)&rule->data[rule->dlen]; + } + +-void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule); ++void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule); ++void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule, ++ enum nft_trans_phase phase); ++void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule); + + static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext, + struct nft_regs *regs, +@@ -966,6 +969,7 @@ struct nft_chain { + }; + + int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain); ++int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain); + + enum nft_chain_types { + NFT_CHAIN_T_DEFAULT = 0, +@@ -1002,11 +1006,17 @@ int nft_chain_validate_dependency(const + int nft_chain_validate_hooks(const struct nft_chain *chain, + unsigned int hook_flags); + ++static inline bool nft_chain_binding(const struct nft_chain *chain) ++{ ++ return chain->flags & NFT_CHAIN_BINDING; ++} ++ + static inline bool nft_chain_is_bound(struct nft_chain *chain) + { + return (chain->flags & NFT_CHAIN_BINDING) && chain->bound; + } + ++int nft_chain_add(struct nft_table *table, struct nft_chain *chain); + void nft_chain_del(struct nft_chain *chain); + void nf_tables_chain_destroy(struct nft_ctx *ctx); + +@@ -1431,6 +1441,7 @@ struct nft_trans_rule { + struct nft_rule *rule; + struct 
nft_flow_rule *flow; + u32 rule_id; ++ bool bound; + }; + + #define nft_trans_rule(trans) \ +@@ -1439,6 +1450,8 @@ struct nft_trans_rule { + (((struct nft_trans_rule *)trans->data)->flow) + #define nft_trans_rule_id(trans) \ + (((struct nft_trans_rule *)trans->data)->rule_id) ++#define nft_trans_rule_bound(trans) \ ++ (((struct nft_trans_rule *)trans->data)->bound) + + struct nft_trans_set { + struct nft_set *set; +@@ -1454,13 +1467,17 @@ struct nft_trans_set { + (((struct nft_trans_set *)trans->data)->bound) + + struct nft_trans_chain { ++ struct nft_chain *chain; + bool update; + char *name; + struct nft_stats __percpu *stats; + u8 policy; ++ bool bound; + u32 chain_id; + }; + ++#define nft_trans_chain(trans) \ ++ (((struct nft_trans_chain *)trans->data)->chain) + #define nft_trans_chain_update(trans) \ + (((struct nft_trans_chain *)trans->data)->update) + #define nft_trans_chain_name(trans) \ +@@ -1469,6 +1486,8 @@ struct nft_trans_chain { + (((struct nft_trans_chain *)trans->data)->stats) + #define nft_trans_chain_policy(trans) \ + (((struct nft_trans_chain *)trans->data)->policy) ++#define nft_trans_chain_bound(trans) \ ++ (((struct nft_trans_chain *)trans->data)->bound) + #define nft_trans_chain_id(trans) \ + (((struct nft_trans_chain *)trans->data)->chain_id) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -197,6 +197,48 @@ static void nft_set_trans_bind(const str + } + } + ++static void nft_chain_trans_bind(const struct nft_ctx *ctx, struct nft_chain *chain) ++{ ++ struct nftables_pernet *nft_net; ++ struct net *net = ctx->net; ++ struct nft_trans *trans; ++ ++ if (!nft_chain_binding(chain)) ++ return; ++ ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { ++ switch (trans->msg_type) { ++ case NFT_MSG_NEWCHAIN: ++ if (nft_trans_chain(trans) == chain) ++ nft_trans_chain_bound(trans) = true; ++ break; ++ case NFT_MSG_NEWRULE: ++ if (trans->ctx.chain == chain) ++ 
nft_trans_rule_bound(trans) = true; ++ break; ++ } ++ } ++} ++ ++int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) ++{ ++ if (!nft_chain_binding(chain)) ++ return 0; ++ ++ if (nft_chain_binding(ctx->chain)) ++ return -EOPNOTSUPP; ++ ++ if (chain->bound) ++ return -EBUSY; ++ ++ chain->bound = true; ++ chain->use++; ++ nft_chain_trans_bind(ctx, chain); ++ ++ return 0; ++} ++ + static int nft_netdev_register_hooks(struct net *net, + struct list_head *hook_list) + { +@@ -328,8 +370,9 @@ static struct nft_trans *nft_trans_chain + ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID])); + } + } +- ++ nft_trans_chain(trans) = ctx->chain; + nft_trans_commit_list_add_tail(ctx->net, trans); ++ + return trans; + } + +@@ -347,8 +390,7 @@ static int nft_delchain(struct nft_ctx * + return 0; + } + +-static void nft_rule_expr_activate(const struct nft_ctx *ctx, +- struct nft_rule *rule) ++void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule) + { + struct nft_expr *expr; + +@@ -361,9 +403,8 @@ static void nft_rule_expr_activate(const + } + } + +-static void nft_rule_expr_deactivate(const struct nft_ctx *ctx, +- struct nft_rule *rule, +- enum nft_trans_phase phase) ++void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule, ++ enum nft_trans_phase phase) + { + struct nft_expr *expr; + +@@ -2017,7 +2058,7 @@ static int nft_basechain_init(struct nft + return 0; + } + +-static int nft_chain_add(struct nft_table *table, struct nft_chain *chain) ++int nft_chain_add(struct nft_table *table, struct nft_chain *chain) + { + int err; + +@@ -3118,8 +3159,7 @@ err_fill_rule_info: + return err; + } + +-static void nf_tables_rule_destroy(const struct nft_ctx *ctx, +- struct nft_rule *rule) ++void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule) + { + struct nft_expr *expr, *next; + +@@ -3136,7 +3176,7 @@ static void nf_tables_rule_destroy(const + kfree(rule); + } + +-void nf_tables_rule_release(const struct 
nft_ctx *ctx, struct nft_rule *rule) ++static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) + { + nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); + nf_tables_rule_destroy(ctx, rule); +@@ -5547,7 +5587,6 @@ static int nf_tables_newsetelem(struct n + void nft_data_hold(const struct nft_data *data, enum nft_data_types type) + { + struct nft_chain *chain; +- struct nft_rule *rule; + + if (type == NFT_DATA_VERDICT) { + switch (data->verdict.code) { +@@ -5555,15 +5594,6 @@ void nft_data_hold(const struct nft_data + case NFT_GOTO: + chain = data->verdict.chain; + chain->use++; +- +- if (!nft_chain_is_bound(chain)) +- break; +- +- chain->table->use++; +- list_for_each_entry(rule, &chain->rules, list) +- chain->use++; +- +- nft_chain_add(chain->table, chain); + break; + } + } +@@ -8254,7 +8284,7 @@ static int __nf_tables_abort(struct net + kfree(nft_trans_chain_name(trans)); + nft_trans_destroy(trans); + } else { +- if (nft_chain_is_bound(trans->ctx.chain)) { ++ if (nft_trans_chain_bound(trans)) { + nft_trans_destroy(trans); + break; + } +@@ -8271,6 +8301,10 @@ static int __nf_tables_abort(struct net + nft_trans_destroy(trans); + break; + case NFT_MSG_NEWRULE: ++ if (nft_trans_rule_bound(trans)) { ++ nft_trans_destroy(trans); ++ break; ++ } + trans->ctx.chain->use--; + list_del_rcu(&nft_trans_rule(trans)->list); + nft_rule_expr_deactivate(&trans->ctx, +@@ -8796,22 +8830,12 @@ static int nft_verdict_init(const struct + static void nft_verdict_uninit(const struct nft_data *data) + { + struct nft_chain *chain; +- struct nft_rule *rule; + + switch (data->verdict.code) { + case NFT_JUMP: + case NFT_GOTO: + chain = data->verdict.chain; + chain->use--; +- +- if (!nft_chain_is_bound(chain)) +- break; +- +- chain->table->use--; +- list_for_each_entry(rule, &chain->rules, list) +- chain->use--; +- +- nft_chain_del(chain); + break; + } + } +--- a/net/netfilter/nft_immediate.c ++++ b/net/netfilter/nft_immediate.c +@@ -76,11 +76,9 @@ static int 
nft_immediate_init(const stru + switch (priv->data.verdict.code) { + case NFT_JUMP: + case NFT_GOTO: +- if (nft_chain_is_bound(chain)) { +- err = -EBUSY; +- goto err1; +- } +- chain->bound = true; ++ err = nf_tables_bind_chain(ctx, chain); ++ if (err < 0) ++ return err; + break; + default: + break; +@@ -98,6 +96,31 @@ static void nft_immediate_activate(const + const struct nft_expr *expr) + { + const struct nft_immediate_expr *priv = nft_expr_priv(expr); ++ const struct nft_data *data = &priv->data; ++ struct nft_ctx chain_ctx; ++ struct nft_chain *chain; ++ struct nft_rule *rule; ++ ++ if (priv->dreg == NFT_REG_VERDICT) { ++ switch (data->verdict.code) { ++ case NFT_JUMP: ++ case NFT_GOTO: ++ chain = data->verdict.chain; ++ if (!nft_chain_binding(chain)) ++ break; ++ ++ chain_ctx = *ctx; ++ chain_ctx.chain = chain; ++ ++ list_for_each_entry(rule, &chain->rules, list) ++ nft_rule_expr_activate(&chain_ctx, rule); ++ ++ nft_clear(ctx->net, chain); ++ break; ++ default: ++ break; ++ } ++ } + + return nft_data_hold(&priv->data, nft_dreg_to_type(priv->dreg)); + } +@@ -107,6 +130,40 @@ static void nft_immediate_deactivate(con + enum nft_trans_phase phase) + { + const struct nft_immediate_expr *priv = nft_expr_priv(expr); ++ const struct nft_data *data = &priv->data; ++ struct nft_ctx chain_ctx; ++ struct nft_chain *chain; ++ struct nft_rule *rule; ++ ++ if (priv->dreg == NFT_REG_VERDICT) { ++ switch (data->verdict.code) { ++ case NFT_JUMP: ++ case NFT_GOTO: ++ chain = data->verdict.chain; ++ if (!nft_chain_binding(chain)) ++ break; ++ ++ chain_ctx = *ctx; ++ chain_ctx.chain = chain; ++ ++ list_for_each_entry(rule, &chain->rules, list) ++ nft_rule_expr_deactivate(&chain_ctx, rule, phase); ++ ++ switch (phase) { ++ case NFT_TRANS_PREPARE: ++ nft_deactivate_next(ctx->net, chain); ++ break; ++ default: ++ nft_chain_del(chain); ++ chain->bound = false; ++ chain->table->use--; ++ break; ++ } ++ break; ++ default: ++ break; ++ } ++ } + + if (phase == NFT_TRANS_COMMIT) + return; 
+@@ -131,15 +188,27 @@ static void nft_immediate_destroy(const + case NFT_GOTO: + chain = data->verdict.chain; + +- if (!nft_chain_is_bound(chain)) ++ if (!nft_chain_binding(chain)) ++ break; ++ ++ /* Rule construction failed, but chain is already bound: ++ * let the transaction records release this chain and its rules. ++ */ ++ if (chain->bound) { ++ chain->use--; + break; ++ } + ++ /* Rule has been deleted, release chain and its rules. */ + chain_ctx = *ctx; + chain_ctx.chain = chain; + +- list_for_each_entry_safe(rule, n, &chain->rules, list) +- nf_tables_rule_release(&chain_ctx, rule); +- ++ chain->use--; ++ list_for_each_entry_safe(rule, n, &chain->rules, list) { ++ chain->use--; ++ list_del(&rule->list); ++ nf_tables_rule_destroy(&chain_ctx, rule); ++ } + nf_tables_chain_destroy(&chain_ctx); + break; + default: diff --git a/tmp-5.10/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch b/tmp-5.10/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch new file mode 100644 index 00000000000..8193a3c767e --- /dev/null +++ b/tmp-5.10/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch 
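Review bot: In nft_immediate_init() the failure branch after `nf_tables_bind_chain()` now does `return err;` where the replaced code did `goto err1;`, so a bind refused with -EBUSY or -EOPNOTSUPP skips whatever cleanup `err1` performs. The label is outside the hunk, but if it releases the verdict data set up earlier in the function, the use counter taken on the jump target is never dropped on this path and the refused chain keeps a stale reference. I would keep the original exit: `if (err < 0) goto err1;`. nft_immediate_init() starts and ends outside the hunk, so this needs checking against the full function.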
@@ -0,0 +1,39 @@
+From stable-owner@vger.kernel.org Thu Jul 13 10:49:58 2023
+From: Pablo Neira Ayuso
+Date: Thu, 13 Jul 2023 10:48:59 +0200
+Subject: netfilter: nf_tables: fix scheduling-while-atomic splat
+To: netfilter-devel@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, stable@vger.kernel.org, sashal@kernel.org
+Message-ID: <20230713084859.71541-12-pablo@netfilter.org>
+
+From: Florian Westphal
+
+[ Upstream commit 2024439bd5ceb145eeeb428b2a59e9b905153ac3 ]
+
+nf_tables_check_loops() can be called from rhashtable list
+walk so cond_resched() cannot be used here.
+
+Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8684,13 +8684,9 @@ static int nf_tables_check_loops(const s
+ break;
+ }
+ }
+-
+- cond_resched();
+ }
+
+ list_for_each_entry(set, &ctx->table->sets, list) {
+- cond_resched();
+-
+ if (!nft_is_active_next(ctx->net, set))
+ continue;
+ if (!(set->flags & NFT_SET_MAP) ||
diff --git a/tmp-5.10/netfilter-nf_tables-fix-spurious-set-element-inserti.patch b/tmp-5.10/netfilter-nf_tables-fix-spurious-set-element-inserti.patch
new file mode 100644
index 00000000000..5b3ef16ddab
--- /dev/null
+++ b/tmp-5.10/netfilter-nf_tables-fix-spurious-set-element-inserti.patch
@@ -0,0 +1,49 @@
+From 949a1f70d02ec54cf43534a8d2eff243dcb11238 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jul 2023 00:29:58 +0200
+Subject: netfilter: nf_tables: fix spurious set element insertion failure
+
+From: Florian Westphal
+
+[ Upstream commit ddbd8be68941985f166f5107109a90ce13147c44 ]
+
+On some platforms there is a padding hole in the nft_verdict
+structure, between the verdict code and the chain pointer.
+
+On element insertion, if the new element clashes with an existing one and
+NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as
+the data associated with duplicated element is the same as the existing
+one. The data equality check uses memcmp.
+
+For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT
+padding area leads to spurious failure even if the verdict data is the
+same.
+
+This then makes the insertion fail with 'already exists' error, even
+though the new "key : data" matches an existing entry and userspace
+told the kernel that it doesn't want to receive an error indication.
+
+Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion")
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index d56f5d7fa5455..9c3a9e3f1ede9 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8914,6 +8914,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+
+ if (!tb[NFTA_VERDICT_CODE])
+ return -EINVAL;
++
++ /* zero padding hole for memcmp */
++ memset(data, 0, sizeof(*data));
+ data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
+
+ switch (data->verdict.code) {
+--
+2.39.2
+
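Review bot: The added comment `/* zero padding hole for memcmp */` does not say which comparison depends on it, and the `memset()` clears the whole `struct nft_data`, not only the hole. Per the commit message the consumer is the duplicate-element check on set insertion, so I would spell that out: `/* clear all of *data, padding included: duplicate elements are detected by memcmp() on the verdict data */`. The comment should also say that the call has to stay ahead of every store into `data->verdict`, because moving it below the `code` assignment would wipe the verdict. nft_verdict_init() continues beyond the hunk.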
diff --git a/tmp-5.10/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch b/tmp-5.10/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch
new file mode 100644
index 00000000000..17c6b4af69d
--- /dev/null
+++ b/tmp-5.10/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch
@@ -0,0 +1,73 @@ +From stable-owner@vger.kernel.org Thu Jul 13 10:49:52 2023 +From: Pablo Neira Ayuso +Date: Thu, 13 Jul 2023 10:48:51 +0200 +Subject: netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE +To: netfilter-devel@vger.kernel.org +Cc: gregkh@linuxfoundation.org, stable@vger.kernel.org, sashal@kernel.org +Message-ID: <20230713084859.71541-4-pablo@netfilter.org> + +From: Pablo Neira Ayuso + +[ Upstream commit 1240eb93f0616b21c675416516ff3d74798fdc97 ] + +In case of error when adding a new rule that refers to an anonymous set, +deactivate expressions via NFT_TRANS_PREPARE state, not NFT_TRANS_RELEASE. +Thus, the lookup expression marks anonymous sets as inactive in the next +generation to ensure it is not reachable in this transaction anymore and +decrement the set refcount as introduced by c1592a89942e ("netfilter: +nf_tables: deactivate anonymous set from preparation phase"). The abort +step takes care of undoing the anonymous set. + +This is also consistent with rule deletion, where NFT_TRANS_PREPARE is +used. Note that this error path is exercised in the preparation step of +the commit protocol. This patch replaces nf_tables_rule_release() by the +deactivate and destroy calls, this time with NFT_TRANS_PREPARE. + +Due to this incorrect error handling, it is possible to access a +dangling pointer to the anonymous set that remains in the transaction +list. + +[1009.379054] BUG: KASAN: use-after-free in nft_set_lookup_global+0x147/0x1a0 [nf_tables] +[1009.379106] Read of size 8 at addr ffff88816c4c8020 by task nft-rule-add/137110 +[1009.379116] CPU: 7 PID: 137110 Comm: nft-rule-add Not tainted 6.4.0-rc4+ #256 +[1009.379128] Call Trace: +[1009.379132] +[1009.379135] dump_stack_lvl+0x33/0x50 +[1009.379146] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables] +[1009.379191] print_address_description.constprop.0+0x27/0x300 +[1009.379201] kasan_report+0x107/0x120 +[1009.379210] ? 
nft_set_lookup_global+0x147/0x1a0 [nf_tables] +[1009.379255] nft_set_lookup_global+0x147/0x1a0 [nf_tables] +[1009.379302] nft_lookup_init+0xa5/0x270 [nf_tables] +[1009.379350] nf_tables_newrule+0x698/0xe50 [nf_tables] +[1009.379397] ? nf_tables_rule_release+0xe0/0xe0 [nf_tables] +[1009.379441] ? kasan_unpoison+0x23/0x50 +[1009.379450] nfnetlink_rcv_batch+0x97c/0xd90 [nfnetlink] +[1009.379470] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink] +[1009.379485] ? __alloc_skb+0xb8/0x1e0 +[1009.379493] ? __alloc_skb+0xb8/0x1e0 +[1009.379502] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 +[1009.379509] ? unwind_get_return_address+0x2a/0x40 +[1009.379517] ? write_profile+0xc0/0xc0 +[1009.379524] ? avc_lookup+0x8f/0xc0 +[1009.379532] ? __rcu_read_unlock+0x43/0x60 + +Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3409,7 +3409,8 @@ static int nf_tables_newrule(struct net + + return 0; + err2: +- nf_tables_rule_release(&ctx, rule); ++ nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE); ++ nf_tables_rule_destroy(&ctx, rule); + err1: + for (i = 0; i < n; i++) { + if (info[i].ops) { diff --git a/tmp-5.10/netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch b/tmp-5.10/netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch new file mode 100644 index 00000000000..4651546ad4a --- /dev/null +++ b/tmp-5.10/netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch 
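Review bot: The two calls added under `err2:` look like an open-coded nf_tables_rule_release() and carry no comment, so a later cleanup could fold them back into the helper and reintroduce the dangling anonymous-set pointer the commit message describes. The phase argument is the whole fix and should be explained in place, e.g. `/* preparation-phase error: deactivate with NFT_TRANS_PREPARE so anonymous sets go inactive and the abort path undoes them */`. nf_tables_newrule() begins outside the hunk, so whether every path reaching `err2` has fully initialised expressions cannot be confirmed from here.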
@@ -0,0 +1,211 @@
+From caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo
+Date: Wed, 5 Jul 2023 18:05:35 -0300
+Subject: netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
+
+From: Thadeu Lima de Souza Cascardo
+
+commit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd upstream.
+
+When evaluating byteorder expressions with size 2, a union with 32-bit and
+16-bit members is used. Since the 16-bit members are aligned to 32-bit,
+the array accesses will be out-of-bounds.
+
+It may lead to a stack-out-of-bounds access like the one below:
+
+[ 23.095215] ==================================================================
+[ 23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320
+[ 23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115
+[ 23.096358]
+[ 23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413
+[ 23.096770] Call Trace:
+[ 23.096910]
+[ 23.097030] dump_stack_lvl+0x60/0xc0
+[ 23.097218] print_report+0xcf/0x630
+[ 23.097388] ? nft_byteorder_eval+0x13c/0x320
+[ 23.097577] ? kasan_addr_to_slab+0xd/0xc0
+[ 23.097760] ? nft_byteorder_eval+0x13c/0x320
+[ 23.097949] kasan_report+0xc9/0x110
+[ 23.098106] ? nft_byteorder_eval+0x13c/0x320
+[ 23.098298] __asan_load2+0x83/0xd0
+[ 23.098453] nft_byteorder_eval+0x13c/0x320
+[ 23.098659] nft_do_chain+0x1c8/0xc50
+[ 23.098852] ? __pfx_nft_do_chain+0x10/0x10
+[ 23.099078] ? __kasan_check_read+0x11/0x20
+[ 23.099295] ? __pfx___lock_acquire+0x10/0x10
+[ 23.099535] ? __pfx___lock_acquire+0x10/0x10
+[ 23.099745] ? __kasan_check_read+0x11/0x20
+[ 23.099929] nft_do_chain_ipv4+0xfe/0x140
+[ 23.100105] ? __pfx_nft_do_chain_ipv4+0x10/0x10
+[ 23.100327] ? lock_release+0x204/0x400
+[ 23.100515] ? nf_hook.constprop.0+0x340/0x550
+[ 23.100779] nf_hook_slow+0x6c/0x100
+[ 23.100977] ? __pfx_nft_do_chain_ipv4+0x10/0x10
+[ 23.101223] nf_hook.constprop.0+0x334/0x550
+[ 23.101443] ? __pfx_ip_local_deliver_finish+0x10/0x10
+[ 23.101677] ? __pfx_nf_hook.constprop.0+0x10/0x10
+[ 23.101882] ? __pfx_ip_rcv_finish+0x10/0x10
+[ 23.102071] ? __pfx_ip_local_deliver_finish+0x10/0x10
+[ 23.102291] ? rcu_read_lock_held+0x4b/0x70
+[ 23.102481] ip_local_deliver+0xbb/0x110
+[ 23.102665] ? __pfx_ip_rcv+0x10/0x10
+[ 23.102839] ip_rcv+0x199/0x2a0
+[ 23.102980] ? __pfx_ip_rcv+0x10/0x10
+[ 23.103140] __netif_receive_skb_one_core+0x13e/0x150
+[ 23.103362] ? __pfx___netif_receive_skb_one_core+0x10/0x10
+[ 23.103647] ? mark_held_locks+0x48/0xa0
+[ 23.103819] ? process_backlog+0x36c/0x380
+[ 23.103999] __netif_receive_skb+0x23/0xc0
+[ 23.104179] process_backlog+0x91/0x380
+[ 23.104350] __napi_poll.constprop.0+0x66/0x360
+[ 23.104589] ? net_rx_action+0x1cb/0x610
+[ 23.104811] net_rx_action+0x33e/0x610
+[ 23.105024] ? _raw_spin_unlock+0x23/0x50
+[ 23.105257] ? __pfx_net_rx_action+0x10/0x10
+[ 23.105485] ? mark_held_locks+0x48/0xa0
+[ 23.105741] __do_softirq+0xfa/0x5ab
+[ 23.105956] ? __dev_queue_xmit+0x765/0x1c00
+[ 23.106193] do_softirq.part.0+0x49/0xc0
+[ 23.106423]
+[ 23.106547]
+[ 23.106670] __local_bh_enable_ip+0xf5/0x120
+[ 23.106903] __dev_queue_xmit+0x789/0x1c00
+[ 23.107131] ? __pfx___dev_queue_xmit+0x10/0x10
+[ 23.107381] ? find_held_lock+0x8e/0xb0
+[ 23.107585] ? lock_release+0x204/0x400
+[ 23.107798] ? neigh_resolve_output+0x185/0x350
+[ 23.108049] ? mark_held_locks+0x48/0xa0
+[ 23.108265] ? neigh_resolve_output+0x185/0x350
+[ 23.108514] neigh_resolve_output+0x246/0x350
+[ 23.108753] ? neigh_resolve_output+0x246/0x350
+[ 23.109003] ip_finish_output2+0x3c3/0x10b0
+[ 23.109250] ? __pfx_ip_finish_output2+0x10/0x10
+[ 23.109510] ? __pfx_nf_hook+0x10/0x10
+[ 23.109732] __ip_finish_output+0x217/0x390
+[ 23.109978] ip_finish_output+0x2f/0x130
+[ 23.110207] ip_output+0xc9/0x170
+[ 23.110404] ip_push_pending_frames+0x1a0/0x240
+[ 23.110652] raw_sendmsg+0x102e/0x19e0
+[ 23.110871] ? __pfx_raw_sendmsg+0x10/0x10
+[ 23.111093] ? lock_release+0x204/0x400
+[ 23.111304] ? __mod_lruvec_page_state+0x148/0x330
+[ 23.111567] ? find_held_lock+0x8e/0xb0
+[ 23.111777] ? find_held_lock+0x8e/0xb0
+[ 23.111993] ? __rcu_read_unlock+0x7c/0x2f0
+[ 23.112225] ? aa_sk_perm+0x18a/0x550
+[ 23.112431] ? filemap_map_pages+0x4f1/0x900
+[ 23.112665] ? __pfx_aa_sk_perm+0x10/0x10
+[ 23.112880] ? find_held_lock+0x8e/0xb0
+[ 23.113098] inet_sendmsg+0xa0/0xb0
+[ 23.113297] ? inet_sendmsg+0xa0/0xb0
+[ 23.113500] ? __pfx_inet_sendmsg+0x10/0x10
+[ 23.113727] sock_sendmsg+0xf4/0x100
+[ 23.113924] ? move_addr_to_kernel.part.0+0x4f/0xa0
+[ 23.114190] __sys_sendto+0x1d4/0x290
+[ 23.114391] ? __pfx___sys_sendto+0x10/0x10
+[ 23.114621] ? __pfx_mark_lock.part.0+0x10/0x10
+[ 23.114869] ? lock_release+0x204/0x400
+[ 23.115076] ? find_held_lock+0x8e/0xb0
+[ 23.115287] ? rcu_is_watching+0x23/0x60
+[ 23.115503] ? __rseq_handle_notify_resume+0x6e2/0x860
+[ 23.115778] ? __kasan_check_write+0x14/0x30
+[ 23.116008] ? blkcg_maybe_throttle_current+0x8d/0x770
+[ 23.116285] ? mark_held_locks+0x28/0xa0
+[ 23.116503] ? do_syscall_64+0x37/0x90
+[ 23.116713] __x64_sys_sendto+0x7f/0xb0
+[ 23.116924] do_syscall_64+0x59/0x90
+[ 23.117123] ? irqentry_exit_to_user_mode+0x25/0x30
+[ 23.117387] ? irqentry_exit+0x77/0xb0
+[ 23.117593] ? exc_page_fault+0x92/0x140
+[ 23.117806] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ 23.118081] RIP: 0033:0x7f744aee2bba
+[ 23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
+[ 23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+[ 23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba
+[ 23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003
+[ 23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010
+[ 23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
+[ 23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0
+[ 23.121617]
+[ 23.121749]
+[ 23.121845] The buggy address belongs to the virtual mapping at
+[ 23.121845] [ffffc90000000000, ffffc90000009000) created by:
+[ 23.121845] irq_init_percpu_irqstack+0x1cf/0x270
+[ 23.122707]
+[ 23.122803] The buggy address belongs to the physical page:
+[ 23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09
+[ 23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff)
+[ 23.123998] page_type: 0xffffffff()
+[ 23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000
+[ 23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
+[ 23.125023] page dumped because: kasan: bad access detected
+[ 23.125326]
+[ 23.125421] Memory state around the buggy address:
+[ 23.125682] ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 23.126072] ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00
+[ 23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00
+[ 23.126840] ^
+[ 23.127138] ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3
+[ 23.127522] ffffc90000007a00: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
+[ 23.127906] ==================================================================
+[ 23.128324] Disabling lock debugging due to kernel taint
+
+Using simple s16 pointers for the 16-bit accesses fixes the problem. For
+the 32-bit accesses, src and dst can be used directly.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Cc: stable@vger.kernel.org
+Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI
+Signed-off-by: Thadeu Lima de Souza Cascardo
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_byteorder.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/netfilter/nft_byteorder.c
++++ b/net/netfilter/nft_byteorder.c
+@@ -30,11 +30,11 @@ void nft_byteorder_eval(const struct nft
+ const struct nft_byteorder *priv = nft_expr_priv(expr);
+ u32 *src = ®s->data[priv->sreg];
+ u32 *dst = ®s->data[priv->dreg];
+- union { u32 u32; u16 u16; } *s, *d;
++ u16 *s16, *d16;
+ unsigned int i;
+
+- s = (void *)src;
+- d = (void *)dst;
++ s16 = (void *)src;
++ d16 = (void *)dst;
+
+ switch (priv->size) {
+ case 8: {
+@@ -61,11 +61,11 @@ void nft_byteorder_eval(const struct nft
+ switch (priv->op) {
+ case NFT_BYTEORDER_NTOH:
+ for (i = 0; i < priv->len / 4; i++)
+- d[i].u32 = ntohl((__force __be32)s[i].u32);
++ dst[i] = ntohl((__force __be32)src[i]);
+ break;
+ case NFT_BYTEORDER_HTON:
+ for (i = 0; i < priv->len / 4; i++)
+- d[i].u32 = (__force __u32)htonl(s[i].u32);
++ dst[i] = (__force __u32)htonl(src[i]);
+ break;
+ }
+ break;
+@@ -73,11 +73,11 @@ void nft_byteorder_eval(const struct nft
+ switch (priv->op) {
+ case NFT_BYTEORDER_NTOH:
+ for (i = 0; i < priv->len / 2; i++)
+- d[i].u16 = ntohs((__force __be16)s[i].u16);
++ d16[i] = ntohs((__force __be16)s16[i]);
+ break;
+ case NFT_BYTEORDER_HTON:
+ for (i = 0; i < priv->len / 2; i++)
+- d[i].u16 = (__force __u16)htons(s[i].u16);
++ d16[i] = (__force __u16)htons(s16[i]);
+ break;
+ }
+ break;
diff --git a/tmp-5.10/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch b/tmp-5.10/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch
new file mode 100644
index 00000000000..08a0f52413e
--- /dev/null
+++ b/tmp-5.10/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch
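Review bot: The 16-bit loops in nft_byteorder_eval() (`d16[i] = ntohs(...)` and `d16[i] = ... htons(...)`) now walk the register data as a packed u16 array, but nothing in the code records that this stride is the whole point of the fix. A one-line comment before `s16 = (void *)src;`, for example `/* 16-bit values are packed in the register data: index as u16, never one u16 per 32-bit register */`, would keep the stack out-of-bounds read from being reintroduced by a later refactor. The loop bound `priv->len / 2` is trusted here; the validation of `priv->len`, `sreg` and `dreg` presumably sits in the expression's init path, which is outside this hunk and worth re-checking against the new stride. The `case 8:` branch is cut by the hunk and is not touched by this change.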
@@ -0,0 +1,139 @@
+From stable-owner@vger.kernel.org Thu Jul 13 10:49:53 2023
+From: Pablo Neira Ayuso
+Date: Thu, 13 Jul 2023 10:48:54 +0200
+Subject: netfilter: nf_tables: reject unbound anonymous set before commit phase
+To: netfilter-devel@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, stable@vger.kernel.org, sashal@kernel.org
+Message-ID: <20230713084859.71541-7-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 938154b93be8cd611ddfd7bafc1849f3c4355201 ]
+
+Add a new list to track set transaction and to check for unbound
+anonymous sets before entering the commit phase.
+
+Bail out at the end of the transaction handling if an anonymous set
+remains unbound.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/netfilter/nf_tables.h | 3 +++
+ net/netfilter/nf_tables_api.c | 34 +++++++++++++++++++++++++++++++---
+ 2 files changed, 34 insertions(+), 3 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -1426,6 +1426,7 @@ static inline void nft_set_elem_clear_bu
+ * struct nft_trans - nf_tables object update in transaction
+ *
+ * @list: used internally
++ * @binding_list: list of objects with possible bindings
+ * @msg_type: message type
+ * @put_net: ctx->net needs to be put
+ * @ctx: transaction context
+@@ -1433,6 +1434,7 @@ static inline void nft_set_elem_clear_bu
+ */
+ struct nft_trans {
+ struct list_head list;
++ struct list_head binding_list;
+ int msg_type;
+ bool put_net;
+ struct nft_ctx ctx;
+@@ -1559,6 +1561,7 @@ __be64 nf_jiffies64_to_msecs(u64 input);
+ struct nftables_pernet {
+ struct list_head tables;
+ struct list_head commit_list;
++ struct list_head binding_list;
+ struct list_head module_list;
+ struct list_head notify_list;
+ struct mutex commit_mutex;
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -155,6 +155,7 @@ static struct nft_trans *nft_trans_alloc
+ return NULL;
+
+ INIT_LIST_HEAD(&trans->list);
++ INIT_LIST_HEAD(&trans->binding_list);
+ trans->msg_type = msg_type;
+ trans->ctx = *ctx;
+
+@@ -167,9 +168,15 @@ static struct nft_trans *nft_trans_alloc
+ return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
+ }
+
+-static void nft_trans_destroy(struct nft_trans *trans)
++static void nft_trans_list_del(struct nft_trans *trans)
+ {
+ list_del(&trans->list);
++ list_del(&trans->binding_list);
++}
++
++static void nft_trans_destroy(struct nft_trans *trans)
++{
++ nft_trans_list_del(trans);
+ kfree(trans);
+ }
+
+@@ -347,6 +354,14 @@ static void nft_trans_commit_list_add_ta
+ struct nftables_pernet *nft_net;
+
+ nft_net = net_generic(net, nf_tables_net_id);
++
++ switch (trans->msg_type) {
++ case NFT_MSG_NEWSET:
++ if (nft_set_is_anonymous(nft_trans_set(trans)))
++ list_add_tail(&trans->binding_list, &nft_net->binding_list);
++ break;
++ }
++
+ list_add_tail(&trans->list, &nft_net->commit_list);
+ }
+
+@@ -7717,7 +7732,7 @@ static void nf_tables_trans_destroy_work
+ synchronize_rcu();
+
+ list_for_each_entry_safe(trans, next, &head, list) {
+- list_del(&trans->list);
++ nft_trans_list_del(trans);
+ nft_commit_release(trans);
+ }
+ }
+@@ -8019,6 +8034,18 @@ static int nf_tables_commit(struct net *
+ return 0;
+ }
+
++ list_for_each_entry(trans, &nft_net->binding_list, binding_list) {
++ switch (trans->msg_type) {
++ case NFT_MSG_NEWSET:
++ if (nft_set_is_anonymous(nft_trans_set(trans)) &&
++ !nft_trans_set_bound(trans)) {
++ pr_warn_once("nftables ruleset with unbound set\n");
++ return -EINVAL;
++ }
++ break;
++ }
++ }
++
+ /* 0. Validate ruleset, otherwise roll back for error reporting. */
+ if (nf_tables_validate(net) < 0)
+ return -EAGAIN;
+@@ -8421,7 +8448,7 @@ static int __nf_tables_abort(struct net
+
+ list_for_each_entry_safe_reverse(trans, next,
+ &nft_net->commit_list, list) {
+- list_del(&trans->list);
++ nft_trans_list_del(trans);
+ nf_tables_abort_release(trans);
+ }
+
+@@ -9120,6 +9147,7 @@ static int __net_init nf_tables_init_net
+
+ INIT_LIST_HEAD(&nft_net->tables);
+ INIT_LIST_HEAD(&nft_net->commit_list);
++ INIT_LIST_HEAD(&nft_net->binding_list);
+ INIT_LIST_HEAD(&nft_net->module_list);
+ INIT_LIST_HEAD(&nft_net->notify_list);
+ mutex_init(&nft_net->commit_mutex);
diff --git a/tmp-5.10/netfilter-nf_tables-reject-unbound-chain-set-before-commit-phase.patch b/tmp-5.10/netfilter-nf_tables-reject-unbound-chain-set-before-commit-phase.patch
new file mode 100644
index 00000000000..22f706a8bcc
--- /dev/null
+++ b/tmp-5.10/netfilter-nf_tables-reject-unbound-chain-set-before-commit-phase.patch
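Review bot: nft_trans_list_del() calls `list_del(&trans->binding_list)` unconditionally, which is only safe because nft_trans_alloc_gfp() runs `INIT_LIST_HEAD(&trans->binding_list)` on every transaction, including the ones never queued on `nft_net->binding_list`. That invariant is not written down anywhere in the new code; I would add `/* binding_list is always initialised, so list_del() is safe even if the transaction was never added to nft_net->binding_list */` above the call. In the nf_tables_commit() hunk the new `return -EINVAL` leaves the loop without touching either transaction list, so it relies on the caller running the abort path on error; that caller is outside the hunk and should be confirmed for this backport.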
@@ -0,0 +1,54 @@
+From stable-owner@vger.kernel.org Thu Jul 13 10:49:52 2023
+From: Pablo Neira Ayuso
+Date: Thu, 13 Jul 2023 10:48:55 +0200
+Subject: netfilter: nf_tables: reject unbound chain set before commit phase
+To: netfilter-devel@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, stable@vger.kernel.org, sashal@kernel.org
+Message-ID: <20230713084859.71541-8-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 62e1e94b246e685d89c3163aaef4b160e42ceb02 ]
+
+Use binding list to track set transaction and to check for unbound
+chains before entering the commit phase.
+
+Bail out if chain binding remain unused before entering the commit
+step.
+
+Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -360,6 +360,11 @@ static void nft_trans_commit_list_add_ta
+ if (nft_set_is_anonymous(nft_trans_set(trans)))
+ list_add_tail(&trans->binding_list, &nft_net->binding_list);
+ break;
++ case NFT_MSG_NEWCHAIN:
++ if (!nft_trans_chain_update(trans) &&
++ nft_chain_binding(nft_trans_chain(trans)))
++ list_add_tail(&trans->binding_list, &nft_net->binding_list);
++ break;
+ }
+
+ list_add_tail(&trans->list, &nft_net->commit_list);
+@@ -8043,6 +8048,14 @@ static int nf_tables_commit(struct net *
+ return -EINVAL;
+ }
+ break;
++ case NFT_MSG_NEWCHAIN:
++ if (!nft_trans_chain_update(trans) &&
++ nft_chain_binding(nft_trans_chain(trans)) &&
++ !nft_trans_chain_bound(trans)) {
++ pr_warn_once("nftables ruleset with unbound chain\n");
++ return -EINVAL;
++ }
++ break;
+ }
+ }
+
diff --git a/tmp-5.10/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch b/tmp-5.10/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch
new file mode 100644
index 00000000000..669a2fd20a6
--- /dev/null
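Review bot: The predicate `!nft_trans_chain_update(trans) && nft_chain_binding(nft_trans_chain(trans))` is now spelled out twice, once in nft_trans_commit_list_add_tail() where the transaction is queued and once in the nf_tables_commit() check, and the two copies have to stay in step for the unbound-chain rejection to cover everything that was queued. A small static helper used at both sites would remove that risk, e.g. `static bool nft_trans_is_chain_binding(struct nft_trans *trans)` returning that expression, with the commit check becoming `if (nft_trans_is_chain_binding(trans) && !nft_trans_chain_bound(trans))`. Both functions start and end outside the hunks shown.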
+++ b/tmp-5.10/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch
@@ -0,0 +1,37 @@
+From 87d298c12c1adcafaf724fd215f7c32d83d761ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 20:19:43 +0200
+Subject: netfilter: nf_tables: skip bound chain in netns release path
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 751d460ccff3137212f47d876221534bf0490996 ]
+
+Skip bound chain from netns release path, the rule that owns this chain
+releases these objects.
+
+Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index a8d316a58e44c..40ed4dd530c5a 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -9185,6 +9185,9 @@ static void __nft_release_table(struct net *net, struct nft_table *table)
+ ctx.family = table->family;
+ ctx.table = table;
+ list_for_each_entry(chain, &table->chains, list) {
++ if (nft_chain_is_bound(chain))
++ continue;
++
+ ctx.chain = chain;
+ list_for_each_entry_safe(rule, nr, &chain->rules, list) {
+ list_del(&rule->list);
+--
+2.39.2
+
diff --git a/tmp-5.10/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch b/tmp-5.10/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch
new file mode 100644
index 00000000000..9d874a6ce1f
--- /dev/null
+++ b/tmp-5.10/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch
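Review bot: The new `if (nft_chain_is_bound(chain)) continue;` in __nft_release_table() carries no comment, and the reason for it (the rule that owns a bound chain releases its objects) is recorded only in the commit message; the same bare check is added to nf_tables_delrule() by the rule-flush patch that follows. I would put `/* bound chains are released by the rule that owns them */` above both checks so the skip is not mistaken for a leak and removed. Only the first loop over `table->chains` is visible here, so whether later loops in __nft_release_table() need the same skip cannot be told from this hunk.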
@@ -0,0 +1,43 @@
+From 0e16d022fdda3fa766dc1f96580784be0ef3726f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jul 2023 09:17:21 +0200
+Subject: netfilter: nf_tables: skip bound chain on rule flush
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8 ]
+
+Skip bound chain when flushing table rules, the rule that owns this
+chain releases these objects.
+
+Otherwise, the following warning is triggered:
+
+ WARNING: CPU: 2 PID: 1217 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
+ CPU: 2 PID: 1217 Comm: chain-flush Not tainted 6.1.39 #1
+ RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
+
+Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+Reported-by: Kevin Rich
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 40ed4dd530c5a..356416564d9f4 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3611,6 +3611,8 @@ static int nf_tables_delrule(struct net *net, struct sock *nlsk,
+ list_for_each_entry(chain, &table->chains, list) {
+ if (!nft_is_active_next(net, chain))
+ continue;
++ if (nft_chain_is_bound(chain))
++ continue;
+
+ ctx.chain = chain;
+ err = nft_delrule_by_chain(&ctx);
+--
+2.39.2
+
diff --git a/tmp-5.10/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch b/tmp-5.10/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
new file mode 100644
index 00000000000..aee6afbe4d8
--- /dev/null
+++ b/tmp-5.10/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
@@ -0,0 +1,33 @@
+From stable-owner@vger.kernel.org Thu Jul 13 10:49:58 2023
+From: Pablo Neira Ayuso
+Date: Thu, 13 Jul 2023 10:48:58 +0200
+Subject: netfilter: nf_tables: unbind non-anonymous set if rule construction fails
+To: netfilter-devel@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, stable@vger.kernel.org, sashal@kernel.org
+Message-ID: <20230713084859.71541-11-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 3e70489721b6c870252c9082c496703677240f53 ]
+
+Otherwise a dangling reference to a rule object that is gone remains
+in the set binding list.
+
+Fixes: 26b5a5712eb8 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4689,6 +4689,8 @@ void nf_tables_deactivate_set(const stru
+ nft_set_trans_unbind(ctx, set);
+ if (nft_set_is_anonymous(set))
+ nft_deactivate_next(ctx->net, set);
++ else
++ list_del_rcu(&binding->list);
+
+ set->use--;
+ break;
diff --git a/tmp-5.10/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch b/tmp-5.10/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch
new file mode 100644
index 00000000000..769fada9476
--- /dev/null
+++ b/tmp-5.10/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch
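Review bot: The added `else list_del_rcu(&binding->list);` in nf_tables_deactivate_set() drops the binding only for named sets, while the anonymous branch just above it leaves the binding in place, and the code does not say why the two differ. A short comment on the else branch, such as `/* named set: unlink the binding now, the rule that owns it is about to be freed */`, would document the dangling-reference case the commit message describes. The case label and the remaining phases of the switch are outside the hunk, so it should be confirmed that no path reached after this one unlinks the same `binding->list` entry a second time.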
@@ -0,0 +1,1443 @@ +From stable-owner@vger.kernel.org Thu Jul 13 10:49:52 2023 +From: Pablo Neira Ayuso +Date: Thu, 13 Jul 2023 10:48:49 +0200 +Subject: netfilter: nf_tables: use net_generic infra for transaction data +To: netfilter-devel@vger.kernel.org +Cc: gregkh@linuxfoundation.org, stable@vger.kernel.org, sashal@kernel.org +Message-ID: <20230713084859.71541-2-pablo@netfilter.org> + +From: Florian Westphal + +[ Upstream commit 0854db2aaef3fcdd3498a9d299c60adea2aa3dc6 ] + +This moves all nf_tables pernet data from struct net to a net_generic +extension, with the exception of the gencursor. + +The latter is used in the data path and also outside of the nf_tables +core. All others are only used from the configuration plane. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + include/net/netfilter/nf_tables.h | 10 + include/net/netns/nftables.h | 7 + net/netfilter/nf_tables_api.c | 382 +++++++++++++++++++++++--------------- + net/netfilter/nf_tables_offload.c | 30 +- + net/netfilter/nft_chain_filter.c | 11 - + net/netfilter/nft_dynset.c | 6 + 6 files changed, 279 insertions(+), 167 deletions(-) + +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -1535,4 +1535,14 @@ void nf_tables_trans_destroy_flush_work( + int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result); + __be64 nf_jiffies64_to_msecs(u64 input); + ++struct nftables_pernet { ++ struct list_head tables; ++ struct list_head commit_list; ++ struct list_head module_list; ++ struct list_head notify_list; ++ struct mutex commit_mutex; ++ unsigned int base_seq; ++ u8 validate_state; ++}; ++ + #endif /* _NET_NF_TABLES_H */ +--- a/include/net/netns/nftables.h ++++ b/include/net/netns/nftables.h +@@ -5,14 +5,7 @@ + #include + + struct netns_nftables { +- struct list_head tables; +- struct list_head commit_list; +- struct list_head module_list; +- struct list_head notify_list; +- struct mutex commit_mutex; +- 
unsigned int base_seq; + u8 gencursor; +- u8 validate_state; + }; + + #endif +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -21,10 +21,13 @@ + #include + #include + #include ++#include + #include + + #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) + ++unsigned int nf_tables_net_id __read_mostly; ++ + static LIST_HEAD(nf_tables_expressions); + static LIST_HEAD(nf_tables_objects); + static LIST_HEAD(nf_tables_flowtables); +@@ -103,7 +106,9 @@ static const u8 nft2audit_op[NFT_MSG_MAX + + static void nft_validate_state_update(struct net *net, u8 new_validate_state) + { +- switch (net->nft.validate_state) { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ ++ switch (nft_net->validate_state) { + case NFT_VALIDATE_SKIP: + WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); + break; +@@ -114,7 +119,7 @@ static void nft_validate_state_update(st + return; + } + +- net->nft.validate_state = new_validate_state; ++ nft_net->validate_state = new_validate_state; + } + static void nf_tables_trans_destroy_work(struct work_struct *w); + static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work); +@@ -170,13 +175,15 @@ static void nft_trans_destroy(struct nft + + static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) + { ++ struct nftables_pernet *nft_net; + struct net *net = ctx->net; + struct nft_trans *trans; + + if (!nft_set_is_anonymous(set)) + return; + +- list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { + switch (trans->msg_type) { + case NFT_MSG_NEWSET: + if (nft_trans_set(trans) == set) +@@ -270,6 +277,14 @@ static void nf_tables_unregister_hook(st + nf_unregister_net_hook(net, &basechain->ops); + } + ++static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) ++{ ++ struct nftables_pernet 
*nft_net; ++ ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_add_tail(&trans->list, &nft_net->commit_list); ++} ++ + static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type) + { + struct nft_trans *trans; +@@ -281,7 +296,7 @@ static int nft_trans_table_add(struct nf + if (msg_type == NFT_MSG_NEWTABLE) + nft_activate_next(ctx->net, ctx->table); + +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + return 0; + } + +@@ -314,7 +329,7 @@ static struct nft_trans *nft_trans_chain + } + } + +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + return trans; + } + +@@ -387,7 +402,7 @@ static struct nft_trans *nft_trans_rule_ + ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); + } + nft_trans_rule(trans) = rule; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return trans; + } +@@ -453,7 +468,7 @@ static int nft_trans_set_add(const struc + nft_activate_next(ctx->net, set); + } + nft_trans_set(trans) = set; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + } +@@ -485,7 +500,7 @@ static int nft_trans_obj_add(struct nft_ + nft_activate_next(ctx->net, obj); + + nft_trans_obj(trans) = obj; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + } +@@ -519,7 +534,7 @@ static int nft_trans_flowtable_add(struc + + INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); + nft_trans_flowtable(trans) = flowtable; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + } +@@ -547,13 +562,15 @@ static struct nft_table *nft_table_looku + const struct nlattr *nla, + u8 family, u8 genmask) + { ++ struct nftables_pernet *nft_net; + struct nft_table *table; + + if (nla == NULL) + 
return ERR_PTR(-EINVAL); + +- list_for_each_entry_rcu(table, &net->nft.tables, list, +- lockdep_is_held(&net->nft.commit_mutex)) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_for_each_entry_rcu(table, &nft_net->tables, list, ++ lockdep_is_held(&nft_net->commit_mutex)) { + if (!nla_strcmp(nla, table->name) && + table->family == family && + nft_active_genmask(table, genmask)) +@@ -567,9 +584,11 @@ static struct nft_table *nft_table_looku + const struct nlattr *nla, + u8 genmask) + { ++ struct nftables_pernet *nft_net; + struct nft_table *table; + +- list_for_each_entry(table, &net->nft.tables, list) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_for_each_entry(table, &nft_net->tables, list) { + if (be64_to_cpu(nla_get_be64(nla)) == table->handle && + nft_active_genmask(table, genmask)) + return table; +@@ -621,6 +640,7 @@ struct nft_module_request { + static int nft_request_module(struct net *net, const char *fmt, ...) + { + char module_name[MODULE_NAME_LEN]; ++ struct nftables_pernet *nft_net; + struct nft_module_request *req; + va_list args; + int ret; +@@ -631,7 +651,8 @@ static int nft_request_module(struct net + if (ret >= MODULE_NAME_LEN) + return 0; + +- list_for_each_entry(req, &net->nft.module_list, list) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_for_each_entry(req, &nft_net->module_list, list) { + if (!strcmp(req->module, module_name)) { + if (req->done) + return 0; +@@ -647,7 +668,7 @@ static int nft_request_module(struct net + + req->done = false; + strlcpy(req->module, module_name, MODULE_NAME_LEN); +- list_add_tail(&req->list, &net->nft.module_list); ++ list_add_tail(&req->list, &nft_net->module_list); + + return -EAGAIN; + } +@@ -685,7 +706,9 @@ nf_tables_chain_type_lookup(struct net * + + static __be16 nft_base_seq(const struct net *net) + { +- return htons(net->nft.base_seq & 0xffff); ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ ++ return htons(nft_net->base_seq & 0xffff); + } + 
+ static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { +@@ -743,6 +766,7 @@ static void nft_notify_enqueue(struct sk + + static void nf_tables_table_notify(const struct nft_ctx *ctx, int event) + { ++ struct nftables_pernet *nft_net; + struct sk_buff *skb; + int err; + +@@ -761,7 +785,8 @@ static void nf_tables_table_notify(const + goto err; + } + +- nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); ++ nft_net = net_generic(ctx->net, nf_tables_net_id); ++ nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); + return; + err: + nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); +@@ -771,15 +796,17 @@ static int nf_tables_dump_tables(struct + struct netlink_callback *cb) + { + const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); ++ struct nftables_pernet *nft_net; + const struct nft_table *table; + unsigned int idx = 0, s_idx = cb->args[0]; + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (family != NFPROTO_UNSPEC && family != table->family) + continue; + +@@ -954,7 +981,7 @@ static int nf_tables_updtable(struct nft + goto err; + + nft_trans_table_update(trans) = true; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + return 0; + err: + nft_trans_destroy(trans); +@@ -1017,6 +1044,7 @@ static int nf_tables_newtable(struct net + const struct nlattr * const nla[], + struct netlink_ext_ack *extack) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + const struct nfgenmsg *nfmsg = nlmsg_data(nlh); + u8 genmask = nft_genmask_next(net); + int family = nfmsg->nfgen_family; +@@ -1026,7 +1054,7 @@ static int nf_tables_newtable(struct net + u32 
flags = 0; + int err; + +- lockdep_assert_held(&net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + attr = nla[NFTA_TABLE_NAME]; + table = nft_table_lookup(net, attr, family, genmask); + if (IS_ERR(table)) { +@@ -1084,7 +1112,7 @@ static int nf_tables_newtable(struct net + if (err < 0) + goto err_trans; + +- list_add_tail_rcu(&table->list, &net->nft.tables); ++ list_add_tail_rcu(&table->list, &nft_net->tables); + return 0; + err_trans: + rhltable_destroy(&table->chains_ht); +@@ -1172,11 +1200,12 @@ out: + + static int nft_flush(struct nft_ctx *ctx, int family) + { ++ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); + struct nft_table *table, *nt; + const struct nlattr * const *nla = ctx->nla; + int err = 0; + +- list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) { ++ list_for_each_entry_safe(table, nt, &nft_net->tables, list) { + if (family != AF_UNSPEC && table->family != family) + continue; + +@@ -1291,7 +1320,9 @@ nft_chain_lookup_byhandle(const struct n + static bool lockdep_commit_lock_is_held(const struct net *net) + { + #ifdef CONFIG_PROVE_LOCKING +- return lockdep_is_held(&net->nft.commit_mutex); ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ ++ return lockdep_is_held(&nft_net->commit_mutex); + #else + return true; + #endif +@@ -1494,6 +1525,7 @@ nla_put_failure: + + static void nf_tables_chain_notify(const struct nft_ctx *ctx, int event) + { ++ struct nftables_pernet *nft_net; + struct sk_buff *skb; + int err; + +@@ -1513,7 +1545,8 @@ static void nf_tables_chain_notify(const + goto err; + } + +- nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); ++ nft_net = net_generic(ctx->net, nf_tables_net_id); ++ nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); + return; + err: + nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); +@@ -1528,11 +1561,13 @@ static int nf_tables_dump_chains(struct + unsigned int idx = 0, s_idx = 
cb->args[0]; + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; ++ struct nftables_pernet *nft_net; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (family != NFPROTO_UNSPEC && family != table->family) + continue; + +@@ -1847,11 +1882,12 @@ static int nft_chain_parse_hook(struct n + struct nft_chain_hook *hook, u8 family, + bool autoload) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nlattr *ha[NFTA_HOOK_MAX + 1]; + const struct nft_chain_type *type; + int err; + +- lockdep_assert_held(&net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + lockdep_nfnl_nft_mutex_not_held(); + + err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX, +@@ -2244,6 +2280,7 @@ static int nf_tables_updchain(struct nft + + if (nla[NFTA_CHAIN_HANDLE] && + nla[NFTA_CHAIN_NAME]) { ++ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); + struct nft_trans *tmp; + char *name; + +@@ -2253,7 +2290,7 @@ static int nf_tables_updchain(struct nft + goto err; + + err = -EEXIST; +- list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) { ++ list_for_each_entry(tmp, &nft_net->commit_list, list) { + if (tmp->msg_type == NFT_MSG_NEWCHAIN && + tmp->ctx.table == table && + nft_trans_chain_update(tmp) && +@@ -2267,7 +2304,7 @@ static int nf_tables_updchain(struct nft + + nft_trans_chain_name(trans) = name; + } +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + err: +@@ -2280,10 +2317,11 @@ static struct nft_chain *nft_chain_looku + const struct nft_table *table, + const struct nlattr *nla) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + u32 id = ntohl(nla_get_be32(nla)); + struct 
nft_trans *trans; + +- list_for_each_entry(trans, &net->nft.commit_list, list) { ++ list_for_each_entry(trans, &nft_net->commit_list, list) { + struct nft_chain *chain = trans->ctx.chain; + + if (trans->msg_type == NFT_MSG_NEWCHAIN && +@@ -2299,6 +2337,7 @@ static int nf_tables_newchain(struct net + const struct nlattr * const nla[], + struct netlink_ext_ack *extack) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + const struct nfgenmsg *nfmsg = nlmsg_data(nlh); + u8 genmask = nft_genmask_next(net); + int family = nfmsg->nfgen_family; +@@ -2310,7 +2349,7 @@ static int nf_tables_newchain(struct net + u64 handle = 0; + u32 flags = 0; + +- lockdep_assert_held(&net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + + table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); + if (IS_ERR(table)) { +@@ -2848,6 +2887,7 @@ nla_put_failure: + static void nf_tables_rule_notify(const struct nft_ctx *ctx, + const struct nft_rule *rule, int event) + { ++ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); + struct sk_buff *skb; + int err; + +@@ -2867,7 +2907,7 @@ static void nf_tables_rule_notify(const + goto err; + } + +- nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); ++ nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); + return; + err: + nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); +@@ -2925,11 +2965,13 @@ static int nf_tables_dump_rules(struct s + unsigned int idx = 0; + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; ++ struct nftables_pernet *nft_net; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (family != NFPROTO_UNSPEC && family != table->family) + continue; + +@@ -3161,6 +3203,7 @@ static int 
nf_tables_newrule(struct net + const struct nlattr * const nla[], + struct netlink_ext_ack *extack) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + const struct nfgenmsg *nfmsg = nlmsg_data(nlh); + u8 genmask = nft_genmask_next(net); + struct nft_expr_info *info = NULL; +@@ -3178,7 +3221,7 @@ static int nf_tables_newrule(struct net + int err, rem; + u64 handle, pos_handle; + +- lockdep_assert_held(&net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + + table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); + if (IS_ERR(table)) { +@@ -3351,7 +3394,7 @@ static int nf_tables_newrule(struct net + kvfree(info); + chain->use++; + +- if (net->nft.validate_state == NFT_VALIDATE_DO) ++ if (nft_net->validate_state == NFT_VALIDATE_DO) + return nft_table_validate(net, table); + + if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { +@@ -3381,10 +3424,11 @@ static struct nft_rule *nft_rule_lookup_ + const struct nft_chain *chain, + const struct nlattr *nla) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + u32 id = ntohl(nla_get_be32(nla)); + struct nft_trans *trans; + +- list_for_each_entry(trans, &net->nft.commit_list, list) { ++ list_for_each_entry(trans, &nft_net->commit_list, list) { + struct nft_rule *rule = nft_trans_rule(trans); + + if (trans->msg_type == NFT_MSG_NEWRULE && +@@ -3497,13 +3541,14 @@ nft_select_set_ops(const struct nft_ctx + const struct nft_set_desc *desc, + enum nft_set_policies policy) + { ++ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); + const struct nft_set_ops *ops, *bops; + struct nft_set_estimate est, best; + const struct nft_set_type *type; + u32 flags = 0; + int i; + +- lockdep_assert_held(&ctx->net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + lockdep_nfnl_nft_mutex_not_held(); + + if (nla[NFTA_SET_FLAGS] != NULL) +@@ -3641,10 +3686,11 @@ static struct nft_set *nft_set_lookup_by + const struct nft_table 
*table, + const struct nlattr *nla, u8 genmask) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_trans *trans; + u32 id = ntohl(nla_get_be32(nla)); + +- list_for_each_entry(trans, &net->nft.commit_list, list) { ++ list_for_each_entry(trans, &nft_net->commit_list, list) { + if (trans->msg_type == NFT_MSG_NEWSET) { + struct nft_set *set = nft_trans_set(trans); + +@@ -3867,6 +3913,7 @@ static void nf_tables_set_notify(const s + const struct nft_set *set, int event, + gfp_t gfp_flags) + { ++ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); + struct sk_buff *skb; + u32 portid = ctx->portid; + int err; +@@ -3885,7 +3932,7 @@ static void nf_tables_set_notify(const s + goto err; + } + +- nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); ++ nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); + return; + err: + nfnetlink_set_err(ctx->net, portid, NFNLGRP_NFTABLES, -ENOBUFS); +@@ -3898,14 +3945,16 @@ static int nf_tables_dump_sets(struct sk + struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; + struct net *net = sock_net(skb->sk); + struct nft_ctx *ctx = cb->data, ctx_set; ++ struct nftables_pernet *nft_net; + + if (cb->args[1]) + return skb->len; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (ctx->family != NFPROTO_UNSPEC && + ctx->family != table->family) + continue; +@@ -4706,6 +4755,7 @@ static int nf_tables_dump_set(struct sk_ + { + struct nft_set_dump_ctx *dump_ctx = cb->data; + struct net *net = sock_net(skb->sk); ++ struct nftables_pernet *nft_net; + struct nft_table *table; + struct nft_set *set; + struct nft_set_dump_args args; +@@ -4716,7 +4766,8 @@ static int nf_tables_dump_set(struct sk_ + int event; + + rcu_read_lock(); +- 
list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (dump_ctx->ctx.family != NFPROTO_UNSPEC && + dump_ctx->ctx.family != table->family) + continue; +@@ -4995,6 +5046,7 @@ static void nf_tables_setelem_notify(con + const struct nft_set_elem *elem, + int event, u16 flags) + { ++ struct nftables_pernet *nft_net; + struct net *net = ctx->net; + u32 portid = ctx->portid; + struct sk_buff *skb; +@@ -5014,7 +5066,8 @@ static void nf_tables_setelem_notify(con + goto err; + } + +- nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); ++ nft_net = net_generic(net, nf_tables_net_id); ++ nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); + return; + err: + nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); +@@ -5410,7 +5463,7 @@ static int nft_add_set_elem(struct nft_c + } + + nft_trans_elem(trans) = elem; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + return 0; + + err_set_full: +@@ -5441,6 +5494,7 @@ static int nf_tables_newsetelem(struct n + const struct nlattr * const nla[], + struct netlink_ext_ack *extack) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + u8 genmask = nft_genmask_next(net); + const struct nlattr *attr; + struct nft_set *set; +@@ -5470,7 +5524,7 @@ static int nf_tables_newsetelem(struct n + return err; + } + +- if (net->nft.validate_state == NFT_VALIDATE_DO) ++ if (nft_net->validate_state == NFT_VALIDATE_DO) + return nft_table_validate(net, ctx.table); + + return 0; +@@ -5606,7 +5660,7 @@ static int nft_del_setelem(struct nft_ct + nft_set_elem_deactivate(ctx->net, set, &elem); + + nft_trans_elem(trans) = elem; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + return 0; + + fail_ops: +@@ -5640,7 +5694,7 @@ static int nft_flush_set(const struct nf + 
nft_set_elem_deactivate(ctx->net, set, elem); + nft_trans_elem_set(trans) = set; + nft_trans_elem(trans) = *elem; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + err1: +@@ -5939,7 +5993,7 @@ static int nf_tables_updobj(const struct + nft_trans_obj(trans) = obj; + nft_trans_obj_update(trans) = true; + nft_trans_obj_newobj(trans) = newobj; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + +@@ -6102,6 +6156,7 @@ static int nf_tables_dump_obj(struct sk_ + struct nft_obj_filter *filter = cb->data; + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; ++ struct nftables_pernet *nft_net; + struct nft_object *obj; + bool reset = false; + +@@ -6109,9 +6164,10 @@ static int nf_tables_dump_obj(struct sk_ + reset = true; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (family != NFPROTO_UNSPEC && family != table->family) + continue; + +@@ -6134,7 +6190,7 @@ static int nf_tables_dump_obj(struct sk_ + char *buf = kasprintf(GFP_ATOMIC, + "%s:%u", + table->name, +- net->nft.base_seq); ++ nft_net->base_seq); + + audit_log_nfcfg(buf, + family, +@@ -6255,8 +6311,11 @@ static int nf_tables_getobj(struct net * + reset = true; + + if (reset) { +- char *buf = kasprintf(GFP_ATOMIC, "%s:%u", +- table->name, net->nft.base_seq); ++ const struct nftables_pernet *nft_net; ++ char *buf; ++ ++ nft_net = net_generic(net, nf_tables_net_id); ++ buf = kasprintf(GFP_ATOMIC, "%s:%u", table->name, nft_net->base_seq); + + audit_log_nfcfg(buf, + family, +@@ -6341,10 +6400,11 @@ void nft_obj_notify(struct net *net, con + struct nft_object *obj, u32 portid, u32 seq, int event, + int family, int report, gfp_t gfp) + { ++ 
struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct sk_buff *skb; + int err; + char *buf = kasprintf(gfp, "%s:%u", +- table->name, net->nft.base_seq); ++ table->name, nft_net->base_seq); + + audit_log_nfcfg(buf, + family, +@@ -6370,7 +6430,7 @@ void nft_obj_notify(struct net *net, con + goto err; + } + +- nft_notify_enqueue(skb, report, &net->nft.notify_list); ++ nft_notify_enqueue(skb, report, &nft_net->notify_list); + return; + err: + nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS); +@@ -6706,7 +6766,7 @@ static int nft_flowtable_update(struct n + INIT_LIST_HEAD(&nft_trans_flowtable_hooks(trans)); + list_splice(&flowtable_hook.list, &nft_trans_flowtable_hooks(trans)); + +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + +@@ -6896,7 +6956,7 @@ static int nft_delflowtable_hook(struct + list_splice(&flowtable_del_list, &nft_trans_flowtable_hooks(trans)); + nft_flowtable_hook_release(&flowtable_hook); + +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + +@@ -7022,12 +7082,14 @@ static int nf_tables_dump_flowtable(stru + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; + struct nft_flowtable *flowtable; ++ struct nftables_pernet *nft_net; + const struct nft_table *table; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (family != NFPROTO_UNSPEC && family != table->family) + continue; + +@@ -7162,6 +7224,7 @@ static void nf_tables_flowtable_notify(s + struct list_head *hook_list, + int event) + { ++ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); + struct sk_buff *skb; + int err; + +@@ -7181,7 +7244,7 @@ static void 
nf_tables_flowtable_notify(s + goto err; + } + +- nft_notify_enqueue(skb, ctx->report, &ctx->net->nft.notify_list); ++ nft_notify_enqueue(skb, ctx->report, &nft_net->notify_list); + return; + err: + nfnetlink_set_err(ctx->net, ctx->portid, NFNLGRP_NFTABLES, -ENOBUFS); +@@ -7206,6 +7269,7 @@ static void nf_tables_flowtable_destroy( + static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, + u32 portid, u32 seq) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nlmsghdr *nlh; + char buf[TASK_COMM_LEN]; + int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); +@@ -7215,7 +7279,7 @@ static int nf_tables_fill_gen_info(struc + if (!nlh) + goto nla_put_failure; + +- if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) || ++ if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) || + nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || + nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) + goto nla_put_failure; +@@ -7250,6 +7314,7 @@ static int nf_tables_flowtable_event(str + { + struct net_device *dev = netdev_notifier_info_to_dev(ptr); + struct nft_flowtable *flowtable; ++ struct nftables_pernet *nft_net; + struct nft_table *table; + struct net *net; + +@@ -7257,13 +7322,14 @@ static int nf_tables_flowtable_event(str + return 0; + + net = dev_net(dev); +- mutex_lock(&net->nft.commit_mutex); +- list_for_each_entry(table, &net->nft.tables, list) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ mutex_lock(&nft_net->commit_mutex); ++ list_for_each_entry(table, &nft_net->tables, list) { + list_for_each_entry(flowtable, &table->flowtables, list) { + nft_flowtable_event(event, dev, flowtable); + } + } +- mutex_unlock(&net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + + return NOTIFY_DONE; + } +@@ -7444,16 +7510,17 @@ static const struct nfnl_callback nf_tab + + static int nf_tables_validate(struct net *net) + { ++ struct nftables_pernet *nft_net 
= net_generic(net, nf_tables_net_id); + struct nft_table *table; + +- switch (net->nft.validate_state) { ++ switch (nft_net->validate_state) { + case NFT_VALIDATE_SKIP: + break; + case NFT_VALIDATE_NEED: + nft_validate_state_update(net, NFT_VALIDATE_DO); + fallthrough; + case NFT_VALIDATE_DO: +- list_for_each_entry(table, &net->nft.tables, list) { ++ list_for_each_entry(table, &nft_net->tables, list) { + if (nft_table_validate(net, table) < 0) + return -EAGAIN; + } +@@ -7630,9 +7697,10 @@ static int nf_tables_commit_chain_prepar + + static void nf_tables_commit_chain_prepare_cancel(struct net *net) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_trans *trans, *next; + +- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { ++ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { + struct nft_chain *chain = trans->ctx.chain; + + if (trans->msg_type == NFT_MSG_NEWRULE || +@@ -7730,10 +7798,11 @@ void nft_chain_del(struct nft_chain *cha + + static void nf_tables_module_autoload_cleanup(struct net *net) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_module_request *req, *next; + +- WARN_ON_ONCE(!list_empty(&net->nft.commit_list)); +- list_for_each_entry_safe(req, next, &net->nft.module_list, list) { ++ WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); ++ list_for_each_entry_safe(req, next, &nft_net->module_list, list) { + WARN_ON_ONCE(!req->done); + list_del(&req->list); + kfree(req); +@@ -7742,6 +7811,7 @@ static void nf_tables_module_autoload_cl + + static void nf_tables_commit_release(struct net *net) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_trans *trans; + + /* all side effects have to be made visible. +@@ -7751,35 +7821,36 @@ static void nf_tables_commit_release(str + * Memory reclaim happens asynchronously from work queue + * to prevent expensive synchronize_rcu() in commit phase. 
+ */ +- if (list_empty(&net->nft.commit_list)) { ++ if (list_empty(&nft_net->commit_list)) { + nf_tables_module_autoload_cleanup(net); +- mutex_unlock(&net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + return; + } + +- trans = list_last_entry(&net->nft.commit_list, ++ trans = list_last_entry(&nft_net->commit_list, + struct nft_trans, list); + get_net(trans->ctx.net); + WARN_ON_ONCE(trans->put_net); + + trans->put_net = true; + spin_lock(&nf_tables_destroy_list_lock); +- list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list); ++ list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list); + spin_unlock(&nf_tables_destroy_list_lock); + + nf_tables_module_autoload_cleanup(net); + schedule_work(&trans_destroy_work); + +- mutex_unlock(&net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + } + + static void nft_commit_notify(struct net *net, u32 portid) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct sk_buff *batch_skb = NULL, *nskb, *skb; + unsigned char *data; + int len; + +- list_for_each_entry_safe(skb, nskb, &net->nft.notify_list, list) { ++ list_for_each_entry_safe(skb, nskb, &nft_net->notify_list, list) { + if (!batch_skb) { + new_batch: + batch_skb = skb; +@@ -7805,7 +7876,7 @@ new_batch: + NFT_CB(batch_skb).report, GFP_KERNEL); + } + +- WARN_ON_ONCE(!list_empty(&net->nft.notify_list)); ++ WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); + } + + static int nf_tables_commit_audit_alloc(struct list_head *adl, +@@ -7871,6 +7942,7 @@ static void nf_tables_commit_audit_log(s + + static int nf_tables_commit(struct net *net, struct sk_buff *skb) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_trans *trans, *next; + struct nft_trans_elem *te; + struct nft_chain *chain; +@@ -7878,8 +7950,8 @@ static int nf_tables_commit(struct net * + LIST_HEAD(adl); + int err; + +- if (list_empty(&net->nft.commit_list)) { +- 
mutex_unlock(&net->nft.commit_mutex); ++ if (list_empty(&nft_net->commit_list)) { ++ mutex_unlock(&nft_net->commit_mutex); + return 0; + } + +@@ -7892,7 +7964,7 @@ static int nf_tables_commit(struct net * + return err; + + /* 1. Allocate space for next generation rules_gen_X[] */ +- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { ++ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { + int ret; + + ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table); +@@ -7915,7 +7987,7 @@ static int nf_tables_commit(struct net * + } + + /* step 2. Make rules_gen_X visible to packet path */ +- list_for_each_entry(table, &net->nft.tables, list) { ++ list_for_each_entry(table, &nft_net->tables, list) { + list_for_each_entry(chain, &table->chains, list) + nf_tables_commit_chain(net, chain); + } +@@ -7924,12 +7996,13 @@ static int nf_tables_commit(struct net * + * Bump generation counter, invalidate any dump in progress. + * Cannot fail after this point. + */ +- while (++net->nft.base_seq == 0); ++ while (++nft_net->base_seq == 0) ++ ; + + /* step 3. Start new generation, rules_gen_X now in use. 
*/ + net->nft.gencursor = nft_gencursor_next(net); + +- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { ++ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { + nf_tables_commit_audit_collect(&adl, trans->ctx.table, + trans->msg_type); + switch (trans->msg_type) { +@@ -8089,7 +8162,7 @@ static int nf_tables_commit(struct net * + + nft_commit_notify(net, NETLINK_CB(skb).portid); + nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN); +- nf_tables_commit_audit_log(&adl, net->nft.base_seq); ++ nf_tables_commit_audit_log(&adl, nft_net->base_seq); + nf_tables_commit_release(net); + + return 0; +@@ -8097,17 +8170,18 @@ static int nf_tables_commit(struct net * + + static void nf_tables_module_autoload(struct net *net) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_module_request *req, *next; + LIST_HEAD(module_list); + +- list_splice_init(&net->nft.module_list, &module_list); +- mutex_unlock(&net->nft.commit_mutex); ++ list_splice_init(&nft_net->module_list, &module_list); ++ mutex_unlock(&nft_net->commit_mutex); + list_for_each_entry_safe(req, next, &module_list, list) { + request_module("%s", req->module); + req->done = true; + } +- mutex_lock(&net->nft.commit_mutex); +- list_splice(&module_list, &net->nft.module_list); ++ mutex_lock(&nft_net->commit_mutex); ++ list_splice(&module_list, &nft_net->module_list); + } + + static void nf_tables_abort_release(struct nft_trans *trans) +@@ -8144,6 +8218,7 @@ static void nf_tables_abort_release(stru + + static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_trans *trans, *next; + struct nft_trans_elem *te; + +@@ -8151,7 +8226,7 @@ static int __nf_tables_abort(struct net + nf_tables_validate(net) < 0) + return -EAGAIN; + +- list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list, ++ list_for_each_entry_safe_reverse(trans, next, 
&nft_net->commit_list, + list) { + switch (trans->msg_type) { + case NFT_MSG_NEWTABLE: +@@ -8277,7 +8352,7 @@ static int __nf_tables_abort(struct net + synchronize_rcu(); + + list_for_each_entry_safe_reverse(trans, next, +- &net->nft.commit_list, list) { ++ &nft_net->commit_list, list) { + list_del(&trans->list); + nf_tables_abort_release(trans); + } +@@ -8293,22 +8368,24 @@ static int __nf_tables_abort(struct net + static int nf_tables_abort(struct net *net, struct sk_buff *skb, + enum nfnl_abort_action action) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + int ret = __nf_tables_abort(net, action); + +- mutex_unlock(&net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + + return ret; + } + + static bool nf_tables_valid_genid(struct net *net, u32 genid) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + bool genid_ok; + +- mutex_lock(&net->nft.commit_mutex); ++ mutex_lock(&nft_net->commit_mutex); + +- genid_ok = genid == 0 || net->nft.base_seq == genid; ++ genid_ok = genid == 0 || nft_net->base_seq == genid; + if (!genid_ok) +- mutex_unlock(&net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + + /* else, commit mutex has to be released by commit or abort function */ + return genid_ok; +@@ -8909,19 +8986,19 @@ EXPORT_SYMBOL_GPL(__nft_release_basechai + + static void __nft_release_hooks(struct net *net) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_table *table; + struct nft_chain *chain; + +- list_for_each_entry(table, &net->nft.tables, list) { ++ list_for_each_entry(table, &nft_net->tables, list) { + list_for_each_entry(chain, &table->chains, list) + nf_tables_unregister_hook(net, table, chain); + } + } + +-static void __nft_release_tables(struct net *net) ++static void __nft_release_table(struct net *net, struct nft_table *table) + { + struct nft_flowtable *flowtable, *nf; +- struct nft_table *table, *nt; + struct nft_chain *chain, 
*nc; + struct nft_object *obj, *ne; + struct nft_rule *rule, *nr; +@@ -8931,79 +9008,94 @@ static void __nft_release_tables(struct + .family = NFPROTO_NETDEV, + }; + +- list_for_each_entry_safe(table, nt, &net->nft.tables, list) { +- ctx.family = table->family; +- ctx.table = table; +- list_for_each_entry(chain, &table->chains, list) { +- ctx.chain = chain; +- list_for_each_entry_safe(rule, nr, &chain->rules, list) { +- list_del(&rule->list); +- chain->use--; +- nf_tables_rule_release(&ctx, rule); +- } +- } +- list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { +- list_del(&flowtable->list); +- table->use--; +- nf_tables_flowtable_destroy(flowtable); +- } +- list_for_each_entry_safe(set, ns, &table->sets, list) { +- list_del(&set->list); +- table->use--; +- nft_set_destroy(&ctx, set); +- } +- list_for_each_entry_safe(obj, ne, &table->objects, list) { +- nft_obj_del(obj); +- table->use--; +- nft_obj_destroy(&ctx, obj); +- } +- list_for_each_entry_safe(chain, nc, &table->chains, list) { +- ctx.chain = chain; +- nft_chain_del(chain); +- table->use--; +- nf_tables_chain_destroy(&ctx); ++ ctx.family = table->family; ++ ctx.table = table; ++ list_for_each_entry(chain, &table->chains, list) { ++ ctx.chain = chain; ++ list_for_each_entry_safe(rule, nr, &chain->rules, list) { ++ list_del(&rule->list); ++ chain->use--; ++ nf_tables_rule_release(&ctx, rule); + } +- list_del(&table->list); +- nf_tables_table_destroy(&ctx); + } ++ list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { ++ list_del(&flowtable->list); ++ table->use--; ++ nf_tables_flowtable_destroy(flowtable); ++ } ++ list_for_each_entry_safe(set, ns, &table->sets, list) { ++ list_del(&set->list); ++ table->use--; ++ nft_set_destroy(&ctx, set); ++ } ++ list_for_each_entry_safe(obj, ne, &table->objects, list) { ++ nft_obj_del(obj); ++ table->use--; ++ nft_obj_destroy(&ctx, obj); ++ } ++ list_for_each_entry_safe(chain, nc, &table->chains, list) { ++ ctx.chain = chain; ++ 
nft_chain_del(chain); ++ table->use--; ++ nf_tables_chain_destroy(&ctx); ++ } ++ list_del(&table->list); ++ nf_tables_table_destroy(&ctx); ++} ++ ++static void __nft_release_tables(struct net *net) ++{ ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ struct nft_table *table, *nt; ++ ++ list_for_each_entry_safe(table, nt, &nft_net->tables, list) ++ __nft_release_table(net, table); + } + + static int __net_init nf_tables_init_net(struct net *net) + { +- INIT_LIST_HEAD(&net->nft.tables); +- INIT_LIST_HEAD(&net->nft.commit_list); +- INIT_LIST_HEAD(&net->nft.module_list); +- INIT_LIST_HEAD(&net->nft.notify_list); +- mutex_init(&net->nft.commit_mutex); +- net->nft.base_seq = 1; +- net->nft.validate_state = NFT_VALIDATE_SKIP; ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ ++ INIT_LIST_HEAD(&nft_net->tables); ++ INIT_LIST_HEAD(&nft_net->commit_list); ++ INIT_LIST_HEAD(&nft_net->module_list); ++ INIT_LIST_HEAD(&nft_net->notify_list); ++ mutex_init(&nft_net->commit_mutex); ++ nft_net->base_seq = 1; ++ nft_net->validate_state = NFT_VALIDATE_SKIP; + + return 0; + } + + static void __net_exit nf_tables_pre_exit_net(struct net *net) + { +- mutex_lock(&net->nft.commit_mutex); ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ ++ mutex_lock(&nft_net->commit_mutex); + __nft_release_hooks(net); +- mutex_unlock(&net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + } + + static void __net_exit nf_tables_exit_net(struct net *net) + { +- mutex_lock(&net->nft.commit_mutex); +- if (!list_empty(&net->nft.commit_list)) ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ ++ mutex_lock(&nft_net->commit_mutex); ++ if (!list_empty(&nft_net->commit_list)) + __nf_tables_abort(net, NFNL_ABORT_NONE); + __nft_release_tables(net); +- mutex_unlock(&net->nft.commit_mutex); +- WARN_ON_ONCE(!list_empty(&net->nft.tables)); +- WARN_ON_ONCE(!list_empty(&net->nft.module_list)); +- 
WARN_ON_ONCE(!list_empty(&net->nft.notify_list)); ++ mutex_unlock(&nft_net->commit_mutex); ++ WARN_ON_ONCE(!list_empty(&nft_net->tables)); ++ WARN_ON_ONCE(!list_empty(&nft_net->module_list)); ++ WARN_ON_ONCE(!list_empty(&nft_net->notify_list)); + } + + static struct pernet_operations nf_tables_net_ops = { + .init = nf_tables_init_net, + .pre_exit = nf_tables_pre_exit_net, + .exit = nf_tables_exit_net, ++ .id = &nf_tables_net_id, ++ .size = sizeof(struct nftables_pernet), + }; + + static int __init nf_tables_module_init(void) +--- a/net/netfilter/nf_tables_offload.c ++++ b/net/netfilter/nf_tables_offload.c +@@ -7,6 +7,8 @@ + #include + #include + ++extern unsigned int nf_tables_net_id; ++ + static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions) + { + struct nft_flow_rule *flow; +@@ -371,16 +373,18 @@ static void nft_indr_block_cleanup(struc + struct nft_base_chain *basechain = block_cb->indr.data; + struct net_device *dev = block_cb->indr.dev; + struct netlink_ext_ack extack = {}; ++ struct nftables_pernet *nft_net; + struct net *net = dev_net(dev); + struct flow_block_offload bo; + + nft_flow_block_offload_init(&bo, dev_net(dev), FLOW_BLOCK_UNBIND, + basechain, &extack); +- mutex_lock(&net->nft.commit_mutex); ++ nft_net = net_generic(net, nf_tables_net_id); ++ mutex_lock(&nft_net->commit_mutex); + list_del(&block_cb->driver_list); + list_move(&block_cb->list, &bo.cb_list); + nft_flow_offload_unbind(&bo, basechain); +- mutex_unlock(&net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + } + + static int nft_indr_block_offload_cmd(struct nft_base_chain *basechain, +@@ -476,9 +480,10 @@ static int nft_flow_offload_chain(struct + static void nft_flow_rule_offload_abort(struct net *net, + struct nft_trans *trans) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + int err = 0; + +- list_for_each_entry_continue_reverse(trans, &net->nft.commit_list, list) { ++ list_for_each_entry_continue_reverse(trans, 
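Review bot: The `extern unsigned int nf_tables_net_id;` added at the top of nf_tables_offload.c is a hand-written copy of a declaration, and the same line is repeated in nft_chain_filter.c and nft_dynset.c further down. An extern in a .c file is not checked against the definition, so a later change of the id's type would compile cleanly in these three files. I would declare it once in the shared nf_tables header that these files already rely on for `struct nftables_pernet`, and drop the three copies. A small static inline accessor next to that declaration would also replace the many repeated `net_generic(net, nf_tables_net_id)` calls that this patch introduces.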
&nft_net->commit_list, list) { + if (trans->ctx.family != NFPROTO_NETDEV) + continue; + +@@ -524,11 +529,12 @@ static void nft_flow_rule_offload_abort( + + int nft_flow_rule_offload_commit(struct net *net) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_trans *trans; + int err = 0; + u8 policy; + +- list_for_each_entry(trans, &net->nft.commit_list, list) { ++ list_for_each_entry(trans, &nft_net->commit_list, list) { + if (trans->ctx.family != NFPROTO_NETDEV) + continue; + +@@ -580,7 +586,7 @@ int nft_flow_rule_offload_commit(struct + } + } + +- list_for_each_entry(trans, &net->nft.commit_list, list) { ++ list_for_each_entry(trans, &nft_net->commit_list, list) { + if (trans->ctx.family != NFPROTO_NETDEV) + continue; + +@@ -600,15 +606,15 @@ int nft_flow_rule_offload_commit(struct + return err; + } + +-static struct nft_chain *__nft_offload_get_chain(struct net_device *dev) ++static struct nft_chain *__nft_offload_get_chain(const struct nftables_pernet *nft_net, ++ struct net_device *dev) + { + struct nft_base_chain *basechain; +- struct net *net = dev_net(dev); + struct nft_hook *hook, *found; + const struct nft_table *table; + struct nft_chain *chain; + +- list_for_each_entry(table, &net->nft.tables, list) { ++ list_for_each_entry(table, &nft_net->tables, list) { + if (table->family != NFPROTO_NETDEV) + continue; + +@@ -640,19 +646,21 @@ static int nft_offload_netdev_event(stru + unsigned long event, void *ptr) + { + struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct nftables_pernet *nft_net; + struct net *net = dev_net(dev); + struct nft_chain *chain; + + if (event != NETDEV_UNREGISTER) + return NOTIFY_DONE; + +- mutex_lock(&net->nft.commit_mutex); +- chain = __nft_offload_get_chain(dev); ++ nft_net = net_generic(net, nf_tables_net_id); ++ mutex_lock(&nft_net->commit_mutex); ++ chain = __nft_offload_get_chain(nft_net, dev); + if (chain) + nft_flow_block_chain(nft_base_chain(chain), dev, + 
FLOW_BLOCK_UNBIND); + +- mutex_unlock(&net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + + return NOTIFY_DONE; + } +--- a/net/netfilter/nft_chain_filter.c ++++ b/net/netfilter/nft_chain_filter.c +@@ -2,6 +2,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -10,6 +11,8 @@ + #include + #include + ++extern unsigned int nf_tables_net_id; ++ + #ifdef CONFIG_NF_TABLES_IPV4 + static unsigned int nft_do_chain_ipv4(void *priv, + struct sk_buff *skb, +@@ -355,6 +358,7 @@ static int nf_tables_netdev_event(struct + unsigned long event, void *ptr) + { + struct net_device *dev = netdev_notifier_info_to_dev(ptr); ++ struct nftables_pernet *nft_net; + struct nft_table *table; + struct nft_chain *chain, *nr; + struct nft_ctx ctx = { +@@ -365,8 +369,9 @@ static int nf_tables_netdev_event(struct + event != NETDEV_CHANGENAME) + return NOTIFY_DONE; + +- mutex_lock(&ctx.net->nft.commit_mutex); +- list_for_each_entry(table, &ctx.net->nft.tables, list) { ++ nft_net = net_generic(ctx.net, nf_tables_net_id); ++ mutex_lock(&nft_net->commit_mutex); ++ list_for_each_entry(table, &nft_net->tables, list) { + if (table->family != NFPROTO_NETDEV) + continue; + +@@ -380,7 +385,7 @@ static int nf_tables_netdev_event(struct + nft_netdev_event(event, dev, &ctx); + } + } +- mutex_unlock(&ctx.net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + + return NOTIFY_DONE; + } +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -11,6 +11,9 @@ + #include + #include + #include ++#include ++ ++extern unsigned int nf_tables_net_id; + + struct nft_dynset { + struct nft_set *set; +@@ -106,13 +109,14 @@ static int nft_dynset_init(const struct + const struct nft_expr *expr, + const struct nlattr * const tb[]) + { ++ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); + struct nft_dynset *priv = nft_expr_priv(expr); + u8 genmask = nft_genmask_next(ctx->net); + struct nft_set *set; + u64 timeout; + int err; + +- 
lockdep_assert_held(&ctx->net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + + if (tb[NFTA_DYNSET_SET_NAME] == NULL || + tb[NFTA_DYNSET_OP] == NULL || diff --git a/tmp-5.10/netfilter-nft_set_pipapo-fix-improper-element-remova.patch b/tmp-5.10/netfilter-nft_set_pipapo-fix-improper-element-remova.patch new file mode 100644 index 00000000000..7d82a09cc83 --- /dev/null +++ b/tmp-5.10/netfilter-nft_set_pipapo-fix-improper-element-remova.patch 
@@ -0,0 +1,63 @@ +From 6af637ced32834d5a6788762f311e79483caf404 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:08:21 +0200 +Subject: netfilter: nft_set_pipapo: fix improper element removal + +From: Florian Westphal + +[ Upstream commit 87b5a5c209405cb6b57424cdfa226a6dbd349232 ] + +end key should be equal to start unless NFT_SET_EXT_KEY_END is present. + +Its possible to add elements that only have a start key +("{ 1.0.0.0 . 2.0.0.0 }") without an internval end. + +Insertion treats this via: + +if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) + end = (const u8 *)nft_set_ext_key_end(ext)->data; +else + end = start; + +but removal side always uses nft_set_ext_key_end(). +This is wrong and leads to garbage remaining in the set after removal +next lookup/insert attempt will give: + +BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90 +Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399 +Call Trace: + kasan_report+0x105/0x140 + pipapo_get+0x8eb/0xb90 + nft_pipapo_insert+0x1dc/0x1710 + nf_tables_newsetelem+0x31f5/0x4e00 + .. 
+ +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Reported-by: lonial con +Reviewed-by: Stefano Brivio +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 7c759e9b4d848..3be93175b3ffd 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1904,7 +1904,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set, + int i, start, rules_fx; + + match_start = data; +- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; ++ ++ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END)) ++ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; ++ else ++ match_end = data; + + start = first_rule; + rules_fx = rules_f0; +-- +2.39.2 + diff --git a/tmp-5.10/netfilter-nftables-rename-set-element-data-activation-deactivation-functions.patch b/tmp-5.10/netfilter-nftables-rename-set-element-data-activation-deactivation-functions.patch new file mode 100644 index 00000000000..8c9da8e66f2 --- /dev/null +++ b/tmp-5.10/netfilter-nftables-rename-set-element-data-activation-deactivation-functions.patch 
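Review bot: In nft_pipapo_remove() the new `if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END))` branch is a second copy of the end-key selection that the commit message quotes from the insertion path, and the two paths disagreeing is what left stale entries in the set and led to the KASAN use-after-free report. A small static helper that returns the end key, falling back to the start key when the extension is absent, and is called from both insert and remove would keep them from diverging again. Short of that, a comment above the branch such as `/* no KEY_END extension: end == start, must mirror nft_pipapo_insert() */` records the invariant. The body of nft_pipapo_remove() starts and continues outside the hunk, so any other use of the end key in this file is not visible here and should be checked for the same assumption.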
@@ -0,0 +1,92 @@ +From stable-owner@vger.kernel.org Thu Jul 13 10:49:53 2023 +From: Pablo Neira Ayuso +Date: Thu, 13 Jul 2023 10:48:56 +0200 +Subject: netfilter: nftables: rename set element data activation/deactivation functions +To: netfilter-devel@vger.kernel.org +Cc: gregkh@linuxfoundation.org, stable@vger.kernel.org, sashal@kernel.org +Message-ID: <20230713084859.71541-9-pablo@netfilter.org> + +From: Pablo Neira Ayuso + +[ Upstream commit f8bb7889af58d8e74d2d61c76b1418230f1610fa ] + +Rename: + +- nft_set_elem_activate() to nft_set_elem_data_activate(). +- nft_set_elem_deactivate() to nft_set_elem_data_deactivate(). + +To prepare for updates in the set element infrastructure to add support +for the special catch-all element. + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5270,8 +5270,8 @@ void nft_set_elem_destroy(const struct n + } + EXPORT_SYMBOL_GPL(nft_set_elem_destroy); + +-/* Only called from commit path, nft_set_elem_deactivate() already deals with +- * the refcounting from the preparation phase. ++/* Only called from commit path, nft_setelem_data_deactivate() already deals ++ * with the refcounting from the preparation phase. 
+ */ + static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, + const struct nft_set *set, void *elem) +@@ -5649,9 +5649,9 @@ void nft_data_hold(const struct nft_data + } + } + +-static void nft_set_elem_activate(const struct net *net, +- const struct nft_set *set, +- struct nft_set_elem *elem) ++static void nft_setelem_data_activate(const struct net *net, ++ const struct nft_set *set, ++ struct nft_set_elem *elem) + { + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); + +@@ -5661,9 +5661,9 @@ static void nft_set_elem_activate(const + (*nft_set_ext_obj(ext))->use++; + } + +-static void nft_set_elem_deactivate(const struct net *net, +- const struct nft_set *set, +- struct nft_set_elem *elem) ++static void nft_setelem_data_deactivate(const struct net *net, ++ const struct nft_set *set, ++ struct nft_set_elem *elem) + { + const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); + +@@ -5740,7 +5740,7 @@ static int nft_del_setelem(struct nft_ct + kfree(elem.priv); + elem.priv = priv; + +- nft_set_elem_deactivate(ctx->net, set, &elem); ++ nft_setelem_data_deactivate(ctx->net, set, &elem); + + nft_trans_elem(trans) = elem; + nft_trans_commit_list_add_tail(ctx->net, trans); +@@ -5774,7 +5774,7 @@ static int nft_flush_set(const struct nf + } + set->ndeact++; + +- nft_set_elem_deactivate(ctx->net, set, elem); ++ nft_setelem_data_deactivate(ctx->net, set, elem); + nft_trans_elem_set(trans) = set; + nft_trans_elem(trans) = *elem; + nft_trans_commit_list_add_tail(ctx->net, trans); +@@ -8413,7 +8413,7 @@ static int __nf_tables_abort(struct net + case NFT_MSG_DELSETELEM: + te = (struct nft_trans_elem *)trans->data; + +- nft_set_elem_activate(net, te->set, &te->elem); ++ nft_setelem_data_activate(net, te->set, &te->elem); + te->set->ops->activate(net, te->set, &te->elem); + te->set->ndeact--; + 
diff --git a/tmp-5.10/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch b/tmp-5.10/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch
new file mode 100644
index 00000000000..c0fa65c8a57
--- /dev/null
+++ b/tmp-5.10/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch
@@ -0,0 +1,152 @@ +From 2d09f0cb4979acb6cce6b687bb1673fd0729bac9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 09:43:13 -0700 +Subject: netlink: Add __sock_i_ino() for __netlink_diag_dump(). + +From: Kuniyuki Iwashima + +[ Upstream commit 25a9c8a4431c364f97f75558cb346d2ad3f53fbb ] + +syzbot reported a warning in __local_bh_enable_ip(). [0] + +Commit 8d61f926d420 ("netlink: fix potential deadlock in +netlink_set_err()") converted read_lock(&nl_table_lock) to +read_lock_irqsave() in __netlink_diag_dump() to prevent a deadlock. + +However, __netlink_diag_dump() calls sock_i_ino() that uses +read_lock_bh() and read_unlock_bh(). If CONFIG_TRACE_IRQFLAGS=y, +read_unlock_bh() finally enables IRQ even though it should stay +disabled until the following read_unlock_irqrestore(). + +Using read_lock() in sock_i_ino() would trigger a lockdep splat +in another place that was fixed in commit f064af1e500a ("net: fix +a lockdep splat"), so let's add __sock_i_ino() that would be safe +to use under BH disabled. 
+ +[0]: +WARNING: CPU: 0 PID: 5012 at kernel/softirq.c:376 __local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376 +Modules linked in: +CPU: 0 PID: 5012 Comm: syz-executor487 Not tainted 6.4.0-rc7-syzkaller-00202-g6f68fc395f49 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 +RIP: 0010:__local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376 +Code: 45 bf 01 00 00 00 e8 91 5b 0a 00 e8 3c 15 3d 00 fb 65 8b 05 ec e9 b5 7e 85 c0 74 58 5b 5d c3 65 8b 05 b2 b6 b4 7e 85 c0 75 a2 <0f> 0b eb 9e e8 89 15 3d 00 eb 9f 48 89 ef e8 6f 49 18 00 eb a8 0f +RSP: 0018:ffffc90003a1f3d0 EFLAGS: 00010046 +RAX: 0000000000000000 RBX: 0000000000000201 RCX: 1ffffffff1cf5996 +RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff8805c6f3 +RBP: ffffffff8805c6f3 R08: 0000000000000001 R09: ffff8880152b03a3 +R10: ffffed1002a56074 R11: 0000000000000005 R12: 00000000000073e4 +R13: dffffc0000000000 R14: 0000000000000002 R15: 0000000000000000 +FS: 0000555556726300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000000045ad50 CR3: 000000007c646000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + sock_i_ino+0x83/0xa0 net/core/sock.c:2559 + __netlink_diag_dump+0x45c/0x790 net/netlink/diag.c:171 + netlink_diag_dump+0xd6/0x230 net/netlink/diag.c:207 + netlink_dump+0x570/0xc50 net/netlink/af_netlink.c:2269 + __netlink_dump_start+0x64b/0x910 net/netlink/af_netlink.c:2374 + netlink_dump_start include/linux/netlink.h:329 [inline] + netlink_diag_handler_dump+0x1ae/0x250 net/netlink/diag.c:238 + __sock_diag_cmd net/core/sock_diag.c:238 [inline] + sock_diag_rcv_msg+0x31e/0x440 net/core/sock_diag.c:269 + netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2547 + sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + 
netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1914 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0xde/0x190 net/socket.c:747 + ____sys_sendmsg+0x71c/0x900 net/socket.c:2503 + ___sys_sendmsg+0x110/0x1b0 net/socket.c:2557 + __sys_sendmsg+0xf7/0x1c0 net/socket.c:2586 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f5303aaabb9 +Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffc7506e548 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5303aaabb9 +RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003 +RBP: 00007f5303a6ed60 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5303a6edf0 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +Fixes: 8d61f926d420 ("netlink: fix potential deadlock in netlink_set_err()") +Reported-by: syzbot+5da61cf6a9bc1902d422@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=5da61cf6a9bc1902d422 +Suggested-by: Eric Dumazet +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230626164313.52528-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 1 + + net/core/sock.c | 17 ++++++++++++++--- + net/netlink/diag.c | 2 +- + 3 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 03e7f7581559d..1fb5c535537c1 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1934,6 +1934,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent) + } + + kuid_t 
sock_i_uid(struct sock *sk); ++unsigned long __sock_i_ino(struct sock *sk); + unsigned long sock_i_ino(struct sock *sk); + + static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk) +diff --git a/net/core/sock.c b/net/core/sock.c +index 9b013d052a722..4e00c6e2cb431 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2175,13 +2175,24 @@ kuid_t sock_i_uid(struct sock *sk) + } + EXPORT_SYMBOL(sock_i_uid); + +-unsigned long sock_i_ino(struct sock *sk) ++unsigned long __sock_i_ino(struct sock *sk) + { + unsigned long ino; + +- read_lock_bh(&sk->sk_callback_lock); ++ read_lock(&sk->sk_callback_lock); + ino = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_ino : 0; +- read_unlock_bh(&sk->sk_callback_lock); ++ read_unlock(&sk->sk_callback_lock); ++ return ino; ++} ++EXPORT_SYMBOL(__sock_i_ino); ++ ++unsigned long sock_i_ino(struct sock *sk) ++{ ++ unsigned long ino; ++ ++ local_bh_disable(); ++ ino = __sock_i_ino(sk); ++ local_bh_enable(); + return ino; + } + EXPORT_SYMBOL(sock_i_ino); +diff --git a/net/netlink/diag.c b/net/netlink/diag.c +index 4143b2ea4195a..e4f21b1067bcc 100644 +--- a/net/netlink/diag.c ++++ b/net/netlink/diag.c +@@ -168,7 +168,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + NETLINK_CB(cb->skb).portid, + cb->nlh->nlmsg_seq, + NLM_F_MULTI, +- sock_i_ino(sk)) < 0) { ++ __sock_i_ino(sk)) < 0) { + ret = 1; + break; + } +-- +2.39.2 + diff --git a/tmp-5.10/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch b/tmp-5.10/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch new file mode 100644 index 00000000000..59bb437a788 --- /dev/null +++ b/tmp-5.10/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch 
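Review bot: `__sock_i_ino()` in net/core/sock.c is exported with no comment stating its calling contract, although it now takes `sk_callback_lock` with a plain `read_lock()` and, per the commit message, is only meant to be used with bottom halves already disabled. I would add a comment above the definition, for example `/* Caller must have BH or IRQs disabled; use sock_i_ino() otherwise. */`, and repeat it next to the new prototype in include/net/sock.h. Without it, a later caller running with BH enabled could pick the double-underscore variant and bring back the lockdep splat that the message attributes to commit f064af1e500a.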
@@ -0,0 +1,157 @@ +From c2632c8e99a95f686c18e6515fddac171942fe23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 17:47:20 +0000 +Subject: netlink: do not hard code device address lenth in fdb dumps + +From: Eric Dumazet + +[ Upstream commit aa5406950726e336c5c9585b09799a734b6e77bf ] + +syzbot reports that some netdev devices do not have a six bytes +address [1] + +Replace ETH_ALEN by dev->addr_len. + +[1] (Case of a device where dev->addr_len = 4) + +BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] +BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169 +instrument_copy_to_user include/linux/instrumented.h:114 [inline] +copyout+0xb8/0x100 lib/iov_iter.c:169 +_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536 +copy_to_iter include/linux/uio.h:206 [inline] +simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513 +__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419 +skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527 +skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] +netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970 +sock_recvmsg_nosec net/socket.c:1019 [inline] +sock_recvmsg net/socket.c:1040 [inline] +____sys_recvmsg+0x283/0x7f0 net/socket.c:2722 +___sys_recvmsg+0x223/0x840 net/socket.c:2764 +do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 +__sys_recvmmsg net/socket.c:2937 [inline] +__do_sys_recvmmsg net/socket.c:2960 [inline] +__se_sys_recvmmsg net/socket.c:2953 [inline] +__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was stored to memory at: +__nla_put lib/nlattr.c:1009 [inline] +nla_put+0x1c6/0x230 lib/nlattr.c:1067 +nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071 +nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline] +ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456 
+rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629 +netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268 +netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995 +sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019 +____sys_recvmsg+0x664/0x7f0 net/socket.c:2720 +___sys_recvmsg+0x223/0x840 net/socket.c:2764 +do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 +__sys_recvmmsg net/socket.c:2937 [inline] +__do_sys_recvmmsg net/socket.c:2960 [inline] +__se_sys_recvmmsg net/socket.c:2953 [inline] +__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: +slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716 +slab_alloc_node mm/slub.c:3451 [inline] +__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490 +kmalloc_trace+0x51/0x200 mm/slab_common.c:1057 +kmalloc include/linux/slab.h:559 [inline] +__hw_addr_create net/core/dev_addr_lists.c:60 [inline] +__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118 +__dev_mc_add net/core/dev_addr_lists.c:867 [inline] +dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885 +igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680 +ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754 +ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708 +addrconf_type_change net/ipv6/addrconf.c:3731 [inline] +addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699 +notifier_call_chain kernel/notifier.c:93 [inline] +raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461 +call_netdevice_notifiers_info net/core/dev.c:1935 [inline] +call_netdevice_notifiers_extack net/core/dev.c:1973 [inline] +call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987 +bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906 +do_set_master net/core/rtnetlink.c:2626 [inline] +rtnl_newlink_create net/core/rtnetlink.c:3460 [inline] +__rtnl_newlink net/core/rtnetlink.c:3660 [inline] +rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673 
+rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395 +netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546 +rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413 +netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] +netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365 +netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913 +sock_sendmsg_nosec net/socket.c:724 [inline] +sock_sendmsg net/socket.c:747 [inline] +____sys_sendmsg+0x999/0xd50 net/socket.c:2503 +___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557 +__sys_sendmsg net/socket.c:2586 [inline] +__do_sys_sendmsg net/socket.c:2595 [inline] +__se_sys_sendmsg net/socket.c:2593 [inline] +__x64_sys_sendmsg+0x304/0x490 net/socket.c:2593 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Bytes 2856-2857 of 3500 are uninitialized +Memory access of size 3500 starts at ffff888018d99104 +Data copied to user address 0000000020000480 + +Fixes: d83b06036048 ("net: add fdb generic dump routine") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20230621174720.1845040-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 888ff53c8144d..d3c03ebf06a5b 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -3889,7 +3889,7 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb, + ndm->ndm_ifindex = dev->ifindex; + ndm->ndm_state = ndm_state; + +- if (nla_put(skb, NDA_LLADDR, ETH_ALEN, addr)) ++ if (nla_put(skb, NDA_LLADDR, dev->addr_len, addr)) + goto nla_put_failure; + if (vid) + if (nla_put(skb, NDA_VLAN, sizeof(u16), &vid)) +@@ -3903,10 +3903,10 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb, + return -EMSGSIZE; + } + +-static inline size_t 
rtnl_fdb_nlmsg_size(void) ++static inline size_t rtnl_fdb_nlmsg_size(const struct net_device *dev) + { + return NLMSG_ALIGN(sizeof(struct ndmsg)) + +- nla_total_size(ETH_ALEN) + /* NDA_LLADDR */ ++ nla_total_size(dev->addr_len) + /* NDA_LLADDR */ + nla_total_size(sizeof(u16)) + /* NDA_VLAN */ + 0; + } +@@ -3918,7 +3918,7 @@ static void rtnl_fdb_notify(struct net_device *dev, u8 *addr, u16 vid, int type, + struct sk_buff *skb; + int err = -ENOBUFS; + +- skb = nlmsg_new(rtnl_fdb_nlmsg_size(), GFP_ATOMIC); ++ skb = nlmsg_new(rtnl_fdb_nlmsg_size(dev), GFP_ATOMIC); + if (!skb) + goto errout; + +-- +2.39.2 + diff --git a/tmp-5.10/netlink-fix-potential-deadlock-in-netlink_set_err.patch b/tmp-5.10/netlink-fix-potential-deadlock-in-netlink_set_err.patch new file mode 100644 index 00000000000..e71063863f2 --- /dev/null +++ b/tmp-5.10/netlink-fix-potential-deadlock-in-netlink_set_err.patch 
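Review bot: rtnl_fdb_notify() still receives a bare `u8 *addr` with no length, while nlmsg_populate_fdb_fill() (first hunk) now copies `dev->addr_len` bytes from that pointer instead of the fixed `ETH_ALEN`. That removes the uninitialized bytes for devices with a short address, but for a device whose `addr_len` is larger than six it turns a bounded six-byte read into a longer one, so every caller has to pass a buffer of at least `dev->addr_len` bytes. The callers are outside these hunks; if any of them validates the address as exactly `ETH_ALEN` bytes, a guard there or a comment on both functions such as `/* addr must point to at least dev->addr_len bytes */` would make the requirement explicit.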
@@ -0,0 +1,117 @@ +From ca8f00bc3f157df70df3480903b22ea7f584dbc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 15:43:37 +0000 +Subject: netlink: fix potential deadlock in netlink_set_err() + +From: Eric Dumazet + +[ Upstream commit 8d61f926d42045961e6b65191c09e3678d86a9cf ] + +syzbot reported a possible deadlock in netlink_set_err() [1] + +A similar issue was fixed in commit 1d482e666b8e ("netlink: disable IRQs +for netlink_lock_table()") in netlink_lock_table() + +This patch adds IRQ safety to netlink_set_err() and __netlink_diag_dump() +which were not covered by cited commit. + +[1] + +WARNING: possible irq lock inversion dependency detected +6.4.0-rc6-syzkaller-00240-g4e9f0ec38852 #0 Not tainted + +syz-executor.2/23011 just changed the state of lock: +ffffffff8e1a7a58 (nl_table_lock){.+.?}-{2:2}, at: netlink_set_err+0x2e/0x3a0 net/netlink/af_netlink.c:1612 +but this lock was taken by another, SOFTIRQ-safe lock in the past: + (&local->queue_stop_reason_lock){..-.}-{2:2} + +and interrupts could create inverse lock ordering between them. 
+ +other info that might help us debug this: + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(nl_table_lock); + local_irq_disable(); + lock(&local->queue_stop_reason_lock); + lock(nl_table_lock); + + lock(&local->queue_stop_reason_lock); + + *** DEADLOCK *** + +Fixes: 1d482e666b8e ("netlink: disable IRQs for netlink_lock_table()") +Reported-by: syzbot+a7d200a347f912723e5c@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=a7d200a347f912723e5c +Link: https://lore.kernel.org/netdev/000000000000e38d1605fea5747e@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Johannes Berg +Link: https://lore.kernel.org/r/20230621154337.1668594-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 5 +++-- + net/netlink/diag.c | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 99c869d8d3044..9737c3229c12a 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -1602,6 +1602,7 @@ static int do_one_set_err(struct sock *sk, struct netlink_set_err_data *p) + int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code) + { + struct netlink_set_err_data info; ++ unsigned long flags; + struct sock *sk; + int ret = 0; + +@@ -1611,12 +1612,12 @@ int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code) + /* sk->sk_err wants a positive error value */ + info.code = -code; + +- read_lock(&nl_table_lock); ++ read_lock_irqsave(&nl_table_lock, flags); + + sk_for_each_bound(sk, &nl_table[ssk->sk_protocol].mc_list) + ret += do_one_set_err(sk, &info); + +- read_unlock(&nl_table_lock); ++ read_unlock_irqrestore(&nl_table_lock, flags); + return ret; + } + EXPORT_SYMBOL(netlink_set_err); +diff --git a/net/netlink/diag.c b/net/netlink/diag.c +index c6255eac305c7..4143b2ea4195a 100644 +--- a/net/netlink/diag.c ++++ b/net/netlink/diag.c +@@ -94,6 +94,7 @@ static int 
__netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + struct net *net = sock_net(skb->sk); + struct netlink_diag_req *req; + struct netlink_sock *nlsk; ++ unsigned long flags; + struct sock *sk; + int num = 2; + int ret = 0; +@@ -152,7 +153,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + num++; + + mc_list: +- read_lock(&nl_table_lock); ++ read_lock_irqsave(&nl_table_lock, flags); + sk_for_each_bound(sk, &tbl->mc_list) { + if (sk_hashed(sk)) + continue; +@@ -173,7 +174,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb, + } + num++; + } +- read_unlock(&nl_table_lock); ++ read_unlock_irqrestore(&nl_table_lock, flags); + + done: + cb->args[0] = num; +-- +2.39.2 + diff --git a/tmp-5.10/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch b/tmp-5.10/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch new file mode 100644 index 00000000000..c6dd43b9147 --- /dev/null +++ b/tmp-5.10/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch 
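Review bot: The `read_lock_irqsave(&nl_table_lock, flags)` in __netlink_diag_dump() keeps IRQs disabled across the whole `sk_for_each_bound()` loop, so nothing called from the loop body may re-enable bottom halves or interrupts. The companion patch on this page (netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch) shows the loop reaching sock_i_ino(), whose read_unlock_bh() trips the __local_bh_enable_ip() warning, so the two patches need to stay queued together. A comment at both lock sites, for example `/* nl_table_lock is also taken under SOFTIRQ-safe locks; keep IRQs off here */`, would explain why the plain read_lock() must not come back. The loop body lies partly between the two diag.c hunks and is not fully visible here.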
@@ -0,0 +1,465 @@ +From 18de3171ec2270d9e520a5325a8dfdf385729ed2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jul 2021 16:41:59 +0200 +Subject: nfc: constify several pointers to u8, char and sk_buff + +From: Krzysztof Kozlowski + +[ Upstream commit 3df40eb3a2ea58bf404a38f15a7a2768e4762cb0 ] + +Several functions receive pointers to u8, char or sk_buff but do not +modify the contents so make them const. This allows doing the same for +local variables and in total makes the code a little bit safer. + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Stable-dep-of: 0d9b41daa590 ("nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect()") +Signed-off-by: Sasha Levin +--- + include/net/nfc/nfc.h | 4 ++-- + net/nfc/core.c | 4 ++-- + net/nfc/hci/llc_shdlc.c | 10 ++++----- + net/nfc/llcp.h | 8 +++---- + net/nfc/llcp_commands.c | 46 ++++++++++++++++++++++------------------- + net/nfc/llcp_core.c | 44 +++++++++++++++++++++------------------ + net/nfc/nfc.h | 2 +- + 7 files changed, 63 insertions(+), 55 deletions(-) + +diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h +index 2cd3a261bcbcf..32890e43f06cc 100644 +--- a/include/net/nfc/nfc.h ++++ b/include/net/nfc/nfc.h +@@ -266,7 +266,7 @@ struct sk_buff *nfc_alloc_send_skb(struct nfc_dev *dev, struct sock *sk, + struct sk_buff *nfc_alloc_recv_skb(unsigned int size, gfp_t gfp); + + int nfc_set_remote_general_bytes(struct nfc_dev *dev, +- u8 *gt, u8 gt_len); ++ const u8 *gt, u8 gt_len); + u8 *nfc_get_local_general_bytes(struct nfc_dev *dev, size_t *gb_len); + + int nfc_fw_download_done(struct nfc_dev *dev, const char *firmware_name, +@@ -280,7 +280,7 @@ int nfc_dep_link_is_up(struct nfc_dev *dev, u32 target_idx, + u8 comm_mode, u8 rf_mode); + + int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode, +- u8 *gb, size_t gb_len); ++ const u8 *gb, size_t gb_len); + int nfc_tm_deactivated(struct nfc_dev *dev); + int nfc_tm_data_received(struct nfc_dev *dev, 
struct sk_buff *skb); + +diff --git a/net/nfc/core.c b/net/nfc/core.c +index 2ef56366bd5fe..10a3d740d1553 100644 +--- a/net/nfc/core.c ++++ b/net/nfc/core.c +@@ -634,7 +634,7 @@ int nfc_disable_se(struct nfc_dev *dev, u32 se_idx) + return rc; + } + +-int nfc_set_remote_general_bytes(struct nfc_dev *dev, u8 *gb, u8 gb_len) ++int nfc_set_remote_general_bytes(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + { + pr_debug("dev_name=%s gb_len=%d\n", dev_name(&dev->dev), gb_len); + +@@ -663,7 +663,7 @@ int nfc_tm_data_received(struct nfc_dev *dev, struct sk_buff *skb) + EXPORT_SYMBOL(nfc_tm_data_received); + + int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode, +- u8 *gb, size_t gb_len) ++ const u8 *gb, size_t gb_len) + { + int rc; + +diff --git a/net/nfc/hci/llc_shdlc.c b/net/nfc/hci/llc_shdlc.c +index 0eb4ddc056e78..02909e3e91ef1 100644 +--- a/net/nfc/hci/llc_shdlc.c ++++ b/net/nfc/hci/llc_shdlc.c +@@ -123,7 +123,7 @@ static bool llc_shdlc_x_lteq_y_lt_z(int x, int y, int z) + return ((y >= x) || (y < z)) ? true : false; + } + +-static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc, ++static struct sk_buff *llc_shdlc_alloc_skb(const struct llc_shdlc *shdlc, + int payload_len) + { + struct sk_buff *skb; +@@ -137,7 +137,7 @@ static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc, + } + + /* immediately sends an S frame. */ +-static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc, ++static int llc_shdlc_send_s_frame(const struct llc_shdlc *shdlc, + enum sframe_type sframe_type, int nr) + { + int r; +@@ -159,7 +159,7 @@ static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc, + } + + /* immediately sends an U frame. 
skb may contain optional payload */ +-static int llc_shdlc_send_u_frame(struct llc_shdlc *shdlc, ++static int llc_shdlc_send_u_frame(const struct llc_shdlc *shdlc, + struct sk_buff *skb, + enum uframe_modifier uframe_modifier) + { +@@ -361,7 +361,7 @@ static void llc_shdlc_connect_complete(struct llc_shdlc *shdlc, int r) + wake_up(shdlc->connect_wq); + } + +-static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc) ++static int llc_shdlc_connect_initiate(const struct llc_shdlc *shdlc) + { + struct sk_buff *skb; + +@@ -377,7 +377,7 @@ static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc) + return llc_shdlc_send_u_frame(shdlc, skb, U_FRAME_RSET); + } + +-static int llc_shdlc_connect_send_ua(struct llc_shdlc *shdlc) ++static int llc_shdlc_connect_send_ua(const struct llc_shdlc *shdlc) + { + struct sk_buff *skb; + +diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h +index 97853c9cefc70..d49d4bf2e37c8 100644 +--- a/net/nfc/llcp.h ++++ b/net/nfc/llcp.h +@@ -221,15 +221,15 @@ struct sock *nfc_llcp_accept_dequeue(struct sock *sk, struct socket *newsock); + + /* TLV API */ + int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, +- u8 *tlv_array, u16 tlv_array_len); ++ const u8 *tlv_array, u16 tlv_array_len); + int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock, +- u8 *tlv_array, u16 tlv_array_len); ++ const u8 *tlv_array, u16 tlv_array_len); + + /* Commands API */ + void nfc_llcp_recv(void *data, struct sk_buff *skb, int err); +-u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length); ++u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length); + struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap); +-struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri, ++struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri, + size_t uri_len); + void nfc_llcp_free_sdp_tlv(struct nfc_llcp_sdp_tlv *sdp); + void nfc_llcp_free_sdp_tlv_list(struct hlist_head *sdp_head); +diff --git 
a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index 475061c79c442..3c4172a5aeb5e 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -15,7 +15,7 @@ + #include "nfc.h" + #include "llcp.h" + +-static u8 llcp_tlv_length[LLCP_TLV_MAX] = { ++static const u8 llcp_tlv_length[LLCP_TLV_MAX] = { + 0, + 1, /* VERSION */ + 2, /* MIUX */ +@@ -29,7 +29,7 @@ static u8 llcp_tlv_length[LLCP_TLV_MAX] = { + + }; + +-static u8 llcp_tlv8(u8 *tlv, u8 type) ++static u8 llcp_tlv8(const u8 *tlv, u8 type) + { + if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]]) + return 0; +@@ -37,7 +37,7 @@ static u8 llcp_tlv8(u8 *tlv, u8 type) + return tlv[2]; + } + +-static u16 llcp_tlv16(u8 *tlv, u8 type) ++static u16 llcp_tlv16(const u8 *tlv, u8 type) + { + if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]]) + return 0; +@@ -46,37 +46,37 @@ static u16 llcp_tlv16(u8 *tlv, u8 type) + } + + +-static u8 llcp_tlv_version(u8 *tlv) ++static u8 llcp_tlv_version(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_VERSION); + } + +-static u16 llcp_tlv_miux(u8 *tlv) ++static u16 llcp_tlv_miux(const u8 *tlv) + { + return llcp_tlv16(tlv, LLCP_TLV_MIUX) & 0x7ff; + } + +-static u16 llcp_tlv_wks(u8 *tlv) ++static u16 llcp_tlv_wks(const u8 *tlv) + { + return llcp_tlv16(tlv, LLCP_TLV_WKS); + } + +-static u16 llcp_tlv_lto(u8 *tlv) ++static u16 llcp_tlv_lto(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_LTO); + } + +-static u8 llcp_tlv_opt(u8 *tlv) ++static u8 llcp_tlv_opt(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_OPT); + } + +-static u8 llcp_tlv_rw(u8 *tlv) ++static u8 llcp_tlv_rw(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_RW) & 0xf; + } + +-u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length) ++u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length) + { + u8 *tlv, length; + +@@ -130,7 +130,7 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap) + return sdres; + } + +-struct nfc_llcp_sdp_tlv 
*nfc_llcp_build_sdreq_tlv(u8 tid, char *uri, ++struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri, + size_t uri_len) + { + struct nfc_llcp_sdp_tlv *sdreq; +@@ -190,9 +190,10 @@ void nfc_llcp_free_sdp_tlv_list(struct hlist_head *head) + } + + int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, +- u8 *tlv_array, u16 tlv_array_len) ++ const u8 *tlv_array, u16 tlv_array_len) + { +- u8 *tlv = tlv_array, type, length, offset = 0; ++ const u8 *tlv = tlv_array; ++ u8 type, length, offset = 0; + + pr_debug("TLV array length %d\n", tlv_array_len); + +@@ -239,9 +240,10 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, + } + + int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock, +- u8 *tlv_array, u16 tlv_array_len) ++ const u8 *tlv_array, u16 tlv_array_len) + { +- u8 *tlv = tlv_array, type, length, offset = 0; ++ const u8 *tlv = tlv_array; ++ u8 type, length, offset = 0; + + pr_debug("TLV array length %d\n", tlv_array_len); + +@@ -295,7 +297,7 @@ static struct sk_buff *llcp_add_header(struct sk_buff *pdu, + return pdu; + } + +-static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, u8 *tlv, ++static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, const u8 *tlv, + u8 tlv_length) + { + /* XXX Add an skb length check */ +@@ -389,9 +391,10 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock) + { + struct nfc_llcp_local *local; + struct sk_buff *skb; +- u8 *service_name_tlv = NULL, service_name_tlv_length; +- u8 *miux_tlv = NULL, miux_tlv_length; +- u8 *rw_tlv = NULL, rw_tlv_length, rw; ++ const u8 *service_name_tlv = NULL; ++ const u8 *miux_tlv = NULL; ++ const u8 *rw_tlv = NULL; ++ u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw; + int err; + u16 size = 0; + __be16 miux; +@@ -465,8 +468,9 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock) + { + struct nfc_llcp_local *local; + struct sk_buff *skb; +- u8 *miux_tlv = NULL, miux_tlv_length; +- u8 *rw_tlv = NULL, rw_tlv_length, rw; ++ const u8 *miux_tlv = NULL; ++ 
const u8 *rw_tlv = NULL; ++ u8 miux_tlv_length, rw_tlv_length, rw; + int err; + u16 size = 0; + __be16 miux; +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index edadebb3efd2a..fd43e75abd948 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -302,7 +302,7 @@ static char *wks[] = { + "urn:nfc:sn:snep", + }; + +-static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len) ++static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len) + { + int sap, num_wks; + +@@ -326,7 +326,7 @@ static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len) + + static + struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local, +- u8 *sn, size_t sn_len) ++ const u8 *sn, size_t sn_len) + { + struct sock *sk; + struct nfc_llcp_sock *llcp_sock, *tmp_sock; +@@ -523,7 +523,7 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local) + { + u8 *gb_cur, version, version_length; + u8 lto_length, wks_length, miux_length; +- u8 *version_tlv = NULL, *lto_tlv = NULL, ++ const u8 *version_tlv = NULL, *lto_tlv = NULL, + *wks_tlv = NULL, *miux_tlv = NULL; + __be16 wks = cpu_to_be16(local->local_wks); + u8 gb_len = 0; +@@ -613,7 +613,7 @@ u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len) + return local->gb; + } + +-int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len) ++int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + { + struct nfc_llcp_local *local; + +@@ -640,27 +640,27 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len) + local->remote_gb_len - 3); + } + +-static u8 nfc_llcp_dsap(struct sk_buff *pdu) ++static u8 nfc_llcp_dsap(const struct sk_buff *pdu) + { + return (pdu->data[0] & 0xfc) >> 2; + } + +-static u8 nfc_llcp_ptype(struct sk_buff *pdu) ++static u8 nfc_llcp_ptype(const struct sk_buff *pdu) + { + return ((pdu->data[0] & 0x03) << 2) | ((pdu->data[1] & 0xc0) >> 6); + } + +-static u8 nfc_llcp_ssap(struct sk_buff *pdu) ++static u8 
nfc_llcp_ssap(const struct sk_buff *pdu) + { + return pdu->data[1] & 0x3f; + } + +-static u8 nfc_llcp_ns(struct sk_buff *pdu) ++static u8 nfc_llcp_ns(const struct sk_buff *pdu) + { + return pdu->data[2] >> 4; + } + +-static u8 nfc_llcp_nr(struct sk_buff *pdu) ++static u8 nfc_llcp_nr(const struct sk_buff *pdu) + { + return pdu->data[2] & 0xf; + } +@@ -802,7 +802,7 @@ static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local + } + + static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local, +- u8 *sn, size_t sn_len) ++ const u8 *sn, size_t sn_len) + { + struct nfc_llcp_sock *llcp_sock; + +@@ -816,9 +816,10 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local, + return llcp_sock; + } + +-static u8 *nfc_llcp_connect_sn(struct sk_buff *skb, size_t *sn_len) ++static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len) + { +- u8 *tlv = &skb->data[2], type, length; ++ u8 type, length; ++ const u8 *tlv = &skb->data[2]; + size_t tlv_array_len = skb->len - LLCP_HEADER_SIZE, offset = 0; + + while (offset < tlv_array_len) { +@@ -876,7 +877,7 @@ static void nfc_llcp_recv_ui(struct nfc_llcp_local *local, + } + + static void nfc_llcp_recv_connect(struct nfc_llcp_local *local, +- struct sk_buff *skb) ++ const struct sk_buff *skb) + { + struct sock *new_sk, *parent; + struct nfc_llcp_sock *sock, *new_sock; +@@ -894,7 +895,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local, + goto fail; + } + } else { +- u8 *sn; ++ const u8 *sn; + size_t sn_len; + + sn = nfc_llcp_connect_sn(skb, &sn_len); +@@ -1113,7 +1114,7 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local, + } + + static void nfc_llcp_recv_disc(struct nfc_llcp_local *local, +- struct sk_buff *skb) ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; + struct sock *sk; +@@ -1156,7 +1157,8 @@ static void nfc_llcp_recv_disc(struct nfc_llcp_local *local, + nfc_llcp_sock_put(llcp_sock); + } + +-static 
void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb) ++static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; + struct sock *sk; +@@ -1189,7 +1191,8 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb) + nfc_llcp_sock_put(llcp_sock); + } + +-static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb) ++static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; + struct sock *sk; +@@ -1227,12 +1230,13 @@ static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb) + } + + static void nfc_llcp_recv_snl(struct nfc_llcp_local *local, +- struct sk_buff *skb) ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; +- u8 dsap, ssap, *tlv, type, length, tid, sap; ++ u8 dsap, ssap, type, length, tid, sap; ++ const u8 *tlv; + u16 tlv_len, offset; +- char *service_name; ++ const char *service_name; + size_t service_name_len; + struct nfc_llcp_sdp_tlv *sdp; + HLIST_HEAD(llc_sdres_list); +diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h +index 889fefd64e56b..de2ec66d7e83a 100644 +--- a/net/nfc/nfc.h ++++ b/net/nfc/nfc.h +@@ -48,7 +48,7 @@ void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx, + u8 comm_mode, u8 rf_mode); + int nfc_llcp_register_device(struct nfc_dev *dev); + void nfc_llcp_unregister_device(struct nfc_dev *dev); +-int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len); ++int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len); + u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len); + int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb); + struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev); +-- +2.39.2 + 
diff --git a/tmp-5.10/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch b/tmp-5.10/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch new file mode 100644 index 00000000000..287d54bd465 --- /dev/null +++ b/tmp-5.10/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch @@ -0,0 +1,41 @@ +From 953865878bb11ed6b9f729717f012aa30be6ab61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 May 2023 13:52:04 +0200 +Subject: nfc: llcp: fix possible use of uninitialized variable in + nfc_llcp_send_connect() + +From: Krzysztof Kozlowski + +[ Upstream commit 0d9b41daa5907756a31772d8af8ac5ff25cf17c1 ] + +If sock->service_name is NULL, the local variable +service_name_tlv_length will not be assigned by nfc_llcp_build_tlv(), +later leading to using value frmo the stack. Smatch warning: + + net/nfc/llcp_commands.c:442 nfc_llcp_send_connect() error: uninitialized symbol 'service_name_tlv_length'. + +Fixes: de9e5aeb4f40 ("NFC: llcp: Fix usage of llcp_add_tlv()") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_commands.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index 3c4172a5aeb5e..bb9f40563ff63 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -394,7 +394,8 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock) + const u8 *service_name_tlv = NULL; + const u8 *miux_tlv = NULL; + const u8 *rw_tlv = NULL; +- u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw; ++ u8 service_name_tlv_length = 0; ++ u8 miux_tlv_length, rw_tlv_length, rw; + int err; + u16 size = 0; + __be16 miux; +-- +2.39.2 + diff --git a/tmp-5.10/nfc-llcp-simplify-llcp_sock_connect-error-paths.patch b/tmp-5.10/nfc-llcp-simplify-llcp_sock_connect-error-paths.patch new file mode 100644 index 00000000000..6a585191d08 --- /dev/null +++ b/tmp-5.10/nfc-llcp-simplify-llcp_sock_connect-error-paths.patch 
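Review bot: In nfc_llcp_send_connect() only `service_name_tlv_length` gets an initializer; `miux_tlv_length` and `rw_tlv_length` on the next added line are still declared without one, although they are filled the same way, through the out-parameter of nfc_llcp_build_tlv(). If that helper can return before writing its length argument (its body is outside this hunk, so this needs confirming), the same kind of stale stack value would reach the PDU size calculation. Initializing all of them, `u8 miux_tlv_length = 0, rw_tlv_length = 0, rw;`, or checking the returned pointers before the lengths are summed, covers the whole class rather than the one case Smatch reported. nfc_llcp_send_cc() declares `miux_tlv_length` and `rw_tlv_length` the same way and deserves the same look; the function body continues outside the hunk.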
@@ -0,0 +1,51 @@ +From 998b900982f58640594482f27569947d33e70a94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Mar 2022 20:25:19 +0100 +Subject: nfc: llcp: simplify llcp_sock_connect() error paths + +From: Krzysztof Kozlowski + +[ Upstream commit ec10fd154d934cc4195da3cbd017a12817b41d51 ] + +The llcp_sock_connect() error paths were using a mixed way of central +exit (goto) and cleanup + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Stable-dep-of: 6709d4b7bc2e ("net: nfc: Fix use-after-free caused by nfc_llcp_find_local") +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_sock.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c +index 0b93a17b9f11f..fdf0856182c65 100644 +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -712,10 +712,8 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, + llcp_sock->local = nfc_llcp_local_get(local); + llcp_sock->ssap = nfc_llcp_get_local_ssap(local); + if (llcp_sock->ssap == LLCP_SAP_MAX) { +- nfc_llcp_local_put(llcp_sock->local); +- llcp_sock->local = NULL; + ret = -ENOMEM; +- goto put_dev; ++ goto sock_llcp_put_local; + } + + llcp_sock->reserved_ssap = llcp_sock->ssap; +@@ -760,8 +758,11 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, + + sock_llcp_release: + nfc_llcp_put_ssap(local, llcp_sock->ssap); ++ ++sock_llcp_put_local: + nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ++ llcp_sock->dev = NULL; + + put_dev: + nfc_put_device(dev); +-- +2.39.2 + diff --git a/tmp-5.10/nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch b/tmp-5.10/nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch new file mode 100644 index 00000000000..7c0e9f71550 --- /dev/null +++ b/tmp-5.10/nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch 
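Review bot: The new `sock_llcp_put_local:` path adds `llcp_sock->dev = NULL;`, which the removed inline cleanup did not do and which the commit message, describing only a simplification, does not mention. Because the statement sits below both `sock_llcp_release:` and `sock_llcp_put_local:`, every failure after nfc_llcp_local_get() now clears the device pointer before `put_dev:` drops the device reference. That looks like the safer state for a socket whose connect failed, but it is a behaviour change and should be called out, for example with `/* connect failed: drop the local reference and leave no stale local/dev pointers on the socket */` above the label. The function starts and ends outside the hunk, so where `llcp_sock->dev` is first assigned cannot be confirmed here.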
@@ -0,0 +1,32 @@ +From 58f5d894006d82ed7335e1c37182fbc5f08c2f51 Mon Sep 17 00:00:00 2001 +From: Dai Ngo +Date: Tue, 6 Jun 2023 16:41:02 -0700 +Subject: NFSD: add encoding of op_recall flag for write delegation + +From: Dai Ngo + +commit 58f5d894006d82ed7335e1c37182fbc5f08c2f51 upstream. + +Modified nfsd4_encode_open to encode the op_recall flag properly +for OPEN result with write delegation granted. + +Signed-off-by: Dai Ngo +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4xdr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -3705,7 +3705,7 @@ nfsd4_encode_open(struct nfsd4_compoundr + p = xdr_reserve_space(xdr, 32); + if (!p) + return nfserr_resource; +- *p++ = cpu_to_be32(0); ++ *p++ = cpu_to_be32(open->op_recall); + + /* + * TODO: space_limit's in delegations diff --git a/tmp-5.10/nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch b/tmp-5.10/nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch new file mode 100644 index 00000000000..e2b3a19e217 --- /dev/null +++ b/tmp-5.10/nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch 
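Review bot: `*p++ = cpu_to_be32(open->op_recall);` puts the field on the wire exactly as stored, and the type of `op_recall` is not visible in this hunk. The commit message calls it a flag; if the field is wider than `bool`, normalising it with `*p++ = cpu_to_be32(!!open->op_recall);` guarantees a client never sees a value other than 0 or 1. A short trailing comment such as `/* recall */` would also help, since this word is one of several written into the 32 bytes reserved just above. nfsd4_encode_open() continues outside the hunk.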
@@ -0,0 +1,41 @@ +From 8fdf7a52857c304fa818cfe881d03e4577dbd0a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jun 2023 17:32:25 -0400 +Subject: NFSv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION + +From: Olga Kornievskaia + +[ Upstream commit c907e72f58ed979a24a9fdcadfbc447c51d5e509 ] + +When the client received NFS4ERR_BADSESSION, it schedules recovery +and start the state manager thread which in turn freezes the +session table and does not allow for any new requests to use the +no-longer valid session. However, it is possible that before +the state manager thread runs, a new operation would use the +released slot that received BADSESSION and was therefore not +updated its sequence number. Such re-use of the slot can lead +the application errors. + +Fixes: 5c441544f045 ("NFSv4.x: Handle bad/dead sessions correctly in nfs41_sequence_process()") +Signed-off-by: Olga Kornievskaia +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index bca5d1bdd79bd..b9567cc8698ed 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -926,6 +926,7 @@ static int nfs41_sequence_process(struct rpc_task *task, + out_noaction: + return ret; + session_recover: ++ set_bit(NFS4_SLOT_TBL_DRAINING, &session->fc_slot_table.slot_tbl_state); + nfs4_schedule_session_recovery(session, status); + dprintk("%s ERROR: %d Reset session\n", __func__, status); + nfs41_sequence_free_slot(res); +-- +2.39.2 + diff --git a/tmp-5.10/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch b/tmp-5.10/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch new file mode 100644 index 00000000000..d17921103f2 --- /dev/null +++ b/tmp-5.10/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch 
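Review bot: The added `set_bit(NFS4_SLOT_TBL_DRAINING, ...)` under `session_recover:` carries no comment, and nothing in the hunk shows where the bit is cleared again. The commit message explains the intent (keep new operations off a slot whose sequence number was not updated until the state manager has run), and that reasoning belongs next to the line, e.g. `/* Freeze the slot table now; the state manager may not have run yet */`. It is also worth confirming that every outcome of nfs4_schedule_session_recovery() ends with the draining state being lifted, since a table left in that state would stall later requests on the session. The function body starts outside the hunk.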
@@ -0,0 +1,64 @@ +From acb70e7fad57fad2b84b9cef5f7abdbafd1deea1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 09:43:09 +0000 +Subject: NTB: amd: Fix error handling in amd_ntb_pci_driver_init() + +From: Yuan Can + +[ Upstream commit 98af0a33c1101c29b3ce4f0cf4715fd927c717f9 ] + +A problem about ntb_hw_amd create debugfs failed is triggered with the +following log given: + + [ 618.431232] AMD(R) PCI-E Non-Transparent Bridge Driver 1.0 + [ 618.433284] debugfs: Directory 'ntb_hw_amd' with parent '/' already present! + +The reason is that amd_ntb_pci_driver_init() returns pci_register_driver() +directly without checking its return value, if pci_register_driver() +failed, it returns without destroy the newly created debugfs, resulting +the debugfs of ntb_hw_amd can never be created later. + + amd_ntb_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. 
+ +Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge") +Signed-off-by: Yuan Can +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/amd/ntb_hw_amd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c +index 71428d8cbcfc5..ac401ad7884a6 100644 +--- a/drivers/ntb/hw/amd/ntb_hw_amd.c ++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c +@@ -1344,12 +1344,17 @@ static struct pci_driver amd_ntb_pci_driver = { + + static int __init amd_ntb_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + if (debugfs_initialized()) + debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); + +- return pci_register_driver(&amd_ntb_pci_driver); ++ ret = pci_register_driver(&amd_ntb_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(debugfs_dir); ++ ++ return ret; + } + module_init(amd_ntb_pci_driver_init); + +-- +2.39.2 + diff --git a/tmp-5.10/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch b/tmp-5.10/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch new file mode 100644 index 00000000000..420401f97cb --- /dev/null +++ b/tmp-5.10/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch 
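Review bot: On the error path of amd_ntb_pci_driver_init(), `debugfs_remove_recursive(debugfs_dir);` leaves the file-scope `debugfs_dir` pointing at the removed directory; adding `debugfs_dir = NULL;` after the removal keeps any later reader of the variable from touching a freed dentry (whether one can run after a failed init is not visible here). The new `int ret;` is also followed directly by `pr_info(...)`, where kernel style puts a blank line between declarations and the first statement. Both remarks apply unchanged to idt_pci_driver_init() (`dbgfs_topdir`) and intel_ntb_pci_driver_init() in the two patches that follow.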
@@ -0,0 +1,66 @@ +From 901c9a0805498149af8ac8ca51b1ca8cba34d3d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 09:43:01 +0000 +Subject: ntb: idt: Fix error handling in idt_pci_driver_init() + +From: Yuan Can + +[ Upstream commit c012968259b451dc4db407f2310fe131eaefd800 ] + +A problem about ntb_hw_idt create debugfs failed is triggered with the +following log given: + + [ 1236.637636] IDT PCI-E Non-Transparent Bridge Driver 2.0 + [ 1236.639292] debugfs: Directory 'ntb_hw_idt' with parent '/' already present! + +The reason is that idt_pci_driver_init() returns pci_register_driver() +directly without checking its return value, if pci_register_driver() +failed, it returns without destroy the newly created debugfs, resulting +the debugfs of ntb_hw_idt can never be created later. + + idt_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. 
+ +Fixes: bf2a952d31d2 ("NTB: Add IDT 89HPESxNTx PCIe-switches support") +Signed-off-by: Yuan Can +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/idt/ntb_hw_idt.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c +index d54261f508519..99711dd0b6e8e 100644 +--- a/drivers/ntb/hw/idt/ntb_hw_idt.c ++++ b/drivers/ntb/hw/idt/ntb_hw_idt.c +@@ -2902,6 +2902,7 @@ static struct pci_driver idt_pci_driver = { + + static int __init idt_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + /* Create the top DebugFS directory if the FS is initialized */ +@@ -2909,7 +2910,11 @@ static int __init idt_pci_driver_init(void) + dbgfs_topdir = debugfs_create_dir(KBUILD_MODNAME, NULL); + + /* Register the NTB hardware driver to handle the PCI device */ +- return pci_register_driver(&idt_pci_driver); ++ ret = pci_register_driver(&idt_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(dbgfs_topdir); ++ ++ return ret; + } + module_init(idt_pci_driver_init); + +-- +2.39.2 + diff --git a/tmp-5.10/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch b/tmp-5.10/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch new file mode 100644 index 00000000000..2a289bac2d2 --- /dev/null +++ b/tmp-5.10/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch 
@@ -0,0 +1,65 @@ +From f716610f915b3ea672a36b1d2b7d9c5077b6ef2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 09:43:22 +0000 +Subject: ntb: intel: Fix error handling in intel_ntb_pci_driver_init() + +From: Yuan Can + +[ Upstream commit 4c3c796aca02883ad35bb117468938cc4022ca41 ] + +A problem about ntb_hw_intel create debugfs failed is triggered with the +following log given: + + [ 273.112733] Intel(R) PCI-E Non-Transparent Bridge Driver 2.0 + [ 273.115342] debugfs: Directory 'ntb_hw_intel' with parent '/' already present! + +The reason is that intel_ntb_pci_driver_init() returns +pci_register_driver() directly without checking its return value, if +pci_register_driver() failed, it returns without destroy the newly created +debugfs, resulting the debugfs of ntb_hw_intel can never be created later. + + intel_ntb_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. 
+ +Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") +Signed-off-by: Yuan Can +Acked-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/intel/ntb_hw_gen1.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c +index 093dd20057b92..4f1add57d81de 100644 +--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c ++++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c +@@ -2068,12 +2068,17 @@ static struct pci_driver intel_ntb_pci_driver = { + + static int __init intel_ntb_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + if (debugfs_initialized()) + debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); + +- return pci_register_driver(&intel_ntb_pci_driver); ++ ret = pci_register_driver(&intel_ntb_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(debugfs_dir); ++ ++ return ret; + } + module_init(intel_ntb_pci_driver_init); + +-- +2.39.2 + diff --git a/tmp-5.10/ntb-ntb_tool-add-check-for-devm_kcalloc.patch b/tmp-5.10/ntb-ntb_tool-add-check-for-devm_kcalloc.patch new file mode 100644 index 00000000000..5f429a789e6 --- /dev/null +++ b/tmp-5.10/ntb-ntb_tool-add-check-for-devm_kcalloc.patch 
@@ -0,0 +1,39 @@ +From 8b3f4f715a23299487155e9d8bd3d2eb1e0c320c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 11:32:44 +0800 +Subject: NTB: ntb_tool: Add check for devm_kcalloc + +From: Jiasheng Jiang + +[ Upstream commit 2790143f09938776a3b4f69685b380bae8fd06c7 ] + +As the devm_kcalloc may return NULL pointer, +it should be better to add check for the return +value, as same as the others. + +Fixes: 7f46c8b3a552 ("NTB: ntb_tool: Add full multi-port NTB API support") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Serge Semin +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/test/ntb_tool.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c +index 5ee0afa621a95..eeeb4b1c97d2c 100644 +--- a/drivers/ntb/test/ntb_tool.c ++++ b/drivers/ntb/test/ntb_tool.c +@@ -998,6 +998,8 @@ static int tool_init_mws(struct tool_ctx *tc) + tc->peers[pidx].outmws = + devm_kcalloc(&tc->ntb->dev, tc->peers[pidx].outmw_cnt, + sizeof(*tc->peers[pidx].outmws), GFP_KERNEL); ++ if (tc->peers[pidx].outmws == NULL) ++ return -ENOMEM; + + for (widx = 0; widx < tc->peers[pidx].outmw_cnt; widx++) { + tc->peers[pidx].outmws[widx].pidx = pidx; +-- +2.39.2 + diff --git a/tmp-5.10/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch b/tmp-5.10/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch new file mode 100644 index 00000000000..8d734829721 --- /dev/null +++ b/tmp-5.10/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch 
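Review bot: The early `return -ENOMEM;` in tool_init_mws() leaves `tc->peers[pidx].outmw_cnt` non-zero while `outmws` is NULL for that peer. If any cleanup reached after this failure walks the array by that count it would dereference NULL, so either reset the count before returning or confirm that the caller's unwind (outside this hunk) skips memory-window teardown. As a point of style the check reads more idiomatically as `if (!tc->peers[pidx].outmws)`.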
@@ -0,0 +1,42 @@ +From 38ff45890011895a2d3548a48689e979c73e0e5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 23:19:17 +0800 +Subject: NTB: ntb_transport: fix possible memory leak while device_register() + fails + +From: Yang Yingliang + +[ Upstream commit 8623ccbfc55d962e19a3537652803676ad7acb90 ] + +If device_register() returns error, the name allocated by +dev_set_name() need be freed. As comment of device_register() +says, it should use put_device() to give up the reference in +the error path. So fix this by calling put_device(), then the +name can be freed in kobject_cleanup(), and client_dev is freed +in ntb_transport_client_release(). + +Fixes: fce8a7bb5b4b ("PCI-Express Non-Transparent Bridge Support") +Signed-off-by: Yang Yingliang +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/ntb_transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c +index 4a02561cfb965..d18cb44765603 100644 +--- a/drivers/ntb/ntb_transport.c ++++ b/drivers/ntb/ntb_transport.c +@@ -412,7 +412,7 @@ int ntb_transport_register_client_dev(char *device_name) + + rc = device_register(dev); + if (rc) { +- kfree(client_dev); ++ put_device(dev); + goto err; + } + +-- +2.39.2 + diff --git a/tmp-5.10/nubus-partially-revert-proc_create_single_data-conversion.patch b/tmp-5.10/nubus-partially-revert-proc_create_single_data-conversion.patch new file mode 100644 index 00000000000..2f39db401cb --- /dev/null +++ b/tmp-5.10/nubus-partially-revert-proc_create_single_data-conversion.patch 
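Review bot: After `put_device(dev);` nothing reached through `goto err` may touch `client_dev` or `dev` again, because according to the commit message the release callback ntb_transport_client_release() frees client_dev. The `err:` label is outside this hunk; if it unregisters or frees entries, check that the one that just failed is not on any list it walks. A comment at the call, `/* device_register() failed: put_device() frees client_dev via the release callback */`, would keep a later cleanup from reintroducing the `kfree()` and with it a double free.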
@@ -0,0 +1,117 @@ +From 0e96647cff9224db564a1cee6efccb13dbe11ee2 Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Tue, 14 Mar 2023 19:51:59 +1100 +Subject: nubus: Partially revert proc_create_single_data() conversion + +From: Finn Thain + +commit 0e96647cff9224db564a1cee6efccb13dbe11ee2 upstream. + +The conversion to proc_create_single_data() introduced a regression +whereby reading a file in /proc/bus/nubus results in a seg fault: + + # grep -r . /proc/bus/nubus/e/ + Data read fault at 0x00000020 in Super Data (pc=0x1074c2) + BAD KERNEL BUSERR + Oops: 00000000 + Modules linked in: + PC: [<001074c2>] PDE_DATA+0xc/0x16 + SR: 2010 SP: 38284958 a2: 01152370 + d0: 00000001 d1: 01013000 d2: 01002790 d3: 00000000 + d4: 00000001 d5: 0008ce2e a0: 00000000 a1: 00222a40 + Process grep (pid: 45, task=142f8727) + Frame format=B ssw=074d isc=2008 isb=4e5e daddr=00000020 dobuf=01199e70 + baddr=001074c8 dibuf=ffffffff ver=f + Stack from 01199e48: + 01199e70 00222a58 01002790 00000000 011a3000 01199eb0 015000c0 00000000 + 00000000 01199ec0 01199ec0 000d551a 011a3000 00000001 00000000 00018000 + d003f000 00000003 00000001 0002800d 01052840 01199fa8 c01f8000 00000000 + 00000029 0b532b80 00000000 00000000 00000029 0b532b80 01199ee4 00103640 + 011198c0 d003f000 00018000 01199fa8 00000000 011198c0 00000000 01199f4c + 000b3344 011198c0 d003f000 00018000 01199fa8 00000000 00018000 011198c0 + Call Trace: [<00222a58>] nubus_proc_rsrc_show+0x18/0xa0 + [<000d551a>] seq_read+0xc4/0x510 + [<00018000>] fp_fcos+0x2/0x82 + [<0002800d>] __sys_setreuid+0x115/0x1c6 + [<00103640>] proc_reg_read+0x5c/0xb0 + [<00018000>] fp_fcos+0x2/0x82 + [<000b3344>] __vfs_read+0x2c/0x13c + [<00018000>] fp_fcos+0x2/0x82 + [<00018000>] fp_fcos+0x2/0x82 + [<000b8aa2>] sys_statx+0x60/0x7e + [<000b34b6>] vfs_read+0x62/0x12a + [<00018000>] fp_fcos+0x2/0x82 + [<00018000>] fp_fcos+0x2/0x82 + [<000b39c2>] ksys_read+0x48/0xbe + [<00018000>] fp_fcos+0x2/0x82 + [<000b3a4e>] sys_read+0x16/0x1a + [<00018000>] fp_fcos+0x2/0x82 + 
[<00002b84>] syscall+0x8/0xc + [<00018000>] fp_fcos+0x2/0x82 + [<0000c016>] not_ext+0xa/0x18 + Code: 4e5e 4e75 4e56 0000 206e 0008 2068 ffe8 <2068> 0020 2008 4e5e 4e75 4e56 0000 2f0b 206e 0008 2068 0004 2668 0020 206b ffe8 + Disabling lock debugging due to kernel taint + + Segmentation fault + +The proc_create_single_data() conversion does not work because +single_open(file, nubus_proc_rsrc_show, PDE_DATA(inode)) is not +equivalent to the original code. + +Fixes: 3f3942aca6da ("proc: introduce proc_create_single{,_data}") +Cc: Christoph Hellwig +Cc: stable@vger.kernel.org # 5.6+ +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/d4e2a586e793cc8d9442595684ab8a077c0fe726.1678783919.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nubus/proc.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +--- a/drivers/nubus/proc.c ++++ b/drivers/nubus/proc.c +@@ -137,6 +137,18 @@ static int nubus_proc_rsrc_show(struct s + return 0; + } + ++static int nubus_rsrc_proc_open(struct inode *inode, struct file *file) ++{ ++ return single_open(file, nubus_proc_rsrc_show, inode); ++} ++ ++static const struct proc_ops nubus_rsrc_proc_ops = { ++ .proc_open = nubus_rsrc_proc_open, ++ .proc_read = seq_read, ++ .proc_lseek = seq_lseek, ++ .proc_release = single_release, ++}; ++ + void nubus_proc_add_rsrc_mem(struct proc_dir_entry *procdir, + const struct nubus_dirent *ent, + unsigned int size) +@@ -152,8 +164,8 @@ void nubus_proc_add_rsrc_mem(struct proc + pde_data = nubus_proc_alloc_pde_data(nubus_dirptr(ent), size); + else + pde_data = NULL; +- proc_create_single_data(name, S_IFREG | 0444, procdir, +- nubus_proc_rsrc_show, pde_data); ++ proc_create_data(name, S_IFREG | 0444, procdir, ++ &nubus_rsrc_proc_ops, pde_data); + } + + void nubus_proc_add_rsrc(struct proc_dir_entry *procdir, +@@ -166,9 +178,9 @@ void nubus_proc_add_rsrc(struct proc_dir + return; + + 
snprintf(name, sizeof(name), "%x", ent->type); +- proc_create_single_data(name, S_IFREG | 0444, procdir, +- nubus_proc_rsrc_show, +- nubus_proc_alloc_pde_data(data, 0)); ++ proc_create_data(name, S_IFREG | 0444, procdir, ++ &nubus_rsrc_proc_ops, ++ nubus_proc_alloc_pde_data(data, 0)); + } + + /* diff --git a/tmp-5.10/nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch b/tmp-5.10/nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch new file mode 100644 index 00000000000..6d20415c506 --- /dev/null +++ b/tmp-5.10/nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch @@ -0,0 +1,41 @@ +From 90f48bef4f8592b123adc792884d4b154d75b5b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 17:26:20 +0800 +Subject: nvme-pci: fix DMA direction of unmapping integrity data + +From: Ming Lei + +[ Upstream commit b8f6446b6853768cb99e7c201bddce69ca60c15e ] + +DMA direction should be taken in dma_unmap_page() for unmapping integrity +data. + +Fix this DMA direction, and reported in Guangwu's test. + +Reported-by: Guangwu Zhang +Fixes: 4aedb705437f ("nvme-pci: split metadata handling from nvme_map_data / nvme_unmap_data") +Signed-off-by: Ming Lei +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index c47512da9872a..3aaead9b3a570 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -968,7 +968,8 @@ static void nvme_pci_complete_rq(struct request *req) + + if (blk_integrity_rq(req)) + dma_unmap_page(dev->dev, iod->meta_dma, +- rq_integrity_vec(req)->bv_len, rq_data_dir(req)); ++ rq_integrity_vec(req)->bv_len, rq_dma_dir(req)); ++ + if (blk_rq_nr_phys_segments(req)) + nvme_unmap_data(dev, req); + nvme_complete_rq(req); +-- +2.39.2 + 
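Review bot: nubus_rsrc_proc_open() passes `inode` as the seq_file private pointer, and nothing in the code says why it is not `PDE_DATA(inode)`; the call trace in the commit message shows PDE_DATA() being reached from nubus_proc_rsrc_show(), which is the reason. That contract should be written down so a future conversion back to proc_create_single_data() does not repeat the regression, e.g. `/* private data must be the inode: nubus_proc_rsrc_show() calls PDE_DATA() on it */` above the function. nubus_proc_add_rsrc_mem() can also register the entry with `pde_data = NULL`, so the show routine (outside this hunk) has to tolerate a NULL result; worth confirming.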
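Review bot: Nothing at the `dma_unmap_page()` call in nvme_pci_complete_rq() ties the direction to the one used when `iod->meta_dma` was mapped, and the mapping call is outside this hunk. The old `rq_data_dir(req)` argument built without complaint even though it yields a read/write flag rather than a DMA direction, so the compiler will not catch a relapse. A comment on the call, `/* direction must match the dma_map of meta_dma: use rq_dma_dir() */`, documents the pairing. The blank line added after the call is unrelated to the fix.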
diff --git a/tmp-5.10/octeontx2-af-fix-mapping-for-nix-block-from-cgx-conn.patch b/tmp-5.10/octeontx2-af-fix-mapping-for-nix-block-from-cgx-conn.patch new file mode 100644 index 00000000000..a3d7dcff016 --- /dev/null +++ b/tmp-5.10/octeontx2-af-fix-mapping-for-nix-block-from-cgx-conn.patch 
@@ -0,0 +1,74 @@ +From bb16ae2faa353f02be59aff76b3e99415779429e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 11:58:43 +0530 +Subject: octeontx2-af: Fix mapping for NIX block from CGX connection + +From: Hariprasad Kelam + +[ Upstream commit 2e7bc57b976bb016c6569a54d95c1b8d88f9450a ] + +Firmware configures NIX block mapping for all MAC blocks. +The current implementation reads the configuration and +creates the mapping between RVU PF and NIX blocks. But +this configuration is only valid for silicons that support +multiple blocks. For all other silicons, all MAC blocks +map to NIX0. + +This patch corrects the mapping by adding a check for the same. + +Fixes: c5a73b632b90 ("octeontx2-af: Map NIX block from CGX connection") +Signed-off-by: Hariprasad Kelam +Signed-off-by: Sunil Goutham +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 11 +++++++++++ + drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c | 2 +- + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.h b/drivers/net/ethernet/marvell/octeontx2/af/rvu.h +index fc6d785b98ddd..ec9a291e866c7 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.h ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.h +@@ -20,6 +20,7 @@ + #define PCI_DEVID_OCTEONTX2_RVU_AF 0xA065 + + /* Subsystem Device ID */ ++#define PCI_SUBSYS_DEVID_98XX 0xB100 + #define PCI_SUBSYS_DEVID_96XX 0xB200 + + /* PCI BAR nos */ +@@ -403,6 +404,16 @@ static inline bool is_rvu_96xx_B0(struct rvu *rvu) + (pdev->subsystem_device == PCI_SUBSYS_DEVID_96XX); + } + ++static inline bool is_rvu_supports_nix1(struct rvu *rvu) ++{ ++ struct pci_dev *pdev = rvu->pdev; ++ ++ if (pdev->subsystem_device == PCI_SUBSYS_DEVID_98XX) ++ return true; ++ ++ return false; ++} ++ + /* Function Prototypes + * RVU + */ +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c 
b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c +index 6c6b411e78fd8..83743e15326d7 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c +@@ -84,7 +84,7 @@ static void rvu_map_cgx_nix_block(struct rvu *rvu, int pf, + p2x = cgx_lmac_get_p2x(cgx_id, lmac_id); + /* Firmware sets P2X_SELECT as either NIX0 or NIX1 */ + pfvf->nix_blkaddr = BLKADDR_NIX0; +- if (p2x == CMR_P2X_SEL_NIX1) ++ if (is_rvu_supports_nix1(rvu) && p2x == CMR_P2X_SEL_NIX1) + pfvf->nix_blkaddr = BLKADDR_NIX1; + } + +-- +2.39.2 + diff --git a/tmp-5.10/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch b/tmp-5.10/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch new file mode 100644 index 00000000000..e242d7f32cc --- /dev/null +++ b/tmp-5.10/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch 
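Review bot: is_rvu_supports_nix1() spells out `if (...) return true; return false;` where the neighbouring is_rvu_96xx_B0() returns its comparison directly; `return pdev->subsystem_device == PCI_SUBSYS_DEVID_98XX;` is shorter and matches the file. In rvu_map_cgx_nix_block() a firmware value of `CMR_P2X_SEL_NIX1` on silicon without a second NIX block is now silently mapped to NIX0. The existing comment `/* Firmware sets P2X_SELECT as either NIX0 or NIX1 */` should be extended to say the value is honoured only on 98XX, so the fallback is not mistaken for an oversight.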
@@ -0,0 +1,43 @@
+From eb43108a06c518908542e1d2996bcadd3efaf26b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 16 Jul 2023 15:07:41 +0530
+Subject: octeontx2-pf: Dont allocate BPIDs for LBK interfaces
+
+From: Geetha sowjanya
+
+[ Upstream commit 8fcd7c7b3a38ab5e452f542fda8f7940e77e479a ]
+
+Current driver enables backpressure for LBK interfaces.
+But these interfaces do not support this feature.
+Hence, this patch fixes the issue by skipping the
+backpressure configuration for these interfaces.
+
+Fixes: 75f36270990c ("octeontx2-pf: Support to enable/disable pause frames via ethtool").
+Signed-off-by: Geetha sowjanya
+Signed-off-by: Sunil Goutham
+Link: https://lore.kernel.org/r/20230716093741.28063-1-gakula@marvell.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+index 54aeb276b9a0a..000dd89c4baff 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+@@ -1311,8 +1311,9 @@ static int otx2_init_hw_resources(struct otx2_nic *pf)
+ if (err)
+ goto err_free_npa_lf;
+
+- /* Enable backpressure */
+- otx2_nix_config_bp(pf, true);
++ /* Enable backpressure for CGX mapped PF/VFs */
++ if (!is_otx2_lbkvf(pf->pdev))
++ otx2_nix_config_bp(pf, true);
+
+ /* Init Auras and pools used by NIX RQ, for free buffer ptrs */
+ err = otx2_rq_aura_pool_init(pf);
+--
+2.39.2
+
diff --git a/tmp-5.10/ovl-update-of-dentry-revalidate-flags-after-copy-up.patch b/tmp-5.10/ovl-update-of-dentry-revalidate-flags-after-copy-up.patch
new file mode 100644
index 00000000000..32b6b70cc5d
--- /dev/null
+++ b/tmp-5.10/ovl-update-of-dentry-revalidate-flags-after-copy-up.patch
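Review bot: Only the enable call in otx2_init_hw_resources() is guarded by `!is_otx2_lbkvf(pf->pdev)`; the teardown path is not part of this hunk, so it is worth confirming that any matching `otx2_nix_config_bp(pf, false)` call is skipped for LBK interfaces as well, otherwise the driver would presumably request a disable for backpressure it never configured. The result of otx2_nix_config_bp() is also discarded here while the neighbouring steps test `err` and jump to a cleanup label; if the function reports failures, handling it the same way would keep the error paths consistent. The function body starts and ends outside the hunk.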
@@ -0,0 +1,163 @@
+From 4b954ef1a2294dd5e09be30c5ffb49868f85aadf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Apr 2023 11:29:59 +0300
+Subject: ovl: update of dentry revalidate flags after copy up
+
+From: Amir Goldstein
+
+[ Upstream commit b07d5cc93e1b28df47a72c519d09d0a836043613 ]
+
+After copy up, we may need to update d_flags if upper dentry is on a
+remote fs and lower dentries are not.
+
+Add helpers to allow incremental update of the revalidate flags.
+
+Fixes: bccece1ead36 ("ovl: allow remote upper")
+Reviewed-by: Gao Xiang
+Signed-off-by: Amir Goldstein
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Sasha Levin
+---
+ fs/overlayfs/copy_up.c | 2 ++
+ fs/overlayfs/dir.c | 3 +--
+ fs/overlayfs/export.c | 3 +--
+ fs/overlayfs/namei.c | 3 +--
+ fs/overlayfs/overlayfs.h | 6 ++++--
+ fs/overlayfs/super.c | 2 +-
+ fs/overlayfs/util.c | 24 ++++++++++++++++++++----
+ 7 files changed, 30 insertions(+), 13 deletions(-)
+
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index e466c58f9ec4c..7ef3c87f8a23d 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -475,6 +475,7 @@ static int ovl_link_up(struct ovl_copy_up_ctx *c)
+ /* Restore timestamps on parent (best effort) */
+ ovl_set_timestamps(upperdir, &c->pstat);
+ ovl_dentry_set_upper_alias(c->dentry);
++ ovl_dentry_update_reval(c->dentry, upper);
+ }
+ }
+ inode_unlock(udir);
+@@ -762,6 +763,7 @@ static int ovl_do_copy_up(struct ovl_copy_up_ctx *c)
+ inode_unlock(udir);
+
+ ovl_dentry_set_upper_alias(c->dentry);
++ ovl_dentry_update_reval(c->dentry, ovl_dentry_upper(c->dentry));
+ }
+
+ out:
+diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
+index 8ebd9f2b1c95b..a7021c87bfcb0 100644
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -266,8 +266,7 @@ static int ovl_instantiate(struct dentry *dentry, struct inode *inode,
+
+ ovl_dir_modified(dentry->d_parent, false);
+ ovl_dentry_set_upper_alias(dentry);
+- ovl_dentry_update_reval(dentry, newdentry,
+- DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE);
++ ovl_dentry_init_reval(dentry, newdentry);
+
+ if (!hardlink) {
+ /*
+diff --git a/fs/overlayfs/export.c b/fs/overlayfs/export.c
+index 44118f0ab0b31..f981283177ecd 100644
+--- a/fs/overlayfs/export.c
++++ b/fs/overlayfs/export.c
+@@ -324,8 +324,7 @@ static struct dentry *ovl_obtain_alias(struct super_block *sb,
+ if (upper_alias)
+ ovl_dentry_set_upper_alias(dentry);
+
+- ovl_dentry_update_reval(dentry, upper,
+- DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE);
++ ovl_dentry_init_reval(dentry, upper);
+
+ return d_instantiate_anon(dentry, inode);
+
+diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
+index 092812c2f118a..ff5284b86bd56 100644
+--- a/fs/overlayfs/namei.c
++++ b/fs/overlayfs/namei.c
+@@ -1095,8 +1095,7 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry,
+ ovl_set_flag(OVL_UPPERDATA, inode);
+ }
+
+- ovl_dentry_update_reval(dentry, upperdentry,
+- DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE);
++ ovl_dentry_init_reval(dentry, upperdentry);
+
+ revert_creds(old_cred);
+ if (origin_path) {
+diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
+index 898de3bf884e4..26f91868fbdaf 100644
+--- a/fs/overlayfs/overlayfs.h
++++ b/fs/overlayfs/overlayfs.h
+@@ -257,8 +257,10 @@ bool ovl_index_all(struct super_block *sb);
+ bool ovl_verify_lower(struct super_block *sb);
+ struct ovl_entry *ovl_alloc_entry(unsigned int numlower);
+ bool ovl_dentry_remote(struct dentry *dentry);
+-void ovl_dentry_update_reval(struct dentry *dentry, struct dentry *upperdentry,
+- unsigned int mask);
++void ovl_dentry_update_reval(struct dentry *dentry, struct dentry *realdentry);
++void ovl_dentry_init_reval(struct dentry *dentry, struct dentry *upperdentry);
++void ovl_dentry_init_flags(struct dentry *dentry, struct dentry *upperdentry,
++ unsigned int mask);
+ bool ovl_dentry_weird(struct dentry *dentry);
+ enum ovl_path_type ovl_path_type(struct dentry *dentry);
+ void ovl_path_upper(struct dentry *dentry, struct path *path);
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index e3cd5a00f880d..5d7df839902df 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -1868,7 +1868,7 @@ static struct dentry *ovl_get_root(struct super_block *sb,
+ ovl_dentry_set_flag(OVL_E_CONNECTED, root);
+ ovl_set_upperdata(d_inode(root));
+ ovl_inode_init(d_inode(root), &oip, ino, fsid);
+- ovl_dentry_update_reval(root, upperdentry, DCACHE_OP_WEAK_REVALIDATE);
++ ovl_dentry_init_flags(root, upperdentry, DCACHE_OP_WEAK_REVALIDATE);
+
+ return root;
+ }
+diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
+index e8b14d2c180c6..060f9c99d9b33 100644
+--- a/fs/overlayfs/util.c
++++ b/fs/overlayfs/util.c
+@@ -90,14 +90,30 @@ struct ovl_entry *ovl_alloc_entry(unsigned int numlower)
+ return oe;
+ }
+
++#define OVL_D_REVALIDATE (DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE)
++
+ bool ovl_dentry_remote(struct dentry *dentry)
+ {
+- return dentry->d_flags &
+- (DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE);
++ return dentry->d_flags & OVL_D_REVALIDATE;
++}
++
++void ovl_dentry_update_reval(struct dentry *dentry, struct dentry *realdentry)
++{
++ if (!ovl_dentry_remote(realdentry))
++ return;
++
++ spin_lock(&dentry->d_lock);
++ dentry->d_flags |= realdentry->d_flags & OVL_D_REVALIDATE;
++ spin_unlock(&dentry->d_lock);
++}
++
++void ovl_dentry_init_reval(struct dentry *dentry, struct dentry *upperdentry)
++{
++ return ovl_dentry_init_flags(dentry, upperdentry, OVL_D_REVALIDATE);
+ }
+
+-void ovl_dentry_update_reval(struct dentry *dentry, struct dentry *upperdentry,
+- unsigned int mask)
++void ovl_dentry_init_flags(struct dentry *dentry, struct dentry *upperdentry,
++ unsigned int mask)
+ {
+ struct ovl_entry *oe = OVL_E(dentry);
+ unsigned int i, flags = 0;
+--
+2.39.2
+
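Review bot: In fs/overlayfs/util.c the new ovl_dentry_init_reval() is declared `void` but is written as `return ovl_dentry_init_flags(dentry, upperdentry, OVL_D_REVALIDATE);`. Returning a void expression is tolerated by GCC but is a constraint violation in ISO C and reads as if a value were produced, so the line should simply be `ovl_dentry_init_flags(dentry, upperdentry, OVL_D_REVALIDATE);`. The three helpers now have similar names and different semantics, so a short comment on each would help: ovl_dentry_update_reval() only ORs the real dentry's revalidate bits into `d_flags` under `d_lock` and never clears any, while ovl_dentry_init_flags() takes a mask and its body continues outside the hunk, so whether it clears bits cannot be told from here.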
diff --git a/tmp-5.10/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch b/tmp-5.10/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch
new file mode 100644
index 00000000000..25be5afab0d
--- /dev/null
+++ b/tmp-5.10/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch
@@ -0,0 +1,36 @@
+From 88d341716b83abd355558523186ca488918627ee Mon Sep 17 00:00:00 2001
+From: Robin Murphy
+Date: Wed, 7 Jun 2023 18:18:47 +0100
+Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9235
+
+From: Robin Murphy
+
+commit 88d341716b83abd355558523186ca488918627ee upstream.
+
+Marvell's own product brief implies the 92xx series are a closely related
+family, and sure enough it turns out that 9235 seems to need the same quirk
+as the other three, although possibly only when certain ports are used.
+
+Link: https://lore.kernel.org/linux-iommu/2a699a99-545c-1324-e052-7d2f41fed1ae@yahoo.co.uk/
+Link: https://lore.kernel.org/r/731507e05d70239aec96fcbfab6e65d8ce00edd2.1686157165.git.robin.murphy@arm.com
+Reported-by: Jason Adriaanse
+Signed-off-by: Robin Murphy
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Christoph Hellwig
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4123,6 +4123,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M
+ /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230,
+ quirk_dma_func1_alias);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9235,
++ quirk_dma_func1_alias);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0642,
+ quirk_dma_func1_alias);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0645,
diff --git a/tmp-5.10/pci-add-pci_clear_master-stub-for-non-config_pci.patch b/tmp-5.10/pci-add-pci_clear_master-stub-for-non-config_pci.patch
new file mode 100644
index 00000000000..a6c63b055ba
--- /dev/null
+++ b/tmp-5.10/pci-add-pci_clear_master-stub-for-non-config_pci.patch
@@ -0,0 +1,39 @@
+From 845dcb78132d571d50eab8c8634ee27e3fba36cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 May 2023 18:27:44 +0800
+Subject: PCI: Add pci_clear_master() stub for non-CONFIG_PCI
+
+From: Sui Jingfeng
+
+[ Upstream commit 2aa5ac633259843f656eb6ecff4cf01e8e810c5e ]
+
+Add a pci_clear_master() stub when CONFIG_PCI is not set so drivers that
+support both PCI and platform devices don't need #ifdefs or extra Kconfig
+symbols for the PCI parts.
+
+[bhelgaas: commit log]
+Fixes: 6a479079c072 ("PCI: Add pci_clear_master() as opposite of pci_set_master()")
+Link: https://lore.kernel.org/r/20230531102744.2354313-1-suijingfeng@loongson.cn
+Signed-off-by: Sui Jingfeng
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+---
+ include/linux/pci.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/pci.h b/include/linux/pci.h
+index 4cc42ad2f6c52..550e1cdb473fa 100644
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -1719,6 +1719,7 @@ static inline struct pci_dev *pci_get_class(unsigned int class,
+ #define pci_dev_put(dev) do { } while (0)
+
+ static inline void pci_set_master(struct pci_dev *dev) { }
++static inline void pci_clear_master(struct pci_dev *dev) { }
+ static inline int pci_enable_device(struct pci_dev *dev) { return -EIO; }
+ static inline void pci_disable_device(struct pci_dev *dev) { }
+ static inline int pcim_enable_device(struct pci_dev *pdev) { return -EIO; }
+--
+2.39.2
+
diff --git a/tmp-5.10/pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch b/tmp-5.10/pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch
new file mode 100644
index 00000000000..0a204a18b6a
--- /dev/null
+++ b/tmp-5.10/pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch
@@ -0,0 +1,94 @@
+From a2c77802943704838b8d41b060ca5af8e2387aee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 7 May 2023 11:40:57 +0800
+Subject: PCI/ASPM: Disable ASPM on MFD function removal to avoid
+ use-after-free
+
+From: Ding Hui
+
+[ Upstream commit 456d8aa37d0f56fc9e985e812496e861dcd6f2f2 ]
+
+Struct pcie_link_state->downstream is a pointer to the pci_dev of function
+0. Previously we retained that pointer when removing function 0, and
+subsequent ASPM policy changes dereferenced it, resulting in a
+use-after-free warning from KASAN, e.g.:
+
+ # echo 1 > /sys/bus/pci/devices/0000:03:00.0/remove
+ # echo powersave > /sys/module/pcie_aspm/parameters/policy
+
+ BUG: KASAN: slab-use-after-free in pcie_config_aspm_link+0x42d/0x500
+ Call Trace:
+ kasan_report+0xae/0xe0
+ pcie_config_aspm_link+0x42d/0x500
+ pcie_aspm_set_policy+0x8e/0x1a0
+ param_attr_store+0x162/0x2c0
+ module_attr_store+0x3e/0x80
+
+PCIe spec r6.0, sec 7.5.3.7, recommends that software program the same ASPM
+Control value in all functions of multi-function devices.
+
+Disable ASPM and free the pcie_link_state when any child function is
+removed so we can discard the dangling pcie_link_state->downstream pointer
+and maintain the same ASPM Control configuration for all functions.
+
+[bhelgaas: commit log and comment]
+Debugged-by: Zongquan Qin
+Suggested-by: Bjorn Helgaas
+Fixes: b5a0a9b59c81 ("PCI/ASPM: Read and set up L1 substate capabilities")
+Link: https://lore.kernel.org/r/20230507034057.20970-1-dinghui@sangfor.com.cn
+Signed-off-by: Ding Hui
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/pcie/aspm.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
+index ac0557a305aff..51da8ba67d216 100644
+--- a/drivers/pci/pcie/aspm.c
++++ b/drivers/pci/pcie/aspm.c
+@@ -993,21 +993,24 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev)
+
+ down_read(&pci_bus_sem);
+ mutex_lock(&aspm_lock);
+- /*
+- * All PCIe functions are in one slot, remove one function will remove
+- * the whole slot, so just wait until we are the last function left.
+- */
+- if (!list_empty(&parent->subordinate->devices))
+- goto out;
+
+ link = parent->link_state;
+ root = link->root;
+ parent_link = link->parent;
+
+- /* All functions are removed, so just disable ASPM for the link */
++ /*
++ * link->downstream is a pointer to the pci_dev of function 0. If
++ * we remove that function, the pci_dev is about to be deallocated,
++ * so we can't use link->downstream again. Free the link state to
++ * avoid this.
++ *
++ * If we're removing a non-0 function, it's possible we could
++ * retain the link state, but PCIe r6.0, sec 7.5.3.7, recommends
++ * programming the same ASPM Control value for all functions of
++ * multi-function devices, so disable ASPM for all of them.
++ */
+ pcie_config_aspm_link(link, 0);
+ list_del(&link->sibling);
+- /* Clock PM is for endpoint device */
+ free_link_state(link);
+
+ /* Recheck latencies and configure upstream links */
+@@ -1015,7 +1018,7 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev)
+ pcie_update_aspm_capable(root);
+ pcie_config_aspm_path(parent_link);
+ }
+-out:
++
+ mutex_unlock(&aspm_lock);
+ up_read(&pci_bus_sem);
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/pci-cadence-fix-gen2-link-retraining-process.patch b/tmp-5.10/pci-cadence-fix-gen2-link-retraining-process.patch
new file mode 100644
index 00000000000..7feeca459a5
--- /dev/null
+++ b/tmp-5.10/pci-cadence-fix-gen2-link-retraining-process.patch
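Review bot: With the `list_empty()` early-out removed, pcie_aspm_exit_link_state() frees the link state on the first function removed and is then presumably entered again for each remaining function of the same device, yet the new code reads `link = parent->link_state; root = link->root;` with no NULL test inside the locked region. Any guard on `parent->link_state` sits before `down_read(&pci_bus_sem)`, outside this hunk, so it cannot be confirmed from here. If that guard runs before `aspm_lock` is taken, re-testing under the lock would be safer, for example `if (!link) goto out;` with the `out:` label kept in front of `mutex_unlock(&aspm_lock);`. The function starts outside the hunk.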
@@ -0,0 +1,88 @@
+From 7813ef36b6286c4bbe5203fbf6e761ab5bed682e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 12:38:00 +0530
+Subject: PCI: cadence: Fix Gen2 Link Retraining process
+
+From: Siddharth Vadapalli
+
+[ Upstream commit 0e12f830236928b6fadf40d917a7527f0a048d2f ]
+
+The Link Retraining process is initiated to account for the Gen2 defect in
+the Cadence PCIe controller in J721E SoC. The errata corresponding to this
+is i2085, documented at:
+https://www.ti.com/lit/er/sprz455c/sprz455c.pdf
+
+The existing workaround implemented for the errata waits for the Data Link
+initialization to complete and assumes that the link retraining process
+at the Physical Layer has completed. However, it is possible that the
+Physical Layer training might be ongoing as indicated by the
+PCI_EXP_LNKSTA_LT bit in the PCI_EXP_LNKSTA register.
+
+Fix the existing workaround, to ensure that the Physical Layer training
+has also completed, in addition to the Data Link initialization.
+
+Link: https://lore.kernel.org/r/20230315070800.1615527-1-s-vadapalli@ti.com
+Fixes: 4740b969aaf5 ("PCI: cadence: Retrain Link to work around Gen2 training defect")
+Signed-off-by: Siddharth Vadapalli
+Signed-off-by: Lorenzo Pieralisi
+Reviewed-by: Vignesh Raghavendra
+Signed-off-by: Sasha Levin
+---
+ .../controller/cadence/pcie-cadence-host.c | 27 +++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/drivers/pci/controller/cadence/pcie-cadence-host.c b/drivers/pci/controller/cadence/pcie-cadence-host.c
+index fb96d37a135c1..4d8d15ac51ef4 100644
+--- a/drivers/pci/controller/cadence/pcie-cadence-host.c
++++ b/drivers/pci/controller/cadence/pcie-cadence-host.c
+@@ -12,6 +12,8 @@
+
+ #include "pcie-cadence.h"
+
++#define LINK_RETRAIN_TIMEOUT HZ
++
+ static u64 bar_max_size[] = {
+ [RP_BAR0] = _ULL(128 * SZ_2G),
+ [RP_BAR1] = SZ_2G,
+@@ -77,6 +79,27 @@ static struct pci_ops cdns_pcie_host_ops = {
+ .write = pci_generic_config_write,
+ };
+
++static int cdns_pcie_host_training_complete(struct cdns_pcie *pcie)
++{
++ u32 pcie_cap_off = CDNS_PCIE_RP_CAP_OFFSET;
++ unsigned long end_jiffies;
++ u16 lnk_stat;
++
++ /* Wait for link training to complete. Exit after timeout. */
++ end_jiffies = jiffies + LINK_RETRAIN_TIMEOUT;
++ do {
++ lnk_stat = cdns_pcie_rp_readw(pcie, pcie_cap_off + PCI_EXP_LNKSTA);
++ if (!(lnk_stat & PCI_EXP_LNKSTA_LT))
++ break;
++ usleep_range(0, 1000);
++ } while (time_before(jiffies, end_jiffies));
++
++ if (!(lnk_stat & PCI_EXP_LNKSTA_LT))
++ return 0;
++
++ return -ETIMEDOUT;
++}
++
+ static int cdns_pcie_host_wait_for_link(struct cdns_pcie *pcie)
+ {
+ struct device *dev = pcie->dev;
+@@ -118,6 +141,10 @@ static int cdns_pcie_retrain(struct cdns_pcie *pcie)
+ cdns_pcie_rp_writew(pcie, pcie_cap_off + PCI_EXP_LNKCTL,
+ lnk_ctl);
+
++ ret = cdns_pcie_host_training_complete(pcie);
++ if (ret)
++ return ret;
++
+ ret = cdns_pcie_host_wait_for_link(pcie);
+ }
+ return ret;
+--
+2.39.2
+
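Review bot: cdns_pcie_host_training_complete() decides the result from the last value read inside the loop, so if the task is delayed in `usleep_range()` past `end_jiffies` the loop exits and the function returns `-ETIMEDOUT` without sampling `PCI_EXP_LNKSTA` again, even though training may have finished in the meantime. Reading the register once more after the loop, `lnk_stat = cdns_pcie_rp_readw(pcie, pcie_cap_off + PCI_EXP_LNKSTA);` before the final `PCI_EXP_LNKSTA_LT` test, closes that window. `usleep_range(0, 1000)` also permits a zero-length sleep; a non-zero lower bound would make the polling interval explicit.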
diff --git a/tmp-5.10/pci-ftpci100-release-the-clock-resources.patch b/tmp-5.10/pci-ftpci100-release-the-clock-resources.patch
new file mode 100644
index 00000000000..6fff1480140
--- /dev/null
+++ b/tmp-5.10/pci-ftpci100-release-the-clock-resources.patch
@@ -0,0 +1,75 @@
+From 8bd23dfb062b88c2044b2b4aa4e6cd08c2a2808a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 8 May 2023 12:36:41 +0800
+Subject: PCI: ftpci100: Release the clock resources
+
+From: Junyan Ye
+
+[ Upstream commit c60738de85f40b0b9f5cb23c21f9246e5a47908c ]
+
+Smatch reported:
+1. drivers/pci/controller/pci-ftpci100.c:526 faraday_pci_probe() warn:
+'clk' from clk_prepare_enable() not released on lines: 442,451,462,478,512,517.
+2. drivers/pci/controller/pci-ftpci100.c:526 faraday_pci_probe() warn:
+'p->bus_clk' from clk_prepare_enable() not released on lines: 451,462,478,512,517.
+
+The clock resource is obtained by devm_clk_get(), and then
+clk_prepare_enable() makes the clock resource ready for use. After that,
+clk_disable_unprepare() should be called to release the clock resource
+when it is no longer needed. However, while doing some error handling
+in faraday_pci_probe(), clk_disable_unprepare() is not called to release
+clk and p->bus_clk before returning. These return lines are exactly 442,
+451, 462, 478, 512, 517.
+
+Fix this warning by replacing devm_clk_get() with devm_clk_get_enabled(),
+which is equivalent to devm_clk_get() + clk_prepare_enable(). And with
+devm_clk_get_enabled(), the clock will automatically be disabled,
+unprepared and freed when the device is unbound from the bus.
+
+Link: https://lore.kernel.org/r/20230508043641.23807-1-yejunyan@hust.edu.cn
+Fixes: b3c433efb8a3 ("PCI: faraday: Fix wrong pointer passed to PTR_ERR()")
+Fixes: 2eeb02b28579 ("PCI: faraday: Add clock handling")
+Fixes: 783a862563f7 ("PCI: faraday: Use pci_parse_request_of_pci_ranges()")
+Fixes: d3c68e0a7e34 ("PCI: faraday: Add Faraday Technology FTPCI100 PCI Host Bridge driver")
+Fixes: f1e8bd21e39e ("PCI: faraday: Convert IRQ masking to raw PCI config accessors")
+Signed-off-by: Junyan Ye
+Signed-off-by: Lorenzo Pieralisi
+Reviewed-by: Dongliang Mu
+Reviewed-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/controller/pci-ftpci100.c | 14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-ftpci100.c b/drivers/pci/controller/pci-ftpci100.c
+index aefef1986201a..80cfea5d9f122 100644
+--- a/drivers/pci/controller/pci-ftpci100.c
++++ b/drivers/pci/controller/pci-ftpci100.c
+@@ -442,22 +442,12 @@ static int faraday_pci_probe(struct platform_device *pdev)
+ p->dev = dev;
+
+ /* Retrieve and enable optional clocks */
+- clk = devm_clk_get(dev, "PCLK");
++ clk = devm_clk_get_enabled(dev, "PCLK");
+ if (IS_ERR(clk))
+ return PTR_ERR(clk);
+- ret = clk_prepare_enable(clk);
+- if (ret) {
+- dev_err(dev, "could not prepare PCLK\n");
+- return ret;
+- }
+- p->bus_clk = devm_clk_get(dev, "PCICLK");
++ p->bus_clk = devm_clk_get_enabled(dev, "PCICLK");
+ if (IS_ERR(p->bus_clk))
+ return PTR_ERR(p->bus_clk);
+- ret = clk_prepare_enable(p->bus_clk);
+- if (ret) {
+- dev_err(dev, "could not prepare PCICLK\n");
+- return ret;
+- }
+
+ p->base = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(p->base))
+--
+2.39.2
+
diff --git a/tmp-5.10/pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch b/tmp-5.10/pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch
new file mode 100644
index 00000000000..0e9efb477f5
--- /dev/null
+++ b/tmp-5.10/pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch
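Review bot: After this change both clock failures in faraday_pci_probe() return silently, because the removed `dev_err(dev, "could not prepare PCLK\n")` and `dev_err(dev, "could not prepare PCICLK\n")` calls have no replacement and the surviving `IS_ERR()` branches never logged anything. `return dev_err_probe(dev, PTR_ERR(clk), "could not get or enable PCLK\n");`, and the same for `p->bus_clk`, keeps a diagnostic and stays quiet on probe deferral. The retained comment says `optional clocks` although a failed lookup aborts the probe; that wording predates the patch but is now the only description of these two calls. Since this file sits in the tmp-5.10 queue, it is also worth confirming that devm_clk_get_enabled() is available in that tree. The function starts and ends outside the hunk.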
@@ -0,0 +1,74 @@
+From 76c408ea4d347b0ca5a0a1113a4723b6f82b121c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 May 2023 10:15:18 +0800
+Subject: PCI: pciehp: Cancel bringup sequence if card is not present
+
+From: Rongguang Wei
+
+[ Upstream commit e8afd0d9fccc27c8ad263db5cf5952cfcf72d6fe ]
+
+If a PCIe hotplug slot has an Attention Button, the normal hot-add flow is:
+
+ - Slot is empty and slot power is off
+ - User inserts card in slot and presses Attention Button
+ - OS blinks Power Indicator for 5 seconds
+ - After 5 seconds, OS turns on Power Indicator, turns on slot power, and
+ enumerates the device
+
+Previously, if a user pressed the Attention Button on an *empty* slot,
+pciehp logged the following messages and blinked the Power Indicator
+until a second button press:
+
+ [0.000] pciehp: Button press: will power on in 5 sec
+ [0.001] # Power Indicator starts blinking
+ [5.001] # 5 second timeout; slot is empty, so we should cancel the
+ request to power on and turn off Power Indicator
+
+ [7.000] # Power Indicator still blinking
+ [8.000] # possible card insertion
+ [9.000] pciehp: Button press: canceling request to power on
+
+The first button press incorrectly left the slot in BLINKINGON_STATE, so
+the second was interpreted as a "cancel power on" event regardless of
+whether a card was present.
+
+If the slot is empty, turn off the Power Indicator and return from
+BLINKINGON_STATE to OFF_STATE after 5 seconds, effectively canceling the
+request to power on. Putting the slot in OFF_STATE also means the second
+button press will correctly request a slot power on if the slot is
+occupied.
+
+[bhelgaas: commit log]
+Link: https://lore.kernel.org/r/20230512021518.336460-1-clementwei90@163.com
+Fixes: d331710ea78f ("PCI: pciehp: Become resilient to missed events")
+Suggested-by: Lukas Wunner
+Signed-off-by: Rongguang Wei
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Lukas Wunner
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/hotplug/pciehp_ctrl.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c
+index 529c348084401..32baba1b7f131 100644
+--- a/drivers/pci/hotplug/pciehp_ctrl.c
++++ b/drivers/pci/hotplug/pciehp_ctrl.c
+@@ -256,6 +256,14 @@ void pciehp_handle_presence_or_link_change(struct controller *ctrl, u32 events)
+ present = pciehp_card_present(ctrl);
+ link_active = pciehp_check_link_active(ctrl);
+ if (present <= 0 && link_active <= 0) {
++ if (ctrl->state == BLINKINGON_STATE) {
++ ctrl->state = OFF_STATE;
++ cancel_delayed_work(&ctrl->button_work);
++ pciehp_set_indicators(ctrl, PCI_EXP_SLTCTL_PWR_IND_OFF,
++ INDICATOR_NOOP);
++ ctrl_info(ctrl, "Slot(%s): Card not present\n",
++ slot_name(ctrl));
++ }
+ mutex_unlock(&ctrl->state_lock);
+ return;
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch b/tmp-5.10/pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch
new file mode 100644
index 00000000000..ff32596aae7
--- /dev/null
+++ b/tmp-5.10/pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch
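Review bot: The new `BLINKINGON_STATE` branch in pciehp_handle_presence_or_link_change() calls `cancel_delayed_work(&ctrl->button_work)`, which does not wait for a handler that is already running. That is presumably safe because `ctrl->state_lock` is still held here (it is released just below) and `ctrl->state` has just been set to `OFF_STATE`, but the reasoning is not written down. A comment above the branch such as `/* Button pressed on an empty slot: drop the pending power-on request */` would record the intent, and it is worth confirming that the work handler re-checks `ctrl->state` under the same lock, which this hunk does not show. The function starts and ends outside the hunk.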
@@ -0,0 +1,46 @@
+From 9e30fd26f43b89cb6b4e850a86caa2e50dedb454 Mon Sep 17 00:00:00 2001
+From: Ondrej Zary
+Date: Wed, 14 Jun 2023 09:42:53 +0200
+Subject: PCI/PM: Avoid putting EloPOS E2/S2/H2 PCIe Ports in D3cold
+
+From: Ondrej Zary
+
+commit 9e30fd26f43b89cb6b4e850a86caa2e50dedb454 upstream.
+
+The quirk for Elo i2 introduced in commit 92597f97a40b ("PCI/PM: Avoid
+putting Elo i2 PCIe Ports in D3cold") is also needed by EloPOS E2/S2/H2
+which uses the same Continental Z2 board.
+
+Change the quirk to match the board instead of system.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215715
+Link: https://lore.kernel.org/r/20230614074253.22318-1-linux@zary.sk
+Signed-off-by: Ondrej Zary
+Signed-off-by: Bjorn Helgaas
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/pci.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -2830,13 +2830,13 @@ static const struct dmi_system_id bridge
+ {
+ /*
+ * Downstream device is not accessible after putting a root port
+- * into D3cold and back into D0 on Elo i2.
++ * into D3cold and back into D0 on Elo Continental Z2 board
+ */
+- .ident = "Elo i2",
++ .ident = "Elo Continental Z2",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Elo Touch Solutions"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Elo i2"),
+- DMI_MATCH(DMI_PRODUCT_VERSION, "RevB"),
++ DMI_MATCH(DMI_BOARD_VENDOR, "Elo Touch Solutions"),
++ DMI_MATCH(DMI_BOARD_NAME, "Geminilake"),
++ DMI_MATCH(DMI_BOARD_VERSION, "Continental Z2"),
+ },
+ },
+ #endif
diff --git a/tmp-5.10/pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch b/tmp-5.10/pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch
new file mode 100644
index 00000000000..3107819134a
--- /dev/null
+++ b/tmp-5.10/pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch
@@ -0,0 +1,34 @@
+From a33d700e8eea76c62120cb3dbf5e01328f18319a Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam
+Date: Mon, 19 Jun 2023 20:34:00 +0530
+Subject: PCI: qcom: Disable write access to read only registers for IP v2.3.3
+
+From: Manivannan Sadhasivam
+
+commit a33d700e8eea76c62120cb3dbf5e01328f18319a upstream.
+
+In the post init sequence of v2.9.0, write access to read only registers
+are not disabled after updating the registers. Fix it by disabling the
+access after register update.
+
+Link: https://lore.kernel.org/r/20230619150408.8468-2-manivannan.sadhasivam@linaro.org
+Fixes: 5d76117f070d ("PCI: qcom: Add support for IPQ8074 PCIe controller")
+Signed-off-by: Manivannan Sadhasivam
+Signed-off-by: Lorenzo Pieralisi
+Cc:
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/controller/dwc/pcie-qcom.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pci/controller/dwc/pcie-qcom.c
++++ b/drivers/pci/controller/dwc/pcie-qcom.c
+@@ -771,6 +771,8 @@ static int qcom_pcie_get_resources_2_4_0
+ return PTR_ERR(res->phy_ahb_reset);
+ }
+
++ dw_pcie_dbi_ro_wr_dis(pci);
++
+ return 0;
+ }
+
diff --git a/tmp-5.10/pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch b/tmp-5.10/pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch
new file mode 100644
index 00000000000..169b3435669
--- /dev/null
+++ b/tmp-5.10/pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch
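Review bot: The added `dw_pcie_dbi_ro_wr_dis(pci);` appears to land in the wrong function: the hunk header names `qcom_pcie_get_resources_2_4_0` and the context line directly above it is `return PTR_ERR(res->phy_ahb_reset);`, which is resource lookup, whereas the commit message describes the end of a post-init sequence in which read-only registers have just been updated. If this is a misapplied backport, write access to the read-only DBI registers stays enabled after the post-init sequence the patch is meant to fix, and the call here disables something this function never enabled. Please check the placement against the upstream commit and move the call to the post-init function for IP v2.3.3, after its last register update. The commit message also names v2.9.0 while the subject says v2.3.3, which is worth reconciling.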
@@ -0,0 +1,81 @@
+From 9dd3c7c4c8c3f7f010d9cdb7c3f42506d93c9527 Mon Sep 17 00:00:00 2001
+From: Rick Wertenbroek
+Date: Tue, 18 Apr 2023 09:46:51 +0200
+Subject: PCI: rockchip: Add poll and timeout to wait for PHY PLLs to be locked
+
+From: Rick Wertenbroek
+
+commit 9dd3c7c4c8c3f7f010d9cdb7c3f42506d93c9527 upstream.
+
+The RK3399 PCIe controller should wait until the PHY PLLs are locked.
+Add poll and timeout to wait for PHY PLLs to be locked. If they cannot
+be locked generate error message and jump to error handler. Accessing
+registers in the PHY clock domain when PLLs are not locked causes hang
+The PHY PLLs status is checked through a side channel register.
+This is documented in the TRM section 17.5.8.1 "PCIe Initialization
+Sequence".
+
+Link: https://lore.kernel.org/r/20230418074700.1083505-5-rick.wertenbroek@gmail.com
+Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller")
+Tested-by: Damien Le Moal
+Signed-off-by: Rick Wertenbroek
+Signed-off-by: Lorenzo Pieralisi
+Reviewed-by: Damien Le Moal
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/controller/pcie-rockchip.c | 17 +++++++++++++++++
+ drivers/pci/controller/pcie-rockchip.h | 2 ++
+ 2 files changed, 19 insertions(+)
+
+--- a/drivers/pci/controller/pcie-rockchip.c
++++ b/drivers/pci/controller/pcie-rockchip.c
+@@ -14,6 +14,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -153,6 +154,12 @@ int rockchip_pcie_parse_dt(struct rockch
+ }
+ EXPORT_SYMBOL_GPL(rockchip_pcie_parse_dt);
+
++#define rockchip_pcie_read_addr(addr) rockchip_pcie_read(rockchip, addr)
++/* 100 ms max wait time for PHY PLLs to lock */
++#define RK_PHY_PLL_LOCK_TIMEOUT_US 100000
++/* Sleep should be less than 20ms */
++#define RK_PHY_PLL_LOCK_SLEEP_US 1000
++
+ int rockchip_pcie_init_port(struct rockchip_pcie *rockchip)
+ {
+ struct device *dev = rockchip->dev;
+@@ -254,6 +261,16 @@ int rockchip_pcie_init_port(struct rockc
+ }
+ }
+
++ err = readx_poll_timeout(rockchip_pcie_read_addr,
++ PCIE_CLIENT_SIDE_BAND_STATUS,
++ regs, !(regs & PCIE_CLIENT_PHY_ST),
++ RK_PHY_PLL_LOCK_SLEEP_US,
++ RK_PHY_PLL_LOCK_TIMEOUT_US);
++ if (err) {
++ dev_err(dev, "PHY PLLs could not lock, %d\n", err);
++ goto err_power_off_phy;
++ }
++
+ /*
+ * Please don't reorder the deassert sequence of the following
+ * four reset pins.
+--- a/drivers/pci/controller/pcie-rockchip.h
++++ b/drivers/pci/controller/pcie-rockchip.h
+@@ -37,6 +37,8 @@
+ #define PCIE_CLIENT_MODE_EP HIWORD_UPDATE(0x0040, 0)
+ #define PCIE_CLIENT_GEN_SEL_1 HIWORD_UPDATE(0x0080, 0)
+ #define PCIE_CLIENT_GEN_SEL_2 HIWORD_UPDATE_BIT(0x0080)
++#define PCIE_CLIENT_SIDE_BAND_STATUS (PCIE_CLIENT_BASE + 0x20)
++#define PCIE_CLIENT_PHY_ST BIT(12)
+ #define PCIE_CLIENT_DEBUG_OUT_0 (PCIE_CLIENT_BASE + 0x3c)
+ #define PCIE_CLIENT_DEBUG_LTSSM_MASK GENMASK(5, 0)
+ #define PCIE_CLIENT_DEBUG_LTSSM_L1 0x18
diff --git a/tmp-5.10/pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch b/tmp-5.10/pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch
new file mode 100644
index 00000000000..4efbbf440da
--- /dev/null
+++ b/tmp-5.10/pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch
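Review bot: `#define rockchip_pcie_read_addr(addr) rockchip_pcie_read(rockchip, addr)` silently captures a local variable named `rockchip` from whichever function expands it, and it stays defined for the rest of pcie-rockchip.c. A comment saying so, or an `#undef rockchip_pcie_read_addr` after rockchip_pcie_init_port(), would keep it from being reused where `rockchip` means something else. The comment `/* Sleep should be less than 20ms */` does not say why; if it refers to how readx_poll_timeout() sleeps between reads, stating that would help. rockchip_pcie_init_port() continues outside the hunk, so the `err_power_off_phy` label and the `regs` variable are assumed to exist there.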
@@ -0,0 +1,40 @@
+From f397fd4ac1fa3afcabd8cee030f953ccaed2a364 Mon Sep 17 00:00:00 2001
+From: Rick Wertenbroek
+Date: Tue, 18 Apr 2023 09:46:50 +0200
+Subject: PCI: rockchip: Assert PCI Configuration Enable bit after probe
+
+From: Rick Wertenbroek
+
+commit f397fd4ac1fa3afcabd8cee030f953ccaed2a364 upstream.
+
+Assert PCI Configuration Enable bit after probe. When this bit is left to
+0 in the endpoint mode, the RK3399 PCIe endpoint core will generate
+configuration request retry status (CRS) messages back to the root complex.
+Assert this bit after probe to allow the RK3399 PCIe endpoint core to reply
+to configuration requests from the root complex.
+This is documented in section 17.5.8.1.2 of the RK3399 TRM.
+
+Link: https://lore.kernel.org/r/20230418074700.1083505-4-rick.wertenbroek@gmail.com
+Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller")
+Tested-by: Damien Le Moal
+Signed-off-by: Rick Wertenbroek
+Signed-off-by: Lorenzo Pieralisi
+Reviewed-by: Damien Le Moal
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/controller/pcie-rockchip-ep.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/pci/controller/pcie-rockchip-ep.c
++++ b/drivers/pci/controller/pcie-rockchip-ep.c
+@@ -631,6 +631,9 @@ static int rockchip_pcie_ep_probe(struct
+
+ ep->irq_pci_addr = ROCKCHIP_PCIE_EP_DUMMY_IRQ_ADDR;
+
++ rockchip_pcie_write(rockchip, PCIE_CLIENT_CONF_ENABLE,
++ PCIE_CLIENT_CONFIG);
++
+ return 0;
+ err_epc_mem_exit:
+ pci_epc_mem_exit(epc);
diff --git a/tmp-5.10/pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch b/tmp-5.10/pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch
new file mode 100644
index 00000000000..0be84b0cf03
--- /dev/null
+++ b/tmp-5.10/pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch
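Review bot: The new `rockchip_pcie_write(rockchip, PCIE_CLIENT_CONF_ENABLE, PCIE_CLIENT_CONFIG);` in rockchip_pcie_ep_probe() carries no comment, although where it is placed is the whole point of the change. I would add `/* Let the core answer config requests; with this bit clear it replies with CRS */` above it. From the hunk alone it is not possible to tell whether the endpoint function's configuration header is already programmed at this point in probe; if it is written later, the root complex could presumably read default values once CRS stops, so the ordering assumption deserves a sentence in the comment. The function starts outside the hunk.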
@@ -0,0 +1,113 @@ +From 166e89d99dd85a856343cca51eee781b793801f2 Mon Sep 17 00:00:00 2001 +From: Rick Wertenbroek +Date: Tue, 18 Apr 2023 09:46:54 +0200 +Subject: PCI: rockchip: Fix legacy IRQ generation for RK3399 PCIe endpoint core + +From: Rick Wertenbroek + +commit 166e89d99dd85a856343cca51eee781b793801f2 upstream. + +Fix legacy IRQ generation for RK3399 PCIe endpoint core according to +the technical reference manual (TRM). Assert and deassert legacy +interrupt (INTx) through the legacy interrupt control register +("PCIE_CLIENT_LEGACY_INT_CTRL") instead of manually generating a PCIe +message. The generation of the legacy interrupt was tested and validated +with the PCIe endpoint test driver. + +Link: https://lore.kernel.org/r/20230418074700.1083505-8-rick.wertenbroek@gmail.com +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Tested-by: Damien Le Moal +Signed-off-by: Rick Wertenbroek +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip-ep.c | 45 +++++++----------------------- + drivers/pci/controller/pcie-rockchip.h | 6 +++- + 2 files changed, 16 insertions(+), 35 deletions(-) + +--- a/drivers/pci/controller/pcie-rockchip-ep.c ++++ b/drivers/pci/controller/pcie-rockchip-ep.c +@@ -347,48 +347,25 @@ static int rockchip_pcie_ep_get_msi(stru + } + + static void rockchip_pcie_ep_assert_intx(struct rockchip_pcie_ep *ep, u8 fn, +- u8 intx, bool is_asserted) ++ u8 intx, bool do_assert) + { + struct rockchip_pcie *rockchip = &ep->rockchip; +- u32 r = ep->max_regions - 1; +- u32 offset; +- u32 status; +- u8 msg_code; +- +- if (unlikely(ep->irq_pci_addr != ROCKCHIP_PCIE_EP_PCI_LEGACY_IRQ_ADDR || +- ep->irq_pci_fn != fn)) { +- rockchip_pcie_prog_ep_ob_atu(rockchip, fn, r, +- AXI_WRAPPER_NOR_MSG, +- ep->irq_phys_addr, 0, 0); +- ep->irq_pci_addr = ROCKCHIP_PCIE_EP_PCI_LEGACY_IRQ_ADDR; +- ep->irq_pci_fn = fn; +- } + + intx &= 
3; +- if (is_asserted) { ++ ++ if (do_assert) { + ep->irq_pending |= BIT(intx); +- msg_code = ROCKCHIP_PCIE_MSG_CODE_ASSERT_INTA + intx; ++ rockchip_pcie_write(rockchip, ++ PCIE_CLIENT_INT_IN_ASSERT | ++ PCIE_CLIENT_INT_PEND_ST_PEND, ++ PCIE_CLIENT_LEGACY_INT_CTRL); + } else { + ep->irq_pending &= ~BIT(intx); +- msg_code = ROCKCHIP_PCIE_MSG_CODE_DEASSERT_INTA + intx; ++ rockchip_pcie_write(rockchip, ++ PCIE_CLIENT_INT_IN_DEASSERT | ++ PCIE_CLIENT_INT_PEND_ST_NORMAL, ++ PCIE_CLIENT_LEGACY_INT_CTRL); + } +- +- status = rockchip_pcie_read(rockchip, +- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + +- ROCKCHIP_PCIE_EP_CMD_STATUS); +- status &= ROCKCHIP_PCIE_EP_CMD_STATUS_IS; +- +- if ((status != 0) ^ (ep->irq_pending != 0)) { +- status ^= ROCKCHIP_PCIE_EP_CMD_STATUS_IS; +- rockchip_pcie_write(rockchip, status, +- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + +- ROCKCHIP_PCIE_EP_CMD_STATUS); +- } +- +- offset = +- ROCKCHIP_PCIE_MSG_ROUTING(ROCKCHIP_PCIE_MSG_ROUTING_LOCAL_INTX) | +- ROCKCHIP_PCIE_MSG_CODE(msg_code) | ROCKCHIP_PCIE_MSG_NO_DATA; +- writel(0, ep->irq_cpu_addr + offset); + } + + static int rockchip_pcie_ep_send_legacy_irq(struct rockchip_pcie_ep *ep, u8 fn, +--- a/drivers/pci/controller/pcie-rockchip.h ++++ b/drivers/pci/controller/pcie-rockchip.h +@@ -37,6 +37,11 @@ + #define PCIE_CLIENT_MODE_EP HIWORD_UPDATE(0x0040, 0) + #define PCIE_CLIENT_GEN_SEL_1 HIWORD_UPDATE(0x0080, 0) + #define PCIE_CLIENT_GEN_SEL_2 HIWORD_UPDATE_BIT(0x0080) ++#define PCIE_CLIENT_LEGACY_INT_CTRL (PCIE_CLIENT_BASE + 0x0c) ++#define PCIE_CLIENT_INT_IN_ASSERT HIWORD_UPDATE_BIT(0x0002) ++#define PCIE_CLIENT_INT_IN_DEASSERT HIWORD_UPDATE(0x0002, 0) ++#define PCIE_CLIENT_INT_PEND_ST_PEND HIWORD_UPDATE_BIT(0x0001) ++#define PCIE_CLIENT_INT_PEND_ST_NORMAL HIWORD_UPDATE(0x0001, 0) + #define PCIE_CLIENT_SIDE_BAND_STATUS (PCIE_CLIENT_BASE + 0x20) + #define PCIE_CLIENT_PHY_ST BIT(12) + #define PCIE_CLIENT_DEBUG_OUT_0 (PCIE_CLIENT_BASE + 0x3c) +@@ -234,7 +239,6 @@ + #define ROCKCHIP_PCIE_EP_MSI_CTRL_ME BIT(16) + #define 
ROCKCHIP_PCIE_EP_MSI_CTRL_MASK_MSI_CAP BIT(24) + #define ROCKCHIP_PCIE_EP_DUMMY_IRQ_ADDR 0x1 +-#define ROCKCHIP_PCIE_EP_PCI_LEGACY_IRQ_ADDR 0x3 + #define ROCKCHIP_PCIE_EP_FUNC_BASE(fn) (((fn) << 12) & GENMASK(19, 12)) + #define ROCKCHIP_PCIE_AT_IB_EP_FUNC_BAR_ADDR0(fn, bar) \ + (PCIE_RC_RP_ATS_BASE + 0x0840 + (fn) * 0x0040 + (bar) * 0x0008) diff --git a/tmp-5.10/pci-rockchip-set-address-alignment-for-endpoint-mode.patch b/tmp-5.10/pci-rockchip-set-address-alignment-for-endpoint-mode.patch new file mode 100644 index 00000000000..9091d7598b9 --- /dev/null +++ b/tmp-5.10/pci-rockchip-set-address-alignment-for-endpoint-mode.patch @@ -0,0 +1,35 @@ +From 7e6689b34a815bd379dfdbe9855d36f395ef056c Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 18 Apr 2023 09:46:58 +0200 +Subject: PCI: rockchip: Set address alignment for endpoint mode + +From: Damien Le Moal + +commit 7e6689b34a815bd379dfdbe9855d36f395ef056c upstream. + +The address translation unit of the rockchip EP controller does not use +the lower 8 bits of a PCIe-space address to map local memory. Thus we +must set the align feature field to 256 to let the user know about this +constraint. + +Link: https://lore.kernel.org/r/20230418074700.1083505-12-rick.wertenbroek@gmail.com +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Signed-off-by: Damien Le Moal +Signed-off-by: Rick Wertenbroek +Signed-off-by: Lorenzo Pieralisi +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip-ep.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pci/controller/pcie-rockchip-ep.c ++++ b/drivers/pci/controller/pcie-rockchip-ep.c +@@ -485,6 +485,7 @@ static const struct pci_epc_features roc + .linkup_notifier = false, + .msi_capable = true, + .msix_capable = false, ++ .align = 256, + }; + + static const struct pci_epc_features* 
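Review bot: In the rewritten `rockchip_pcie_ep_assert_intx()`, `fn` is no longer used and `intx` only selects a bit in `ep->irq_pending`. Both writes to `PCIE_CLIENT_LEGACY_INT_CTRL` are the same whichever function or INTx line the caller asked for. If the client register can only drive one legacy interrupt, that limit should be stated above the function, for example `/* The client register drives a single legacy interrupt; fn and intx only affect the irq_pending bookkeeping. */` (wording to be confirmed against the TRM). The hunk also removes the only reader of `ep->irq_pending` visible here, so it is worth checking that the field is still consumed elsewhere; `rockchip_pcie_ep_send_legacy_irq()` lies outside the hunk.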
diff --git a/tmp-5.10/pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch b/tmp-5.10/pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch
new file mode 100644
index 00000000000..f2ff2aea147
--- /dev/null
+++ b/tmp-5.10/pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch
@@ -0,0 +1,76 @@ +From 8962b2cb39119cbda4fc69a1f83957824f102f81 Mon Sep 17 00:00:00 2001 +From: Rick Wertenbroek +Date: Tue, 18 Apr 2023 09:46:56 +0200 +Subject: PCI: rockchip: Use u32 variable to access 32-bit registers + +From: Rick Wertenbroek + +commit 8962b2cb39119cbda4fc69a1f83957824f102f81 upstream. + +Previously u16 variables were used to access 32-bit registers, this +resulted in not all of the data being read from the registers. Also +the left shift of more than 16-bits would result in moving data out +of the variable. Use u32 variables to access 32-bit registers + +Link: https://lore.kernel.org/r/20230418074700.1083505-10-rick.wertenbroek@gmail.com +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Tested-by: Damien Le Moal +Signed-off-by: Rick Wertenbroek +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip-ep.c | 10 +++++----- + drivers/pci/controller/pcie-rockchip.h | 1 + + 2 files changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/pci/controller/pcie-rockchip-ep.c ++++ b/drivers/pci/controller/pcie-rockchip-ep.c +@@ -314,15 +314,15 @@ static int rockchip_pcie_ep_set_msi(stru + { + struct rockchip_pcie_ep *ep = epc_get_drvdata(epc); + struct rockchip_pcie *rockchip = &ep->rockchip; +- u16 flags; ++ u32 flags; + + flags = rockchip_pcie_read(rockchip, + ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + + ROCKCHIP_PCIE_EP_MSI_CTRL_REG); + flags &= ~ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_MASK; + flags |= +- ((multi_msg_cap << 1) << ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET) | +- PCI_MSI_FLAGS_64BIT; ++ (multi_msg_cap << ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET) | ++ (PCI_MSI_FLAGS_64BIT << ROCKCHIP_PCIE_EP_MSI_FLAGS_OFFSET); + flags &= ~ROCKCHIP_PCIE_EP_MSI_CTRL_MASK_MSI_CAP; + rockchip_pcie_write(rockchip, flags, + ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + +@@ -334,7 +334,7 @@ static int rockchip_pcie_ep_get_msi(stru + { + struct 
rockchip_pcie_ep *ep = epc_get_drvdata(epc); + struct rockchip_pcie *rockchip = &ep->rockchip; +- u16 flags; ++ u32 flags; + + flags = rockchip_pcie_read(rockchip, + ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + +@@ -395,7 +395,7 @@ static int rockchip_pcie_ep_send_msi_irq + u8 interrupt_num) + { + struct rockchip_pcie *rockchip = &ep->rockchip; +- u16 flags, mme, data, data_mask; ++ u32 flags, mme, data, data_mask; + u8 msi_count; + u64 pci_addr, pci_addr_mask = 0xff; + +--- a/drivers/pci/controller/pcie-rockchip.h ++++ b/drivers/pci/controller/pcie-rockchip.h +@@ -232,6 +232,7 @@ + #define ROCKCHIP_PCIE_EP_CMD_STATUS 0x4 + #define ROCKCHIP_PCIE_EP_CMD_STATUS_IS BIT(19) + #define ROCKCHIP_PCIE_EP_MSI_CTRL_REG 0x90 ++#define ROCKCHIP_PCIE_EP_MSI_FLAGS_OFFSET 16 + #define ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET 17 + #define ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_MASK GENMASK(19, 17) + #define ROCKCHIP_PCIE_EP_MSI_CTRL_MME_OFFSET 20 diff --git a/tmp-5.10/pci-rockchip-write-pci-device-id-to-correct-register.patch b/tmp-5.10/pci-rockchip-write-pci-device-id-to-correct-register.patch new file mode 100644 index 00000000000..261c43d4c83 --- /dev/null +++ b/tmp-5.10/pci-rockchip-write-pci-device-id-to-correct-register.patch 
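Review bot: In `rockchip_pcie_ep_set_msi()`, `multi_msg_cap << ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET` is OR-ed into `flags` without being limited to the MMC field that was cleared just before. Now that `flags` is 32 bits wide, a value above 7 would carry into the bits from `ROCKCHIP_PCIE_EP_MSI_CTRL_MME_OFFSET` (20) upward. The parameter's type and range are declared outside the hunk, so this is a guard rather than a known fault. Masking keeps the write inside the field: `((multi_msg_cap << ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET) & ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_MASK)`.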
@@ -0,0 +1,60 @@ +From 1f1c42ece18de365c976a060f3c8eb481b038e3a Mon Sep 17 00:00:00 2001 +From: Rick Wertenbroek +Date: Tue, 18 Apr 2023 09:46:49 +0200 +Subject: PCI: rockchip: Write PCI Device ID to correct register + +From: Rick Wertenbroek + +commit 1f1c42ece18de365c976a060f3c8eb481b038e3a upstream. + +Write PCI Device ID (DID) to the correct register. The Device ID was not +updated through the correct register. Device ID was written to a read-only +register and therefore did not work. The Device ID is now set through the +correct register. This is documented in the RK3399 TRM section 17.6.6.1.1 + +Link: https://lore.kernel.org/r/20230418074700.1083505-3-rick.wertenbroek@gmail.com +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Tested-by: Damien Le Moal +Signed-off-by: Rick Wertenbroek +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip-ep.c | 6 ++++-- + drivers/pci/controller/pcie-rockchip.h | 2 ++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/pci/controller/pcie-rockchip-ep.c ++++ b/drivers/pci/controller/pcie-rockchip-ep.c +@@ -125,6 +125,7 @@ static void rockchip_pcie_prog_ep_ob_atu + static int rockchip_pcie_ep_write_header(struct pci_epc *epc, u8 fn, + struct pci_epf_header *hdr) + { ++ u32 reg; + struct rockchip_pcie_ep *ep = epc_get_drvdata(epc); + struct rockchip_pcie *rockchip = &ep->rockchip; + +@@ -137,8 +138,9 @@ static int rockchip_pcie_ep_write_header + PCIE_CORE_CONFIG_VENDOR); + } + +- rockchip_pcie_write(rockchip, hdr->deviceid << 16, +- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + PCI_VENDOR_ID); ++ reg = rockchip_pcie_read(rockchip, PCIE_EP_CONFIG_DID_VID); ++ reg = (reg & 0xFFFF) | (hdr->deviceid << 16); ++ rockchip_pcie_write(rockchip, reg, PCIE_EP_CONFIG_DID_VID); + + rockchip_pcie_write(rockchip, + hdr->revid | +--- a/drivers/pci/controller/pcie-rockchip.h ++++ 
b/drivers/pci/controller/pcie-rockchip.h +@@ -132,6 +132,8 @@ + #define PCIE_RC_RP_ATS_BASE 0x400000 + #define PCIE_RC_CONFIG_NORMAL_BASE 0x800000 + #define PCIE_RC_CONFIG_BASE 0xa00000 ++#define PCIE_EP_CONFIG_BASE 0xa00000 ++#define PCIE_EP_CONFIG_DID_VID (PCIE_EP_CONFIG_BASE + 0x00) + #define PCIE_RC_CONFIG_RID_CCR (PCIE_RC_CONFIG_BASE + 0x08) + #define PCIE_RC_CONFIG_SCC_SHIFT 16 + #define PCIE_RC_CONFIG_DCR (PCIE_RC_CONFIG_BASE + 0xc4) diff --git a/tmp-5.10/perf-arm-cmn-fix-dtc-reset.patch b/tmp-5.10/perf-arm-cmn-fix-dtc-reset.patch new file mode 100644 index 00000000000..348ead519d5 --- /dev/null +++ b/tmp-5.10/perf-arm-cmn-fix-dtc-reset.patch 
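Review bot: The new Device ID write in `rockchip_pcie_ep_write_header()` targets `PCIE_EP_CONFIG_DID_VID`, a fixed address with no `fn` term, whereas the removed line used `ROCKCHIP_PCIE_EP_FUNC_BASE(fn)`. If the controller exposes more than one function, each call would overwrite the same ID, so a comment such as `/* Device ID register is common to all functions; fn is not used here */` should record that this is intended, if it matches the TRM. Separately, `hdr->deviceid << 16` is evaluated as `int` if `deviceid` is a 16-bit field (its declaration is outside the hunk). Writing `((u32)hdr->deviceid << 16)` and `GENMASK(15, 0)` in place of `0xFFFF` would make the widths explicit.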
@@ -0,0 +1,58 @@ +From 3195003f3d8632e1770a6f306d15c154a3b7e815 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 May 2023 17:44:32 +0100 +Subject: perf/arm-cmn: Fix DTC reset + +From: Robin Murphy + +[ Upstream commit 71746c995cac92fcf6a65661b51211cf2009d7f0 ] + +It turns out that my naive DTC reset logic fails to work as intended, +since, after checking with the hardware designers, the PMU actually +needs to be fully enabled in order to correctly clear any pending +overflows. Therefore, invert the sequence to start with turning on both +enables so that we can reliably get the DTCs into a known state, then +moving to our normal counters-stopped state from there. Since all the +DTM counters have already been unpaired during the initial discovery +pass, we just need to additionally reset the cycle counters to ensure +that no other unexpected overflows occur during this period. + +Fixes: 0ba64770a2f2 ("perf: Add Arm CMN-600 PMU driver") +Reported-by: Geoff Blake +Signed-off-by: Robin Murphy +Link: https://lore.kernel.org/r/0ea4559261ea394f827c9aee5168c77a60aaee03.1684946389.git.robin.murphy@arm.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/arm-cmn.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/perf/arm-cmn.c b/drivers/perf/arm-cmn.c +index bb019e3839888..36061aaf026c8 100644 +--- a/drivers/perf/arm-cmn.c ++++ b/drivers/perf/arm-cmn.c +@@ -1254,9 +1254,10 @@ static int arm_cmn_init_dtc(struct arm_cmn *cmn, struct arm_cmn_node *dn, int id + if (dtc->irq < 0) + return dtc->irq; + +- writel_relaxed(0, dtc->base + CMN_DT_PMCR); ++ writel_relaxed(CMN_DT_DTC_CTL_DT_EN, dtc->base + CMN_DT_DTC_CTL); ++ writel_relaxed(CMN_DT_PMCR_PMU_EN | CMN_DT_PMCR_OVFL_INTR_EN, dtc->base + CMN_DT_PMCR); ++ writeq_relaxed(0, dtc->base + CMN_DT_PMCCNTR); + writel_relaxed(0x1ff, dtc->base + CMN_DT_PMOVSR_CLR); +- writel_relaxed(CMN_DT_PMCR_OVFL_INTR_EN, dtc->base + CMN_DT_PMCR); + + /* We do at least know that 
a DTC's XP must be in that DTC's domain */ + xp = arm_cmn_node_to_xp(dn); +@@ -1303,7 +1304,7 @@ static int arm_cmn_init_dtcs(struct arm_cmn *cmn) + dn->type = CMN_TYPE_RNI; + } + +- writel_relaxed(CMN_DT_DTC_CTL_DT_EN, cmn->dtc[0].base + CMN_DT_DTC_CTL); ++ arm_cmn_set_state(cmn, CMN_STATE_DISABLED); + + return 0; + } +-- +2.39.2 + diff --git a/tmp-5.10/perf-bench-add-missing-setlocale-call-to-allow-usage.patch b/tmp-5.10/perf-bench-add-missing-setlocale-call-to-allow-usage.patch new file mode 100644 index 00000000000..dfd3c5a92b0 --- /dev/null +++ b/tmp-5.10/perf-bench-add-missing-setlocale-call-to-allow-usage.patch 
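Review bot: The writes added to `arm_cmn_init_dtc()` depend on their order, and nothing in the code says so. According to the commit message, the PMU has to be fully enabled before the `CMN_DT_PMOVSR_CLR` write can clear pending overflows. A short comment above the sequence, e.g. `/* PMU must be fully enabled for the overflow clear below to take effect */`, would keep a later cleanup from reordering them. The `0x1ff` overflow mask also remains a bare literal, and a named constant would say which counters it covers. The function continues past the end of the hunk.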
@@ -0,0 +1,79 @@ +From e28c7b563899e05f44bbbc0213b34a0103b60b4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 15:38:25 -0300 +Subject: perf bench: Add missing setlocale() call to allow usage of %'d style + formatting + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 16203e9cd01896b4244100a8e3fb9f6e612ab2b1 ] + +Without this we were not getting the thousands separator for big +numbers. + +Noticed while developing 'perf bench uprobe', but the use of %' predates +that, for instance 'perf bench syscall' uses it. + +Before: + + # perf bench uprobe all + # Running uprobe/baseline benchmark... + # Executed 1000 usleep(1000) calls + Total time: 1054082243ns + + 1054082.243000 nsecs/op + + # + +After: + + # perf bench uprobe all + # Running uprobe/baseline benchmark... + # Executed 1,000 usleep(1000) calls + Total time: 1,053,715,144ns + + 1,053,715.144000 nsecs/op + + # + +Fixes: c2a08203052f8975 ("perf bench: Add basic syscall benchmark") +Cc: Adrian Hunter +Cc: Andre Fredette +Cc: Clark Williams +Cc: Dave Tucker +Cc: Davidlohr Bueso +Cc: Derek Barbosa +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Tiezhu Yang +Link: https://lore.kernel.org/lkml/ZH3lcepZ4tBYr1jv@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-bench.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/builtin-bench.c b/tools/perf/builtin-bench.c +index 609a941ae2963..fb3029495c23c 100644 +--- a/tools/perf/builtin-bench.c ++++ b/tools/perf/builtin-bench.c +@@ -21,6 +21,7 @@ + #include "builtin.h" + #include "bench/bench.h" + ++#include + #include + #include + #include +@@ -247,6 +248,7 @@ int cmd_bench(int argc, const char **argv) + + /* Unbuffered output */ + setvbuf(stdout, NULL, _IONBF, 0); ++ setlocale(LC_ALL, ""); + + if (argc < 2) { + /* No collection specified. */ +-- +2.39.2 + 
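Review bot: With `setlocale(LC_ALL, "")` in `cmd_bench()`, the numeric output of `perf bench` now depends on the caller's environment. Besides the thousands separator, the decimal point in lines such as `nsecs/op` follows the locale. Anything that parses this output would have to run with `LC_ALL=C`, and a comment next to the call should say so, e.g. `/* enables %'d grouping; numeric output now follows the user's locale */`. If only digit grouping is wanted, `setlocale(LC_NUMERIC, "")` leaves the other categories at "C".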
diff --git a/tmp-5.10/perf-bench-use-unbuffered-output-when-pipe-tee-ing-t.patch b/tmp-5.10/perf-bench-use-unbuffered-output-when-pipe-tee-ing-t.patch
new file mode 100644
index 00000000000..af44d8258e3
--- /dev/null
+++ b/tmp-5.10/perf-bench-use-unbuffered-output-when-pipe-tee-ing-t.patch
@@ -0,0 +1,101 @@ +From 8201231b1c9bdae247ab23e09a3a6e95869c717e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Nov 2021 08:14:08 +0200 +Subject: perf bench: Use unbuffered output when pipe/tee'ing to a file + +From: Sohaib Mohamed + +[ Upstream commit f0a29c9647ff8bbb424641f79bc1894e83dec218 ] + +The output of 'perf bench' gets buffered when I pipe it to a file or to +tee, in such a way that I can see it only at the end. + +E.g. + + $ perf bench internals synthesize -t + < output comes out fine after each test run > + + $ perf bench internals synthesize -t | tee file.txt + < output comes out only at the end of all tests > + +This patch resolves this issue for 'bench' and 'test' subcommands. + +See, also: + + $ perf bench mem all | tee file.txt + $ perf bench sched all | tee file.txt + $ perf bench internals all -t | tee file.txt + $ perf bench internals all | tee file.txt + +Committer testing: + +It really gets staggered, i.e. outputs in bursts, when the buffer fills +up and has to be drained to make up space for more output. 
+ +Suggested-by: Riccardo Mancini +Signed-off-by: Sohaib Mohamed +Tested-by: Arnaldo Carvalho de Melo +Acked-by: Jiri Olsa +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Fabian Hemmer +Cc: Ian Rogers +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/20211119061409.78004-1-sohaib.amhmd@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 16203e9cd018 ("perf bench: Add missing setlocale() call to allow usage of %'d style formatting") +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-bench.c | 5 +++-- + tools/perf/tests/builtin-test.c | 3 +++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-bench.c b/tools/perf/builtin-bench.c +index 62a7b7420a448..609a941ae2963 100644 +--- a/tools/perf/builtin-bench.c ++++ b/tools/perf/builtin-bench.c +@@ -225,7 +225,6 @@ static void run_collection(struct collection *coll) + if (!bench->fn) + break; + printf("# Running %s/%s benchmark...\n", coll->name, bench->name); +- fflush(stdout); + + argv[1] = bench->name; + run_bench(coll->name, bench->name, bench->fn, 1, argv); +@@ -246,6 +245,9 @@ int cmd_bench(int argc, const char **argv) + struct collection *coll; + int ret = 0; + ++ /* Unbuffered output */ ++ setvbuf(stdout, NULL, _IONBF, 0); ++ + if (argc < 2) { + /* No collection specified. 
*/ + print_usage(); +@@ -299,7 +301,6 @@ int cmd_bench(int argc, const char **argv) + + if (bench_format == BENCH_FORMAT_DEFAULT) + printf("# Running '%s/%s' benchmark:\n", coll->name, bench->name); +- fflush(stdout); + ret = run_bench(coll->name, bench->name, bench->fn, argc-1, argv+1); + goto end; + } +diff --git a/tools/perf/tests/builtin-test.c b/tools/perf/tests/builtin-test.c +index 132bdb3e6c31a..73c911dd0c2ca 100644 +--- a/tools/perf/tests/builtin-test.c ++++ b/tools/perf/tests/builtin-test.c +@@ -793,6 +793,9 @@ int cmd_test(int argc, const char **argv) + if (ret < 0) + return ret; + ++ /* Unbuffered output */ ++ setvbuf(stdout, NULL, _IONBF, 0); ++ + argc = parse_options_subcommand(argc, argv, test_options, test_subcommands, test_usage, 0); + if (argc >= 1 && !strcmp(argv[0], "list")) + return perf_test__list(argc - 1, argv + 1); +-- +2.39.2 + diff --git a/tmp-5.10/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch b/tmp-5.10/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch new file mode 100644 index 00000000000..b4016bff444 --- /dev/null +++ b/tmp-5.10/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch 
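Review bot: `setvbuf(stdout, NULL, _IONBF, 0)` in `cmd_bench()` and `cmd_test()` turns every stdio call on stdout into its own write, which may add system calls inside timed regions if a benchmark prints while measuring. The problem described in the commit message is output being held back when stdout is a pipe, and line buffering resolves that as well: `setvbuf(stdout, NULL, _IOLBF, 0);`. In `cmd_test()` the call sits after an earlier step that can fail and return. Since `setvbuf()` is only valid before any other operation on the stream, it is worth confirming that nothing above it (outside the hunk) writes to stdout.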
@@ -0,0 +1,45 @@ +From afc9137bd4a179e2ec35946840e665b3ea36f5c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jun 2023 16:41:01 -0700 +Subject: perf dwarf-aux: Fix off-by-one in die_get_varname() + +From: Namhyung Kim + +[ Upstream commit 3abfcfd847717d232e36963f31a361747c388fe7 ] + +The die_get_varname() returns "(unknown_type)" string if it failed to +find a type for the variable. But it had a space before the opening +parenthesis and it made the closing parenthesis cut off due to the +off-by-one in the string length (14). + +Signed-off-by: Namhyung Kim +Fixes: 88fd633cdfa19060 ("perf probe: No need to use formatting strbuf method") +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Masami Hiramatsu +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20230612234102.3909116-1-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/dwarf-aux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c +index f8a10d5148f6f..443374a77c8dc 100644 +--- a/tools/perf/util/dwarf-aux.c ++++ b/tools/perf/util/dwarf-aux.c +@@ -1081,7 +1081,7 @@ int die_get_varname(Dwarf_Die *vr_die, struct strbuf *buf) + ret = die_get_typename(vr_die, buf); + if (ret < 0) { + pr_debug("Failed to get type, make it unknown.\n"); +- ret = strbuf_add(buf, " (unknown_type)", 14); ++ ret = strbuf_add(buf, "(unknown_type)", 14); + } + + return ret < 0 ? ret : strbuf_addf(buf, "\t%s", dwarf_diename(vr_die)); +-- +2.39.2 + diff --git a/tmp-5.10/perf-ibs-fix-interface-via-core-pmu-events.patch b/tmp-5.10/perf-ibs-fix-interface-via-core-pmu-events.patch new file mode 100644 index 00000000000..42eeec48ebf --- /dev/null +++ b/tmp-5.10/perf-ibs-fix-interface-via-core-pmu-events.patch 
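Review bot: The fix in `die_get_varname()` still passes the literal's length as a hand-counted `14`, which is how the closing parenthesis came to be cut off in the first place. Letting the helper or the compiler compute the length removes that coupling: `ret = strbuf_addstr(buf, "(unknown_type)");`, or `strbuf_add(buf, "(unknown_type)", sizeof("(unknown_type)") - 1)` if the explicit-length form is preferred. The start of the function is outside the hunk.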
@@ -0,0 +1,164 @@ +From f5702368ee74168d7e8437fd0421f50a92c21bb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 16:30:01 +0530 +Subject: perf/ibs: Fix interface via core pmu events + +From: Ravi Bangoria + +[ Upstream commit 2fad201fe38ff9a692acedb1990ece2c52a29f95 ] + +Although, IBS pmus can be invoked via their own interface, indirect +IBS invocation via core pmu events is also supported with fixed set +of events: cpu-cycles:p, r076:p (same as cpu-cycles:p) and r0C1:p +(micro-ops) for user convenience. + +This indirect IBS invocation is broken since commit 66d258c5b048 +("perf/core: Optimize perf_init_event()"), which added RAW pmu under +'pmu_idr' list and thus if event_init() fails with RAW pmu, it started +returning error instead of trying other pmus. + +Forward precise events from core pmu to IBS by overwriting 'type' and +'config' in the kernel copy of perf_event_attr. Overwriting will cause +perf_init_event() to retry with updated 'type' and 'config', which will +automatically forward event to IBS pmu. + +Without patch: + $ sudo ./perf record -C 0 -e r076:p -- sleep 1 + Error: + The r076:p event is not supported. 
+ +With patch: + $ sudo ./perf record -C 0 -e r076:p -- sleep 1 + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.341 MB perf.data (37 samples) ] + +Fixes: 66d258c5b048 ("perf/core: Optimize perf_init_event()") +Reported-by: Stephane Eranian +Signed-off-by: Ravi Bangoria +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20230504110003.2548-3-ravi.bangoria@amd.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/amd/core.c | 2 +- + arch/x86/events/amd/ibs.c | 53 +++++++++++++++---------------- + arch/x86/include/asm/perf_event.h | 2 ++ + 3 files changed, 29 insertions(+), 28 deletions(-) + +diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c +index 52eba415928a3..afc955340f81c 100644 +--- a/arch/x86/events/amd/core.c ++++ b/arch/x86/events/amd/core.c +@@ -364,7 +364,7 @@ static int amd_pmu_hw_config(struct perf_event *event) + + /* pass precise event sampling to ibs: */ + if (event->attr.precise_ip && get_ibs_caps()) +- return -ENOENT; ++ return forward_event_to_ibs(event); + + if (has_branch_stack(event)) + return -EOPNOTSUPP; +diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c +index 8a85658a24cc1..354d52e17ef55 100644 +--- a/arch/x86/events/amd/ibs.c ++++ b/arch/x86/events/amd/ibs.c +@@ -202,7 +202,7 @@ static struct perf_ibs *get_ibs_pmu(int type) + } + + /* +- * Use IBS for precise event sampling: ++ * core pmu config -> IBS config + * + * perf record -a -e cpu-cycles:p ... # use ibs op counting cycle count + * perf record -a -e r076:p ... # same as -e cpu-cycles:p +@@ -211,25 +211,9 @@ static struct perf_ibs *get_ibs_pmu(int type) + * IbsOpCntCtl (bit 19) of IBS Execution Control Register (IbsOpCtl, + * MSRC001_1033) is used to select either cycle or micro-ops counting + * mode. +- * +- * The rip of IBS samples has skid 0. Thus, IBS supports precise +- * levels 1 and 2 and the PERF_EFLAGS_EXACT is set. 
In rare cases the +- * rip is invalid when IBS was not able to record the rip correctly. +- * We clear PERF_EFLAGS_EXACT and take the rip from pt_regs then. +- * + */ +-static int perf_ibs_precise_event(struct perf_event *event, u64 *config) ++static int core_pmu_ibs_config(struct perf_event *event, u64 *config) + { +- switch (event->attr.precise_ip) { +- case 0: +- return -ENOENT; +- case 1: +- case 2: +- break; +- default: +- return -EOPNOTSUPP; +- } +- + switch (event->attr.type) { + case PERF_TYPE_HARDWARE: + switch (event->attr.config) { +@@ -255,22 +239,37 @@ static int perf_ibs_precise_event(struct perf_event *event, u64 *config) + return -EOPNOTSUPP; + } + ++/* ++ * The rip of IBS samples has skid 0. Thus, IBS supports precise ++ * levels 1 and 2 and the PERF_EFLAGS_EXACT is set. In rare cases the ++ * rip is invalid when IBS was not able to record the rip correctly. ++ * We clear PERF_EFLAGS_EXACT and take the rip from pt_regs then. ++ */ ++int forward_event_to_ibs(struct perf_event *event) ++{ ++ u64 config = 0; ++ ++ if (!event->attr.precise_ip || event->attr.precise_ip > 2) ++ return -EOPNOTSUPP; ++ ++ if (!core_pmu_ibs_config(event, &config)) { ++ event->attr.type = perf_ibs_op.pmu.type; ++ event->attr.config = config; ++ } ++ return -ENOENT; ++} ++ + static int perf_ibs_init(struct perf_event *event) + { + struct hw_perf_event *hwc = &event->hw; + struct perf_ibs *perf_ibs; + u64 max_cnt, config; +- int ret; + + perf_ibs = get_ibs_pmu(event->attr.type); +- if (perf_ibs) { +- config = event->attr.config; +- } else { +- perf_ibs = &perf_ibs_op; +- ret = perf_ibs_precise_event(event, &config); +- if (ret) +- return ret; +- } ++ if (!perf_ibs) ++ return -ENOENT; ++ ++ config = event->attr.config; + + if (event->pmu != &perf_ibs->pmu) + return -ENOENT; +diff --git a/arch/x86/include/asm/perf_event.h b/arch/x86/include/asm/perf_event.h +index b9a7fd0a27e2d..a4e4bbb7795d3 100644 +--- a/arch/x86/include/asm/perf_event.h ++++ 
b/arch/x86/include/asm/perf_event.h +@@ -412,8 +412,10 @@ struct pebs_xmm { + + #ifdef CONFIG_X86_LOCAL_APIC + extern u32 get_ibs_caps(void); ++extern int forward_event_to_ibs(struct perf_event *event); + #else + static inline u32 get_ibs_caps(void) { return 0; } ++static inline int forward_event_to_ibs(struct perf_event *event) { return -ENOENT; } + #endif + + #ifdef CONFIG_PERF_EVENTS +-- +2.39.2 + diff --git a/tmp-5.10/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch b/tmp-5.10/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch new file mode 100644 index 00000000000..ac282bd2634 --- /dev/null +++ b/tmp-5.10/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch 
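Review bot: The comment placed above the new `forward_event_to_ibs()` describes rip skid and `PERF_EFLAGS_EXACT`, not what the function does. It rewrites `event->attr.type` and `event->attr.config` in place and returns `-ENOENT` on every path past the `precise_ip` check, which per the commit message makes `perf_init_event()` retry with the new values. That contract should be stated at the function, for example `/* Rewrites attr.type/config to the IBS op PMU and returns -ENOENT so perf_init_event() retries; attr is untouched if the event has no IBS equivalent. */`. The return value of `core_pmu_ibs_config()` is also dropped, so an event it rejects with `-EOPNOTSUPP` reaches the caller as `-ENOENT`. If that is intended, it belongs in the same comment.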
@@ -0,0 +1,115 @@ +From 56cbeacf143530576905623ac72ae0964f3293a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Georg=20M=C3=BCller?= +Date: Wed, 28 Jun 2023 10:45:50 +0200 +Subject: perf probe: Add test for regression introduced by switch to die_get_decl_file() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Georg Müller + +commit 56cbeacf143530576905623ac72ae0964f3293a6 upstream. + +This patch adds a test to validate that 'perf probe' works for binaries +where DWARF info is split into multiple CUs + +Signed-off-by: Georg Müller +Acked-by: Masami Hiramatsu (Google) +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: regressions@lists.linux.dev +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230628084551.1860532-5-georgmueller@gmx.net +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/shell/test_uprobe_from_different_cu.sh | 77 ++++++++++++++++ + 1 file changed, 77 insertions(+) + create mode 100755 tools/perf/tests/shell/test_uprobe_from_different_cu.sh + +--- /dev/null ++++ b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh +@@ -0,0 +1,77 @@ ++#!/bin/bash ++# test perf probe of function from different CU ++# SPDX-License-Identifier: GPL-2.0 ++ ++set -e ++ ++temp_dir=$(mktemp -d /tmp/perf-uprobe-different-cu-sh.XXXXXXXXXX) ++ ++cleanup() ++{ ++ trap - EXIT TERM INT ++ if [[ "${temp_dir}" =~ ^/tmp/perf-uprobe-different-cu-sh.*$ ]]; then ++ echo "--- Cleaning up ---" ++ perf probe -x ${temp_dir}/testfile -d foo ++ rm -f "${temp_dir}/"* ++ rmdir "${temp_dir}" ++ fi ++} ++ ++trap_cleanup() ++{ ++ cleanup ++ exit 1 ++} ++ ++trap trap_cleanup EXIT TERM INT ++ ++cat > ${temp_dir}/testfile-foo.h << EOF ++struct t ++{ ++ int *p; ++ int c; ++}; ++ ++extern int foo (int i, struct t *t); ++EOF ++ ++cat > ${temp_dir}/testfile-foo.c << EOF ++#include 
"testfile-foo.h" ++ ++int ++foo (int i, struct t *t) ++{ ++ int j, res = 0; ++ for (j = 0; j < i && j < t->c; j++) ++ res += t->p[j]; ++ ++ return res; ++} ++EOF ++ ++cat > ${temp_dir}/testfile-main.c << EOF ++#include "testfile-foo.h" ++ ++static struct t g; ++ ++int ++main (int argc, char **argv) ++{ ++ int i; ++ int j[argc]; ++ g.c = argc; ++ g.p = j; ++ for (i = 0; i < argc; i++) ++ j[i] = (int) argv[i][0]; ++ return foo (3, &g); ++} ++EOF ++ ++gcc -g -Og -flto -c ${temp_dir}/testfile-foo.c -o ${temp_dir}/testfile-foo.o ++gcc -g -Og -c ${temp_dir}/testfile-main.c -o ${temp_dir}/testfile-main.o ++gcc -g -Og -o ${temp_dir}/testfile ${temp_dir}/testfile-foo.o ${temp_dir}/testfile-main.o ++ ++perf probe -x ${temp_dir}/testfile --funcs foo ++perf probe -x ${temp_dir}/testfile foo ++ ++cleanup diff --git a/tmp-5.10/perf-script-fix-allocation-of-evsel-priv-related-to-.patch b/tmp-5.10/perf-script-fix-allocation-of-evsel-priv-related-to-.patch new file mode 100644 index 00000000000..1df3551be70 --- /dev/null +++ b/tmp-5.10/perf-script-fix-allocation-of-evsel-priv-related-to-.patch 
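Review bot: In `cleanup()`, `perf probe -x ${temp_dir}/testfile -d foo` runs under `set -e` after the traps have been reset. If it fails (for instance when a `gcc` step failed and no probe was ever added), the script would exit before `rm -f` and `rmdir`, leaving the `mktemp` directory behind in `/tmp`. Making the probe removal best-effort keeps the cleanup going: `perf probe -x "${temp_dir}/testfile" -d foo || true`. The `${temp_dir}` expansions are also unquoted throughout, and the `.` in the `=~` guard is an unescaped wildcard. Quoting the expansions and using `\.` would make the guard match only the intended prefix.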
@@ -0,0 +1,100 @@ +From f50d14617f42085af74c4bf2ec8c0040a60641ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jun 2023 16:11:10 -0300 +Subject: perf script: Fix allocation of evsel->priv related to per-event dump + files + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 36d3e4138e1b6cc9ab179f3f397b5548f8b1eaae ] + +When printing output we may want to generate per event files, where the +--per-event-dump option should be used, creating perf.data.EVENT.dump +files instead of printing to stdout. + +The callback thar processes event thus expects that evsel->priv->fp +should point to either the per-event FILE descriptor or to stdout. + +The a3af66f51bd0bca7 ("perf script: Fix crash because of missing +evsel->priv") changeset fixed a case where evsel->priv wasn't setup, +thus set to NULL, causing a segfault when trying to access +evsel->priv->fp. + +But it did it for the non --per-event-dump case by allocating a 'struct +perf_evsel_script' just to set its ->fp to stdout. + +Since evsel->priv is only freed when --per-event-dump is used, we ended +up with a memory leak, detected using ASAN. + +Fix it by using the same method as perf_script__setup_per_event_dump(), +and reuse that static 'struct perf_evsel_script'. + +Also check if evsel_script__new() failed. 
+ +Fixes: a3af66f51bd0bca7 ("perf script: Fix crash because of missing evsel->priv") +Reported-by: Ian Rogers +Tested-by: Ian Rogers +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Ravi Bangoria +Link: https://lore.kernel.org/lkml/ZH+F0wGAWV14zvMP@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-script.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c +index 5651714e527c5..85befbacb2a44 100644 +--- a/tools/perf/builtin-script.c ++++ b/tools/perf/builtin-script.c +@@ -2146,6 +2146,9 @@ static int process_sample_event(struct perf_tool *tool, + return 0; + } + ++// Used when scr->per_event_dump is not set ++static struct evsel_script es_stdout; ++ + static int process_attr(struct perf_tool *tool, union perf_event *event, + struct evlist **pevlist) + { +@@ -2154,7 +2157,6 @@ static int process_attr(struct perf_tool *tool, union perf_event *event, + struct evsel *evsel, *pos; + u64 sample_type; + int err; +- static struct evsel_script *es; + + err = perf_event__process_attr(tool, event, pevlist); + if (err) +@@ -2164,14 +2166,13 @@ static int process_attr(struct perf_tool *tool, union perf_event *event, + evsel = evlist__last(*pevlist); + + if (!evsel->priv) { +- if (scr->per_event_dump) { ++ if (scr->per_event_dump) { + evsel->priv = evsel_script__new(evsel, scr->session->data); +- } else { +- es = zalloc(sizeof(*es)); +- if (!es) ++ if (!evsel->priv) + return -ENOMEM; +- es->fp = stdout; +- evsel->priv = es; ++ } else { // Replicate what is done in perf_script__setup_per_event_dump() ++ es_stdout.fp = stdout; ++ evsel->priv = &es_stdout; + } + } + +@@ -2455,7 +2456,6 @@ static int perf_script__fopen_per_event_dump(struct perf_script *script) + static int perf_script__setup_per_event_dump(struct perf_script *script) + { + struct evsel *evsel; +- static struct evsel_script es_stdout; + + if 
(script->per_event_dump) + return perf_script__fopen_per_event_dump(script); +-- +2.39.2 + diff --git a/tmp-5.10/perf-script-fixup-struct-evsel_script-method-prefix.patch b/tmp-5.10/perf-script-fixup-struct-evsel_script-method-prefix.patch new file mode 100644 index 00000000000..56f0dbfa830 --- /dev/null +++ b/tmp-5.10/perf-script-fixup-struct-evsel_script-method-prefix.patch 
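Review bot: The comment on the new file-scope `es_stdout` in tools/perf/builtin-script.c says only when it is used, not the constraint that makes sharing it safe: it must never reach `evsel_script__delete()`. The rename patch on this page shows that function calling `fclose(es->fp)` and `free(es)`, which on this object would close stdout and free static storage. I would extend the comment to something like `/* Shared by every evsel when scr->per_event_dump is not set; static, ->fp == stdout, must not be passed to evsel_script__delete() */`. The bodies of process_attr() and perf_script__setup_per_event_dump() extend outside the hunks, so the paths that free `evsel->priv` should be checked against that rule.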
@@ -0,0 +1,93 @@ +From 5b24663f20196fd75452e5152d8e1df6f9e97d49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Mar 2021 08:59:21 -0300 +Subject: perf script: Fixup 'struct evsel_script' method prefix + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 297e69bfa4c7aa27259dd456af1377e868337043 ] + +They all operate on 'struct evsel_script' instances, so should be +prefixed with evsel_script__, not with perf_evsel_script__. + +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 36d3e4138e1b ("perf script: Fix allocation of evsel->priv related to per-event dump files") +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-script.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c +index 5109d01619eed..5651714e527c5 100644 +--- a/tools/perf/builtin-script.c ++++ b/tools/perf/builtin-script.c +@@ -295,8 +295,7 @@ static inline struct evsel_script *evsel_script(struct evsel *evsel) + return (struct evsel_script *)evsel->priv; + } + +-static struct evsel_script *perf_evsel_script__new(struct evsel *evsel, +- struct perf_data *data) ++static struct evsel_script *evsel_script__new(struct evsel *evsel, struct perf_data *data) + { + struct evsel_script *es = zalloc(sizeof(*es)); + +@@ -316,7 +315,7 @@ static struct evsel_script *perf_evsel_script__new(struct evsel *evsel, + return NULL; + } + +-static void perf_evsel_script__delete(struct evsel_script *es) ++static void evsel_script__delete(struct evsel_script *es) + { + zfree(&es->filename); + fclose(es->fp); +@@ -324,7 +323,7 @@ static void perf_evsel_script__delete(struct evsel_script *es) + free(es); + } + +-static int perf_evsel_script__fprintf(struct evsel_script *es, FILE *fp) ++static int evsel_script__fprintf(struct evsel_script *es, FILE *fp) + { + struct stat st; + +@@ -2166,8 +2165,7 @@ static int process_attr(struct perf_tool *tool, union perf_event *event, + + if (!evsel->priv) { + if 
(scr->per_event_dump) { +- evsel->priv = perf_evsel_script__new(evsel, +- scr->session->data); ++ evsel->priv = evsel_script__new(evsel, scr->session->data); + } else { + es = zalloc(sizeof(*es)); + if (!es) +@@ -2422,7 +2420,7 @@ static void perf_script__fclose_per_event_dump(struct perf_script *script) + evlist__for_each_entry(evlist, evsel) { + if (!evsel->priv) + break; +- perf_evsel_script__delete(evsel->priv); ++ evsel_script__delete(evsel->priv); + evsel->priv = NULL; + } + } +@@ -2442,7 +2440,7 @@ static int perf_script__fopen_per_event_dump(struct perf_script *script) + if (evsel->priv != NULL) + continue; + +- evsel->priv = perf_evsel_script__new(evsel, script->session->data); ++ evsel->priv = evsel_script__new(evsel, script->session->data); + if (evsel->priv == NULL) + goto out_err_fclose; + } +@@ -2477,8 +2475,8 @@ static void perf_script__exit_per_event_dump_stats(struct perf_script *script) + evlist__for_each_entry(script->session->evlist, evsel) { + struct evsel_script *es = evsel->priv; + +- perf_evsel_script__fprintf(es, stdout); +- perf_evsel_script__delete(es); ++ evsel_script__fprintf(es, stdout); ++ evsel_script__delete(es); + evsel->priv = NULL; + } + } +-- +2.39.2 + diff --git a/tmp-5.10/phy-tegra-xusb-check-return-value-of-devm_kzalloc.patch b/tmp-5.10/phy-tegra-xusb-check-return-value-of-devm_kzalloc.patch new file mode 100644 index 00000000000..a96836cf494 --- /dev/null +++ b/tmp-5.10/phy-tegra-xusb-check-return-value-of-devm_kzalloc.patch 
@@ -0,0 +1,40 @@ +From 9152640949d6706d102e5bf745dfee50d395f878 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 10:39:50 +0300 +Subject: phy: tegra: xusb: check return value of devm_kzalloc() + +From: Claudiu Beznea + +[ Upstream commit 44faada0f38fc333d392af04c343b0e23f8f5d81 ] + +devm_kzalloc() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: f67213cee2b3 ("phy: tegra: xusb: Add usb-role-switch support") +Signed-off-by: Claudiu Beznea +Acked-by: Thierry Reding +Link: https://lore.kernel.org/r/20230531073950.145339-1-claudiu.beznea@microchip.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/tegra/xusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c +index f93be3c4a4a6e..8f11b293c48d1 100644 +--- a/drivers/phy/tegra/xusb.c ++++ b/drivers/phy/tegra/xusb.c +@@ -663,6 +663,9 @@ static int tegra_xusb_setup_usb_role_switch(struct tegra_xusb_port *port) + port->dev.driver = devm_kzalloc(&port->dev, + sizeof(struct device_driver), + GFP_KERNEL); ++ if (!port->dev.driver) ++ return -ENOMEM; ++ + port->dev.driver->owner = THIS_MODULE; + + port->usb_role_sw = usb_role_switch_register(&port->dev, +-- +2.39.2 + diff --git a/tmp-5.10/phy-tegra-xusb-clear-the-driver-reference-in-usb-phy-dev.patch b/tmp-5.10/phy-tegra-xusb-clear-the-driver-reference-in-usb-phy-dev.patch new file mode 100644 index 00000000000..4266f954b6b --- /dev/null +++ b/tmp-5.10/phy-tegra-xusb-clear-the-driver-reference-in-usb-phy-dev.patch 
@@ -0,0 +1,40 @@ +From c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d Mon Sep 17 00:00:00 2001 +From: EJ Hsu +Date: Fri, 9 Jun 2023 14:29:32 +0800 +Subject: phy: tegra: xusb: Clear the driver reference in usb-phy dev + +From: EJ Hsu + +commit c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d upstream. + +For the dual-role port, it will assign the phy dev to usb-phy dev and +use the port dev driver as the dev driver of usb-phy. + +When we try to destroy the port dev, it will destroy its dev driver +as well. But we did not remove the reference from usb-phy dev. This +might cause the use-after-free issue in KASAN. + +Fixes: e8f7d2f409a1 ("phy: tegra: xusb: Add usb-phy support") +Cc: stable@vger.kernel.org + +Signed-off-by: EJ Hsu +Signed-off-by: Haotien Hsu +Acked-by: Thierry Reding +Acked-by: Jon Hunter +Link: https://lore.kernel.org/r/20230609062932.3276509-1-haotienh@nvidia.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/tegra/xusb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/phy/tegra/xusb.c ++++ b/drivers/phy/tegra/xusb.c +@@ -556,6 +556,7 @@ static void tegra_xusb_port_unregister(s + usb_role_switch_unregister(port->usb_role_sw); + cancel_work_sync(&port->usb_phy_work); + usb_remove_phy(&port->usb_phy); ++ port->usb_phy.dev->driver = NULL; + } + + if (port->ops->remove) diff --git a/tmp-5.10/pinctrl-amd-detect-internal-gpio0-debounce-handling.patch b/tmp-5.10/pinctrl-amd-detect-internal-gpio0-debounce-handling.patch new file mode 100644 index 00000000000..f3d1ccf3114 --- /dev/null +++ b/tmp-5.10/pinctrl-amd-detect-internal-gpio0-debounce-handling.patch 
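Review bot: The added `port->usb_phy.dev->driver = NULL;` in tegra_xusb_port_unregister() carries no comment, so the reason for it lives only in the commit message. A one-line comment such as `/* usb_phy.dev borrowed the port's driver struct, which goes away with the port; drop the stale pointer */` would stop a later cleanup from removing it as dead code. The line also dereferences `port->usb_phy.dev` unconditionally. The enclosing `if` and the code that sets that pointer are outside the hunk, so it is worth confirming the pointer is always set on this path.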
@@ -0,0 +1,77 @@ +From 968ab9261627fa305307e3935ca1a32fcddd36cb Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Fri, 21 Apr 2023 07:06:21 -0500 +Subject: pinctrl: amd: Detect internal GPIO0 debounce handling + +From: Mario Limonciello + +commit 968ab9261627fa305307e3935ca1a32fcddd36cb upstream. + +commit 4e5a04be88fe ("pinctrl: amd: disable and mask interrupts on probe") +had a mistake in loop iteration 63 that it would clear offset 0xFC instead +of 0x100. Offset 0xFC is actually `WAKE_INT_MASTER_REG`. This was +clearing bits 13 and 15 from the register which significantly changed the +expected handling for some platforms for GPIO0. + +commit b26cd9325be4 ("pinctrl: amd: Disable and mask interrupts on resume") +actually fixed this bug, but lead to regressions on Lenovo Z13 and some +other systems. This is because there was no handling in the driver for bit +15 debounce behavior. + +Quoting a public BKDG: +``` +EnWinBlueBtn. Read-write. Reset: 0. 0=GPIO0 detect debounced power button; +Power button override is 4 seconds. 1=GPIO0 detect debounced power button +in S3/S5/S0i3, and detect "pressed less than 2 seconds" and "pressed 2~10 +seconds" in S0; Power button override is 10 seconds +``` + +Cross referencing the same master register in Windows it's obvious that +Windows doesn't use debounce values in this configuration. So align the +Linux driver to do this as well. This fixes wake on lid when +WAKE_INT_MASTER_REG is properly programmed. 
+ +Cc: stable@vger.kernel.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217315 +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20230421120625.3366-2-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-amd.c | 7 +++++++ + drivers/pinctrl/pinctrl-amd.h | 1 + + 2 files changed, 8 insertions(+) + +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -126,6 +126,12 @@ static int amd_gpio_set_debounce(struct + struct amd_gpio *gpio_dev = gpiochip_get_data(gc); + + raw_spin_lock_irqsave(&gpio_dev->lock, flags); ++ ++ /* Use special handling for Pin0 debounce */ ++ pin_reg = readl(gpio_dev->base + WAKE_INT_MASTER_REG); ++ if (pin_reg & INTERNAL_GPIO0_DEBOUNCE) ++ debounce = 0; ++ + pin_reg = readl(gpio_dev->base + offset * 4); + + if (debounce) { +@@ -215,6 +221,7 @@ static void amd_gpio_dbg_show(struct seq + char *output_value; + char *output_enable; + ++ seq_printf(s, "WAKE_INT_MASTER_REG: 0x%08x\n", readl(gpio_dev->base + WAKE_INT_MASTER_REG)); + for (bank = 0; bank < gpio_dev->hwbank_num; bank++) { + seq_printf(s, "GPIO bank%d\t", bank); + +--- a/drivers/pinctrl/pinctrl-amd.h ++++ b/drivers/pinctrl/pinctrl-amd.h +@@ -17,6 +17,7 @@ + #define AMD_GPIO_PINS_BANK3 32 + + #define WAKE_INT_MASTER_REG 0xfc ++#define INTERNAL_GPIO0_DEBOUNCE (1 << 15) + #define EOI_MASK (1 << 29) + + #define WAKE_INT_STATUS_REG0 0x2f8 diff --git a/tmp-5.10/pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch b/tmp-5.10/pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch new file mode 100644 index 00000000000..8f44365fde4 --- /dev/null +++ b/tmp-5.10/pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch 
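Review bot: The added check in amd_gpio_set_debounce() forces `debounce = 0` for whichever `offset` is being configured once `INTERNAL_GPIO0_DEBOUNCE` is set in `WAKE_INT_MASTER_REG`, although the bit and the new comment both describe Pin0 only. The follow-up in this same queue, pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch, wraps the read in `if (offset == 0) { ... }`. The two patches should stay together in the backport so that no tree ends up with the unguarded form. The function body starts and ends outside the hunk.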
@@ -0,0 +1,39 @@ +From a855724dc08b8cb0c13ab1e065a4922f1e5a7552 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Fri, 21 Apr 2023 07:06:22 -0500 +Subject: pinctrl: amd: Fix mistake in handling clearing pins at startup + +From: Mario Limonciello + +commit a855724dc08b8cb0c13ab1e065a4922f1e5a7552 upstream. + +commit 4e5a04be88fe ("pinctrl: amd: disable and mask interrupts on probe") +had a mistake in loop iteration 63 that it would clear offset 0xFC instead +of 0x100. Offset 0xFC is actually `WAKE_INT_MASTER_REG`. This was +clearing bits 13 and 15 from the register which significantly changed the +expected handling for some platforms for GPIO0. + +Cc: stable@vger.kernel.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217315 +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20230421120625.3366-3-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-amd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -784,9 +784,9 @@ static void amd_gpio_irq_init(struct amd + + raw_spin_lock_irqsave(&gpio_dev->lock, flags); + +- pin_reg = readl(gpio_dev->base + i * 4); ++ pin_reg = readl(gpio_dev->base + pin * 4); + pin_reg &= ~mask; +- writel(pin_reg, gpio_dev->base + i * 4); ++ writel(pin_reg, gpio_dev->base + pin * 4); + + raw_spin_unlock_irqrestore(&gpio_dev->lock, flags); + } diff --git a/tmp-5.10/pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch b/tmp-5.10/pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch new file mode 100644 index 00000000000..ecc4ed3699e --- /dev/null +++ b/tmp-5.10/pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch 
@@ -0,0 +1,40 @@ +From 0d5ace1a07f7e846d0f6d972af60d05515599d0b Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Wed, 5 Jul 2023 08:30:02 -0500 +Subject: pinctrl: amd: Only use special debounce behavior for GPIO 0 + +From: Mario Limonciello + +commit 0d5ace1a07f7e846d0f6d972af60d05515599d0b upstream. + +It's uncommon to use debounce on any other pin, but technically +we should only set debounce to 0 when working off GPIO0. + +Cc: stable@vger.kernel.org +Tested-by: Jan Visser +Fixes: 968ab9261627 ("pinctrl: amd: Detect internal GPIO0 debounce handling") +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20230705133005.577-2-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-amd.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -128,9 +128,11 @@ static int amd_gpio_set_debounce(struct + raw_spin_lock_irqsave(&gpio_dev->lock, flags); + + /* Use special handling for Pin0 debounce */ +- pin_reg = readl(gpio_dev->base + WAKE_INT_MASTER_REG); +- if (pin_reg & INTERNAL_GPIO0_DEBOUNCE) +- debounce = 0; ++ if (offset == 0) { ++ pin_reg = readl(gpio_dev->base + WAKE_INT_MASTER_REG); ++ if (pin_reg & INTERNAL_GPIO0_DEBOUNCE) ++ debounce = 0; ++ } + + pin_reg = readl(gpio_dev->base + offset * 4); + diff --git a/tmp-5.10/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch b/tmp-5.10/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch new file mode 100644 index 00000000000..d2e788cf364 --- /dev/null +++ b/tmp-5.10/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch 
@@ -0,0 +1,108 @@ +From 741cf68c3c6d048f2b4d89cb79ed4807e70aba81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 08:30:03 -0500 +Subject: pinctrl: amd: Use amd_pinconf_set() for all config options + +From: Mario Limonciello + +[ Upstream commit 635a750d958e158e17af0f524bedc484b27fbb93 ] + +On ASUS TUF A16 it is reported that the ITE5570 ACPI device connected to +GPIO 7 is causing an interrupt storm. This issue doesn't happen on +Windows. + +Comparing the GPIO register configuration between Windows and Linux +bit 20 has been configured as a pull up on Windows, but not on Linux. +Checking GPIO declaration from the firmware it is clear it *should* have +been a pull up on Linux as well. + +``` +GpioInt (Level, ActiveLow, Exclusive, PullUp, 0x0000, + "\\_SB.GPIO", 0x00, ResourceConsumer, ,) +{ // Pin list +0x0007 +} +``` + +On Linux amd_gpio_set_config() is currently only used for programming +the debounce. Actually the GPIO core calls it with all the arguments +that are supported by a GPIO, pinctrl-amd just responds `-ENOTSUPP`. + +To solve this issue expand amd_gpio_set_config() to support the other +arguments amd_pinconf_set() supports, namely `PIN_CONFIG_BIAS_PULL_DOWN`, +`PIN_CONFIG_BIAS_PULL_UP`, and `PIN_CONFIG_DRIVE_STRENGTH`. 
+ +Reported-by: Nik P +Reported-by: Nathan Schulte +Reported-by: Friedrich Vock +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217336 +Reported-by: dridri85@gmail.com +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217493 +Link: https://lore.kernel.org/linux-input/20230530154058.17594-1-friedrich.vock@gmx.de/ +Tested-by: Jan Visser +Fixes: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips") +Signed-off-by: Mario Limonciello +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230705133005.577-3-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-amd.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-amd.c b/drivers/pinctrl/pinctrl-amd.c +index 0d71151575eef..3a05ebb9aa253 100644 +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -189,18 +189,6 @@ static int amd_gpio_set_debounce(struct gpio_chip *gc, unsigned offset, + return ret; + } + +-static int amd_gpio_set_config(struct gpio_chip *gc, unsigned offset, +- unsigned long config) +-{ +- u32 debounce; +- +- if (pinconf_to_config_param(config) != PIN_CONFIG_INPUT_DEBOUNCE) +- return -ENOTSUPP; +- +- debounce = pinconf_to_config_argument(config); +- return amd_gpio_set_debounce(gc, offset, debounce); +-} +- + #ifdef CONFIG_DEBUG_FS + static void amd_gpio_dbg_show(struct seq_file *s, struct gpio_chip *gc) + { +@@ -676,7 +664,7 @@ static int amd_pinconf_get(struct pinctrl_dev *pctldev, + } + + static int amd_pinconf_set(struct pinctrl_dev *pctldev, unsigned int pin, +- unsigned long *configs, unsigned num_configs) ++ unsigned long *configs, unsigned int num_configs) + { + int i; + u32 arg; +@@ -766,6 +754,20 @@ static int amd_pinconf_group_set(struct pinctrl_dev *pctldev, + return 0; + } + ++static int amd_gpio_set_config(struct gpio_chip *gc, unsigned int pin, ++ unsigned long config) ++{ ++ struct 
amd_gpio *gpio_dev = gpiochip_get_data(gc); ++ ++ if (pinconf_to_config_param(config) == PIN_CONFIG_INPUT_DEBOUNCE) { ++ u32 debounce = pinconf_to_config_argument(config); ++ ++ return amd_gpio_set_debounce(gc, pin, debounce); ++ } ++ ++ return amd_pinconf_set(gpio_dev->pctrl, pin, &config, 1); ++} ++ + static const struct pinconf_ops amd_pinconf_ops = { + .pin_config_get = amd_pinconf_get, + .pin_config_set = amd_pinconf_set, +-- +2.39.2 + diff --git a/tmp-5.10/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch b/tmp-5.10/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch new file mode 100644 index 00000000000..d051c8f405e --- /dev/null +++ b/tmp-5.10/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch 
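Review bot: The new amd_gpio_set_config() forwards every non-debounce parameter to amd_pinconf_set(), so parameters that used to stop at the `-ENOTSUPP` early return now run through that function's switch. Its body is outside the hunk, so what it logs and returns for a parameter it does not handle should be checked, since the commit message says the GPIO core calls this hook with all arguments. The GPIO offset is also passed straight through as the pinctrl pin number, which presumably relies on a 1:1 mapping. A short comment above the function would record both points, e.g. `/* gpiolib .set_config hook: debounce handled here, all other params delegated to amd_pinconf_set(); GPIO offset is used as the pin number */`.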
@@ -0,0 +1,41 @@ +From db07635fac6fc2c41c24cb46c3712f64503cf367 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 13:53:33 +0300 +Subject: pinctrl: at91-pio4: check return value of devm_kasprintf() + +From: Claudiu Beznea + +[ Upstream commit f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0 ] + +devm_kasprintf() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: 776180848b57 ("pinctrl: introduce driver for Atmel PIO4 controller") +Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks") +Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int") +Signed-off-by: Claudiu Beznea +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230615105333.585304-4-claudiu.beznea@microchip.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-at91-pio4.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c +index 315a6c4d9ade0..bf8aa0ea35d1b 100644 +--- a/drivers/pinctrl/pinctrl-at91-pio4.c ++++ b/drivers/pinctrl/pinctrl-at91-pio4.c +@@ -1083,6 +1083,8 @@ static int atmel_pinctrl_probe(struct platform_device *pdev) + /* Pin naming convention: P(bank_name)(bank_pin_number). */ + pin_desc[i].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "P%c%d", + bank + 'A', line); ++ if (!pin_desc[i].name) ++ return -ENOMEM; + + group->name = group_names[i] = pin_desc[i].name; + group->pin = pin_desc[i].number; +-- +2.39.2 + diff --git a/tmp-5.10/pinctrl-bcm2835-handle-gpiochip_add_pin_range-errors.patch b/tmp-5.10/pinctrl-bcm2835-handle-gpiochip_add_pin_range-errors.patch new file mode 100644 index 00000000000..2b89377b58d --- /dev/null +++ b/tmp-5.10/pinctrl-bcm2835-handle-gpiochip_add_pin_range-errors.patch 
@@ -0,0 +1,41 @@ +From c26e9bb0254a0a6a468fba391773407fc226511e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Apr 2023 23:43:41 +0200 +Subject: pinctrl: bcm2835: Handle gpiochip_add_pin_range() errors + +From: Christophe JAILLET + +[ Upstream commit cdf7e616120065007687fe1df0412154f259daec ] + +gpiochip_add_pin_range() can fail, so better return its error code than +a hard coded '0'. + +Fixes: d2b67744fd99 ("pinctrl: bcm2835: implement hook for missing gpio-ranges") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/98c3b5890bb72415145c9fe4e1d974711edae376.1681681402.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/bcm/pinctrl-bcm2835.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/pinctrl/bcm/pinctrl-bcm2835.c b/drivers/pinctrl/bcm/pinctrl-bcm2835.c +index c7ae9f900b532..e3f49d0ed0298 100644 +--- a/drivers/pinctrl/bcm/pinctrl-bcm2835.c ++++ b/drivers/pinctrl/bcm/pinctrl-bcm2835.c +@@ -359,10 +359,8 @@ static int bcm2835_of_gpio_ranges_fallback(struct gpio_chip *gc, + if (!pctldev) + return 0; + +- gpiochip_add_pin_range(gc, pinctrl_dev_get_devname(pctldev), 0, 0, +- gc->ngpio); +- +- return 0; ++ return gpiochip_add_pin_range(gc, pinctrl_dev_get_devname(pctldev), 0, 0, ++ gc->ngpio); + } + + static const struct gpio_chip bcm2835_gpio_chip = { +-- +2.39.2 + diff --git a/tmp-5.10/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch b/tmp-5.10/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch new file mode 100644 index 00000000000..c87fbc08029 --- /dev/null +++ b/tmp-5.10/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch 
@@ -0,0 +1,57 @@ +From fcc2fa46d02b5b2033a4f0420c183a2e8168ca6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 17:37:34 +0300 +Subject: pinctrl: cherryview: Return correct value if pin in push-pull mode + +From: Andy Shevchenko + +[ Upstream commit 5835196a17be5cfdcad0b617f90cf4abe16951a4 ] + +Currently the getter returns ENOTSUPP on pin configured in +the push-pull mode. Fix this by adding the missed switch case. + +Fixes: ccdf81d08dbe ("pinctrl: cherryview: add option to set open-drain pin config") +Fixes: 6e08d6bbebeb ("pinctrl: Add Intel Cherryview/Braswell pin controller support") +Acked-by: Mika Westerberg +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-cherryview.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c +index 2ed17cdf946d1..44caada37b71f 100644 +--- a/drivers/pinctrl/intel/pinctrl-cherryview.c ++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c +@@ -945,11 +945,6 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned int pin, + + break; + +- case PIN_CONFIG_DRIVE_OPEN_DRAIN: +- if (!(ctrl1 & CHV_PADCTRL1_ODEN)) +- return -EINVAL; +- break; +- + case PIN_CONFIG_BIAS_HIGH_IMPEDANCE: { + u32 cfg; + +@@ -959,6 +954,16 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned int pin, + return -EINVAL; + + break; ++ ++ case PIN_CONFIG_DRIVE_PUSH_PULL: ++ if (ctrl1 & CHV_PADCTRL1_ODEN) ++ return -EINVAL; ++ break; ++ ++ case PIN_CONFIG_DRIVE_OPEN_DRAIN: ++ if (!(ctrl1 & CHV_PADCTRL1_ODEN)) ++ return -EINVAL; ++ break; + } + + default: +-- +2.39.2 + diff --git a/tmp-5.10/platform-x86-wmi-break-possible-infinite-loop-when-p.patch b/tmp-5.10/platform-x86-wmi-break-possible-infinite-loop-when-p.patch new file mode 100644 index 00000000000..8b72a463740 --- /dev/null +++ b/tmp-5.10/platform-x86-wmi-break-possible-infinite-loop-when-p.patch 
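Review bot: As shown in this backport, the added `case PIN_CONFIG_DRIVE_PUSH_PULL:` and the re-added `case PIN_CONFIG_DRIVE_OPEN_DRAIN:` sit between the `break;` of `case PIN_CONFIG_BIAS_HIGH_IMPEDANCE: {` and that block's closing `}`, so they are inside the compound statement that declares `u32 cfg`. C accepts case labels nested in a block, so this should still compile and dispatch correctly. The layout nevertheless reads as if the two cases belonged to the high-impedance branch, and it will break if someone later adds an initialised declaration to that block. Moving both cases after the `}`, just before `default:`, keeps the behaviour and restores the usual switch shape. chv_config_get() starts and ends outside the hunk, so the brace placement should be confirmed against the 5.10 tree.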
@@ -0,0 +1,84 @@ +From 0933ab92bd2131f9808f5c3297b0767d3cb65a9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 18:11:54 +0300 +Subject: platform/x86: wmi: Break possible infinite loop when parsing GUID + +From: Andy Shevchenko + +[ Upstream commit 028e6e204ace1f080cfeacd72c50397eb8ae8883 ] + +The while-loop may break on one of the two conditions, either ID string +is empty or GUID matches. The second one, may never be reached if the +parsed string is not correct GUID. In such a case the loop will never +advance to check the next ID. + +Break possible infinite loop by factoring out guid_parse_and_compare() +helper which may be moved to the generic header for everyone later on +and preventing from similar mistake in the future. + +Interestingly that firstly it appeared when WMI was turned into a bus +driver, but later when duplicated GUIDs were checked, the while-loop +has been replaced by for-loop and hence no mistake made again. + +Fixes: a48e23385fcf ("platform/x86: wmi: add context pointer field to struct wmi_device_id") +Fixes: 844af950da94 ("platform/x86: wmi: Turn WMI into a bus driver") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230621151155.78279-1-andriy.shevchenko@linux.intel.com +Tested-by: Armin Wolf +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 5e4c03f7db7c0..567c28705cb1b 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -130,6 +130,16 @@ static bool find_guid(const char *guid_string, struct wmi_block **out) + return false; + } + ++static bool guid_parse_and_compare(const char *string, const guid_t *guid) ++{ ++ guid_t guid_input; ++ ++ if (guid_parse(string, &guid_input)) ++ return false; ++ ++ return guid_equal(&guid_input, guid); ++} ++ + static 
const void *find_guid_context(struct wmi_block *wblock, + struct wmi_driver *wdriver) + { +@@ -142,11 +152,7 @@ static const void *find_guid_context(struct wmi_block *wblock, + + id = wdriver->id_table; + while (*id->guid_string) { +- guid_t guid_input; +- +- if (guid_parse(id->guid_string, &guid_input)) +- continue; +- if (guid_equal(&wblock->gblock.guid, &guid_input)) ++ if (guid_parse_and_compare(id->guid_string, &wblock->gblock.guid)) + return id->context; + id++; + } +@@ -804,11 +810,7 @@ static int wmi_dev_match(struct device *dev, struct device_driver *driver) + return 0; + + while (*id->guid_string) { +- guid_t driver_guid; +- +- if (WARN_ON(guid_parse(id->guid_string, &driver_guid))) +- continue; +- if (guid_equal(&driver_guid, &wblock->gblock.guid)) ++ if (guid_parse_and_compare(id->guid_string, &wblock->gblock.guid)) + return 1; + + id++; +-- +2.39.2 + diff --git a/tmp-5.10/platform-x86-wmi-move-variables.patch b/tmp-5.10/platform-x86-wmi-move-variables.patch new file mode 100644 index 00000000000..c6a9f372333 --- /dev/null +++ b/tmp-5.10/platform-x86-wmi-move-variables.patch 
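Review bot: In wmi_dev_match() the removed loop wrapped the parse in `WARN_ON(guid_parse(...))`, whereas the new `guid_parse_and_compare()` returns false silently, so a malformed GUID string in a driver's id table is now skipped without any trace. If that diagnostic is still wanted, the helper can keep it with `if (WARN_ON_ONCE(guid_parse(string, &guid_input))) return false;`. Either way the helper should have a comment stating the contract the fix relies on, for example `/* Returns false when @string is not a valid GUID, so callers always advance to the next id */`. Both callers' bodies extend outside the hunks.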
@@ -0,0 +1,80 @@ +From 2b2a2dfecf816da3761256e2e96ac17431e4840c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:56:10 +0000 +Subject: platform/x86: wmi: move variables +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit f5431bf1e6781e876bdc8ae10fb1e7da6f1aa9b5 ] + +Move some variables in order to keep them +in the narrowest possible scope. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-22-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 18c4080d4a71e..5e4c03f7db7c0 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -134,7 +134,6 @@ static const void *find_guid_context(struct wmi_block *wblock, + struct wmi_driver *wdriver) + { + const struct wmi_device_id *id; +- guid_t guid_input; + + if (wblock == NULL || wdriver == NULL) + return NULL; +@@ -143,6 +142,8 @@ static const void *find_guid_context(struct wmi_block *wblock, + + id = wdriver->id_table; + while (*id->guid_string) { ++ guid_t guid_input; ++ + if (guid_parse(id->guid_string, &guid_input)) + continue; + if (guid_equal(&wblock->gblock.guid, &guid_input)) +@@ -615,7 +616,6 @@ acpi_status wmi_get_event_data(u32 event, struct acpi_buffer *out) + { + struct acpi_object_list input; + union acpi_object params[1]; +- struct guid_block *gblock; + struct wmi_block *wblock; + + input.count = 1; +@@ -624,7 +624,7 @@ acpi_status wmi_get_event_data(u32 event, struct acpi_buffer *out) + params[0].integer.value = event; + + list_for_each_entry(wblock, &wmi_block_list, list) { +- gblock = &wblock->gblock; ++ struct 
guid_block *gblock = &wblock->gblock; + + if ((gblock->flags & ACPI_WMI_EVENT) && + (gblock->notify_id == event)) +@@ -1281,12 +1281,11 @@ acpi_wmi_ec_space_handler(u32 function, acpi_physical_address address, + static void acpi_wmi_notify_handler(acpi_handle handle, u32 event, + void *context) + { +- struct guid_block *block; + struct wmi_block *wblock; + bool found_it = false; + + list_for_each_entry(wblock, &wmi_block_list, list) { +- block = &wblock->gblock; ++ struct guid_block *block = &wblock->gblock; + + if (wblock->acpi_device->handle == handle && + (block->flags & ACPI_WMI_EVENT) && +-- +2.39.2 + diff --git a/tmp-5.10/platform-x86-wmi-remove-unnecessary-argument.patch b/tmp-5.10/platform-x86-wmi-remove-unnecessary-argument.patch new file mode 100644 index 00000000000..b34586d641e --- /dev/null +++ b/tmp-5.10/platform-x86-wmi-remove-unnecessary-argument.patch 
@@ -0,0 +1,75 @@ +From 8f06216a815ddd37f9408c5f4f4167c790cc507e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:55:16 +0000 +Subject: platform/x86: wmi: remove unnecessary argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit 84eacf7e6413d5e2d2f4f9dddf9216c18a3631cf ] + +The GUID block is available for `wmi_create_device()` +through `wblock->gblock`. Use that consistently in +the function instead of using a mix of `gblock` and +`wblock->gblock`. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-8-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 1f80b26281628..9a6dc2717e1d4 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -1042,7 +1042,6 @@ static const struct device_type wmi_type_data = { + }; + + static int wmi_create_device(struct device *wmi_bus_dev, +- const struct guid_block *gblock, + struct wmi_block *wblock, + struct acpi_device *device) + { +@@ -1050,12 +1049,12 @@ static int wmi_create_device(struct device *wmi_bus_dev, + char method[5]; + int result; + +- if (gblock->flags & ACPI_WMI_EVENT) { ++ if (wblock->gblock.flags & ACPI_WMI_EVENT) { + wblock->dev.dev.type = &wmi_type_event; + goto out_init; + } + +- if (gblock->flags & ACPI_WMI_METHOD) { ++ if (wblock->gblock.flags & ACPI_WMI_METHOD) { + wblock->dev.dev.type = &wmi_type_method; + mutex_init(&wblock->char_mutex); + goto out_init; +@@ -1105,7 +1104,7 @@ static int wmi_create_device(struct device *wmi_bus_dev, + wblock->dev.dev.bus = &wmi_bus_type; + wblock->dev.dev.parent = wmi_bus_dev; + +- 
dev_set_name(&wblock->dev.dev, "%pUL", gblock->guid); ++ dev_set_name(&wblock->dev.dev, "%pUL", wblock->gblock.guid); + + device_initialize(&wblock->dev.dev); + +@@ -1197,7 +1196,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + wblock->acpi_device = device; + wblock->gblock = gblock[i]; + +- retval = wmi_create_device(wmi_bus_dev, &gblock[i], wblock, device); ++ retval = wmi_create_device(wmi_bus_dev, wblock, device); + if (retval) { + kfree(wblock); + continue; +-- +2.39.2 + diff --git a/tmp-5.10/platform-x86-wmi-use-guid_t-and-guid_equal.patch b/tmp-5.10/platform-x86-wmi-use-guid_t-and-guid_equal.patch new file mode 100644 index 00000000000..b71731e768b --- /dev/null +++ b/tmp-5.10/platform-x86-wmi-use-guid_t-and-guid_equal.patch 
@@ -0,0 +1,177 @@ +From 41fd3e4cb930244953bc634c695a4d13fc02655a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:55:39 +0000 +Subject: platform/x86: wmi: use guid_t and guid_equal() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit 67f472fdacf4a691b1c3c20c27800b23ce31e2de ] + +Instead of hard-coding a 16 long byte array, +use the available `guid_t` type and related methods. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-15-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 9a6dc2717e1d4..18c4080d4a71e 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -40,7 +40,7 @@ MODULE_LICENSE("GPL"); + static LIST_HEAD(wmi_block_list); + + struct guid_block { +- char guid[16]; ++ guid_t guid; + union { + char object_id[2]; + struct { +@@ -121,7 +121,7 @@ static bool find_guid(const char *guid_string, struct wmi_block **out) + list_for_each_entry(wblock, &wmi_block_list, list) { + block = &wblock->gblock; + +- if (memcmp(block->guid, &guid_input, 16) == 0) { ++ if (guid_equal(&block->guid, &guid_input)) { + if (out) + *out = wblock; + return true; +@@ -145,7 +145,7 @@ static const void *find_guid_context(struct wmi_block *wblock, + while (*id->guid_string) { + if (guid_parse(id->guid_string, &guid_input)) + continue; +- if (!memcmp(wblock->gblock.guid, &guid_input, 16)) ++ if (guid_equal(&wblock->gblock.guid, &guid_input)) + return id->context; + id++; + } +@@ -457,7 +457,7 @@ EXPORT_SYMBOL_GPL(wmi_set_block); + + static void wmi_dump_wdg(const 
struct guid_block *g) + { +- pr_info("%pUL:\n", g->guid); ++ pr_info("%pUL:\n", &g->guid); + if (g->flags & ACPI_WMI_EVENT) + pr_info("\tnotify_id: 0x%02X\n", g->notify_id); + else +@@ -539,7 +539,7 @@ wmi_notify_handler handler, void *data) + list_for_each_entry(block, &wmi_block_list, list) { + acpi_status wmi_status; + +- if (memcmp(block->gblock.guid, &guid_input, 16) == 0) { ++ if (guid_equal(&block->gblock.guid, &guid_input)) { + if (block->handler && + block->handler != wmi_notify_debug) + return AE_ALREADY_ACQUIRED; +@@ -579,7 +579,7 @@ acpi_status wmi_remove_notify_handler(const char *guid) + list_for_each_entry(block, &wmi_block_list, list) { + acpi_status wmi_status; + +- if (memcmp(block->gblock.guid, &guid_input, 16) == 0) { ++ if (guid_equal(&block->gblock.guid, &guid_input)) { + if (!block->handler || + block->handler == wmi_notify_debug) + return AE_NULL_ENTRY; +@@ -685,7 +685,7 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr, + { + struct wmi_block *wblock = dev_to_wblock(dev); + +- return sprintf(buf, "wmi:%pUL\n", wblock->gblock.guid); ++ return sprintf(buf, "wmi:%pUL\n", &wblock->gblock.guid); + } + static DEVICE_ATTR_RO(modalias); + +@@ -694,7 +694,7 @@ static ssize_t guid_show(struct device *dev, struct device_attribute *attr, + { + struct wmi_block *wblock = dev_to_wblock(dev); + +- return sprintf(buf, "%pUL\n", wblock->gblock.guid); ++ return sprintf(buf, "%pUL\n", &wblock->gblock.guid); + } + static DEVICE_ATTR_RO(guid); + +@@ -777,10 +777,10 @@ static int wmi_dev_uevent(struct device *dev, struct kobj_uevent_env *env) + { + struct wmi_block *wblock = dev_to_wblock(dev); + +- if (add_uevent_var(env, "MODALIAS=wmi:%pUL", wblock->gblock.guid)) ++ if (add_uevent_var(env, "MODALIAS=wmi:%pUL", &wblock->gblock.guid)) + return -ENOMEM; + +- if (add_uevent_var(env, "WMI_GUID=%pUL", wblock->gblock.guid)) ++ if (add_uevent_var(env, "WMI_GUID=%pUL", &wblock->gblock.guid)) + return -ENOMEM; + + return 0; +@@ -808,7 
+808,7 @@ static int wmi_dev_match(struct device *dev, struct device_driver *driver) + + if (WARN_ON(guid_parse(id->guid_string, &driver_guid))) + continue; +- if (!memcmp(&driver_guid, wblock->gblock.guid, 16)) ++ if (guid_equal(&driver_guid, &wblock->gblock.guid)) + return 1; + + id++; +@@ -1104,7 +1104,7 @@ static int wmi_create_device(struct device *wmi_bus_dev, + wblock->dev.dev.bus = &wmi_bus_type; + wblock->dev.dev.parent = wmi_bus_dev; + +- dev_set_name(&wblock->dev.dev, "%pUL", wblock->gblock.guid); ++ dev_set_name(&wblock->dev.dev, "%pUL", &wblock->gblock.guid); + + device_initialize(&wblock->dev.dev); + +@@ -1124,12 +1124,12 @@ static void wmi_free_devices(struct acpi_device *device) + } + } + +-static bool guid_already_parsed(struct acpi_device *device, const u8 *guid) ++static bool guid_already_parsed(struct acpi_device *device, const guid_t *guid) + { + struct wmi_block *wblock; + + list_for_each_entry(wblock, &wmi_block_list, list) { +- if (memcmp(wblock->gblock.guid, guid, 16) == 0) { ++ if (guid_equal(&wblock->gblock.guid, guid)) { + /* + * Because we historically didn't track the relationship + * between GUIDs and ACPI nodes, we don't know whether +@@ -1184,7 +1184,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + * case yet, so for now, we'll just ignore the duplicate + * for device creation. 
+ */ +- if (guid_already_parsed(device, gblock[i].guid)) ++ if (guid_already_parsed(device, &gblock[i].guid)) + continue; + + wblock = kzalloc(sizeof(struct wmi_block), GFP_KERNEL); +@@ -1221,7 +1221,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + retval = device_add(&wblock->dev.dev); + if (retval) { + dev_err(wmi_bus_dev, "failed to register %pUL\n", +- wblock->gblock.guid); ++ &wblock->gblock.guid); + if (debug_event) + wmi_method_enable(wblock, 0); + list_del(&wblock->list); +@@ -1335,7 +1335,7 @@ static void acpi_wmi_notify_handler(acpi_handle handle, u32 event, + } + + if (debug_event) +- pr_info("DEBUG Event GUID: %pUL\n", wblock->gblock.guid); ++ pr_info("DEBUG Event GUID: %pUL\n", &wblock->gblock.guid); + + acpi_bus_generate_netlink_event( + wblock->acpi_device->pnp.device_class, +-- +2.39.2 + diff --git a/tmp-5.10/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch b/tmp-5.10/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch new file mode 100644 index 00000000000..03e2812f373 --- /dev/null +++ b/tmp-5.10/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch 
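Review bot: `modalias_show()` and `guid_show()` still format into the sysfs page with `sprintf(buf, ...)` on the lines this patch rewrites. The output is a fixed-length GUID, so nothing overflows today, but `sysfs_emit()` is the page-bounded helper intended for show callbacks. The two lines would become `return sysfs_emit(buf, "wmi:%pUL\n", &wblock->gblock.guid);` and `return sysfs_emit(buf, "%pUL\n", &wblock->gblock.guid);`. For a stable backport this belongs in a separate upstream change rather than in this patch.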
@@ -0,0 +1,48 @@
+From 6a6104aac6c8a023d4854fd70f10ddde3046bfbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Apr 2023 06:07:43 -0700
+Subject: PM: domains: fix integer overflow issues in genpd_parse_state()
+
+From: Nikita Zhandarovich
+
+[ Upstream commit e5d1c8722083f0332dcd3c85fa1273d85fb6bed8 ]
+
+Currently, while calculating residency and latency values, right
+operands may overflow if resulting values are big enough.
+
+To prevent this, albeit unlikely case, play it safe and convert
+right operands to left ones' type s64.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 30f604283e05 ("PM / Domains: Allow domain power states to be read from DT")
+Signed-off-by: Nikita Zhandarovich
+Acked-by: Ulf Hansson
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/base/power/domain.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
+index d0ba5459ce0b9..8a90f08c9682b 100644
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -2763,10 +2763,10 @@ static int genpd_parse_state(struct genpd_power_state *genpd_state,
+
+ err = of_property_read_u32(state_node, "min-residency-us", &residency);
+ if (!err)
+- genpd_state->residency_ns = 1000 * residency;
++ genpd_state->residency_ns = 1000LL * residency;
+
+- genpd_state->power_on_latency_ns = 1000 * exit_latency;
+- genpd_state->power_off_latency_ns = 1000 * entry_latency;
++ genpd_state->power_on_latency_ns = 1000LL * exit_latency;
++ genpd_state->power_off_latency_ns = 1000LL * entry_latency;
+ genpd_state->fwnode = &state_node->fwnode;
+
+ return 0;
+--
+2.39.2
+
diff --git a/tmp-5.10/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch b/tmp-5.10/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch
new file mode 100644
index 00000000000..fd19ac90a33
--- /dev/null
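Review bot: The `1000LL` literals in `genpd_parse_state()` carry the whole fix, yet nothing at the three assignments says so. A later cleanup to a named constant would quietly undo it if that constant is only `long` wide, as `NSEC_PER_USEC` is, because 32-bit builds would again multiply in 32 bits. I would add a one-line comment above the first assignment, e.g. `/* 64-bit multiply: a u32 microsecond value can exceed 32 bits once scaled to ns */`. The function starts and ends outside the hunk, so the declared types of `exit_latency` and `entry_latency` are not visible here.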
+++ b/tmp-5.10/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch 
@@ -0,0 +1,115 @@ +From 5216cc0ac2f214c416f34fe068087b14cdecf74c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 20:58:47 +0200 +Subject: posix-timers: Ensure timer ID search-loop limit is valid + +From: Thomas Gleixner + +[ Upstream commit 8ce8849dd1e78dadcee0ec9acbd259d239b7069f ] + +posix_timer_add() tries to allocate a posix timer ID by starting from the +cached ID which was stored by the last successful allocation. + +This is done in a loop searching the ID space for a free slot one by +one. The loop has to terminate when the search wrapped around to the +starting point. + +But that's racy vs. establishing the starting point. That is read out +lockless, which leads to the following problem: + +CPU0 CPU1 +posix_timer_add() + start = sig->posix_timer_id; + lock(hash_lock); + ... posix_timer_add() + if (++sig->posix_timer_id < 0) + start = sig->posix_timer_id; + sig->posix_timer_id = 0; + +So CPU1 can observe a negative start value, i.e. -1, and the loop break +never happens because the condition can never be true: + + if (sig->posix_timer_id == start) + break; + +While this is unlikely to ever turn into an endless loop as the ID space is +huge (INT_MAX), the racy read of the start value caught the attention of +KCSAN and Dmitry unearthed that incorrectness. + +Rewrite it so that all id operations are under the hash lock. 
+ +Reported-by: syzbot+5c54bd3eb218bb595aa9@syzkaller.appspotmail.com +Reported-by: Dmitry Vyukov +Signed-off-by: Thomas Gleixner +Reviewed-by: Frederic Weisbecker +Link: https://lore.kernel.org/r/87bkhzdn6g.ffs@tglx +Signed-off-by: Sasha Levin +--- + include/linux/sched/signal.h | 2 +- + kernel/time/posix-timers.c | 31 ++++++++++++++++++------------- + 2 files changed, 19 insertions(+), 14 deletions(-) + +diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h +index ae60f838ebb92..2c634010cc7bd 100644 +--- a/include/linux/sched/signal.h ++++ b/include/linux/sched/signal.h +@@ -125,7 +125,7 @@ struct signal_struct { + #ifdef CONFIG_POSIX_TIMERS + + /* POSIX.1b Interval Timers */ +- int posix_timer_id; ++ unsigned int next_posix_timer_id; + struct list_head posix_timers; + + /* ITIMER_REAL timer for the process */ +diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c +index 6d12a724d2b6b..29569b1c3d8c8 100644 +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -140,25 +140,30 @@ static struct k_itimer *posix_timer_by_id(timer_t id) + static int posix_timer_add(struct k_itimer *timer) + { + struct signal_struct *sig = current->signal; +- int first_free_id = sig->posix_timer_id; + struct hlist_head *head; +- int ret = -ENOENT; ++ unsigned int cnt, id; + +- do { ++ /* ++ * FIXME: Replace this by a per signal struct xarray once there is ++ * a plan to handle the resulting CRIU regression gracefully. ++ */ ++ for (cnt = 0; cnt <= INT_MAX; cnt++) { + spin_lock(&hash_lock); +- head = &posix_timers_hashtable[hash(sig, sig->posix_timer_id)]; +- if (!__posix_timers_find(head, sig, sig->posix_timer_id)) { ++ id = sig->next_posix_timer_id; ++ ++ /* Write the next ID back. 
Clamp it to the positive space */ ++ sig->next_posix_timer_id = (id + 1) & INT_MAX; ++ ++ head = &posix_timers_hashtable[hash(sig, id)]; ++ if (!__posix_timers_find(head, sig, id)) { + hlist_add_head_rcu(&timer->t_hash, head); +- ret = sig->posix_timer_id; ++ spin_unlock(&hash_lock); ++ return id; + } +- if (++sig->posix_timer_id < 0) +- sig->posix_timer_id = 0; +- if ((sig->posix_timer_id == first_free_id) && (ret == -ENOENT)) +- /* Loop over all possible ids completed */ +- ret = -EAGAIN; + spin_unlock(&hash_lock); +- } while (ret == -ENOENT); +- return ret; ++ } ++ /* POSIX return code when no timer ID could be allocated */ ++ return -EAGAIN; + } + + static inline void unlock_timer(struct k_itimer *timr, unsigned long flags) +-- +2.39.2 + diff --git a/tmp-5.10/posix-timers-prevent-rt-livelock-in-itimer_delete.patch b/tmp-5.10/posix-timers-prevent-rt-livelock-in-itimer_delete.patch new file mode 100644 index 00000000000..ed9b7b7dd3e --- /dev/null +++ b/tmp-5.10/posix-timers-prevent-rt-livelock-in-itimer_delete.patch 
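Review bot: `posix_timer_add()` now ends its success path with `return id;`, where `id` is `unsigned int` and the function returns `int`, with `-EAGAIN` as the failure value. The result is only guaranteed non-negative because every store to `next_posix_timer_id` goes through `(id + 1) & INT_MAX`. The comment there describes the write-back, not the invariant the return relies on. I would state it at the return, e.g. `/* id <= INT_MAX: the field is only ever written through the clamp above */`. When backporting, confirm that this tree has no other writer of the renamed field; none is visible in the hunk.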
@@ -0,0 +1,110 @@
+From d15cf54b63c6091588114eab3a271062045e29df Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Jun 2023 22:16:34 +0200
+Subject: posix-timers: Prevent RT livelock in itimer_delete()
+
+From: Thomas Gleixner
+
+[ Upstream commit 9d9e522010eb5685d8b53e8a24320653d9d4cbbf ]
+
+itimer_delete() has a retry loop when the timer is concurrently expired. On
+non-RT kernels this just spin-waits until the timer callback has completed,
+except for posix CPU timers which have HAVE_POSIX_CPU_TIMERS_TASK_WORK
+enabled.
+
+In that case and on RT kernels the existing task could live lock when
+preempting the task which does the timer delivery.
+
+Replace spin_unlock() with an invocation of timer_wait_running() to handle
+it the same way as the other retry loops in the posix timer code.
+
+Fixes: ec8f954a40da ("posix-timers: Use a callback for cancel synchronization on PREEMPT_RT")
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Frederic Weisbecker
+Link: https://lore.kernel.org/r/87v8g7c50d.ffs@tglx
+Signed-off-by: Sasha Levin
+---
+ kernel/time/posix-timers.c | 43 +++++++++++++++++++++++++++++++-------
+ 1 file changed, 35 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
+index d089627f2f2b4..6d12a724d2b6b 100644
+--- a/kernel/time/posix-timers.c
++++ b/kernel/time/posix-timers.c
+@@ -1037,27 +1037,52 @@ SYSCALL_DEFINE1(timer_delete, timer_t, timer_id)
+ }
+
+ /*
+- * return timer owned by the process, used by exit_itimers
++ * Delete a timer if it is armed, remove it from the hash and schedule it
++ * for RCU freeing.
+ */
+ static void itimer_delete(struct k_itimer *timer)
+ {
+-retry_delete:
+- spin_lock_irq(&timer->it_lock);
++ unsigned long flags;
++
++ /*
++ * irqsave is required to make timer_wait_running() work.
++ */
++ spin_lock_irqsave(&timer->it_lock, flags);
+
++retry_delete:
++ /*
++ * Even if the timer is not longer accessible from other tasks
++ * it still might be armed and queued in the underlying timer
++ * mechanism. Worse, that timer mechanism might run the expiry
++ * function concurrently.
++ */
+ if (timer_delete_hook(timer) == TIMER_RETRY) {
+- spin_unlock_irq(&timer->it_lock);
++ /*
++ * Timer is expired concurrently, prevent livelocks
++ * and pointless spinning on RT.
++ *
++ * timer_wait_running() drops timer::it_lock, which opens
++ * the possibility for another task to delete the timer.
++ *
++ * That's not possible here because this is invoked from
++ * do_exit() only for the last thread of the thread group.
++ * So no other task can access and delete that timer.
++ */
++ if (WARN_ON_ONCE(timer_wait_running(timer, &flags) != timer))
++ return;
++
+ goto retry_delete;
+ }
+ list_del(&timer->list);
+
+- spin_unlock_irq(&timer->it_lock);
++ spin_unlock_irqrestore(&timer->it_lock, flags);
+ release_posix_timer(timer, IT_ID_SET);
+ }
+
+ /*
+- * This is called by do_exit or de_thread, only when nobody else can
+- * modify the signal->posix_timers list. Yet we need sighand->siglock
+- * to prevent the race with /proc/pid/timers.
++ * Invoked from do_exit() when the last thread of a thread group exits.
++ * At that point no other task can access the timers of the dying
++ * task anymore.
+ */
+ void exit_itimers(struct task_struct *tsk)
+ {
+@@ -1067,10 +1092,12 @@ void exit_itimers(struct task_struct *tsk)
+ if (list_empty(&tsk->signal->posix_timers))
+ return;
+
++ /* Protect against concurrent read via /proc/$PID/timers */
+ spin_lock_irq(&tsk->sighand->siglock);
+ list_replace_init(&tsk->signal->posix_timers, &timers);
+ spin_unlock_irq(&tsk->sighand->siglock);
+
++ /* The timers are not longer accessible via tsk::signal */
+ while (!list_empty(&timers)) {
+ tmr = list_first_entry(&timers, struct k_itimer, list);
+ itimer_delete(tmr);
+--
+2.39.2
+
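Review bot: The `WARN_ON_ONCE(timer_wait_running(timer, &flags) != timer)` branch in `itimer_delete()` returns before `list_del(&timer->list)` and `release_posix_timer()`, and the comment does not say what state that leaves behind. If it ever fired, the entry would still be on the local `timers` list that `exit_itimers()` walks with `while (!list_empty(&timers))`. From the visible lines that loop would then pick the same entry again, though the rest of the loop body is outside the hunk, so this is an inference. The added comment explains why the condition cannot occur in this call path; a sentence in it such as `Should this ever trigger, the timer stays on the caller's list and is not released.` would document the failure mode for whoever sees the warning.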
diff --git a/tmp-5.10/powercap-rapl-fix-config_iosf_mbi-dependency.patch b/tmp-5.10/powercap-rapl-fix-config_iosf_mbi-dependency.patch
new file mode 100644
index 00000000000..8f952e00503
--- /dev/null
+++ b/tmp-5.10/powercap-rapl-fix-config_iosf_mbi-dependency.patch
@@ -0,0 +1,73 @@
+From a832e611e3d16bdaa0233ebfcadc3325333fa81a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 22:00:00 +0800
+Subject: powercap: RAPL: Fix CONFIG_IOSF_MBI dependency
+
+From: Zhang Rui
+
+[ Upstream commit 4658fe81b3f8afe8adf37734ec5fe595d90415c6 ]
+
+After commit 3382388d7148 ("intel_rapl: abstract RAPL common code"),
+accessing to IOSF_MBI interface is done in the RAPL common code.
+
+Thus it is the CONFIG_INTEL_RAPL_CORE that has dependency of
+CONFIG_IOSF_MBI, while CONFIG_INTEL_RAPL_MSR does not.
+
+This problem was not exposed previously because all the previous RAPL
+common code users, aka, the RAPL MSR and MMIO I/F drivers, have
+CONFIG_IOSF_MBI selected.
+
+Fix the CONFIG_IOSF_MBI dependency in RAPL code. This also fixes a build
+time failure when the RAPL TPMI I/F driver is introduced without
+selecting CONFIG_IOSF_MBI.
+
+x86_64-linux-ld: vmlinux.o: in function `set_floor_freq_atom':
+intel_rapl_common.c:(.text+0x2dac9b8): undefined reference to `iosf_mbi_write'
+x86_64-linux-ld: intel_rapl_common.c:(.text+0x2daca66): undefined reference to `iosf_mbi_read'
+
+Reference to iosf_mbi.h is also removed from the RAPL MSR I/F driver.
+
+Fixes: 3382388d7148 ("intel_rapl: abstract RAPL common code")
+Reported-by: Arnd Bergmann
+Link: https://lore.kernel.org/all/20230601213246.3271412-1-arnd@kernel.org
+Signed-off-by: Zhang Rui
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/powercap/Kconfig | 4 +++-
+ drivers/powercap/intel_rapl_msr.c | 1 -
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/powercap/Kconfig b/drivers/powercap/Kconfig
+index bc228725346b4..0e4b2c214a70a 100644
+--- a/drivers/powercap/Kconfig
++++ b/drivers/powercap/Kconfig
+@@ -18,10 +18,12 @@ if POWERCAP
+ # Client driver configurations go here.
+ config INTEL_RAPL_CORE
+ tristate
++ depends on PCI
++ select IOSF_MBI
+
+ config INTEL_RAPL
+ tristate "Intel RAPL Support via MSR Interface"
+- depends on X86 && IOSF_MBI
++ depends on X86 && PCI
+ select INTEL_RAPL_CORE
+ help
+ This enables support for the Intel Running Average Power Limit (RAPL)
+diff --git a/drivers/powercap/intel_rapl_msr.c b/drivers/powercap/intel_rapl_msr.c
+index 1646808d354ce..6b68e5ed20812 100644
+--- a/drivers/powercap/intel_rapl_msr.c
++++ b/drivers/powercap/intel_rapl_msr.c
+@@ -22,7 +22,6 @@
+ #include
+ #include
+
+-#include
+ #include
+ #include
+
+--
+2.39.2
+
diff --git a/tmp-5.10/powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch b/tmp-5.10/powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch
new file mode 100644
index 00000000000..29871f2950d
--- /dev/null
+++ b/tmp-5.10/powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch
@@ -0,0 +1,46 @@
+From 0f240778bab757a888333add6ecfa11edfa1d07d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Jun 2023 22:47:12 -0700
+Subject: powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap
+
+[ Upstream commit 39f49684036d24af800ff194c33c7b2653c591d7 ]
+
+In a randconfig with CONFIG_SERIAL_CPM=m and
+CONFIG_PPC_EARLY_DEBUG_CPM=y, there is a build error:
+ERROR: modpost: "udbg_putc" [drivers/tty/serial/cpm_uart/cpm_uart.ko] undefined!
+
+Prevent the build error by allowing PPC_EARLY_DEBUG_CPM only when
+SERIAL_CPM=y.
+
+Fixes: c374e00e17f1 ("[POWERPC] Add early debug console for CPM serial ports.")
+Signed-off-by: Randy Dunlap
+Reviewed-by: Pali Rohár
+Reviewed-by: Christophe Leroy
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20230701054714.30512-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug
+index 52abca88b5b2b..e03fb91544206 100644
+--- a/arch/powerpc/Kconfig.debug
++++ b/arch/powerpc/Kconfig.debug
+@@ -234,7 +234,7 @@ config PPC_EARLY_DEBUG_40x
+
+ config PPC_EARLY_DEBUG_CPM
+ bool "Early serial debugging for Freescale CPM-based serial ports"
+- depends on SERIAL_CPM
++ depends on SERIAL_CPM=y
+ help
+ Select this to enable early debugging for Freescale chips
+ using a CPM-based serial port. This assumes that the bootwrapper
+--
+2.39.2
+
diff --git a/tmp-5.10/powerpc-book3s64-mm-fix-directmap-stats-in-proc-memi.patch b/tmp-5.10/powerpc-book3s64-mm-fix-directmap-stats-in-proc-memi.patch
new file mode 100644
index 00000000000..6ef496027bc
--- /dev/null
+++ b/tmp-5.10/powerpc-book3s64-mm-fix-directmap-stats-in-proc-memi.patch
@@ -0,0 +1,158 @@ +From 631b33d7ac0c03998e8835c41fed91c3c870f3b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 16:38:13 +0530 +Subject: powerpc/book3s64/mm: Fix DirectMap stats in /proc/meminfo + +From: Aneesh Kumar K.V + +[ Upstream commit 0da90af431abc3f497a38ec9ef6e43b0d0dabe80 ] + +On memory unplug reduce DirectMap page count correctly. +root@ubuntu-guest:# grep Direct /proc/meminfo +DirectMap4k: 0 kB +DirectMap64k: 0 kB +DirectMap2M: 115343360 kB +DirectMap1G: 0 kB + +Before fix: +root@ubuntu-guest:# ndctl disable-namespace all +disabled 1 namespace +root@ubuntu-guest:# grep Direct /proc/meminfo +DirectMap4k: 0 kB +DirectMap64k: 0 kB +DirectMap2M: 115343360 kB +DirectMap1G: 0 kB + +After fix: +root@ubuntu-guest:# ndctl disable-namespace all +disabled 1 namespace +root@ubuntu-guest:# grep Direct /proc/meminfo +DirectMap4k: 0 kB +DirectMap64k: 0 kB +DirectMap2M: 104857600 kB +DirectMap1G: 0 kB + +Fixes: a2dc009afa9a ("powerpc/mm/book3s/radix: Add mapping statistics") +Signed-off-by: Aneesh Kumar K.V +Tested-by: Sachin Sant > +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230616110826.344417-4-aneesh.kumar@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/book3s64/radix_pgtable.c | 34 +++++++++++++++--------- + 1 file changed, 22 insertions(+), 12 deletions(-) + +diff --git a/arch/powerpc/mm/book3s64/radix_pgtable.c b/arch/powerpc/mm/book3s64/radix_pgtable.c +index 44239e0acf8ea..3728c17de87e9 100644 +--- a/arch/powerpc/mm/book3s64/radix_pgtable.c ++++ b/arch/powerpc/mm/book3s64/radix_pgtable.c +@@ -783,9 +783,9 @@ static void free_pud_table(pud_t *pud_start, p4d_t *p4d) + } + + static void remove_pte_table(pte_t *pte_start, unsigned long addr, +- unsigned long end) ++ unsigned long end, bool direct) + { +- unsigned long next; ++ unsigned long next, pages = 0; + pte_t *pte; + + pte = pte_start + pte_index(addr); +@@ -807,13 +807,16 @@ static void remove_pte_table(pte_t *pte_start, unsigned long addr, + } + + 
pte_clear(&init_mm, addr, pte); ++ pages++; + } ++ if (direct) ++ update_page_count(mmu_virtual_psize, -pages); + } + + static void __meminit remove_pmd_table(pmd_t *pmd_start, unsigned long addr, +- unsigned long end) ++ unsigned long end, bool direct) + { +- unsigned long next; ++ unsigned long next, pages = 0; + pte_t *pte_base; + pmd_t *pmd; + +@@ -831,19 +834,22 @@ static void __meminit remove_pmd_table(pmd_t *pmd_start, unsigned long addr, + continue; + } + pte_clear(&init_mm, addr, (pte_t *)pmd); ++ pages++; + continue; + } + + pte_base = (pte_t *)pmd_page_vaddr(*pmd); +- remove_pte_table(pte_base, addr, next); ++ remove_pte_table(pte_base, addr, next, direct); + free_pte_table(pte_base, pmd); + } ++ if (direct) ++ update_page_count(MMU_PAGE_2M, -pages); + } + + static void __meminit remove_pud_table(pud_t *pud_start, unsigned long addr, +- unsigned long end) ++ unsigned long end, bool direct) + { +- unsigned long next; ++ unsigned long next, pages = 0; + pmd_t *pmd_base; + pud_t *pud; + +@@ -861,16 +867,20 @@ static void __meminit remove_pud_table(pud_t *pud_start, unsigned long addr, + continue; + } + pte_clear(&init_mm, addr, (pte_t *)pud); ++ pages++; + continue; + } + + pmd_base = pud_pgtable(*pud); +- remove_pmd_table(pmd_base, addr, next); ++ remove_pmd_table(pmd_base, addr, next, direct); + free_pmd_table(pmd_base, pud); + } ++ if (direct) ++ update_page_count(MMU_PAGE_1G, -pages); + } + +-static void __meminit remove_pagetable(unsigned long start, unsigned long end) ++static void __meminit remove_pagetable(unsigned long start, unsigned long end, ++ bool direct) + { + unsigned long addr, next; + pud_t *pud_base; +@@ -899,7 +909,7 @@ static void __meminit remove_pagetable(unsigned long start, unsigned long end) + } + + pud_base = p4d_pgtable(*p4d); +- remove_pud_table(pud_base, addr, next); ++ remove_pud_table(pud_base, addr, next, direct); + free_pud_table(pud_base, p4d); + } + +@@ -922,7 +932,7 @@ int __meminit radix__create_section_mapping(unsigned 
long start, + + int __meminit radix__remove_section_mapping(unsigned long start, unsigned long end) + { +- remove_pagetable(start, end); ++ remove_pagetable(start, end, true); + return 0; + } + #endif /* CONFIG_MEMORY_HOTPLUG */ +@@ -958,7 +968,7 @@ int __meminit radix__vmemmap_create_mapping(unsigned long start, + #ifdef CONFIG_MEMORY_HOTPLUG + void __meminit radix__vmemmap_remove_mapping(unsigned long start, unsigned long page_size) + { +- remove_pagetable(start, start + page_size); ++ remove_pagetable(start, start + page_size, false); + } + #endif + #endif +-- +2.39.2 + diff --git a/tmp-5.10/powerpc-fail-build-if-using-recordmcount-with-binutils-v2.37.patch b/tmp-5.10/powerpc-fail-build-if-using-recordmcount-with-binutils-v2.37.patch new file mode 100644 index 00000000000..fa179d913f9 --- /dev/null +++ b/tmp-5.10/powerpc-fail-build-if-using-recordmcount-with-binutils-v2.37.patch 
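Review bot: `pages` is declared `unsigned long` in `remove_pte_table()`, `remove_pmd_table()` and `remove_pud_table()`, then passed as `-pages` to `update_page_count()`. Negating an unsigned value wraps, so the call only produces a decrement if the parameter is a signed type of the same width; the prototype is outside the hunk. Declaring the counter signed makes the intent explicit and drops the dependence on that conversion: split each declaration into `unsigned long next;` and `long pages = 0;`. All three function bodies start or end outside their hunks.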
@@ -0,0 +1,49 @@
+From 25ea739ea1d4d3de41acc4f4eb2d1a97eee0eb75 Mon Sep 17 00:00:00 2001
+From: Naveen N Rao
+Date: Tue, 30 May 2023 11:44:36 +0530
+Subject: powerpc: Fail build if using recordmcount with binutils v2.37
+
+From: Naveen N Rao
+
+commit 25ea739ea1d4d3de41acc4f4eb2d1a97eee0eb75 upstream.
+
+binutils v2.37 drops unused section symbols, which prevents recordmcount
+from capturing mcount locations in sections that have no non-weak
+symbols. This results in a build failure with a message such as:
+ Cannot find symbol for section 12: .text.perf_callchain_kernel.
+ kernel/events/callchain.o: failed
+
+The change to binutils was reverted for v2.38, so this behavior is
+specific to binutils v2.37:
+https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c09c8b42021180eee9495bd50d8b35e683d3901b
+
+Objtool is able to cope with such sections, so this issue is specific to
+recordmcount.
+
+Fail the build and print a warning if binutils v2.37 is detected and if
+we are using recordmcount.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Joel Stanley
+Signed-off-by: Naveen N Rao
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20230530061436.56925-1-naveen@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/Makefile | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/powerpc/Makefile
++++ b/arch/powerpc/Makefile
+@@ -429,3 +429,11 @@ checkbin:
+ echo -n '*** Please use a different binutils version.' ; \
+ false ; \
+ fi
++ @if test "x${CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT}" = "xy" -a \
++ "x${CONFIG_LD_IS_BFD}" = "xy" -a \
++ "${CONFIG_LD_VERSION}" = "23700" ; then \
++ echo -n '*** binutils 2.37 drops unused section symbols, which recordmcount ' ; \
++ echo 'is unable to handle.' ; \
++ echo '*** Please use a different binutils version.' ; \
++ false ; \
++ fi
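Review bot: The added test `"${CONFIG_LD_VERSION}" = "23700"` is an exact string match, so it fires only if this tree encodes binutils 2.37 as precisely that value. The encoding is produced outside this hunk (presumably by the tree's linker-version script). If the 5.10 branch uses a different width or folds in a patch level (2.37.x), the test never matches and the build runs on into the recordmcount failure the commit message describes. Confirm the value CONFIG_LD_VERSION actually takes for 2.37 in this branch, and put a one-line comment above the test stating the expected encoding so a silent mismatch is easier to spot.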
diff --git a/tmp-5.10/powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch b/tmp-5.10/powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch
new file mode 100644
index 00000000000..2f206ff1ace
--- /dev/null
+++ b/tmp-5.10/powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch
@@ -0,0 +1,40 @@
+From 77ce992044466d4b35641b1f2fb12da039ba5fc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 16 Jun 2023 16:38:15 +0530
+Subject: powerpc/mm/dax: Fix the condition when checking if altmap vmemap can
+ cross-boundary
+
+From: Aneesh Kumar K.V
+
+[ Upstream commit c8eebc4a99f15280654f23e914e746c40a516e50 ]
+
+Without this fix, the last subsection vmemmap can end up in memory even if
+the namespace is created with -M mem and has sufficient space in the altmap
+area.
+
+Fixes: cf387d9644d8 ("libnvdimm/altmap: Track namespace boundaries in altmap")
+Signed-off-by: Aneesh Kumar K.V
+Tested-by: Sachin Sant >
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20230616110826.344417-6-aneesh.kumar@linux.ibm.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/mm/init_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/mm/init_64.c b/arch/powerpc/mm/init_64.c
+index 386be136026e8..b76cd49d521b9 100644
+--- a/arch/powerpc/mm/init_64.c
++++ b/arch/powerpc/mm/init_64.c
+@@ -188,7 +188,7 @@ static bool altmap_cross_boundary(struct vmem_altmap *altmap, unsigned long star
+ unsigned long nr_pfn = page_size / sizeof(struct page);
+ unsigned long start_pfn = page_to_pfn((struct page *)start);
+
+- if ((start_pfn + nr_pfn) > altmap->end_pfn)
++ if ((start_pfn + nr_pfn - 1) > altmap->end_pfn)
+ return true;
+
+ if (start_pfn < altmap->base_pfn)
+--
+2.39.2
+
diff --git a/tmp-5.10/powerpc-powernv-sriov-perform-null-check-on-iov-befo.patch b/tmp-5.10/powerpc-powernv-sriov-perform-null-check-on-iov-befo.patch
new file mode 100644
index 00000000000..35c29aeea8d
--- /dev/null
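Review bot: The new bound `(start_pfn + nr_pfn - 1) > altmap->end_pfn` is correct only if `end_pfn` is the last valid pfn (inclusive) rather than one past the end, and nothing in the hunk says which convention applies. A comment above the test, such as `/* altmap->end_pfn is inclusive: compare against the last pfn this mapping would use */`, would stop a later reader from "correcting" the off-by-one back. altmap_cross_boundary() begins and ends outside the hunk, so the convention should be checked where end_pfn is assigned.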
+++ b/tmp-5.10/powerpc-powernv-sriov-perform-null-check-on-iov-befo.patch
@@ -0,0 +1,53 @@
+From b9fedeaff1af375340534c593f09910cf0453940 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jun 2023 10:58:49 +0100
+Subject: powerpc/powernv/sriov: perform null check on iov before dereferencing
+ iov
+
+From: Colin Ian King
+
+[ Upstream commit f4f913c980bc6abe0ccfe88fe3909c125afe4a2d ]
+
+Currently pointer iov is being dereferenced before the null check of iov
+which can lead to null pointer dereference errors. Fix this by moving the
+iov null check before the dereferencing.
+
+Detected using cppcheck static analysis:
+linux/arch/powerpc/platforms/powernv/pci-sriov.c:597:12: warning: Either
+the condition '!iov' is redundant or there is possible null pointer
+dereference: iov. [nullPointerRedundantCheck]
+ num_vfs = iov->num_vfs;
+ ^
+
+Fixes: 052da31d45fc ("powerpc/powernv/sriov: De-indent setup and teardown")
+Signed-off-by: Colin Ian King
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20230608095849.1147969-1-colin.i.king@gmail.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/platforms/powernv/pci-sriov.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/platforms/powernv/pci-sriov.c b/arch/powerpc/platforms/powernv/pci-sriov.c
+index 28aac933a4391..e3e52ff2cbf58 100644
+--- a/arch/powerpc/platforms/powernv/pci-sriov.c
++++ b/arch/powerpc/platforms/powernv/pci-sriov.c
+@@ -600,12 +600,12 @@ static void pnv_pci_sriov_disable(struct pci_dev *pdev)
+ struct pnv_iov_data *iov;
+
+ iov = pnv_iov_get(pdev);
+- num_vfs = iov->num_vfs;
+- base_pe = iov->vf_pe_arr[0].pe_number;
+-
+ if (WARN_ON(!iov))
+ return;
+
++ num_vfs = iov->num_vfs;
++ base_pe = iov->vf_pe_arr[0].pe_number;
++
+ /* Release VF PEs */
+ pnv_ioda_release_vf_PE(pdev);
+
+--
+2.39.2
+
diff --git a/tmp-5.10/pptp-fix-fib-lookup-calls.patch b/tmp-5.10/pptp-fix-fib-lookup-calls.patch
new file mode 100644
index 00000000000..c99f814b79a
--- /dev/null
+++ b/tmp-5.10/pptp-fix-fib-lookup-calls.patch
@@ -0,0 +1,116 @@ +From 1b82f8063aceae2163cf6b762c67068e8ba9b803 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jul 2023 19:14:46 +0200 +Subject: pptp: Fix fib lookup calls. + +From: Guillaume Nault + +[ Upstream commit 84bef5b6037c15180ef88ac4216dc621d16df1a6 ] + +PPTP uses pppox sockets (struct pppox_sock). These sockets don't embed +an inet_sock structure, so it's invalid to call inet_sk() on them. + +Therefore, the ip_route_output_ports() call in pptp_connect() has two +problems: + + * The tos variable is set with RT_CONN_FLAGS(sk), which calls + inet_sk() on the pppox socket. + + * ip_route_output_ports() tries to retrieve routing flags using + inet_sk_flowi_flags(), which is also going to call inet_sk() on the + pppox socket. + +While PPTP doesn't use inet sockets, it's actually really layered on +top of IP and therefore needs a proper way to do fib lookups. So let's +define pptp_route_output() to get a struct rtable from a pptp socket. +Let's also replace the ip_route_output_ports() call of pptp_xmit() for +consistency. + +In practice, this means that: + + * pptp_connect() sets ->flowi4_tos and ->flowi4_flags to zero instead + of using bits of unrelated struct pppox_sock fields. + + * pptp_xmit() now respects ->sk_mark and ->sk_uid. + + * pptp_xmit() now calls the security_sk_classify_flow() security + hook, thus allowing to set ->flowic_secid. + + * pptp_xmit() now passes the pppox socket to xfrm_lookup_route(). + +Found by code inspection. + +Fixes: 00959ade36ac ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)") +Signed-off-by: Guillaume Nault +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/pptp.c | 31 ++++++++++++++++++++----------- + 1 file changed, 20 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c +index ee5058445d06e..05a75b5a8b680 100644 +--- a/drivers/net/ppp/pptp.c ++++ b/drivers/net/ppp/pptp.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -128,6 +129,23 @@ static void del_chan(struct pppox_sock *sock) + spin_unlock(&chan_lock); + } + ++static struct rtable *pptp_route_output(struct pppox_sock *po, ++ struct flowi4 *fl4) ++{ ++ struct sock *sk = &po->sk; ++ struct net *net; ++ ++ net = sock_net(sk); ++ flowi4_init_output(fl4, sk->sk_bound_dev_if, sk->sk_mark, 0, ++ RT_SCOPE_UNIVERSE, IPPROTO_GRE, 0, ++ po->proto.pptp.dst_addr.sin_addr.s_addr, ++ po->proto.pptp.src_addr.sin_addr.s_addr, ++ 0, 0, sock_net_uid(net, sk)); ++ security_sk_classify_flow(sk, flowi4_to_flowi_common(fl4)); ++ ++ return ip_route_output_flow(net, fl4, sk); ++} ++ + static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb) + { + struct sock *sk = (struct sock *) chan->private; +@@ -151,11 +169,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb) + if (sk_pppox(po)->sk_state & PPPOX_DEAD) + goto tx_error; + +- rt = ip_route_output_ports(net, &fl4, NULL, +- opt->dst_addr.sin_addr.s_addr, +- opt->src_addr.sin_addr.s_addr, +- 0, 0, IPPROTO_GRE, +- RT_TOS(0), sk->sk_bound_dev_if); ++ rt = pptp_route_output(po, &fl4); + if (IS_ERR(rt)) + goto tx_error; + +@@ -440,12 +454,7 @@ static int pptp_connect(struct socket *sock, struct sockaddr *uservaddr, + po->chan.private = sk; + po->chan.ops = &pptp_chan_ops; + +- rt = ip_route_output_ports(sock_net(sk), &fl4, sk, +- opt->dst_addr.sin_addr.s_addr, +- opt->src_addr.sin_addr.s_addr, +- 0, 0, +- IPPROTO_GRE, RT_CONN_FLAGS(sk), +- sk->sk_bound_dev_if); ++ rt = pptp_route_output(po, &fl4); + if (IS_ERR(rt)) { + error = -EHOSTUNREACH; + goto end; +-- +2.39.2 + 
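Review bot: The new helper pptp_route_output() carries no comment explaining why it exists. The reason is a type-confusion hazard that is easy to reintroduce: per the commit message, pppox sockets do not embed an inet_sock, so any inet_sk()-based helper reads unrelated fields. I would add above the function something like `/* pppox sockets are not inet sockets: never use inet_sk()-derived helpers (RT_CONN_FLAGS(), inet_sk_flowi_flags()) for PPTP route lookups. */`. It would also help to note next to the flowi4_init_output() call that the literal zeros for tos and flow flags are deliberate, since they look like omissions. pptp_xmit() and pptp_connect() both continue outside their hunks.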
diff --git a/tmp-5.10/pstore-ram-add-check-for-kstrdup.patch b/tmp-5.10/pstore-ram-add-check-for-kstrdup.patch
new file mode 100644
index 00000000000..45ce146cd53
--- /dev/null
+++ b/tmp-5.10/pstore-ram-add-check-for-kstrdup.patch
@@ -0,0 +1,37 @@
+From 253fd2f1c371d27fb17f253939ff6842e608b89f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jun 2023 17:37:33 +0800
+Subject: pstore/ram: Add check for kstrdup
+
+From: Jiasheng Jiang
+
+[ Upstream commit d97038d5ec2062733c1e016caf9baaf68cf64ea1 ]
+
+Add check for the return value of kstrdup() and return the error
+if it fails in order to avoid NULL pointer dereference.
+
+Fixes: e163fdb3f7f8 ("pstore/ram: Regularize prz label allocation lifetime")
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: Kees Cook
+Link: https://lore.kernel.org/r/20230614093733.36048-1-jiasheng@iscas.ac.cn
+Signed-off-by: Sasha Levin
+---
+ fs/pstore/ram_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
+index 184cb97c83bdd..b6183f1f4ebcf 100644
+--- a/fs/pstore/ram_core.c
++++ b/fs/pstore/ram_core.c
+@@ -577,6 +577,8 @@ struct persistent_ram_zone *persistent_ram_new(phys_addr_t start, size_t size,
+ raw_spin_lock_init(&prz->buffer_lock);
+ prz->flags = flags;
+ prz->label = kstrdup(label, GFP_KERNEL);
++ if (!prz->label)
++ goto err;
+
+ ret = persistent_ram_buffer_map(start, size, prz, memtype);
+ if (ret)
+--
+2.39.2
+
diff --git a/tmp-5.10/pwm-imx-tpm-force-real_period-to-be-zero-in-suspend.patch b/tmp-5.10/pwm-imx-tpm-force-real_period-to-be-zero-in-suspend.patch
new file mode 100644
index 00000000000..d158516bfeb
--- /dev/null
+++ b/tmp-5.10/pwm-imx-tpm-force-real_period-to-be-zero-in-suspend.patch
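Review bot: The added `if (!prz->label) goto err;` treats every NULL from kstrdup() as an allocation failure, but kstrdup() also returns NULL when its argument is NULL, so a caller passing no label would now be rejected. The hunk also does not show what `ret` holds at this `goto err`. If it is not already -ENOMEM from earlier in persistent_ram_new(), the function may report the wrong error or none. Confirm that every caller supplies a non-NULL label, and set the code explicitly, e.g. `if (!prz->label) { ret = -ENOMEM; goto err; }`. The function starts and ends outside the hunk.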
@@ -0,0 +1,48 @@
+From 4592e1dab1571866f9190655b7b95d5e4b005f8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 May 2023 14:58:39 +0800
+Subject: pwm: imx-tpm: force 'real_period' to be zero in suspend
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fancy Fang
+
+[ Upstream commit 661dfb7f46298e53f6c3deaa772fa527aae86193 ]
+
+During suspend, all the tpm registers will lose values.
+So the 'real_period' value of struct 'imx_tpm_pwm_chip'
+should be forced to be zero to force the period update
+code can be executed after system resume back.
+
+Signed-off-by: Fancy Fang
+Signed-off-by: Clark Wang
+Acked-by: Uwe Kleine-König
+Fixes: 738a1cfec2ed ("pwm: Add i.MX TPM PWM driver support")
+Signed-off-by: Thierry Reding
+Signed-off-by: Sasha Levin
+---
+ drivers/pwm/pwm-imx-tpm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/pwm/pwm-imx-tpm.c b/drivers/pwm/pwm-imx-tpm.c
+index fcdf6befb8389..871527b78aa46 100644
+--- a/drivers/pwm/pwm-imx-tpm.c
++++ b/drivers/pwm/pwm-imx-tpm.c
+@@ -403,6 +403,13 @@ static int __maybe_unused pwm_imx_tpm_suspend(struct device *dev)
+ if (tpm->enable_count > 0)
+ return -EBUSY;
+
++ /*
++ * Force 'real_period' to be zero to force period update code
++ * can be executed after system resume back, since suspend causes
++ * the period related registers to become their reset values.
++ */
++ tpm->real_period = 0;
++
+ clk_disable_unprepare(tpm->clk);
+
+ return 0;
+--
+2.39.2
+
diff --git a/tmp-5.10/pwm-sysfs-do-not-apply-state-to-already-disabled-pwm.patch b/tmp-5.10/pwm-sysfs-do-not-apply-state-to-already-disabled-pwm.patch
new file mode 100644
index 00000000000..36c31b4906b
--- /dev/null
+++ b/tmp-5.10/pwm-sysfs-do-not-apply-state-to-already-disabled-pwm.patch
@@ -0,0 +1,90 @@ +From d56d21af6bf877d438e82645843f9c44de95ebea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 18:47:36 +0200 +Subject: pwm: sysfs: Do not apply state to already disabled PWMs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Vasut + +[ Upstream commit 38ba83598633373f47951384cfc389181c8d1bed ] + +If the PWM is exported but not enabled, do not call pwm_class_apply_state(). +First of all, in this case, period may still be unconfigured and this would +make pwm_class_apply_state() return -EINVAL, and then suspend would fail. +Second, it makes little sense to apply state onto PWM that is not enabled +before suspend. + +Failing case: +" +$ echo 1 > /sys/class/pwm/pwmchip4/export +$ echo mem > /sys/power/state +... +pwm pwmchip4: PM: dpm_run_callback(): pwm_class_suspend+0x1/0xa8 returns -22 +pwm pwmchip4: PM: failed to suspend: error -22 +PM: Some devices failed to suspend, or early wake event detected +" + +Working case: +" +$ echo 1 > /sys/class/pwm/pwmchip4/export +$ echo 100 > /sys/class/pwm/pwmchip4/pwm1/period +$ echo 10 > /sys/class/pwm/pwmchip4/pwm1/duty_cycle +$ echo mem > /sys/power/state +... +" + +Do not call pwm_class_apply_state() in case the PWM is disabled +to fix this issue. 
+ +Fixes: 7fd4edc57bbae ("pwm: sysfs: Add suspend/resume support") +Signed-off-by: Marek Vasut +Fixes: ef2bf4997f7d ("pwm: Improve args checking in pwm_apply_state()") +Reviewed-by: Brian Norris +Reviewed-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/sysfs.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/pwm/sysfs.c b/drivers/pwm/sysfs.c +index 9903c3a7ecedc..b8417a8d2ef97 100644 +--- a/drivers/pwm/sysfs.c ++++ b/drivers/pwm/sysfs.c +@@ -424,6 +424,13 @@ static int pwm_class_resume_npwm(struct device *parent, unsigned int npwm) + if (!export) + continue; + ++ /* If pwmchip was not enabled before suspend, do nothing. */ ++ if (!export->suspend.enabled) { ++ /* release lock taken in pwm_class_get_state */ ++ mutex_unlock(&export->lock); ++ continue; ++ } ++ + state.enabled = export->suspend.enabled; + ret = pwm_class_apply_state(export, pwm, &state); + if (ret < 0) +@@ -448,7 +455,17 @@ static int __maybe_unused pwm_class_suspend(struct device *parent) + if (!export) + continue; + ++ /* ++ * If pwmchip was not enabled before suspend, save ++ * state for resume time and do nothing else. ++ */ + export->suspend = state; ++ if (!state.enabled) { ++ /* release lock taken in pwm_class_get_state */ ++ mutex_unlock(&export->lock); ++ continue; ++ } ++ + state.enabled = false; + ret = pwm_class_apply_state(export, pwm, &state); + if (ret < 0) { +-- +2.39.2 + diff --git a/tmp-5.10/radeon-avoid-double-free-in-ci_dpm_init.patch b/tmp-5.10/radeon-avoid-double-free-in-ci_dpm_init.patch new file mode 100644 index 00000000000..8a3989f6465 --- /dev/null +++ b/tmp-5.10/radeon-avoid-double-free-in-ci_dpm_init.patch 
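Review bot: Both added skip paths call `mutex_unlock(&export->lock)` by hand, justified only by the comment `release lock taken in pwm_class_get_state`. The lock is therefore acquired in one helper and released either here or, presumably, inside pwm_class_apply_state(). That contract is not documented anywhere in the hunks, so a future early `continue` in either loop would leave the mutex held with no visible hint. I would document the ownership rule once at pwm_class_get_state(), e.g. `/* Returns with export->lock held; the caller must release it or hand it to pwm_class_apply_state(). */`, or move the unlock-and-skip into a small helper used by both loops. Both loops start and end outside the hunks.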
@@ -0,0 +1,110 @@ +From e112d9a2739ab59beb21f353942726227a2d643b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 08:12:28 -0700 +Subject: radeon: avoid double free in ci_dpm_init() + +From: Nikita Zhandarovich + +[ Upstream commit 20c3dffdccbd494e0dd631d1660aeecbff6775f2 ] + +Several calls to ci_dpm_fini() will attempt to free resources that +either have been freed before or haven't been allocated yet. This +may lead to undefined or dangerous behaviour. + +For instance, if r600_parse_extended_power_table() fails, it might +call r600_free_extended_power_table() as will ci_dpm_fini() later +during error handling. + +Fix this by only freeing pointers to objects previously allocated. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") +Co-developed-by: Natalia Petrova +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/ci_dpm.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c +index 886e9959496fe..f98df826972c9 100644 +--- a/drivers/gpu/drm/radeon/ci_dpm.c ++++ b/drivers/gpu/drm/radeon/ci_dpm.c +@@ -5541,6 +5541,7 @@ static int ci_parse_power_table(struct radeon_device *rdev) + u8 frev, crev; + u8 *power_state_offset; + struct ci_ps *ps; ++ int ret; + + if (!atom_parse_data_header(mode_info->atom_context, index, NULL, + &frev, &crev, &data_offset)) +@@ -5570,11 +5571,15 @@ static int ci_parse_power_table(struct radeon_device *rdev) + non_clock_array_index = power_state->v2.nonClockInfoIndex; + non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) + &non_clock_info_array->nonClockInfo[non_clock_array_index]; +- if (!rdev->pm.power_state[i].clock_info) +- return -EINVAL; ++ if (!rdev->pm.power_state[i].clock_info) { ++ ret = -EINVAL; ++ goto err_free_ps; 
++ } + ps = kzalloc(sizeof(struct ci_ps), GFP_KERNEL); +- if (ps == NULL) +- return -ENOMEM; ++ if (ps == NULL) { ++ ret = -ENOMEM; ++ goto err_free_ps; ++ } + rdev->pm.dpm.ps[i].ps_priv = ps; + ci_parse_pplib_non_clock_info(rdev, &rdev->pm.dpm.ps[i], + non_clock_info, +@@ -5614,6 +5619,12 @@ static int ci_parse_power_table(struct radeon_device *rdev) + } + + return 0; ++ ++err_free_ps: ++ for (i = 0; i < rdev->pm.dpm.num_ps; i++) ++ kfree(rdev->pm.dpm.ps[i].ps_priv); ++ kfree(rdev->pm.dpm.ps); ++ return ret; + } + + static int ci_get_vbios_boot_values(struct radeon_device *rdev, +@@ -5702,25 +5713,26 @@ int ci_dpm_init(struct radeon_device *rdev) + + ret = ci_get_vbios_boot_values(rdev, &pi->vbios_boot_state); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); + return ret; + } + + ret = r600_get_platform_caps(rdev); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); + return ret; + } + + ret = r600_parse_extended_power_table(rdev); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); + return ret; + } + + ret = ci_parse_power_table(rdev); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); ++ r600_free_extended_power_table(rdev); + return ret; + } + +-- +2.39.2 + diff --git a/tmp-5.10/rcu-rcuscale-move-rcu_scale_-after-kfree_scale_clean.patch b/tmp-5.10/rcu-rcuscale-move-rcu_scale_-after-kfree_scale_clean.patch new file mode 100644 index 00000000000..4b96a2b3240 --- /dev/null +++ b/tmp-5.10/rcu-rcuscale-move-rcu_scale_-after-kfree_scale_clean.patch 
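Review bot: The new `err_free_ps` path in ci_parse_power_table() frees each `ps_priv` and then `rdev->pm.dpm.ps` but leaves the pointers set, and ci_dpm_init() likewise calls `kfree(rdev->pm.dpm.priv)` without clearing it. In a commit whose purpose is avoiding double frees, any later teardown that reaches these fields would free them again, so I would add `rdev->pm.dpm.ps = NULL;` after the kfree and `rdev->pm.dpm.priv = NULL;` on each error return. The cleanup loop is also bounded by `rdev->pm.dpm.num_ps`, whose assignment is not in the hunk. If num_ps is only set after the parsing loop completes, the loop frees nothing and the `ps_priv` objects allocated so far leak, so bounding it by the number of entries actually allocated would be safer. Both functions continue outside the hunks.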
@@ -0,0 +1,245 @@ +From 7548fc01e80b9606a4672a30186f437c97c092f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 19:42:40 +0800 +Subject: rcu/rcuscale: Move rcu_scale_*() after kfree_scale_cleanup() + +From: Qiuxu Zhuo + +[ Upstream commit bf5ddd736509a7d9077c0b6793e6f0852214dbea ] + +This code-movement-only commit moves the rcu_scale_cleanup() and +rcu_scale_shutdown() functions to follow kfree_scale_cleanup(). +This is code movement is in preparation for a bug-fix patch that invokes +kfree_scale_cleanup() from rcu_scale_cleanup(). + +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Paul E. McKenney +Reviewed-by: Joel Fernandes (Google) +Stable-dep-of: 23fc8df26dea ("rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale") +Signed-off-by: Sasha Levin +--- + kernel/rcu/rcuscale.c | 194 +++++++++++++++++++++--------------------- + 1 file changed, 97 insertions(+), 97 deletions(-) + +diff --git a/kernel/rcu/rcuscale.c b/kernel/rcu/rcuscale.c +index 74be0b6438fb3..dfc6172ffe1d2 100644 +--- a/kernel/rcu/rcuscale.c ++++ b/kernel/rcu/rcuscale.c +@@ -470,89 +470,6 @@ rcu_scale_print_module_parms(struct rcu_scale_ops *cur_ops, const char *tag) + scale_type, tag, nrealreaders, nrealwriters, verbose, shutdown); + } + +-static void +-rcu_scale_cleanup(void) +-{ +- int i; +- int j; +- int ngps = 0; +- u64 *wdp; +- u64 *wdpp; +- +- /* +- * Would like warning at start, but everything is expedited +- * during the mid-boot phase, so have to wait till the end. 
+- */ +- if (rcu_gp_is_expedited() && !rcu_gp_is_normal() && !gp_exp) +- SCALEOUT_ERRSTRING("All grace periods expedited, no normal ones to measure!"); +- if (rcu_gp_is_normal() && gp_exp) +- SCALEOUT_ERRSTRING("All grace periods normal, no expedited ones to measure!"); +- if (gp_exp && gp_async) +- SCALEOUT_ERRSTRING("No expedited async GPs, so went with async!"); +- +- if (torture_cleanup_begin()) +- return; +- if (!cur_ops) { +- torture_cleanup_end(); +- return; +- } +- +- if (reader_tasks) { +- for (i = 0; i < nrealreaders; i++) +- torture_stop_kthread(rcu_scale_reader, +- reader_tasks[i]); +- kfree(reader_tasks); +- } +- +- if (writer_tasks) { +- for (i = 0; i < nrealwriters; i++) { +- torture_stop_kthread(rcu_scale_writer, +- writer_tasks[i]); +- if (!writer_n_durations) +- continue; +- j = writer_n_durations[i]; +- pr_alert("%s%s writer %d gps: %d\n", +- scale_type, SCALE_FLAG, i, j); +- ngps += j; +- } +- pr_alert("%s%s start: %llu end: %llu duration: %llu gps: %d batches: %ld\n", +- scale_type, SCALE_FLAG, +- t_rcu_scale_writer_started, t_rcu_scale_writer_finished, +- t_rcu_scale_writer_finished - +- t_rcu_scale_writer_started, +- ngps, +- rcuscale_seq_diff(b_rcu_gp_test_finished, +- b_rcu_gp_test_started)); +- for (i = 0; i < nrealwriters; i++) { +- if (!writer_durations) +- break; +- if (!writer_n_durations) +- continue; +- wdpp = writer_durations[i]; +- if (!wdpp) +- continue; +- for (j = 0; j < writer_n_durations[i]; j++) { +- wdp = &wdpp[j]; +- pr_alert("%s%s %4d writer-duration: %5d %llu\n", +- scale_type, SCALE_FLAG, +- i, j, *wdp); +- if (j % 100 == 0) +- schedule_timeout_uninterruptible(1); +- } +- kfree(writer_durations[i]); +- } +- kfree(writer_tasks); +- kfree(writer_durations); +- kfree(writer_n_durations); +- } +- +- /* Do torture-type-specific cleanup operations. */ +- if (cur_ops->cleanup != NULL) +- cur_ops->cleanup(); +- +- torture_cleanup_end(); +-} +- + /* + * Return the number if non-negative. If -1, the number of CPUs. 
+ * If less than -1, that much less than the number of CPUs, but +@@ -572,20 +489,6 @@ static int compute_real(int n) + return nr; + } + +-/* +- * RCU scalability shutdown kthread. Just waits to be awakened, then shuts +- * down system. +- */ +-static int +-rcu_scale_shutdown(void *arg) +-{ +- wait_event_idle(shutdown_wq, atomic_read(&n_rcu_scale_writer_finished) >= nrealwriters); +- smp_mb(); /* Wake before output. */ +- rcu_scale_cleanup(); +- kernel_power_off(); +- return -EINVAL; +-} +- + /* + * kfree_rcu() scalability tests: Start a kfree_rcu() loop on all CPUs for number + * of iterations and measure total time and number of GP for all iterations to complete. +@@ -747,6 +650,103 @@ kfree_scale_init(void) + return firsterr; + } + ++static void ++rcu_scale_cleanup(void) ++{ ++ int i; ++ int j; ++ int ngps = 0; ++ u64 *wdp; ++ u64 *wdpp; ++ ++ /* ++ * Would like warning at start, but everything is expedited ++ * during the mid-boot phase, so have to wait till the end. ++ */ ++ if (rcu_gp_is_expedited() && !rcu_gp_is_normal() && !gp_exp) ++ SCALEOUT_ERRSTRING("All grace periods expedited, no normal ones to measure!"); ++ if (rcu_gp_is_normal() && gp_exp) ++ SCALEOUT_ERRSTRING("All grace periods normal, no expedited ones to measure!"); ++ if (gp_exp && gp_async) ++ SCALEOUT_ERRSTRING("No expedited async GPs, so went with async!"); ++ ++ if (torture_cleanup_begin()) ++ return; ++ if (!cur_ops) { ++ torture_cleanup_end(); ++ return; ++ } ++ ++ if (reader_tasks) { ++ for (i = 0; i < nrealreaders; i++) ++ torture_stop_kthread(rcu_scale_reader, ++ reader_tasks[i]); ++ kfree(reader_tasks); ++ } ++ ++ if (writer_tasks) { ++ for (i = 0; i < nrealwriters; i++) { ++ torture_stop_kthread(rcu_scale_writer, ++ writer_tasks[i]); ++ if (!writer_n_durations) ++ continue; ++ j = writer_n_durations[i]; ++ pr_alert("%s%s writer %d gps: %d\n", ++ scale_type, SCALE_FLAG, i, j); ++ ngps += j; ++ } ++ pr_alert("%s%s start: %llu end: %llu duration: %llu gps: %d batches: %ld\n", ++ 
scale_type, SCALE_FLAG, ++ t_rcu_scale_writer_started, t_rcu_scale_writer_finished, ++ t_rcu_scale_writer_finished - ++ t_rcu_scale_writer_started, ++ ngps, ++ rcuscale_seq_diff(b_rcu_gp_test_finished, ++ b_rcu_gp_test_started)); ++ for (i = 0; i < nrealwriters; i++) { ++ if (!writer_durations) ++ break; ++ if (!writer_n_durations) ++ continue; ++ wdpp = writer_durations[i]; ++ if (!wdpp) ++ continue; ++ for (j = 0; j < writer_n_durations[i]; j++) { ++ wdp = &wdpp[j]; ++ pr_alert("%s%s %4d writer-duration: %5d %llu\n", ++ scale_type, SCALE_FLAG, ++ i, j, *wdp); ++ if (j % 100 == 0) ++ schedule_timeout_uninterruptible(1); ++ } ++ kfree(writer_durations[i]); ++ } ++ kfree(writer_tasks); ++ kfree(writer_durations); ++ kfree(writer_n_durations); ++ } ++ ++ /* Do torture-type-specific cleanup operations. */ ++ if (cur_ops->cleanup != NULL) ++ cur_ops->cleanup(); ++ ++ torture_cleanup_end(); ++} ++ ++/* ++ * RCU scalability shutdown kthread. Just waits to be awakened, then shuts ++ * down system. ++ */ ++static int ++rcu_scale_shutdown(void *arg) ++{ ++ wait_event_idle(shutdown_wq, atomic_read(&n_rcu_scale_writer_finished) >= nrealwriters); ++ smp_mb(); /* Wake before output. */ ++ rcu_scale_cleanup(); ++ kernel_power_off(); ++ return -EINVAL; ++} ++ + static int __init + rcu_scale_init(void) + { +-- +2.39.2 + diff --git a/tmp-5.10/rcu-rcuscale-stop-kfree_scale_thread-thread-s-after-.patch b/tmp-5.10/rcu-rcuscale-stop-kfree_scale_thread-thread-s-after-.patch new file mode 100644 index 00000000000..b3c9ff8eeae --- /dev/null +++ b/tmp-5.10/rcu-rcuscale-stop-kfree_scale_thread-thread-s-after-.patch 
@@ -0,0 +1,81 @@ +From 1965bc7265d6f394a191236a6abb0745253b69d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 19:42:41 +0800 +Subject: rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading + rcuscale + +From: Qiuxu Zhuo + +[ Upstream commit 23fc8df26dead16687ae6eb47b0561a4a832e2f6 ] + +Running the 'kfree_rcu_test' test case [1] results in a splat [2]. +The root cause is the kfree_scale_thread thread(s) continue running +after unloading the rcuscale module. This commit fixes that isue by +invoking kfree_scale_cleanup() from rcu_scale_cleanup() when removing +the rcuscale module. + +[1] modprobe rcuscale kfree_rcu_test=1 + // After some time + rmmod rcuscale + rmmod torture + +[2] BUG: unable to handle page fault for address: ffffffffc0601a87 + #PF: supervisor instruction fetch in kernel mode + #PF: error_code(0x0010) - not-present page + PGD 11de4f067 P4D 11de4f067 PUD 11de51067 PMD 112f4d067 PTE 0 + Oops: 0010 [#1] PREEMPT SMP NOPTI + CPU: 1 PID: 1798 Comm: kfree_scale_thr Not tainted 6.3.0-rc1-rcu+ #1 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 + RIP: 0010:0xffffffffc0601a87 + Code: Unable to access opcode bytes at 0xffffffffc0601a5d. + RSP: 0018:ffffb25bc2e57e18 EFLAGS: 00010297 + RAX: 0000000000000000 RBX: ffffffffc061f0b6 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: ffffffff962fd0de RDI: ffffffff962fd0de + RBP: ffffb25bc2e57ea8 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000 + R13: 0000000000000000 R14: 000000000000000a R15: 00000000001c1dbe + FS: 0000000000000000(0000) GS:ffff921fa2200000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffffffffc0601a5d CR3: 000000011de4c006 CR4: 0000000000370ee0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + ? kvfree_call_rcu+0xf0/0x3a0 + ? 
kthread+0xf3/0x120 + ? kthread_complete_and_exit+0x20/0x20 + ? ret_from_fork+0x1f/0x30 + + Modules linked in: rfkill sunrpc ... [last unloaded: torture] + CR2: ffffffffc0601a87 + ---[ end trace 0000000000000000 ]--- + +Fixes: e6e78b004fa7 ("rcuperf: Add kfree_rcu() performance Tests") +Reviewed-by: Davidlohr Bueso +Reviewed-by: Joel Fernandes (Google) +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/rcuscale.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/kernel/rcu/rcuscale.c b/kernel/rcu/rcuscale.c +index dfc6172ffe1d2..6c05365ed80fc 100644 +--- a/kernel/rcu/rcuscale.c ++++ b/kernel/rcu/rcuscale.c +@@ -670,6 +670,11 @@ rcu_scale_cleanup(void) + if (gp_exp && gp_async) + SCALEOUT_ERRSTRING("No expedited async GPs, so went with async!"); + ++ if (kfree_rcu_test) { ++ kfree_scale_cleanup(); ++ return; ++ } ++ + if (torture_cleanup_begin()) + return; + if (!cur_ops) { +-- +2.39.2 + diff --git a/tmp-5.10/rcu-tasks-mark-trc_reader_nesting-data-races.patch b/tmp-5.10/rcu-tasks-mark-trc_reader_nesting-data-races.patch new file mode 100644 index 00000000000..4be75dca683 --- /dev/null +++ b/tmp-5.10/rcu-tasks-mark-trc_reader_nesting-data-races.patch 
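Review bot: The early `return` added after `kfree_scale_cleanup()` bypasses the `torture_cleanup_begin()`/`torture_cleanup_end()` pairing and the `cur_ops->cleanup()` call further down rcu_scale_cleanup(). The kfree_rcu_test teardown is therefore complete only if kfree_scale_cleanup() does all of that itself, which cannot be confirmed from this hunk. A short comment on the new branch would record the assumption, e.g. `/* kfree_rcu_test mode: kfree_scale_cleanup() is expected to stop its kthreads and complete the torture teardown itself. */`. The rest of rcu_scale_cleanup() lies outside the hunk.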
@@ -0,0 +1,80 @@ +From stable-owner@vger.kernel.org Sat Jul 15 02:47:26 2023 +From: "Joel Fernandes (Google)" +Date: Sat, 15 Jul 2023 00:47:09 +0000 +Subject: rcu-tasks: Mark ->trc_reader_nesting data races +To: stable@vger.kernel.org +Cc: "Joel Fernandes (Google)" , "Paul E . McKenney" +Message-ID: <20230715004711.2938489-2-joel@joelfernandes.org> + +From: "Paul E. McKenney" + +[ Upstream commit bdb0cca0d11060fce8a8a44588ac1470c25d62bc ] + +There are several ->trc_reader_nesting data races that are too +low-probability for KCSAN to notice, but which will happen sooner or +later. This commit therefore marks these accesses, and comments one +that cannot race. + +Cc: # 5.10.x +Signed-off-by: Paul E. McKenney +Signed-off-by: Joel Fernandes (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/rcu/tasks.h | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/kernel/rcu/tasks.h ++++ b/kernel/rcu/tasks.h +@@ -848,7 +848,7 @@ static void trc_read_check_handler(void + + // If the task is not in a read-side critical section, and + // if this is the last reader, awaken the grace-period kthread. +- if (likely(!t->trc_reader_nesting)) { ++ if (likely(!READ_ONCE(t->trc_reader_nesting))) { + if (WARN_ON_ONCE(atomic_dec_and_test(&trc_n_readers_need_end))) + wake_up(&trc_wait); + // Mark as checked after decrement to avoid false +@@ -857,7 +857,7 @@ static void trc_read_check_handler(void + goto reset_ipi; + } + // If we are racing with an rcu_read_unlock_trace(), try again later. +- if (unlikely(t->trc_reader_nesting < 0)) { ++ if (unlikely(READ_ONCE(t->trc_reader_nesting) < 0)) { + if (WARN_ON_ONCE(atomic_dec_and_test(&trc_n_readers_need_end))) + wake_up(&trc_wait); + goto reset_ipi; +@@ -904,6 +904,7 @@ static bool trc_inspect_reader(struct ta + n_heavy_reader_ofl_updates++; + in_qs = true; + } else { ++ // The task is not running, so C-language access is safe. 
+ in_qs = likely(!t->trc_reader_nesting); + } + +@@ -936,7 +937,7 @@ static void trc_wait_for_one_reader(stru + // The current task had better be in a quiescent state. + if (t == current) { + t->trc_reader_checked = true; +- WARN_ON_ONCE(t->trc_reader_nesting); ++ WARN_ON_ONCE(READ_ONCE(t->trc_reader_nesting)); + return; + } + +@@ -1046,7 +1047,7 @@ static void show_stalled_task_trace(stru + ".I"[READ_ONCE(t->trc_ipi_to_cpu) > 0], + ".i"[is_idle_task(t)], + ".N"[cpu > 0 && tick_nohz_full_cpu(cpu)], +- t->trc_reader_nesting, ++ READ_ONCE(t->trc_reader_nesting), + " N"[!!t->trc_reader_special.b.need_qs], + cpu); + sched_show_task(t); +@@ -1141,7 +1142,7 @@ static void rcu_tasks_trace_postgp(struc + static void exit_tasks_rcu_finish_trace(struct task_struct *t) + { + WRITE_ONCE(t->trc_reader_checked, true); +- WARN_ON_ONCE(t->trc_reader_nesting); ++ WARN_ON_ONCE(READ_ONCE(t->trc_reader_nesting)); + WRITE_ONCE(t->trc_reader_nesting, 0); + if (WARN_ON_ONCE(READ_ONCE(t->trc_reader_special.b.need_qs))) + rcu_read_unlock_trace_special(t, 0); diff --git a/tmp-5.10/rcu-tasks-mark-trc_reader_special.b.need_qs-data-races.patch b/tmp-5.10/rcu-tasks-mark-trc_reader_special.b.need_qs-data-races.patch new file mode 100644 index 00000000000..68b40575251 --- /dev/null +++ b/tmp-5.10/rcu-tasks-mark-trc_reader_special.b.need_qs-data-races.patch 
@@ -0,0 +1,62 @@
+From stable-owner@vger.kernel.org Sat Jul 15 02:47:26 2023
+From: "Joel Fernandes (Google)"
+Date: Sat, 15 Jul 2023 00:47:10 +0000
+Subject: rcu-tasks: Mark ->trc_reader_special.b.need_qs data races
+To: stable@vger.kernel.org
+Cc: "Joel Fernandes (Google)" , "Paul E . McKenney"
+Message-ID: <20230715004711.2938489-3-joel@joelfernandes.org>
+
+From: "Paul E. McKenney"
+
+[ Upstream commit f8ab3fad80dddf3f2cecb53983063c4431058ca1 ]
+
+There are several ->trc_reader_special.b.need_qs data races that are
+too low-probability for KCSAN to notice, but which will happen sooner
+or later. This commit therefore marks these accesses.
+
+Cc: # 5.10.x
+Signed-off-by: Paul E. McKenney
+Signed-off-by: Joel Fernandes (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/rcu/tasks.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/rcu/tasks.h
++++ b/kernel/rcu/tasks.h
+@@ -801,7 +801,7 @@ static DEFINE_IRQ_WORK(rcu_tasks_trace_i
+ /* If we are the last reader, wake up the grace-period kthread. */
+ void rcu_read_unlock_trace_special(struct task_struct *t, int nesting)
+ {
+- int nq = t->trc_reader_special.b.need_qs;
++ int nq = READ_ONCE(t->trc_reader_special.b.need_qs);
+
+ if (IS_ENABLED(CONFIG_TASKS_TRACE_RCU_READ_MB) &&
+ t->trc_reader_special.b.need_mb)
+@@ -867,7 +867,7 @@ static void trc_read_check_handler(void
+ // Get here if the task is in a read-side critical section. Set
+ // its state so that it will awaken the grace-period kthread upon
+ // exit from that critical section.
+- WARN_ON_ONCE(t->trc_reader_special.b.need_qs);
++ WARN_ON_ONCE(READ_ONCE(t->trc_reader_special.b.need_qs));
+ WRITE_ONCE(t->trc_reader_special.b.need_qs, true);
+
+ reset_ipi:
+@@ -919,7 +919,7 @@ static bool trc_inspect_reader(struct ta
+ // state so that it will awaken the grace-period kthread upon exit
+ // from that critical section.
+ atomic_inc(&trc_n_readers_need_end); // One more to wait on.
+- WARN_ON_ONCE(t->trc_reader_special.b.need_qs);
++ WARN_ON_ONCE(READ_ONCE(t->trc_reader_special.b.need_qs));
+ WRITE_ONCE(t->trc_reader_special.b.need_qs, true);
+ return true;
+ }
+@@ -1048,7 +1048,7 @@ static void show_stalled_task_trace(stru
+ ".i"[is_idle_task(t)],
+ ".N"[cpu > 0 && tick_nohz_full_cpu(cpu)],
+ READ_ONCE(t->trc_reader_nesting),
+- " N"[!!t->trc_reader_special.b.need_qs],
++ " N"[!!READ_ONCE(t->trc_reader_special.b.need_qs)],
+ cpu);
+ sched_show_task(t);
+ }
diff --git a/tmp-5.10/rcu-tasks-simplify-trc_read_check_handler-atomic-operations.patch b/tmp-5.10/rcu-tasks-simplify-trc_read_check_handler-atomic-operations.patch
new file mode 100644
index 00000000000..6ec53fbd110
--- /dev/null
+++ b/tmp-5.10/rcu-tasks-simplify-trc_read_check_handler-atomic-operations.patch
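Review bot: In rcu_read_unlock_trace_special() the `need_qs` load is now marked, but the `t->trc_reader_special.b.need_mb` read in the `if` just below it is left as a plain C access with no explanation. If that field cannot be written concurrently at this point, a one-line comment saying why would match the way the previous patch annotated the unmarked read in trc_inspect_reader() (`// The task is not running, so C-language access is safe.`); if it can, it presumably wants `READ_ONCE()` too. The function continues past the end of the hunk, so its other accesses to the field are not visible.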
@@ -0,0 +1,92 @@
+From stable-owner@vger.kernel.org Sat Jul 15 02:47:26 2023
+From: "Joel Fernandes (Google)"
+Date: Sat, 15 Jul 2023 00:47:11 +0000
+Subject: rcu-tasks: Simplify trc_read_check_handler() atomic operations
+To: stable@vger.kernel.org
+Cc: "Joel Fernandes (Google)" , "Paul E . McKenney"
+Message-ID: <20230715004711.2938489-4-joel@joelfernandes.org>
+
+From: "Paul E. McKenney"
+
+[ Upstream commit 96017bf9039763a2e02dcc6adaa18592cd73a39d ]
+
+Currently, trc_wait_for_one_reader() atomically increments
+the trc_n_readers_need_end counter before sending the IPI
+invoking trc_read_check_handler(). All failure paths out of
+trc_read_check_handler() and also from the smp_call_function_single()
+within trc_wait_for_one_reader() must carefully atomically decrement
+this counter. This is more complex than it needs to be.
+
+This commit therefore simplifies things and saves a few lines of
+code by dispensing with the atomic decrements in favor of having
+trc_read_check_handler() do the atomic increment only in the success case.
+In theory, this represents no change in functionality.
+
+Cc: # 5.10.x
+Signed-off-by: Paul E. McKenney
+Signed-off-by: Joel Fernandes (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/rcu/tasks.h | 20 +++-----------------
+ 1 file changed, 3 insertions(+), 17 deletions(-)
+
+--- a/kernel/rcu/tasks.h
++++ b/kernel/rcu/tasks.h
+@@ -841,32 +841,24 @@ static void trc_read_check_handler(void
+
+ // If the task is no longer running on this CPU, leave.
+ if (unlikely(texp != t)) {
+- if (WARN_ON_ONCE(atomic_dec_and_test(&trc_n_readers_need_end)))
+- wake_up(&trc_wait);
+ goto reset_ipi; // Already on holdout list, so will check later.
+ }
+
+ // If the task is not in a read-side critical section, and
+ // if this is the last reader, awaken the grace-period kthread.
+ if (likely(!READ_ONCE(t->trc_reader_nesting))) {
+- if (WARN_ON_ONCE(atomic_dec_and_test(&trc_n_readers_need_end)))
+- wake_up(&trc_wait);
+- // Mark as checked after decrement to avoid false
+- // positives on the above WARN_ON_ONCE().
+ WRITE_ONCE(t->trc_reader_checked, true);
+ goto reset_ipi;
+ }
+ // If we are racing with an rcu_read_unlock_trace(), try again later.
+- if (unlikely(READ_ONCE(t->trc_reader_nesting) < 0)) {
+- if (WARN_ON_ONCE(atomic_dec_and_test(&trc_n_readers_need_end)))
+- wake_up(&trc_wait);
++ if (unlikely(READ_ONCE(t->trc_reader_nesting) < 0))
+ goto reset_ipi;
+- }
+ WRITE_ONCE(t->trc_reader_checked, true);
+
+ // Get here if the task is in a read-side critical section. Set
+ // its state so that it will awaken the grace-period kthread upon
+ // exit from that critical section.
++ atomic_inc(&trc_n_readers_need_end); // One more to wait on.
+ WARN_ON_ONCE(READ_ONCE(t->trc_reader_special.b.need_qs));
+ WRITE_ONCE(t->trc_reader_special.b.need_qs, true);
+
+@@ -960,21 +952,15 @@ static void trc_wait_for_one_reader(stru
+ if (per_cpu(trc_ipi_to_cpu, cpu) || t->trc_ipi_to_cpu >= 0)
+ return;
+
+- atomic_inc(&trc_n_readers_need_end);
+ per_cpu(trc_ipi_to_cpu, cpu) = true;
+ t->trc_ipi_to_cpu = cpu;
+ rcu_tasks_trace.n_ipis++;
+- if (smp_call_function_single(cpu,
+- trc_read_check_handler, t, 0)) {
++ if (smp_call_function_single(cpu, trc_read_check_handler, t, 0)) {
+ // Just in case there is some other reason for
+ // failure than the target CPU being offline.
+ rcu_tasks_trace.n_ipis_fails++;
+ per_cpu(trc_ipi_to_cpu, cpu) = false;
+ t->trc_ipi_to_cpu = cpu;
+- if (atomic_dec_and_test(&trc_n_readers_need_end)) {
+- WARN_ON_ONCE(1);
+- wake_up(&trc_wait);
+- }
+ }
+ }
+ }
diff --git a/tmp-5.10/rcuscale-always-log-error-message.patch b/tmp-5.10/rcuscale-always-log-error-message.patch
new file mode 100644
index 00000000000..efd5b838813
--- /dev/null
+++ b/tmp-5.10/rcuscale-always-log-error-message.patch
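Review bot: In the trc_wait_for_one_reader() hunk, the failure branch of `smp_call_function_single()` still ends with the context line `t->trc_ipi_to_cpu = cpu;`, while the guard at the top of the same hunk returns early whenever `t->trc_ipi_to_cpu >= 0`. With the counter decrement removed from this branch, nothing left in it undoes the in-flight marking on the task, so a task whose IPI could not be sent looks as if it would be skipped on later passes through this path. If the intent is to clear the marker, the line would presumably read `t->trc_ipi_to_cpu = -1;`; that is inferred from the guard alone, and the code that normally resets the field is outside the hunk.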
@@ -0,0 +1,71 @@
+From 46a475b7221c6553082f6cc77d500c0ff436faa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 29 Oct 2021 17:40:28 +0800
+Subject: rcuscale: Always log error message
+
+From: Li Zhijian
+
+[ Upstream commit 86e7ed1bd57d020e35d430542bf5d689c3200568 ]
+
+Unconditionally log messages corresponding to errors.
+
+Acked-by: Davidlohr Bueso
+Signed-off-by: Li Zhijian
+Signed-off-by: Paul E. McKenney
+Stable-dep-of: 23fc8df26dea ("rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale")
+Signed-off-by: Sasha Levin
+---
+ kernel/rcu/rcuscale.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/rcu/rcuscale.c b/kernel/rcu/rcuscale.c
+index 28bc688e2705c..4452c3c4060ce 100644
+--- a/kernel/rcu/rcuscale.c
++++ b/kernel/rcu/rcuscale.c
+@@ -49,8 +49,8 @@ MODULE_AUTHOR("Paul E. McKenney ");
+ pr_alert("%s" SCALE_FLAG " %s\n", scale_type, s)
+ #define VERBOSE_SCALEOUT_STRING(s) \
+ do { if (verbose) pr_alert("%s" SCALE_FLAG " %s\n", scale_type, s); } while (0)
+-#define VERBOSE_SCALEOUT_ERRSTRING(s) \
+- do { if (verbose) pr_alert("%s" SCALE_FLAG "!!! %s\n", scale_type, s); } while (0)
++#define SCALEOUT_ERRSTRING(s) \
++ pr_alert("%s" SCALE_FLAG "!!! %s\n", scale_type, s)
+
+ /*
+ * The intended use cases for the nreaders and nwriters module parameters
+@@ -484,11 +484,11 @@ rcu_scale_cleanup(void)
+ * during the mid-boot phase, so have to wait till the end.
+ */
+ if (rcu_gp_is_expedited() && !rcu_gp_is_normal() && !gp_exp)
+- VERBOSE_SCALEOUT_ERRSTRING("All grace periods expedited, no normal ones to measure!");
++ SCALEOUT_ERRSTRING("All grace periods expedited, no normal ones to measure!");
+ if (rcu_gp_is_normal() && gp_exp)
+- VERBOSE_SCALEOUT_ERRSTRING("All grace periods normal, no expedited ones to measure!");
++ SCALEOUT_ERRSTRING("All grace periods normal, no expedited ones to measure!");
+ if (gp_exp && gp_async)
+- VERBOSE_SCALEOUT_ERRSTRING("No expedited async GPs, so went with async!");
++ SCALEOUT_ERRSTRING("No expedited async GPs, so went with async!");
+
+ if (torture_cleanup_begin())
+ return;
+@@ -803,7 +803,7 @@ rcu_scale_init(void)
+ reader_tasks = kcalloc(nrealreaders, sizeof(reader_tasks[0]),
+ GFP_KERNEL);
+ if (reader_tasks == NULL) {
+- VERBOSE_SCALEOUT_ERRSTRING("out of memory");
++ SCALEOUT_ERRSTRING("out of memory");
+ firsterr = -ENOMEM;
+ goto unwind;
+ }
+@@ -823,7 +823,7 @@ rcu_scale_init(void)
+ kcalloc(nrealwriters, sizeof(*writer_n_durations),
+ GFP_KERNEL);
+ if (!writer_tasks || !writer_durations || !writer_n_durations) {
+- VERBOSE_SCALEOUT_ERRSTRING("out of memory");
++ SCALEOUT_ERRSTRING("out of memory");
+ firsterr = -ENOMEM;
+ goto unwind;
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/rcuscale-console-output-claims-too-few-grace-periods.patch b/tmp-5.10/rcuscale-console-output-claims-too-few-grace-periods.patch
new file mode 100644
index 00000000000..fd54c6e639d
--- /dev/null
+++ b/tmp-5.10/rcuscale-console-output-claims-too-few-grace-periods.patch
@@ -0,0 +1,69 @@
+From 591fd16b7111931d0aea43cd526dbc7f5978cce7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Jun 2021 18:37:08 +0800
+Subject: rcuscale: Console output claims too few grace periods
+
+From: Jiangong.Han
+
+[ Upstream commit 811192c5f24bfd7246ce9ce06f668d8c408bf39b ]
+
+The rcuscale console output claims N grace periods, numbered from zero
+to N, which means that there were really N+1 grace periods. The root
+cause of this bug is that rcu_scale_writer() stores the number of the
+last grace period (numbered from zero) into writer_n_durations[me]
+instead of the number of grace periods. This commit therefore assigns
+the actual number of grace periods to writer_n_durations[me], and also
+makes the corresponding adjustment to the loop outputting per-grace-period
+measurements.
+
+Sample of old console output:
+ rcu-scale: writer 0 gps: 133
+ ......
+ rcu-scale: 0 writer-duration: 0 44003961
+ rcu-scale: 0 writer-duration: 1 32003582
+ ......
+ rcu-scale: 0 writer-duration: 132 28004391
+ rcu-scale: 0 writer-duration: 133 27996410
+
+Sample of new console output:
+ rcu-scale: writer 0 gps: 134
+ ......
+ rcu-scale: 0 writer-duration: 0 44003961
+ rcu-scale: 0 writer-duration: 1 32003582
+ ......
+ rcu-scale: 0 writer-duration: 132 28004391
+ rcu-scale: 0 writer-duration: 133 27996410
+
+Signed-off-by: Jiangong.Han
+Signed-off-by: Paul E. McKenney
+Stable-dep-of: 23fc8df26dea ("rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale")
+Signed-off-by: Sasha Levin
+---
+ kernel/rcu/rcuscale.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/rcu/rcuscale.c b/kernel/rcu/rcuscale.c
+index 2819b95479af9..28bc688e2705c 100644
+--- a/kernel/rcu/rcuscale.c
++++ b/kernel/rcu/rcuscale.c
+@@ -457,7 +457,7 @@ rcu_scale_writer(void *arg)
+ if (gp_async) {
+ cur_ops->gp_barrier();
+ }
+- writer_n_durations[me] = i_max;
++ writer_n_durations[me] = i_max + 1;
+ torture_kthread_stopping("rcu_scale_writer");
+ return 0;
+ }
+@@ -531,7 +531,7 @@ rcu_scale_cleanup(void)
+ wdpp = writer_durations[i];
+ if (!wdpp)
+ continue;
+- for (j = 0; j <= writer_n_durations[i]; j++) {
++ for (j = 0; j < writer_n_durations[i]; j++) {
+ wdp = &wdpp[j];
+ pr_alert("%s%s %4d writer-duration: %5d %llu\n",
+ scale_type, SCALE_FLAG,
+--
+2.39.2
+
diff --git a/tmp-5.10/rcuscale-move-shutdown-from-wait_event-to-wait_event.patch b/tmp-5.10/rcuscale-move-shutdown-from-wait_event-to-wait_event.patch
new file mode 100644
index 00000000000..c5cc5b5d739
--- /dev/null
+++ b/tmp-5.10/rcuscale-move-shutdown-from-wait_event-to-wait_event.patch
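Review bot: `writer_n_durations[me]` changes meaning in rcu_scale_writer() from the index of the last measurement to the number of measurements, and only the print loop in rcu_scale_cleanup() is adjusted with it. A comment at the assignment, for example `/* Number of valid entries in writer_durations[me], not the last index. */`, would make the new contract explicit for any other reader of the array. No other reader is visible in these two hunks, and both functions extend beyond them.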
@@ -0,0 +1,57 @@
+From 63ca538c1874b5f0d7f97111cbbbfe36c54f4999 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 31 Jan 2023 12:08:54 -0800
+Subject: rcuscale: Move shutdown from wait_event() to wait_event_idle()
+
+From: Paul E. McKenney
+
+[ Upstream commit ef1ef3d47677dc191b88650a9f7f91413452cc1b ]
+
+The rcu_scale_shutdown() and kfree_scale_shutdown() kthreads/functions
+use wait_event() to wait for the rcuscale test to complete. However,
+each updater thread in such a test waits for at least 100 grace periods.
+If each grace period takes more than 1.2 seconds, which is long, but
+not insanely so, this can trigger the hung-task timeout.
+
+This commit therefore replaces those wait_event() calls with calls to
+wait_event_idle(), which do not trigger the hung-task timeout.
+
+Reported-by: kernel test robot
+Reported-by: Liam Howlett
+Signed-off-by: Paul E. McKenney
+Tested-by: Yujie Liu
+Signed-off-by: Boqun Feng
+Stable-dep-of: 23fc8df26dea ("rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale")
+Signed-off-by: Sasha Levin
+---
+ kernel/rcu/rcuscale.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/rcu/rcuscale.c b/kernel/rcu/rcuscale.c
+index 4452c3c4060ce..74be0b6438fb3 100644
+--- a/kernel/rcu/rcuscale.c
++++ b/kernel/rcu/rcuscale.c
+@@ -579,8 +579,7 @@ static int compute_real(int n)
+ static int
+ rcu_scale_shutdown(void *arg)
+ {
+- wait_event(shutdown_wq,
+- atomic_read(&n_rcu_scale_writer_finished) >= nrealwriters);
++ wait_event_idle(shutdown_wq, atomic_read(&n_rcu_scale_writer_finished) >= nrealwriters);
+ smp_mb(); /* Wake before output. */
+ rcu_scale_cleanup();
+ kernel_power_off();
+@@ -693,8 +692,8 @@ kfree_scale_cleanup(void)
+ static int
+ kfree_scale_shutdown(void *arg)
+ {
+- wait_event(shutdown_wq,
+- atomic_read(&n_kfree_scale_thread_ended) >= kfree_nrealthreads);
++ wait_event_idle(shutdown_wq,
++ atomic_read(&n_kfree_scale_thread_ended) >= kfree_nrealthreads);
+
+ smp_mb(); /* Wake before output. */
+
+--
+2.39.2
+
diff --git a/tmp-5.10/rdma-bnxt_re-avoid-calling-wake_up-threads-from-spin.patch b/tmp-5.10/rdma-bnxt_re-avoid-calling-wake_up-threads-from-spin.patch
new file mode 100644
index 00000000000..e0fb98ec19a
--- /dev/null
+++ b/tmp-5.10/rdma-bnxt_re-avoid-calling-wake_up-threads-from-spin.patch
@@ -0,0 +1,99 @@
+From dfc2eaddd983d360db9f483b54cf845e9c2652de Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Jun 2023 04:01:39 -0700
+Subject: RDMA/bnxt_re: Avoid calling wake_up threads from spin_lock context
+
+From: Kashyap Desai
+
+[ Upstream commit 3099bcdc19b701f732f638ee45679858c08559bb ]
+
+bnxt_qplib_service_creq can be called from interrupt or tasklet or
+process context. So the function take irq variant of spin_lock.
+But when wake_up is invoked with the lock held, it is putting the
+calling context to sleep.
+
+[exception RIP: __wake_up_common+190]
+RIP: ffffffffb7539d7e RSP: ffffa73300207ad8 RFLAGS: 00000083
+RAX: 0000000000000001 RBX: ffff91fa295f69b8 RCX: dead000000000200
+RDX: ffffa733344af940 RSI: ffffa73336527940 RDI: ffffa73336527940
+RBP: 000000000000001c R8: 0000000000000002 R9: 00000000000299c0
+R10: 0000017230de82c5 R11: 0000000000000002 R12: ffffa73300207b28
+R13: 0000000000000000 R14: ffffa733341bf928 R15: 0000000000000000
+ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+
+Call the wakeup after releasing the lock.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Kashyap Desai
+Signed-off-by: Selvin Xavier
+Link: https://lore.kernel.org/r/1686308514-11996-3-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index 212e5cd82d0db..2b0c3a86293cf 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -295,7 +295,8 @@ static int bnxt_qplib_process_func_event(struct bnxt_qplib_rcfw *rcfw,
+ }
+
+ static int bnxt_qplib_process_qp_event(struct bnxt_qplib_rcfw *rcfw,
+- struct creq_qp_event *qp_event)
++ struct creq_qp_event *qp_event,
++ u32 *num_wait)
+ {
+ struct creq_qp_error_notification *err_event;
+ struct bnxt_qplib_hwq *hwq = &rcfw->cmdq.hwq;
+@@ -304,6 +305,7 @@ static int bnxt_qplib_process_qp_event(struct bnxt_qplib_rcfw *rcfw,
+ u16 cbit, blocked = 0;
+ struct pci_dev *pdev;
+ unsigned long flags;
++ u32 wait_cmds = 0;
+ __le16 mcookie;
+ u16 cookie;
+ int rc = 0;
+@@ -363,9 +365,10 @@ static int bnxt_qplib_process_qp_event(struct bnxt_qplib_rcfw *rcfw,
+ crsqe->req_size = 0;
+
+ if (!blocked)
+- wake_up(&rcfw->cmdq.waitq);
++ wait_cmds++;
+ spin_unlock_irqrestore(&hwq->lock, flags);
+ }
++ *num_wait += wait_cmds;
+ return rc;
+ }
+
+@@ -379,6 +382,7 @@ static void bnxt_qplib_service_creq(struct tasklet_struct *t)
+ struct creq_base *creqe;
+ u32 sw_cons, raw_cons;
+ unsigned long flags;
++ u32 num_wakeup = 0;
+
+ /* Service the CREQ until budget is over */
+ spin_lock_irqsave(&hwq->lock, flags);
+@@ -397,7 +401,8 @@ static void bnxt_qplib_service_creq(struct tasklet_struct *t)
+ switch (type) {
+ case CREQ_BASE_TYPE_QP_EVENT:
+ bnxt_qplib_process_qp_event
+- (rcfw, (struct creq_qp_event *)creqe);
++ (rcfw, (struct creq_qp_event *)creqe,
++ &num_wakeup);
+ creq->stats.creq_qp_event_processed++;
+ break;
+ case CREQ_BASE_TYPE_FUNC_EVENT:
+@@ -425,6 +430,8 @@ static void bnxt_qplib_service_creq(struct tasklet_struct *t)
+ rcfw->res->cctx, true);
+ }
+ spin_unlock_irqrestore(&hwq->lock, flags);
++ if (num_wakeup)
++ wake_up_nr(&rcfw->cmdq.waitq, num_wakeup);
+ }
+
+ static irqreturn_t bnxt_qplib_creq_irq(int irq, void *dev_instance)
+--
+2.39.2
+
diff --git a/tmp-5.10/rdma-bnxt_re-disable-kill-tasklet-only-if-it-is-enab.patch b/tmp-5.10/rdma-bnxt_re-disable-kill-tasklet-only-if-it-is-enab.patch
new file mode 100644
index 00000000000..3bc57fde624
--- /dev/null
+++ b/tmp-5.10/rdma-bnxt_re-disable-kill-tasklet-only-if-it-is-enab.patch
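Review bot: `wake_up_nr(&rcfw->cmdq.waitq, num_wakeup)` at the end of bnxt_qplib_service_creq() bounds only exclusive waiters; non-exclusive waiters on the queue are all woken whatever the count is. If the command submitters wait non-exclusively (the waiting side is not part of this patch), the per-event counting through `num_wait` and `wait_cmds` buys nothing over a flag and a single `wake_up()` after `spin_unlock_irqrestore()`. If they do wait exclusively, a comment at the call stating that the count equals the number of completed, unblocked commands would record why `wake_up_nr()` was chosen. Both functions begin and end outside the hunks.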
@@ -0,0 +1,150 @@
+From 3ee401205cdbd0e0df8cf108fddde7c8915376e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 May 2023 23:48:11 -0700
+Subject: RDMA/bnxt_re: Disable/kill tasklet only if it is enabled
+
+From: Selvin Xavier
+
+[ Upstream commit ab112ee7899d6171da5acd77a7ed7ae103f488de ]
+
+When the ulp hook to start the IRQ fails because the rings are not
+available, tasklets are not enabled. In this case when the driver is
+unloaded, driver calls CREQ tasklet_kill. This causes an indefinite hang
+as the tasklet is not enabled.
+
+Driver shouldn't call tasklet_kill if it is not enabled. So using the
+creq->requested and nq->requested flags to identify if both tasklets/irqs
+are registered. Checking this flag while scheduling the tasklet from
+ISR. Also, added a cleanup for disabling tasklet, in case request_irq
+fails during start_irq.
+
+Check for return value for bnxt_qplib_rcfw_start_irq and in case the
+bnxt_qplib_rcfw_start_irq fails, return bnxt_re_start_irq without
+attempting to start NQ IRQs.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Link: https://lore.kernel.org/r/1684478897-12247-2-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Kalesh AP
+Signed-off-by: Selvin Xavier
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 12 +++++++++---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 16 ++++++++++------
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 14 +++++++++-----
+ 3 files changed, 28 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index 9ef6aea29ff16..bdde44286d562 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -294,15 +294,21 @@ static void bnxt_re_start_irq(void *handle, struct bnxt_msix_entry *ent)
+ for (indx = 0; indx < rdev->num_msix; indx++)
+ rdev->msix_entries[indx].vector = ent[indx].vector;
+
+- bnxt_qplib_rcfw_start_irq(rcfw, msix_ent[BNXT_RE_AEQ_IDX].vector,
+- false);
++ rc = bnxt_qplib_rcfw_start_irq(rcfw, msix_ent[BNXT_RE_AEQ_IDX].vector,
++ false);
++ if (rc) {
++ ibdev_warn(&rdev->ibdev, "Failed to reinit CREQ\n");
++ return;
++ }
+ for (indx = BNXT_RE_NQ_IDX ; indx < rdev->num_msix; indx++) {
+ nq = &rdev->nq[indx - 1];
+ rc = bnxt_qplib_nq_start_irq(nq, indx - 1,
+ msix_ent[indx].vector, false);
+- if (rc)
++ if (rc) {
+ ibdev_warn(&rdev->ibdev, "Failed to reinit NQ index %d\n",
+ indx - 1);
++ return;
++ }
+ }
+ }
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+index b26a89187a192..9eba4b39c7032 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -404,6 +404,9 @@ static irqreturn_t bnxt_qplib_nq_irq(int irq, void *dev_instance)
+
+ void bnxt_qplib_nq_stop_irq(struct bnxt_qplib_nq *nq, bool kill)
+ {
++ if (!nq->requested)
++ return;
++
+ tasklet_disable(&nq->nq_tasklet);
+ /* Mask h/w interrupt */
+ bnxt_qplib_ring_nq_db(&nq->nq_db.dbinfo, nq->res->cctx, false);
+@@ -411,11 +414,10 @@ void bnxt_qplib_nq_stop_irq(struct bnxt_qplib_nq *nq, bool kill)
+ synchronize_irq(nq->msix_vec);
+ if (kill)
+ tasklet_kill(&nq->nq_tasklet);
+- if (nq->requested) {
+- irq_set_affinity_hint(nq->msix_vec, NULL);
+- free_irq(nq->msix_vec, nq);
+- nq->requested = false;
+- }
++
++ irq_set_affinity_hint(nq->msix_vec, NULL);
++ free_irq(nq->msix_vec, nq);
++ nq->requested = false;
+ }
+
+ void bnxt_qplib_disable_nq(struct bnxt_qplib_nq *nq)
+@@ -454,8 +456,10 @@ int bnxt_qplib_nq_start_irq(struct bnxt_qplib_nq *nq, int nq_indx,
+
+ snprintf(nq->name, sizeof(nq->name), "bnxt_qplib_nq-%d", nq_indx);
+ rc = request_irq(nq->msix_vec, bnxt_qplib_nq_irq, 0, nq->name, nq);
+- if (rc)
++ if (rc) {
++ tasklet_disable(&nq->nq_tasklet);
+ return rc;
++ }
+
+ cpumask_clear(&nq->mask);
+ cpumask_set_cpu(nq_indx, &nq->mask);
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index 5759027914b01..a111e880276f3 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -633,6 +633,10 @@ void bnxt_qplib_rcfw_stop_irq(struct bnxt_qplib_rcfw *rcfw, bool kill)
+ struct bnxt_qplib_creq_ctx *creq;
+
+ creq = &rcfw->creq;
++
++ if (!creq->requested)
++ return;
++
+ tasklet_disable(&creq->creq_tasklet);
+ /* Mask h/w interrupts */
+ bnxt_qplib_ring_nq_db(&creq->creq_db.dbinfo, rcfw->res->cctx, false);
+@@ -641,10 +645,8 @@ void bnxt_qplib_rcfw_stop_irq(struct bnxt_qplib_rcfw *rcfw, bool kill)
+ if (kill)
+ tasklet_kill(&creq->creq_tasklet);
+
+- if (creq->requested) {
+- free_irq(creq->msix_vec, rcfw);
+- creq->requested = false;
+- }
++ free_irq(creq->msix_vec, rcfw);
++ creq->requested = false;
+ }
+
+ void bnxt_qplib_disable_rcfw_channel(struct bnxt_qplib_rcfw *rcfw)
+@@ -690,8 +692,10 @@ int bnxt_qplib_rcfw_start_irq(struct bnxt_qplib_rcfw *rcfw, int msix_vector,
+ tasklet_enable(&creq->creq_tasklet);
+ rc = request_irq(creq->msix_vec, bnxt_qplib_creq_irq, 0,
+ "bnxt_qplib_creq", rcfw);
+- if (rc)
++ if (rc) {
++ tasklet_disable(&creq->creq_tasklet);
+ return rc;
++ }
+ creq->requested = true;
+
+ bnxt_qplib_ring_nq_db(&creq->creq_db.dbinfo, rcfw->res->cctx, true);
+--
+2.39.2
+
diff --git a/tmp-5.10/rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch b/tmp-5.10/rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch
new file mode 100644
index 00000000000..652bd45605d
--- /dev/null
+++ b/tmp-5.10/rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch
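Review bot: The description says the `requested` flag is also checked "while scheduling the tasklet from ISR", but none of the three file sections changes bnxt_qplib_nq_irq() or bnxt_qplib_creq_irq(); the only new `requested` tests are the early returns in bnxt_qplib_nq_stop_irq() and bnxt_qplib_rcfw_stop_irq(). Either the ISR-side check is missing from this backport or the description is stale, and it is worth confirming which before relying on the patch to cover an interrupt arriving for a vector whose tasklet was never enabled. Separately, bnxt_re_start_irq() now returns on the first NQ failure and leaves the CREQ and the earlier NQ vectors started; if that is intended, a comment at the `return` such as `/* earlier vectors stay active; the stop path skips any that were never requested */` would record it. All of the touched functions extend beyond their hunks.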
@@ -0,0 +1,44 @@
+From ea89cf3200bd215b64fb9fc34b4f171d99e261ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 May 2023 23:48:15 -0700
+Subject: RDMA/bnxt_re: Fix to remove an unnecessary log
+
+From: Kalesh AP
+
+[ Upstream commit 43774bc156614346fe5dacabc8e8c229167f2536 ]
+
+During destroy_qp, driver sets the qp handle in the existing CQEs
+belonging to the QP being destroyed to NULL. As a result, a poll_cq after
+destroy_qp can report unnecessary messages. Remove this noise from system
+logs.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Link: https://lore.kernel.org/r/1684478897-12247-6-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Kalesh AP
+Signed-off-by: Selvin Xavier
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+index d6b7c0d1f6766..d44b6a5c90b57 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -2732,11 +2732,8 @@ static int bnxt_qplib_cq_process_terminal(struct bnxt_qplib_cq *cq,
+
+ qp = (struct bnxt_qplib_qp *)((unsigned long)
+ le64_to_cpu(hwcqe->qp_handle));
+- if (!qp) {
+- dev_err(&cq->hwq.pdev->dev,
+- "FP: CQ Process terminal qp is NULL\n");
++ if (!qp)
+ return -EINVAL;
+- }
+
+ /* Must block new posting of SQ and RQ */
+ qp->state = CMDQ_MODIFY_QP_NEW_STATE_ERR;
+--
+2.39.2
+
diff --git a/tmp-5.10/rdma-bnxt_re-fix-to-remove-unnecessary-return-labels.patch b/tmp-5.10/rdma-bnxt_re-fix-to-remove-unnecessary-return-labels.patch
new file mode 100644
index 00000000000..c6e50c20e05
--- /dev/null
+++ b/tmp-5.10/rdma-bnxt_re-fix-to-remove-unnecessary-return-labels.patch
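Review bot: With the `dev_err()` gone, the `if (!qp) return -EINVAL;` path in bnxt_qplib_cq_process_terminal() no longer tells a reader why a NULL handle is an expected condition rather than an error. A one-line comment carrying the reasoning from the description, for example `/* qp_handle is cleared on destroy_qp; stale CQEs of a destroyed QP end up here */`, would keep someone from re-adding the log later. The context lines also show the device-written `qp_handle` being converted directly into a pointer that is dereferenced at `qp->state`, so NULL is the only value this test screens out; that cast is existing code, not part of the change.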
@@ -0,0 +1,66 @@
+From 7ec0bd906934d3631bbbbe26874757ac88fe75df Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 May 2023 23:48:12 -0700
+Subject: RDMA/bnxt_re: Fix to remove unnecessary return labels
+
+From: Kalesh AP
+
+[ Upstream commit 9b3ee47796f529e5bc31a355d6cb756d68a7079a ]
+
+If there is no cleanup needed then just return directly. This cleans up
+the code and improve readability.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Link: https://lore.kernel.org/r/1684478897-12247-3-git-send-email-selvin.xavier@broadcom.com
+Reviewed-by: Kashyap Desai
+Reviewed-by: Saravanan Vajravel
+Signed-off-by: Kalesh AP
+Signed-off-by: Selvin Xavier
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+index 9eba4b39c7032..b4b180652c0a0 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -1603,7 +1603,7 @@ static int bnxt_qplib_put_inline(struct bnxt_qplib_qp *qp,
+ il_src = (void *)wqe->sg_list[indx].addr;
+ t_len += len;
+ if (t_len > qp->max_inline_data)
+- goto bad;
++ return -ENOMEM;
+ while (len) {
+ if (pull_dst) {
+ pull_dst = false;
+@@ -1627,8 +1627,6 @@ static int bnxt_qplib_put_inline(struct bnxt_qplib_qp *qp,
+ }
+
+ return t_len;
+-bad:
+- return -ENOMEM;
+ }
+
+ static u32 bnxt_qplib_put_sges(struct bnxt_qplib_hwq *hwq,
+@@ -2058,7 +2056,7 @@ int bnxt_qplib_create_cq(struct bnxt_qplib_res *res, struct bnxt_qplib_cq *cq)
+ hwq_attr.sginfo = &cq->sg_info;
+ rc = bnxt_qplib_alloc_init_hwq(&cq->hwq, &hwq_attr);
+ if (rc)
+- goto exit;
++ return rc;
+
+ RCFW_CMD_PREP(req, CREATE_CQ, cmd_flags);
+
+@@ -2099,7 +2097,6 @@ int bnxt_qplib_create_cq(struct bnxt_qplib_res *res, struct bnxt_qplib_cq *cq)
+
+ fail:
+ bnxt_qplib_free_hwq(res, &cq->hwq);
+-exit:
+ return rc;
+ }
+
+--
+2.39.2
+
diff --git a/tmp-5.10/rdma-bnxt_re-remove-a-redundant-check-inside-bnxt_re.patch b/tmp-5.10/rdma-bnxt_re-remove-a-redundant-check-inside-bnxt_re.patch
new file mode 100644
index 00000000000..fc5290fa3e5
--- /dev/null
+++ b/tmp-5.10/rdma-bnxt_re-remove-a-redundant-check-inside-bnxt_re.patch
@@ -0,0 +1,54 @@
+From f6be9a1bbeaeb6557e6767d81235b3cdac5ed7b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 May 2023 23:48:14 -0700
+Subject: RDMA/bnxt_re: Remove a redundant check inside bnxt_re_update_gid
+
+From: Kalesh AP
+
+[ Upstream commit b989f90cef0af48aa5679b6a75476371705ec53c ]
+
+The NULL check inside bnxt_re_update_gid() always return false. If
+sgid_tbl->tbl is not allocated, then dev_init would have failed.
+
+Fixes: 5fac5b1b297f ("RDMA/bnxt_re: Add vlan tag for untagged RoCE traffic when PFC is configured")
+Link: https://lore.kernel.org/r/1684478897-12247-5-git-send-email-selvin.xavier@broadcom.com
+Reviewed-by: Saravanan Vajravel
+Reviewed-by: Damodharam Ammepalli
+Reviewed-by: Ajit Khaparde
+Signed-off-by: Selvin Xavier
+Signed-off-by: Kalesh AP
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index bdde44286d562..8a618769915d5 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -1191,12 +1191,6 @@ static int bnxt_re_update_gid(struct bnxt_re_dev *rdev)
+ if (!ib_device_try_get(&rdev->ibdev))
+ return 0;
+
+- if (!sgid_tbl) {
+- ibdev_err(&rdev->ibdev, "QPLIB: SGID table not allocated");
+- rc = -EINVAL;
+- goto out;
+- }
+-
+ for (index = 0; index < sgid_tbl->active; index++) {
+ gid_idx = sgid_tbl->hw_id[index];
+
+@@ -1214,7 +1208,7 @@ static int bnxt_re_update_gid(struct bnxt_re_dev *rdev)
+ rc = bnxt_qplib_update_sgid(sgid_tbl, &gid, gid_idx,
+ rdev->qplib_res.netdev->dev_addr);
+ }
+-out:
++
+ ib_device_put(&rdev->ibdev);
+ return rc;
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/rdma-bnxt_re-use-unique-names-while-registering-inte.patch b/tmp-5.10/rdma-bnxt_re-use-unique-names-while-registering-inte.patch
new file mode 100644
index 00000000000..ee8320f842e
--- /dev/null
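Review bot: The test removed from bnxt_re_update_gid() checked the `sgid_tbl` pointer itself, whereas the description argues from `sgid_tbl->tbl` having been allocated by dev_init, so the stated reason does not quite match the code that was deleted. After the change the loop dereferences `sgid_tbl->active` and `sgid_tbl->hw_id[index]` with no guard. If `sgid_tbl` is the address of a member embedded in `rdev` (its initialisation is outside the hunk), a short comment at the declaration saying it can never be NULL would document the invariant this removal relies on.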
+++ b/tmp-5.10/rdma-bnxt_re-use-unique-names-while-registering-inte.patch 
@@ -0,0 +1,157 @@ +From 6a28dec9e8c7d7ef91a213d4cd4889c604e765e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 May 2023 23:48:13 -0700 +Subject: RDMA/bnxt_re: Use unique names while registering interrupts + +From: Kalesh AP + +[ Upstream commit ff2e4bfd162cf66a112a81509e419805add44d64 ] + +bnxt_re currently uses the names "bnxt_qplib_creq" and "bnxt_qplib_nq-0" +while registering IRQs. There is no way to distinguish the IRQs of +different device ports when there are multiple IB devices registered. +This could make the scenarios worse where one want to pin IRQs of a device +port to certain CPUs. + +Fixed the code to use unique names which has PCI BDF information while +registering interrupts like: "bnxt_re-nq-0@pci:0000:65:00.0" and +"bnxt_re-creq@pci:0000:65:00.1". + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://lore.kernel.org/r/1684478897-12247-4-git-send-email-selvin.xavier@broadcom.com +Reviewed-by: Bhargava Chenna Marreddy +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 12 ++++++++++-- + drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 15 +++++++++++++-- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 1 + + 4 files changed, 25 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +index b4b180652c0a0..d6b7c0d1f6766 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -417,6 +417,8 @@ void bnxt_qplib_nq_stop_irq(struct bnxt_qplib_nq *nq, bool kill) + + irq_set_affinity_hint(nq->msix_vec, NULL); + free_irq(nq->msix_vec, nq); ++ kfree(nq->name); ++ nq->name = NULL; + nq->requested = false; + } + +@@ -443,6 +445,7 @@ void bnxt_qplib_disable_nq(struct bnxt_qplib_nq *nq) + int bnxt_qplib_nq_start_irq(struct bnxt_qplib_nq *nq, int 
nq_indx, + int msix_vector, bool need_init) + { ++ struct bnxt_qplib_res *res = nq->res; + int rc; + + if (nq->requested) +@@ -454,9 +457,14 @@ int bnxt_qplib_nq_start_irq(struct bnxt_qplib_nq *nq, int nq_indx, + else + tasklet_enable(&nq->nq_tasklet); + +- snprintf(nq->name, sizeof(nq->name), "bnxt_qplib_nq-%d", nq_indx); ++ nq->name = kasprintf(GFP_KERNEL, "bnxt_re-nq-%d@pci:%s", ++ nq_indx, pci_name(res->pdev)); ++ if (!nq->name) ++ return -ENOMEM; + rc = request_irq(nq->msix_vec, bnxt_qplib_nq_irq, 0, nq->name, nq); + if (rc) { ++ kfree(nq->name); ++ nq->name = NULL; + tasklet_disable(&nq->nq_tasklet); + return rc; + } +@@ -470,7 +478,7 @@ int bnxt_qplib_nq_start_irq(struct bnxt_qplib_nq *nq, int nq_indx, + nq->msix_vec, nq_indx); + } + nq->requested = true; +- bnxt_qplib_ring_nq_db(&nq->nq_db.dbinfo, nq->res->cctx, true); ++ bnxt_qplib_ring_nq_db(&nq->nq_db.dbinfo, res->cctx, true); + + return rc; + } +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.h b/drivers/infiniband/hw/bnxt_re/qplib_fp.h +index f50784405e27e..667f93d90045e 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h +@@ -469,7 +469,7 @@ typedef int (*srqn_handler_t)(struct bnxt_qplib_nq *nq, + struct bnxt_qplib_nq { + struct pci_dev *pdev; + struct bnxt_qplib_res *res; +- char name[32]; ++ char *name; + struct bnxt_qplib_hwq hwq; + struct bnxt_qplib_nq_db nq_db; + u16 ring_id; +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +index a111e880276f3..4836bc433f53c 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -646,6 +646,8 @@ void bnxt_qplib_rcfw_stop_irq(struct bnxt_qplib_rcfw *rcfw, bool kill) + tasklet_kill(&creq->creq_tasklet); + + free_irq(creq->msix_vec, rcfw); ++ kfree(creq->irq_name); ++ creq->irq_name = NULL; + creq->requested = false; + } + +@@ -678,9 +680,11 @@ int bnxt_qplib_rcfw_start_irq(struct bnxt_qplib_rcfw *rcfw, 
int msix_vector, + bool need_init) + { + struct bnxt_qplib_creq_ctx *creq; ++ struct bnxt_qplib_res *res; + int rc; + + creq = &rcfw->creq; ++ res = rcfw->res; + + if (creq->requested) + return -EFAULT; +@@ -690,15 +694,22 @@ int bnxt_qplib_rcfw_start_irq(struct bnxt_qplib_rcfw *rcfw, int msix_vector, + tasklet_setup(&creq->creq_tasklet, bnxt_qplib_service_creq); + else + tasklet_enable(&creq->creq_tasklet); ++ ++ creq->irq_name = kasprintf(GFP_KERNEL, "bnxt_re-creq@pci:%s", ++ pci_name(res->pdev)); ++ if (!creq->irq_name) ++ return -ENOMEM; + rc = request_irq(creq->msix_vec, bnxt_qplib_creq_irq, 0, +- "bnxt_qplib_creq", rcfw); ++ creq->irq_name, rcfw); + if (rc) { ++ kfree(creq->irq_name); ++ creq->irq_name = NULL; + tasklet_disable(&creq->creq_tasklet); + return rc; + } + creq->requested = true; + +- bnxt_qplib_ring_nq_db(&creq->creq_db.dbinfo, rcfw->res->cctx, true); ++ bnxt_qplib_ring_nq_db(&creq->creq_db.dbinfo, res->cctx, true); + + return 0; + } +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h +index 6953f4e53dd20..7df7170c80e06 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h +@@ -172,6 +172,7 @@ struct bnxt_qplib_creq_ctx { + u16 ring_id; + int msix_vec; + bool requested; /*irq handler installed */ ++ char *irq_name; + }; + + /* RCFW Communication Channels */ +-- +2.39.2 + diff --git a/tmp-5.10/rdma-bnxt_re-wraparound-mbox-producer-index.patch b/tmp-5.10/rdma-bnxt_re-wraparound-mbox-producer-index.patch new file mode 100644 index 00000000000..aa09291b37e --- /dev/null +++ b/tmp-5.10/rdma-bnxt_re-wraparound-mbox-producer-index.patch 
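Review bot: The new `-ENOMEM` return in bnxt_qplib_nq_start_irq() exits after `tasklet_setup()`/`tasklet_enable()` has already run, but unlike the `request_irq()` failure branch right below it, it never calls `tasklet_disable(&nq->nq_tasklet)`. bnxt_qplib_rcfw_start_irq() has the same gap for `creq->creq_tasklet`. The two error paths should leave the same state: either do the `kasprintf()` before touching the tasklet, or write the check as `if (!nq->name) { tasklet_disable(&nq->nq_tasklet); return -ENOMEM; }` with the equivalent for `creq->irq_name`. Whether a caller can retry after this failure and hit the unbalanced enable count is not visible in these hunks.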
@@ -0,0 +1,55 @@ +From 54c09a12193dd1084d4576dd27888ec66110c85a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jun 2023 04:01:38 -0700 +Subject: RDMA/bnxt_re: wraparound mbox producer index + +From: Kashyap Desai + +[ Upstream commit 0af91306e17ef3d18e5f100aa58aa787869118af ] + +Driver is not handling the wraparound of the mbox producer index correctly. +Currently the wraparound happens once u32 max is reached. + +Bit 31 of the producer index register is special and should be set +only once for the first command. Because the producer index overflow +setting bit31 after a long time, FW goes to initialization sequence +and this causes FW hang. + +Fix is to wraparound the mbox producer index once it reaches u16 max. + +Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code") +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Kashyap Desai +Signed-off-by: Selvin Xavier +Link: https://lore.kernel.org/r/1686308514-11996-2-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +index 4836bc433f53c..212e5cd82d0db 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -181,7 +181,7 @@ static int __send_message(struct bnxt_qplib_rcfw *rcfw, struct cmdq_base *req, + } while (size > 0); + cmdq->seq_num++; + +- cmdq_prod = hwq->prod; ++ cmdq_prod = hwq->prod & 0xFFFF; + if (test_bit(FIRMWARE_FIRST_FLAG, &cmdq->flags)) { + /* The very first doorbell write + * is required to set this flag +@@ -595,7 +595,7 @@ int bnxt_qplib_alloc_rcfw_channel(struct bnxt_qplib_res *res, + rcfw->cmdq_depth = BNXT_QPLIB_CMDQE_MAX_CNT_8192; + + sginfo.pgsize = bnxt_qplib_cmdqe_page_size(rcfw->cmdq_depth); +- hwq_attr.depth = 
rcfw->cmdq_depth; ++ hwq_attr.depth = rcfw->cmdq_depth & 0x7FFFFFFF; + hwq_attr.stride = BNXT_QPLIB_CMDQE_UNITS; + hwq_attr.type = HWQ_TYPE_CTX; + if (bnxt_qplib_alloc_init_hwq(&cmdq->hwq, &hwq_attr)) { +-- +2.39.2 + diff --git a/tmp-5.10/rdma-cma-ensure-rdma_addr_cancel-happens-before-issuing-more-requests.patch b/tmp-5.10/rdma-cma-ensure-rdma_addr_cancel-happens-before-issuing-more-requests.patch new file mode 100644 index 00000000000..5f32bb8ba86 --- /dev/null +++ b/tmp-5.10/rdma-cma-ensure-rdma_addr_cancel-happens-before-issuing-more-requests.patch 
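Review bot: Both masks are bare literals, so nothing in the code says why `0xFFFF` in __send_message() and `0x7FFFFFFF` in bnxt_qplib_alloc_rcfw_channel() are the right widths. The reason (bit 31 of the producer index register is reserved for the first command, and the index must wrap at u16 max) is given only in the commit message. I would add a comment above `cmdq_prod = hwq->prod & 0xFFFF;` such as `/* producer index wraps at 16 bits; bit 31 of the doorbell is reserved for the first-command flag */`, and give the two masks names. The context line before the second change assigns `BNXT_QPLIB_CMDQE_MAX_CNT_8192` to `rcfw->cmdq_depth`, so the mask on `hwq_attr.depth` looks like a no-op for that value and should say what it guards against. Both functions continue outside the hunks.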
@@ -0,0 +1,126 @@ +From 305d568b72f17f674155a2a8275f865f207b3808 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Thu, 16 Sep 2021 15:34:46 -0300 +Subject: RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests + +From: Jason Gunthorpe + +commit 305d568b72f17f674155a2a8275f865f207b3808 upstream. + +The FSM can run in a circle allowing rdma_resolve_ip() to be called twice +on the same id_priv. While this cannot happen without going through the +work, it violates the invariant that the same address resolution +background request cannot be active twice. + + CPU 1 CPU 2 + +rdma_resolve_addr(): + RDMA_CM_IDLE -> RDMA_CM_ADDR_QUERY + rdma_resolve_ip(addr_handler) #1 + + process_one_req(): for #1 + addr_handler(): + RDMA_CM_ADDR_QUERY -> RDMA_CM_ADDR_BOUND + mutex_unlock(&id_priv->handler_mutex); + [.. handler still running ..] + +rdma_resolve_addr(): + RDMA_CM_ADDR_BOUND -> RDMA_CM_ADDR_QUERY + rdma_resolve_ip(addr_handler) + !! two requests are now on the req_list + +rdma_destroy_id(): + destroy_id_handler_unlock(): + _destroy_id(): + cma_cancel_operation(): + rdma_addr_cancel() + + // process_one_req() self removes it + spin_lock_bh(&lock); + cancel_delayed_work(&req->work); + if (!list_empty(&req->list)) == true + + ! rdma_addr_cancel() returns after process_on_req #1 is done + + kfree(id_priv) + + process_one_req(): for #2 + addr_handler(): + mutex_lock(&id_priv->handler_mutex); + !! Use after free on id_priv + +rdma_addr_cancel() expects there to be one req on the list and only +cancels the first one. The self-removal behavior of the work only happens +after the handler has returned. This yields a situations where the +req_list can have two reqs for the same "handle" but rdma_addr_cancel() +only cancels the first one. + +The second req remains active beyond rdma_destroy_id() and will +use-after-free id_priv once it inevitably triggers. 
+ +Fix this by remembering if the id_priv has called rdma_resolve_ip() and +always cancel before calling it again. This ensures the req_list never +gets more than one item in it and doesn't cost anything in the normal flow +that never uses this strange error path. + +Link: https://lore.kernel.org/r/0-v1-3bc675b8006d+22-syz_cancel_uaf_jgg@nvidia.com +Cc: stable@vger.kernel.org +Fixes: e51060f08a61 ("IB: IP address based RDMA connection manager") +Reported-by: syzbot+dc3dfba010d7671e05f5@syzkaller.appspotmail.com +Signed-off-by: Jason Gunthorpe +Signed-off-by: Anton Gusev +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cma.c | 23 +++++++++++++++++++++++ + drivers/infiniband/core/cma_priv.h | 1 + + 2 files changed, 24 insertions(+) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -1792,6 +1792,14 @@ static void cma_cancel_operation(struct + { + switch (state) { + case RDMA_CM_ADDR_QUERY: ++ /* ++ * We can avoid doing the rdma_addr_cancel() based on state, ++ * only RDMA_CM_ADDR_QUERY has a work that could still execute. ++ * Notice that the addr_handler work could still be exiting ++ * outside this state, however due to the interaction with the ++ * handler_mutex the work is guaranteed not to touch id_priv ++ * during exit. ++ */ + rdma_addr_cancel(&id_priv->id.route.addr.dev_addr); + break; + case RDMA_CM_ROUTE_QUERY: +@@ -3401,6 +3409,21 @@ int rdma_resolve_addr(struct rdma_cm_id + if (dst_addr->sa_family == AF_IB) { + ret = cma_resolve_ib_addr(id_priv); + } else { ++ /* ++ * The FSM can return back to RDMA_CM_ADDR_BOUND after ++ * rdma_resolve_ip() is called, eg through the error ++ * path in addr_handler(). If this happens the existing ++ * request must be canceled before issuing a new one. ++ * Since canceling a request is a bit slow and this ++ * oddball path is rare, keep track once a request has ++ * been issued. 
The track turns out to be a permanent ++ * state since this is the only cancel as it is ++ * immediately before rdma_resolve_ip(). ++ */ ++ if (id_priv->used_resolve_ip) ++ rdma_addr_cancel(&id->route.addr.dev_addr); ++ else ++ id_priv->used_resolve_ip = 1; + ret = rdma_resolve_ip(cma_src_addr(id_priv), dst_addr, + &id->route.addr.dev_addr, + timeout_ms, addr_handler, +--- a/drivers/infiniband/core/cma_priv.h ++++ b/drivers/infiniband/core/cma_priv.h +@@ -89,6 +89,7 @@ struct rdma_id_private { + u8 reuseaddr; + u8 afonly; + u8 timeout; ++ u8 used_resolve_ip; + enum ib_gid_type gid_type; + + /* diff --git a/tmp-5.10/rdma-hns-clean-the-hardware-related-code-for-hem.patch b/tmp-5.10/rdma-hns-clean-the-hardware-related-code-for-hem.patch new file mode 100644 index 00000000000..c5f91b87df0 --- /dev/null +++ b/tmp-5.10/rdma-hns-clean-the-hardware-related-code-for-hem.patch 
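Review bot: The new `used_resolve_ip` field in struct rdma_id_private has no comment, and the test-then-set in rdma_resolve_addr() (`if (id_priv->used_resolve_ip) ... else id_priv->used_resolve_ip = 1;`) is a plain read and write with no lock visible in the hunk. Since this flag is what prevents a second request on the req_list and the use-after-free described in the commit message, the field should document its invariant, e.g. `/* set once rdma_resolve_ip() has been issued; later calls must rdma_addr_cancel() first */`. Presumably the state transition earlier in rdma_resolve_addr() serialises callers, but that part of the function is outside the hunk; if so, the comment should name it so a later change does not drop the ordering.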
@@ -0,0 +1,293 @@ +From 53f496bf76935e63babb5d74abce170baabbc63e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 May 2021 17:29:55 +0800 +Subject: RDMA/hns: Clean the hardware related code for HEM + +From: Xi Wang + +[ Upstream commit 68e11a6086b10e1a88d2b2c8432299f595db748d ] + +Move the HIP06 related code to the hw v1 source file for HEM. + +Link: https://lore.kernel.org/r/1621589395-2435-6-git-send-email-liweihang@huawei.com +Signed-off-by: Xi Wang +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Stable-dep-of: cf5b608fb0e3 ("RDMA/hns: Fix hns_roce_table_get return value") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_device.h | 2 - + drivers/infiniband/hw/hns/hns_roce_hem.c | 82 +-------------------- + drivers/infiniband/hw/hns/hns_roce_hem.h | 9 +-- + drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 77 +++++++++++++++++++ + drivers/infiniband/hw/hns/hns_roce_hw_v1.h | 5 ++ + 5 files changed, 85 insertions(+), 90 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_device.h b/drivers/infiniband/hw/hns/hns_roce_device.h +index d9aa7424d2902..09b5e4935c2ca 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_device.h ++++ b/drivers/infiniband/hw/hns/hns_roce_device.h +@@ -46,8 +46,6 @@ + + #define HNS_ROCE_IB_MIN_SQ_STRIDE 6 + +-#define HNS_ROCE_BA_SIZE (32 * 4096) +- + #define BA_BYTE_LEN 8 + + /* Hardware specification only for v1 engine */ +diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c +index 831e9476c6284..3c3187f22216a 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hem.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c +@@ -36,9 +36,6 @@ + #include "hns_roce_hem.h" + #include "hns_roce_common.h" + +-#define DMA_ADDR_T_SHIFT 12 +-#define BT_BA_SHIFT 32 +- + #define HEM_INDEX_BUF BIT(0) + #define HEM_INDEX_L0 BIT(1) + #define HEM_INDEX_L1 BIT(2) +@@ -326,81 +323,6 @@ void hns_roce_free_hem(struct hns_roce_dev *hr_dev, struct hns_roce_hem *hem) + kfree(hem); + } 
+ +-static int hns_roce_set_hem(struct hns_roce_dev *hr_dev, +- struct hns_roce_hem_table *table, unsigned long obj) +-{ +- spinlock_t *lock = &hr_dev->bt_cmd_lock; +- struct device *dev = hr_dev->dev; +- struct hns_roce_hem_iter iter; +- void __iomem *bt_cmd; +- __le32 bt_cmd_val[2]; +- __le32 bt_cmd_h = 0; +- unsigned long flags; +- __le32 bt_cmd_l; +- int ret = 0; +- u64 bt_ba; +- long end; +- +- /* Find the HEM(Hardware Entry Memory) entry */ +- unsigned long i = (obj & (table->num_obj - 1)) / +- (table->table_chunk_size / table->obj_size); +- +- switch (table->type) { +- case HEM_TYPE_QPC: +- case HEM_TYPE_MTPT: +- case HEM_TYPE_CQC: +- case HEM_TYPE_SRQC: +- roce_set_field(bt_cmd_h, ROCEE_BT_CMD_H_ROCEE_BT_CMD_MDF_M, +- ROCEE_BT_CMD_H_ROCEE_BT_CMD_MDF_S, table->type); +- break; +- default: +- return ret; +- } +- +- roce_set_field(bt_cmd_h, ROCEE_BT_CMD_H_ROCEE_BT_CMD_IN_MDF_M, +- ROCEE_BT_CMD_H_ROCEE_BT_CMD_IN_MDF_S, obj); +- roce_set_bit(bt_cmd_h, ROCEE_BT_CMD_H_ROCEE_BT_CMD_S, 0); +- roce_set_bit(bt_cmd_h, ROCEE_BT_CMD_H_ROCEE_BT_CMD_HW_SYNS_S, 1); +- +- /* Currently iter only a chunk */ +- for (hns_roce_hem_first(table->hem[i], &iter); +- !hns_roce_hem_last(&iter); hns_roce_hem_next(&iter)) { +- bt_ba = hns_roce_hem_addr(&iter) >> DMA_ADDR_T_SHIFT; +- +- spin_lock_irqsave(lock, flags); +- +- bt_cmd = hr_dev->reg_base + ROCEE_BT_CMD_H_REG; +- +- end = HW_SYNC_TIMEOUT_MSECS; +- while (end > 0) { +- if (!(readl(bt_cmd) >> BT_CMD_SYNC_SHIFT)) +- break; +- +- mdelay(HW_SYNC_SLEEP_TIME_INTERVAL); +- end -= HW_SYNC_SLEEP_TIME_INTERVAL; +- } +- +- if (end <= 0) { +- dev_err(dev, "Write bt_cmd err,hw_sync is not zero.\n"); +- spin_unlock_irqrestore(lock, flags); +- return -EBUSY; +- } +- +- bt_cmd_l = cpu_to_le32(bt_ba); +- roce_set_field(bt_cmd_h, ROCEE_BT_CMD_H_ROCEE_BT_CMD_BA_H_M, +- ROCEE_BT_CMD_H_ROCEE_BT_CMD_BA_H_S, +- bt_ba >> BT_BA_SHIFT); +- +- bt_cmd_val[0] = bt_cmd_l; +- bt_cmd_val[1] = bt_cmd_h; +- hns_roce_write64_k(bt_cmd_val, +- hr_dev->reg_base + 
ROCEE_BT_CMD_L_REG); +- spin_unlock_irqrestore(lock, flags); +- } +- +- return ret; +-} +- + static int calc_hem_config(struct hns_roce_dev *hr_dev, + struct hns_roce_hem_table *table, unsigned long obj, + struct hns_roce_hem_mhop *mhop, +@@ -666,7 +588,7 @@ int hns_roce_table_get(struct hns_roce_dev *hr_dev, + } + + /* Set HEM base address(128K/page, pa) to Hardware */ +- if (hns_roce_set_hem(hr_dev, table, obj)) { ++ if (hr_dev->hw->set_hem(hr_dev, table, obj, HEM_HOP_STEP_DIRECT)) { + hns_roce_free_hem(hr_dev, table->hem[i]); + table->hem[i] = NULL; + ret = -ENODEV; +@@ -771,7 +693,7 @@ void hns_roce_table_put(struct hns_roce_dev *hr_dev, + &table->mutex)) + return; + +- if (hr_dev->hw->clear_hem(hr_dev, table, obj, 0)) ++ if (hr_dev->hw->clear_hem(hr_dev, table, obj, HEM_HOP_STEP_DIRECT)) + dev_warn(dev, "failed to clear HEM base address.\n"); + + hns_roce_free_hem(hr_dev, table->hem[i]); +diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.h b/drivers/infiniband/hw/hns/hns_roce_hem.h +index 03d44e2efa473..b7617786b1005 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hem.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.h +@@ -34,9 +34,7 @@ + #ifndef _HNS_ROCE_HEM_H + #define _HNS_ROCE_HEM_H + +-#define HW_SYNC_SLEEP_TIME_INTERVAL 20 +-#define HW_SYNC_TIMEOUT_MSECS (25 * HW_SYNC_SLEEP_TIME_INTERVAL) +-#define BT_CMD_SYNC_SHIFT 31 ++#define HEM_HOP_STEP_DIRECT 0xff + + enum { + /* MAP HEM(Hardware Entry Memory) */ +@@ -73,11 +71,6 @@ enum { + (type >= HEM_TYPE_MTT && hop_num == 1) || \ + (type >= HEM_TYPE_MTT && hop_num == HNS_ROCE_HOP_NUM_0)) + +-enum { +- HNS_ROCE_HEM_PAGE_SHIFT = 12, +- HNS_ROCE_HEM_PAGE_SIZE = 1 << HNS_ROCE_HEM_PAGE_SHIFT, +-}; +- + struct hns_roce_hem_chunk { + struct list_head list; + int npages; +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c +index cec705b58a847..6f9b024d4ff7c 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c +@@ 
-450,6 +450,82 @@ static void hns_roce_set_db_event_mode(struct hns_roce_dev *hr_dev, + roce_write(hr_dev, ROCEE_GLB_CFG_REG, val); + } + ++static int hns_roce_v1_set_hem(struct hns_roce_dev *hr_dev, ++ struct hns_roce_hem_table *table, int obj, ++ int step_idx) ++{ ++ spinlock_t *lock = &hr_dev->bt_cmd_lock; ++ struct device *dev = hr_dev->dev; ++ struct hns_roce_hem_iter iter; ++ void __iomem *bt_cmd; ++ __le32 bt_cmd_val[2]; ++ __le32 bt_cmd_h = 0; ++ unsigned long flags; ++ __le32 bt_cmd_l; ++ int ret = 0; ++ u64 bt_ba; ++ long end; ++ ++ /* Find the HEM(Hardware Entry Memory) entry */ ++ unsigned long i = (obj & (table->num_obj - 1)) / ++ (table->table_chunk_size / table->obj_size); ++ ++ switch (table->type) { ++ case HEM_TYPE_QPC: ++ case HEM_TYPE_MTPT: ++ case HEM_TYPE_CQC: ++ case HEM_TYPE_SRQC: ++ roce_set_field(bt_cmd_h, ROCEE_BT_CMD_H_ROCEE_BT_CMD_MDF_M, ++ ROCEE_BT_CMD_H_ROCEE_BT_CMD_MDF_S, table->type); ++ break; ++ default: ++ return ret; ++ } ++ ++ roce_set_field(bt_cmd_h, ROCEE_BT_CMD_H_ROCEE_BT_CMD_IN_MDF_M, ++ ROCEE_BT_CMD_H_ROCEE_BT_CMD_IN_MDF_S, obj); ++ roce_set_bit(bt_cmd_h, ROCEE_BT_CMD_H_ROCEE_BT_CMD_S, 0); ++ roce_set_bit(bt_cmd_h, ROCEE_BT_CMD_H_ROCEE_BT_CMD_HW_SYNS_S, 1); ++ ++ /* Currently iter only a chunk */ ++ for (hns_roce_hem_first(table->hem[i], &iter); ++ !hns_roce_hem_last(&iter); hns_roce_hem_next(&iter)) { ++ bt_ba = hns_roce_hem_addr(&iter) >> HNS_HW_PAGE_SHIFT; ++ ++ spin_lock_irqsave(lock, flags); ++ ++ bt_cmd = hr_dev->reg_base + ROCEE_BT_CMD_H_REG; ++ ++ end = HW_SYNC_TIMEOUT_MSECS; ++ while (end > 0) { ++ if (!(readl(bt_cmd) >> BT_CMD_SYNC_SHIFT)) ++ break; ++ ++ mdelay(HW_SYNC_SLEEP_TIME_INTERVAL); ++ end -= HW_SYNC_SLEEP_TIME_INTERVAL; ++ } ++ ++ if (end <= 0) { ++ dev_err(dev, "Write bt_cmd err,hw_sync is not zero.\n"); ++ spin_unlock_irqrestore(lock, flags); ++ return -EBUSY; ++ } ++ ++ bt_cmd_l = cpu_to_le32(bt_ba); ++ roce_set_field(bt_cmd_h, ROCEE_BT_CMD_H_ROCEE_BT_CMD_BA_H_M, ++ 
ROCEE_BT_CMD_H_ROCEE_BT_CMD_BA_H_S, ++ upper_32_bits(bt_ba)); ++ ++ bt_cmd_val[0] = bt_cmd_l; ++ bt_cmd_val[1] = bt_cmd_h; ++ hns_roce_write64_k(bt_cmd_val, ++ hr_dev->reg_base + ROCEE_BT_CMD_L_REG); ++ spin_unlock_irqrestore(lock, flags); ++ } ++ ++ return ret; ++} ++ + static void hns_roce_set_db_ext_mode(struct hns_roce_dev *hr_dev, u32 sdb_mode, + u32 odb_mode) + { +@@ -4358,6 +4434,7 @@ static const struct hns_roce_hw hns_roce_hw_v1 = { + .set_mtu = hns_roce_v1_set_mtu, + .write_mtpt = hns_roce_v1_write_mtpt, + .write_cqc = hns_roce_v1_write_cqc, ++ .set_hem = hns_roce_v1_set_hem, + .clear_hem = hns_roce_v1_clear_hem, + .modify_qp = hns_roce_v1_modify_qp, + .query_qp = hns_roce_v1_query_qp, +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v1.h b/drivers/infiniband/hw/hns/hns_roce_hw_v1.h +index 46ab0a321d211..9ff1a41ddec3f 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v1.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v1.h +@@ -1042,6 +1042,11 @@ struct hns_roce_db_table { + struct hns_roce_ext_db *ext_db; + }; + ++#define HW_SYNC_SLEEP_TIME_INTERVAL 20 ++#define HW_SYNC_TIMEOUT_MSECS (25 * HW_SYNC_SLEEP_TIME_INTERVAL) ++#define BT_CMD_SYNC_SHIFT 31 ++#define HNS_ROCE_BA_SIZE (32 * 4096) ++ + struct hns_roce_bt_table { + struct hns_roce_buf_list qpc_buf; + struct hns_roce_buf_list mtpt_buf; +-- +2.39.2 + diff --git a/tmp-5.10/rdma-hns-fix-coding-style-issues.patch b/tmp-5.10/rdma-hns-fix-coding-style-issues.patch new file mode 100644 index 00000000000..f6f52bb42f9 --- /dev/null +++ b/tmp-5.10/rdma-hns-fix-coding-style-issues.patch 
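Review bot: The moved function changes the object index type: the removed hns_roce_set_hem() took `unsigned long obj`, while hns_roce_v1_set_hem() takes `int obj`, and hns_roce_table_get() still passes its `unsigned long obj` through `hr_dev->hw->set_hem(...)`. The value is therefore narrowed to a signed int before `obj & (table->num_obj - 1)` computes the index used for `table->hem[i]`. The mask probably keeps the result in range for the table sizes in use, but the type of `num_obj` is not visible here, so that is worth confirming or stating in a comment such as `/* obj is masked to num_obj - 1 below, so the int narrowing cannot go out of range */`. The new `step_idx` parameter is also unused in this implementation, presumably to match the hook's prototype, which a one-line comment would make explicit.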
@@ -0,0 +1,453 @@ +From 83250f546c46886d2c3e823f2bf72e73a533c707 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Dec 2020 09:37:33 +0800 +Subject: RDMA/hns: Fix coding style issues + +From: Lang Cheng + +[ Upstream commit dc93a0d987fcfe93b132871e72d4ea5aff36dd5c ] + +Just format the code without modifying anything, including fixing some +redundant and missing blanks and spaces and changing the variable +definition order. + +Link: https://lore.kernel.org/r/1607650657-35992-8-git-send-email-liweihang@huawei.com +Signed-off-by: Lang Cheng +Signed-off-by: Weihang Li +Signed-off-by: Jason Gunthorpe +Stable-dep-of: cf5b608fb0e3 ("RDMA/hns: Fix hns_roce_table_get return value") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_cmd.c | 27 +++++++++++----------- + drivers/infiniband/hw/hns/hns_roce_cmd.h | 4 ++-- + drivers/infiniband/hw/hns/hns_roce_cq.c | 2 +- + drivers/infiniband/hw/hns/hns_roce_hem.c | 20 ++++++++-------- + drivers/infiniband/hw/hns/hns_roce_hem.h | 2 +- + drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 9 +++----- + drivers/infiniband/hw/hns/hns_roce_hw_v1.h | 2 +- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 9 +++----- + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 6 ++--- + drivers/infiniband/hw/hns/hns_roce_main.c | 6 ++--- + drivers/infiniband/hw/hns/hns_roce_mr.c | 4 ++-- + drivers/infiniband/hw/hns/hns_roce_qp.c | 2 +- + drivers/infiniband/hw/hns/hns_roce_srq.c | 1 - + 13 files changed, 43 insertions(+), 51 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_cmd.c b/drivers/infiniband/hw/hns/hns_roce_cmd.c +index 455d533dd7c4a..c493d7644b577 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_cmd.c ++++ b/drivers/infiniband/hw/hns/hns_roce_cmd.c +@@ -36,9 +36,9 @@ + #include "hns_roce_device.h" + #include "hns_roce_cmd.h" + +-#define CMD_POLL_TOKEN 0xffff +-#define CMD_MAX_NUM 32 +-#define CMD_TOKEN_MASK 0x1f ++#define CMD_POLL_TOKEN 0xffff ++#define CMD_MAX_NUM 32 ++#define CMD_TOKEN_MASK 0x1f + + static int 
hns_roce_cmd_mbox_post_hw(struct hns_roce_dev *hr_dev, u64 in_param, + u64 out_param, u32 in_modifier, +@@ -93,8 +93,8 @@ static int hns_roce_cmd_mbox_poll(struct hns_roce_dev *hr_dev, u64 in_param, + void hns_roce_cmd_event(struct hns_roce_dev *hr_dev, u16 token, u8 status, + u64 out_param) + { +- struct hns_roce_cmd_context +- *context = &hr_dev->cmd.context[token & hr_dev->cmd.token_mask]; ++ struct hns_roce_cmd_context *context = ++ &hr_dev->cmd.context[token % hr_dev->cmd.max_cmds]; + + if (token != context->token) + return; +@@ -164,8 +164,8 @@ static int hns_roce_cmd_mbox_wait(struct hns_roce_dev *hr_dev, u64 in_param, + int ret; + + down(&hr_dev->cmd.event_sem); +- ret = __hns_roce_cmd_mbox_wait(hr_dev, in_param, out_param, +- in_modifier, op_modifier, op, timeout); ++ ret = __hns_roce_cmd_mbox_wait(hr_dev, in_param, out_param, in_modifier, ++ op_modifier, op, timeout); + up(&hr_dev->cmd.event_sem); + + return ret; +@@ -231,9 +231,8 @@ int hns_roce_cmd_use_events(struct hns_roce_dev *hr_dev) + struct hns_roce_cmdq *hr_cmd = &hr_dev->cmd; + int i; + +- hr_cmd->context = kmalloc_array(hr_cmd->max_cmds, +- sizeof(*hr_cmd->context), +- GFP_KERNEL); ++ hr_cmd->context = ++ kcalloc(hr_cmd->max_cmds, sizeof(*hr_cmd->context), GFP_KERNEL); + if (!hr_cmd->context) + return -ENOMEM; + +@@ -262,8 +261,8 @@ void hns_roce_cmd_use_polling(struct hns_roce_dev *hr_dev) + hr_cmd->use_events = 0; + } + +-struct hns_roce_cmd_mailbox +- *hns_roce_alloc_cmd_mailbox(struct hns_roce_dev *hr_dev) ++struct hns_roce_cmd_mailbox * ++hns_roce_alloc_cmd_mailbox(struct hns_roce_dev *hr_dev) + { + struct hns_roce_cmd_mailbox *mailbox; + +@@ -271,8 +270,8 @@ struct hns_roce_cmd_mailbox + if (!mailbox) + return ERR_PTR(-ENOMEM); + +- mailbox->buf = dma_pool_alloc(hr_dev->cmd.pool, GFP_KERNEL, +- &mailbox->dma); ++ mailbox->buf = ++ dma_pool_alloc(hr_dev->cmd.pool, GFP_KERNEL, &mailbox->dma); + if (!mailbox->buf) { + kfree(mailbox); + return ERR_PTR(-ENOMEM); +diff --git 
a/drivers/infiniband/hw/hns/hns_roce_cmd.h b/drivers/infiniband/hw/hns/hns_roce_cmd.h +index 1915bacaded0a..8e63b827f28cc 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_cmd.h ++++ b/drivers/infiniband/hw/hns/hns_roce_cmd.h +@@ -143,8 +143,8 @@ int hns_roce_cmd_mbox(struct hns_roce_dev *hr_dev, u64 in_param, u64 out_param, + unsigned long in_modifier, u8 op_modifier, u16 op, + unsigned long timeout); + +-struct hns_roce_cmd_mailbox +- *hns_roce_alloc_cmd_mailbox(struct hns_roce_dev *hr_dev); ++struct hns_roce_cmd_mailbox * ++hns_roce_alloc_cmd_mailbox(struct hns_roce_dev *hr_dev); + void hns_roce_free_cmd_mailbox(struct hns_roce_dev *hr_dev, + struct hns_roce_cmd_mailbox *mailbox); + +diff --git a/drivers/infiniband/hw/hns/hns_roce_cq.c b/drivers/infiniband/hw/hns/hns_roce_cq.c +index 8a6bded9c11cb..9200e6477e1ed 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_cq.c ++++ b/drivers/infiniband/hw/hns/hns_roce_cq.c +@@ -41,9 +41,9 @@ + + static int alloc_cqc(struct hns_roce_dev *hr_dev, struct hns_roce_cq *hr_cq) + { ++ struct ib_device *ibdev = &hr_dev->ib_dev; + struct hns_roce_cmd_mailbox *mailbox; + struct hns_roce_cq_table *cq_table; +- struct ib_device *ibdev = &hr_dev->ib_dev; + u64 mtts[MTT_MIN_COUNT] = { 0 }; + dma_addr_t dma_handle; + int ret; +diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c +index c880a8be7e3cd..edc287a0a91a1 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hem.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c +@@ -198,9 +198,9 @@ int hns_roce_calc_hem_mhop(struct hns_roce_dev *hr_dev, + { + struct device *dev = hr_dev->dev; + u32 chunk_ba_num; ++ u32 chunk_size; + u32 table_idx; + u32 bt_num; +- u32 chunk_size; + + if (get_hem_table_config(hr_dev, mhop, table->type)) + return -EINVAL; +@@ -332,15 +332,15 @@ static int hns_roce_set_hem(struct hns_roce_dev *hr_dev, + { + spinlock_t *lock = &hr_dev->bt_cmd_lock; + struct device *dev = hr_dev->dev; +- long end; +- unsigned long flags; + struct 
hns_roce_hem_iter iter; + void __iomem *bt_cmd; + __le32 bt_cmd_val[2]; + __le32 bt_cmd_h = 0; ++ unsigned long flags; + __le32 bt_cmd_l; +- u64 bt_ba; + int ret = 0; ++ u64 bt_ba; ++ long end; + + /* Find the HEM(Hardware Entry Memory) entry */ + unsigned long i = (obj & (table->num_obj - 1)) / +@@ -640,8 +640,8 @@ int hns_roce_table_get(struct hns_roce_dev *hr_dev, + struct hns_roce_hem_table *table, unsigned long obj) + { + struct device *dev = hr_dev->dev; +- int ret = 0; + unsigned long i; ++ int ret = 0; + + if (hns_roce_check_whether_mhop(hr_dev, table->type)) + return hns_roce_table_mhop_get(hr_dev, table, obj); +@@ -789,14 +789,14 @@ void *hns_roce_table_find(struct hns_roce_dev *hr_dev, + struct hns_roce_hem_chunk *chunk; + struct hns_roce_hem_mhop mhop; + struct hns_roce_hem *hem; +- void *addr = NULL; + unsigned long mhop_obj = obj; + unsigned long obj_per_chunk; + unsigned long idx_offset; + int offset, dma_offset; ++ void *addr = NULL; ++ u32 hem_idx = 0; + int length; + int i, j; +- u32 hem_idx = 0; + + if (!table->lowmem) + return NULL; +@@ -966,8 +966,8 @@ static void hns_roce_cleanup_mhop_hem_table(struct hns_roce_dev *hr_dev, + { + struct hns_roce_hem_mhop mhop; + u32 buf_chunk_size; +- int i; + u64 obj; ++ int i; + + if (hns_roce_calc_hem_mhop(hr_dev, table, NULL, &mhop)) + return; +@@ -1298,8 +1298,8 @@ static int hem_list_alloc_root_bt(struct hns_roce_dev *hr_dev, + const struct hns_roce_buf_region *regions, + int region_cnt) + { +- struct roce_hem_item *hem, *temp_hem, *root_hem; + struct list_head temp_list[HNS_ROCE_MAX_BT_REGION]; ++ struct roce_hem_item *hem, *temp_hem, *root_hem; + const struct hns_roce_buf_region *r; + struct list_head temp_root; + struct list_head temp_btm; +@@ -1404,8 +1404,8 @@ int hns_roce_hem_list_request(struct hns_roce_dev *hr_dev, + { + const struct hns_roce_buf_region *r; + int ofs, end; +- int ret; + int unit; ++ int ret; + int i; + + if (region_cnt > HNS_ROCE_MAX_BT_REGION) { +diff --git 
a/drivers/infiniband/hw/hns/hns_roce_hem.h b/drivers/infiniband/hw/hns/hns_roce_hem.h +index b34c940077bb5..112243d112c23 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hem.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hem.h +@@ -174,4 +174,4 @@ static inline dma_addr_t hns_roce_hem_addr(struct hns_roce_hem_iter *iter) + return sg_dma_address(&iter->chunk->mem[iter->page_idx]); + } + +-#endif /*_HNS_ROCE_HEM_H*/ ++#endif /* _HNS_ROCE_HEM_H */ +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c +index b3d5ba8ef439a..cec705b58a847 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c +@@ -239,7 +239,7 @@ static int hns_roce_v1_post_send(struct ib_qp *ibqp, + break; + } + +- /*Ctrl field, ctrl set type: sig, solic, imm, fence */ ++ /* Ctrl field, ctrl set type: sig, solic, imm, fence */ + /* SO wait for conforming application scenarios */ + ctrl->flag |= (wr->send_flags & IB_SEND_SIGNALED ? + cpu_to_le32(HNS_ROCE_WQE_CQ_NOTIFY) : 0) | +@@ -300,7 +300,7 @@ static int hns_roce_v1_post_send(struct ib_qp *ibqp, + } + ctrl->flag |= cpu_to_le32(HNS_ROCE_WQE_INLINE); + } else { +- /*sqe num is two */ ++ /* sqe num is two */ + for (i = 0; i < wr->num_sge; i++) + set_data_seg(dseg + i, wr->sg_list + i); + +@@ -1165,7 +1165,7 @@ static int hns_roce_raq_init(struct hns_roce_dev *hr_dev) + } + raq->e_raq_buf->map = addr; + +- /* Configure raq extended address. 48bit 4K align*/ ++ /* Configure raq extended address. 
48bit 4K align */ + roce_write(hr_dev, ROCEE_EXT_RAQ_REG, raq->e_raq_buf->map >> 12); + + /* Configure raq_shift */ +@@ -2760,7 +2760,6 @@ static int hns_roce_v1_m_qp(struct ib_qp *ibqp, const struct ib_qp_attr *attr, + roce_set_field(context->qpc_bytes_16, + QP_CONTEXT_QPC_BYTES_16_QP_NUM_M, + QP_CONTEXT_QPC_BYTES_16_QP_NUM_S, hr_qp->qpn); +- + } else if (cur_state == IB_QPS_INIT && new_state == IB_QPS_INIT) { + roce_set_field(context->qpc_bytes_4, + QP_CONTEXT_QPC_BYTES_4_TRANSPORT_SERVICE_TYPE_M, +@@ -3793,7 +3792,6 @@ static int hns_roce_v1_aeq_int(struct hns_roce_dev *hr_dev, + int event_type; + + while ((aeqe = next_aeqe_sw_v1(eq))) { +- + /* Make sure we read the AEQ entry after we have checked the + * ownership bit + */ +@@ -3898,7 +3896,6 @@ static int hns_roce_v1_ceq_int(struct hns_roce_dev *hr_dev, + u32 cqn; + + while ((ceqe = next_ceqe_sw_v1(eq))) { +- + /* Make sure we read CEQ entry after we have checked the + * ownership bit + */ +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v1.h b/drivers/infiniband/hw/hns/hns_roce_hw_v1.h +index ffd0156080f52..46ab0a321d211 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v1.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v1.h +@@ -419,7 +419,7 @@ struct hns_roce_wqe_data_seg { + + struct hns_roce_wqe_raddr_seg { + __le32 rkey; +- __le32 len;/* reserved */ ++ __le32 len; /* reserved */ + __le64 raddr; + }; + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 76ed547b76ea7..322f341f41458 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -1028,8 +1028,8 @@ static int hns_roce_v2_rst_process_cmd(struct hns_roce_dev *hr_dev) + struct hns_roce_v2_priv *priv = hr_dev->priv; + struct hnae3_handle *handle = priv->handle; + const struct hnae3_ae_ops *ops = handle->ae_algo->ops; +- unsigned long instance_stage; /* the current instance stage */ +- unsigned long reset_stage; /* the current reset stage 
*/ ++ unsigned long instance_stage; /* the current instance stage */ ++ unsigned long reset_stage; /* the current reset stage */ + unsigned long reset_cnt; + bool sw_resetting; + bool hw_resetting; +@@ -2434,7 +2434,6 @@ static int hns_roce_init_link_table(struct hns_roce_dev *hr_dev, + if (i < (pg_num - 1)) + entry[i].blk_ba1_nxt_ptr |= + (i + 1) << HNS_ROCE_LINK_TABLE_NXT_PTR_S; +- + } + link_tbl->npages = pg_num; + link_tbl->pg_sz = buf_chk_sz; +@@ -5540,16 +5539,14 @@ static int hns_roce_v2_aeq_int(struct hns_roce_dev *hr_dev, + case HNS_ROCE_EVENT_TYPE_CQ_OVERFLOW: + hns_roce_cq_event(hr_dev, cqn, event_type); + break; +- case HNS_ROCE_EVENT_TYPE_DB_OVERFLOW: +- break; + case HNS_ROCE_EVENT_TYPE_MB: + hns_roce_cmd_event(hr_dev, + le16_to_cpu(aeqe->event.cmd.token), + aeqe->event.cmd.status, + le64_to_cpu(aeqe->event.cmd.out_param)); + break; ++ case HNS_ROCE_EVENT_TYPE_DB_OVERFLOW: + case HNS_ROCE_EVENT_TYPE_CEQ_OVERFLOW: +- break; + case HNS_ROCE_EVENT_TYPE_FLR: + break; + default: +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +index 8a92faeb3d237..8948d2b5577d5 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -440,7 +440,7 @@ struct hns_roce_srq_context { + #define SRQC_BYTE_60_SRQ_DB_RECORD_ADDR_S 1 + #define SRQC_BYTE_60_SRQ_DB_RECORD_ADDR_M GENMASK(31, 1) + +-enum{ ++enum { + V2_MPT_ST_VALID = 0x1, + V2_MPT_ST_FREE = 0x2, + }; +@@ -1076,9 +1076,9 @@ struct hns_roce_v2_ud_send_wqe { + __le32 dmac; + __le32 byte_48; + u8 dgid[GID_LEN_V2]; +- + }; +-#define V2_UD_SEND_WQE_BYTE_4_OPCODE_S 0 ++ ++#define V2_UD_SEND_WQE_BYTE_4_OPCODE_S 0 + #define V2_UD_SEND_WQE_BYTE_4_OPCODE_M GENMASK(4, 0) + + #define V2_UD_SEND_WQE_BYTE_4_OWNER_S 7 +diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c +index 8cc2dae269aff..90cbd15f64415 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_main.c ++++ 
b/drivers/infiniband/hw/hns/hns_roce_main.c +@@ -582,8 +582,8 @@ static int hns_roce_register_device(struct hns_roce_dev *hr_dev) + + static int hns_roce_init_hem(struct hns_roce_dev *hr_dev) + { +- int ret; + struct device *dev = hr_dev->dev; ++ int ret; + + ret = hns_roce_init_hem_table(hr_dev, &hr_dev->mr_table.mtpt_table, + HEM_TYPE_MTPT, hr_dev->caps.mtpt_entry_sz, +@@ -723,8 +723,8 @@ static int hns_roce_init_hem(struct hns_roce_dev *hr_dev) + */ + static int hns_roce_setup_hca(struct hns_roce_dev *hr_dev) + { +- int ret; + struct device *dev = hr_dev->dev; ++ int ret; + + spin_lock_init(&hr_dev->sm_lock); + spin_lock_init(&hr_dev->bt_cmd_lock); +@@ -847,8 +847,8 @@ void hns_roce_handle_device_err(struct hns_roce_dev *hr_dev) + + int hns_roce_init(struct hns_roce_dev *hr_dev) + { +- int ret; + struct device *dev = hr_dev->dev; ++ int ret; + + if (hr_dev->hw->reset) { + ret = hr_dev->hw->reset(hr_dev, true); +diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c +index 1c342a7bd7dff..d5b3b10e0a807 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_mr.c ++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c +@@ -167,10 +167,10 @@ static void hns_roce_mr_free(struct hns_roce_dev *hr_dev, + static int hns_roce_mr_enable(struct hns_roce_dev *hr_dev, + struct hns_roce_mr *mr) + { +- int ret; + unsigned long mtpt_idx = key_to_hw_index(mr->key); +- struct device *dev = hr_dev->dev; + struct hns_roce_cmd_mailbox *mailbox; ++ struct device *dev = hr_dev->dev; ++ int ret; + + /* Allocate mailbox memory */ + mailbox = hns_roce_alloc_cmd_mailbox(hr_dev); +diff --git a/drivers/infiniband/hw/hns/hns_roce_qp.c b/drivers/infiniband/hw/hns/hns_roce_qp.c +index 6fe98af7741b5..c42c6761382d1 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_qp.c ++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c +@@ -114,8 +114,8 @@ void hns_roce_qp_event(struct hns_roce_dev *hr_dev, u32 qpn, int event_type) + static void hns_roce_ib_qp_event(struct hns_roce_qp *hr_qp, + 
enum hns_roce_event type) + { +- struct ib_event event; + struct ib_qp *ibqp = &hr_qp->ibqp; ++ struct ib_event event; + + if (ibqp->event_handler) { + event.device = ibqp->device; +diff --git a/drivers/infiniband/hw/hns/hns_roce_srq.c b/drivers/infiniband/hw/hns/hns_roce_srq.c +index 08df97e0a6654..02e2416b5fed6 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_srq.c ++++ b/drivers/infiniband/hw/hns/hns_roce_srq.c +@@ -245,7 +245,6 @@ static int alloc_srq_idx(struct hns_roce_dev *hr_dev, struct hns_roce_srq *srq, + err = -ENOMEM; + goto err_idx_mtr; + } +- + } + + return 0; +-- +2.39.2 + diff --git a/tmp-5.10/rdma-hns-fix-hns_roce_table_get-return-value.patch b/tmp-5.10/rdma-hns-fix-hns_roce_table_get-return-value.patch new file mode 100644 index 00000000000..b1b581b039c --- /dev/null +++ b/tmp-5.10/rdma-hns-fix-hns_roce_table_get-return-value.patch 
@@ -0,0 +1,45 @@
+From 542b277f62895ed776c839d9db5590db488d77c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 May 2023 20:16:40 +0800
+Subject: RDMA/hns: Fix hns_roce_table_get return value
+
+From: Chengchang Tang
+
+[ Upstream commit cf5b608fb0e369c473a8303cad6ddb386505e5b8 ]
+
+The return value of set_hem has been fixed to ENODEV, which will lead a
+diagnostic information missing.
+
+Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
+Link: https://lore.kernel.org/r/20230523121641.3132102-3-huangjunxian6@hisilicon.com
+Signed-off-by: Chengchang Tang
+Signed-off-by: Junxian Huang
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/hns/hns_roce_hem.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
+index 3c3187f22216a..854b41c14774d 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
+@@ -588,11 +588,12 @@ int hns_roce_table_get(struct hns_roce_dev *hr_dev,
+ }
+
+ /* Set HEM base address(128K/page, pa) to Hardware */
+- if (hr_dev->hw->set_hem(hr_dev, table, obj, HEM_HOP_STEP_DIRECT)) {
++ ret = hr_dev->hw->set_hem(hr_dev, table, obj, HEM_HOP_STEP_DIRECT);
++ if (ret) {
+ hns_roce_free_hem(hr_dev, table->hem[i]);
+ table->hem[i] = NULL;
+- ret = -ENODEV;
+- dev_err(dev, "set HEM base address to HW failed.\n");
++ dev_err(dev, "set HEM base address to HW failed, ret = %d.\n",
++ ret);
+ goto out;
+ }
+
+--
+2.39.2
+
diff --git a/tmp-5.10/rdma-hns-use-refcount_t-apis-for-hem.patch b/tmp-5.10/rdma-hns-use-refcount_t-apis-for-hem.patch
new file mode 100644
index 00000000000..38ee28c358c
--- /dev/null
+++ b/tmp-5.10/rdma-hns-use-refcount_t-apis-for-hem.patch
@@ -0,0 +1,128 @@
+From f5f03e27fab0ffedbb5f2578859539bdde5fd8c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 May 2021 17:29:54 +0800
+Subject: RDMA/hns: Use refcount_t APIs for HEM
+
+From: Weihang Li
+
+[ Upstream commit 82eb481da64586ccd287b2b2c5a086202c65e7eb ]
+
+refcount_t is better than integer for reference counting, it will WARN on
+overflow/underflow and avoid use-after-free risks.
+
+Link: https://lore.kernel.org/r/1621589395-2435-5-git-send-email-liweihang@huawei.com
+Signed-off-by: Weihang Li
+Signed-off-by: Jason Gunthorpe
+Stable-dep-of: cf5b608fb0e3 ("RDMA/hns: Fix hns_roce_table_get return value")
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/hns/hns_roce_hem.c | 32 +++++++++++-------------
+ drivers/infiniband/hw/hns/hns_roce_hem.h | 4 +--
+ 2 files changed, 17 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
+index edc287a0a91a1..831e9476c6284 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
+@@ -260,7 +260,6 @@ static struct hns_roce_hem *hns_roce_alloc_hem(struct hns_roce_dev *hr_dev,
+ if (!hem)
+ return NULL;
+
+- hem->refcount = 0;
+ INIT_LIST_HEAD(&hem->chunk_list);
+
+ order = get_order(hem_alloc_size);
+@@ -607,7 +606,7 @@ static int hns_roce_table_mhop_get(struct hns_roce_dev *hr_dev,
+
+ mutex_lock(&table->mutex);
+ if (table->hem[index.buf]) {
+- ++table->hem[index.buf]->refcount;
++ refcount_inc(&table->hem[index.buf]->refcount);
+ goto out;
+ }
+
+@@ -626,7 +625,7 @@ static int hns_roce_table_mhop_get(struct hns_roce_dev *hr_dev,
+ }
+ }
+
+- ++table->hem[index.buf]->refcount;
++ refcount_set(&table->hem[index.buf]->refcount, 1);
+ goto out;
+
+ err_alloc:
+@@ -652,7 +651,7 @@ int hns_roce_table_get(struct hns_roce_dev *hr_dev,
+ mutex_lock(&table->mutex);
+
+ if (table->hem[i]) {
+- ++table->hem[i]->refcount;
++ refcount_inc(&table->hem[i]->refcount);
+ goto out;
+ }
+
+@@ -675,7 +674,7 @@ int hns_roce_table_get(struct hns_roce_dev *hr_dev,
+ goto out;
+ }
+
+- ++table->hem[i]->refcount;
++ refcount_set(&table->hem[i]->refcount, 1);
+ out:
+ mutex_unlock(&table->mutex);
+ return ret;
+@@ -742,11 +741,11 @@ static void hns_roce_table_mhop_put(struct hns_roce_dev *hr_dev,
+ return;
+ }
+
+- mutex_lock(&table->mutex);
+- if (check_refcount && (--table->hem[index.buf]->refcount > 0)) {
+- mutex_unlock(&table->mutex);
++ if (!check_refcount)
++ mutex_lock(&table->mutex);
++ else if (!refcount_dec_and_mutex_lock(&table->hem[index.buf]->refcount,
++ &table->mutex))
+ return;
+- }
+
+ clear_mhop_hem(hr_dev, table, obj, &mhop, &index);
+ free_mhop_hem(hr_dev, table, &mhop, &index);
+@@ -768,16 +767,15 @@ void hns_roce_table_put(struct hns_roce_dev *hr_dev,
+ i = (obj & (table->num_obj - 1)) /
+ (table->table_chunk_size / table->obj_size);
+
+- mutex_lock(&table->mutex);
++ if (!refcount_dec_and_mutex_lock(&table->hem[i]->refcount,
++ &table->mutex))
++ return;
+
+- if (--table->hem[i]->refcount == 0) {
+- /* Clear HEM base address */
+- if (hr_dev->hw->clear_hem(hr_dev, table, obj, 0))
+- dev_warn(dev, "Clear HEM base address failed.\n");
++ if (hr_dev->hw->clear_hem(hr_dev, table, obj, 0))
++ dev_warn(dev, "failed to clear HEM base address.\n");
+
+- hns_roce_free_hem(hr_dev, table->hem[i]);
+- table->hem[i] = NULL;
+- }
++ hns_roce_free_hem(hr_dev, table->hem[i]);
++ table->hem[i] = NULL;
+
+ mutex_unlock(&table->mutex);
+ }
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.h b/drivers/infiniband/hw/hns/hns_roce_hem.h
+index 112243d112c23..03d44e2efa473 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hem.h
++++ b/drivers/infiniband/hw/hns/hns_roce_hem.h
+@@ -87,8 +87,8 @@ struct hns_roce_hem_chunk {
+ };
+
+ struct hns_roce_hem {
+- struct list_head chunk_list;
+- int refcount;
++ struct list_head chunk_list;
++ refcount_t refcount;
+ };
+
+ struct hns_roce_hem_iter {
+--
+2.39.2
+
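Review bot: In `hns_roce_table_put()` and in the `check_refcount` branch of `hns_roce_table_mhop_put()`, `table->hem[...]` is now loaded and its refcount touched before `table->mutex` is taken, where the old code dereferenced the entry only under the lock. That is sound only while every caller still owns a reference to the entry. The `!check_refcount` branch frees the entry under the mutex without looking at the count, so it is worth confirming that it cannot run concurrently with a put, which would leave the refcount access pointing at freed memory; the callers are not visible in these hunks. I would state the invariant at both sites, e.g. `/* caller holds a reference: hem[] is read before table->mutex is taken */`. Both function bodies start outside the hunks shown.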
diff --git a/tmp-5.10/rdma-remove-uverbs_ex_cmd_mask-values-that-are-linke.patch b/tmp-5.10/rdma-remove-uverbs_ex_cmd_mask-values-that-are-linke.patch
new file mode 100644
index 00000000000..9f72f6bcaf8
--- /dev/null
+++ b/tmp-5.10/rdma-remove-uverbs_ex_cmd_mask-values-that-are-linke.patch
@@ -0,0 +1,207 @@
+From a74d833260a058ea18ce5e9026933f2466fa75ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 3 Oct 2020 20:20:02 -0300
+Subject: RDMA: Remove uverbs_ex_cmd_mask values that are linked to functions
+
+From: Jason Gunthorpe
+
+[ Upstream commit b8e3130dd96b7b2d6d92e62dcd1515af30212fe2 ]
+
+Since a while now the uverbs layer checks if the driver implements a
+function before allowing the ucmd to proceed. This largely obsoletes the
+cmd_mask stuff, but there is some tricky bits in drivers preventing it
+from being removed.
+
+Remove the easy elements of uverbs_ex_cmd_mask by pre-setting them in the
+core code. These are triggered soley based on the related ops function
+pointer.
+
+query_device_ex is not triggered based on an op, but all drivers already
+implement something compatible with the extension, so enable it globally
+too.
+
+Link: https://lore.kernel.org/r/2-v1-caa70ba3d1ab+1436e-ucmd_mask_jgg@nvidia.com
+Signed-off-by: Jason Gunthorpe
+Stable-dep-of: cf5b608fb0e3 ("RDMA/hns: Fix hns_roce_table_get return value")
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/core/device.c | 11 +++++++++++
+ drivers/infiniband/core/uverbs_cmd.c | 2 +-
+ drivers/infiniband/hw/efa/efa_main.c | 3 ---
+ drivers/infiniband/hw/hns/hns_roce_hw_v1.c | 7 -------
+ drivers/infiniband/hw/hns/hns_roce_main.c | 2 --
+ drivers/infiniband/hw/mlx4/main.c | 14 +-------------
+ drivers/infiniband/hw/mlx5/main.c | 14 ++------------
+ 7 files changed, 15 insertions(+), 38 deletions(-)
+
+diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
+index 5b7abcf102fe9..3c29fd04b3016 100644
+--- a/drivers/infiniband/core/device.c
++++ b/drivers/infiniband/core/device.c
+@@ -600,6 +600,17 @@ struct ib_device *_ib_alloc_device(size_t size)
+ init_completion(&device->unreg_completion);
+ INIT_WORK(&device->unregistration_work, ib_unregister_work);
+
++ device->uverbs_ex_cmd_mask =
++ BIT_ULL(IB_USER_VERBS_EX_CMD_CREATE_FLOW) |
++ BIT_ULL(IB_USER_VERBS_EX_CMD_CREATE_RWQ_IND_TBL) |
++ BIT_ULL(IB_USER_VERBS_EX_CMD_CREATE_WQ) |
++ BIT_ULL(IB_USER_VERBS_EX_CMD_DESTROY_FLOW) |
++ BIT_ULL(IB_USER_VERBS_EX_CMD_DESTROY_RWQ_IND_TBL) |
++ BIT_ULL(IB_USER_VERBS_EX_CMD_DESTROY_WQ) |
++ BIT_ULL(IB_USER_VERBS_EX_CMD_MODIFY_CQ) |
++ BIT_ULL(IB_USER_VERBS_EX_CMD_MODIFY_WQ) |
++ BIT_ULL(IB_USER_VERBS_EX_CMD_QUERY_DEVICE);
++
+ return device;
+ }
+ EXPORT_SYMBOL(_ib_alloc_device);
+diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
+index 09cf470c08d65..158f9eadc4e95 100644
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -3778,7 +3778,7 @@ const struct uapi_definition uverbs_def_write_intf[] = {
+ IB_USER_VERBS_EX_CMD_MODIFY_CQ,
+ ib_uverbs_ex_modify_cq,
+ UAPI_DEF_WRITE_I(struct ib_uverbs_ex_modify_cq),
+- UAPI_DEF_METHOD_NEEDS_FN(create_cq))),
++ UAPI_DEF_METHOD_NEEDS_FN(modify_cq))),
+
+ DECLARE_UVERBS_OBJECT(
+ UVERBS_OBJECT_DEVICE,
+diff --git a/drivers/infiniband/hw/efa/efa_main.c b/drivers/infiniband/hw/efa/efa_main.c
+index ffdd18f4217f5..cd41cd114ab63 100644
+--- a/drivers/infiniband/hw/efa/efa_main.c
++++ b/drivers/infiniband/hw/efa/efa_main.c
+@@ -326,9 +326,6 @@ static int efa_ib_device_add(struct efa_dev *dev)
+ (1ull << IB_USER_VERBS_CMD_CREATE_AH) |
+ (1ull << IB_USER_VERBS_CMD_DESTROY_AH);
+
+- dev->ibdev.uverbs_ex_cmd_mask =
+- (1ull << IB_USER_VERBS_EX_CMD_QUERY_DEVICE);
+-
+ ib_set_device_ops(&dev->ibdev, &efa_dev_ops);
+
+ err = ib_register_device(&dev->ibdev, "efa_%d", &pdev->dev);
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
+index 5f4d8a32ed6d9..b3d5ba8ef439a 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v1.c
+@@ -2062,11 +2062,6 @@ static void hns_roce_v1_write_cqc(struct hns_roce_dev *hr_dev,
+ CQ_CONTEXT_CQC_BYTE_32_CQ_CONS_IDX_S, 0);
+ }
+
+-static int hns_roce_v1_modify_cq(struct ib_cq *cq, u16 cq_count, u16 cq_period)
+-{
+- return -EOPNOTSUPP;
+-}
+-
+ static int hns_roce_v1_req_notify_cq(struct ib_cq *ibcq,
+ enum ib_cq_notify_flags flags)
+ {
+@@ -4347,7 +4342,6 @@ static void hns_roce_v1_cleanup_eq_table(struct hns_roce_dev *hr_dev)
+
+ static const struct ib_device_ops hns_roce_v1_dev_ops = {
+ .destroy_qp = hns_roce_v1_destroy_qp,
+- .modify_cq = hns_roce_v1_modify_cq,
+ .poll_cq = hns_roce_v1_poll_cq,
+ .post_recv = hns_roce_v1_post_recv,
+ .post_send = hns_roce_v1_post_send,
+@@ -4367,7 +4361,6 @@ static const struct hns_roce_hw hns_roce_hw_v1 = {
+ .set_mtu = hns_roce_v1_set_mtu,
+ .write_mtpt = hns_roce_v1_write_mtpt,
+ .write_cqc = hns_roce_v1_write_cqc,
+- .modify_cq = hns_roce_v1_modify_cq,
+ .clear_hem = hns_roce_v1_clear_hem,
+ .modify_qp = hns_roce_v1_modify_qp,
+ .query_qp = hns_roce_v1_query_qp,
+diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
+index 1e8b3e4ef1b17..8cc2dae269aff 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_main.c
++++ b/drivers/infiniband/hw/hns/hns_roce_main.c
+@@ -511,8 +511,6 @@ static int hns_roce_register_device(struct hns_roce_dev *hr_dev)
+ (1ULL << IB_USER_VERBS_CMD_QUERY_QP) |
+ (1ULL << IB_USER_VERBS_CMD_DESTROY_QP);
+
+- ib_dev->uverbs_ex_cmd_mask |= (1ULL << IB_USER_VERBS_EX_CMD_MODIFY_CQ);
+-
+ if (hr_dev->caps.flags & HNS_ROCE_CAP_FLAG_REREG_MR) {
+ ib_dev->uverbs_cmd_mask |= (1ULL << IB_USER_VERBS_CMD_REREG_MR);
+ ib_set_device_ops(ib_dev, &hns_roce_dev_mr_ops);
+diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c
+index 05c7200751e50..c62cdd6456962 100644
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -2682,8 +2682,6 @@ static void *mlx4_ib_add(struct mlx4_dev *dev)
+
+ ib_set_device_ops(&ibdev->ib_dev, &mlx4_ib_dev_ops);
+ ibdev->ib_dev.uverbs_ex_cmd_mask |=
+- (1ull << IB_USER_VERBS_EX_CMD_MODIFY_CQ) |
+- (1ull << IB_USER_VERBS_EX_CMD_QUERY_DEVICE) |
+ (1ull << IB_USER_VERBS_EX_CMD_CREATE_CQ) |
+ (1ull << IB_USER_VERBS_EX_CMD_CREATE_QP);
+
+@@ -2691,15 +2689,8 @@ static void *mlx4_ib_add(struct mlx4_dev *dev)
+ ((mlx4_ib_port_link_layer(&ibdev->ib_dev, 1) ==
+ IB_LINK_LAYER_ETHERNET) ||
+ (mlx4_ib_port_link_layer(&ibdev->ib_dev, 2) ==
+- IB_LINK_LAYER_ETHERNET))) {
+- ibdev->ib_dev.uverbs_ex_cmd_mask |=
+- (1ull << IB_USER_VERBS_EX_CMD_CREATE_WQ) |
+- (1ull << IB_USER_VERBS_EX_CMD_MODIFY_WQ) |
+- (1ull << IB_USER_VERBS_EX_CMD_DESTROY_WQ) |
+- (1ull << IB_USER_VERBS_EX_CMD_CREATE_RWQ_IND_TBL) |
+- (1ull << IB_USER_VERBS_EX_CMD_DESTROY_RWQ_IND_TBL);
++ IB_LINK_LAYER_ETHERNET)))
+ ib_set_device_ops(&ibdev->ib_dev, &mlx4_ib_dev_wq_ops);
+- }
+
+ if (dev->caps.flags & MLX4_DEV_CAP_FLAG_MEM_WINDOW ||
+ dev->caps.bmme_flags & MLX4_BMME_FLAG_TYPE_2_WIN) {
+@@ -2718,9 +2709,6 @@ static void *mlx4_ib_add(struct mlx4_dev *dev)
+
+ if (check_flow_steering_support(dev)) {
+ ibdev->steering_support = MLX4_STEERING_MODE_DEVICE_MANAGED;
+- ibdev->ib_dev.uverbs_ex_cmd_mask |=
+- (1ull << IB_USER_VERBS_EX_CMD_CREATE_FLOW) |
+- (1ull << IB_USER_VERBS_EX_CMD_DESTROY_FLOW);
+ ib_set_device_ops(&ibdev->ib_dev, &mlx4_ib_dev_fs_ops);
+ }
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index 39ba7005f2c4c..215d6618839be 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -4180,14 +4180,10 @@ static int mlx5_ib_stage_caps_init(struct mlx5_ib_dev *dev)
+ (1ull << IB_USER_VERBS_CMD_DESTROY_SRQ) |
+ (1ull << IB_USER_VERBS_CMD_CREATE_XSRQ) |
+ (1ull << IB_USER_VERBS_CMD_OPEN_QP);
+- dev->ib_dev.uverbs_ex_cmd_mask =
+- (1ull << IB_USER_VERBS_EX_CMD_QUERY_DEVICE) |
++ dev->ib_dev.uverbs_ex_cmd_mask |=
+ (1ull << IB_USER_VERBS_EX_CMD_CREATE_CQ) |
+ (1ull << IB_USER_VERBS_EX_CMD_CREATE_QP) |
+- (1ull << IB_USER_VERBS_EX_CMD_MODIFY_QP) |
+- (1ull << IB_USER_VERBS_EX_CMD_MODIFY_CQ) |
+- (1ull << IB_USER_VERBS_EX_CMD_CREATE_FLOW) |
+- (1ull << IB_USER_VERBS_EX_CMD_DESTROY_FLOW);
++ (1ull << IB_USER_VERBS_EX_CMD_MODIFY_QP);
+
+ if (MLX5_CAP_GEN(mdev, ipoib_enhanced_offloads) &&
+ IS_ENABLED(CONFIG_MLX5_CORE_IPOIB))
+@@ -4290,12 +4286,6 @@ static int mlx5_ib_roce_init(struct mlx5_ib_dev *dev)
+ ll = mlx5_port_type_cap_to_rdma_ll(port_type_cap);
+
+ if (ll == IB_LINK_LAYER_ETHERNET) {
+- dev->ib_dev.uverbs_ex_cmd_mask |=
+- (1ull << IB_USER_VERBS_EX_CMD_CREATE_WQ) |
+- (1ull << IB_USER_VERBS_EX_CMD_MODIFY_WQ) |
+- (1ull << IB_USER_VERBS_EX_CMD_DESTROY_WQ) |
+- (1ull << IB_USER_VERBS_EX_CMD_CREATE_RWQ_IND_TBL) |
+- (1ull << IB_USER_VERBS_EX_CMD_DESTROY_RWQ_IND_TBL);
+ ib_set_device_ops(&dev->ib_dev, &mlx5_ib_dev_common_roce_ops);
+
+ port_num = mlx5_core_native_port_num(dev->mdev) - 1;
+--
+2.39.2
+
diff --git a/tmp-5.10/regmap-account-for-register-length-in-smbus-i-o-limits.patch b/tmp-5.10/regmap-account-for-register-length-in-smbus-i-o-limits.patch
new file mode 100644
index 00000000000..b920fc52b6d
--- /dev/null
+++ b/tmp-5.10/regmap-account-for-register-length-in-smbus-i-o-limits.patch
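Review bot: The defaults preset in `_ib_alloc_device()` survive only in drivers that OR into `uverbs_ex_cmd_mask`; any driver that still assigns with `=` after allocation overwrites them and silently drops the nine preset commands. The mlx5 hunk switches `=` to `|=` and the efa hunk deletes its assignment for exactly this reason, but the diffstat touches only efa, hns, mlx4 and mlx5, so whether other drivers in the 5.10 tree still assign the mask cannot be confirmed from this patch and is worth checking for a backported dependency. I would document the contract at the preset, e.g. `/* Defaults gated by ops pointers; drivers must use |= on uverbs_ex_cmd_mask */`. Separately, `.modify_cq` is dropped from `hns_roce_hw_v1`, so any caller of `hr_dev->hw->modify_cq` needs a NULL check; no such caller is visible here.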
@@ -0,0 +1,54 @@
+From 0c9d2eb5e94792fe64019008a04d4df5e57625af Mon Sep 17 00:00:00 2001
+From: Mark Brown
+Date: Wed, 12 Jul 2023 12:16:40 +0100
+Subject: regmap: Account for register length in SMBus I/O limits
+
+From: Mark Brown
+
+commit 0c9d2eb5e94792fe64019008a04d4df5e57625af upstream.
+
+The SMBus I2C buses have limits on the size of transfers they can do but
+do not factor in the register length meaning we may try to do a transfer
+longer than our length limit, the core will not take care of this.
+Future changes will factor this out into the core but there are a number
+of users that assume current behaviour so let's just do something
+conservative here.
+
+This does not take account padding bits but practically speaking these
+are very rarely if ever used on I2C buses given that they generally run
+slowly enough to mean there's no issue.
+
+Cc: stable@kernel.org
+Signed-off-by: Mark Brown
+Reviewed-by: Xu Yilun
+Link: https://lore.kernel.org/r/20230712-regmap-max-transfer-v1-2-80e2aed22e83@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/base/regmap/regmap-i2c.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/base/regmap/regmap-i2c.c
++++ b/drivers/base/regmap/regmap-i2c.c
+@@ -242,8 +242,8 @@ static int regmap_i2c_smbus_i2c_read(voi
+ static const struct regmap_bus regmap_i2c_smbus_i2c_block = {
+ .write = regmap_i2c_smbus_i2c_write,
+ .read = regmap_i2c_smbus_i2c_read,
+- .max_raw_read = I2C_SMBUS_BLOCK_MAX,
+- .max_raw_write = I2C_SMBUS_BLOCK_MAX,
++ .max_raw_read = I2C_SMBUS_BLOCK_MAX - 1,
++ .max_raw_write = I2C_SMBUS_BLOCK_MAX - 1,
+ };
+
+ static int regmap_i2c_smbus_i2c_write_reg16(void *context, const void *data,
+@@ -299,8 +299,8 @@ static int regmap_i2c_smbus_i2c_read_reg
+ static const struct regmap_bus regmap_i2c_smbus_i2c_block_reg16 = {
+ .write = regmap_i2c_smbus_i2c_write_reg16,
+ .read = regmap_i2c_smbus_i2c_read_reg16,
+- .max_raw_read = I2C_SMBUS_BLOCK_MAX,
+- .max_raw_write = I2C_SMBUS_BLOCK_MAX,
++ .max_raw_read = I2C_SMBUS_BLOCK_MAX - 2,
++ .max_raw_write = I2C_SMBUS_BLOCK_MAX - 2,
+ };
+
+ static const struct regmap_bus *regmap_get_i2c_bus(struct i2c_client *i2c,
diff --git a/tmp-5.10/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch b/tmp-5.10/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch
new file mode 100644
index 00000000000..c2b21d326fc
--- /dev/null
+++ b/tmp-5.10/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch
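Review bot: The `- 1` and `- 2` subtracted from `I2C_SMBUS_BLOCK_MAX` in `regmap_i2c_smbus_i2c_block` and `regmap_i2c_smbus_i2c_block_reg16` are bare constants at the point of use, and the reason for them lives only in the commit message. Going by that message they are the register-address bytes that share the SMBus block limit with the data, presumably one byte for the 8-bit table and two for the reg16 table. A short comment on each pair would keep a later cleanup from restoring the full limit and reintroducing the over-length transfer, e.g. `/* block limit minus the 1-byte register address */` and `/* block limit minus the 2-byte register address */`. The commit message also says padding is not accounted for, which is worth repeating in that comment.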
@@ -0,0 +1,64 @@
+From bc64734825c59e18a27ac266b07e14944c111fd8 Mon Sep 17 00:00:00 2001
+From: Mark Brown
+Date: Wed, 12 Jul 2023 12:16:39 +0100
+Subject: regmap: Drop initial version of maximum transfer length fixes
+
+From: Mark Brown
+
+commit bc64734825c59e18a27ac266b07e14944c111fd8 upstream.
+
+When problems were noticed with the register address not being taken
+into account when limiting raw transfers with I2C devices we fixed this
+in the core. Unfortunately it has subsequently been realised that a lot
+of buses were relying on the prior behaviour, partly due to unclear
+documentation not making it obvious what was intended in the core. This
+is all more involved to fix than is sensible for a fix commit so let's
+just drop the original fixes, a separate commit will fix the originally
+observed problem in an I2C specific way
+
+Fixes: 3981514180c9 ("regmap: Account for register length when chunking")
+Fixes: c8e796895e23 ("regmap: spi-avmm: Fix regmap_bus max_raw_write")
+Signed-off-by: Mark Brown
+Reviewed-by: Xu Yilun
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20230712-regmap-max-transfer-v1-1-80e2aed22e83@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/base/regmap/regmap-spi-avmm.c | 2 +-
+ drivers/base/regmap/regmap.c | 6 ++----
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/base/regmap/regmap-spi-avmm.c
++++ b/drivers/base/regmap/regmap-spi-avmm.c
+@@ -666,7 +666,7 @@ static const struct regmap_bus regmap_sp
+ .reg_format_endian_default = REGMAP_ENDIAN_NATIVE,
+ .val_format_endian_default = REGMAP_ENDIAN_NATIVE,
+ .max_raw_read = SPI_AVMM_VAL_SIZE * MAX_READ_CNT,
+- .max_raw_write = SPI_AVMM_REG_SIZE + SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT,
++ .max_raw_write = SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT,
+ .free_context = spi_avmm_bridge_ctx_free,
+ };
+
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1998,8 +1998,6 @@ int _regmap_raw_write(struct regmap *map
+ size_t val_count = val_len / val_bytes;
+ size_t chunk_count, chunk_bytes;
+ size_t chunk_regs = val_count;
+- size_t max_data = map->max_raw_write - map->format.reg_bytes -
+- map->format.pad_bytes;
+ int ret, i;
+
+ if (!val_count)
+@@ -2007,8 +2005,8 @@ int _regmap_raw_write(struct regmap *map
+
+ if (map->use_single_write)
+ chunk_regs = 1;
+- else if (map->max_raw_write && val_len > max_data)
+- chunk_regs = max_data / val_bytes;
++ else if (map->max_raw_write && val_len > map->max_raw_write)
++ chunk_regs = map->max_raw_write / val_bytes;
+
+ chunk_count = val_count / chunk_regs;
+ chunk_bytes = chunk_regs * val_bytes;
diff --git a/tmp-5.10/regulator-core-fix-more-error-checking-for-debugfs_c.patch b/tmp-5.10/regulator-core-fix-more-error-checking-for-debugfs_c.patch
new file mode 100644
index 00000000000..0dae95c294c
--- /dev/null
+++ b/tmp-5.10/regulator-core-fix-more-error-checking-for-debugfs_c.patch
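Review bot: In the second `_regmap_raw_write()` hunk, `chunk_regs = map->max_raw_write / val_bytes;` is zero whenever a bus sets a non-zero `max_raw_write` smaller than `val_bytes`, and the next statement `chunk_count = val_count / chunk_regs;` then divides by zero. Nothing in the visible lines rules that combination out, although it may be rejected when the map is initialised, which is outside this hunk. A guard right after the `else if` would make the function safe on its own, e.g. `if (!chunk_regs) return -EINVAL;`. The function body starts before and continues after the lines shown.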
@@ -0,0 +1,40 @@
+From 2f2c35957d80a482001fb79b1fa3fd1549acaba1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 May 2023 13:13:58 +0200
+Subject: regulator: core: Fix more error checking for debugfs_create_dir()
+
+From: Geert Uytterhoeven
+
+[ Upstream commit 2715bb11cfff964aa33946847f9527cfbd4874f5 ]
+
+In case of failure, debugfs_create_dir() does not return NULL, but an
+error pointer. Most incorrect error checks were fixed, but the one in
+create_regulator() was forgotten.
+
+Fix the remaining error check.
+
+Fixes: 2bf1c45be3b8f3a3 ("regulator: Fix error checking for debugfs_create_dir")
+Signed-off-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/r/ee980a108b5854dd8ce3630f8f673e784e057d17.1685013051.git.geert+renesas@glider.be
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/regulator/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index f5ab74683b58a..e4ff64d28c778 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1751,7 +1751,7 @@ static struct regulator *create_regulator(struct regulator_dev *rdev,
+
+ if (err != -EEXIST)
+ regulator->debugfs = debugfs_create_dir(supply_name, rdev->debugfs);
+- if (!regulator->debugfs) {
++ if (IS_ERR(regulator->debugfs)) {
+ rdev_dbg(rdev, "Failed to create debugfs directory\n");
+ } else {
+ debugfs_create_u32("uA_load", 0444, regulator->debugfs,
+--
+2.39.2
+
diff --git a/tmp-5.10/regulator-core-streamline-debugfs-operations.patch b/tmp-5.10/regulator-core-streamline-debugfs-operations.patch
new file mode 100644
index 00000000000..538349ece62
--- /dev/null
+++ b/tmp-5.10/regulator-core-streamline-debugfs-operations.patch
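Review bot: `IS_ERR()` is false for NULL, so when `err == -EEXIST` skips `debugfs_create_dir()` and `regulator->debugfs` is still NULL (presumably zero-initialised; the allocation is outside the hunk), the `else` branch now runs and `debugfs_create_u32("uA_load", ...)` is called with a NULL parent, which debugfs treats as its root directory. The old `!regulator->debugfs` test kept that case out of the file-creation path. The next patch in this series, `regulator-core-streamline-debugfs-operations.patch` at `@@ -1751,19 +1751,17 @@`, makes the creation unconditional and has the same gap. A check that covers both the error-pointer and the skipped case would be `if (IS_ERR_OR_NULL(regulator->debugfs)) {`. `create_regulator()` starts and ends outside the lines shown.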
@@ -0,0 +1,100 @@
+From 67a1eeb8763cf618d13e3e65e0620ff493b2790c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 May 2023 13:13:59 +0200
+Subject: regulator: core: Streamline debugfs operations
+
+From: Geert Uytterhoeven
+
+[ Upstream commit 08880713ceec023dd94d634f1e8902728c385939 ]
+
+If CONFIG_DEBUG_FS is not set:
+
+ regulator: Failed to create debugfs directory
+ ...
+ regulator-dummy: Failed to create debugfs directory
+
+As per the comments for debugfs_create_dir(), errors returned by this
+function should be expected, and ignored:
+
+ * If debugfs is not enabled in the kernel, the value -%ENODEV will be
+ * returned.
+ *
+ * NOTE: it's expected that most callers should _ignore_ the errors returned
+ * by this function. Other debugfs functions handle the fact that the "dentry"
+ * passed to them could be an error and they don't crash in that case.
+ * Drivers should generally work fine even if debugfs fails to init anyway.
+
+Adhere to the debugfs spirit, and streamline all operations by:
+ 1. Demoting the importance of the printed error messages to debug
+ level, like is already done in create_regulator(),
+ 2. Further ignoring any returned errors, as by design, all debugfs
+ functions are no-ops when passed an error pointer.
+
+Fixes: 2bf1c45be3b8f3a3 ("regulator: Fix error checking for debugfs_create_dir")
+Signed-off-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/r/2f8bb6e113359ddfab7b59e4d4274bd4c06d6d0a.1685013051.git.geert+renesas@glider.be
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/regulator/core.c | 30 +++++++++++++-----------------
+ 1 file changed, 13 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index e4ff64d28c778..52b75779dbb7e 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1751,19 +1751,17 @@ static struct regulator *create_regulator(struct regulator_dev *rdev,
+
+ if (err != -EEXIST)
+ regulator->debugfs = debugfs_create_dir(supply_name, rdev->debugfs);
+- if (IS_ERR(regulator->debugfs)) {
++ if (IS_ERR(regulator->debugfs))
+ rdev_dbg(rdev, "Failed to create debugfs directory\n");
+- } else {
+- debugfs_create_u32("uA_load", 0444, regulator->debugfs,
+- ®ulator->uA_load);
+- debugfs_create_u32("min_uV", 0444, regulator->debugfs,
+- ®ulator->voltage[PM_SUSPEND_ON].min_uV);
+- debugfs_create_u32("max_uV", 0444, regulator->debugfs,
+- ®ulator->voltage[PM_SUSPEND_ON].max_uV);
+- debugfs_create_file("constraint_flags", 0444,
+- regulator->debugfs, regulator,
+- &constraint_flags_fops);
+- }
++
++ debugfs_create_u32("uA_load", 0444, regulator->debugfs,
++ ®ulator->uA_load);
++ debugfs_create_u32("min_uV", 0444, regulator->debugfs,
++ ®ulator->voltage[PM_SUSPEND_ON].min_uV);
++ debugfs_create_u32("max_uV", 0444, regulator->debugfs,
++ ®ulator->voltage[PM_SUSPEND_ON].max_uV);
++ debugfs_create_file("constraint_flags", 0444, regulator->debugfs,
++ regulator, &constraint_flags_fops);
+
+ /*
+ * Check now if the regulator is an always on regulator - if
+@@ -5032,10 +5030,8 @@ static void rdev_init_debugfs(struct regulator_dev *rdev)
+ }
+
+ rdev->debugfs = debugfs_create_dir(rname, debugfs_root);
+- if (IS_ERR(rdev->debugfs)) {
+- rdev_warn(rdev, "Failed to create debugfs directory\n");
+- return;
+- }
++ if (IS_ERR(rdev->debugfs))
++ rdev_dbg(rdev, "Failed to create debugfs directory\n");
+
+ debugfs_create_u32("use_count", 0444, rdev->debugfs,
+ &rdev->use_count);
+@@ -5938,7 +5934,7 @@ static int __init regulator_init(void)
+
+ debugfs_root = debugfs_create_dir("regulator", NULL);
+ if (IS_ERR(debugfs_root))
+- pr_warn("regulator: Failed to create debugfs directory\n");
++ pr_debug("regulator: Failed to create debugfs directory\n");
+
+ #ifdef CONFIG_DEBUG_FS
+ debugfs_create_file("supply_map", 0444, debugfs_root, NULL,
+--
+2.39.2
+
diff --git a/tmp-5.10/revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch b/tmp-5.10/revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch
new file mode 100644
index 00000000000..6c75b41db7a
--- /dev/null
+++ b/tmp-5.10/revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch
@@ -0,0 +1,139 @@ +From a82d62f708545d22859584e0e0620da8e3759bbc Mon Sep 17 00:00:00 2001 +From: Jiaqing Zhao +Date: Mon, 19 Jun 2023 15:57:44 +0000 +Subject: Revert "8250: add support for ASIX devices with a FIFO bug" + +From: Jiaqing Zhao + +commit a82d62f708545d22859584e0e0620da8e3759bbc upstream. + +This reverts commit eb26dfe8aa7eeb5a5aa0b7574550125f8aa4c3b3. + +Commit eb26dfe8aa7e ("8250: add support for ASIX devices with a FIFO +bug") merged on Jul 13, 2012 adds a quirk for PCI_VENDOR_ID_ASIX +(0x9710). But that ID is the same as PCI_VENDOR_ID_NETMOS defined in +1f8b061050c7 ("[PATCH] Netmos parallel/serial/combo support") merged +on Mar 28, 2005. In pci_serial_quirks array, the NetMos entry always +takes precedence over the ASIX entry even since it was initially +merged, code in that commit is always unreachable. + +In my tests, adding the FIFO workaround to pci_netmos_init() makes no +difference, and the vendor driver also does not have such workaround. +Given that the code was never used for over a decade, it's safe to +revert it. + +Also, the real PCI_VENDOR_ID_ASIX should be 0x125b, which is used on +their newer AX99100 PCIe serial controllers released on 2016. The FIFO +workaround should not be intended for these newer controllers, and it +was never implemented in vendor driver. 
+ +Fixes: eb26dfe8aa7e ("8250: add support for ASIX devices with a FIFO bug") +Cc: stable +Signed-off-by: Jiaqing Zhao +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230619155743.827859-1-jiaqing.zhao@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250.h | 1 - + drivers/tty/serial/8250/8250_pci.c | 19 ------------------- + drivers/tty/serial/8250/8250_port.c | 11 +++-------- + include/linux/serial_8250.h | 1 - + 4 files changed, 3 insertions(+), 29 deletions(-) + +--- a/drivers/tty/serial/8250/8250.h ++++ b/drivers/tty/serial/8250/8250.h +@@ -87,7 +87,6 @@ struct serial8250_config { + #define UART_BUG_TXEN (1 << 1) /* UART has buggy TX IIR status */ + #define UART_BUG_NOMSR (1 << 2) /* UART has buggy MSR status bits (Au1x00) */ + #define UART_BUG_THRE (1 << 3) /* UART has buggy THRE reassertion */ +-#define UART_BUG_PARITY (1 << 4) /* UART mishandles parity if FIFO enabled */ + #define UART_BUG_TXRACE (1 << 5) /* UART Tx fails to set remote DR */ + + +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -1044,14 +1044,6 @@ static int pci_oxsemi_tornado_init(struc + return number_uarts; + } + +-static int pci_asix_setup(struct serial_private *priv, +- const struct pciserial_board *board, +- struct uart_8250_port *port, int idx) +-{ +- port->bugs |= UART_BUG_PARITY; +- return pci_default_setup(priv, board, port, idx); +-} +- + /* Quatech devices have their own extra interface features */ + + struct quatech_feature { +@@ -1874,7 +1866,6 @@ pci_moxa_setup(struct serial_private *pr + #define PCI_DEVICE_ID_WCH_CH355_4S 0x7173 + #define PCI_VENDOR_ID_AGESTAR 0x5372 + #define PCI_DEVICE_ID_AGESTAR_9375 0x6872 +-#define PCI_VENDOR_ID_ASIX 0x9710 + #define PCI_DEVICE_ID_BROADCOM_TRUMANAGE 0x160a + #define PCI_DEVICE_ID_AMCC_ADDIDATA_APCI7800 0x818e + +@@ -2685,16 +2676,6 @@ static struct pci_serial_quirk pci_seria + .setup = pci_wch_ch38x_setup, + }, + /* +- * ASIX devices with FIFO bug +- 
*/ +- { +- .vendor = PCI_VENDOR_ID_ASIX, +- .device = PCI_ANY_ID, +- .subvendor = PCI_ANY_ID, +- .subdevice = PCI_ANY_ID, +- .setup = pci_asix_setup, +- }, +- /* + * Broadcom TruManage (NetXtreme) + */ + { +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2577,11 +2577,8 @@ static unsigned char serial8250_compute_ + + if (c_cflag & CSTOPB) + cval |= UART_LCR_STOP; +- if (c_cflag & PARENB) { ++ if (c_cflag & PARENB) + cval |= UART_LCR_PARITY; +- if (up->bugs & UART_BUG_PARITY) +- up->fifo_bug = true; +- } + if (!(c_cflag & PARODD)) + cval |= UART_LCR_EPAR; + #ifdef CMSPAR +@@ -2744,8 +2741,7 @@ serial8250_do_set_termios(struct uart_po + up->lcr = cval; /* Save computed LCR */ + + if (up->capabilities & UART_CAP_FIFO && port->fifosize > 1) { +- /* NOTE: If fifo_bug is not set, a user can set RX_trigger. */ +- if ((baud < 2400 && !up->dma) || up->fifo_bug) { ++ if (baud < 2400 && !up->dma) { + up->fcr &= ~UART_FCR_TRIGGER_MASK; + up->fcr |= UART_FCR_TRIGGER_1; + } +@@ -3081,8 +3077,7 @@ static int do_set_rxtrig(struct tty_port + struct uart_8250_port *up = up_to_u8250p(uport); + int rxtrig; + +- if (!(up->capabilities & UART_CAP_FIFO) || uport->fifosize <= 1 || +- up->fifo_bug) ++ if (!(up->capabilities & UART_CAP_FIFO) || uport->fifosize <= 1) + return -EINVAL; + + rxtrig = bytes_to_fcr_rxtrig(up, bytes); +--- a/include/linux/serial_8250.h ++++ b/include/linux/serial_8250.h +@@ -98,7 +98,6 @@ struct uart_8250_port { + struct list_head list; /* ports on this IRQ */ + u32 capabilities; /* port capabilities */ + unsigned short bugs; /* port bugs */ +- bool fifo_bug; /* min RX trigger if enabled */ + unsigned int tx_loadsz; /* transmit fifo load size */ + unsigned char acr; + unsigned char fcr; diff --git a/tmp-5.10/revert-f2fs-fix-potential-corruption-when-moving-a-directory.patch b/tmp-5.10/revert-f2fs-fix-potential-corruption-when-moving-a-directory.patch new file mode 100644 index 00000000000..1f5963ffc17 --- /dev/null 
+++ b/tmp-5.10/revert-f2fs-fix-potential-corruption-when-moving-a-directory.patch @@ -0,0 +1,66 @@ +From cde3c9d7e2a359e337216855dcb333a19daaa436 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 1 Jun 2023 12:58:23 +0200 +Subject: Revert "f2fs: fix potential corruption when moving a directory" + +From: Jan Kara + +commit cde3c9d7e2a359e337216855dcb333a19daaa436 upstream. + +This reverts commit d94772154e524b329a168678836745d2773a6e02. The +locking is going to be provided by VFS. + +CC: Jaegeuk Kim +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Message-Id: <20230601105830.13168-3-jack@suse.cz> +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/namei.c | 16 +--------------- + 1 file changed, 1 insertion(+), 15 deletions(-) + +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -969,20 +969,12 @@ static int f2fs_rename(struct inode *old + goto out; + } + +- /* +- * Copied from ext4_rename: we need to protect against old.inode +- * directory getting converted from inline directory format into +- * a normal one. +- */ +- if (S_ISDIR(old_inode->i_mode)) +- inode_lock_nested(old_inode, I_MUTEX_NONDIR2); +- + err = -ENOENT; + old_entry = f2fs_find_entry(old_dir, &old_dentry->d_name, &old_page); + if (!old_entry) { + if (IS_ERR(old_page)) + err = PTR_ERR(old_page); +- goto out_unlock_old; ++ goto out; + } + + if (S_ISDIR(old_inode->i_mode)) { +@@ -1090,9 +1082,6 @@ static int f2fs_rename(struct inode *old + + f2fs_unlock_op(sbi); + +- if (S_ISDIR(old_inode->i_mode)) +- inode_unlock(old_inode); +- + if (IS_DIRSYNC(old_dir) || IS_DIRSYNC(new_dir)) + f2fs_sync_fs(sbi->sb, 1); + +@@ -1107,9 +1096,6 @@ out_dir: + f2fs_put_page(old_dir_page, 0); + out_old: + f2fs_put_page(old_page, 0); +-out_unlock_old: +- if (S_ISDIR(old_inode->i_mode)) +- inode_unlock(old_inode); + out: + if (whiteout) + iput(whiteout); 
diff --git a/tmp-5.10/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch b/tmp-5.10/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch new file mode 100644 index 00000000000..281ca059aeb --- /dev/null +++ b/tmp-5.10/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch 
@@ -0,0 +1,113 @@ +From d1fa5bb6bc29cd8905517b4deeaed2ae8621e919 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 14:59:18 -0700 +Subject: Revert "tcp: avoid the lookup process failing to get sk in ehash + table" + +From: Kuniyuki Iwashima + +[ Upstream commit 81b3ade5d2b98ad6e0a473b0e1e420a801275592 ] + +This reverts commit 3f4ca5fafc08881d7a57daa20449d171f2887043. + +Commit 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in +ehash table") reversed the order in how a socket is inserted into ehash +to fix an issue that ehash-lookup could fail when reqsk/full sk/twsk are +swapped. However, it introduced another lookup failure. + +The full socket in ehash is allocated from a slab with SLAB_TYPESAFE_BY_RCU +and does not have SOCK_RCU_FREE, so the socket could be reused even while +it is being referenced on another CPU doing RCU lookup. + +Let's say a socket is reused and inserted into the same hash bucket during +lookup. After the blamed commit, a new socket is inserted at the end of +the list. If that happens, we will skip sockets placed after the previous +position of the reused socket, resulting in ehash lookup failure. + +As described in Documentation/RCU/rculist_nulls.rst, we should insert a +new socket at the head of the list to avoid such an issue. + +This issue, the swap-lookup-failure, and another variant reported in [0] +can all be handled properly by adding a locked ehash lookup suggested by +Eric Dumazet [1]. + +However, this issue could occur for every packet, thus more likely than +the other two races, so let's revert the change for now. 
+ +Link: https://lore.kernel.org/netdev/20230606064306.9192-1-duanmuquan@baidu.com/ [0] +Link: https://lore.kernel.org/netdev/CANn89iK8snOz8TYOhhwfimC7ykYA78GA3Nyv8x06SZYa1nKdyA@mail.gmail.com/ [1] +Fixes: 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in ehash table") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230717215918.15723-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 17 ++--------------- + net/ipv4/inet_timewait_sock.c | 8 ++++---- + 2 files changed, 6 insertions(+), 19 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 79bf550c9dfc5..ad050f8476b8e 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -571,20 +571,8 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + spin_lock(lock); + if (osk) { + WARN_ON_ONCE(sk->sk_hash != osk->sk_hash); +- ret = sk_hashed(osk); +- if (ret) { +- /* Before deleting the node, we insert a new one to make +- * sure that the look-up-sk process would not miss either +- * of them and that at least one node would exist in ehash +- * table all the time. Otherwise there's a tiny chance +- * that lookup process could find nothing in ehash table. 
+- */ +- __sk_nulls_add_node_tail_rcu(sk, list); +- sk_nulls_del_node_init_rcu(osk); +- } +- goto unlock; +- } +- if (found_dup_sk) { ++ ret = sk_nulls_del_node_init_rcu(osk); ++ } else if (found_dup_sk) { + *found_dup_sk = inet_ehash_lookup_by_sk(sk, list); + if (*found_dup_sk) + ret = false; +@@ -593,7 +581,6 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + if (ret) + __sk_nulls_add_node_rcu(sk, list); + +-unlock: + spin_unlock(lock); + + return ret; +diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c +index a00102d7c7fd4..c411c87ae865f 100644 +--- a/net/ipv4/inet_timewait_sock.c ++++ b/net/ipv4/inet_timewait_sock.c +@@ -81,10 +81,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw) + } + EXPORT_SYMBOL_GPL(inet_twsk_put); + +-static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw, +- struct hlist_nulls_head *list) ++static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw, ++ struct hlist_nulls_head *list) + { +- hlist_nulls_add_tail_rcu(&tw->tw_node, list); ++ hlist_nulls_add_head_rcu(&tw->tw_node, list); + } + + static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw, +@@ -120,7 +120,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk, + + spin_lock(lock); + +- inet_twsk_add_node_tail_rcu(tw, &ehead->chain); ++ inet_twsk_add_node_rcu(tw, &ehead->chain); + + /* Step 3: Remove SK from hash chain */ + if (__sk_nulls_del_node_init_rcu(sk)) +-- +2.39.2 + diff --git a/tmp-5.10/revert-thermal-drivers-mediatek-use-devm_of_iomap-to-avoid-resource-leak-in-mtk_thermal_probe.patch b/tmp-5.10/revert-thermal-drivers-mediatek-use-devm_of_iomap-to-avoid-resource-leak-in-mtk_thermal_probe.patch new file mode 100644 index 00000000000..7286d40867a --- /dev/null +++ b/tmp-5.10/revert-thermal-drivers-mediatek-use-devm_of_iomap-to-avoid-resource-leak-in-mtk_thermal_probe.patch 
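Review bot: In `inet_twsk_add_node_rcu()` (net/ipv4/inet_timewait_sock.c) the switch back to `hlist_nulls_add_head_rcu()` carries no comment, although the commit message explains that head insertion is what keeps the lockless ehash lookup correct when a SLAB_TYPESAFE_BY_RCU socket is reused in the same bucket. I would add `/* Insert at the head, see Documentation/RCU/rculist_nulls.rst: tail insertion lets a lookup skip entries when a socket is reused */` above that call, so the tail variant is not reintroduced by a later cleanup. The message also says the swap-lookup race addressed by the reverted commit returns until a locked ehash lookup is added, so that follow-up should be tracked for this branch. `inet_ehash_insert()` and `inet_twsk_hashdance()` both extend outside the hunks shown.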
@@ -0,0 +1,61 @@ +From 86edac7d3888c715fe3a81bd61f3617ecfe2e1dd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo?= +Date: Thu, 25 May 2023 14:18:11 +0200 +Subject: Revert "thermal/drivers/mediatek: Use devm_of_iomap to avoid resource leak in mtk_thermal_probe" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo Cañuelo + +commit 86edac7d3888c715fe3a81bd61f3617ecfe2e1dd upstream. + +This reverts commit f05c7b7d9ea9477fcc388476c6f4ade8c66d2d26. + +That change was causing a regression in the generic-adc-thermal-probed +bootrr test as reported in the kernelci-results list [1]. +A proper rework will take longer, so revert it for now. + +[1] https://groups.io/g/kernelci-results/message/42660 + +Fixes: f05c7b7d9ea9 ("thermal/drivers/mediatek: Use devm_of_iomap to avoid resource leak in mtk_thermal_probe") +Signed-off-by: Ricardo Cañuelo +Suggested-by: AngeloGioacchino Del Regno +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20230525121811.3360268-1-ricardo.canuelo@collabora.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/mtk_thermal.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +--- a/drivers/thermal/mtk_thermal.c ++++ b/drivers/thermal/mtk_thermal.c +@@ -1026,12 +1026,7 @@ static int mtk_thermal_probe(struct plat + return -ENODEV; + } + +- auxadc_base = devm_of_iomap(&pdev->dev, auxadc, 0, NULL); +- if (IS_ERR(auxadc_base)) { +- of_node_put(auxadc); +- return PTR_ERR(auxadc_base); +- } +- ++ auxadc_base = of_iomap(auxadc, 0); + auxadc_phys_base = of_get_phys_base(auxadc); + + of_node_put(auxadc); +@@ -1047,12 +1042,7 @@ static int mtk_thermal_probe(struct plat + return -ENODEV; + } + +- apmixed_base = devm_of_iomap(&pdev->dev, apmixedsys, 0, NULL); +- if (IS_ERR(apmixed_base)) { +- of_node_put(apmixedsys); +- return PTR_ERR(apmixed_base); +- } +- ++ apmixed_base = of_iomap(apmixedsys, 0); + 
apmixed_phys_base = of_get_phys_base(apmixedsys); + + of_node_put(apmixedsys); diff --git a/tmp-5.10/revert-usb-common-usb-conn-gpio-set-last-role-to-unk.patch b/tmp-5.10/revert-usb-common-usb-conn-gpio-set-last-role-to-unk.patch new file mode 100644 index 00000000000..74894f2ad38 --- /dev/null +++ b/tmp-5.10/revert-usb-common-usb-conn-gpio-set-last-role-to-unk.patch 
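Review bot: After this revert the results of `of_iomap(auxadc, 0)` and `of_iomap(apmixedsys, 0)` in `mtk_thermal_probe()` are not checked in the visible lines, whereas the removed code returned early on `IS_ERR()`. `of_iomap()` returns NULL on failure, so unless a check exists further down (the function continues outside both hunks) a failed mapping could reach the later register accesses; a minimal guard is `if (!auxadc_base) { of_node_put(auxadc); return -ENOMEM; }`, with the same for `apmixed_base`. The revert also restores the unmanaged mapping that the reverted commit described as a resource leak, so an `iounmap()` on the error and remove paths is still owed when the proper rework mentioned in the description lands.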
@@ -0,0 +1,98 @@ +From 5378cc17c09e9dfef20e89a34d6051dbc80a0651 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 11:30:35 +0200 +Subject: Revert "usb: common: usb-conn-gpio: Set last role to unknown before + initial detection" + +From: Greg Kroah-Hartman + +[ Upstream commit df49f2a0ac4a34c0cb4b5c233fcfa0add644c43c ] + +This reverts commit edd60d24bd858cef165274e4cd6cab43bdc58d15. + +Heikki reports that this should not be a global flag just to work around +one broken driver and should be fixed differently, so revert it. + +Reported-by: Heikki Krogerus +Fixes: edd60d24bd85 ("usb: common: usb-conn-gpio: Set last role to unknown before initial detection") +Link: https://lore.kernel.org/r/ZImE4L3YgABnCIsP@kuha.fi.intel.com +Cc: Prashanth K +Cc: AngeloGioacchino Del Regno +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/cdns3/core.c | 2 -- + drivers/usb/common/usb-conn-gpio.c | 3 --- + drivers/usb/musb/jz4740.c | 2 -- + drivers/usb/roles/intel-xhci-usb-role-switch.c | 2 -- + include/linux/usb/role.h | 1 - + 5 files changed, 10 deletions(-) + +diff --git a/drivers/usb/cdns3/core.c b/drivers/usb/cdns3/core.c +index e5fe640b2bb01..8fe7420de033d 100644 +--- a/drivers/usb/cdns3/core.c ++++ b/drivers/usb/cdns3/core.c +@@ -243,8 +243,6 @@ static enum usb_role cdns3_hw_role_state_machine(struct cdns3 *cdns) + if (!vbus) + role = USB_ROLE_NONE; + break; +- default: +- break; + } + + dev_dbg(cdns->dev, "role %d -> %d\n", cdns->role, role); +diff --git a/drivers/usb/common/usb-conn-gpio.c b/drivers/usb/common/usb-conn-gpio.c +index 5754e467c16a8..c9545a4eff664 100644 +--- a/drivers/usb/common/usb-conn-gpio.c ++++ b/drivers/usb/common/usb-conn-gpio.c +@@ -276,9 +276,6 @@ static int usb_conn_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, info); + +- /* Set last role to unknown before performing the initial detection */ +- info->last_role = USB_ROLE_UNKNOWN; +- + /* Perform initial detection */ + 
usb_conn_queue_dwork(info, 0); + +diff --git a/drivers/usb/musb/jz4740.c b/drivers/usb/musb/jz4740.c +index f283629091ec4..c4fe1f4cd17a3 100644 +--- a/drivers/usb/musb/jz4740.c ++++ b/drivers/usb/musb/jz4740.c +@@ -91,8 +91,6 @@ static int jz4740_musb_role_switch_set(struct usb_role_switch *sw, + case USB_ROLE_HOST: + atomic_notifier_call_chain(&phy->notifier, USB_EVENT_ID, phy); + break; +- default: +- break; + } + + return 0; +diff --git a/drivers/usb/roles/intel-xhci-usb-role-switch.c b/drivers/usb/roles/intel-xhci-usb-role-switch.c +index 4d6a3dd06e011..5c96e929acea0 100644 +--- a/drivers/usb/roles/intel-xhci-usb-role-switch.c ++++ b/drivers/usb/roles/intel-xhci-usb-role-switch.c +@@ -97,8 +97,6 @@ static int intel_xhci_usb_set_role(struct usb_role_switch *sw, + val |= SW_VBUS_VALID; + drd_config = DRD_CONFIG_STATIC_DEVICE; + break; +- default: +- break; + } + val |= SW_IDPIN_EN; + if (data->enable_sw_switch) { +diff --git a/include/linux/usb/role.h b/include/linux/usb/role.h +index aecfce46d3544..b9ccaeb8a4aef 100644 +--- a/include/linux/usb/role.h ++++ b/include/linux/usb/role.h +@@ -11,7 +11,6 @@ enum usb_role { + USB_ROLE_NONE, + USB_ROLE_HOST, + USB_ROLE_DEVICE, +- USB_ROLE_UNKNOWN, + }; + + typedef int (*usb_role_switch_set_t)(struct usb_role_switch *sw, +-- +2.39.2 + diff --git a/tmp-5.10/ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch b/tmp-5.10/ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch new file mode 100644 index 00000000000..682154f93ed --- /dev/null +++ b/tmp-5.10/ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch 
@@ -0,0 +1,128 @@ +From 7e42907f3a7b4ce3a2d1757f6d78336984daf8f5 Mon Sep 17 00:00:00 2001 +From: Zheng Yejian +Date: Sun, 9 Jul 2023 06:51:44 +0800 +Subject: ring-buffer: Fix deadloop issue on reading trace_pipe + +From: Zheng Yejian + +commit 7e42907f3a7b4ce3a2d1757f6d78336984daf8f5 upstream. + +Soft lockup occurs when reading file 'trace_pipe': + + watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [cat:4488] + [...] + RIP: 0010:ring_buffer_empty_cpu+0xed/0x170 + RSP: 0018:ffff88810dd6fc48 EFLAGS: 00000246 + RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff93d1aaeb + RDX: ffff88810a280040 RSI: 0000000000000008 RDI: ffff88811164b218 + RBP: ffff88811164b218 R08: 0000000000000000 R09: ffff88815156600f + R10: ffffed102a2acc01 R11: 0000000000000001 R12: 0000000051651901 + R13: 0000000000000000 R14: ffff888115e49500 R15: 0000000000000000 + [...] + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f8d853c2000 CR3: 000000010dcd8000 CR4: 00000000000006e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + __find_next_entry+0x1a8/0x4b0 + ? peek_next_entry+0x250/0x250 + ? down_write+0xa5/0x120 + ? down_write_killable+0x130/0x130 + trace_find_next_entry_inc+0x3b/0x1d0 + tracing_read_pipe+0x423/0xae0 + ? tracing_splice_read_pipe+0xcb0/0xcb0 + vfs_read+0x16b/0x490 + ksys_read+0x105/0x210 + ? __ia32_sys_pwrite64+0x200/0x200 + ? switch_fpu_return+0x108/0x220 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +Through the vmcore, I found it's because in tracing_read_pipe(), +ring_buffer_empty_cpu() found some buffer is not empty but then it +cannot read anything due to "rb_num_of_entries() == 0" always true, +Then it infinitely loop the procedure due to user buffer not been +filled, see following code path: + + tracing_read_pipe() { + ... ... + waitagain: + tracing_wait_pipe() // 1. find non-empty buffer here + trace_find_next_entry_inc() // 2. 
loop here try to find an entry + __find_next_entry() + ring_buffer_empty_cpu(); // 3. find non-empty buffer + peek_next_entry() // 4. but peek always return NULL + ring_buffer_peek() + rb_buffer_peek() + rb_get_reader_page() + // 5. because rb_num_of_entries() == 0 always true here + // then return NULL + // 6. user buffer not been filled so goto 'waitgain' + // and eventually leads to an deadloop in kernel!!! + } + +By some analyzing, I found that when resetting ringbuffer, the 'entries' +of its pages are not all cleared (see rb_reset_cpu()). Then when reducing +the ringbuffer, and if some reduced pages exist dirty 'entries' data, they +will be added into 'cpu_buffer->overrun' (see rb_remove_pages()), which +cause wrong 'overrun' count and eventually cause the deadloop issue. + +To fix it, we need to clear every pages in rb_reset_cpu(). + +Link: https://lore.kernel.org/linux-trace-kernel/20230708225144.3785600-1-zhengyejian1@huawei.com + +Cc: stable@vger.kernel.org +Fixes: a5fb833172eca ("ring-buffer: Fix uninitialized read_stamp") +Signed-off-by: Zheng Yejian +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -4954,28 +4954,34 @@ unsigned long ring_buffer_size(struct tr + } + EXPORT_SYMBOL_GPL(ring_buffer_size); + ++static void rb_clear_buffer_page(struct buffer_page *page) ++{ ++ local_set(&page->write, 0); ++ local_set(&page->entries, 0); ++ rb_init_page(page->page); ++ page->read = 0; ++} ++ + static void + rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) + { ++ struct buffer_page *page; ++ + rb_head_page_deactivate(cpu_buffer); + + cpu_buffer->head_page + = list_entry(cpu_buffer->pages, struct buffer_page, list); +- local_set(&cpu_buffer->head_page->write, 0); +- local_set(&cpu_buffer->head_page->entries, 0); +- 
local_set(&cpu_buffer->head_page->page->commit, 0); +- +- cpu_buffer->head_page->read = 0; ++ rb_clear_buffer_page(cpu_buffer->head_page); ++ list_for_each_entry(page, cpu_buffer->pages, list) { ++ rb_clear_buffer_page(page); ++ } + + cpu_buffer->tail_page = cpu_buffer->head_page; + cpu_buffer->commit_page = cpu_buffer->head_page; + + INIT_LIST_HEAD(&cpu_buffer->reader_page->list); + INIT_LIST_HEAD(&cpu_buffer->new_pages); +- local_set(&cpu_buffer->reader_page->write, 0); +- local_set(&cpu_buffer->reader_page->entries, 0); +- local_set(&cpu_buffer->reader_page->page->commit, 0); +- cpu_buffer->reader_page->read = 0; ++ rb_clear_buffer_page(cpu_buffer->reader_page); + + local_set(&cpu_buffer->entries_bytes, 0); + local_set(&cpu_buffer->overrun, 0); diff --git a/tmp-5.10/riscv-bpf-avoid-breaking-w-x.patch b/tmp-5.10/riscv-bpf-avoid-breaking-w-x.patch new file mode 100644 index 00000000000..dc317b5c188 --- /dev/null +++ b/tmp-5.10/riscv-bpf-avoid-breaking-w-x.patch 
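Review bot: In `rb_reset_cpu()` the explicit `rb_clear_buffer_page(cpu_buffer->head_page)` just before the `list_for_each_entry()` walk looks redundant but is not, and nothing in the new code says why. `head_page` is obtained from `cpu_buffer->pages` with `list_entry()`, so that pointer is itself the iteration head and the loop never visits the page that embeds it. A one-line comment such as `/* the walk starts at head_page's own list node and therefore skips head_page */` would keep someone from deleting the first call and bringing back stale `entries` counts. As a style point, kernel coding style omits the braces around the single-statement loop body. `rb_reset_cpu()` continues outside the hunk.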
@@ -0,0 +1,45 @@ +From 4050c9f9f0d0ac97014d29d95259e3be1ebede8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Mar 2021 02:25:21 +0800 +Subject: riscv: bpf: Avoid breaking W^X + +From: Jisheng Zhang + +[ Upstream commit fc8504765ec5e812135b8ccafca7101069a0c6d8 ] + +We allocate Non-executable pages, then call bpf_jit_binary_lock_ro() +to enable executable permission after mapping them read-only. This is +to prepare for STRICT_MODULE_RWX in following patch. + +Signed-off-by: Jisheng Zhang +Signed-off-by: Palmer Dabbelt +Stable-dep-of: c56fb2aab235 ("riscv, bpf: Fix inconsistent JIT image generation") +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c +index e295c9eed9e93..5d247198c30d3 100644 +--- a/arch/riscv/net/bpf_jit_core.c ++++ b/arch/riscv/net/bpf_jit_core.c +@@ -153,6 +153,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + bpf_flush_icache(jit_data->header, ctx->insns + ctx->ninsns); + + if (!prog->is_func || extra_pass) { ++ bpf_jit_binary_lock_ro(jit_data->header); + out_offset: + kfree(ctx->offset); + kfree(jit_data); +@@ -170,7 +171,7 @@ void *bpf_jit_alloc_exec(unsigned long size) + { + return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START, + BPF_JIT_REGION_END, GFP_KERNEL, +- PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, ++ PAGE_KERNEL, 0, NUMA_NO_NODE, + __builtin_return_address(0)); + } + +-- +2.39.2 + diff --git a/tmp-5.10/riscv-bpf-fix-inconsistent-jit-image-generation.patch b/tmp-5.10/riscv-bpf-fix-inconsistent-jit-image-generation.patch new file mode 100644 index 00000000000..96f8fc15ac6 --- /dev/null +++ b/tmp-5.10/riscv-bpf-fix-inconsistent-jit-image-generation.patch 
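Review bot: With `bpf_jit_alloc_exec()` now allocating `PAGE_KERNEL` instead of `PAGE_KERNEL_EXEC`, the JIT image only becomes executable through the `bpf_jit_binary_lock_ro(jit_data->header)` call added under `if (!prog->is_func || extra_pass)` in `bpf_int_jit_compile()`, and neither site documents that coupling. I would add `/* Allocated non-executable; bpf_jit_binary_lock_ro() makes the finished image RO+X */` above the `__vmalloc_node_range()` call and `/* No writes to the image after this point */` at the lock call. The permission change is taken from the commit message; the helper's body is not on this page, so whether it can fail and needs a return check in this tree should be confirmed. `bpf_int_jit_compile()` starts outside the hunk.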
@@ -0,0 +1,137 @@ +From 1630d20fd0e8a85705dd35377dedae41556087dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 09:41:31 +0200 +Subject: riscv, bpf: Fix inconsistent JIT image generation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Björn Töpel + +[ Upstream commit c56fb2aab23505bb7160d06097c8de100b82b851 ] + +In order to generate the prologue and epilogue, the BPF JIT needs to +know which registers that are clobbered. Therefore, the during +pre-final passes, the prologue is generated after the body of the +program body-prologue-epilogue. Then, in the final pass, a proper +prologue-body-epilogue JITted image is generated. + +This scheme has worked most of the time. However, for some large +programs with many jumps, e.g. the test_kmod.sh BPF selftest with +hardening enabled (blinding constants), this has shown to be +incorrect. For the final pass, when the proper prologue-body-epilogue +is generated, the image has not converged. This will lead to that the +final image will have incorrect jump offsets. The following is an +excerpt from an incorrect image: + + | ... + | 3b8: 00c50663 beq a0,a2,3c4 <.text+0x3c4> + | 3bc: 0020e317 auipc t1,0x20e + | 3c0: 49630067 jalr zero,1174(t1) # 20e852 <.text+0x20e852> + | ... + | 20e84c: 8796 c.mv a5,t0 + | 20e84e: 6422 c.ldsp s0,8(sp) # Epilogue start + | 20e850: 6141 c.addi16sp sp,16 + | 20e852: 853e c.mv a0,a5 # Incorrect jump target + | 20e854: 8082 c.jr ra + +The image has shrunk, and the epilogue offset is incorrect in the +final pass. + +Correct the problem by always generating proper prologue-body-epilogue +outputs, which means that the first pass will only generate the body +to track what registers that are touched. 
+ +Fixes: 2353ecc6f91f ("bpf, riscv: add BPF JIT for RV64G") +Signed-off-by: Björn Töpel +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20230710074131.19596-1-bjorn@kernel.org +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit.h | 6 +++--- + arch/riscv/net/bpf_jit_core.c | 19 +++++++++++++------ + 2 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/arch/riscv/net/bpf_jit.h b/arch/riscv/net/bpf_jit.h +index ab0cd6d10ccf3..ef336fe160044 100644 +--- a/arch/riscv/net/bpf_jit.h ++++ b/arch/riscv/net/bpf_jit.h +@@ -69,7 +69,7 @@ struct rv_jit_context { + struct bpf_prog *prog; + u16 *insns; /* RV insns */ + int ninsns; +- int body_len; ++ int prologue_len; + int epilogue_offset; + int *offset; /* BPF to RV */ + unsigned long flags; +@@ -215,8 +215,8 @@ static inline int rv_offset(int insn, int off, struct rv_jit_context *ctx) + int from, to; + + off++; /* BPF branch is from PC+1, RV is from PC */ +- from = (insn > 0) ? ctx->offset[insn - 1] : 0; +- to = (insn + off > 0) ? ctx->offset[insn + off - 1] : 0; ++ from = (insn > 0) ? ctx->offset[insn - 1] : ctx->prologue_len; ++ to = (insn + off > 0) ? 
ctx->offset[insn + off - 1] : ctx->prologue_len; + return ninsns_rvoff(to - from); + } + +diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c +index 750b15c319d5d..ef17bc8055d4c 100644 +--- a/arch/riscv/net/bpf_jit_core.c ++++ b/arch/riscv/net/bpf_jit_core.c +@@ -43,7 +43,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + { + bool tmp_blinded = false, extra_pass = false; + struct bpf_prog *tmp, *orig_prog = prog; +- int pass = 0, prev_ninsns = 0, prologue_len, i; ++ int pass = 0, prev_ninsns = 0, i; + struct rv_jit_data *jit_data; + struct rv_jit_context *ctx; + unsigned int image_size = 0; +@@ -83,6 +83,12 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + prog = orig_prog; + goto out_offset; + } ++ ++ if (build_body(ctx, extra_pass, NULL)) { ++ prog = orig_prog; ++ goto out_offset; ++ } ++ + for (i = 0; i < prog->len; i++) { + prev_ninsns += 32; + ctx->offset[i] = prev_ninsns; +@@ -91,12 +97,15 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + for (i = 0; i < NR_JIT_ITERATIONS; i++) { + pass++; + ctx->ninsns = 0; ++ ++ bpf_jit_build_prologue(ctx); ++ ctx->prologue_len = ctx->ninsns; ++ + if (build_body(ctx, extra_pass, ctx->offset)) { + prog = orig_prog; + goto out_offset; + } +- ctx->body_len = ctx->ninsns; +- bpf_jit_build_prologue(ctx); ++ + ctx->epilogue_offset = ctx->ninsns; + bpf_jit_build_epilogue(ctx); + +@@ -155,10 +164,8 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + + if (!prog->is_func || extra_pass) { + bpf_jit_binary_lock_ro(jit_data->header); +- prologue_len = ctx->epilogue_offset - ctx->body_len; + for (i = 0; i < prog->len; i++) +- ctx->offset[i] = ninsns_rvoff(prologue_len + +- ctx->offset[i]); ++ ctx->offset[i] = ninsns_rvoff(ctx->offset[i]); + bpf_prog_fill_jited_linfo(prog, ctx->offset); + out_offset: + kfree(ctx->offset); +-- +2.39.2 + 
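Review bot: The new field `int prologue_len;` in `struct rv_jit_context` has no comment while its neighbours `insns` and `offset` do, and its unit matters because `rv_offset()` now mixes it with `ctx->offset[]` entries before calling `ninsns_rvoff()`. Suggest `int prologue_len; /* in ninsns units, like offset[]; set at the start of every pass */`, which matches the assignment `ctx->prologue_len = ctx->ninsns;` in `bpf_int_jit_compile()`. The added body-only call `build_body(ctx, extra_pass, NULL)` would also benefit from `/* Dry run: record which registers the body touches so the prologue has its final size from the first pass */`, as the commit message describes. Both functions extend beyond the hunks shown.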
diff --git a/tmp-5.10/riscv-bpf-move-bpf_jit_alloc_exec-and-bpf_jit_free_e.patch b/tmp-5.10/riscv-bpf-move-bpf_jit_alloc_exec-and-bpf_jit_free_e.patch new file mode 100644 index 00000000000..1166c62f4d7 --- /dev/null +++ b/tmp-5.10/riscv-bpf-move-bpf_jit_alloc_exec-and-bpf_jit_free_e.patch 
@@ -0,0 +1,69 @@ +From 6d498f474443359b0bee68babcd44efc6cf38cbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Mar 2021 02:24:54 +0800 +Subject: riscv: bpf: Move bpf_jit_alloc_exec() and bpf_jit_free_exec() to core + +From: Jisheng Zhang + +[ Upstream commit 1d27d854425faec98f352cf88ec3e2a8844429a4 ] + +We will drop the executable permissions of the code pages from the +mapping at allocation time soon. Move bpf_jit_alloc_exec() and +bpf_jit_free_exec() to bpf_jit_core.c so that they can be shared by +both RV64I and RV32I. + +Signed-off-by: Jisheng Zhang +Acked-by: Luke Nelson +Signed-off-by: Palmer Dabbelt +Stable-dep-of: c56fb2aab235 ("riscv, bpf: Fix inconsistent JIT image generation") +Signed-off-by: Sasha Levin +--- + arch/riscv/net/bpf_jit_comp64.c | 13 ------------- + arch/riscv/net/bpf_jit_core.c | 13 +++++++++++++ + 2 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c +index c113ae818b14e..053dc83e323b6 100644 +--- a/arch/riscv/net/bpf_jit_comp64.c ++++ b/arch/riscv/net/bpf_jit_comp64.c +@@ -1144,16 +1144,3 @@ void bpf_jit_build_epilogue(struct rv_jit_context *ctx) + { + __build_epilogue(false, ctx); + } +- +-void *bpf_jit_alloc_exec(unsigned long size) +-{ +- return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START, +- BPF_JIT_REGION_END, GFP_KERNEL, +- PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, +- __builtin_return_address(0)); +-} +- +-void bpf_jit_free_exec(void *addr) +-{ +- return vfree(addr); +-} +diff --git a/arch/riscv/net/bpf_jit_core.c b/arch/riscv/net/bpf_jit_core.c +index cbf7d2414886e..e295c9eed9e93 100644 +--- a/arch/riscv/net/bpf_jit_core.c ++++ b/arch/riscv/net/bpf_jit_core.c +@@ -165,3 +165,16 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog) + tmp : orig_prog); + return prog; + } ++ ++void *bpf_jit_alloc_exec(unsigned long size) ++{ ++ return __vmalloc_node_range(size, PAGE_SIZE, BPF_JIT_REGION_START, ++ BPF_JIT_REGION_END, GFP_KERNEL, 
++ PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE, ++ __builtin_return_address(0)); ++} ++ ++void bpf_jit_free_exec(void *addr) ++{ ++ return vfree(addr); ++} +-- +2.39.2 + diff --git a/tmp-5.10/rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch b/tmp-5.10/rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch new file mode 100644 index 00000000000..3dd0e8dfc8c --- /dev/null +++ b/tmp-5.10/rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch @@ -0,0 +1,40 @@ +From 4b0af61a4ee065f767f031ad661c1d87dfca9472 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 21:11:42 +0200 +Subject: rtc: st-lpc: Release some resources in st_rtc_probe() in case of + error + +From: Christophe JAILLET + +[ Upstream commit 06c6e1b01d9261f03629cefd1f3553503291e6cf ] + +If an error occurs after clk_get(), the corresponding resources should be +released. + +Use devm_clk_get() to fix it. + +Fixes: b5b2bdfc2893 ("rtc: st: Add new driver for ST's LPC RTC") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/866af6adbc7454a7b4505eb6c28fbdc86ccff39e.1686251455.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-st-lpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-st-lpc.c b/drivers/rtc/rtc-st-lpc.c +index 7d53f7e2febcc..c4ea3f3f08844 100644 +--- a/drivers/rtc/rtc-st-lpc.c ++++ b/drivers/rtc/rtc-st-lpc.c +@@ -228,7 +228,7 @@ static int st_rtc_probe(struct platform_device *pdev) + enable_irq_wake(rtc->irq); + disable_irq(rtc->irq); + +- rtc->clk = clk_get(&pdev->dev, NULL); ++ rtc->clk = devm_clk_get(&pdev->dev, NULL); + if (IS_ERR(rtc->clk)) { + dev_err(&pdev->dev, "Unable to request clock\n"); + return PTR_ERR(rtc->clk); +-- +2.39.2 + diff --git a/tmp-5.10/rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch b/tmp-5.10/rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch new file mode 100644 index 00000000000..343eca25c18 --- /dev/null 
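Review bot: In the rtc-st-lpc change, the `return PTR_ERR(rtc->clk);` path right after the new `devm_clk_get()` still leaves the `enable_irq_wake(rtc->irq)` from a few lines earlier unbalanced, so a probe that fails on the clock appears to exit with wake still enabled on that IRQ. The managed getter fixes the clock reference but not this; a `disable_irq_wake(rtc->irq);` before the return would. It is also worth confirming that no `clk_put(rtc->clk)` remains in the remove path or later error paths, since with the managed getter that would drop the reference twice. st_rtc_probe() starts and ends outside the hunk, so both points need checking against the full function.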
+++ b/tmp-5.10/rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch 
@@ -0,0 +1,167 @@ +From 4f48749d354cf146c71193323ebd3fdcded68944 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Jun 2023 13:51:08 +0300 +Subject: rtnetlink: extend RTEXT_FILTER_SKIP_STATS to IFLA_VF_INFO + +From: Edwin Peer + +[ Upstream commit fa0e21fa44438a0e856d42224bfa24641d37b979 ] + +This filter already exists for excluding IPv6 SNMP stats. Extend its +definition to also exclude IFLA_VF_INFO stats in RTM_GETLINK. + +This patch constitutes a partial fix for a netlink attribute nesting +overflow bug in IFLA_VFINFO_LIST. By excluding the stats when the +requester doesn't need them, the truncation of the VF list is avoided. + +While it was technically only the stats added in commit c5a9f6f0ab40 +("net/core: Add drop counters to VF statistics") breaking the camel's +back, the appreciable size of the stats data should never have been +included without due consideration for the maximum number of VFs +supported by PCI. + +Fixes: 3b766cd83232 ("net/core: Add reading VF statistics through the PF netdevice") +Fixes: c5a9f6f0ab40 ("net/core: Add drop counters to VF statistics") +Signed-off-by: Edwin Peer +Cc: Edwin Peer +Signed-off-by: Gal Pressman +Link: https://lore.kernel.org/r/20230611105108.122586-1-gal@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 96 +++++++++++++++++++++++--------------------- + 1 file changed, 51 insertions(+), 45 deletions(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 3c9c2d6e3b92e..888ff53c8144d 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -929,24 +929,27 @@ static inline int rtnl_vfinfo_size(const struct net_device *dev, + nla_total_size(sizeof(struct ifla_vf_rate)) + + nla_total_size(sizeof(struct ifla_vf_link_state)) + + nla_total_size(sizeof(struct ifla_vf_rss_query_en)) + +- nla_total_size(0) + /* nest IFLA_VF_STATS */ +- /* IFLA_VF_STATS_RX_PACKETS */ +- nla_total_size_64bit(sizeof(__u64)) + +- /* IFLA_VF_STATS_TX_PACKETS */ +- 
nla_total_size_64bit(sizeof(__u64)) + +- /* IFLA_VF_STATS_RX_BYTES */ +- nla_total_size_64bit(sizeof(__u64)) + +- /* IFLA_VF_STATS_TX_BYTES */ +- nla_total_size_64bit(sizeof(__u64)) + +- /* IFLA_VF_STATS_BROADCAST */ +- nla_total_size_64bit(sizeof(__u64)) + +- /* IFLA_VF_STATS_MULTICAST */ +- nla_total_size_64bit(sizeof(__u64)) + +- /* IFLA_VF_STATS_RX_DROPPED */ +- nla_total_size_64bit(sizeof(__u64)) + +- /* IFLA_VF_STATS_TX_DROPPED */ +- nla_total_size_64bit(sizeof(__u64)) + + nla_total_size(sizeof(struct ifla_vf_trust))); ++ if (~ext_filter_mask & RTEXT_FILTER_SKIP_STATS) { ++ size += num_vfs * ++ (nla_total_size(0) + /* nest IFLA_VF_STATS */ ++ /* IFLA_VF_STATS_RX_PACKETS */ ++ nla_total_size_64bit(sizeof(__u64)) + ++ /* IFLA_VF_STATS_TX_PACKETS */ ++ nla_total_size_64bit(sizeof(__u64)) + ++ /* IFLA_VF_STATS_RX_BYTES */ ++ nla_total_size_64bit(sizeof(__u64)) + ++ /* IFLA_VF_STATS_TX_BYTES */ ++ nla_total_size_64bit(sizeof(__u64)) + ++ /* IFLA_VF_STATS_BROADCAST */ ++ nla_total_size_64bit(sizeof(__u64)) + ++ /* IFLA_VF_STATS_MULTICAST */ ++ nla_total_size_64bit(sizeof(__u64)) + ++ /* IFLA_VF_STATS_RX_DROPPED */ ++ nla_total_size_64bit(sizeof(__u64)) + ++ /* IFLA_VF_STATS_TX_DROPPED */ ++ nla_total_size_64bit(sizeof(__u64))); ++ } + return size; + } else + return 0; +@@ -1221,7 +1224,8 @@ static noinline_for_stack int rtnl_fill_stats(struct sk_buff *skb, + static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb, + struct net_device *dev, + int vfs_num, +- struct nlattr *vfinfo) ++ struct nlattr *vfinfo, ++ u32 ext_filter_mask) + { + struct ifla_vf_rss_query_en vf_rss_query_en; + struct nlattr *vf, *vfstats, *vfvlanlist; +@@ -1327,33 +1331,35 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb, + goto nla_put_vf_failure; + } + nla_nest_end(skb, vfvlanlist); +- memset(&vf_stats, 0, sizeof(vf_stats)); +- if (dev->netdev_ops->ndo_get_vf_stats) +- dev->netdev_ops->ndo_get_vf_stats(dev, vfs_num, +- &vf_stats); +- vfstats = 
nla_nest_start_noflag(skb, IFLA_VF_STATS); +- if (!vfstats) +- goto nla_put_vf_failure; +- if (nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_PACKETS, +- vf_stats.rx_packets, IFLA_VF_STATS_PAD) || +- nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_PACKETS, +- vf_stats.tx_packets, IFLA_VF_STATS_PAD) || +- nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_BYTES, +- vf_stats.rx_bytes, IFLA_VF_STATS_PAD) || +- nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_BYTES, +- vf_stats.tx_bytes, IFLA_VF_STATS_PAD) || +- nla_put_u64_64bit(skb, IFLA_VF_STATS_BROADCAST, +- vf_stats.broadcast, IFLA_VF_STATS_PAD) || +- nla_put_u64_64bit(skb, IFLA_VF_STATS_MULTICAST, +- vf_stats.multicast, IFLA_VF_STATS_PAD) || +- nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_DROPPED, +- vf_stats.rx_dropped, IFLA_VF_STATS_PAD) || +- nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_DROPPED, +- vf_stats.tx_dropped, IFLA_VF_STATS_PAD)) { +- nla_nest_cancel(skb, vfstats); +- goto nla_put_vf_failure; ++ if (~ext_filter_mask & RTEXT_FILTER_SKIP_STATS) { ++ memset(&vf_stats, 0, sizeof(vf_stats)); ++ if (dev->netdev_ops->ndo_get_vf_stats) ++ dev->netdev_ops->ndo_get_vf_stats(dev, vfs_num, ++ &vf_stats); ++ vfstats = nla_nest_start_noflag(skb, IFLA_VF_STATS); ++ if (!vfstats) ++ goto nla_put_vf_failure; ++ if (nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_PACKETS, ++ vf_stats.rx_packets, IFLA_VF_STATS_PAD) || ++ nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_PACKETS, ++ vf_stats.tx_packets, IFLA_VF_STATS_PAD) || ++ nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_BYTES, ++ vf_stats.rx_bytes, IFLA_VF_STATS_PAD) || ++ nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_BYTES, ++ vf_stats.tx_bytes, IFLA_VF_STATS_PAD) || ++ nla_put_u64_64bit(skb, IFLA_VF_STATS_BROADCAST, ++ vf_stats.broadcast, IFLA_VF_STATS_PAD) || ++ nla_put_u64_64bit(skb, IFLA_VF_STATS_MULTICAST, ++ vf_stats.multicast, IFLA_VF_STATS_PAD) || ++ nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_DROPPED, ++ vf_stats.rx_dropped, IFLA_VF_STATS_PAD) || ++ nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_DROPPED, ++ vf_stats.tx_dropped, 
IFLA_VF_STATS_PAD)) { ++ nla_nest_cancel(skb, vfstats); ++ goto nla_put_vf_failure; ++ } ++ nla_nest_end(skb, vfstats); + } +- nla_nest_end(skb, vfstats); + nla_nest_end(skb, vf); + return 0; + +@@ -1386,7 +1392,7 @@ static noinline_for_stack int rtnl_fill_vf(struct sk_buff *skb, + return -EMSGSIZE; + + for (i = 0; i < num_vfs; i++) { +- if (rtnl_fill_vfinfo(skb, dev, i, vfinfo)) ++ if (rtnl_fill_vfinfo(skb, dev, i, vfinfo, ext_filter_mask)) + return -EMSGSIZE; + } + +-- +2.39.2 + diff --git a/tmp-5.10/s390-decompressor-fix-misaligned-symbol-build-error.patch b/tmp-5.10/s390-decompressor-fix-misaligned-symbol-build-error.patch new file mode 100644 index 00000000000..9cb5506dc2d --- /dev/null +++ b/tmp-5.10/s390-decompressor-fix-misaligned-symbol-build-error.patch 
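Review bot: The stats gate is written twice, once in rtnl_vfinfo_size() and once in rtnl_fill_vfinfo(), and the two conditions must agree exactly or the skb is sized for a different message than the one that is filled. Spelling it `if (!(ext_filter_mask & RTEXT_FILTER_SKIP_STATS))` at both sites reads more plainly than `~ext_filter_mask & RTEXT_FILTER_SKIP_STATS`, and a one-line comment at each pointing to the other would keep them in step. As the description says, this is a partial fix: a requester that does not set the flag still receives the per-VF stats, so the IFLA_VFINFO_LIST nest can still be truncated on devices with many VFs. A comment at the gate in rtnl_fill_vfinfo() such as `/* stats dominate the per-VF size; skipping them keeps the VF list within the nest limit */` would record why the filter matters. Both functions begin outside the hunks shown.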
@@ -0,0 +1,53 @@ +From 938f0c35d7d93a822ab9c9728e3205e8e57409d0 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Thu, 22 Jun 2023 14:55:08 +0200 +Subject: s390/decompressor: fix misaligned symbol build error + +From: Heiko Carstens + +commit 938f0c35d7d93a822ab9c9728e3205e8e57409d0 upstream. + +Nathan Chancellor reported a kernel build error on Fedora 39: + +$ clang --version | head -1 +clang version 16.0.5 (Fedora 16.0.5-1.fc39) + +$ s390x-linux-gnu-ld --version | head -1 +GNU ld version 2.40-1.fc39 + +$ make -skj"$(nproc)" ARCH=s390 CC=clang CROSS_COMPILE=s390x-linux-gnu- olddefconfig all +s390x-linux-gnu-ld: arch/s390/boot/startup.o(.text+0x5b4): misaligned symbol `_decompressor_end' (0x35b0f) for relocation R_390_PC32DBL +make[3]: *** [.../arch/s390/boot/Makefile:78: arch/s390/boot/vmlinux] Error 1 + +It turned out that the problem with misaligned symbols on s390 was fixed +with commit 80ddf5ce1c92 ("s390: always build relocatable kernel") for the +kernel image, but did not take into account that the decompressor uses its +own set of CFLAGS, which come without -fPIE. + +Add the -fPIE flag also to the decompresser CFLAGS to fix this. 
+ +Reported-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Reported-by: CKI +Suggested-by: Ulrich Weigand +Link: https://github.com/ClangBuiltLinux/linux/issues/1747 +Link: https://lore.kernel.org/32935.123062114500601371@us-mta-9.us.mimecast.lan/ +Link: https://lore.kernel.org/r/20230622125508.1068457-1-hca@linux.ibm.com +Cc: +Signed-off-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/s390/Makefile ++++ b/arch/s390/Makefile +@@ -29,6 +29,7 @@ KBUILD_CFLAGS_DECOMPRESSOR += -fno-delet + KBUILD_CFLAGS_DECOMPRESSOR += -fno-asynchronous-unwind-tables + KBUILD_CFLAGS_DECOMPRESSOR += -ffreestanding + KBUILD_CFLAGS_DECOMPRESSOR += -fno-stack-protector ++KBUILD_CFLAGS_DECOMPRESSOR += -fPIE + KBUILD_CFLAGS_DECOMPRESSOR += $(call cc-disable-warning, address-of-packed-member) + KBUILD_CFLAGS_DECOMPRESSOR += $(if $(CONFIG_DEBUG_INFO),-g) + KBUILD_CFLAGS_DECOMPRESSOR += $(if $(CONFIG_DEBUG_INFO_DWARF4), $(call cc-option, -gdwarf-4,)) diff --git a/tmp-5.10/s390-qeth-fix-vipa-deletion.patch b/tmp-5.10/s390-qeth-fix-vipa-deletion.patch new file mode 100644 index 00000000000..44be9c0530e --- /dev/null +++ b/tmp-5.10/s390-qeth-fix-vipa-deletion.patch 
@@ -0,0 +1,42 @@
+From a23164cf3031718aad56a1992d2079b9551e1e6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 Jul 2023 16:41:21 +0200
+Subject: s390/qeth: Fix vipa deletion
+
+From: Thorsten Winkler
+
+[ Upstream commit 80de809bd35e2a8999edf9f5aaa2d8de18921f11 ]
+
+Change boolean parameter of function "qeth_l3_vipa_store" inside the
+"qeth_l3_dev_vipa_del4_store" function from "true" to "false" because
+"true" is used for adding a virtual ip address and "false" for deleting.
+
+Fixes: 2390166a6b45 ("s390/qeth: clean up L3 sysfs code")
+
+Reviewed-by: Alexandra Winter
+Reviewed-by: Wenjia Zhang
+Signed-off-by: Thorsten Winkler
+Signed-off-by: Alexandra Winter
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/s390/net/qeth_l3_sys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/s390/net/qeth_l3_sys.c b/drivers/s390/net/qeth_l3_sys.c
+index 997fbb7006a7c..316f8622f3ccb 100644
+--- a/drivers/s390/net/qeth_l3_sys.c
++++ b/drivers/s390/net/qeth_l3_sys.c
+@@ -652,7 +652,7 @@ static QETH_DEVICE_ATTR(vipa_add4, add4, 0644,
+ static ssize_t qeth_l3_dev_vipa_del4_store(struct device *dev,
+ struct device_attribute *attr, const char *buf, size_t count)
+ {
+- return qeth_l3_vipa_store(dev, buf, true, count, QETH_PROT_IPV4);
++ return qeth_l3_vipa_store(dev, buf, false, count, QETH_PROT_IPV4);
+ }
+
+ static QETH_DEVICE_ATTR(vipa_del4, del4, 0200, NULL,
+--
+2.39.2
+
diff --git a/tmp-5.10/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch b/tmp-5.10/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch
new file mode 100644
index 00000000000..f906af6e5a6
--- /dev/null
+++ b/tmp-5.10/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch
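Review bot: The bare `false` passed to qeth_l3_vipa_store() in qeth_l3_dev_vipa_del4_store() is the same kind of unlabelled boolean that let the delete handler silently behave as an add. A short comment on the call, `/* false: delete the VIPA (true would add it) */`, would make the intent checkable at a glance. The IPv6 delete handler is not in the hunk, so it is worth confirming that it passes `false` as well.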
@@ -0,0 +1,36 @@
+From b0512fd8896309815a1a22bc71a99058624bf569 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 May 2023 16:50:58 +0800
+Subject: samples/bpf: Fix buffer overflow in tcp_basertt
+
+From: Pengcheng Yang
+
+[ Upstream commit f4dea9689c5fea3d07170c2cb0703e216f1a0922 ]
+
+Using sizeof(nv) or strlen(nv)+1 is correct.
+
+Fixes: c890063e4404 ("bpf: sample BPF_SOCKET_OPS_BASE_RTT program")
+Signed-off-by: Pengcheng Yang
+Link: https://lore.kernel.org/r/1683276658-2860-1-git-send-email-yangpc@wangsu.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ samples/bpf/tcp_basertt_kern.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/bpf/tcp_basertt_kern.c b/samples/bpf/tcp_basertt_kern.c
+index 8dfe09a92feca..822b0742b8154 100644
+--- a/samples/bpf/tcp_basertt_kern.c
++++ b/samples/bpf/tcp_basertt_kern.c
+@@ -47,7 +47,7 @@ int bpf_basertt(struct bpf_sock_ops *skops)
+ case BPF_SOCK_OPS_BASE_RTT:
+ n = bpf_getsockopt(skops, SOL_TCP, TCP_CONGESTION,
+ cong, sizeof(cong));
+- if (!n && !__builtin_memcmp(cong, nv, sizeof(nv)+1)) {
++ if (!n && !__builtin_memcmp(cong, nv, sizeof(nv))) {
+ /* Set base_rtt to 80us */
+ rv = 80;
+ } else if (n) {
+--
+2.39.2
+
diff --git a/tmp-5.10/samples-ftrace-save-required-argument-registers-in-sample-trampolines.patch b/tmp-5.10/samples-ftrace-save-required-argument-registers-in-sample-trampolines.patch
new file mode 100644
index 00000000000..1617059cd58
--- /dev/null
+++ b/tmp-5.10/samples-ftrace-save-required-argument-registers-in-sample-trampolines.patch
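Review bot: The corrected length `sizeof(nv)` in the `__builtin_memcmp()` call is only right while `nv` is declared as a char array; its declaration is outside the hunk, and if it were ever changed to a `char *` the comparison would silently use the pointer size. The read from `cong` is also bounded by the size of `nv` rather than by `cong` itself. A guard next to the declarations, `_Static_assert(sizeof(nv) <= sizeof(cong), "nv must fit in cong");`, would pin the second assumption, and a comment there noting that `sizeof(nv)` includes the terminating NUL would record the first.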
@@ -0,0 +1,68 @@ +From 8564c315876ab86fcaf8e7f558d6a84cb2ce5590 Mon Sep 17 00:00:00 2001 +From: Florent Revest +Date: Thu, 27 Apr 2023 16:06:59 +0200 +Subject: samples: ftrace: Save required argument registers in sample trampolines + +From: Florent Revest + +commit 8564c315876ab86fcaf8e7f558d6a84cb2ce5590 upstream. + +The ftrace-direct-too sample traces the handle_mm_fault function whose +signature changed since the introduction of the sample. Since: +commit bce617edecad ("mm: do page fault accounting in handle_mm_fault") +handle_mm_fault now has 4 arguments. Therefore, the sample trampoline +should save 4 argument registers. + +s390 saves all argument registers already so it does not need a change +but x86_64 needs an extra push and pop. + +This also evolves the signature of the tracing function to make it +mirror the signature of the traced function. + +Link: https://lkml.kernel.org/r/20230427140700.625241-2-revest@chromium.org + +Cc: stable@vger.kernel.org +Fixes: bce617edecad ("mm: do page fault accounting in handle_mm_fault") +Reviewed-by: Steven Rostedt (Google) +Reviewed-by: Mark Rutland +Acked-by: Catalin Marinas +Signed-off-by: Florent Revest +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + samples/ftrace/ftrace-direct-too.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/samples/ftrace/ftrace-direct-too.c ++++ b/samples/ftrace/ftrace-direct-too.c +@@ -4,14 +4,14 @@ + #include /* for handle_mm_fault() */ + #include + +-extern void my_direct_func(struct vm_area_struct *vma, +- unsigned long address, unsigned int flags); ++extern void my_direct_func(struct vm_area_struct *vma, unsigned long address, ++ unsigned int flags, struct pt_regs *regs); + +-void my_direct_func(struct vm_area_struct *vma, +- unsigned long address, unsigned int flags) ++void my_direct_func(struct vm_area_struct *vma, unsigned long address, ++ unsigned int flags, struct pt_regs *regs) + { +- trace_printk("handle mm fault 
vma=%p address=%lx flags=%x\n", +- vma, address, flags); ++ trace_printk("handle mm fault vma=%p address=%lx flags=%x regs=%p\n", ++ vma, address, flags, regs); + } + + extern void my_tramp(void *); +@@ -26,7 +26,9 @@ asm ( + " pushq %rdi\n" + " pushq %rsi\n" + " pushq %rdx\n" ++" pushq %rcx\n" + " call my_direct_func\n" ++" popq %rcx\n" + " popq %rdx\n" + " popq %rsi\n" + " popq %rdi\n" diff --git a/tmp-5.10/sched-fair-don-t-balance-task-to-its-current-running.patch b/tmp-5.10/sched-fair-don-t-balance-task-to-its-current-running.patch new file mode 100644 index 00000000000..15bd35ed36b --- /dev/null +++ b/tmp-5.10/sched-fair-don-t-balance-task-to-its-current-running.patch 
@@ -0,0 +1,96 @@ +From aa9c2e9964e704506bf2f729c9f37c606e5f134c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 16:25:07 +0800 +Subject: sched/fair: Don't balance task to its current running CPU + +From: Yicong Yang + +[ Upstream commit 0dd37d6dd33a9c23351e6115ae8cdac7863bc7de ] + +We've run into the case that the balancer tries to balance a migration +disabled task and trigger the warning in set_task_cpu() like below: + + ------------[ cut here ]------------ + WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240 + Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip> + CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1 + Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021 + pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : set_task_cpu+0x188/0x240 + lr : load_balance+0x5d0/0xc60 + sp : ffff80000803bc70 + x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040 + x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001 + x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78 + x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000 + x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000 + x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530 + x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e + x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a + x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001 + Call trace: + set_task_cpu+0x188/0x240 + load_balance+0x5d0/0xc60 + rebalance_domains+0x26c/0x380 + _nohz_idle_balance.isra.0+0x1e0/0x370 + run_rebalance_domains+0x6c/0x80 + __do_softirq+0x128/0x3d8 + ____do_softirq+0x18/0x24 + call_on_irq_stack+0x2c/0x38 + do_softirq_own_stack+0x24/0x3c + __irq_exit_rcu+0xcc/0xf4 + irq_exit_rcu+0x18/0x24 + 
el1_interrupt+0x4c/0xe4 + el1h_64_irq_handler+0x18/0x2c + el1h_64_irq+0x74/0x78 + arch_cpu_idle+0x18/0x4c + default_idle_call+0x58/0x194 + do_idle+0x244/0x2b0 + cpu_startup_entry+0x30/0x3c + secondary_start_kernel+0x14c/0x190 + __secondary_switched+0xb0/0xb4 + ---[ end trace 0000000000000000 ]--- + +Further investigation shows that the warning is superfluous, the migration +disabled task is just going to be migrated to its current running CPU. +This is because that on load balance if the dst_cpu is not allowed by the +task, we'll re-select a new_dst_cpu as a candidate. If no task can be +balanced to dst_cpu we'll try to balance the task to the new_dst_cpu +instead. In this case when the migration disabled task is not on CPU it +only allows to run on its current CPU, load balance will select its +current CPU as new_dst_cpu and later triggers the warning above. + +The new_dst_cpu is chosen from the env->dst_grpmask. Currently it +contains CPUs in sched_group_span() and if we have overlapped groups it's +possible to run into this case. This patch makes env->dst_grpmask of +group_balance_mask() which exclude any CPUs from the busiest group and +solve the issue. For balancing in a domain with no overlapped groups +the behaviour keeps same as before. 
+ +Suggested-by: Vincent Guittot +Signed-off-by: Yicong Yang +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Vincent Guittot +Link: https://lore.kernel.org/r/20230530082507.10444-1-yangyicong@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 45c1d03aff735..d53f57ac76094 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -9883,7 +9883,7 @@ static int load_balance(int this_cpu, struct rq *this_rq, + .sd = sd, + .dst_cpu = this_cpu, + .dst_rq = this_rq, +- .dst_grpmask = sched_group_span(sd->groups), ++ .dst_grpmask = group_balance_mask(sd->groups), + .idle = idle, + .loop_break = sched_nr_migrate_break, + .cpus = cpus, +-- +2.39.2 + diff --git a/tmp-5.10/scripts-tags.sh-resolve-gtags-empty-index-generation.patch b/tmp-5.10/scripts-tags.sh-resolve-gtags-empty-index-generation.patch new file mode 100644 index 00000000000..5103e9ca5f1 --- /dev/null +++ b/tmp-5.10/scripts-tags.sh-resolve-gtags-empty-index-generation.patch 
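Review bot: The initializer `.dst_grpmask = group_balance_mask(sd->groups),` gives no hint of why the balance mask is used instead of the group span, and the reason lives only in the commit message. A comment above the field would keep it from being changed back as a simplification: `/* balance mask, not span: with overlapping groups the span can include the task's current CPU */`. load_balance() begins and ends outside the hunk.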
@@ -0,0 +1,65 @@ +From e1b37563caffc410bb4b55f153ccb14dede66815 Mon Sep 17 00:00:00 2001 +From: "Ahmed S. Darwish" +Date: Mon, 15 May 2023 19:32:16 +0200 +Subject: scripts/tags.sh: Resolve gtags empty index generation + +From: Ahmed S. Darwish + +commit e1b37563caffc410bb4b55f153ccb14dede66815 upstream. + +gtags considers any file outside of its current working directory +"outside the source tree" and refuses to index it. For O= kernel builds, +or when "make" is invoked from a directory other then the kernel source +tree, gtags ignores the entire kernel source and generates an empty +index. + +Force-set gtags current working directory to the kernel source tree. + +Due to commit 9da0763bdd82 ("kbuild: Use relative path when building in +a subdir of the source tree"), if the kernel build is done in a +sub-directory of the kernel source tree, the kernel Makefile will set +the kernel's $srctree to ".." for shorter compile-time and run-time +warnings. Consequently, the list of files to be indexed will be in the +"../*" form, rendering all such paths invalid once gtags switches to the +kernel source tree as its current working directory. + +If gtags indexing is requested and the build directory is not the kernel +source tree, index all files in absolute-path form. + +Note, indexing in absolute-path form will not affect the generated +index, as paths in gtags indices are always relative to the gtags "root +directory" anyway (as evidenced by "gtags --dump"). + +Signed-off-by: Ahmed S. Darwish +Cc: +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman +--- + scripts/tags.sh | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/scripts/tags.sh ++++ b/scripts/tags.sh +@@ -32,6 +32,13 @@ else + ignore="$ignore ( -path ${tree}tools ) -prune -o" + fi + ++# gtags(1) refuses to index any file outside of its current working dir. 
++# If gtags indexing is requested and the build output directory is not ++# the kernel source tree, index all files in absolute-path form. ++if [[ "$1" == "gtags" && -n "${tree}" ]]; then ++ tree=$(realpath "$tree")/ ++fi ++ + # Detect if ALLSOURCE_ARCHS is set. If not, we assume SRCARCH + if [ "${ALLSOURCE_ARCHS}" = "" ]; then + ALLSOURCE_ARCHS=${SRCARCH} +@@ -131,7 +138,7 @@ docscope() + + dogtags() + { +- all_target_sources | gtags -i -f - ++ all_target_sources | gtags -i -C "${tree:-.}" -f - "$PWD" + } + + # Basic regular expressions with an optional /kind-spec/ for ctags and diff --git a/tmp-5.10/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch b/tmp-5.10/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch new file mode 100644 index 00000000000..0686c5c8623 --- /dev/null +++ b/tmp-5.10/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch 
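Review bot: If `realpath "$tree"` fails, the command substitution is empty and `tree` becomes `/`, so every path built from `${tree}` later in the script would be rooted at the filesystem root instead of the kernel source. Check the result before appending the slash, for example `abs_tree=$(realpath "$tree") || exit 1` followed by `tree=${abs_tree}/`. It is also worth confirming the oldest gtags release the build is expected to support accepts `-C`, since dogtags() now depends on it unconditionally.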
@@ -0,0 +1,47 @@
+From 1fb398af11fd2ef8c67757ff37867b82d408ddce Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 May 2023 22:12:55 +0800
+Subject: scsi: 3w-xxxx: Add error handling for initialization failure in
+ tw_probe()
+
+From: Yuchen Yang
+
+[ Upstream commit 2e2fe5ac695a00ab03cab4db1f4d6be07168ed9d ]
+
+Smatch complains that:
+
+tw_probe() warn: missing error code 'retval'
+
+This patch adds error checking to tw_probe() to handle initialization
+failure. If tw_reset_sequence() function returns a non-zero value, the
+function will return -EINVAL to indicate initialization failure.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yuchen Yang
+Link: https://lore.kernel.org/r/20230505141259.7730-1-u202114568@hust.edu.cn
+Reviewed-by: Dan Carpenter
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/3w-xxxx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
+index fb6444d0409cf..211a25351e7d4 100644
+--- a/drivers/scsi/3w-xxxx.c
++++ b/drivers/scsi/3w-xxxx.c
+@@ -2308,8 +2308,10 @@ static int tw_probe(struct pci_dev *pdev, const struct pci_device_id *dev_id)
+ TW_DISABLE_INTERRUPTS(tw_dev);
+
+ /* Initialize the card */
+- if (tw_reset_sequence(tw_dev)) {
++ if (tw_reset_sequence(tw_dev)) {
++ retval = -EINVAL;
+ goto out_release_mem_region;
++ }
+
+ /* Set host specific parameters */
+ host->max_id = TW_MAX_UNITS;
+--
+2.39.2
+
diff --git a/tmp-5.10/scsi-qedf-fix-null-dereference-in-error-handling.patch b/tmp-5.10/scsi-qedf-fix-null-dereference-in-error-handling.patch
new file mode 100644
index 00000000000..dc6dfbed301
--- /dev/null
+++ b/tmp-5.10/scsi-qedf-fix-null-dereference-in-error-handling.patch
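Review bot: The added `retval = -EINVAL;` in tw_probe() reports a failed controller reset as an invalid-argument error, which will read oddly to whoever debugs the probe failure. `-ENODEV` or `-EIO` describes a device that did not come up, and if tw_reset_sequence() already returns a negative errno it could be propagated instead; its return convention is not visible in the hunk. The failure path also logs nothing before `goto out_release_mem_region;`, so a one-line message naming the reset failure would help. tw_probe() starts and ends outside the hunk.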
@@ -0,0 +1,47 @@
+From bb6b7c102298ac20051979240acafa9ccfb30b12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 May 2023 22:00:21 +0800
+Subject: scsi: qedf: Fix NULL dereference in error handling
+
+From: Jinhong Zhu
+
+[ Upstream commit f025312b089474a54e4859f3453771314d9e3d4f ]
+
+Smatch reported:
+
+drivers/scsi/qedf/qedf_main.c:3056 qedf_alloc_global_queues()
+warn: missing unwind goto?
+
+At this point in the function, nothing has been allocated so we can return
+directly. In particular the "qedf->global_queues" have not been allocated
+so calling qedf_free_global_queues() will lead to a NULL dereference when
+we check if (!gl[i]) and "gl" is NULL.
+
+Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
+Signed-off-by: Jinhong Zhu
+Link: https://lore.kernel.org/r/20230502140022.2852-1-jinhongzhu@hust.edu.cn
+Reviewed-by: Dan Carpenter
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/qedf/qedf_main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
+index f48ef47546f4d..b33cb1172f31d 100644
+--- a/drivers/scsi/qedf/qedf_main.c
++++ b/drivers/scsi/qedf/qedf_main.c
+@@ -3042,9 +3042,8 @@ static int qedf_alloc_global_queues(struct qedf_ctx *qedf)
+ * addresses of our queues
+ */
+ if (!qedf->p_cpuq) {
+- status = -EINVAL;
+ QEDF_ERR(&qedf->dbg_ctx, "p_cpuq is NULL.\n");
+- goto mem_alloc_failure;
++ return -EINVAL;
+ }
+
+ qedf->global_queues = kzalloc((sizeof(struct global_queue *)
+--
+2.39.2
+
diff --git a/tmp-5.10/scsi-qla2xxx-array-index-may-go-out-of-bound.patch b/tmp-5.10/scsi-qla2xxx-array-index-may-go-out-of-bound.patch
new file mode 100644
index 00000000000..e24163e5d96
--- /dev/null
+++ b/tmp-5.10/scsi-qla2xxx-array-index-may-go-out-of-bound.patch
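Review bot: The early `return -EINVAL;` in qedf_alloc_global_queues() fixes this one path, but by the description's own account the real hazard is that qedf_free_global_queues() indexes `gl` without checking that it is non-NULL. Any `goto mem_alloc_failure` added later ahead of the kzalloc() would bring the crash back. A guard at the top of the free routine, `if (!gl) return;`, would make the unwind label safe from anywhere in the function. That routine is outside the hunk, so this rests on the commit message's description of it.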
@@ -0,0 +1,36 @@
+From d721b591b95cf3f290f8a7cbe90aa2ee0368388d Mon Sep 17 00:00:00 2001
+From: Nilesh Javali
+Date: Wed, 7 Jun 2023 17:08:36 +0530
+Subject: scsi: qla2xxx: Array index may go out of bound
+
+From: Nilesh Javali
+
+commit d721b591b95cf3f290f8a7cbe90aa2ee0368388d upstream.
+
+Klocwork reports array 'vha->host_str' of size 16 may use index value(s)
+16..19. Use snprintf() instead of sprintf().
+
+Cc: stable@vger.kernel.org
+Co-developed-by: Bikash Hazarika
+Signed-off-by: Bikash Hazarika
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-2-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_os.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -4877,7 +4877,8 @@ struct scsi_qla_host *qla2x00_create_hos
+ }
+ INIT_DELAYED_WORK(&vha->scan.scan_work, qla_scan_work_fn);
+
+- sprintf(vha->host_str, "%s_%lu", QLA2XXX_DRIVER_NAME, vha->host_no);
++ snprintf(vha->host_str, sizeof(vha->host_str), "%s_%lu",
++ QLA2XXX_DRIVER_NAME, vha->host_no);
+ ql_dbg(ql_dbg_init, vha, 0x0041,
+ "Allocated the host=%p hw=%p vha=%p dev_name=%s",
+ vha->host, vha->hw, vha,
diff --git a/tmp-5.10/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch b/tmp-5.10/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
new file mode 100644
index 00000000000..74d6249a1a0
--- /dev/null
+++ b/tmp-5.10/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
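Review bot: The new `snprintf()` into `vha->host_str` stops the overrun but truncates silently: the description says the formatted name can need up to 20 bytes while the field holds 16. A truncated name loses trailing digits of `host_no`, so distinct hosts could in principle log under the same string. Either widen the field to fit the longest `"%s_%lu"` result, or compare the return value against `sizeof(vha->host_str)` and log when it is equal or larger. qla2x00_create_host() starts and ends outside the hunk.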
@@ -0,0 +1,37 @@
+From af73f23a27206ffb3c477cac75b5fcf03410556e Mon Sep 17 00:00:00 2001
+From: Nilesh Javali
+Date: Wed, 7 Jun 2023 17:08:39 +0530
+Subject: scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
+
+From: Nilesh Javali
+
+commit af73f23a27206ffb3c477cac75b5fcf03410556e upstream.
+
+Klocwork reported warning of rport maybe NULL and will be dereferenced.
+rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced.
+
+Check valid rport returned by fc_bsg_to_rport().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-5-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -268,6 +268,10 @@ qla2x00_process_els(struct bsg_job *bsg_
+
+ if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+ rport = fc_bsg_to_rport(bsg_job);
++ if (!rport) {
++ rval = -ENOMEM;
++ goto done;
++ }
+ fcport = *(fc_port_t **) rport->dd_data;
+ host = rport_to_shost(rport);
+ vha = shost_priv(host);
diff --git a/tmp-5.10/scsi-qla2xxx-correct-the-index-of-array.patch b/tmp-5.10/scsi-qla2xxx-correct-the-index-of-array.patch
new file mode 100644
index 00000000000..f1f18d62683
--- /dev/null
+++ b/tmp-5.10/scsi-qla2xxx-correct-the-index-of-array.patch
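Review bot: `rval = -ENOMEM;` in the new `if (!rport)` branch mislabels the failure: nothing was being allocated here, the remote port is simply absent, so `-ENXIO` or `-EINVAL` would tell the BSG caller what actually went wrong. It is also worth confirming that the `done` label leaves the bsg job in the same state as the other early exits in qla2x00_process_els(). The label and the rest of the function are outside the hunk.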
@@ -0,0 +1,51 @@ +From b1b9d3825df4c757d653d0b1df66f084835db9c3 Mon Sep 17 00:00:00 2001 +From: Bikash Hazarika +Date: Wed, 7 Jun 2023 17:08:42 +0530 +Subject: scsi: qla2xxx: Correct the index of array + +From: Bikash Hazarika + +commit b1b9d3825df4c757d653d0b1df66f084835db9c3 upstream. + +Klocwork reported array 'port_dstate_str' of size 10 may use index value(s) +10..15. + +Add a fix to correct the index of array. + +Cc: stable@vger.kernel.org +Signed-off-by: Bikash Hazarika +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230607113843.37185-8-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_inline.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_inline.h ++++ b/drivers/scsi/qla2xxx/qla_inline.h +@@ -109,11 +109,13 @@ qla2x00_set_fcport_disc_state(fc_port_t + { + int old_val; + uint8_t shiftbits, mask; ++ uint8_t port_dstate_str_sz; + + /* This will have to change when the max no. of states > 16 */ + shiftbits = 4; + mask = (1 << shiftbits) - 1; + ++ port_dstate_str_sz = sizeof(port_dstate_str) / sizeof(char *); + fcport->disc_state = state; + while (1) { + old_val = atomic_read(&fcport->shadow_disc_state); +@@ -121,7 +123,8 @@ qla2x00_set_fcport_disc_state(fc_port_t + old_val, (old_val << shiftbits) | state)) { + ql_dbg(ql_dbg_disc, fcport->vha, 0x2134, + "FCPort %8phC disc_state transition: %s to %s - portid=%06x.\n", +- fcport->port_name, port_dstate_str[old_val & mask], ++ fcport->port_name, (old_val & mask) < port_dstate_str_sz ? ++ port_dstate_str[old_val & mask] : "Unknown", + port_dstate_str[state], fcport->d_id.b24); + return; + } diff --git a/tmp-5.10/scsi-qla2xxx-fix-buffer-overrun.patch b/tmp-5.10/scsi-qla2xxx-fix-buffer-overrun.patch new file mode 100644 index 00000000000..5fd92e44c99 --- /dev/null +++ b/tmp-5.10/scsi-qla2xxx-fix-buffer-overrun.patch 
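Review bot: Only the `old_val & mask` lookup is bounds-checked in qla2x00_set_fcport_disc_state(); the next argument, `port_dstate_str[state]`, still indexes the same array unchecked. The type and range of `state` are not visible in the hunk, so unless callers guarantee it is below the table size the out-of-bounds read remains reachable through that operand. I would guard it the same way: `state < port_dstate_str_sz ? port_dstate_str[state] : "Unknown"`. The element count is also better written as `ARRAY_SIZE(port_dstate_str)` than `sizeof(port_dstate_str) / sizeof(char *)`, which silently breaks if the element type changes.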
@@ -0,0 +1,38 @@ +From b68710a8094fdffe8dd4f7a82c82649f479bb453 Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Wed, 7 Jun 2023 17:08:40 +0530 +Subject: scsi: qla2xxx: Fix buffer overrun + +From: Quinn Tran + +commit b68710a8094fdffe8dd4f7a82c82649f479bb453 upstream. + +Klocwork warning: Buffer Overflow - Array Index Out of Bounds + +Driver uses fc_els_flogi to calculate size of buffer. The actual buffer is +nested inside of fc_els_flogi which is smaller. + +Replace structure name to allow proper size calculation. + +Cc: stable@vger.kernel.org +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230607113843.37185-6-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -5107,7 +5107,7 @@ static void qla_get_login_template(scsi_ + __be32 *q; + + memset(ha->init_cb, 0, ha->init_cb_size); +- sz = min_t(int, sizeof(struct fc_els_flogi), ha->init_cb_size); ++ sz = min_t(int, sizeof(struct fc_els_csp), ha->init_cb_size); + rval = qla24xx_get_port_login_templ(vha, ha->init_cb_dma, + ha->init_cb, sz); + if (rval != QLA_SUCCESS) { diff --git a/tmp-5.10/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch b/tmp-5.10/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch new file mode 100644 index 00000000000..a708f5dfc3a --- /dev/null +++ b/tmp-5.10/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch 
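Review bot: The length in qla_get_login_template() is still derived from a type name, `sizeof(struct fc_els_csp)`, rather than from the object that receives the data, which is how the wrong size came to be used in the first place. The destination of the later copy is outside the hunk; if it is in scope here, taking `sizeof` of that field (`sizeof(<destination field>)`) would keep the bound correct if the field's type changes again. A one-line comment naming the destination the size is meant to match would also help.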
@@ -0,0 +1,38 @@ +From 5804ed9cd312ce0843bff3fc159ae27613447512 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 13:58:47 +0300 +Subject: scsi: qla2xxx: Fix error code in qla2x00_start_sp() + +From: Dan Carpenter + +[ Upstream commit e579b007eff3ff8d29d59d16214cd85fb9e573f7 ] + +This should be negative -EAGAIN instead of positive. The callers treat +non-zero error codes the same so it doesn't really impact runtime beyond +some trivial differences to debug output. + +Fixes: 80676d054e5a ("scsi: qla2xxx: Fix session cleanup hang") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/49866d28-4cfe-47b0-842b-78f110e61aab@moroto.mountain +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_iocb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c +index e54cc2a761dd4..f0af76c3de7e3 100644 +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -3713,7 +3713,7 @@ qla2x00_start_sp(srb_t *sp) + spin_lock_irqsave(qp->qp_lock_ptr, flags); + pkt = __qla2x00_alloc_iocbs(sp->qpair, sp); + if (!pkt) { +- rval = EAGAIN; ++ rval = -EAGAIN; + ql_log(ql_log_warn, vha, 0x700c, + "qla2x00_alloc_iocbs failed.\n"); + goto done; +-- +2.39.2 + diff --git a/tmp-5.10/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch b/tmp-5.10/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..e580ecb4a9f --- /dev/null +++ b/tmp-5.10/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch 
@@ -0,0 +1,35 @@ +From 464ea494a40c6e3e0e8f91dd325408aaf21515ba Mon Sep 17 00:00:00 2001 +From: Bikash Hazarika +Date: Wed, 7 Jun 2023 17:08:37 +0530 +Subject: scsi: qla2xxx: Fix potential NULL pointer dereference + +From: Bikash Hazarika + +commit 464ea494a40c6e3e0e8f91dd325408aaf21515ba upstream. + +Klocwork tool reported 'cur_dsd' may be dereferenced. Add fix to validate +pointer before dereferencing the pointer. + +Cc: stable@vger.kernel.org +Signed-off-by: Bikash Hazarika +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230607113843.37185-3-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_iocb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -601,7 +601,8 @@ qla24xx_build_scsi_type_6_iocbs(srb_t *s + put_unaligned_le32(COMMAND_TYPE_6, &cmd_pkt->entry_type); + + /* No data transfer */ +- if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE) { ++ if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE || ++ tot_dsds == 0) { + cmd_pkt->byte_count = cpu_to_le32(0); + return 0; + } diff --git a/tmp-5.10/scsi-qla2xxx-pointer-may-be-dereferenced.patch b/tmp-5.10/scsi-qla2xxx-pointer-may-be-dereferenced.patch new file mode 100644 index 00000000000..965163462ff --- /dev/null +++ b/tmp-5.10/scsi-qla2xxx-pointer-may-be-dereferenced.patch 
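Review bot: The added `tot_dsds == 0` test in qla24xx_build_scsi_type_6_iocbs() shares the "no data transfer" branch, so a command with a non-zero `scsi_bufflen(cmd)` and a real data direction but zero descriptors is now sent with `byte_count` 0 and the function returns 0. That avoids the NULL `cur_dsd` dereference but hides an inconsistent request as a success. Unless callers rule this combination out (they are outside the hunk), I would handle it separately from the legitimate no-data case and at least log it, or return an error if the caller checks one. The comment `/* No data transfer */` should also mention the new condition.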
@@ -0,0 +1,36 @@ +From 00eca15319d9ce8c31cdf22f32a3467775423df4 Mon Sep 17 00:00:00 2001 +From: Shreyas Deodhar +Date: Wed, 7 Jun 2023 17:08:41 +0530 +Subject: scsi: qla2xxx: Pointer may be dereferenced + +From: Shreyas Deodhar + +commit 00eca15319d9ce8c31cdf22f32a3467775423df4 upstream. + +Klocwork tool reported pointer 'rport' returned from call to function +fc_bsg_to_rport() may be NULL and will be dereferenced. + +Add a fix to validate rport before dereferencing. + +Cc: stable@vger.kernel.org +Signed-off-by: Shreyas Deodhar +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230607113843.37185-7-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_bsg.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -2545,6 +2545,8 @@ qla24xx_bsg_request(struct bsg_job *bsg_ + + if (bsg_request->msgcode == FC_BSG_RPT_ELS) { + rport = fc_bsg_to_rport(bsg_job); ++ if (!rport) ++ return ret; + host = rport_to_shost(rport); + vha = shost_priv(host); + } else { diff --git a/tmp-5.10/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch b/tmp-5.10/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch new file mode 100644 index 00000000000..81f1290cdf2 --- /dev/null +++ b/tmp-5.10/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch 
@@ -0,0 +1,91 @@ +From 20fce500b232b970e40312a9c97e7f3b6d7a709c Mon Sep 17 00:00:00 2001 +From: Manish Rangankar +Date: Thu, 15 Jun 2023 13:16:33 +0530 +Subject: scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue + +From: Manish Rangankar + +commit 20fce500b232b970e40312a9c97e7f3b6d7a709c upstream. + +System crash when qla2x00_start_sp(sp) returns error code EGAIN and wake_up +gets called for uninitialized wait queue sp->nvme_ls_waitq. + + qla2xxx [0000:37:00.1]-2121:5: Returning existing qpair of ffff8ae2c0513400 for idx=0 + qla2xxx [0000:37:00.1]-700e:5: qla2x00_start_sp failed = 11 + BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 + PGD 0 P4D 0 + Oops: 0000 [#1] SMP NOPTI + Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021 + Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc] + RIP: 0010:__wake_up_common+0x4c/0x190 + RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086 + RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000 + RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320 + RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8 + R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20 + R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000 + FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + __wake_up_common_lock+0x7c/0xc0 + qla_nvme_ls_req+0x355/0x4c0 [qla2xxx] + ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc] + ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc] + ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc] + +Remove unused nvme_ls_waitq wait queue. 
nvme_ls_waitq logic was removed +previously in the commits tagged Fixed: below. + +Fixes: 219d27d7147e ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands") +Fixes: 5621b0dd7453 ("scsi: qla2xxx: Simpify unregistration of FC-NVMe local/remote ports") +Cc: stable@vger.kernel.org +Signed-off-by: Manish Rangankar +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230615074633.12721-1-njavali@marvell.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_def.h | 1 - + drivers/scsi/qla2xxx/qla_nvme.c | 3 --- + 2 files changed, 4 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -639,7 +639,6 @@ typedef struct srb { + struct iocb_resource iores; + struct kref cmd_kref; /* need to migrate ref_count over to this */ + void *priv; +- wait_queue_head_t nvme_ls_waitq; + struct fc_port *fcport; + struct scsi_qla_host *vha; + unsigned int start_timer:1; +--- a/drivers/scsi/qla2xxx/qla_nvme.c ++++ b/drivers/scsi/qla2xxx/qla_nvme.c +@@ -331,7 +331,6 @@ static int qla_nvme_ls_req(struct nvme_f + if (rval != QLA_SUCCESS) { + ql_log(ql_log_warn, vha, 0x700e, + "qla2x00_start_sp failed = %d\n", rval); +- wake_up(&sp->nvme_ls_waitq); + sp->priv = NULL; + priv->sp = NULL; + qla2x00_rel_sp(sp); +@@ -590,7 +589,6 @@ static int qla_nvme_post_cmd(struct nvme + if (!sp) + return -EBUSY; + +- init_waitqueue_head(&sp->nvme_ls_waitq); + kref_init(&sp->cmd_kref); + spin_lock_init(&priv->cmd_lock); + sp->priv = priv; +@@ -608,7 +606,6 @@ static int qla_nvme_post_cmd(struct nvme + if (rval != QLA_SUCCESS) { + ql_log(ql_log_warn, vha, 0x212d, + "qla2x00_start_nvme_mq failed = %d\n", rval); +- wake_up(&sp->nvme_ls_waitq); + sp->priv = NULL; + priv->sp = NULL; + qla2xxx_rel_qpair_sp(sp->qpair, sp); 
diff --git a/tmp-5.10/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch b/tmp-5.10/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch new file mode 100644 index 00000000000..9de46b98135 --- /dev/null +++ b/tmp-5.10/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch 
@@ -0,0 +1,71 @@ +From fc0cba0c7be8261a1625098bd1d695077ec621c9 Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 28 Apr 2023 00:53:38 -0700 +Subject: scsi: qla2xxx: Wait for io return on terminate rport + +From: Quinn Tran + +commit fc0cba0c7be8261a1625098bd1d695077ec621c9 upstream. + +System crash due to use after free. +Current code allows terminate_rport_io to exit before making +sure all IOs has returned. For FCP-2 device, IO's can hang +on in HW because driver has not tear down the session in FW at +first sign of cable pull. When dev_loss_tmo timer pops, +terminate_rport_io is called and upper layer is about to +free various resources. Terminate_rport_io trigger qla to do +the final cleanup, but the cleanup might not be fast enough where it +leave qla still holding on to the same resource. + +Wait for IO's to return to upper layer before resources are freed. + +Cc: stable@vger.kernel.org +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20230428075339.32551-7-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_attr.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -2698,6 +2698,7 @@ static void + qla2x00_terminate_rport_io(struct fc_rport *rport) + { + fc_port_t *fcport = *(fc_port_t **)rport->dd_data; ++ scsi_qla_host_t *vha; + + if (!fcport) + return; +@@ -2707,9 +2708,12 @@ qla2x00_terminate_rport_io(struct fc_rpo + + if (test_bit(ABORT_ISP_ACTIVE, &fcport->vha->dpc_flags)) + return; ++ vha = fcport->vha; + + if (unlikely(pci_channel_offline(fcport->vha->hw->pdev))) { + qla2x00_abort_all_cmds(fcport->vha, DID_NO_CONNECT << 16); ++ qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24, ++ 0, WAIT_TARGET); + return; + } + /* +@@ -2724,6 +2728,15 @@ qla2x00_terminate_rport_io(struct fc_rpo + else + qla2x00_port_logout(fcport->vha, fcport); + } ++ ++ /* check for any straggling io left behind */ ++ if (qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24, 0, WAIT_TARGET)) { ++ ql_log(ql_log_warn, vha, 0x300b, ++ "IO not return. Resetting. \n"); ++ set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags); ++ qla2xxx_wake_dpc(vha); ++ qla2x00_wait_for_chip_reset(vha); ++ } + } + + static int diff --git a/tmp-5.10/sctp-add-bpf_bypass_getsockopt-proto-callback.patch b/tmp-5.10/sctp-add-bpf_bypass_getsockopt-proto-callback.patch new file mode 100644 index 00000000000..39f6444a52e --- /dev/null +++ b/tmp-5.10/sctp-add-bpf_bypass_getsockopt-proto-callback.patch 
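Review bot: The straggler check at the end of qla2x00_terminate_rport_io() escalates to a chip reset but ignores the outcome of `qla2x00_wait_for_chip_reset(vha)`. If that wait fails or times out, the function still returns with I/O outstanding, which is the condition the commit message ties to the use-after-free. The `pci_channel_offline()` branch has the same gap, because the return value of the added `qla2x00_eh_wait_for_pending_commands()` call is dropped before `return`. Both places should at least log when the wait does not succeed, so a later crash can be traced to this path. On style, the new local `vha` is used only in the last block while the added calls still spell out `fcport->vha`, and the string `"IO not return. Resetting. \n"` has a stray space before the newline.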
@@ -0,0 +1,93 @@ +From 5237efe2699ffcf1896deec8e44b4f19b11e2715 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 15:25:06 +0200 +Subject: sctp: add bpf_bypass_getsockopt proto callback + +From: Alexander Mikhalitsyn + +[ Upstream commit 2598619e012cee5273a2821441b9a051ad931249 ] + +Implement ->bpf_bypass_getsockopt proto callback and filter out +SCTP_SOCKOPT_PEELOFF, SCTP_SOCKOPT_PEELOFF_FLAGS and SCTP_SOCKOPT_CONNECTX3 +socket options from running eBPF hook on them. + +SCTP_SOCKOPT_PEELOFF and SCTP_SOCKOPT_PEELOFF_FLAGS options do fd_install(), +and if BPF_CGROUP_RUN_PROG_GETSOCKOPT hook returns an error after success of +the original handler sctp_getsockopt(...), userspace will receive an error +from getsockopt syscall and will be not aware that fd was successfully +installed into a fdtable. + +As pointed by Marcelo Ricardo Leitner it seems reasonable to skip +bpf getsockopt hook for SCTP_SOCKOPT_CONNECTX3 sockopt too. +Because internaly, it triggers connect() and if error is masked +then userspace will be confused. + +This patch was born as a result of discussion around a new SCM_PIDFD interface: +https://lore.kernel.org/all/20230413133355.350571-3-aleksandr.mikhalitsyn@canonical.com/ + +Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks") +Cc: Daniel Borkmann +Cc: Christian Brauner +Cc: Stanislav Fomichev +Cc: Neil Horman +Cc: Marcelo Ricardo Leitner +Cc: Xin Long +Cc: linux-sctp@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Cc: netdev@vger.kernel.org +Suggested-by: Stanislav Fomichev +Acked-by: Stanislav Fomichev +Signed-off-by: Alexander Mikhalitsyn +Acked-by: Xin Long +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 35d3eee26ea56..4a7f811abae4e 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -8039,6 +8039,22 @@ static int sctp_getsockopt(struct sock *sk, int level, int optname, + return retval; + } + ++static bool sctp_bpf_bypass_getsockopt(int level, int optname) ++{ ++ if (level == SOL_SCTP) { ++ switch (optname) { ++ case SCTP_SOCKOPT_PEELOFF: ++ case SCTP_SOCKOPT_PEELOFF_FLAGS: ++ case SCTP_SOCKOPT_CONNECTX3: ++ return true; ++ default: ++ return false; ++ } ++ } ++ ++ return false; ++} ++ + static int sctp_hash(struct sock *sk) + { + /* STUB */ +@@ -9407,6 +9423,7 @@ struct proto sctp_prot = { + .shutdown = sctp_shutdown, + .setsockopt = sctp_setsockopt, + .getsockopt = sctp_getsockopt, ++ .bpf_bypass_getsockopt = sctp_bpf_bypass_getsockopt, + .sendmsg = sctp_sendmsg, + .recvmsg = sctp_recvmsg, + .bind = sctp_bind, +@@ -9459,6 +9476,7 @@ struct proto sctpv6_prot = { + .shutdown = sctp_shutdown, + .setsockopt = sctp_setsockopt, + .getsockopt = sctp_getsockopt, ++ .bpf_bypass_getsockopt = sctp_bpf_bypass_getsockopt, + .sendmsg = sctp_sendmsg, + .recvmsg = sctp_recvmsg, + .bind = sctp_bind, +-- +2.39.2 + diff --git a/tmp-5.10/sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch b/tmp-5.10/sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch new file mode 100644 index 00000000000..6e346dbaee8 --- /dev/null +++ b/tmp-5.10/sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch 
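Review bot: sctp_bpf_bypass_getsockopt() has no comment explaining why these three options skip the BPF getsockopt hook, and the reason is not obvious from the code. The rationale exists only in the commit message: the handlers have side effects (`fd_install()` for the two PEELOFF options, a connect for CONNECTX3) that cannot be undone if the hook returns an error afterwards. I would put that above the function, e.g. `/* These options have irreversible side effects; a BPF hook error after the handler succeeded would hide them from userspace. */`, so that anyone adding a new option with similar behaviour knows to list it here. The trailing `default: return false;` followed by another `return false;` could be collapsed into a single exit.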
@@ -0,0 +1,57 @@ +From 1cc4ab56e1d27a0d6137a81c1e74445de942045f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jun 2023 12:03:40 +0000 +Subject: sctp: fix potential deadlock on &net->sctp.addr_wq_lock + +From: Chengfeng Ye + +[ Upstream commit 6feb37b3b06e9049e20dcf7e23998f92c9c5be9a ] + +As &net->sctp.addr_wq_lock is also acquired by the timer +sctp_addr_wq_timeout_handler() in protocal.c, the same lock acquisition +at sctp_auto_asconf_init() seems should disable irq since it is called +from sctp_accept() under process context. + +Possible deadlock scenario: +sctp_accept() + -> sctp_sock_migrate() + -> sctp_auto_asconf_init() + -> spin_lock(&net->sctp.addr_wq_lock) + + -> sctp_addr_wq_timeout_handler() + -> spin_lock_bh(&net->sctp.addr_wq_lock); (deadlock here) + +This flaw was found using an experimental static analysis tool we are +developing for irq-related deadlock. + +The tentative patch fix the potential deadlock by spin_lock_bh(). + +Signed-off-by: Chengfeng Ye +Fixes: 34e5b0118685 ("sctp: delay auto_asconf init until binding the first addr") +Acked-by: Xin Long +Link: https://lore.kernel.org/r/20230627120340.19432-1-dg573847474@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index 4a7f811abae4e..534364bb871a3 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -362,9 +362,9 @@ static void sctp_auto_asconf_init(struct sctp_sock *sp) + struct net *net = sock_net(&sp->inet.sk); + + if (net->sctp.default_auto_asconf) { +- spin_lock(&net->sctp.addr_wq_lock); ++ spin_lock_bh(&net->sctp.addr_wq_lock); + list_add_tail(&sp->auto_asconf_list, &net->sctp.auto_asconf_splist); +- spin_unlock(&net->sctp.addr_wq_lock); ++ spin_unlock_bh(&net->sctp.addr_wq_lock); + sp->do_auto_asconf = 1; + } + } +-- +2.39.2 + 
diff --git a/tmp-5.10/security-keys-modify-mismatched-function-name.patch b/tmp-5.10/security-keys-modify-mismatched-function-name.patch new file mode 100644 index 00000000000..f7dc30780a8 --- /dev/null +++ b/tmp-5.10/security-keys-modify-mismatched-function-name.patch @@ -0,0 +1,40 @@ +From 8d91e0fbb055599545d4e65cfad02a225ea28d82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 10:18:25 +0800 +Subject: security: keys: Modify mismatched function name + +From: Jiapeng Chong + +[ Upstream commit 2a4152742025c5f21482e8cebc581702a0fa5b01 ] + +No functional modification involved. + +security/keys/trusted-keys/trusted_tpm2.c:203: warning: expecting prototype for tpm_buf_append_auth(). Prototype was for tpm2_buf_append_auth() instead. + +Fixes: 2e19e10131a0 ("KEYS: trusted: Move TPM2 trusted keys code") +Reported-by: Abaci Robot +Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=5524 +Signed-off-by: Jiapeng Chong +Reviewed-by: Paul Moore +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + security/keys/trusted-keys/trusted_tpm2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c +index 4c19d3abddbee..65f68856414a6 100644 +--- a/security/keys/trusted-keys/trusted_tpm2.c ++++ b/security/keys/trusted-keys/trusted_tpm2.c +@@ -21,7 +21,7 @@ static struct tpm2_hash tpm2_hash_map[] = { + }; + + /** +- * tpm_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer. ++ * tpm2_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer. + * + * @buf: an allocated tpm_buf instance + * @session_handle: session handle +-- +2.39.2 + diff --git a/tmp-5.10/selftests-bpf-add-verifier-test-for-ptr_to_mem-spill.patch b/tmp-5.10/selftests-bpf-add-verifier-test-for-ptr_to_mem-spill.patch new file mode 100644 index 00000000000..7465b19b384 --- /dev/null +++ b/tmp-5.10/selftests-bpf-add-verifier-test-for-ptr_to_mem-spill.patch 
@@ -0,0 +1,109 @@ +From 4237e9f4a96228ccc8a7abe5e4b30834323cd353 Mon Sep 17 00:00:00 2001 +From: Gilad Reti +Date: Wed, 13 Jan 2021 07:38:08 +0200 +Subject: selftests/bpf: Add verifier test for PTR_TO_MEM spill + +From: Gilad Reti + +commit 4237e9f4a96228ccc8a7abe5e4b30834323cd353 upstream. + +Add a test to check that the verifier is able to recognize spilling of +PTR_TO_MEM registers, by reserving a ringbuf buffer, forcing the spill +of a pointer holding the buffer address to the stack, filling it back +in from the stack and writing to the memory area pointed by it. + +The patch was partially contributed by CyberArk Software, Inc. + +Signed-off-by: Gilad Reti +Signed-off-by: Alexei Starovoitov +Acked-by: Yonghong Song +Acked-by: KP Singh +Link: https://lore.kernel.org/bpf/20210113053810.13518-2-gilad.reti@gmail.com +Cc: Lorenz Bauer +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/test_verifier.c | 12 ++++++++ + tools/testing/selftests/bpf/verifier/spill_fill.c | 30 ++++++++++++++++++++++ + 2 files changed, 41 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/bpf/test_verifier.c ++++ b/tools/testing/selftests/bpf/test_verifier.c +@@ -50,7 +50,7 @@ + #define MAX_INSNS BPF_MAXINSNS + #define MAX_TEST_INSNS 1000000 + #define MAX_FIXUPS 8 +-#define MAX_NR_MAPS 20 ++#define MAX_NR_MAPS 21 + #define MAX_TEST_RUNS 8 + #define POINTER_VALUE 0xcafe4all + #define TEST_DATA_LEN 64 +@@ -87,6 +87,7 @@ struct bpf_test { + int fixup_sk_storage_map[MAX_FIXUPS]; + int fixup_map_event_output[MAX_FIXUPS]; + int fixup_map_reuseport_array[MAX_FIXUPS]; ++ int fixup_map_ringbuf[MAX_FIXUPS]; + const char *errstr; + const char *errstr_unpriv; + uint32_t insn_processed; +@@ -640,6 +641,7 @@ static void do_test_fixup(struct bpf_tes + int *fixup_sk_storage_map = test->fixup_sk_storage_map; + int *fixup_map_event_output = test->fixup_map_event_output; + int *fixup_map_reuseport_array = test->fixup_map_reuseport_array; ++ int *fixup_map_ringbuf = 
test->fixup_map_ringbuf; + + if (test->fill_helper) { + test->fill_insns = calloc(MAX_TEST_INSNS, sizeof(struct bpf_insn)); +@@ -817,6 +819,14 @@ static void do_test_fixup(struct bpf_tes + fixup_map_reuseport_array++; + } while (*fixup_map_reuseport_array); + } ++ if (*fixup_map_ringbuf) { ++ map_fds[20] = create_map(BPF_MAP_TYPE_RINGBUF, 0, ++ 0, 4096); ++ do { ++ prog[*fixup_map_ringbuf].imm = map_fds[20]; ++ fixup_map_ringbuf++; ++ } while (*fixup_map_ringbuf); ++ } + } + + struct libcap { +--- a/tools/testing/selftests/bpf/verifier/spill_fill.c ++++ b/tools/testing/selftests/bpf/verifier/spill_fill.c +@@ -29,6 +29,36 @@ + .result_unpriv = ACCEPT, + }, + { ++ "check valid spill/fill, ptr to mem", ++ .insns = { ++ /* reserve 8 byte ringbuf memory */ ++ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), ++ BPF_LD_MAP_FD(BPF_REG_1, 0), ++ BPF_MOV64_IMM(BPF_REG_2, 8), ++ BPF_MOV64_IMM(BPF_REG_3, 0), ++ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve), ++ /* store a pointer to the reserved memory in R6 */ ++ BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), ++ /* check whether the reservation was successful */ ++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), ++ /* spill R6(mem) into the stack */ ++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8), ++ /* fill it back in R7 */ ++ BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_10, -8), ++ /* should be able to access *(R7) = 0 */ ++ BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 0), ++ /* submit the reserved ringbuf memory */ ++ BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), ++ BPF_MOV64_IMM(BPF_REG_2, 0), ++ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .fixup_map_ringbuf = { 1 }, ++ .result = ACCEPT, ++ .result_unpriv = ACCEPT, ++}, ++{ + "check corrupted spill/fill", + .insns = { + /* spill R1(ctx) into stack */ 
diff --git a/tmp-5.10/selftests-rtnetlink-remove-netdevsim-device-after-ip.patch b/tmp-5.10/selftests-rtnetlink-remove-netdevsim-device-after-ip.patch new file mode 100644 index 00000000000..db3e530d321 --- /dev/null +++ b/tmp-5.10/selftests-rtnetlink-remove-netdevsim-device-after-ip.patch @@ -0,0 +1,40 @@ +From 60665650fdbfd3d71145d0f63c21e45e313f606a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jun 2023 23:03:34 +0200 +Subject: selftests: rtnetlink: remove netdevsim device after ipsec offload + test + +From: Sabrina Dubroca + +[ Upstream commit 5f789f103671fec3733ebe756e56adf15c90c21d ] + +On systems where netdevsim is built-in or loaded before the test +starts, kci_test_ipsec_offload doesn't remove the netdevsim device it +created during the test. + +Fixes: e05b2d141fef ("netdevsim: move netdev creation/destruction to dev probe") +Signed-off-by: Sabrina Dubroca +Reviewed-by: Simon Horman +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/e1cb94f4f82f4eca4a444feec4488a1323396357.1687466906.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/rtnetlink.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh +index c3a905923ef29..cbf166df57da7 100755 +--- a/tools/testing/selftests/net/rtnetlink.sh ++++ b/tools/testing/selftests/net/rtnetlink.sh +@@ -835,6 +835,7 @@ EOF + fi + + # clean up any leftovers ++ echo 0 > /sys/bus/netdevsim/del_device + $probed && rmmod netdevsim + + if [ $ret -ne 0 ]; then +-- +2.39.2 + diff --git a/tmp-5.10/selftests-tc-add-ct-action-kconfig-dep.patch b/tmp-5.10/selftests-tc-add-ct-action-kconfig-dep.patch new file mode 100644 index 00000000000..7fda7e0d332 --- /dev/null +++ b/tmp-5.10/selftests-tc-add-ct-action-kconfig-dep.patch 
@@ -0,0 +1,43 @@ +From 719b4774a8cb1a501e2d22a5a4a3a0a870e427d5 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Thu, 13 Jul 2023 23:16:45 +0200 +Subject: selftests: tc: add 'ct' action kconfig dep + +From: Matthieu Baerts + +commit 719b4774a8cb1a501e2d22a5a4a3a0a870e427d5 upstream. + +When looking for something else in LKFT reports [1], I noticed most of +the tests were skipped because the "teardown stage" did not complete +successfully. + +Pedro found out this is due to the fact CONFIG_NF_FLOW_TABLE is required +but not listed in the 'config' file. Adding it to the list fixes the +issues on LKFT side. CONFIG_NET_ACT_CT is now set to 'm' in the final +kconfig. + +Fixes: c34b961a2492 ("net/sched: act_ct: Create nf flow table per zone") +Cc: stable@vger.kernel.org +Link: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230711/testrun/18267241/suite/kselftest-tc-testing/test/tc-testing_tdc_sh/log [1] +Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [2] +Suggested-by: Pedro Tammela +Signed-off-by: Matthieu Baerts +Tested-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-2-1eb4fd3a96e7@tessares.net +Acked-by: Jamal Hadi Salim +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/tc-testing/config | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/tc-testing/config ++++ b/tools/testing/selftests/tc-testing/config +@@ -5,6 +5,7 @@ CONFIG_NF_CONNTRACK=m + CONFIG_NF_CONNTRACK_MARK=y + CONFIG_NF_CONNTRACK_ZONES=y + CONFIG_NF_CONNTRACK_LABELS=y ++CONFIG_NF_FLOW_TABLE=m + CONFIG_NF_NAT=m + + CONFIG_NET_SCHED=y diff --git a/tmp-5.10/selftests-tc-set-timeout-to-15-minutes.patch b/tmp-5.10/selftests-tc-set-timeout-to-15-minutes.patch new file mode 100644 index 00000000000..ea00bbfff7d --- /dev/null +++ b/tmp-5.10/selftests-tc-set-timeout-to-15-minutes.patch 
@@ -0,0 +1,43 @@ +From fda05798c22a354efde09a76bdfc276b2d591829 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Thu, 13 Jul 2023 23:16:44 +0200 +Subject: selftests: tc: set timeout to 15 minutes + +From: Matthieu Baerts + +commit fda05798c22a354efde09a76bdfc276b2d591829 upstream. + +When looking for something else in LKFT reports [1], I noticed that the +TC selftest ended with a timeout error: + + not ok 1 selftests: tc-testing: tdc.sh # TIMEOUT 45 seconds + +The timeout had been introduced 3 years ago, see the Fixes commit below. + +This timeout is only in place when executing the selftests via the +kselftests runner scripts. I guess this is not what most TC devs are +using and nobody noticed the issue before. + +The new timeout is set to 15 minutes as suggested by Pedro [2]. It looks +like it is plenty more time than what it takes in "normal" conditions. + +Fixes: 852c8cbf34d3 ("selftests/kselftest/runner.sh: Add 45 second timeout per test") +Cc: stable@vger.kernel.org +Link: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230711/testrun/18267241/suite/kselftest-tc-testing/test/tc-testing_tdc_sh/log [1] +Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [2] +Suggested-by: Pedro Tammela +Signed-off-by: Matthieu Baerts +Reviewed-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-1-1eb4fd3a96e7@tessares.net +Acked-by: Jamal Hadi Salim +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/tc-testing/settings | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 tools/testing/selftests/tc-testing/settings + +--- /dev/null ++++ b/tools/testing/selftests/tc-testing/settings +@@ -0,0 +1 @@ ++timeout=900 diff --git a/tmp-5.10/serial-8250-lock-port-for-stop_rx-in-omap8250_irq.patch b/tmp-5.10/serial-8250-lock-port-for-stop_rx-in-omap8250_irq.patch new file mode 100644 index 00000000000..7f8fe978d88 --- /dev/null 
+++ b/tmp-5.10/serial-8250-lock-port-for-stop_rx-in-omap8250_irq.patch @@ -0,0 +1,39 @@ +From e04546ffa851be423fd130d38c68ef1fb1b77508 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 11:37:54 +0206 +Subject: serial: 8250: lock port for stop_rx() in omap8250_irq() + +From: John Ogness + +[ Upstream commit ca73a892c5bec4b08a2fa22b3015e98ed905abb7 ] + +The uarts_ops stop_rx() callback expects that the port->lock is +taken and interrupts are disabled. + +Fixes: 1fe0e1fa3209 ("serial: 8250_omap: Handle optional overrun-throttle-ms property") +Signed-off-by: John Ogness +Reviewed-by: Tony Lindgren +Link: https://lore.kernel.org/r/20230525093159.223817-4-john.ogness@linutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_omap.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c +index 6b255e1633fd4..6043d4fa08cc2 100644 +--- a/drivers/tty/serial/8250/8250_omap.c ++++ b/drivers/tty/serial/8250/8250_omap.c +@@ -655,7 +655,9 @@ static irqreturn_t omap8250_irq(int irq, void *dev_id) + + up->ier = port->serial_in(port, UART_IER); + if (up->ier & (UART_IER_RLSI | UART_IER_RDI)) { ++ spin_lock(&port->lock); + port->ops->stop_rx(port); ++ spin_unlock(&port->lock); + } else { + /* Keep restarting the timer until + * the input overrun subsides. +-- +2.39.2 + diff --git a/tmp-5.10/serial-8250-lock-port-for-uart_ier-access-in-omap825.patch b/tmp-5.10/serial-8250-lock-port-for-uart_ier-access-in-omap825.patch new file mode 100644 index 00000000000..ddb652ad6fd --- /dev/null +++ b/tmp-5.10/serial-8250-lock-port-for-uart_ier-access-in-omap825.patch 
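Review bot: The added `spin_lock(&port->lock)` in omap8250_irq() does not disable interrupts itself, although the commit message says `stop_rx()` expects the port lock held and interrupts disabled. That is satisfied only on the assumption that this handler always runs with interrupts already off, which the hunk does not show. I would either state the assumption next to the lock, e.g. `/* hard-IRQ context: interrupts are already disabled */`, or use `spin_lock_irqsave()` if that cannot be guaranteed. The follow-up patch that widens this locked region to cover the `UART_IER` read keeps the same plain `spin_lock()`, so the same comment applies there.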
@@ -0,0 +1,57 @@
+From 1935ecdb4cad47562049cf28d628af768af28a5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 May 2023 11:37:58 +0206
+Subject: serial: 8250: lock port for UART_IER access in omap8250_irq()
+
+From: John Ogness
+
+[ Upstream commit 25614735a647693c1260f253dc3ab32127697806 ]
+
+omap8250_irq() accesses UART_IER. This register is modified twice
+by each console write (serial8250_console_write()) under the port
+lock. omap8250_irq() must also take the port lock to guanentee
+synchronized access to UART_IER.
+
+Since the port lock is already being taken for the stop_rx() callback
+and since it is safe to call cancel_delayed_work() while holding the
+port lock, simply extend the port lock region to include UART_IER
+access.
+
+Fixes: 1fe0e1fa3209 ("serial: 8250_omap: Handle optional overrun-throttle-ms property")
+Signed-off-by: John Ogness
+Reviewed-by: Tony Lindgren
+Link: https://lore.kernel.org/r/20230525093159.223817-8-john.ogness@linutronix.de
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/8250/8250_omap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index 6043d4fa08cc2..af39a2c4c2eee 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -653,17 +653,18 @@ static irqreturn_t omap8250_irq(int irq, void *dev_id)
+ if ((lsr & UART_LSR_OE) && up->overrun_backoff_time_ms > 0) {
+ unsigned long delay;
+
++ /* Synchronize UART_IER access against the console. */
++ spin_lock(&port->lock);
+ up->ier = port->serial_in(port, UART_IER);
+ if (up->ier & (UART_IER_RLSI | UART_IER_RDI)) {
+- spin_lock(&port->lock);
+ port->ops->stop_rx(port);
+- spin_unlock(&port->lock);
+ } else {
+ /* Keep restarting the timer until
+ * the input overrun subsides.
+ */
+ cancel_delayed_work(&up->overrun_backoff);
+ }
++ spin_unlock(&port->lock);
+
+ delay = msecs_to_jiffies(up->overrun_backoff_time_ms);
+ schedule_delayed_work(&up->overrun_backoff, delay);
+--
+2.39.2
+
diff --git a/tmp-5.10/serial-8250-omap-fix-freeing-of-resources-on-failed-.patch b/tmp-5.10/serial-8250-omap-fix-freeing-of-resources-on-failed-.patch
new file mode 100644
index 00000000000..ec56646f61e
--- /dev/null
+++ b/tmp-5.10/serial-8250-omap-fix-freeing-of-resources-on-failed-.patch
@@ -0,0 +1,42 @@
+From 1ceb0cfae3f147ed45511758f1bc7e136eee2fdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 8 May 2023 11:20:11 +0300
+Subject: serial: 8250: omap: Fix freeing of resources on failed register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tony Lindgren
+
+[ Upstream commit b9ab22c2bc8652324a803b3e2be69838920b4025 ]
+
+If serial8250_register_8250_port() fails, the SoC can hang as the
+deferred PMQoS work will still run as is not flushed and removed.
+
+Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver")
+Signed-off-by: Tony Lindgren
+Reviewed-by: Ilpo Järvinen
+Link: https://lore.kernel.org/r/20230508082014.23083-2-tony@atomide.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/8250/8250_omap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index 483fff3a95c9e..6b255e1633fd4 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -1469,7 +1469,9 @@ static int omap8250_probe(struct platform_device *pdev)
+ err:
+ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_put_sync(&pdev->dev);
++ flush_work(&priv->qos_work);
+ pm_runtime_disable(&pdev->dev);
++ cpu_latency_qos_remove_request(&priv->pm_qos_request);
+ return ret;
+ }
+
+--
+2.39.2
+
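Review bot: The `err:` path in omap8250_probe() now calls `cpu_latency_qos_remove_request(&priv->pm_qos_request)` unconditionally, which is only correct if every `goto err` happens after the request was added; the hunk shows neither the add call nor the jumps, so this should be confirmed against the full function. The ordering of the two new calls also matters and is undocumented: `flush_work(&priv->qos_work)` has to finish before the request is removed, presumably because the work item updates that request. A short comment above the new lines, e.g. `/* flush QoS work before dropping the request it updates */`, would keep a later reorder from reintroducing the hang described in the commit message. The function body starts outside the hunk.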
diff --git a/tmp-5.10/serial-8250_omap-use-force_suspend-and-resume-for-sy.patch b/tmp-5.10/serial-8250_omap-use-force_suspend-and-resume-for-sy.patch
new file mode 100644
index 00000000000..e4ac719301e
--- /dev/null
+++ b/tmp-5.10/serial-8250_omap-use-force_suspend-and-resume-for-sy.patch
@@ -0,0 +1,78 @@
+From 781c0a0ccf31f9b540f2b9b464dff8229c4ee2d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jun 2023 07:59:19 +0300
+Subject: serial: 8250_omap: Use force_suspend and resume for system suspend
+
+From: Tony Lindgren
+
+[ Upstream commit 20a41a62618df85f3a2981008edec5cadd785e0a ]
+
+We should not rely on autosuspend timeout for system suspend. Instead,
+let's use force_suspend and force_resume functions. Otherwise the serial
+port controller device may not be idled on suspend.
+
+As we are doing a register write on suspend to configure the serial port,
+we still need to runtime PM resume the port on suspend.
+
+While at it, let's switch to pm_runtime_resume_and_get() and check for
+errors returned. And let's add the missing line break before return to the
+suspend function while at it.
+
+Fixes: 09d8b2bdbc5c ("serial: 8250: omap: Provide ability to enable/disable UART as wakeup source")
+Signed-off-by: Tony Lindgren
+Tested-by: Dhruva Gole
+Message-ID: <20230614045922.4798-1-tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/8250/8250_omap.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index af39a2c4c2eee..e26ac3f42e05c 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -1521,25 +1521,35 @@ static int omap8250_suspend(struct device *dev)
+ {
+ struct omap8250_priv *priv = dev_get_drvdata(dev);
+ struct uart_8250_port *up = serial8250_get_port(priv->line);
++ int err;
+
+ serial8250_suspend_port(priv->line);
+
+- pm_runtime_get_sync(dev);
++ err = pm_runtime_resume_and_get(dev);
++ if (err)
++ return err;
+ if (!device_may_wakeup(dev))
+ priv->wer = 0;
+ serial_out(up, UART_OMAP_WER, priv->wer);
+- pm_runtime_mark_last_busy(dev);
+- pm_runtime_put_autosuspend(dev);
+-
++ err = pm_runtime_force_suspend(dev);
+ flush_work(&priv->qos_work);
+- return 0;
++
++ return err;
+ }
+
+ static int omap8250_resume(struct device *dev)
+ {
+ struct omap8250_priv *priv = dev_get_drvdata(dev);
++ int err;
+
++ err = pm_runtime_force_resume(dev);
++ if (err)
++ return err;
+ serial8250_resume_port(priv->line);
++ /* Paired with pm_runtime_resume_and_get() in omap8250_suspend() */
++ pm_runtime_mark_last_busy(dev);
++ pm_runtime_put_autosuspend(dev);
++
+ return 0;
+ }
+ #else
+--
+2.39.2
+
diff --git a/tmp-5.10/serial-atmel-don-t-enable-irqs-prematurely.patch b/tmp-5.10/serial-atmel-don-t-enable-irqs-prematurely.patch
new file mode 100644
index 00000000000..ef5da09ec7b
--- /dev/null
+++ b/tmp-5.10/serial-atmel-don-t-enable-irqs-prematurely.patch
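Review bot: In omap8250_suspend() the new early return `if (err) return err;` after `pm_runtime_resume_and_get(dev)` runs after `serial8250_suspend_port(priv->line)` has already been called, so a failed runtime resume aborts system suspend while leaving the port suspended. Consider undoing that first, `if (err) { serial8250_resume_port(priv->line); return err; }`, or taking the runtime PM reference before suspending the port. The error paths are also unbalanced for the usage count: if `pm_runtime_force_suspend(dev)` fails in suspend, or `pm_runtime_force_resume(dev)` fails in omap8250_resume(), the `pm_runtime_put_autosuspend(dev)` that the new comment pairs with the get is never reached. Whether the PM core tolerates that is not visible here, so it deserves at least a comment on both returns.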
@@ -0,0 +1,45 @@
+From 27a826837ec9a3e94cc44bd9328b8289b0fcecd7 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 19 Jun 2023 12:45:17 +0300
+Subject: serial: atmel: don't enable IRQs prematurely
+
+From: Dan Carpenter
+
+commit 27a826837ec9a3e94cc44bd9328b8289b0fcecd7 upstream.
+
+The atmel_complete_tx_dma() function disables IRQs at the start
+of the function by calling spin_lock_irqsave(&port->lock, flags);
+There is no need to disable them a second time using the
+spin_lock_irq() function and, in fact, doing so is a bug because
+it will enable IRQs prematurely when we call spin_unlock_irq().
+
+Just use spin_lock/unlock() instead without disabling or enabling
+IRQs.
+
+Fixes: 08f738be88bb ("serial: at91: add tx dma support")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Jiri Slaby
+Acked-by: Richard Genoud
+Link: https://lore.kernel.org/r/cb7c39a9-c004-4673-92e1-be4e34b85368@moroto.mountain
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/atmel_serial.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -873,11 +873,11 @@ static void atmel_complete_tx_dma(void *
+
+ port->icount.tx += atmel_port->tx_len;
+
+- spin_lock_irq(&atmel_port->lock_tx);
++ spin_lock(&atmel_port->lock_tx);
+ async_tx_ack(atmel_port->desc_tx);
+ atmel_port->cookie_tx = -EINVAL;
+ atmel_port->desc_tx = NULL;
+- spin_unlock_irq(&atmel_port->lock_tx);
++ spin_unlock(&atmel_port->lock_tx);
+
+ if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
+ uart_write_wakeup(port);
diff --git a/tmp-5.10/series b/tmp-5.10/series
new file mode 100644
index 00000000000..cd224b7ef1d
--- /dev/null
+++ b/tmp-5.10/series
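Review bot: The plain `spin_lock(&atmel_port->lock_tx)` in atmel_complete_tx_dma() is only safe because interrupts are already disabled by the `spin_lock_irqsave(&port->lock, flags)` the commit message mentions, and that call is outside the hunk, so the dependency is invisible at the lock site. Add a comment on the lock line, e.g. `/* IRQs are off: port->lock was taken with spin_lock_irqsave() above */`, so the nesting is not changed back to an _irq variant later. It is also worth checking that every other taker of `lock_tx` disables interrupts itself, since this path takes it with interrupts off; those call sites are not shown. The function starts and ends outside the hunk.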
@@ -0,0 +1,512 @@
+media-atomisp-fix-variable-dereferenced-before-check-asd.patch
+x86-microcode-amd-load-late-on-both-threads-too.patch
+x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch
+can-isotp-isotp_sendmsg-fix-return-error-fix-on-tx-path.patch
+video-imsttfb-check-for-ioremap-failures.patch
+fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch
+hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch
+hid-logitech-hidpp-add-hidpp_quirk_delayed_init-for-the-t651.patch
+revert-thermal-drivers-mediatek-use-devm_of_iomap-to-avoid-resource-leak-in-mtk_thermal_probe.patch
+scripts-tags.sh-resolve-gtags-empty-index-generation.patch
+drm-amdgpu-validate-vm-ioctl-flags.patch
+nubus-partially-revert-proc_create_single_data-conversion.patch
+fs-pipe-reveal-missing-function-protoypes.patch
+x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch
+blk-iocost-use-spin_lock_irqsave-in-adjust_inuse_and.patch
+md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch
+md-raid10-fix-overflow-of-md-safe_mode_delay.patch
+md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch
+md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch
+md-raid10-fix-io-loss-while-replacement-replace-rdev.patch
+irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch
+irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch
+posix-timers-prevent-rt-livelock-in-itimer_delete.patch
+tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch
+clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch
+pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch
+perf-arm-cmn-fix-dtc-reset.patch
+powercap-rapl-fix-config_iosf_mbi-dependency.patch
+arm-9303-1-kprobes-avoid-missing-declaration-warning.patch
+cpufreq-intel_pstate-fix-energy_performance_preferen.patch
+thermal-drivers-sun8i-fix-some-error-handling-paths-.patch
+rcuscale-console-output-claims-too-few-grace-periods.patch
+rcuscale-always-log-error-message.patch
+rcuscale-move-shutdown-from-wait_event-to-wait_event.patch
+rcu-rcuscale-move-rcu_scale_-after-kfree_scale_clean.patch
+rcu-rcuscale-stop-kfree_scale_thread-thread-s-after-.patch
+perf-ibs-fix-interface-via-core-pmu-events.patch
+x86-mm-fix-__swp_entry_to_pte-for-xen-pv-guests.patch
+evm-complete-description-of-evm_inode_setattr.patch
+ima-fix-build-warnings.patch
+pstore-ram-add-check-for-kstrdup.patch
+igc-enable-and-fix-rx-hash-usage-by-netstack.patch
+wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch
+wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch
+samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch
+spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch
+wifi-wilc1000-fix-for-absent-rsn-capabilities-wfa-te.patch
+wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch
+bpf-remove-extra-lock_sock-for-tcp_zerocopy_receive.patch
+sctp-add-bpf_bypass_getsockopt-proto-callback.patch
+libbpf-fix-offsetof-and-container_of-to-work-with-co.patch
+nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch
+nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch
+bpftool-jit-limited-misreported-as-negative-value-on.patch
+regulator-core-fix-more-error-checking-for-debugfs_c.patch
+regulator-core-streamline-debugfs-operations.patch
+wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch
+wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch
+wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch
+wl3501_cs-fix-misspelling-and-provide-missing-docume.patch
+net-create-netdev-dev_addr-assignment-helpers.patch
+wl3501_cs-use-eth_hw_addr_set.patch
+wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch
+wifi-ray_cs-utilize-strnlen-in-parse_addr.patch
+wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch
+wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch
+wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch
+wifi-rsi-do-not-configure-wowlan-in-shutdown-hook-if.patch
+wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch
+watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch
+watchdog-perf-more-properly-prevent-false-positives-.patch
+kexec-fix-a-memory-leak-in-crash_shrink_memory.patch
+memstick-r592-make-memstick_debug_get_tpc_name-stati.patch
+wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch
+rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch
+wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch
+wifi-cfg80211-rewrite-merging-of-inherited-elements.patch
+wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch
+igc-fix-race-condition-in-ptp-tx-code.patch
+net-stmmac-fix-double-serdes-powerdown.patch
+netlink-fix-potential-deadlock-in-netlink_set_err.patch
+netlink-do-not-hard-code-device-address-lenth-in-fdb.patch
+selftests-rtnetlink-remove-netdevsim-device-after-ip.patch
+gtp-fix-use-after-free-in-__gtp_encap_destroy.patch
+net-axienet-move-reset-before-64-bit-dma-detection.patch
+sfc-fix-crash-when-reading-stats-while-nic-is-resett.patch
+nfc-llcp-simplify-llcp_sock_connect-error-paths.patch
+net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch
+lib-ts_bm-reset-initial-match-offset-for-every-block.patch
+netfilter-conntrack-dccp-copy-entire-header-to-stack.patch
+netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch
+ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch
+netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch
+radeon-avoid-double-free-in-ci_dpm_init.patch
+drm-amd-display-explicitly-specify-update-type-per-p.patch
+input-drv260x-sleep-between-polling-go-bit.patch
+drm-bridge-tc358768-always-enable-hs-video-mode.patch
+drm-bridge-tc358768-fix-pll-parameters-computation.patch
+drm-bridge-tc358768-fix-pll-target-frequency.patch
+drm-bridge-tc358768-fix-tclk_zerocnt-computation.patch
+drm-bridge-tc358768-add-atomic_get_input_bus_fmts-im.patch
+drm-bridge-tc358768-fix-tclk_trailcnt-computation.patch
+drm-bridge-tc358768-fix-ths_zerocnt-computation.patch
+drm-bridge-tc358768-fix-txtagocnt-computation.patch
+drm-bridge-tc358768-fix-ths_trailcnt-computation.patch
+drm-vram-helper-fix-function-names-in-vram-helper-do.patch
+arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch
+arm-dts-meson8b-correct-uart_b-and-uart_c-clock-refe.patch
+input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch
+drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch
+drm-panel-sharp-ls043t1le01-adjust-mode-settings.patch
+arm-dts-stm32-move-ethernet-mac-eeprom-from-som-to-c.patch
+bus-ti-sysc-fix-dispc-quirk-masking-bool-variables.patch
+arm64-dts-microchip-sparx5-do-not-use-psci-on-refere.patch
+rdma-bnxt_re-disable-kill-tasklet-only-if-it-is-enab.patch
+rdma-bnxt_re-fix-to-remove-unnecessary-return-labels.patch
+rdma-bnxt_re-use-unique-names-while-registering-inte.patch
+rdma-bnxt_re-remove-a-redundant-check-inside-bnxt_re.patch
+rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch
+arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch
+arm64-dts-qcom-msm8916-correct-camss-unit-address.patch
+arm64-dts-qcom-msm8994-correct-spmi-unit-address.patch
+arm64-dts-qcom-msm8996-correct-camss-unit-address.patch
+drm-panel-simple-fix-active-size-for-ampire-am-48027.patch
+arm-ep93xx-fix-missing-prototype-warnings.patch
+arm-omap2-fix-missing-tick_broadcast-prototype.patch
+arm64-dts-qcom-apq8096-fix-fixed-regulator-name-prop.patch
+arm-dts-stm32-shorten-the-av96-hdmi-sound-card-name.patch
+memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch
+asoc-es8316-increment-max-value-for-alc-capture-targ.patch
+asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch
+arm-dts-meson8-correct-uart_b-and-uart_c-clock-refer.patch
+soc-fsl-qe-fix-usb.c-build-errors.patch
+ib-hfi1-use-bitmap_zalloc-when-applicable.patch
+ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch
+ib-hfi1-fix-wrong-mmu_node-used-for-user-sdma-packet.patch
+rdma-remove-uverbs_ex_cmd_mask-values-that-are-linke.patch
+rdma-hns-fix-coding-style-issues.patch
+rdma-hns-use-refcount_t-apis-for-hem.patch
+rdma-hns-clean-the-hardware-related-code-for-hem.patch
+rdma-hns-fix-hns_roce_table_get-return-value.patch
+arm-dts-iwg20d-q7-common-fix-backlight-pwm-specifier.patch
+arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch
+fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch
+arm64-dts-ti-k3-j7200-fix-physical-address-of-pin.patch
+arm-dts-stm32-fix-audio-routing-on-stm32mp15xx-dhcom.patch
+arm-dts-stm32-fix-i2s-endpoint-format-property-for-s.patch
+hwmon-gsc-hwmon-fix-fan-pwm-temperature-scaling.patch
+hwmon-adm1275-enable-adm1272-temperature-reporting.patch
+hwmon-adm1275-allow-setting-sample-averaging.patch
+hwmon-pmbus-adm1275-fix-problems-with-temperature-mo.patch
+arm-dts-bcm5301x-fix-duplex-full-full-duplex.patch
+drm-amdkfd-fix-potential-deallocation-of-previously-.patch
+drm-radeon-fix-possible-division-by-zero-errors.patch
+amdgpu-validate-offset_in_bo-of-drm_amdgpu_gem_va.patch
+rdma-bnxt_re-wraparound-mbox-producer-index.patch
+rdma-bnxt_re-avoid-calling-wake_up-threads-from-spin.patch
+clk-imx-clk-imx8mn-fix-memory-leak-in-imx8mn_clocks_.patch
+clk-imx-clk-imx8mp-improve-error-handling-in-imx8mp_.patch
+clk-tegra-tegra124-emc-fix-potential-memory-leak.patch
+alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch
+drm-msm-dpu-do-not-enable-color-management-if-dspps-.patch
+drm-msm-dp-free-resources-after-unregistering-them.patch
+clk-vc5-check-memory-returned-by-kasprintf.patch
+clk-cdce925-check-return-value-of-kasprintf.patch
+clk-si5341-allow-different-output-vdd_sel-values.patch
+clk-si5341-add-sysfs-properties-to-allow-checking-re.patch
+clk-si5341-return-error-if-one-synth-clock-registrat.patch
+clk-si5341-check-return-value-of-devm_-kasprintf.patch
+clk-si5341-free-unused-memory-on-probe-failure.patch
+clk-keystone-sci-clk-check-return-value-of-kasprintf.patch
+clk-ti-clkctrl-check-return-value-of-kasprintf.patch
+drivers-meson-secure-pwrc-always-enable-dma-domain.patch
+ovl-update-of-dentry-revalidate-flags-after-copy-up.patch
+asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch
+pci-cadence-fix-gen2-link-retraining-process.patch
+scsi-qedf-fix-null-dereference-in-error-handling.patch
+pinctrl-bcm2835-handle-gpiochip_add_pin_range-errors.patch
+pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch
+scsi-3w-xxxx-add-error-handling-for-initialization-f.patch
+pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch
+pci-ftpci100-release-the-clock-resources.patch
+pci-add-pci_clear_master-stub-for-non-config_pci.patch
+perf-bench-use-unbuffered-output-when-pipe-tee-ing-t.patch
+perf-bench-add-missing-setlocale-call-to-allow-usage.patch
+pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch
+kcsan-don-t-expect-64-bits-atomic-builtins-from-32-b.patch
+perf-script-fixup-struct-evsel_script-method-prefix.patch
+perf-script-fix-allocation-of-evsel-priv-related-to-.patch
+perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch
+pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch
+powerpc-powernv-sriov-perform-null-check-on-iov-befo.patch
+mm-rename-pud_page_vaddr-to-pud_pgtable-and-make-it-.patch
+mm-rename-p4d_page_vaddr-to-p4d_pgtable-and-make-it-.patch
+powerpc-book3s64-mm-fix-directmap-stats-in-proc-memi.patch
+powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch
+hwrng-virtio-add-an-internal-buffer.patch
+hwrng-virtio-don-t-wait-on-cleanup.patch
+hwrng-virtio-don-t-waste-entropy.patch
+hwrng-virtio-always-add-a-pending-request.patch
+hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch
+crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch
+modpost-fix-section-mismatch-message-for-r_arm_abs32.patch
+modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch
+crypto-marvell-cesa-fix-type-mismatch-warning.patch
+modpost-fix-off-by-one-in-is_executable_section.patch
+arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch
+nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch
+dax-fix-dax_mapping_release-use-after-free.patch
+dax-introduce-alloc_dev_dax_id.patch
+hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch
+io_uring-ensure-iopoll-locks-around-deferred-work.patch
+usb-serial-option-add-lara-r6-01b-pids.patch
+usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch
+phy-tegra-xusb-clear-the-driver-reference-in-usb-phy-dev.patch
+block-fix-signed-int-overflow-in-amiga-partition-support.patch
+block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch
+sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch
+w1-w1_therm-fix-locking-behavior-in-convert_t.patch
+w1-fix-loop-in-w1_fini.patch
+sh-j2-use-ioremap-to-translate-device-tree-address-i.patch
+serial-8250-omap-fix-freeing-of-resources-on-failed-.patch
+clk-qcom-gcc-ipq6018-use-floor-ops-for-sdcc-clocks.patch
+media-usb-check-az6007_read-return-value.patch
+media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch
+media-usb-siano-fix-warning-due-to-null-work_func_t-.patch
+clk-qcom-reset-allow-specifying-custom-reset-delay.patch
+clk-qcom-reset-support-resetting-multiple-bits.patch
+clk-qcom-ipq6018-fix-networking-resets.patch
+usb-dwc3-qcom-fix-potential-memory-leak.patch
+usb-gadget-u_serial-add-null-pointer-check-in-gseria.patch
+extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch
+extcon-fix-kernel-doc-of-property-capability-fields-.patch
+usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch
+usb-hide-unused-usbfs_notify_suspend-resume-function.patch
+serial-8250-lock-port-for-stop_rx-in-omap8250_irq.patch
+serial-8250-lock-port-for-uart_ier-access-in-omap825.patch
+kernfs-fix-missing-kernfs_idr_lock-to-remove-an-id-f.patch
+coresight-fix-loss-of-connection-info-when-a-module-.patch
+mfd-rt5033-drop-rt5033-battery-sub-device.patch
+media-venus-helpers-fix-align-of-non-power-of-two.patch
+media-atomisp-gmin_platform-fix-out_len-in-gmin_get_.patch
+kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch
+usb-dwc3-qcom-release-the-correct-resources-in-dwc3_.patch
+usb-dwc3-qcom-fix-an-error-handling-path-in-dwc3_qco.patch
+usb-common-usb-conn-gpio-set-last-role-to-unknown-be.patch
+usb-dwc3-meson-g12a-fix-an-error-handling-path-in-dw.patch
+mfd-intel-lpss-add-missing-check-for-platform_get_re.patch
+revert-usb-common-usb-conn-gpio-set-last-role-to-unk.patch
+serial-8250_omap-use-force_suspend-and-resume-for-sy.patch
+test_firmware-return-enomem-instead-of-enospc-on-fai.patch
+mfd-stmfx-fix-error-path-in-stmfx_chip_init.patch
+mfd-stmfx-nullify-stmfx-vdd-in-case-of-error.patch
+kvm-s390-vsie-fix-the-length-of-apcb-bitmap.patch
+mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch
+phy-tegra-xusb-check-return-value-of-devm_kzalloc.patch
+pwm-imx-tpm-force-real_period-to-be-zero-in-suspend.patch
+pwm-sysfs-do-not-apply-state-to-already-disabled-pwm.patch
+rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch
+media-cec-i2c-ch7322-also-select-regmap.patch
+sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch
+add-module_firmware-for-firmware_tg357766.patch
+net-dsa-vsc73xx-fix-mtu-configuration.patch
+spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch
+mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch
+f2fs-fix-error-path-handling-in-truncate_dnode.patch
+octeontx2-af-fix-mapping-for-nix-block-from-cgx-conn.patch
+powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch
+net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch
+tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch
+xsk-honor-so_bindtodevice-on-bind.patch
+net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch
+pptp-fix-fib-lookup-calls.patch
+net-dsa-tag_sja1105-fix-mac-da-patching-from-meta-fr.patch
+s390-qeth-fix-vipa-deletion.patch
+sh-dma-fix-dma-channel-offset-calculation.patch
+apparmor-fix-missing-error-check-for-rhashtable_inse.patch
+i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch
+i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch
+alsa-jack-fix-mutex-call-in-snd_jack_report.patch
+i2c-qup-add-missing-unwind-goto-in-qup_i2c_probe.patch
+nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch
+io_uring-wait-interruptibly-for-request-completions-on-exit.patch
+mmc-core-disable-trim-on-kingston-emmc04g-m627.patch
+mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch
+mmc-mmci-set-probe_prefer_asynchronous.patch
+mmc-sdhci-fix-dma-configure-compatibility-issue-when-64bit-dma-mode-is-used.patch
+bcache-fixup-btree_cache_wait-list-damage.patch
+bcache-remove-unnecessary-null-point-check-in-node-allocations.patch
+bcache-fix-__bch_btree_node_alloc-to-make-the-failure-behavior-consistent.patch
+um-use-host_dir-for-mrproper.patch
+integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch
+autofs-use-flexible-array-in-ioctl-structure.patch
+shmem-use-ramfs_kill_sb-for-kill_sb-method-of-ramfs-based-tmpfs.patch
+jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch
+fs-avoid-empty-option-when-generating-legacy-mount-string.patch
+ext4-remove-ext4-locking-of-moved-directory.patch
+revert-f2fs-fix-potential-corruption-when-moving-a-directory.patch
+fs-establish-locking-order-for-unrelated-directories.patch
+fs-lock-moved-directories.patch
+btrfs-add-handling-for-raid1c23-dup-to-btrfs_reduce_alloc_profile.patch
+btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch
+asoc-mediatek-mt8173-fix-irq-error-path.patch
+asoc-mediatek-mt8173-fix-snd_soc_component_initialize-error-path.patch
+arm-orion5x-fix-d2net-gpio-initialization.patch
+leds-trigger-netdev-recheck-netdev_led_mode_linkup-on-dev-rename.patch
+fs-no-need-to-check-source.patch
+fanotify-disallow-mount-sb-marks-on-kernel-internal-pseudo-fs.patch
+tpm-tpm_tis-claim-locality-in-interrupt-handler.patch
+selftests-bpf-add-verifier-test-for-ptr_to_mem-spill.patch
+block-add-overflow-checks-for-amiga-partition-support.patch
+sh-pgtable-3level-fix-cast-to-pointer-from-integer-of-different-size.patch
+netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch
+netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch
+netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch
+netfilter-nf_tables-fix-chain-binding-transaction-logic.patch
+netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch
+netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch
+netfilter-nf_tables-reject-unbound-chain-set-before-commit-phase.patch
+netfilter-nftables-rename-set-element-data-activation-deactivation-functions.patch
+netfilter-nf_tables-drop-map-element-references-from-preparation-phase.patch
+netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
+netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch
+netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch
+netfilter-nf_tables-do-not-ignore-genmask-when-looking-up-chain-by-id.patch
+netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch
+wireguard-queueing-use-saner-cpu-selection-wrapping.patch
+wireguard-netlink-send-staged-packets-when-setting-initial-private-key.patch
+tty-serial-fsl_lpuart-add-earlycon-for-imx8ulp-platform.patch
+rcu-tasks-mark-trc_reader_nesting-data-races.patch
+rcu-tasks-mark-trc_reader_special.b.need_qs-data-races.patch
+rcu-tasks-simplify-trc_read_check_handler-atomic-operations.patch
+block-partition-fix-signedness-issue-for-amiga-partitions.patch
+io_uring-use-io_schedule-in-cqring-wait.patch
+io_uring-add-reschedule-point-to-handle_tw_list.patch
+net-lan743x-don-t-sleep-in-atomic-context.patch
+workqueue-clean-up-work_-constant-types-clarify-masking.patch
+drm-panel-simple-add-connector_type-for-innolux_at04.patch
+drm-panel-simple-add-powertip-ph800480t013-drm_displ.patch
+igc-remove-delay-during-tx-ring-configuration.patch
+net-mlx5e-fix-double-free-in-mlx5e_destroy_flow_tabl.patch
+net-mlx5e-check-for-not_ready-flag-state-after-locki.patch
+igc-set-tp-bit-in-supported-and-advertising-fields-o.patch
+scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch
+net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch
+net-sched-cls_fw-fix-improper-refcount-update-leads-.patch
+gve-set-default-duplex-configuration-to-full.patch
+ionic-remove-warn_on-to-prevent-panic_on_warn.patch
+net-bgmac-postpone-turning-irqs-off-to-avoid-soc-han.patch
+net-prevent-skb-corruption-on-frag-list-segmentation.patch
+icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch
+udp6-fix-udp6_ehashfn-typo.patch
+ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch
+ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch
+ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch
+ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch
+ntb-ntb_tool-add-check-for-devm_kcalloc.patch
+ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch
+platform-x86-wmi-remove-unnecessary-argument.patch
+platform-x86-wmi-use-guid_t-and-guid_equal.patch
+platform-x86-wmi-move-variables.patch
+platform-x86-wmi-break-possible-infinite-loop-when-p.patch
+igc-fix-launchtime-before-start-of-cycle.patch
+igc-fix-inserting-of-empty-frame-for-launchtime.patch
+riscv-bpf-move-bpf_jit_alloc_exec-and-bpf_jit_free_e.patch
+riscv-bpf-avoid-breaking-w-x.patch
+bpf-riscv-support-riscv-jit-to-provide-bpf_line_info.patch
+riscv-bpf-fix-inconsistent-jit-image-generation.patch
+erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch
+wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch
+net-sched-flower-ensure-both-minimum-and-maximum-por.patch
+netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch
+net-sched-make-psched_mtu-rtnl-less-safe.patch
+net-sched-sch_qfq-refactor-parsing-of-netlink-parame.patch
+net-sched-sch_qfq-account-for-stab-overhead-in-qfq_e.patch
+nvme-pci-fix-dma-direction-of-unmapping-integrity-da.patch
+f2fs-fix-to-avoid-null-pointer-dereference-f2fs_write_end_io.patch
+pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch
+pinctrl-amd-detect-internal-gpio0-debounce-handling.patch
+pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch
+tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch
+mtd-rawnand-meson-fix-unaligned-dma-buffers-handling.patch
+net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch
+powerpc-fail-build-if-using-recordmcount-with-binutils-v2.37.patch
+misc-fastrpc-create-fastrpc-scalar-with-correct-buffer-count.patch
+erofs-fix-compact-4b-support-for-16k-block-size.patch
+mips-loongson-fix-cpu_probe_loongson-again.patch
+ext4-fix-reusing-stale-buffer-heads-from-last-failed-mounting.patch
+ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch
+ext4-get-block-from-bh-in-ext4_free_blocks-for-fast-commit-replay.patch
+ext4-fix-wrong-unit-use-in-ext4_mb_new_blocks.patch
+ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch
+ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch
+jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch
+hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch
+pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch
+pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch
+pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch
+pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch
+pci-rockchip-write-pci-device-id-to-correct-register.patch
+pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch
+pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch
+pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch
+pci-rockchip-set-address-alignment-for-endpoint-mode.patch
+misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch
+misc-pci_endpoint_test-re-init-completion-for-every-test.patch
+md-raid0-add-discard-support-for-the-original-layout.patch
+fs-dlm-return-positive-pid-value-for-f_getlk.patch
+drm-atomic-allow-vblank-enabled-self-refresh-disable.patch
+drm-rockchip-vop-leave-vblank-enabled-in-self-refresh.patch
+drm-amd-display-correct-dmub_fw_version-macro.patch
+serial-atmel-don-t-enable-irqs-prematurely.patch
+tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch
+tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch
+firmware-stratix10-svc-fix-a-potential-resource-leak-in-svc_create_memory_pool.patch
+ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch
+xhci-fix-resume-issue-of-some-zhaoxin-hosts.patch
+xhci-fix-trb-prefetch-issue-of-zhaoxin-hosts.patch
+xhci-show-zhaoxin-xhci-root-hub-speed-correctly.patch
+meson-saradc-fix-clock-divider-mask-length.patch
+revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch
+s390-decompressor-fix-misaligned-symbol-build-error.patch
+tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch
+samples-ftrace-save-required-argument-registers-in-sample-trampolines.patch
+net-ena-fix-shift-out-of-bounds-in-exponential-backoff.patch
+ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch
+xtensa-iss-fix-call-to-split_if_spec.patch
+tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
+tracing-probes-fix-not-to-count-error-code-to-total-length.patch
+scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
+scsi-qla2xxx-array-index-may-go-out-of-bound.patch
+scsi-qla2xxx-fix-buffer-overrun.patch
+scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
+scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
+scsi-qla2xxx-correct-the-index-of-array.patch
+scsi-qla2xxx-pointer-may-be-dereferenced.patch
+scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
+net-sched-sch_qfq-reintroduce-lmax-bound-check-for-mtu.patch
+rdma-cma-ensure-rdma_addr_cancel-happens-before-issuing-more-requests.patch
+drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch
+alsa-hda-realtek-remove-3k-pull-low-procedure.patch
+alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch
+keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch
+perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch
+btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch
+fuse-revalidate-don-t-invalidate-if-interrupted.patch
+selftests-tc-set-timeout-to-15-minutes.patch
+selftests-tc-add-ct-action-kconfig-dep.patch
+regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch
+regmap-account-for-register-length-in-smbus-i-o-limits.patch
+can-bcm-fix-uaf-in-bcm_proc_show.patch
+drm-client-fix-memory-leak-in-drm_client_target_cloned.patch
+drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch
+asoc-fsl_sai-disable-bit-clock-with-transmitter.patch
+ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch
+debugobjects-recheck-debug_objects_enabled-before-re.patch
+nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch
+md-fix-data-corruption-for-raid456-when-reshape-rest.patch
+md-raid10-prevent-soft-lockup-while-flush-writes.patch
+posix-timers-ensure-timer-id-search-loop-limit-is-va.patch
+btrfs-add-xxhash-to-fast-checksum-implementations.patch
+acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch
+acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch
+acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch
+arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch
+arm64-mm-fix-va-range-sanity-check.patch
+sched-fair-don-t-balance-task-to-its-current-running.patch
+wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch
+bpf-address-kcsan-report-on-bpf_lru_list.patch
+devlink-report-devlink_port_type_warn-source-device.patch
+wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch
+wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch
+igb-fix-igb_down-hung-on-surprise-removal.patch
+spi-bcm63xx-fix-max-prepend-length.patch
+fbdev-imxfb-warn-about-invalid-left-right-margin.patch
+pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch
+net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch
+bridge-add-extack-warning-when-enabling-stp-in-netns.patch
+iavf-fix-use-after-free-in-free_netdev.patch
+iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch
+security-keys-modify-mismatched-function-name.patch
+octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch
+tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch
+net-ipv4-use-kfree_sensitive-instead-of-kfree.patch
+net-ipv6-check-return-value-of-pskb_trim.patch
+revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch
+fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch
+llc-don-t-drop-packet-from-non-root-netns.patch
+netfilter-nf_tables-fix-spurious-set-element-inserti.patch
+netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch
+netfilter-nft_set_pipapo-fix-improper-element-remova.patch
+netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch
+netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch
+tcp-annotate-data-races-around-tp-tcp_tx_delay.patch
+tcp-annotate-data-races-around-tp-keepalive_time.patch
+tcp-annotate-data-races-around-tp-keepalive_intvl.patch
+tcp-annotate-data-races-around-tp-keepalive_probes.patch
+net-introduce-net.ipv4.tcp_migrate_req.patch
+tcp-fix-data-races-around-sysctl_tcp_syn-ack-_retrie.patch
+tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch
+tcp-annotate-data-races-around-tp-linger2.patch
+tcp-annotate-data-races-around-rskq_defer_accept.patch
+tcp-annotate-data-races-around-tp-notsent_lowat.patch
+tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch
+tcp-annotate-data-races-around-fastopenq.max_qlen.patch
+net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch
+tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch
+tracing-fix-memory-leak-of-iter-temp-when-reading-trace_pipe.patch
+ftrace-store-the-order-of-pages-allocated-in-ftrace_page.patch
+ftrace-fix-possible-warning-on-checking-all-pages-used-in-ftrace_process_locs.patch
+x86-cpu-amd-move-the-errata-checking-functionality-up.patch
+x86-cpu-amd-add-a-zenbleed-fix.patch
diff --git a/tmp-5.10/sfc-fix-crash-when-reading-stats-while-nic-is-resett.patch b/tmp-5.10/sfc-fix-crash-when-reading-stats-while-nic-is-resett.patch
new file mode 100644
index 00000000000..9047b7b1bd8
--- /dev/null
+++ b/tmp-5.10/sfc-fix-crash-when-reading-stats-while-nic-is-resett.patch
@@ -0,0 +1,70 @@
+From 75963a2c89109d639fc38a89fce752d54f6e1349 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jun 2023 15:34:48 +0100
+Subject: sfc: fix crash when reading stats while NIC is resetting
+
+From: Edward Cree
+
+[ Upstream commit d1b355438b8325a486f087e506d412c4e852f37b ]
+
+efx_net_stats() (.ndo_get_stats64) can be called during an ethtool
+ selftest, during which time nic_data->mc_stats is NULL as the NIC has
+ been fini'd. In this case do not attempt to fetch the latest stats
+ from the hardware, else we will crash on a NULL dereference:
+ BUG: kernel NULL pointer dereference, address: 0000000000000038
+ RIP efx_nic_update_stats
+ abridged calltrace:
+ efx_ef10_update_stats_pf
+ efx_net_stats
+ dev_get_stats
+ dev_seq_printf_stats
+Skipping the read is safe, we will simply give out stale stats.
+To ensure that the free in efx_ef10_fini_nic() does not race against
+ efx_ef10_update_stats_pf(), which could cause a TOCTTOU bug, take the
+ efx->stats_lock in fini_nic (it is already held across update_stats).
+
+Fixes: d3142c193dca ("sfc: refactor EF10 stats handling")
+Reviewed-by: Pieter Jansen van Vuuren
+Signed-off-by: Edward Cree
+Signed-off-by: David S.
Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sfc/ef10.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c
+index 32654fe1f8b59..3f53b5ea78410 100644
+--- a/drivers/net/ethernet/sfc/ef10.c
++++ b/drivers/net/ethernet/sfc/ef10.c
+@@ -1297,8 +1297,10 @@ static void efx_ef10_fini_nic(struct efx_nic *efx)
+ {
+ struct efx_ef10_nic_data *nic_data = efx->nic_data;
+
++ spin_lock_bh(&efx->stats_lock);
+ kfree(nic_data->mc_stats);
+ nic_data->mc_stats = NULL;
++ spin_unlock_bh(&efx->stats_lock);
+ }
+
+ static int efx_ef10_init_nic(struct efx_nic *efx)
+@@ -1836,9 +1838,14 @@ static size_t efx_ef10_update_stats_pf(struct efx_nic *efx, u64 *full_stats,
+
+ efx_ef10_get_stat_mask(efx, mask);
+
+- efx_nic_copy_stats(efx, nic_data->mc_stats);
+- efx_nic_update_stats(efx_ef10_stat_desc, EF10_STAT_COUNT,
+- mask, stats, nic_data->mc_stats, false);
++ /* If NIC was fini'd (probably resetting), then we can't read
++ * updated stats right now.
++ */
++ if (nic_data->mc_stats) {
++ efx_nic_copy_stats(efx, nic_data->mc_stats);
++ efx_nic_update_stats(efx_ef10_stat_desc, EF10_STAT_COUNT,
++ mask, stats, nic_data->mc_stats, false);
++ }
+
+ /* Update derived statistics */
+ efx_nic_fix_nodesc_drop_stat(efx,
+--
+2.39.2
+
diff --git a/tmp-5.10/sh-dma-fix-dma-channel-offset-calculation.patch b/tmp-5.10/sh-dma-fix-dma-channel-offset-calculation.patch
new file mode 100644
index 00000000000..859e76e0638
--- /dev/null
+++ b/tmp-5.10/sh-dma-fix-dma-channel-offset-calculation.patch
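Review bot: The new `if (nic_data->mc_stats)` test in efx_ef10_update_stats_pf() is only race-free while the caller holds `efx->stats_lock`, and nothing in the hunk states or enforces that. The commit message says the lock is already held across update_stats, so a `lockdep_assert_held(&efx->stats_lock);` near the top of the function, or an extra line in the added comment such as `/* Caller holds efx->stats_lock; efx_ef10_fini_nic() takes it before freeing mc_stats. */`, would keep a future lockless caller from reopening the use-after-free window. Any other reader of `nic_data->mc_stats` outside these hunks presumably needs the same NULL check, which cannot be confirmed from here. The body of efx_ef10_update_stats_pf() starts and ends outside the hunk.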
@@ -0,0 +1,103 @@
+From 731a521c132fa62459bfe6c23768a5c7485f3f77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 27 May 2023 18:44:50 +0200
+Subject: sh: dma: Fix DMA channel offset calculation
+
+From: Artur Rojek
+
+[ Upstream commit e82e47584847129a20b8c9f4a1dcde09374fb0e0 ]
+
+Various SoCs of the SH3, SH4 and SH4A family, which use this driver,
+feature a differing number of DMA channels, which can be distributed
+between up to two DMAC modules. The existing implementation fails to
+correctly accommodate for all those variations, resulting in wrong
+channel offset calculations and leading to kernel panics.
+
+Rewrite dma_base_addr() in order to properly calculate channel offsets
+in a DMAC module. Fix dmaor_read_reg() and dmaor_write_reg(), so that
+the correct DMAC module base is selected for the DMAOR register.
+
+Fixes: 7f47c7189b3e8f19 ("sh: dma: More legacy cpu dma chainsawing.")
+Signed-off-by: Artur Rojek
+Reviewed-by: Geert Uytterhoeven
+Reviewed-by: John Paul Adrian Glaubitz
+Link: https://lore.kernel.org/r/20230527164452.64797-2-contact@artur-rojek.eu
+Signed-off-by: John Paul Adrian Glaubitz
+Signed-off-by: Sasha Levin
+---
+ arch/sh/drivers/dma/dma-sh.c | 37 +++++++++++++++++++++++-------------
+ 1 file changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/arch/sh/drivers/dma/dma-sh.c b/arch/sh/drivers/dma/dma-sh.c
+index 96c626c2cd0a4..306fba1564e5e 100644
+--- a/arch/sh/drivers/dma/dma-sh.c
++++ b/arch/sh/drivers/dma/dma-sh.c
+@@ -18,6 +18,18 @@
+ #include
+ #include
+
++/*
++ * Some of the SoCs feature two DMAC modules. In such a case, the channels are
++ * distributed equally among them.
++ */
++#ifdef SH_DMAC_BASE1
++#define SH_DMAC_NR_MD_CH (CONFIG_NR_ONCHIP_DMA_CHANNELS / 2)
++#else
++#define SH_DMAC_NR_MD_CH CONFIG_NR_ONCHIP_DMA_CHANNELS
++#endif
++
++#define SH_DMAC_CH_SZ 0x10
++
+ /*
+ * Define the default configuration for dual address memory-memory transfer.
+ * The 0x400 value represents auto-request, external->external.
+@@ -29,7 +41,7 @@ static unsigned long dma_find_base(unsigned int chan)
+ unsigned long base = SH_DMAC_BASE0;
+
+ #ifdef SH_DMAC_BASE1
+- if (chan >= 6)
++ if (chan >= SH_DMAC_NR_MD_CH)
+ base = SH_DMAC_BASE1;
+ #endif
+
+@@ -40,13 +52,13 @@ static unsigned long dma_base_addr(unsigned int chan)
+ {
+ unsigned long base = dma_find_base(chan);
+
+- /* Normalize offset calculation */
+- if (chan >= 9)
+- chan -= 6;
+- if (chan >= 4)
+- base += 0x10;
++ chan = (chan % SH_DMAC_NR_MD_CH) * SH_DMAC_CH_SZ;
++
++ /* DMAOR is placed inside the channel register space. Step over it. */
++ if (chan >= DMAOR)
++ base += SH_DMAC_CH_SZ;
+
+- return base + (chan * 0x10);
++ return base + chan;
+ }
+
+ #ifdef CONFIG_SH_DMA_IRQ_MULTI
+@@ -250,12 +262,11 @@ static int sh_dmac_get_dma_residue(struct dma_channel *chan)
+ #define NR_DMAOR 1
+ #endif
+
+-/*
+- * DMAOR bases are broken out amongst channel groups. DMAOR0 manages
+- * channels 0 - 5, DMAOR1 6 - 11 (optional).
+- */
+-#define dmaor_read_reg(n) __raw_readw(dma_find_base((n)*6))
+-#define dmaor_write_reg(n, data) __raw_writew(data, dma_find_base(n)*6)
++#define dmaor_read_reg(n) __raw_readw(dma_find_base((n) * \
++ SH_DMAC_NR_MD_CH) + DMAOR)
++#define dmaor_write_reg(n, data) __raw_writew(data, \
++ dma_find_base((n) * \
++ SH_DMAC_NR_MD_CH) + DMAOR)
+
+ static inline int dmaor_reset(int no)
+ {
+--
+2.39.2
+
diff --git a/tmp-5.10/sh-j2-use-ioremap-to-translate-device-tree-address-i.patch b/tmp-5.10/sh-j2-use-ioremap-to-translate-device-tree-address-i.patch
new file mode 100644
index 00000000000..3b14ba61982
--- /dev/null
+++ b/tmp-5.10/sh-j2-use-ioremap-to-translate-device-tree-address-i.patch
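Review bot: In dma_base_addr() the parameter `chan` is overwritten with a byte offset (`chan = (chan % SH_DMAC_NR_MD_CH) * SH_DMAC_CH_SZ;`) and then compared with the register offset `DMAOR`, so the unit of `chan` changes halfway through the function. A separate local, `unsigned long off = (chan % SH_DMAC_NR_MD_CH) * SH_DMAC_CH_SZ;` followed by `if (off >= DMAOR)` and `return base + off;`, keeps channel numbers and offsets apart. The modulo also folds any channel number at or above CONFIG_NR_ONCHIP_DMA_CHANNELS back onto a valid register block instead of failing; whether callers already bound `chan` is not visible in these hunks.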
@@ -0,0 +1,44 @@
+From 97fe66e0c7b29b04014c904df6bcdf68cb49dc7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 May 2023 14:57:41 +0200
+Subject: sh: j2: Use ioremap() to translate device tree address into kernel
+ memory
+
+From: John Paul Adrian Glaubitz
+
+[ Upstream commit bc9d1f0cecd2407cfb2364a7d4be2f52d1d46a9d ]
+
+Addresses the following warning when building j2_defconfig:
+
+arch/sh/kernel/cpu/sh2/probe.c: In function 'scan_cache':
+arch/sh/kernel/cpu/sh2/probe.c:24:16: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
+ 24 | j2_ccr_base = (u32 __iomem *)of_flat_dt_translate_address(node);
+ |
+
+Fixes: 5a846abad07f ("sh: add support for J-Core J2 processor")
+Reviewed-by: Geert Uytterhoeven
+Tested-by: Rob Landley
+Signed-off-by: John Paul Adrian Glaubitz
+Link: https://lore.kernel.org/r/20230503125746.331835-1-glaubitz@physik.fu-berlin.de
+Signed-off-by: John Paul Adrian Glaubitz
+Signed-off-by: Sasha Levin
+---
+ arch/sh/kernel/cpu/sh2/probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/sh/kernel/cpu/sh2/probe.c b/arch/sh/kernel/cpu/sh2/probe.c
+index d342ea08843f6..70a07f4f2142f 100644
+--- a/arch/sh/kernel/cpu/sh2/probe.c
++++ b/arch/sh/kernel/cpu/sh2/probe.c
+@@ -21,7 +21,7 @@ static int __init scan_cache(unsigned long node, const char *uname,
+ if (!of_flat_dt_is_compatible(node, "jcore,cache"))
+ return 0;
+
+- j2_ccr_base = (u32 __iomem *)of_flat_dt_translate_address(node);
++ j2_ccr_base = ioremap(of_flat_dt_translate_address(node), 4);
+
+ return 1;
+ }
+--
+2.39.2
+
diff --git a/tmp-5.10/sh-pgtable-3level-fix-cast-to-pointer-from-integer-of-different-size.patch b/tmp-5.10/sh-pgtable-3level-fix-cast-to-pointer-from-integer-of-different-size.patch
new file mode 100644
index 00000000000..37ad158bc7f
--- /dev/null
+++ b/tmp-5.10/sh-pgtable-3level-fix-cast-to-pointer-from-integer-of-different-size.patch
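Review bot: The value returned by `ioremap()` in scan_cache() is stored in `j2_ccr_base` without a NULL check, and the address from `of_flat_dt_translate_address(node)` is passed on without being compared with `OF_BAD_ADDR`. If either step fails, later accesses through `j2_ccr_base` (outside this hunk) would presumably go through a NULL or bogus mapping during early boot. A guard such as `if (!j2_ccr_base) return 0;` after the call (the right return value is the maintainers' call) and `sizeof(u32)` in place of the literal `4` would make both the failure path and the mapped size explicit. The body of scan_cache() starts outside the hunk.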
@@ -0,0 +1,49 @@
+From 8518e694203d0bfd202ea4a80356785b6992322e Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Wed, 15 Sep 2021 15:50:04 +0200
+Subject: sh: pgtable-3level: Fix cast to pointer from integer of different size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven
+
+commit 8518e694203d0bfd202ea4a80356785b6992322e upstream.
+
+If X2TLB=y (CPU_SHX2=y or CPU_SHX3=y, e.g. migor_defconfig), pgd_t.pgd
+is "unsigned long long", causing:
+
+ In file included from arch/sh/include/asm/pgtable.h:13,
+ from include/linux/pgtable.h:6,
+ from include/linux/mm.h:33,
+ from arch/sh/kernel/asm-offsets.c:14:
+ arch/sh/include/asm/pgtable-3level.h: In function ‘pud_pgtable’:
+ arch/sh/include/asm/pgtable-3level.h:37:9: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
+ 37 | return (pmd_t *)pud_val(pud);
+ | ^
+
+Fix this by adding an intermediate cast to "unsigned long", which is
+basically what the old code did before.
+
+Fixes: 9cf6fa2458443118 ("mm: rename pud_page_vaddr to pud_pgtable and make it return pmd_t *")
+Signed-off-by: Geert Uytterhoeven
+Tested-by: Daniel Palmer
+Acked-by: Rob Landley
+Tested-by: John Paul Adrian Glaubitz
+Signed-off-by: Rich Felker
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/sh/include/asm/pgtable-3level.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sh/include/asm/pgtable-3level.h
++++ b/arch/sh/include/asm/pgtable-3level.h
+@@ -34,7 +34,7 @@ typedef struct { unsigned long long pmd;
+
+ static inline pmd_t *pud_pgtable(pud_t pud)
+ {
+- return (pmd_t *)pud_val(pud);
++ return (pmd_t *)(unsigned long)pud_val(pud);
+ }
+
+ /* only used by the stubbed out hugetlb gup code, should never be called */
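Review bot: The double cast in pud_pgtable(), `(pmd_t *)(unsigned long)pud_val(pud)`, silently discards the upper half of a value that the commit message says can be `unsigned long long`, and the code carries no explanation of why that truncation is safe. The warning is gone, but so is the only compiler hint that the widths differ. A one-line comment above the `return` stating why the upper bits can never be set for a pud entry on this configuration (to be worded by someone who can confirm it) would stop the cast from being read as a plain warning suppression.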
diff --git a/tmp-5.10/shmem-use-ramfs_kill_sb-for-kill_sb-method-of-ramfs-based-tmpfs.patch b/tmp-5.10/shmem-use-ramfs_kill_sb-for-kill_sb-method-of-ramfs-based-tmpfs.patch
new file mode 100644
index 00000000000..85b751e990d
--- /dev/null
+++ b/tmp-5.10/shmem-use-ramfs_kill_sb-for-kill_sb-method-of-ramfs-based-tmpfs.patch
@@ -0,0 +1,60 @@
+From 36ce9d76b0a93bae799e27e4f5ac35478c676592 Mon Sep 17 00:00:00 2001
+From: Roberto Sassu
+Date: Wed, 7 Jun 2023 18:15:23 +0200
+Subject: shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs
+
+From: Roberto Sassu
+
+commit 36ce9d76b0a93bae799e27e4f5ac35478c676592 upstream.
+
+As the ramfs-based tmpfs uses ramfs_init_fs_context() for the
+init_fs_context method, which allocates fc->s_fs_info, use ramfs_kill_sb()
+to free it and avoid a memory leak.
+
+Link: https://lkml.kernel.org/r/20230607161523.2876433-1-roberto.sassu@huaweicloud.com
+Fixes: c3b1b1cbf002 ("ramfs: add support for "mode=" mount option")
+Signed-off-by: Roberto Sassu
+Cc: Hugh Dickins
+Cc: David Howells
+Cc: Al Viro
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ramfs/inode.c | 2 +-
+ include/linux/ramfs.h | 1 +
+ mm/shmem.c | 2 +-
+ 3 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ramfs/inode.c
++++ b/fs/ramfs/inode.c
+@@ -264,7 +264,7 @@ int ramfs_init_fs_context(struct fs_cont
+ return 0;
+ }
+
+-static void ramfs_kill_sb(struct super_block *sb)
++void ramfs_kill_sb(struct super_block *sb)
+ {
+ kfree(sb->s_fs_info);
+ kill_litter_super(sb);
+--- a/include/linux/ramfs.h
++++ b/include/linux/ramfs.h
+@@ -7,6 +7,7 @@
+ struct inode *ramfs_get_inode(struct super_block *sb, const struct inode *dir,
+ umode_t mode, dev_t dev);
+ extern int ramfs_init_fs_context(struct fs_context *fc);
++extern void ramfs_kill_sb(struct super_block *sb);
+
+ #ifdef CONFIG_MMU
+ static inline int
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -4128,7 +4128,7 @@ static struct file_system_type shmem_fs_
+ .name = "tmpfs",
+ .init_fs_context = ramfs_init_fs_context,
+ .parameters = ramfs_fs_parameters,
+- .kill_sb = kill_litter_super,
++ .kill_sb = ramfs_kill_sb,
+ .fs_flags = FS_USERNS_MOUNT,
+ };
+
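Review bot: `ramfs_kill_sb()` becomes a cross-file interface in this change, but the new declaration in include/linux/ramfs.h carries no comment saying that it calls `kfree(sb->s_fs_info)` and therefore has to be paired with `ramfs_init_fs_context()`. The leak fixed here came from exactly that pairing being missed in `shmem_fs_type`, and the opposite mistake (using it with an `s_fs_info` that was not allocated that way) would free the wrong object. A note above the declaration such as `/* frees the s_fs_info allocated by ramfs_init_fs_context(); use the two together */` would document the contract where the next user will look.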
diff --git a/tmp-5.10/soc-fsl-qe-fix-usb.c-build-errors.patch b/tmp-5.10/soc-fsl-qe-fix-usb.c-build-errors.patch
new file mode 100644
index 00000000000..a1fd5d6df2e
--- /dev/null
+++ b/tmp-5.10/soc-fsl-qe-fix-usb.c-build-errors.patch
@@ -0,0 +1,60 @@
+From ec706adb07b98dbc5afeb6fddaf93f6a968e95a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 21 May 2023 15:52:16 -0700
+Subject: soc/fsl/qe: fix usb.c build errors
+
+From: Randy Dunlap
+
+[ Upstream commit 7b1a78babd0d2cd27aa07255dee0c2d7ac0f31e3 ]
+
+Fix build errors in soc/fsl/qe/usb.c when QUICC_ENGINE is not set.
+This happens when PPC_EP88XC is set, which selects CPM1 & CPM.
+When CPM is set, USB_FSL_QE can be set without QUICC_ENGINE
+being set. When USB_FSL_QE is set, QE_USB deafults to y, which
+causes build errors when QUICC_ENGINE is not set. Making
+QE_USB depend on QUICC_ENGINE prevents QE_USB from defaulting to y.
+
+Fixes these build errors:
+
+drivers/soc/fsl/qe/usb.o: in function `qe_usb_clock_set':
+usb.c:(.text+0x1e): undefined reference to `qe_immr'
+powerpc-linux-ld: usb.c:(.text+0x2a): undefined reference to `qe_immr'
+powerpc-linux-ld: usb.c:(.text+0xbc): undefined reference to `qe_setbrg'
+powerpc-linux-ld: usb.c:(.text+0xca): undefined reference to `cmxgcr_lock'
+powerpc-linux-ld: usb.c:(.text+0xce): undefined reference to `cmxgcr_lock'
+
+Fixes: 5e41486c408e ("powerpc/QE: add support for QE USB clocks routing")
+Signed-off-by: Randy Dunlap
+Reported-by: kernel test robot
+Link: https://lore.kernel.org/all/202301101500.pillNv6R-lkp@intel.com/
+Suggested-by: Michael Ellerman
+Cc: Christophe Leroy
+Cc: Leo Li
+Cc: Masahiro Yamada
+Cc: Nicolas Schier
+Cc: Qiang Zhao
+Cc: linuxppc-dev
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: Kumar Gala
+Acked-by: Nicolas Schier
+Signed-off-by: Li Yang
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/fsl/qe/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/fsl/qe/Kconfig b/drivers/soc/fsl/qe/Kconfig
+index 357c5800b112f..7afa796dbbb89 100644
+--- a/drivers/soc/fsl/qe/Kconfig
++++ b/drivers/soc/fsl/qe/Kconfig
+@@ -39,6 +39,7 @@ config QE_TDM
+
+ config QE_USB
+ bool
++ depends on QUICC_ENGINE
+ default y if USB_FSL_QE
+ help
+ QE USB Controller support
+--
+2.39.2
+
diff --git a/tmp-5.10/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch b/tmp-5.10/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch
new file mode 100644
index 00000000000..ab8f8f449c9
--- /dev/null
+++ b/tmp-5.10/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch
@@ -0,0 +1,58 @@
+From a7692e53092aedda2ec73543a8ad9107b6f98caf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jun 2023 15:43:05 +0200
+Subject: spi: bcm-qspi: return error if neither hif_mspi nor mspi is available
+
+From: Jonas Gorski
+
+[ Upstream commit 7c1f23ad34fcdace50275a6aa1e1969b41c6233f ]
+
+If neither a "hif_mspi" nor "mspi" resource is present, the driver will
+just early exit in probe but still return success. Apart from not doing
+anything meaningful, this would then also lead to a null pointer access
+on removal, as platform_get_drvdata() would return NULL, which it would
+then try to dereference when trying to unregister the spi master.
+
+Fix this by unconditionally calling devm_ioremap_resource(), as it can
+handle a NULL res and will then return a viable ERR_PTR() if we get one.
+
+The "return 0;" was previously a "goto qspi_resource_err;" where then
+ret was returned, but since ret was still initialized to 0 at this place
+this was a valid conversion in 63c5395bb7a9 ("spi: bcm-qspi: Fix
+use-after-free on unbind"). The issue was not introduced by this commit,
+only made more obvious.
+
+Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver")
+Signed-off-by: Jonas Gorski
+Reviewed-by: Kamal Dasu
+Link: https://lore.kernel.org/r/20230629134306.95823-1-jonas.gorski@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-bcm-qspi.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c
+index 766b00350e391..2c734ea0784b7 100644
+--- a/drivers/spi/spi-bcm-qspi.c
++++ b/drivers/spi/spi-bcm-qspi.c
+@@ -1369,13 +1369,9 @@ int bcm_qspi_probe(struct platform_device *pdev,
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM,
+ "mspi");
+
+- if (res) {
+- qspi->base[MSPI] = devm_ioremap_resource(dev, res);
+- if (IS_ERR(qspi->base[MSPI]))
+- return PTR_ERR(qspi->base[MSPI]);
+- } else {
+- return 0;
+- }
++ qspi->base[MSPI] = devm_ioremap_resource(dev, res);
++ if (IS_ERR(qspi->base[MSPI]))
++ return PTR_ERR(qspi->base[MSPI]);
+
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "bspi");
+ if (res) {
+--
+2.39.2
+
diff --git a/tmp-5.10/spi-bcm63xx-fix-max-prepend-length.patch b/tmp-5.10/spi-bcm63xx-fix-max-prepend-length.patch
new file mode 100644
index 00000000000..11c43be47eb
--- /dev/null
+++ b/tmp-5.10/spi-bcm63xx-fix-max-prepend-length.patch
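Review bot: After this change `devm_ioremap_resource(dev, res)` in bcm_qspi_probe() is reached with `res == NULL` when neither "hif_mspi" nor "mspi" exists, and the code now depends on that helper rejecting a NULL resource; nothing at the call site says so. A short comment above the call, e.g. `/* res may be NULL here; devm_ioremap_resource() then returns an ERR_PTR */`, would stop a later cleanup from restoring the `if (res)` guard and with it the silent `return 0` that led to the NULL dereference on removal. The function body starts and ends outside the hunk.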
@@ -0,0 +1,47 @@
+From 082784b88b3b03b8a09a0673da1c9ab07da22836 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jun 2023 09:14:52 +0200
+Subject: spi: bcm63xx: fix max prepend length
+
+From: Jonas Gorski
+
+[ Upstream commit 5158814cbb37bbb38344b3ecddc24ba2ed0365f2 ]
+
+The command word is defined as following:
+
+ /* Command */
+ #define SPI_CMD_COMMAND_SHIFT 0
+ #define SPI_CMD_DEVICE_ID_SHIFT 4
+ #define SPI_CMD_PREPEND_BYTE_CNT_SHIFT 8
+ #define SPI_CMD_ONE_BYTE_SHIFT 11
+ #define SPI_CMD_ONE_WIRE_SHIFT 12
+
+If the prepend byte count field starts at bit 8, and the next defined
+bit is SPI_CMD_ONE_BYTE at bit 11, it can be at most 3 bits wide, and
+thus the max value is 7, not 15.
+
+Fixes: b17de076062a ("spi/bcm63xx: work around inability to keep CS up")
+Signed-off-by: Jonas Gorski
+Link: https://lore.kernel.org/r/20230629071453.62024-1-jonas.gorski@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-bcm63xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c
+index 96d075e633f43..d36384fef0d71 100644
+--- a/drivers/spi/spi-bcm63xx.c
++++ b/drivers/spi/spi-bcm63xx.c
+@@ -126,7 +126,7 @@ enum bcm63xx_regs_spi {
+ SPI_MSG_DATA_SIZE,
+ };
+
+-#define BCM63XX_SPI_MAX_PREPEND 15
++#define BCM63XX_SPI_MAX_PREPEND 7
+
+ #define BCM63XX_SPI_MAX_CS 8
+ #define BCM63XX_SPI_BUS_NUM 0
+--
+2.39.2
+
diff --git a/tmp-5.10/spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch b/tmp-5.10/spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch
new file mode 100644
index 00000000000..455b366d55e
--- /dev/null
+++ b/tmp-5.10/spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch
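Review bot: `BCM63XX_SPI_MAX_PREPEND` remains a bare literal, so the link to the 3-bit prepend-count field described in the commit message is not visible in the code. A comment on the define, e.g. `/* PREPEND_BYTE_CNT occupies bits 8..10 of the command word */`, or deriving the limit from `SPI_CMD_ONE_BYTE_SHIFT - SPI_CMD_PREPEND_BYTE_CNT_SHIFT`, would keep the constant from drifting past the field width again. Those shift macros are quoted in the commit message only; where they are defined is not visible in this hunk.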
@@ -0,0 +1,44 @@
+From 5a4420ed4d3e181af89d6f23db6cdd734c65c78b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 25 Apr 2023 14:12:08 +0530
+Subject: spi: spi-geni-qcom: Correct CS_TOGGLE bit in SPI_TRANS_CFG
+
+From: Vijaya Krishna Nivarthi
+
+[ Upstream commit 5fd7c99ecf45c8ee8a9b1268f0ffc91cc6271da2 ]
+
+The CS_TOGGLE bit when set is supposed to instruct FW to
+toggle CS line between words. The driver with intent of
+disabling this behaviour has been unsetting BIT(0). This has
+not caused any trouble so far because the original BIT(1)
+is untouched and BIT(0) likely wasn't being used.
+
+Correct this to prevent a potential future bug.
+
+Signed-off-by: Vijaya Krishna Nivarthi
+---
+ drivers/spi/spi-geni-qcom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-geni-qcom.c b/drivers/spi/spi-geni-qcom.c
+index 01ef79f15b024..be259c685cc80 100644
+--- a/drivers/spi/spi-geni-qcom.c
++++ b/drivers/spi/spi-geni-qcom.c
+@@ -32,7 +32,7 @@
+ #define CS_DEMUX_OUTPUT_SEL GENMASK(3, 0)
+
+ #define SE_SPI_TRANS_CFG 0x25c
+-#define CS_TOGGLE BIT(0)
++#define CS_TOGGLE BIT(1)
+
+ #define SE_SPI_WORD_LEN 0x268
+ #define WORD_LEN_MSK GENMASK(9, 0)
+--
+2.39.2
+
diff --git a/tmp-5.10/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch b/tmp-5.10/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch
new file mode 100644
index 00000000000..bc896864a21
--- /dev/null
+++ b/tmp-5.10/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch
@@ -0,0 +1,138 @@
+From fc80fc2d4e39137869da3150ee169b40bf879287 Mon Sep 17 00:00:00 2001
+From: Ding Hui
+Date: Mon, 15 May 2023 10:13:07 +0800
+Subject: SUNRPC: Fix UAF in svc_tcp_listen_data_ready()
+
+From: Ding Hui
+
+commit fc80fc2d4e39137869da3150ee169b40bf879287 upstream.
+
+After the listener svc_sock is freed, and before invoking svc_tcp_accept()
+for the established child sock, there is a window that the newsock
+retaining a freed listener svc_sock in sk_user_data which cloning from
+parent. In the race window, if data is received on the newsock, we will
+observe use-after-free report in svc_tcp_listen_data_ready().
+
+Reproduce by two tasks:
+
+1. while :; do rpc.nfsd 0 ; rpc.nfsd; done
+2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done
+
+KASAN report:
+
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
+ Read of size 8 at addr ffff888139d96228 by task nc/102553
+ CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18
+ Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
+ Call Trace:
+
+ dump_stack_lvl+0x33/0x50
+ print_address_description.constprop.0+0x27/0x310
+ print_report+0x3e/0x70
+ kasan_report+0xae/0xe0
+ svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc]
+ tcp_data_queue+0x9f4/0x20e0
+ tcp_rcv_established+0x666/0x1f60
+ tcp_v4_do_rcv+0x51c/0x850
+ tcp_v4_rcv+0x23fc/0x2e80
+ ip_protocol_deliver_rcu+0x62/0x300
+ ip_local_deliver_finish+0x267/0x350
+ ip_local_deliver+0x18b/0x2d0
+ ip_rcv+0x2fb/0x370
+ __netif_receive_skb_one_core+0x166/0x1b0
+ process_backlog+0x24c/0x5e0
+ __napi_poll+0xa2/0x500
+ net_rx_action+0x854/0xc90
+ __do_softirq+0x1bb/0x5de
+ do_softirq+0xcb/0x100
+
+
+ ...
+
+
+ Allocated by task 102371:
+ kasan_save_stack+0x1e/0x40
+ kasan_set_track+0x21/0x30
+ __kasan_kmalloc+0x7b/0x90
+ svc_setup_socket+0x52/0x4f0 [sunrpc]
+ svc_addsock+0x20d/0x400 [sunrpc]
+ __write_ports_addfd+0x209/0x390 [nfsd]
+ write_ports+0x239/0x2c0 [nfsd]
+ nfsctl_transaction_write+0xac/0x110 [nfsd]
+ vfs_write+0x1c3/0xae0
+ ksys_write+0xed/0x1c0
+ do_syscall_64+0x38/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+ Freed by task 102551:
+ kasan_save_stack+0x1e/0x40
+ kasan_set_track+0x21/0x30
+ kasan_save_free_info+0x2a/0x50
+ __kasan_slab_free+0x106/0x190
+ __kmem_cache_free+0x133/0x270
+ svc_xprt_free+0x1e2/0x350 [sunrpc]
+ svc_xprt_destroy_all+0x25a/0x440 [sunrpc]
+ nfsd_put+0x125/0x240 [nfsd]
+ nfsd_svc+0x2cb/0x3c0 [nfsd]
+ write_threads+0x1ac/0x2a0 [nfsd]
+ nfsctl_transaction_write+0xac/0x110 [nfsd]
+ vfs_write+0x1c3/0xae0
+ ksys_write+0xed/0x1c0
+ do_syscall_64+0x38/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready()
+if state != TCP_LISTEN, that will avoid dereferencing svsk for all
+child socket.
+
+Link: https://lore.kernel.org/lkml/20230507091131.23540-1-dinghui@sangfor.com.cn/
+Fixes: fa9251afc33c ("SUNRPC: Call the default socket callbacks instead of open coding")
+Signed-off-by: Ding Hui
+Cc:
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sunrpc/svcsock.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -692,12 +692,6 @@ static void svc_tcp_listen_data_ready(st
+ {
+ struct svc_sock *svsk = (struct svc_sock *)sk->sk_user_data;
+
+- if (svsk) {
+- /* Refer to svc_setup_socket() for details.
*/
+- rmb();
+- svsk->sk_odata(sk);
+- }
+-
+ /*
+ * This callback may called twice when a new connection
+ * is established as a child socket inherits everything
+@@ -706,13 +700,18 @@ static void svc_tcp_listen_data_ready(st
+ * when one of child sockets become ESTABLISHED.
+ * 2) data_ready method of the child socket may be called
+ * when it receives data before the socket is accepted.
+- * In case of 2, we should ignore it silently.
++ * In case of 2, we should ignore it silently and DO NOT
++ * dereference svsk.
+ */
+- if (sk->sk_state == TCP_LISTEN) {
+- if (svsk) {
+- set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags);
+- svc_xprt_enqueue(&svsk->sk_xprt);
+- }
++ if (sk->sk_state != TCP_LISTEN)
++ return;
++
++ if (svsk) {
++ /* Refer to svc_setup_socket() for details. */
++ rmb();
++ svsk->sk_odata(sk);
++ set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags);
++ svc_xprt_enqueue(&svsk->sk_xprt);
+ }
+ }
+
diff --git a/tmp-5.10/tcp-annotate-data-races-around-fastopenq.max_qlen.patch b/tmp-5.10/tcp-annotate-data-races-around-fastopenq.max_qlen.patch
new file mode 100644
index 00000000000..6b743df5d9a
--- /dev/null
+++ b/tmp-5.10/tcp-annotate-data-races-around-fastopenq.max_qlen.patch
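Review bot: svc_tcp_listen_data_ready() still loads `sk->sk_user_data` into `svsk` in the declaration, before the new `sk->sk_state != TCP_LISTEN` early return, so the possibly stale pointer a child socket inherited stays in scope on exactly the path that must not touch it. The load itself is harmless, but declaring `struct svc_sock *svsk;` and assigning `svsk = (struct svc_sock *)sk->sk_user_data;` only after the state check would make a dereference for a non-listening socket structurally impossible rather than a matter of comment discipline. The comment block could also state that the saved `sk_odata` callback is no longer invoked for child sockets, since that is a behaviour change made by this hunk.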
@@ -0,0 +1,77 @@ +From bed93777d170210391d32a46a87d0ff63de6c8f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:57 +0000 +Subject: tcp: annotate data-races around fastopenq.max_qlen + +From: Eric Dumazet + +[ Upstream commit 70f360dd7042cb843635ece9d28335a4addff9eb ] + +This field can be read locklessly. + +Fixes: 1536e2857bd3 ("tcp: Add a TCP_FASTOPEN socket option to get a max backlog on its listner") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-12-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/tcp.h | 2 +- + net/ipv4/tcp.c | 2 +- + net/ipv4/tcp_fastopen.c | 6 ++++-- + 3 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/include/linux/tcp.h b/include/linux/tcp.h +index 6e3340379d85f..11a98144bda0b 100644 +--- a/include/linux/tcp.h ++++ b/include/linux/tcp.h +@@ -473,7 +473,7 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog) + struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue; + int somaxconn = READ_ONCE(sock_net(sk)->core.sysctl_somaxconn); + +- queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn); ++ WRITE_ONCE(queue->fastopenq.max_qlen, min_t(unsigned int, backlog, somaxconn)); + } + + static inline void tcp_move_syn(struct tcp_sock *tp, +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 0a5f61b3423bf..3dd9b76f40559 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3894,7 +3894,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + break; + + case TCP_FASTOPEN: +- val = icsk->icsk_accept_queue.fastopenq.max_qlen; ++ val = READ_ONCE(icsk->icsk_accept_queue.fastopenq.max_qlen); + break; + + case TCP_FASTOPEN_CONNECT: +diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c +index 39fb037ce5f3f..92d63cf3e50b9 100644 +--- a/net/ipv4/tcp_fastopen.c ++++ b/net/ipv4/tcp_fastopen.c +@@ -312,6 +312,7 @@ static struct sock *tcp_fastopen_create_child(struct sock 
*sk, + static bool tcp_fastopen_queue_check(struct sock *sk) + { + struct fastopen_queue *fastopenq; ++ int max_qlen; + + /* Make sure the listener has enabled fastopen, and we don't + * exceed the max # of pending TFO requests allowed before trying +@@ -324,10 +325,11 @@ static bool tcp_fastopen_queue_check(struct sock *sk) + * temporarily vs a server not supporting Fast Open at all. + */ + fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq; +- if (fastopenq->max_qlen == 0) ++ max_qlen = READ_ONCE(fastopenq->max_qlen); ++ if (max_qlen == 0) + return false; + +- if (fastopenq->qlen >= fastopenq->max_qlen) { ++ if (fastopenq->qlen >= max_qlen) { + struct request_sock *req1; + spin_lock(&fastopenq->lock); + req1 = fastopenq->rskq_rst_head; +-- +2.39.2 + diff --git a/tmp-5.10/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch b/tmp-5.10/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch new file mode 100644 index 00000000000..ff24feea4cc --- /dev/null +++ b/tmp-5.10/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch 
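Review bot: In tcp_fastopen_queue_check() (net/ipv4/tcp_fastopen.c, the last inner hunk of the fastopenq.max_qlen patch), `if (fastopenq->qlen >= max_qlen)` still reads `fastopenq->qlen` with a plain load before `spin_lock(&fastopenq->lock)` is taken. It sits right next to the newly annotated max_qlen read. If other cpus update qlen under that lock, which the hunk does not show, the same lockless-read reasoning applies and the line would become `if (READ_ONCE(fastopenq->qlen) >= max_qlen) {`. Otherwise a short comment saying why qlen needs no annotation would help. The function body continues outside the hunk.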
@@ -0,0 +1,69 @@ +From 367637dea0336c607dbac022703f9f6b302ec390 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:52 +0000 +Subject: tcp: annotate data-races around icsk->icsk_syn_retries + +From: Eric Dumazet + +[ Upstream commit 3a037f0f3c4bfe44518f2fbb478aa2f99a9cd8bb ] + +do_tcp_getsockopt() and reqsk_timer_handler() read +icsk->icsk_syn_retries while another cpu might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-7-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/tcp.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index dfea3088bc7e9..5f71a1c74e7e0 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -740,7 +740,7 @@ static void reqsk_timer_handler(struct timer_list *t) + if (inet_sk_state_load(sk_listener) != TCP_LISTEN) + goto drop; + +- max_syn_ack_retries = icsk->icsk_syn_retries ? : ++ max_syn_ack_retries = READ_ONCE(icsk->icsk_syn_retries) ? : + READ_ONCE(net->ipv4.sysctl_tcp_synack_retries); + /* Normally all the openreqs are young and become mature + * (i.e. converted to established socket) for first timeout. 
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index fc4d560909b50..e172348fc5c61 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3072,7 +3072,7 @@ int tcp_sock_set_syncnt(struct sock *sk, int val) + return -EINVAL; + + lock_sock(sk); +- inet_csk(sk)->icsk_syn_retries = val; ++ WRITE_ONCE(inet_csk(sk)->icsk_syn_retries, val); + release_sock(sk); + return 0; + } +@@ -3337,7 +3337,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (val < 1 || val > MAX_TCP_SYNCNT) + err = -EINVAL; + else +- icsk->icsk_syn_retries = val; ++ WRITE_ONCE(icsk->icsk_syn_retries, val); + break; + + case TCP_SAVE_SYN: +@@ -3743,7 +3743,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + val = keepalive_probes(tp); + break; + case TCP_SYNCNT: +- val = icsk->icsk_syn_retries ? : ++ val = READ_ONCE(icsk->icsk_syn_retries) ? : + READ_ONCE(net->ipv4.sysctl_tcp_syn_retries); + break; + case TCP_LINGER2: +-- +2.39.2 + diff --git a/tmp-5.10/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch b/tmp-5.10/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch new file mode 100644 index 00000000000..2271c6a9fe7 --- /dev/null +++ b/tmp-5.10/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch 
@@ -0,0 +1,54 @@ +From e752652992c7b8660dfb5cf676d65f0a1e9064e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:56 +0000 +Subject: tcp: annotate data-races around icsk->icsk_user_timeout + +From: Eric Dumazet + +[ Upstream commit 26023e91e12c68669db416b97234328a03d8e499 ] + +This field can be read locklessly from do_tcp_getsockopt() + +Fixes: dca43c75e7e5 ("tcp: Add TCP_USER_TIMEOUT socket option.") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-11-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 8a441dfd258d5..0a5f61b3423bf 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3081,7 +3081,7 @@ EXPORT_SYMBOL(tcp_sock_set_syncnt); + void tcp_sock_set_user_timeout(struct sock *sk, u32 val) + { + lock_sock(sk); +- inet_csk(sk)->icsk_user_timeout = val; ++ WRITE_ONCE(inet_csk(sk)->icsk_user_timeout, val); + release_sock(sk); + } + EXPORT_SYMBOL(tcp_sock_set_user_timeout); +@@ -3393,7 +3393,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (val < 0) + err = -EINVAL; + else +- icsk->icsk_user_timeout = val; ++ WRITE_ONCE(icsk->icsk_user_timeout, val); + break; + + case TCP_FASTOPEN: +@@ -3890,7 +3890,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + break; + + case TCP_USER_TIMEOUT: +- val = icsk->icsk_user_timeout; ++ val = READ_ONCE(icsk->icsk_user_timeout); + break; + + case TCP_FASTOPEN: +-- +2.39.2 + diff --git a/tmp-5.10/tcp-annotate-data-races-around-rskq_defer_accept.patch b/tmp-5.10/tcp-annotate-data-races-around-rskq_defer_accept.patch new file mode 100644 index 00000000000..143612ae199 --- /dev/null +++ b/tmp-5.10/tcp-annotate-data-races-around-rskq_defer_accept.patch 
@@ -0,0 +1,53 @@ +From e50601d4ffb95bdbf617214b868758b651bcfb2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:54 +0000 +Subject: tcp: annotate data-races around rskq_defer_accept + +From: Eric Dumazet + +[ Upstream commit ae488c74422fb1dcd807c0201804b3b5e8a322a3 ] + +do_tcp_getsockopt() reads rskq_defer_accept while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-9-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index f7c951463d9cf..50d674d35e520 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3359,9 +3359,9 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname, + + case TCP_DEFER_ACCEPT: + /* Translate value in seconds to number of retransmits */ +- icsk->icsk_accept_queue.rskq_defer_accept = +- secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ, +- TCP_RTO_MAX / HZ); ++ WRITE_ONCE(icsk->icsk_accept_queue.rskq_defer_accept, ++ secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ, ++ TCP_RTO_MAX / HZ)); + break; + + case TCP_WINDOW_CLAMP: +@@ -3752,8 +3752,9 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; + break; + case TCP_DEFER_ACCEPT: +- val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept, +- TCP_TIMEOUT_INIT / HZ, TCP_RTO_MAX / HZ); ++ val = READ_ONCE(icsk->icsk_accept_queue.rskq_defer_accept); ++ val = retrans_to_secs(val, TCP_TIMEOUT_INIT / HZ, ++ TCP_RTO_MAX / HZ); + break; + case TCP_WINDOW_CLAMP: + val = tp->window_clamp; +-- +2.39.2 + diff --git a/tmp-5.10/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch b/tmp-5.10/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch new file mode 100644 index 00000000000..0fb2d9a0b1c --- /dev/null 
+++ b/tmp-5.10/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch 
@@ -0,0 +1,184 @@ +From fc732a1c785d31fce9b0f37f48a3ca54429ef2d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 14:44:45 +0000 +Subject: tcp: annotate data-races around tcp_rsk(req)->ts_recent + +From: Eric Dumazet + +[ Upstream commit eba20811f32652bc1a52d5e7cc403859b86390d9 ] + +TCP request sockets are lockless, tcp_rsk(req)->ts_recent +can change while being read by another cpu as syzbot noticed. + +This is harmless, but we should annotate the known races. + +Note that tcp_check_req() changes req->ts_recent a bit early, +we might change this in the future. + +BUG: KCSAN: data-race in tcp_check_req / tcp_check_req + +write to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 1: +tcp_check_req+0x694/0xc70 net/ipv4/tcp_minisocks.c:762 +tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071 +ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205 +ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233 +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254 +dst_input include/net/dst.h:468 [inline] +ip_rcv_finish net/ipv4/ip_input.c:449 [inline] +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569 +__netif_receive_skb_one_core net/core/dev.c:5493 [inline] +__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607 +process_backlog+0x21f/0x380 net/core/dev.c:5935 +__napi_poll+0x60/0x3b0 net/core/dev.c:6498 +napi_poll net/core/dev.c:6565 [inline] +net_rx_action+0x32b/0x750 net/core/dev.c:6698 +__do_softirq+0xc1/0x265 kernel/softirq.c:571 +do_softirq+0x7e/0xb0 kernel/softirq.c:472 +__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:396 +local_bh_enable+0x1f/0x20 include/linux/bottom_half.h:33 +rcu_read_unlock_bh include/linux/rcupdate.h:843 [inline] +__dev_queue_xmit+0xabb/0x1d10 net/core/dev.c:4271 +dev_queue_xmit include/linux/netdevice.h:3088 [inline] +neigh_hh_output include/net/neighbour.h:528 [inline] +neigh_output include/net/neighbour.h:542 [inline] 
+ip_finish_output2+0x700/0x840 net/ipv4/ip_output.c:229 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:317 +NF_HOOK_COND include/linux/netfilter.h:292 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:431 +dst_output include/net/dst.h:458 [inline] +ip_local_out net/ipv4/ip_output.c:126 [inline] +__ip_queue_xmit+0xa4d/0xa70 net/ipv4/ip_output.c:533 +ip_queue_xmit+0x38/0x40 net/ipv4/ip_output.c:547 +__tcp_transmit_skb+0x1194/0x16e0 net/ipv4/tcp_output.c:1399 +tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline] +tcp_write_xmit+0x13ff/0x2fd0 net/ipv4/tcp_output.c:2693 +__tcp_push_pending_frames+0x6a/0x1a0 net/ipv4/tcp_output.c:2877 +tcp_push_pending_frames include/net/tcp.h:1952 [inline] +__tcp_sock_set_cork net/ipv4/tcp.c:3336 [inline] +tcp_sock_set_cork+0xe8/0x100 net/ipv4/tcp.c:3343 +rds_tcp_xmit_path_complete+0x3b/0x40 net/rds/tcp_send.c:52 +rds_send_xmit+0xf8d/0x1420 net/rds/send.c:422 +rds_send_worker+0x42/0x1d0 net/rds/threads.c:200 +process_one_work+0x3e6/0x750 kernel/workqueue.c:2408 +worker_thread+0x5f2/0xa10 kernel/workqueue.c:2555 +kthread+0x1d7/0x210 kernel/kthread.c:379 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +read to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 0: +tcp_check_req+0x32a/0xc70 net/ipv4/tcp_minisocks.c:622 +tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071 +ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205 +ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233 +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254 +dst_input include/net/dst.h:468 [inline] +ip_rcv_finish net/ipv4/ip_input.c:449 [inline] +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569 +__netif_receive_skb_one_core net/core/dev.c:5493 [inline] +__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607 +process_backlog+0x21f/0x380 net/core/dev.c:5935 +__napi_poll+0x60/0x3b0 net/core/dev.c:6498 +napi_poll net/core/dev.c:6565 [inline] 
+net_rx_action+0x32b/0x750 net/core/dev.c:6698 +__do_softirq+0xc1/0x265 kernel/softirq.c:571 +run_ksoftirqd+0x17/0x20 kernel/softirq.c:939 +smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164 +kthread+0x1d7/0x210 kernel/kthread.c:379 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +value changed: 0x1cd237f1 -> 0x1cd237f2 + +Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230717144445.653164-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 2 +- + net/ipv4/tcp_minisocks.c | 9 ++++++--- + net/ipv4/tcp_output.c | 2 +- + net/ipv6/tcp_ipv6.c | 2 +- + 4 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index d62d5d7764ade..b40780fde7915 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -960,7 +960,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + tcp_rsk(req)->rcv_nxt, + req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, + tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, +- req->ts_recent, ++ READ_ONCE(req->ts_recent), + 0, + tcp_md5_do_lookup(sk, l3index, addr, AF_INET), + inet_rsk(req)->no_srccheck ? 
IP_REPLY_ARG_NOSRCCHECK : 0, +diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c +index 8d854feebdb00..01e27620b7ee5 100644 +--- a/net/ipv4/tcp_minisocks.c ++++ b/net/ipv4/tcp_minisocks.c +@@ -523,7 +523,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk, + newtp->max_window = newtp->snd_wnd; + + if (newtp->rx_opt.tstamp_ok) { +- newtp->rx_opt.ts_recent = req->ts_recent; ++ newtp->rx_opt.ts_recent = READ_ONCE(req->ts_recent); + newtp->rx_opt.ts_recent_stamp = ktime_get_seconds(); + newtp->tcp_header_len = sizeof(struct tcphdr) + TCPOLEN_TSTAMP_ALIGNED; + } else { +@@ -586,7 +586,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb, + tcp_parse_options(sock_net(sk), skb, &tmp_opt, 0, NULL); + + if (tmp_opt.saw_tstamp) { +- tmp_opt.ts_recent = req->ts_recent; ++ tmp_opt.ts_recent = READ_ONCE(req->ts_recent); + if (tmp_opt.rcv_tsecr) + tmp_opt.rcv_tsecr -= tcp_rsk(req)->ts_off; + /* We do not store true stamp, but it is not required, +@@ -726,8 +726,11 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb, + + /* In sequence, PAWS is OK. */ + ++ /* TODO: We probably should defer ts_recent change once ++ * we take ownership of @req. 
++ */ + if (tmp_opt.saw_tstamp && !after(TCP_SKB_CB(skb)->seq, tcp_rsk(req)->rcv_nxt)) +- req->ts_recent = tmp_opt.rcv_tsval; ++ WRITE_ONCE(req->ts_recent, tmp_opt.rcv_tsval); + + if (TCP_SKB_CB(skb)->seq == tcp_rsk(req)->rcv_isn) { + /* Truncate SYN, it is out of window starting +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index e4ad274ec7a30..86e896351364e 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -874,7 +874,7 @@ static unsigned int tcp_synack_options(const struct sock *sk, + if (likely(ireq->tstamp_ok)) { + opts->options |= OPTION_TS; + opts->tsval = tcp_skb_timestamp(skb) + tcp_rsk(req)->ts_off; +- opts->tsecr = req->ts_recent; ++ opts->tsecr = READ_ONCE(req->ts_recent); + remaining -= TCPOLEN_TSTAMP_ALIGNED; + } + if (likely(ireq->sack_ok)) { +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 5392aebd48f1e..79d6f6ea3c546 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1151,7 +1151,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + tcp_rsk(req)->rcv_nxt, + req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, + tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, +- req->ts_recent, sk->sk_bound_dev_if, ++ READ_ONCE(req->ts_recent), sk->sk_bound_dev_if, + tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index), + ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority); + } +-- +2.39.2 + diff --git a/tmp-5.10/tcp-annotate-data-races-around-tp-keepalive_intvl.patch b/tmp-5.10/tcp-annotate-data-races-around-tp-keepalive_intvl.patch new file mode 100644 index 00000000000..f1bca89db23 --- /dev/null +++ b/tmp-5.10/tcp-annotate-data-races-around-tp-keepalive_intvl.patch 
@@ -0,0 +1,68 @@ +From 93d79268fd6e764464c76730da750ee51106f127 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:50 +0000 +Subject: tcp: annotate data-races around tp->keepalive_intvl + +From: Eric Dumazet + +[ Upstream commit 5ecf9d4f52ff2f1d4d44c9b68bc75688e82f13b4 ] + +do_tcp_getsockopt() reads tp->keepalive_intvl while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-5-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 9 +++++++-- + net/ipv4/tcp.c | 4 ++-- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 92de7c049f19e..428f84f6e0d0c 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1451,9 +1451,14 @@ void tcp_leave_memory_pressure(struct sock *sk); + static inline int keepalive_intvl_when(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); ++ int val; ++ ++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepintvl() ++ * and do_tcp_setsockopt(). ++ */ ++ val = READ_ONCE(tp->keepalive_intvl); + +- return tp->keepalive_intvl ? : +- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl); ++ return val ? 
: READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl); + } + + static inline int keepalive_time_when(const struct tcp_sock *tp) +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 053e4880d8f0f..b5a05b0984146 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3126,7 +3126,7 @@ int tcp_sock_set_keepintvl(struct sock *sk, int val) + return -EINVAL; + + lock_sock(sk); +- tcp_sk(sk)->keepalive_intvl = val * HZ; ++ WRITE_ONCE(tcp_sk(sk)->keepalive_intvl, val * HZ); + release_sock(sk); + return 0; + } +@@ -3324,7 +3324,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (val < 1 || val > MAX_TCP_KEEPINTVL) + err = -EINVAL; + else +- tp->keepalive_intvl = val * HZ; ++ WRITE_ONCE(tp->keepalive_intvl, val * HZ); + break; + case TCP_KEEPCNT: + if (val < 1 || val > MAX_TCP_KEEPCNT) +-- +2.39.2 + diff --git a/tmp-5.10/tcp-annotate-data-races-around-tp-keepalive_probes.patch b/tmp-5.10/tcp-annotate-data-races-around-tp-keepalive_probes.patch new file mode 100644 index 00000000000..75e60dcd015 --- /dev/null +++ b/tmp-5.10/tcp-annotate-data-races-around-tp-keepalive_probes.patch 
@@ -0,0 +1,69 @@ +From b96f0c21c9566b9083c9bbedaf421e2d62a1763f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:51 +0000 +Subject: tcp: annotate data-races around tp->keepalive_probes + +From: Eric Dumazet + +[ Upstream commit 6e5e1de616bf5f3df1769abc9292191dfad9110a ] + +do_tcp_getsockopt() reads tp->keepalive_probes while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-6-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 9 +++++++-- + net/ipv4/tcp.c | 5 +++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 428f84f6e0d0c..be81a930b91fa 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1475,9 +1475,14 @@ static inline int keepalive_time_when(const struct tcp_sock *tp) + static inline int keepalive_probes(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); ++ int val; ++ ++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepcnt() ++ * and do_tcp_setsockopt(). ++ */ ++ val = READ_ONCE(tp->keepalive_probes); + +- return tp->keepalive_probes ? : +- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes); ++ return val ? 
: READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes); + } + + static inline u32 keepalive_time_elapsed(const struct tcp_sock *tp) +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index b5a05b0984146..80212bb0400c2 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3138,7 +3138,8 @@ int tcp_sock_set_keepcnt(struct sock *sk, int val) + return -EINVAL; + + lock_sock(sk); +- tcp_sk(sk)->keepalive_probes = val; ++ /* Paired with READ_ONCE() in keepalive_probes() */ ++ WRITE_ONCE(tcp_sk(sk)->keepalive_probes, val); + release_sock(sk); + return 0; + } +@@ -3330,7 +3331,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (val < 1 || val > MAX_TCP_KEEPCNT) + err = -EINVAL; + else +- tp->keepalive_probes = val; ++ WRITE_ONCE(tp->keepalive_probes, val); + break; + case TCP_SYNCNT: + if (val < 1 || val > MAX_TCP_SYNCNT) +-- +2.39.2 + diff --git a/tmp-5.10/tcp-annotate-data-races-around-tp-keepalive_time.patch b/tmp-5.10/tcp-annotate-data-races-around-tp-keepalive_time.patch new file mode 100644 index 00000000000..3b9d3c3ab6f --- /dev/null +++ b/tmp-5.10/tcp-annotate-data-races-around-tp-keepalive_time.patch 
@@ -0,0 +1,58 @@
+From 58df9721b9e37d7f9babeb82251fd4793e391f78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:49 +0000
+Subject: tcp: annotate data-races around tp->keepalive_time
+
+From: Eric Dumazet
+
+[ Upstream commit 4164245c76ff906c9086758e1c3f87082a7f5ef5 ]
+
+do_tcp_getsockopt() reads tp->keepalive_time while another cpu
+might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-4-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/tcp.h | 7 +++++--
+ net/ipv4/tcp.c | 3 ++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index e231101e5001b..92de7c049f19e 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1459,9 +1459,12 @@ static inline int keepalive_intvl_when(const struct tcp_sock *tp)
+ static inline int keepalive_time_when(const struct tcp_sock *tp)
+ {
+ struct net *net = sock_net((struct sock *)tp);
++ int val;
+
+- return tp->keepalive_time ? :
+- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time);
++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepidle_locked() */
++ val = READ_ONCE(tp->keepalive_time);
++
++ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time);
+ }
+
+ static inline int keepalive_probes(const struct tcp_sock *tp)
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 39919d1436cea..053e4880d8f0f 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3093,7 +3093,8 @@ int tcp_sock_set_keepidle_locked(struct sock *sk, int val)
+ if (val < 1 || val > MAX_TCP_KEEPIDLE)
+ return -EINVAL;
+
+- tp->keepalive_time = val * HZ;
++ /* Paired with WRITE_ONCE() in keepalive_time_when() */
++ WRITE_ONCE(tp->keepalive_time, val * HZ);
+ if (sock_flag(sk, SOCK_KEEPOPEN) &&
+ !((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) {
+ u32 elapsed = keepalive_time_elapsed(tp);
+--
+2.39.2
+
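Review bot: The comment added in tcp_sock_set_keepidle_locked() names the wrong primitive. `/* Paired with WRITE_ONCE() in keepalive_time_when() */` sits on a WRITE_ONCE() store, while the first inner hunk of this same patch makes keepalive_time_when() read the field with READ_ONCE(). It should read `/* Paired with READ_ONCE() in keepalive_time_when() */`, so that someone auditing the lockless accesses to tp->keepalive_time is pointed at the reader that actually exists. The body of tcp_sock_set_keepidle_locked() continues outside the hunk.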
diff --git a/tmp-5.10/tcp-annotate-data-races-around-tp-linger2.patch b/tmp-5.10/tcp-annotate-data-races-around-tp-linger2.patch new file mode 100644 index 00000000000..969891e0072 --- /dev/null +++ b/tmp-5.10/tcp-annotate-data-races-around-tp-linger2.patch @@ -0,0 +1,52 @@ +From d718041fee098bdedeaae7c3a2d86ad19178270a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:53 +0000 +Subject: tcp: annotate data-races around tp->linger2 + +From: Eric Dumazet + +[ Upstream commit 9df5335ca974e688389c875546e5819778a80d59 ] + +do_tcp_getsockopt() reads tp->linger2 while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-8-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index e172348fc5c61..f7c951463d9cf 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3350,11 +3350,11 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname, + + case TCP_LINGER2: + if (val < 0) +- tp->linger2 = -1; ++ WRITE_ONCE(tp->linger2, -1); + else if (val > TCP_FIN_TIMEOUT_MAX / HZ) +- tp->linger2 = TCP_FIN_TIMEOUT_MAX; ++ WRITE_ONCE(tp->linger2, TCP_FIN_TIMEOUT_MAX); + else +- tp->linger2 = val * HZ; ++ WRITE_ONCE(tp->linger2, val * HZ); + break; + + case TCP_DEFER_ACCEPT: +@@ -3747,7 +3747,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + READ_ONCE(net->ipv4.sysctl_tcp_syn_retries); + break; + case TCP_LINGER2: +- val = tp->linger2; ++ val = READ_ONCE(tp->linger2); + if (val >= 0) + val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; + break; +-- +2.39.2 + diff --git a/tmp-5.10/tcp-annotate-data-races-around-tp-notsent_lowat.patch b/tmp-5.10/tcp-annotate-data-races-around-tp-notsent_lowat.patch new file mode 100644 index 00000000000..78ff68aa0e7 
--- /dev/null
+++ b/tmp-5.10/tcp-annotate-data-races-around-tp-notsent_lowat.patch
@@ -0,0 +1,64 @@ +From c4dae4f69b56617886cbd40d67654642369cc696 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:55 +0000 +Subject: tcp: annotate data-races around tp->notsent_lowat + +From: Eric Dumazet + +[ Upstream commit 1aeb87bc1440c5447a7fa2d6e3c2cca52cbd206b ] + +tp->notsent_lowat can be read locklessly from do_tcp_getsockopt() +and tcp_poll(). + +Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-10-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 6 +++++- + net/ipv4/tcp.c | 4 ++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index be81a930b91fa..dcca41f3a2240 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1991,7 +1991,11 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr); + static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); +- return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); ++ u32 val; ++ ++ val = READ_ONCE(tp->notsent_lowat); ++ ++ return val ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); + } + + /* @wake is one when sk_stream_write_space() calls us. 
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 50d674d35e520..8a441dfd258d5 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3437,7 +3437,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname, + err = tcp_repair_set_window(tp, optval, optlen); + break; + case TCP_NOTSENT_LOWAT: +- tp->notsent_lowat = val; ++ WRITE_ONCE(tp->notsent_lowat, val); + sk->sk_write_space(sk); + break; + case TCP_INQ: +@@ -3913,7 +3913,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + val = tcp_time_stamp_raw() + tp->tsoffset; + break; + case TCP_NOTSENT_LOWAT: +- val = tp->notsent_lowat; ++ val = READ_ONCE(tp->notsent_lowat); + break; + case TCP_INQ: + val = tp->recvmsg_inq; +-- +2.39.2 + diff --git a/tmp-5.10/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch b/tmp-5.10/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch new file mode 100644 index 00000000000..cc3844b275a --- /dev/null +++ b/tmp-5.10/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch 
@@ -0,0 +1,46 @@
+From 1fecea20f22ac90b576cacdac0fb8d3346f91456 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:47 +0000
+Subject: tcp: annotate data-races around tp->tcp_tx_delay
+
+From: Eric Dumazet
+
+[ Upstream commit 348b81b68b13ebd489a3e6a46aa1c384c731c919 ]
+
+do_tcp_getsockopt() reads tp->tcp_tx_delay while another cpu
+might change its value.
+
+Fixes: a842fe1425cb ("tcp: add optional per socket transmit delay")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index cc42ceadc1127..39919d1436cea 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3447,7 +3447,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+ case TCP_TX_DELAY:
+ if (val)
+ tcp_enable_tx_delay();
+- tp->tcp_tx_delay = val;
++ WRITE_ONCE(tp->tcp_tx_delay, val);
+ break;
+ default:
+ err = -ENOPROTOOPT;
+@@ -3902,7 +3902,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ break;
+
+ case TCP_TX_DELAY:
+- val = tp->tcp_tx_delay;
++ val = READ_ONCE(tp->tcp_tx_delay);
+ break;
+
+ case TCP_TIMESTAMP:
+--
+2.39.2
+
diff --git a/tmp-5.10/tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch b/tmp-5.10/tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch
new file mode 100644
index 00000000000..2b9b13fd82d
--- /dev/null
+++ b/tmp-5.10/tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch
@@ -0,0 +1,55 @@
+From f25d79666df40516251a72a68221c1bfe512a836 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jun 2023 16:41:50 +0000
+Subject: tcp: annotate data races in __tcp_oow_rate_limited()
+
+From: Eric Dumazet
+
+[ Upstream commit 998127cdb4699b9d470a9348ffe9f1154346be5f ]
+
+request sockets are lockless, __tcp_oow_rate_limited() could be called
+on the same object from different cpus. This is harmless.
+
+Add READ_ONCE()/WRITE_ONCE() annotations to avoid a KCSAN report.
+
+Fixes: 4ce7e93cb3fe ("tcp: rate limit ACK sent by SYN_RECV request sockets")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_input.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index b98b7920c4029..d6dfbb88dcf5b 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3560,8 +3560,11 @@ static int tcp_ack_update_window(struct sock *sk, const struct sk_buff *skb, u32
+ static bool __tcp_oow_rate_limited(struct net *net, int mib_idx,
+ u32 *last_oow_ack_time)
+ {
+- if (*last_oow_ack_time) {
+- s32 elapsed = (s32)(tcp_jiffies32 - *last_oow_ack_time);
++ /* Paired with the WRITE_ONCE() in this function. */
++ u32 val = READ_ONCE(*last_oow_ack_time);
++
++ if (val) {
++ s32 elapsed = (s32)(tcp_jiffies32 - val);
+
+ if (0 <= elapsed &&
+ elapsed < READ_ONCE(net->ipv4.sysctl_tcp_invalid_ratelimit)) {
+@@ -3570,7 +3573,10 @@ static bool __tcp_oow_rate_limited(struct net *net, int mib_idx,
+ }
+ }
+
+- *last_oow_ack_time = tcp_jiffies32;
++ /* Paired with the prior READ_ONCE() and with itself,
++ * as we might be lockless.
++ */
++ WRITE_ONCE(*last_oow_ack_time, tcp_jiffies32);
+
+ return false; /* not rate-limited: go ahead, send dupack now! */
+ }
+-- 
+2.39.2
+
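Review bot: The two comments added in `__tcp_oow_rate_limited()` say what each annotation pairs with, but not what remains racy: the `READ_ONCE()` of `*last_oow_ack_time` and the later `WRITE_ONCE()` are still separate steps, so two CPUs handling the same request socket can both see an expired interval and both return false. The commit message calls this harmless, and as far as the hunk shows the effect is only that an extra dupack is let through. I would record that next to the load so the annotations are not later mistaken for mutual exclusion, e.g. `/* Lockless: racing callers may both pass the check; the limit is best-effort. */`.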
diff --git a/tmp-5.10/tcp-fix-data-races-around-sysctl_tcp_syn-ack-_retrie.patch b/tmp-5.10/tcp-fix-data-races-around-sysctl_tcp_syn-ack-_retrie.patch
new file mode 100644
index 00000000000..748eda21b25
--- /dev/null
+++ b/tmp-5.10/tcp-fix-data-races-around-sysctl_tcp_syn-ack-_retrie.patch
@@ -0,0 +1,86 @@ +From 5609bae549edcfd300f49a00a4e0dbb2f54a59ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 10:17:46 -0700 +Subject: tcp: Fix data-races around sysctl_tcp_syn(ack)?_retries. + +From: Kuniyuki Iwashima + +[ Upstream commit 20a3b1c0f603e8c55c3396abd12dfcfb523e4d3c ] + +While reading sysctl_tcp_syn(ack)?_retries, they can be changed +concurrently. Thus, we need to add READ_ONCE() to their readers. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Stable-dep-of: 3a037f0f3c4b ("tcp: annotate data-races around icsk->icsk_syn_retries") +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_connection_sock.c | 3 ++- + net/ipv4/tcp.c | 3 ++- + net/ipv4/tcp_timer.c | 10 +++++++--- + 3 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 406305aaec904..dfea3088bc7e9 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -740,7 +740,8 @@ static void reqsk_timer_handler(struct timer_list *t) + if (inet_sk_state_load(sk_listener) != TCP_LISTEN) + goto drop; + +- max_syn_ack_retries = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_synack_retries; ++ max_syn_ack_retries = icsk->icsk_syn_retries ? : ++ READ_ONCE(net->ipv4.sysctl_tcp_synack_retries); + /* Normally all the openreqs are young and become mature + * (i.e. converted to established socket) for first timeout. + * If synack was not acknowledged for 1 second, it means +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 80212bb0400c2..fc4d560909b50 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3743,7 +3743,8 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + val = keepalive_probes(tp); + break; + case TCP_SYNCNT: +- val = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries; ++ val = icsk->icsk_syn_retries ? 
: ++ READ_ONCE(net->ipv4.sysctl_tcp_syn_retries); + break; + case TCP_LINGER2: + val = tp->linger2; +diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c +index 888683f2ff3ee..715fdfa3e2ae9 100644 +--- a/net/ipv4/tcp_timer.c ++++ b/net/ipv4/tcp_timer.c +@@ -239,7 +239,8 @@ static int tcp_write_timeout(struct sock *sk) + if ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) { + if (icsk->icsk_retransmits) + __dst_negative_advice(sk); +- retry_until = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries; ++ retry_until = icsk->icsk_syn_retries ? : ++ READ_ONCE(net->ipv4.sysctl_tcp_syn_retries); + expired = icsk->icsk_retransmits >= retry_until; + } else { + if (retransmits_timed_out(sk, READ_ONCE(net->ipv4.sysctl_tcp_retries1), 0)) { +@@ -406,12 +407,15 @@ abort: tcp_write_err(sk); + static void tcp_fastopen_synack_timer(struct sock *sk, struct request_sock *req) + { + struct inet_connection_sock *icsk = inet_csk(sk); +- int max_retries = icsk->icsk_syn_retries ? : +- sock_net(sk)->ipv4.sysctl_tcp_synack_retries + 1; /* add one more retry for fastopen */ + struct tcp_sock *tp = tcp_sk(sk); ++ int max_retries; + + req->rsk_ops->syn_ack_timeout(req); + ++ /* add one more retry for fastopen */ ++ max_retries = icsk->icsk_syn_retries ? : ++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_synack_retries) + 1; ++ + if (req->num_timeout >= max_retries) { + tcp_write_err(sk); + return; +-- +2.39.2 + diff --git a/tmp-5.10/test_firmware-return-enomem-instead-of-enospc-on-fai.patch b/tmp-5.10/test_firmware-return-enomem-instead-of-enospc-on-fai.patch new file mode 100644 index 00000000000..e32ff4ee68e --- /dev/null +++ b/tmp-5.10/test_firmware-return-enomem-instead-of-enospc-on-fai.patch 
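Review bot: In tcp_fastopen_synack_timer() the `+ 1` applies only to the sysctl fallback, because `+` binds tighter than `?:`, so a per-socket `icsk->icsk_syn_retries` value gets no extra retry, while the relocated comment `/* add one more retry for fastopen */` now sits above the whole assignment and reads as if it covered both operands. The behaviour is the same as in the removed lines, so if it is intended I would make it explicit with parentheses, `max_retries = icsk->icsk_syn_retries ? : (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_synack_retries) + 1);`, and reword the comment to say the extra retry is added to the sysctl default only. If the extra retry was meant for both cases, that is a separate fix and should not ride along with a data-race annotation.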
@@ -0,0 +1,111 @@
+From 17797b7cf019961cd918bb457acf44a6137aec70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 09:08:10 +0200
+Subject: test_firmware: return ENOMEM instead of ENOSPC on failed memory
+ allocation
+
+From: Mirsad Goran Todorovac
+
+[ Upstream commit 7dae593cd226a0bca61201cf85ceb9335cf63682 ]
+
+In a couple of situations like
+
+ name = kstrndup(buf, count, GFP_KERNEL);
+ if (!name)
+ return -ENOSPC;
+
+the error is not actually "No space left on device", but "Out of memory".
+
+It is semantically correct to return -ENOMEM in all failed kstrndup()
+and kzalloc() cases in this driver, as it is not a problem with disk
+space, but with kernel memory allocator failing allocation.
+
+The semantically correct should be:
+
+ name = kstrndup(buf, count, GFP_KERNEL);
+ if (!name)
+ return -ENOMEM;
+
+Cc: Dan Carpenter
+Cc: Takashi Iwai
+Cc: Kees Cook
+Cc: "Luis R. Rodriguez"
+Cc: Scott Branden
+Cc: Hans de Goede
+Cc: Brian Norris
+Fixes: c92316bf8e948 ("test_firmware: add batched firmware tests")
+Fixes: 0a8adf584759c ("test: add firmware_class loader test")
+Fixes: 548193cba2a7d ("test_firmware: add support for firmware_request_platform")
+Fixes: eb910947c82f9 ("test: firmware_class: add asynchronous request trigger")
+Fixes: 061132d2b9c95 ("test_firmware: add test custom fallback trigger")
+Fixes: 7feebfa487b92 ("test_firmware: add support for request_firmware_into_buf")
+Signed-off-by: Mirsad Goran Todorovac
+Reviewed-by: Dan Carpenter
+Message-ID: <20230606070808.9300-1-mirsad.todorovac@alu.unizg.hr>
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ lib/test_firmware.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/test_firmware.c b/lib/test_firmware.c
+index ed0455a9ded87..25dc9eb6c902b 100644
+--- a/lib/test_firmware.c
++++ b/lib/test_firmware.c
+@@ -183,7 +183,7 @@ static int __kstrncpy(char **dst, const char *name, size_t count, gfp_t gfp)
+ {
+ *dst = kstrndup(name, count, gfp);
+ if (!*dst)
+- return -ENOSPC;
++ return -ENOMEM;
+ return count;
+ }
+
+@@ -606,7 +606,7 @@ static ssize_t trigger_request_store(struct device *dev,
+
+ name = kstrndup(buf, count, GFP_KERNEL);
+ if (!name)
+- return -ENOSPC;
++ return -ENOMEM;
+
+ pr_info("loading '%s'\n", name);
+
+@@ -654,7 +654,7 @@ static ssize_t trigger_request_platform_store(struct device *dev,
+
+ name = kstrndup(buf, count, GFP_KERNEL);
+ if (!name)
+- return -ENOSPC;
++ return -ENOMEM;
+
+ pr_info("inserting test platform fw '%s'\n", name);
+ efi_embedded_fw.name = name;
+@@ -707,7 +707,7 @@ static ssize_t trigger_async_request_store(struct device *dev,
+
+ name = kstrndup(buf, count, GFP_KERNEL);
+ if (!name)
+- return -ENOSPC;
++ return -ENOMEM;
+
+ pr_info("loading '%s'\n", name);
+
+@@ -752,7 +752,7 @@ static ssize_t trigger_custom_fallback_store(struct device *dev,
+
+ name = kstrndup(buf, count, GFP_KERNEL);
+ if (!name)
+- return -ENOSPC;
++ return -ENOMEM;
+
+ pr_info("loading '%s' using custom fallback mechanism\n", name);
+
+@@ -803,7 +803,7 @@ static int test_fw_run_batch_request(void *data)
+
+ test_buf = kzalloc(TEST_FIRMWARE_BUF_SIZE, GFP_KERNEL);
+ if (!test_buf)
+- return -ENOSPC;
++ return -ENOMEM;
+
+ if (test_fw_config->partial)
+ req->rc = request_partial_firmware_into_buf
+-- 
+2.39.2
+
diff --git a/tmp-5.10/thermal-drivers-sun8i-fix-some-error-handling-paths-.patch b/tmp-5.10/thermal-drivers-sun8i-fix-some-error-handling-paths-.patch
new file mode 100644
index 00000000000..cb35349595b
--- /dev/null
+++ b/tmp-5.10/thermal-drivers-sun8i-fix-some-error-handling-paths-.patch
@@ -0,0 +1,144 @@ +From bdd8bf3b2f77d51a8ff4faa845a851b60c3f5537 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 May 2023 20:46:05 +0200 +Subject: thermal/drivers/sun8i: Fix some error handling paths in + sun8i_ths_probe() + +From: Christophe JAILLET + +[ Upstream commit 89382022b370dfd34eaae9c863baa123fcd4d132 ] + +Should an error occur after calling sun8i_ths_resource_init() in the probe +function, some resources need to be released, as already done in the +.remove() function. + +Switch to the devm_clk_get_enabled() helper and add a new devm_action to +turn sun8i_ths_resource_init() into a fully managed function. + +Move the place where reset_control_deassert() is called so that the +recommended order of reset release/clock enable steps is kept. +A64 manual states that: + + 3.3.6.4. Gating and reset + + Make sure that the reset signal has been released before the release of + module clock gating; + +This fixes the issue and removes some LoC at the same time. + +Fixes: dccc5c3b6f30 ("thermal/drivers/sun8i: Add thermal driver for H6/H5/H3/A64/A83T/R40") +Signed-off-by: Christophe JAILLET +Acked-by: Maxime Ripard +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/a8ae84bd2dc4b55fe428f8e20f31438bf8bb6762.1684089931.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/thermal/sun8i_thermal.c | 55 +++++++++++---------------------- + 1 file changed, 18 insertions(+), 37 deletions(-) + +diff --git a/drivers/thermal/sun8i_thermal.c b/drivers/thermal/sun8i_thermal.c +index f8b13071a6f42..e053b06280172 100644 +--- a/drivers/thermal/sun8i_thermal.c ++++ b/drivers/thermal/sun8i_thermal.c +@@ -318,6 +318,11 @@ static int sun8i_ths_calibrate(struct ths_device *tmdev) + return ret; + } + ++static void sun8i_ths_reset_control_assert(void *data) ++{ ++ reset_control_assert(data); ++} ++ + static int sun8i_ths_resource_init(struct ths_device *tmdev) + { + struct device *dev = tmdev->dev; +@@ -338,47 +343,35 @@ static int 
sun8i_ths_resource_init(struct ths_device *tmdev) + if (IS_ERR(tmdev->reset)) + return PTR_ERR(tmdev->reset); + +- tmdev->bus_clk = devm_clk_get(&pdev->dev, "bus"); ++ ret = reset_control_deassert(tmdev->reset); ++ if (ret) ++ return ret; ++ ++ ret = devm_add_action_or_reset(dev, sun8i_ths_reset_control_assert, ++ tmdev->reset); ++ if (ret) ++ return ret; ++ ++ tmdev->bus_clk = devm_clk_get_enabled(&pdev->dev, "bus"); + if (IS_ERR(tmdev->bus_clk)) + return PTR_ERR(tmdev->bus_clk); + } + + if (tmdev->chip->has_mod_clk) { +- tmdev->mod_clk = devm_clk_get(&pdev->dev, "mod"); ++ tmdev->mod_clk = devm_clk_get_enabled(&pdev->dev, "mod"); + if (IS_ERR(tmdev->mod_clk)) + return PTR_ERR(tmdev->mod_clk); + } + +- ret = reset_control_deassert(tmdev->reset); +- if (ret) +- return ret; +- +- ret = clk_prepare_enable(tmdev->bus_clk); +- if (ret) +- goto assert_reset; +- + ret = clk_set_rate(tmdev->mod_clk, 24000000); + if (ret) +- goto bus_disable; +- +- ret = clk_prepare_enable(tmdev->mod_clk); +- if (ret) +- goto bus_disable; ++ return ret; + + ret = sun8i_ths_calibrate(tmdev); + if (ret) +- goto mod_disable; ++ return ret; + + return 0; +- +-mod_disable: +- clk_disable_unprepare(tmdev->mod_clk); +-bus_disable: +- clk_disable_unprepare(tmdev->bus_clk); +-assert_reset: +- reset_control_assert(tmdev->reset); +- +- return ret; + } + + static int sun8i_h3_thermal_init(struct ths_device *tmdev) +@@ -529,17 +522,6 @@ static int sun8i_ths_probe(struct platform_device *pdev) + return 0; + } + +-static int sun8i_ths_remove(struct platform_device *pdev) +-{ +- struct ths_device *tmdev = platform_get_drvdata(pdev); +- +- clk_disable_unprepare(tmdev->mod_clk); +- clk_disable_unprepare(tmdev->bus_clk); +- reset_control_assert(tmdev->reset); +- +- return 0; +-} +- + static const struct ths_thermal_chip sun8i_a83t_ths = { + .sensor_num = 3, + .scale = 705, +@@ -641,7 +623,6 @@ MODULE_DEVICE_TABLE(of, of_ths_match); + + static struct platform_driver ths_driver = { + .probe = sun8i_ths_probe, 
+- .remove = sun8i_ths_remove, + .driver = { + .name = "sun8i-thermal", + .of_match_table = of_ths_match, +-- +2.39.2 + diff --git a/tmp-5.10/tpm-tpm_tis-claim-locality-in-interrupt-handler.patch b/tmp-5.10/tpm-tpm_tis-claim-locality-in-interrupt-handler.patch new file mode 100644 index 00000000000..958bfde0828 --- /dev/null +++ b/tmp-5.10/tpm-tpm_tis-claim-locality-in-interrupt-handler.patch @@ -0,0 +1,39 @@ +From 0e069265bce5a40c4eee52e2364bbbd4dabee94a Mon Sep 17 00:00:00 2001 +From: Lino Sanfilippo +Date: Thu, 24 Nov 2022 14:55:35 +0100 +Subject: tpm, tpm_tis: Claim locality in interrupt handler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lino Sanfilippo + +commit 0e069265bce5a40c4eee52e2364bbbd4dabee94a upstream. + +Writing the TPM_INT_STATUS register in the interrupt handler to clear the +interrupts only has effect if a locality is held. Since this is not +guaranteed at the time the interrupt is fired, claim the locality +explicitly in the handler. + +Signed-off-by: Lino Sanfilippo +Tested-by: Michael Niewöhner +Tested-by: Jarkko Sakkinen +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm_tis_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -731,7 +731,9 @@ static irqreturn_t tis_int_handler(int d + wake_up_interruptible(&priv->int_queue); + + /* Clear interrupts handled with TPM_EOI */ ++ tpm_tis_request_locality(chip, 0); + rc = tpm_tis_write32(priv, TPM_INT_STATUS(priv->locality), interrupt); ++ tpm_tis_relinquish_locality(chip, 0); + if (rc < 0) + return IRQ_NONE; + diff --git a/tmp-5.10/tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch b/tmp-5.10/tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch new file mode 100644 index 00000000000..7ac9e6786dc --- /dev/null 
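Review bot: `clk_set_rate(tmdev->mod_clk, 24000000)` in sun8i_ths_resource_init() now runs on a clock that is already enabled, because `devm_clk_get_enabled(&pdev->dev, "mod")` enables the mod clock when it is looked up, while the removed code set the rate first and only then called `clk_prepare_enable(tmdev->mod_clk)`. Whether this block tolerates a rate change on a running clock cannot be told from the hunk, so it should be confirmed against the clock driver before the backport lands. If it is fine, a comment at the call would record the decision, e.g. `/* mod_clk is already running here; the rate is changed while enabled */`. The backport also relies on `devm_clk_get_enabled()` being present in the 5.10 tree, which this page does not show.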
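Review bot: The result of `tpm_tis_request_locality(chip, 0)` is dropped in tis_int_handler(), so when the claim fails the write to `TPM_INT_STATUS` is still issued and, by the commit message's own reasoning, does not clear the interrupt, while `rc` reports success and the locality is relinquished anyway. Assuming the helper returns a negative value on failure (its definition is outside the hunk), I would treat that like the failed write that follows: `if (tpm_tis_request_locality(chip, 0) < 0) return IRQ_NONE;` before the write. The claim also names locality 0 while the register address is computed from `priv->locality`; a one-line comment stating that the two are expected to match would help. tis_int_handler() starts and ends outside the hunk, so whether it runs in a context where claiming a locality may wait is also something to check in the 5.10 tree.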
+++ b/tmp-5.10/tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch 
@@ -0,0 +1,80 @@
+From f4032d615f90970d6c3ac1d9c0bce3351eb4445c Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen
+Date: Tue, 16 May 2023 01:25:54 +0300
+Subject: tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation
+
+From: Jarkko Sakkinen
+
+commit f4032d615f90970d6c3ac1d9c0bce3351eb4445c upstream.
+
+/dev/vtpmx is made visible before 'workqueue' is initialized, which can
+lead to a memory corruption in the worst case scenario.
+
+Address this by initializing 'workqueue' as the very first step of the
+driver initialization.
+
+Cc: stable@vger.kernel.org
+Fixes: 6f99612e2500 ("tpm: Proxy driver for supporting multiple emulated TPMs")
+Reviewed-by: Stefan Berger
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/tpm_vtpm_proxy.c | 30 +++++++-----------------------
+ 1 file changed, 7 insertions(+), 23 deletions(-)
+
+--- a/drivers/char/tpm/tpm_vtpm_proxy.c
++++ b/drivers/char/tpm/tpm_vtpm_proxy.c
+@@ -683,37 +683,21 @@ static struct miscdevice vtpmx_miscdev =
+ .fops = &vtpmx_fops,
+ };
+
+-static int vtpmx_init(void)
+-{
+- return misc_register(&vtpmx_miscdev);
+-}
+-
+-static void vtpmx_cleanup(void)
+-{
+- misc_deregister(&vtpmx_miscdev);
+-}
+-
+ static int __init vtpm_module_init(void)
+ {
+ int rc;
+
+- rc = vtpmx_init();
+- if (rc) {
+- pr_err("couldn't create vtpmx device\n");
+- return rc;
+- }
+-
+ workqueue = create_workqueue("tpm-vtpm");
+ if (!workqueue) {
+ pr_err("couldn't create workqueue\n");
+- rc = -ENOMEM;
+- goto err_vtpmx_cleanup;
++ return -ENOMEM;
+ }
+
+- return 0;
+-
+-err_vtpmx_cleanup:
+- vtpmx_cleanup();
++ rc = misc_register(&vtpmx_miscdev);
++ if (rc) {
++ pr_err("couldn't create vtpmx device\n");
++ destroy_workqueue(workqueue);
++ }
+
+ return rc;
+ }
+@@ -721,7 +705,7 @@ err_vtpmx_cleanup:
+ static void __exit vtpm_module_exit(void)
+ {
+ destroy_workqueue(workqueue);
+- vtpmx_cleanup();
++ misc_deregister(&vtpmx_miscdev);
+ }
+
+ module_init(vtpm_module_init);
diff --git a/tmp-5.10/tracing-fix-memory-leak-of-iter-temp-when-reading-trace_pipe.patch b/tmp-5.10/tracing-fix-memory-leak-of-iter-temp-when-reading-trace_pipe.patch
new file mode 100644
index 00000000000..f08e75d7e81
--- /dev/null
+++ b/tmp-5.10/tracing-fix-memory-leak-of-iter-temp-when-reading-trace_pipe.patch
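Review bot: vtpm_module_exit() still tears down in the order this commit just corrected for init: `destroy_workqueue(workqueue);` runs before `misc_deregister(&vtpmx_miscdev);`, so /dev/vtpmx stays registered for a moment after the workqueue is gone. Module reference counting probably keeps new opens out during unload, but nothing in the hunk shows that, and mirroring the new init order costs nothing: call `misc_deregister(&vtpmx_miscdev);` first, then `destroy_workqueue(workqueue);`.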
@@ -0,0 +1,54 @@
+From d5a821896360cc8b93a15bd888fabc858c038dc0 Mon Sep 17 00:00:00 2001
+From: Zheng Yejian
+Date: Thu, 13 Jul 2023 22:14:35 +0800
+Subject: tracing: Fix memory leak of iter->temp when reading trace_pipe
+
+From: Zheng Yejian
+
+commit d5a821896360cc8b93a15bd888fabc858c038dc0 upstream.
+
+kmemleak reports:
+ unreferenced object 0xffff88814d14e200 (size 256):
+ comm "cat", pid 336, jiffies 4294871818 (age 779.490s)
+ hex dump (first 32 bytes):
+ 04 00 01 03 00 00 00 00 08 00 00 00 00 00 00 00 ................
+ 0c d8 c8 9b ff ff ff ff 04 5a ca 9b ff ff ff ff .........Z......
+ backtrace:
+ [] __kmalloc+0x4f/0x140
+ [] trace_find_next_entry+0xbb/0x1d0
+ [] trace_print_lat_context+0xaf/0x4e0
+ [] print_trace_line+0x3e0/0x950
+ [] tracing_read_pipe+0x2d9/0x5a0
+ [] vfs_read+0x143/0x520
+ [] ksys_read+0xbd/0x160
+ [] do_syscall_64+0x3f/0x90
+ [] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+when reading file 'trace_pipe', 'iter->temp' is allocated or relocated
+in trace_find_next_entry() but not freed before 'trace_pipe' is closed.
+
+To fix it, free 'iter->temp' in tracing_release_pipe().
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230713141435.1133021-1-zhengyejian1@huawei.com
+
+Cc: stable@vger.kernel.org
+Fixes: ff895103a84ab ("tracing: Save off entry when peeking at next entry")
+Signed-off-by: Zheng Yejian
+Signed-off-by: Steven Rostedt (Google)
+[Fix conflict due to lack of 649e72070cbbb8600eb823833e4748f5a0815116]
+Signed-off-by: Zheng Yejian
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -6250,6 +6250,7 @@ static int tracing_release_pipe(struct i
+ mutex_unlock(&trace_types_lock);
+
+ free_cpumask_var(iter->started);
++ kfree(iter->temp);
+ mutex_destroy(&iter->mutex);
+ kfree(iter);
+
diff --git a/tmp-5.10/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch b/tmp-5.10/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
new file mode 100644
index 00000000000..f501e10ac2e
--- /dev/null
+++ b/tmp-5.10/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
@@ -0,0 +1,61 @@
+From 02b0095e2fbbc060560c1065f86a211d91e27b26 Mon Sep 17 00:00:00 2001
+From: Mateusz Stachyra
+Date: Tue, 4 Jul 2023 12:27:06 +0200
+Subject: tracing: Fix null pointer dereference in tracing_err_log_open()
+
+From: Mateusz Stachyra
+
+commit 02b0095e2fbbc060560c1065f86a211d91e27b26 upstream.
+
+Fix an issue in function 'tracing_err_log_open'.
+The function doesn't call 'seq_open' if the file is opened only with
+write permissions, which results in 'file->private_data' being left as null.
+If we then use 'lseek' on that opened file, 'seq_lseek' dereferences
+'file->private_data' in 'mutex_lock(&m->lock)', resulting in a kernel panic.
+Writing to this node requires root privileges, therefore this bug
+has very little security impact.
+
+Tracefs node: /sys/kernel/tracing/error_log
+
+Example Kernel panic:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038
+Call trace:
+ mutex_lock+0x30/0x110
+ seq_lseek+0x34/0xb8
+ __arm64_sys_lseek+0x6c/0xb8
+ invoke_syscall+0x58/0x13c
+ el0_svc_common+0xc4/0x10c
+ do_el0_svc+0x24/0x98
+ el0_svc+0x24/0x88
+ el0t_64_sync_handler+0x84/0xe4
+ el0t_64_sync+0x1b4/0x1b8
+Code: d503201f aa0803e0 aa1f03e1 aa0103e9 (c8e97d02)
+---[ end trace 561d1b49c12cf8a5 ]---
+Kernel panic - not syncing: Oops: Fatal exception
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230703155237eucms1p4dfb6a19caa14c79eb6c823d127b39024@eucms1p4
+Link: https://lore.kernel.org/linux-trace-kernel/20230704102706eucms1p30d7ecdcc287f46ad67679fc8491b2e0f@eucms1p3
+
+Cc: stable@vger.kernel.org
+Fixes: 8a062902be725 ("tracing: Add tracing error log")
+Signed-off-by: Mateusz Stachyra
+Suggested-by: Steven Rostedt
+Acked-by: Masami Hiramatsu (Google)
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -7529,7 +7529,7 @@ static const struct file_operations trac
+ .open = tracing_err_log_open,
+ .write = tracing_err_log_write,
+ .read = seq_read,
+- .llseek = seq_lseek,
++ .llseek = tracing_lseek,
+ .release = tracing_err_log_release,
+ };
+
diff --git a/tmp-5.10/tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch b/tmp-5.10/tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch
new file mode 100644
index 00000000000..b54285b4359
--- /dev/null
+++ b/tmp-5.10/tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch
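Review bot: Nothing at the `.llseek = tracing_lseek,` line records why this file must not use `seq_lseek`, so a later cleanup that normalises the seq_file callbacks could reintroduce the NULL dereference described in the commit message. A comment above the initializer would be enough, e.g. `/* not seq_lseek: a write-only open skips seq_open() and leaves file->private_data NULL */`. The file_operations structure starts outside the hunk and tracing_lseek() is not shown, so its handling of the write-only case should be confirmed in the 5.10 tree.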
@@ -0,0 +1,127 @@ +From 6018b585e8c6fa7d85d4b38d9ce49a5b67be7078 Mon Sep 17 00:00:00 2001 +From: Mohamed Khalfella +Date: Wed, 12 Jul 2023 22:30:21 +0000 +Subject: tracing/histograms: Add histograms to hist_vars if they have referenced variables + +From: Mohamed Khalfella + +commit 6018b585e8c6fa7d85d4b38d9ce49a5b67be7078 upstream. + +Hist triggers can have referenced variables without having direct +variables fields. This can be the case if referenced variables are added +for trigger actions. In this case the newly added references will not +have field variables. Not taking such referenced variables into +consideration can result in a bug where it would be possible to remove +hist trigger with variables being refenced. This will result in a bug +that is easily reproducable like so + +$ cd /sys/kernel/tracing +$ echo 'synthetic_sys_enter char[] comm; long id' >> synthetic_events +$ echo 'hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger +$ echo 'hist:keys=common_pid.execname,id.syscall:onmatch(raw_syscalls.sys_enter).synthetic_sys_enter($comm, id)' >> events/raw_syscalls/sys_enter/trigger +$ echo '!hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger + +[ 100.263533] ================================================================== +[ 100.264634] BUG: KASAN: slab-use-after-free in resolve_var_refs+0xc7/0x180 +[ 100.265520] Read of size 8 at addr ffff88810375d0f0 by task bash/439 +[ 100.266320] +[ 100.266533] CPU: 2 PID: 439 Comm: bash Not tainted 6.5.0-rc1 #4 +[ 100.267277] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-20220807_005459-localhost 04/01/2014 +[ 100.268561] Call Trace: +[ 100.268902] +[ 100.269189] dump_stack_lvl+0x4c/0x70 +[ 100.269680] print_report+0xc5/0x600 +[ 100.270165] ? resolve_var_refs+0xc7/0x180 +[ 100.270697] ? kasan_complete_mode_report_info+0x80/0x1f0 +[ 100.271389] ? 
resolve_var_refs+0xc7/0x180 +[ 100.271913] kasan_report+0xbd/0x100 +[ 100.272380] ? resolve_var_refs+0xc7/0x180 +[ 100.272920] __asan_load8+0x71/0xa0 +[ 100.273377] resolve_var_refs+0xc7/0x180 +[ 100.273888] event_hist_trigger+0x749/0x860 +[ 100.274505] ? kasan_save_stack+0x2a/0x50 +[ 100.275024] ? kasan_set_track+0x29/0x40 +[ 100.275536] ? __pfx_event_hist_trigger+0x10/0x10 +[ 100.276138] ? ksys_write+0xd1/0x170 +[ 100.276607] ? do_syscall_64+0x3c/0x90 +[ 100.277099] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 100.277771] ? destroy_hist_data+0x446/0x470 +[ 100.278324] ? event_hist_trigger_parse+0xa6c/0x3860 +[ 100.278962] ? __pfx_event_hist_trigger_parse+0x10/0x10 +[ 100.279627] ? __kasan_check_write+0x18/0x20 +[ 100.280177] ? mutex_unlock+0x85/0xd0 +[ 100.280660] ? __pfx_mutex_unlock+0x10/0x10 +[ 100.281200] ? kfree+0x7b/0x120 +[ 100.281619] ? ____kasan_slab_free+0x15d/0x1d0 +[ 100.282197] ? event_trigger_write+0xac/0x100 +[ 100.282764] ? __kasan_slab_free+0x16/0x20 +[ 100.283293] ? __kmem_cache_free+0x153/0x2f0 +[ 100.283844] ? sched_mm_cid_remote_clear+0xb1/0x250 +[ 100.284550] ? __pfx_sched_mm_cid_remote_clear+0x10/0x10 +[ 100.285221] ? event_trigger_write+0xbc/0x100 +[ 100.285781] ? __kasan_check_read+0x15/0x20 +[ 100.286321] ? __bitmap_weight+0x66/0xa0 +[ 100.286833] ? _find_next_bit+0x46/0xe0 +[ 100.287334] ? task_mm_cid_work+0x37f/0x450 +[ 100.287872] event_triggers_call+0x84/0x150 +[ 100.288408] trace_event_buffer_commit+0x339/0x430 +[ 100.289073] ? 
ring_buffer_event_data+0x3f/0x60 +[ 100.292189] trace_event_raw_event_sys_enter+0x8b/0xe0 +[ 100.295434] syscall_trace_enter.constprop.0+0x18f/0x1b0 +[ 100.298653] syscall_enter_from_user_mode+0x32/0x40 +[ 100.301808] do_syscall_64+0x1a/0x90 +[ 100.304748] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 100.307775] RIP: 0033:0x7f686c75c1cb +[ 100.310617] Code: 73 01 c3 48 8b 0d 65 3c 10 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 21 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 3c 10 00 f7 d8 64 89 01 48 +[ 100.317847] RSP: 002b:00007ffc60137a38 EFLAGS: 00000246 ORIG_RAX: 0000000000000021 +[ 100.321200] RAX: ffffffffffffffda RBX: 000055f566469ea0 RCX: 00007f686c75c1cb +[ 100.324631] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 000000000000000a +[ 100.328104] RBP: 00007ffc60137ac0 R08: 00007f686c818460 R09: 000000000000000a +[ 100.331509] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009 +[ 100.334992] R13: 0000000000000007 R14: 000000000000000a R15: 0000000000000007 +[ 100.338381] + +We hit the bug because when second hist trigger has was created +has_hist_vars() returned false because hist trigger did not have +variables. As a result of that save_hist_vars() was not called to add +the trigger to trace_array->hist_vars. Later on when we attempted to +remove the first histogram find_any_var_ref() failed to detect it is +being used because it did not find the second trigger in hist_vars list. + +With this change we wait until trigger actions are created so we can take +into consideration if hist trigger has variable references. Also, now we +check the return value of save_hist_vars() and fail trigger creation if +save_hist_vars() fails. 
+ +Link: https://lore.kernel.org/linux-trace-kernel/20230712223021.636335-1-mkhalfella@purestorage.com + +Cc: stable@vger.kernel.org +Fixes: 067fe038e70f6 ("tracing: Add variable reference handling to hist triggers") +Signed-off-by: Mohamed Khalfella +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_hist.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -5817,13 +5817,15 @@ static int event_hist_trigger_func(struc + if (get_named_trigger_data(trigger_data)) + goto enable; + +- if (has_hist_vars(hist_data)) +- save_hist_vars(hist_data); +- + ret = create_actions(hist_data); + if (ret) + goto out_unreg; + ++ if (has_hist_vars(hist_data) || hist_data->n_var_refs) { ++ if (save_hist_vars(hist_data)) ++ goto out_unreg; ++ } ++ + ret = tracing_map_init(hist_data->map); + if (ret) + goto out_unreg; diff --git a/tmp-5.10/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch b/tmp-5.10/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch new file mode 100644 index 00000000000..f616cfa4a82 --- /dev/null +++ b/tmp-5.10/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch 
@@ -0,0 +1,38 @@
+From 4b8b3905165ef98386a3c06f196c85d21292d029 Mon Sep 17 00:00:00 2001
+From: Mohamed Khalfella
+Date: Fri, 14 Jul 2023 20:33:41 +0000
+Subject: tracing/histograms: Return an error if we fail to add histogram to hist_vars list
+
+From: Mohamed Khalfella
+
+commit 4b8b3905165ef98386a3c06f196c85d21292d029 upstream.
+
+Commit 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if
+they have referenced variables") added a check to fail histogram creation
+if save_hist_vars() failed to add histogram to hist_vars list. But the
+commit failed to set ret to failed return code before jumping to
+unregister histogram, fix it.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230714203341.51396-1-mkhalfella@purestorage.com
+
+Cc: stable@vger.kernel.org
+Fixes: 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if they have referenced variables")
+Signed-off-by: Mohamed Khalfella
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_events_hist.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -5822,7 +5822,8 @@ static int event_hist_trigger_func(struc
+ goto out_unreg;
+
+ if (has_hist_vars(hist_data) || hist_data->n_var_refs) {
+- if (save_hist_vars(hist_data))
++ ret = save_hist_vars(hist_data);
++ if (ret)
+ goto out_unreg;
+ }
+
diff --git a/tmp-5.10/tracing-probes-fix-not-to-count-error-code-to-total-length.patch b/tmp-5.10/tracing-probes-fix-not-to-count-error-code-to-total-length.patch
new file mode 100644
index 00000000000..60fcee2e7ad
--- /dev/null
+++ b/tmp-5.10/tracing-probes-fix-not-to-count-error-code-to-total-length.patch
@@ -0,0 +1,38 @@
+From b41326b5e0f82e93592c4366359917b5d67b529f Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)"
+Date: Tue, 11 Jul 2023 23:15:38 +0900
+Subject: tracing/probes: Fix not to count error code to total length
+
+From: Masami Hiramatsu (Google)
+
+commit b41326b5e0f82e93592c4366359917b5d67b529f upstream.
+
+Fix not to count the error code (which is minus value) to the total
+used length of array, because it can mess up the return code of
+process_fetch_insn_bottom(). Also clear the 'ret' value because it
+will be used for calculating next data_loc entry.
+
+Link: https://lore.kernel.org/all/168908493827.123124.2175257289106364229.stgit@devnote2/
+
+Reported-by: Dan Carpenter
+Closes: https://lore.kernel.org/all/8819b154-2ba1-43c3-98a2-cbde20892023@moroto.mountain/
+Fixes: 9b960a38835f ("tracing: probeevent: Unify fetch_insn processing common part")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google)
+Reviewed-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_probe_tmpl.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace_probe_tmpl.h
++++ b/kernel/trace/trace_probe_tmpl.h
+@@ -143,6 +143,8 @@ stage3:
+ array:
+ /* the last stage: Loop on array */
+ if (code->op == FETCH_OP_LP_ARRAY) {
++ if (ret < 0)
++ ret = 0;
+ total += ret;
+ if (++i < code->param) {
+ code = s3;
diff --git a/tmp-5.10/tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch b/tmp-5.10/tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch
new file mode 100644
index 00000000000..d53ac850ef2
--- /dev/null
+++ b/tmp-5.10/tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch
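Review bot: The added `if (ret < 0) ret = 0;` in the FETCH_OP_LP_ARRAY branch discards the element's error code silently, and nothing in the code says that this is deliberate. The commit message gives both reasons (a negative value must not be added to `total`, and `ret` is used for the next data_loc entry), so I would put them next to the check: `/* a failed element adds no bytes; clear ret so it is neither summed nor reused for the next data_loc */`. Whether a caller ever needs to learn that one array element failed cannot be told from this hunk; the enclosing function starts and ends outside it.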
@@ -0,0 +1,47 @@ +From f7ad98f39d66ad65432fb53bebb736745261a335 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 16:38:54 +0200 +Subject: tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode(). + +From: Sebastian Andrzej Siewior + +[ Upstream commit 2951580ba6adb082bb6b7154a5ecb24e7c1f7569 ] + +The trace output for the HRTIMER_MODE_.*_HARD modes is seen as a number +since these modes are not decoded. The author was not aware of the fancy +decoding function which makes the life easier. + +Extend decode_hrtimer_mode() with the additional HRTIMER_MODE_.*_HARD +modes. + +Fixes: ae6683d815895 ("hrtimer: Introduce HARD expiry mode") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Thomas Gleixner +Reviewed-by: Mukesh Ojha +Acked-by: Steven Rostedt (Google) +Link: https://lore.kernel.org/r/20230418143854.8vHWQKLM@linutronix.de +Signed-off-by: Sasha Levin +--- + include/trace/events/timer.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/include/trace/events/timer.h b/include/trace/events/timer.h +index 40e9b5a12732d..5c540ccabcac9 100644 +--- a/include/trace/events/timer.h ++++ b/include/trace/events/timer.h +@@ -156,7 +156,11 @@ DEFINE_EVENT(timer_class, timer_cancel, + { HRTIMER_MODE_ABS_SOFT, "ABS|SOFT" }, \ + { HRTIMER_MODE_REL_SOFT, "REL|SOFT" }, \ + { HRTIMER_MODE_ABS_PINNED_SOFT, "ABS|PINNED|SOFT" }, \ +- { HRTIMER_MODE_REL_PINNED_SOFT, "REL|PINNED|SOFT" }) ++ { HRTIMER_MODE_REL_PINNED_SOFT, "REL|PINNED|SOFT" }, \ ++ { HRTIMER_MODE_ABS_HARD, "ABS|HARD" }, \ ++ { HRTIMER_MODE_REL_HARD, "REL|HARD" }, \ ++ { HRTIMER_MODE_ABS_PINNED_HARD, "ABS|PINNED|HARD" }, \ ++ { HRTIMER_MODE_REL_PINNED_HARD, "REL|PINNED|HARD" }) + + /** + * hrtimer_init - called when the hrtimer is initialized +-- +2.39.2 + diff --git a/tmp-5.10/tty-serial-fsl_lpuart-add-earlycon-for-imx8ulp-platform.patch b/tmp-5.10/tty-serial-fsl_lpuart-add-earlycon-for-imx8ulp-platform.patch new file mode 100644 index 00000000000..ebd8f7a7c6e 
--- /dev/null +++ b/tmp-5.10/tty-serial-fsl_lpuart-add-earlycon-for-imx8ulp-platform.patch @@ -0,0 +1,29 @@ +From e0edfdc15863ec80a1d9ac6e174dbccc00206dd0 Mon Sep 17 00:00:00 2001 +From: Sherry Sun +Date: Mon, 19 Jun 2023 16:06:13 +0800 +Subject: tty: serial: fsl_lpuart: add earlycon for imx8ulp platform + +From: Sherry Sun + +commit e0edfdc15863ec80a1d9ac6e174dbccc00206dd0 upstream. + +Add earlycon support for imx8ulp platform. + +Signed-off-by: Sherry Sun +Cc: stable +Link: https://lore.kernel.org/r/20230619080613.16522-1-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/fsl_lpuart.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -2589,6 +2589,7 @@ OF_EARLYCON_DECLARE(lpuart, "fsl,vf610-l + OF_EARLYCON_DECLARE(lpuart32, "fsl,ls1021a-lpuart", lpuart32_early_console_setup); + OF_EARLYCON_DECLARE(lpuart32, "fsl,ls1028a-lpuart", ls1028a_early_console_setup); + OF_EARLYCON_DECLARE(lpuart32, "fsl,imx7ulp-lpuart", lpuart32_imx_early_console_setup); ++OF_EARLYCON_DECLARE(lpuart32, "fsl,imx8ulp-lpuart", lpuart32_imx_early_console_setup); + OF_EARLYCON_DECLARE(lpuart32, "fsl,imx8qxp-lpuart", lpuart32_imx_early_console_setup); + EARLYCON_DECLARE(lpuart, lpuart_early_console_setup); + EARLYCON_DECLARE(lpuart32, lpuart32_early_console_setup); diff --git a/tmp-5.10/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch b/tmp-5.10/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch new file mode 100644 index 00000000000..80ad737e390 --- /dev/null +++ b/tmp-5.10/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch 
@@ -0,0 +1,40 @@ +From a9c09546e903f1068acfa38e1ee18bded7114b37 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sat, 10 Jun 2023 17:59:25 +0200 +Subject: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error + +From: Christophe JAILLET + +commit a9c09546e903f1068acfa38e1ee18bded7114b37 upstream. + +If clk_get_rate() fails, the clk that has just been allocated needs to be +freed. + +Cc: # v3.3+ +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Andi Shyti +Fixes: 5f5a7a5578c5 ("serial: samsung: switch to clkdev based clock lookup") +Signed-off-by: Christophe JAILLET +Reviewed-by: Jiri Slaby +Message-ID: +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/samsung_tty.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/samsung_tty.c ++++ b/drivers/tty/serial/samsung_tty.c +@@ -1313,8 +1313,12 @@ static unsigned int s3c24xx_serial_getcl + continue; + + rate = clk_get_rate(clk); +- if (!rate) ++ if (!rate) { ++ dev_err(ourport->port.dev, ++ "Failed to get clock rate for %s.\n", clkname); ++ clk_put(clk); + continue; ++ } + + if (ourport->info->has_divslot) { + unsigned long div = rate / req_baud; diff --git a/tmp-5.10/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch b/tmp-5.10/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch new file mode 100644 index 00000000000..416517ba83c --- /dev/null +++ b/tmp-5.10/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch 
@@ -0,0 +1,48 @@ +From 832e231cff476102e8204a9e7bddfe5c6154a375 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sat, 10 Jun 2023 17:59:26 +0200 +Subject: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk + +From: Christophe JAILLET + +commit 832e231cff476102e8204a9e7bddfe5c6154a375 upstream. + +When the best clk is searched, we iterate over all possible clk. + +If we find a better match, the previous one, if any, needs to be freed. +If a better match has already been found, we still need to free the new +one, otherwise it leaks. + +Cc: # v3.3+ +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Andi Shyti +Fixes: 5f5a7a5578c5 ("serial: samsung: switch to clkdev based clock lookup") +Signed-off-by: Christophe JAILLET +Reviewed-by: Jiri Slaby +Message-ID: +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/samsung_tty.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/tty/serial/samsung_tty.c ++++ b/drivers/tty/serial/samsung_tty.c +@@ -1344,10 +1344,18 @@ static unsigned int s3c24xx_serial_getcl + calc_deviation = -calc_deviation; + + if (calc_deviation < deviation) { ++ /* ++ * If we find a better clk, release the previous one, if ++ * any. ++ */ ++ if (!IS_ERR(*best_clk)) ++ clk_put(*best_clk); + *best_clk = clk; + best_quot = quot; + *clk_num = cnt; + deviation = calc_deviation; ++ } else { ++ clk_put(clk); + } + } + diff --git a/tmp-5.10/udp6-fix-udp6_ehashfn-typo.patch b/tmp-5.10/udp6-fix-udp6_ehashfn-typo.patch new file mode 100644 index 00000000000..bb54a6e7102 --- /dev/null +++ b/tmp-5.10/udp6-fix-udp6_ehashfn-typo.patch 
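Review bot: The new `if (!IS_ERR(*best_clk)) clk_put(*best_clk);` in the `calc_deviation < deviation` branch is only safe if the caller passes in `*best_clk` already set to an ERR_PTR value or to a clk it holds; an uninitialised pointer there would be handed to clk_put(). That initialisation is not visible in this hunk, so it should be confirmed at the call site and written into the function's comment, e.g. `/* *best_clk must be an ERR_PTR() on entry; on return it holds a reference the caller must clk_put() */`. The body of s3c24xx_serial_getclk() starts and ends outside the hunk.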
@@ -0,0 +1,40 @@ +From 279a8ca0c53b60a63609bd8055b756cfb4af296a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jul 2023 08:29:58 +0000 +Subject: udp6: fix udp6_ehashfn() typo + +From: Eric Dumazet + +[ Upstream commit 51d03e2f2203e76ed02d33fb5ffbb5fc85ffaf54 ] + +Amit Klein reported that udp6_ehash_secret was initialized but never used. + +Fixes: 1bbdceef1e53 ("inet: convert inet_ehash_secret and ipv6_hash_secret to net_get_random_once") +Reported-by: Amit Klein +Signed-off-by: Eric Dumazet +Cc: Willy Tarreau +Cc: Willem de Bruijn +Cc: David Ahern +Cc: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/udp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 19c0721399d9e..788bb19f32e99 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -87,7 +87,7 @@ static u32 udp6_ehashfn(const struct net *net, + fhash = __ipv6_addr_jhash(faddr, udp_ipv6_hash_secret); + + return __inet6_ehashfn(lhash, lport, fhash, fport, +- udp_ipv6_hash_secret + net_hash_mix(net)); ++ udp6_ehash_secret + net_hash_mix(net)); + } + + int udp_v6_get_port(struct sock *sk, unsigned short snum) +-- +2.39.2 + diff --git a/tmp-5.10/um-use-host_dir-for-mrproper.patch b/tmp-5.10/um-use-host_dir-for-mrproper.patch new file mode 100644 index 00000000000..02d7727bb6b --- /dev/null +++ b/tmp-5.10/um-use-host_dir-for-mrproper.patch 
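Review bot: udp6_ehashfn() now uses two similarly named keys, `udp_ipv6_hash_secret` for the `fhash` address hash and `udp6_ehash_secret` for the final `__inet6_ehashfn()` mix, and nothing in the function says which is which, which is the confusion this commit had to fix. A one-line comment above the return would make a future mix-up easier to catch in review, e.g. `/* udp_ipv6_hash_secret keys the per-address jhash; udp6_ehash_secret keys the combined ehash */`. Only the `fhash` line and the return are visible here; the rest of the function and the initialisation of both secrets are outside the hunk.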
@@ -0,0 +1,40 @@ +From a5a319ec2c2236bb96d147c16196d2f1f3799301 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Tue, 6 Jun 2023 15:24:45 -0700 +Subject: um: Use HOST_DIR for mrproper + +From: Kees Cook + +commit a5a319ec2c2236bb96d147c16196d2f1f3799301 upstream. + +When HEADER_ARCH was introduced, the MRPROPER_FILES (then MRPROPER_DIRS) +list wasn't adjusted, leaving SUBARCH as part of the path argument. +This resulted in the "mrproper" target not cleaning up arch/x86/... when +SUBARCH was specified. Since HOST_DIR is arch/$(HEADER_ARCH), use it +instead to get the correct path. + +Cc: Richard Weinberger +Cc: Anton Ivanov +Cc: Johannes Berg +Cc: Azeem Shaikh +Cc: linux-um@lists.infradead.org +Fixes: 7bbe7204e937 ("um: merge Makefile-{i386,x86_64}") +Cc: stable@vger.kernel.org +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20230606222442.never.807-kees@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/um/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/um/Makefile ++++ b/arch/um/Makefile +@@ -147,7 +147,7 @@ export LDFLAGS_vmlinux := $(LDFLAGS_EXEC + # When cleaning we don't include .config, so we don't include + # TT or skas makefiles and don't clean skas_ptregs.h. + CLEAN_FILES += linux x.i gmon.out +-MRPROPER_FILES += arch/$(SUBARCH)/include/generated ++MRPROPER_FILES += $(HOST_DIR)/include/generated + + archclean: + @find . \( -name '*.bb' -o -name '*.bbg' -o -name '*.da' \ diff --git a/tmp-5.10/usb-common-usb-conn-gpio-set-last-role-to-unknown-be.patch b/tmp-5.10/usb-common-usb-conn-gpio-set-last-role-to-unknown-be.patch new file mode 100644 index 00000000000..676a96829f6 --- /dev/null +++ b/tmp-5.10/usb-common-usb-conn-gpio-set-last-role-to-unknown-be.patch 
@@ -0,0 +1,104 @@ +From eb8fc2a64847dbcfd11c88be40942375df3c5293 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 20:11:14 +0530 +Subject: usb: common: usb-conn-gpio: Set last role to unknown before initial + detection + +From: Prashanth K + +[ Upstream commit edd60d24bd858cef165274e4cd6cab43bdc58d15 ] + +Currently if we bootup a device without cable connected, then +usb-conn-gpio won't call set_role() since last_role is same as +current role. This happens because during probe last_role gets +initialised to zero. + +To avoid this, added a new constant in enum usb_role, last_role +is set to USB_ROLE_UNKNOWN before performing initial detection. + +While at it, also handle default case for the usb_role switch +in cdns3, intel-xhci-usb-role-switch & musb/jz4740 to avoid +build warnings. + +Fixes: 4602f3bff266 ("usb: common: add USB GPIO based connection detection driver") +Signed-off-by: Prashanth K +Reviewed-by: AngeloGioacchino Del Regno +Message-ID: <1685544074-17337-1-git-send-email-quic_prashk@quicinc.com> +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/cdns3/core.c | 2 ++ + drivers/usb/common/usb-conn-gpio.c | 3 +++ + drivers/usb/musb/jz4740.c | 2 ++ + drivers/usb/roles/intel-xhci-usb-role-switch.c | 2 ++ + include/linux/usb/role.h | 1 + + 5 files changed, 10 insertions(+) + +diff --git a/drivers/usb/cdns3/core.c b/drivers/usb/cdns3/core.c +index 8fe7420de033d..e5fe640b2bb01 100644 +--- a/drivers/usb/cdns3/core.c ++++ b/drivers/usb/cdns3/core.c +@@ -243,6 +243,8 @@ static enum usb_role cdns3_hw_role_state_machine(struct cdns3 *cdns) + if (!vbus) + role = USB_ROLE_NONE; + break; ++ default: ++ break; + } + + dev_dbg(cdns->dev, "role %d -> %d\n", cdns->role, role); +diff --git a/drivers/usb/common/usb-conn-gpio.c b/drivers/usb/common/usb-conn-gpio.c +index c9545a4eff664..5754e467c16a8 100644 +--- a/drivers/usb/common/usb-conn-gpio.c ++++ b/drivers/usb/common/usb-conn-gpio.c +@@ -276,6 +276,9 @@ static int 
usb_conn_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, info); + ++ /* Set last role to unknown before performing the initial detection */ ++ info->last_role = USB_ROLE_UNKNOWN; ++ + /* Perform initial detection */ + usb_conn_queue_dwork(info, 0); + +diff --git a/drivers/usb/musb/jz4740.c b/drivers/usb/musb/jz4740.c +index c4fe1f4cd17a3..f283629091ec4 100644 +--- a/drivers/usb/musb/jz4740.c ++++ b/drivers/usb/musb/jz4740.c +@@ -91,6 +91,8 @@ static int jz4740_musb_role_switch_set(struct usb_role_switch *sw, + case USB_ROLE_HOST: + atomic_notifier_call_chain(&phy->notifier, USB_EVENT_ID, phy); + break; ++ default: ++ break; + } + + return 0; +diff --git a/drivers/usb/roles/intel-xhci-usb-role-switch.c b/drivers/usb/roles/intel-xhci-usb-role-switch.c +index 5c96e929acea0..4d6a3dd06e011 100644 +--- a/drivers/usb/roles/intel-xhci-usb-role-switch.c ++++ b/drivers/usb/roles/intel-xhci-usb-role-switch.c +@@ -97,6 +97,8 @@ static int intel_xhci_usb_set_role(struct usb_role_switch *sw, + val |= SW_VBUS_VALID; + drd_config = DRD_CONFIG_STATIC_DEVICE; + break; ++ default: ++ break; + } + val |= SW_IDPIN_EN; + if (data->enable_sw_switch) { +diff --git a/include/linux/usb/role.h b/include/linux/usb/role.h +index b9ccaeb8a4aef..aecfce46d3544 100644 +--- a/include/linux/usb/role.h ++++ b/include/linux/usb/role.h +@@ -11,6 +11,7 @@ enum usb_role { + USB_ROLE_NONE, + USB_ROLE_HOST, + USB_ROLE_DEVICE, ++ USB_ROLE_UNKNOWN, + }; + + typedef int (*usb_role_switch_set_t)(struct usb_role_switch *sw, +-- +2.39.2 + diff --git a/tmp-5.10/usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch b/tmp-5.10/usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch new file mode 100644 index 00000000000..bb6f51e78cd --- /dev/null +++ b/tmp-5.10/usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch 
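Review bot: The new `USB_ROLE_UNKNOWN` enumerator in include/linux/usb/role.h carries no comment saying it is a "not yet detected" marker, and the `default: break;` arms added in cdns3, jz4740 and intel-xhci let a handler accept it silently. In intel_xhci_usb_set_role() execution then continues to `val |= SW_IDPIN_EN;` with whatever `drd_config` held before the switch, which is not visible in this hunk. I would document the intent at the enum, e.g. `USB_ROLE_UNKNOWN, /* initial last_role marker; not a role to program into hardware */`, and confirm that no caller can pass it to a role switch. The patched functions all begin outside their hunks.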
@@ -0,0 +1,52 @@ +From c0aabed9cabe057309779a9e26fe86a113d24dad Mon Sep 17 00:00:00 2001 +From: Krishna Kurapati +Date: Sun, 18 Jun 2023 17:39:49 +0530 +Subject: usb: dwc3: gadget: Propagate core init errors to UDC during pullup + +From: Krishna Kurapati + +commit c0aabed9cabe057309779a9e26fe86a113d24dad upstream. + +In scenarios where pullup relies on resume (get sync) to initialize +the controller and set the run stop bit, then core_init is followed by +gadget_resume which will eventually set run stop bit. + +But in cases where the core_init fails, the return value is not sent +back to udc appropriately. So according to UDC the controller has +started but in reality we never set the run stop bit. + +On systems like Android, there are uevents sent to HAL depending on +whether the configfs_bind / configfs_disconnect were invoked. In the +above mentioned scnenario, if the core init fails, the run stop won't +be set and the cable plug-out won't result in generation of any +disconnect event and userspace would never get any uevent regarding +cable plug out and we never call pullup(0) again. Furthermore none of +the next Plug-In/Plug-Out's would be known to configfs. + +Return back the appropriate result to UDC to let the userspace/ +configfs know that the pullup failed so they can take appropriate +action. 
+ +Fixes: 77adb8bdf422 ("usb: dwc3: gadget: Allow runtime suspend if UDC unbinded") +Cc: stable +Signed-off-by: Krishna Kurapati +Acked-by: Thinh Nguyen +Message-ID: <20230618120949.14868-1-quic_kriskura@quicinc.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2215,7 +2215,9 @@ static int dwc3_gadget_pullup(struct usb + ret = pm_runtime_get_sync(dwc->dev); + if (!ret || ret < 0) { + pm_runtime_put(dwc->dev); +- return 0; ++ if (ret < 0) ++ pm_runtime_set_suspended(dwc->dev); ++ return ret; + } + + if (dwc->pullups_connected == is_on) { diff --git a/tmp-5.10/usb-dwc3-meson-g12a-fix-an-error-handling-path-in-dw.patch b/tmp-5.10/usb-dwc3-meson-g12a-fix-an-error-handling-path-in-dw.patch new file mode 100644 index 00000000000..254b380ef19 --- /dev/null +++ b/tmp-5.10/usb-dwc3-meson-g12a-fix-an-error-handling-path-in-dw.patch 
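Review bot: In the pm_runtime_get_sync() failure branch of dwc3_gadget_pullup(), `pm_runtime_set_suspended(dwc->dev);` is called after `pm_runtime_put()` with its return value ignored and no comment on why the status is forced. A short why-comment would help, e.g. `/* resume failed: reset the runtime PM status so a later pullup can retry */`; that reading is inferred rather than stated in the commit message, so please confirm it before adding. As a style point, `if (!ret || ret < 0)` is equivalent to `if (ret <= 0)`. The function body continues outside the hunk.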
@@ -0,0 +1,51 @@ +From fd910a041cf4e6fc1c4440671fb6c4bd11fb9ccd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Jun 2023 15:32:52 +0200 +Subject: usb: dwc3-meson-g12a: Fix an error handling path in + dwc3_meson_g12a_probe() + +From: Christophe JAILLET + +[ Upstream commit 01052b91c9808e3c3b068ae2721cb728ec9aa4c0 ] + +If dwc3_meson_g12a_otg_init() fails, resources allocated by the previous +of_platform_populate() call should be released, as already done in the +error handling path. + +Fixes: 1e355f21d3fb ("usb: dwc3: Add Amlogic A1 DWC3 glue") +Signed-off-by: Christophe JAILLET +Reviewed-by: Martin Blumenstingl +Reviewed-by: Neil Armstrong +Message-ID: <9d28466de1808ccc756b4cc25fc72c482d133d13.1686403934.git.christophe.jaillet@wanadoo.fr> +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-meson-g12a.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/dwc3-meson-g12a.c b/drivers/usb/dwc3/dwc3-meson-g12a.c +index d0f9b7c296b0d..69ec06efd7f25 100644 +--- a/drivers/usb/dwc3/dwc3-meson-g12a.c ++++ b/drivers/usb/dwc3/dwc3-meson-g12a.c +@@ -805,7 +805,7 @@ static int dwc3_meson_g12a_probe(struct platform_device *pdev) + + ret = dwc3_meson_g12a_otg_init(pdev, priv); + if (ret) +- goto err_phys_power; ++ goto err_plat_depopulate; + + pm_runtime_set_active(dev); + pm_runtime_enable(dev); +@@ -813,6 +813,9 @@ static int dwc3_meson_g12a_probe(struct platform_device *pdev) + + return 0; + ++err_plat_depopulate: ++ of_platform_depopulate(dev); ++ + err_phys_power: + for (i = 0 ; i < PHY_COUNT ; ++i) + phy_power_off(priv->phys[i]); +-- +2.39.2 + diff --git a/tmp-5.10/usb-dwc3-qcom-fix-an-error-handling-path-in-dwc3_qco.patch b/tmp-5.10/usb-dwc3-qcom-fix-an-error-handling-path-in-dwc3_qco.patch new file mode 100644 index 00000000000..9a466e9d065 --- /dev/null +++ b/tmp-5.10/usb-dwc3-qcom-fix-an-error-handling-path-in-dwc3_qco.patch 
@@ -0,0 +1,38 @@ +From 7dc8d5747ba55a0b0f530c77546a57589a944efd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jun 2023 16:56:34 +0200 +Subject: usb: dwc3: qcom: Fix an error handling path in dwc3_qcom_probe() + +From: Christophe JAILLET + +[ Upstream commit 4a944da707123686d372ec01ea60056902fadf35 ] + +If dwc3_qcom_create_urs_usb_platdev() fails, some resources still need to +be released, as already done in the other error handling path of the +probe. + +Fixes: c25c210f590e ("usb: dwc3: qcom: add URS Host support for sdm845 ACPI boot") +Signed-off-by: Christophe JAILLET +Reviewed-by: Andrew Halaney +Message-ID: +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -786,9 +786,10 @@ static int dwc3_qcom_probe(struct platfo + if (IS_ERR_OR_NULL(qcom->urs_usb)) { + dev_err(dev, "failed to create URS USB platdev\n"); + if (!qcom->urs_usb) +- return -ENODEV; ++ ret = -ENODEV; + else +- return PTR_ERR(qcom->urs_usb); ++ ret = PTR_ERR(qcom->urs_usb); ++ goto clk_disable; + } + } + } diff --git a/tmp-5.10/usb-dwc3-qcom-fix-potential-memory-leak.patch b/tmp-5.10/usb-dwc3-qcom-fix-potential-memory-leak.patch new file mode 100644 index 00000000000..18cf9040852 --- /dev/null +++ b/tmp-5.10/usb-dwc3-qcom-fix-potential-memory-leak.patch 
@@ -0,0 +1,53 @@ +From fb8aa9d3e968fd937733b98fc8e1f4e697d276c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 20:25:18 +0300 +Subject: usb: dwc3: qcom: Fix potential memory leak + +From: Vladislav Efanov + +[ Upstream commit 097fb3ee710d4de83b8d4f5589e8ee13e0f0541e ] + +Function dwc3_qcom_probe() allocates memory for resource structure +which is pointed by parent_res pointer. This memory is not +freed. This leads to memory leak. Use stack memory to prevent +memory leak. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 2bc02355f8ba ("usb: dwc3: qcom: Add support for booting with ACPI") +Signed-off-by: Vladislav Efanov +Acked-by: Shawn Guo +Link: https://lore.kernel.org/r/20230517172518.442591-1-VEfanov@ispras.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c +index dac13fe978110..5c66efb05d7f7 100644 +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -722,6 +722,7 @@ static int dwc3_qcom_probe(struct platform_device *pdev) + struct device *dev = &pdev->dev; + struct dwc3_qcom *qcom; + struct resource *res, *parent_res = NULL; ++ struct resource local_res; + int ret, i; + bool ignore_pipe_clk; + +@@ -772,9 +773,8 @@ static int dwc3_qcom_probe(struct platform_device *pdev) + if (np) { + parent_res = res; + } else { +- parent_res = kmemdup(res, sizeof(struct resource), GFP_KERNEL); +- if (!parent_res) +- return -ENOMEM; ++ memcpy(&local_res, res, sizeof(struct resource)); ++ parent_res = &local_res; + + parent_res->start = res->start + + qcom->acpi_pdata->qscratch_base_offset; +-- +2.39.2 + diff --git a/tmp-5.10/usb-dwc3-qcom-release-the-correct-resources-in-dwc3_.patch b/tmp-5.10/usb-dwc3-qcom-release-the-correct-resources-in-dwc3_.patch new file mode 100644 index 00000000000..9972c7ef1c3 --- /dev/null 
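Review bot: On the ACPI path `parent_res` now points at the stack variable `local_res`, so anything that keeps that pointer past the return of dwc3_qcom_probe() would be left with a dangling reference; the later uses of `parent_res` are not visible in this hunk and should be checked to only read it during probe. A comment at the declaration would record the constraint, e.g. `struct resource local_res; /* ACPI only: backing store for parent_res, valid during probe only */`. The copy itself can be a plain struct assignment, `local_res = *res;`, which avoids repeating the type in `sizeof(struct resource)`.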
+++ b/tmp-5.10/usb-dwc3-qcom-release-the-correct-resources-in-dwc3_.patch @@ -0,0 +1,44 @@ +From 60f2f5faedb22fb1ad6fa5d30d485b819d00dd67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jun 2023 17:04:37 +0200 +Subject: usb: dwc3: qcom: Release the correct resources in dwc3_qcom_remove() + +From: Christophe JAILLET + +[ Upstream commit 8fd95da2cfb5046c4bb5a3cdc9eb7963ba8b10dd ] + +In the probe, some resources are allocated with +dwc3_qcom_of_register_core() or dwc3_qcom_acpi_register_core(). The +corresponding resources are already coorectly freed in the error handling +path of the probe, but not in the remove function. + +Fix it. + +Fixes: 2bc02355f8ba ("usb: dwc3: qcom: Add support for booting with ACPI") +Signed-off-by: Christophe JAILLET +Reviewed-by: Andrew Halaney +Message-ID: +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-qcom.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/dwc3-qcom.c ++++ b/drivers/usb/dwc3/dwc3-qcom.c +@@ -869,10 +869,14 @@ reset_assert: + static int dwc3_qcom_remove(struct platform_device *pdev) + { + struct dwc3_qcom *qcom = platform_get_drvdata(pdev); ++ struct device_node *np = pdev->dev.of_node; + struct device *dev = &pdev->dev; + int i; + +- of_platform_depopulate(dev); ++ if (np) ++ of_platform_depopulate(&pdev->dev); ++ else ++ platform_device_put(pdev); + + for (i = qcom->num_clocks - 1; i >= 0; i--) { + clk_disable_unprepare(qcom->clks[i]); diff --git a/tmp-5.10/usb-gadget-u_serial-add-null-pointer-check-in-gseria.patch b/tmp-5.10/usb-gadget-u_serial-add-null-pointer-check-in-gseria.patch new file mode 100644 index 00000000000..bedb01098c5 --- /dev/null +++ b/tmp-5.10/usb-gadget-u_serial-add-null-pointer-check-in-gseria.patch 
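Review bot: In the non-DT branch of dwc3_qcom_remove(), `platform_device_put(pdev);` drops a reference on the glue device that is being removed, not on a child device created during probe. The commit message says the resources come from dwc3_qcom_acpi_register_core(), whose body is not visible here, so it should be confirmed that `pdev` really is the object that function allocated; if it registered a separate child device, that child is what has to be unregistered and released, and putting `pdev` would unbalance the parent's reference count. Separately, the new branch passes `&pdev->dev` although the local `dev` already holds it: `of_platform_depopulate(dev);`.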
@@ -0,0 +1,56 @@ +From 9c6603d6c648bb23a9361fded55c17f0d9564702 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 May 2023 14:48:37 +0530 +Subject: usb: gadget: u_serial: Add null pointer check in gserial_suspend + +From: Prashanth K + +[ Upstream commit 2f6ecb89fe8feb2b60a53325b0eeb9866d88909a ] + +Consider a case where gserial_disconnect has already cleared +gser->ioport. And if gserial_suspend gets called afterwards, +it will lead to accessing of gser->ioport and thus causing +null pointer dereference. + +Avoid this by adding a null pointer check. Added a static +spinlock to prevent gser->ioport from becoming null after +the newly added null pointer check. + +Fixes: aba3a8d01d62 ("usb: gadget: u_serial: add suspend resume callbacks") +Signed-off-by: Prashanth K +Link: https://lore.kernel.org/r/1683278317-11774-1-git-send-email-quic_prashk@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/u_serial.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c +index 7b54e814aefb1..3b5a6430e2418 100644 +--- a/drivers/usb/gadget/function/u_serial.c ++++ b/drivers/usb/gadget/function/u_serial.c +@@ -1421,10 +1421,19 @@ EXPORT_SYMBOL_GPL(gserial_disconnect); + + void gserial_suspend(struct gserial *gser) + { +- struct gs_port *port = gser->ioport; ++ struct gs_port *port; + unsigned long flags; + +- spin_lock_irqsave(&port->port_lock, flags); ++ spin_lock_irqsave(&serial_port_lock, flags); ++ port = gser->ioport; ++ ++ if (!port) { ++ spin_unlock_irqrestore(&serial_port_lock, flags); ++ return; ++ } ++ ++ spin_lock(&port->port_lock); ++ spin_unlock(&serial_port_lock); + port->suspended = true; + spin_unlock_irqrestore(&port->port_lock, flags); + } +-- +2.39.2 + 
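Review bot: The lock hand-over in gserial_suspend() takes `spin_lock(&port->port_lock);` while `serial_port_lock` is still held, drops `serial_port_lock`, and restores the saved `flags` only on `spin_unlock_irqrestore(&port->port_lock, flags);`; this is correct only if gserial_disconnect() clears `gser->ioport` under `serial_port_lock` and every path nests the two locks in the same order. Neither is visible in this hunk, so I would state both in a comment above the first lock, e.g. `/* serial_port_lock pins gser->ioport; order is serial_port_lock -> port_lock, irq flags are restored on the port_lock unlock */`. Any other entry point that reads `gser->ioport` without this check (a resume counterpart, if there is one) would need the same treatment.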
diff --git a/tmp-5.10/usb-hide-unused-usbfs_notify_suspend-resume-function.patch b/tmp-5.10/usb-hide-unused-usbfs_notify_suspend-resume-function.patch new file mode 100644 index 00000000000..a22eef97a2b --- /dev/null +++ b/tmp-5.10/usb-hide-unused-usbfs_notify_suspend-resume-function.patch @@ -0,0 +1,52 @@ +From ea33f695609edcb6ffaa9fcb8469a48a4f6a1dff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 22:17:42 +0200 +Subject: usb: hide unused usbfs_notify_suspend/resume functions + +From: Arnd Bergmann + +[ Upstream commit 8e6bd945e6dde64fbc60ec3fe252164493a8d3a2 ] + +The declaration is in an #ifdef, which causes warnings when building +with 'make W=1' and without CONFIG_PM: + +drivers/usb/core/devio.c:742:6: error: no previous prototype for 'usbfs_notify_suspend' +drivers/usb/core/devio.c:747:6: error: no previous prototype for 'usbfs_notify_resume' + +Use the same #ifdef check around the function definitions to avoid +the warnings and slightly shrink the USB core. + +Fixes: 7794f486ed0b ("usbfs: Add ioctls for runtime power management") +Signed-off-by: Arnd Bergmann +Reviewed-by: Sebastian Reichel +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20230516202103.558301-1-arnd@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/devio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c +index 2fe29319de441..1b95035d179f3 100644 +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -734,6 +734,7 @@ static int driver_resume(struct usb_interface *intf) + return 0; + } + ++#ifdef CONFIG_PM + /* The following routines apply to the entire device, not interfaces */ + void usbfs_notify_suspend(struct usb_device *udev) + { +@@ -752,6 +753,7 @@ void usbfs_notify_resume(struct usb_device *udev) + } + mutex_unlock(&usbfs_mutex); + } ++#endif + + struct usb_driver usbfs_driver = { + .name = "usbfs", +-- +2.39.2 + 
diff --git a/tmp-5.10/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch b/tmp-5.10/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch new file mode 100644 index 00000000000..c5fe8bb678e --- /dev/null +++ b/tmp-5.10/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch @@ -0,0 +1,43 @@ +From 6b2333021ee64e7c9925f344fb751a65056f36ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Apr 2023 22:08:31 +0800 +Subject: usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe() + +From: Li Yang + +[ Upstream commit 342161c11403ea00e9febc16baab1d883d589d04 ] + +Smatch reports: +drivers/usb/phy/phy-tahvo.c: tahvo_usb_probe() +warn: missing unwind goto? + +After geting irq, if ret < 0, it will return without error handling to +free memory. +Just add error handling to fix this problem. + +Fixes: 0d45a1373e66 ("usb: phy: tahvo: add IRQ check") +Signed-off-by: Li Yang +Reviewed-by: Dongliang Mu +Link: https://lore.kernel.org/r/20230420140832.9110-1-lidaxian@hust.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/phy/phy-tahvo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/phy/phy-tahvo.c b/drivers/usb/phy/phy-tahvo.c +index a3e043e3e4aae..d0672b6712985 100644 +--- a/drivers/usb/phy/phy-tahvo.c ++++ b/drivers/usb/phy/phy-tahvo.c +@@ -395,7 +395,7 @@ static int tahvo_usb_probe(struct platform_device *pdev) + + tu->irq = ret = platform_get_irq(pdev, 0); + if (ret < 0) +- return ret; ++ goto err_remove_phy; + ret = request_threaded_irq(tu->irq, NULL, tahvo_usb_vbus_interrupt, + IRQF_ONESHOT, + "tahvo-vbus", tu); +-- +2.39.2 + diff --git a/tmp-5.10/usb-serial-option-add-lara-r6-01b-pids.patch b/tmp-5.10/usb-serial-option-add-lara-r6-01b-pids.patch new file mode 100644 index 00000000000..2e014e97597 --- /dev/null +++ b/tmp-5.10/usb-serial-option-add-lara-r6-01b-pids.patch 
@@ -0,0 +1,65 @@ +From ffa5f7a3bf28c1306eef85d4056539c2d4b8eb09 Mon Sep 17 00:00:00 2001 +From: Davide Tronchin +Date: Thu, 22 Jun 2023 11:29:21 +0200 +Subject: USB: serial: option: add LARA-R6 01B PIDs + +From: Davide Tronchin + +commit ffa5f7a3bf28c1306eef85d4056539c2d4b8eb09 upstream. + +The new LARA-R6 product variant identified by the "01B" string can be +configured (by AT interface) in three different USB modes: + +* Default mode (Vendor ID: 0x1546 Product ID: 0x1311) with 4 serial +interfaces + +* RmNet mode (Vendor ID: 0x1546 Product ID: 0x1312) with 4 serial +interfaces and 1 RmNet virtual network interface + +* CDC-ECM mode (Vendor ID: 0x1546 Product ID: 0x1313) with 4 serial +interface and 1 CDC-ECM virtual network interface +The first 4 interfaces of all the 3 USB configurations (default, RmNet, +CDC-ECM) are the same. + +In default mode LARA-R6 01B exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions + +In RmNet mode LARA-R6 01B exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions +If 4: RMNET interface + +In CDC-ECM mode LARA-R6 01B exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions +If 4: CDC-ECM interface + +Signed-off-by: Davide Tronchin +Link: https://lore.kernel.org/r/20230622092921.12651-1-davide.tronchin.94@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1151,6 +1151,10 @@ static const struct usb_device_id option + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa), + .driver_info = RSVD(3) }, + /* u-blox products */ ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1311) }, /* u-blox LARA-R6 01B */ ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1312), /* u-blox 
LARA-R6 01B (RMNET) */ ++ .driver_info = RSVD(4) }, ++ { USB_DEVICE_INTERFACE_CLASS(UBLOX_VENDOR_ID, 0x1313, 0xff) }, /* u-blox LARA-R6 01B (ECM) */ + { USB_DEVICE(UBLOX_VENDOR_ID, 0x1341) }, /* u-blox LARA-L6 */ + { USB_DEVICE(UBLOX_VENDOR_ID, 0x1342), /* u-blox LARA-L6 (RMNET) */ + .driver_info = RSVD(4) }, diff --git a/tmp-5.10/video-imsttfb-check-for-ioremap-failures.patch b/tmp-5.10/video-imsttfb-check-for-ioremap-failures.patch new file mode 100644 index 00000000000..3e35f3886b9 --- /dev/null +++ b/tmp-5.10/video-imsttfb-check-for-ioremap-failures.patch 
@@ -0,0 +1,77 @@
+From 13b7c0390a5d3840e1e2cda8f44a310fdbb982de Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 3 May 2021 13:57:34 +0200
+Subject: video: imsttfb: check for ioremap() failures
+
+From: Greg Kroah-Hartman
+
+commit 13b7c0390a5d3840e1e2cda8f44a310fdbb982de upstream.
+
+We should check if ioremap() were to somehow fail in imsttfb_probe() and
+handle the unwinding of the resources allocated here properly.
+
+Ideally if anyone cares about this driver (it's for a PowerMac era PCI
+display card), they wouldn't even be using fbdev anymore. Or the devm_*
+apis could be used, but that's just extra work for diminishing
+returns...
+
+Cc: Finn Thain
+Cc: Bartlomiej Zolnierkiewicz
+Reviewed-by: Rob Herring
+Link: https://lore.kernel.org/r/20210503115736.2104747-68-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/imsttfb.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/video/fbdev/imsttfb.c
++++ b/drivers/video/fbdev/imsttfb.c
+@@ -1469,6 +1469,7 @@ static int imsttfb_probe(struct pci_dev
+ struct imstt_par *par;
+ struct fb_info *info;
+ struct device_node *dp;
++ int ret = -ENOMEM;
+
+ dp = pci_device_to_OF_node(pdev);
+ if(dp)
+@@ -1504,23 +1505,37 @@ static int imsttfb_probe(struct pci_dev
+ default:
+ printk(KERN_INFO "imsttfb: Device 0x%x unknown, "
+ "contact maintainer.\n", pdev->device);
+- release_mem_region(addr, size);
+- framebuffer_release(info);
+- return -ENODEV;
++ ret = -ENODEV;
++ goto error;
+ }
+
+ info->fix.smem_start = addr;
+ info->screen_base = (__u8 *)ioremap(addr, par->ramdac == IBM ?
+ 0x400000 : 0x800000);
++ if (!info->screen_base)
++ goto error;
+ info->fix.mmio_start = addr + 0x800000;
+ par->dc_regs = ioremap(addr + 0x800000, 0x1000);
++ if (!par->dc_regs)
++ goto error;
+ par->cmap_regs_phys = addr + 0x840000;
+ par->cmap_regs = (__u8 *)ioremap(addr + 0x840000, 0x1000);
++ if (!par->cmap_regs)
++ goto error;
+ info->pseudo_palette = par->palette;
+ init_imstt(info);
+
+ pci_set_drvdata(pdev, info);
+ return 0;
++
++error:
++ if (par->dc_regs)
++ iounmap(par->dc_regs);
++ if (info->screen_base)
++ iounmap(info->screen_base);
++ release_mem_region(addr, size);
++ framebuffer_release(info);
++ return ret;
+ }
+
+ static void imsttfb_remove(struct pci_dev *pdev)
diff --git a/tmp-5.10/w1-fix-loop-in-w1_fini.patch b/tmp-5.10/w1-fix-loop-in-w1_fini.patch
new file mode 100644
index 00000000000..05d7f1ff0b7
--- /dev/null
+++ b/tmp-5.10/w1-fix-loop-in-w1_fini.patch
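Review bot: In imsttfb_probe(), `init_imstt(info);` is still called as a bare statement after the three new ioremap() checks, so nothing it does can reach the new `error:` label and probe always continues to `pci_set_drvdata(pdev, info); return 0;`. If init_imstt() can fail or release `info` itself (its body is outside this hunk, so this is unconfirmed), probe would report success with a stale pointer; having it return an int and following the call with `if (ret) goto error;` would close that gap, with an `iounmap(par->cmap_regs)` added to the unwind. The `error:` label also depends on `par->dc_regs` and `info->screen_base` being NULL when it is reached from the `default:` case, which presumably holds because the allocation is zeroed; a one-line comment at the label stating that assumption would help the next reader.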
@@ -0,0 +1,43 @@
+From 6bee1697e281acc3d0c4de3284ec3d2472adb45c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 May 2021 17:17:45 +0300
+Subject: w1: fix loop in w1_fini()
+
+From: Dan Carpenter
+
+[ Upstream commit 83f3fcf96fcc7e5405b37d9424c7ef26bfa203f8 ]
+
+The __w1_remove_master_device() function calls:
+
+ list_del(&dev->w1_master_entry);
+
+So presumably this can cause an endless loop.
+
+Fixes: 7785925dd8e0 ("[PATCH] w1: cleanups.")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Sasha Levin
+---
+ drivers/w1/w1.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c
+index 15842377c8d2c..1c1a9438f4b6b 100644
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -1228,10 +1228,10 @@ static int __init w1_init(void)
+
+ static void __exit w1_fini(void)
+ {
+- struct w1_master *dev;
++ struct w1_master *dev, *n;
+
+ /* Set netlink removal messages and some cleanup */
+- list_for_each_entry(dev, &w1_masters, w1_master_entry)
++ list_for_each_entry_safe(dev, n, &w1_masters, w1_master_entry)
+ __w1_remove_master_device(dev);
+
+ w1_fini_netlink();
+--
+2.39.2
+
diff --git a/tmp-5.10/w1-w1_therm-fix-locking-behavior-in-convert_t.patch b/tmp-5.10/w1-w1_therm-fix-locking-behavior-in-convert_t.patch
new file mode 100644
index 00000000000..f4f473aafba
--- /dev/null
+++ b/tmp-5.10/w1-w1_therm-fix-locking-behavior-in-convert_t.patch
@@ -0,0 +1,91 @@
+From 8d664d6b584cd915e2e90b7653d530af1fc89e86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Apr 2023 13:21:52 +0200
+Subject: w1: w1_therm: fix locking behavior in convert_t
+
+From: Stefan Wahren
+
+[ Upstream commit dca5480ab7b77a889088ab7cac81934604510ac7 ]
+
+The commit 67b392f7b8ed ("w1_therm: optimizing temperature read timings")
+accidentially inverted the logic for lock handling of the bus mutex.
+
+Before:
+ pullup -> release lock before sleep
+ no pullup -> release lock after sleep
+
+After:
+ pullup -> release lock after sleep
+ no pullup -> release lock before sleep
+
+This cause spurious measurements of 85 degree (powerup value) on the
+Tarragon board with connected 1-w temperature sensor
+(w1_therm.w1_strong_pull=0).
+
+In the meantime a new feature for polling the conversion
+completion has been integrated in these branches with
+commit 021da53e65fd ("w1: w1_therm: Add sysfs entries to control
+conversion time and driver features"). But this feature isn't
+available for parasite power mode, so handle this separately.
+
+Link: https://lore.kernel.org/regressions/2023042645-attentive-amends-7b0b@gregkh/T/
+Fixes: 67b392f7b8ed ("w1_therm: optimizing temperature read timings")
+Signed-off-by: Stefan Wahren
+Link: https://lore.kernel.org/r/20230427112152.12313-1-stefan.wahren@i2se.com
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Sasha Levin
+---
+ drivers/w1/slaves/w1_therm.c | 31 ++++++++++++++-----------------
+ 1 file changed, 14 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/w1/slaves/w1_therm.c b/drivers/w1/slaves/w1_therm.c
+index 6546d029c7fd6..3888643a22f60 100644
+--- a/drivers/w1/slaves/w1_therm.c
++++ b/drivers/w1/slaves/w1_therm.c
+@@ -1094,29 +1094,26 @@ static int convert_t(struct w1_slave *sl, struct therm_info *info)
+
+ w1_write_8(dev_master, W1_CONVERT_TEMP);
+
+- if (strong_pullup) { /*some device need pullup */
++ if (SLAVE_FEATURES(sl) & W1_THERM_POLL_COMPLETION) {
++ ret = w1_poll_completion(dev_master, W1_POLL_CONVERT_TEMP);
++ if (ret) {
++ dev_dbg(&sl->dev, "%s: Timeout\n", __func__);
++ goto mt_unlock;
++ }
++ mutex_unlock(&dev_master->bus_mutex);
++ } else if (!strong_pullup) { /*no device need pullup */
+ sleep_rem = msleep_interruptible(t_conv);
+ if (sleep_rem != 0) {
+ ret = -EINTR;
+ goto mt_unlock;
+ }
+ mutex_unlock(&dev_master->bus_mutex);
+- } else { /*no device need pullup */
+- if (SLAVE_FEATURES(sl) & W1_THERM_POLL_COMPLETION) {
+- ret = w1_poll_completion(dev_master, W1_POLL_CONVERT_TEMP);
+- if (ret) {
+- dev_dbg(&sl->dev, "%s: Timeout\n", __func__);
+- goto mt_unlock;
+- }
+- mutex_unlock(&dev_master->bus_mutex);
+- } else {
+- /* Fixed delay */
+- mutex_unlock(&dev_master->bus_mutex);
+- sleep_rem = msleep_interruptible(t_conv);
+- if (sleep_rem != 0) {
+- ret = -EINTR;
+- goto dec_refcnt;
+- }
++ } else { /*some device need pullup */
++ mutex_unlock(&dev_master->bus_mutex);
++ sleep_rem = msleep_interruptible(t_conv);
++ if (sleep_rem != 0) {
++ ret = -EINTR;
++ goto dec_refcnt;
+ }
+ }
+ ret = read_scratchpad(sl, info);
+--
+2.39.2
+
diff --git a/tmp-5.10/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch b/tmp-5.10/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch
new file mode 100644
index 00000000000..510b82032ed
--- /dev/null
+++ b/tmp-5.10/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch
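Review bot: In convert_t(), the `W1_THERM_POLL_COMPLETION` branch is now tested before `strong_pullup`, so polling is chosen even when a strong pullup is requested, although the commit message says polling is not available in parasite power mode. Whether the feature bit is cleared earlier in convert_t() for that case is not visible in this hunk; if it is not, the first condition should read `if (!strong_pullup && (SLAVE_FEATURES(sl) & W1_THERM_POLL_COMPLETION)) {`. The two sleep branches also leave through different labels, `mt_unlock` while the mutex is still held and `dec_refcnt` after it was dropped, and nothing in the code says why. A comment such as `/* bus_mutex already released here: skip mt_unlock */` above `goto dec_refcnt;` would make that invariant explicit, since getting it wrong is exactly the regression this patch repairs.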
@@ -0,0 +1,89 @@
+From b1f41a32c1fdb8a0a4244d5a9f68cd844d7a39e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 May 2023 10:18:25 -0700
+Subject: watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on
+ correct config
+
+From: Douglas Anderson
+
+[ Upstream commit 5e008df11c55228a86a1bae692cc2002503572c9 ]
+
+Patch series "watchdog/hardlockup: Add the buddy hardlockup detector", v5.
+
+This patch series adds the "buddy" hardlockup detector. In brief, the
+buddy hardlockup detector can detect hardlockups without arch-level
+support by having CPUs checkup on a "buddy" CPU periodically.
+
+Given the new design of this patch series, testing all combinations is
+fairly difficult. I've attempted to make sure that all combinations of
+CONFIG_ options are good, but it wouldn't surprise me if I missed
+something. I apologize in advance and I'll do my best to fix any
+problems that are found.
+
+This patch (of 18):
+
+The real watchdog_update_hrtimer_threshold() is defined in
+kernel/watchdog_hld.c. That file is included if
+CONFIG_HARDLOCKUP_DETECTOR_PERF and the function is defined in that file
+if CONFIG_HARDLOCKUP_CHECK_TIMESTAMP.
+
+The dummy version of the function in "nmi.h" didn't get that quite right.
+While this doesn't appear to be a huge deal, it's nice to make it
+consistent.
+
+It doesn't break builds because CHECK_TIMESTAMP is only defined by x86 so
+others don't get a double definition, and x86 uses perf lockup detector,
+so it gets the out of line version.
+
+Link: https://lkml.kernel.org/r/20230519101840.v5.18.Ia44852044cdcb074f387e80df6b45e892965d4a1@changeid
+Link: https://lkml.kernel.org/r/20230519101840.v5.1.I8cbb2f4fa740528fcfade4f5439b6cdcdd059251@changeid
+Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes")
+Signed-off-by: Douglas Anderson
+Reviewed-by: Nicholas Piggin
+Reviewed-by: Petr Mladek
+Cc: Andi Kleen
+Cc: Catalin Marinas
+Cc: Chen-Yu Tsai
+Cc: Christophe Leroy
+Cc: Daniel Thompson
+Cc: "David S. Miller"
+Cc: Guenter Roeck
+Cc: Ian Rogers
+Cc: Lecopzer Chen
+Cc: Marc Zyngier
+Cc: Mark Rutland
+Cc: Masayoshi Mizuma
+Cc: Matthias Kaehlcke
+Cc: Michael Ellerman
+Cc: Pingfan Liu
+Cc: Randy Dunlap
+Cc: "Ravi V. Shankar"
+Cc: Ricardo Neri
+Cc: Stephane Eranian
+Cc: Stephen Boyd
+Cc: Sumit Garg
+Cc: Tzung-Bi Shih
+Cc: Will Deacon
+Cc: Colin Cross
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ include/linux/nmi.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/nmi.h b/include/linux/nmi.h
+index f700ff2df074e..0db377ff8f608 100644
+--- a/include/linux/nmi.h
++++ b/include/linux/nmi.h
+@@ -197,7 +197,7 @@ u64 hw_nmi_get_sample_period(int watchdog_thresh);
+ #endif
+
+ #if defined(CONFIG_HARDLOCKUP_CHECK_TIMESTAMP) && \
+- defined(CONFIG_HARDLOCKUP_DETECTOR)
++ defined(CONFIG_HARDLOCKUP_DETECTOR_PERF)
+ void watchdog_update_hrtimer_threshold(u64 period);
+ #else
+ static inline void watchdog_update_hrtimer_threshold(u64 period) { }
+--
+2.39.2
+
diff --git a/tmp-5.10/watchdog-perf-more-properly-prevent-false-positives-.patch b/tmp-5.10/watchdog-perf-more-properly-prevent-false-positives-.patch
new file mode 100644
index 00000000000..987a3d0d12f
--- /dev/null
+++ b/tmp-5.10/watchdog-perf-more-properly-prevent-false-positives-.patch
@@ -0,0 +1,84 @@
+From cf8ed9cf94968f60ba6e2b6589e4e70d614fc215 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 May 2023 10:18:26 -0700
+Subject: watchdog/perf: more properly prevent false positives with turbo modes
+
+From: Douglas Anderson
+
+[ Upstream commit 4379e59fe5665cfda737e45b8bf2f05321ef049c ]
+
+Currently, in the watchdog_overflow_callback() we first check to see if
+the watchdog had been touched and _then_ we handle the workaround for
+turbo mode. This order should be reversed.
+
+Specifically, "touching" the hardlockup detector's watchdog should avoid
+lockups being detected for one period that should be roughly the same
+regardless of whether we're running turbo or not. That means that we
+should do the extra accounting for turbo _before_ we look at (and clear)
+the global indicating that we've been touched.
+
+NOTE: this fix is made based on code inspection. I am not aware of any
+reports where the old code would have generated false positives. That
+being said, this order seems more correct and also makes it easier down
+the line to share code with the "buddy" hardlockup detector.
+
+Link: https://lkml.kernel.org/r/20230519101840.v5.2.I843b0d1de3e096ba111a179f3adb16d576bef5c7@changeid
+Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes")
+Signed-off-by: Douglas Anderson
+Cc: Andi Kleen
+Cc: Catalin Marinas
+Cc: Chen-Yu Tsai
+Cc: Christophe Leroy
+Cc: Colin Cross
+Cc: Daniel Thompson
+Cc: "David S. Miller"
+Cc: Guenter Roeck
+Cc: Ian Rogers
+Cc: Lecopzer Chen
+Cc: Marc Zyngier
+Cc: Mark Rutland
+Cc: Masayoshi Mizuma
+Cc: Matthias Kaehlcke
+Cc: Michael Ellerman
+Cc: Nicholas Piggin
+Cc: Petr Mladek
+Cc: Pingfan Liu
+Cc: Randy Dunlap
+Cc: "Ravi V. Shankar"
+Cc: Ricardo Neri
+Cc: Stephane Eranian
+Cc: Stephen Boyd
+Cc: Sumit Garg
+Cc: Tzung-Bi Shih
+Cc: Will Deacon
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ kernel/watchdog_hld.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/watchdog_hld.c b/kernel/watchdog_hld.c
+index 247bf0b1582ca..1e8a49dc956e2 100644
+--- a/kernel/watchdog_hld.c
++++ b/kernel/watchdog_hld.c
+@@ -114,14 +114,14 @@ static void watchdog_overflow_callback(struct perf_event *event,
+ /* Ensure the watchdog never gets throttled */
+ event->hw.interrupts = 0;
+
++ if (!watchdog_check_timestamp())
++ return;
++
+ if (__this_cpu_read(watchdog_nmi_touch) == true) {
+ __this_cpu_write(watchdog_nmi_touch, false);
+ return;
+ }
+
+- if (!watchdog_check_timestamp())
+- return;
+-
+ /* check for a hardlockup
+ * This is done by making sure our timer interrupt
+ * is incrementing. The timer interrupt should have
+--
+2.39.2
+
diff --git a/tmp-5.10/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch b/tmp-5.10/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch
new file mode 100644
index 00000000000..91f85139ff2
--- /dev/null
+++ b/tmp-5.10/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch
@@ -0,0 +1,47 @@
+From dae3b37a715c8a9b65c38b1aadefc8cf0152d738 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 9 Jul 2023 06:31:54 -0700
+Subject: wifi: airo: avoid uninitialized warning in airo_get_rate()
+
+From: Randy Dunlap
+
+[ Upstream commit 9373771aaed17f5c2c38485f785568abe3a9f8c1 ]
+
+Quieten a gcc (11.3.0) build error or warning by checking the function
+call status and returning -EBUSY if the function call failed.
+This is similar to what several other wireless drivers do for the
+SIOCGIWRATE ioctl call when there is a locking problem.
+
+drivers/net/wireless/cisco/airo.c: error: 'status_rid.currentXmitRate' is used uninitialized [-Werror=uninitialized]
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Randy Dunlap
+Reported-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/r/39abf2c7-24a-f167-91da-ed4c5435d1c4@linux-m68k.org
+Link: https://lore.kernel.org/r/20230709133154.26206-1-rdunlap@infradead.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/cisco/airo.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
+index 8c9c6bfbaeee7..aa1d12f6f5c3b 100644
+--- a/drivers/net/wireless/cisco/airo.c
++++ b/drivers/net/wireless/cisco/airo.c
+@@ -6150,8 +6150,11 @@ static int airo_get_rate(struct net_device *dev,
+ {
+ struct airo_info *local = dev->ml_priv;
+ StatusRid status_rid; /* Card status info */
++ int ret;
+
+- readStatusRid(local, &status_rid, 1);
++ ret = readStatusRid(local, &status_rid, 1);
++ if (ret)
++ return -EBUSY;
+
+ vwrq->value = le16_to_cpu(status_rid.currentXmitRate) * 500000;
+ /* If more than one rate, set auto */
+--
+2.39.2
+
diff --git a/tmp-5.10/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch b/tmp-5.10/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch
new file mode 100644
index 00000000000..e484d3c942e
--- /dev/null
+++ b/tmp-5.10/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch
@@ -0,0 +1,71 @@
+From 2a0d96a84b6baa7fa82851e9ded05c7368c35b54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 Apr 2023 16:54:45 +0200
+Subject: wifi: ath11k: fix registration of 6Ghz-only phy without the full
+ channel range
+
+From: Maxime Bizon
+
+[ Upstream commit e2ceb1de2f83aafd8003f0b72dfd4b7441e97d14 ]
+
+Because of what seems to be a typo, a 6Ghz-only phy for which the BDF
+does not allow the 7115Mhz channel will fail to register:
+
+ WARNING: CPU: 2 PID: 106 at net/wireless/core.c:907 wiphy_register+0x914/0x954
+ Modules linked in: ath11k_pci sbsa_gwdt
+ CPU: 2 PID: 106 Comm: kworker/u8:5 Not tainted 6.3.0-rc7-next-20230418-00549-g1e096a17625a-dirty #9
+ Hardware name: Freebox V7R Board (DT)
+ Workqueue: ath11k_qmi_driver_event ath11k_qmi_driver_event_work
+ pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : wiphy_register+0x914/0x954
+ lr : ieee80211_register_hw+0x67c/0xc10
+ sp : ffffff800b123aa0
+ x29: ffffff800b123aa0 x28: 0000000000000000 x27: 0000000000000000
+ x26: 0000000000000000 x25: 0000000000000006 x24: ffffffc008d51418
+ x23: ffffffc008cb0838 x22: ffffff80176c2460 x21: 0000000000000168
+ x20: ffffff80176c0000 x19: ffffff80176c03e0 x18: 0000000000000014
+ x17: 00000000cbef338c x16: 00000000d2a26f21 x15: 00000000ad6bb85f
+ x14: 0000000000000020 x13: 0000000000000020 x12: 00000000ffffffbd
+ x11: 0000000000000208 x10: 00000000fffffdf7 x9 : ffffffc009394718
+ x8 : ffffff80176c0528 x7 : 000000007fffffff x6 : 0000000000000006
+ x5 : 0000000000000005 x4 : ffffff800b304284 x3 : ffffff800b304284
+ x2 : ffffff800b304d98 x1 : 0000000000000000 x0 : 0000000000000000
+ Call trace:
+ wiphy_register+0x914/0x954
+ ieee80211_register_hw+0x67c/0xc10
+ ath11k_mac_register+0x7c4/0xe10
+ ath11k_core_qmi_firmware_ready+0x1f4/0x570
+ ath11k_qmi_driver_event_work+0x198/0x590
+ process_one_work+0x1b8/0x328
+ worker_thread+0x6c/0x414
+ kthread+0x100/0x104
+ ret_from_fork+0x10/0x20
+ ---[ end trace 0000000000000000 ]---
+ ath11k_pci 0002:01:00.0: ieee80211 registration failed: -22
+ ath11k_pci 0002:01:00.0: failed register the radio with mac80211: -22
+ ath11k_pci 0002:01:00.0: failed to create pdev core: -22
+
+Signed-off-by: Maxime Bizon
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230421145445.2612280-1-mbizon@freebox.fr
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 67faf62999ded..3170c54c97b74 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -6044,7 +6044,7 @@ static int ath11k_mac_setup_channels_rates(struct ath11k *ar,
+ }
+
+ if (supported_bands & WMI_HOST_WLAN_5G_CAP) {
+- if (reg_cap->high_5ghz_chan >= ATH11K_MAX_6G_FREQ) {
++ if (reg_cap->high_5ghz_chan >= ATH11K_MIN_6G_FREQ) {
+ channels = kmemdup(ath11k_6ghz_channels,
+ sizeof(ath11k_6ghz_channels), GFP_KERNEL);
+ if (!channels) {
+--
+2.39.2
+
diff --git a/tmp-5.10/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch b/tmp-5.10/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch
new file mode 100644
index 00000000000..6a4d9b00485
--- /dev/null
+++ b/tmp-5.10/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch
@@ -0,0 +1,58 @@
+From b0b831b4f588c5013aec399093c59fb13d34da39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Apr 2023 17:35:01 +0300
+Subject: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fedor Pchelkin
+
+[ Upstream commit f24292e827088bba8de7158501ac25a59b064953 ]
+
+For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid
+uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should
+validate pkt_len before accessing the SKB.
+
+For example, the obtained SKB may have been badly constructed with
+pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr
+but after being processed in ath9k_htc_rx_msg() and passed to
+ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI
+command header which should be located inside its data payload.
+
+Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit
+memory can be referenced.
+
+Tested on Qualcomm Atheros Communications AR9271 802.11n .
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Reported-and-tested-by: syzbot+f2cb6e0ffdb961921e4d@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230424183348.111355-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/wmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
+index 19345b8f7bfd5..d652c647d56b5 100644
+--- a/drivers/net/wireless/ath/ath9k/wmi.c
++++ b/drivers/net/wireless/ath/ath9k/wmi.c
+@@ -221,6 +221,10 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb,
+ if (unlikely(wmi->stopped))
+ goto free_skb;
+
++ /* Validate the obtained SKB. */
++ if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr)))
++ goto free_skb;
++
+ hdr = (struct wmi_cmd_hdr *) skb->data;
+ cmd_id = be16_to_cpu(hdr->command_id);
+
+--
+2.39.2
+
diff --git a/tmp-5.10/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch b/tmp-5.10/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch
new file mode 100644
index 00000000000..05ff372da09
--- /dev/null
+++ b/tmp-5.10/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch
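Review bot: In ath9k_wmi_ctrl_rx(), the new check only guarantees that `skb->data` holds a complete `struct wmi_cmd_hdr`; it says nothing about the payload behind the header, and `cmd_id` remains a device-supplied value. Any later consumer that reads past the header needs its own comparison against `skb->len`; the rest of the function lies outside this hunk, so whether such checks exist cannot be confirmed from here. The comment `/* Validate the obtained SKB. */` is also too vague to tell a maintainer what is being protected; `/* Drop frames too short to hold a wmi_cmd_hdr before hdr is read from skb->data. */` states the invariant.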
@@ -0,0 +1,51 @@
+From 8b85f3f8ef8fa82b948c8f47c73dbf2dd7ad6562 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Jun 2023 16:46:55 +0300
+Subject: wifi: ath9k: convert msecs to jiffies where needed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Antipov
+
+[ Upstream commit 2aa083acea9f61be3280184384551178f510ff51 ]
+
+Since 'ieee80211_queue_delayed_work()' expects timeout in
+jiffies and not milliseconds, 'msecs_to_jiffies()' should
+be used in 'ath_restart_work()' and '__ath9k_flush()'.
+
+Fixes: d63ffc45c5d3 ("ath9k: rename tx_complete_work to hw_check_work")
+Signed-off-by: Dmitry Antipov
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230613134655.248728-1-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index 2bd4d295c9bdf..b2cfc483515c0 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -203,7 +203,7 @@ void ath_cancel_work(struct ath_softc *sc)
+ void ath_restart_work(struct ath_softc *sc)
+ {
+ ieee80211_queue_delayed_work(sc->hw, &sc->hw_check_work,
+- ATH_HW_CHECK_POLL_INT);
++ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT));
+
+ if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9330(sc->sc_ah))
+ ieee80211_queue_delayed_work(sc->hw, &sc->hw_pll_work,
+@@ -2244,7 +2244,7 @@ void __ath9k_flush(struct ieee80211_hw *hw, u32 queues, bool drop,
+ }
+
+ ieee80211_queue_delayed_work(hw, &sc->hw_check_work,
+- ATH_HW_CHECK_POLL_INT);
++ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT));
+ }
+
+ static bool ath9k_tx_frames_pending(struct ieee80211_hw *hw)
+--
+2.39.2
+
diff --git a/tmp-5.10/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch b/tmp-5.10/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch
new file mode 100644
index 00000000000..5e4235c177c
--- /dev/null
+++ b/tmp-5.10/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch
@@ -0,0 +1,54 @@
+From a1c999d636b80be83d6c7a0696f8e74f6ef974de Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 May 2023 18:03:17 +0300
+Subject: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fedor Pchelkin
+
+[ Upstream commit 061b0cb9327b80d7a0f63a33e7c3e2a91a71f142 ]
+
+A bad USB device is able to construct a service connection response
+message with target endpoint being ENDPOINT0 which is reserved for
+HTC_CTRL_RSVD_SVC and should not be modified to be used for any other
+services.
+
+Reject such service connection responses.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Reported-by: syzbot+b68fbebe56d8362907e8@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230516150427.79469-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/htc_hst.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index fe62ff668f757..99667aba289df 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -114,7 +114,13 @@ static void htc_process_conn_rsp(struct htc_target *target,
+
+ if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) {
+ epid = svc_rspmsg->endpoint_id;
+- if (epid < 0 || epid >= ENDPOINT_MAX)
++
++ /* Check that the received epid for the endpoint to attach
++ * a new service is valid. ENDPOINT0 can't be used here as it
++ * is already reserved for HTC_CTRL_RSVD_SVC service and thus
++ * should not be modified.
++ */
++ if (epid <= ENDPOINT0 || epid >= ENDPOINT_MAX)
+ return;
+
+ service_id = be16_to_cpu(svc_rspmsg->service_id);
+--
+2.39.2
+
diff --git a/tmp-5.10/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch b/tmp-5.10/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch
new file mode 100644
index 00000000000..02d3bad4443
--- /dev/null
+++ b/tmp-5.10/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch
@@ -0,0 +1,95 @@
+From a8eb9d66f21e7e1ead2a91b90e0658cff3df7ded Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Apr 2023 17:35:00 +0300
+Subject: wifi: ath9k: fix AR9003 mac hardware hang check register offset
+ calculation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Seiderer
+
+[ Upstream commit 3e56c80931c7615250fe4bf83f93b57881969266 ]
+
+Fix ath9k_hw_verify_hang()/ar9003_hw_detect_mac_hang() register offset
+calculation (do not overflow the shift for the second register/queues
+above five, use the register layout described in the comments above
+ath9k_hw_verify_hang() instead).
+
+Fixes: 222e04830ff0 ("ath9k: Fix MAC HW hang check for AR9003")
+
+Reported-by: Gregg Wonderly
+Link: https://lore.kernel.org/linux-wireless/E3A9C354-0CB7-420C-ADEF-F0177FB722F4@seqtechllc.com/
+Signed-off-by: Peter Seiderer
+Acked-by: Toke Høiland-Jørgensen
+Reviewed-by: Simon Horman
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230422212423.26065-1-ps.report@gmx.net
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/ar9003_hw.c | 27 ++++++++++++++--------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/ar9003_hw.c b/drivers/net/wireless/ath/ath9k/ar9003_hw.c
+index 42f00a2a8c800..cf5648188459c 100644
+--- a/drivers/net/wireless/ath/ath9k/ar9003_hw.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_hw.c
+@@ -1099,17 +1099,22 @@ static bool ath9k_hw_verify_hang(struct ath_hw *ah, unsigned int queue)
+ {
+ u32 dma_dbg_chain, dma_dbg_complete;
+ u8 dcu_chain_state, dcu_complete_state;
++ unsigned int dbg_reg, reg_offset;
+ int i;
+
+- for (i = 0; i < NUM_STATUS_READS; i++) {
+- if (queue < 6)
+- dma_dbg_chain = REG_READ(ah, AR_DMADBG_4);
+- else
+- dma_dbg_chain = REG_READ(ah, AR_DMADBG_5);
++ if (queue < 6) {
++ dbg_reg = AR_DMADBG_4;
++ reg_offset = queue * 5;
++ } else {
++ dbg_reg = AR_DMADBG_5;
++ reg_offset = (queue - 6) * 5;
++ }
+
++ for (i = 0; i < NUM_STATUS_READS; i++) {
++ dma_dbg_chain = REG_READ(ah, dbg_reg);
+ dma_dbg_complete = REG_READ(ah, AR_DMADBG_6);
+
+- dcu_chain_state = (dma_dbg_chain >> (5 * queue)) & 0x1f;
++ dcu_chain_state = (dma_dbg_chain >> reg_offset) & 0x1f;
+ dcu_complete_state = dma_dbg_complete & 0x3;
+
+ if ((dcu_chain_state != 0x6) || (dcu_complete_state != 0x1))
+@@ -1128,6 +1133,7 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah)
+ u8 dcu_chain_state, dcu_complete_state;
+ bool dcu_wait_frdone = false;
+ unsigned long chk_dcu = 0;
++ unsigned int reg_offset;
+ unsigned int i = 0;
+
+ dma_dbg_4 = REG_READ(ah, AR_DMADBG_4);
+@@ -1139,12 +1145,15 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah)
+ goto exit;
+
+ for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) {
+- if (i < 6)
++ if (i < 6) {
+ chk_dbg = dma_dbg_4;
+- else
++ reg_offset = i * 5;
++ } else {
+ chk_dbg = dma_dbg_5;
++ reg_offset = (i - 6) * 5;
++ }
+
+- dcu_chain_state = (chk_dbg >> (5 * i)) & 0x1f;
++ dcu_chain_state = (chk_dbg >> reg_offset) & 0x1f;
+ if (dcu_chain_state == 0x6) {
+ dcu_wait_frdone = true;
+ chk_dcu |= BIT(i);
+--
+2.39.2
+
diff --git a/tmp-5.10/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch b/tmp-5.10/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch
new file mode 100644
index 00000000000..62bf55c695e
--- /dev/null
+++ b/tmp-5.10/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch
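Review bot: The shift computation (`queue * 5` below queue 6, otherwise `(queue - 6) * 5`) is now written out twice, once in ath9k_hw_verify_hang() and once inside the loop of ar9003_hw_detect_mac_hang(), with the magic numbers 6 and 5 repeated in both. A small static helper would keep the two copies from drifting apart, which is the class of bug this patch repairs. Neither site bounds `queue` or `i` so that the shift stays below 32; the loop is limited by `ATH9K_NUM_TX_QUEUES`, whose value is not visible in this hunk, so the helper's comment should state the assumed upper bound once it has been confirmed.

```c
/* Bit position of a queue's 5-bit DCU chain state within its debug
 * register: queues 0-5 are read from AR_DMADBG_4, higher queues from
 * AR_DMADBG_5.
 */
static unsigned int ar9003_dcu_chain_shift(unsigned int queue)
{
	return (queue < 6 ? queue : queue - 6) * 5;
}

/* … unchanged: dbg_reg selection in ath9k_hw_verify_hang() … */
	reg_offset = ar9003_dcu_chain_shift(queue);

/* … unchanged: chk_dbg selection in ar9003_hw_detect_mac_hang() … */
		reg_offset = ar9003_dcu_chain_shift(i);
```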
@@ -0,0 +1,111 @@
+From ddbc319830af208f36ca2850afb00e56b3c05aba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Jun 2023 11:37:44 +0200
+Subject: wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Remi Pommarel
+
+[ Upstream commit 75086cc6dee046e3fbb3dba148b376d8802f83bc ]
+
+On EDMA capable hardware, ath9k_txq_list_has_key() can enter infinite
+loop if it is called while all txq_fifos have packets that use different
+key that the one we are looking for. Fix it by exiting the loop if all
+txq_fifos have been checked already.
+
+Because this loop is called under spin_lock_bh() (see ath_txq_lock) it
+causes the following rcu stall:
+
+rcu: INFO: rcu_sched self-detected stall on CPU
+ath10k_pci 0000:01:00.0: failed to read temperature -11
+rcu: 1-....: (5254 ticks this GP) idle=189/1/0x4000000000000002 softirq=8442983/8442984 fqs=2579
+ (t=5257 jiffies g=17983297 q=334)
+Task dump for CPU 1:
+task:hostapd state:R running task stack: 0 pid: 297 ppid: 289 flags:0x0000000a
+Call trace:
+ dump_backtrace+0x0/0x170
+ show_stack+0x1c/0x24
+ sched_show_task+0x140/0x170
+ dump_cpu_task+0x48/0x54
+ rcu_dump_cpu_stacks+0xf0/0x134
+ rcu_sched_clock_irq+0x8d8/0x9fc
+ update_process_times+0xa0/0xec
+ tick_sched_timer+0x5c/0xd0
+ __hrtimer_run_queues+0x154/0x320
+ hrtimer_interrupt+0x120/0x2f0
+ arch_timer_handler_virt+0x38/0x44
+ handle_percpu_devid_irq+0x9c/0x1e0
+ handle_domain_irq+0x64/0x90
+ gic_handle_irq+0x78/0xb0
+ call_on_irq_stack+0x28/0x38
+ do_interrupt_handler+0x54/0x5c
+ el1_interrupt+0x2c/0x4c
+ el1h_64_irq_handler+0x14/0x1c
+ el1h_64_irq+0x74/0x78
+ ath9k_txq_has_key+0x1bc/0x250 [ath9k]
+ ath9k_set_key+0x1cc/0x3dc [ath9k]
+ drv_set_key+0x78/0x170
+ ieee80211_key_replace+0x564/0x6cc
+ ieee80211_key_link+0x174/0x220
+ ieee80211_add_key+0x11c/0x300
+ nl80211_new_key+0x12c/0x330
+ genl_family_rcv_msg_doit+0xbc/0x11c
+ genl_rcv_msg+0xd8/0x1c4
+ netlink_rcv_skb+0x40/0x100
+ genl_rcv+0x3c/0x50
+ netlink_unicast+0x1ec/0x2c0
+ netlink_sendmsg+0x198/0x3c0
+ ____sys_sendmsg+0x210/0x250
+ ___sys_sendmsg+0x78/0xc4
+ __sys_sendmsg+0x4c/0x90
+ __arm64_sys_sendmsg+0x28/0x30
+ invoke_syscall.constprop.0+0x60/0x100
+ do_el0_svc+0x48/0xd0
+ el0_svc+0x14/0x50
+ el0t_64_sync_handler+0xa8/0xb0
+ el0t_64_sync+0x158/0x15c
+
+This rcu stall is hard to reproduce as is, but changing ATH_TXFIFO_DEPTH
+from 8 to 2 makes it reasonably easy to reproduce.
+
+Fixes: ca2848022c12 ("ath9k: Postpone key cache entry deletion for TXQ frames reference it")
+Signed-off-by: Remi Pommarel
+Tested-by: Nicolas Escande
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230609093744.1985-1-repk@triplefau.lt
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index ac354dfc50559..2bd4d295c9bdf 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -850,7 +850,7 @@ static bool ath9k_txq_list_has_key(struct list_head *txq_list, u32 keyix)
+ static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix)
+ {
+ struct ath_hw *ah = sc->sc_ah;
+- int i;
++ int i, j;
+ struct ath_txq *txq;
+ bool key_in_use = false;
+
+@@ -868,8 +868,9 @@ static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix)
+ if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
+ int idx = txq->txq_tailidx;
+
+- while (!key_in_use &&
+- !list_empty(&txq->txq_fifo[idx])) {
++ for (j = 0; !key_in_use &&
++ !list_empty(&txq->txq_fifo[idx]) &&
++ j < ATH_TXFIFO_DEPTH; j++) {
+ key_in_use = ath9k_txq_list_has_key(
+ &txq->txq_fifo[idx], keyix);
+ INCR(idx, ATH_TXFIFO_DEPTH);
+--
+2.39.2
+
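Review bot: The new bound in ath9k_txq_has_key() carries no comment, and the `for` header now spreads three unrelated exit conditions over three lines with `j < ATH_TXFIFO_DEPTH` last, so the reason for the counter is easy to miss. I would add `/* txq_fifo is a ring: if every slot is non-empty, list_empty() never ends the walk, so visit at most ATH_TXFIFO_DEPTH slots */` above the loop and move the bound to the front of the condition, `j < ATH_TXFIFO_DEPTH && !key_in_use &&`. The commit message says this loop runs under spin_lock_bh(), so the fixed iteration cap matters for how long the lock is held as well as for termination. The function continues outside the hunk.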
diff --git a/tmp-5.10/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch b/tmp-5.10/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch
new file mode 100644
index 00000000000..b089b0991e3
--- /dev/null
+++ b/tmp-5.10/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch
@@ -0,0 +1,59 @@ +From c112f917ef24a41fbbbd1267e0cb04c674789095 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 09:53:14 +0200 +Subject: wifi: atmel: Fix an error handling path in atmel_probe() + +From: Christophe JAILLET + +[ Upstream commit 6b92e4351a29af52c285fe235e6e4d1a75de04b2 ] + +Should atmel_config() fail, some resources need to be released as already +done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +atmel_probe(), not atmel_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1e65f174607a83348034197fa7d603bab10ba4a9.1684569156.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/atmel/atmel_cs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/atmel/atmel_cs.c b/drivers/net/wireless/atmel/atmel_cs.c +index 368eebefa741e..e64f108d288bb 100644 +--- a/drivers/net/wireless/atmel/atmel_cs.c ++++ b/drivers/net/wireless/atmel/atmel_cs.c +@@ -73,6 +73,7 @@ struct local_info { + static int atmel_probe(struct pcmcia_device *p_dev) + { + struct local_info *local; ++ int ret; + + dev_dbg(&p_dev->dev, "atmel_attach()\n"); + +@@ -83,8 +84,16 @@ static int atmel_probe(struct pcmcia_device *p_dev) + + p_dev->priv = local; + +- return atmel_config(p_dev); +-} /* atmel_attach */ ++ ret = atmel_config(p_dev); ++ if (ret) ++ goto err_free_priv; ++ ++ return 0; ++ ++err_free_priv: ++ kfree(p_dev->priv); ++ return ret; ++} + + static void atmel_detach(struct pcmcia_device *link) + { +-- +2.39.2 + diff --git a/tmp-5.10/wifi-cfg80211-rewrite-merging-of-inherited-elements.patch b/tmp-5.10/wifi-cfg80211-rewrite-merging-of-inherited-elements.patch new file mode 100644 index 00000000000..32735c47592 --- /dev/null 
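Review bot: The new `err_free_priv` path in atmel_probe() frees `p_dev->priv` but leaves the pointer in place, so the pcmcia_device keeps a dangling reference after a failed probe. Freeing through the local and clearing the field is tighter: `kfree(local);` then `p_dev->priv = NULL;`. Whether anything reads `priv` after a failed probe is not visible here, so treat this as hardening rather than a confirmed use-after-free. The same pattern appears in orinoco_cs_probe() and spectrum_cs_probe() later in this series, where `link->priv` still points at the object passed to `free_orinocodev()`. The allocation of `local` lies between the two inner hunks and is not shown.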
+++ b/tmp-5.10/wifi-cfg80211-rewrite-merging-of-inherited-elements.patch 
@@ -0,0 +1,290 @@ +From a76a968e19d26af3d7b8a654b158449e091829ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 09:54:03 +0300 +Subject: wifi: cfg80211: rewrite merging of inherited elements + +From: Benjamin Berg + +[ Upstream commit dfd9aa3e7a456d57b18021d66472ab7ff8373ab7 ] + +The cfg80211_gen_new_ie function merges the IEs using inheritance rules. +Rewrite this function to fix issues around inheritance rules. In +particular, vendor elements do not require any special handling, as they +are either all inherited or overridden by the subprofile. +Also, add fragmentation handling as this may be needed in some cases. + +This also changes the function to not require making a copy. The new +version could be optimized a bit by explicitly tracking which IEs have +been handled already rather than looking that up again every time. + +Note that a small behavioural change is the removal of the SSID special +handling. This should be fine for the MBSSID element, as the SSID must +be included in the subelement. 
+ +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Signed-off-by: Benjamin Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230616094949.bc6152e146db.I2b5f3bc45085e1901e5b5192a674436adaf94748@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 213 ++++++++++++++++++++++++++------------------ + 1 file changed, 124 insertions(+), 89 deletions(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index d09dabae56271..671c7f83d5fc3 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -262,117 +262,152 @@ bool cfg80211_is_element_inherited(const struct element *elem, + } + EXPORT_SYMBOL(cfg80211_is_element_inherited); + +-static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, +- const u8 *subelement, size_t subie_len, +- u8 *new_ie, gfp_t gfp) ++static size_t cfg80211_copy_elem_with_frags(const struct element *elem, ++ const u8 *ie, size_t ie_len, ++ u8 **pos, u8 *buf, size_t buf_len) + { +- u8 *pos, *tmp; +- const u8 *tmp_old, *tmp_new; +- const struct element *non_inherit_elem; +- u8 *sub_copy; ++ if (WARN_ON((u8 *)elem < ie || elem->data > ie + ie_len || ++ elem->data + elem->datalen > ie + ie_len)) ++ return 0; + +- /* copy subelement as we need to change its content to +- * mark an ie after it is processed. 
+- */ +- sub_copy = kmemdup(subelement, subie_len, gfp); +- if (!sub_copy) ++ if (elem->datalen + 2 > buf + buf_len - *pos) + return 0; + +- pos = &new_ie[0]; ++ memcpy(*pos, elem, elem->datalen + 2); ++ *pos += elem->datalen + 2; + +- /* set new ssid */ +- tmp_new = cfg80211_find_ie(WLAN_EID_SSID, sub_copy, subie_len); +- if (tmp_new) { +- memcpy(pos, tmp_new, tmp_new[1] + 2); +- pos += (tmp_new[1] + 2); ++ /* Finish if it is not fragmented */ ++ if (elem->datalen != 255) ++ return *pos - buf; ++ ++ ie_len = ie + ie_len - elem->data - elem->datalen; ++ ie = (const u8 *)elem->data + elem->datalen; ++ ++ for_each_element(elem, ie, ie_len) { ++ if (elem->id != WLAN_EID_FRAGMENT) ++ break; ++ ++ if (elem->datalen + 2 > buf + buf_len - *pos) ++ return 0; ++ ++ memcpy(*pos, elem, elem->datalen + 2); ++ *pos += elem->datalen + 2; ++ ++ if (elem->datalen != 255) ++ break; + } + +- /* get non inheritance list if exists */ +- non_inherit_elem = +- cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, +- sub_copy, subie_len); ++ return *pos - buf; ++} + +- /* go through IEs in ie (skip SSID) and subelement, +- * merge them into new_ie ++static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, ++ const u8 *subie, size_t subie_len, ++ u8 *new_ie, size_t new_ie_len) ++{ ++ const struct element *non_inherit_elem, *parent, *sub; ++ u8 *pos = new_ie; ++ u8 id, ext_id; ++ unsigned int match_len; ++ ++ non_inherit_elem = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, ++ subie, subie_len); ++ ++ /* We copy the elements one by one from the parent to the generated ++ * elements. ++ * If they are not inherited (included in subie or in the non ++ * inheritance element), then we copy all occurrences the first time ++ * we see this element type. + */ +- tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); +- tmp_old = (tmp_old) ? 
tmp_old + tmp_old[1] + 2 : ie; +- +- while (tmp_old + 2 - ie <= ielen && +- tmp_old + tmp_old[1] + 2 - ie <= ielen) { +- if (tmp_old[0] == 0) { +- tmp_old++; ++ for_each_element(parent, ie, ielen) { ++ if (parent->id == WLAN_EID_FRAGMENT) + continue; ++ ++ if (parent->id == WLAN_EID_EXTENSION) { ++ if (parent->datalen < 1) ++ continue; ++ ++ id = WLAN_EID_EXTENSION; ++ ext_id = parent->data[0]; ++ match_len = 1; ++ } else { ++ id = parent->id; ++ match_len = 0; + } + +- if (tmp_old[0] == WLAN_EID_EXTENSION) +- tmp = (u8 *)cfg80211_find_ext_ie(tmp_old[2], sub_copy, +- subie_len); +- else +- tmp = (u8 *)cfg80211_find_ie(tmp_old[0], sub_copy, +- subie_len); ++ /* Find first occurrence in subie */ ++ sub = cfg80211_find_elem_match(id, subie, subie_len, ++ &ext_id, match_len, 0); + +- if (!tmp) { +- const struct element *old_elem = (void *)tmp_old; ++ /* Copy from parent if not in subie and inherited */ ++ if (!sub && ++ cfg80211_is_element_inherited(parent, non_inherit_elem)) { ++ if (!cfg80211_copy_elem_with_frags(parent, ++ ie, ielen, ++ &pos, new_ie, ++ new_ie_len)) ++ return 0; + +- /* ie in old ie but not in subelement */ +- if (cfg80211_is_element_inherited(old_elem, +- non_inherit_elem)) { +- memcpy(pos, tmp_old, tmp_old[1] + 2); +- pos += tmp_old[1] + 2; +- } +- } else { +- /* ie in transmitting ie also in subelement, +- * copy from subelement and flag the ie in subelement +- * as copied (by setting eid field to WLAN_EID_SSID, +- * which is skipped anyway). +- * For vendor ie, compare OUI + type + subType to +- * determine if they are the same ie. 
+- */ +- if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) { +- if (tmp_old[1] >= 5 && tmp[1] >= 5 && +- !memcmp(tmp_old + 2, tmp + 2, 5)) { +- /* same vendor ie, copy from +- * subelement +- */ +- memcpy(pos, tmp, tmp[1] + 2); +- pos += tmp[1] + 2; +- tmp[0] = WLAN_EID_SSID; +- } else { +- memcpy(pos, tmp_old, tmp_old[1] + 2); +- pos += tmp_old[1] + 2; +- } +- } else { +- /* copy ie from subelement into new ie */ +- memcpy(pos, tmp, tmp[1] + 2); +- pos += tmp[1] + 2; +- tmp[0] = WLAN_EID_SSID; +- } ++ continue; + } + +- if (tmp_old + tmp_old[1] + 2 - ie == ielen) +- break; ++ /* Already copied if an earlier element had the same type */ ++ if (cfg80211_find_elem_match(id, ie, (u8 *)parent - ie, ++ &ext_id, match_len, 0)) ++ continue; + +- tmp_old += tmp_old[1] + 2; ++ /* Not inheriting, copy all similar elements from subie */ ++ while (sub) { ++ if (!cfg80211_copy_elem_with_frags(sub, ++ subie, subie_len, ++ &pos, new_ie, ++ new_ie_len)) ++ return 0; ++ ++ sub = cfg80211_find_elem_match(id, ++ sub->data + sub->datalen, ++ subie_len + subie - ++ (sub->data + ++ sub->datalen), ++ &ext_id, match_len, 0); ++ } + } + +- /* go through subelement again to check if there is any ie not +- * copied to new ie, skip ssid, capability, bssid-index ie ++ /* The above misses elements that are included in subie but not in the ++ * parent, so do a pass over subie and append those. ++ * Skip the non-tx BSSID caps and non-inheritance element. 
+ */ +- tmp_new = sub_copy; +- while (tmp_new + 2 - sub_copy <= subie_len && +- tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { +- if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP || +- tmp_new[0] == WLAN_EID_SSID)) { +- memcpy(pos, tmp_new, tmp_new[1] + 2); +- pos += tmp_new[1] + 2; ++ for_each_element(sub, subie, subie_len) { ++ if (sub->id == WLAN_EID_NON_TX_BSSID_CAP) ++ continue; ++ ++ if (sub->id == WLAN_EID_FRAGMENT) ++ continue; ++ ++ if (sub->id == WLAN_EID_EXTENSION) { ++ if (sub->datalen < 1) ++ continue; ++ ++ id = WLAN_EID_EXTENSION; ++ ext_id = sub->data[0]; ++ match_len = 1; ++ ++ if (ext_id == WLAN_EID_EXT_NON_INHERITANCE) ++ continue; ++ } else { ++ id = sub->id; ++ match_len = 0; + } +- if (tmp_new + tmp_new[1] + 2 - sub_copy == subie_len) +- break; +- tmp_new += tmp_new[1] + 2; ++ ++ /* Processed if one was included in the parent */ ++ if (cfg80211_find_elem_match(id, ie, ielen, ++ &ext_id, match_len, 0)) ++ continue; ++ ++ if (!cfg80211_copy_elem_with_frags(sub, subie, subie_len, ++ &pos, new_ie, new_ie_len)) ++ return 0; + } + +- kfree(sub_copy); + return pos - new_ie; + } + +@@ -2170,7 +2205,7 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy, + new_ie_len = cfg80211_gen_new_ie(ie, ielen, + profile, + profile_len, new_ie, +- gfp); ++ IEEE80211_MAX_DATA_LEN); + if (!new_ie_len) + continue; + +-- +2.39.2 + diff --git a/tmp-5.10/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch b/tmp-5.10/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch new file mode 100644 index 00000000000..990be131166 --- /dev/null +++ b/tmp-5.10/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch 
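Review bot: The output bound handed to cfg80211_gen_new_ie() at the call in cfg80211_parse_mbssid_data() is the literal `IEEE80211_MAX_DATA_LEN`, and nothing in the hunk ties it to the size `new_ie` was actually allocated with. Every length check in cfg80211_copy_elem_with_frags() (`elem->datalen + 2 > buf + buf_len - *pos`) trusts that value, so a later change to the allocation would silently defeat the new checks. The allocation is outside the hunk; if it uses the same constant, a comment at the call such as `/* must equal the size new_ie was allocated with */`, or a shared local, would make the coupling explicit. It would also help to document on cfg80211_copy_elem_with_frags() that the return value is the cumulative offset `*pos - buf`, with 0 reserved for failure.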
@@ -0,0 +1,47 @@ +From b227f04f18826febef34fe9ee8ddc24b52cbbdf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 13:04:02 +0300 +Subject: wifi: iwlwifi: mvm: avoid baid size integer overflow + +From: Johannes Berg + +[ Upstream commit 1a528ab1da324d078ec60283c34c17848580df24 ] + +Roee reported various hard-to-debug crashes with pings in +EHT aggregation scenarios. Enabling KASAN showed that we +access the BAID allocation out of bounds, and looking at +the code a bit shows that since the reorder buffer entry +(struct iwl_mvm_reorder_buf_entry) is 128 bytes if debug +such as lockdep is enabled, then staring from an agg size +512 we overflow the size calculation, and allocate a much +smaller structure than we should, causing slab corruption +once we initialize this. + +Fix this by simply using u32 instead of u16. + +Reported-by: Roee Goldfiner +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230620125813.f428c856030d.I2c2bb808e945adb71bc15f5b2bac2d8957ea90eb@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +index 09f870c48a4f6..141581fa74c82 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -2590,7 +2590,7 @@ int iwl_mvm_sta_rx_agg(struct iwl_mvm *mvm, struct ieee80211_sta *sta, + } + + if (iwl_mvm_has_new_rx_api(mvm) && start) { +- u16 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); ++ u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); + + /* sparse doesn't like the __align() so don't check */ + #ifndef __CHECKER__ +-- +2.39.2 + 
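Review bot: `u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]);` in iwl_mvm_sta_rx_agg() still picks the width by hand, so a product that involves a size_t operand is narrowed again on assignment. u32 is wide enough for the aggregation sizes the commit message describes, but declaring the variable `size_t`, or computing it with `array_size(buf_size, sizeof(baid_data->entries[0]))`, removes the truncation class instead of moving the limit. The type of `buf_size` and the later uses of `reorder_buf_size` are outside the hunk, so it is worth checking that any field the value is stored into is at least as wide.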
diff --git a/tmp-5.10/wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch b/tmp-5.10/wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch new file mode 100644 index 00000000000..0435eb6e7e4 --- /dev/null +++ b/tmp-5.10/wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch @@ -0,0 +1,47 @@ +From 4889d88d16da3749c2f55b09c4acd6365d49237a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 12:41:22 +0300 +Subject: wifi: iwlwifi: pull from TXQs with softirqs disabled + +From: Johannes Berg + +[ Upstream commit 96fb6f47db24a712d650b0a9b9074873f273fb0e ] + +In mac80211, it's required that we pull from TXQs by calling +ieee80211_tx_dequeue() only with softirqs disabled. However, +in iwl_mvm_queue_state_change() we're often called with them +enabled, e.g. from flush if anything was flushed, triggering +a mac80211 warning. + +Fix that by disabling the softirqs across the TX call. + +Fixes: cfbc6c4c5b91 ("iwlwifi: mvm: support mac80211 TXQs model") +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230614123446.0feef7fa81db.I4dd62542d955b40dd8f0af34fa4accb9d0d17c7e@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c +index 7c61d179895b3..5b173f21e87bf 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c +@@ -1174,8 +1174,11 @@ static void iwl_mvm_queue_state_change(struct iwl_op_mode *op_mode, + mvmtxq = iwl_mvm_txq_from_mac80211(txq); + mvmtxq->stopped = !start; + +- if (start && mvmsta->sta_state != IEEE80211_STA_NOTEXIST) ++ if (start && mvmsta->sta_state != IEEE80211_STA_NOTEXIST) { ++ local_bh_disable(); + iwl_mvm_mac_itxq_xmit(mvm->hw, txq); ++ local_bh_enable(); ++ } + } + + out: +-- +2.39.2 + 
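Review bot: The `local_bh_disable()`/`local_bh_enable()` pair added around `iwl_mvm_mac_itxq_xmit()` in iwl_mvm_queue_state_change() carries no comment, so the reason for it lives only in the commit message. A one-line comment above the pair, for example `/* mac80211 requires softirqs disabled when pulling from TXQs (ieee80211_tx_dequeue()) */`, would keep a later cleanup from dropping it as redundant. The start of the function and everything after the `out:` label are outside the hunk.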
diff --git a/tmp-5.10/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch b/tmp-5.10/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch
new file mode 100644
index 00000000000..882a5168b7a
--- /dev/null
+++ b/tmp-5.10/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch
@@ -0,0 +1,48 @@ +From 227e9a7967ceed7158ea464f193da3e1ea2aa24f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 May 2023 15:53:15 +0200 +Subject: wifi: mwifiex: Fix the size of a memory allocation in + mwifiex_ret_802_11_scan() + +From: Christophe JAILLET + +[ Upstream commit d9aef04fcfa81ee4fb2804a21a3712b7bbd936af ] + +The type of "mwifiex_adapter->nd_info" is "struct cfg80211_wowlan_nd_info", +not "struct cfg80211_wowlan_nd_match". + +Use struct_size() to ease the computation of the needed size. + +The current code over-allocates some memory, so is safe. +But it wastes 32 bytes. + +Fixes: 7d7f07d8c5d3 ("mwifiex: add wowlan net-detect support") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/7a6074fb056d2181e058a3cc6048d8155c20aec7.1683371982.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/scan.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c +index c2a685f63e959..78ef40e315b5c 100644 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -2200,9 +2200,9 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv, + + if (nd_config) { + adapter->nd_info = +- kzalloc(sizeof(struct cfg80211_wowlan_nd_match) + +- sizeof(struct cfg80211_wowlan_nd_match *) * +- scan_rsp->number_of_sets, GFP_ATOMIC); ++ kzalloc(struct_size(adapter->nd_info, matches, ++ scan_rsp->number_of_sets), ++ GFP_ATOMIC); + + if (adapter->nd_info) + adapter->nd_info->n_matches = scan_rsp->number_of_sets; +-- +2.39.2 + diff --git a/tmp-5.10/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch b/tmp-5.10/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch new file mode 100644 index 00000000000..82883ea4428 --- /dev/null 
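Review bot: `scan_rsp->number_of_sets` sizes the allocation and is then copied into `adapter->nd_info->n_matches`, and no upper bound on it is visible in this hunk. `struct_size()` saturates instead of wrapping, so the `kzalloc()` itself fails safely on an absurd count, but whatever later fills `matches[]` presumably relies on the same value. If the count is validated earlier in mwifiex_ret_802_11_scan() (outside the hunk), a short comment naming that check would help; otherwise, since the value appears to come from the scan response, a range check before the allocation is worth adding.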
+++ b/tmp-5.10/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch @@ -0,0 +1,58 @@ +From c84155721d34aafad0d34a01147f2c3955d5ec47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 09:38:22 +0200 +Subject: wifi: orinoco: Fix an error handling path in orinoco_cs_probe() + +From: Christophe JAILLET + +[ Upstream commit 67a81d911c01225f426cc6bee2373df044c1a9b7 ] + +Should orinoco_cs_config() fail, some resources need to be released as +already done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +orinoco_cs_probe(), not orinoco_cs_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/e24735ce4d82901d5f7ea08419eea53bfdde3d65.1684568286.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/orinoco/orinoco_cs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c +index a956f965a1e5e..03bfd2482656c 100644 +--- a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c ++++ b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c +@@ -96,6 +96,7 @@ orinoco_cs_probe(struct pcmcia_device *link) + { + struct orinoco_private *priv; + struct orinoco_pccard *card; ++ int ret; + + priv = alloc_orinocodev(sizeof(*card), &link->dev, + orinoco_cs_hard_reset, NULL); +@@ -107,8 +108,16 @@ orinoco_cs_probe(struct pcmcia_device *link) + card->p_dev = link; + link->priv = priv; + +- return orinoco_cs_config(link); +-} /* orinoco_cs_attach */ ++ ret = orinoco_cs_config(link); ++ if (ret) ++ goto err_free_orinocodev; ++ ++ return 0; ++ ++err_free_orinocodev: ++ free_orinocodev(priv); ++ return ret; ++} + + static void orinoco_cs_detach(struct pcmcia_device *link) + { +-- +2.39.2 + 
diff --git a/tmp-5.10/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch b/tmp-5.10/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch
new file mode 100644
index 00000000000..61e7646ec21
--- /dev/null
+++ b/tmp-5.10/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch
@@ -0,0 +1,59 @@ +From 7c51d475a1a0793b78e05705900dea03691e091f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 09:29:46 +0200 +Subject: wifi: orinoco: Fix an error handling path in spectrum_cs_probe() + +From: Christophe JAILLET + +[ Upstream commit 925244325159824385209e3e0e3f91fa6bf0646c ] + +Should spectrum_cs_config() fail, some resources need to be released as +already done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +spectrum_cs_probe(), not spectrum_cs_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/c0bc0c21c58ca477fc5521607615bafbf2aef8eb.1684567733.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/orinoco/spectrum_cs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c +index 291ef97ed45ec..841d623c621ac 100644 +--- a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c ++++ b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c +@@ -157,6 +157,7 @@ spectrum_cs_probe(struct pcmcia_device *link) + { + struct orinoco_private *priv; + struct orinoco_pccard *card; ++ int ret; + + priv = alloc_orinocodev(sizeof(*card), &link->dev, + spectrum_cs_hard_reset, +@@ -169,8 +170,16 @@ spectrum_cs_probe(struct pcmcia_device *link) + card->p_dev = link; + link->priv = priv; + +- return spectrum_cs_config(link); +-} /* spectrum_cs_attach */ ++ ret = spectrum_cs_config(link); ++ if (ret) ++ goto err_free_orinocodev; ++ ++ return 0; ++ ++err_free_orinocodev: ++ free_orinocodev(priv); ++ return ret; ++} + + static void spectrum_cs_detach(struct pcmcia_device *link) + { +-- +2.39.2 + 
diff --git a/tmp-5.10/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch b/tmp-5.10/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch new file mode 100644 index 00000000000..bb0fb895e17 --- /dev/null +++ b/tmp-5.10/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch @@ -0,0 +1,53 @@ +From 3b7b03dfb6a0876494093b5891c89d9964bbdd9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 19:44:14 +0300 +Subject: wifi: ray_cs: Drop useless status variable in parse_addr() + +From: Andy Shevchenko + +[ Upstream commit 4dfc63c002a555a2c3c34d89009532ad803be876 ] + +The status variable assigned only once and used also only once. +Replace it's usage by actual value. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220603164414.48436-2-andriy.shevchenko@linux.intel.com +Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ray_cs.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c +index 5dcd86f81cbf1..95d5ce1b6dfa0 100644 +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -1643,7 +1643,6 @@ static int parse_addr(char *in_str, UCHAR *out) + { + int i, k; + int len; +- int status; + + if (in_str == NULL) + return 0; +@@ -1652,7 +1651,6 @@ static int parse_addr(char *in_str, UCHAR *out) + return 0; + memset(out, 0, ADDRLEN); + +- status = 1; + i = 5; + + while (len > 0) { +@@ -1670,7 +1668,7 @@ static int parse_addr(char *in_str, UCHAR *out) + if (!i--) + break; + } +- return status; ++ return 1; + } + + /*===========================================================================*/ +-- +2.39.2 + diff --git a/tmp-5.10/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch b/tmp-5.10/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch new file mode 100644 index 00000000000..3631f04647a 
--- /dev/null
+++ b/tmp-5.10/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch
@@ -0,0 +1,69 @@ +From 75416f674d6b3feb81ca413013e0c2a08a4150bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 10:13:22 +0200 +Subject: wifi: ray_cs: Fix an error handling path in ray_probe() + +From: Christophe JAILLET + +[ Upstream commit 4f8d66a9fb2edcd05c1e563456a55a08910bfb37 ] + +Should ray_config() fail, some resources need to be released as already +done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +ray_probe(), not ray_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/8c544d18084f8b37dd108e844f7e79e85ff708ff.1684570373.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ray_cs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c +index 95d5ce1b6dfa0..bf1282702761f 100644 +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -270,13 +270,14 @@ static int ray_probe(struct pcmcia_device *p_dev) + { + ray_dev_t *local; + struct net_device *dev; ++ int ret; + + dev_dbg(&p_dev->dev, "ray_attach()\n"); + + /* Allocate space for private device-specific data */ + dev = alloc_etherdev(sizeof(ray_dev_t)); + if (!dev) +- goto fail_alloc_dev; ++ return -ENOMEM; + + local = netdev_priv(dev); + local->finder = p_dev; +@@ -313,11 +314,16 @@ static int ray_probe(struct pcmcia_device *p_dev) + timer_setup(&local->timer, NULL, 0); + + this_device = p_dev; +- return ray_config(p_dev); ++ ret = ray_config(p_dev); ++ if (ret) ++ goto err_free_dev; ++ ++ return 0; + +-fail_alloc_dev: +- return -ENOMEM; +-} /* ray_attach */ ++err_free_dev: ++ free_netdev(dev); ++ return ret; ++} + + static void ray_detach(struct pcmcia_device *link) + { +-- +2.39.2 + 
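Review bot: The new `err_free_dev` path in ray_probe() frees `dev` but leaves the non-local `this_device` set to `p_dev`, which is assigned just before the `ray_config()` call. If other code in ray_cs.c reaches the net_device through `this_device` (not visible in this hunk), it would then touch freed memory after a failed probe. Resetting it in the error path, `this_device = NULL;` before `free_netdev(dev);`, closes that window. The commit message says the cleanup mirrors the remove function, which is not shown, so it is worth checking whether that function clears `this_device` as well.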
diff --git a/tmp-5.10/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch b/tmp-5.10/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch
new file mode 100644
index 00000000000..341053fa451
--- /dev/null
+++ b/tmp-5.10/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch
@@ -0,0 +1,67 @@ +From ca7d3754e4c9c0985830cf1292d19258a9eeac7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 19:44:13 +0300 +Subject: wifi: ray_cs: Utilize strnlen() in parse_addr() + +From: Andy Shevchenko + +[ Upstream commit 9e8e9187673cb24324f9165dd47b2b28f60b0b10 ] + +Instead of doing simple operations and using an additional variable on stack, +utilize strnlen() and reuse len variable. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220603164414.48436-1-andriy.shevchenko@linux.intel.com +Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ray_cs.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c +index 091eea0d958d1..5dcd86f81cbf1 100644 +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -1641,31 +1641,29 @@ static void authenticate_timeout(struct timer_list *t) + /*===========================================================================*/ + static int parse_addr(char *in_str, UCHAR *out) + { ++ int i, k; + int len; +- int i, j, k; + int status; + + if (in_str == NULL) + return 0; +- if ((len = strlen(in_str)) < 2) ++ len = strnlen(in_str, ADDRLEN * 2 + 1) - 1; ++ if (len < 1) + return 0; + memset(out, 0, ADDRLEN); + + status = 1; +- j = len - 1; +- if (j > 12) +- j = 12; + i = 5; + +- while (j > 0) { +- if ((k = hex_to_bin(in_str[j--])) != -1) ++ while (len > 0) { ++ if ((k = hex_to_bin(in_str[len--])) != -1) + out[i] = k; + else + return 0; + +- if (j == 0) ++ if (len == 0) + break; +- if ((k = hex_to_bin(in_str[j--])) != -1) ++ if ((k = hex_to_bin(in_str[len--])) != -1) + out[i] += k << 4; + else + return 0; +-- +2.39.2 + 
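Review bot: `len = strnlen(in_str, ADDRLEN * 2 + 1) - 1;` in parse_addr() subtracts from an unsigned size_t before storing into the int `len`, so an empty string only reaches the `len < 1` rejection through wrap-around and a narrowing conversion. Checking first keeps the arithmetic in range: `len = strnlen(in_str, ADDRLEN * 2 + 1);`, `if (len < 2) return 0;`, `len--;`. As far as the visible lines show the result is the same for every input. The tail of the loop and the return are outside the hunk.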
diff --git a/tmp-5.10/wifi-rsi-do-not-configure-wowlan-in-shutdown-hook-if.patch b/tmp-5.10/wifi-rsi-do-not-configure-wowlan-in-shutdown-hook-if.patch
new file mode 100644
index 00000000000..55554b10c97
--- /dev/null
+++ b/tmp-5.10/wifi-rsi-do-not-configure-wowlan-in-shutdown-hook-if.patch
@@ -0,0 +1,52 @@ +From 920fbffad648582276372819dc70c810566d03f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 May 2023 00:28:33 +0200 +Subject: wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled + +From: Marek Vasut + +[ Upstream commit b241e260820b68c09586e8a0ae0fc23c0e3215bd ] + +In case WoWlan was never configured during the operation of the system, +the hw->wiphy->wowlan_config will be NULL. rsi_config_wowlan() checks +whether wowlan_config is non-NULL and if it is not, then WARNs about it. +The warning is valid, as during normal operation the rsi_config_wowlan() +should only ever be called with non-NULL wowlan_config. In shutdown this +rsi_config_wowlan() should only ever be called if WoWlan was configured +before by the user. + +Add checks for non-NULL wowlan_config into the shutdown hook. While at it, +check whether the wiphy is also non-NULL before accessing wowlan_config . +Drop the single-use wowlan_config variable, just inline it into function +call. 
+ +Fixes: 16bbc3eb8372 ("rsi: fix null pointer dereference during rsi_shutdown()") +Signed-off-by: Marek Vasut +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230527222833.273741-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rsi/rsi_91x_sdio.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio.c b/drivers/net/wireless/rsi/rsi_91x_sdio.c +index 8108f941ccd3f..2c26376faeacc 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c ++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c +@@ -1463,10 +1463,8 @@ static void rsi_shutdown(struct device *dev) + + rsi_dbg(ERR_ZONE, "SDIO Bus shutdown =====>\n"); + +- if (hw) { +- struct cfg80211_wowlan *wowlan = hw->wiphy->wowlan_config; +- +- if (rsi_config_wowlan(adapter, wowlan)) ++ if (hw && hw->wiphy && hw->wiphy->wowlan_config) { ++ if (rsi_config_wowlan(adapter, hw->wiphy->wowlan_config)) + rsi_dbg(ERR_ZONE, "Failed to configure WoWLAN\n"); + } + +-- +2.39.2 + diff --git a/tmp-5.10/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch b/tmp-5.10/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch new file mode 100644 index 00000000000..967fe11a43d --- /dev/null +++ b/tmp-5.10/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch 
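Review bot: The rewritten condition in rsi_shutdown() reads `hw->wiphy->wowlan_config` twice, once for the NULL test and again as the argument to `rsi_config_wowlan()`, where the removed code read it once into a local. If that pointer can be cleared or replaced while shutdown runs (not determinable from this hunk), the check and the use can disagree. Keeping a local preserves the single read: `struct cfg80211_wowlan *wowlan = (hw && hw->wiphy) ? hw->wiphy->wowlan_config : NULL;` followed by `if (wowlan && rsi_config_wowlan(adapter, wowlan))`. The lines that obtain `hw` and `adapter` are outside the hunk.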
@@ -0,0 +1,41 @@ +From 3abe9358cfab8364f6a71648b31de53a33f61500 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 May 2023 00:28:59 +0200 +Subject: wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown + +From: Marek Vasut + +[ Upstream commit e74f562328b03fbe9cf438f958464dff3a644dfc ] + +It makes no sense to set MMC_PM_KEEP_POWER in shutdown. The flag +indicates to the MMC subsystem to keep the slot powered on during +suspend, but in shutdown the slot should actually be powered off. +Drop this call. + +Fixes: 063848c3e155 ("rsi: sdio: Add WOWLAN support for S5 shutdown state") +Signed-off-by: Marek Vasut +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230527222859.273768-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rsi/rsi_91x_sdio.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio.c b/drivers/net/wireless/rsi/rsi_91x_sdio.c +index 2c26376faeacc..b1d3aea10d7df 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c ++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c +@@ -1479,9 +1479,6 @@ static void rsi_shutdown(struct device *dev) + if (sdev->write_fail) + rsi_dbg(INFO_ZONE, "###### Device is not ready #######\n"); + +- if (rsi_set_sdio_pm_caps(adapter)) +- rsi_dbg(INFO_ZONE, "Setting power management caps failed\n"); +- + rsi_dbg(INFO_ZONE, "***** RSI module shut down *****\n"); + } + +-- +2.39.2 + diff --git a/tmp-5.10/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch b/tmp-5.10/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch new file mode 100644 index 00000000000..fcd95c5c924 --- /dev/null +++ b/tmp-5.10/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch 
@@ -0,0 +1,71 @@ +From 448ba391d938b5debce6420f1dd1363b203dd19a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 12:04:07 -0600 +Subject: wifi: wext-core: Fix -Wstringop-overflow warning in + ioctl_standard_iw_point() + +From: Gustavo A. R. Silva + +[ Upstream commit 71e7552c90db2a2767f5c17c7ec72296b0d92061 ] + +-Wstringop-overflow is legitimately warning us about extra_size +pontentially being zero at some point, hence potenially ending +up _allocating_ zero bytes of memory for extra pointer and then +trying to access such object in a call to copy_from_user(). + +Fix this by adding a sanity check to ensure we never end up +trying to allocate zero bytes of data for extra pointer, before +continue executing the rest of the code in the function. + +Address the following -Wstringop-overflow warning seen when built +m68k architecture with allyesconfig configuration: + from net/wireless/wext-core.c:11: +In function '_copy_from_user', + inlined from 'copy_from_user' at include/linux/uaccess.h:183:7, + inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7: +arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=] + 48 | #define memset(d, c, n) __builtin_memset(d, c, n) + | ^~~~~~~~~~~~~~~~~~~~~~~~~ +include/linux/uaccess.h:153:17: note: in expansion of macro 'memset' + 153 | memset(to + (n - res), 0, res); + | ^~~~~~ +In function 'kmalloc', + inlined from 'kzalloc' at include/linux/slab.h:694:9, + inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10: +include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc' + 577 | return __kmalloc(size, flags); + | ^~~~~~~~~~~~~~~~~~~~~~ + +This help with the ongoing efforts to globally enable +-Wstringop-overflow. + +Link: https://github.com/KSPP/linux/issues/315 +Signed-off-by: Gustavo A. R. 
Silva +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/ZItSlzvIpjdjNfd8@work +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/wext-core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c +index 76a80a41615be..a57f54bc0e1a7 100644 +--- a/net/wireless/wext-core.c ++++ b/net/wireless/wext-core.c +@@ -796,6 +796,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, + } + } + ++ /* Sanity-check to ensure we never end up _allocating_ zero ++ * bytes of data for extra. ++ */ ++ if (extra_size <= 0) ++ return -EFAULT; ++ + /* kzalloc() ensures NULL-termination for essid_compat. */ + extra = kzalloc(extra_size, GFP_KERNEL); + if (!extra) +-- +2.39.2 + diff --git a/tmp-5.10/wifi-wilc1000-fix-for-absent-rsn-capabilities-wfa-te.patch b/tmp-5.10/wifi-wilc1000-fix-for-absent-rsn-capabilities-wfa-te.patch new file mode 100644 index 00000000000..f65aec80f29 --- /dev/null +++ b/tmp-5.10/wifi-wilc1000-fix-for-absent-rsn-capabilities-wfa-te.patch 
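Review bot: The comment added in ioctl_standard_iw_point() mentions only a zero-byte allocation, but the condition `extra_size <= 0` also rejects negative values. A negative value would mean the size computation earlier in the function, which is outside this hunk, produced something unexpected. Saying so in the comment would tell the next reader that the negative case is deliberate, for example `/* extra_size is signed: reject zero and any negative result of the size computation before it reaches kzalloc() and copy_from_user(). */`. The choice of `-EFAULT` for a size problem rather than a bad user pointer may also deserve a word in that comment, since callers cannot tell the two apart.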
@@ -0,0 +1,55 @@ +From 3ea91bead1d28599a2f84d59f42573dff97e738c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Apr 2023 18:10:20 +0000 +Subject: wifi: wilc1000: fix for absent RSN capabilities WFA testcase + +From: Amisha Patel + +[ Upstream commit 9ce4bb09123e9754996e358bd808d39f5d112899 ] + +Mandatory WFA testcase +CT_Security_WPA2Personal_STA_RSNEBoundsVerification-AbsentRSNCap, +performs bounds verfication on Beacon and/or Probe response frames. It +failed and observed the reason to be absence of cipher suite and AKM +suite in RSN information. To fix this, enable the RSN flag before extracting RSN +capabilities. + +Fixes: cd21d99e595e ("wifi: wilc1000: validate pairwise and authentication suite offsets") +Signed-off-by: Amisha Patel +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230421181005.4865-1-amisha.patel@microchip.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/microchip/wilc1000/hif.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/microchip/wilc1000/hif.c b/drivers/net/wireless/microchip/wilc1000/hif.c +index b25847799138b..884f45e627a72 100644 +--- a/drivers/net/wireless/microchip/wilc1000/hif.c ++++ b/drivers/net/wireless/microchip/wilc1000/hif.c +@@ -470,6 +470,9 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, + int rsn_ie_len = sizeof(struct element) + rsn_ie[1]; + int offset = 8; + ++ param->mode_802_11i = 2; ++ param->rsn_found = true; ++ + /* extract RSN capabilities */ + if (offset < rsn_ie_len) { + /* skip over pairwise suites */ +@@ -479,11 +482,8 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, + /* skip over authentication suites */ + offset += (rsn_ie[offset] * 4) + 2; + +- if (offset + 1 < rsn_ie_len) { +- param->mode_802_11i = 2; +- param->rsn_found = true; ++ if (offset + 1 < rsn_ie_len) + memcpy(param->rsn_cap, &rsn_ie[offset], 2); +- } + } + } + } +-- +2.39.2 + 
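Review bot: In wilc_parse_join_bss_param(), `param->rsn_found = true` and `param->mode_802_11i = 2` are now set before any of the length checks. An RSN element too short to reach `if (offset + 1 < rsn_ie_len)` is therefore reported as found while `param->rsn_cap` is never written. The element comes from Beacon/Probe Response frames, so its length is not under the driver's control. What `rsn_cap` holds in that case depends on how `param` is allocated, which is outside both hunks and should be confirmed. A comment at the assignment would record the intent, for example `/* RSN IE present: mark it found even if capabilities are absent; rsn_cap then keeps its initial value */`. If the allocation is not zeroing, an explicit `memset(param->rsn_cap, 0, 2);` is needed before the parse.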
diff --git a/tmp-5.10/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch b/tmp-5.10/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch new file mode 100644 index 00000000000..56d6a1233d6 --- /dev/null +++ b/tmp-5.10/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch 
@@ -0,0 +1,66 @@ +From 1fe07891104600cf4221ecd2c760ecba4a6db7d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 10:05:08 +0200 +Subject: wifi: wl3501_cs: Fix an error handling path in wl3501_probe() + +From: Christophe JAILLET + +[ Upstream commit 391af06a02e7642039ac5f6c4b2c034ab0992b5d ] + +Should wl3501_config() fail, some resources need to be released as already +done in the remove function. + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/7cc9c9316489b7d69b36aeb0edd3123538500b41.1684569865.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index 7fb2f95134760..c45c4b7cbbaf1 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1862,6 +1862,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev) + { + struct net_device *dev; + struct wl3501_card *this; ++ int ret; + + /* The io structure describes IO port mapping */ + p_dev->resource[0]->end = 16; +@@ -1873,8 +1874,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev) + + dev = alloc_etherdev(sizeof(struct wl3501_card)); + if (!dev) +- goto out_link; +- ++ return -ENOMEM; + + dev->netdev_ops = &wl3501_netdev_ops; + dev->watchdog_timeo = 5 * HZ; +@@ -1887,9 +1887,15 @@ static int wl3501_probe(struct pcmcia_device *p_dev) + netif_stop_queue(dev); + p_dev->priv = dev; + +- return wl3501_config(p_dev); +-out_link: +- return -ENOMEM; ++ ret = wl3501_config(p_dev); ++ if (ret) ++ goto out_free_etherdev; ++ ++ return 0; ++ ++out_free_etherdev: ++ free_netdev(dev); ++ return ret; + } + + static int wl3501_config(struct pcmcia_device *link) +-- +2.39.2 + 
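Review bot: On the new `out_free_etherdev` path in wl3501_probe(), `free_netdev(dev)` runs while `p_dev->priv` still holds the pointer stored a few lines earlier by `p_dev->priv = dev;`. If anything can read `priv` after a failed probe, it would see freed memory; no such reader is visible in this hunk. Clearing the field first keeps the failure path self-contained: `p_dev->priv = NULL;` immediately before `free_netdev(dev);`. The patch description says wl3501_config() failure needs the same cleanup as the remove function, so it is worth confirming that remove releases nothing beyond the netdev that this path misses.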
diff --git a/tmp-5.10/wireguard-netlink-send-staged-packets-when-setting-initial-private-key.patch b/tmp-5.10/wireguard-netlink-send-staged-packets-when-setting-initial-private-key.patch new file mode 100644 index 00000000000..160e7f5bbab --- /dev/null +++ b/tmp-5.10/wireguard-netlink-send-staged-packets-when-setting-initial-private-key.patch 
@@ -0,0 +1,118 @@ +From f58d0a9b4c6a7a5199c3af967e43cc8b654604d4 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Mon, 3 Jul 2023 03:27:05 +0200 +Subject: wireguard: netlink: send staged packets when setting initial private key + +From: Jason A. Donenfeld + +commit f58d0a9b4c6a7a5199c3af967e43cc8b654604d4 upstream. + +Packets bound for peers can queue up prior to the device private key +being set. For example, if persistent keepalive is set, a packet is +queued up to be sent as soon as the device comes up. However, if the +private key hasn't been set yet, the handshake message never sends, and +no timer is armed to retry, since that would be pointless. + +But, if a user later sets a private key, the expectation is that those +queued packets, such as a persistent keepalive, are actually sent. So +adjust the configuration logic to account for this edge case, and add a +test case to make sure this works. + +Maxim noticed this with a wg-quick(8) config to the tune of: + + [Interface] + PostUp = wg set %i private-key somefile + + [Peer] + PublicKey = ... + Endpoint = ... + PersistentKeepalive = 25 + +Here, the private key gets set after the device comes up using a PostUp +script, triggering the bug. + +Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") +Cc: stable@vger.kernel.org +Reported-by: Maxim Cournoyer +Tested-by: Maxim Cournoyer +Link: https://lore.kernel.org/wireguard/87fs7xtqrv.fsf@gmail.com/ +Signed-off-by: Jason A. Donenfeld +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireguard/netlink.c | 14 ++++++++----- + tools/testing/selftests/wireguard/netns.sh | 30 +++++++++++++++++++++++++---- + 2 files changed, 35 insertions(+), 9 deletions(-) + +--- a/drivers/net/wireguard/netlink.c ++++ b/drivers/net/wireguard/netlink.c +@@ -546,6 +546,7 @@ static int wg_set_device(struct sk_buff + u8 *private_key = nla_data(info->attrs[WGDEVICE_A_PRIVATE_KEY]); + u8 public_key[NOISE_PUBLIC_KEY_LEN]; + struct wg_peer *peer, *temp; ++ bool send_staged_packets; + + if (!crypto_memneq(wg->static_identity.static_private, + private_key, NOISE_PUBLIC_KEY_LEN)) +@@ -564,14 +565,17 @@ static int wg_set_device(struct sk_buff + } + + down_write(&wg->static_identity.lock); +- wg_noise_set_static_identity_private_key(&wg->static_identity, +- private_key); +- list_for_each_entry_safe(peer, temp, &wg->peer_list, +- peer_list) { ++ send_staged_packets = !wg->static_identity.has_identity && netif_running(wg->dev); ++ wg_noise_set_static_identity_private_key(&wg->static_identity, private_key); ++ send_staged_packets = send_staged_packets && wg->static_identity.has_identity; ++ ++ wg_cookie_checker_precompute_device_keys(&wg->cookie_checker); ++ list_for_each_entry_safe(peer, temp, &wg->peer_list, peer_list) { + wg_noise_precompute_static_static(peer); + wg_noise_expire_current_peer_keypairs(peer); ++ if (send_staged_packets) ++ wg_packet_send_staged_packets(peer); + } +- wg_cookie_checker_precompute_device_keys(&wg->cookie_checker); + up_write(&wg->static_identity.lock); + } + skip_set_private_key: +--- a/tools/testing/selftests/wireguard/netns.sh ++++ b/tools/testing/selftests/wireguard/netns.sh +@@ -502,10 +502,32 @@ n2 bash -c 'printf 0 > /proc/sys/net/ipv + n1 ping -W 1 -c 1 192.168.241.2 + [[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.3:1" ]] + +-ip1 link del veth1 +-ip1 link del veth3 +-ip1 link del wg0 +-ip2 link del wg0 ++ip1 link del dev veth3 ++ip1 link del dev wg0 ++ip2 link del dev wg0 ++ ++# 
Make sure persistent keep alives are sent when an adapter comes up ++ip1 link add dev wg0 type wireguard ++n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1 ++read _ _ tx_bytes < <(n1 wg show wg0 transfer) ++[[ $tx_bytes -eq 0 ]] ++ip1 link set dev wg0 up ++read _ _ tx_bytes < <(n1 wg show wg0 transfer) ++[[ $tx_bytes -gt 0 ]] ++ip1 link del dev wg0 ++# This should also happen even if the private key is set later ++ip1 link add dev wg0 type wireguard ++n1 wg set wg0 peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1 ++read _ _ tx_bytes < <(n1 wg show wg0 transfer) ++[[ $tx_bytes -eq 0 ]] ++ip1 link set dev wg0 up ++read _ _ tx_bytes < <(n1 wg show wg0 transfer) ++[[ $tx_bytes -eq 0 ]] ++n1 wg set wg0 private-key <(echo "$key1") ++read _ _ tx_bytes < <(n1 wg show wg0 transfer) ++[[ $tx_bytes -gt 0 ]] ++ip1 link del dev veth1 ++ip1 link del dev wg0 + + # We test that Netlink/IPC is working properly by doing things that usually cause split responses + ip0 link add dev wg0 type wireguard diff --git a/tmp-5.10/wireguard-queueing-use-saner-cpu-selection-wrapping.patch b/tmp-5.10/wireguard-queueing-use-saner-cpu-selection-wrapping.patch new file mode 100644 index 00000000000..ef84e36881a --- /dev/null +++ b/tmp-5.10/wireguard-queueing-use-saner-cpu-selection-wrapping.patch 
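Review bot: The two-step computation of `send_staged_packets` in wg_set_device() has no comment, and the reason for sampling `has_identity` both before and after wg_noise_set_static_identity_private_key() is not obvious from the code alone. A short comment above the first assignment would carry the reasoning from the commit message, for example `/* Flush staged packets only on the transition from no identity to a valid one while the interface is running. */`. The first assignment also runs well past the line length used by the surrounding code and could be wrapped after `&&`. Note that wg_packet_send_staged_packets() is now called inside the `down_write(&wg->static_identity.lock)` section; the function body is outside the hunk, so it should be checked that the send path does not take that lock for reading synchronously.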
@@ -0,0 +1,111 @@ +From 7387943fa35516f6f8017a3b0e9ce48a3bef9faa Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Mon, 3 Jul 2023 03:27:04 +0200 +Subject: wireguard: queueing: use saner cpu selection wrapping + +From: Jason A. Donenfeld + +commit 7387943fa35516f6f8017a3b0e9ce48a3bef9faa upstream. + +Using `% nr_cpumask_bits` is slow and complicated, and not totally +robust toward dynamic changes to CPU topologies. Rather than storing the +next CPU in the round-robin, just store the last one, and also return +that value. This simplifies the loop drastically into a much more common +pattern. + +Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") +Cc: stable@vger.kernel.org +Reported-by: Linus Torvalds +Tested-by: Manuel Leiner +Signed-off-by: Jason A. Donenfeld +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireguard/queueing.c | 1 + + drivers/net/wireguard/queueing.h | 25 +++++++++++-------------- + drivers/net/wireguard/receive.c | 2 +- + drivers/net/wireguard/send.c | 2 +- + 4 files changed, 14 insertions(+), 16 deletions(-) + +--- a/drivers/net/wireguard/queueing.c ++++ b/drivers/net/wireguard/queueing.c +@@ -28,6 +28,7 @@ int wg_packet_queue_init(struct crypt_qu + int ret; + + memset(queue, 0, sizeof(*queue)); ++ queue->last_cpu = -1; + ret = ptr_ring_init(&queue->ring, len, GFP_KERNEL); + if (ret) + return ret; +--- a/drivers/net/wireguard/queueing.h ++++ b/drivers/net/wireguard/queueing.h +@@ -119,20 +119,17 @@ static inline int wg_cpumask_choose_onli + return cpu; + } + +-/* This function is racy, in the sense that next is unlocked, so it could return +- * the same CPU twice. A race-free version of this would be to instead store an +- * atomic sequence number, do an increment-and-return, and then iterate through +- * every possible CPU until we get to that index -- choose_cpu. 
However that's +- * a bit slower, and it doesn't seem like this potential race actually +- * introduces any performance loss, so we live with it. ++/* This function is racy, in the sense that it's called while last_cpu is ++ * unlocked, so it could return the same CPU twice. Adding locking or using ++ * atomic sequence numbers is slower though, and the consequences of racing are ++ * harmless, so live with it. + */ +-static inline int wg_cpumask_next_online(int *next) ++static inline int wg_cpumask_next_online(int *last_cpu) + { +- int cpu = *next; +- +- while (unlikely(!cpumask_test_cpu(cpu, cpu_online_mask))) +- cpu = cpumask_next(cpu, cpu_online_mask) % nr_cpumask_bits; +- *next = cpumask_next(cpu, cpu_online_mask) % nr_cpumask_bits; ++ int cpu = cpumask_next(*last_cpu, cpu_online_mask); ++ if (cpu >= nr_cpu_ids) ++ cpu = cpumask_first(cpu_online_mask); ++ *last_cpu = cpu; + return cpu; + } + +@@ -161,7 +158,7 @@ static inline void wg_prev_queue_drop_pe + + static inline int wg_queue_enqueue_per_device_and_peer( + struct crypt_queue *device_queue, struct prev_queue *peer_queue, +- struct sk_buff *skb, struct workqueue_struct *wq, int *next_cpu) ++ struct sk_buff *skb, struct workqueue_struct *wq) + { + int cpu; + +@@ -175,7 +172,7 @@ static inline int wg_queue_enqueue_per_d + /* Then we queue it up in the device queue, which consumes the + * packet as soon as it can. 
+ */ +- cpu = wg_cpumask_next_online(next_cpu); ++ cpu = wg_cpumask_next_online(&device_queue->last_cpu); + if (unlikely(ptr_ring_produce_bh(&device_queue->ring, skb))) + return -EPIPE; + queue_work_on(cpu, wq, &per_cpu_ptr(device_queue->worker, cpu)->work); +--- a/drivers/net/wireguard/receive.c ++++ b/drivers/net/wireguard/receive.c +@@ -531,7 +531,7 @@ static void wg_packet_consume_data(struc + goto err; + + ret = wg_queue_enqueue_per_device_and_peer(&wg->decrypt_queue, &peer->rx_queue, skb, +- wg->packet_crypt_wq, &wg->decrypt_queue.last_cpu); ++ wg->packet_crypt_wq); + if (unlikely(ret == -EPIPE)) + wg_queue_enqueue_per_peer_rx(skb, PACKET_STATE_DEAD); + if (likely(!ret || ret == -EPIPE)) { +--- a/drivers/net/wireguard/send.c ++++ b/drivers/net/wireguard/send.c +@@ -318,7 +318,7 @@ static void wg_packet_create_data(struct + goto err; + + ret = wg_queue_enqueue_per_device_and_peer(&wg->encrypt_queue, &peer->tx_queue, first, +- wg->packet_crypt_wq, &wg->encrypt_queue.last_cpu); ++ wg->packet_crypt_wq); + if (unlikely(ret == -EPIPE)) + wg_queue_enqueue_per_peer_tx(first, PACKET_STATE_DEAD); + err: diff --git a/tmp-5.10/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch b/tmp-5.10/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch new file mode 100644 index 00000000000..15324730d07 --- /dev/null +++ b/tmp-5.10/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch 
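Review bot: wg_cpumask_next_online() reads and writes `*last_cpu` with plain accesses, although the comment above it states that the race is intentional. Marking the accesses makes that intent visible to the compiler and to KCSAN, and stops the value from being reloaded between the read and the store: `int cpu = cpumask_next(READ_ONCE(*last_cpu), cpu_online_mask);` and `WRITE_ONCE(*last_cpu, cpu);`. The function also lacks the blank line between the declaration and the first statement that the rest of the file uses. Finally, `queue->last_cpu = -1` in wg_packet_queue_init() relies on cpumask_next() accepting -1 as "start from the first CPU"; a brief comment there would say so.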
@@ -0,0 +1,64 @@ +From 8c38d9461b6c3569ba36559e3bfa282feb183637 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 11:23:53 +0000 +Subject: wl3501_cs: Fix misspelling and provide missing documentation + +From: Lee Jones + +[ Upstream commit 8b8a6f8c3b50193d161c598a6784e721128d6dc3 ] + +Fixes the following W=1 kernel build warning(s): + + In file included from drivers/net/wireless/wl3501_cs.c:57: + drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:143: warning: Excess function parameter 'reg_comain' description in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt' + +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: Fox Chen +Cc: de Melo +Cc: Gustavo Niemeyer +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20201102112410.1049272-25-lee.jones@linaro.org +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index ccf6344ed6fd2..cb71b73853f4e 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -134,7 +134,7 @@ static const struct { + + /** + * iw_valid_channel - validate channel in regulatory domain +- * @reg_comain: regulatory domain ++ * @reg_domain: regulatory domain + * @channel: channel to validate + * + * Returns 0 if invalid in the specified regulatory domain, non-zero if valid. 
+@@ -458,11 +458,9 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend) + /** + * wl3501_send_pkt - Send a packet. + * @this: Card +- * +- * Send a packet. +- * +- * data = Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr, ++ * @data: Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr, + * data[6] - data[11] is Src MAC Addr) ++ * @len: Packet length + * Ref: IEEE 802.11 + */ + static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len) +-- +2.39.2 + diff --git a/tmp-5.10/wl3501_cs-use-eth_hw_addr_set.patch b/tmp-5.10/wl3501_cs-use-eth_hw_addr_set.patch new file mode 100644 index 00000000000..650be48d2bb --- /dev/null +++ b/tmp-5.10/wl3501_cs-use-eth_hw_addr_set.patch 
@@ -0,0 +1,40 @@ +From 17db231bc4b0d2147547b3c448f5370e55bf7ad7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 16:50:20 -0700 +Subject: wl3501_cs: use eth_hw_addr_set() + +From: Jakub Kicinski + +[ Upstream commit 18774612246d036c04ce9fee7f67192f96f48725 ] + +Commit 406f42fa0d3c ("net-next: When a bond have a massive amount +of VLANs...") introduced a rbtree for faster Ethernet address look +up. To maintain netdev->dev_addr in this tree we need to make all +the writes to it got through appropriate helpers. + +Signed-off-by: Jakub Kicinski +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211018235021.1279697-15-kuba@kernel.org +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index cb71b73853f4e..7351a2c127adc 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1945,8 +1945,7 @@ static int wl3501_config(struct pcmcia_device *link) + goto failed; + } + +- for (i = 0; i < 6; i++) +- dev->dev_addr[i] = ((char *)&this->mac_addr)[i]; ++ eth_hw_addr_set(dev, this->mac_addr); + + /* print probe information */ + printk(KERN_INFO "%s: wl3501 @ 0x%3.3x, IRQ %d, " +-- +2.39.2 + diff --git a/tmp-5.10/workqueue-clean-up-work_-constant-types-clarify-masking.patch b/tmp-5.10/workqueue-clean-up-work_-constant-types-clarify-masking.patch new file mode 100644 index 00000000000..eb8390626ec --- /dev/null +++ b/tmp-5.10/workqueue-clean-up-work_-constant-types-clarify-masking.patch 
@@ -0,0 +1,140 @@ +From afa4bb778e48d79e4a642ed41e3b4e0de7489a6c Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Fri, 23 Jun 2023 12:08:14 -0700 +Subject: workqueue: clean up WORK_* constant types, clarify masking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +commit afa4bb778e48d79e4a642ed41e3b4e0de7489a6c upstream. + +Dave Airlie reports that gcc-13.1.1 has started complaining about some +of the workqueue code in 32-bit arm builds: + + kernel/workqueue.c: In function ‘get_work_pwq’: + kernel/workqueue.c:713:24: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] + 713 | return (void *)(data & WORK_STRUCT_WQ_DATA_MASK); + | ^ + [ ... a couple of other cases ... ] + +and while it's not immediately clear exactly why gcc started complaining +about it now, I suspect it's some C23-induced enum type handlign fixup in +gcc-13 is the cause. + +Whatever the reason for starting to complain, the code and data types +are indeed disgusting enough that the complaint is warranted. + +The wq code ends up creating various "helper constants" (like that +WORK_STRUCT_WQ_DATA_MASK) using an enum type, which is all kinds of +confused. The mask needs to be 'unsigned long', not some unspecified +enum type. + +To make matters worse, the actual "mask and cast to a pointer" is +repeated a couple of times, and the cast isn't even always done to the +right pointer, but - as the error case above - to a 'void *' with then +the compiler finishing the job. + +That's now how we roll in the kernel. + +So create the masks using the proper types rather than some ambiguous +enumeration, and use a nice helper that actually does the type +conversion in one well-defined place. + +Incidentally, this magically makes clang generate better code. That, +admittedly, is really just a sign of clang having been seriously +confused before, and cleaning up the typing unconfuses the compiler too. 
+ +Reported-by: Dave Airlie +Link: https://lore.kernel.org/lkml/CAPM=9twNnV4zMCvrPkw3H-ajZOH-01JVh_kDrxdPYQErz8ZTdA@mail.gmail.com/ +Cc: Arnd Bergmann +Cc: Tejun Heo +Cc: Nick Desaulniers +Cc: Nathan Chancellor +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/workqueue.h | 15 ++++++++------- + kernel/workqueue.c | 13 ++++++++----- + 2 files changed, 16 insertions(+), 12 deletions(-) + +--- a/include/linux/workqueue.h ++++ b/include/linux/workqueue.h +@@ -73,7 +73,6 @@ enum { + WORK_OFFQ_FLAG_BASE = WORK_STRUCT_COLOR_SHIFT, + + __WORK_OFFQ_CANCELING = WORK_OFFQ_FLAG_BASE, +- WORK_OFFQ_CANCELING = (1 << __WORK_OFFQ_CANCELING), + + /* + * When a work item is off queue, its high bits point to the last +@@ -84,12 +83,6 @@ enum { + WORK_OFFQ_POOL_SHIFT = WORK_OFFQ_FLAG_BASE + WORK_OFFQ_FLAG_BITS, + WORK_OFFQ_LEFT = BITS_PER_LONG - WORK_OFFQ_POOL_SHIFT, + WORK_OFFQ_POOL_BITS = WORK_OFFQ_LEFT <= 31 ? WORK_OFFQ_LEFT : 31, +- WORK_OFFQ_POOL_NONE = (1LU << WORK_OFFQ_POOL_BITS) - 1, +- +- /* convenience constants */ +- WORK_STRUCT_FLAG_MASK = (1UL << WORK_STRUCT_FLAG_BITS) - 1, +- WORK_STRUCT_WQ_DATA_MASK = ~WORK_STRUCT_FLAG_MASK, +- WORK_STRUCT_NO_POOL = (unsigned long)WORK_OFFQ_POOL_NONE << WORK_OFFQ_POOL_SHIFT, + + /* bit mask for work_busy() return values */ + WORK_BUSY_PENDING = 1 << 0, +@@ -99,6 +92,14 @@ enum { + WORKER_DESC_LEN = 24, + }; + ++/* Convenience constants - of type 'unsigned long', not 'enum'! 
*/ ++#define WORK_OFFQ_CANCELING (1ul << __WORK_OFFQ_CANCELING) ++#define WORK_OFFQ_POOL_NONE ((1ul << WORK_OFFQ_POOL_BITS) - 1) ++#define WORK_STRUCT_NO_POOL (WORK_OFFQ_POOL_NONE << WORK_OFFQ_POOL_SHIFT) ++ ++#define WORK_STRUCT_FLAG_MASK ((1ul << WORK_STRUCT_FLAG_BITS) - 1) ++#define WORK_STRUCT_WQ_DATA_MASK (~WORK_STRUCT_FLAG_MASK) ++ + struct work_struct { + atomic_long_t data; + struct list_head entry; +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -679,12 +679,17 @@ static void clear_work_data(struct work_ + set_work_data(work, WORK_STRUCT_NO_POOL, 0); + } + ++static inline struct pool_workqueue *work_struct_pwq(unsigned long data) ++{ ++ return (struct pool_workqueue *)(data & WORK_STRUCT_WQ_DATA_MASK); ++} ++ + static struct pool_workqueue *get_work_pwq(struct work_struct *work) + { + unsigned long data = atomic_long_read(&work->data); + + if (data & WORK_STRUCT_PWQ) +- return (void *)(data & WORK_STRUCT_WQ_DATA_MASK); ++ return work_struct_pwq(data); + else + return NULL; + } +@@ -712,8 +717,7 @@ static struct worker_pool *get_work_pool + assert_rcu_or_pool_mutex(); + + if (data & WORK_STRUCT_PWQ) +- return ((struct pool_workqueue *) +- (data & WORK_STRUCT_WQ_DATA_MASK))->pool; ++ return work_struct_pwq(data)->pool; + + pool_id = data >> WORK_OFFQ_POOL_SHIFT; + if (pool_id == WORK_OFFQ_POOL_NONE) +@@ -734,8 +738,7 @@ static int get_work_pool_id(struct work_ + unsigned long data = atomic_long_read(&work->data); + + if (data & WORK_STRUCT_PWQ) +- return ((struct pool_workqueue *) +- (data & WORK_STRUCT_WQ_DATA_MASK))->pool->id; ++ return work_struct_pwq(data)->pool->id; + + return data >> WORK_OFFQ_POOL_SHIFT; + } diff --git a/tmp-5.10/x86-cpu-amd-add-a-zenbleed-fix.patch b/tmp-5.10/x86-cpu-amd-add-a-zenbleed-fix.patch new file mode 100644 index 00000000000..e718d1b3f5a --- /dev/null +++ b/tmp-5.10/x86-cpu-amd-add-a-zenbleed-fix.patch 
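Review bot: The new helper work_struct_pwq() masks and casts `data` unconditionally, and its precondition is enforced only by the three callers, each of which tests `data & WORK_STRUCT_PWQ` first. A one-line comment on the helper would keep a future caller from applying it to off-queue data, where the high bits hold a pool id rather than a pointer: `/* Caller must have checked WORK_STRUCT_PWQ; otherwise the masked bits are not a pool_workqueue pointer. */`. In get_work_pool(), `pool_id == WORK_OFFQ_POOL_NONE` now compares against an `unsigned long` macro instead of an enum constant. The declaration of `pool_id` is outside the hunk, so it is worth confirming that the comparison still behaves as intended on 64-bit builds.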
@@ -0,0 +1,161 @@ +From b2d362e150f1a48e95b4224e6ad860948f48c158 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Sat, 15 Jul 2023 13:41:28 +0200 +Subject: x86/cpu/amd: Add a Zenbleed fix + +From: "Borislav Petkov (AMD)" + +Upstream commit: 522b1d69219d8f083173819fde04f994aa051a98 + +Add a fix for the Zen2 VZEROUPPER data corruption bug where under +certain circumstances executing VZEROUPPER can cause register +corruption or leak data. + +The optimal fix is through microcode but in the case the proper +microcode revision has not been applied, enable a fallback fix using +a chicken bit. + +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/microcode.h | 1 + arch/x86/include/asm/microcode_amd.h | 2 + + arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/amd.c | 60 +++++++++++++++++++++++++++++++++++ + arch/x86/kernel/cpu/common.c | 2 + + 5 files changed, 66 insertions(+) + +--- a/arch/x86/include/asm/microcode.h ++++ b/arch/x86/include/asm/microcode.h +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + + struct ucode_patch { + struct list_head plist; +--- a/arch/x86/include/asm/microcode_amd.h ++++ b/arch/x86/include/asm/microcode_amd.h +@@ -48,11 +48,13 @@ extern void __init load_ucode_amd_bsp(un + extern void load_ucode_amd_ap(unsigned int family); + extern int __init save_microcode_in_initrd_amd(unsigned int family); + void reload_ucode_amd(unsigned int cpu); ++extern void amd_check_microcode(void); + #else + static inline void __init load_ucode_amd_bsp(unsigned int family) {} + static inline void load_ucode_amd_ap(unsigned int family) {} + static inline int __init + save_microcode_in_initrd_amd(unsigned int family) { return -EINVAL; } + static inline void reload_ucode_amd(unsigned int cpu) {} ++static inline void amd_check_microcode(void) {} + #endif + #endif /* _ASM_X86_MICROCODE_AMD_H */ +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -497,6 
+497,7 @@ + #define MSR_AMD64_DE_CFG 0xc0011029 + #define MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT 1 + #define MSR_AMD64_DE_CFG_LFENCE_SERIALIZE BIT_ULL(MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT) ++#define MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT 9 + + #define MSR_AMD64_BU_CFG2 0xc001102a + #define MSR_AMD64_IBSFETCHCTL 0xc0011030 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -71,6 +71,11 @@ static const int amd_erratum_383[] = + static const int amd_erratum_1054[] = + AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); + ++static const int amd_zenbleed[] = ++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0x30, 0x0, 0x4f, 0xf), ++ AMD_MODEL_RANGE(0x17, 0x60, 0x0, 0x7f, 0xf), ++ AMD_MODEL_RANGE(0x17, 0xa0, 0x0, 0xaf, 0xf)); ++ + static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) + { + int osvw_id = *erratum++; +@@ -1030,6 +1035,47 @@ static void init_amd_zn(struct cpuinfo_x + } + } + ++static bool cpu_has_zenbleed_microcode(void) ++{ ++ u32 good_rev = 0; ++ ++ switch (boot_cpu_data.x86_model) { ++ case 0x30 ... 0x3f: good_rev = 0x0830107a; break; ++ case 0x60 ... 0x67: good_rev = 0x0860010b; break; ++ case 0x68 ... 0x6f: good_rev = 0x08608105; break; ++ case 0x70 ... 0x7f: good_rev = 0x08701032; break; ++ case 0xa0 ... 
0xaf: good_rev = 0x08a00008; break; ++ ++ default: ++ return false; ++ break; ++ } ++ ++ if (boot_cpu_data.microcode < good_rev) ++ return false; ++ ++ return true; ++} ++ ++static void zenbleed_check(struct cpuinfo_x86 *c) ++{ ++ if (!cpu_has_amd_erratum(c, amd_zenbleed)) ++ return; ++ ++ if (cpu_has(c, X86_FEATURE_HYPERVISOR)) ++ return; ++ ++ if (!cpu_has(c, X86_FEATURE_AVX)) ++ return; ++ ++ if (!cpu_has_zenbleed_microcode()) { ++ pr_notice_once("Zenbleed: please update your microcode for the most optimal fix\n"); ++ msr_set_bit(MSR_AMD64_DE_CFG, MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT); ++ } else { ++ msr_clear_bit(MSR_AMD64_DE_CFG, MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT); ++ } ++} ++ + static void init_amd(struct cpuinfo_x86 *c) + { + early_init_amd(c); +@@ -1120,6 +1166,8 @@ static void init_amd(struct cpuinfo_x86 + msr_set_bit(MSR_K7_HWCR, MSR_K7_HWCR_IRPERF_EN_BIT); + + check_null_seg_clears_base(c); ++ ++ zenbleed_check(c); + } + + #ifdef CONFIG_X86_32 +@@ -1233,3 +1281,15 @@ void set_dr_addr_mask(unsigned long mask + break; + } + } ++ ++static void zenbleed_check_cpu(void *unused) ++{ ++ struct cpuinfo_x86 *c = &cpu_data(smp_processor_id()); ++ ++ zenbleed_check(c); ++} ++ ++void amd_check_microcode(void) ++{ ++ on_each_cpu(zenbleed_check_cpu, NULL, 1); ++} +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -2165,6 +2165,8 @@ void microcode_check(struct cpuinfo_x86 + + perf_check_microcode(); + ++ amd_check_microcode(); ++ + store_cpu_caps(&curr_info); + + if (!memcmp(&prev_info->x86_capability, &curr_info.x86_capability, diff --git a/tmp-5.10/x86-cpu-amd-move-the-errata-checking-functionality-up.patch b/tmp-5.10/x86-cpu-amd-move-the-errata-checking-functionality-up.patch new file mode 100644 index 00000000000..0fe43e3d8a4 --- /dev/null +++ b/tmp-5.10/x86-cpu-amd-move-the-errata-checking-functionality-up.patch 
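Review bot: cpu_has_zenbleed_microcode() reads `boot_cpu_data.x86_model` and `boot_cpu_data.microcode`, whereas zenbleed_check() is run for each CPU's own `cpuinfo_x86` through on_each_cpu() in amd_check_microcode(). If the revisions can differ between CPUs, for example part-way through a late microcode load, every CPU would set or clear the chicken bit based on the boot CPU's revision. That assumption should be confirmed and stated in a comment. The `amd_zenbleed` range also covers models 0x40–0x4f, which have no `good_rev` case and so always take the fallback through `default: return false;`. A comment such as `/* no fixed microcode listed for these models: always use the DE_CFG fallback */` would show that this is intended. The `break;` after `return false;` is unreachable and can be dropped. The early return on `X86_FEATURE_HYPERVISOR` leaves guests relying entirely on the host for the fix, which also deserves a line.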
@@ -0,0 +1,181 @@ +From 334baad709246598bfd30587a0e98b0d90f3f596 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Sat, 15 Jul 2023 13:31:32 +0200 +Subject: x86/cpu/amd: Move the errata checking functionality up + +From: "Borislav Petkov (AMD)" + +Upstream commit: 8b6f687743dacce83dbb0c7cfacf88bab00f808a + +Avoid new and remove old forward declarations. + +No functional changes. + +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/amd.c | 139 ++++++++++++++++++++++------------------------ + 1 file changed, 67 insertions(+), 72 deletions(-) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -28,11 +28,6 @@ + + #include "cpu.h" + +-static const int amd_erratum_383[]; +-static const int amd_erratum_400[]; +-static const int amd_erratum_1054[]; +-static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum); +- + /* + * nodes_per_socket: Stores the number of nodes per socket. + * Refer to Fam15h Models 00-0fh BKDG - CPUID Fn8000_001E_ECX +@@ -40,6 +35,73 @@ static bool cpu_has_amd_erratum(struct c + */ + static u32 nodes_per_socket = 1; + ++/* ++ * AMD errata checking ++ * ++ * Errata are defined as arrays of ints using the AMD_LEGACY_ERRATUM() or ++ * AMD_OSVW_ERRATUM() macros. The latter is intended for newer errata that ++ * have an OSVW id assigned, which it takes as first argument. Both take a ++ * variable number of family-specific model-stepping ranges created by ++ * AMD_MODEL_RANGE(). ++ * ++ * Example: ++ * ++ * const int amd_erratum_319[] = ++ * AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2), ++ * AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0), ++ * AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0)); ++ */ ++ ++#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 } ++#define AMD_OSVW_ERRATUM(osvw_id, ...) 
{ osvw_id, __VA_ARGS__, 0 } ++#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \ ++ ((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end)) ++#define AMD_MODEL_RANGE_FAMILY(range) (((range) >> 24) & 0xff) ++#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff) ++#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff) ++ ++static const int amd_erratum_400[] = ++ AMD_OSVW_ERRATUM(1, AMD_MODEL_RANGE(0xf, 0x41, 0x2, 0xff, 0xf), ++ AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0xff, 0xf)); ++ ++static const int amd_erratum_383[] = ++ AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf)); ++ ++/* #1054: Instructions Retired Performance Counter May Be Inaccurate */ ++static const int amd_erratum_1054[] = ++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); ++ ++static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) ++{ ++ int osvw_id = *erratum++; ++ u32 range; ++ u32 ms; ++ ++ if (osvw_id >= 0 && osvw_id < 65536 && ++ cpu_has(cpu, X86_FEATURE_OSVW)) { ++ u64 osvw_len; ++ ++ rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, osvw_len); ++ if (osvw_id < osvw_len) { ++ u64 osvw_bits; ++ ++ rdmsrl(MSR_AMD64_OSVW_STATUS + (osvw_id >> 6), ++ osvw_bits); ++ return osvw_bits & (1ULL << (osvw_id & 0x3f)); ++ } ++ } ++ ++ /* OSVW unavailable or ID unknown, match family-model-stepping range */ ++ ms = (cpu->x86_model << 4) | cpu->x86_stepping; ++ while ((range = *erratum++)) ++ if ((cpu->x86 == AMD_MODEL_RANGE_FAMILY(range)) && ++ (ms >= AMD_MODEL_RANGE_START(range)) && ++ (ms <= AMD_MODEL_RANGE_END(range))) ++ return true; ++ ++ return false; ++} ++ + static inline int rdmsrl_amd_safe(unsigned msr, unsigned long long *p) + { + u32 gprs[8] = { 0 }; +@@ -1153,73 +1215,6 @@ static const struct cpu_dev amd_cpu_dev + + cpu_dev_register(amd_cpu_dev); + +-/* +- * AMD errata checking +- * +- * Errata are defined as arrays of ints using the AMD_LEGACY_ERRATUM() or +- * AMD_OSVW_ERRATUM() macros. 
The latter is intended for newer errata that +- * have an OSVW id assigned, which it takes as first argument. Both take a +- * variable number of family-specific model-stepping ranges created by +- * AMD_MODEL_RANGE(). +- * +- * Example: +- * +- * const int amd_erratum_319[] = +- * AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2), +- * AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0), +- * AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0)); +- */ +- +-#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 } +-#define AMD_OSVW_ERRATUM(osvw_id, ...) { osvw_id, __VA_ARGS__, 0 } +-#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \ +- ((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end)) +-#define AMD_MODEL_RANGE_FAMILY(range) (((range) >> 24) & 0xff) +-#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff) +-#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff) +- +-static const int amd_erratum_400[] = +- AMD_OSVW_ERRATUM(1, AMD_MODEL_RANGE(0xf, 0x41, 0x2, 0xff, 0xf), +- AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0xff, 0xf)); +- +-static const int amd_erratum_383[] = +- AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf)); +- +-/* #1054: Instructions Retired Performance Counter May Be Inaccurate */ +-static const int amd_erratum_1054[] = +- AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); +- +-static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) +-{ +- int osvw_id = *erratum++; +- u32 range; +- u32 ms; +- +- if (osvw_id >= 0 && osvw_id < 65536 && +- cpu_has(cpu, X86_FEATURE_OSVW)) { +- u64 osvw_len; +- +- rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, osvw_len); +- if (osvw_id < osvw_len) { +- u64 osvw_bits; +- +- rdmsrl(MSR_AMD64_OSVW_STATUS + (osvw_id >> 6), +- osvw_bits); +- return osvw_bits & (1ULL << (osvw_id & 0x3f)); +- } +- } +- +- /* OSVW unavailable or ID unknown, match family-model-stepping range */ +- ms = (cpu->x86_model << 4) | cpu->x86_stepping; +- while ((range = *erratum++)) +- if ((cpu->x86 == 
AMD_MODEL_RANGE_FAMILY(range)) && +- (ms >= AMD_MODEL_RANGE_START(range)) && +- (ms <= AMD_MODEL_RANGE_END(range))) +- return true; +- +- return false; +-} +- + void set_dr_addr_mask(unsigned long mask, int dr) + { + if (!boot_cpu_has(X86_FEATURE_BPEXT)) diff --git a/tmp-5.10/x86-microcode-amd-load-late-on-both-threads-too.patch b/tmp-5.10/x86-microcode-amd-load-late-on-both-threads-too.patch new file mode 100644 index 00000000000..6348e1be3de --- /dev/null +++ b/tmp-5.10/x86-microcode-amd-load-late-on-both-threads-too.patch @@ -0,0 +1,30 @@ +From a32b0f0db3f396f1c9be2fe621e77c09ec3d8e7d Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Tue, 2 May 2023 19:53:50 +0200 +Subject: x86/microcode/AMD: Load late on both threads too + +From: Borislav Petkov (AMD) + +commit a32b0f0db3f396f1c9be2fe621e77c09ec3d8e7d upstream. + +Do the same as early loading - load on both threads. + +Signed-off-by: Borislav Petkov (AMD) +Cc: +Link: https://lore.kernel.org/r/20230605141332.25948-1-bp@alien8.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/microcode/amd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/microcode/amd.c ++++ b/arch/x86/kernel/cpu/microcode/amd.c +@@ -700,7 +700,7 @@ static enum ucode_state apply_microcode_ + rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy); + + /* need to apply patch? */ +- if (rev >= mc_amd->hdr.patch_id) { ++ if (rev > mc_amd->hdr.patch_id) { + ret = UCODE_OK; + goto out; + } diff --git a/tmp-5.10/x86-mm-fix-__swp_entry_to_pte-for-xen-pv-guests.patch b/tmp-5.10/x86-mm-fix-__swp_entry_to_pte-for-xen-pv-guests.patch new file mode 100644 index 00000000000..8f048a226d8 --- /dev/null +++ b/tmp-5.10/x86-mm-fix-__swp_entry_to_pte-for-xen-pv-guests.patch 
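Review bot: The retained comment `/* need to apply patch? */` no longer matches the condition after the change to `if (rev > mc_amd->hdr.patch_id)`, because an equal revision now falls through instead of returning `UCODE_OK`. Going by the commit message this is deliberate, so that the second thread is loaded as well, and the code should say so, e.g. `/* an equal revision is reapplied on purpose: load on both threads, as early loading does */`. The function body continues outside the hunk, so what the fall-through path does for an equal revision is not visible here.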
@@ -0,0 +1,47 @@ +From 007fafcff383149f46dba3c47dc37afd7e29db32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Mar 2023 13:32:59 +0100 +Subject: x86/mm: Fix __swp_entry_to_pte() for Xen PV guests + +From: Juergen Gross + +[ Upstream commit 0f88130e8a6fd185b0aeb5d8e286083735f2585a ] + +Normally __swp_entry_to_pte() is never called with a value translating +to a valid PTE. The only known exception is pte_swap_tests(), resulting +in a WARN splat in Xen PV guests, as __pte_to_swp_entry() did +translate the PFN of the valid PTE to a guest local PFN, while +__swp_entry_to_pte() doesn't do the opposite translation. + +Fix that by using __pte() in __swp_entry_to_pte() instead of open +coding the native variant of it. + +For correctness do the similar conversion for __swp_entry_to_pmd(). + +Fixes: 05289402d717 ("mm/debug_vm_pgtable: add tests validating arch helpers for core MM features") +Signed-off-by: Juergen Gross +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/20230306123259.12461-1-jgross@suse.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/pgtable_64.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h +index 56d0399a0cd16..dd520b44e89cc 100644 +--- a/arch/x86/include/asm/pgtable_64.h ++++ b/arch/x86/include/asm/pgtable_64.h +@@ -235,8 +235,8 @@ static inline void native_pgd_clear(pgd_t *pgd) + + #define __pte_to_swp_entry(pte) ((swp_entry_t) { pte_val((pte)) }) + #define __pmd_to_swp_entry(pmd) ((swp_entry_t) { pmd_val((pmd)) }) +-#define __swp_entry_to_pte(x) ((pte_t) { .pte = (x).val }) +-#define __swp_entry_to_pmd(x) ((pmd_t) { .pmd = (x).val }) ++#define __swp_entry_to_pte(x) (__pte((x).val)) ++#define __swp_entry_to_pmd(x) (__pmd((x).val)) + + extern int kern_addr_valid(unsigned long addr); + extern void cleanup_highmap(void); +-- +2.39.2 + 
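Review bot: The two rewritten macros in pgtable_64.h carry no comment saying why they must go through `__pte()` and `__pmd()`, so a later cleanup could open-code the initializer again and bring back the Xen PV mismatch described in the commit message. A one-line comment above them would prevent that, e.g. `/* use __pte()/__pmd() so the paravirt PFN translation mirrors pte_val()/pmd_val() in the reverse macros */`. The wording is inferred from the commit message; the definitions of `__pte()` and `__pmd()` are not in this hunk.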
diff --git a/tmp-5.10/x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch b/tmp-5.10/x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch
new file mode 100644
index 00000000000..a208f8bc9cf
--- /dev/null
+++ b/tmp-5.10/x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch
@@ -0,0 +1,55 @@ +From f906861f841781539273d274cbace0847588efd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 14:04:48 +0800 +Subject: x86/resctrl: Only show tasks' pid in current pid namespace + +From: Shawn Wang + +[ Upstream commit 2997d94b5dd0e8b10076f5e0b6f18410c73e28bd ] + +When writing a task id to the "tasks" file in an rdtgroup, +rdtgroup_tasks_write() treats the pid as a number in the current pid +namespace. But when reading the "tasks" file, rdtgroup_tasks_show() shows +the list of global pids from the init namespace, which is confusing and +incorrect. + +To be more robust, let the "tasks" file only show pids in the current pid +namespace. + +Fixes: e02737d5b826 ("x86/intel_rdt: Add tasks files") +Signed-off-by: Shawn Wang +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Reinette Chatre +Acked-by: Fenghua Yu +Tested-by: Reinette Chatre +Link: https://lore.kernel.org/all/20230116071246.97717-1-shawnwang@linux.alibaba.com/ +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/resctrl/rdtgroup.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/cpu/resctrl/rdtgroup.c b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +index 1a943743cfe4b..1e73b6fae3b4c 100644 +--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c ++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +@@ -715,11 +715,15 @@ static ssize_t rdtgroup_tasks_write(struct kernfs_open_file *of, + static void show_rdt_tasks(struct rdtgroup *r, struct seq_file *s) + { + struct task_struct *p, *t; ++ pid_t pid; + + rcu_read_lock(); + for_each_process_thread(p, t) { +- if (is_closid_match(t, r) || is_rmid_match(t, r)) +- seq_printf(s, "%d\n", t->pid); ++ if (is_closid_match(t, r) || is_rmid_match(t, r)) { ++ pid = task_pid_vnr(t); ++ if (pid) ++ seq_printf(s, "%d\n", pid); ++ } + } + rcu_read_unlock(); + } +-- +2.39.2 + 
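Review bot: The new `if (pid)` test in show_rdt_tasks() silently drops tasks and nothing in the code says why; `task_pid_vnr()` yields 0 for a task that has no pid in the caller's pid namespace, so this guard is what keeps pids from other namespaces out of the "tasks" file. A comment such as `/* 0: task has no pid in the reader's namespace, do not list it */` would make that boundary explicit. `pid` could also be declared inside the `if` block where it is used. The namespace is that of the task performing the read, which may matter if the open file is handed to a process in another namespace; worth confirming that this is the intended behaviour.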
diff --git a/tmp-5.10/x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch b/tmp-5.10/x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch
new file mode 100644
index 00000000000..a6f0a56cedd
--- /dev/null
+++ b/tmp-5.10/x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch
@@ -0,0 +1,91 @@ +From f9c9987bf52f4e42e940ae217333ebb5a4c3b506 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 15 Jun 2023 22:33:55 +0200 +Subject: x86/smp: Use dedicated cache-line for mwait_play_dead() + +From: Thomas Gleixner + +commit f9c9987bf52f4e42e940ae217333ebb5a4c3b506 upstream. + +Monitoring idletask::thread_info::flags in mwait_play_dead() has been an +obvious choice as all what is needed is a cache line which is not written +by other CPUs. + +But there is a use case where a "dead" CPU needs to be brought out of +MWAIT: kexec(). + +This is required as kexec() can overwrite text, pagetables, stacks and the +monitored cacheline of the original kernel. The latter causes MWAIT to +resume execution which obviously causes havoc on the kexec kernel which +results usually in triple faults. + +Use a dedicated per CPU storage to prepare for that. + +Signed-off-by: Thomas Gleixner +Reviewed-by: Ashok Raj +Reviewed-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230615193330.434553750@linutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/smpboot.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -100,6 +100,17 @@ DEFINE_PER_CPU_READ_MOSTLY(cpumask_var_t + DEFINE_PER_CPU_READ_MOSTLY(struct cpuinfo_x86, cpu_info); + EXPORT_PER_CPU_SYMBOL(cpu_info); + ++struct mwait_cpu_dead { ++ unsigned int control; ++ unsigned int status; ++}; ++ ++/* ++ * Cache line aligned data for mwait_play_dead(). Separate on purpose so ++ * that it's unlikely to be touched by other CPUs. ++ */ ++static DEFINE_PER_CPU_ALIGNED(struct mwait_cpu_dead, mwait_cpu_dead); ++ + /* Logical package management. 
We might want to allocate that dynamically */ + unsigned int __max_logical_packages __read_mostly; + EXPORT_SYMBOL(__max_logical_packages); +@@ -1674,10 +1685,10 @@ EXPORT_SYMBOL_GPL(cond_wakeup_cpu0); + */ + static inline void mwait_play_dead(void) + { ++ struct mwait_cpu_dead *md = this_cpu_ptr(&mwait_cpu_dead); + unsigned int eax, ebx, ecx, edx; + unsigned int highest_cstate = 0; + unsigned int highest_subcstate = 0; +- void *mwait_ptr; + int i; + + if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || +@@ -1712,13 +1723,6 @@ static inline void mwait_play_dead(void) + (highest_subcstate - 1); + } + +- /* +- * This should be a memory location in a cache line which is +- * unlikely to be touched by other processors. The actual +- * content is immaterial as it is not actually modified in any way. +- */ +- mwait_ptr = ¤t_thread_info()->flags; +- + wbinvd(); + + while (1) { +@@ -1730,9 +1734,9 @@ static inline void mwait_play_dead(void) + * case where we return around the loop. + */ + mb(); +- clflush(mwait_ptr); ++ clflush(md); + mb(); +- __monitor(mwait_ptr, 0, 0); ++ __monitor(md, 0, 0); + mb(); + __mwait(eax, 0); + diff --git a/tmp-5.10/xhci-fix-resume-issue-of-some-zhaoxin-hosts.patch b/tmp-5.10/xhci-fix-resume-issue-of-some-zhaoxin-hosts.patch new file mode 100644 index 00000000000..b0b6fb6b8aa --- /dev/null +++ b/tmp-5.10/xhci-fix-resume-issue-of-some-zhaoxin-hosts.patch 
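Review bot: `struct mwait_cpu_dead` is added with two members, `control` and `status`, that are neither documented nor accessed anywhere in this patch; mwait_play_dead() only passes the structure's address to `clflush()` and `__monitor()`. Going by the commit message they prepare for bringing a parked CPU out of MWAIT before kexec, so each member should get a comment stating who writes it and who reads it, for instance `/* control: written by another CPU to release this one (assumed, confirm with the follow-up patch) */`. The comment above the per-CPU definition says the line is "unlikely to be touched by other CPUs"; if a later patch has another CPU write `control`, that wording will need updating. mwait_play_dead() starts and ends outside the hunks shown.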
@@ -0,0 +1,38 @@ +From f927728186f0de1167262d6a632f9f7e96433d1a Mon Sep 17 00:00:00 2001 +From: Weitao Wang +Date: Fri, 2 Jun 2023 17:40:06 +0300 +Subject: xhci: Fix resume issue of some ZHAOXIN hosts + +From: Weitao Wang + +commit f927728186f0de1167262d6a632f9f7e96433d1a upstream. + +On ZHAOXIN ZX-100 project, xHCI can't work normally after resume +from system Sx state. To fix this issue, when resume from system +Sx state, reinitialize xHCI instead of restore. +So, Add XHCI_RESET_ON_RESUME quirk for ZX-100 to fix issue of +resuming from system Sx state. + +Cc: stable@vger.kernel.org +Signed-off-by: Weitao Wang +Signed-off-by: Mathias Nyman +Message-ID: <20230602144009.1225632-9-mathias.nyman@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -330,6 +330,11 @@ static void xhci_pci_quirks(struct devic + pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_4)) + xhci->quirks |= XHCI_NO_SOFT_RETRY; + ++ if (pdev->vendor == PCI_VENDOR_ID_ZHAOXIN) { ++ if (pdev->device == 0x9202) ++ xhci->quirks |= XHCI_RESET_ON_RESUME; ++ } ++ + /* xHC spec requires PCI devices to support D3hot and D3cold */ + if (xhci->hci_version >= 0x120) + xhci->quirks |= XHCI_DEFAULT_PM_RUNTIME_ALLOW; diff --git a/tmp-5.10/xhci-fix-trb-prefetch-issue-of-zhaoxin-hosts.patch b/tmp-5.10/xhci-fix-trb-prefetch-issue-of-zhaoxin-hosts.patch new file mode 100644 index 00000000000..2d4cbdb831d --- /dev/null +++ b/tmp-5.10/xhci-fix-trb-prefetch-issue-of-zhaoxin-hosts.patch 
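Review bot: The device match added to xhci_pci_quirks() uses the bare literal `0x9202`, while the neighbouring checks use named IDs such as `PCI_DEVICE_ID_AMD_PROMONTORYA_4`. A named constant next to the file's other device-ID defines, e.g. `#define PCI_DEVICE_ID_ZHAOXIN_ZX100_XHCI 0x9202` (the name is only a suggestion), would record which controller the quirk is meant for. The same applies to `0x9203`, added by the TRB-prefetch patch later in this queue. xhci_pci_quirks() continues outside the hunk.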
@@ -0,0 +1,71 @@ +From 2a865a652299f5666f3b785cbe758c5f57453036 Mon Sep 17 00:00:00 2001 +From: Weitao Wang +Date: Fri, 2 Jun 2023 17:40:07 +0300 +Subject: xhci: Fix TRB prefetch issue of ZHAOXIN hosts + +From: Weitao Wang + +commit 2a865a652299f5666f3b785cbe758c5f57453036 upstream. + +On some ZHAOXIN hosts, xHCI will prefetch TRB for performance +improvement. However this TRB prefetch mechanism may cross page boundary, +which may access memory not allocated by xHCI driver. In order to fix +this issue, two pages was allocated for a segment and only the first +page will be used. And add a quirk XHCI_ZHAOXIN_TRB_FETCH for this issue. + +Cc: stable@vger.kernel.org +Signed-off-by: Weitao Wang +Signed-off-by: Mathias Nyman +Message-ID: <20230602144009.1225632-10-mathias.nyman@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-mem.c | 8 ++++++-- + drivers/usb/host/xhci-pci.c | 7 ++++++- + drivers/usb/host/xhci.h | 1 + + 3 files changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -2472,8 +2472,12 @@ int xhci_mem_init(struct xhci_hcd *xhci, + * and our use of dma addresses in the trb_address_map radix tree needs + * TRB_SEGMENT_SIZE alignment, so we pick the greater alignment need. 
+ */ +- xhci->segment_pool = dma_pool_create("xHCI ring segments", dev, +- TRB_SEGMENT_SIZE, TRB_SEGMENT_SIZE, xhci->page_size); ++ if (xhci->quirks & XHCI_ZHAOXIN_TRB_FETCH) ++ xhci->segment_pool = dma_pool_create("xHCI ring segments", dev, ++ TRB_SEGMENT_SIZE * 2, TRB_SEGMENT_SIZE * 2, xhci->page_size * 2); ++ else ++ xhci->segment_pool = dma_pool_create("xHCI ring segments", dev, ++ TRB_SEGMENT_SIZE, TRB_SEGMENT_SIZE, xhci->page_size); + + /* See Table 46 and Note on Figure 55 */ + xhci->device_pool = dma_pool_create("xHCI input/output contexts", dev, +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -331,8 +331,13 @@ static void xhci_pci_quirks(struct devic + xhci->quirks |= XHCI_NO_SOFT_RETRY; + + if (pdev->vendor == PCI_VENDOR_ID_ZHAOXIN) { +- if (pdev->device == 0x9202) ++ if (pdev->device == 0x9202) { + xhci->quirks |= XHCI_RESET_ON_RESUME; ++ xhci->quirks |= XHCI_ZHAOXIN_TRB_FETCH; ++ } ++ ++ if (pdev->device == 0x9203) ++ xhci->quirks |= XHCI_ZHAOXIN_TRB_FETCH; + } + + /* xHC spec requires PCI devices to support D3hot and D3cold */ +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1895,6 +1895,7 @@ struct xhci_hcd { + #define XHCI_EP_CTX_BROKEN_DCS BIT_ULL(42) + #define XHCI_SUSPEND_RESUME_CLKS BIT_ULL(43) + #define XHCI_RESET_TO_DEFAULT BIT_ULL(44) ++#define XHCI_ZHAOXIN_TRB_FETCH BIT_ULL(45) + + unsigned int num_active_eps; + unsigned int limit_active_eps; diff --git a/tmp-5.10/xhci-show-zhaoxin-xhci-root-hub-speed-correctly.patch b/tmp-5.10/xhci-show-zhaoxin-xhci-root-hub-speed-correctly.patch new file mode 100644 index 00000000000..9cc08a75c8a --- /dev/null +++ b/tmp-5.10/xhci-show-zhaoxin-xhci-root-hub-speed-correctly.patch 
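Review bot: The quirk branch in xhci_mem_init() doubles the size, alignment and boundary of the segment pool, but the code does not say that the second half of each block is padding that must never hold TRBs. Only the commit message explains it (the controller's prefetch can cross the page boundary, so two pages are allocated and only the first is used); the existing comment above the call covers alignment alone. Add something like `/* ZHAOXIN prefetches TRBs past the segment end: allocate double, use only the first TRB_SEGMENT_SIZE bytes */`. Whether the segment allocation path zeroes the whole doubled block is not visible in this hunk and is worth checking, since the device will read the spare half.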
@@ -0,0 +1,127 @@ +From d9b0328d0b8b8298dfdc97cd8e0e2371d4bcc97b Mon Sep 17 00:00:00 2001 +From: Weitao Wang +Date: Fri, 2 Jun 2023 17:40:08 +0300 +Subject: xhci: Show ZHAOXIN xHCI root hub speed correctly + +From: Weitao Wang + +commit d9b0328d0b8b8298dfdc97cd8e0e2371d4bcc97b upstream. + +Some ZHAOXIN xHCI controllers follow usb3.1 spec, but only support +gen1 speed 5Gbps. While in Linux kernel, if xHCI suspport usb3.1, +root hub speed will show on 10Gbps. +To fix this issue of ZHAOXIN xHCI platforms, read usb speed ID +supported by xHCI to determine root hub speed. And add a quirk +XHCI_ZHAOXIN_HOST for this issue. + +[fix warning about uninitialized symbol -Mathias] + +Suggested-by: Mathias Nyman +Cc: stable@vger.kernel.org +Signed-off-by: Weitao Wang +Signed-off-by: Mathias Nyman +Message-ID: <20230602144009.1225632-11-mathias.nyman@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-mem.c | 31 ++++++++++++++++++++++++------- + drivers/usb/host/xhci-pci.c | 2 ++ + drivers/usb/host/xhci.h | 1 + + 3 files changed, 27 insertions(+), 7 deletions(-) + +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -2146,7 +2146,7 @@ static void xhci_add_in_port(struct xhci + { + u32 temp, port_offset, port_count; + int i; +- u8 major_revision, minor_revision; ++ u8 major_revision, minor_revision, tmp_minor_revision; + struct xhci_hub *rhub; + struct device *dev = xhci_to_hcd(xhci)->self.sysdev; + struct xhci_port_cap *port_cap; +@@ -2166,6 +2166,15 @@ static void xhci_add_in_port(struct xhci + */ + if (minor_revision > 0x00 && minor_revision < 0x10) + minor_revision <<= 4; ++ /* ++ * Some zhaoxin's xHCI controller that follow usb3.1 spec ++ * but only support Gen1. 
++ */ ++ if (xhci->quirks & XHCI_ZHAOXIN_HOST) { ++ tmp_minor_revision = minor_revision; ++ minor_revision = 0; ++ } ++ + } else if (major_revision <= 0x02) { + rhub = &xhci->usb2_rhub; + } else { +@@ -2175,10 +2184,6 @@ static void xhci_add_in_port(struct xhci + /* Ignoring port protocol we can't understand. FIXME */ + return; + } +- rhub->maj_rev = XHCI_EXT_PORT_MAJOR(temp); +- +- if (rhub->min_rev < minor_revision) +- rhub->min_rev = minor_revision; + + /* Port offset and count in the third dword, see section 7.2 */ + temp = readl(addr + 2); +@@ -2197,8 +2202,6 @@ static void xhci_add_in_port(struct xhci + if (xhci->num_port_caps > max_caps) + return; + +- port_cap->maj_rev = major_revision; +- port_cap->min_rev = minor_revision; + port_cap->psi_count = XHCI_EXT_PORT_PSIC(temp); + + if (port_cap->psi_count) { +@@ -2219,6 +2222,11 @@ static void xhci_add_in_port(struct xhci + XHCI_EXT_PORT_PSIV(port_cap->psi[i - 1]))) + port_cap->psi_uid_count++; + ++ if (xhci->quirks & XHCI_ZHAOXIN_HOST && ++ major_revision == 0x03 && ++ XHCI_EXT_PORT_PSIV(port_cap->psi[i]) >= 5) ++ minor_revision = tmp_minor_revision; ++ + xhci_dbg(xhci, "PSIV:%d PSIE:%d PLT:%d PFD:%d LP:%d PSIM:%d\n", + XHCI_EXT_PORT_PSIV(port_cap->psi[i]), + XHCI_EXT_PORT_PSIE(port_cap->psi[i]), +@@ -2228,6 +2236,15 @@ static void xhci_add_in_port(struct xhci + XHCI_EXT_PORT_PSIM(port_cap->psi[i])); + } + } ++ ++ rhub->maj_rev = major_revision; ++ ++ if (rhub->min_rev < minor_revision) ++ rhub->min_rev = minor_revision; ++ ++ port_cap->maj_rev = major_revision; ++ port_cap->min_rev = minor_revision; ++ + /* cache usb2 port capabilities */ + if (major_revision < 0x03 && xhci->num_ext_caps < max_caps) + xhci->ext_caps[xhci->num_ext_caps++] = temp; +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -331,6 +331,8 @@ static void xhci_pci_quirks(struct devic + xhci->quirks |= XHCI_NO_SOFT_RETRY; + + if (pdev->vendor == PCI_VENDOR_ID_ZHAOXIN) { ++ xhci->quirks |= XHCI_ZHAOXIN_HOST; ++ + if 
(pdev->device == 0x9202) { + xhci->quirks |= XHCI_RESET_ON_RESUME; + xhci->quirks |= XHCI_ZHAOXIN_TRB_FETCH; +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1896,6 +1896,7 @@ struct xhci_hcd { + #define XHCI_SUSPEND_RESUME_CLKS BIT_ULL(43) + #define XHCI_RESET_TO_DEFAULT BIT_ULL(44) + #define XHCI_ZHAOXIN_TRB_FETCH BIT_ULL(45) ++#define XHCI_ZHAOXIN_HOST BIT_ULL(46) + + unsigned int num_active_eps; + unsigned int limit_active_eps; diff --git a/tmp-5.10/xsk-honor-so_bindtodevice-on-bind.patch b/tmp-5.10/xsk-honor-so_bindtodevice-on-bind.patch new file mode 100644 index 00000000000..77bd72da16f --- /dev/null +++ b/tmp-5.10/xsk-honor-so_bindtodevice-on-bind.patch 
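Review bot: In xhci_add_in_port() the test `XHCI_EXT_PORT_PSIV(port_cap->psi[i]) >= 5` uses an unexplained threshold, and the condition mixes `&` and `&&` without parentheses. The precedence is correct, but `(xhci->quirks & XHCI_ZHAOXIN_HOST) && major_revision == 0x03 && ...` reads unambiguously. A comment such as `/* a speed ID of 5 or more is taken to mean faster than Gen1: restore the reported minor revision */` would document the 5 (meaning assumed from the commit message; confirm against the xHCI PSI definitions). `tmp_minor_revision` is declared without an initialiser and assigned only under the quirk in the 0x03 branch; the later read is guarded by the same conditions, but initialising it at the declaration would keep that safe if the guards ever diverge. The function starts and ends outside the hunks.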
@@ -0,0 +1,101 @@ +From 198b68b22a3059cfd752bbf523e80136a6ac56af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jul 2023 19:53:29 +0200 +Subject: xsk: Honor SO_BINDTODEVICE on bind + +From: Ilya Maximets + +[ Upstream commit f7306acec9aae9893d15e745c8791124d42ab10a ] + +Initial creation of an AF_XDP socket requires CAP_NET_RAW capability. A +privileged process might create the socket and pass it to a non-privileged +process for later use. However, that process will be able to bind the socket +to any network interface. Even though it will not be able to receive any +traffic without modification of the BPF map, the situation is not ideal. + +Sockets already have a mechanism that can be used to restrict what interface +they can be attached to. That is SO_BINDTODEVICE. + +To change the SO_BINDTODEVICE binding the process will need CAP_NET_RAW. + +Make xsk_bind() honor the SO_BINDTODEVICE in order to allow safer workflow +when non-privileged process is using AF_XDP. + +The intended workflow is following: + + 1. First process creates a bare socket with socket(AF_XDP, ...). + 2. First process loads the XSK program to the interface. + 3. First process adds the socket fd to a BPF map. + 4. First process ties socket fd to a particular interface using + SO_BINDTODEVICE. + 5. First process sends socket fd to a second process. + 6. Second process allocates UMEM. + 7. Second process binds socket to the interface with bind(...). + 8. Second process sends/receives the traffic. + +All the steps above are possible today if the first process is privileged +and the second one has sufficient RLIMIT_MEMLOCK and no capabilities. +However, the second process will be able to bind the socket to any interface +it wants on step 7 and send traffic from it. With the proposed change, the +second process will be able to bind the socket only to a specific interface +chosen by the first process at step 4. 
+ +Fixes: 965a99098443 ("xsk: add support for bind for Rx") +Signed-off-by: Ilya Maximets +Signed-off-by: Daniel Borkmann +Acked-by: Magnus Karlsson +Acked-by: John Fastabend +Acked-by: Jason Wang +Link: https://lore.kernel.org/bpf/20230703175329.3259672-1-i.maximets@ovn.org +Signed-off-by: Sasha Levin +--- + Documentation/networking/af_xdp.rst | 9 +++++++++ + net/xdp/xsk.c | 5 +++++ + 2 files changed, 14 insertions(+) + +diff --git a/Documentation/networking/af_xdp.rst b/Documentation/networking/af_xdp.rst +index 2ccc5644cc98a..70623cb135d3c 100644 +--- a/Documentation/networking/af_xdp.rst ++++ b/Documentation/networking/af_xdp.rst +@@ -433,6 +433,15 @@ start N bytes into the buffer leaving the first N bytes for the + application to use. The final option is the flags field, but it will + be dealt with in separate sections for each UMEM flag. + ++SO_BINDTODEVICE setsockopt ++-------------------------- ++ ++This is a generic SOL_SOCKET option that can be used to tie AF_XDP ++socket to a particular network interface. It is useful when a socket ++is created by a privileged process and passed to a non-privileged one. ++Once the option is set, kernel will refuse attempts to bind that socket ++to a different interface. Updating the value requires CAP_NET_RAW. 
++ + XDP_STATISTICS getsockopt + ------------------------- + +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index 691841dc6d334..d04f91f4d09df 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -667,6 +667,7 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len) + struct sock *sk = sock->sk; + struct xdp_sock *xs = xdp_sk(sk); + struct net_device *dev; ++ int bound_dev_if; + u32 flags, qid; + int err = 0; + +@@ -680,6 +681,10 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len) + XDP_USE_NEED_WAKEUP)) + return -EINVAL; + ++ bound_dev_if = READ_ONCE(sk->sk_bound_dev_if); ++ if (bound_dev_if && bound_dev_if != sxdp->sxdp_ifindex) ++ return -EINVAL; ++ + rtnl_lock(); + mutex_lock(&xs->mutex); + if (xs->state != XSK_READY) { +-- +2.39.2 + diff --git a/tmp-5.10/xtensa-iss-fix-call-to-split_if_spec.patch b/tmp-5.10/xtensa-iss-fix-call-to-split_if_spec.patch new file mode 100644 index 00000000000..9d44f1d6a98 --- /dev/null +++ b/tmp-5.10/xtensa-iss-fix-call-to-split_if_spec.patch 
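Review bot: The new check in xsk_bind() rejects a mismatching interface with `-EINVAL`, the same value returned just above for invalid flags, and neither the code nor the added af_xdp.rst section tells the caller which error to expect. Since this check is what confines an unprivileged holder of the socket to the interface chosen by the privileged creator, it deserves a comment, e.g. `/* SO_BINDTODEVICE set: only the pinned ifindex may be bound */`, and the documentation paragraph could end with "bind() then fails with EINVAL". `sk_bound_dev_if` is sampled with `READ_ONCE()` before `rtnl_lock()` and `xs->mutex` are taken; that looks acceptable given that changing the binding requires CAP_NET_RAW, but a short note saying so would save the next reader the analysis. xsk_bind() continues outside the hunk.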
@@ -0,0 +1,34 @@ +From bc8d5916541fa19ca5bc598eb51a5f78eb891a36 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Mon, 3 Jul 2023 11:01:42 -0700 +Subject: xtensa: ISS: fix call to split_if_spec + +From: Max Filippov + +commit bc8d5916541fa19ca5bc598eb51a5f78eb891a36 upstream. + +split_if_spec expects a NULL-pointer as an end marker for the argument +list, but tuntap_probe never supplied that terminating NULL. As a result +incorrectly formatted interface specification string may cause a crash +because of the random memory access. Fix that by adding NULL terminator +to the split_if_spec argument list. + +Cc: stable@vger.kernel.org +Fixes: 7282bee78798 ("[PATCH] xtensa: Architecture support for Tensilica Xtensa Part 8") +Signed-off-by: Max Filippov +Signed-off-by: Greg Kroah-Hartman +--- + arch/xtensa/platforms/iss/network.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/xtensa/platforms/iss/network.c ++++ b/arch/xtensa/platforms/iss/network.c +@@ -231,7 +231,7 @@ static int tuntap_probe(struct iss_net_p + + init += sizeof(TRANSPORT_TUNTAP_NAME) - 1; + if (*init == ',') { +- rem = split_if_spec(init + 1, &mac_str, &dev_name); ++ rem = split_if_spec(init + 1, &mac_str, &dev_name, NULL); + if (rem != NULL) { + pr_err("%s: extra garbage on specification : '%s'\n", + dev->name, rem); diff --git a/tmp-5.15/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch b/tmp-5.15/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch new file mode 100644 index 00000000000..7369250645b --- /dev/null +++ b/tmp-5.15/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch 
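Review bot: split_if_spec()'s end-marker contract is still enforced only by convention, so the omission corrected at the call in tuntap_probe() can recur at any other call site. If the function is variadic, as the commit message implies, marking its declaration with `__attribute__((sentinel))` lets the compiler warn whenever a call does not end in a null pointer. The declaration is outside this hunk, so this would be a separate small change.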
@@ -0,0 +1,150 @@ +From 94faffdcc73e679db09c8c47b4adc0c0a00201dd Mon Sep 17 00:00:00 2001 +From: Oswald Buddenhagen +Date: Wed, 10 May 2023 19:39:05 +0200 +Subject: [PATCH AUTOSEL 4.14 2/9] ALSA: emu10k1: roll up loops in DSP setup + code for Audigy +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 4.14.320 + +[ Upstream commit 8cabf83c7aa54530e699be56249fb44f9505c4f3 ] + +There is no apparent reason for the massive code duplication. + +Signed-off-by: Oswald Buddenhagen +Link: https://lore.kernel.org/r/20230510173917.3073107-3-oswald.buddenhagen@gmx.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/emu10k1/emufx.c | 112 +++------------------------------------------- + 1 file changed, 9 insertions(+), 103 deletions(-) + +--- a/sound/pci/emu10k1/emufx.c ++++ b/sound/pci/emu10k1/emufx.c +@@ -1563,14 +1563,8 @@ A_OP(icode, &ptr, iMAC0, A_GPR(var), A_G + gpr += 2; + + /* Master volume (will be renamed later) */ +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+0+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+0+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+1+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+1+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+2+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+2+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+3+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+3+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+4+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+4+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+5+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+5+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+6+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), 
A_GPR(playback+6+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+7+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+7+SND_EMU10K1_PLAYBACK_CHANNELS)); ++ for (z = 0; z < 8; z++) ++ A_OP(icode, &ptr, iMAC0, A_GPR(playback+z+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+z+SND_EMU10K1_PLAYBACK_CHANNELS)); + snd_emu10k1_init_mono_control(&controls[nctl++], "Wave Master Playback Volume", gpr, 0); + gpr += 2; + +@@ -1654,102 +1648,14 @@ A_OP(icode, &ptr, iMAC0, A_GPR(var), A_G + dev_dbg(emu->card->dev, "emufx.c: gpr=0x%x, tmp=0x%x\n", + gpr, tmp); + */ +- /* For the EMU1010: How to get 32bit values from the DSP. High 16bits into L, low 16bits into R. */ +- /* A_P16VIN(0) is delayed by one sample, +- * so all other A_P16VIN channels will need to also be delayed +- */ +- /* Left ADC in. 1 of 2 */ + snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_P16VIN(0x0), A_FXBUS2(0) ); +- /* Right ADC in 1 of 2 */ +- gpr_map[gpr++] = 0x00000000; +- /* Delaying by one sample: instead of copying the input +- * value A_P16VIN to output A_FXBUS2 as in the first channel, +- * we use an auxiliary register, delaying the value by one +- * sample +- */ +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(2) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x1), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(4) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x2), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(6) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x3), A_C_00000000, A_C_00000000); +- /* For 96kHz mode */ +- /* Left ADC in. 
2 of 2 */ +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0x8) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x4), A_C_00000000, A_C_00000000); +- /* Right ADC in 2 of 2 */ +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xa) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x5), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xc) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x6), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xe) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x7), A_C_00000000, A_C_00000000); +- /* Pavel Hofman - we still have voices, A_FXBUS2s, and +- * A_P16VINs available - +- * let's add 8 more capture channels - total of 16 +- */ +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x10)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x8), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x12)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x9), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x14)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xa), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x16)); +- 
A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xb), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x18)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xc), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x1a)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xd), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x1c)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xe), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x1e)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xf), +- A_C_00000000, A_C_00000000); ++ /* A_P16VIN(0) is delayed by one sample, so all other A_P16VIN channels ++ * will need to also be delayed; we use an auxiliary register for that. */ ++ for (z = 1; z < 0x10; z++) { ++ snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr), A_FXBUS2(z * 2) ); ++ A_OP(icode, &ptr, iACC3, A_GPR(gpr), A_P16VIN(z), A_C_00000000, A_C_00000000); ++ gpr_map[gpr++] = 0x00000000; ++ } + } + + #if 0 diff --git a/tmp-5.15/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch b/tmp-5.15/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch new file mode 100644 index 00000000000..d740600c6b7 --- /dev/null +++ b/tmp-5.15/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch 
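Review bot: The new `for (z = 1; z < 0x10; z++)` loop drops the removed comments that said which capture inputs are which, and the bounds `8` and `0x10` are bare literals. A one-line comment above the loop, such as `/* z >= 4: 96kHz-mode inputs; z >= 8: eight extra capture channels (16 total) */`, would keep that information next to the code. The enclosing function and the declaration of `z` are outside the hunk.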
@@ -0,0 +1,32 @@ +From c250ef8954eda2024c8861c36e9fc1b589481fe7 Mon Sep 17 00:00:00 2001 +From: Christoffer Sandberg +Date: Tue, 18 Jul 2023 16:57:22 +0200 +Subject: ALSA: hda/realtek: Add quirk for Clevo NS70AU + +From: Christoffer Sandberg + +commit c250ef8954eda2024c8861c36e9fc1b589481fe7 upstream. + +Fixes headset detection on Clevo NS70AU. + +Co-developed-by: Werner Sembach +Signed-off-by: Werner Sembach +Signed-off-by: Christoffer Sandberg +Cc: +Link: https://lore.kernel.org/r/20230718145722.10592-1-wse@tuxedocomputers.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9207,6 +9207,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1558, 0x5157, "Clevo W517GU1", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x51a1, "Clevo NS50MU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x51b1, "Clevo NS50AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x51b3, "Clevo NS70AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x5630, "Clevo NP50RNJS", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x70a1, "Clevo NB70T[HJK]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x70b3, "Clevo NK70SB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), diff --git a/tmp-5.15/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch b/tmp-5.15/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch new file mode 100644 index 00000000000..0c3c7a7fefc --- /dev/null +++ b/tmp-5.15/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch 
@@ -0,0 +1,73 @@ +From 0659400f18c0e6c0c69d74fe5d09e7f6fbbd52a2 Mon Sep 17 00:00:00 2001 +From: Luka Guzenko +Date: Tue, 18 Jul 2023 18:12:41 +0200 +Subject: ALSA: hda/realtek: Enable Mute LED on HP Laptop 15s-eq2xxx + +From: Luka Guzenko + +commit 0659400f18c0e6c0c69d74fe5d09e7f6fbbd52a2 upstream. + +The HP Laptop 15s-eq2xxx uses ALC236 codec and controls the mute LED using +COEF 0x07 index 1. No existing quirk covers this configuration. +Adds a new quirk and enables it for the device. + +Signed-off-by: Luka Guzenko +Cc: +Link: https://lore.kernel.org/r/20230718161241.393181-1-l.guzenko@web.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4617,6 +4617,21 @@ static void alc236_fixup_hp_mute_led_coe + } + } + ++static void alc236_fixup_hp_mute_led_coefbit2(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ spec->mute_led_polarity = 0; ++ spec->mute_led_coef.idx = 0x07; ++ spec->mute_led_coef.mask = 1; ++ spec->mute_led_coef.on = 1; ++ spec->mute_led_coef.off = 0; ++ snd_hda_gen_add_mute_led_cdev(codec, coef_mute_led_set); ++ } ++} ++ + /* turn on/off mic-mute LED per capture hook by coef bit */ + static int coef_micmute_led_set(struct led_classdev *led_cdev, + enum led_brightness brightness) +@@ -6935,6 +6950,7 @@ enum { + ALC285_FIXUP_HP_GPIO_LED, + ALC285_FIXUP_HP_MUTE_LED, + ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED, ++ ALC236_FIXUP_HP_MUTE_LED_COEFBIT2, + ALC236_FIXUP_HP_GPIO_LED, + ALC236_FIXUP_HP_MUTE_LED, + ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF, +@@ -8308,6 +8324,10 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc285_fixup_hp_spectre_x360_mute_led, + }, ++ [ALC236_FIXUP_HP_MUTE_LED_COEFBIT2] = { ++ .type = HDA_FIXUP_FUNC, 
++ .v.func = alc236_fixup_hp_mute_led_coefbit2, ++ }, + [ALC236_FIXUP_HP_GPIO_LED] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc236_fixup_hp_gpio_led, +@@ -9068,6 +9088,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8873, "HP ZBook Studio 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), ++ SND_PCI_QUIRK(0x103c, 0x887a, "HP Laptop 15s-eq2xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x888d, "HP ZBook Power 15.6 inch G8 Mobile Workstation PC", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8895, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_SPEAKERS_MICMUTE_LED), + SND_PCI_QUIRK(0x103c, 0x8896, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_MUTE_LED), diff --git a/tmp-5.15/alsa-hda-realtek-remove-3k-pull-low-procedure.patch b/tmp-5.15/alsa-hda-realtek-remove-3k-pull-low-procedure.patch new file mode 100644 index 00000000000..528d0808bcb --- /dev/null +++ b/tmp-5.15/alsa-hda-realtek-remove-3k-pull-low-procedure.patch 
@@ -0,0 +1,66 @@ +From 69ea4c9d02b7947cdd612335a61cc1a02e544ccd Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Thu, 13 Jul 2023 15:57:13 +0800 +Subject: ALSA: hda/realtek - remove 3k pull low procedure + +From: Kailang Yang + +commit 69ea4c9d02b7947cdd612335a61cc1a02e544ccd upstream. + +This was the ALC283 depop procedure. +Maybe this procedure wasn't suitable with new codec. +So, let us remove it. But HP 15z-fc000 must do 3k pull low. If it +reboot with plugged headset, +it will have errors show don't find codec error messages. Run 3k pull +low will solve issues. +So, let AMD chipset will run this for workarround. + +Fixes: 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording issue") +Signed-off-by: Kailang Yang +Cc: +Reported-by: Joseph C. Sible +Closes: https://lore.kernel.org/r/CABpewhE4REgn9RJZduuEU6Z_ijXNeQWnrxO1tg70Gkw=F8qNYg@mail.gmail.com/ +Link: https://lore.kernel.org/r/4678992299664babac4403d9978e7ba7@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -120,6 +120,7 @@ struct alc_spec { + unsigned int ultra_low_power:1; + unsigned int has_hs_key:1; + unsigned int no_internal_mic_pin:1; ++ unsigned int en_3kpull_low:1; + + /* for PLL fix */ + hda_nid_t pll_nid; +@@ -3616,6 +3617,7 @@ static void alc256_shutup(struct hda_cod + if (!hp_pin) + hp_pin = 0x21; + ++ alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */ + hp_pin_sense = snd_hda_jack_detect(codec, hp_pin); + + if (hp_pin_sense) +@@ -3632,8 +3634,7 @@ static void alc256_shutup(struct hda_cod + /* If disable 3k pulldown control for alc257, the Mic detection will not work correctly + * when booting with headset plugged. 
So skip setting it for the codec alc257 + */ +- if (codec->core.vendor_id != 0x10ec0236 && +- codec->core.vendor_id != 0x10ec0257) ++ if (spec->en_3kpull_low) + alc_update_coef_idx(codec, 0x46, 0, 3 << 12); + + if (!spec->no_shutup_pins) +@@ -10146,6 +10147,8 @@ static int patch_alc269(struct hda_codec + spec->shutup = alc256_shutup; + spec->init_hook = alc256_init; + spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */ ++ if (codec->bus->pci->vendor == PCI_VENDOR_ID_AMD) ++ spec->en_3kpull_low = true; + break; + case 0x10ec0257: + spec->codec_variant = ALC269_TYPE_ALC257; diff --git a/tmp-5.15/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch b/tmp-5.15/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch new file mode 100644 index 00000000000..c414aa4221c --- /dev/null +++ b/tmp-5.15/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch 
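Review bot: In the patch_alc269 hunk, `codec->bus->pci->vendor` is read without checking `codec->bus->pci`, which would be a NULL dereference at probe time if this codec can sit behind a non-PCI HDA controller; the bus setup is outside the hunk, so this needs confirming. A guarded form is `if (codec->bus->pci && codec->bus->pci->vendor == PCI_VENDOR_ID_AMD)`. In alc256_shutup the comment above the changed condition still says the setting is skipped for alc257, while the new test is `spec->en_3kpull_low`; the comment should say the pull-low runs only when that flag is set. Both functions continue outside their hunks.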
@@ -0,0 +1,157 @@ +From a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:16 +0200 +Subject: ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove + +From: Johan Hovold + +commit a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 upstream. + +The MBHC resources must be released on component probe failure and +removal so can not be tied to the lifetime of the component device. + +This is specifically needed to allow probe deferrals of the sound card +which otherwise fails when reprobing the codec component: + + snd-sc8280xp sound: ASoC: failed to instantiate card -517 + genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr) + wcd938x_codec audio-codec: Failed to request mbhc interrupts -16 + wcd938x_codec audio-codec: mbhc initialization failed + wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16 + snd-sc8280xp sound: ASoC: failed to instantiate card -16 + +Fixes: 0e5c9e7ff899 ("ASoC: codecs: wcd: add multi button Headset detection support") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-7-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd-mbhc-v2.c | 57 +++++++++++++++++++++++++++++------------ + 1 file changed, 41 insertions(+), 16 deletions(-) + +--- a/sound/soc/codecs/wcd-mbhc-v2.c ++++ b/sound/soc/codecs/wcd-mbhc-v2.c +@@ -1370,7 +1370,7 @@ struct wcd_mbhc *wcd_mbhc_init(struct sn + return ERR_PTR(-EINVAL); + } + +- mbhc = devm_kzalloc(dev, sizeof(*mbhc), GFP_KERNEL); ++ mbhc = kzalloc(sizeof(*mbhc), GFP_KERNEL); + if (!mbhc) + return ERR_PTR(-ENOMEM); + +@@ -1390,61 +1390,76 @@ struct wcd_mbhc *wcd_mbhc_init(struct sn + + INIT_WORK(&mbhc->correct_plug_swch, wcd_correct_swch_plug); + +- ret = devm_request_threaded_irq(dev, 
mbhc->intr_ids->mbhc_sw_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_sw_intr, NULL, + wcd_mbhc_mech_plug_detect_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "mbhc sw intr", mbhc); + if (ret) +- goto err; ++ goto err_free_mbhc; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_btn_press_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_btn_press_intr, NULL, + wcd_mbhc_btn_press_handler, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Button Press detect", mbhc); + if (ret) +- goto err; ++ goto err_free_sw_intr; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_btn_release_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_btn_release_intr, NULL, + wcd_mbhc_btn_release_handler, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Button Release detect", mbhc); + if (ret) +- goto err; ++ goto err_free_btn_press_intr; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_hs_ins_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_hs_ins_intr, NULL, + wcd_mbhc_adc_hs_ins_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Elect Insert", mbhc); + if (ret) +- goto err; ++ goto err_free_btn_release_intr; + + disable_irq_nosync(mbhc->intr_ids->mbhc_hs_ins_intr); + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_hs_rem_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_hs_rem_intr, NULL, + wcd_mbhc_adc_hs_rem_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Elect Remove", mbhc); + if (ret) +- goto err; ++ goto err_free_hs_ins_intr; + + disable_irq_nosync(mbhc->intr_ids->mbhc_hs_rem_intr); + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->hph_left_ocp, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->hph_left_ocp, NULL, + wcd_mbhc_hphl_ocp_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "HPH_L OCP detect", mbhc); + if (ret) +- goto err; ++ goto err_free_hs_rem_intr; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->hph_right_ocp, NULL, ++ ret = 
request_threaded_irq(mbhc->intr_ids->hph_right_ocp, NULL, + wcd_mbhc_hphr_ocp_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "HPH_R OCP detect", mbhc); + if (ret) +- goto err; ++ goto err_free_hph_left_ocp; + + return mbhc; +-err: ++ ++err_free_hph_left_ocp: ++ free_irq(mbhc->intr_ids->hph_left_ocp, mbhc); ++err_free_hs_rem_intr: ++ free_irq(mbhc->intr_ids->mbhc_hs_rem_intr, mbhc); ++err_free_hs_ins_intr: ++ free_irq(mbhc->intr_ids->mbhc_hs_ins_intr, mbhc); ++err_free_btn_release_intr: ++ free_irq(mbhc->intr_ids->mbhc_btn_release_intr, mbhc); ++err_free_btn_press_intr: ++ free_irq(mbhc->intr_ids->mbhc_btn_press_intr, mbhc); ++err_free_sw_intr: ++ free_irq(mbhc->intr_ids->mbhc_sw_intr, mbhc); ++err_free_mbhc: ++ kfree(mbhc); ++ + dev_err(dev, "Failed to request mbhc interrupts %d\n", ret); + + return ERR_PTR(ret); +@@ -1453,9 +1468,19 @@ EXPORT_SYMBOL(wcd_mbhc_init); + + void wcd_mbhc_deinit(struct wcd_mbhc *mbhc) + { ++ free_irq(mbhc->intr_ids->hph_right_ocp, mbhc); ++ free_irq(mbhc->intr_ids->hph_left_ocp, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_hs_rem_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_hs_ins_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_btn_release_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_btn_press_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_sw_intr, mbhc); ++ + mutex_lock(&mbhc->lock); + wcd_cancel_hs_detect_plug(mbhc, &mbhc->correct_plug_swch); + mutex_unlock(&mbhc->lock); ++ ++ kfree(mbhc); + } + EXPORT_SYMBOL(wcd_mbhc_deinit); + diff --git a/tmp-5.15/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch b/tmp-5.15/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch new file mode 100644 index 00000000000..c86cf2752f1 --- /dev/null +++ b/tmp-5.15/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch 
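Review bot: wcd_mbhc_deinit now starts by dereferencing `mbhc->intr_ids` and ends in `kfree(mbhc)`, so it is unsafe for a NULL or ERR_PTR argument and leaves the caller's stored pointer dangling. With the devm lifetime gone, a guard at the top such as `if (IS_ERR_OR_NULL(mbhc)) return;` would protect callers that keep wcd_mbhc_init's return value without checking it, and callers should clear their pointer after the call. Only `correct_plug_swch` is cancelled before the free; if wcd_mbhc_init sets up any other work or timer outside the hunk, it has to be cancelled synchronously before `kfree(mbhc)` or it can run on freed memory. wcd_mbhc_init starts outside the hunk.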
@@ -0,0 +1,54 @@ +From 798590cc7d3c2b5f3a7548d96dd4d8a081c1bc39 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:15 +0200 +Subject: ASoC: codecs: wcd934x: fix resource leaks on component remove + +From: Johan Hovold + +commit 798590cc7d3c2b5f3a7548d96dd4d8a081c1bc39 upstream. + +Make sure to release allocated MBHC resources also on component remove. + +This is specifically needed to allow probe deferrals of the sound card +which otherwise fails when reprobing the codec component. + +Fixes: 9fb9b1690f0b ("ASoC: codecs: wcd934x: add mbhc support") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-6-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd934x.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/sound/soc/codecs/wcd934x.c ++++ b/sound/soc/codecs/wcd934x.c +@@ -3044,6 +3044,17 @@ static int wcd934x_mbhc_init(struct snd_ + + return 0; + } ++ ++static void wcd934x_mbhc_deinit(struct snd_soc_component *component) ++{ ++ struct wcd934x_codec *wcd = snd_soc_component_get_drvdata(component); ++ ++ if (!wcd->mbhc) ++ return; ++ ++ wcd_mbhc_deinit(wcd->mbhc); ++} ++ + static int wcd934x_comp_probe(struct snd_soc_component *component) + { + struct wcd934x_codec *wcd = dev_get_drvdata(component->dev); +@@ -3077,6 +3088,7 @@ static void wcd934x_comp_remove(struct s + { + struct wcd934x_codec *wcd = dev_get_drvdata(comp->dev); + ++ wcd934x_mbhc_deinit(comp); + wcd_clsh_ctrl_free(wcd->clsh_ctrl); + } + diff --git a/tmp-5.15/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch b/tmp-5.15/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch new file mode 100644 index 00000000000..b2b13e4cbad --- /dev/null +++ b/tmp-5.15/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch 
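Review bot: wcd934x_mbhc_deinit leaves `wcd->mbhc` pointing at memory that wcd_mbhc_deinit frees (per the wcd-mbhc-v2 change on this page), so the `if (!wcd->mbhc)` guard cannot protect a second call or a later use after remove. Adding `wcd->mbhc = NULL;` after `wcd_mbhc_deinit(wcd->mbhc);` closes that. The guard also tests only for NULL; if wcd934x_mbhc_init, which is outside the hunk, can store an ERR_PTR returned by wcd_mbhc_init, the test should be `IS_ERR_OR_NULL(wcd->mbhc)`. The new helper reads driver data with `snd_soc_component_get_drvdata(component)` while wcd934x_comp_probe and wcd934x_comp_remove use `dev_get_drvdata()` on the component device; one accessor throughout would be consistent.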
@@ -0,0 +1,54 @@ +From 85a61b1ce461a3f62f1019e5e6423c393c542bff Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 30 Jun 2023 14:03:18 +0200 +Subject: ASoC: codecs: wcd938x: fix codec initialisation race + +From: Johan Hovold + +commit 85a61b1ce461a3f62f1019e5e6423c393c542bff upstream. + +Make sure to resume the codec and soundwire device before trying to read +the codec variant and configure the device during component probe. + +This specifically avoids interpreting (a masked and shifted) -EBUSY +errno as the variant: + + wcd938x_codec audio-codec: ASoC: error at soc_component_read_no_lock on audio-codec for register: [0x000034b0] -16 + +when the soundwire device happens to be suspended, which in turn +prevents some headphone controls from being registered. + +Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Reported-by: Steev Klimaszewski +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230630120318.6571-1-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -4091,6 +4091,10 @@ static int wcd938x_soc_codec_probe(struc + + snd_soc_component_init_regmap(component, wcd938x->regmap); + ++ ret = pm_runtime_resume_and_get(dev); ++ if (ret < 0) ++ return ret; ++ + wcd938x->variant = snd_soc_component_read_field(component, + WCD938X_DIGITAL_EFUSE_REG_0, + WCD938X_ID_MASK); +@@ -4108,6 +4112,8 @@ static int wcd938x_soc_codec_probe(struc + (WCD938X_DIGITAL_INTR_LEVEL_0 + i), 0); + } + ++ pm_runtime_put(dev); ++ + wcd938x->hphr_pdm_wd_int = regmap_irq_get_virq(wcd938x->irq_chip, + WCD938X_IRQ_HPHR_PDM_WD_INT); + wcd938x->hphl_pdm_wd_int = regmap_irq_get_virq(wcd938x->irq_chip, 
diff --git a/tmp-5.15/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch b/tmp-5.15/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch new file mode 100644 index 00000000000..ec03aa12b41 --- /dev/null +++ b/tmp-5.15/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch @@ -0,0 +1,37 @@ +From ed0dd9205bf69593edb495cb4b086dbae96a3f05 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:13 +0200 +Subject: ASoC: codecs: wcd938x: fix missing clsh ctrl error handling + +From: Johan Hovold + +commit ed0dd9205bf69593edb495cb4b086dbae96a3f05 upstream. + +Allocation of the clash control structure may fail so add the missing +error handling to avoid dereferencing an error pointer. + +Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-4-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -4086,6 +4086,10 @@ static int wcd938x_soc_codec_probe(struc + WCD938X_ID_MASK); + + wcd938x->clsh_info = wcd_clsh_ctrl_alloc(component, WCD938X); ++ if (IS_ERR(wcd938x->clsh_info)) { ++ pm_runtime_put(dev); ++ return PTR_ERR(wcd938x->clsh_info); ++ } + + wcd938x_io_init(wcd938x); + /* Set all interrupts as edge triggered */ diff --git a/tmp-5.15/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch b/tmp-5.15/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch new file mode 100644 index 00000000000..7ae5bed3247 --- /dev/null +++ b/tmp-5.15/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch 
@@ -0,0 +1,51 @@ +From 7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 3 Jul 2023 14:47:01 +0200 +Subject: ASoC: codecs: wcd938x: fix missing mbhc init error handling + +From: Johan Hovold + +commit 7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66 upstream. + +MBHC initialisation can fail so add the missing error handling to avoid +dereferencing an error pointer when later configuring the jack: + + Unable to handle kernel paging request at virtual address fffffffffffffff8 + + pc : wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc] + lr : wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x] + + Call trace: + wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc] + wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x] + snd_soc_component_set_jack+0x28/0x8c [snd_soc_core] + qcom_snd_wcd_jack_setup+0x7c/0x19c [snd_soc_qcom_common] + sc8280xp_snd_init+0x20/0x2c [snd_soc_sc8280xp] + snd_soc_link_init+0x28/0x90 [snd_soc_core] + snd_soc_bind_card+0x628/0xbfc [snd_soc_core] + snd_soc_register_card+0xec/0x104 [snd_soc_core] + devm_snd_soc_register_card+0x4c/0xa4 [snd_soc_core] + sc8280xp_platform_probe+0xf0/0x108 [snd_soc_sc8280xp] + +Fixes: bcee7ed09b8e ("ASoC: codecs: wcd938x: add Multi Button Headset Control support") +Cc: stable@vger.kernel.org # 5.15 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230703124701.11734-1-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3621,6 +3621,8 @@ static int wcd938x_mbhc_init(struct snd_ + WCD938X_IRQ_HPHR_OCP_INT); + + wcd938x->wcd_mbhc = wcd_mbhc_init(component, &mbhc_cb, intr_ids, wcd_mbhc_fields, true); ++ if (IS_ERR(wcd938x->wcd_mbhc)) ++ return PTR_ERR(wcd938x->wcd_mbhc); + + snd_soc_add_component_controls(component, impedance_detect_controls, + 
ARRAY_SIZE(impedance_detect_controls)); diff --git a/tmp-5.15/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch b/tmp-5.15/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch new file mode 100644 index 00000000000..75dac863899 --- /dev/null +++ b/tmp-5.15/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch 
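Review bot: The added check returns `PTR_ERR(wcd938x->wcd_mbhc)` but leaves the error pointer stored in `wcd938x->wcd_mbhc`, so the oops quoted in the commit message is avoided only if every caller stops on the returned error. The caller of wcd938x_mbhc_init is outside the hunk; if it merely logs the failure, wcd938x_codec_set_jack would still hand the ERR_PTR to wcd_mbhc_start. Assigning the result of wcd_mbhc_init to a local and storing it in `wcd938x->wcd_mbhc` only on success, with the jack path checking the field before use, keeps the bad pointer out of driver state. wcd938x_mbhc_init starts outside the hunk.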
@@ -0,0 +1,151 @@
+From a3406f87775fee986876e03f93a84385f54d5999 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 5 Jul 2023 14:30:14 +0200
+Subject: ASoC: codecs: wcd938x: fix resource leaks on component remove
+
+From: Johan Hovold
+
+commit a3406f87775fee986876e03f93a84385f54d5999 upstream.
+
+Make sure to release allocated resources on component probe failure and
+on remove.
+
+This is specifically needed to allow probe deferrals of the sound card
+which otherwise fails when reprobing the codec component:
+
+ snd-sc8280xp sound: ASoC: failed to instantiate card -517
+ genirq: Flags mismatch irq 289. 00002001 (HPHR PDM WD INT) vs. 00002001 (HPHR PDM WD INT)
+ wcd938x_codec audio-codec: Failed to request HPHR WD interrupt (-16)
+ genirq: Flags mismatch irq 290. 00002001 (HPHL PDM WD INT) vs. 00002001 (HPHL PDM WD INT)
+ wcd938x_codec audio-codec: Failed to request HPHL WD interrupt (-16)
+ genirq: Flags mismatch irq 291. 00002001 (AUX PDM WD INT) vs. 00002001 (AUX PDM WD INT)
+ wcd938x_codec audio-codec: Failed to request Aux WD interrupt (-16)
+ genirq: Flags mismatch irq 292. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr)
+ wcd938x_codec audio-codec: Failed to request mbhc interrupts -16
+
+Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver")
+Cc: stable@vger.kernel.org # 5.14
+Cc: Srinivas Kandagatla
+Signed-off-by: Johan Hovold
+Reviewed-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20230705123018.30903-5-johan+linaro@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/codecs/wcd938x.c | 55 +++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 48 insertions(+), 7 deletions(-)
+
+--- a/sound/soc/codecs/wcd938x.c
++++ b/sound/soc/codecs/wcd938x.c
+@@ -3629,6 +3629,14 @@ static int wcd938x_mbhc_init(struct snd_
+
+ return 0;
+ }
++
++static void wcd938x_mbhc_deinit(struct snd_soc_component *component)
++{
++ struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component);
++
++ wcd_mbhc_deinit(wcd938x->wcd_mbhc);
++}
++
+ /* END MBHC */
+
+ static const struct snd_kcontrol_new wcd938x_snd_controls[] = {
+@@ -4109,20 +4117,26 @@ static int wcd938x_soc_codec_probe(struc
+ ret = request_threaded_irq(wcd938x->hphr_pdm_wd_int, NULL, wcd938x_wd_handle_irq,
+ IRQF_ONESHOT | IRQF_TRIGGER_RISING,
+ "HPHR PDM WD INT", wcd938x);
+- if (ret)
++ if (ret) {
+ dev_err(dev, "Failed to request HPHR WD interrupt (%d)\n", ret);
++ goto err_free_clsh_ctrl;
++ }
+
+ ret = request_threaded_irq(wcd938x->hphl_pdm_wd_int, NULL, wcd938x_wd_handle_irq,
+ IRQF_ONESHOT | IRQF_TRIGGER_RISING,
+ "HPHL PDM WD INT", wcd938x);
+- if (ret)
++ if (ret) {
+ dev_err(dev, "Failed to request HPHL WD interrupt (%d)\n", ret);
++ goto err_free_hphr_pdm_wd_int;
++ }
+
+ ret = request_threaded_irq(wcd938x->aux_pdm_wd_int, NULL, wcd938x_wd_handle_irq,
+ IRQF_ONESHOT | IRQF_TRIGGER_RISING,
+ "AUX PDM WD INT", wcd938x);
+- if (ret)
++ if (ret) {
+ dev_err(dev, "Failed to request Aux WD interrupt (%d)\n", ret);
++ goto err_free_hphl_pdm_wd_int;
++ }
+
+ /* Disable watchdog interrupt for HPH and AUX */
+ disable_irq_nosync(wcd938x->hphr_pdm_wd_int);
+@@ -4137,7 +4151,7 @@ static int wcd938x_soc_codec_probe(struc
+ dev_err(component->dev,
+ "%s: Failed to add snd ctrls for variant: %d\n",
+ __func__, wcd938x->variant);
+- goto err;
++ goto err_free_aux_pdm_wd_int;
+ }
+ break;
+ case WCD9385:
+@@ -4147,7 +4161,7 @@ static int wcd938x_soc_codec_probe(struc
+ dev_err(component->dev,
+ "%s: Failed to add snd ctrls for variant: %d\n",
+ __func__, wcd938x->variant);
+- goto err;
++ goto err_free_aux_pdm_wd_int;
+ }
+ break;
+ default:
+@@ -4155,12 +4169,38 @@ static int wcd938x_soc_codec_probe(struc
+ }
+
+ ret = wcd938x_mbhc_init(component);
+- if (ret)
++ if (ret) {
+ dev_err(component->dev, "mbhc initialization failed\n");
+-err:
++ goto err_free_aux_pdm_wd_int;
++ }
++
++ return 0;
++
++err_free_aux_pdm_wd_int:
++ free_irq(wcd938x->aux_pdm_wd_int, wcd938x);
++err_free_hphl_pdm_wd_int:
++ free_irq(wcd938x->hphl_pdm_wd_int, wcd938x);
++err_free_hphr_pdm_wd_int:
++ free_irq(wcd938x->hphr_pdm_wd_int, wcd938x);
++err_free_clsh_ctrl:
++ wcd_clsh_ctrl_free(wcd938x->clsh_info);
++
+ return ret;
+ }
+
++static void wcd938x_soc_codec_remove(struct snd_soc_component *component)
++{
++ struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component);
++
++ wcd938x_mbhc_deinit(component);
++
++ free_irq(wcd938x->aux_pdm_wd_int, wcd938x);
++ free_irq(wcd938x->hphl_pdm_wd_int, wcd938x);
++ free_irq(wcd938x->hphr_pdm_wd_int, wcd938x);
++
++ wcd_clsh_ctrl_free(wcd938x->clsh_info);
++}
++
+ static int wcd938x_codec_set_jack(struct snd_soc_component *comp,
+ struct snd_soc_jack *jack, void *data)
+ {
+@@ -4177,6 +4217,7 @@ static int wcd938x_codec_set_jack(struct
+ static const struct snd_soc_component_driver soc_codec_dev_wcd938x = {
+ .name = "wcd938x_codec",
+ .probe = wcd938x_soc_codec_probe,
++ .remove = wcd938x_soc_codec_remove,
+ .controls = wcd938x_snd_controls,
+ .num_controls = ARRAY_SIZE(wcd938x_snd_controls),
+ .dapm_widgets = wcd938x_dapm_widgets,
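Review bot: wcd938x_soc_codec_remove() and the new error labels in wcd938x_soc_codec_probe() have no comment on the ordering they depend on, although both sequences must stay mirror images of the probe steps. I would put a short header on the remove callback, for example `/* Undo wcd938x_soc_codec_probe() in reverse order so that a later re-probe can request the same interrupts again. */`, and a one-line `/* unwind in reverse order of acquisition */` above `err_free_aux_pdm_wd_int:`. The probe function begins before the hunk, so anything acquired ahead of the first request_threaded_irq() is not visible here and should be checked against the same unwind chain.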
diff --git a/tmp-5.15/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch b/tmp-5.15/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch
new file mode 100644
index 00000000000..ce4eae53bd4
--- /dev/null
+++ b/tmp-5.15/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch
@@ -0,0 +1,55 @@
+From 6f49256897083848ce9a59651f6b53fc80462397 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Sat, 1 Jul 2023 11:47:23 +0200
+Subject: ASoC: codecs: wcd938x: fix soundwire initialisation race
+
+From: Johan Hovold
+
+commit 6f49256897083848ce9a59651f6b53fc80462397 upstream.
+
+Make sure that the soundwire device used for register accesses has been
+enumerated and initialised before trying to read the codec variant
+during component probe.
+
+This specifically avoids interpreting (a masked and shifted) -EBUSY
+errno as the variant:
+
+ wcd938x_codec audio-codec: ASoC: error at soc_component_read_no_lock on audio-codec for register: [0x000034b0] -16
+
+in case the soundwire device has not yet been initialised, which in turn
+prevents some headphone controls from being registered.
+
+Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver")
+Cc: stable@vger.kernel.org # 5.14
+Cc: Srinivas Kandagatla
+Reported-by: Steev Klimaszewski
+Signed-off-by: Johan Hovold
+Tested-by: Steev Klimaszewski
+Link: https://lore.kernel.org/r/20230701094723.29379-1-johan+linaro@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/codecs/wcd938x.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/sound/soc/codecs/wcd938x.c
++++ b/sound/soc/codecs/wcd938x.c
+@@ -4086,9 +4086,18 @@ static int wcd938x_irq_init(struct wcd93
+ static int wcd938x_soc_codec_probe(struct snd_soc_component *component)
+ {
+ struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component);
++ struct sdw_slave *tx_sdw_dev = wcd938x->tx_sdw_dev;
+ struct device *dev = component->dev;
++ unsigned long time_left;
+ int ret, i;
+
++ time_left = wait_for_completion_timeout(&tx_sdw_dev->initialization_complete,
++ msecs_to_jiffies(2000));
++ if (!time_left) {
++ dev_err(dev, "soundwire device init timeout\n");
++ return -ETIMEDOUT;
++ }
++
+ snd_soc_component_init_regmap(component, wcd938x->regmap);
+
+ ret = pm_runtime_resume_and_get(dev);
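Review bot: The wait added at the top of wcd938x_soc_codec_probe() dereferences `wcd938x->tx_sdw_dev` unconditionally and passes a bare `2000` as the timeout. The code that assigns tx_sdw_dev is outside the hunk; if the pointer can still be unset when the component is probed, the race this patch closes turns into a NULL dereference, so an explicit `if (!tx_sdw_dev) return -ENODEV;` (or a comment stating why it cannot be NULL here) is worth adding. The timeout would read better as a named constant with its unit, e.g. `#define WCD938X_SDW_INIT_TIMEOUT_MS 2000`. The function continues past the end of the hunk.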
diff --git a/tmp-5.15/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch b/tmp-5.15/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch
new file mode 100644
index 00000000000..50b4a8a3654
--- /dev/null
+++ b/tmp-5.15/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch
@@ -0,0 +1,43 @@
+From 269f399dc19f0e5c51711c3ba3bd06e0ef6ef403 Mon Sep 17 00:00:00 2001
+From: Matus Gajdos
+Date: Wed, 12 Jul 2023 14:49:33 +0200
+Subject: ASoC: fsl_sai: Disable bit clock with transmitter
+
+From: Matus Gajdos
+
+commit 269f399dc19f0e5c51711c3ba3bd06e0ef6ef403 upstream.
+
+Otherwise bit clock remains running writing invalid data to the DAC.
+
+Signed-off-by: Matus Gajdos
+Acked-by: Shengjiu Wang
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230712124934.32232-1-matuszpd@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/fsl/fsl_sai.c | 2 +-
+ sound/soc/fsl/fsl_sai.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -560,7 +560,7 @@ static void fsl_sai_config_disable(struc
+ u32 xcsr, count = 100;
+
+ regmap_update_bits(sai->regmap, FSL_SAI_xCSR(tx, ofs),
+- FSL_SAI_CSR_TERE, 0);
++ FSL_SAI_CSR_TERE | FSL_SAI_CSR_BCE, 0);
+
+ /* TERE will remain set till the end of current frame */
+ do {
+--- a/sound/soc/fsl/fsl_sai.h
++++ b/sound/soc/fsl/fsl_sai.h
+@@ -87,6 +87,7 @@
+ /* SAI Transmit/Receive Control Register */
+ #define FSL_SAI_CSR_TERE BIT(31)
+ #define FSL_SAI_CSR_SE BIT(30)
++#define FSL_SAI_CSR_BCE BIT(28)
+ #define FSL_SAI_CSR_FR BIT(25)
+ #define FSL_SAI_CSR_SR BIT(24)
+ #define FSL_SAI_CSR_xF_SHIFT 16
diff --git a/tmp-5.15/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch b/tmp-5.15/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch
new file mode 100644
index 00000000000..5939098ebe4
--- /dev/null
+++ b/tmp-5.15/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch
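Review bot: In fsl_sai_config_disable() (sound/soc/fsl/fsl_sai.c) the comment that follows the changed regmap_update_bits() call still mentions only TERE, although the call now clears FSL_SAI_CSR_BCE too and nothing in the code says why. I would add a why-comment above the call, e.g. `/* also stop the bit clock, otherwise it keeps running and clocks invalid data into the DAC */`, which is the reason given in the commit message. The polling loop that begins at `do {` lies outside the hunk, so whether it should wait for BCE to clear as well cannot be judged from here and is worth a look.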
@@ -0,0 +1,75 @@
+From 5d878bc46d91efb344edfb4d4c2cb618fdc3711b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 21:45:28 +0530
+Subject: bpf: Fix subprog idx logic in check_max_stack_depth
+
+From: Kumar Kartikeya Dwivedi
+
+[ Upstream commit ba7b3e7d5f9014be65879ede8fd599cb222901c9 ]
+
+The assignment to idx in check_max_stack_depth happens once we see a
+bpf_pseudo_call or bpf_pseudo_func. This is not an issue as the rest of
+the code performs a few checks and then pushes the frame to the frame
+stack, except the case of async callbacks. If the async callback case
+causes the loop iteration to be skipped, the idx assignment will be
+incorrect on the next iteration of the loop. The value stored in the
+frame stack (as the subprogno of the current subprog) will be incorrect.
+
+This leads to incorrect checks and incorrect tail_call_reachable
+marking. Save the target subprog in a new variable and only assign to
+idx once we are done with the is_async_cb check which may skip pushing
+of frame to the frame stack and subsequent stack depth checks and tail
+call markings.
+
+Fixes: 7ddc80a476c2 ("bpf: Teach stack depth check about async callbacks.")
+Signed-off-by: Kumar Kartikeya Dwivedi
+Link: https://lore.kernel.org/r/20230717161530.1238-2-memxor@gmail.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/verifier.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index bd31aa6407a78..e1848a2a7230a 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -3744,7 +3744,7 @@ static int check_max_stack_depth(struct bpf_verifier_env *env)
+ continue_func:
+ subprog_end = subprog[idx + 1].start;
+ for (; i < subprog_end; i++) {
+- int next_insn;
++ int next_insn, sidx;
+
+ if (!bpf_pseudo_call(insn + i) && !bpf_pseudo_func(insn + i))
+ continue;
+@@ -3754,14 +3754,14 @@ static int check_max_stack_depth(struct bpf_verifier_env *env)
+
+ /* find the callee */
+ next_insn = i + insn[i].imm + 1;
+- idx = find_subprog(env, next_insn);
+- if (idx < 0) {
++ sidx = find_subprog(env, next_insn);
++ if (sidx < 0) {
+ WARN_ONCE(1, "verifier bug. No program starts at insn %d\n",
+ next_insn);
+ return -EFAULT;
+ }
+- if (subprog[idx].is_async_cb) {
+- if (subprog[idx].has_tail_call) {
++ if (subprog[sidx].is_async_cb) {
++ if (subprog[sidx].has_tail_call) {
+ verbose(env, "verifier bug. subprog has tail_call and async cb\n");
+ return -EFAULT;
+ }
+@@ -3770,6 +3770,7 @@ static int check_max_stack_depth(struct bpf_verifier_env *env)
+ continue;
+ }
+ i = next_insn;
++ idx = sidx;
+
+ if (subprog[idx].has_tail_call)
+ tail_call_reachable = true;
+--
+2.39.2
+
diff --git a/tmp-5.15/bridge-add-extack-warning-when-enabling-stp-in-netns.patch b/tmp-5.15/bridge-add-extack-warning-when-enabling-stp-in-netns.patch
new file mode 100644
index 00000000000..8b5caa663a0
--- /dev/null
+++ b/tmp-5.15/bridge-add-extack-warning-when-enabling-stp-in-netns.patch
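Review bot: The late `idx = sidx;` in check_max_stack_depth() (kernel/bpf/verifier.c) is the whole fix, yet nothing in the code explains why the callee index is held in a second variable, which makes it easy for a later cleanup to merge the two again. A comment on the assignment would protect it, e.g. `/* switch to the callee only once its frame is really entered; the async-callback path above continues without entering it */`. Since this loop decides stack-depth and tail_call_reachable checks in the verifier, a one-line note at the `sidx` declaration that `idx` must keep naming the current subprog until that point would also help. The loop body starts and ends outside the hunks shown.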
@@ -0,0 +1,71 @@
+From 03d3dddbbcfa6e8eebf8989e2fda7ab701b7ee4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Jul 2023 08:44:49 -0700
+Subject: bridge: Add extack warning when enabling STP in netns.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 56a16035bb6effb37177867cea94c13a8382f745 ]
+
+When we create an L2 loop on a bridge in netns, we will see packets storm
+even if STP is enabled.
+
+ # unshare -n
+ # ip link add br0 type bridge
+ # ip link add veth0 type veth peer name veth1
+ # ip link set veth0 master br0 up
+ # ip link set veth1 master br0 up
+ # ip link set br0 type bridge stp_state 1
+ # ip link set br0 up
+ # sleep 30
+ # ip -s link show br0
+ 2: br0: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
+ link/ether b6:61:98:1c:1c:b5 brd ff:ff:ff:ff:ff:ff
+ RX: bytes packets errors dropped missed mcast
+ 956553768 12861249 0 0 0 12861249 <-. Keep
+ TX: bytes packets errors dropped carrier collsns | increasing
+ 1027834 11951 0 0 0 0 <-' rapidly
+
+This is because llc_rcv() drops all packets in non-root netns and BPDU
+is dropped.
+
+Let's add extack warning when enabling STP in netns.
+
+ # unshare -n
+ # ip link add br0 type bridge
+ # ip link set br0 type bridge stp_state 1
+ Warning: bridge: STP does not work in non-root netns.
+
+Note this commit will be reverted later when we namespacify the whole LLC
+infra.
+
+Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe")
+Suggested-by: Harry Coin
+Link: https://lore.kernel.org/netdev/0f531295-e289-022d-5add-5ceffa0df9bc@quietfountain.com/
+Suggested-by: Ido Schimmel
+Signed-off-by: Kuniyuki Iwashima
+Acked-by: Nikolay Aleksandrov
+Reviewed-by: Ido Schimmel
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/bridge/br_stp_if.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
+index ba55851fe132c..3326dfced68ab 100644
+--- a/net/bridge/br_stp_if.c
++++ b/net/bridge/br_stp_if.c
+@@ -201,6 +201,9 @@ int br_stp_set_enabled(struct net_bridge *br, unsigned long val,
+ {
+ ASSERT_RTNL();
+
++ if (!net_eq(dev_net(br->dev), &init_net))
++ NL_SET_ERR_MSG_MOD(extack, "STP does not work in non-root netns");
++
+ if (br_mrp_enabled(br)) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "STP can't be enabled if MRP is already enabled");
+--
+2.39.2
+
diff --git a/tmp-5.15/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch b/tmp-5.15/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch
new file mode 100644
index 00000000000..9581c7b4ec3
--- /dev/null
+++ b/tmp-5.15/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch
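Review bot: The new check in br_stp_set_enabled() (net/bridge/br_stp_if.c) sets the extack message for every call made from a non-root netns, whatever `val` is, so it is presumably also emitted when STP is being switched off. Tying it to the request, `if (val && !net_eq(dev_net(br->dev), &init_net))`, would limit the warning to the case the text describes; how `val` is interpreted lies below the hunk, so confirm that 0 means disable. Because the call only warns and execution continues, a short comment such as `/* warning only: BPDUs are dropped by llc_rcv() outside init_net, so STP cannot break loops here */` would make it clear that loop protection is not actually in effect in that namespace.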
@@ -0,0 +1,89 @@
+From aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Fri, 14 Jul 2023 13:42:06 +0100
+Subject: btrfs: fix warning when putting transaction with qgroups enabled after abort
+
+From: Filipe Manana
+
+commit aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 upstream.
+
+If we have a transaction abort with qgroups enabled we get a warning
+triggered when doing the final put on the transaction, like this:
+
+ [552.6789] ------------[ cut here ]------------
+ [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs]
+ [552.6817] Modules linked in: btrfs blake2b_generic xor (...)
+ [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1
+ [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
+ [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs]
+ [552.6821] Code: bd a0 01 00 (...)
+ [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286
+ [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000
+ [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010
+ [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20
+ [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70
+ [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028
+ [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000
+ [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0
+ [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [552.6822] Call Trace:
+ [552.6822]
+ [552.6822] ? __warn+0x80/0x130
+ [552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs]
+ [552.6824] ? report_bug+0x1f4/0x200
+ [552.6824] ? handle_bug+0x42/0x70
+ [552.6824] ? exc_invalid_op+0x14/0x70
+ [552.6824] ? asm_exc_invalid_op+0x16/0x20
+ [552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs]
+ [552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs]
+ [552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40
+ [552.6828] ? try_to_wake_up+0x94/0x5e0
+ [552.6828] ? __pfx_process_timeout+0x10/0x10
+ [552.6828] transaction_kthread+0x103/0x1d0 [btrfs]
+ [552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs]
+ [552.6832] kthread+0xee/0x120
+ [552.6832] ? __pfx_kthread+0x10/0x10
+ [552.6832] ret_from_fork+0x29/0x50
+ [552.6832]
+ [552.6832] ---[ end trace 0000000000000000 ]---
+
+This corresponds to this line of code:
+
+ void btrfs_put_transaction(struct btrfs_transaction *transaction)
+ {
+ (...)
+ WARN_ON(!RB_EMPTY_ROOT(
+ &transaction->delayed_refs.dirty_extent_root));
+ (...)
+ }
+
+The warning happens because btrfs_qgroup_destroy_extent_records(), called
+in the transaction abort path, we free all entries from the rbtree
+"dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we
+don't actually empty the rbtree - it's still pointing to nodes that were
+freed.
+
+So set the rbtree's root node to NULL to avoid this warning (assign
+RB_ROOT).
+
+Fixes: 81f7eb00ff5b ("btrfs: destroy qgroup extent records on transaction abort")
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Josef Bacik
+Reviewed-by: Qu Wenruo
+Signed-off-by: Filipe Manana
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/qgroup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -4342,4 +4342,5 @@ void btrfs_qgroup_destroy_extent_records
+ ulist_free(entry->old_roots);
+ kfree(entry);
+ }
++ *root = RB_ROOT;
+ }
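Review bot: The added `*root = RB_ROOT;` at the end of btrfs_qgroup_destroy_extent_records() carries no comment, and without one it looks like a redundant reset after the loop. It is what stops the tree from pointing at freed nodes, so I would state that next to it: `/* entries were freed by the postorder walk without rb_erase(); reset the root so it does not reference freed nodes */`. The start of the function, including how `root` is obtained, is outside the hunk.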
diff --git a/tmp-5.15/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch b/tmp-5.15/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch
new file mode 100644
index 00000000000..2071c945e33
--- /dev/null
+++ b/tmp-5.15/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch
@@ -0,0 +1,38 @@
+From f1a07c2b4e2c473ec322b8b9ece071b8c88a3512 Mon Sep 17 00:00:00 2001
+From: Filipe Manana
+Date: Mon, 3 Jul 2023 12:03:21 +0100
+Subject: btrfs: zoned: fix memory leak after finding block group with super blocks
+
+From: Filipe Manana
+
+commit f1a07c2b4e2c473ec322b8b9ece071b8c88a3512 upstream.
+
+At exclude_super_stripes(), if we happen to find a block group that has
+super blocks mapped to it and we are on a zoned filesystem, we error out
+as this is not supposed to happen, indicating either a bug or maybe some
+memory corruption for example. However we are exiting the function without
+freeing the memory allocated for the logical address of the super blocks.
+Fix this by freeing the logical address.
+
+Fixes: 12659251ca5d ("btrfs: implement log-structured superblock for ZONED mode")
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Johannes Thumshirn
+Reviewed-by: Anand Jain
+Signed-off-by: Filipe Manana
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/block-group.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -1855,6 +1855,7 @@ static int exclude_super_stripes(struct
+
+ /* Shouldn't have super stripes in sequential zones */
+ if (zoned && nr) {
++ kfree(logical);
+ btrfs_err(fs_info,
+ "zoned: block group %llu must not contain super block",
+ cache->start);
diff --git a/tmp-5.15/can-bcm-fix-uaf-in-bcm_proc_show.patch b/tmp-5.15/can-bcm-fix-uaf-in-bcm_proc_show.patch
new file mode 100644
index 00000000000..37d47836ec2
--- /dev/null
+++ b/tmp-5.15/can-bcm-fix-uaf-in-bcm_proc_show.patch
@@ -0,0 +1,92 @@
+From 55c3b96074f3f9b0aee19bf93cd71af7516582bb Mon Sep 17 00:00:00 2001
+From: YueHaibing
+Date: Sat, 15 Jul 2023 17:25:43 +0800
+Subject: can: bcm: Fix UAF in bcm_proc_show()
+
+From: YueHaibing
+
+commit 55c3b96074f3f9b0aee19bf93cd71af7516582bb upstream.
+
+BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80
+Read of size 8 at addr ffff888155846230 by task cat/7862
+
+CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Call Trace:
+
+ dump_stack_lvl+0xd5/0x150
+ print_report+0xc1/0x5e0
+ kasan_report+0xba/0xf0
+ bcm_proc_show+0x969/0xa80
+ seq_read_iter+0x4f6/0x1260
+ seq_read+0x165/0x210
+ proc_reg_read+0x227/0x300
+ vfs_read+0x1d5/0x8d0
+ ksys_read+0x11e/0x240
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Allocated by task 7846:
+ kasan_save_stack+0x1e/0x40
+ kasan_set_track+0x21/0x30
+ __kasan_kmalloc+0x9e/0xa0
+ bcm_sendmsg+0x264b/0x44e0
+ sock_sendmsg+0xda/0x180
+ ____sys_sendmsg+0x735/0x920
+ ___sys_sendmsg+0x11d/0x1b0
+ __sys_sendmsg+0xfa/0x1d0
+ do_syscall_64+0x35/0xb0
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Freed by task 7846:
+ kasan_save_stack+0x1e/0x40
+ kasan_set_track+0x21/0x30
+ kasan_save_free_info+0x27/0x40
+ ____kasan_slab_free+0x161/0x1c0
+ slab_free_freelist_hook+0x119/0x220
+ __kmem_cache_free+0xb4/0x2e0
+ rcu_core+0x809/0x1bd0
+
+bcm_op is freed before procfs entry be removed in bcm_release(),
+this lead to bcm_proc_show() may read the freed bcm_op.
+
+Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
+Signed-off-by: YueHaibing
+Reviewed-by: Oliver Hartkopp
+Acked-by: Oliver Hartkopp
+Link: https://lore.kernel.org/all/20230715092543.15548-1-yuehaibing@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/bcm.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1521,6 +1521,12 @@ static int bcm_release(struct socket *so
+
+ lock_sock(sk);
+
++#if IS_ENABLED(CONFIG_PROC_FS)
++ /* remove procfs entry */
++ if (net->can.bcmproc_dir && bo->bcm_proc_read)
++ remove_proc_entry(bo->procname, net->can.bcmproc_dir);
++#endif /* CONFIG_PROC_FS */
++
+ list_for_each_entry_safe(op, next, &bo->tx_ops, list)
+ bcm_remove_op(op);
+
+@@ -1556,12 +1562,6 @@ static int bcm_release(struct socket *so
+ list_for_each_entry_safe(op, next, &bo->rx_ops, list)
+ bcm_remove_op(op);
+
+-#if IS_ENABLED(CONFIG_PROC_FS)
+- /* remove procfs entry */
+- if (net->can.bcmproc_dir && bo->bcm_proc_read)
+- remove_proc_entry(bo->procname, net->can.bcmproc_dir);
+-#endif /* CONFIG_PROC_FS */
+-
+ /* remove device reference */
+ if (bo->bound) {
+ bo->bound = 0;
diff --git a/tmp-5.15/can-raw-fix-receiver-memory-leak.patch b/tmp-5.15/can-raw-fix-receiver-memory-leak.patch
new file mode 100644
index 00000000000..ba3f572bed9
--- /dev/null
+++ b/tmp-5.15/can-raw-fix-receiver-memory-leak.patch
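Review bot: The moved block in bcm_release() (net/can/bcm.c) keeps its old comment `/* remove procfs entry */`, which says nothing about the ordering that is now the entire fix. I would reword it to record the constraint, e.g. `/* remove the procfs entry first: bcm_proc_show() reads the ops on bo->tx_ops/rx_ops, so it must not be reachable once they are freed below */`; that bcm_proc_show() reads those ops is taken from the commit message and KASAN report, not from code in the hunk. Without such a note a later reshuffle of the teardown steps can reintroduce the use-after-free. bcm_release() starts before and ends after the hunks shown.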
@@ -0,0 +1,233 @@
+From ee8b94c8510ce64afe0b87ef548d23e00915fb10 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan
+Date: Tue, 11 Jul 2023 09:17:37 +0800
+Subject: can: raw: fix receiver memory leak
+
+From: Ziyang Xuan
+
+commit ee8b94c8510ce64afe0b87ef548d23e00915fb10 upstream.
+
+Got kmemleak errors with the following ltp can_filter testcase:
+
+for ((i=1; i<=100; i++))
+do
+ ./can_filter &
+ sleep 0.1
+done
+
+==============================================================
+[<00000000db4a4943>] can_rx_register+0x147/0x360 [can]
+[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw]
+[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0
+[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70
+[<00000000fd468496>] do_syscall_64+0x33/0x40
+[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
+
+It's a bug in the concurrent scenario of unregister_netdevice_many()
+and raw_release() as following:
+
+ cpu0 cpu1
+unregister_netdevice_many(can_dev)
+ unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this
+ net_set_todo(can_dev)
+ raw_release(can_socket)
+ dev = dev_get_by_index(, ro->ifindex); // dev == NULL
+ if (dev) { // receivers in dev_rcv_lists not free because dev is NULL
+ raw_disable_allfilters(, dev, );
+ dev_put(dev);
+ }
+ ...
+ ro->bound = 0;
+ ...
+
+call_netdevice_notifiers(NETDEV_UNREGISTER, )
+ raw_notify(, NETDEV_UNREGISTER, )
+ if (ro->bound) // invalid because ro->bound has been set 0
+ raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed
+
+Add a net_device pointer member in struct raw_sock to record bound
+can_dev, and use rtnl_lock to serialize raw_socket members between
+raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use
+ro->dev to decide whether to free receivers in dev_rcv_lists.
+
+Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier")
+Reviewed-by: Oliver Hartkopp
+Acked-by: Oliver Hartkopp
+Signed-off-by: Ziyang Xuan
+Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/can/raw.c | 57 ++++++++++++++++++++++++---------------------------------
+ 1 file changed, 24 insertions(+), 33 deletions(-)
+
+--- a/net/can/raw.c
++++ b/net/can/raw.c
+@@ -83,6 +83,7 @@ struct raw_sock {
+ struct sock sk;
+ int bound;
+ int ifindex;
++ struct net_device *dev;
+ struct list_head notifier;
+ int loopback;
+ int recv_own_msgs;
+@@ -275,7 +276,7 @@ static void raw_notify(struct raw_sock *
+ if (!net_eq(dev_net(dev), sock_net(sk)))
+ return;
+
+- if (ro->ifindex != dev->ifindex)
++ if (ro->dev != dev)
+ return;
+
+ switch (msg) {
+@@ -290,6 +291,7 @@ static void raw_notify(struct raw_sock *
+
+ ro->ifindex = 0;
+ ro->bound = 0;
++ ro->dev = NULL;
+ ro->count = 0;
+ release_sock(sk);
+
+@@ -335,6 +337,7 @@ static int raw_init(struct sock *sk)
+
+ ro->bound = 0;
+ ro->ifindex = 0;
++ ro->dev = NULL;
+
+ /* set default filter to single entry dfilter */
+ ro->dfilter.can_id = 0;
+@@ -382,19 +385,13 @@ static int raw_release(struct socket *so
+
+ lock_sock(sk);
+
++ rtnl_lock();
+ /* remove current filters & unregister */
+ if (ro->bound) {
+- if (ro->ifindex) {
+- struct net_device *dev;
+-
+- dev = dev_get_by_index(sock_net(sk), ro->ifindex);
+- if (dev) {
+- raw_disable_allfilters(dev_net(dev), dev, sk);
+- dev_put(dev);
+- }
+- } else {
++ if (ro->dev)
++ raw_disable_allfilters(dev_net(ro->dev), ro->dev, sk);
++ else
+ raw_disable_allfilters(sock_net(sk), NULL, sk);
+- }
+ }
+
+ if (ro->count > 1)
+@@ -402,8 +399,10 @@ static int raw_release(struct socket *so
+
+ ro->ifindex = 0;
+ ro->bound = 0;
++ ro->dev = NULL;
+ ro->count = 0;
+ free_percpu(ro->uniq);
++ rtnl_unlock();
+
+ sock_orphan(sk);
+ sock->sk = NULL;
+@@ -419,6 +418,7 @@ static int raw_bind(struct socket *sock,
+ struct sockaddr_can *addr = (struct sockaddr_can *)uaddr;
+ struct sock *sk = sock->sk;
+ struct raw_sock *ro = raw_sk(sk);
++ struct net_device *dev = NULL;
+ int ifindex;
+ int err = 0;
+ int notify_enetdown = 0;
+@@ -428,14 +428,13 @@ static int raw_bind(struct socket *sock,
+ if (addr->can_family != AF_CAN)
+ return -EINVAL;
+
++ rtnl_lock();
+ lock_sock(sk);
+
+ if (ro->bound && addr->can_ifindex == ro->ifindex)
+ goto out;
+
+ if (addr->can_ifindex) {
+- struct net_device *dev;
+-
+ dev = dev_get_by_index(sock_net(sk), addr->can_ifindex);
+ if (!dev) {
+ err = -ENODEV;
+@@ -464,26 +463,20 @@ static int raw_bind(struct socket *sock,
+ if (!err) {
+ if (ro->bound) {
+ /* unregister old filters */
+- if (ro->ifindex) {
+- struct net_device *dev;
+-
+- dev = dev_get_by_index(sock_net(sk),
+- ro->ifindex);
+- if (dev) {
+- raw_disable_allfilters(dev_net(dev),
+- dev, sk);
+- dev_put(dev);
+- }
+- } else {
++ if (ro->dev)
++ raw_disable_allfilters(dev_net(ro->dev),
++ ro->dev, sk);
++ else
+ raw_disable_allfilters(sock_net(sk), NULL, sk);
+- }
+ }
+ ro->ifindex = ifindex;
+ ro->bound = 1;
++ ro->dev = dev;
+ }
+
+ out:
+ release_sock(sk);
++ rtnl_unlock();
+
+ if (notify_enetdown) {
+ sk->sk_err = ENETDOWN;
+@@ -549,9 +542,9 @@ static int raw_setsockopt(struct socket
+ rtnl_lock();
+ lock_sock(sk);
+
+- if (ro->bound && ro->ifindex) {
+- dev = dev_get_by_index(sock_net(sk), ro->ifindex);
+- if (!dev) {
++ dev = ro->dev;
++ if (ro->bound && dev) {
++ if (dev->reg_state != NETREG_REGISTERED) {
+ if (count > 1)
+ kfree(filter);
+ err = -ENODEV;
+@@ -592,7 +585,6 @@ static int raw_setsockopt(struct socket
+ ro->count = count;
+
+ out_fil:
+- dev_put(dev);
+ release_sock(sk);
+ rtnl_unlock();
+
+@@ -610,9 +602,9 @@ static int raw_setsockopt(struct socket
+ rtnl_lock();
+ lock_sock(sk);
+
+- if (ro->bound && ro->ifindex) {
+- dev = dev_get_by_index(sock_net(sk), ro->ifindex);
+- if (!dev) {
++ dev = ro->dev;
++ if (ro->bound && dev) {
++ if (dev->reg_state != NETREG_REGISTERED) {
+ err = -ENODEV;
+ goto out_err;
+ }
+@@ -636,7 +628,6 @@ static int raw_setsockopt(struct socket
+ ro->err_mask = err_mask;
+
+ out_err:
+- dev_put(dev);
+ release_sock(sk);
+ rtnl_unlock();
+
diff --git a/tmp-5.15/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch b/tmp-5.15/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch
new file mode 100644
index 00000000000..115577cb620
--- /dev/null
+++ b/tmp-5.15/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch
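Review bot: raw_release() in net/can/raw.c now takes `lock_sock(sk)` first and `rtnl_lock()` second, while raw_bind() as changed here and raw_setsockopt() take `rtnl_lock()` first and `lock_sock(sk)` second; that is an ABBA ordering between the socket lock and RTNL which can deadlock, and lockdep would be expected to report it. Swapping the two acquisitions in raw_release() so they read `rtnl_lock();` then `lock_sock(sk);` gives all three paths the same order; the matching release_sock() lies outside the hunk. Separately, `ro->dev` appears to be cached without a reference held (the dev_put() in raw_bind() is not visible here, and the setsockopt paths drop theirs), so the new member in struct raw_sock deserves a comment such as `/* bound device; no reference held, valid only under rtnl_lock, cleared on NETDEV_UNREGISTER */`.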
@@ -0,0 +1,42 @@
+From a460beefe77d780ac48f19d39333852a7f93ffc1 Mon Sep 17 00:00:00 2001
+From: Zhikai Zhai
+Date: Fri, 30 Jun 2023 11:35:14 +0800
+Subject: drm/amd/display: Disable MPC split by default on special asic
+
+From: Zhikai Zhai
+
+commit a460beefe77d780ac48f19d39333852a7f93ffc1 upstream.
+
+[WHY]
+All of pipes will be used when the MPC split enable on the dcn
+which just has 2 pipes. Then MPO enter will trigger the minimal
+transition which need programe dcn from 2 pipes MPC split to 2
+pipes MPO. This action will cause lag if happen frequently.
+
+[HOW]
+Disable the MPC split for the platform which dcn resource is limited
+
+Cc: Mario Limonciello
+Cc: Alex Deucher
+Cc: stable@vger.kernel.org
+Reviewed-by: Alvin Lee
+Acked-by: Alan Liu
+Signed-off-by: Zhikai Zhai
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c
+@@ -193,7 +193,7 @@ static const struct dc_debug_options deb
+ .timing_trace = false,
+ .clock_trace = true,
+ .disable_pplib_clock_request = true,
+- .pipe_split_policy = MPC_SPLIT_DYNAMIC,
++ .pipe_split_policy = MPC_SPLIT_AVOID,
+ .force_single_disp_pipe_split = false,
+ .disable_dcc = DCC_ENABLE,
+ .vsr_support = true,
diff --git a/tmp-5.15/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch b/tmp-5.15/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch
new file mode 100644
index 00000000000..88026fbba32
--- /dev/null
+++ b/tmp-5.15/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch
@@ -0,0 +1,42 @@
+From 2387ccf43e3c6cb5dbd757c5ef410cca9f14b971 Mon Sep 17 00:00:00 2001
+From: Nicholas Kazlauskas
+Date: Thu, 29 Jun 2023 10:35:59 -0400
+Subject: drm/amd/display: Keep PHY active for DP displays on DCN31
+
+From: Nicholas Kazlauskas
+
+commit 2387ccf43e3c6cb5dbd757c5ef410cca9f14b971 upstream.
+
+[Why & How]
+Port of a change that went into DCN314 to keep the PHY enabled
+when we have a connected and active DP display.
+
+The PHY can hang if PHY refclk is disabled inadvertently.
+
+Cc: Mario Limonciello
+Cc: Alex Deucher
+Cc: stable@vger.kernel.org
+Reviewed-by: Josip Pavic
+Acked-by: Alan Liu
+Signed-off-by: Nicholas Kazlauskas
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c
+@@ -81,6 +81,11 @@ int dcn31_get_active_display_cnt_wa(
+ stream->signal == SIGNAL_TYPE_DVI_SINGLE_LINK ||
+ stream->signal == SIGNAL_TYPE_DVI_DUAL_LINK)
+ tmds_present = true;
++
++ /* Checking stream / link detection ensuring that PHY is active*/
++ if (dc_is_dp_signal(stream->signal) && !stream->dpms_off)
++ display_count++;
++
+ }
+
+ for (i = 0; i < dc->link_count; i++) {
diff --git a/tmp-5.15/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch b/tmp-5.15/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch
new file mode 100644
index 00000000000..622d5d2472e
--- /dev/null
+++ b/tmp-5.15/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch
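Review bot: The added `display_count++` counts every DP stream with `dpms_off` clear, and the loop over `dc->link_count` that begins on the hunk's last line may count the same display again if it also increments the counter for an enabled link. That is harmless only if callers compare the result with zero, which the hunk does not show, so it should be confirmed and written down. I would replace the new comment with `/* Count active DP streams so the PHY refclk is not gated; callers only test for zero, so overlap with the link loop is harmless */`, which also states why the count is taken. The body of dcn31_get_active_display_cnt_wa starts and ends outside the hunk.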
@@ -0,0 +1,46 @@
+From 2329cc7a101af1a844fbf706c0724c0baea38365 Mon Sep 17 00:00:00 2001
+From: Jocelyn Falempe
+Date: Tue, 11 Jul 2023 11:20:44 +0200
+Subject: drm/client: Fix memory leak in drm_client_modeset_probe
+
+From: Jocelyn Falempe
+
+commit 2329cc7a101af1a844fbf706c0724c0baea38365 upstream.
+
+When a new mode is set to modeset->mode, the previous mode should be freed.
+This fixes the following kmemleak report:
+
+drm_mode_duplicate+0x45/0x220 [drm]
+drm_client_modeset_probe+0x944/0xf50 [drm]
+__drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper]
+drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper]
+drm_client_register+0x169/0x240 [drm]
+ast_pci_probe+0x142/0x190 [ast]
+local_pci_probe+0xdc/0x180
+work_for_cpu_fn+0x4e/0xa0
+process_one_work+0x8b7/0x1540
+worker_thread+0x70a/0xed0
+kthread+0x29f/0x340
+ret_from_fork+0x1f/0x30
+
+cc:
+Reported-by: Zhang Yi
+Signed-off-by: Jocelyn Falempe
+Reviewed-by: Javier Martinez Canillas
+Reviewed-by: Thomas Zimmermann
+Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-3-jfalempe@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_client_modeset.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/drm_client_modeset.c
++++ b/drivers/gpu/drm/drm_client_modeset.c
+@@ -865,6 +865,7 @@ int drm_client_modeset_probe(struct drm_
+ break;
+ }
+
++ kfree(modeset->mode);
+ modeset->mode = drm_mode_duplicate(dev, mode);
+ drm_connector_get(connector);
+ modeset->connectors[modeset->num_connectors++] = connector;
diff --git a/tmp-5.15/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch b/tmp-5.15/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch
new file mode 100644
index 00000000000..15b117d6ede
--- /dev/null
+++ b/tmp-5.15/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch
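Review bot: The result of `drm_mode_duplicate()` on the line after the new `kfree()` is stored in `modeset->mode` without a NULL check, and the code goes on to take the connector reference. Now that the previous mode is freed first, a failed allocation leaves the modeset with a connector and a NULL mode, so any later reader of `modeset->mode` has to tolerate NULL. I would check right after the assignment, for example `if (!modeset->mode) { ret = -ENOMEM; break; }`, assuming the function has an error variable to set; which exit path is correct depends on code outside the hunk. The function's start and the rest of the loop are not visible here.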
@@ -0,0 +1,68 @@ +From c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 Mon Sep 17 00:00:00 2001 +From: Jocelyn Falempe +Date: Tue, 11 Jul 2023 11:20:43 +0200 +Subject: drm/client: Fix memory leak in drm_client_target_cloned + +From: Jocelyn Falempe + +commit c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 upstream. + +dmt_mode is allocated and never freed in this function. +It was found with the ast driver, but most drivers using generic fbdev +setup are probably affected. + +This fixes the following kmemleak report: + backtrace: + [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm] + [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm] + [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm] + [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] + [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] + [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm] + [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast] + [<00000000987f19bb>] local_pci_probe+0xdc/0x180 + [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0 + [<0000000000b85301>] process_one_work+0x8b7/0x1540 + [<000000003375b17c>] worker_thread+0x70a/0xed0 + [<00000000b0d43cd9>] kthread+0x29f/0x340 + [<000000008d770833>] ret_from_fork+0x1f/0x30 +unreferenced object 0xff11000333089a00 (size 128): + +cc: +Fixes: 1d42bbc8f7f9 ("drm/fbdev: fix cloning on fbcon") +Reported-by: Zhang Yi +Signed-off-by: Jocelyn Falempe +Reviewed-by: Javier Martinez Canillas +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-2-jfalempe@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_client_modeset.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/drm_client_modeset.c ++++ b/drivers/gpu/drm/drm_client_modeset.c +@@ -309,6 +309,9 @@ static bool drm_client_target_cloned(str + can_clone = true; + dmt_mode = drm_mode_find_dmt(dev, 1024, 768, 60, false); + ++ 
if (!dmt_mode) ++ goto fail; ++ + for (i = 0; i < connector_count; i++) { + if (!enabled[i]) + continue; +@@ -324,11 +327,13 @@ static bool drm_client_target_cloned(str + if (!modes[i]) + can_clone = false; + } ++ kfree(dmt_mode); + + if (can_clone) { + DRM_DEBUG_KMS("can clone using 1024x768\n"); + return true; + } ++fail: + DRM_INFO("kms: can't enable cloning when we probably wanted to.\n"); + return false; + } diff --git a/tmp-5.15/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch b/tmp-5.15/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch new file mode 100644 index 00000000000..d11ea5e3f19 --- /dev/null +++ b/tmp-5.15/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch @@ -0,0 +1,38 @@ +From cb9a1518ded05453d730ce932ab36776f662cc91 Mon Sep 17 00:00:00 2001 +From: hackyzh002 +Date: Wed, 19 Apr 2023 20:20:58 +0800 +Subject: [PATCH AUTOSEL 4.14 1/9] drm/radeon: Fix integer overflow in + radeon_cs_parser_init +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 4.14.320 + +[ Upstream commit f828b681d0cd566f86351c0b913e6cb6ed8c7b9c ] + +The type of size is unsigned, if size is 0x40000000, there will be an +integer overflow, size will be zero after size *= sizeof(uint32_t), +will cause uninitialized memory to be referenced later + +Reviewed-by: Christian König +Signed-off-by: hackyzh002 +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_cs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/radeon_cs.c ++++ b/drivers/gpu/drm/radeon/radeon_cs.c +@@ -270,7 +270,8 @@ int radeon_cs_parser_init(struct radeon_ + { + struct drm_radeon_cs *cs = data; + uint64_t *chunk_array_ptr; +- unsigned size, i; ++ u64 size; ++ unsigned i; + u32 ring = RADEON_CS_RING_GFX; + s32 priority = 0; + 
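Review bot: The new `kfree(dmt_mode)` after the loop is safe only if no `modes[i]` entry still points at `dmt_mode`, and the loop body that fills `modes[]` lies between the two hunks and is not shown. If the entries come from the connectors' own mode lists this is fine, but it should be confirmed, since the caller presumably keeps using `modes[]` after the function returns true. I would also document the ownership at the allocation, `/* drm_mode_find_dmt() returns a newly allocated mode; freed after the loop below */`, so that the next change does not reintroduce the leak. The body of drm_client_target_cloned starts outside the hunk.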
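Review bot: Widening `size` to `u64` in radeon_cs_parser_init only keeps `size *= sizeof(uint32_t)` from wrapping; the hunk adds no bound on the count itself, which presumably comes from the ioctl data behind `cs`. The allocation and copy that use `size` are outside the hunk, so whether they reject an oversized request on their own cannot be checked here. I would add an explicit upper-bound check on the dword count before the multiplication and annotate the declaration with `/* u64 so that size * sizeof(uint32_t) cannot wrap */`. Separately, the patch header reads `[PATCH AUTOSEL 4.14 1/9]` with `X-stable-base: Linux 4.14.320` although the file is added under tmp-5.15, which is worth confirming against the intended queue.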
diff --git a/tmp-5.15/ethernet-use-eth_hw_addr_set-instead-of-ether_addr_c.patch b/tmp-5.15/ethernet-use-eth_hw_addr_set-instead-of-ether_addr_c.patch new file mode 100644 index 00000000000..aad2b56b05e --- /dev/null +++ b/tmp-5.15/ethernet-use-eth_hw_addr_set-instead-of-ether_addr_c.patch 
@@ -0,0 +1,999 @@ +From cd12ac0a14bf764802f5e3677c05dff1639bb7c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Oct 2021 14:32:23 -0700 +Subject: ethernet: use eth_hw_addr_set() instead of ether_addr_copy() + +From: Jakub Kicinski + +[ Upstream commit f3956ebb3bf06ab2266ad5ee2214aed46405810c ] + +Convert Ethernet from ether_addr_copy() to eth_hw_addr_set(): + + @@ + expression dev, np; + @@ + - ether_addr_copy(dev->dev_addr, np) + + eth_hw_addr_set(dev, np) + +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Stable-dep-of: 1d6d537dc55d ("net: ethernet: mtk_eth_soc: handle probe deferral") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/agere/et131x.c | 4 ++-- + drivers/net/ethernet/alacritech/slicoss.c | 2 +- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 2 +- + drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 +- + drivers/net/ethernet/broadcom/bgmac-bcma.c | 2 +- + drivers/net/ethernet/broadcom/bgmac.c | 2 +- + drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c | 2 +- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 ++-- + drivers/net/ethernet/brocade/bna/bnad.c | 4 ++-- + drivers/net/ethernet/cavium/liquidio/lio_core.c | 2 +- + drivers/net/ethernet/cavium/liquidio/lio_main.c | 2 +- + drivers/net/ethernet/cavium/liquidio/lio_vf_main.c | 2 +- + drivers/net/ethernet/cavium/thunder/nicvf_main.c | 3 +-- + drivers/net/ethernet/emulex/benet/be_main.c | 2 +- + drivers/net/ethernet/ethoc.c | 2 +- + drivers/net/ethernet/ezchip/nps_enet.c | 2 +- + drivers/net/ethernet/faraday/ftgmac100.c | 4 ++-- + drivers/net/ethernet/google/gve/gve_adminq.c | 2 +- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 4 ++-- + drivers/net/ethernet/ibm/ibmveth.c | 2 +- + drivers/net/ethernet/ibm/ibmvnic.c | 5 ++--- + drivers/net/ethernet/intel/fm10k/fm10k_netdev.c | 2 +- + drivers/net/ethernet/intel/fm10k/fm10k_pci.c | 4 ++-- + drivers/net/ethernet/intel/i40e/i40e_main.c | 4 ++-- + drivers/net/ethernet/intel/iavf/iavf_main.c | 2 +- + 
drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 4 ++-- + drivers/net/ethernet/intel/ice/ice_main.c | 4 ++-- + drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 6 +++--- + drivers/net/ethernet/korina.c | 2 +- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++-- + drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 2 +- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 2 +- + drivers/net/ethernet/marvell/prestera/prestera_main.c | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 +- + drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c | 2 +- + drivers/net/ethernet/microchip/enc28j60.c | 4 ++-- + drivers/net/ethernet/microchip/lan743x_main.c | 4 ++-- + drivers/net/ethernet/microchip/sparx5/sparx5_netdev.c | 2 +- + drivers/net/ethernet/microsoft/mana/mana_en.c | 2 +- + drivers/net/ethernet/mscc/ocelot_net.c | 2 +- + drivers/net/ethernet/netronome/nfp/abm/main.c | 2 +- + drivers/net/ethernet/netronome/nfp/nfp_net_main.c | 2 +- + drivers/net/ethernet/netronome/nfp/nfp_netvf_main.c | 2 +- + drivers/net/ethernet/ni/nixge.c | 2 +- + drivers/net/ethernet/qlogic/qede/qede_filter.c | 4 ++-- + drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +- + drivers/net/ethernet/qualcomm/emac/emac.c | 2 +- + drivers/net/ethernet/sfc/ef10_sriov.c | 2 +- + drivers/net/ethernet/sfc/efx.c | 2 +- + drivers/net/ethernet/sfc/efx_common.c | 4 ++-- + drivers/net/ethernet/sfc/falcon/efx.c | 6 +++--- + drivers/net/ethernet/socionext/netsec.c | 2 +- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +- + drivers/net/ethernet/ti/cpsw_new.c | 4 ++-- + drivers/net/ethernet/ti/davinci_emac.c | 2 +- + drivers/net/ethernet/ti/netcp_core.c | 2 +- + include/linux/etherdevice.h | 2 +- + 57 files changed, 77 insertions(+), 79 deletions(-) + +diff --git a/drivers/net/ethernet/agere/et131x.c b/drivers/net/ethernet/agere/et131x.c +index 920633161174d..f4edc616388c0 100644 +--- a/drivers/net/ethernet/agere/et131x.c ++++ b/drivers/net/ethernet/agere/et131x.c +@@ -3863,7 +3863,7 @@ 
static int et131x_change_mtu(struct net_device *netdev, int new_mtu) + + et131x_init_send(adapter); + et131x_hwaddr_init(adapter); +- ether_addr_copy(netdev->dev_addr, adapter->addr); ++ eth_hw_addr_set(netdev, adapter->addr); + + /* Init the device with the new settings */ + et131x_adapter_setup(adapter); +@@ -3966,7 +3966,7 @@ static int et131x_pci_setup(struct pci_dev *pdev, + + netif_napi_add(netdev, &adapter->napi, et131x_poll, 64); + +- ether_addr_copy(netdev->dev_addr, adapter->addr); ++ eth_hw_addr_set(netdev, adapter->addr); + + rc = -ENOMEM; + +diff --git a/drivers/net/ethernet/alacritech/slicoss.c b/drivers/net/ethernet/alacritech/slicoss.c +index 696517eae77f0..82f4f26081021 100644 +--- a/drivers/net/ethernet/alacritech/slicoss.c ++++ b/drivers/net/ethernet/alacritech/slicoss.c +@@ -1660,7 +1660,7 @@ static int slic_read_eeprom(struct slic_device *sdev) + goto free_eeprom; + } + /* set mac address */ +- ether_addr_copy(sdev->netdev->dev_addr, mac[devfn]); ++ eth_hw_addr_set(sdev->netdev, mac[devfn]); + free_eeprom: + dma_free_coherent(&sdev->pdev->dev, SLIC_EEPROM_SIZE, eeprom, paddr); + +diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c +index 23c9750850e98..f3673be4fc087 100644 +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -4119,7 +4119,7 @@ static void ena_set_conf_feat_params(struct ena_adapter *adapter, + ether_addr_copy(adapter->mac_addr, netdev->dev_addr); + } else { + ether_addr_copy(adapter->mac_addr, feat->dev_attr.mac_addr); +- ether_addr_copy(netdev->dev_addr, adapter->mac_addr); ++ eth_hw_addr_set(netdev, adapter->mac_addr); + } + + /* Set offload features */ +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +index ea2e7cd8946da..c52093589d7cf 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +@@ 
-330,7 +330,7 @@ int aq_nic_ndev_register(struct aq_nic_s *self) + { + static u8 mac_addr_permanent[] = AQ_CFG_MAC_ADDR_PERMANENT; + +- ether_addr_copy(self->ndev->dev_addr, mac_addr_permanent); ++ eth_hw_addr_set(self->ndev, mac_addr_permanent); + } + #endif + +diff --git a/drivers/net/ethernet/broadcom/bgmac-bcma.c b/drivers/net/ethernet/broadcom/bgmac-bcma.c +index 92453e68d381b..bdb1b8053b69f 100644 +--- a/drivers/net/ethernet/broadcom/bgmac-bcma.c ++++ b/drivers/net/ethernet/broadcom/bgmac-bcma.c +@@ -150,7 +150,7 @@ static int bgmac_probe(struct bcma_device *core) + err = -ENOTSUPP; + goto err; + } +- ether_addr_copy(bgmac->net_dev->dev_addr, mac); ++ eth_hw_addr_set(bgmac->net_dev, mac); + } + + /* On BCM4706 we need common core to access PHY */ +diff --git a/drivers/net/ethernet/broadcom/bgmac.c b/drivers/net/ethernet/broadcom/bgmac.c +index 54ff28c9b2148..a9c99ac81730a 100644 +--- a/drivers/net/ethernet/broadcom/bgmac.c ++++ b/drivers/net/ethernet/broadcom/bgmac.c +@@ -1241,7 +1241,7 @@ static int bgmac_set_mac_address(struct net_device *net_dev, void *addr) + if (ret < 0) + return ret; + +- ether_addr_copy(net_dev->dev_addr, sa->sa_data); ++ eth_hw_addr_set(net_dev, sa->sa_data); + bgmac_write_mac_address(bgmac, net_dev->dev_addr); + + eth_commit_mac_addr_change(net_dev, addr); +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c +index 9401936b74fa2..8eb28e0885820 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c +@@ -475,7 +475,7 @@ static void bnxt_vf_rep_netdev_init(struct bnxt *bp, struct bnxt_vf_rep *vf_rep, + dev->features |= pf_dev->features; + bnxt_vf_rep_eth_addr_gen(bp->pf.mac_addr, vf_rep->vf_idx, + dev->perm_addr); +- ether_addr_copy(dev->dev_addr, dev->perm_addr); ++ eth_hw_addr_set(dev, dev->perm_addr); + /* Set VF-Rep's max-mtu to the corresponding VF's max-mtu */ + if (!bnxt_hwrm_vfr_qcfg(bp, vf_rep, &max_mtu)) + 
dev->max_mtu = max_mtu; +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 9d4f406408c9d..e036a244b78bf 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -3610,7 +3610,7 @@ static int bcmgenet_set_mac_addr(struct net_device *dev, void *p) + if (netif_running(dev)) + return -EBUSY; + +- ether_addr_copy(dev->dev_addr, addr->sa_data); ++ eth_hw_addr_set(dev, addr->sa_data); + + return 0; + } +@@ -4060,7 +4060,7 @@ static int bcmgenet_probe(struct platform_device *pdev) + bcmgenet_power_up(priv, GENET_POWER_PASSIVE); + + if (pd && !IS_ERR_OR_NULL(pd->mac_address)) +- ether_addr_copy(dev->dev_addr, pd->mac_address); ++ eth_hw_addr_set(dev, pd->mac_address); + else + if (!device_get_mac_address(&pdev->dev, dev->dev_addr, ETH_ALEN)) + if (has_acpi_companion(&pdev->dev)) +diff --git a/drivers/net/ethernet/brocade/bna/bnad.c b/drivers/net/ethernet/brocade/bna/bnad.c +index ba47777d9cff7..b1947fd9a07cc 100644 +--- a/drivers/net/ethernet/brocade/bna/bnad.c ++++ b/drivers/net/ethernet/brocade/bna/bnad.c +@@ -875,7 +875,7 @@ bnad_set_netdev_perm_addr(struct bnad *bnad) + + ether_addr_copy(netdev->perm_addr, bnad->perm_addr); + if (is_zero_ether_addr(netdev->dev_addr)) +- ether_addr_copy(netdev->dev_addr, bnad->perm_addr); ++ eth_hw_addr_set(netdev, bnad->perm_addr); + } + + /* Control Path Handlers */ +@@ -3249,7 +3249,7 @@ bnad_set_mac_address(struct net_device *netdev, void *addr) + + err = bnad_mac_addr_set_locked(bnad, sa->sa_data); + if (!err) +- ether_addr_copy(netdev->dev_addr, sa->sa_data); ++ eth_hw_addr_set(netdev, sa->sa_data); + + spin_unlock_irqrestore(&bnad->bna_lock, flags); + +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_core.c b/drivers/net/ethernet/cavium/liquidio/lio_core.c +index 2a0d64e5797c8..ec7928b54e4a7 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_core.c ++++ 
b/drivers/net/ethernet/cavium/liquidio/lio_core.c +@@ -411,7 +411,7 @@ void octeon_pf_changed_vf_macaddr(struct octeon_device *oct, u8 *mac) + + if (!ether_addr_equal(netdev->dev_addr, mac)) { + macaddr_changed = true; +- ether_addr_copy(netdev->dev_addr, mac); ++ eth_hw_addr_set(netdev, mac); + ether_addr_copy(((u8 *)&lio->linfo.hw_addr) + 2, mac); + call_netdevice_notifiers(NETDEV_CHANGEADDR, netdev); + } +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c +index ae68821dd56d5..443755729d793 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c +@@ -3650,7 +3650,7 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + + /* Copy MAC Address to OS network device structure */ + +- ether_addr_copy(netdev->dev_addr, mac); ++ eth_hw_addr_set(netdev, mac); + + /* By default all interfaces on a single Octeon uses the same + * tx and rx queues +diff --git a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +index f6396ac64006c..8a969a9d4b637 100644 +--- a/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c ++++ b/drivers/net/ethernet/cavium/liquidio/lio_vf_main.c +@@ -2148,7 +2148,7 @@ static int setup_nic_devices(struct octeon_device *octeon_dev) + mac[j] = *((u8 *)(((u8 *)&lio->linfo.hw_addr) + 2 + j)); + + /* Copy MAC Address to OS network device structure */ +- ether_addr_copy(netdev->dev_addr, mac); ++ eth_hw_addr_set(netdev, mac); + + if (liquidio_setup_io_queues(octeon_dev, i, + lio->linfo.num_txpciq, +diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +index b43b97e15a6f0..8418797be205e 100644 +--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c ++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c +@@ -221,8 +221,7 @@ static void nicvf_handle_mbx_intr(struct nicvf *nic) + nic->tns_mode = mbx.nic_cfg.tns_mode & 
0x7F; + nic->node = mbx.nic_cfg.node_id; + if (!nic->set_mac_pending) +- ether_addr_copy(nic->netdev->dev_addr, +- mbx.nic_cfg.mac_addr); ++ eth_hw_addr_set(nic->netdev, mbx.nic_cfg.mac_addr); + nic->sqs_mode = mbx.nic_cfg.sqs_mode; + nic->loopback_supported = mbx.nic_cfg.loopback_supported; + nic->link_up = false; +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index e874b907bfbdf..3ccb955eb6f23 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -369,7 +369,7 @@ static int be_mac_addr_set(struct net_device *netdev, void *p) + /* Remember currently programmed MAC */ + ether_addr_copy(adapter->dev_mac, addr->sa_data); + done: +- ether_addr_copy(netdev->dev_addr, addr->sa_data); ++ eth_hw_addr_set(netdev, addr->sa_data); + dev_info(dev, "MAC address changed to %pM\n", addr->sa_data); + return 0; + err: +diff --git a/drivers/net/ethernet/ethoc.c b/drivers/net/ethernet/ethoc.c +index ed1ed48e74838..e63aef6a9e33a 100644 +--- a/drivers/net/ethernet/ethoc.c ++++ b/drivers/net/ethernet/ethoc.c +@@ -1148,7 +1148,7 @@ static int ethoc_probe(struct platform_device *pdev) + + /* Allow the platform setup code to pass in a MAC address. 
*/ + if (pdata) { +- ether_addr_copy(netdev->dev_addr, pdata->hwaddr); ++ eth_hw_addr_set(netdev, pdata->hwaddr); + priv->phy_id = pdata->phy_id; + } else { + of_get_mac_address(pdev->dev.of_node, netdev->dev_addr); +diff --git a/drivers/net/ethernet/ezchip/nps_enet.c b/drivers/net/ethernet/ezchip/nps_enet.c +index f9a288a6ec8cc..f5935eb5a791c 100644 +--- a/drivers/net/ethernet/ezchip/nps_enet.c ++++ b/drivers/net/ethernet/ezchip/nps_enet.c +@@ -421,7 +421,7 @@ static s32 nps_enet_set_mac_address(struct net_device *ndev, void *p) + + res = eth_mac_addr(ndev, p); + if (!res) { +- ether_addr_copy(ndev->dev_addr, addr->sa_data); ++ eth_hw_addr_set(ndev, addr->sa_data); + nps_enet_set_hw_mac_address(ndev); + } + +diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c +index 4a2dadb91f024..11f76e56d0316 100644 +--- a/drivers/net/ethernet/faraday/ftgmac100.c ++++ b/drivers/net/ethernet/faraday/ftgmac100.c +@@ -186,7 +186,7 @@ static void ftgmac100_initial_mac(struct ftgmac100 *priv) + + addr = device_get_mac_address(priv->dev, mac, ETH_ALEN); + if (addr) { +- ether_addr_copy(priv->netdev->dev_addr, mac); ++ eth_hw_addr_set(priv->netdev, mac); + dev_info(priv->dev, "Read MAC address %pM from device tree\n", + mac); + return; +@@ -203,7 +203,7 @@ static void ftgmac100_initial_mac(struct ftgmac100 *priv) + mac[5] = l & 0xff; + + if (is_valid_ether_addr(mac)) { +- ether_addr_copy(priv->netdev->dev_addr, mac); ++ eth_hw_addr_set(priv->netdev, mac); + dev_info(priv->dev, "Read MAC address %pM from chip\n", mac); + } else { + eth_hw_addr_random(priv->netdev); +diff --git a/drivers/net/ethernet/google/gve/gve_adminq.c b/drivers/net/ethernet/google/gve/gve_adminq.c +index ce507464f3d62..54d649e5ee65b 100644 +--- a/drivers/net/ethernet/google/gve/gve_adminq.c ++++ b/drivers/net/ethernet/google/gve/gve_adminq.c +@@ -733,7 +733,7 @@ int gve_adminq_describe_device(struct gve_priv *priv) + } + priv->dev->max_mtu = mtu; + 
priv->num_event_counters = be16_to_cpu(descriptor->counters); +- ether_addr_copy(priv->dev->dev_addr, descriptor->mac); ++ eth_hw_addr_set(priv->dev, descriptor->mac); + mac = descriptor->mac; + dev_info(&priv->pdev->dev, "MAC addr: %pM\n", mac); + priv->tx_pages_per_qpl = be16_to_cpu(descriptor->tx_pages_per_qpl); +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index dc835f316d471..2acf50ed6025a 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -2251,7 +2251,7 @@ static int hns3_nic_net_set_mac_address(struct net_device *netdev, void *p) + return ret; + } + +- ether_addr_copy(netdev->dev_addr, mac_addr->sa_data); ++ eth_hw_addr_set(netdev, mac_addr->sa_data); + + return 0; + } +@@ -4921,7 +4921,7 @@ static int hns3_init_mac_addr(struct net_device *netdev) + dev_warn(priv->dev, "using random MAC address %s\n", + format_mac_addr); + } else if (!ether_addr_equal(netdev->dev_addr, mac_addr_temp)) { +- ether_addr_copy(netdev->dev_addr, mac_addr_temp); ++ eth_hw_addr_set(netdev, mac_addr_temp); + ether_addr_copy(netdev->perm_addr, mac_addr_temp); + } else { + return 0; +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c +index 3d9b4f99d357f..77d8db9b8a1d8 100644 +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1620,7 +1620,7 @@ static int ibmveth_set_mac_addr(struct net_device *dev, void *p) + return rc; + } + +- ether_addr_copy(dev->dev_addr, addr->sa_data); ++ eth_hw_addr_set(dev, addr->sa_data); + + return 0; + } +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 765dee2e4882e..450b4fd9aa7f7 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -4689,8 +4689,7 @@ static int handle_change_mac_rsp(union ibmvnic_crq *crq, + /* crq->change_mac_addr.mac_addr is the requested one + * 
crq->change_mac_addr_rsp.mac_addr is the returned valid one. + */ +- ether_addr_copy(netdev->dev_addr, +- &crq->change_mac_addr_rsp.mac_addr[0]); ++ eth_hw_addr_set(netdev, &crq->change_mac_addr_rsp.mac_addr[0]); + ether_addr_copy(adapter->mac_addr, + &crq->change_mac_addr_rsp.mac_addr[0]); + out: +@@ -5658,7 +5657,7 @@ static int ibmvnic_probe(struct vio_dev *dev, const struct vio_device_id *id) + adapter->login_pending = false; + + ether_addr_copy(adapter->mac_addr, mac_addr_p); +- ether_addr_copy(netdev->dev_addr, adapter->mac_addr); ++ eth_hw_addr_set(netdev, adapter->mac_addr); + netdev->irq = dev->irq; + netdev->netdev_ops = &ibmvnic_netdev_ops; + netdev->ethtool_ops = &ibmvnic_ethtool_ops; +diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_netdev.c b/drivers/net/ethernet/intel/fm10k/fm10k_netdev.c +index 2fb52bd6fc0e1..2cca9e84e31e1 100644 +--- a/drivers/net/ethernet/intel/fm10k/fm10k_netdev.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_netdev.c +@@ -990,7 +990,7 @@ static int fm10k_set_mac(struct net_device *dev, void *p) + } + + if (!err) { +- ether_addr_copy(dev->dev_addr, addr->sa_data); ++ eth_hw_addr_set(dev, addr->sa_data); + ether_addr_copy(hw->mac.addr, addr->sa_data); + dev->addr_assign_type &= ~NET_ADDR_RANDOM; + } +diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c +index adfa2768f024d..b473cb7d7c575 100644 +--- a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c +@@ -300,7 +300,7 @@ static int fm10k_handle_reset(struct fm10k_intfc *interface) + if (is_valid_ether_addr(hw->mac.perm_addr)) { + ether_addr_copy(hw->mac.addr, hw->mac.perm_addr); + ether_addr_copy(netdev->perm_addr, hw->mac.perm_addr); +- ether_addr_copy(netdev->dev_addr, hw->mac.perm_addr); ++ eth_hw_addr_set(netdev, hw->mac.perm_addr); + netdev->addr_assign_type &= ~NET_ADDR_RANDOM; + } + +@@ -2045,7 +2045,7 @@ static int fm10k_sw_init(struct fm10k_intfc *interface, + 
netdev->addr_assign_type |= NET_ADDR_RANDOM; + } + +- ether_addr_copy(netdev->dev_addr, hw->mac.addr); ++ eth_hw_addr_set(netdev, hw->mac.addr); + ether_addr_copy(netdev->perm_addr, hw->mac.addr); + + if (!is_valid_ether_addr(netdev->perm_addr)) { +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 8411f277d1355..d3f3874220a31 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -1686,7 +1686,7 @@ static int i40e_set_mac(struct net_device *netdev, void *p) + */ + spin_lock_bh(&vsi->mac_filter_hash_lock); + i40e_del_mac_filter(vsi, netdev->dev_addr); +- ether_addr_copy(netdev->dev_addr, addr->sa_data); ++ eth_hw_addr_set(netdev, addr->sa_data); + i40e_add_mac_filter(vsi, netdev->dev_addr); + spin_unlock_bh(&vsi->mac_filter_hash_lock); + +@@ -13659,7 +13659,7 @@ static int i40e_config_netdev(struct i40e_vsi *vsi) + i40e_add_mac_filter(vsi, broadcast); + spin_unlock_bh(&vsi->mac_filter_hash_lock); + +- ether_addr_copy(netdev->dev_addr, mac_addr); ++ eth_hw_addr_set(netdev, mac_addr); + ether_addr_copy(netdev->perm_addr, mac_addr); + + /* i40iw_net_event() reads 16 bytes from neigh->primary_key */ +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index a3caab0b6fa2a..3e45ca40288ad 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1963,7 +1963,7 @@ static void iavf_init_get_resources(struct iavf_adapter *adapter) + eth_hw_addr_random(netdev); + ether_addr_copy(adapter->hw.mac.addr, netdev->dev_addr); + } else { +- ether_addr_copy(netdev->dev_addr, adapter->hw.mac.addr); ++ eth_hw_addr_set(netdev, adapter->hw.mac.addr); + ether_addr_copy(netdev->perm_addr, adapter->hw.mac.addr); + } + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index c6eb0d0748ea9..262482c694587 100644 
+--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -1726,7 +1726,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + if (!v_retval) + iavf_mac_add_ok(adapter); + if (!ether_addr_equal(netdev->dev_addr, adapter->hw.mac.addr)) +- ether_addr_copy(netdev->dev_addr, adapter->hw.mac.addr); ++ eth_hw_addr_set(netdev, adapter->hw.mac.addr); + break; + case VIRTCHNL_OP_GET_STATS: { + struct iavf_eth_stats *stats = +@@ -1757,7 +1757,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + ether_addr_copy(adapter->hw.mac.addr, netdev->dev_addr); + } else { + /* refresh current mac address if changed */ +- ether_addr_copy(netdev->dev_addr, adapter->hw.mac.addr); ++ eth_hw_addr_set(netdev, adapter->hw.mac.addr); + ether_addr_copy(netdev->perm_addr, + adapter->hw.mac.addr); + } +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index bf9fe385274e1..a18fa054b4fae 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -3183,7 +3183,7 @@ static int ice_cfg_netdev(struct ice_vsi *vsi) + if (vsi->type == ICE_VSI_PF) { + SET_NETDEV_DEV(netdev, ice_pf_to_dev(vsi->back)); + ether_addr_copy(mac_addr, vsi->port_info->mac.perm_addr); +- ether_addr_copy(netdev->dev_addr, mac_addr); ++ eth_hw_addr_set(netdev, mac_addr); + ether_addr_copy(netdev->perm_addr, mac_addr); + } + +@@ -5225,7 +5225,7 @@ static int ice_set_mac_address(struct net_device *netdev, void *pi) + netdev_err(netdev, "can't set MAC %pM. 
filter update failed\n", + mac); + netif_addr_lock_bh(netdev); +- ether_addr_copy(netdev->dev_addr, old_mac); ++ eth_hw_addr_set(netdev, old_mac); + netif_addr_unlock_bh(netdev); + return err; + } +diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +index 0e7ff15af9687..3a05e458ded2f 100644 +--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c ++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +@@ -2541,7 +2541,7 @@ void ixgbevf_reset(struct ixgbevf_adapter *adapter) + } + + if (is_valid_ether_addr(adapter->hw.mac.addr)) { +- ether_addr_copy(netdev->dev_addr, adapter->hw.mac.addr); ++ eth_hw_addr_set(netdev, adapter->hw.mac.addr); + ether_addr_copy(netdev->perm_addr, adapter->hw.mac.addr); + } + +@@ -3055,7 +3055,7 @@ static int ixgbevf_sw_init(struct ixgbevf_adapter *adapter) + else if (is_zero_ether_addr(adapter->hw.mac.addr)) + dev_info(&pdev->dev, + "MAC address not assigned by administrator.\n"); +- ether_addr_copy(netdev->dev_addr, hw->mac.addr); ++ eth_hw_addr_set(netdev, hw->mac.addr); + } + + if (!is_valid_ether_addr(netdev->dev_addr)) { +@@ -4232,7 +4232,7 @@ static int ixgbevf_set_mac(struct net_device *netdev, void *p) + + ether_addr_copy(hw->mac.addr, addr->sa_data); + ether_addr_copy(hw->mac.perm_addr, addr->sa_data); +- ether_addr_copy(netdev->dev_addr, addr->sa_data); ++ eth_hw_addr_set(netdev, addr->sa_data); + + return 0; + } +diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c +index 3e9f324f1061f..097516af43256 100644 +--- a/drivers/net/ethernet/korina.c ++++ b/drivers/net/ethernet/korina.c +@@ -1297,7 +1297,7 @@ static int korina_probe(struct platform_device *pdev) + lp = netdev_priv(dev); + + if (mac_addr) +- ether_addr_copy(dev->dev_addr, mac_addr); ++ eth_hw_addr_set(dev, mac_addr); + else if (of_get_mac_address(pdev->dev.of_node, dev->dev_addr) < 0) + eth_hw_addr_random(dev); + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c 
b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index 524913c28f3b6..ddd4ed34b0f20 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -6087,7 +6087,7 @@ static void mvpp2_port_copy_mac_addr(struct net_device *dev, struct mvpp2 *priv, + + if (fwnode_get_mac_address(fwnode, fw_mac_addr, ETH_ALEN)) { + *mac_from = "firmware node"; +- ether_addr_copy(dev->dev_addr, fw_mac_addr); ++ eth_hw_addr_set(dev, fw_mac_addr); + return; + } + +@@ -6095,7 +6095,7 @@ static void mvpp2_port_copy_mac_addr(struct net_device *dev, struct mvpp2 *priv, + mvpp21_get_mac_address(port, hw_mac_addr); + if (is_valid_ether_addr(hw_mac_addr)) { + *mac_from = "hardware"; +- ether_addr_copy(dev->dev_addr, hw_mac_addr); ++ eth_hw_addr_set(dev, hw_mac_addr); + return; + } + } +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +index a8188b972ccbc..9af22f497a40f 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c +@@ -2333,7 +2333,7 @@ int mvpp2_prs_update_mac_da(struct net_device *dev, const u8 *da) + return err; + + /* Set addr in the device */ +- ether_addr_copy(dev->dev_addr, da); ++ eth_hw_addr_set(dev, da); + + return 0; + } +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +index 2e225309de9ca..b743646993ca2 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c +@@ -188,7 +188,7 @@ static int otx2_hw_get_mac_addr(struct otx2_nic *pfvf, + return PTR_ERR(msghdr); + } + rsp = (struct nix_get_mac_addr_rsp *)msghdr; +- ether_addr_copy(netdev->dev_addr, rsp->mac_addr); ++ eth_hw_addr_set(netdev, rsp->mac_addr); + mutex_unlock(&pfvf->mbox.lock); + + return 0; +diff --git a/drivers/net/ethernet/marvell/prestera/prestera_main.c 
b/drivers/net/ethernet/marvell/prestera/prestera_main.c +index 656c68cfd7ec6..912759ea6ec59 100644 +--- a/drivers/net/ethernet/marvell/prestera/prestera_main.c ++++ b/drivers/net/ethernet/marvell/prestera/prestera_main.c +@@ -141,7 +141,7 @@ static int prestera_port_set_mac_address(struct net_device *dev, void *p) + if (err) + return err; + +- ether_addr_copy(dev->dev_addr, addr->sa_data); ++ eth_hw_addr_set(dev, addr->sa_data); + + return 0; + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 82849bed27f4c..fdc4a5a80da41 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3224,7 +3224,7 @@ static int mlx5e_set_mac(struct net_device *netdev, void *addr) + return -EADDRNOTAVAIL; + + netif_addr_lock_bh(netdev); +- ether_addr_copy(netdev->dev_addr, saddr->sa_data); ++ eth_hw_addr_set(netdev, saddr->sa_data); + netif_addr_unlock_bh(netdev); + + mlx5e_nic_set_rx_mode(priv); +diff --git a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c +index 6704f5c1aa32e..b990782c1eb1f 100644 +--- a/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c ++++ b/drivers/net/ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c +@@ -75,7 +75,7 @@ static void mlxbf_gige_initial_mac(struct mlxbf_gige *priv) + u64_to_ether_addr(local_mac, mac); + + if (is_valid_ether_addr(mac)) { +- ether_addr_copy(priv->netdev->dev_addr, mac); ++ eth_hw_addr_set(priv->netdev, mac); + } else { + /* Provide a random MAC if for some reason the device has + * not been configured with a valid MAC address already. 
+diff --git a/drivers/net/ethernet/microchip/enc28j60.c b/drivers/net/ethernet/microchip/enc28j60.c +index 09cdc2f2e7ffb..bf77e8adffbf3 100644 +--- a/drivers/net/ethernet/microchip/enc28j60.c ++++ b/drivers/net/ethernet/microchip/enc28j60.c +@@ -517,7 +517,7 @@ static int enc28j60_set_mac_address(struct net_device *dev, void *addr) + if (!is_valid_ether_addr(address->sa_data)) + return -EADDRNOTAVAIL; + +- ether_addr_copy(dev->dev_addr, address->sa_data); ++ eth_hw_addr_set(dev, address->sa_data); + return enc28j60_set_hw_macaddr(dev); + } + +@@ -1573,7 +1573,7 @@ static int enc28j60_probe(struct spi_device *spi) + } + + if (device_get_mac_address(&spi->dev, macaddr, sizeof(macaddr))) +- ether_addr_copy(dev->dev_addr, macaddr); ++ eth_hw_addr_set(dev, macaddr); + else + eth_hw_addr_random(dev); + enc28j60_set_hw_macaddr(dev); +diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c +index d66ee9bf5558c..a3392c74372a8 100644 +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -829,7 +829,7 @@ static int lan743x_mac_init(struct lan743x_adapter *adapter) + eth_random_addr(adapter->mac_address); + } + lan743x_mac_set_address(adapter, adapter->mac_address); +- ether_addr_copy(netdev->dev_addr, adapter->mac_address); ++ eth_hw_addr_set(netdev, adapter->mac_address); + + return 0; + } +@@ -2677,7 +2677,7 @@ static int lan743x_netdev_set_mac_address(struct net_device *netdev, + ret = eth_prepare_mac_addr_change(netdev, sock_addr); + if (ret) + return ret; +- ether_addr_copy(netdev->dev_addr, sock_addr->sa_data); ++ eth_hw_addr_set(netdev, sock_addr->sa_data); + lan743x_mac_set_address(adapter, sock_addr->sa_data); + lan743x_rfe_update_mac_address(adapter); + return 0; +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_netdev.c b/drivers/net/ethernet/microchip/sparx5/sparx5_netdev.c +index 5c7b21ce64edb..a84038db8e1ad 100644 +--- 
a/drivers/net/ethernet/microchip/sparx5/sparx5_netdev.c ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_netdev.c +@@ -172,7 +172,7 @@ static int sparx5_set_mac_address(struct net_device *dev, void *p) + sparx5_mact_learn(sparx5, PGID_CPU, addr->sa_data, port->pvid); + + /* Record the address */ +- ether_addr_copy(dev->dev_addr, addr->sa_data); ++ eth_hw_addr_set(dev, addr->sa_data); + + return 0; + } +diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c +index 4b8c239932178..6224b7c21e0af 100644 +--- a/drivers/net/ethernet/microsoft/mana/mana_en.c ++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c +@@ -1619,7 +1619,7 @@ static int mana_init_port(struct net_device *ndev) + if (apc->num_queues > apc->max_queues) + apc->num_queues = apc->max_queues; + +- ether_addr_copy(ndev->dev_addr, apc->mac_addr); ++ eth_hw_addr_set(ndev, apc->mac_addr); + + return 0; + +diff --git a/drivers/net/ethernet/mscc/ocelot_net.c b/drivers/net/ethernet/mscc/ocelot_net.c +index c08c56e07b1d3..da8a4e01d4be3 100644 +--- a/drivers/net/ethernet/mscc/ocelot_net.c ++++ b/drivers/net/ethernet/mscc/ocelot_net.c +@@ -606,7 +606,7 @@ static int ocelot_port_set_mac_address(struct net_device *dev, void *p) + /* Then forget the previous one. 
*/ + ocelot_mact_forget(ocelot, dev->dev_addr, ocelot_port->pvid_vlan.vid); + +- ether_addr_copy(dev->dev_addr, addr->sa_data); ++ eth_hw_addr_set(dev, addr->sa_data); + return 0; + } + +diff --git a/drivers/net/ethernet/netronome/nfp/abm/main.c b/drivers/net/ethernet/netronome/nfp/abm/main.c +index 605a1617b195e..5d3df28c648ff 100644 +--- a/drivers/net/ethernet/netronome/nfp/abm/main.c ++++ b/drivers/net/ethernet/netronome/nfp/abm/main.c +@@ -305,7 +305,7 @@ nfp_abm_vnic_set_mac(struct nfp_pf *pf, struct nfp_abm *abm, struct nfp_net *nn, + return; + } + +- ether_addr_copy(nn->dp.netdev->dev_addr, mac_addr); ++ eth_hw_addr_set(nn->dp.netdev, mac_addr); + ether_addr_copy(nn->dp.netdev->perm_addr, mac_addr); + } + +diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_main.c b/drivers/net/ethernet/netronome/nfp/nfp_net_main.c +index d10a938013445..74c4bf4d397d8 100644 +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_main.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_main.c +@@ -55,7 +55,7 @@ nfp_net_get_mac_addr(struct nfp_pf *pf, struct net_device *netdev, + return; + } + +- ether_addr_copy(netdev->dev_addr, eth_port->mac_addr); ++ eth_hw_addr_set(netdev, eth_port->mac_addr); + ether_addr_copy(netdev->perm_addr, eth_port->mac_addr); + } + +diff --git a/drivers/net/ethernet/netronome/nfp/nfp_netvf_main.c b/drivers/net/ethernet/netronome/nfp/nfp_netvf_main.c +index c0e2f4394aef8..87f2268b16d6e 100644 +--- a/drivers/net/ethernet/netronome/nfp/nfp_netvf_main.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_netvf_main.c +@@ -58,7 +58,7 @@ static void nfp_netvf_get_mac_addr(struct nfp_net *nn) + return; + } + +- ether_addr_copy(nn->dp.netdev->dev_addr, mac_addr); ++ eth_hw_addr_set(nn->dp.netdev, mac_addr); + ether_addr_copy(nn->dp.netdev->perm_addr, mac_addr); + } + +diff --git a/drivers/net/ethernet/ni/nixge.c b/drivers/net/ethernet/ni/nixge.c +index 5d0cecf80b380..486fa794b6c7a 100644 +--- a/drivers/net/ethernet/ni/nixge.c ++++ b/drivers/net/ethernet/ni/nixge.c 
+@@ -1285,7 +1285,7 @@ static int nixge_probe(struct platform_device *pdev) + + mac_addr = nixge_get_nvmem_address(&pdev->dev); + if (mac_addr && is_valid_ether_addr(mac_addr)) { +- ether_addr_copy(ndev->dev_addr, mac_addr); ++ eth_hw_addr_set(ndev, mac_addr); + kfree(mac_addr); + } else { + eth_hw_addr_random(ndev); +diff --git a/drivers/net/ethernet/qlogic/qede/qede_filter.c b/drivers/net/ethernet/qlogic/qede/qede_filter.c +index f99b085b56a54..03c51dd37e1f3 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_filter.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_filter.c +@@ -557,7 +557,7 @@ void qede_force_mac(void *dev, u8 *mac, bool forced) + return; + } + +- ether_addr_copy(edev->ndev->dev_addr, mac); ++ eth_hw_addr_set(edev->ndev, mac); + __qede_unlock(edev); + } + +@@ -1101,7 +1101,7 @@ int qede_set_mac_addr(struct net_device *ndev, void *p) + goto out; + } + +- ether_addr_copy(ndev->dev_addr, addr->sa_data); ++ eth_hw_addr_set(ndev, addr->sa_data); + DP_INFO(edev, "Setting device MAC to %pM\n", addr->sa_data); + + if (edev->state != QEDE_STATE_OPEN) { +diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c +index 41f0a3433c3a2..6c22bfc16ee6b 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_main.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c +@@ -843,7 +843,7 @@ static void qede_init_ndev(struct qede_dev *edev) + ndev->max_mtu = QEDE_MAX_JUMBO_PACKET_SIZE; + + /* Set network device HW mac */ +- ether_addr_copy(edev->ndev->dev_addr, edev->dev_info.common.hw_mac); ++ eth_hw_addr_set(edev->ndev, edev->dev_info.common.hw_mac); + + ndev->mtu = edev->dev_info.common.mtu; + } +diff --git a/drivers/net/ethernet/qualcomm/emac/emac.c b/drivers/net/ethernet/qualcomm/emac/emac.c +index bb7f3286824f4..94090856cf3a9 100644 +--- a/drivers/net/ethernet/qualcomm/emac/emac.c ++++ b/drivers/net/ethernet/qualcomm/emac/emac.c +@@ -550,7 +550,7 @@ static int emac_probe_resources(struct platform_device *pdev, + + /* get 
mac address */ + if (device_get_mac_address(&pdev->dev, maddr, ETH_ALEN)) +- ether_addr_copy(netdev->dev_addr, maddr); ++ eth_hw_addr_set(netdev, maddr); + else + eth_hw_addr_random(netdev); + +diff --git a/drivers/net/ethernet/sfc/ef10_sriov.c b/drivers/net/ethernet/sfc/ef10_sriov.c +index f488461a23d1c..eeaecea77cb83 100644 +--- a/drivers/net/ethernet/sfc/ef10_sriov.c ++++ b/drivers/net/ethernet/sfc/ef10_sriov.c +@@ -527,7 +527,7 @@ int efx_ef10_sriov_set_vf_mac(struct efx_nic *efx, int vf_i, u8 *mac) + goto fail; + + if (vf->efx) +- ether_addr_copy(vf->efx->net_dev->dev_addr, mac); ++ eth_hw_addr_set(vf->efx->net_dev, mac); + } + + ether_addr_copy(vf->mac, mac); +diff --git a/drivers/net/ethernet/sfc/efx.c b/drivers/net/ethernet/sfc/efx.c +index 41eb6f9f5596e..bc1f4350360bc 100644 +--- a/drivers/net/ethernet/sfc/efx.c ++++ b/drivers/net/ethernet/sfc/efx.c +@@ -128,7 +128,7 @@ static int efx_probe_port(struct efx_nic *efx) + return rc; + + /* Initialise MAC address to permanent address */ +- ether_addr_copy(efx->net_dev->dev_addr, efx->net_dev->perm_addr); ++ eth_hw_addr_set(efx->net_dev, efx->net_dev->perm_addr); + + return 0; + } +diff --git a/drivers/net/ethernet/sfc/efx_common.c b/drivers/net/ethernet/sfc/efx_common.c +index 6038b7e3e8236..7249ea594b31d 100644 +--- a/drivers/net/ethernet/sfc/efx_common.c ++++ b/drivers/net/ethernet/sfc/efx_common.c +@@ -181,11 +181,11 @@ int efx_set_mac_address(struct net_device *net_dev, void *data) + + /* save old address */ + ether_addr_copy(old_addr, net_dev->dev_addr); +- ether_addr_copy(net_dev->dev_addr, new_addr); ++ eth_hw_addr_set(net_dev, new_addr); + if (efx->type->set_mac_address) { + rc = efx->type->set_mac_address(efx); + if (rc) { +- ether_addr_copy(net_dev->dev_addr, old_addr); ++ eth_hw_addr_set(net_dev, old_addr); + return rc; + } + } +diff --git a/drivers/net/ethernet/sfc/falcon/efx.c b/drivers/net/ethernet/sfc/falcon/efx.c +index 423bdf81200fd..c68837a951f47 100644 +--- 
a/drivers/net/ethernet/sfc/falcon/efx.c ++++ b/drivers/net/ethernet/sfc/falcon/efx.c +@@ -1044,7 +1044,7 @@ static int ef4_probe_port(struct ef4_nic *efx) + return rc; + + /* Initialise MAC address to permanent address */ +- ether_addr_copy(efx->net_dev->dev_addr, efx->net_dev->perm_addr); ++ eth_hw_addr_set(efx->net_dev, efx->net_dev->perm_addr); + + return 0; + } +@@ -2162,11 +2162,11 @@ static int ef4_set_mac_address(struct net_device *net_dev, void *data) + + /* save old address */ + ether_addr_copy(old_addr, net_dev->dev_addr); +- ether_addr_copy(net_dev->dev_addr, new_addr); ++ eth_hw_addr_set(net_dev, new_addr); + if (efx->type->set_mac_address) { + rc = efx->type->set_mac_address(efx); + if (rc) { +- ether_addr_copy(net_dev->dev_addr, old_addr); ++ eth_hw_addr_set(net_dev, old_addr); + return rc; + } + } +diff --git a/drivers/net/ethernet/socionext/netsec.c b/drivers/net/ethernet/socionext/netsec.c +index f0451911ab8f6..6b8013fb17c38 100644 +--- a/drivers/net/ethernet/socionext/netsec.c ++++ b/drivers/net/ethernet/socionext/netsec.c +@@ -2041,7 +2041,7 @@ static int netsec_probe(struct platform_device *pdev) + + mac = device_get_mac_address(&pdev->dev, macbuf, sizeof(macbuf)); + if (mac) +- ether_addr_copy(ndev->dev_addr, mac); ++ eth_hw_addr_set(ndev, mac); + + if (priv->eeprom_base && + (!mac || !is_valid_ether_addr(ndev->dev_addr))) { +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +index 692c291d9a01a..daf0779261f3e 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -1981,7 +1981,7 @@ am65_cpsw_nuss_init_port_ndev(struct am65_cpsw_common *common, u32 port_idx) + ndev_priv->msg_enable = AM65_CPSW_DEBUG; + SET_NETDEV_DEV(port->ndev, dev); + +- ether_addr_copy(port->ndev->dev_addr, port->slave.mac_addr); ++ eth_hw_addr_set(port->ndev, port->slave.mac_addr); + + port->ndev->min_mtu = AM65_CPSW_MIN_PACKET_SIZE; + port->ndev->max_mtu = 
AM65_CPSW_MAX_PACKET_SIZE; +diff --git a/drivers/net/ethernet/ti/cpsw_new.c b/drivers/net/ethernet/ti/cpsw_new.c +index 277c91d135708..0d921f6542d6f 100644 +--- a/drivers/net/ethernet/ti/cpsw_new.c ++++ b/drivers/net/ethernet/ti/cpsw_new.c +@@ -1000,7 +1000,7 @@ static int cpsw_ndo_set_mac_address(struct net_device *ndev, void *p) + flags, vid); + + ether_addr_copy(priv->mac_addr, addr->sa_data); +- ether_addr_copy(ndev->dev_addr, priv->mac_addr); ++ eth_hw_addr_set(ndev, priv->mac_addr); + cpsw_set_slave_mac(&cpsw->slaves[slave_no], priv); + + pm_runtime_put(cpsw->dev); +@@ -1404,7 +1404,7 @@ static int cpsw_create_ports(struct cpsw_common *cpsw) + dev_info(cpsw->dev, "Random MACID = %pM\n", + priv->mac_addr); + } +- ether_addr_copy(ndev->dev_addr, slave_data->mac_addr); ++ eth_hw_addr_set(ndev, slave_data->mac_addr); + ether_addr_copy(priv->mac_addr, slave_data->mac_addr); + + cpsw->slaves[i].ndev = ndev; +diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c +index d243ca5dfde00..fbd6bd80f51f4 100644 +--- a/drivers/net/ethernet/ti/davinci_emac.c ++++ b/drivers/net/ethernet/ti/davinci_emac.c +@@ -1911,7 +1911,7 @@ static int davinci_emac_probe(struct platform_device *pdev) + + rc = davinci_emac_try_get_mac(pdev, res_ctrl ? 0 : 1, priv->mac_addr); + if (!rc) +- ether_addr_copy(ndev->dev_addr, priv->mac_addr); ++ eth_hw_addr_set(ndev, priv->mac_addr); + + if (!is_valid_ether_addr(priv->mac_addr)) { + /* Use random MAC if still none obtained. 
*/ +diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c +index 07bdeece1723d..0cd47348890db 100644 +--- a/drivers/net/ethernet/ti/netcp_core.c ++++ b/drivers/net/ethernet/ti/netcp_core.c +@@ -2028,7 +2028,7 @@ static int netcp_create_interface(struct netcp_device *netcp_device, + + emac_arch_get_mac_addr(efuse_mac_addr, efuse, efuse_mac); + if (is_valid_ether_addr(efuse_mac_addr)) +- ether_addr_copy(ndev->dev_addr, efuse_mac_addr); ++ eth_hw_addr_set(ndev, efuse_mac_addr); + else + eth_random_addr(ndev->dev_addr); + +diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h +index 7f28fa702bb72..ca0e26a858bee 100644 +--- a/include/linux/etherdevice.h ++++ b/include/linux/etherdevice.h +@@ -323,7 +323,7 @@ static inline void eth_hw_addr_inherit(struct net_device *dst, + struct net_device *src) + { + dst->addr_assign_type = src->addr_assign_type; +- ether_addr_copy(dst->dev_addr, src->dev_addr); ++ eth_hw_addr_set(dst, src->dev_addr); + } + + /** +-- +2.39.2 + diff --git a/tmp-5.15/ethernet-use-of_get_ethdev_address.patch b/tmp-5.15/ethernet-use-of_get_ethdev_address.patch new file mode 100644 index 00000000000..0c62daf3eb2 --- /dev/null +++ b/tmp-5.15/ethernet-use-of_get_ethdev_address.patch 
@@ -0,0 +1,433 @@ +From b1e4ade005154d6ebbab3737b1ef857da763a9ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Oct 2021 18:06:56 -0700 +Subject: ethernet: use of_get_ethdev_address() + +From: Jakub Kicinski + +[ Upstream commit 9ca01b25dffffecf6c59339aad6b4736680e9fa3 ] + +Use the new of_get_ethdev_address() helper for the cases +where dev->dev_addr is passed in directly as the destination. + + @@ + expression dev, np; + @@ + - of_get_mac_address(np, dev->dev_addr) + + of_get_ethdev_address(np, dev) + +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Stable-dep-of: 1d6d537dc55d ("net: ethernet: mtk_eth_soc: handle probe deferral") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/allwinner/sun4i-emac.c | 2 +- + drivers/net/ethernet/altera/altera_tse_main.c | 2 +- + drivers/net/ethernet/arc/emac_main.c | 2 +- + drivers/net/ethernet/atheros/ag71xx.c | 2 +- + drivers/net/ethernet/broadcom/bcm4908_enet.c | 2 +- + drivers/net/ethernet/broadcom/bcmsysport.c | 2 +- + drivers/net/ethernet/broadcom/bgmac-bcma.c | 2 +- + drivers/net/ethernet/broadcom/bgmac-platform.c | 2 +- + drivers/net/ethernet/cadence/macb_main.c | 2 +- + drivers/net/ethernet/cavium/octeon/octeon_mgmt.c | 2 +- + drivers/net/ethernet/ethoc.c | 2 +- + drivers/net/ethernet/ezchip/nps_enet.c | 2 +- + drivers/net/ethernet/freescale/fec_mpc52xx.c | 2 +- + drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c | 2 +- + drivers/net/ethernet/freescale/gianfar.c | 2 +- + drivers/net/ethernet/freescale/ucc_geth.c | 2 +- + drivers/net/ethernet/hisilicon/hisi_femac.c | 2 +- + drivers/net/ethernet/hisilicon/hix5hd2_gmac.c | 2 +- + drivers/net/ethernet/korina.c | 2 +- + drivers/net/ethernet/lantiq_xrx200.c | 2 +- + drivers/net/ethernet/litex/litex_liteeth.c | 2 +- + drivers/net/ethernet/marvell/mvneta.c | 2 +- + drivers/net/ethernet/marvell/pxa168_eth.c | 2 +- + drivers/net/ethernet/marvell/sky2.c | 2 +- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +- + 
drivers/net/ethernet/micrel/ks8851_common.c | 2 +- + drivers/net/ethernet/nxp/lpc_eth.c | 2 +- + drivers/net/ethernet/qualcomm/qca_spi.c | 2 +- + drivers/net/ethernet/qualcomm/qca_uart.c | 2 +- + drivers/net/ethernet/renesas/ravb_main.c | 2 +- + drivers/net/ethernet/samsung/sxgbe/sxgbe_platform.c | 2 +- + drivers/net/ethernet/socionext/sni_ave.c | 2 +- + drivers/net/ethernet/ti/netcp_core.c | 2 +- + drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 +- + 34 files changed, 34 insertions(+), 34 deletions(-) + +--- a/drivers/net/ethernet/allwinner/sun4i-emac.c ++++ b/drivers/net/ethernet/allwinner/sun4i-emac.c +@@ -852,7 +852,7 @@ static int emac_probe(struct platform_de + } + + /* Read MAC-address from DT */ +- ret = of_get_mac_address(np, ndev->dev_addr); ++ ret = of_get_ethdev_address(np, ndev); + if (ret) { + /* if the MAC address is invalid get a random one */ + eth_hw_addr_random(ndev); +--- a/drivers/net/ethernet/altera/altera_tse_main.c ++++ b/drivers/net/ethernet/altera/altera_tse_main.c +@@ -1531,7 +1531,7 @@ static int altera_tse_probe(struct platf + priv->rx_dma_buf_sz = ALTERA_RXDMABUFFER_SIZE; + + /* get default MAC address from device tree */ +- ret = of_get_mac_address(pdev->dev.of_node, ndev->dev_addr); ++ ret = of_get_ethdev_address(pdev->dev.of_node, ndev); + if (ret) + eth_hw_addr_random(ndev); + +--- a/drivers/net/ethernet/arc/emac_main.c ++++ b/drivers/net/ethernet/arc/emac_main.c +@@ -941,7 +941,7 @@ int arc_emac_probe(struct net_device *nd + } + + /* Get MAC address from device tree */ +- err = of_get_mac_address(dev->of_node, ndev->dev_addr); ++ err = of_get_ethdev_address(dev->of_node, ndev); + if (err) + eth_hw_addr_random(ndev); + +--- a/drivers/net/ethernet/atheros/ag71xx.c ++++ b/drivers/net/ethernet/atheros/ag71xx.c +@@ -1964,7 +1964,7 @@ static int ag71xx_probe(struct platform_ + ag->stop_desc->ctrl = 0; + ag->stop_desc->next = (u32)ag->stop_desc_dma; + +- err = of_get_mac_address(np, ndev->dev_addr); ++ err = of_get_ethdev_address(np, 
ndev); + if (err) { + netif_err(ag, probe, ndev, "invalid MAC address, using random address\n"); + eth_random_addr(ndev->dev_addr); +--- a/drivers/net/ethernet/broadcom/bcm4908_enet.c ++++ b/drivers/net/ethernet/broadcom/bcm4908_enet.c +@@ -719,7 +719,7 @@ static int bcm4908_enet_probe(struct pla + return err; + + SET_NETDEV_DEV(netdev, &pdev->dev); +- err = of_get_mac_address(dev->of_node, netdev->dev_addr); ++ err = of_get_ethdev_address(dev->of_node, netdev); + if (err) + eth_hw_addr_random(netdev); + netdev->netdev_ops = &bcm4908_enet_netdev_ops; +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -2561,7 +2561,7 @@ static int bcm_sysport_probe(struct plat + } + + /* Initialize netdevice members */ +- ret = of_get_mac_address(dn, dev->dev_addr); ++ ret = of_get_ethdev_address(dn, dev); + if (ret) { + dev_warn(&pdev->dev, "using random Ethernet MAC\n"); + eth_hw_addr_random(dev); +--- a/drivers/net/ethernet/broadcom/bgmac-bcma.c ++++ b/drivers/net/ethernet/broadcom/bgmac-bcma.c +@@ -128,7 +128,7 @@ static int bgmac_probe(struct bcma_devic + + bcma_set_drvdata(core, bgmac); + +- err = of_get_mac_address(bgmac->dev->of_node, bgmac->net_dev->dev_addr); ++ err = of_get_ethdev_address(bgmac->dev->of_node, bgmac->net_dev); + if (err == -EPROBE_DEFER) + return err; + +--- a/drivers/net/ethernet/broadcom/bgmac-platform.c ++++ b/drivers/net/ethernet/broadcom/bgmac-platform.c +@@ -192,7 +192,7 @@ static int bgmac_probe(struct platform_d + bgmac->dev = &pdev->dev; + bgmac->dma_dev = &pdev->dev; + +- ret = of_get_mac_address(np, bgmac->net_dev->dev_addr); ++ ret = of_get_ethdev_address(np, bgmac->net_dev); + if (ret == -EPROBE_DEFER) + return ret; + +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -4835,7 +4835,7 @@ static int macb_probe(struct platform_de + if (bp->caps & MACB_CAPS_NEEDS_RSTONUBR) + bp->rx_intr_mask |= MACB_BIT(RXUBR); + +- err = of_get_mac_address(np, 
bp->dev->dev_addr); ++ err = of_get_ethdev_address(np, bp->dev); + if (err == -EPROBE_DEFER) + goto err_out_free_netdev; + else if (err) +--- a/drivers/net/ethernet/cavium/octeon/octeon_mgmt.c ++++ b/drivers/net/ethernet/cavium/octeon/octeon_mgmt.c +@@ -1501,7 +1501,7 @@ static int octeon_mgmt_probe(struct plat + netdev->min_mtu = 64 - OCTEON_MGMT_RX_HEADROOM; + netdev->max_mtu = 16383 - OCTEON_MGMT_RX_HEADROOM - VLAN_HLEN; + +- result = of_get_mac_address(pdev->dev.of_node, netdev->dev_addr); ++ result = of_get_ethdev_address(pdev->dev.of_node, netdev); + if (result) + eth_hw_addr_random(netdev); + +--- a/drivers/net/ethernet/ethoc.c ++++ b/drivers/net/ethernet/ethoc.c +@@ -1151,7 +1151,7 @@ static int ethoc_probe(struct platform_d + eth_hw_addr_set(netdev, pdata->hwaddr); + priv->phy_id = pdata->phy_id; + } else { +- of_get_mac_address(pdev->dev.of_node, netdev->dev_addr); ++ of_get_ethdev_address(pdev->dev.of_node, netdev); + priv->phy_id = -1; + } + +--- a/drivers/net/ethernet/ezchip/nps_enet.c ++++ b/drivers/net/ethernet/ezchip/nps_enet.c +@@ -601,7 +601,7 @@ static s32 nps_enet_probe(struct platfor + dev_dbg(dev, "Registers base address is 0x%p\n", priv->regs_base); + + /* set kernel MAC address to dev */ +- err = of_get_mac_address(dev->of_node, ndev->dev_addr); ++ err = of_get_ethdev_address(dev->of_node, ndev); + if (err) + eth_hw_addr_random(ndev); + +--- a/drivers/net/ethernet/freescale/fec_mpc52xx.c ++++ b/drivers/net/ethernet/freescale/fec_mpc52xx.c +@@ -890,7 +890,7 @@ static int mpc52xx_fec_probe(struct plat + * + * First try to read MAC address from DT + */ +- rv = of_get_mac_address(np, ndev->dev_addr); ++ rv = of_get_ethdev_address(np, ndev); + if (rv) { + struct mpc52xx_fec __iomem *fec = priv->fec; + +--- a/drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c ++++ b/drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c +@@ -1005,7 +1005,7 @@ static int fs_enet_probe(struct platform + spin_lock_init(&fep->lock); + spin_lock_init(&fep->tx_lock); 
+ +- of_get_mac_address(ofdev->dev.of_node, ndev->dev_addr); ++ of_get_ethdev_address(ofdev->dev.of_node, ndev); + + ret = fep->ops->allocate_bd(ndev); + if (ret) +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -753,7 +753,7 @@ static int gfar_of_init(struct platform_ + if (stash_len || stash_idx) + priv->device_flags |= FSL_GIANFAR_DEV_HAS_BUF_STASHING; + +- err = of_get_mac_address(np, dev->dev_addr); ++ err = of_get_ethdev_address(np, dev); + if (err) { + eth_hw_addr_random(dev); + dev_info(&ofdev->dev, "Using random MAC address: %pM\n", dev->dev_addr); +--- a/drivers/net/ethernet/freescale/ucc_geth.c ++++ b/drivers/net/ethernet/freescale/ucc_geth.c +@@ -3731,7 +3731,7 @@ static int ucc_geth_probe(struct platfor + goto err_free_netdev; + } + +- of_get_mac_address(np, dev->dev_addr); ++ of_get_ethdev_address(np, dev); + + ugeth->ug_info = ug_info; + ugeth->dev = device; +--- a/drivers/net/ethernet/hisilicon/hisi_femac.c ++++ b/drivers/net/ethernet/hisilicon/hisi_femac.c +@@ -841,7 +841,7 @@ static int hisi_femac_drv_probe(struct p + (unsigned long)phy->phy_id, + phy_modes(phy->interface)); + +- ret = of_get_mac_address(node, ndev->dev_addr); ++ ret = of_get_ethdev_address(node, ndev); + if (ret) { + eth_hw_addr_random(ndev); + dev_warn(dev, "using random MAC address %pM\n", +--- a/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c ++++ b/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c +@@ -1219,7 +1219,7 @@ static int hix5hd2_dev_probe(struct plat + goto out_phy_node; + } + +- ret = of_get_mac_address(node, ndev->dev_addr); ++ ret = of_get_ethdev_address(node, ndev); + if (ret) { + eth_hw_addr_random(ndev); + netdev_warn(ndev, "using random MAC address %pM\n", +--- a/drivers/net/ethernet/korina.c ++++ b/drivers/net/ethernet/korina.c +@@ -1298,7 +1298,7 @@ static int korina_probe(struct platform_ + + if (mac_addr) + eth_hw_addr_set(dev, mac_addr); +- else if (of_get_mac_address(pdev->dev.of_node, dev->dev_addr) < 0) ++ 
else if (of_get_ethdev_address(pdev->dev.of_node, dev) < 0) + eth_hw_addr_random(dev); + + clk = devm_clk_get_optional(&pdev->dev, "mdioclk"); +--- a/drivers/net/ethernet/lantiq_xrx200.c ++++ b/drivers/net/ethernet/lantiq_xrx200.c +@@ -474,7 +474,7 @@ static int xrx200_probe(struct platform_ + return PTR_ERR(priv->clk); + } + +- err = of_get_mac_address(np, net_dev->dev_addr); ++ err = of_get_ethdev_address(np, net_dev); + if (err) + eth_hw_addr_random(net_dev); + +--- a/drivers/net/ethernet/litex/litex_liteeth.c ++++ b/drivers/net/ethernet/litex/litex_liteeth.c +@@ -266,7 +266,7 @@ static int liteeth_probe(struct platform + priv->tx_base = buf_base + priv->num_rx_slots * priv->slot_size; + priv->tx_slot = 0; + +- err = of_get_mac_address(pdev->dev.of_node, netdev->dev_addr); ++ err = of_get_ethdev_address(pdev->dev.of_node, netdev); + if (err) + eth_hw_addr_random(netdev); + +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -5242,7 +5242,7 @@ static int mvneta_probe(struct platform_ + goto err_free_ports; + } + +- err = of_get_mac_address(dn, dev->dev_addr); ++ err = of_get_ethdev_address(dn, dev); + if (!err) { + mac_from = "device tree"; + } else { +--- a/drivers/net/ethernet/marvell/pxa168_eth.c ++++ b/drivers/net/ethernet/marvell/pxa168_eth.c +@@ -1434,7 +1434,7 @@ static int pxa168_eth_probe(struct platf + + INIT_WORK(&pep->tx_timeout_task, pxa168_eth_tx_timeout_task); + +- err = of_get_mac_address(pdev->dev.of_node, dev->dev_addr); ++ err = of_get_ethdev_address(pdev->dev.of_node, dev); + if (err) { + /* try reading the mac address, if set by the bootloader */ + pxa168_eth_get_mac_address(dev, dev->dev_addr); +--- a/drivers/net/ethernet/marvell/sky2.c ++++ b/drivers/net/ethernet/marvell/sky2.c +@@ -4802,7 +4802,7 @@ static struct net_device *sky2_init_netd + * 1) from device tree data + * 2) from internal registers set by bootloader + */ +- ret = of_get_mac_address(hw->pdev->dev.of_node, dev->dev_addr); ++ ret = 
of_get_ethdev_address(hw->pdev->dev.of_node, dev); + if (ret) + memcpy_fromio(dev->dev_addr, hw->regs + B2_MAC_1 + port * 8, + ETH_ALEN); +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -2618,7 +2618,7 @@ static int __init mtk_init(struct net_de + struct mtk_eth *eth = mac->hw; + int ret; + +- ret = of_get_mac_address(mac->of_node, dev->dev_addr); ++ ret = of_get_ethdev_address(mac->of_node, dev); + if (ret) { + /* If the mac address is invalid, use random mac address */ + eth_hw_addr_random(dev); +--- a/drivers/net/ethernet/micrel/ks8851_common.c ++++ b/drivers/net/ethernet/micrel/ks8851_common.c +@@ -195,7 +195,7 @@ static void ks8851_init_mac(struct ks885 + struct net_device *dev = ks->netdev; + int ret; + +- ret = of_get_mac_address(np, dev->dev_addr); ++ ret = of_get_ethdev_address(np, dev); + if (!ret) { + ks8851_write_mac_addr(dev); + return; +--- a/drivers/net/ethernet/nxp/lpc_eth.c ++++ b/drivers/net/ethernet/nxp/lpc_eth.c +@@ -1349,7 +1349,7 @@ static int lpc_eth_drv_probe(struct plat + __lpc_get_mac(pldat, ndev->dev_addr); + + if (!is_valid_ether_addr(ndev->dev_addr)) { +- of_get_mac_address(np, ndev->dev_addr); ++ of_get_ethdev_address(np, ndev); + } + if (!is_valid_ether_addr(ndev->dev_addr)) + eth_hw_addr_random(ndev); +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -967,7 +967,7 @@ qca_spi_probe(struct spi_device *spi) + + spi_set_drvdata(spi, qcaspi_devs); + +- ret = of_get_mac_address(spi->dev.of_node, qca->net_dev->dev_addr); ++ ret = of_get_ethdev_address(spi->dev.of_node, qca->net_dev); + if (ret) { + eth_hw_addr_random(qca->net_dev); + dev_info(&spi->dev, "Using random MAC address: %pM\n", +--- a/drivers/net/ethernet/qualcomm/qca_uart.c ++++ b/drivers/net/ethernet/qualcomm/qca_uart.c +@@ -347,7 +347,7 @@ static int qca_uart_probe(struct serdev_ + + of_property_read_u32(serdev->dev.of_node, "current-speed", &speed); + +- ret = 
of_get_mac_address(serdev->dev.of_node, qca->net_dev->dev_addr); ++ ret = of_get_ethdev_address(serdev->dev.of_node, qca->net_dev); + if (ret) { + eth_hw_addr_random(qca->net_dev); + dev_info(&serdev->dev, "Using random MAC address: %pM\n", +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -114,7 +114,7 @@ static void ravb_read_mac_address(struct + { + int ret; + +- ret = of_get_mac_address(np, ndev->dev_addr); ++ ret = of_get_ethdev_address(np, ndev); + if (ret) { + u32 mahr = ravb_read(ndev, MAHR); + u32 malr = ravb_read(ndev, MALR); +--- a/drivers/net/ethernet/samsung/sxgbe/sxgbe_platform.c ++++ b/drivers/net/ethernet/samsung/sxgbe/sxgbe_platform.c +@@ -118,7 +118,7 @@ static int sxgbe_platform_probe(struct p + } + + /* Get MAC address if available (DT) */ +- of_get_mac_address(node, priv->dev->dev_addr); ++ of_get_ethdev_address(node, priv->dev); + + /* Get the TX/RX IRQ numbers */ + for (i = 0, chan = 1; i < SXGBE_TX_QUEUES; i++) { +--- a/drivers/net/ethernet/socionext/sni_ave.c ++++ b/drivers/net/ethernet/socionext/sni_ave.c +@@ -1601,7 +1601,7 @@ static int ave_probe(struct platform_dev + + ndev->max_mtu = AVE_MAX_ETHFRAME - (ETH_HLEN + ETH_FCS_LEN); + +- ret = of_get_mac_address(np, ndev->dev_addr); ++ ret = of_get_ethdev_address(np, ndev); + if (ret) { + /* if the mac address is invalid, use random mac address */ + eth_hw_addr_random(ndev); +--- a/drivers/net/ethernet/ti/netcp_core.c ++++ b/drivers/net/ethernet/ti/netcp_core.c +@@ -2035,7 +2035,7 @@ static int netcp_create_interface(struct + devm_iounmap(dev, efuse); + devm_release_mem_region(dev, res.start, size); + } else { +- ret = of_get_mac_address(node_interface, ndev->dev_addr); ++ ret = of_get_ethdev_address(node_interface, ndev); + if (ret) + eth_random_addr(ndev->dev_addr); + } +--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c ++++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +@@ -1151,7 +1151,7 @@ static int xemaclite_of_probe(struct pla + 
lp->tx_ping_pong = get_bool(ofdev, "xlnx,tx-ping-pong"); + lp->rx_ping_pong = get_bool(ofdev, "xlnx,rx-ping-pong"); + +- rc = of_get_mac_address(ofdev->dev.of_node, ndev->dev_addr); ++ rc = of_get_ethdev_address(ofdev->dev.of_node, ndev); + if (rc) { + dev_warn(dev, "No MAC address found, using random\n"); + eth_hw_addr_random(ndev); diff --git a/tmp-5.15/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch b/tmp-5.15/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch new file mode 100644 index 00000000000..ba80a2d73bc --- /dev/null +++ b/tmp-5.15/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch 
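Review bot: In the ag71xx.c and ti/netcp_core.c hunks the fallback after a failed `of_get_ethdev_address()` is still `eth_random_addr(ndev->dev_addr)`, which writes the address buffer directly and does not mark the address as randomly assigned in `addr_assign_type`. The other probe paths in this patch use `eth_hw_addr_random()` for the same fallback, so I would change both context lines to `eth_hw_addr_random(ndev);`. The sky2.c (`memcpy_fromio(dev->dev_addr, ...)`), pxa168_eth.c and lpc_eth.c hunks keep a similar direct write in their fallback paths and probably need a follow-up that reads into a local buffer and then calls `eth_hw_addr_set()`. All of the enclosing probe functions extend beyond the hunks shown, so this is based on the visible context lines only.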
@@ -0,0 +1,54 @@ +From 6909cf5c4101214f4305a62d582a5b93c7e1eb9a Mon Sep 17 00:00:00 2001 +From: Eric Whitney +Date: Mon, 22 May 2023 14:15:20 -0400 +Subject: ext4: correct inline offset when handling xattrs in inode body + +From: Eric Whitney + +commit 6909cf5c4101214f4305a62d582a5b93c7e1eb9a upstream. + +When run on a file system where the inline_data feature has been +enabled, xfstests generic/269, generic/270, and generic/476 cause ext4 +to emit error messages indicating that inline directory entries are +corrupted. This occurs because the inline offset used to locate +inline directory entries in the inode body is not updated when an +xattr in that shared region is deleted and the region is shifted in +memory to recover the space it occupied. If the deleted xattr precedes +the system.data attribute, which points to the inline directory entries, +that attribute will be moved further up in the region. The inline +offset continues to point to whatever is located in system.data's former +location, with unfortunate effects when used to access directory entries +or (presumably) inline data in the inode body. + +Cc: stable@kernel.org +Signed-off-by: Eric Whitney +Link: https://lore.kernel.org/r/20230522181520.1570360-1-enwlinux@gmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1732,6 +1732,20 @@ static int ext4_xattr_set_entry(struct e + memmove(here, (void *)here + size, + (void *)last - (void *)here + sizeof(__u32)); + memset(last, 0, size); ++ ++ /* ++ * Update i_inline_off - moved ibody region might contain ++ * system.data attribute. Handling a failure here won't ++ * cause other complications for setting an xattr. 
++ */ ++ if (!is_block && ext4_has_inline_data(inode)) { ++ ret = ext4_find_inline_data_nolock(inode); ++ if (ret) { ++ ext4_warning_inode(inode, ++ "unable to update i_inline_off"); ++ goto out; ++ } ++ } + } else if (s->not_found) { + /* Insert new name. */ + size_t size = EXT4_XATTR_LEN(name_len); diff --git a/tmp-5.15/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch b/tmp-5.15/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch new file mode 100644 index 00000000000..e9f9bf5ec36 --- /dev/null +++ b/tmp-5.15/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch @@ -0,0 +1,40 @@ +From 09ba291b1a43d05b5c6559901594b1ae4c7a1d7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jul 2023 16:16:56 +0800 +Subject: fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe + +From: Zhang Shurong + +[ Upstream commit 4e88761f5f8c7869f15a2046b1a1116f4fab4ac8 ] + +This func misses checking for platform_get_irq()'s call and may passes the +negative error codes to request_irq(), which takes unsigned IRQ #, +causing it to fail with -EINVAL, overriding an original error code. + +Fix this by stop calling request_irq() with invalid IRQ #s. + +Fixes: 1630d85a8312 ("au1200fb: fix hardcoded IRQ") +Signed-off-by: Zhang Shurong +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/au1200fb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c +index a8a0a448cdb5e..80f54111baec1 100644 +--- a/drivers/video/fbdev/au1200fb.c ++++ b/drivers/video/fbdev/au1200fb.c +@@ -1732,6 +1732,9 @@ static int au1200fb_drv_probe(struct platform_device *dev) + + /* Now hook interrupt too */ + irq = platform_get_irq(dev, 0); ++ if (irq < 0) ++ return irq; ++ + ret = request_irq(irq, au1200fb_handle_irq, + IRQF_SHARED, "lcd", (void *)dev); + if (ret) { +-- +2.39.2 + 
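Review bot: The new error path in ext4_xattr_set_entry() jumps to `out` only after the `memmove()`/`memset()` just above have already shifted the region, so a failed `ext4_find_inline_data_nolock()` returns an error with the in-memory xattr area modified and `i_inline_off` possibly still pointing at the old location. The added comment says a failure "won't cause other complications" but does not say what state is left behind. I would extend it with something like `/* On failure the entry has already been removed above and i_inline_off may be stale. */`. The `out` label and the rest of the function are outside the hunk, so whether the caller discards the modified buffer on error cannot be confirmed from here.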
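Review bot: The added `return irq;` in au1200fb_drv_probe() leaves the probe directly, while the `request_irq()` failure just below enters an `if (ret) {` block, which suggests the function has an unwind path for what it set up earlier. If earlier steps of the probe allocated or registered anything, returning here skips that cleanup. Setting `ret = irq;` and taking the same exit as the `request_irq()` failure would keep the two error paths consistent. The body of that block and the earlier part of the probe are outside the hunk, so this needs checking against the full function.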
diff --git a/tmp-5.15/fbdev-imxfb-warn-about-invalid-left-right-margin.patch b/tmp-5.15/fbdev-imxfb-warn-about-invalid-left-right-margin.patch
new file mode 100644
index 00000000000..f9ab0de4040
--- /dev/null
+++ b/tmp-5.15/fbdev-imxfb-warn-about-invalid-left-right-margin.patch
@@ -0,0 +1,43 @@
+From 4221c1d46a5ba8e42b284534336a9f71c98095fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Jun 2023 15:24:37 +0200
+Subject: fbdev: imxfb: warn about invalid left/right margin
+
+From: Martin Kaiser
+
+[ Upstream commit 4e47382fbca916d7db95cbf9e2d7ca2e9d1ca3fe ]
+
+Warn about invalid var->left_margin or var->right_margin. Their values
+are read from the device tree.
+
+We store var->left_margin-3 and var->right_margin-1 in register
+fields. These fields should be >= 0.
+
+Fixes: 7e8549bcee00 ("imxfb: Fix margin settings")
+Signed-off-by: Martin Kaiser
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/imxfb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c
+index ad598257ab386..cd376a9bfe1b7 100644
+--- a/drivers/video/fbdev/imxfb.c
++++ b/drivers/video/fbdev/imxfb.c
+@@ -602,10 +602,10 @@ static int imxfb_activate_var(struct fb_var_screeninfo *var, struct fb_info *inf
+ if (var->hsync_len < 1 || var->hsync_len > 64)
+ printk(KERN_ERR "%s: invalid hsync_len %d\n",
+ info->fix.id, var->hsync_len);
+- if (var->left_margin > 255)
++ if (var->left_margin < 3 || var->left_margin > 255)
+ printk(KERN_ERR "%s: invalid left_margin %d\n",
+ info->fix.id, var->left_margin);
+- if (var->right_margin > 255)
++ if (var->right_margin < 1 || var->right_margin > 255)
+ printk(KERN_ERR "%s: invalid right_margin %d\n",
+ info->fix.id, var->right_margin);
+ if (var->yres < 1 || var->yres > ymax_mask)
+--
+2.39.2
+
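Review bot: The widened checks on `var->left_margin` and `var->right_margin` in imxfb_activate_var() still only log. Per the commit description the driver then stores `left_margin - 3` and `right_margin - 1` in register fields, so an undersized value from the device tree is reported but presumably still reaches the register computation, where it would go negative or wrap. Rejecting the mode with `return -EINVAL;` after the `printk` would stop that, though it is a behaviour change and the neighbouring checks follow the same log-only pattern. The register write is outside the hunk, so this should be confirmed against the full function.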
diff --git a/tmp-5.15/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch b/tmp-5.15/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch
new file mode 100644
index 00000000000..9596b5e5d8f
--- /dev/null
+++ b/tmp-5.15/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch
@@ -0,0 +1,36 @@
+From 02b146546b30cc6dc399a184fa7e4c3751ac0676 Mon Sep 17 00:00:00 2001
+From: Immad Mir
+Date: Fri, 23 Jun 2023 19:17:08 +0530
+Subject: [PATCH AUTOSEL 4.14 9/9] FS: JFS: Check for read-only mounted
+ filesystem in txBegin
+X-stable: review
+X-Patchwork-Hint: Ignore
+X-stable-base: Linux 4.14.320
+
+[ Upstream commit 95e2b352c03b0a86c5717ba1d24ea20969abcacc ]
+
+ This patch adds a check for read-only mounted filesystem
+ in txBegin before starting a transaction potentially saving
+ from NULL pointer deref.
+
+Signed-off-by: Immad Mir
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/jfs_txnmgr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/jfs/jfs_txnmgr.c
++++ b/fs/jfs/jfs_txnmgr.c
+@@ -354,6 +354,11 @@ tid_t txBegin(struct super_block *sb, in
+ jfs_info("txBegin: flag = 0x%x", flag);
+ log = JFS_SBI(sb)->log;
+
++ if (!log) {
++ jfs_error(sb, "read-only filesystem\n");
++ return 0;
++ }
++
+ TXN_LOCK();
+
+ INCREMENT(TxStat.txBegin);
diff --git a/tmp-5.15/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch b/tmp-5.15/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch
new file mode 100644
index 00000000000..a17dbd964e1
--- /dev/null
+++ b/tmp-5.15/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch
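Review bot: Returning `0` from txBegin() when `log` is NULL only helps if callers treat a zero tid as failure. The context line `tid = txBegin(ip->i_sb, 0);` in the fs/jfs/namei.c patch on this page shows a caller that takes the result with no check visible after it. I would document the new contract at the check, `/* No log (read-only mount): return tid 0, callers must not continue the transaction */`, and audit the remaining callers. txBegin's body continues outside the hunk.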
@@ -0,0 +1,40 @@
+From 4eae87f4bcf394c701b5e0627338b507007ebd56 Mon Sep 17 00:00:00 2001
+From: Immad Mir
+Date: Fri, 23 Jun 2023 19:14:01 +0530
+Subject: [PATCH AUTOSEL 4.14 8/9] FS: JFS: Fix null-ptr-deref Read in txBegin
+X-stable: review
+X-Patchwork-Hint: Ignore
+X-stable-base: Linux 4.14.320
+
+[ Upstream commit 47cfdc338d674d38f4b2f22b7612cc6a2763ba27 ]
+
+ Syzkaller reported an issue where txBegin may be called
+ on a superblock in a read-only mounted filesystem which leads
+ to NULL pointer deref. This could be solved by checking if
+ the filesystem is read-only before calling txBegin, and returning
+ with appropiate error code.
+
+Reported-By: syzbot+f1faa20eec55e0c8644c@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=be7e52c50c5182cc09a09ea6fc456446b2039de3
+
+Signed-off-by: Immad Mir
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/namei.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/jfs/namei.c
++++ b/fs/jfs/namei.c
+@@ -799,6 +799,11 @@ static int jfs_link(struct dentry *old_d
+ if (rc)
+ goto out;
+
++ if (isReadOnly(ip)) {
++ jfs_error(ip->i_sb, "read-only filesystem\n");
++ return -EROFS;
++ }
++
+ tid = txBegin(ip->i_sb, 0);
+
+ mutex_lock_nested(&JFS_IP(dir)->commit_mutex, COMMIT_MUTEX_PARENT);
diff --git a/tmp-5.15/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch b/tmp-5.15/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch
new file mode 100644
index 00000000000..834786a6a75
--- /dev/null
+++ b/tmp-5.15/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch
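Review bot: The new read-only check in jfs_link() exits with `return -EROFS;`, while the failure immediately before it uses `goto out;`, so two error paths of the same function leave by different routes. Using `rc = -EROFS; goto out;` keeps whatever the `out` label does on this path too; the label is outside the hunk. Only jfs_link() is guarded here. Other callers of txBegin() are not visible in this hunk and may need the same check.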
@@ -0,0 +1,83 @@ +From 3a311ae0bb5b7f141cfab45fc7bcc0df9e2c6c0a Mon Sep 17 00:00:00 2001 +From: Yogesh +Date: Thu, 22 Jun 2023 00:07:03 +0530 +Subject: [PATCH AUTOSEL 4.14 6/9] fs: jfs: Fix UBSAN: + array-index-out-of-bounds in dbAllocDmapLev +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 4.14.320 + +[ Upstream commit 4e302336d5ca1767a06beee7596a72d3bdc8d983 ] + +Syzkaller reported the following issue: + +UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6 +index -84 is out of range for type 's8[341]' (aka 'signed char[341]') +CPU: 1 PID: 4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:217 [inline] + __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 + dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965 + dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809 + dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350 + dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874 + dtSplitUp fs/jfs/jfs_dtree.c:974 [inline] + dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863 + jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137 + lookup_open fs/namei.c:3492 [inline] + open_last_lookups fs/namei.c:3560 [inline] + path_openat+0x13df/0x3170 fs/namei.c:3788 + do_filp_open+0x234/0x490 fs/namei.c:3818 + do_sys_openat2+0x13f/0x500 fs/open.c:1356 + do_sys_open fs/open.c:1372 [inline] + __do_sys_openat fs/open.c:1388 [inline] + __se_sys_openat fs/open.c:1383 [inline] + __x64_sys_openat+0x247/0x290 fs/open.c:1383 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f1f4e33f7e9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffc21129578 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9 +RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c +RBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +The bug occurs when the dbAllocDmapLev()function attempts to access +dp->tree.stree[leafidx + LEAFIND] while the leafidx value is negative. + +To rectify this, the patch introduces a safeguard within the +dbAllocDmapLev() function. A check has been added to verify if leafidx is +negative. If it is, the function immediately returns an I/O error, preventing +any further execution that could potentially cause harm. + +Tested via syzbot. + +Reported-by: syzbot+853a6f4dfa3cf37d3aea@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=ae2f5a27a07ae44b0f17 +Signed-off-by: Yogesh +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -2027,6 +2027,9 @@ dbAllocDmapLev(struct bmap * bmp, + if (dbFindLeaf((dmtree_t *) & dp->tree, l2nb, &leafidx)) + return -ENOSPC; + ++ if (leafidx < 0) ++ return -EIO; ++ + /* determine the block number within the file system corresponding + * to the leaf at which free space was found. + */ diff --git a/tmp-5.15/fuse-ioctl-translate-enosys-in-outarg.patch b/tmp-5.15/fuse-ioctl-translate-enosys-in-outarg.patch new file mode 100644 index 00000000000..ffa3f307976 --- /dev/null +++ b/tmp-5.15/fuse-ioctl-translate-enosys-in-outarg.patch 
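Review bot: The added guard in dbAllocDmapLev() rejects only a negative `leafidx`. According to the commit description the value is then used as `dp->tree.stree[leafidx + LEAFIND]`, and a corrupted on-disk tree could presumably produce an index past the end of the array as well. Bounding both sides, `if (leafidx < 0 || leafidx + LEAFIND >= ARRAY_SIZE(dp->tree.stree)) return -EIO;`, would cover that case. The array access is outside the hunk, so the exact bound should be confirmed against it.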
@@ -0,0 +1,88 @@ +From 6a567e920fd0451bf29abc418df96c3365925770 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 7 Jun 2023 17:49:21 +0200 +Subject: fuse: ioctl: translate ENOSYS in outarg + +From: Miklos Szeredi + +commit 6a567e920fd0451bf29abc418df96c3365925770 upstream. + +Fuse shouldn't return ENOSYS from its ioctl implementation. If userspace +responds with ENOSYS it should be translated to ENOTTY. + +There are two ways to return an error from the IOCTL request: + + - fuse_out_header.error + - fuse_ioctl_out.result + +Commit 02c0cab8e734 ("fuse: ioctl: translate ENOSYS") already fixed this +issue for the first case, but missed the second case. This patch fixes the +second case. + +Reported-by: Jonathan Katz +Closes: https://lore.kernel.org/all/CALKgVmcC1VUV_gJVq70n--omMJZUb4HSh_FqvLTHgNBc+HCLFQ@mail.gmail.com/ +Fixes: 02c0cab8e734 ("fuse: ioctl: translate ENOSYS") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/ioctl.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/fs/fuse/ioctl.c ++++ b/fs/fuse/ioctl.c +@@ -9,14 +9,23 @@ + #include + #include + +-static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args) ++static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args, ++ struct fuse_ioctl_out *outarg) + { +- ssize_t ret = fuse_simple_request(fm, args); ++ ssize_t ret; ++ ++ args->out_args[0].size = sizeof(*outarg); ++ args->out_args[0].value = outarg; ++ ++ ret = fuse_simple_request(fm, args); + + /* Translate ENOSYS, which shouldn't be returned from fs */ + if (ret == -ENOSYS) + ret = -ENOTTY; + ++ if (ret >= 0 && outarg->result == -ENOSYS) ++ outarg->result = -ENOTTY; ++ + return ret; + } + +@@ -264,13 +273,11 @@ long fuse_do_ioctl(struct file *file, un + } + + ap.args.out_numargs = 2; +- ap.args.out_args[0].size = sizeof(outarg); +- ap.args.out_args[0].value = &outarg; + ap.args.out_args[1].size = out_size; + ap.args.out_pages = true; + 
ap.args.out_argvar = true; + +- transferred = fuse_send_ioctl(fm, &ap.args); ++ transferred = fuse_send_ioctl(fm, &ap.args, &outarg); + err = transferred; + if (transferred < 0) + goto out; +@@ -399,12 +406,10 @@ static int fuse_priv_ioctl(struct inode + args.in_args[1].size = inarg.in_size; + args.in_args[1].value = ptr; + args.out_numargs = 2; +- args.out_args[0].size = sizeof(outarg); +- args.out_args[0].value = &outarg; + args.out_args[1].size = inarg.out_size; + args.out_args[1].value = ptr; + +- err = fuse_send_ioctl(fm, &args); ++ err = fuse_send_ioctl(fm, &args, &outarg); + if (!err) { + if (outarg.result < 0) + err = outarg.result; diff --git a/tmp-5.15/fuse-revalidate-don-t-invalidate-if-interrupted.patch b/tmp-5.15/fuse-revalidate-don-t-invalidate-if-interrupted.patch new file mode 100644 index 00000000000..08fc64e3e8c --- /dev/null +++ b/tmp-5.15/fuse-revalidate-don-t-invalidate-if-interrupted.patch 
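Review bot: fuse_send_ioctl() now overwrites `args->out_args[0]` with the caller's `outarg` and may rewrite `outarg->result`, but nothing at the definition says so, and both callers still set `out_numargs = 2` and `out_args[1]` themselves. A short comment above the function would make the split of responsibility explicit: `/* Fills out_args[0] from outarg; the caller sets out_numargs and out_args[1]. ENOSYS becomes ENOTTY in both the return value and outarg->result. */`. Both caller functions begin and end outside their hunks.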
@@ -0,0 +1,34 @@
+From a9d1c4c6df0e568207907c04aed9e7beb1294c42 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Wed, 7 Jun 2023 17:49:20 +0200
+Subject: fuse: revalidate: don't invalidate if interrupted
+
+From: Miklos Szeredi
+
+commit a9d1c4c6df0e568207907c04aed9e7beb1294c42 upstream.
+
+If the LOOKUP request triggered from fuse_dentry_revalidate() is
+interrupted, then the dentry will be invalidated, possibly resulting in
+submounts being unmounted.
+
+Reported-by: Xu Rongbo
+Closes: https://lore.kernel.org/all/CAJfpegswN_CJJ6C3RZiaK6rpFmNyWmXfaEpnQUJ42KCwNF5tWw@mail.gmail.com/
+Fixes: 9e6268db496a ("[PATCH] FUSE - read-write operations")
+Cc:
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -249,7 +249,7 @@ static int fuse_dentry_revalidate(struct
+ spin_unlock(&fi->lock);
+ }
+ kfree(forget);
+- if (ret == -ENOMEM)
++ if (ret == -ENOMEM || ret == -EINTR)
+ goto out;
+ if (ret || fuse_invalid_attr(&outarg.attr) ||
+ fuse_stale_inode(inode, outarg.generation, &outarg.attr))
diff --git a/tmp-5.15/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch b/tmp-5.15/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch
new file mode 100644
index 00000000000..deca42c33c6
--- /dev/null
+++ b/tmp-5.15/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch
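Review bot: The condition `ret == -ENOMEM || ret == -EINTR` in fuse_dentry_revalidate() has no comment saying why these two errors skip invalidation, so the reason is easy to lose when the list is next touched. I would add `/* Transient failure: it says nothing about the dentry, so do not invalidate it */` above the `if`. The function starts and ends outside the hunk.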
@@ -0,0 +1,160 @@ +From ed0e0733668b671eb74aa3597cfb6e1322ce544c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 19:11:48 +0800 +Subject: iavf: Fix out-of-bounds when setting channels on remove + +From: Ding Hui + +[ Upstream commit 7c4bced3caa749ce468b0c5de711c98476b23a52 ] + +If we set channels greater during iavf_remove(), and waiting reset done +would be timeout, then returned with error but changed num_active_queues +directly, that will lead to OOB like the following logs. Because the +num_active_queues is greater than tx/rx_rings[] allocated actually. + +Reproducer: + + [root@host ~]# cat repro.sh + #!/bin/bash + + pf_dbsf="0000:41:00.0" + vf0_dbsf="0000:41:02.0" + g_pids=() + + function do_set_numvf() + { + echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + } + + function do_set_channel() + { + local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) + [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } + ifconfig $nic 192.168.18.5 netmask 255.255.255.0 + ifconfig $nic up + ethtool -L $nic combined 1 + ethtool -L $nic combined 4 + sleep $((RANDOM%3)) + } + + function on_exit() + { + local pid + for pid in "${g_pids[@]}"; do + kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null + done + g_pids=() + } + + trap "on_exit; exit" EXIT + + while :; do do_set_numvf ; done & + g_pids+=($!) + while :; do do_set_channel ; done & + g_pids+=($!) 
+ + wait + +Result: + +[ 3506.152887] iavf 0000:41:02.0: Removing device +[ 3510.400799] ================================================================== +[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536 +[ 3510.400823] +[ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 +[ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 +[ 3510.400835] Call Trace: +[ 3510.400851] dump_stack+0x71/0xab +[ 3510.400860] print_address_description+0x6b/0x290 +[ 3510.400865] ? iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400868] kasan_report+0x14a/0x2b0 +[ 3510.400873] iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400880] iavf_remove+0x2b6/0xc70 [iavf] +[ 3510.400884] ? iavf_free_all_rx_resources+0x160/0x160 [iavf] +[ 3510.400891] ? wait_woken+0x1d0/0x1d0 +[ 3510.400895] ? notifier_call_chain+0xc1/0x130 +[ 3510.400903] pci_device_remove+0xa8/0x1f0 +[ 3510.400910] device_release_driver_internal+0x1c6/0x460 +[ 3510.400916] pci_stop_bus_device+0x101/0x150 +[ 3510.400919] pci_stop_and_remove_bus_device+0xe/0x20 +[ 3510.400924] pci_iov_remove_virtfn+0x187/0x420 +[ 3510.400927] ? pci_iov_add_virtfn+0xe10/0xe10 +[ 3510.400929] ? pci_get_subsys+0x90/0x90 +[ 3510.400932] sriov_disable+0xed/0x3e0 +[ 3510.400936] ? bus_find_device+0x12d/0x1a0 +[ 3510.400953] i40e_free_vfs+0x754/0x1210 [i40e] +[ 3510.400966] ? i40e_reset_all_vfs+0x880/0x880 [i40e] +[ 3510.400968] ? pci_get_device+0x7c/0x90 +[ 3510.400970] ? pci_get_subsys+0x90/0x90 +[ 3510.400982] ? pci_vfs_assigned.part.7+0x144/0x210 +[ 3510.400987] ? __mutex_lock_slowpath+0x10/0x10 +[ 3510.400996] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 3510.401001] sriov_numvfs_store+0x214/0x290 +[ 3510.401005] ? sriov_totalvfs_show+0x30/0x30 +[ 3510.401007] ? __mutex_lock_slowpath+0x10/0x10 +[ 3510.401011] ? 
__check_object_size+0x15a/0x350 +[ 3510.401018] kernfs_fop_write+0x280/0x3f0 +[ 3510.401022] vfs_write+0x145/0x440 +[ 3510.401025] ksys_write+0xab/0x160 +[ 3510.401028] ? __ia32_sys_read+0xb0/0xb0 +[ 3510.401031] ? fput_many+0x1a/0x120 +[ 3510.401032] ? filp_close+0xf0/0x130 +[ 3510.401038] do_syscall_64+0xa0/0x370 +[ 3510.401041] ? page_fault+0x8/0x30 +[ 3510.401043] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 3510.401073] RIP: 0033:0x7f3a9bb842c0 +[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 +[ 3510.401080] RSP: 002b:00007ffc05f1fe18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 3510.401083] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f3a9bb842c0 +[ 3510.401085] RDX: 0000000000000002 RSI: 0000000002327408 RDI: 0000000000000001 +[ 3510.401086] RBP: 0000000002327408 R08: 00007f3a9be53780 R09: 00007f3a9c8a4700 +[ 3510.401086] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 +[ 3510.401087] R13: 0000000000000001 R14: 00007f3a9be52620 R15: 0000000000000001 +[ 3510.401090] +[ 3510.401093] Allocated by task 76795: +[ 3510.401098] kasan_kmalloc+0xa6/0xd0 +[ 3510.401099] __kmalloc+0xfb/0x200 +[ 3510.401104] iavf_init_interrupt_scheme+0x26f/0x1310 [iavf] +[ 3510.401108] iavf_watchdog_task+0x1d58/0x4050 [iavf] +[ 3510.401114] process_one_work+0x56a/0x11f0 +[ 3510.401115] worker_thread+0x8f/0xf40 +[ 3510.401117] kthread+0x2a0/0x390 +[ 3510.401119] ret_from_fork+0x1f/0x40 +[ 3510.401122] 0xffffffffffffffff +[ 3510.401123] + +In timeout handling, we should keep the original num_active_queues +and reset num_req_queues to 0. 
+ +Fixes: 4e5e6b5d9d13 ("iavf: Fix return of set the new channel count") +Signed-off-by: Ding Hui +Cc: Donglin Peng +Cc: Huang Cun +Reviewed-by: Leon Romanovsky +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index 461f5237a2f88..5af3ae68b7a14 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -1855,7 +1855,7 @@ static int iavf_set_channels(struct net_device *netdev, + } + if (i == IAVF_RESET_WAIT_COMPLETE_COUNT) { + adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; +- adapter->num_active_queues = num_req; ++ adapter->num_req_queues = 0; + return -EOPNOTSUPP; + } + +-- +2.39.2 + diff --git a/tmp-5.15/iavf-fix-use-after-free-in-free_netdev.patch b/tmp-5.15/iavf-fix-use-after-free-in-free_netdev.patch new file mode 100644 index 00000000000..f28f3a6cae6 --- /dev/null +++ b/tmp-5.15/iavf-fix-use-after-free-in-free_netdev.patch 
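Review bot: The timeout branch in iavf_set_channels() now clears `adapter->num_req_queues` but has no comment explaining why `num_active_queues` must stay untouched, which is the invariant the out-of-bounds report in the description depends on. I would add `/* Reset did not complete: rings were not reallocated, so keep num_active_queues and drop the request */` above the assignment. The function body continues outside the hunk.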
@@ -0,0 +1,215 @@ +From 793fb034d0f828d800cd51aaeae5467a813d0bd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 19:11:47 +0800 +Subject: iavf: Fix use-after-free in free_netdev + +From: Ding Hui + +[ Upstream commit 5f4fa1672d98fe99d2297b03add35346f1685d6b ] + +We do netif_napi_add() for all allocated q_vectors[], but potentially +do netif_napi_del() for part of them, then kfree q_vectors and leave +invalid pointers at dev->napi_list. + +Reproducer: + + [root@host ~]# cat repro.sh + #!/bin/bash + + pf_dbsf="0000:41:00.0" + vf0_dbsf="0000:41:02.0" + g_pids=() + + function do_set_numvf() + { + echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + } + + function do_set_channel() + { + local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) + [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } + ifconfig $nic 192.168.18.5 netmask 255.255.255.0 + ifconfig $nic up + ethtool -L $nic combined 1 + ethtool -L $nic combined 4 + sleep $((RANDOM%3)) + } + + function on_exit() + { + local pid + for pid in "${g_pids[@]}"; do + kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null + done + g_pids=() + } + + trap "on_exit; exit" EXIT + + while :; do do_set_numvf ; done & + g_pids+=($!) + while :; do do_set_channel ; done & + g_pids+=($!) + + wait + +Result: + +[ 4093.900222] ================================================================== +[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390 +[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699 +[ 4093.900233] +[ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 +[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 +[ 4093.900239] Call Trace: +[ 4093.900244] dump_stack+0x71/0xab +[ 4093.900249] print_address_description+0x6b/0x290 +[ 4093.900251] ? 
free_netdev+0x308/0x390 +[ 4093.900252] kasan_report+0x14a/0x2b0 +[ 4093.900254] free_netdev+0x308/0x390 +[ 4093.900261] iavf_remove+0x825/0xd20 [iavf] +[ 4093.900265] pci_device_remove+0xa8/0x1f0 +[ 4093.900268] device_release_driver_internal+0x1c6/0x460 +[ 4093.900271] pci_stop_bus_device+0x101/0x150 +[ 4093.900273] pci_stop_and_remove_bus_device+0xe/0x20 +[ 4093.900275] pci_iov_remove_virtfn+0x187/0x420 +[ 4093.900277] ? pci_iov_add_virtfn+0xe10/0xe10 +[ 4093.900278] ? pci_get_subsys+0x90/0x90 +[ 4093.900280] sriov_disable+0xed/0x3e0 +[ 4093.900282] ? bus_find_device+0x12d/0x1a0 +[ 4093.900290] i40e_free_vfs+0x754/0x1210 [i40e] +[ 4093.900298] ? i40e_reset_all_vfs+0x880/0x880 [i40e] +[ 4093.900299] ? pci_get_device+0x7c/0x90 +[ 4093.900300] ? pci_get_subsys+0x90/0x90 +[ 4093.900306] ? pci_vfs_assigned.part.7+0x144/0x210 +[ 4093.900309] ? __mutex_lock_slowpath+0x10/0x10 +[ 4093.900315] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 4093.900318] sriov_numvfs_store+0x214/0x290 +[ 4093.900320] ? sriov_totalvfs_show+0x30/0x30 +[ 4093.900321] ? __mutex_lock_slowpath+0x10/0x10 +[ 4093.900323] ? __check_object_size+0x15a/0x350 +[ 4093.900326] kernfs_fop_write+0x280/0x3f0 +[ 4093.900329] vfs_write+0x145/0x440 +[ 4093.900330] ksys_write+0xab/0x160 +[ 4093.900332] ? __ia32_sys_read+0xb0/0xb0 +[ 4093.900334] ? fput_many+0x1a/0x120 +[ 4093.900335] ? filp_close+0xf0/0x130 +[ 4093.900338] do_syscall_64+0xa0/0x370 +[ 4093.900339] ? 
page_fault+0x8/0x30 +[ 4093.900341] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 4093.900357] RIP: 0033:0x7f16ad4d22c0 +[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 +[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0 +[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001 +[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700 +[ 4093.900364] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 +[ 4093.900365] R13: 0000000000000001 R14: 00007f16ad7a0620 R15: 0000000000000001 +[ 4093.900367] +[ 4093.900368] Allocated by task 820: +[ 4093.900371] kasan_kmalloc+0xa6/0xd0 +[ 4093.900373] __kmalloc+0xfb/0x200 +[ 4093.900376] iavf_init_interrupt_scheme+0x63b/0x1320 [iavf] +[ 4093.900380] iavf_watchdog_task+0x3d51/0x52c0 [iavf] +[ 4093.900382] process_one_work+0x56a/0x11f0 +[ 4093.900383] worker_thread+0x8f/0xf40 +[ 4093.900384] kthread+0x2a0/0x390 +[ 4093.900385] ret_from_fork+0x1f/0x40 +[ 4093.900387] 0xffffffffffffffff +[ 4093.900387] +[ 4093.900388] Freed by task 6699: +[ 4093.900390] __kasan_slab_free+0x137/0x190 +[ 4093.900391] kfree+0x8b/0x1b0 +[ 4093.900394] iavf_free_q_vectors+0x11d/0x1a0 [iavf] +[ 4093.900397] iavf_remove+0x35a/0xd20 [iavf] +[ 4093.900399] pci_device_remove+0xa8/0x1f0 +[ 4093.900400] device_release_driver_internal+0x1c6/0x460 +[ 4093.900401] pci_stop_bus_device+0x101/0x150 +[ 4093.900402] pci_stop_and_remove_bus_device+0xe/0x20 +[ 4093.900403] pci_iov_remove_virtfn+0x187/0x420 +[ 4093.900404] sriov_disable+0xed/0x3e0 +[ 4093.900409] i40e_free_vfs+0x754/0x1210 [i40e] +[ 4093.900415] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 4093.900416] sriov_numvfs_store+0x214/0x290 +[ 4093.900417] 
kernfs_fop_write+0x280/0x3f0 +[ 4093.900418] vfs_write+0x145/0x440 +[ 4093.900419] ksys_write+0xab/0x160 +[ 4093.900420] do_syscall_64+0xa0/0x370 +[ 4093.900421] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 4093.900422] 0xffffffffffffffff +[ 4093.900422] +[ 4093.900424] The buggy address belongs to the object at ffff88b4dc144200 + which belongs to the cache kmalloc-8k of size 8192 +[ 4093.900425] The buggy address is located 5184 bytes inside of + 8192-byte region [ffff88b4dc144200, ffff88b4dc146200) +[ 4093.900425] The buggy address belongs to the page: +[ 4093.900427] page:ffffea00d3705000 refcount:1 mapcount:0 mapping:ffff88bf04415c80 index:0x0 compound_mapcount: 0 +[ 4093.900430] flags: 0x10000000008100(slab|head) +[ 4093.900433] raw: 0010000000008100 dead000000000100 dead000000000200 ffff88bf04415c80 +[ 4093.900434] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000 +[ 4093.900434] page dumped because: kasan: bad access detected +[ 4093.900435] +[ 4093.900435] Memory state around the buggy address: +[ 4093.900436] ffff88b4dc145500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900437] ffff88b4dc145580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900438] >ffff88b4dc145600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900438] ^ +[ 4093.900439] ffff88b4dc145680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900440] ffff88b4dc145700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900440] ================================================================== + +Although the patch #2 (of 2) can avoid the issue triggered by this +repro.sh, there still are other potential risks that if num_active_queues +is changed to less than allocated q_vectors[] by unexpected, the +mismatched netif_napi_add/del() can also cause UAF. 
+ +Since we actually call netif_napi_add() for all allocated q_vectors +unconditionally in iavf_alloc_q_vectors(), so we should fix it by +letting netif_napi_del() match to netif_napi_add(). + +Fixes: 5eae00c57f5e ("i40evf: main driver core") +Signed-off-by: Ding Hui +Cc: Donglin Peng +Cc: Huang Cun +Reviewed-by: Simon Horman +Reviewed-by: Madhu Chittim +Reviewed-by: Leon Romanovsky +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 3e45ca40288ad..bcceb2ddfea63 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1507,19 +1507,16 @@ static int iavf_alloc_q_vectors(struct iavf_adapter *adapter) + static void iavf_free_q_vectors(struct iavf_adapter *adapter) + { + int q_idx, num_q_vectors; +- int napi_vectors; + + if (!adapter->q_vectors) + return; + + num_q_vectors = adapter->num_msix_vectors - NONQ_VECS; +- napi_vectors = adapter->num_active_queues; + + for (q_idx = 0; q_idx < num_q_vectors; q_idx++) { + struct iavf_q_vector *q_vector = &adapter->q_vectors[q_idx]; + +- if (q_idx < napi_vectors) +- netif_napi_del(&q_vector->napi); ++ netif_napi_del(&q_vector->napi); + } + kfree(adapter->q_vectors); + adapter->q_vectors = NULL; +-- +2.39.2 + diff --git a/tmp-5.15/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch b/tmp-5.15/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch new file mode 100644 index 00000000000..253bd9afbfd --- /dev/null +++ b/tmp-5.15/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch 
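Review bot: iavf_free_q_vectors() now calls `netif_napi_del()` for every index below `adapter->num_msix_vectors - NONQ_VECS`, which is only safe if iavf_alloc_q_vectors() used the same count when it allocated `q_vectors` and called `netif_napi_add()`. That pairing is stated in the commit description but not in the code. A comment above the loop, such as `/* NAPI was added for every allocated vector in iavf_alloc_q_vectors(); delete all of them before kfree() */`, would keep the two functions in step. iavf_alloc_q_vectors() is outside the hunk, so that it uses the same bound is inferred from the description.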
@@ -0,0 +1,73 @@ +From bb43210055434ee1927664f677efc3176833d9d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 10:54:44 -0700 +Subject: igc: Prevent garbled TX queue with XDP ZEROCOPY + +From: Florian Kauer + +[ Upstream commit 78adb4bcf99effbb960c5f9091e2e062509d1030 ] + +In normal operation, each populated queue item has +next_to_watch pointing to the last TX desc of the packet, +while each cleaned item has it set to 0. In particular, +next_to_use that points to the next (necessarily clean) +item to use has next_to_watch set to 0. + +When the TX queue is used both by an application using +AF_XDP with ZEROCOPY as well as a second non-XDP application +generating high traffic, the queue pointers can get in +an invalid state where next_to_use points to an item +where next_to_watch is NOT set to 0. + +However, the implementation assumes at several places +that this is never the case, so if it does hold, +bad things happen. In particular, within the loop inside +of igc_clean_tx_irq(), next_to_clean can overtake next_to_use. +Finally, this prevents any further transmission via +this queue and it never gets unblocked or signaled. +Secondly, if the queue is in this garbled state, +the inner loop of igc_clean_tx_ring() will never terminate, +completely hogging a CPU core. + +The reason is that igc_xdp_xmit_zc() reads next_to_use +before acquiring the lock, and writing it back +(potentially unmodified) later. If it got modified +before locking, the outdated next_to_use is written +pointing to an item that was already used elsewhere +(and thus next_to_watch got written). 
+ +Fixes: 9acf59a752d4 ("igc: Enable TX via AF_XDP zero-copy") +Signed-off-by: Florian Kauer +Reviewed-by: Kurt Kanzenbach +Tested-by: Kurt Kanzenbach +Acked-by: Vinicius Costa Gomes +Reviewed-by: Simon Horman +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20230717175444.3217831-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -2748,15 +2748,15 @@ static void igc_xdp_xmit_zc(struct igc_r + struct netdev_queue *nq = txring_txq(ring); + union igc_adv_tx_desc *tx_desc = NULL; + int cpu = smp_processor_id(); +- u16 ntu = ring->next_to_use; + struct xdp_desc xdp_desc; +- u16 budget; ++ u16 budget, ntu; + + if (!netif_carrier_ok(ring->netdev)) + return; + + __netif_tx_lock(nq, cpu); + ++ ntu = ring->next_to_use; + budget = igc_desc_unused(ring); + + while (xsk_tx_peek_desc(pool, &xdp_desc) && budget--) { diff --git a/tmp-5.15/jbd2-recheck-chechpointing-non-dirty-buffer.patch b/tmp-5.15/jbd2-recheck-chechpointing-non-dirty-buffer.patch new file mode 100644 index 00000000000..2cd2baafb78 --- /dev/null +++ b/tmp-5.15/jbd2-recheck-chechpointing-non-dirty-buffer.patch 
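Review bot: Nothing in igc_xdp_xmit_zc() records why `ntu = ring->next_to_use;` now sits after `__netif_tx_lock(nq, cpu)`, so a later tidy-up could move it back into the declarations and reintroduce the stale-index write-back the commit message describes. A one-line comment above the assignment would pin it, for example `/* next_to_use can be advanced by other users of this queue; read it only under the tx lock */`. The rest of the function, including the place where `ntu` is written back to the ring, is outside this hunk.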
@@ -0,0 +1,191 @@ +From c2d6fd9d6f35079f1669f0100f05b46708c74b7f Mon Sep 17 00:00:00 2001 +From: Zhang Yi +Date: Tue, 6 Jun 2023 21:59:23 +0800 +Subject: jbd2: recheck chechpointing non-dirty buffer + +From: Zhang Yi + +commit c2d6fd9d6f35079f1669f0100f05b46708c74b7f upstream. + +There is a long-standing metadata corruption issue that happens from +time to time, but it's very difficult to reproduce and analyse, benefit +from the JBD2_CYCLE_RECORD option, we found out that the problem is the +checkpointing process miss to write out some buffers which are raced by +another do_get_write_access(). Looks below for detail. + +jbd2_log_do_checkpoint() //transaction X + //buffer A is dirty and not belones to any transaction + __buffer_relink_io() //move it to the IO list + __flush_batch() + write_dirty_buffer() + do_get_write_access() + clear_buffer_dirty + __jbd2_journal_file_buffer() + //add buffer A to a new transaction Y + lock_buffer(bh) + //doesn't write out + __jbd2_journal_remove_checkpoint() + //finish checkpoint except buffer A + //filesystem corrupt if the new transaction Y isn't fully write out. + +Due to the t_checkpoint_list walking loop in jbd2_log_do_checkpoint() +have already handles waiting for buffers under IO and re-added new +transaction to complete commit, and it also removing cleaned buffers, +this makes sure the list will eventually get empty. So it's fine to +leave buffers on the t_checkpoint_list while flushing out and completely +stop using the t_checkpoint_io_list. 
+ +Cc: stable@vger.kernel.org +Suggested-by: Jan Kara +Signed-off-by: Zhang Yi +Tested-by: Zhihao Cheng +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230606135928.434610-2-yi.zhang@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/checkpoint.c | 102 ++++++++++++++------------------------------------- + 1 file changed, 29 insertions(+), 73 deletions(-) + +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -58,28 +58,6 @@ static inline void __buffer_unlink(struc + } + + /* +- * Move a buffer from the checkpoint list to the checkpoint io list +- * +- * Called with j_list_lock held +- */ +-static inline void __buffer_relink_io(struct journal_head *jh) +-{ +- transaction_t *transaction = jh->b_cp_transaction; +- +- __buffer_unlink_first(jh); +- +- if (!transaction->t_checkpoint_io_list) { +- jh->b_cpnext = jh->b_cpprev = jh; +- } else { +- jh->b_cpnext = transaction->t_checkpoint_io_list; +- jh->b_cpprev = transaction->t_checkpoint_io_list->b_cpprev; +- jh->b_cpprev->b_cpnext = jh; +- jh->b_cpnext->b_cpprev = jh; +- } +- transaction->t_checkpoint_io_list = jh; +-} +- +-/* + * Check a checkpoint buffer could be release or not. + * + * Requires j_list_lock +@@ -183,6 +161,7 @@ __flush_batch(journal_t *journal, int *b + struct buffer_head *bh = journal->j_chkpt_bhs[i]; + BUFFER_TRACE(bh, "brelse"); + __brelse(bh); ++ journal->j_chkpt_bhs[i] = NULL; + } + *batch_count = 0; + } +@@ -242,6 +221,11 @@ restart: + jh = transaction->t_checkpoint_list; + bh = jh2bh(jh); + ++ /* ++ * The buffer may be writing back, or flushing out in the ++ * last couple of cycles, or re-adding into a new transaction, ++ * need to check it again until it's unlocked. 
++ */ + if (buffer_locked(bh)) { + get_bh(bh); + spin_unlock(&journal->j_list_lock); +@@ -287,28 +271,32 @@ restart: + } + if (!buffer_dirty(bh)) { + BUFFER_TRACE(bh, "remove from checkpoint"); +- if (__jbd2_journal_remove_checkpoint(jh)) +- /* The transaction was released; we're done */ ++ /* ++ * If the transaction was released or the checkpoint ++ * list was empty, we're done. ++ */ ++ if (__jbd2_journal_remove_checkpoint(jh) || ++ !transaction->t_checkpoint_list) + goto out; +- continue; ++ } else { ++ /* ++ * We are about to write the buffer, it could be ++ * raced by some other transaction shrink or buffer ++ * re-log logic once we release the j_list_lock, ++ * leave it on the checkpoint list and check status ++ * again to make sure it's clean. ++ */ ++ BUFFER_TRACE(bh, "queue"); ++ get_bh(bh); ++ J_ASSERT_BH(bh, !buffer_jwrite(bh)); ++ journal->j_chkpt_bhs[batch_count++] = bh; ++ transaction->t_chp_stats.cs_written++; ++ transaction->t_checkpoint_list = jh->b_cpnext; + } +- /* +- * Important: we are about to write the buffer, and +- * possibly block, while still holding the journal +- * lock. We cannot afford to let the transaction +- * logic start messing around with this buffer before +- * we write it to disk, as that would break +- * recoverability. +- */ +- BUFFER_TRACE(bh, "queue"); +- get_bh(bh); +- J_ASSERT_BH(bh, !buffer_jwrite(bh)); +- journal->j_chkpt_bhs[batch_count++] = bh; +- __buffer_relink_io(jh); +- transaction->t_chp_stats.cs_written++; ++ + if ((batch_count == JBD2_NR_BATCH) || +- need_resched() || +- spin_needbreak(&journal->j_list_lock)) ++ need_resched() || spin_needbreak(&journal->j_list_lock) || ++ jh2bh(transaction->t_checkpoint_list) == journal->j_chkpt_bhs[0]) + goto unlock_and_flush; + } + +@@ -322,38 +310,6 @@ restart: + goto restart; + } + +- /* +- * Now we issued all of the transaction's buffers, let's deal +- * with the buffers that are out for I/O. +- */ +-restart2: +- /* Did somebody clean up the transaction in the meanwhile? 
*/ +- if (journal->j_checkpoint_transactions != transaction || +- transaction->t_tid != this_tid) +- goto out; +- +- while (transaction->t_checkpoint_io_list) { +- jh = transaction->t_checkpoint_io_list; +- bh = jh2bh(jh); +- if (buffer_locked(bh)) { +- get_bh(bh); +- spin_unlock(&journal->j_list_lock); +- wait_on_buffer(bh); +- /* the journal_head may have gone by now */ +- BUFFER_TRACE(bh, "brelse"); +- __brelse(bh); +- spin_lock(&journal->j_list_lock); +- goto restart2; +- } +- +- /* +- * Now in whatever state the buffer currently is, we +- * know that it has been written out and so we can +- * drop it from the list +- */ +- if (__jbd2_journal_remove_checkpoint(jh)) +- break; +- } + out: + spin_unlock(&journal->j_list_lock); + result = jbd2_cleanup_journal_tail(journal); diff --git a/tmp-5.15/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch b/tmp-5.15/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch new file mode 100644 index 00000000000..75ed3459f73 --- /dev/null +++ b/tmp-5.15/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch 
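Review bot: The new loop exit `jh2bh(transaction->t_checkpoint_list) == journal->j_chkpt_bhs[0]` in jbd2_log_do_checkpoint() has no comment, and it depends on the separate change in `__flush_batch()` that clears each slot with `journal->j_chkpt_bhs[i] = NULL`. Without that clearing, slot 0 would still hold a pointer from an earlier batch, and the comparison could match it while the current batch is empty. A comment on the condition would keep the two changes tied together, for example `/* stop when the list walk wraps back to the first buffer queued in this batch; slots are NULL while the batch is empty */`. The function starts and ends outside the hunks shown, so whether slot 0 is also NULL before the first flush cannot be confirmed from here.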
@@ -0,0 +1,177 @@ +From d55901522f96082a43b9842d34867363c0cdbac5 Mon Sep 17 00:00:00 2001 +From: Petr Pavlu +Date: Thu, 23 Mar 2023 14:04:12 +0100 +Subject: keys: Fix linking a duplicate key to a keyring's assoc_array + +From: Petr Pavlu + +commit d55901522f96082a43b9842d34867363c0cdbac5 upstream. + +When making a DNS query inside the kernel using dns_query(), the request +code can in rare cases end up creating a duplicate index key in the +assoc_array of the destination keyring. It is eventually found by +a BUG_ON() check in the assoc_array implementation and results in +a crash. + +Example report: +[2158499.700025] kernel BUG at ../lib/assoc_array.c:652! +[2158499.700039] invalid opcode: 0000 [#1] SMP PTI +[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3 +[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 +[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs] +[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40 +[2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f +[2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282 +[2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005 +[2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 +[2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000 +[2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28 +[2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740 +[2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000 +[2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[2158499.700630] CR2: 00007fdd94fca238 CR3: 
0000000809d8c006 CR4: 00000000003706e0 +[2158499.700702] Call Trace: +[2158499.700741] ? key_alloc+0x447/0x4b0 +[2158499.700768] ? __key_link_begin+0x43/0xa0 +[2158499.700790] __key_link_begin+0x43/0xa0 +[2158499.700814] request_key_and_link+0x2c7/0x730 +[2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver] +[2158499.700873] ? key_default_cmp+0x20/0x20 +[2158499.700898] request_key_tag+0x43/0xa0 +[2158499.700926] dns_query+0x114/0x2ca [dns_resolver] +[2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs] +[2158499.701164] ? scnprintf+0x49/0x90 +[2158499.701190] ? __switch_to_asm+0x40/0x70 +[2158499.701211] ? __switch_to_asm+0x34/0x70 +[2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs] +[2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs] +[2158499.701632] process_one_work+0x1f8/0x3e0 +[2158499.701658] worker_thread+0x2d/0x3f0 +[2158499.701682] ? process_one_work+0x3e0/0x3e0 +[2158499.701703] kthread+0x10d/0x130 +[2158499.701723] ? kthread_park+0xb0/0xb0 +[2158499.701746] ret_from_fork+0x1f/0x40 + +The situation occurs as follows: +* Some kernel facility invokes dns_query() to resolve a hostname, for + example, "abcdef". The function registers its global DNS resolver + cache as current->cred.thread_keyring and passes the query to + request_key_net() -> request_key_tag() -> request_key_and_link(). +* Function request_key_and_link() creates a keyring_search_context + object. Its match_data.cmp method gets set via a call to + type->match_preparse() (resolves to dns_resolver_match_preparse()) to + dns_resolver_cmp(). +* Function request_key_and_link() continues and invokes + search_process_keyrings_rcu() which returns that a given key was not + found. The control is then passed to request_key_and_link() -> + construct_alloc_key(). +* Concurrently to that, a second task similarly makes a DNS query for + "abcdef." and its result gets inserted into the DNS resolver cache. 
+* Back on the first task, function construct_alloc_key() first runs + __key_link_begin() to determine an assoc_array_edit operation to + insert a new key. Index keys in the array are compared exactly as-is, + using keyring_compare_object(). The operation finds that "abcdef" is + not yet present in the destination keyring. +* Function construct_alloc_key() continues and checks if a given key is + already present on some keyring by again calling + search_process_keyrings_rcu(). This search is done using + dns_resolver_cmp() and "abcdef" gets matched with now present key + "abcdef.". +* The found key is linked on the destination keyring by calling + __key_link() and using the previously calculated assoc_array_edit + operation. This inserts the "abcdef." key in the array but creates + a duplicity because the same index key is already present. + +Fix the problem by postponing __key_link_begin() in +construct_alloc_key() until an actual key which should be linked into +the destination keyring is determined. 
+ +[jarkko@kernel.org: added a fixes tag and cc to stable] +Cc: stable@vger.kernel.org # v5.3+ +Fixes: df593ee23e05 ("keys: Hoist locking out of __key_link_begin()") +Signed-off-by: Petr Pavlu +Reviewed-by: Joey Lee +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/request_key.c | 35 ++++++++++++++++++++++++----------- + 1 file changed, 24 insertions(+), 11 deletions(-) + +--- a/security/keys/request_key.c ++++ b/security/keys/request_key.c +@@ -401,17 +401,21 @@ static int construct_alloc_key(struct ke + set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); + + if (dest_keyring) { +- ret = __key_link_lock(dest_keyring, &ctx->index_key); ++ ret = __key_link_lock(dest_keyring, &key->index_key); + if (ret < 0) + goto link_lock_failed; +- ret = __key_link_begin(dest_keyring, &ctx->index_key, &edit); +- if (ret < 0) +- goto link_prealloc_failed; + } + +- /* attach the key to the destination keyring under lock, but we do need ++ /* ++ * Attach the key to the destination keyring under lock, but we do need + * to do another check just in case someone beat us to it whilst we +- * waited for locks */ ++ * waited for locks. ++ * ++ * The caller might specify a comparison function which looks for keys ++ * that do not exactly match but are still equivalent from the caller's ++ * perspective. The __key_link_begin() operation must be done only after ++ * an actual key is determined. 
++ */ + mutex_lock(&key_construction_mutex); + + rcu_read_lock(); +@@ -420,12 +424,16 @@ static int construct_alloc_key(struct ke + if (!IS_ERR(key_ref)) + goto key_already_present; + +- if (dest_keyring) ++ if (dest_keyring) { ++ ret = __key_link_begin(dest_keyring, &key->index_key, &edit); ++ if (ret < 0) ++ goto link_alloc_failed; + __key_link(dest_keyring, key, &edit); ++ } + + mutex_unlock(&key_construction_mutex); + if (dest_keyring) +- __key_link_end(dest_keyring, &ctx->index_key, edit); ++ __key_link_end(dest_keyring, &key->index_key, edit); + mutex_unlock(&user->cons_lock); + *_key = key; + kleave(" = 0 [%d]", key_serial(key)); +@@ -438,10 +446,13 @@ key_already_present: + mutex_unlock(&key_construction_mutex); + key = key_ref_to_ptr(key_ref); + if (dest_keyring) { ++ ret = __key_link_begin(dest_keyring, &key->index_key, &edit); ++ if (ret < 0) ++ goto link_alloc_failed_unlocked; + ret = __key_link_check_live_key(dest_keyring, key); + if (ret == 0) + __key_link(dest_keyring, key, &edit); +- __key_link_end(dest_keyring, &ctx->index_key, edit); ++ __key_link_end(dest_keyring, &key->index_key, edit); + if (ret < 0) + goto link_check_failed; + } +@@ -456,8 +467,10 @@ link_check_failed: + kleave(" = %d [linkcheck]", ret); + return ret; + +-link_prealloc_failed: +- __key_link_end(dest_keyring, &ctx->index_key, edit); ++link_alloc_failed: ++ mutex_unlock(&key_construction_mutex); ++link_alloc_failed_unlocked: ++ __key_link_end(dest_keyring, &key->index_key, edit); + link_lock_failed: + mutex_unlock(&user->cons_lock); + key_put(key); diff --git a/tmp-5.15/llc-don-t-drop-packet-from-non-root-netns.patch b/tmp-5.15/llc-don-t-drop-packet-from-non-root-netns.patch new file mode 100644 index 00000000000..5d939ebb6fd --- /dev/null +++ b/tmp-5.15/llc-don-t-drop-packet-from-non-root-netns.patch 
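Review bot: In construct_alloc_key() the lock and unlock of the destination keyring can end up using the index keys of two different keys. The lock is taken with `__key_link_lock(dest_keyring, &key->index_key)` while `key` is the newly allocated key, but on the `key_already_present` path `key` is reassigned by `key = key_ref_to_ptr(key_ref)` before `__key_link_begin()` and `__key_link_end()` are called with `&key->index_key`. This is presumably safe because the found key has the same type as the allocated one, but that assumption should be written down, for example `/* key is now the key found by the search; same type as the key used for __key_link_lock() */`. The `link_alloc_failed_unlocked` label also passes `edit` to `__key_link_end()` after `__key_link_begin()` has failed, which relies on `edit` being initialised to NULL at its declaration; that declaration is outside the hunk and should be checked.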
@@ -0,0 +1,50 @@
+From 89b30c37fc08137056e1e5b35d0ee92268ef0b78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Jul 2023 10:41:51 -0700
+Subject: llc: Don't drop packet from non-root netns.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 6631463b6e6673916d2481f692938f393148aa82 ]
+
+Now these upper layer protocol handlers can be called from llc_rcv()
+as sap->rcv_func(), which is registered by llc_sap_open().
+
+ * function which is passed to register_8022_client()
+ -> no in-kernel user calls register_8022_client().
+
+ * snap_rcv()
+ `- proto->rcvfunc() : registered by register_snap_client()
+ -> aarp_rcv() and atalk_rcv() drop packets from non-root netns
+
+ * stp_pdu_rcv()
+ `- garp_protos[]->rcv() : registered by stp_proto_register()
+ -> garp_pdu_rcv() and br_stp_rcv() are netns-aware
+
+So, we can safely remove the netns restriction in llc_rcv().
+
+Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/llc/llc_input.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
+index c309b72a58779..7cac441862e21 100644
+--- a/net/llc/llc_input.c
++++ b/net/llc/llc_input.c
+@@ -163,9 +163,6 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
+ void (*sta_handler)(struct sk_buff *skb);
+ void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb);
+
+- if (!net_eq(dev_net(dev), &init_net))
+- goto drop;
+-
+ /*
+ * When the interface is in promisc. mode, drop all the crap that it
+ * receives, do not try to analyse it.
+--
+2.39.2
+
diff --git a/tmp-5.15/mips-dec-prom-address-warray-bounds-warning.patch b/tmp-5.15/mips-dec-prom-address-warray-bounds-warning.patch
new file mode 100644
index 00000000000..60b7fdc9d4d
--- /dev/null
+++ b/tmp-5.15/mips-dec-prom-address-warray-bounds-warning.patch
@@ -0,0 +1,51 @@
+From 9cd6870b3a886b304a46f07e941ddfb43069cbad Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Thu, 22 Jun 2023 17:43:57 -0600
+Subject: [PATCH AUTOSEL 4.14 7/9] MIPS: dec: prom: Address -Warray-bounds
+ warning
+X-stable: review
+X-Patchwork-Hint: Ignore
+X-stable-base: Linux 4.14.320
+
+[ Upstream commit 7b191b9b55df2a844bd32d1d380f47a7df1c2896 ]
+
+Zero-length arrays are deprecated, and we are replacing them with flexible
+array members instead. So, replace zero-length array with flexible-array
+member in struct memmap.
+
+Address the following warning found after building (with GCC-13) mips64
+with decstation_64_defconfig:
+In function 'rex_setup_memory_region',
+ inlined from 'prom_meminit' at arch/mips/dec/prom/memory.c:91:3:
+arch/mips/dec/prom/memory.c:72:31: error: array subscript i is outside array bounds of 'unsigned char[0]' [-Werror=array-bounds=]
+ 72 | if (bm->bitmap[i] == 0xff)
+ | ~~~~~~~~~~^~~
+In file included from arch/mips/dec/prom/memory.c:16:
+./arch/mips/include/asm/dec/prom.h: In function 'prom_meminit':
+./arch/mips/include/asm/dec/prom.h:73:23: note: while referencing 'bitmap'
+ 73 | unsigned char bitmap[0];
+
+This helps with the ongoing efforts to globally enable -Warray-bounds.
+
+This results in no differences in binary output.
+
+Link: https://github.com/KSPP/linux/issues/79
+Link: https://github.com/KSPP/linux/issues/323
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/include/asm/dec/prom.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/dec/prom.h
++++ b/arch/mips/include/asm/dec/prom.h
+@@ -70,7 +70,7 @@ static inline bool prom_is_rex(u32 magic
+ */
+ typedef struct {
+ int pagesize;
+- unsigned char bitmap[0];
++ unsigned char bitmap[];
+ } memmap;
+
+
diff --git a/tmp-5.15/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch b/tmp-5.15/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch
new file mode 100644
index 00000000000..55cc9262a92
--- /dev/null
+++ b/tmp-5.15/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch
@@ -0,0 +1,86 @@ +From b23396ba46fea961466d9c753063ef3f69673c03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 03:42:29 +0100 +Subject: net: ethernet: mtk_eth_soc: handle probe deferral + +From: Daniel Golle + +[ Upstream commit 1d6d537dc55d1f42d16290f00157ac387985b95b ] + +Move the call to of_get_ethdev_address to mtk_add_mac which is part of +the probe function and can hence itself return -EPROBE_DEFER should +of_get_ethdev_address return -EPROBE_DEFER. This allows us to entirely +get rid of the mtk_init function. + +The problem of of_get_ethdev_address returning -EPROBE_DEFER surfaced +in situations in which the NVMEM provider holding the MAC address has +not yet be loaded at the time mtk_eth_soc is initially probed. In this +case probing of mtk_eth_soc should be deferred instead of falling back +to use a random MAC address, so once the NVMEM provider becomes +available probing can be repeated. + +Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet") +Signed-off-by: Daniel Golle +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 29 ++++++++------------- + 1 file changed, 11 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index c55ba1d085e5b..50ee9d3d4c841 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -2612,23 +2612,6 @@ static int mtk_hw_deinit(struct mtk_eth *eth) + return 0; + } + +-static int __init mtk_init(struct net_device *dev) +-{ +- struct mtk_mac *mac = netdev_priv(dev); +- struct mtk_eth *eth = mac->hw; +- int ret; +- +- ret = of_get_ethdev_address(mac->of_node, dev); +- if (ret) { +- /* If the mac address is invalid, use random mac address */ +- eth_hw_addr_random(dev); +- dev_err(eth->dev, "generated random MAC address %pM\n", +- dev->dev_addr); +- } +- +- return 0; +-} +- + static void mtk_uninit(struct net_device *dev) + { + struct mtk_mac *mac = netdev_priv(dev); +@@ -2956,7 +2939,6 @@ static const struct ethtool_ops mtk_ethtool_ops = { + }; + + static const struct net_device_ops mtk_netdev_ops = { +- .ndo_init = mtk_init, + .ndo_uninit = mtk_uninit, + .ndo_open = mtk_open, + .ndo_stop = mtk_stop, +@@ -3010,6 +2992,17 @@ static int mtk_add_mac(struct mtk_eth *eth, struct device_node *np) + mac->hw = eth; + mac->of_node = np; + ++ err = of_get_ethdev_address(mac->of_node, eth->netdev[id]); ++ if (err == -EPROBE_DEFER) ++ return err; ++ ++ if (err) { ++ /* If the mac address is invalid, use random mac address */ ++ eth_hw_addr_random(eth->netdev[id]); ++ dev_err(eth->dev, "generated random MAC address %pM\n", ++ eth->netdev[id]->dev_addr); ++ } ++ + memset(mac->hwlro_ip, 0, sizeof(mac->hwlro_ip)); + mac->hwlro_ip_cnt = 0; + +-- +2.39.2 + 
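Review bot: The added `if (err == -EPROBE_DEFER) return err;` in mtk_add_mac() leaves the function directly, after `eth->netdev[id]` is already in use and `mac` has been filled in, so it bypasses any cleanup label the function has for releasing the net_device. If the probe caller does not free `eth->netdev[id]` itself on failure, each deferred probe would leak one allocation. The start of mtk_add_mac() and its error labels are outside the hunk, so this needs confirming there. If a cleanup label exists, route the deferral through it, e.g. `if (err == -EPROBE_DEFER) goto <cleanup_label>;`, with the label name taken from the function.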
diff --git a/tmp-5.15/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch b/tmp-5.15/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch
new file mode 100644
index 00000000000..aa02245b6bd
--- /dev/null
+++ b/tmp-5.15/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch
@@ -0,0 +1,78 @@ +From 5450103b6d7a14e4d67a13632e7a20c440666660 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 16:36:57 +0530 +Subject: net: ethernet: ti: cpsw_ale: Fix + cpsw_ale_get_field()/cpsw_ale_set_field() + +From: Tanmay Patil + +[ Upstream commit b685f1a58956fa36cc01123f253351b25bfacfda ] + +CPSW ALE has 75 bit ALE entries which are stored within three 32 bit words. +The cpsw_ale_get_field() and cpsw_ale_set_field() functions assume that the +field will be strictly contained within one word. However, this is not +guaranteed to be the case and it is possible for ALE field entries to span +across up to two words at the most. + +Fix the methods to handle getting/setting fields spanning up to two words. + +Fixes: db82173f23c5 ("netdev: driver: ethernet: add cpsw address lookup engine support") +Signed-off-by: Tanmay Patil +[s-vadapalli@ti.com: rephrased commit message and added Fixes tag] +Signed-off-by: Siddharth Vadapalli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/cpsw_ale.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c +index 1ef0aaef5c61c..8c59e34d8bcaf 100644 +--- a/drivers/net/ethernet/ti/cpsw_ale.c ++++ b/drivers/net/ethernet/ti/cpsw_ale.c +@@ -104,23 +104,37 @@ struct cpsw_ale_dev_id { + + static inline int cpsw_ale_get_field(u32 *ale_entry, u32 start, u32 bits) + { +- int idx; ++ int idx, idx2; ++ u32 hi_val = 0; + + idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be fetched exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ hi_val = ale_entry[idx2] << ((idx2 * 32) - start); ++ } + start -= idx * 32; + idx = 2 - idx; /* flip */ +- return (ale_entry[idx] >> start) & BITMASK(bits); ++ return (hi_val + (ale_entry[idx] >> start)) & BITMASK(bits); + } + + static inline void cpsw_ale_set_field(u32 *ale_entry, u32 start, 
u32 bits, + u32 value) + { +- int idx; ++ int idx, idx2; + + value &= BITMASK(bits); +- idx = start / 32; ++ idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be set exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ ale_entry[idx2] &= ~(BITMASK(bits + start - (idx2 * 32))); ++ ale_entry[idx2] |= (value >> ((idx2 * 32) - start)); ++ } + start -= idx * 32; +- idx = 2 - idx; /* flip */ ++ idx = 2 - idx; /* flip */ + ale_entry[idx] &= ~(BITMASK(bits) << start); + ale_entry[idx] |= (value << start); + } +-- +2.39.2 + diff --git a/tmp-5.15/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch b/tmp-5.15/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch new file mode 100644 index 00000000000..e040a0a2343 --- /dev/null +++ b/tmp-5.15/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch @@ -0,0 +1,38 @@ +From 4c5cfad570615aaea94ab3da1e15d7f4a773562f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 17:59:19 +0800 +Subject: net: ipv4: Use kfree_sensitive instead of kfree + +From: Wang Ming + +[ Upstream commit daa751444fd9d4184270b1479d8af49aaf1a1ee6 ] + +key might contain private part of the key, so better use +kfree_sensitive to free it. + +Fixes: 38320c70d282 ("[IPSEC]: Use crypto_aead and authenc in ESP") +Signed-off-by: Wang Ming +Reviewed-by: Tariq Toukan +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/esp4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c +index d747166bb291c..386e9875e5b80 100644 +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -1133,7 +1133,7 @@ static int esp_init_authenc(struct xfrm_state *x) + err = crypto_aead_setkey(aead, key, keylen); + + free_key: +- kfree(key); ++ kfree_sensitive(key); + + error: + return err; +-- +2.39.2 + 
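Review bot: In the two-word branch of cpsw_ale_get_field(), `idx2` is flipped to the array index (`idx2 = 2 - idx2`) before it is used in the shift `(idx2 * 32) - start`, so the shift is computed from the array position rather than the bit position. This works when the field crosses from the first to the second 32-bit word, because the flip of 1 is 1. For a field crossing bit 63/64 the flipped `idx2` is 0 and `0 - start` wraps as u32 to a shift count far above 31, which is undefined behaviour; whether any ALE field is laid out that way is not visible on this page. cpsw_ale_set_field() has the same dependency in `BITMASK(bits + start - (idx2 * 32))` and `value >> ((idx2 * 32) - start)`. Keeping `idx2` as the bit-order word number and flipping only when indexing avoids it: `hi_val = ale_entry[2 - idx2] << ((idx2 * 32) - start);`, and likewise `ale_entry[2 - idx2] &= ~(BITMASK(bits + start - (idx2 * 32)));` and `ale_entry[2 - idx2] |= (value >> ((idx2 * 32) - start));`.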
diff --git a/tmp-5.15/net-ipv6-check-return-value-of-pskb_trim.patch b/tmp-5.15/net-ipv6-check-return-value-of-pskb_trim.patch new file mode 100644 index 00000000000..00474b305b6 --- /dev/null +++ b/tmp-5.15/net-ipv6-check-return-value-of-pskb_trim.patch @@ -0,0 +1,39 @@ +From 6c25c6fe0ea61f9a7879b09a7f088b0eaf8f4906 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 22:45:19 +0800 +Subject: net:ipv6: check return value of pskb_trim() + +From: Yuanjun Gong + +[ Upstream commit 4258faa130be4ea43e5e2d839467da421b8ff274 ] + +goto tx_err if an unexpected result is returned by pskb_tirm() +in ip6erspan_tunnel_xmit(). + +Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") +Signed-off-by: Yuanjun Gong +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 0b041ab79ad90..0efd5b4346b09 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -955,7 +955,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + goto tx_err; + + if (skb->len > dev->mtu + dev->hard_header_len) { +- pskb_trim(skb, dev->mtu + dev->hard_header_len); ++ if (pskb_trim(skb, dev->mtu + dev->hard_header_len)) ++ goto tx_err; + truncate = true; + } + +-- +2.39.2 + diff --git a/tmp-5.15/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch b/tmp-5.15/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch new file mode 100644 index 00000000000..18c64c3df4a --- /dev/null +++ b/tmp-5.15/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch 
@@ -0,0 +1,74 @@ +From 2a9973bb55fd9bdd01399a399a2f85f45da84b70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 03:02:31 +0300 +Subject: net: phy: prevent stale pointer dereference in phy_init() + +From: Vladimir Oltean + +[ Upstream commit 1c613beaf877c0c0d755853dc62687e2013e55c4 ] + +mdio_bus_init() and phy_driver_register() both have error paths, and if +those are ever hit, ethtool will have a stale pointer to the +phy_ethtool_phy_ops stub structure, which references memory from a +module that failed to load (phylib). + +It is probably hard to force an error in this code path even manually, +but the error teardown path of phy_init() should be the same as +phy_exit(), which is now simply not the case. + +Fixes: 55d8f053ce1b ("net: phy: Register ethtool PHY operations") +Link: https://lore.kernel.org/netdev/ZLaiJ4G6TaJYGJyU@shell.armlinux.org.uk/ +Suggested-by: Russell King (Oracle) +Signed-off-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20230720000231.1939689-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 73485383db4ef..6085a28cae3d2 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -3253,23 +3253,30 @@ static int __init phy_init(void) + { + int rc; + ++ ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops); ++ + rc = mdio_bus_init(); + if (rc) +- return rc; ++ goto err_ethtool_phy_ops; + +- ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops); + features_init(); + + rc = phy_driver_register(&genphy_c45_driver, THIS_MODULE); + if (rc) +- goto err_c45; ++ goto err_mdio_bus; + + rc = phy_driver_register(&genphy_driver, THIS_MODULE); +- if (rc) { +- phy_driver_unregister(&genphy_c45_driver); ++ if (rc) ++ goto err_c45; ++ ++ return 0; ++ + err_c45: +- mdio_bus_exit(); +- } ++ 
phy_driver_unregister(&genphy_c45_driver); ++err_mdio_bus: ++ mdio_bus_exit(); ++err_ethtool_phy_ops: ++ ethtool_set_ethtool_phy_ops(NULL); + + return rc; + } +-- +2.39.2 + diff --git a/tmp-5.15/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch b/tmp-5.15/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch new file mode 100644 index 00000000000..418fac68395 --- /dev/null +++ b/tmp-5.15/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch 
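Review bot: `ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops)` now runs before `mdio_bus_init()` and `features_init()`, so the ops pointer is published while phylib is still only partly initialised, and nothing in `phy_init()` explains why that ordering is safe. The commit message gives the reason (the error unwind should match `phy_exit()`, which is not visible here); a comment above the call, such as `/* registered first so the unwind below mirrors phy_exit() */`, would keep that reasoning with the code. The three-label unwind (`err_c45`, `err_mdio_bus`, `err_ethtool_phy_ops`) correctly falls through in reverse order of setup.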
@@ -0,0 +1,165 @@ +From 47289a7215d6ead9241d435f91da4355ec346001 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 15:05:13 -0300 +Subject: net: sched: cls_bpf: Undo tcf_bind_filter in case of an error + +From: Victor Nogueira + +[ Upstream commit 26a22194927e8521e304ed75c2f38d8068d55fc7 ] + +If cls_bpf_offload errors out, we must also undo tcf_bind_filter that +was done before the error. + +Fix that by calling tcf_unbind_filter in errout_parms. + +Fixes: eadb41489fd2 ("net: cls_bpf: add support for marking filters as hardware-only") +Signed-off-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Reviewed-by: Pedro Tammela +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_bpf.c | 99 +++++++++++++++++++++------------------------ + 1 file changed, 47 insertions(+), 52 deletions(-) + +diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c +index df19a847829e8..b7c46a93a4121 100644 +--- a/net/sched/cls_bpf.c ++++ b/net/sched/cls_bpf.c +@@ -402,56 +402,6 @@ static int cls_bpf_prog_from_efd(struct nlattr **tb, struct cls_bpf_prog *prog, + return 0; + } + +-static int cls_bpf_set_parms(struct net *net, struct tcf_proto *tp, +- struct cls_bpf_prog *prog, unsigned long base, +- struct nlattr **tb, struct nlattr *est, u32 flags, +- struct netlink_ext_ack *extack) +-{ +- bool is_bpf, is_ebpf, have_exts = false; +- u32 gen_flags = 0; +- int ret; +- +- is_bpf = tb[TCA_BPF_OPS_LEN] && tb[TCA_BPF_OPS]; +- is_ebpf = tb[TCA_BPF_FD]; +- if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf)) +- return -EINVAL; +- +- ret = tcf_exts_validate(net, tp, tb, est, &prog->exts, flags, +- extack); +- if (ret < 0) +- return ret; +- +- if (tb[TCA_BPF_FLAGS]) { +- u32 bpf_flags = nla_get_u32(tb[TCA_BPF_FLAGS]); +- +- if (bpf_flags & ~TCA_BPF_FLAG_ACT_DIRECT) +- return -EINVAL; +- +- have_exts = bpf_flags & TCA_BPF_FLAG_ACT_DIRECT; +- } +- if (tb[TCA_BPF_FLAGS_GEN]) { +- gen_flags = nla_get_u32(tb[TCA_BPF_FLAGS_GEN]); +- if 
(gen_flags & ~CLS_BPF_SUPPORTED_GEN_FLAGS || +- !tc_flags_valid(gen_flags)) +- return -EINVAL; +- } +- +- prog->exts_integrated = have_exts; +- prog->gen_flags = gen_flags; +- +- ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) : +- cls_bpf_prog_from_efd(tb, prog, gen_flags, tp); +- if (ret < 0) +- return ret; +- +- if (tb[TCA_BPF_CLASSID]) { +- prog->res.classid = nla_get_u32(tb[TCA_BPF_CLASSID]); +- tcf_bind_filter(tp, &prog->res, base); +- } +- +- return 0; +-} +- + static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, + struct tcf_proto *tp, unsigned long base, + u32 handle, struct nlattr **tca, +@@ -459,9 +409,12 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, + struct netlink_ext_ack *extack) + { + struct cls_bpf_head *head = rtnl_dereference(tp->root); ++ bool is_bpf, is_ebpf, have_exts = false; + struct cls_bpf_prog *oldprog = *arg; + struct nlattr *tb[TCA_BPF_MAX + 1]; ++ bool bound_to_filter = false; + struct cls_bpf_prog *prog; ++ u32 gen_flags = 0; + int ret; + + if (tca[TCA_OPTIONS] == NULL) +@@ -500,11 +453,51 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, + goto errout; + prog->handle = handle; + +- ret = cls_bpf_set_parms(net, tp, prog, base, tb, tca[TCA_RATE], flags, +- extack); ++ is_bpf = tb[TCA_BPF_OPS_LEN] && tb[TCA_BPF_OPS]; ++ is_ebpf = tb[TCA_BPF_FD]; ++ if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf)) { ++ ret = -EINVAL; ++ goto errout_idr; ++ } ++ ++ ret = tcf_exts_validate(net, tp, tb, tca[TCA_RATE], &prog->exts, ++ flags, extack); ++ if (ret < 0) ++ goto errout_idr; ++ ++ if (tb[TCA_BPF_FLAGS]) { ++ u32 bpf_flags = nla_get_u32(tb[TCA_BPF_FLAGS]); ++ ++ if (bpf_flags & ~TCA_BPF_FLAG_ACT_DIRECT) { ++ ret = -EINVAL; ++ goto errout_idr; ++ } ++ ++ have_exts = bpf_flags & TCA_BPF_FLAG_ACT_DIRECT; ++ } ++ if (tb[TCA_BPF_FLAGS_GEN]) { ++ gen_flags = nla_get_u32(tb[TCA_BPF_FLAGS_GEN]); ++ if (gen_flags & ~CLS_BPF_SUPPORTED_GEN_FLAGS || ++ !tc_flags_valid(gen_flags)) { ++ ret = -EINVAL; ++ 
goto errout_idr; ++ } ++ } ++ ++ prog->exts_integrated = have_exts; ++ prog->gen_flags = gen_flags; ++ ++ ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) : ++ cls_bpf_prog_from_efd(tb, prog, gen_flags, tp); + if (ret < 0) + goto errout_idr; + ++ if (tb[TCA_BPF_CLASSID]) { ++ prog->res.classid = nla_get_u32(tb[TCA_BPF_CLASSID]); ++ tcf_bind_filter(tp, &prog->res, base); ++ bound_to_filter = true; ++ } ++ + ret = cls_bpf_offload(tp, prog, oldprog, extack); + if (ret) + goto errout_parms; +@@ -526,6 +519,8 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, + return 0; + + errout_parms: ++ if (bound_to_filter) ++ tcf_unbind_filter(tp, &prog->res); + cls_bpf_free_parms(prog); + errout_idr: + if (!oldprog) +-- +2.39.2 + diff --git a/tmp-5.15/netfilter-nf_tables-fix-spurious-set-element-inserti.patch b/tmp-5.15/netfilter-nf_tables-fix-spurious-set-element-inserti.patch new file mode 100644 index 00000000000..df140106d8b --- /dev/null +++ b/tmp-5.15/netfilter-nf_tables-fix-spurious-set-element-inserti.patch 
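Review bot: Folding all of `cls_bpf_set_parms()` into `cls_bpf_change()` adds about fifty lines and four open-coded `ret = -EINVAL; goto errout_idr;` pairs to fix one missing unbind. In the removed helper the bind was the last step before `return 0`, so the helper never failed with a filter bound. If `errout_parms` is reached only after `cls_bpf_offload()` fails (the only jump visible in this hunk), the helper could stay and the error path could test the attribute directly: `if (tb[TCA_BPF_CLASSID]) tcf_unbind_filter(tp, &prog->res);`. That would keep the validation logic in one place and make the resource fix a two-line change that is easier to audit. `cls_bpf_change()` starts and ends outside the hunk, so other jumps to `errout_parms` need checking before taking this route.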
@@ -0,0 +1,49 @@ +From e3c699e52733ef6d37df0f0688989d4f24069806 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 00:29:58 +0200 +Subject: netfilter: nf_tables: fix spurious set element insertion failure + +From: Florian Westphal + +[ Upstream commit ddbd8be68941985f166f5107109a90ce13147c44 ] + +On some platforms there is a padding hole in the nft_verdict +structure, between the verdict code and the chain pointer. + +On element insertion, if the new element clashes with an existing one and +NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as +the data associated with duplicated element is the same as the existing +one. The data equality check uses memcmp. + +For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT +padding area leads to spurious failure even if the verdict data is the +same. + +This then makes the insertion fail with 'already exists' error, even +though the new "key : data" matches an existing entry and userspace +told the kernel that it doesn't want to receive an error indication. + +Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion") +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 04b7c4e595200..f04a69d74cb23 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -9908,6 +9908,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, + + if (!tb[NFTA_VERDICT_CODE]) + return -EINVAL; ++ ++ /* zero padding hole for memcmp */ ++ memset(data, 0, sizeof(*data)); + data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); + + switch (data->verdict.code) { +-- +2.39.2 + 
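Review bot: The comment `/* zero padding hole for memcmp */` added in `nft_verdict_init()` does not say which comparison depends on it, so the `memset()` looks redundant to a reader who sees every verdict field assigned afterwards. Per the commit message, the duplicate-element check on set insertion compares the data with memcmp and the hole lies between the verdict code and the chain pointer. A fuller comment, such as `/* set element insertion memcmp()s nft_data; clear the padding between verdict.code and verdict.chain */`, would stop the call from being removed as dead code. The function continues past the end of the hunk.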
diff --git a/tmp-5.15/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch b/tmp-5.15/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch new file mode 100644 index 00000000000..68becb2b21d --- /dev/null +++ b/tmp-5.15/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch @@ -0,0 +1,37 @@ +From c55ce5a713fe4bb402b4ae74cbbce31ca4e8d0ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 20:19:43 +0200 +Subject: netfilter: nf_tables: skip bound chain in netns release path + +From: Pablo Neira Ayuso + +[ Upstream commit 751d460ccff3137212f47d876221534bf0490996 ] + +Skip bound chain from netns release path, the rule that owns this chain +releases these objects. + +Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index f04a69d74cb23..1cf075a4269a4 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -10192,6 +10192,9 @@ static void __nft_release_table(struct net *net, struct nft_table *table) + ctx.family = table->family; + ctx.table = table; + list_for_each_entry(chain, &table->chains, list) { ++ if (nft_chain_is_bound(chain)) ++ continue; ++ + ctx.chain = chain; + list_for_each_entry_safe(rule, nr, &chain->rules, list) { + list_del(&rule->list); +-- +2.39.2 + diff --git a/tmp-5.15/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch b/tmp-5.15/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch new file mode 100644 index 00000000000..2c6be25e3f6 --- /dev/null +++ b/tmp-5.15/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch 
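Review bot: The `if (nft_chain_is_bound(chain)) continue;` added to the rule-release loop in `__nft_release_table()` has no comment, and the same bare check is added to the chain loop in `nf_tables_delrule()` by the next patch in this queue. Both commit messages give the reason, which is an ownership rule worth stating in the code: `/* bound chains are released by the rule that owns them */`. Only the rule loop of `__nft_release_table()` is visible in the hunk; any later loop in that function that destroys chains should be checked to confirm bound chains are neither freed twice nor left behind.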
@@ -0,0 +1,43 @@ +From e2ce29044f79ecf611ac31ba29f979a22cf906d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 09:17:21 +0200 +Subject: netfilter: nf_tables: skip bound chain on rule flush + +From: Pablo Neira Ayuso + +[ Upstream commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8 ] + +Skip bound chain when flushing table rules, the rule that owns this +chain releases these objects. + +Otherwise, the following warning is triggered: + + WARNING: CPU: 2 PID: 1217 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables] + CPU: 2 PID: 1217 Comm: chain-flush Not tainted 6.1.39 #1 + RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables] + +Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING") +Reported-by: Kevin Rich +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 1cf075a4269a4..e0e675313d8e1 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3795,6 +3795,8 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, + list_for_each_entry(chain, &table->chains, list) { + if (!nft_is_active_next(net, chain)) + continue; ++ if (nft_chain_is_bound(chain)) ++ continue; + + ctx.chain = chain; + err = nft_delrule_by_chain(&ctx); +-- +2.39.2 + diff --git a/tmp-5.15/netfilter-nft_set_pipapo-fix-improper-element-remova.patch b/tmp-5.15/netfilter-nft_set_pipapo-fix-improper-element-remova.patch new file mode 100644 index 00000000000..252ded12061 --- /dev/null +++ b/tmp-5.15/netfilter-nft_set_pipapo-fix-improper-element-remova.patch 
@@ -0,0 +1,63 @@ +From 40c5fc80a3383520d1b05dcb1adfd950f5060fd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:08:21 +0200 +Subject: netfilter: nft_set_pipapo: fix improper element removal + +From: Florian Westphal + +[ Upstream commit 87b5a5c209405cb6b57424cdfa226a6dbd349232 ] + +end key should be equal to start unless NFT_SET_EXT_KEY_END is present. + +Its possible to add elements that only have a start key +("{ 1.0.0.0 . 2.0.0.0 }") without an internval end. + +Insertion treats this via: + +if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) + end = (const u8 *)nft_set_ext_key_end(ext)->data; +else + end = start; + +but removal side always uses nft_set_ext_key_end(). +This is wrong and leads to garbage remaining in the set after removal +next lookup/insert attempt will give: + +BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90 +Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399 +Call Trace: + kasan_report+0x105/0x140 + pipapo_get+0x8eb/0xb90 + nft_pipapo_insert+0x1dc/0x1710 + nf_tables_newsetelem+0x31f5/0x4e00 + .. 
+ +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Reported-by: lonial con +Reviewed-by: Stefano Brivio +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 0452ee586c1cc..a81829c10feab 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1930,7 +1930,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set, + int i, start, rules_fx; + + match_start = data; +- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; ++ ++ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END)) ++ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; ++ else ++ match_end = data; + + start = first_rule; + rules_fx = rules_f0; +-- +2.39.2 + diff --git a/tmp-5.15/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch b/tmp-5.15/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch new file mode 100644 index 00000000000..208f3fe0f33 --- /dev/null +++ b/tmp-5.15/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch 
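Review bot: `nft_pipapo_remove()` now open-codes the same "end key, or start key when NFT_SET_EXT_KEY_END is absent" selection that the commit message quotes from the insertion path. The use-after-free reported here came from those two copies disagreeing. Putting the selection in one small static helper used by both paths would stop insert and remove from drifting apart again; the helper name below is only a suggestion. `nft_pipapo_remove()` starts and ends outside the hunk, and the insertion site is not visible here.

```c
/* End key of an element; equals the start key when the element carries
 * no NFT_SET_EXT_KEY_END extension.
 */
static const u8 *pipapo_elem_key_end(const struct nft_set_ext *ext,
				     const u8 *start)
{
	if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
		return (const u8 *)nft_set_ext_key_end(ext)->data;

	return start;
}

/* … unchanged: declarations in nft_pipapo_remove() … */
	match_start = data;
	match_end = pipapo_elem_key_end(&e->ext, data);
```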
@@ -0,0 +1,43 @@ +From 627d0c0e3899b4fcbe54008a0cdf5eaaef1633d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Jul 2023 15:07:41 +0530 +Subject: octeontx2-pf: Dont allocate BPIDs for LBK interfaces + +From: Geetha sowjanya + +[ Upstream commit 8fcd7c7b3a38ab5e452f542fda8f7940e77e479a ] + +Current driver enables backpressure for LBK interfaces. +But these interfaces do not support this feature. +Hence, this patch fixes the issue by skipping the +backpressure configuration for these interfaces. + +Fixes: 75f36270990c ("octeontx2-pf: Support to enable/disable pause frames via ethtool"). +Signed-off-by: Geetha sowjanya +Signed-off-by: Sunil Goutham +Link: https://lore.kernel.org/r/20230716093741.28063-1-gakula@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +index a987ae9d6a285..8fc4ecc4f7140 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +@@ -1430,8 +1430,9 @@ static int otx2_init_hw_resources(struct otx2_nic *pf) + if (err) + goto err_free_npa_lf; + +- /* Enable backpressure */ +- otx2_nix_config_bp(pf, true); ++ /* Enable backpressure for CGX mapped PF/VFs */ ++ if (!is_otx2_lbkvf(pf->pdev)) ++ otx2_nix_config_bp(pf, true); + + /* Init Auras and pools used by NIX RQ, for free buffer ptrs */ + err = otx2_rq_aura_pool_init(pf); +-- +2.39.2 + diff --git a/tmp-5.15/of-net-add-a-helper-for-loading-netdev-dev_addr.patch b/tmp-5.15/of-net-add-a-helper-for-loading-netdev-dev_addr.patch new file mode 100644 index 00000000000..e278f1493a9 --- /dev/null +++ b/tmp-5.15/of-net-add-a-helper-for-loading-netdev-dev_addr.patch 
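Review bot: In `otx2_init_hw_resources()` the new comment says "CGX mapped PF/VFs" but the guard is `!is_otx2_lbkvf(pf->pdev)`, so the comment and the condition describe the set of interfaces in different terms. Wording the comment after the check, e.g. `/* Enable backpressure, except on LBK VFs which do not support it */`, would remove the ambiguity. The matching disable call is not visible in this hunk; if the teardown path calls `otx2_nix_config_bp(pf, false)`, confirm it excludes LBK interfaces as well, so enable and disable stay symmetric.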
@@ -0,0 +1,91 @@ +From 7fdd227d5d07e585d16f0bf5cc66bef00028e9c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Oct 2021 18:06:55 -0700 +Subject: of: net: add a helper for loading netdev->dev_addr + +From: Jakub Kicinski + +[ Upstream commit d466effe282ddbab6acb6c3120c1de0ee1b86d57 ] + +Commit 406f42fa0d3c ("net-next: When a bond have a massive amount +of VLANs...") introduced a rbtree for faster Ethernet address look +up. To maintain netdev->dev_addr in this tree we need to make all +the writes to it got through appropriate helpers. + +There are roughly 40 places where netdev->dev_addr is passed +as the destination to a of_get_mac_address() call. Add a helper +which takes a dev pointer instead, so it can call an appropriate +helper. + +Note that of_get_mac_address() already assumes the address is +6 bytes long (ETH_ALEN) so use eth_hw_addr_set(). + +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Stable-dep-of: 1d6d537dc55d ("net: ethernet: mtk_eth_soc: handle probe deferral") +Signed-off-by: Sasha Levin +--- + include/linux/of_net.h | 6 ++++++ + net/core/of_net.c | 25 +++++++++++++++++++++++++ + 2 files changed, 31 insertions(+) + +diff --git a/include/linux/of_net.h b/include/linux/of_net.h +index 55460ecfa50ad..0484b613ca647 100644 +--- a/include/linux/of_net.h ++++ b/include/linux/of_net.h +@@ -14,6 +14,7 @@ + struct net_device; + extern int of_get_phy_mode(struct device_node *np, phy_interface_t *interface); + extern int of_get_mac_address(struct device_node *np, u8 *mac); ++int of_get_ethdev_address(struct device_node *np, struct net_device *dev); + extern struct net_device *of_find_net_device_by_node(struct device_node *np); + #else + static inline int of_get_phy_mode(struct device_node *np, +@@ -27,6 +28,11 @@ static inline int of_get_mac_address(struct device_node *np, u8 *mac) + return -ENODEV; + } + ++static inline int of_get_ethdev_address(struct device_node *np, struct net_device *dev) ++{ ++ return -ENODEV; ++} ++ + static 
inline struct net_device *of_find_net_device_by_node(struct device_node *np) + { + return NULL; +diff --git a/net/core/of_net.c b/net/core/of_net.c +index dbac3a172a11e..f1a9bf7578e7a 100644 +--- a/net/core/of_net.c ++++ b/net/core/of_net.c +@@ -143,3 +143,28 @@ int of_get_mac_address(struct device_node *np, u8 *addr) + return of_get_mac_addr_nvmem(np, addr); + } + EXPORT_SYMBOL(of_get_mac_address); ++ ++/** ++ * of_get_ethdev_address() ++ * @np: Caller's Device Node ++ * @dev: Pointer to netdevice which address will be updated ++ * ++ * Search the device tree for the best MAC address to use. ++ * If found set @dev->dev_addr to that address. ++ * ++ * See documentation of of_get_mac_address() for more information on how ++ * the best address is determined. ++ * ++ * Return: 0 on success and errno in case of error. ++ */ ++int of_get_ethdev_address(struct device_node *np, struct net_device *dev) ++{ ++ u8 addr[ETH_ALEN]; ++ int ret; ++ ++ ret = of_get_mac_address(np, addr); ++ if (!ret) ++ eth_hw_addr_set(dev, addr); ++ return ret; ++} ++EXPORT_SYMBOL(of_get_ethdev_address); +-- +2.39.2 + diff --git a/tmp-5.15/perf-build-fix-library-not-found-error-when-using-cs.patch b/tmp-5.15/perf-build-fix-library-not-found-error-when-using-cs.patch new file mode 100644 index 00000000000..a1bb23375ef --- /dev/null +++ b/tmp-5.15/perf-build-fix-library-not-found-error-when-using-cs.patch 
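Review bot: The kernel-doc block added above `of_get_ethdev_address()` in net/core/of_net.c opens with a bare `of_get_ethdev_address()` line and no short description, so the generated documentation gets an empty summary. The usual form would be `* of_get_ethdev_address() - read the MAC address from the device tree into a netdev`. The body leaves `addr` uninitialised, which is fine as written because it is read only when `of_get_mac_address()` returns 0.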
@@ -0,0 +1,94 @@ +From 87c936a214ba46bb1429ffc8ea41a5fc504c6ace Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 16:45:46 +0100 +Subject: perf build: Fix library not found error when using CSLIBS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: James Clark + +[ Upstream commit 1feece2780ac2f8de45177fe53979726cee4b3d1 ] + +-L only specifies the search path for libraries directly provided in the +link line with -l. Because -lopencsd isn't specified, it's only linked +because it's a dependency of -lopencsd_c_api. Dependencies like this are +resolved using the default system search paths or -rpath-link=... rather +than -L. This means that compilation only works if OpenCSD is installed +to the system rather than provided with the CSLIBS (-L) option. + +This could be fixed by adding -Wl,-rpath-link=$(CSLIBS) but that is less +conventional than just adding -lopencsd to the link line so that it uses +-L. -lopencsd seems to have been removed in commit ed17b1914978eddb +("perf tools: Drop requirement for libstdc++.so for libopencsd check") +because it was thought that there was a chance compilation would work +even if it didn't exist, but I think that only applies to libstdc++ so +there is no harm to add it back. libopencsd.so and libopencsd_c_api.so +would always exist together. + +Testing +======= + +The following scenarios now all work: + + * Cross build with OpenCSD installed + * Cross build using CSLIBS=... + * Native build with OpenCSD installed + * Native build using CSLIBS=... + * Static cross build with OpenCSD installed + * Static cross build with CSLIBS=... 
+ +Committer testing: + + ⬢[acme@toolbox perf-tools]$ alias m + alias m='make -k BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools -C tools/perf install-bin && git status && perf test python ; perf record -o /dev/null sleep 0.01 ; perf stat --null sleep 0.01' + ⬢[acme@toolbox perf-tools]$ ldd ~/bin/perf | grep csd + libopencsd_c_api.so.1 => /lib64/libopencsd_c_api.so.1 (0x00007fd49c44e000) + libopencsd.so.1 => /lib64/libopencsd.so.1 (0x00007fd49bd56000) + ⬢[acme@toolbox perf-tools]$ cat /etc/redhat-release + Fedora release 36 (Thirty Six) + ⬢[acme@toolbox perf-tools]$ + +Fixes: ed17b1914978eddb ("perf tools: Drop requirement for libstdc++.so for libopencsd check") +Reported-by: Radhey Shyam Pandey +Signed-off-by: James Clark +Tested-by: Arnaldo Carvalho de Melo +Tested-by: Radhey Shyam Pandey +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Uwe Kleine-König +Cc: coresight@lists.linaro.org +Closes: https://lore.kernel.org/linux-arm-kernel/56905d7a-a91e-883a-b707-9d5f686ba5f1@arm.com/ +Link: https://lore.kernel.org/all/36cc4dc6-bf4b-1093-1c0a-876e368af183@kleine-koenig.org/ +Link: https://lore.kernel.org/r/20230707154546.456720-1-james.clark@arm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.config | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index 2c30a2b577d3e..973c0d5ed8d8b 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -143,9 +143,9 @@ FEATURE_CHECK_LDFLAGS-libcrypto = -lcrypto + ifdef CSINCLUDES + LIBOPENCSD_CFLAGS := -I$(CSINCLUDES) + endif +-OPENCSDLIBS := -lopencsd_c_api ++OPENCSDLIBS := -lopencsd_c_api -lopencsd + ifeq ($(findstring -static,${LDFLAGS}),-static) +- OPENCSDLIBS += -lopencsd -lstdc++ ++ OPENCSDLIBS += -lstdc++ + endif + ifdef CSLIBS + LIBOPENCSD_LDFLAGS := -L$(CSLIBS) +-- 
+2.39.2 + diff --git a/tmp-5.15/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch b/tmp-5.15/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch new file mode 100644 index 00000000000..ac282bd2634 --- /dev/null +++ b/tmp-5.15/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch 
@@ -0,0 +1,115 @@ +From 56cbeacf143530576905623ac72ae0964f3293a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Georg=20M=C3=BCller?= +Date: Wed, 28 Jun 2023 10:45:50 +0200 +Subject: perf probe: Add test for regression introduced by switch to die_get_decl_file() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Georg Müller + +commit 56cbeacf143530576905623ac72ae0964f3293a6 upstream. + +This patch adds a test to validate that 'perf probe' works for binaries +where DWARF info is split into multiple CUs + +Signed-off-by: Georg Müller +Acked-by: Masami Hiramatsu (Google) +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: regressions@lists.linux.dev +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230628084551.1860532-5-georgmueller@gmx.net +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/shell/test_uprobe_from_different_cu.sh | 77 ++++++++++++++++ + 1 file changed, 77 insertions(+) + create mode 100755 tools/perf/tests/shell/test_uprobe_from_different_cu.sh + +--- /dev/null ++++ b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh +@@ -0,0 +1,77 @@ ++#!/bin/bash ++# test perf probe of function from different CU ++# SPDX-License-Identifier: GPL-2.0 ++ ++set -e ++ ++temp_dir=$(mktemp -d /tmp/perf-uprobe-different-cu-sh.XXXXXXXXXX) ++ ++cleanup() ++{ ++ trap - EXIT TERM INT ++ if [[ "${temp_dir}" =~ ^/tmp/perf-uprobe-different-cu-sh.*$ ]]; then ++ echo "--- Cleaning up ---" ++ perf probe -x ${temp_dir}/testfile -d foo ++ rm -f "${temp_dir}/"* ++ rmdir "${temp_dir}" ++ fi ++} ++ ++trap_cleanup() ++{ ++ cleanup ++ exit 1 ++} ++ ++trap trap_cleanup EXIT TERM INT ++ ++cat > ${temp_dir}/testfile-foo.h << EOF ++struct t ++{ ++ int *p; ++ int c; ++}; ++ ++extern int foo (int i, struct t *t); ++EOF ++ ++cat > ${temp_dir}/testfile-foo.c << EOF ++#include 
"testfile-foo.h" ++ ++int ++foo (int i, struct t *t) ++{ ++ int j, res = 0; ++ for (j = 0; j < i && j < t->c; j++) ++ res += t->p[j]; ++ ++ return res; ++} ++EOF ++ ++cat > ${temp_dir}/testfile-main.c << EOF ++#include "testfile-foo.h" ++ ++static struct t g; ++ ++int ++main (int argc, char **argv) ++{ ++ int i; ++ int j[argc]; ++ g.c = argc; ++ g.p = j; ++ for (i = 0; i < argc; i++) ++ j[i] = (int) argv[i][0]; ++ return foo (3, &g); ++} ++EOF ++ ++gcc -g -Og -flto -c ${temp_dir}/testfile-foo.c -o ${temp_dir}/testfile-foo.o ++gcc -g -Og -c ${temp_dir}/testfile-main.c -o ${temp_dir}/testfile-main.o ++gcc -g -Og -o ${temp_dir}/testfile ${temp_dir}/testfile-foo.o ${temp_dir}/testfile-main.o ++ ++perf probe -x ${temp_dir}/testfile --funcs foo ++perf probe -x ${temp_dir}/testfile foo ++ ++cleanup diff --git a/tmp-5.15/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch b/tmp-5.15/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch new file mode 100644 index 00000000000..3d820d3b68a --- /dev/null +++ b/tmp-5.15/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch 
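Review bot: `cleanup()` runs under `set -e` and calls `perf probe -x ${temp_dir}/testfile -d foo` before the `rm`/`rmdir`. If that delete fails (for example when an earlier `gcc` step failed and no probe was ever created), the shell would exit there and leave the temporary directory in /tmp. Making the probe removal best-effort fixes this: `perf probe -x "${temp_dir}/testfile" -d foo || true`. `${temp_dir}` is also unquoted in most commands and in the heredoc redirections; `mktemp` output under /tmp contains no spaces, so this is not exploitable here, but quoting it throughout matches the already quoted `rm -f "${temp_dir}/"*` line.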
@@ -0,0 +1,108 @@ +From 8780aebd01afeac769cc853162b8329c5aca3c56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 08:30:03 -0500 +Subject: pinctrl: amd: Use amd_pinconf_set() for all config options + +From: Mario Limonciello + +[ Upstream commit 635a750d958e158e17af0f524bedc484b27fbb93 ] + +On ASUS TUF A16 it is reported that the ITE5570 ACPI device connected to +GPIO 7 is causing an interrupt storm. This issue doesn't happen on +Windows. + +Comparing the GPIO register configuration between Windows and Linux +bit 20 has been configured as a pull up on Windows, but not on Linux. +Checking GPIO declaration from the firmware it is clear it *should* have +been a pull up on Linux as well. + +``` +GpioInt (Level, ActiveLow, Exclusive, PullUp, 0x0000, + "\\_SB.GPIO", 0x00, ResourceConsumer, ,) +{ // Pin list +0x0007 +} +``` + +On Linux amd_gpio_set_config() is currently only used for programming +the debounce. Actually the GPIO core calls it with all the arguments +that are supported by a GPIO, pinctrl-amd just responds `-ENOTSUPP`. + +To solve this issue expand amd_gpio_set_config() to support the other +arguments amd_pinconf_set() supports, namely `PIN_CONFIG_BIAS_PULL_DOWN`, +`PIN_CONFIG_BIAS_PULL_UP`, and `PIN_CONFIG_DRIVE_STRENGTH`. 
+ +Reported-by: Nik P +Reported-by: Nathan Schulte +Reported-by: Friedrich Vock +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217336 +Reported-by: dridri85@gmail.com +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217493 +Link: https://lore.kernel.org/linux-input/20230530154058.17594-1-friedrich.vock@gmx.de/ +Tested-by: Jan Visser +Fixes: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips") +Signed-off-by: Mario Limonciello +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230705133005.577-3-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-amd.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-amd.c b/drivers/pinctrl/pinctrl-amd.c +index 9dff866614d40..384d93146e1f5 100644 +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -189,18 +189,6 @@ static int amd_gpio_set_debounce(struct gpio_chip *gc, unsigned offset, + return ret; + } + +-static int amd_gpio_set_config(struct gpio_chip *gc, unsigned offset, +- unsigned long config) +-{ +- u32 debounce; +- +- if (pinconf_to_config_param(config) != PIN_CONFIG_INPUT_DEBOUNCE) +- return -ENOTSUPP; +- +- debounce = pinconf_to_config_argument(config); +- return amd_gpio_set_debounce(gc, offset, debounce); +-} +- + #ifdef CONFIG_DEBUG_FS + static void amd_gpio_dbg_show(struct seq_file *s, struct gpio_chip *gc) + { +@@ -775,7 +763,7 @@ static int amd_pinconf_get(struct pinctrl_dev *pctldev, + } + + static int amd_pinconf_set(struct pinctrl_dev *pctldev, unsigned int pin, +- unsigned long *configs, unsigned num_configs) ++ unsigned long *configs, unsigned int num_configs) + { + int i; + u32 arg; +@@ -865,6 +853,20 @@ static int amd_pinconf_group_set(struct pinctrl_dev *pctldev, + return 0; + } + ++static int amd_gpio_set_config(struct gpio_chip *gc, unsigned int pin, ++ unsigned long config) ++{ ++ struct 
amd_gpio *gpio_dev = gpiochip_get_data(gc); ++ ++ if (pinconf_to_config_param(config) == PIN_CONFIG_INPUT_DEBOUNCE) { ++ u32 debounce = pinconf_to_config_argument(config); ++ ++ return amd_gpio_set_debounce(gc, pin, debounce); ++ } ++ ++ return amd_pinconf_set(gpio_dev->pctrl, pin, &config, 1); ++} ++ + static const struct pinconf_ops amd_pinconf_ops = { + .pin_config_get = amd_pinconf_get, + .pin_config_set = amd_pinconf_set, +-- +2.39.2 + diff --git a/tmp-5.15/quota-fix-warning-in-dqgrab.patch b/tmp-5.15/quota-fix-warning-in-dqgrab.patch new file mode 100644 index 00000000000..d7c504619b8 --- /dev/null +++ b/tmp-5.15/quota-fix-warning-in-dqgrab.patch 
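Review bot: The new `amd_gpio_set_config()` forwards every parameter other than `PIN_CONFIG_INPUT_DEBOUNCE` to `amd_pinconf_set()`, and the commit message says the GPIO core calls this hook with all the arguments a GPIO supports. Whatever `amd_pinconf_set()` does for a parameter it does not know is therefore now reachable from gpiolib on every such call. Its body is not visible in this hunk; if its default branch logs an error, that message will start appearing for ordinary unsupported requests and should be demoted or dropped. A comment on the forwarding call, such as `/* unsupported params are rejected by amd_pinconf_set() */`, would also document that the function relies on the callee's error code.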
@@ -0,0 +1,100 @@ +From e7a8a784521984ae7156036131ea2c7eaa8acb7a Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Mon, 5 Jun 2023 22:07:31 +0800 +Subject: [PATCH AUTOSEL 4.14 4/9] quota: fix warning in dqgrab() +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 4.14.320 + +[ Upstream commit d6a95db3c7ad160bc16b89e36449705309b52bcb ] + +There's issue as follows when do fault injection: +WARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0 +Modules linked in: +CPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541 +RIP: 0010:dquot_disable+0x13b7/0x18c0 +RSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980 +RDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002 +RBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000 +R10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130 +R13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118 +FS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + dquot_load_quota_sb+0xd53/0x1060 + dquot_resume+0x172/0x230 + ext4_reconfigure+0x1dc6/0x27b0 + reconfigure_super+0x515/0xa90 + __x64_sys_fsconfig+0xb19/0xd20 + do_syscall_64+0x39/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Above issue may happens as follows: +ProcessA ProcessB ProcessC +sys_fsconfig + vfs_fsconfig_locked + reconfigure_super + ext4_remount + dquot_suspend -> suspend all type quota + + sys_fsconfig + vfs_fsconfig_locked + reconfigure_super + ext4_remount + dquot_resume + ret = dquot_load_quota_sb + add_dquot_ref + do_open -> open file O_RDWR + vfs_open + do_dentry_open + get_write_access + 
atomic_inc_unless_negative(&inode->i_writecount) + ext4_file_open + dquot_file_open + dquot_initialize + __dquot_initialize + dqget + atomic_inc(&dquot->dq_count); + + __dquot_initialize + __dquot_initialize + dqget + if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) + ext4_acquire_dquot + -> Return error DQ_ACTIVE_B flag isn't set + dquot_disable + invalidate_dquots + if (atomic_read(&dquot->dq_count)) + dqgrab + WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) + -> Trigger warning + +In the above scenario, 'dquot->dq_flags' has no DQ_ACTIVE_B is normal when +dqgrab(). +To solve above issue just replace the dqgrab() use in invalidate_dquots() with +atomic_inc(&dquot->dq_count). + +Signed-off-by: Ye Bin +Signed-off-by: Jan Kara +Message-Id: <20230605140731.2427629-3-yebin10@huawei.com> +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -555,7 +555,7 @@ restart: + continue; + /* Wait for dquot users */ + if (atomic_read(&dquot->dq_count)) { +- dqgrab(dquot); ++ atomic_inc(&dquot->dq_count); + spin_unlock(&dq_list_lock); + /* + * Once dqput() wakes us up, we know it's time to free diff --git a/tmp-5.15/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch b/tmp-5.15/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch new file mode 100644 index 00000000000..b8a2b547452 --- /dev/null +++ b/tmp-5.15/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch 
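Review bot: The new `atomic_inc(&dquot->dq_count);` in invalidate_dquots() carries no comment saying why it bypasses dqgrab(), so a later cleanup could swap the helper back in and bring the warning back. Per the commit message, DQ_ACTIVE_B can legitimately be clear at this point when dquot_disable() runs after a failed acquire. I would add above the increment: `/* Not dqgrab(): DQ_ACTIVE_B may be clear for a dquot whose acquire failed */`. The surrounding loop starts and ends outside the hunk, so the locking around the increment is inferred only from the `spin_unlock(&dq_list_lock)` that follows it.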
@@ -0,0 +1,40 @@ +From f301753d111db16bc1a3c2df05ddfc769ea5ae66 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 5 Jun 2023 22:07:30 +0800 +Subject: [PATCH AUTOSEL 4.14 3/9] quota: Properly disable quotas when + add_dquot_ref() fails +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 4.14.320 + +[ Upstream commit 6a4e3363792e30177cc3965697e34ddcea8b900b ] + +When add_dquot_ref() fails (usually due to IO error or ENOMEM), we want +to disable quotas we are trying to enable. However dquot_disable() call +was passed just the flags we are enabling so in case flags == +DQUOT_USAGE_ENABLED dquot_disable() call will just fail with EINVAL +instead of properly disabling quotas. Fix the problem by always passing +DQUOT_LIMITS_ENABLED | DQUOT_USAGE_ENABLED to dquot_disable() in this +case. + +Reported-and-tested-by: Ye Bin +Reported-by: syzbot+e633c79ceaecbf479854@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Message-Id: <20230605140731.2427629-2-yebin10@huawei.com> +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -2413,7 +2413,8 @@ int dquot_load_quota_sb(struct super_blo + + error = add_dquot_ref(sb, type); + if (error) +- dquot_disable(sb, type, flags); ++ dquot_disable(sb, type, ++ DQUOT_USAGE_ENABLED | DQUOT_LIMITS_ENABLED); + + return error; + out_fmt: diff --git a/tmp-5.15/regmap-account-for-register-length-in-smbus-i-o-limits.patch b/tmp-5.15/regmap-account-for-register-length-in-smbus-i-o-limits.patch new file mode 100644 index 00000000000..b920fc52b6d --- /dev/null +++ b/tmp-5.15/regmap-account-for-register-length-in-smbus-i-o-limits.patch 
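Review bot: The return value of `dquot_disable(sb, type, DQUOT_USAGE_ENABLED | DQUOT_LIMITS_ENABLED)` in the add_dquot_ref() error path of dquot_load_quota_sb() is still discarded. The commit message says the old call failed with EINVAL and nobody noticed, which is what a dropped return value produces. A comment next to the call would record why both flags are passed, e.g. `/* Disable usage and limits together; DQUOT_USAGE_ENABLED alone is rejected with -EINVAL */`. If a failed disable can leave quota state half-enabled, which this hunk does not show, wrapping the call in `WARN_ON_ONCE()` would surface it. The function body continues outside the hunk.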
@@ -0,0 +1,54 @@ +From 0c9d2eb5e94792fe64019008a04d4df5e57625af Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Wed, 12 Jul 2023 12:16:40 +0100 +Subject: regmap: Account for register length in SMBus I/O limits + +From: Mark Brown + +commit 0c9d2eb5e94792fe64019008a04d4df5e57625af upstream. + +The SMBus I2C buses have limits on the size of transfers they can do but +do not factor in the register length meaning we may try to do a transfer +longer than our length limit, the core will not take care of this. +Future changes will factor this out into the core but there are a number +of users that assume current behaviour so let's just do something +conservative here. + +This does not take account padding bits but practically speaking these +are very rarely if ever used on I2C buses given that they generally run +slowly enough to mean there's no issue. + +Cc: stable@kernel.org +Signed-off-by: Mark Brown +Reviewed-by: Xu Yilun +Link: https://lore.kernel.org/r/20230712-regmap-max-transfer-v1-2-80e2aed22e83@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regmap-i2c.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/base/regmap/regmap-i2c.c ++++ b/drivers/base/regmap/regmap-i2c.c +@@ -242,8 +242,8 @@ static int regmap_i2c_smbus_i2c_read(voi + static const struct regmap_bus regmap_i2c_smbus_i2c_block = { + .write = regmap_i2c_smbus_i2c_write, + .read = regmap_i2c_smbus_i2c_read, +- .max_raw_read = I2C_SMBUS_BLOCK_MAX, +- .max_raw_write = I2C_SMBUS_BLOCK_MAX, ++ .max_raw_read = I2C_SMBUS_BLOCK_MAX - 1, ++ .max_raw_write = I2C_SMBUS_BLOCK_MAX - 1, + }; + + static int regmap_i2c_smbus_i2c_write_reg16(void *context, const void *data, +@@ -299,8 +299,8 @@ static int regmap_i2c_smbus_i2c_read_reg + static const struct regmap_bus regmap_i2c_smbus_i2c_block_reg16 = { + .write = regmap_i2c_smbus_i2c_write_reg16, + .read = regmap_i2c_smbus_i2c_read_reg16, +- .max_raw_read = I2C_SMBUS_BLOCK_MAX, +- 
.max_raw_write = I2C_SMBUS_BLOCK_MAX, ++ .max_raw_read = I2C_SMBUS_BLOCK_MAX - 2, ++ .max_raw_write = I2C_SMBUS_BLOCK_MAX - 2, + }; + + static const struct regmap_bus *regmap_get_i2c_bus(struct i2c_client *i2c, diff --git a/tmp-5.15/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch b/tmp-5.15/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch new file mode 100644 index 00000000000..5e50a9aaf7e --- /dev/null +++ b/tmp-5.15/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch 
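Review bot: The `- 1` and `- 2` in `.max_raw_read`/`.max_raw_write` of regmap_i2c_smbus_i2c_block and regmap_i2c_smbus_i2c_block_reg16 are unexplained magic numbers. From the commit message they reserve room for the register address (presumably one byte for the 8-bit variant and two for reg16), and that reasoning should sit next to the values, e.g. `/* I2C_SMBUS_BLOCK_MAX minus the register address bytes */`. The message also states that padding is not accounted for; recording that limitation in the same comment would keep the next change to these limits from assuming it is.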
@@ -0,0 +1,64 @@ +From bc64734825c59e18a27ac266b07e14944c111fd8 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Wed, 12 Jul 2023 12:16:39 +0100 +Subject: regmap: Drop initial version of maximum transfer length fixes + +From: Mark Brown + +commit bc64734825c59e18a27ac266b07e14944c111fd8 upstream. + +When problems were noticed with the register address not being taken +into account when limiting raw transfers with I2C devices we fixed this +in the core. Unfortunately it has subsequently been realised that a lot +of buses were relying on the prior behaviour, partly due to unclear +documentation not making it obvious what was intended in the core. This +is all more involved to fix than is sensible for a fix commit so let's +just drop the original fixes, a separate commit will fix the originally +observed problem in an I2C specific way + +Fixes: 3981514180c9 ("regmap: Account for register length when chunking") +Fixes: c8e796895e23 ("regmap: spi-avmm: Fix regmap_bus max_raw_write") +Signed-off-by: Mark Brown +Reviewed-by: Xu Yilun +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230712-regmap-max-transfer-v1-1-80e2aed22e83@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regmap-spi-avmm.c | 2 +- + drivers/base/regmap/regmap.c | 6 ++---- + 2 files changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/base/regmap/regmap-spi-avmm.c ++++ b/drivers/base/regmap/regmap-spi-avmm.c +@@ -666,7 +666,7 @@ static const struct regmap_bus regmap_sp + .reg_format_endian_default = REGMAP_ENDIAN_NATIVE, + .val_format_endian_default = REGMAP_ENDIAN_NATIVE, + .max_raw_read = SPI_AVMM_VAL_SIZE * MAX_READ_CNT, +- .max_raw_write = SPI_AVMM_REG_SIZE + SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT, ++ .max_raw_write = SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT, + .free_context = spi_avmm_bridge_ctx_free, + }; + +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -2041,8 +2041,6 @@ int _regmap_raw_write(struct regmap *map + 
size_t val_count = val_len / val_bytes; + size_t chunk_count, chunk_bytes; + size_t chunk_regs = val_count; +- size_t max_data = map->max_raw_write - map->format.reg_bytes - +- map->format.pad_bytes; + int ret, i; + + if (!val_count) +@@ -2050,8 +2048,8 @@ int _regmap_raw_write(struct regmap *map + + if (map->use_single_write) + chunk_regs = 1; +- else if (map->max_raw_write && val_len > max_data) +- chunk_regs = max_data / val_bytes; ++ else if (map->max_raw_write && val_len > map->max_raw_write) ++ chunk_regs = map->max_raw_write / val_bytes; + + chunk_count = val_count / chunk_regs; + chunk_bytes = chunk_regs * val_bytes; diff --git a/tmp-5.15/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch b/tmp-5.15/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch new file mode 100644 index 00000000000..eb95f2e3c93 --- /dev/null +++ b/tmp-5.15/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch 
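Review bot: In _regmap_raw_write(), `chunk_regs = map->max_raw_write / val_bytes;` becomes 0 when a bus sets max_raw_write smaller than val_bytes, and the next statement `chunk_count = val_count / chunk_regs;` then divides by zero. Whether regmap initialisation rejects such a configuration is not visible in this hunk, so this may already be guaranteed elsewhere. If it is not, a guard after the chunk_regs assignment such as `if (!chunk_regs) return -EINVAL;` turns a crash into an error return. The function starts and ends outside the hunk.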
@@ -0,0 +1,113 @@ +From b8c38854ea450db75e988f2003336172f1c482b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 14:59:18 -0700 +Subject: Revert "tcp: avoid the lookup process failing to get sk in ehash + table" + +From: Kuniyuki Iwashima + +[ Upstream commit 81b3ade5d2b98ad6e0a473b0e1e420a801275592 ] + +This reverts commit 3f4ca5fafc08881d7a57daa20449d171f2887043. + +Commit 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in +ehash table") reversed the order in how a socket is inserted into ehash +to fix an issue that ehash-lookup could fail when reqsk/full sk/twsk are +swapped. However, it introduced another lookup failure. + +The full socket in ehash is allocated from a slab with SLAB_TYPESAFE_BY_RCU +and does not have SOCK_RCU_FREE, so the socket could be reused even while +it is being referenced on another CPU doing RCU lookup. + +Let's say a socket is reused and inserted into the same hash bucket during +lookup. After the blamed commit, a new socket is inserted at the end of +the list. If that happens, we will skip sockets placed after the previous +position of the reused socket, resulting in ehash lookup failure. + +As described in Documentation/RCU/rculist_nulls.rst, we should insert a +new socket at the head of the list to avoid such an issue. + +This issue, the swap-lookup-failure, and another variant reported in [0] +can all be handled properly by adding a locked ehash lookup suggested by +Eric Dumazet [1]. + +However, this issue could occur for every packet, thus more likely than +the other two races, so let's revert the change for now. 
+ +Link: https://lore.kernel.org/netdev/20230606064306.9192-1-duanmuquan@baidu.com/ [0] +Link: https://lore.kernel.org/netdev/CANn89iK8snOz8TYOhhwfimC7ykYA78GA3Nyv8x06SZYa1nKdyA@mail.gmail.com/ [1] +Fixes: 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in ehash table") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230717215918.15723-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 17 ++--------------- + net/ipv4/inet_timewait_sock.c | 8 ++++---- + 2 files changed, 6 insertions(+), 19 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 39b3db5b61190..2936676f86eb8 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -571,20 +571,8 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + spin_lock(lock); + if (osk) { + WARN_ON_ONCE(sk->sk_hash != osk->sk_hash); +- ret = sk_hashed(osk); +- if (ret) { +- /* Before deleting the node, we insert a new one to make +- * sure that the look-up-sk process would not miss either +- * of them and that at least one node would exist in ehash +- * table all the time. Otherwise there's a tiny chance +- * that lookup process could find nothing in ehash table. 
+- */ +- __sk_nulls_add_node_tail_rcu(sk, list); +- sk_nulls_del_node_init_rcu(osk); +- } +- goto unlock; +- } +- if (found_dup_sk) { ++ ret = sk_nulls_del_node_init_rcu(osk); ++ } else if (found_dup_sk) { + *found_dup_sk = inet_ehash_lookup_by_sk(sk, list); + if (*found_dup_sk) + ret = false; +@@ -593,7 +581,6 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + if (ret) + __sk_nulls_add_node_rcu(sk, list); + +-unlock: + spin_unlock(lock); + + return ret; +diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c +index fe6340c363b43..437afe392e667 100644 +--- a/net/ipv4/inet_timewait_sock.c ++++ b/net/ipv4/inet_timewait_sock.c +@@ -81,10 +81,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw) + } + EXPORT_SYMBOL_GPL(inet_twsk_put); + +-static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw, +- struct hlist_nulls_head *list) ++static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw, ++ struct hlist_nulls_head *list) + { +- hlist_nulls_add_tail_rcu(&tw->tw_node, list); ++ hlist_nulls_add_head_rcu(&tw->tw_node, list); + } + + static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw, +@@ -120,7 +120,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk, + + spin_lock(lock); + +- inet_twsk_add_node_tail_rcu(tw, &ehead->chain); ++ inet_twsk_add_node_rcu(tw, &ehead->chain); + + /* Step 3: Remove SK from hash chain */ + if (__sk_nulls_del_node_init_rcu(sk)) +-- +2.39.2 + diff --git a/tmp-5.15/security-keys-modify-mismatched-function-name.patch b/tmp-5.15/security-keys-modify-mismatched-function-name.patch new file mode 100644 index 00000000000..2722a9f7bd6 --- /dev/null +++ b/tmp-5.15/security-keys-modify-mismatched-function-name.patch 
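Review bot: The revert deletes the only comment in inet_ehash_insert() that described the ordering of insert and delete, and leaves `ret = sk_nulls_del_node_init_rcu(osk);` followed by the head insert with no explanation. The commit message says the swap lookup failure that the reverted commit addressed is knowingly accepted again until a locked ehash lookup exists; that trade-off belongs in the code. I would add above the delete something like `/* osk is unhashed before sk is added at the head; a lockless lookup can miss both, new nodes go at the head per rculist_nulls.rst */`. The same applies to `inet_twsk_add_node_rcu()` in inet_timewait_sock.c, where the switch to `hlist_nulls_add_head_rcu()` is likewise undocumented. Both function bodies extend outside their hunks.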
@@ -0,0 +1,40 @@ +From 05011b1bd2dcdc82edf4f77f9e954e125c577e98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 10:18:25 +0800 +Subject: security: keys: Modify mismatched function name + +From: Jiapeng Chong + +[ Upstream commit 2a4152742025c5f21482e8cebc581702a0fa5b01 ] + +No functional modification involved. + +security/keys/trusted-keys/trusted_tpm2.c:203: warning: expecting prototype for tpm_buf_append_auth(). Prototype was for tpm2_buf_append_auth() instead. + +Fixes: 2e19e10131a0 ("KEYS: trusted: Move TPM2 trusted keys code") +Reported-by: Abaci Robot +Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=5524 +Signed-off-by: Jiapeng Chong +Reviewed-by: Paul Moore +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + security/keys/trusted-keys/trusted_tpm2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c +index 2b2c8eb258d5b..bc700f85f80be 100644 +--- a/security/keys/trusted-keys/trusted_tpm2.c ++++ b/security/keys/trusted-keys/trusted_tpm2.c +@@ -186,7 +186,7 @@ int tpm2_key_priv(void *context, size_t hdrlen, + } + + /** +- * tpm_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer. ++ * tpm2_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer. + * + * @buf: an allocated tpm_buf instance + * @session_handle: session handle +-- +2.39.2 + diff --git a/tmp-5.15/selftests-tc-add-conntrack-procfs-kconfig.patch b/tmp-5.15/selftests-tc-add-conntrack-procfs-kconfig.patch new file mode 100644 index 00000000000..8cde4a0890d --- /dev/null +++ b/tmp-5.15/selftests-tc-add-conntrack-procfs-kconfig.patch 
@@ -0,0 +1,42 @@ +From 031c99e71fedcce93b6785d38b7d287bf59e3952 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Thu, 13 Jul 2023 23:16:46 +0200 +Subject: selftests: tc: add ConnTrack procfs kconfig + +From: Matthieu Baerts + +commit 031c99e71fedcce93b6785d38b7d287bf59e3952 upstream. + +When looking at the TC selftest reports, I noticed one test was failing +because /proc/net/nf_conntrack was not available. + + not ok 373 3992 - Add ct action triggering DNAT tuple conflict + Could not match regex pattern. Verify command output: + cat: /proc/net/nf_conntrack: No such file or directory + +It is only available if NF_CONNTRACK_PROCFS kconfig is set. So the issue +can be fixed simply by adding it to the list of required kconfig. + +Fixes: e46905641316 ("tc-testing: add test for ct DNAT tuple collision") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [1] +Signed-off-by: Matthieu Baerts +Tested-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-3-1eb4fd3a96e7@tessares.net +Acked-by: Jamal Hadi Salim +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/tc-testing/config | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/tc-testing/config ++++ b/tools/testing/selftests/tc-testing/config +@@ -5,6 +5,7 @@ CONFIG_NF_CONNTRACK=m + CONFIG_NF_CONNTRACK_MARK=y + CONFIG_NF_CONNTRACK_ZONES=y + CONFIG_NF_CONNTRACK_LABELS=y ++CONFIG_NF_CONNTRACK_PROCFS=y + CONFIG_NF_FLOW_TABLE=m + CONFIG_NF_NAT=m + diff --git a/tmp-5.15/selftests-tc-add-ct-action-kconfig-dep.patch b/tmp-5.15/selftests-tc-add-ct-action-kconfig-dep.patch new file mode 100644 index 00000000000..7fda7e0d332 --- /dev/null +++ b/tmp-5.15/selftests-tc-add-ct-action-kconfig-dep.patch 
@@ -0,0 +1,43 @@ +From 719b4774a8cb1a501e2d22a5a4a3a0a870e427d5 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Thu, 13 Jul 2023 23:16:45 +0200 +Subject: selftests: tc: add 'ct' action kconfig dep + +From: Matthieu Baerts + +commit 719b4774a8cb1a501e2d22a5a4a3a0a870e427d5 upstream. + +When looking for something else in LKFT reports [1], I noticed most of +the tests were skipped because the "teardown stage" did not complete +successfully. + +Pedro found out this is due to the fact CONFIG_NF_FLOW_TABLE is required +but not listed in the 'config' file. Adding it to the list fixes the +issues on LKFT side. CONFIG_NET_ACT_CT is now set to 'm' in the final +kconfig. + +Fixes: c34b961a2492 ("net/sched: act_ct: Create nf flow table per zone") +Cc: stable@vger.kernel.org +Link: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230711/testrun/18267241/suite/kselftest-tc-testing/test/tc-testing_tdc_sh/log [1] +Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [2] +Suggested-by: Pedro Tammela +Signed-off-by: Matthieu Baerts +Tested-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-2-1eb4fd3a96e7@tessares.net +Acked-by: Jamal Hadi Salim +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/tc-testing/config | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/tc-testing/config ++++ b/tools/testing/selftests/tc-testing/config +@@ -5,6 +5,7 @@ CONFIG_NF_CONNTRACK=m + CONFIG_NF_CONNTRACK_MARK=y + CONFIG_NF_CONNTRACK_ZONES=y + CONFIG_NF_CONNTRACK_LABELS=y ++CONFIG_NF_FLOW_TABLE=m + CONFIG_NF_NAT=m + + CONFIG_NET_SCHED=y diff --git a/tmp-5.15/selftests-tc-set-timeout-to-15-minutes.patch b/tmp-5.15/selftests-tc-set-timeout-to-15-minutes.patch new file mode 100644 index 00000000000..ea00bbfff7d --- /dev/null +++ b/tmp-5.15/selftests-tc-set-timeout-to-15-minutes.patch 
@@ -0,0 +1,43 @@ +From fda05798c22a354efde09a76bdfc276b2d591829 Mon Sep 17 00:00:00 2001 +From: Matthieu Baerts +Date: Thu, 13 Jul 2023 23:16:44 +0200 +Subject: selftests: tc: set timeout to 15 minutes + +From: Matthieu Baerts + +commit fda05798c22a354efde09a76bdfc276b2d591829 upstream. + +When looking for something else in LKFT reports [1], I noticed that the +TC selftest ended with a timeout error: + + not ok 1 selftests: tc-testing: tdc.sh # TIMEOUT 45 seconds + +The timeout had been introduced 3 years ago, see the Fixes commit below. + +This timeout is only in place when executing the selftests via the +kselftests runner scripts. I guess this is not what most TC devs are +using and nobody noticed the issue before. + +The new timeout is set to 15 minutes as suggested by Pedro [2]. It looks +like it is plenty more time than what it takes in "normal" conditions. + +Fixes: 852c8cbf34d3 ("selftests/kselftest/runner.sh: Add 45 second timeout per test") +Cc: stable@vger.kernel.org +Link: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230711/testrun/18267241/suite/kselftest-tc-testing/test/tc-testing_tdc_sh/log [1] +Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [2] +Suggested-by: Pedro Tammela +Signed-off-by: Matthieu Baerts +Reviewed-by: Zhengchao Shao +Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-1-1eb4fd3a96e7@tessares.net +Acked-by: Jamal Hadi Salim +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/tc-testing/settings | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 tools/testing/selftests/tc-testing/settings + +--- /dev/null ++++ b/tools/testing/selftests/tc-testing/settings +@@ -0,0 +1 @@ ++timeout=900 diff --git a/tmp-5.15/series b/tmp-5.15/series new file mode 100644 index 00000000000..372a82e750c --- /dev/null +++ b/tmp-5.15/series 
@@ -0,0 +1,80 @@ +alsa-hda-realtek-remove-3k-pull-low-procedure.patch +alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch +alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch +keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch +perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch +btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch +fuse-revalidate-don-t-invalidate-if-interrupted.patch +btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch +fuse-ioctl-translate-enosys-in-outarg.patch +selftests-tc-set-timeout-to-15-minutes.patch +selftests-tc-add-ct-action-kconfig-dep.patch +regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch +regmap-account-for-register-length-in-smbus-i-o-limits.patch +can-raw-fix-receiver-memory-leak.patch +can-bcm-fix-uaf-in-bcm_proc_show.patch +selftests-tc-add-conntrack-procfs-kconfig.patch +drm-client-fix-memory-leak-in-drm_client_target_cloned.patch +drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch +drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch +drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch +asoc-fsl_sai-disable-bit-clock-with-transmitter.patch +asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch +asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch +asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch +asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch +asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch +asoc-codecs-wcd938x-fix-codec-initialisation-race.patch +asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch +ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch +drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch +alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch +quota-properly-disable-quotas-when-add_dquot_ref-fai.patch +quota-fix-warning-in-dqgrab.patch 
+udf-fix-uninitialized-array-access-for-some-pathname.patch +fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch +mips-dec-prom-address-warray-bounds-warning.patch +fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch +fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch +spi-bcm63xx-fix-max-prepend-length.patch +fbdev-imxfb-warn-about-invalid-left-right-margin.patch +perf-build-fix-library-not-found-error-when-using-cs.patch +pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch +net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch +bridge-add-extack-warning-when-enabling-stp-in-netns.patch +ethernet-use-eth_hw_addr_set-instead-of-ether_addr_c.patch +of-net-add-a-helper-for-loading-netdev-dev_addr.patch +ethernet-use-of_get_ethdev_address.patch +net-ethernet-mtk_eth_soc-handle-probe-deferral.patch +net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch +iavf-fix-use-after-free-in-free_netdev.patch +iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch +security-keys-modify-mismatched-function-name.patch +octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch +bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch +igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch +tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch +net-ipv4-use-kfree_sensitive-instead-of-kfree.patch +net-ipv6-check-return-value-of-pskb_trim.patch +revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch +fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch +llc-don-t-drop-packet-from-non-root-netns.patch +netfilter-nf_tables-fix-spurious-set-element-inserti.patch +netfilter-nft_set_pipapo-fix-improper-element-remova.patch +netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch +netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch +tcp-annotate-data-races-around-tp-tcp_tx_delay.patch +tcp-annotate-data-races-around-tp-keepalive_time.patch +tcp-annotate-data-races-around-tp-keepalive_intvl.patch 
+tcp-annotate-data-races-around-tp-keepalive_probes.patch +tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch +tcp-annotate-data-races-around-tp-linger2.patch +tcp-annotate-data-races-around-rskq_defer_accept.patch +tcp-annotate-data-races-around-tp-notsent_lowat.patch +tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch +tcp-annotate-data-races-around-fastopenq.max_qlen.patch +net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch +jbd2-recheck-chechpointing-non-dirty-buffer.patch +tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch +x86-cpu-amd-move-the-errata-checking-functionality-up.patch +x86-cpu-amd-add-a-zenbleed-fix.patch diff --git a/tmp-5.15/spi-bcm63xx-fix-max-prepend-length.patch b/tmp-5.15/spi-bcm63xx-fix-max-prepend-length.patch new file mode 100644 index 00000000000..44702d1006b --- /dev/null +++ b/tmp-5.15/spi-bcm63xx-fix-max-prepend-length.patch 
@@ -0,0 +1,47 @@ +From 9fbcf2bf0230640f0ce7744450128a11ddbdc689 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jun 2023 09:14:52 +0200 +Subject: spi: bcm63xx: fix max prepend length + +From: Jonas Gorski + +[ Upstream commit 5158814cbb37bbb38344b3ecddc24ba2ed0365f2 ] + +The command word is defined as following: + + /* Command */ + #define SPI_CMD_COMMAND_SHIFT 0 + #define SPI_CMD_DEVICE_ID_SHIFT 4 + #define SPI_CMD_PREPEND_BYTE_CNT_SHIFT 8 + #define SPI_CMD_ONE_BYTE_SHIFT 11 + #define SPI_CMD_ONE_WIRE_SHIFT 12 + +If the prepend byte count field starts at bit 8, and the next defined +bit is SPI_CMD_ONE_BYTE at bit 11, it can be at most 3 bits wide, and +thus the max value is 7, not 15. + +Fixes: b17de076062a ("spi/bcm63xx: work around inability to keep CS up") +Signed-off-by: Jonas Gorski +Link: https://lore.kernel.org/r/20230629071453.62024-1-jonas.gorski@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c +index 80fa0ef8909ca..147199002df1e 100644 +--- a/drivers/spi/spi-bcm63xx.c ++++ b/drivers/spi/spi-bcm63xx.c +@@ -126,7 +126,7 @@ enum bcm63xx_regs_spi { + SPI_MSG_DATA_SIZE, + }; + +-#define BCM63XX_SPI_MAX_PREPEND 15 ++#define BCM63XX_SPI_MAX_PREPEND 7 + + #define BCM63XX_SPI_MAX_CS 8 + #define BCM63XX_SPI_BUS_NUM 0 +-- +2.39.2 + diff --git a/tmp-5.15/tcp-annotate-data-races-around-fastopenq.max_qlen.patch b/tmp-5.15/tcp-annotate-data-races-around-fastopenq.max_qlen.patch new file mode 100644 index 00000000000..268ee78d7d7 --- /dev/null +++ b/tmp-5.15/tcp-annotate-data-races-around-fastopenq.max_qlen.patch 
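Review bot: `#define BCM63XX_SPI_MAX_PREPEND 7` replaces one bare literal with another; the derivation (prepend byte count field at bit 8, next field at bit 11, so three bits) lives only in the commit message. A comment on the define, e.g. `/* PREPEND_BYTE_CNT is a 3-bit field (bits 8..10) of the command word */`, keeps the limit from drifting out of range again. If the SPI_CMD_*_SHIFT macros quoted in the message are visible in this file, which the hunk does not show, the limit could be computed from them instead of restated.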
@@ -0,0 +1,77 @@ +From 504873f1d236bd53ef78e9b9b2a3ac77426d3932 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:57 +0000 +Subject: tcp: annotate data-races around fastopenq.max_qlen + +From: Eric Dumazet + +[ Upstream commit 70f360dd7042cb843635ece9d28335a4addff9eb ] + +This field can be read locklessly. + +Fixes: 1536e2857bd3 ("tcp: Add a TCP_FASTOPEN socket option to get a max backlog on its listner") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-12-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/tcp.h | 2 +- + net/ipv4/tcp.c | 2 +- + net/ipv4/tcp_fastopen.c | 6 ++++-- + 3 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/include/linux/tcp.h b/include/linux/tcp.h +index a7ebadf83c681..07a84ae6bf81c 100644 +--- a/include/linux/tcp.h ++++ b/include/linux/tcp.h +@@ -473,7 +473,7 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog) + struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue; + int somaxconn = READ_ONCE(sock_net(sk)->core.sysctl_somaxconn); + +- queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn); ++ WRITE_ONCE(queue->fastopenq.max_qlen, min_t(unsigned int, backlog, somaxconn)); + } + + static inline void tcp_move_syn(struct tcp_sock *tp, +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index cf486d75da836..a91cf000bb61b 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -4142,7 +4142,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + break; + + case TCP_FASTOPEN: +- val = icsk->icsk_accept_queue.fastopenq.max_qlen; ++ val = READ_ONCE(icsk->icsk_accept_queue.fastopenq.max_qlen); + break; + + case TCP_FASTOPEN_CONNECT: +diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c +index 6e0a8ef5e816f..e9b5d6f10c56d 100644 +--- a/net/ipv4/tcp_fastopen.c ++++ b/net/ipv4/tcp_fastopen.c +@@ -301,6 +301,7 @@ static struct sock *tcp_fastopen_create_child(struct sock 
*sk, + static bool tcp_fastopen_queue_check(struct sock *sk) + { + struct fastopen_queue *fastopenq; ++ int max_qlen; + + /* Make sure the listener has enabled fastopen, and we don't + * exceed the max # of pending TFO requests allowed before trying +@@ -313,10 +314,11 @@ static bool tcp_fastopen_queue_check(struct sock *sk) + * temporarily vs a server not supporting Fast Open at all. + */ + fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq; +- if (fastopenq->max_qlen == 0) ++ max_qlen = READ_ONCE(fastopenq->max_qlen); ++ if (max_qlen == 0) + return false; + +- if (fastopenq->qlen >= fastopenq->max_qlen) { ++ if (fastopenq->qlen >= max_qlen) { + struct request_sock *req1; + spin_lock(&fastopenq->lock); + req1 = fastopenq->rskq_rst_head; +-- +2.39.2 + diff --git a/tmp-5.15/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch b/tmp-5.15/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch new file mode 100644 index 00000000000..b4365f34dd7 --- /dev/null +++ b/tmp-5.15/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch 
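Review bot: In tcp_fastopen_queue_check(), `if (fastopenq->qlen >= max_qlen)` still reads `qlen` as a plain load before `spin_lock(&fastopenq->lock)` is taken, while the same comparison now uses the READ_ONCE() snapshot of max_qlen. If qlen is updated under that lock on other CPUs, which the hunk does not show, this is the same kind of lockless read the commit annotates and would want `READ_ONCE(fastopenq->qlen)`. Separately, the new `int max_qlen` local receives a value that fastopen_queue_tune() computes with `min_t(unsigned int, ...)`; a short comment that the stored value is capped by somaxconn would explain why the signed local is adequate. The function continues past the end of the hunk.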
@@ -0,0 +1,69 @@ +From b2ddd787ef0c1df81069273cd907f7e4e71ce306 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:52 +0000 +Subject: tcp: annotate data-races around icsk->icsk_syn_retries + +From: Eric Dumazet + +[ Upstream commit 3a037f0f3c4bfe44518f2fbb478aa2f99a9cd8bb ] + +do_tcp_getsockopt() and reqsk_timer_handler() read +icsk->icsk_syn_retries while another cpu might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-7-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_connection_sock.c | 2 +- + net/ipv4/tcp.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 4fb0506430774..c770719797e12 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -833,7 +833,7 @@ static void reqsk_timer_handler(struct timer_list *t) + + icsk = inet_csk(sk_listener); + net = sock_net(sk_listener); +- max_syn_ack_retries = icsk->icsk_syn_retries ? : ++ max_syn_ack_retries = READ_ONCE(icsk->icsk_syn_retries) ? : + READ_ONCE(net->ipv4.sysctl_tcp_synack_retries); + /* Normally all the openreqs are young and become mature + * (i.e. converted to established socket) for first timeout. 
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 994ac3cd50e1d..4077b456e3838 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3296,7 +3296,7 @@ int tcp_sock_set_syncnt(struct sock *sk, int val) + return -EINVAL; + + lock_sock(sk); +- inet_csk(sk)->icsk_syn_retries = val; ++ WRITE_ONCE(inet_csk(sk)->icsk_syn_retries, val); + release_sock(sk); + return 0; + } +@@ -3577,7 +3577,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (val < 1 || val > MAX_TCP_SYNCNT) + err = -EINVAL; + else +- icsk->icsk_syn_retries = val; ++ WRITE_ONCE(icsk->icsk_syn_retries, val); + break; + + case TCP_SAVE_SYN: +@@ -3991,7 +3991,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + val = keepalive_probes(tp); + break; + case TCP_SYNCNT: +- val = icsk->icsk_syn_retries ? : ++ val = READ_ONCE(icsk->icsk_syn_retries) ? : + READ_ONCE(net->ipv4.sysctl_tcp_syn_retries); + break; + case TCP_LINGER2: +-- +2.39.2 + diff --git a/tmp-5.15/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch b/tmp-5.15/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch new file mode 100644 index 00000000000..f9520fdf8ff --- /dev/null +++ b/tmp-5.15/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch 
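Review bot: The `WRITE_ONCE(inet_csk(sk)->icsk_syn_retries, val)` in tcp_sock_set_syncnt() sits between `lock_sock()` and `release_sock()` with no comment saying why an annotated store is needed under the socket lock. The keepalive patches in this series add "Paired with ..." comments at their stores, and the same is worth doing here: `/* Paired with READ_ONCE() in do_tcp_getsockopt() and reqsk_timer_handler() */`, both of which read the field without the lock according to the description. The same comment is missing at the stores added for icsk_user_timeout, rskq_defer_accept, tp->linger2, tp->notsent_lowat and tp->tcp_tx_delay in the patches that follow. Without it, a later cleanup could take the annotation for redundant and remove it.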
@@ -0,0 +1,54 @@
+From f279d65abef9beb12c4b3a8e38d9551fa94e1462 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:56 +0000
+Subject: tcp: annotate data-races around icsk->icsk_user_timeout
+
+From: Eric Dumazet
+
+[ Upstream commit 26023e91e12c68669db416b97234328a03d8e499 ]
+
+This field can be read locklessly from do_tcp_getsockopt()
+
+Fixes: dca43c75e7e5 ("tcp: Add TCP_USER_TIMEOUT socket option.")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-11-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 95e3e32d211a7..cf486d75da836 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3305,7 +3305,7 @@ EXPORT_SYMBOL(tcp_sock_set_syncnt);
+ void tcp_sock_set_user_timeout(struct sock *sk, u32 val)
+ {
+ lock_sock(sk);
+- inet_csk(sk)->icsk_user_timeout = val;
++ WRITE_ONCE(inet_csk(sk)->icsk_user_timeout, val);
+ release_sock(sk);
+ }
+ EXPORT_SYMBOL(tcp_sock_set_user_timeout);
+@@ -3625,7 +3625,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+ if (val < 0)
+ err = -EINVAL;
+ else
+- icsk->icsk_user_timeout = val;
++ WRITE_ONCE(icsk->icsk_user_timeout, val);
+ break;
+
+ case TCP_FASTOPEN:
+@@ -4138,7 +4138,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ break;
+
+ case TCP_USER_TIMEOUT:
+- val = icsk->icsk_user_timeout;
++ val = READ_ONCE(icsk->icsk_user_timeout);
+ break;
+
+ case TCP_FASTOPEN:
+--
+2.39.2
+
diff --git a/tmp-5.15/tcp-annotate-data-races-around-rskq_defer_accept.patch b/tmp-5.15/tcp-annotate-data-races-around-rskq_defer_accept.patch
new file mode 100644
index 00000000000..9fdfb32b1fd
--- /dev/null
+++ b/tmp-5.15/tcp-annotate-data-races-around-rskq_defer_accept.patch
@@ -0,0 +1,53 @@
+From f771690722227ddf46e211314d1db050e9d8c24a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:54 +0000
+Subject: tcp: annotate data-races around rskq_defer_accept
+
+From: Eric Dumazet
+
+[ Upstream commit ae488c74422fb1dcd807c0201804b3b5e8a322a3 ]
+
+do_tcp_getsockopt() reads rskq_defer_accept while another cpu
+might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-9-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 58f202fd6f269..29661f7e372d9 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3599,9 +3599,9 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+
+ case TCP_DEFER_ACCEPT:
+ /* Translate value in seconds to number of retransmits */
+- icsk->icsk_accept_queue.rskq_defer_accept =
+- secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ,
+- TCP_RTO_MAX / HZ);
++ WRITE_ONCE(icsk->icsk_accept_queue.rskq_defer_accept,
++ secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ,
++ TCP_RTO_MAX / HZ));
+ break;
+
+ case TCP_WINDOW_CLAMP:
+@@ -4000,8 +4000,9 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ;
+ break;
+ case TCP_DEFER_ACCEPT:
+- val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept,
+- TCP_TIMEOUT_INIT / HZ, TCP_RTO_MAX / HZ);
++ val = READ_ONCE(icsk->icsk_accept_queue.rskq_defer_accept);
++ val = retrans_to_secs(val, TCP_TIMEOUT_INIT / HZ,
++ TCP_RTO_MAX / HZ);
+ break;
+ case TCP_WINDOW_CLAMP:
+ val = tp->window_clamp;
+--
+2.39.2
+
diff --git a/tmp-5.15/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch b/tmp-5.15/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch
new file mode 100644
index 00000000000..1132c32bc92
--- /dev/null
+++ b/tmp-5.15/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch 
@@ -0,0 +1,184 @@ +From 2c32fb0c394d7eab02829f481a3f9b49b806dd70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 14:44:45 +0000 +Subject: tcp: annotate data-races around tcp_rsk(req)->ts_recent + +From: Eric Dumazet + +[ Upstream commit eba20811f32652bc1a52d5e7cc403859b86390d9 ] + +TCP request sockets are lockless, tcp_rsk(req)->ts_recent +can change while being read by another cpu as syzbot noticed. + +This is harmless, but we should annotate the known races. + +Note that tcp_check_req() changes req->ts_recent a bit early, +we might change this in the future. + +BUG: KCSAN: data-race in tcp_check_req / tcp_check_req + +write to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 1: +tcp_check_req+0x694/0xc70 net/ipv4/tcp_minisocks.c:762 +tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071 +ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205 +ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233 +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254 +dst_input include/net/dst.h:468 [inline] +ip_rcv_finish net/ipv4/ip_input.c:449 [inline] +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569 +__netif_receive_skb_one_core net/core/dev.c:5493 [inline] +__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607 +process_backlog+0x21f/0x380 net/core/dev.c:5935 +__napi_poll+0x60/0x3b0 net/core/dev.c:6498 +napi_poll net/core/dev.c:6565 [inline] +net_rx_action+0x32b/0x750 net/core/dev.c:6698 +__do_softirq+0xc1/0x265 kernel/softirq.c:571 +do_softirq+0x7e/0xb0 kernel/softirq.c:472 +__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:396 +local_bh_enable+0x1f/0x20 include/linux/bottom_half.h:33 +rcu_read_unlock_bh include/linux/rcupdate.h:843 [inline] +__dev_queue_xmit+0xabb/0x1d10 net/core/dev.c:4271 +dev_queue_xmit include/linux/netdevice.h:3088 [inline] +neigh_hh_output include/net/neighbour.h:528 [inline] +neigh_output include/net/neighbour.h:542 [inline] 
+ip_finish_output2+0x700/0x840 net/ipv4/ip_output.c:229 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:317 +NF_HOOK_COND include/linux/netfilter.h:292 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:431 +dst_output include/net/dst.h:458 [inline] +ip_local_out net/ipv4/ip_output.c:126 [inline] +__ip_queue_xmit+0xa4d/0xa70 net/ipv4/ip_output.c:533 +ip_queue_xmit+0x38/0x40 net/ipv4/ip_output.c:547 +__tcp_transmit_skb+0x1194/0x16e0 net/ipv4/tcp_output.c:1399 +tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline] +tcp_write_xmit+0x13ff/0x2fd0 net/ipv4/tcp_output.c:2693 +__tcp_push_pending_frames+0x6a/0x1a0 net/ipv4/tcp_output.c:2877 +tcp_push_pending_frames include/net/tcp.h:1952 [inline] +__tcp_sock_set_cork net/ipv4/tcp.c:3336 [inline] +tcp_sock_set_cork+0xe8/0x100 net/ipv4/tcp.c:3343 +rds_tcp_xmit_path_complete+0x3b/0x40 net/rds/tcp_send.c:52 +rds_send_xmit+0xf8d/0x1420 net/rds/send.c:422 +rds_send_worker+0x42/0x1d0 net/rds/threads.c:200 +process_one_work+0x3e6/0x750 kernel/workqueue.c:2408 +worker_thread+0x5f2/0xa10 kernel/workqueue.c:2555 +kthread+0x1d7/0x210 kernel/kthread.c:379 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +read to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 0: +tcp_check_req+0x32a/0xc70 net/ipv4/tcp_minisocks.c:622 +tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071 +ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205 +ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233 +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254 +dst_input include/net/dst.h:468 [inline] +ip_rcv_finish net/ipv4/ip_input.c:449 [inline] +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569 +__netif_receive_skb_one_core net/core/dev.c:5493 [inline] +__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607 +process_backlog+0x21f/0x380 net/core/dev.c:5935 +__napi_poll+0x60/0x3b0 net/core/dev.c:6498 +napi_poll net/core/dev.c:6565 [inline] 
+net_rx_action+0x32b/0x750 net/core/dev.c:6698 +__do_softirq+0xc1/0x265 kernel/softirq.c:571 +run_ksoftirqd+0x17/0x20 kernel/softirq.c:939 +smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164 +kthread+0x1d7/0x210 kernel/kthread.c:379 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +value changed: 0x1cd237f1 -> 0x1cd237f2 + +Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230717144445.653164-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 2 +- + net/ipv4/tcp_minisocks.c | 9 ++++++--- + net/ipv4/tcp_output.c | 2 +- + net/ipv6/tcp_ipv6.c | 2 +- + 4 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 9ac6bca83fadb..87bdbb527930f 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -975,7 +975,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + tcp_rsk(req)->rcv_nxt, + req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, + tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, +- req->ts_recent, ++ READ_ONCE(req->ts_recent), + 0, + tcp_md5_do_lookup(sk, l3index, addr, AF_INET), + inet_rsk(req)->no_srccheck ? 
IP_REPLY_ARG_NOSRCCHECK : 0, +diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c +index aa67d5adcbca9..2606a5571116a 100644 +--- a/net/ipv4/tcp_minisocks.c ++++ b/net/ipv4/tcp_minisocks.c +@@ -523,7 +523,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk, + newtp->max_window = newtp->snd_wnd; + + if (newtp->rx_opt.tstamp_ok) { +- newtp->rx_opt.ts_recent = req->ts_recent; ++ newtp->rx_opt.ts_recent = READ_ONCE(req->ts_recent); + newtp->rx_opt.ts_recent_stamp = ktime_get_seconds(); + newtp->tcp_header_len = sizeof(struct tcphdr) + TCPOLEN_TSTAMP_ALIGNED; + } else { +@@ -586,7 +586,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb, + tcp_parse_options(sock_net(sk), skb, &tmp_opt, 0, NULL); + + if (tmp_opt.saw_tstamp) { +- tmp_opt.ts_recent = req->ts_recent; ++ tmp_opt.ts_recent = READ_ONCE(req->ts_recent); + if (tmp_opt.rcv_tsecr) + tmp_opt.rcv_tsecr -= tcp_rsk(req)->ts_off; + /* We do not store true stamp, but it is not required, +@@ -726,8 +726,11 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb, + + /* In sequence, PAWS is OK. */ + ++ /* TODO: We probably should defer ts_recent change once ++ * we take ownership of @req. 
++ */ + if (tmp_opt.saw_tstamp && !after(TCP_SKB_CB(skb)->seq, tcp_rsk(req)->rcv_nxt)) +- req->ts_recent = tmp_opt.rcv_tsval; ++ WRITE_ONCE(req->ts_recent, tmp_opt.rcv_tsval); + + if (TCP_SKB_CB(skb)->seq == tcp_rsk(req)->rcv_isn) { + /* Truncate SYN, it is out of window starting +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 1f39b56bbab32..d46fb6d7057bd 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -875,7 +875,7 @@ static unsigned int tcp_synack_options(const struct sock *sk, + if (likely(ireq->tstamp_ok)) { + opts->options |= OPTION_TS; + opts->tsval = tcp_skb_timestamp(skb) + tcp_rsk(req)->ts_off; +- opts->tsecr = req->ts_recent; ++ opts->tsecr = READ_ONCE(req->ts_recent); + remaining -= TCPOLEN_TSTAMP_ALIGNED; + } + if (likely(ireq->sack_ok)) { +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index b6f5a4474d8bc..c18fdddbfa09d 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1171,7 +1171,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + tcp_rsk(req)->rcv_nxt, + req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, + tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, +- req->ts_recent, sk->sk_bound_dev_if, ++ READ_ONCE(req->ts_recent), sk->sk_bound_dev_if, + tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index), + ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority); + } +-- +2.39.2 + diff --git a/tmp-5.15/tcp-annotate-data-races-around-tp-keepalive_intvl.patch b/tmp-5.15/tcp-annotate-data-races-around-tp-keepalive_intvl.patch new file mode 100644 index 00000000000..32165d94ab7 --- /dev/null +++ b/tmp-5.15/tcp-annotate-data-races-around-tp-keepalive_intvl.patch 
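Review bot: The TODO added above `WRITE_ONCE(req->ts_recent, tmp_opt.rcv_tsval)` in tcp_check_req() says the store should be deferred but not what the early store exposes. The value comes from the received segment and is published before this CPU owns @req, so a concurrent tcp_check_req() on the same request (the KCSAN report in the description shows two) can load it through the `READ_ONCE(req->ts_recent)` near the top of the function. I would record that next to the TODO, e.g. `/* Stored before we own @req: a racing tcp_check_req() may observe this rcv_tsval. */`, so the pairing and the reason for the TODO stay together. The function starts and ends outside these hunks.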
@@ -0,0 +1,68 @@ +From 396d0b4b004741b9e95e46d9e2d7c928e0659942 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:50 +0000 +Subject: tcp: annotate data-races around tp->keepalive_intvl + +From: Eric Dumazet + +[ Upstream commit 5ecf9d4f52ff2f1d4d44c9b68bc75688e82f13b4 ] + +do_tcp_getsockopt() reads tp->keepalive_intvl while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-5-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 9 +++++++-- + net/ipv4/tcp.c | 4 ++-- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index f9a24f48fa986..b737ce77f7062 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1473,9 +1473,14 @@ void tcp_leave_memory_pressure(struct sock *sk); + static inline int keepalive_intvl_when(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); ++ int val; ++ ++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepintvl() ++ * and do_tcp_setsockopt(). ++ */ ++ val = READ_ONCE(tp->keepalive_intvl); + +- return tp->keepalive_intvl ? : +- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl); ++ return val ? 
: READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl); + } + + static inline int keepalive_time_when(const struct tcp_sock *tp) +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 54219e2080019..8fe1098b183d0 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3350,7 +3350,7 @@ int tcp_sock_set_keepintvl(struct sock *sk, int val) + return -EINVAL; + + lock_sock(sk); +- tcp_sk(sk)->keepalive_intvl = val * HZ; ++ WRITE_ONCE(tcp_sk(sk)->keepalive_intvl, val * HZ); + release_sock(sk); + return 0; + } +@@ -3564,7 +3564,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (val < 1 || val > MAX_TCP_KEEPINTVL) + err = -EINVAL; + else +- tp->keepalive_intvl = val * HZ; ++ WRITE_ONCE(tp->keepalive_intvl, val * HZ); + break; + case TCP_KEEPCNT: + if (val < 1 || val > MAX_TCP_KEEPCNT) +-- +2.39.2 + diff --git a/tmp-5.15/tcp-annotate-data-races-around-tp-keepalive_probes.patch b/tmp-5.15/tcp-annotate-data-races-around-tp-keepalive_probes.patch new file mode 100644 index 00000000000..745e3bbd3fd --- /dev/null +++ b/tmp-5.15/tcp-annotate-data-races-around-tp-keepalive_probes.patch 
@@ -0,0 +1,69 @@ +From ff4700cef1f60666493b4b6ab12310a59a844e3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:51 +0000 +Subject: tcp: annotate data-races around tp->keepalive_probes + +From: Eric Dumazet + +[ Upstream commit 6e5e1de616bf5f3df1769abc9292191dfad9110a ] + +do_tcp_getsockopt() reads tp->keepalive_probes while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-6-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 9 +++++++-- + net/ipv4/tcp.c | 5 +++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index b737ce77f7062..fe58b089f0b16 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1497,9 +1497,14 @@ static inline int keepalive_time_when(const struct tcp_sock *tp) + static inline int keepalive_probes(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); ++ int val; ++ ++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepcnt() ++ * and do_tcp_setsockopt(). ++ */ ++ val = READ_ONCE(tp->keepalive_probes); + +- return tp->keepalive_probes ? : +- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes); ++ return val ? 
: READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes); + } + + static inline u32 keepalive_time_elapsed(const struct tcp_sock *tp) +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 8fe1098b183d0..994ac3cd50e1d 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3362,7 +3362,8 @@ int tcp_sock_set_keepcnt(struct sock *sk, int val) + return -EINVAL; + + lock_sock(sk); +- tcp_sk(sk)->keepalive_probes = val; ++ /* Paired with READ_ONCE() in keepalive_probes() */ ++ WRITE_ONCE(tcp_sk(sk)->keepalive_probes, val); + release_sock(sk); + return 0; + } +@@ -3570,7 +3571,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (val < 1 || val > MAX_TCP_KEEPCNT) + err = -EINVAL; + else +- tp->keepalive_probes = val; ++ WRITE_ONCE(tp->keepalive_probes, val); + break; + case TCP_SYNCNT: + if (val < 1 || val > MAX_TCP_SYNCNT) +-- +2.39.2 + diff --git a/tmp-5.15/tcp-annotate-data-races-around-tp-keepalive_time.patch b/tmp-5.15/tcp-annotate-data-races-around-tp-keepalive_time.patch new file mode 100644 index 00000000000..ffcf7a9d4dc --- /dev/null +++ b/tmp-5.15/tcp-annotate-data-races-around-tp-keepalive_time.patch 
@@ -0,0 +1,58 @@
+From cffe2e189f82c424c3b454a7c55cd419107b1469 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:49 +0000
+Subject: tcp: annotate data-races around tp->keepalive_time
+
+From: Eric Dumazet
+
+[ Upstream commit 4164245c76ff906c9086758e1c3f87082a7f5ef5 ]
+
+do_tcp_getsockopt() reads tp->keepalive_time while another cpu
+might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-4-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/tcp.h | 7 +++++--
+ net/ipv4/tcp.c | 3 ++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index fdac6913b6c8f..f9a24f48fa986 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1481,9 +1481,12 @@ static inline int keepalive_intvl_when(const struct tcp_sock *tp)
+ static inline int keepalive_time_when(const struct tcp_sock *tp)
+ {
+ struct net *net = sock_net((struct sock *)tp);
++ int val;
+
+- return tp->keepalive_time ? :
+- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time);
++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepidle_locked() */
++ val = READ_ONCE(tp->keepalive_time);
++
++ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time);
+ }
+
+ static inline int keepalive_probes(const struct tcp_sock *tp)
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 8ff86431f44b4..54219e2080019 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3317,7 +3317,8 @@ int tcp_sock_set_keepidle_locked(struct sock *sk, int val)
+ if (val < 1 || val > MAX_TCP_KEEPIDLE)
+ return -EINVAL;
+
+- tp->keepalive_time = val * HZ;
++ /* Paired with WRITE_ONCE() in keepalive_time_when() */
++ WRITE_ONCE(tp->keepalive_time, val * HZ);
+ if (sock_flag(sk, SOCK_KEEPOPEN) &&
+ !((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) {
+ u32 elapsed = keepalive_time_elapsed(tp);
+--
+2.39.2
+
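Review bot: The comment added in tcp_sock_set_keepidle_locked() names the wrong primitive: it reads "Paired with WRITE_ONCE() in keepalive_time_when()", but the include/net/tcp.h hunk of the same patch shows keepalive_time_when() doing `READ_ONCE(tp->keepalive_time)`. It should read `/* Paired with READ_ONCE() in keepalive_time_when() */`. As written the comment points a reader looking for the lockless reader at a second writer that does not exist. The function body continues outside the hunk.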
diff --git a/tmp-5.15/tcp-annotate-data-races-around-tp-linger2.patch b/tmp-5.15/tcp-annotate-data-races-around-tp-linger2.patch
new file mode 100644
index 00000000000..f4e69d16c71
--- /dev/null
+++ b/tmp-5.15/tcp-annotate-data-races-around-tp-linger2.patch
@@ -0,0 +1,52 @@
+From 480941945887e8588a3503e00b21babff9e15aa2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:53 +0000
+Subject: tcp: annotate data-races around tp->linger2
+
+From: Eric Dumazet
+
+[ Upstream commit 9df5335ca974e688389c875546e5819778a80d59 ]
+
+do_tcp_getsockopt() reads tp->linger2 while another cpu
+might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-8-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 4077b456e3838..58f202fd6f269 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3590,11 +3590,11 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+
+ case TCP_LINGER2:
+ if (val < 0)
+- tp->linger2 = -1;
++ WRITE_ONCE(tp->linger2, -1);
+ else if (val > TCP_FIN_TIMEOUT_MAX / HZ)
+- tp->linger2 = TCP_FIN_TIMEOUT_MAX;
++ WRITE_ONCE(tp->linger2, TCP_FIN_TIMEOUT_MAX);
+ else
+- tp->linger2 = val * HZ;
++ WRITE_ONCE(tp->linger2, val * HZ);
+ break;
+
+ case TCP_DEFER_ACCEPT:
+@@ -3995,7 +3995,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
+ READ_ONCE(net->ipv4.sysctl_tcp_syn_retries);
+ break;
+ case TCP_LINGER2:
+- val = tp->linger2;
++ val = READ_ONCE(tp->linger2);
+ if (val >= 0)
+ val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ;
+ break;
+--
+2.39.2
+
diff --git a/tmp-5.15/tcp-annotate-data-races-around-tp-notsent_lowat.patch b/tmp-5.15/tcp-annotate-data-races-around-tp-notsent_lowat.patch
new file mode 100644
index 00000000000..1fe1cdc1475
--- /dev/null
+++ b/tmp-5.15/tcp-annotate-data-races-around-tp-notsent_lowat.patch
@@ -0,0 +1,64 @@ +From a99b9155cd25e74550057ab7c9289b551a9ddf6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:55 +0000 +Subject: tcp: annotate data-races around tp->notsent_lowat + +From: Eric Dumazet + +[ Upstream commit 1aeb87bc1440c5447a7fa2d6e3c2cca52cbd206b ] + +tp->notsent_lowat can be read locklessly from do_tcp_getsockopt() +and tcp_poll(). + +Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-10-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 6 +++++- + net/ipv4/tcp.c | 4 ++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index fe58b089f0b16..d8920f84f0a8d 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -2012,7 +2012,11 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr); + static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); +- return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); ++ u32 val; ++ ++ val = READ_ONCE(tp->notsent_lowat); ++ ++ return val ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); + } + + bool tcp_stream_memory_free(const struct sock *sk, int wake); +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 29661f7e372d9..95e3e32d211a7 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3669,7 +3669,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname, + err = tcp_repair_set_window(tp, optval, optlen); + break; + case TCP_NOTSENT_LOWAT: +- tp->notsent_lowat = val; ++ WRITE_ONCE(tp->notsent_lowat, val); + sk->sk_write_space(sk); + break; + case TCP_INQ: +@@ -4161,7 +4161,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + val = tcp_time_stamp_raw() + tp->tsoffset; + break; + case TCP_NOTSENT_LOWAT: +- val = tp->notsent_lowat; ++ val = 
READ_ONCE(tp->notsent_lowat); + break; + case TCP_INQ: + val = tp->recvmsg_inq; +-- +2.39.2 + diff --git a/tmp-5.15/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch b/tmp-5.15/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch new file mode 100644 index 00000000000..de65384496e --- /dev/null +++ b/tmp-5.15/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch @@ -0,0 +1,46 @@ +From 2baf574dc716b3442b179f7f42d1697046266fae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:47 +0000 +Subject: tcp: annotate data-races around tp->tcp_tx_delay + +From: Eric Dumazet + +[ Upstream commit 348b81b68b13ebd489a3e6a46aa1c384c731c919 ] + +do_tcp_getsockopt() reads tp->tcp_tx_delay while another cpu +might change its value. + +Fixes: a842fe1425cb ("tcp: add optional per socket transmit delay") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index fc0fa1f2ca9b1..8ff86431f44b4 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3679,7 +3679,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, int optname, + case TCP_TX_DELAY: + if (val) + tcp_enable_tx_delay(); +- tp->tcp_tx_delay = val; ++ WRITE_ONCE(tp->tcp_tx_delay, val); + break; + default: + err = -ENOPROTOOPT; +@@ -4151,7 +4151,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + break; + + case TCP_TX_DELAY: +- val = tp->tcp_tx_delay; ++ val = READ_ONCE(tp->tcp_tx_delay); + break; + + case TCP_TIMESTAMP: +-- +2.39.2 + diff --git a/tmp-5.15/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch b/tmp-5.15/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch new file mode 100644 index 00000000000..7db6d37c43c --- /dev/null 
+++ b/tmp-5.15/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch
@@ -0,0 +1,38 @@
+From 4b8b3905165ef98386a3c06f196c85d21292d029 Mon Sep 17 00:00:00 2001
+From: Mohamed Khalfella
+Date: Fri, 14 Jul 2023 20:33:41 +0000
+Subject: tracing/histograms: Return an error if we fail to add histogram to hist_vars list
+
+From: Mohamed Khalfella
+
+commit 4b8b3905165ef98386a3c06f196c85d21292d029 upstream.
+
+Commit 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if
+they have referenced variables") added a check to fail histogram creation
+if save_hist_vars() failed to add histogram to hist_vars list. But the
+commit failed to set ret to failed return code before jumping to
+unregister histogram, fix it.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230714203341.51396-1-mkhalfella@purestorage.com
+
+Cc: stable@vger.kernel.org
+Fixes: 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if they have referenced variables")
+Signed-off-by: Mohamed Khalfella
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_events_hist.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -5949,7 +5949,8 @@ static int event_hist_trigger_func(struc
+ goto out_unreg;
+
+ if (has_hist_vars(hist_data) || hist_data->n_var_refs) {
+- if (save_hist_vars(hist_data))
++ ret = save_hist_vars(hist_data);
++ if (ret)
+ goto out_unreg;
+ }
+
diff --git a/tmp-5.15/udf-fix-uninitialized-array-access-for-some-pathname.patch b/tmp-5.15/udf-fix-uninitialized-array-access-for-some-pathname.patch
new file mode 100644
index 00000000000..3e220e6aa36
--- /dev/null
+++ b/tmp-5.15/udf-fix-uninitialized-array-access-for-some-pathname.patch
@@ -0,0 +1,36 @@
+From 9da03b3b3c1b0c6a5cbb8a71990085e53fd1d7d9 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Wed, 21 Jun 2023 11:32:35 +0200
+Subject: [PATCH AUTOSEL 4.14 5/9] udf: Fix uninitialized array access for some
+ pathnames
+X-stable: review
+X-Patchwork-Hint: Ignore
+X-stable-base: Linux 4.14.320
+
+[ Upstream commit 028f6055c912588e6f72722d89c30b401bbcf013 ]
+
+For filenames that begin with . and are between 2 and 5 characters long,
+UDF charset conversion code would read uninitialized memory in the
+output buffer. The only practical impact is that the name may be prepended a
+"unification hash" when it is not actually needed but still it is good
+to fix this.
+
+Reported-by: syzbot+cd311b1e43cc25f90d18@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/all/000000000000e2638a05fe9dc8f9@google.com
+Signed-off-by: Jan Kara
+Signed-off-by: Sasha Levin
+---
+ fs/udf/unicode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/udf/unicode.c
++++ b/fs/udf/unicode.c
+@@ -247,7 +247,7 @@ static int udf_name_from_CS0(struct supe
+ }
+
+ if (translate) {
+- if (str_o_len <= 2 && str_o[0] == '.' &&
++ if (str_o_len > 0 && str_o_len <= 2 && str_o[0] == '.' &&
+ (str_o_len == 1 || str_o[1] == '.'))
+ needsCRC = 1;
+ if (needsCRC) {
diff --git a/tmp-5.15/x86-cpu-amd-add-a-zenbleed-fix.patch b/tmp-5.15/x86-cpu-amd-add-a-zenbleed-fix.patch
new file mode 100644
index 00000000000..f85b27c48b1
--- /dev/null
+++ b/tmp-5.15/x86-cpu-amd-add-a-zenbleed-fix.patch
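Review bot: The new `str_o_len > 0` guard in udf_name_from_CS0() has no comment, and the description's "between 2 and 5 characters long" does not obviously correspond to a zero-length check. As far as the hunk shows, the guard keeps `str_o[0]` from being inspected when nothing has been written to the output buffer. A one-line comment above the condition, such as `/* str_o may be empty here: do not look at str_o[0] */`, would keep a later cleanup from folding the check away. The name being converted presumably comes from the on-disk volume, so this is an untrusted-input path where the reason for the bound should be visible in the code. The function body starts and ends outside the hunk.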
@@ -0,0 +1,161 @@ +From b2d362e150f1a48e95b4224e6ad860948f48c158 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Sat, 15 Jul 2023 13:41:28 +0200 +Subject: x86/cpu/amd: Add a Zenbleed fix + +From: "Borislav Petkov (AMD)" + +Upstream commit: 522b1d69219d8f083173819fde04f994aa051a98 + +Add a fix for the Zen2 VZEROUPPER data corruption bug where under +certain circumstances executing VZEROUPPER can cause register +corruption or leak data. + +The optimal fix is through microcode but in the case the proper +microcode revision has not been applied, enable a fallback fix using +a chicken bit. + +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/microcode.h | 1 + arch/x86/include/asm/microcode_amd.h | 2 + + arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/amd.c | 60 +++++++++++++++++++++++++++++++++++ + arch/x86/kernel/cpu/common.c | 2 + + 5 files changed, 66 insertions(+) + +--- a/arch/x86/include/asm/microcode.h ++++ b/arch/x86/include/asm/microcode.h +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + + struct ucode_patch { + struct list_head plist; +--- a/arch/x86/include/asm/microcode_amd.h ++++ b/arch/x86/include/asm/microcode_amd.h +@@ -48,11 +48,13 @@ extern void __init load_ucode_amd_bsp(un + extern void load_ucode_amd_ap(unsigned int family); + extern int __init save_microcode_in_initrd_amd(unsigned int family); + void reload_ucode_amd(unsigned int cpu); ++extern void amd_check_microcode(void); + #else + static inline void __init load_ucode_amd_bsp(unsigned int family) {} + static inline void load_ucode_amd_ap(unsigned int family) {} + static inline int __init + save_microcode_in_initrd_amd(unsigned int family) { return -EINVAL; } + static inline void reload_ucode_amd(unsigned int cpu) {} ++static inline void amd_check_microcode(void) {} + #endif + #endif /* _ASM_X86_MICROCODE_AMD_H */ +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -503,6 
+503,7 @@ + #define MSR_AMD64_DE_CFG 0xc0011029 + #define MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT 1 + #define MSR_AMD64_DE_CFG_LFENCE_SERIALIZE BIT_ULL(MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT) ++#define MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT 9 + + #define MSR_AMD64_BU_CFG2 0xc001102a + #define MSR_AMD64_IBSFETCHCTL 0xc0011030 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -70,6 +70,11 @@ static const int amd_erratum_383[] = + static const int amd_erratum_1054[] = + AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); + ++static const int amd_zenbleed[] = ++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0x30, 0x0, 0x4f, 0xf), ++ AMD_MODEL_RANGE(0x17, 0x60, 0x0, 0x7f, 0xf), ++ AMD_MODEL_RANGE(0x17, 0xa0, 0x0, 0xaf, 0xf)); ++ + static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) + { + int osvw_id = *erratum++; +@@ -1002,6 +1007,47 @@ static void init_amd_zn(struct cpuinfo_x + } + } + ++static bool cpu_has_zenbleed_microcode(void) ++{ ++ u32 good_rev = 0; ++ ++ switch (boot_cpu_data.x86_model) { ++ case 0x30 ... 0x3f: good_rev = 0x0830107a; break; ++ case 0x60 ... 0x67: good_rev = 0x0860010b; break; ++ case 0x68 ... 0x6f: good_rev = 0x08608105; break; ++ case 0x70 ... 0x7f: good_rev = 0x08701032; break; ++ case 0xa0 ... 
0xaf: good_rev = 0x08a00008; break; ++ ++ default: ++ return false; ++ break; ++ } ++ ++ if (boot_cpu_data.microcode < good_rev) ++ return false; ++ ++ return true; ++} ++ ++static void zenbleed_check(struct cpuinfo_x86 *c) ++{ ++ if (!cpu_has_amd_erratum(c, amd_zenbleed)) ++ return; ++ ++ if (cpu_has(c, X86_FEATURE_HYPERVISOR)) ++ return; ++ ++ if (!cpu_has(c, X86_FEATURE_AVX)) ++ return; ++ ++ if (!cpu_has_zenbleed_microcode()) { ++ pr_notice_once("Zenbleed: please update your microcode for the most optimal fix\n"); ++ msr_set_bit(MSR_AMD64_DE_CFG, MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT); ++ } else { ++ msr_clear_bit(MSR_AMD64_DE_CFG, MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT); ++ } ++} ++ + static void init_amd(struct cpuinfo_x86 *c) + { + early_init_amd(c); +@@ -1092,6 +1138,8 @@ static void init_amd(struct cpuinfo_x86 + msr_set_bit(MSR_K7_HWCR, MSR_K7_HWCR_IRPERF_EN_BIT); + + check_null_seg_clears_base(c); ++ ++ zenbleed_check(c); + } + + #ifdef CONFIG_X86_32 +@@ -1221,3 +1269,15 @@ u32 amd_get_highest_perf(void) + return 255; + } + EXPORT_SYMBOL_GPL(amd_get_highest_perf); ++ ++static void zenbleed_check_cpu(void *unused) ++{ ++ struct cpuinfo_x86 *c = &cpu_data(smp_processor_id()); ++ ++ zenbleed_check(c); ++} ++ ++void amd_check_microcode(void) ++{ ++ on_each_cpu(zenbleed_check_cpu, NULL, 1); ++} +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -2185,6 +2185,8 @@ void microcode_check(struct cpuinfo_x86 + + perf_check_microcode(); + ++ amd_check_microcode(); ++ + store_cpu_caps(&curr_info); + + if (!memcmp(&prev_info->x86_capability, &curr_info.x86_capability, diff --git a/tmp-5.15/x86-cpu-amd-move-the-errata-checking-functionality-up.patch b/tmp-5.15/x86-cpu-amd-move-the-errata-checking-functionality-up.patch new file mode 100644 index 00000000000..0134ed8ec25 --- /dev/null +++ b/tmp-5.15/x86-cpu-amd-move-the-errata-checking-functionality-up.patch 
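Review bot: In the amd.c part of this patch, `cpu_has_zenbleed_microcode()` decides from `boot_cpu_data.x86_model` and `boot_cpu_data.microcode`, although `zenbleed_check(c)` runs per CPU (from `init_amd()` and, through `amd_check_microcode()`, via `on_each_cpu()`), so a CPU whose microcode revision differs from the boot CPU's would inherit the boot CPU's decision and could have the fallback bit cleared while still on an unfixed revision. Whether `boot_cpu_data.microcode` is always in step with every CPU at these call sites is not visible here; passing the per-CPU data removes the assumption: `static bool cpu_has_zenbleed_microcode(struct cpuinfo_x86 *c)` with `if (c->microcode < good_rev) return false;`. Models 0x40–0x4f are listed in `amd_zenbleed[]` but not in the revision switch, so they always take `default:` and keep the chicken bit set; that is the safe direction, and a comment such as `/* no fixed microcode revision known: always use the fallback */` would record it (the `break;` after `return false;` is unreachable). The early return on `X86_FEATURE_HYPERVISOR` also deserves a one-line comment, presumably that a guest depends on the host for the mitigation.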
@@ -0,0 +1,181 @@ +From 334baad709246598bfd30587a0e98b0d90f3f596 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Sat, 15 Jul 2023 13:31:32 +0200 +Subject: x86/cpu/amd: Move the errata checking functionality up + +From: "Borislav Petkov (AMD)" + +Upstream commit: 8b6f687743dacce83dbb0c7cfacf88bab00f808a + +Avoid new and remove old forward declarations. + +No functional changes. + +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/amd.c | 139 ++++++++++++++++++++++------------------------ + 1 file changed, 67 insertions(+), 72 deletions(-) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -27,11 +27,6 @@ + + #include "cpu.h" + +-static const int amd_erratum_383[]; +-static const int amd_erratum_400[]; +-static const int amd_erratum_1054[]; +-static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum); +- + /* + * nodes_per_socket: Stores the number of nodes per socket. + * Refer to Fam15h Models 00-0fh BKDG - CPUID Fn8000_001E_ECX +@@ -39,6 +34,73 @@ static bool cpu_has_amd_erratum(struct c + */ + static u32 nodes_per_socket = 1; + ++/* ++ * AMD errata checking ++ * ++ * Errata are defined as arrays of ints using the AMD_LEGACY_ERRATUM() or ++ * AMD_OSVW_ERRATUM() macros. The latter is intended for newer errata that ++ * have an OSVW id assigned, which it takes as first argument. Both take a ++ * variable number of family-specific model-stepping ranges created by ++ * AMD_MODEL_RANGE(). ++ * ++ * Example: ++ * ++ * const int amd_erratum_319[] = ++ * AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2), ++ * AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0), ++ * AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0)); ++ */ ++ ++#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 } ++#define AMD_OSVW_ERRATUM(osvw_id, ...) 
{ osvw_id, __VA_ARGS__, 0 } ++#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \ ++ ((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end)) ++#define AMD_MODEL_RANGE_FAMILY(range) (((range) >> 24) & 0xff) ++#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff) ++#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff) ++ ++static const int amd_erratum_400[] = ++ AMD_OSVW_ERRATUM(1, AMD_MODEL_RANGE(0xf, 0x41, 0x2, 0xff, 0xf), ++ AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0xff, 0xf)); ++ ++static const int amd_erratum_383[] = ++ AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf)); ++ ++/* #1054: Instructions Retired Performance Counter May Be Inaccurate */ ++static const int amd_erratum_1054[] = ++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); ++ ++static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) ++{ ++ int osvw_id = *erratum++; ++ u32 range; ++ u32 ms; ++ ++ if (osvw_id >= 0 && osvw_id < 65536 && ++ cpu_has(cpu, X86_FEATURE_OSVW)) { ++ u64 osvw_len; ++ ++ rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, osvw_len); ++ if (osvw_id < osvw_len) { ++ u64 osvw_bits; ++ ++ rdmsrl(MSR_AMD64_OSVW_STATUS + (osvw_id >> 6), ++ osvw_bits); ++ return osvw_bits & (1ULL << (osvw_id & 0x3f)); ++ } ++ } ++ ++ /* OSVW unavailable or ID unknown, match family-model-stepping range */ ++ ms = (cpu->x86_model << 4) | cpu->x86_stepping; ++ while ((range = *erratum++)) ++ if ((cpu->x86 == AMD_MODEL_RANGE_FAMILY(range)) && ++ (ms >= AMD_MODEL_RANGE_START(range)) && ++ (ms <= AMD_MODEL_RANGE_END(range))) ++ return true; ++ ++ return false; ++} ++ + static inline int rdmsrl_amd_safe(unsigned msr, unsigned long long *p) + { + u32 gprs[8] = { 0 }; +@@ -1125,73 +1187,6 @@ static const struct cpu_dev amd_cpu_dev + + cpu_dev_register(amd_cpu_dev); + +-/* +- * AMD errata checking +- * +- * Errata are defined as arrays of ints using the AMD_LEGACY_ERRATUM() or +- * AMD_OSVW_ERRATUM() macros. 
The latter is intended for newer errata that +- * have an OSVW id assigned, which it takes as first argument. Both take a +- * variable number of family-specific model-stepping ranges created by +- * AMD_MODEL_RANGE(). +- * +- * Example: +- * +- * const int amd_erratum_319[] = +- * AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2), +- * AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0), +- * AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0)); +- */ +- +-#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 } +-#define AMD_OSVW_ERRATUM(osvw_id, ...) { osvw_id, __VA_ARGS__, 0 } +-#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \ +- ((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end)) +-#define AMD_MODEL_RANGE_FAMILY(range) (((range) >> 24) & 0xff) +-#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff) +-#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff) +- +-static const int amd_erratum_400[] = +- AMD_OSVW_ERRATUM(1, AMD_MODEL_RANGE(0xf, 0x41, 0x2, 0xff, 0xf), +- AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0xff, 0xf)); +- +-static const int amd_erratum_383[] = +- AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf)); +- +-/* #1054: Instructions Retired Performance Counter May Be Inaccurate */ +-static const int amd_erratum_1054[] = +- AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); +- +-static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) +-{ +- int osvw_id = *erratum++; +- u32 range; +- u32 ms; +- +- if (osvw_id >= 0 && osvw_id < 65536 && +- cpu_has(cpu, X86_FEATURE_OSVW)) { +- u64 osvw_len; +- +- rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, osvw_len); +- if (osvw_id < osvw_len) { +- u64 osvw_bits; +- +- rdmsrl(MSR_AMD64_OSVW_STATUS + (osvw_id >> 6), +- osvw_bits); +- return osvw_bits & (1ULL << (osvw_id & 0x3f)); +- } +- } +- +- /* OSVW unavailable or ID unknown, match family-model-stepping range */ +- ms = (cpu->x86_model << 4) | cpu->x86_stepping; +- while ((range = *erratum++)) +- if ((cpu->x86 == 
AMD_MODEL_RANGE_FAMILY(range)) && +- (ms >= AMD_MODEL_RANGE_START(range)) && +- (ms <= AMD_MODEL_RANGE_END(range))) +- return true; +- +- return false; +-} +- + void set_dr_addr_mask(unsigned long mask, int dr) + { + if (!boot_cpu_has(X86_FEATURE_BPEXT)) diff --git a/tmp-5.4/add-module_firmware-for-firmware_tg357766.patch b/tmp-5.4/add-module_firmware-for-firmware_tg357766.patch new file mode 100644 index 00000000000..605d8fed3ee --- /dev/null +++ b/tmp-5.4/add-module_firmware-for-firmware_tg357766.patch @@ -0,0 +1,37 @@ +From 7b7bc6e6b4065be710de7be625fd830ccfc71ee7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jun 2023 02:13:32 +0200 +Subject: Add MODULE_FIRMWARE() for FIRMWARE_TG357766. + +From: Tobias Heider + +[ Upstream commit 046f753da6143ee16452966915087ec8b0de3c70 ] + +Fixes a bug where on the M1 mac mini initramfs-tools fails to +include the necessary firmware into the initrd. + +Fixes: c4dab50697ff ("tg3: Download 57766 EEE service patch firmware") +Signed-off-by: Tobias Heider +Reviewed-by: Michael Chan +Link: https://lore.kernel.org/r/ZJt7LKzjdz8+dClx@tobhe.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/tg3.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index d0cd86af29d9f..b16517d162cfd 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -230,6 +230,7 @@ MODULE_DESCRIPTION("Broadcom Tigon3 ethernet driver"); + MODULE_LICENSE("GPL"); + MODULE_VERSION(DRV_MODULE_VERSION); + MODULE_FIRMWARE(FIRMWARE_TG3); ++MODULE_FIRMWARE(FIRMWARE_TG357766); + MODULE_FIRMWARE(FIRMWARE_TG3TSO); + MODULE_FIRMWARE(FIRMWARE_TG3TSO5); + +-- +2.39.2 + diff --git a/tmp-5.4/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch b/tmp-5.4/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch new file mode 100644 index 00000000000..f2141457089 --- /dev/null 
+++ b/tmp-5.4/alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch @@ -0,0 +1,42 @@ +From 0d9ac228cf66a8fa67c7465ccb21bebc17592794 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 10:17:32 +0800 +Subject: ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer + +From: Su Hui + +[ Upstream commit 79597c8bf64ca99eab385115743131d260339da5 ] + +smatch error: +sound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error: +we previously assumed 'rac97' could be null (see line 2072) + +remove redundant assignment, return error if rac97 is NULL. + +Fixes: da3cec35dd3c ("ALSA: Kill snd_assert() in sound/pci/*") +Signed-off-by: Su Hui +Link: https://lore.kernel.org/r/20230615021732.1972194-1-suhui@nfschina.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/ac97/ac97_codec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/ac97/ac97_codec.c b/sound/pci/ac97/ac97_codec.c +index 83bb086bf9757..b920c739d6863 100644 +--- a/sound/pci/ac97/ac97_codec.c ++++ b/sound/pci/ac97/ac97_codec.c +@@ -2006,8 +2006,8 @@ int snd_ac97_mixer(struct snd_ac97_bus *bus, struct snd_ac97_template *template, + .dev_disconnect = snd_ac97_dev_disconnect, + }; + +- if (rac97) +- *rac97 = NULL; ++ if (!rac97) ++ return -EINVAL; + if (snd_BUG_ON(!bus || !template)) + return -EINVAL; + if (snd_BUG_ON(template->num >= 4)) +-- +2.39.2 + diff --git a/tmp-5.4/alsa-jack-fix-mutex-call-in-snd_jack_report.patch b/tmp-5.4/alsa-jack-fix-mutex-call-in-snd_jack_report.patch new file mode 100644 index 00000000000..72aacbb22bf --- /dev/null +++ b/tmp-5.4/alsa-jack-fix-mutex-call-in-snd_jack_report.patch 
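Review bot: After this hunk `snd_ac97_mixer()` no longer writes `*rac97 = NULL` on entry, so on the early `-EINVAL` returns that follow (`snd_BUG_ON(!bus || !template)`, `template->num >= 4`) the caller's pointer keeps whatever value it held, possibly uninitialized. A caller that tests the out pointer rather than the return code would then act on a stale pointer; whether any caller does so is outside this hunk, as is the rest of the function. Keeping the reset after the new guard costs nothing: `if (!rac97) return -EINVAL;` followed by `*rac97 = NULL;`.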
@@ -0,0 +1,91 @@ +From eb557ccd93d143675ff7af6f82cb0a75150dc7f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 17:53:57 +0200 +Subject: ALSA: jack: Fix mutex call in snd_jack_report() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Takashi Iwai + +[ Upstream commit 89dbb335cb6a627a4067bc42caa09c8bc3326d40 ] + +snd_jack_report() is supposed to be callable from an IRQ context, too, +and it's indeed used in that way from virtsnd driver. The fix for +input_dev race in commit 1b6a6fc5280e ("ALSA: jack: Access input_dev +under mutex"), however, introduced a mutex lock in snd_jack_report(), +and this resulted in a potential sleep-in-atomic. + +For addressing that problem, this patch changes the relevant code to +use the object get/put and removes the mutex usage. That is, +snd_jack_report(), it takes input_get_device() and leaves with +input_put_device() for assuring the input_dev being assigned. + +Although the whole mutex could be reduced, we keep it because it can +be still a protection for potential races between creation and +deletion. 
+ +Fixes: 1b6a6fc5280e ("ALSA: jack: Access input_dev under mutex") +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/cf95f7fe-a748-4990-8378-000491b40329@moroto.mountain +Tested-by: Amadeusz Sławiński +Cc: +Link: https://lore.kernel.org/r/20230706155357.3470-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/jack.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/sound/core/jack.c b/sound/core/jack.c +index e7ac82d468216..c2022b13fddc9 100644 +--- a/sound/core/jack.c ++++ b/sound/core/jack.c +@@ -364,6 +364,7 @@ void snd_jack_report(struct snd_jack *jack, int status) + { + struct snd_jack_kctl *jack_kctl; + #ifdef CONFIG_SND_JACK_INPUT_DEV ++ struct input_dev *idev; + int i; + #endif + +@@ -375,30 +376,28 @@ void snd_jack_report(struct snd_jack *jack, int status) + status & jack_kctl->mask_bits); + + #ifdef CONFIG_SND_JACK_INPUT_DEV +- mutex_lock(&jack->input_dev_lock); +- if (!jack->input_dev) { +- mutex_unlock(&jack->input_dev_lock); ++ idev = input_get_device(jack->input_dev); ++ if (!idev) + return; +- } + + for (i = 0; i < ARRAY_SIZE(jack->key); i++) { + int testbit = SND_JACK_BTN_0 >> i; + + if (jack->type & testbit) +- input_report_key(jack->input_dev, jack->key[i], ++ input_report_key(idev, jack->key[i], + status & testbit); + } + + for (i = 0; i < ARRAY_SIZE(jack_switch_types); i++) { + int testbit = 1 << i; + if (jack->type & testbit) +- input_report_switch(jack->input_dev, ++ input_report_switch(idev, + jack_switch_types[i], + status & testbit); + } + +- input_sync(jack->input_dev); +- mutex_unlock(&jack->input_dev_lock); ++ input_sync(idev); ++ input_put_device(idev); + #endif /* CONFIG_SND_JACK_INPUT_DEV */ + } + EXPORT_SYMBOL(snd_jack_report); +-- +2.39.2 + diff --git a/tmp-5.4/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch b/tmp-5.4/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch new file mode 100644 index 00000000000..a02e737750e 
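Review bot: The new `idev = input_get_device(jack->input_dev);` reads `jack->input_dev` without `input_dev_lock`, so the pointer load and the reference grab are not a single step with respect to the path that clears and unregisters the device. The commit message says the mutex is kept for creation/deletion races, but nothing in the hunk states what keeps the device alive between the load and the get; if callers are expected not to report during teardown, that should be written down. Suggested comment above the line: `/* may be called from IRQ context: no mutex here; hold a reference so input_dev stays valid while reporting */`. `snd_jack_report()` begins outside the inner hunks.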
--- /dev/null +++ b/tmp-5.4/arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch 
@@ -0,0 +1,62 @@ +From 5609fcb852bae84c9a25bfb1cfe1f4b99face629 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jun 2023 00:50:50 +0900 +Subject: ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ + guard + +From: Masahiro Yamada + +[ Upstream commit 92e2921eeafdfca9acd9b83f07d2b7ca099bac24 ] + +ASM_NL is useful not only in *.S files but also in .c files for using +inline assembler in C code. + +On ARC, however, ASM_NL is evaluated inconsistently. It is expanded to +a backquote (`) in *.S files, but a semicolon (;) in *.c files because +arch/arc/include/asm/linkage.h defines it inside #ifdef __ASSEMBLY__, +so the definition for C code falls back to the default value defined in +include/linux/linkage.h. + +If ASM_NL is used in inline assembler in .c files, it will result in +wrong assembly code because a semicolon is not an instruction separator, +but the start of a comment for ARC. + +Move ASM_NL (also __ALIGN and __ALIGN_STR) out of the #ifdef. + +Fixes: 9df62f054406 ("arch: use ASM_NL instead of ';' for assembler new line character in the macro") +Fixes: 8d92e992a785 ("ARC: define __ALIGN_STR and __ALIGN symbols for ARC") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/linkage.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arc/include/asm/linkage.h b/arch/arc/include/asm/linkage.h +index fe19f1d412e71..284fd513d7c67 100644 +--- a/arch/arc/include/asm/linkage.h ++++ b/arch/arc/include/asm/linkage.h +@@ -8,6 +8,10 @@ + + #include + ++#define ASM_NL ` /* use '`' to mark new line in macro */ ++#define __ALIGN .align 4 ++#define __ALIGN_STR __stringify(__ALIGN) ++ + #ifdef __ASSEMBLY__ + + .macro ST2 e, o, off +@@ -28,10 +32,6 @@ + #endif + .endm + +-#define ASM_NL ` /* use '`' to mark new line in macro */ +-#define __ALIGN .align 4 +-#define __ALIGN_STR __stringify(__ALIGN) +- + /* annotation for data we want in DCCM - if enabled in .config */ + .macro ARCFP_DATA 
nm + #ifdef CONFIG_ARC_HAS_DCCM +-- +2.39.2 + diff --git a/tmp-5.4/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch b/tmp-5.4/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch new file mode 100644 index 00000000000..f573ced2493 --- /dev/null +++ b/tmp-5.4/arm-9303-1-kprobes-avoid-missing-declaration-warning.patch 
@@ -0,0 +1,103 @@ +From 6402def2cf5aa40cd02fab84a340ccf05ca5bf4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 19:28:42 +0100 +Subject: ARM: 9303/1: kprobes: avoid missing-declaration warnings + +From: Arnd Bergmann + +[ Upstream commit 1b9c3ddcec6a55e15d3e38e7405e2d078db02020 ] + +checker_stack_use_t32strd() and kprobe_handler() can be made static since +they are not used from other files, while coverage_start_registers() +and __kprobes_test_case() are used from assembler code, and just need +a declaration to avoid a warning with the global definition. + +arch/arm/probes/kprobes/checkers-common.c:43:18: error: no previous prototype for 'checker_stack_use_t32strd' +arch/arm/probes/kprobes/core.c:236:16: error: no previous prototype for 'kprobe_handler' +arch/arm/probes/kprobes/test-core.c:723:10: error: no previous prototype for 'coverage_start_registers' +arch/arm/probes/kprobes/test-core.c:918:14: error: no previous prototype for '__kprobes_test_case_start' +arch/arm/probes/kprobes/test-core.c:952:14: error: no previous prototype for '__kprobes_test_case_end_16' +arch/arm/probes/kprobes/test-core.c:967:14: error: no previous prototype for '__kprobes_test_case_end_32' + +Fixes: 6624cf651f1a ("ARM: kprobes: collects stack consumption for store instructions") +Fixes: 454f3e132d05 ("ARM/kprobes: Remove jprobe arm implementation") +Acked-by: Masami Hiramatsu (Google) +Reviewed-by: Kees Cook +Signed-off-by: Arnd Bergmann +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/probes/kprobes/checkers-common.c | 2 +- + arch/arm/probes/kprobes/core.c | 2 +- + arch/arm/probes/kprobes/opt-arm.c | 2 -- + arch/arm/probes/kprobes/test-core.c | 2 +- + arch/arm/probes/kprobes/test-core.h | 4 ++++ + 5 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/probes/kprobes/checkers-common.c b/arch/arm/probes/kprobes/checkers-common.c +index 4d720990cf2a3..eba7ac4725c02 100644 +--- 
a/arch/arm/probes/kprobes/checkers-common.c ++++ b/arch/arm/probes/kprobes/checkers-common.c +@@ -40,7 +40,7 @@ enum probes_insn checker_stack_use_imm_0xx(probes_opcode_t insn, + * Different from other insn uses imm8, the real addressing offset of + * STRD in T32 encoding should be imm8 * 4. See ARMARM description. + */ +-enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn, ++static enum probes_insn checker_stack_use_t32strd(probes_opcode_t insn, + struct arch_probes_insn *asi, + const struct decode_header *h) + { +diff --git a/arch/arm/probes/kprobes/core.c b/arch/arm/probes/kprobes/core.c +index 0a783bd4641c5..44b5f7dbcc00f 100644 +--- a/arch/arm/probes/kprobes/core.c ++++ b/arch/arm/probes/kprobes/core.c +@@ -231,7 +231,7 @@ singlestep(struct kprobe *p, struct pt_regs *regs, struct kprobe_ctlblk *kcb) + * kprobe, and that level is reserved for user kprobe handlers, so we can't + * risk encountering a new kprobe in an interrupt handler. + */ +-void __kprobes kprobe_handler(struct pt_regs *regs) ++static void __kprobes kprobe_handler(struct pt_regs *regs) + { + struct kprobe *p, *cur; + struct kprobe_ctlblk *kcb; +diff --git a/arch/arm/probes/kprobes/opt-arm.c b/arch/arm/probes/kprobes/opt-arm.c +index c78180172120f..e20304f1d8bc9 100644 +--- a/arch/arm/probes/kprobes/opt-arm.c ++++ b/arch/arm/probes/kprobes/opt-arm.c +@@ -145,8 +145,6 @@ __arch_remove_optimized_kprobe(struct optimized_kprobe *op, int dirty) + } + } + +-extern void kprobe_handler(struct pt_regs *regs); +- + static void + optimized_callback(struct optimized_kprobe *op, struct pt_regs *regs) + { +diff --git a/arch/arm/probes/kprobes/test-core.c b/arch/arm/probes/kprobes/test-core.c +index c562832b86272..171c7076b89f4 100644 +--- a/arch/arm/probes/kprobes/test-core.c ++++ b/arch/arm/probes/kprobes/test-core.c +@@ -720,7 +720,7 @@ static const char coverage_register_lookup[16] = { + [REG_TYPE_NOSPPCX] = COVERAGE_ANY_REG | COVERAGE_SP, + }; + +-unsigned coverage_start_registers(const struct 
decode_header *h) ++static unsigned coverage_start_registers(const struct decode_header *h) + { + unsigned regs = 0; + int i; +diff --git a/arch/arm/probes/kprobes/test-core.h b/arch/arm/probes/kprobes/test-core.h +index 19a5b2add41e1..805116c2ec27c 100644 +--- a/arch/arm/probes/kprobes/test-core.h ++++ b/arch/arm/probes/kprobes/test-core.h +@@ -453,3 +453,7 @@ void kprobe_thumb32_test_cases(void); + #else + void kprobe_arm_test_cases(void); + #endif ++ ++void __kprobes_test_case_start(void); ++void __kprobes_test_case_end_16(void); ++void __kprobes_test_case_end_32(void); +-- +2.39.2 + diff --git a/tmp-5.4/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch b/tmp-5.4/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch new file mode 100644 index 00000000000..ee152c11de5 --- /dev/null +++ b/tmp-5.4/arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch 
@@ -0,0 +1,42 @@ +From 0096c1e92ba0a406b0fd058c1a62d0e83b2acc16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 May 2023 14:28:30 +0200 +Subject: ARM: dts: BCM5301X: Drop "clock-names" from the SPI node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit d3c8e2c5757153bbfad70019ec1decbca86f3def ] + +There is no such property in the SPI controller binding documentation. +Also Linux driver doesn't look for it. + +This fixes: +arch/arm/boot/dts/bcm4708-asus-rt-ac56u.dtb: spi@18029200: Unevaluated properties are not allowed ('clock-names' was unexpected) + From schema: Documentation/devicetree/bindings/spi/brcm,spi-bcm-qspi.yaml + +Signed-off-by: Rafał Miłecki +Link: https://lore.kernel.org/r/20230503122830.3200-1-zajec5@gmail.com +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm5301x.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi +index 05d67f9769118..bf8154aa203a7 100644 +--- a/arch/arm/boot/dts/bcm5301x.dtsi ++++ b/arch/arm/boot/dts/bcm5301x.dtsi +@@ -511,7 +511,6 @@ spi@18029200 { + "spi_lr_session_done", + "spi_lr_overread"; + clocks = <&iprocmed>; +- clock-names = "iprocmed"; + num-cs = <2>; + #address-cells = <1>; + #size-cells = <0>; +-- +2.39.2 + diff --git a/tmp-5.4/arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch b/tmp-5.4/arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch new file mode 100644 index 00000000000..88e6a164920 --- /dev/null +++ b/tmp-5.4/arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch 
@@ -0,0 +1,41 @@ +From 30dbdf68579470da0220645c27b82c006145814b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 13:32:25 +0300 +Subject: ARM: dts: gta04: Move model property out of pinctrl node + +From: Tony Lindgren + +[ Upstream commit 4ffec92e70ac5097b9f67ec154065305b16a3b46 ] + +The model property should be at the top level, let's move it out +of the pinctrl node. + +Fixes: d2eaf949d2c3 ("ARM: dts: omap3-gta04a5one: define GTA04A5 variant with OneNAND") +Cc: Andreas Kemnade +Cc: H. Nikolaus Schaller +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap3-gta04a5one.dts | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/omap3-gta04a5one.dts b/arch/arm/boot/dts/omap3-gta04a5one.dts +index 9db9fe67cd63b..95df45cc70c09 100644 +--- a/arch/arm/boot/dts/omap3-gta04a5one.dts ++++ b/arch/arm/boot/dts/omap3-gta04a5one.dts +@@ -5,9 +5,11 @@ + + #include "omap3-gta04a5.dts" + +-&omap3_pmx_core { ++/ { + model = "Goldelico GTA04A5/Letux 2804 with OneNAND"; ++}; + ++&omap3_pmx_core { + gpmc_pins: pinmux_gpmc_pins { + pinctrl-single,pins = < + +-- +2.39.2 + diff --git a/tmp-5.4/arm-ep93xx-fix-missing-prototype-warnings.patch b/tmp-5.4/arm-ep93xx-fix-missing-prototype-warnings.patch new file mode 100644 index 00000000000..43de680fdc9 --- /dev/null +++ b/tmp-5.4/arm-ep93xx-fix-missing-prototype-warnings.patch 
@@ -0,0 +1,48 @@ +From 685ad03a8c0da4a70dcb9d235a40f508a5ad0af2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 May 2023 17:30:58 +0200 +Subject: ARM: ep93xx: fix missing-prototype warnings + +From: Arnd Bergmann + +[ Upstream commit 419013740ea1e4343d8ade535d999f59fa28e460 ] + +ep93xx_clocksource_read() is only called from the file it is declared in, +while ep93xx_timer_init() is declared in a header that is not included here. + +arch/arm/mach-ep93xx/timer-ep93xx.c:120:13: error: no previous prototype for 'ep93xx_timer_init' +arch/arm/mach-ep93xx/timer-ep93xx.c:63:5: error: no previous prototype for 'ep93xx_clocksource_read' + +Fixes: 000bc17817bf ("ARM: ep93xx: switch to GENERIC_CLOCKEVENTS") +Acked-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/20230516153109.514251-3-arnd@kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-ep93xx/timer-ep93xx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/mach-ep93xx/timer-ep93xx.c b/arch/arm/mach-ep93xx/timer-ep93xx.c +index de998830f534f..b07956883e165 100644 +--- a/arch/arm/mach-ep93xx/timer-ep93xx.c ++++ b/arch/arm/mach-ep93xx/timer-ep93xx.c +@@ -9,6 +9,7 @@ + #include + #include + #include "soc.h" ++#include "platform.h" + + /************************************************************************* + * Timer handling for EP93xx +@@ -60,7 +61,7 @@ static u64 notrace ep93xx_read_sched_clock(void) + return ret; + } + +-u64 ep93xx_clocksource_read(struct clocksource *c) ++static u64 ep93xx_clocksource_read(struct clocksource *c) + { + u64 ret; + +-- +2.39.2 + diff --git a/tmp-5.4/arm-orion5x-fix-d2net-gpio-initialization.patch b/tmp-5.4/arm-orion5x-fix-d2net-gpio-initialization.patch new file mode 100644 index 00000000000..f0266df5c4e --- /dev/null +++ b/tmp-5.4/arm-orion5x-fix-d2net-gpio-initialization.patch 
@@ -0,0 +1,55 @@ +From f8ef1233939495c405a9faa4bd1ae7d3f581bae4 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 16 May 2023 17:31:05 +0200 +Subject: ARM: orion5x: fix d2net gpio initialization + +From: Arnd Bergmann + +commit f8ef1233939495c405a9faa4bd1ae7d3f581bae4 upstream. + +The DT version of this board has a custom file with the gpio +device. However, it does nothing because the d2net_init() +has no caller or prototype: + +arch/arm/mach-orion5x/board-d2net.c:101:13: error: no previous prototype for 'd2net_init' + +Call it from the board-dt file as intended. + +Fixes: 94b0bd366e36 ("ARM: orion5x: convert d2net to Device Tree") +Reviewed-by: Andrew Lunn +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230516153109.514251-10-arnd@kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-orion5x/board-dt.c | 3 +++ + arch/arm/mach-orion5x/common.h | 6 ++++++ + 2 files changed, 9 insertions(+) + +--- a/arch/arm/mach-orion5x/board-dt.c ++++ b/arch/arm/mach-orion5x/board-dt.c +@@ -63,6 +63,9 @@ static void __init orion5x_dt_init(void) + if (of_machine_is_compatible("maxtor,shared-storage-2")) + mss2_init(); + ++ if (of_machine_is_compatible("lacie,d2-network")) ++ d2net_init(); ++ + of_platform_default_populate(NULL, orion5x_auxdata_lookup, NULL); + } + +--- a/arch/arm/mach-orion5x/common.h ++++ b/arch/arm/mach-orion5x/common.h +@@ -75,6 +75,12 @@ extern void mss2_init(void); + static inline void mss2_init(void) {} + #endif + ++#ifdef CONFIG_MACH_D2NET_DT ++void d2net_init(void); ++#else ++static inline void d2net_init(void) {} ++#endif ++ + /***************************************************************************** + * Helpers to access Orion registers + ****************************************************************************/ 
diff --git a/tmp-5.4/arm64-dts-qcom-msm8916-correct-camss-unit-address.patch b/tmp-5.4/arm64-dts-qcom-msm8916-correct-camss-unit-address.patch new file mode 100644 index 00000000000..1856c045c24 --- /dev/null +++ b/tmp-5.4/arm64-dts-qcom-msm8916-correct-camss-unit-address.patch @@ -0,0 +1,39 @@ +From d93bb436a0e37af1a78696984562d6cfb1fcd591 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Apr 2023 23:18:40 +0200 +Subject: arm64: dts: qcom: msm8916: correct camss unit address + +From: Krzysztof Kozlowski + +[ Upstream commit 48798d992ce276cf0d57bf75318daf8eabd02aa4 ] + +Match unit-address to reg entry to fix dtbs W=1 warnings: + + Warning (simple_bus_reg): /soc@0/camss@1b00000: simple-bus unit address format error, expected "1b0ac00" + +Fixes: 58f479f90a7c ("arm64: dts: qcom: msm8916: Add CAMSS support") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230419211856.79332-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index 301c1c467c0b7..bf40500adef73 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -1451,7 +1451,7 @@ video-encoder { + }; + }; + +- camss: camss@1b00000 { ++ camss: camss@1b0ac00 { + compatible = "qcom,msm8916-camss"; + reg = <0x1b0ac00 0x200>, + <0x1b00030 0x4>, +-- +2.39.2 + diff --git a/tmp-5.4/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch b/tmp-5.4/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch new file mode 100644 index 00000000000..cf69bb90633 --- /dev/null +++ b/tmp-5.4/arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch 
@@ -0,0 +1,46 @@
+From dabb2fd0846a090677f98cc9ec06cf81fe0e6f29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 May 2023 10:48:22 +0200
+Subject: arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1
+
+From: Wolfram Sang
+
+[ Upstream commit 1a2c4e5635177939a088d22fa35c6a7032725663 ]
+
+The schematics are misleading, the flow control is for HSCIF1. We need
+SCIF1 for GNSS/GPS which does not use flow control.
+
+Fixes: c6c816e22bc8 ("arm64: dts: ulcb-kf: enable SCIF1")
+Signed-off-by: Wolfram Sang
+Reviewed-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/r/20230525084823.4195-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/boot/dts/renesas/ulcb-kf.dtsi | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
+index 202177706cdeb..df00acb35263d 100644
+--- a/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
++++ b/arch/arm64/boot/dts/renesas/ulcb-kf.dtsi
+@@ -269,7 +269,7 @@ hscif0_pins: hscif0 {
+ };
+
+ scif1_pins: scif1 {
+- groups = "scif1_data_b", "scif1_ctrl";
++ groups = "scif1_data_b";
+ function = "scif1";
+ };
+
+@@ -329,7 +329,6 @@ rsnd_for_pcm3168a_capture: endpoint {
+ &scif1 {
+ pinctrl-0 = <&scif1_pins>;
+ pinctrl-names = "default";
+- uart-has-rtscts;
+
+ status = "okay";
+ };
+--
+2.39.2
+
diff --git a/tmp-5.4/arm64-mm-fix-va-range-sanity-check.patch b/tmp-5.4/arm64-mm-fix-va-range-sanity-check.patch
new file mode 100644
index 00000000000..f9104cf0bdd
--- /dev/null
+++ b/tmp-5.4/arm64-mm-fix-va-range-sanity-check.patch
@@ -0,0 +1,106 @@ +From 8de8bcd7f0e1ec75648551ace9fedfc854315920 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 11:26:28 +0100 +Subject: arm64: mm: fix VA-range sanity check + +From: Mark Rutland + +[ Upstream commit ab9b4008092c86dc12497af155a0901cc1156999 ] + +Both create_mapping_noalloc() and update_mapping_prot() sanity-check +their 'virt' parameter, but the check itself doesn't make much sense. +The condition used today appears to be a historical accident. + +The sanity-check condition: + + if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { + [ ... warning here ... ] + return; + } + +... can only be true for the KASAN shadow region or the module region, +and there's no reason to exclude these specifically for creating and +updateing mappings. + +When arm64 support was first upstreamed in commit: + + c1cc1552616d0f35 ("arm64: MMU initialisation") + +... the condition was: + + if (virt < VMALLOC_START) { + [ ... warning here ... ] + return; + } + +At the time, VMALLOC_START was the lowest kernel address, and this was +checking whether 'virt' would be translated via TTBR1. + +Subsequently in commit: + + 14c127c957c1c607 ("arm64: mm: Flip kernel VA space") + +... the condition was changed to: + + if ((virt >= VA_START) && (virt < VMALLOC_START)) { + [ ... warning here ... ] + return; + } + +This appear to have been a thinko. The commit moved the linear map to +the bottom of the kernel address space, with VMALLOC_START being at the +halfway point. The old condition would warn for changes to the linear +map below this, and at the time VA_START was the end of the linear map. + +Subsequently we cleaned up the naming of VA_START in commit: + + 77ad4ce69321abbe ("arm64: memory: rename VA_START to PAGE_END") + +... keeping the erroneous condition as: + + if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { + [ ... warning here ... 
] + return; + } + +Correct the condition to check against the start of the TTBR1 address +space, which is currently PAGE_OFFSET. This simplifies the logic, and +more clearly matches the "outside kernel range" message in the warning. + +Signed-off-by: Mark Rutland +Cc: Russell King +Cc: Steve Capper +Cc: Will Deacon +Reviewed-by: Russell King (Oracle) +Link: https://lore.kernel.org/r/20230615102628.1052103-1-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/mm/mmu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c +index 5cf575f23af28..8e934bb44f12e 100644 +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -399,7 +399,7 @@ static phys_addr_t pgd_pgtable_alloc(int shift) + static void __init create_mapping_noalloc(phys_addr_t phys, unsigned long virt, + phys_addr_t size, pgprot_t prot) + { +- if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { ++ if (virt < PAGE_OFFSET) { + pr_warn("BUG: not creating mapping for %pa at 0x%016lx - outside kernel range\n", + &phys, virt); + return; +@@ -426,7 +426,7 @@ void __init create_pgd_mapping(struct mm_struct *mm, phys_addr_t phys, + static void update_mapping_prot(phys_addr_t phys, unsigned long virt, + phys_addr_t size, pgprot_t prot) + { +- if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { ++ if (virt < PAGE_OFFSET) { + pr_warn("BUG: not updating mapping for %pa at 0x%016lx - outside kernel range\n", + &phys, virt); + return; +-- +2.39.2 + diff --git a/tmp-5.4/asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch b/tmp-5.4/asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch new file mode 100644 index 00000000000..e08774e1abb --- /dev/null +++ b/tmp-5.4/asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch 
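Review bot: The corrected guard in create_mapping_noalloc() and update_mapping_prot() tests only the start address, `if (virt < PAGE_OFFSET)`, so a range whose `virt + size` wraps past the top of the address space still passes this check. If a caller can ever pass a computed size, adding `|| virt + size < virt` would make the "outside kernel range" warning cover the whole range; whether later code already rejects that case is not visible, since both function bodies continue outside the hunks. A short comment above each check, `/* TTBR1 (kernel) addresses start at PAGE_OFFSET */`, would also record why this constant is the right bound, which today only the commit message explains.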
@@ -0,0 +1,91 @@ +From 8dee408ced8c40a6774e8d3b300f6704cdb1f0b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 21:11:39 +0300 +Subject: ASoC: es8316: Do not set rate constraints for unsupported MCLKs + +From: Cristian Ciocaltea + +[ Upstream commit 60413129ee2b38a80347489270af7f6e1c1de4d0 ] + +When using the codec through the generic audio graph card, there are at +least two calls of es8316_set_dai_sysclk(), with the effect of limiting +the allowed sample rates according to the MCLK/LRCK ratios supported by +the codec: + +1. During audio card setup, to set the initial MCLK - see + asoc_simple_init_dai(). + +2. Before opening a stream, to update MCLK, according to the stream + sample rate and the multiplication factor - see + asoc_simple_hw_params(). + +In some cases the initial MCLK might be set to a frequency that doesn't +match any of the supported ratios, e.g. 12287999 instead of 12288000, +which is only 1 Hz below the supported clock, as that is what the +hardware reports. This creates an empty list of rate constraints, which +is further passed to snd_pcm_hw_constraint_list() via +es8316_pcm_startup(), and causes the following error on the very first +access of the sound card: + + $ speaker-test -D hw:Analog,0 -F S16_LE -c 2 -t wav + Broken configuration for playback: no configurations available: Invalid argument + Setting of hwparams failed: Invalid argument + +Note that all subsequent retries succeed thanks to the updated MCLK set +at point 2 above, which uses a computed frequency value instead of a +reading from the hardware registers. Normally this would have mitigated +the issue, but es8316_pcm_startup() executes before the 2nd call to +es8316_set_dai_sysclk(), hence it cannot make use of the updated +constraints. 
+ +Since es8316_pcm_hw_params() performs anyway a final validation of MCLK +against the stream sample rate and the supported MCLK/LRCK ratios, fix +the issue by ensuring that sysclk_constraints list is only set when at +least one supported sample rate is autodetected by the codec. + +Fixes: b8b88b70875a ("ASoC: add es8316 codec driver") +Signed-off-by: Cristian Ciocaltea +Link: https://lore.kernel.org/r/20230530181140.483936-3-cristian.ciocaltea@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/es8316.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c +index 9be667e76e552..131f41cccbe65 100644 +--- a/sound/soc/codecs/es8316.c ++++ b/sound/soc/codecs/es8316.c +@@ -369,13 +369,11 @@ static int es8316_set_dai_sysclk(struct snd_soc_dai *codec_dai, + int count = 0; + + es8316->sysclk = freq; ++ es8316->sysclk_constraints.list = NULL; ++ es8316->sysclk_constraints.count = 0; + +- if (freq == 0) { +- es8316->sysclk_constraints.list = NULL; +- es8316->sysclk_constraints.count = 0; +- ++ if (freq == 0) + return 0; +- } + + ret = clk_set_rate(es8316->mclk, freq); + if (ret) +@@ -391,8 +389,10 @@ static int es8316_set_dai_sysclk(struct snd_soc_dai *codec_dai, + es8316->allowed_rates[count++] = freq / ratio; + } + +- es8316->sysclk_constraints.list = es8316->allowed_rates; +- es8316->sysclk_constraints.count = count; ++ if (count) { ++ es8316->sysclk_constraints.list = es8316->allowed_rates; ++ es8316->sysclk_constraints.count = count; ++ } + + return 0; + } +-- +2.39.2 + diff --git a/tmp-5.4/asoc-es8316-increment-max-value-for-alc-capture-targ.patch b/tmp-5.4/asoc-es8316-increment-max-value-for-alc-capture-targ.patch new file mode 100644 index 00000000000..8f4e3873764 --- /dev/null +++ b/tmp-5.4/asoc-es8316-increment-max-value-for-alc-capture-targ.patch 
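Review bot: The new `if (count)` guard at the end of es8316_set_dai_sysclk() has no comment, and without the commit message it reads as if an unsupported MCLK were silently accepted. I would add above it `/* No matching ratio: leave constraints unset; es8316_pcm_hw_params() still validates MCLK against the stream rate. */`. Note also that `es8316->sysclk = freq` and the constraint reset now both run before `clk_set_rate()`, so a failing `clk_set_rate()` appears to leave the rejected frequency recorded with no constraints; the error return is outside the hunk, so this needs confirming.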
@@ -0,0 +1,91 @@ +From 191a40bb157ade3123cc5c5334ec2eadd0a0dd3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 21:11:38 +0300 +Subject: ASoC: es8316: Increment max value for ALC Capture Target Volume + control + +From: Cristian Ciocaltea + +[ Upstream commit 6f073429037cd79d7311cd8236311c53f5ea8f01 ] + +The following error occurs when trying to restore a previously saved +ALSA mixer state (tested on a Rock 5B board): + + $ alsactl --no-ucm -f /tmp/asound.state store hw:Analog + $ alsactl --no-ucm -I -f /tmp/asound.state restore hw:Analog + alsactl: set_control:1475: Cannot write control '2:0:0:ALC Capture Target Volume:0' : Invalid argument + +According to ES8316 datasheet, the register at address 0x2B, which is +related to the above mixer control, contains by default the value 0xB0. +Considering the corresponding ALC target bits (ALCLVL) are 7:4, the +control is initialized with 11, which is one step above the maximum +value allowed by the driver: + + ALCLVL | dB gain + -------+-------- + 0000 | -16.5 + 0001 | -15.0 + 0010 | -13.5 + .... | ..... + 0111 | -6.0 + 1000 | -4.5 + 1001 | -3.0 + 1010 | -1.5 + .... | ..... + 1111 | -1.5 + +The tests performed using the VU meter feature (--vumeter=TYPE) of +arecord/aplay confirm the specs are correct and there is no measured +gain if the 1011-1111 range would have been mapped to 0 dB: + + dB gain | VU meter % + --------+----------- + -6.0 | 30-31 + -4.5 | 35-36 + -3.0 | 42-43 + -1.5 | 50-51 + 0.0 | 50-51 + +Increment the max value allowed for ALC Capture Target Volume control, +so that it matches the hardware default. Additionally, update the +related TLV to prevent an artificial extension of the dB gain range. 
+ +Fixes: b8b88b70875a ("ASoC: add es8316 codec driver") +Signed-off-by: Cristian Ciocaltea +Link: https://lore.kernel.org/r/20230530181140.483936-2-cristian.ciocaltea@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/es8316.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c +index efeffa0bf2d78..9be667e76e552 100644 +--- a/sound/soc/codecs/es8316.c ++++ b/sound/soc/codecs/es8316.c +@@ -52,7 +52,12 @@ static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(dac_vol_tlv, -9600, 50, 1); + static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(adc_vol_tlv, -9600, 50, 1); + static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_max_gain_tlv, -650, 150, 0); + static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_min_gain_tlv, -1200, 150, 0); +-static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(alc_target_tlv, -1650, 150, 0); ++ ++static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(alc_target_tlv, ++ 0, 10, TLV_DB_SCALE_ITEM(-1650, 150, 0), ++ 11, 11, TLV_DB_SCALE_ITEM(-150, 0, 0), ++); ++ + static const SNDRV_CTL_TLVD_DECLARE_DB_RANGE(hpmixer_gain_tlv, + 0, 4, TLV_DB_SCALE_ITEM(-1200, 150, 0), + 8, 11, TLV_DB_SCALE_ITEM(-450, 150, 0), +@@ -115,7 +120,7 @@ static const struct snd_kcontrol_new es8316_snd_controls[] = { + alc_max_gain_tlv), + SOC_SINGLE_TLV("ALC Capture Min Volume", ES8316_ADC_ALC2, 0, 28, 0, + alc_min_gain_tlv), +- SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 10, 0, ++ SOC_SINGLE_TLV("ALC Capture Target Volume", ES8316_ADC_ALC3, 4, 11, 0, + alc_target_tlv), + SOC_SINGLE("ALC Capture Hold Time", ES8316_ADC_ALC3, 0, 10, 0), + SOC_SINGLE("ALC Capture Decay Time", ES8316_ADC_ALC4, 4, 10, 0), +-- +2.39.2 + diff --git a/tmp-5.4/asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch b/tmp-5.4/asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch new file mode 100644 index 00000000000..156b845b48f --- /dev/null 
+++ b/tmp-5.4/asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch 
@@ -0,0 +1,66 @@ +From c011bb31a4a41e3076ca6e2cd957d4a273572962 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 15:15:09 +0300 +Subject: ASoC: imx-audmix: check return value of devm_kasprintf() + +From: Claudiu Beznea + +[ Upstream commit 2f76e1d6ca524a888d29aafe29f2ad2003857971 ] + +devm_kasprintf() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: b86ef5367761 ("ASoC: fsl: Add Audio Mixer machine driver") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20230614121509.443926-1-claudiu.beznea@microchip.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-audmix.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/sound/soc/fsl/imx-audmix.c b/sound/soc/fsl/imx-audmix.c +index 71590ca6394b9..08c044a72250a 100644 +--- a/sound/soc/fsl/imx-audmix.c ++++ b/sound/soc/fsl/imx-audmix.c +@@ -230,6 +230,8 @@ static int imx_audmix_probe(struct platform_device *pdev) + + dai_name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "%s%s", + fe_name_pref, args.np->full_name + 1); ++ if (!dai_name) ++ return -ENOMEM; + + dev_info(pdev->dev.parent, "DAI FE name:%s\n", dai_name); + +@@ -238,6 +240,8 @@ static int imx_audmix_probe(struct platform_device *pdev) + capture_dai_name = + devm_kasprintf(&pdev->dev, GFP_KERNEL, "%s %s", + dai_name, "CPU-Capture"); ++ if (!capture_dai_name) ++ return -ENOMEM; + } + + priv->dai[i].cpus = &dlc[0]; +@@ -268,6 +272,8 @@ static int imx_audmix_probe(struct platform_device *pdev) + "AUDMIX-Playback-%d", i); + be_cp = devm_kasprintf(&pdev->dev, GFP_KERNEL, + "AUDMIX-Capture-%d", i); ++ if (!be_name || !be_pb || !be_cp) ++ return -ENOMEM; + + priv->dai[num_dai + i].cpus = &dlc[3]; + priv->dai[num_dai + i].codecs = &dlc[4]; +@@ -295,6 +301,9 @@ static int imx_audmix_probe(struct platform_device *pdev) + priv->dapm_routes[i].source = + 
devm_kasprintf(&pdev->dev, GFP_KERNEL, "%s %s", + dai_name, "CPU-Playback"); ++ if (!priv->dapm_routes[i].source) ++ return -ENOMEM; ++ + priv->dapm_routes[i].sink = be_pb; + priv->dapm_routes[num_dai + i].source = be_pb; + priv->dapm_routes[num_dai + i].sink = be_cp; +-- +2.39.2 + diff --git a/tmp-5.4/bcache-remove-unnecessary-null-point-check-in-node-allocations.patch b/tmp-5.4/bcache-remove-unnecessary-null-point-check-in-node-allocations.patch new file mode 100644 index 00000000000..342fba66031 --- /dev/null +++ b/tmp-5.4/bcache-remove-unnecessary-null-point-check-in-node-allocations.patch 
@@ -0,0 +1,92 @@ +From 028ddcac477b691dd9205c92f991cc15259d033e Mon Sep 17 00:00:00 2001 +From: Zheng Wang +Date: Thu, 15 Jun 2023 20:12:21 +0800 +Subject: bcache: Remove unnecessary NULL point check in node allocations + +From: Zheng Wang + +commit 028ddcac477b691dd9205c92f991cc15259d033e upstream. + +Due to the previous fix of __bch_btree_node_alloc, the return value will +never be a NULL pointer. So IS_ERR is enough to handle the failure +situation. Fix it by replacing IS_ERR_OR_NULL check by an IS_ERR check. + +Fixes: cafe56359144 ("bcache: A block layer cache") +Cc: stable@vger.kernel.org +Signed-off-by: Zheng Wang +Signed-off-by: Coly Li +Link: https://lore.kernel.org/r/20230615121223.22502-5-colyli@suse.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/btree.c | 10 +++++----- + drivers/md/bcache/super.c | 4 ++-- + 2 files changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -1186,7 +1186,7 @@ static struct btree *btree_node_alloc_re + { + struct btree *n = bch_btree_node_alloc(b->c, op, b->level, b->parent); + +- if (!IS_ERR_OR_NULL(n)) { ++ if (!IS_ERR(n)) { + mutex_lock(&n->write_lock); + bch_btree_sort_into(&b->keys, &n->keys, &b->c->sort); + bkey_copy_key(&n->key, &b->key); +@@ -1389,7 +1389,7 @@ static int btree_gc_coalesce(struct btre + memset(new_nodes, 0, sizeof(new_nodes)); + closure_init_stack(&cl); + +- while (nodes < GC_MERGE_NODES && !IS_ERR_OR_NULL(r[nodes].b)) ++ while (nodes < GC_MERGE_NODES && !IS_ERR(r[nodes].b)) + keys += r[nodes++].keys; + + blocks = btree_default_blocks(b->c) * 2 / 3; +@@ -1401,7 +1401,7 @@ static int btree_gc_coalesce(struct btre + + for (i = 0; i < nodes; i++) { + new_nodes[i] = btree_node_alloc_replacement(r[i].b, NULL); +- if (IS_ERR_OR_NULL(new_nodes[i])) ++ if (IS_ERR(new_nodes[i])) + goto out_nocoalesce; + } + +@@ -1536,7 +1536,7 @@ out_nocoalesce: + bch_keylist_free(&keylist); + + for (i = 0; i < nodes; i++) +- if 
(!IS_ERR_OR_NULL(new_nodes[i])) { ++ if (!IS_ERR(new_nodes[i])) { + btree_node_free(new_nodes[i]); + rw_unlock(true, new_nodes[i]); + } +@@ -1718,7 +1718,7 @@ static int bch_btree_gc_root(struct btre + if (should_rewrite) { + n = btree_node_alloc_replacement(b, NULL); + +- if (!IS_ERR_OR_NULL(n)) { ++ if (!IS_ERR(n)) { + bch_btree_node_write_sync(n); + + bch_btree_set_root(n); +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1633,7 +1633,7 @@ static void cache_set_flush(struct closu + if (!IS_ERR_OR_NULL(c->gc_thread)) + kthread_stop(c->gc_thread); + +- if (!IS_ERR_OR_NULL(c->root)) ++ if (!IS_ERR(c->root)) + list_add(&c->root->list, &c->btree_cache); + + /* +@@ -2000,7 +2000,7 @@ static int run_cache_set(struct cache_se + + err = "cannot allocate new btree root"; + c->root = __bch_btree_node_alloc(c, NULL, 0, true, NULL); +- if (IS_ERR_OR_NULL(c->root)) ++ if (IS_ERR(c->root)) + goto err; + + mutex_lock(&c->root->write_lock); diff --git a/tmp-5.4/bgmac-fix-initial-chip-reset-to-support-bcm5358.patch b/tmp-5.4/bgmac-fix-initial-chip-reset-to-support-bcm5358.patch new file mode 100644 index 00000000000..63a35fd2295 --- /dev/null +++ b/tmp-5.4/bgmac-fix-initial-chip-reset-to-support-bcm5358.patch 
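Review bot: The cleanup loop under `out_nocoalesce:` in btree_gc_coalesce() can now reach `btree_node_free(new_nodes[i])` with a NULL pointer. The context line `memset(new_nodes, 0, sizeof(new_nodes))` zeroes the array and the allocation loop jumps to `out_nocoalesce` on the first failure, so every later slot is still NULL and passes `!IS_ERR()`. That loop should keep `if (!IS_ERR_OR_NULL(new_nodes[i])) {`. The same question applies to `r[nodes].b` in the `while` condition and to `c->root` in cache_set_flush(), where the neighbouring `c->gc_thread` test keeps IS_ERR_OR_NULL: the commit message only argues that the allocator never returns NULL, not that these stored pointers were ever assigned, so both need checking against code outside the hunks.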
@@ -0,0 +1,85 @@ +From f99e6d7c4ed3be2531bd576425a5bd07fb133bd7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Date: Mon, 27 Feb 2023 10:11:56 +0100 +Subject: bgmac: fix *initial* chip reset to support BCM5358 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +commit f99e6d7c4ed3be2531bd576425a5bd07fb133bd7 upstream. + +While bringing hardware up we should perform a full reset including the +switch bit (BGMAC_BCMA_IOCTL_SW_RESET aka SICF_SWRST). It's what +specification says and what reference driver does. + +This seems to be critical for the BCM5358. Without this hardware doesn't +get initialized properly and doesn't seem to transmit or receive any +packets. + +Originally bgmac was calling bgmac_chip_reset() before setting +"has_robosw" property which resulted in expected behaviour. That has +changed as a side effect of adding platform device support which +regressed BCM5358 support. + +Fixes: f6a95a24957a ("net: ethernet: bgmac: Add platform device support") +Cc: Jon Mason +Signed-off-by: Rafał Miłecki +Reviewed-by: Leon Romanovsky +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20230227091156.19509-1-zajec5@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bgmac.c | 8 ++++++-- + drivers/net/ethernet/broadcom/bgmac.h | 2 ++ + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bgmac.c ++++ b/drivers/net/ethernet/broadcom/bgmac.c +@@ -890,13 +890,13 @@ static void bgmac_chip_reset_idm_config( + + if (iost & BGMAC_BCMA_IOST_ATTACHED) { + flags = BGMAC_BCMA_IOCTL_SW_CLKEN; +- if (!bgmac->has_robosw) ++ if (bgmac->in_init || !bgmac->has_robosw) + flags |= BGMAC_BCMA_IOCTL_SW_RESET; + } + bgmac_clk_enable(bgmac, flags); + } + +- if (iost & BGMAC_BCMA_IOST_ATTACHED && !bgmac->has_robosw) ++ if (iost & BGMAC_BCMA_IOST_ATTACHED && (bgmac->in_init || !bgmac->has_robosw)) 
+ bgmac_idm_write(bgmac, BCMA_IOCTL, + bgmac_idm_read(bgmac, BCMA_IOCTL) & + ~BGMAC_BCMA_IOCTL_SW_RESET); +@@ -1489,6 +1489,8 @@ int bgmac_enet_probe(struct bgmac *bgmac + struct net_device *net_dev = bgmac->net_dev; + int err; + ++ bgmac->in_init = true; ++ + bgmac_chip_intrs_off(bgmac); + + net_dev->irq = bgmac->irq; +@@ -1538,6 +1540,8 @@ int bgmac_enet_probe(struct bgmac *bgmac + net_dev->hw_features = net_dev->features; + net_dev->vlan_features = net_dev->features; + ++ bgmac->in_init = false; ++ + err = register_netdev(bgmac->net_dev); + if (err) { + dev_err(bgmac->dev, "Cannot register net device\n"); +--- a/drivers/net/ethernet/broadcom/bgmac.h ++++ b/drivers/net/ethernet/broadcom/bgmac.h +@@ -511,6 +511,8 @@ struct bgmac { + int irq; + u32 int_mask; + ++ bool in_init; ++ + /* Current MAC state */ + int mac_speed; + int mac_duplex; diff --git a/tmp-5.4/block-add-overflow-checks-for-amiga-partition-support.patch b/tmp-5.4/block-add-overflow-checks-for-amiga-partition-support.patch new file mode 100644 index 00000000000..df58a766bfc --- /dev/null +++ b/tmp-5.4/block-add-overflow-checks-for-amiga-partition-support.patch 
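Review bot: `bgmac->in_init` is set at the top of bgmac_enet_probe() and cleared only on the path that reaches `register_netdev()`, so any earlier error exit (those are outside the hunks) would leave it true. That is harmless only if the structure is discarded after a failed probe; if it can be reused, bgmac_chip_reset_idm_config() would keep asserting BGMAC_BCMA_IOCTL_SW_RESET on every later reset. The new struct field also carries no comment; I would add `/* true during bgmac_enet_probe(): force full reset incl. switch bit */` next to `bool in_init;`.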
@@ -0,0 +1,204 @@ +From b6f3f28f604ba3de4724ad82bea6adb1300c0b5f Mon Sep 17 00:00:00 2001 +From: Michael Schmitz +Date: Wed, 21 Jun 2023 08:17:25 +1200 +Subject: block: add overflow checks for Amiga partition support + +From: Michael Schmitz + +commit b6f3f28f604ba3de4724ad82bea6adb1300c0b5f upstream. + +The Amiga partition parser module uses signed int for partition sector +address and count, which will overflow for disks larger than 1 TB. + +Use u64 as type for sector address and size to allow using disks up to +2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD +format allows to specify disk sizes up to 2^128 bytes (though native +OS limitations reduce this somewhat, to max 2^68 bytes), so check for +u64 overflow carefully to protect against overflowing sector_t. + +Bail out if sector addresses overflow 32 bits on kernels without LBD +support. + +This bug was reported originally in 2012, and the fix was created by +the RDB author, Joanne Dow . A patch had been +discussed and reviewed on linux-m68k at that time but never officially +submitted (now resubmitted as patch 1 in this series). +This patch adds additional error checking and warning messages. 
+ +Reported-by: Martin Steigerwald +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Message-ID: <201206192146.09327.Martin@lichtvoll.de> +Cc: # 5.2 +Signed-off-by: Michael Schmitz +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230620201725.7020-4-schmitzmic@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/amiga.c | 103 ++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 85 insertions(+), 18 deletions(-) + +--- a/block/partitions/amiga.c ++++ b/block/partitions/amiga.c +@@ -11,11 +11,19 @@ + #define pr_fmt(fmt) fmt + + #include ++#include ++#include + #include + + #include "check.h" + #include "amiga.h" + ++/* magic offsets in partition DosEnvVec */ ++#define NR_HD 3 ++#define NR_SECT 5 ++#define LO_CYL 9 ++#define HI_CYL 10 ++ + static __inline__ u32 + checksum_block(__be32 *m, int size) + { +@@ -32,9 +40,12 @@ int amiga_partition(struct parsed_partit + unsigned char *data; + struct RigidDiskBlock *rdb; + struct PartitionBlock *pb; +- sector_t start_sect, nr_sects; +- int blk, part, res = 0; +- int blksize = 1; /* Multiplier for disk block size */ ++ u64 start_sect, nr_sects; ++ sector_t blk, end_sect; ++ u32 cylblk; /* rdb_CylBlocks = nr_heads*sect_per_track */ ++ u32 nr_hd, nr_sect, lo_cyl, hi_cyl; ++ int part, res = 0; ++ unsigned int blksize = 1; /* Multiplier for disk block size */ + int slot = 1; + char b[BDEVNAME_SIZE]; + +@@ -44,7 +55,7 @@ int amiga_partition(struct parsed_partit + data = read_part_sector(state, blk, §); + if (!data) { + if (warn_no_part) +- pr_err("Dev %s: unable to read RDB block %d\n", ++ pr_err("Dev %s: unable to read RDB block %llu\n", + bdevname(state->bdev, b), blk); + res = -1; + goto rdb_done; +@@ -61,12 +72,12 @@ int amiga_partition(struct parsed_partit + *(__be32 *)(data+0xdc) = 0; + if (checksum_block((__be32 *)data, + be32_to_cpu(rdb->rdb_SummedLongs) & 0x7F)==0) 
{ +- pr_err("Trashed word at 0xd0 in block %d ignored in checksum calculation\n", ++ pr_err("Trashed word at 0xd0 in block %llu ignored in checksum calculation\n", + blk); + break; + } + +- pr_err("Dev %s: RDB in block %d has bad checksum\n", ++ pr_err("Dev %s: RDB in block %llu has bad checksum\n", + bdevname(state->bdev, b), blk); + } + +@@ -83,11 +94,16 @@ int amiga_partition(struct parsed_partit + blk = be32_to_cpu(rdb->rdb_PartitionList); + put_dev_sector(sect); + for (part = 1; blk>0 && part<=16; part++, put_dev_sector(sect)) { +- blk *= blksize; /* Read in terms partition table understands */ ++ /* Read in terms partition table understands */ ++ if (check_mul_overflow(blk, (sector_t) blksize, &blk)) { ++ pr_err("Dev %s: overflow calculating partition block %llu! Skipping partitions %u and beyond\n", ++ bdevname(state->bdev, b), blk, part); ++ break; ++ } + data = read_part_sector(state, blk, §); + if (!data) { + if (warn_no_part) +- pr_err("Dev %s: unable to read partition block %d\n", ++ pr_err("Dev %s: unable to read partition block %llu\n", + bdevname(state->bdev, b), blk); + res = -1; + goto rdb_done; +@@ -99,19 +115,70 @@ int amiga_partition(struct parsed_partit + if (checksum_block((__be32 *)pb, be32_to_cpu(pb->pb_SummedLongs) & 0x7F) != 0 ) + continue; + +- /* Tell Kernel about it */ ++ /* RDB gives us more than enough rope to hang ourselves with, ++ * many times over (2^128 bytes if all fields max out). ++ * Some careful checks are in order, so check for potential ++ * overflows. ++ * We are multiplying four 32 bit numbers to one sector_t! 
++ */ ++ ++ nr_hd = be32_to_cpu(pb->pb_Environment[NR_HD]); ++ nr_sect = be32_to_cpu(pb->pb_Environment[NR_SECT]); ++ ++ /* CylBlocks is total number of blocks per cylinder */ ++ if (check_mul_overflow(nr_hd, nr_sect, &cylblk)) { ++ pr_err("Dev %s: heads*sects %u overflows u32, skipping partition!\n", ++ bdevname(state->bdev, b), cylblk); ++ continue; ++ } ++ ++ /* check for consistency with RDB defined CylBlocks */ ++ if (cylblk > be32_to_cpu(rdb->rdb_CylBlocks)) { ++ pr_warn("Dev %s: cylblk %u > rdb_CylBlocks %u!\n", ++ bdevname(state->bdev, b), cylblk, ++ be32_to_cpu(rdb->rdb_CylBlocks)); ++ } ++ ++ /* RDB allows for variable logical block size - ++ * normalize to 512 byte blocks and check result. ++ */ ++ ++ if (check_mul_overflow(cylblk, blksize, &cylblk)) { ++ pr_err("Dev %s: partition %u bytes per cyl. overflows u32, skipping partition!\n", ++ bdevname(state->bdev, b), part); ++ continue; ++ } ++ ++ /* Calculate partition start and end. Limit of 32 bit on cylblk ++ * guarantees no overflow occurs if LBD support is enabled. 
++ */ ++ ++ lo_cyl = be32_to_cpu(pb->pb_Environment[LO_CYL]); ++ start_sect = ((u64) lo_cyl * cylblk); ++ ++ hi_cyl = be32_to_cpu(pb->pb_Environment[HI_CYL]); ++ nr_sects = (((u64) hi_cyl - lo_cyl + 1) * cylblk); + +- nr_sects = ((sector_t)be32_to_cpu(pb->pb_Environment[10]) + 1 - +- be32_to_cpu(pb->pb_Environment[9])) * +- be32_to_cpu(pb->pb_Environment[3]) * +- be32_to_cpu(pb->pb_Environment[5]) * +- blksize; + if (!nr_sects) + continue; +- start_sect = (sector_t)be32_to_cpu(pb->pb_Environment[9]) * +- be32_to_cpu(pb->pb_Environment[3]) * +- be32_to_cpu(pb->pb_Environment[5]) * +- blksize; ++ ++ /* Warn user if partition end overflows u32 (AmigaDOS limit) */ ++ ++ if ((start_sect + nr_sects) > UINT_MAX) { ++ pr_warn("Dev %s: partition %u (%llu-%llu) needs 64 bit device support!\n", ++ bdevname(state->bdev, b), part, ++ start_sect, start_sect + nr_sects); ++ } ++ ++ if (check_add_overflow(start_sect, nr_sects, &end_sect)) { ++ pr_err("Dev %s: partition %u (%llu-%llu) needs LBD device support, skipping partition!\n", ++ bdevname(state->bdev, b), part, ++ start_sect, end_sect); ++ continue; ++ } ++ ++ /* Tell Kernel about it */ ++ + put_partition(state,slot++,start_sect,nr_sects); + { + /* Be even more informative to aid mounting */ diff --git a/tmp-5.4/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch b/tmp-5.4/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch new file mode 100644 index 00000000000..ca54e71c9d2 --- /dev/null +++ b/tmp-5.4/block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch 
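Review bot: The added consistency check reads `rdb->rdb_CylBlocks` inside the partition loop, after the context lines `blk = be32_to_cpu(rdb->rdb_PartitionList);` and `put_dev_sector(sect);` have already released the sector that `rdb` appears to point into (the assignment of `rdb` is outside the hunks, so this needs confirming). By that point `sect` has been reused by `read_part_sector()` for the partition block. Since the value comes from on-disk data, I would copy it once before the release, `u32 rdb_cylblk = be32_to_cpu(rdb->rdb_CylBlocks);`, and compare `cylblk > rdb_cylblk` in the loop. Separately, three of the new messages print `blk`, `cylblk` and `end_sect` after check_mul_overflow()/check_add_overflow() have stored the wrapped result in them, so the logged numbers are the truncated values rather than the offending inputs.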
@@ -0,0 +1,142 @@ +From 95a55437dc49fb3342c82e61f5472a71c63d9ed0 Mon Sep 17 00:00:00 2001 +From: Michael Schmitz +Date: Wed, 21 Jun 2023 08:17:24 +1200 +Subject: block: change all __u32 annotations to __be32 in affs_hardblocks.h + +From: Michael Schmitz + +commit 95a55437dc49fb3342c82e61f5472a71c63d9ed0 upstream. + +The Amiga partition parser module uses signed int for partition sector +address and count, which will overflow for disks larger than 1 TB. + +Use u64 as type for sector address and size to allow using disks up to +2 TB without LBD support, and disks larger than 2 TB with LBD. The RBD +format allows to specify disk sizes up to 2^128 bytes (though native +OS limitations reduce this somewhat, to max 2^68 bytes), so check for +u64 overflow carefully to protect against overflowing sector_t. + +This bug was reported originally in 2012, and the fix was created by +the RDB author, Joanne Dow . A patch had been +discussed and reviewed on linux-m68k at that time but never officially +submitted (now resubmitted as patch 1 of this series). + +Patch 3 (this series) adds additional error checking and warning +messages. One of the error checks now makes use of the previously +unused rdb_CylBlocks field, which causes a 'sparse' warning +(cast to restricted __be32). + +Annotate all 32 bit fields in affs_hardblocks.h as __be32, as the +on-disk format of RDB and partition blocks is always big endian. 
+ +Reported-by: Martin Steigerwald +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Message-ID: <201206192146.09327.Martin@lichtvoll.de> +Cc: # 5.2 +Signed-off-by: Michael Schmitz +Reviewed-by: Christoph Hellwig +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230620201725.7020-3-schmitzmic@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/affs_hardblocks.h | 68 +++++++++++++++++------------------ + 1 file changed, 34 insertions(+), 34 deletions(-) + +--- a/include/uapi/linux/affs_hardblocks.h ++++ b/include/uapi/linux/affs_hardblocks.h +@@ -7,42 +7,42 @@ + /* Just the needed definitions for the RDB of an Amiga HD. */ + + struct RigidDiskBlock { +- __u32 rdb_ID; ++ __be32 rdb_ID; + __be32 rdb_SummedLongs; +- __s32 rdb_ChkSum; +- __u32 rdb_HostID; ++ __be32 rdb_ChkSum; ++ __be32 rdb_HostID; + __be32 rdb_BlockBytes; +- __u32 rdb_Flags; +- __u32 rdb_BadBlockList; ++ __be32 rdb_Flags; ++ __be32 rdb_BadBlockList; + __be32 rdb_PartitionList; +- __u32 rdb_FileSysHeaderList; +- __u32 rdb_DriveInit; +- __u32 rdb_Reserved1[6]; +- __u32 rdb_Cylinders; +- __u32 rdb_Sectors; +- __u32 rdb_Heads; +- __u32 rdb_Interleave; +- __u32 rdb_Park; +- __u32 rdb_Reserved2[3]; +- __u32 rdb_WritePreComp; +- __u32 rdb_ReducedWrite; +- __u32 rdb_StepRate; +- __u32 rdb_Reserved3[5]; +- __u32 rdb_RDBBlocksLo; +- __u32 rdb_RDBBlocksHi; +- __u32 rdb_LoCylinder; +- __u32 rdb_HiCylinder; +- __u32 rdb_CylBlocks; +- __u32 rdb_AutoParkSeconds; +- __u32 rdb_HighRDSKBlock; +- __u32 rdb_Reserved4; ++ __be32 rdb_FileSysHeaderList; ++ __be32 rdb_DriveInit; ++ __be32 rdb_Reserved1[6]; ++ __be32 rdb_Cylinders; ++ __be32 rdb_Sectors; ++ __be32 rdb_Heads; ++ __be32 rdb_Interleave; ++ __be32 rdb_Park; ++ __be32 rdb_Reserved2[3]; ++ __be32 rdb_WritePreComp; ++ __be32 rdb_ReducedWrite; ++ __be32 rdb_StepRate; ++ __be32 rdb_Reserved3[5]; ++ __be32 rdb_RDBBlocksLo; ++ __be32 rdb_RDBBlocksHi; ++ 
__be32 rdb_LoCylinder; ++ __be32 rdb_HiCylinder; ++ __be32 rdb_CylBlocks; ++ __be32 rdb_AutoParkSeconds; ++ __be32 rdb_HighRDSKBlock; ++ __be32 rdb_Reserved4; + char rdb_DiskVendor[8]; + char rdb_DiskProduct[16]; + char rdb_DiskRevision[4]; + char rdb_ControllerVendor[8]; + char rdb_ControllerProduct[16]; + char rdb_ControllerRevision[4]; +- __u32 rdb_Reserved5[10]; ++ __be32 rdb_Reserved5[10]; + }; + + #define IDNAME_RIGIDDISK 0x5244534B /* "RDSK" */ +@@ -50,16 +50,16 @@ struct RigidDiskBlock { + struct PartitionBlock { + __be32 pb_ID; + __be32 pb_SummedLongs; +- __s32 pb_ChkSum; +- __u32 pb_HostID; ++ __be32 pb_ChkSum; ++ __be32 pb_HostID; + __be32 pb_Next; +- __u32 pb_Flags; +- __u32 pb_Reserved1[2]; +- __u32 pb_DevFlags; ++ __be32 pb_Flags; ++ __be32 pb_Reserved1[2]; ++ __be32 pb_DevFlags; + __u8 pb_DriveName[32]; +- __u32 pb_Reserved2[15]; ++ __be32 pb_Reserved2[15]; + __be32 pb_Environment[17]; +- __u32 pb_EReserved[15]; ++ __be32 pb_EReserved[15]; + }; + + #define IDNAME_PARTITION 0x50415254 /* "PART" */ diff --git a/tmp-5.4/block-fix-signed-int-overflow-in-amiga-partition-support.patch b/tmp-5.4/block-fix-signed-int-overflow-in-amiga-partition-support.patch new file mode 100644 index 00000000000..8c0f4a9aa60 --- /dev/null +++ b/tmp-5.4/block-fix-signed-int-overflow-in-amiga-partition-support.patch 
@@ -0,0 +1,68 @@ +From fc3d092c6bb48d5865fec15ed5b333c12f36288c Mon Sep 17 00:00:00 2001 +From: Michael Schmitz +Date: Wed, 21 Jun 2023 08:17:23 +1200 +Subject: block: fix signed int overflow in Amiga partition support + +From: Michael Schmitz + +commit fc3d092c6bb48d5865fec15ed5b333c12f36288c upstream. + +The Amiga partition parser module uses signed int for partition sector +address and count, which will overflow for disks larger than 1 TB. + +Use sector_t as type for sector address and size to allow using disks +up to 2 TB without LBD support, and disks larger than 2 TB with LBD. + +This bug was reported originally in 2012, and the fix was created by +the RDB author, Joanne Dow . A patch had been +discussed and reviewed on linux-m68k at that time but never officially +submitted. This patch differs from Joanne's patch only in its use of +sector_t instead of unsigned int. No checking for overflows is done +(see patch 3 of this series for that). + +Reported-by: Martin Steigerwald +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=43511 +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Message-ID: <201206192146.09327.Martin@lichtvoll.de> +Cc: # 5.2 +Signed-off-by: Michael Schmitz +Tested-by: Martin Steigerwald +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230620201725.7020-2-schmitzmic@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/amiga.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/block/partitions/amiga.c ++++ b/block/partitions/amiga.c +@@ -32,7 +32,8 @@ int amiga_partition(struct parsed_partit + unsigned char *data; + struct RigidDiskBlock *rdb; + struct PartitionBlock *pb; +- int start_sect, nr_sects, blk, part, res = 0; ++ sector_t start_sect, nr_sects; ++ int blk, part, res = 0; + int blksize = 1; /* Multiplier for disk block size */ + int slot = 1; + char b[BDEVNAME_SIZE]; +@@ -100,14 +101,14 @@ int amiga_partition(struct 
parsed_partit + + /* Tell Kernel about it */ + +- nr_sects = (be32_to_cpu(pb->pb_Environment[10]) + 1 - +- be32_to_cpu(pb->pb_Environment[9])) * ++ nr_sects = ((sector_t)be32_to_cpu(pb->pb_Environment[10]) + 1 - ++ be32_to_cpu(pb->pb_Environment[9])) * + be32_to_cpu(pb->pb_Environment[3]) * + be32_to_cpu(pb->pb_Environment[5]) * + blksize; + if (!nr_sects) + continue; +- start_sect = be32_to_cpu(pb->pb_Environment[9]) * ++ start_sect = (sector_t)be32_to_cpu(pb->pb_Environment[9]) * + be32_to_cpu(pb->pb_Environment[3]) * + be32_to_cpu(pb->pb_Environment[5]) * + blksize; diff --git a/tmp-5.4/block-partition-fix-signedness-issue-for-amiga-partitions.patch b/tmp-5.4/block-partition-fix-signedness-issue-for-amiga-partitions.patch new file mode 100644 index 00000000000..f60185df57a --- /dev/null +++ b/tmp-5.4/block-partition-fix-signedness-issue-for-amiga-partitions.patch 
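Review bot: The cylinder range in the new `nr_sects` expression is never checked for ordering. If the on-disk high cylinder `pb_Environment[10]` is below the low cylinder `pb_Environment[9]`, `(sector_t)hi + 1 - lo` wraps to a very large unsigned value, and the `if (!nr_sects)` test only catches zero. These fields are read straight from the partition block on the medium, so a guard such as `if (be32_to_cpu(pb->pb_Environment[10]) < be32_to_cpu(pb->pb_Environment[9])) continue;` before the computation would reject such an entry. The commit message defers multiplication overflow checks to patch 3 of the series; whether that patch also covers this ordering is not visible here. The body of amiga_partition() continues outside the hunk.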
@@ -0,0 +1,39 @@
+From 7eb1e47696aa231b1a567846bbe3a1e1befe1854 Mon Sep 17 00:00:00 2001
+From: Michael Schmitz
+Date: Wed, 5 Jul 2023 11:38:08 +1200
+Subject: block/partition: fix signedness issue for Amiga partitions
+
+From: Michael Schmitz
+
+commit 7eb1e47696aa231b1a567846bbe3a1e1befe1854 upstream.
+
+Making 'blk' sector_t (i.e. 64 bit if LBD support is active) fails the
+'blk>0' test in the partition block loop if a value of (signed int) -1 is
+used to mark the end of the partition block list.
+
+Explicitly cast 'blk' to signed int to allow use of -1 to terminate the
+partition block linked list.
+
+Fixes: b6f3f28f604b ("block: add overflow checks for Amiga partition support")
+Reported-by: Christian Zigotzky
+Link: https://lore.kernel.org/r/024ce4fa-cc6d-50a2-9aae-3701d0ebf668@xenosoft.de
+Signed-off-by: Michael Schmitz
+Reviewed-by: Martin Steigerwald
+Tested-by: Christian Zigotzky
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/partitions/amiga.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/partitions/amiga.c
++++ b/block/partitions/amiga.c
+@@ -93,7 +93,7 @@ int amiga_partition(struct parsed_partit
+ }
+ blk = be32_to_cpu(rdb->rdb_PartitionList);
+ put_dev_sector(sect);
+- for (part = 1; blk>0 && part<=16; part++, put_dev_sector(sect)) {
++ for (part = 1; (s32) blk>0 && part<=16; part++, put_dev_sector(sect)) {
+ /* Read in terms partition table understands */
+ if (check_mul_overflow(blk, (sector_t) blksize, &blk)) {
+ pr_err("Dev %s: overflow calculating partition block %llu! Skipping partitions %u and beyond\n",
diff --git a/tmp-5.4/bpf-address-kcsan-report-on-bpf_lru_list.patch b/tmp-5.4/bpf-address-kcsan-report-on-bpf_lru_list.patch
new file mode 100644
index 00000000000..edfcd986240
--- /dev/null
+++ b/tmp-5.4/bpf-address-kcsan-report-on-bpf_lru_list.patch
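Review bot: The `(s32) blk>0` test in the loop header stops the walk for every block number with bit 31 set, not only for the -1 end marker named in the commit message, and nothing at the loop says so. A short comment above the `for` would make the intent reviewable, e.g. `/* list pointers are 32-bit on-disk values; -1 ends the list, so test blk as s32 */`. If block numbers at or above 0x80000000 are meant to be valid, the test should compare against the marker explicitly instead; the hunk does not show which is intended. The loop body continues outside the hunk.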
@@ -0,0 +1,177 @@ +From 1e5428d5217a30952df66f845de9a533929933fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 21:37:48 -0700 +Subject: bpf: Address KCSAN report on bpf_lru_list + +From: Martin KaFai Lau + +[ Upstream commit ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 ] + +KCSAN reported a data-race when accessing node->ref. +Although node->ref does not have to be accurate, +take this chance to use a more common READ_ONCE() and WRITE_ONCE() +pattern instead of data_race(). + +There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). +This patch also adds bpf_lru_node_clear_ref() to do the +WRITE_ONCE(node->ref, 0) also. + +================================================================== +BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem + +write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: +__bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] +__bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] +__bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 +bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] +bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] +bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 +prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] +__htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 +bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 +bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 +generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 +bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 +__sys_bpf+0x338/0x810 +__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff888137038deb of 1 bytes by task 
11241 on cpu 0: +bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] +__htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 +bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 +bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 +generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 +bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 +__sys_bpf+0x338/0x810 +__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x01 -> 0x00 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 +================================================================== + +Reported-by: syzbot+ebe648a84e8784763f82@syzkaller.appspotmail.com +Signed-off-by: Martin KaFai Lau +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20230511043748.1384166-1-martin.lau@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/bpf_lru_list.c | 21 +++++++++++++-------- + kernel/bpf/bpf_lru_list.h | 7 ++----- + 2 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c +index d99e89f113c43..3dabdd137d102 100644 +--- a/kernel/bpf/bpf_lru_list.c ++++ b/kernel/bpf/bpf_lru_list.c +@@ -41,7 +41,12 @@ static struct list_head *local_pending_list(struct bpf_lru_locallist *loc_l) + /* bpf_lru_node helpers */ + static bool bpf_lru_node_is_ref(const struct bpf_lru_node *node) + { +- return node->ref; ++ return READ_ONCE(node->ref); ++} ++ ++static void bpf_lru_node_clear_ref(struct bpf_lru_node *node) ++{ ++ WRITE_ONCE(node->ref, 0); + } 
+ + static void bpf_lru_list_count_inc(struct bpf_lru_list *l, +@@ -89,7 +94,7 @@ static void __bpf_lru_node_move_in(struct bpf_lru_list *l, + + bpf_lru_list_count_inc(l, tgt_type); + node->type = tgt_type; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_move(&node->list, &l->lists[tgt_type]); + } + +@@ -110,7 +115,7 @@ static void __bpf_lru_node_move(struct bpf_lru_list *l, + bpf_lru_list_count_inc(l, tgt_type); + node->type = tgt_type; + } +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + + /* If the moving node is the next_inactive_rotation candidate, + * move the next_inactive_rotation pointer also. +@@ -353,7 +358,7 @@ static void __local_list_add_pending(struct bpf_lru *lru, + *(u32 *)((void *)node + lru->hash_offset) = hash; + node->cpu = cpu; + node->type = BPF_LRU_LOCAL_LIST_T_PENDING; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, local_pending_list(loc_l)); + } + +@@ -419,7 +424,7 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru, + if (!list_empty(free_list)) { + node = list_first_entry(free_list, struct bpf_lru_node, list); + *(u32 *)((void *)node + lru->hash_offset) = hash; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + __bpf_lru_node_move(l, node, BPF_LRU_LIST_T_INACTIVE); + } + +@@ -522,7 +527,7 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru, + } + + node->type = BPF_LRU_LOCAL_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_move(&node->list, local_free_list(loc_l)); + + raw_spin_unlock_irqrestore(&loc_l->lock, flags); +@@ -568,7 +573,7 @@ static void bpf_common_lru_populate(struct bpf_lru *lru, void *buf, + + node = (struct bpf_lru_node *)(buf + node_offset); + node->type = BPF_LRU_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); + buf += elem_size; + } +@@ -594,7 +599,7 @@ static void bpf_percpu_lru_populate(struct bpf_lru *lru, void *buf, + node = (struct bpf_lru_node 
*)(buf + node_offset); + node->cpu = cpu; + node->type = BPF_LRU_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); + i++; + buf += elem_size; +diff --git a/kernel/bpf/bpf_lru_list.h b/kernel/bpf/bpf_lru_list.h +index f02504640e185..41f8fea530c8d 100644 +--- a/kernel/bpf/bpf_lru_list.h ++++ b/kernel/bpf/bpf_lru_list.h +@@ -63,11 +63,8 @@ struct bpf_lru { + + static inline void bpf_lru_node_set_ref(struct bpf_lru_node *node) + { +- /* ref is an approximation on access frequency. It does not +- * have to be very accurate. Hence, no protection is used. +- */ +- if (!node->ref) +- node->ref = 1; ++ if (!READ_ONCE(node->ref)) ++ WRITE_ONCE(node->ref, 1); + } + + int bpf_lru_init(struct bpf_lru *lru, bool percpu, u32 hash_offset, +-- +2.39.2 + diff --git a/tmp-5.4/btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch b/tmp-5.4/btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch new file mode 100644 index 00000000000..f694324043f --- /dev/null +++ b/tmp-5.4/btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch 
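Review bot: The rewritten `bpf_lru_node_set_ref()` in bpf_lru_list.h drops the comment that explained why `ref` is accessed without a lock, and the new `bpf_lru_node_clear_ref()` helper has none either. READ_ONCE()/WRITE_ONCE() mark the access as intentionally racy but do not say why that is acceptable. I would keep the rationale next to the helpers, e.g. `/* ref is only an access-frequency hint; lockless READ_ONCE/WRITE_ONCE is enough */`. Separately, in `bpf_percpu_lru_pop_free()` the `bpf_lru_node_clear_ref(node)` call is directly followed by `__bpf_lru_node_move()`, which clears `ref` again, so one of the two stores looks redundant (this was already so before the change).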
@@ -0,0 +1,84 @@ +From b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 19 Jun 2023 17:21:47 +0100 +Subject: btrfs: fix race when deleting quota root from the dirty cow roots list + +From: Filipe Manana + +commit b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 upstream. + +When disabling quotas we are deleting the quota root from the list +fs_info->dirty_cowonly_roots without taking the lock that protects it, +which is struct btrfs_fs_info::trans_lock. This unsynchronized list +manipulation may cause chaos if there's another concurrent manipulation +of this list, such as when adding a root to it with +ctree.c:add_root_to_dirty_list(). + +This can result in all sorts of weird failures caused by a race, such as +the following crash: + + [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI + [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 + [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 + [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] + [337571.279928] Code: 85 38 06 00 (...) 
+ [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 + [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 + [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 + [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b + [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 + [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 + [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 + [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 + [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [337571.282874] Call Trace: + [337571.283101] + [337571.283327] ? __die_body+0x1b/0x60 + [337571.283570] ? die_addr+0x39/0x60 + [337571.283796] ? exc_general_protection+0x22e/0x430 + [337571.284022] ? asm_exc_general_protection+0x22/0x30 + [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] + [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] + [337571.284803] ? _raw_spin_unlock+0x15/0x30 + [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] + [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] + [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] + [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 + [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] + [337571.286358] ? mod_objcg_state+0xd2/0x360 + [337571.286577] ? refill_obj_stock+0xb0/0x160 + [337571.286798] ? seq_release+0x25/0x30 + [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 + [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 + [337571.287455] ? 
__x64_sys_ioctl+0x88/0xc0 + [337571.287675] __x64_sys_ioctl+0x88/0xc0 + [337571.287901] do_syscall_64+0x38/0x90 + [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc + [337571.288352] RIP: 0033:0x7f478aaffe9b + +So fix this by locking struct btrfs_fs_info::trans_lock before deleting +the quota root from that list. + +Fixes: bed92eae26cc ("Btrfs: qgroup implementation and prototypes") +CC: stable@vger.kernel.org # 4.14+ +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -1189,7 +1189,9 @@ int btrfs_quota_disable(struct btrfs_fs_ + goto out; + } + ++ spin_lock(&fs_info->trans_lock); + list_del("a_root->dirty_list); ++ spin_unlock(&fs_info->trans_lock); + + btrfs_tree_lock(quota_root->node); + btrfs_clean_tree_block(quota_root->node); diff --git a/tmp-5.4/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch b/tmp-5.4/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch new file mode 100644 index 00000000000..8c1492cccb2 --- /dev/null +++ b/tmp-5.4/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch 
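Review bot: The new `spin_lock(&fs_info->trans_lock)` pair around `list_del()` in btrfs_quota_disable() carries no comment, so the reason for taking this lock around a single list operation is recorded only in the commit message. I would add `/* dirty_cowonly_roots is protected by fs_info->trans_lock */` above the lock. `list_del()` also leaves the removed entry with poisoned pointers. If a later path tests `quota_root->dirty_list` with `list_empty()`, which is not visible here, `list_del_init()` would be the safer call. The function body continues outside the hunk.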
@@ -0,0 +1,89 @@ +From aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 14 Jul 2023 13:42:06 +0100 +Subject: btrfs: fix warning when putting transaction with qgroups enabled after abort + +From: Filipe Manana + +commit aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 upstream. + +If we have a transaction abort with qgroups enabled we get a warning +triggered when doing the final put on the transaction, like this: + + [552.6789] ------------[ cut here ]------------ + [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6817] Modules linked in: btrfs blake2b_generic xor (...) + [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 + [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 + [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6821] Code: bd a0 01 00 (...) + [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286 + [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000 + [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010 + [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20 + [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70 + [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028 + [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000 + [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0 + [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [552.6822] Call Trace: + [552.6822] + [552.6822] ? __warn+0x80/0x130 + [552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6824] ? 
report_bug+0x1f4/0x200 + [552.6824] ? handle_bug+0x42/0x70 + [552.6824] ? exc_invalid_op+0x14/0x70 + [552.6824] ? asm_exc_invalid_op+0x16/0x20 + [552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs] + [552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40 + [552.6828] ? try_to_wake_up+0x94/0x5e0 + [552.6828] ? __pfx_process_timeout+0x10/0x10 + [552.6828] transaction_kthread+0x103/0x1d0 [btrfs] + [552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs] + [552.6832] kthread+0xee/0x120 + [552.6832] ? __pfx_kthread+0x10/0x10 + [552.6832] ret_from_fork+0x29/0x50 + [552.6832] + [552.6832] ---[ end trace 0000000000000000 ]--- + +This corresponds to this line of code: + + void btrfs_put_transaction(struct btrfs_transaction *transaction) + { + (...) + WARN_ON(!RB_EMPTY_ROOT( + &transaction->delayed_refs.dirty_extent_root)); + (...) + } + +The warning happens because btrfs_qgroup_destroy_extent_records(), called +in the transaction abort path, we free all entries from the rbtree +"dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we +don't actually empty the rbtree - it's still pointing to nodes that were +freed. + +So set the rbtree's root node to NULL to avoid this warning (assign +RB_ROOT). + +Fixes: 81f7eb00ff5b ("btrfs: destroy qgroup extent records on transaction abort") +CC: stable@vger.kernel.org # 5.10+ +Reviewed-by: Josef Bacik +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -4285,4 +4285,5 @@ void btrfs_qgroup_destroy_extent_records + ulist_free(entry->old_roots); + kfree(entry); + } ++ *root = RB_ROOT; + } diff --git a/tmp-5.4/can-bcm-fix-uaf-in-bcm_proc_show.patch b/tmp-5.4/can-bcm-fix-uaf-in-bcm_proc_show.patch new file mode 100644 index 00000000000..7cde45ba979 --- /dev/null 
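Review bot: The added `*root = RB_ROOT;` at the end of btrfs_qgroup_destroy_extent_records() has no comment, and without the commit message it reads like a stray reset. Until that line runs, the root still points at nodes that were just passed to `kfree()`, so this statement is what keeps later users of the tree from touching freed memory. That deserves a line such as `/* every entry was freed above; clear the root so it no longer references them */`. The start of the function is outside the hunk.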
+++ b/tmp-5.4/can-bcm-fix-uaf-in-bcm_proc_show.patch 
@@ -0,0 +1,92 @@ +From 55c3b96074f3f9b0aee19bf93cd71af7516582bb Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Sat, 15 Jul 2023 17:25:43 +0800 +Subject: can: bcm: Fix UAF in bcm_proc_show() + +From: YueHaibing + +commit 55c3b96074f3f9b0aee19bf93cd71af7516582bb upstream. + +BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 +Read of size 8 at addr ffff888155846230 by task cat/7862 + +CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Call Trace: + + dump_stack_lvl+0xd5/0x150 + print_report+0xc1/0x5e0 + kasan_report+0xba/0xf0 + bcm_proc_show+0x969/0xa80 + seq_read_iter+0x4f6/0x1260 + seq_read+0x165/0x210 + proc_reg_read+0x227/0x300 + vfs_read+0x1d5/0x8d0 + ksys_read+0x11e/0x240 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Allocated by task 7846: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + __kasan_kmalloc+0x9e/0xa0 + bcm_sendmsg+0x264b/0x44e0 + sock_sendmsg+0xda/0x180 + ____sys_sendmsg+0x735/0x920 + ___sys_sendmsg+0x11d/0x1b0 + __sys_sendmsg+0xfa/0x1d0 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 7846: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + kasan_save_free_info+0x27/0x40 + ____kasan_slab_free+0x161/0x1c0 + slab_free_freelist_hook+0x119/0x220 + __kmem_cache_free+0xb4/0x2e0 + rcu_core+0x809/0x1bd0 + +bcm_op is freed before procfs entry be removed in bcm_release(), +this lead to bcm_proc_show() may read the freed bcm_op. 
+ +Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") +Signed-off-by: YueHaibing +Reviewed-by: Oliver Hartkopp +Acked-by: Oliver Hartkopp +Link: https://lore.kernel.org/all/20230715092543.15548-1-yuehaibing@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/bcm.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -1523,6 +1523,12 @@ static int bcm_release(struct socket *so + + lock_sock(sk); + ++#if IS_ENABLED(CONFIG_PROC_FS) ++ /* remove procfs entry */ ++ if (net->can.bcmproc_dir && bo->bcm_proc_read) ++ remove_proc_entry(bo->procname, net->can.bcmproc_dir); ++#endif /* CONFIG_PROC_FS */ ++ + list_for_each_entry_safe(op, next, &bo->tx_ops, list) + bcm_remove_op(op); + +@@ -1558,12 +1564,6 @@ static int bcm_release(struct socket *so + list_for_each_entry_safe(op, next, &bo->rx_ops, list) + bcm_remove_op(op); + +-#if IS_ENABLED(CONFIG_PROC_FS) +- /* remove procfs entry */ +- if (net->can.bcmproc_dir && bo->bcm_proc_read) +- remove_proc_entry(bo->procname, net->can.bcmproc_dir); +-#endif /* CONFIG_PROC_FS */ +- + /* remove device reference */ + if (bo->bound) { + bo->bound = 0; diff --git a/tmp-5.4/ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch b/tmp-5.4/ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch new file mode 100644 index 00000000000..027c1b85c55 --- /dev/null +++ b/tmp-5.4/ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch 
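Review bot: The moved block in bcm_release() keeps its old comment `/* remove procfs entry */`, which does not record that its position is now what prevents the use-after-free. The order matters because, per the commit message, bcm_proc_show() can read a bcm_op that the following `bcm_remove_op()` loops free. I would change the comment to `/* remove procfs entry first: bcm_proc_show() reads the ops freed below */` so that a later cleanup does not move it back. bcm_release() starts and ends outside the two hunks.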
@@ -0,0 +1,47 @@
+From 257e6172ab36ebbe295a6c9ee9a9dd0fe54c1dc2 Mon Sep 17 00:00:00 2001
+From: Xiubo Li
+Date: Wed, 28 Jun 2023 07:57:09 +0800
+Subject: ceph: don't let check_caps skip sending responses for revoke msgs
+
+From: Xiubo Li
+
+commit 257e6172ab36ebbe295a6c9ee9a9dd0fe54c1dc2 upstream.
+
+If a client sends out a cap update dropping caps with the prior 'seq'
+just before an incoming cap revoke request, then the client may drop
+the revoke because it believes it's already released the requested
+capabilities.
+
+This causes the MDS to wait indefinitely for the client to respond
+to the revoke. It's therefore always a good idea to ack the cap
+revoke request with the bumped up 'seq'.
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/61782
+Signed-off-by: Xiubo Li
+Reviewed-by: Milind Changire
+Reviewed-by: Patrick Donnelly
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ceph/caps.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -3340,6 +3340,15 @@ static void handle_cap_grant(struct inod
+ }
+ BUG_ON(cap->issued & ~cap->implemented);
+
++ /* don't let check_caps skip sending a response to MDS for revoke msgs */
++ if (le32_to_cpu(grant->op) == CEPH_CAP_OP_REVOKE) {
++ cap->mds_wanted = 0;
++ if (cap == ci->i_auth_cap)
++ check_caps = 1; /* check auth cap only */
++ else
++ check_caps = 2; /* check all caps */
++ }
++
+ if (extra_info->inline_version > 0 &&
+ extra_info->inline_version >= ci->i_inline_version) {
+ ci->i_inline_version = extra_info->inline_version;
diff --git a/tmp-5.4/clk-cdce925-check-return-value-of-kasprintf.patch b/tmp-5.4/clk-cdce925-check-return-value-of-kasprintf.patch
new file mode 100644
index 00000000000..606d4c27c2a
--- /dev/null
+++ b/tmp-5.4/clk-cdce925-check-return-value-of-kasprintf.patch
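Review bot: The new revoke branch in handle_cap_grant() sets `cap->mds_wanted = 0` without saying why, while the comment above it only talks about check_caps. Presumably the reset is what makes the later cap check see a difference and send the reply to the MDS, but that is not visible in this hunk. A comment such as `/* clear mds_wanted so the cap check below always sends an update */`, to be confirmed by the author, would make the side effect explicit. The values 1 and 2 assigned to `check_caps` are explained only by trailing comments; named constants would be easier to audit if the variable is tested elsewhere in the function, which continues outside the hunk.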
@@ -0,0 +1,63 @@ +From 06e8c588011192b1a3a5de6047c5a34f5bb296de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 12:39:07 +0300 +Subject: clk: cdce925: check return value of kasprintf() + +From: Claudiu Beznea + +[ Upstream commit bb7d09ddbf361d51eae46f38e7c8a2b85914ea2a ] + +kasprintf() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: 19fbbbbcd3a3 ("Add TI CDCE925 I2C controlled clock synthesizer driver") +Depends-on: e665f029a283 ("clk: Convert to using %pOFn instead of device_node.name") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20230530093913.1656095-3-claudiu.beznea@microchip.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-cdce925.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/clk/clk-cdce925.c b/drivers/clk/clk-cdce925.c +index 308b353815e17..470d91d7314db 100644 +--- a/drivers/clk/clk-cdce925.c ++++ b/drivers/clk/clk-cdce925.c +@@ -705,6 +705,10 @@ static int cdce925_probe(struct i2c_client *client, + for (i = 0; i < data->chip_info->num_plls; ++i) { + pll_clk_name[i] = kasprintf(GFP_KERNEL, "%pOFn.pll%d", + client->dev.of_node, i); ++ if (!pll_clk_name[i]) { ++ err = -ENOMEM; ++ goto error; ++ } + init.name = pll_clk_name[i]; + data->pll[i].chip = data; + data->pll[i].hw.init = &init; +@@ -746,6 +750,10 @@ static int cdce925_probe(struct i2c_client *client, + init.num_parents = 1; + init.parent_names = &parent_name; /* Mux Y1 to input */ + init.name = kasprintf(GFP_KERNEL, "%pOFn.Y1", client->dev.of_node); ++ if (!init.name) { ++ err = -ENOMEM; ++ goto error; ++ } + data->clk[0].chip = data; + data->clk[0].hw.init = &init; + data->clk[0].index = 0; +@@ -764,6 +772,10 @@ static int cdce925_probe(struct i2c_client *client, + for (i = 1; i < data->chip_info->num_outputs; ++i) { + init.name = kasprintf(GFP_KERNEL, 
"%pOFn.Y%d", + client->dev.of_node, i+1); ++ if (!init.name) { ++ err = -ENOMEM; ++ goto error; ++ } + data->clk[i].chip = data; + data->clk[i].hw.init = &init; + data->clk[i].index = i; +-- +2.39.2 + diff --git a/tmp-5.4/clk-keystone-sci-clk-check-return-value-of-kasprintf.patch b/tmp-5.4/clk-keystone-sci-clk-check-return-value-of-kasprintf.patch new file mode 100644 index 00000000000..daf2dafb743 --- /dev/null +++ b/tmp-5.4/clk-keystone-sci-clk-check-return-value-of-kasprintf.patch @@ -0,0 +1,40 @@ +From 2656d1bd9c07cc481e64665d3ce063f6bf282881 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 12:39:11 +0300 +Subject: clk: keystone: sci-clk: check return value of kasprintf() + +From: Claudiu Beznea + +[ Upstream commit b73ed981da6d25c921aaefa7ca3df85bbd85b7fc ] + +kasprintf() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: b745c0794e2f ("clk: keystone: Add sci-clk driver support") +Depends-on: 96488c09b0f4 ("clk: keystone: sci-clk: cut down the clock name length") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20230530093913.1656095-7-claudiu.beznea@microchip.com +Reviewed-by: Tony Lindgren +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/keystone/sci-clk.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clk/keystone/sci-clk.c b/drivers/clk/keystone/sci-clk.c +index 64ea895f1a7df..8e28e3489ded3 100644 +--- a/drivers/clk/keystone/sci-clk.c ++++ b/drivers/clk/keystone/sci-clk.c +@@ -287,6 +287,8 @@ static int _sci_clk_build(struct sci_clk_provider *provider, + + name = kasprintf(GFP_KERNEL, "clk:%d:%d", sci_clk->dev_id, + sci_clk->clk_id); ++ if (!name) ++ return -ENOMEM; + + init.name = name; + +-- +2.39.2 + 
diff --git a/tmp-5.4/clk-tegra-tegra124-emc-fix-potential-memory-leak.patch b/tmp-5.4/clk-tegra-tegra124-emc-fix-potential-memory-leak.patch
new file mode 100644
index 00000000000..64ed04acfa0
--- /dev/null
+++ b/tmp-5.4/clk-tegra-tegra124-emc-fix-potential-memory-leak.patch
@@ -0,0 +1,45 @@
+From 5ff744f390b62ba363cc4ac655dab5a6724c3e54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Dec 2022 09:41:24 +0000
+Subject: clk: tegra: tegra124-emc: Fix potential memory leak
+
+From: Yuan Can
+
+[ Upstream commit 53a06e5924c0d43c11379a08c5a78529c3e61595 ]
+
+The tegra and tegra needs to be freed in the error handling path, otherwise
+it will be leaked.
+
+Fixes: 2db04f16b589 ("clk: tegra: Add EMC clock driver")
+Signed-off-by: Yuan Can
+Link: https://lore.kernel.org/r/20221209094124.71043-1-yuancan@huawei.com
+Acked-by: Thierry Reding
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/tegra/clk-emc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/tegra/clk-emc.c b/drivers/clk/tegra/clk-emc.c
+index 0c1b83bedb73d..eb2411a4cd783 100644
+--- a/drivers/clk/tegra/clk-emc.c
++++ b/drivers/clk/tegra/clk-emc.c
+@@ -459,6 +459,7 @@ static int load_timings_from_dt(struct tegra_clk_emc *tegra,
+ err = load_one_timing_from_dt(tegra, timing, child);
+ if (err) {
+ of_node_put(child);
++ kfree(tegra->timings);
+ return err;
+ }
+
+@@ -510,6 +511,7 @@ struct clk *tegra_clk_register_emc(void __iomem *base, struct device_node *np,
+ err = load_timings_from_dt(tegra, node, node_ram_code);
+ if (err) {
+ of_node_put(node);
++ kfree(tegra);
+ return ERR_PTR(err);
+ }
+ }
+--
+2.39.2
+
diff --git a/tmp-5.4/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch b/tmp-5.4/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch
new file mode 100644
index 00000000000..4d95ad0ec47
--- /dev/null
+++ b/tmp-5.4/clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch
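Review bot: The added `kfree(tegra->timings);` in load_timings_from_dt() leaves `tegra->timings` pointing at freed memory while `tegra` itself is still live and handed back to the caller. In the second hunk the only visible caller frees `tegra` straight away, so nothing reads the stale pointer today. Clearing it would keep the error path safe against later changes: `kfree(tegra->timings); tegra->timings = NULL;`. Whether a timing count field also needs resetting cannot be seen from these hunks, since both functions start and end outside them.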
@@ -0,0 +1,81 @@ +From ff8dc93e7429fcd507170d44d712a4c5804cedb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 06:56:11 +0000 +Subject: clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe + +From: Feng Mingxi + +[ Upstream commit 8b5bf64c89c7100c921bd807ba39b2eb003061ab ] + +Smatch reports: +drivers/clocksource/timer-cadence-ttc.c:529 ttc_timer_probe() +warn: 'timer_baseaddr' from of_iomap() not released on lines: 498,508,516. + +timer_baseaddr may have the problem of not being released after use, +I replaced it with the devm_of_iomap() function and added the clk_put() +function to cleanup the "clk_ce" and "clk_cs". + +Fixes: e932900a3279 ("arm: zynq: Use standard timer binding") +Fixes: 70504f311d4b ("clocksource/drivers/cadence_ttc: Convert init function to return error") +Signed-off-by: Feng Mingxi +Reviewed-by: Dongliang Mu +Acked-by: Michal Simek +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20230425065611.702917-1-m202271825@hust.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-cadence-ttc.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c +index df5895e934636..bd49385178d0f 100644 +--- a/drivers/clocksource/timer-cadence-ttc.c ++++ b/drivers/clocksource/timer-cadence-ttc.c +@@ -486,10 +486,10 @@ static int __init ttc_timer_probe(struct platform_device *pdev) + * and use it. 
Note that the event timer uses the interrupt and it's the + * 2nd TTC hence the irq_of_parse_and_map(,1) + */ +- timer_baseaddr = of_iomap(timer, 0); +- if (!timer_baseaddr) { ++ timer_baseaddr = devm_of_iomap(&pdev->dev, timer, 0, NULL); ++ if (IS_ERR(timer_baseaddr)) { + pr_err("ERROR: invalid timer base address\n"); +- return -ENXIO; ++ return PTR_ERR(timer_baseaddr); + } + + irq = irq_of_parse_and_map(timer, 1); +@@ -513,20 +513,27 @@ static int __init ttc_timer_probe(struct platform_device *pdev) + clk_ce = of_clk_get(timer, clksel); + if (IS_ERR(clk_ce)) { + pr_err("ERROR: timer input clock not found\n"); +- return PTR_ERR(clk_ce); ++ ret = PTR_ERR(clk_ce); ++ goto put_clk_cs; + } + + ret = ttc_setup_clocksource(clk_cs, timer_baseaddr, timer_width); + if (ret) +- return ret; ++ goto put_clk_ce; + + ret = ttc_setup_clockevent(clk_ce, timer_baseaddr + 4, irq); + if (ret) +- return ret; ++ goto put_clk_ce; + + pr_info("%pOFn #0 at %p, irq=%d\n", timer, timer_baseaddr, irq); + + return 0; ++ ++put_clk_ce: ++ clk_put(clk_ce); ++put_clk_cs: ++ clk_put(clk_cs); ++ return ret; + } + + static const struct of_device_id ttc_timer_of_match[] = { +-- +2.39.2 + diff --git a/tmp-5.4/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch b/tmp-5.4/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch new file mode 100644 index 00000000000..458cb8a918c --- /dev/null +++ b/tmp-5.4/clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch 
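Review bot: The `put_clk_ce` path also drops `clk_cs` when `ttc_setup_clockevent()` fails, although `ttc_setup_clocksource()` has by then returned 0 for that same clock. The helper bodies are outside this hunk, but if the clocksource setup registers anything that keeps using `clk_cs`, that user is left with a clock reference the probe has just released. Unless the clocksource is unwound first, this one failure should release only the event clock, for example through its own label: `if (ret) goto put_only_clk_ce;`. The earlier exits of `ttc_timer_probe()` are not visible here and were not checked.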
@@ -0,0 +1,86 @@ +From 9aafc8310ef35dfe631b0ae48e9a39bdf27caf13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2019 02:36:28 -0800 +Subject: clocksource/drivers/cadence-ttc: Use ttc driver as platform driver + +From: Rajan Vaja + +[ Upstream commit f5ac896b6a23eb46681cdbef440c1d991b04e519 ] + +Currently TTC driver is TIMER_OF_DECLARE type driver. Because of +that, TTC driver may be initialized before other clock drivers. If +TTC driver is dependent on that clock driver then initialization of +TTC driver will failed. + +So use TTC driver as platform driver instead of using +TIMER_OF_DECLARE. + +Signed-off-by: Rajan Vaja +Tested-by: Michal Simek +Acked-by: Michal Simek +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/1573122988-18399-1-git-send-email-rajan.vaja@xilinx.com +Stable-dep-of: 8b5bf64c89c7 ("clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe") +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-cadence-ttc.c | 26 +++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/drivers/clocksource/timer-cadence-ttc.c b/drivers/clocksource/timer-cadence-ttc.c +index 160bc6597de5b..df5895e934636 100644 +--- a/drivers/clocksource/timer-cadence-ttc.c ++++ b/drivers/clocksource/timer-cadence-ttc.c +@@ -15,6 +15,8 @@ + #include + #include + #include ++#include ++#include + + /* + * This driver configures the 2 16/32-bit count-up timers as follows: +@@ -464,13 +466,7 @@ static int __init ttc_setup_clockevent(struct clk *clk, + return err; + } + +-/** +- * ttc_timer_init - Initialize the timer +- * +- * Initializes the timer hardware and register the clock source and clock event +- * timers with Linux kernal timer framework +- */ +-static int __init ttc_timer_init(struct device_node *timer) ++static int __init ttc_timer_probe(struct platform_device *pdev) + { + unsigned int irq; + void __iomem *timer_baseaddr; +@@ -478,6 +474,7 @@ static int __init ttc_timer_init(struct device_node 
*timer) + static int initialized; + int clksel, ret; + u32 timer_width = 16; ++ struct device_node *timer = pdev->dev.of_node; + + if (initialized) + return 0; +@@ -532,4 +529,17 @@ static int __init ttc_timer_init(struct device_node *timer) + return 0; + } + +-TIMER_OF_DECLARE(ttc, "cdns,ttc", ttc_timer_init); ++static const struct of_device_id ttc_timer_of_match[] = { ++ {.compatible = "cdns,ttc"}, ++ {}, ++}; ++ ++MODULE_DEVICE_TABLE(of, ttc_timer_of_match); ++ ++static struct platform_driver ttc_timer_driver = { ++ .driver = { ++ .name = "cdns_ttc_timer", ++ .of_match_table = ttc_timer_of_match, ++ }, ++}; ++builtin_platform_driver_probe(ttc_timer_driver, ttc_timer_probe); +-- +2.39.2 + diff --git a/tmp-5.4/cls_flower-add-extack-support-for-src-and-dst-port-r.patch b/tmp-5.4/cls_flower-add-extack-support-for-src-and-dst-port-r.patch new file mode 100644 index 00000000000..a55d61f927b --- /dev/null +++ b/tmp-5.4/cls_flower-add-extack-support-for-src-and-dst-port-r.patch 
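Review bot: `builtin_platform_driver_probe()` registers the driver through `platform_driver_probe()`, which does not support probe deferral, so the ordering problem in the description is solved only for clock providers that are already registered when this initcall runs. The `of_clk_get()` calls are outside the hunk, but a deferral request coming back from them would end the probe for good rather than retry it. A comment above the registration would record that constraint: `/* one-shot probe: no deferral, clock providers must already be registered */`. The hunk also removes the kernel-doc block of `ttc_timer_init()` without giving `ttc_timer_probe()` one.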
@@ -0,0 +1,78 @@ +From baa5899647027ec01ba907ae23c434d7daca9cb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Mar 2020 21:48:51 +0100 +Subject: cls_flower: Add extack support for src and dst port range options + +From: Guillaume Nault + +[ Upstream commit bd7d4c12819b60b161939bc2f43053955d24d0df ] + +Pass extack down to fl_set_key_port_range() and set message on error. + +Both the min and max ports would qualify as invalid attributes here. +Report the min one as invalid, as it's probably what makes the most +sense from a user point of view. + +Signed-off-by: Guillaume Nault +Signed-off-by: David S. Miller +Stable-dep-of: d3f87278bcb8 ("net/sched: flower: Ensure both minimum and maximum ports are specified") +Signed-off-by: Sasha Levin +--- + net/sched/cls_flower.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index f21c97f02d361..f0010e4850eb6 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -719,7 +719,8 @@ static void fl_set_key_val(struct nlattr **tb, + } + + static int fl_set_key_port_range(struct nlattr **tb, struct fl_flow_key *key, +- struct fl_flow_key *mask) ++ struct fl_flow_key *mask, ++ struct netlink_ext_ack *extack) + { + fl_set_key_val(tb, &key->tp_range.tp_min.dst, + TCA_FLOWER_KEY_PORT_DST_MIN, &mask->tp_range.tp_min.dst, +@@ -734,13 +735,22 @@ static int fl_set_key_port_range(struct nlattr **tb, struct fl_flow_key *key, + TCA_FLOWER_KEY_PORT_SRC_MAX, &mask->tp_range.tp_max.src, + TCA_FLOWER_UNSPEC, sizeof(key->tp_range.tp_max.src)); + +- if ((mask->tp_range.tp_min.dst && mask->tp_range.tp_max.dst && +- htons(key->tp_range.tp_max.dst) <= +- htons(key->tp_range.tp_min.dst)) || +- (mask->tp_range.tp_min.src && mask->tp_range.tp_max.src && +- htons(key->tp_range.tp_max.src) <= +- htons(key->tp_range.tp_min.src))) ++ if (mask->tp_range.tp_min.dst && mask->tp_range.tp_max.dst && ++ htons(key->tp_range.tp_max.dst) <= ++ 
htons(key->tp_range.tp_min.dst)) { ++ NL_SET_ERR_MSG_ATTR(extack, ++ tb[TCA_FLOWER_KEY_PORT_DST_MIN], ++ "Invalid destination port range (min must be strictly smaller than max)"); + return -EINVAL; ++ } ++ if (mask->tp_range.tp_min.src && mask->tp_range.tp_max.src && ++ htons(key->tp_range.tp_max.src) <= ++ htons(key->tp_range.tp_min.src)) { ++ NL_SET_ERR_MSG_ATTR(extack, ++ tb[TCA_FLOWER_KEY_PORT_SRC_MIN], ++ "Invalid source port range (min must be strictly smaller than max)"); ++ return -EINVAL; ++ } + + return 0; + } +@@ -1211,7 +1221,7 @@ static int fl_set_key(struct net *net, struct nlattr **tb, + if (key->basic.ip_proto == IPPROTO_TCP || + key->basic.ip_proto == IPPROTO_UDP || + key->basic.ip_proto == IPPROTO_SCTP) { +- ret = fl_set_key_port_range(tb, key, mask); ++ ret = fl_set_key_port_range(tb, key, mask, extack); + if (ret) + return ret; + } +-- +2.39.2 + diff --git a/tmp-5.4/crypto-marvell-cesa-fix-type-mismatch-warning.patch b/tmp-5.4/crypto-marvell-cesa-fix-type-mismatch-warning.patch new file mode 100644 index 00000000000..771f0203cc3 --- /dev/null +++ b/tmp-5.4/crypto-marvell-cesa-fix-type-mismatch-warning.patch 
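Review bot: The range check in `fl_set_key_port_range()` only runs when both the min and the max mask are non-zero, so a request carrying just one end of a range still gets 0 back from this function. The follow-up named in the `Stable-dep-of:` trailer appears to cover this. Until it is applied, a guard ahead of the comparison would close the gap, e.g. `if (!mask->tp_range.tp_min.dst != !mask->tp_range.tp_max.dst) { NL_SET_ERR_MSG(extack, "Both min and max destination ports must be specified"); return -EINVAL; }`, and the same for `src`. Separately, the key fields are compared through `htons()`; if they hold network-order values, `ntohs()` states the intent, with the same result.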
@@ -0,0 +1,49 @@ +From 95077e34f3fe5cbe27a65bd338f45589cd7ef28c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 May 2023 10:33:04 +0200 +Subject: crypto: marvell/cesa - Fix type mismatch warning + +From: Arnd Bergmann + +[ Upstream commit efbc7764c4446566edb76ca05e903b5905673d2e ] + +Commit df8fc4e934c1 ("kbuild: Enable -fstrict-flex-arrays=3") uncovered +a type mismatch in cesa 3des support that leads to a memcpy beyond the +end of a structure: + +In function 'fortify_memcpy_chk', + inlined from 'mv_cesa_des3_ede_setkey' at drivers/crypto/marvell/cesa/cipher.c:307:2: +include/linux/fortify-string.h:583:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning] + 583 | __write_overflow_field(p_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This is probably harmless as the actual data that is copied has the correct +type, but clearly worth fixing nonetheless. + +Fixes: 4ada48397823 ("crypto: marvell/cesa - add Triple-DES support") +Cc: Kees Cook +Cc: Gustavo A. R. Silva +Signed-off-by: Arnd Bergmann +Reviewed-by: Kees Cook +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/marvell/cipher.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/marvell/cipher.c b/drivers/crypto/marvell/cipher.c +index 708dc63b2f099..c7d433d1cd99d 100644 +--- a/drivers/crypto/marvell/cipher.c ++++ b/drivers/crypto/marvell/cipher.c +@@ -287,7 +287,7 @@ static int mv_cesa_des_setkey(struct crypto_skcipher *cipher, const u8 *key, + static int mv_cesa_des3_ede_setkey(struct crypto_skcipher *cipher, + const u8 *key, unsigned int len) + { +- struct mv_cesa_des_ctx *ctx = crypto_skcipher_ctx(cipher); ++ struct mv_cesa_des3_ctx *ctx = crypto_skcipher_ctx(cipher); + int err; + + err = verify_skcipher_des3_key(cipher, key); +-- +2.39.2 + 
diff --git a/tmp-5.4/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch b/tmp-5.4/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch
new file mode 100644
index 00000000000..66b1b565aaf
--- /dev/null
+++ b/tmp-5.4/crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch
@@ -0,0 +1,88 @@ +From ab77abb378b334c4643ed68491cbad54967434c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 15:33:34 -0700 +Subject: crypto: nx - fix build warnings when DEBUG_FS is not enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit b04b076fb56560b39d695ac3744db457e12278fd ] + +Fix build warnings when DEBUG_FS is not enabled by using an empty +do-while loop instead of a value: + +In file included from ../drivers/crypto/nx/nx.c:27: +../drivers/crypto/nx/nx.c: In function 'nx_register_algs': +../drivers/crypto/nx/nx.h:173:33: warning: statement with no effect [-Wunused-value] + 173 | #define NX_DEBUGFS_INIT(drv) (0) +../drivers/crypto/nx/nx.c:573:9: note: in expansion of macro 'NX_DEBUGFS_INIT' + 573 | NX_DEBUGFS_INIT(&nx_driver); +../drivers/crypto/nx/nx.c: In function 'nx_remove': +../drivers/crypto/nx/nx.h:174:33: warning: statement with no effect [-Wunused-value] + 174 | #define NX_DEBUGFS_FINI(drv) (0) +../drivers/crypto/nx/nx.c:793:17: note: in expansion of macro 'NX_DEBUGFS_FINI' + 793 | NX_DEBUGFS_FINI(&nx_driver); + +Also, there is no need to build nx_debugfs.o when DEBUG_FS is not +enabled, so change the Makefile to accommodate that. + +Fixes: ae0222b7289d ("powerpc/crypto: nx driver code supporting nx encryption") +Fixes: aef7b31c8833 ("powerpc/crypto: Build files for the nx device driver") +Signed-off-by: Randy Dunlap +Cc: Breno Leitão +Cc: Nayna Jain +Cc: Paulo Flabiano Smorigo +Cc: Herbert Xu +Cc: "David S. 
Miller" +Cc: linux-crypto@vger.kernel.org +Cc: Michael Ellerman +Cc: Nicholas Piggin +Cc: Christophe Leroy +Cc: linuxppc-dev@lists.ozlabs.org +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/nx/Makefile | 2 +- + drivers/crypto/nx/nx.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/nx/Makefile b/drivers/crypto/nx/Makefile +index 015155da59c29..76139865d7fa1 100644 +--- a/drivers/crypto/nx/Makefile ++++ b/drivers/crypto/nx/Makefile +@@ -1,7 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0 + obj-$(CONFIG_CRYPTO_DEV_NX_ENCRYPT) += nx-crypto.o + nx-crypto-objs := nx.o \ +- nx_debugfs.o \ + nx-aes-cbc.o \ + nx-aes-ecb.o \ + nx-aes-gcm.o \ +@@ -11,6 +10,7 @@ nx-crypto-objs := nx.o \ + nx-sha256.o \ + nx-sha512.o + ++nx-crypto-$(CONFIG_DEBUG_FS) += nx_debugfs.o + obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_PSERIES) += nx-compress-pseries.o nx-compress.o + obj-$(CONFIG_CRYPTO_DEV_NX_COMPRESS_POWERNV) += nx-compress-powernv.o nx-compress.o + nx-compress-objs := nx-842.o +diff --git a/drivers/crypto/nx/nx.h b/drivers/crypto/nx/nx.h +index 7ecca168f8c48..5c77aba450cf8 100644 +--- a/drivers/crypto/nx/nx.h ++++ b/drivers/crypto/nx/nx.h +@@ -169,8 +169,8 @@ struct nx_sg *nx_walk_and_build(struct nx_sg *, unsigned int, + void nx_debugfs_init(struct nx_crypto_driver *); + void nx_debugfs_fini(struct nx_crypto_driver *); + #else +-#define NX_DEBUGFS_INIT(drv) (0) +-#define NX_DEBUGFS_FINI(drv) (0) ++#define NX_DEBUGFS_INIT(drv) do {} while (0) ++#define NX_DEBUGFS_FINI(drv) do {} while (0) + #endif + + #define NX_PAGE_NUM(x) ((u64)(x) & 0xfffffffffffff000ULL) +-- +2.39.2 + diff --git a/tmp-5.4/crypto-skcipher-remove-crypto_has_ablkcipher.patch b/tmp-5.4/crypto-skcipher-remove-crypto_has_ablkcipher.patch new file mode 100644 index 00000000000..c6238a04842 --- /dev/null +++ b/tmp-5.4/crypto-skcipher-remove-crypto_has_ablkcipher.patch 
@@ -0,0 +1,88 @@ +From 977d524b86005c307a4d0ed46d890c93102e12b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 12:41:10 -0700 +Subject: crypto: skcipher - remove crypto_has_ablkcipher() + +From: Eric Biggers + +[ Upstream commit cec0cb8a28f9060367099beeafd0dbdb76fdfae2 ] + +crypto_has_ablkcipher() has no users, and it does the same thing as +crypto_has_skcipher() anyway. So remove it. This also removes the last +user of crypto_skcipher_type() and crypto_skcipher_mask(), so remove +those too. + +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Stable-dep-of: efbc7764c444 ("crypto: marvell/cesa - Fix type mismatch warning") +Signed-off-by: Sasha Levin +--- + Documentation/crypto/api-skcipher.rst | 2 +- + include/linux/crypto.h | 31 --------------------------- + 2 files changed, 1 insertion(+), 32 deletions(-) + +diff --git a/Documentation/crypto/api-skcipher.rst b/Documentation/crypto/api-skcipher.rst +index 20ba08dddf2ec..55e0851f6fed9 100644 +--- a/Documentation/crypto/api-skcipher.rst ++++ b/Documentation/crypto/api-skcipher.rst +@@ -41,7 +41,7 @@ Asynchronous Block Cipher API - Deprecated + :doc: Asynchronous Block Cipher API + + .. 
kernel-doc:: include/linux/crypto.h +- :functions: crypto_free_ablkcipher crypto_has_ablkcipher crypto_ablkcipher_ivsize crypto_ablkcipher_blocksize crypto_ablkcipher_setkey crypto_ablkcipher_reqtfm crypto_ablkcipher_encrypt crypto_ablkcipher_decrypt ++ :functions: crypto_free_ablkcipher crypto_ablkcipher_ivsize crypto_ablkcipher_blocksize crypto_ablkcipher_setkey crypto_ablkcipher_reqtfm crypto_ablkcipher_encrypt crypto_ablkcipher_decrypt + + Asynchronous Cipher Request Handle - Deprecated + ----------------------------------------------- +diff --git a/include/linux/crypto.h b/include/linux/crypto.h +index 0c720a2982ae4..019ddf7596534 100644 +--- a/include/linux/crypto.h ++++ b/include/linux/crypto.h +@@ -903,20 +903,6 @@ static inline struct crypto_ablkcipher *__crypto_ablkcipher_cast( + return (struct crypto_ablkcipher *)tfm; + } + +-static inline u32 crypto_skcipher_type(u32 type) +-{ +- type &= ~CRYPTO_ALG_TYPE_MASK; +- type |= CRYPTO_ALG_TYPE_BLKCIPHER; +- return type; +-} +- +-static inline u32 crypto_skcipher_mask(u32 mask) +-{ +- mask &= ~CRYPTO_ALG_TYPE_MASK; +- mask |= CRYPTO_ALG_TYPE_BLKCIPHER_MASK; +- return mask; +-} +- + /** + * DOC: Asynchronous Block Cipher API + * +@@ -962,23 +948,6 @@ static inline void crypto_free_ablkcipher(struct crypto_ablkcipher *tfm) + crypto_free_tfm(crypto_ablkcipher_tfm(tfm)); + } + +-/** +- * crypto_has_ablkcipher() - Search for the availability of an ablkcipher. 
+- * @alg_name: is the cra_name / name or cra_driver_name / driver name of the +- * ablkcipher +- * @type: specifies the type of the cipher +- * @mask: specifies the mask for the cipher +- * +- * Return: true when the ablkcipher is known to the kernel crypto API; false +- * otherwise +- */ +-static inline int crypto_has_ablkcipher(const char *alg_name, u32 type, +- u32 mask) +-{ +- return crypto_has_alg(alg_name, crypto_skcipher_type(type), +- crypto_skcipher_mask(mask)); +-} +- + static inline struct ablkcipher_tfm *crypto_ablkcipher_crt( + struct crypto_ablkcipher *tfm) + { +-- +2.39.2 + diff --git a/tmp-5.4/crypto-skcipher-unify-the-crypto_has_skcipher-functi.patch b/tmp-5.4/crypto-skcipher-unify-the-crypto_has_skcipher-functi.patch new file mode 100644 index 00000000000..d0090e0c195 --- /dev/null +++ b/tmp-5.4/crypto-skcipher-unify-the-crypto_has_skcipher-functi.patch 
@@ -0,0 +1,84 @@ +From 250ed9f7489ea73ea7422f38c4e4f648af200125 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Oct 2019 12:41:09 -0700 +Subject: crypto: skcipher - unify the crypto_has_skcipher*() functions + +From: Eric Biggers + +[ Upstream commit d3ca75a8b3d77f2788e6c119ea7c3e3a1ab1e1ca ] + +crypto_has_skcipher() and crypto_has_skcipher2() do the same thing: they +check for the availability of an algorithm of type skcipher, blkcipher, +or ablkcipher, which also meets any non-type constraints the caller +specified. And they have exactly the same prototype. + +Therefore, eliminate the redundancy by removing crypto_has_skcipher() +and renaming crypto_has_skcipher2() to crypto_has_skcipher(). + +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Stable-dep-of: efbc7764c444 ("crypto: marvell/cesa - Fix type mismatch warning") +Signed-off-by: Sasha Levin +--- + crypto/skcipher.c | 4 ++-- + include/crypto/skcipher.h | 19 +------------------ + 2 files changed, 3 insertions(+), 20 deletions(-) + +diff --git a/crypto/skcipher.c b/crypto/skcipher.c +index 22753c1c72022..233678d078169 100644 +--- a/crypto/skcipher.c ++++ b/crypto/skcipher.c +@@ -1017,12 +1017,12 @@ struct crypto_sync_skcipher *crypto_alloc_sync_skcipher( + } + EXPORT_SYMBOL_GPL(crypto_alloc_sync_skcipher); + +-int crypto_has_skcipher2(const char *alg_name, u32 type, u32 mask) ++int crypto_has_skcipher(const char *alg_name, u32 type, u32 mask) + { + return crypto_type_has_alg(alg_name, &crypto_skcipher_type2, + type, mask); + } +-EXPORT_SYMBOL_GPL(crypto_has_skcipher2); ++EXPORT_SYMBOL_GPL(crypto_has_skcipher); + + static int skcipher_prepare_alg(struct skcipher_alg *alg) + { +diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h +index 0bce6005d325d..6514e32e7c2fd 100644 +--- a/include/crypto/skcipher.h ++++ b/include/crypto/skcipher.h +@@ -220,30 +220,13 @@ static inline void crypto_free_sync_skcipher(struct crypto_sync_skcipher *tfm) + * crypto_has_skcipher() - Search for the 
availability of an skcipher. + * @alg_name: is the cra_name / name or cra_driver_name / driver name of the + * skcipher +- * @type: specifies the type of the cipher +- * @mask: specifies the mask for the cipher +- * +- * Return: true when the skcipher is known to the kernel crypto API; false +- * otherwise +- */ +-static inline int crypto_has_skcipher(const char *alg_name, u32 type, +- u32 mask) +-{ +- return crypto_has_alg(alg_name, crypto_skcipher_type(type), +- crypto_skcipher_mask(mask)); +-} +- +-/** +- * crypto_has_skcipher2() - Search for the availability of an skcipher. +- * @alg_name: is the cra_name / name or cra_driver_name / driver name of the +- * skcipher + * @type: specifies the type of the skcipher + * @mask: specifies the mask for the skcipher + * + * Return: true when the skcipher is known to the kernel crypto API; false + * otherwise + */ +-int crypto_has_skcipher2(const char *alg_name, u32 type, u32 mask); ++int crypto_has_skcipher(const char *alg_name, u32 type, u32 mask); + + static inline const char *crypto_skcipher_driver_name( + struct crypto_skcipher *tfm) +-- +2.39.2 + diff --git a/tmp-5.4/debugobjects-recheck-debug_objects_enabled-before-re.patch b/tmp-5.4/debugobjects-recheck-debug_objects_enabled-before-re.patch new file mode 100644 index 00000000000..12a9a23dbb2 --- /dev/null +++ b/tmp-5.4/debugobjects-recheck-debug_objects_enabled-before-re.patch 
@@ -0,0 +1,74 @@ +From 3f9b05ff93ea80f06045912ae0c882684155cdb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jun 2023 19:19:02 +0900 +Subject: debugobjects: Recheck debug_objects_enabled before reporting + +From: Tetsuo Handa + +[ Upstream commit 8b64d420fe2450f82848178506d3e3a0bd195539 ] + +syzbot is reporting false a positive ODEBUG message immediately after +ODEBUG was disabled due to OOM. + + [ 1062.309646][T22911] ODEBUG: Out of memory. ODEBUG disabled + [ 1062.886755][ T5171] ------------[ cut here ]------------ + [ 1062.892770][ T5171] ODEBUG: assert_init not available (active state 0) object: ffffc900056afb20 object type: timer_list hint: process_timeout+0x0/0x40 + + CPU 0 [ T5171] CPU 1 [T22911] + -------------- -------------- + debug_object_assert_init() { + if (!debug_objects_enabled) + return; + db = get_bucket(addr); + lookup_object_or_alloc() { + debug_objects_enabled = 0; + return NULL; + } + debug_objects_oom() { + pr_warn("Out of memory. ODEBUG disabled\n"); + // all buckets get emptied here, and + } + lookup_object_or_alloc(addr, db, descr, false, true) { + // this bucket is already empty. + return ERR_PTR(-ENOENT); + } + // Emits false positive warning. + debug_print_object(&o, "assert_init"); + } + +Recheck debug_object_enabled in debug_print_object() to avoid that. 
+ +Reported-by: syzbot +Suggested-by: Thomas Gleixner +Signed-off-by: Tetsuo Handa +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/492fe2ae-5141-d548-ebd5-62f5fe2e57f7@I-love.SAKURA.ne.jp +Closes: https://syzkaller.appspot.com/bug?extid=7937ba6a50bdd00fffdf +Signed-off-by: Sasha Levin +--- + lib/debugobjects.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/debugobjects.c b/lib/debugobjects.c +index 26fa04335537b..b0e4301d74954 100644 +--- a/lib/debugobjects.c ++++ b/lib/debugobjects.c +@@ -474,6 +474,15 @@ static void debug_print_object(struct debug_obj *obj, char *msg) + struct debug_obj_descr *descr = obj->descr; + static int limit; + ++ /* ++ * Don't report if lookup_object_or_alloc() by the current thread ++ * failed because lookup_object_or_alloc()/debug_objects_oom() by a ++ * concurrent thread turned off debug_objects_enabled and cleared ++ * the hash buckets. ++ */ ++ if (!debug_objects_enabled) ++ return; ++ + if (limit < 5 && descr != descr_test) { + void *hint = descr->debug_hint ? + descr->debug_hint(obj->object) : NULL; +-- +2.39.2 + diff --git a/tmp-5.4/devlink-report-devlink_port_type_warn-source-device.patch b/tmp-5.4/devlink-report-devlink_port_type_warn-source-device.patch new file mode 100644 index 00000000000..fa06ed629ab --- /dev/null +++ b/tmp-5.4/devlink-report-devlink_port_type_warn-source-device.patch 
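Review bot: The new `if (!debug_objects_enabled)` test in `debug_print_object()` is a plain read of a flag that, per the diagram in the description, another CPU clears concurrently. Marking the access makes the lockless intent explicit and keeps data-race tooling quiet: `if (!READ_ONCE(debug_objects_enabled)) return;`. The added comment could also say what orders this read after the bucket was emptied; presumably it is the bucket lock taken during lookup, but the lookup code is outside the hunk. The function body continues past the hunk.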
@@ -0,0 +1,77 @@ +From 634c51780e8327ad19a3169eb0cae02bd9ae033d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 11:54:47 +0200 +Subject: devlink: report devlink_port_type_warn source device + +From: Petr Oros + +[ Upstream commit a52305a81d6bb74b90b400dfa56455d37872fe4b ] + +devlink_port_type_warn is scheduled for port devlink and warning +when the port type is not set. But from this warning it is not easy +found out which device (driver) has no devlink port set. + +[ 3709.975552] Type was not set for devlink port. +[ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20 +[ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm +[ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse +[ 3710.108431] CPU: 1 PID: 13092 
Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1 +[ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022 +[ 3710.108437] Workqueue: events devlink_port_type_warn +[ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20 +[ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff <0f> 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87 +[ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282 +[ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027 +[ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8 +[ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18 +[ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600 +[ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905 +[ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000 +[ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0 +[ 3710.108456] PKRU: 55555554 +[ 3710.108457] Call Trace: +[ 3710.108458] +[ 3710.108459] process_one_work+0x1e2/0x3b0 +[ 3710.108466] ? rescuer_thread+0x390/0x390 +[ 3710.108468] worker_thread+0x50/0x3a0 +[ 3710.108471] ? rescuer_thread+0x390/0x390 +[ 3710.108473] kthread+0xdd/0x100 +[ 3710.108477] ? kthread_complete_and_exit+0x20/0x20 +[ 3710.108479] ret_from_fork+0x1f/0x30 +[ 3710.108485] +[ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]--- + +After patch: +[ 402.473064] ice 0000:41:00.0: Type was not set for devlink port. +[ 402.473064] ice 0000:41:00.1: Type was not set for devlink port. 
+ +Signed-off-by: Petr Oros +Reviewed-by: Pavan Chebbi +Reviewed-by: Jakub Kicinski +Link: https://lore.kernel.org/r/20230615095447.8259-1-poros@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/devlink.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/core/devlink.c b/net/core/devlink.c +index 2dd354d869cd7..b4dabe5d89f72 100644 +--- a/net/core/devlink.c ++++ b/net/core/devlink.c +@@ -6299,7 +6299,10 @@ EXPORT_SYMBOL_GPL(devlink_free); + + static void devlink_port_type_warn(struct work_struct *work) + { +- WARN(true, "Type was not set for devlink port."); ++ struct devlink_port *port = container_of(to_delayed_work(work), ++ struct devlink_port, ++ type_warn_dw); ++ dev_warn(port->devlink->dev, "Type was not set for devlink port."); + } + + static bool devlink_port_type_should_warn(struct devlink_port *devlink_port) +-- +2.39.2 + diff --git a/tmp-5.4/drm-amdgpu-validate-vm-ioctl-flags.patch b/tmp-5.4/drm-amdgpu-validate-vm-ioctl-flags.patch new file mode 100644 index 00000000000..c3b98933574 --- /dev/null +++ b/tmp-5.4/drm-amdgpu-validate-vm-ioctl-flags.patch 
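Review bot: The `dev_warn()` format string in `devlink_port_type_warn()` has no trailing newline and still does not say which port of the device is affected. With `port` now at hand, `dev_warn(port->devlink->dev, "Type was not set for devlink port %u.\n", port->index);` would identify it, assuming `struct devlink_port` carries an `index` field, which is not visible here. Replacing `WARN()` also drops the stack trace and the `panic_on_warn` trigger. The description only motivates naming the device, so it should state that this loss is intended.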
@@ -0,0 +1,33 @@ +From a2b308044dcaca8d3e580959a4f867a1d5c37fac Mon Sep 17 00:00:00 2001 +From: Bas Nieuwenhuizen +Date: Sat, 13 May 2023 14:51:00 +0200 +Subject: drm/amdgpu: Validate VM ioctl flags. + +From: Bas Nieuwenhuizen + +commit a2b308044dcaca8d3e580959a4f867a1d5c37fac upstream. + +None have been defined yet, so reject anybody setting any. Mesa sets +it to 0 anyway. + +Signed-off-by: Bas Nieuwenhuizen +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -3076,6 +3076,10 @@ int amdgpu_vm_ioctl(struct drm_device *d + struct amdgpu_fpriv *fpriv = filp->driver_priv; + int r; + ++ /* No valid flags defined yet */ ++ if (args->in.flags) ++ return -EINVAL; ++ + switch (args->in.op) { + case AMDGPU_VM_OP_RESERVE_VMID: + /* current, we only have requirement to reserve vmid from gfxhub */ diff --git a/tmp-5.4/drm-amdkfd-fix-potential-deallocation-of-previously-.patch b/tmp-5.4/drm-amdkfd-fix-potential-deallocation-of-previously-.patch new file mode 100644 index 00000000000..b3b7a1f0677 --- /dev/null +++ b/tmp-5.4/drm-amdkfd-fix-potential-deallocation-of-previously-.patch 
@@ -0,0 +1,58 @@ +From 328bbe520714edfe435345c4087849764a6099ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2023 04:23:14 -0700 +Subject: drm/amdkfd: Fix potential deallocation of previously deallocated + memory. + +From: Daniil Dulov + +[ Upstream commit cabbdea1f1861098991768d7bbf5a49ed1608213 ] + +Pointer mqd_mem_obj can be deallocated in kfd_gtt_sa_allocate(). +The function then returns non-zero value, which causes the second deallocation. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: d1f8f0d17d40 ("drm/amdkfd: Move non-sdma mqd allocation out of init_mqd") +Signed-off-by: Daniil Dulov +Signed-off-by: Felix Kuehling +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c +index d3380c5bdbdea..d978fcac26651 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c +@@ -101,18 +101,19 @@ static struct kfd_mem_obj *allocate_mqd(struct kfd_dev *kfd, + &(mqd_mem_obj->gtt_mem), + &(mqd_mem_obj->gpu_addr), + (void *)&(mqd_mem_obj->cpu_ptr), true); ++ ++ if (retval) { ++ kfree(mqd_mem_obj); ++ return NULL; ++ } + } else { + retval = kfd_gtt_sa_allocate(kfd, sizeof(struct v9_mqd), + &mqd_mem_obj); +- } +- +- if (retval) { +- kfree(mqd_mem_obj); +- return NULL; ++ if (retval) ++ return NULL; + } + + return mqd_mem_obj; +- + } + + static void init_mqd(struct mqd_manager *mm, void **mqd, +-- +2.39.2 + diff --git a/tmp-5.4/drm-atomic-allow-vblank-enabled-self-refresh-disable.patch b/tmp-5.4/drm-atomic-allow-vblank-enabled-self-refresh-disable.patch new file mode 100644 index 00000000000..6735c1b4049 --- /dev/null +++ b/tmp-5.4/drm-atomic-allow-vblank-enabled-self-refresh-disable.patch 
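Review bot: The `else` branch of `allocate_mqd()` now returns NULL without freeing, and nothing in the code says why that differs from the branch above it. The reason is only in the commit message: `kfd_gtt_sa_allocate()` may already have released the object on failure. A comment at the early return would stop a later cleanup from re-adding the `kfree()`: `/* kfd_gtt_sa_allocate() cleans up after itself on failure; do not kfree() here */`. The function starts outside the hunk, so the initial value of `mqd_mem_obj` on that path could not be checked.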
@@ -0,0 +1,83 @@ +From 9d0e3cac3517942a6e00eeecfe583a98715edb16 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 9 Jan 2023 17:18:16 -0800 +Subject: drm/atomic: Allow vblank-enabled + self-refresh "disable" + +From: Brian Norris + +commit 9d0e3cac3517942a6e00eeecfe583a98715edb16 upstream. + +The self-refresh helper framework overloads "disable" to sometimes mean +"go into self-refresh mode," and this mode activates automatically +(e.g., after some period of unchanging display output). In such cases, +the display pipe is still considered "on", and user-space is not aware +that we went into self-refresh mode. Thus, users may expect that +vblank-related features (such as DRM_IOCTL_WAIT_VBLANK) still work +properly. + +However, we trigger the WARN_ONCE() here if a CRTC driver tries to leave +vblank enabled. + +Add a different expectation: that CRTCs *should* leave vblank enabled +when going into self-refresh. + +This patch is preparation for another patch -- "drm/rockchip: vop: Leave +vblank enabled in self-refresh" -- which resolves conflicts between the +above self-refresh behavior and the API tests in IGT's kms_vblank test +module. + +== Some alternatives discussed: == + +It's likely that on many display controllers, vblank interrupts will +turn off when the CRTC is disabled, and so in some cases, self-refresh +may not support vblank. To support such cases, we might consider +additions to the generic helpers such that we fire vblank events based +on a timer. + +However, there is currently only one driver using the common +self-refresh helpers (i.e., rockchip), and at least as of commit +bed030a49f3e ("drm/rockchip: Don't fully disable vop on self refresh"), +the CRTC hardware is powered enough to continue to generate vblank +interrupts. + +So we chose the simpler option of leaving vblank interrupts enabled. We +can reevaluate this decision and perhaps augment the helpers if/when we +gain a second driver that has different requirements. 
+ +v3: + * include discussion summary + +v2: + * add 'ret != 0' warning case for self-refresh + * describe failing test case and relation to drm/rockchip patch better + +Cc: # dependency for "drm/rockchip: vop: Leave + # vblank enabled in self-refresh" +Signed-off-by: Brian Norris +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20230109171809.v3.1.I3904f697863649eb1be540ecca147a66e42bfad7@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_atomic_helper.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_atomic_helper.c ++++ b/drivers/gpu/drm/drm_atomic_helper.c +@@ -1086,7 +1086,16 @@ disable_outputs(struct drm_device *dev, + continue; + + ret = drm_crtc_vblank_get(crtc); +- WARN_ONCE(ret != -EINVAL, "driver forgot to call drm_crtc_vblank_off()\n"); ++ /* ++ * Self-refresh is not a true "disable"; ensure vblank remains ++ * enabled. ++ */ ++ if (new_crtc_state->self_refresh_active) ++ WARN_ONCE(ret != 0, ++ "driver disabled vblank in self-refresh\n"); ++ else ++ WARN_ONCE(ret != -EINVAL, ++ "driver forgot to call drm_crtc_vblank_off()\n"); + if (ret == 0) + drm_crtc_vblank_put(crtc); + } diff --git a/tmp-5.4/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch b/tmp-5.4/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch new file mode 100644 index 00000000000..dafb7a21dd9 --- /dev/null +++ b/tmp-5.4/drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch 
@@ -0,0 +1,91 @@ +From 4e076c73e4f6e90816b30fcd4a0d7ab365087255 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Fri, 21 Jul 2023 15:58:38 +0200 +Subject: drm/atomic: Fix potential use-after-free in nonblocking commits + +From: Daniel Vetter + +commit 4e076c73e4f6e90816b30fcd4a0d7ab365087255 upstream. + +This requires a bit of background. Properly done a modeset driver's +unload/remove sequence should be + + drm_dev_unplug(); + drm_atomic_helper_shutdown(); + drm_dev_put(); + +The trouble is that the drm_dev_unplugged() checks are by design racy, +they do not synchronize against all outstanding ioctl. This is because +those ioctl could block forever (both for modeset and for driver +specific ioctls), leading to deadlocks in hotunplug. Instead the code +sections that touch the hardware need to be annotated with +drm_dev_enter/exit, to avoid accessing hardware resources after the +unload/remove has finished. + +To avoid use-after-free issues all the involved userspace visible +objects are supposed to hold a reference on the underlying drm_device, +like drm_file does. + +The issue now is that we missed one, the atomic modeset ioctl can be run +in a nonblocking fashion, and in that case it cannot rely on the implied +drm_device reference provided by the ioctl calling context. This can +result in a use-after-free if an nonblocking atomic commit is carefully +raced against a driver unload. + +Fix this by unconditionally grabbing a drm_device reference for any +drm_atomic_state structures. Strictly speaking this isn't required for +blocking commits and TEST_ONLY calls, but it's the simpler approach. + +Thanks to shanzhulig for the initial idea of grabbing an unconditional +reference, I just added comments, a condensed commit message and fixed a +minor potential issue in where exactly we drop the final reference. 
+ +Reported-by: shanzhulig +Suggested-by: shanzhulig +Reviewed-by: Maxime Ripard +Cc: Maarten Lankhorst +Cc: Thomas Zimmermann +Cc: David Airlie +Cc: stable@kernel.org +Signed-off-by: Daniel Vetter +Signed-off-by: Daniel Vetter +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_atomic.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_atomic.c ++++ b/drivers/gpu/drm/drm_atomic.c +@@ -97,6 +97,12 @@ drm_atomic_state_init(struct drm_device + if (!state->planes) + goto fail; + ++ /* ++ * Because drm_atomic_state can be committed asynchronously we need our ++ * own reference and cannot rely on the on implied by drm_file in the ++ * ioctl call. ++ */ ++ drm_dev_get(dev); + state->dev = dev; + + DRM_DEBUG_ATOMIC("Allocated atomic state %p\n", state); +@@ -256,7 +262,8 @@ EXPORT_SYMBOL(drm_atomic_state_clear); + void __drm_atomic_state_free(struct kref *ref) + { + struct drm_atomic_state *state = container_of(ref, typeof(*state), ref); +- struct drm_mode_config *config = &state->dev->mode_config; ++ struct drm_device *dev = state->dev; ++ struct drm_mode_config *config = &dev->mode_config; + + drm_atomic_state_clear(state); + +@@ -268,6 +275,8 @@ void __drm_atomic_state_free(struct kref + drm_atomic_state_default_release(state); + kfree(state); + } ++ ++ drm_dev_put(dev); + } + EXPORT_SYMBOL(__drm_atomic_state_free); + diff --git a/tmp-5.4/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch b/tmp-5.4/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch new file mode 100644 index 00000000000..324855d9bc6 --- /dev/null +++ b/tmp-5.4/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch 
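Review bot: In __drm_atomic_state_free() the reason for caching `state->dev` in a local is not written down, and it is the part most likely to be undone by a later cleanup: `drm_dev_put(dev)` runs after `kfree(state)`, so reading `state->dev` at that point would itself be a use-after-free. A comment above `drm_dev_put(dev);` such as `/* state is freed by now; drop the reference through the cached dev */` would protect it. The comment added in drm_atomic_state_init() also has a typo: "rely on the on implied" should read "rely on the one implied". Both functions extend beyond the hunks shown.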
@@ -0,0 +1,46 @@
+From 2329cc7a101af1a844fbf706c0724c0baea38365 Mon Sep 17 00:00:00 2001
+From: Jocelyn Falempe
+Date: Tue, 11 Jul 2023 11:20:44 +0200
+Subject: drm/client: Fix memory leak in drm_client_modeset_probe
+
+From: Jocelyn Falempe
+
+commit 2329cc7a101af1a844fbf706c0724c0baea38365 upstream.
+
+When a new mode is set to modeset->mode, the previous mode should be freed.
+This fixes the following kmemleak report:
+
+drm_mode_duplicate+0x45/0x220 [drm]
+drm_client_modeset_probe+0x944/0xf50 [drm]
+__drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper]
+drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper]
+drm_client_register+0x169/0x240 [drm]
+ast_pci_probe+0x142/0x190 [ast]
+local_pci_probe+0xdc/0x180
+work_for_cpu_fn+0x4e/0xa0
+process_one_work+0x8b7/0x1540
+worker_thread+0x70a/0xed0
+kthread+0x29f/0x340
+ret_from_fork+0x1f/0x30
+
+cc:
+Reported-by: Zhang Yi
+Signed-off-by: Jocelyn Falempe
+Reviewed-by: Javier Martinez Canillas
+Reviewed-by: Thomas Zimmermann
+Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-3-jfalempe@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_client_modeset.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/drm_client_modeset.c
++++ b/drivers/gpu/drm/drm_client_modeset.c
+@@ -790,6 +790,7 @@ int drm_client_modeset_probe(struct drm_
+ break;
+ }
+
++ kfree(modeset->mode);
+ modeset->mode = drm_mode_duplicate(dev, mode);
+ drm_connector_get(connector);
+ modeset->connectors[modeset->num_connectors++] = connector;
diff --git a/tmp-5.4/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch b/tmp-5.4/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch
new file mode 100644
index 00000000000..6512e37e47a
--- /dev/null
+++ b/tmp-5.4/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch
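Review bot: The result of `drm_mode_duplicate(dev, mode)` is stored in `modeset->mode` with no NULL check in the lines shown, and once the added `kfree(modeset->mode)` has run, a failed duplicate leaves the modeset without a mode while the connector is still taken and counted. drm_mode_duplicate() allocates (the kmemleak trace in the description starts there), so it can fail. Unless a check follows outside the hunk, add `if (!modeset->mode) { ret = -ENOMEM; break; }` right after the assignment, assuming `ret` is the function's error variable. The enclosing loop and function start and end outside the hunk.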
@@ -0,0 +1,68 @@ +From c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 Mon Sep 17 00:00:00 2001 +From: Jocelyn Falempe +Date: Tue, 11 Jul 2023 11:20:43 +0200 +Subject: drm/client: Fix memory leak in drm_client_target_cloned + +From: Jocelyn Falempe + +commit c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 upstream. + +dmt_mode is allocated and never freed in this function. +It was found with the ast driver, but most drivers using generic fbdev +setup are probably affected. + +This fixes the following kmemleak report: + backtrace: + [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm] + [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm] + [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm] + [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] + [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] + [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm] + [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast] + [<00000000987f19bb>] local_pci_probe+0xdc/0x180 + [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0 + [<0000000000b85301>] process_one_work+0x8b7/0x1540 + [<000000003375b17c>] worker_thread+0x70a/0xed0 + [<00000000b0d43cd9>] kthread+0x29f/0x340 + [<000000008d770833>] ret_from_fork+0x1f/0x30 +unreferenced object 0xff11000333089a00 (size 128): + +cc: +Fixes: 1d42bbc8f7f9 ("drm/fbdev: fix cloning on fbcon") +Reported-by: Zhang Yi +Signed-off-by: Jocelyn Falempe +Reviewed-by: Javier Martinez Canillas +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-2-jfalempe@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_client_modeset.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/drm_client_modeset.c ++++ b/drivers/gpu/drm/drm_client_modeset.c +@@ -281,6 +281,9 @@ static bool drm_client_target_cloned(str + can_clone = true; + dmt_mode = drm_mode_find_dmt(dev, 1024, 768, 60, false); + ++ 
if (!dmt_mode) ++ goto fail; ++ + for (i = 0; i < connector_count; i++) { + if (!enabled[i]) + continue; +@@ -296,11 +299,13 @@ static bool drm_client_target_cloned(str + if (!modes[i]) + can_clone = false; + } ++ kfree(dmt_mode); + + if (can_clone) { + DRM_DEBUG_KMS("can clone using 1024x768\n"); + return true; + } ++fail: + DRM_INFO("kms: can't enable cloning when we probably wanted to.\n"); + return false; + } diff --git a/tmp-5.4/drm-i915-initialise-outparam-for-error-return-from-wait_for_register.patch b/tmp-5.4/drm-i915-initialise-outparam-for-error-return-from-wait_for_register.patch new file mode 100644 index 00000000000..ed517ccc6f3 --- /dev/null +++ b/tmp-5.4/drm-i915-initialise-outparam-for-error-return-from-wait_for_register.patch 
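Review bot: `kfree(dmt_mode)` in drm_client_target_cloned() frees a mode object directly, while the DRM mode API provides `drm_mode_destroy(dev, dmt_mode)` for this, which keeps the allocation detail inside the modes code and accepts NULL. The same style point applies to `kfree(modeset->mode)` in the drm_client_modeset_probe patch just before this one. Separately, the new `goto fail` for a NULL `dmt_mode` ends in the generic "can't enable cloning" message, which hides the real cause; a `DRM_DEBUG_KMS` line before the `goto` naming the failed DMT lookup would make that path diagnosable.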
@@ -0,0 +1,45 @@
+From b79ffa914ede785a721f42d8ee3ce7b8eeede2bb Mon Sep 17 00:00:00 2001
+From: Chris Wilson
+Date: Wed, 16 Sep 2020 11:50:21 +0100
+Subject: drm/i915: Initialise outparam for error return from wait_for_register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chris Wilson
+
+commit b79ffa914ede785a721f42d8ee3ce7b8eeede2bb upstream.
+
+Just in case the caller passes in 0 for both slow&fast timeouts, make
+sure we initialise the stack value returned. Add an assert so that we
+don't make the mistake of passing 0 timeouts for the wait.
+
+drivers/gpu/drm/i915/intel_uncore.c:2011 __intel_wait_for_register_fw() error: uninitialized symbol 'reg_value'.
+
+References: 3f649ab728cd ("treewide: Remove uninitialized_var() usage")
+Signed-off-by: Chris Wilson
+Reviewed-by: José Roberto de Souza
+Link: https://patchwork.freedesktop.org/patch/msgid/20200916105022.28316-1-chris@chris-wilson.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/intel_uncore.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_uncore.c
++++ b/drivers/gpu/drm/i915/intel_uncore.c
+@@ -1926,13 +1926,14 @@ int __intel_wait_for_register_fw(struct
+ unsigned int slow_timeout_ms,
+ u32 *out_value)
+ {
+- u32 reg_value;
++ u32 reg_value = 0;
+ #define done (((reg_value = intel_uncore_read_fw(uncore, reg)) & mask) == value)
+ int ret;
+
+ /* Catch any overuse of this function */
+ might_sleep_if(slow_timeout_ms);
+ GEM_BUG_ON(fast_timeout_us > 20000);
++ GEM_BUG_ON(!fast_timeout_us && !slow_timeout_ms);
+
+ ret = -ETIMEDOUT;
+ if (fast_timeout_us && fast_timeout_us <= 20000)
diff --git a/tmp-5.4/drm-panel-add-and-fill-drm_panel-type-field.patch b/tmp-5.4/drm-panel-add-and-fill-drm_panel-type-field.patch
new file mode 100644
index 00000000000..09cac7cd32f
--- /dev/null
+++ b/tmp-5.4/drm-panel-add-and-fill-drm_panel-type-field.patch
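Review bot: `GEM_BUG_ON(!fast_timeout_us && !slow_timeout_ms)` is only active when the i915 GEM debug option is built in, so on production kernels a caller passing two zero timeouts still gets -ETIMEDOUT and a value that never came from a register read. That makes `u32 reg_value = 0;` the actual fix, and it deserves a comment saying so, e.g. `/* stays 0 if both timeouts are 0 and the register is never read */`. Callers should not treat `*out_value` as meaningful when the return is non-zero; where out_value is written is below the hunk, so that part is inferred from the commit subject.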
@@ -0,0 +1,854 @@ +From d0adebec16ee01a75fe118ee44ae27ed4ee7d584 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Sep 2019 16:28:03 +0300 +Subject: drm/panel: Add and fill drm_panel type field + +From: Laurent Pinchart + +[ Upstream commit 9a2654c0f62a1704f36acb6329f9ccbd539f75ad ] + +Add a type field to the drm_panel structure to report the panel type, +using DRM_MODE_CONNECTOR_* macros (the values that make sense are LVDS, +eDP, DSI and DPI). This will be used to initialise the corresponding +connector type. + +Update all panel drivers accordingly. The panel-simple driver only +specifies the type for the known to be LVDS panels, while all other +panels are left as unknown and will be converted on a case-by-case +basis as they all need to be carefully reviewed. + +Signed-off-by: Laurent Pinchart +Reviewed-by: Boris Brezillon +Reviewed-by: Linus Walleij +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20190904132804.29680-2-laurent.pinchart@ideasonboard.com +Stable-dep-of: 2c56a751845d ("drm/panel: simple: Add connector_type for innolux_at043tn24") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel.c | 5 +++- + drivers/gpu/drm/panel/panel-arm-versatile.c | 3 ++- + .../drm/panel/panel-feiyang-fy07024di26a30d.c | 3 ++- + drivers/gpu/drm/panel/panel-ilitek-ili9322.c | 3 ++- + drivers/gpu/drm/panel/panel-ilitek-ili9881c.c | 3 ++- + drivers/gpu/drm/panel/panel-innolux-p079zca.c | 3 ++- + .../gpu/drm/panel/panel-jdi-lt070me05000.c | 3 ++- + .../drm/panel/panel-kingdisplay-kd097d04.c | 2 +- + drivers/gpu/drm/panel/panel-lg-lb035q02.c | 3 ++- + drivers/gpu/drm/panel/panel-lg-lg4573.c | 3 ++- + drivers/gpu/drm/panel/panel-lvds.c | 3 ++- + drivers/gpu/drm/panel/panel-nec-nl8048hl11.c | 3 ++- + drivers/gpu/drm/panel/panel-novatek-nt39016.c | 3 ++- + .../drm/panel/panel-olimex-lcd-olinuxino.c | 3 ++- + .../gpu/drm/panel/panel-orisetech-otm8009a.c | 3 ++- + .../drm/panel/panel-osd-osd101t2587-53ts.c | 2 +- + 
.../drm/panel/panel-panasonic-vvx10f034n00.c | 2 +- + .../drm/panel/panel-raspberrypi-touchscreen.c | 3 ++- + drivers/gpu/drm/panel/panel-raydium-rm67191.c | 3 ++- + drivers/gpu/drm/panel/panel-raydium-rm68200.c | 3 ++- + .../drm/panel/panel-rocktech-jh057n00900.c | 3 ++- + drivers/gpu/drm/panel/panel-ronbo-rb070d30.c | 3 ++- + drivers/gpu/drm/panel/panel-samsung-ld9040.c | 3 ++- + drivers/gpu/drm/panel/panel-samsung-s6d16d0.c | 3 ++- + drivers/gpu/drm/panel/panel-samsung-s6e3ha2.c | 3 ++- + .../gpu/drm/panel/panel-samsung-s6e63j0x03.c | 3 ++- + drivers/gpu/drm/panel/panel-samsung-s6e63m0.c | 3 ++- + drivers/gpu/drm/panel/panel-samsung-s6e8aa0.c | 3 ++- + drivers/gpu/drm/panel/panel-seiko-43wvf1g.c | 3 ++- + .../gpu/drm/panel/panel-sharp-lq101r1sx01.c | 3 ++- + .../gpu/drm/panel/panel-sharp-ls037v7dw01.c | 3 ++- + .../gpu/drm/panel/panel-sharp-ls043t1le01.c | 2 +- + drivers/gpu/drm/panel/panel-simple.c | 26 ++++++++++++++++++- + drivers/gpu/drm/panel/panel-sitronix-st7701.c | 3 ++- + .../gpu/drm/panel/panel-sitronix-st7789v.c | 3 ++- + drivers/gpu/drm/panel/panel-sony-acx565akm.c | 3 ++- + drivers/gpu/drm/panel/panel-tpo-td028ttec1.c | 3 ++- + drivers/gpu/drm/panel/panel-tpo-td043mtea1.c | 3 ++- + drivers/gpu/drm/panel/panel-tpo-tpg110.c | 3 ++- + drivers/gpu/drm/panel/panel-truly-nt35597.c | 3 ++- + include/drm/drm_panel.h | 12 ++++++++- + 41 files changed, 112 insertions(+), 41 deletions(-) + +diff --git a/drivers/gpu/drm/drm_panel.c b/drivers/gpu/drm/drm_panel.c +index ba2fad4c96489..ed7985c0535a2 100644 +--- a/drivers/gpu/drm/drm_panel.c ++++ b/drivers/gpu/drm/drm_panel.c +@@ -46,16 +46,19 @@ static LIST_HEAD(panel_list); + * @panel: DRM panel + * @dev: parent device of the panel + * @funcs: panel operations ++ * @connector_type: the connector type (DRM_MODE_CONNECTOR_*) corresponding to ++ * the panel interface + * + * Initialize the panel structure for subsequent registration with + * drm_panel_add(). 
+ */ + void drm_panel_init(struct drm_panel *panel, struct device *dev, +- const struct drm_panel_funcs *funcs) ++ const struct drm_panel_funcs *funcs, int connector_type) + { + INIT_LIST_HEAD(&panel->list); + panel->dev = dev; + panel->funcs = funcs; ++ panel->connector_type = connector_type; + } + EXPORT_SYMBOL(drm_panel_init); + +diff --git a/drivers/gpu/drm/panel/panel-arm-versatile.c b/drivers/gpu/drm/panel/panel-arm-versatile.c +index a4333ed0f20ca..a0574dc03e16f 100644 +--- a/drivers/gpu/drm/panel/panel-arm-versatile.c ++++ b/drivers/gpu/drm/panel/panel-arm-versatile.c +@@ -350,7 +350,8 @@ static int versatile_panel_probe(struct platform_device *pdev) + dev_info(dev, "panel mounted on IB2 daughterboard\n"); + } + +- drm_panel_init(&vpanel->panel, dev, &versatile_panel_drm_funcs); ++ drm_panel_init(&vpanel->panel, dev, &versatile_panel_drm_funcs, ++ DRM_MODE_CONNECTOR_DPI); + + return drm_panel_add(&vpanel->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-feiyang-fy07024di26a30d.c b/drivers/gpu/drm/panel/panel-feiyang-fy07024di26a30d.c +index 7d5d7455bc01f..98f184b811873 100644 +--- a/drivers/gpu/drm/panel/panel-feiyang-fy07024di26a30d.c ++++ b/drivers/gpu/drm/panel/panel-feiyang-fy07024di26a30d.c +@@ -204,7 +204,8 @@ static int feiyang_dsi_probe(struct mipi_dsi_device *dsi) + mipi_dsi_set_drvdata(dsi, ctx); + ctx->dsi = dsi; + +- drm_panel_init(&ctx->panel, &dsi->dev, &feiyang_funcs); ++ drm_panel_init(&ctx->panel, &dsi->dev, &feiyang_funcs, ++ DRM_MODE_CONNECTOR_DSI); + + ctx->dvdd = devm_regulator_get(&dsi->dev, "dvdd"); + if (IS_ERR(ctx->dvdd)) { +diff --git a/drivers/gpu/drm/panel/panel-ilitek-ili9322.c b/drivers/gpu/drm/panel/panel-ilitek-ili9322.c +index ad2405baa0ac5..24955bec1958b 100644 +--- a/drivers/gpu/drm/panel/panel-ilitek-ili9322.c ++++ b/drivers/gpu/drm/panel/panel-ilitek-ili9322.c +@@ -895,7 +895,8 @@ static int ili9322_probe(struct spi_device *spi) + ili->input = ili->conf->input; + } + +- drm_panel_init(&ili->panel, dev, 
&ili9322_drm_funcs); ++ drm_panel_init(&ili->panel, dev, &ili9322_drm_funcs, ++ DRM_MODE_CONNECTOR_DPI); + + return drm_panel_add(&ili->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c b/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c +index 1d714f961c009..e8789e460a169 100644 +--- a/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c ++++ b/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c +@@ -433,7 +433,8 @@ static int ili9881c_dsi_probe(struct mipi_dsi_device *dsi) + mipi_dsi_set_drvdata(dsi, ctx); + ctx->dsi = dsi; + +- drm_panel_init(&ctx->panel, &dsi->dev, &ili9881c_funcs); ++ drm_panel_init(&ctx->panel, &dsi->dev, &ili9881c_funcs, ++ DRM_MODE_CONNECTOR_DSI); + + ctx->power = devm_regulator_get(&dsi->dev, "power"); + if (IS_ERR(ctx->power)) { +diff --git a/drivers/gpu/drm/panel/panel-innolux-p079zca.c b/drivers/gpu/drm/panel/panel-innolux-p079zca.c +index 8f3647804a1e4..327fca97977ee 100644 +--- a/drivers/gpu/drm/panel/panel-innolux-p079zca.c ++++ b/drivers/gpu/drm/panel/panel-innolux-p079zca.c +@@ -487,7 +487,8 @@ static int innolux_panel_add(struct mipi_dsi_device *dsi, + if (IS_ERR(innolux->backlight)) + return PTR_ERR(innolux->backlight); + +- drm_panel_init(&innolux->base, dev, &innolux_panel_funcs); ++ drm_panel_init(&innolux->base, dev, &innolux_panel_funcs, ++ DRM_MODE_CONNECTOR_DSI); + + err = drm_panel_add(&innolux->base); + if (err < 0) +diff --git a/drivers/gpu/drm/panel/panel-jdi-lt070me05000.c b/drivers/gpu/drm/panel/panel-jdi-lt070me05000.c +index 7bfdbfbc868ed..56364a93f0b81 100644 +--- a/drivers/gpu/drm/panel/panel-jdi-lt070me05000.c ++++ b/drivers/gpu/drm/panel/panel-jdi-lt070me05000.c +@@ -437,7 +437,8 @@ static int jdi_panel_add(struct jdi_panel *jdi) + return ret; + } + +- drm_panel_init(&jdi->base, &jdi->dsi->dev, &jdi_panel_funcs); ++ drm_panel_init(&jdi->base, &jdi->dsi->dev, &jdi_panel_funcs, ++ DRM_MODE_CONNECTOR_DSI); + + ret = drm_panel_add(&jdi->base); + +diff --git a/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c 
b/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c +index bb131749a0b92..2c576e7eee72f 100644 +--- a/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c ++++ b/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c +@@ -392,7 +392,7 @@ static int kingdisplay_panel_add(struct kingdisplay_panel *kingdisplay) + return PTR_ERR(kingdisplay->backlight); + + drm_panel_init(&kingdisplay->base, &kingdisplay->link->dev, +- &kingdisplay_panel_funcs); ++ &kingdisplay_panel_funcs, DRM_MODE_CONNECTOR_DSI); + + return drm_panel_add(&kingdisplay->base); + } +diff --git a/drivers/gpu/drm/panel/panel-lg-lb035q02.c b/drivers/gpu/drm/panel/panel-lg-lb035q02.c +index c7b9b47849bb8..7a1385e834f0e 100644 +--- a/drivers/gpu/drm/panel/panel-lg-lb035q02.c ++++ b/drivers/gpu/drm/panel/panel-lg-lb035q02.c +@@ -196,7 +196,8 @@ static int lb035q02_probe(struct spi_device *spi) + if (ret < 0) + return ret; + +- drm_panel_init(&lcd->panel, &lcd->spi->dev, &lb035q02_funcs); ++ drm_panel_init(&lcd->panel, &lcd->spi->dev, &lb035q02_funcs, ++ DRM_MODE_CONNECTOR_DPI); + + return drm_panel_add(&lcd->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-lg-lg4573.c b/drivers/gpu/drm/panel/panel-lg-lg4573.c +index 608f2de91662d..db4865a4c2b98 100644 +--- a/drivers/gpu/drm/panel/panel-lg-lg4573.c ++++ b/drivers/gpu/drm/panel/panel-lg-lg4573.c +@@ -259,7 +259,8 @@ static int lg4573_probe(struct spi_device *spi) + return ret; + } + +- drm_panel_init(&ctx->panel, &spi->dev, &lg4573_drm_funcs); ++ drm_panel_init(&ctx->panel, &spi->dev, &lg4573_drm_funcs, ++ DRM_MODE_CONNECTOR_DPI); + + return drm_panel_add(&ctx->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-lvds.c b/drivers/gpu/drm/panel/panel-lvds.c +index ff1e305d56a02..2405f26e5d31f 100644 +--- a/drivers/gpu/drm/panel/panel-lvds.c ++++ b/drivers/gpu/drm/panel/panel-lvds.c +@@ -254,7 +254,8 @@ static int panel_lvds_probe(struct platform_device *pdev) + */ + + /* Register the panel. 
*/ +- drm_panel_init(&lvds->panel, lvds->dev, &panel_lvds_funcs); ++ drm_panel_init(&lvds->panel, lvds->dev, &panel_lvds_funcs, ++ DRM_MODE_CONNECTOR_LVDS); + + ret = drm_panel_add(&lvds->panel); + if (ret < 0) +diff --git a/drivers/gpu/drm/panel/panel-nec-nl8048hl11.c b/drivers/gpu/drm/panel/panel-nec-nl8048hl11.c +index 272a1434e1558..fd593532ab23c 100644 +--- a/drivers/gpu/drm/panel/panel-nec-nl8048hl11.c ++++ b/drivers/gpu/drm/panel/panel-nec-nl8048hl11.c +@@ -205,7 +205,8 @@ static int nl8048_probe(struct spi_device *spi) + if (ret < 0) + return ret; + +- drm_panel_init(&lcd->panel, &lcd->spi->dev, &nl8048_funcs); ++ drm_panel_init(&lcd->panel, &lcd->spi->dev, &nl8048_funcs, ++ DRM_MODE_CONNECTOR_DPI); + + return drm_panel_add(&lcd->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-novatek-nt39016.c b/drivers/gpu/drm/panel/panel-novatek-nt39016.c +index 64cfe111aaadb..60ccedce530c2 100644 +--- a/drivers/gpu/drm/panel/panel-novatek-nt39016.c ++++ b/drivers/gpu/drm/panel/panel-novatek-nt39016.c +@@ -292,7 +292,8 @@ static int nt39016_probe(struct spi_device *spi) + return err; + } + +- drm_panel_init(&panel->drm_panel, dev, &nt39016_funcs); ++ drm_panel_init(&panel->drm_panel, dev, &nt39016_funcs, ++ DRM_MODE_CONNECTOR_DPI); + + err = drm_panel_add(&panel->drm_panel); + if (err < 0) { +diff --git a/drivers/gpu/drm/panel/panel-olimex-lcd-olinuxino.c b/drivers/gpu/drm/panel/panel-olimex-lcd-olinuxino.c +index f2d6a4ec00467..f2a72ee6ee07d 100644 +--- a/drivers/gpu/drm/panel/panel-olimex-lcd-olinuxino.c ++++ b/drivers/gpu/drm/panel/panel-olimex-lcd-olinuxino.c +@@ -288,7 +288,8 @@ static int lcd_olinuxino_probe(struct i2c_client *client, + if (IS_ERR(lcd->backlight)) + return PTR_ERR(lcd->backlight); + +- drm_panel_init(&lcd->panel, dev, &lcd_olinuxino_funcs); ++ drm_panel_init(&lcd->panel, dev, &lcd_olinuxino_funcs, ++ DRM_MODE_CONNECTOR_DPI); + + return drm_panel_add(&lcd->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c 
b/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c +index 5aacd632c6f69..938826f326658 100644 +--- a/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c ++++ b/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c +@@ -455,7 +455,8 @@ static int otm8009a_probe(struct mipi_dsi_device *dsi) + dsi->mode_flags = MIPI_DSI_MODE_VIDEO | MIPI_DSI_MODE_VIDEO_BURST | + MIPI_DSI_MODE_LPM; + +- drm_panel_init(&ctx->panel, dev, &otm8009a_drm_funcs); ++ drm_panel_init(&ctx->panel, dev, &otm8009a_drm_funcs, ++ DRM_MODE_CONNECTOR_DSI); + + ctx->bl_dev = devm_backlight_device_register(dev, dev_name(dev), + dev, ctx, +diff --git a/drivers/gpu/drm/panel/panel-osd-osd101t2587-53ts.c b/drivers/gpu/drm/panel/panel-osd-osd101t2587-53ts.c +index 38f114b03b897..2b40913899d88 100644 +--- a/drivers/gpu/drm/panel/panel-osd-osd101t2587-53ts.c ++++ b/drivers/gpu/drm/panel/panel-osd-osd101t2587-53ts.c +@@ -167,7 +167,7 @@ static int osd101t2587_panel_add(struct osd101t2587_panel *osd101t2587) + return PTR_ERR(osd101t2587->backlight); + + drm_panel_init(&osd101t2587->base, &osd101t2587->dsi->dev, +- &osd101t2587_panel_funcs); ++ &osd101t2587_panel_funcs, DRM_MODE_CONNECTOR_DSI); + + return drm_panel_add(&osd101t2587->base); + } +diff --git a/drivers/gpu/drm/panel/panel-panasonic-vvx10f034n00.c b/drivers/gpu/drm/panel/panel-panasonic-vvx10f034n00.c +index 6035bf4580744..664605071d342 100644 +--- a/drivers/gpu/drm/panel/panel-panasonic-vvx10f034n00.c ++++ b/drivers/gpu/drm/panel/panel-panasonic-vvx10f034n00.c +@@ -224,7 +224,7 @@ static int wuxga_nt_panel_add(struct wuxga_nt_panel *wuxga_nt) + } + + drm_panel_init(&wuxga_nt->base, &wuxga_nt->dsi->dev, +- &wuxga_nt_panel_funcs); ++ &wuxga_nt_panel_funcs, DRM_MODE_CONNECTOR_DSI); + + ret = drm_panel_add(&wuxga_nt->base); + if (ret < 0) +diff --git a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c +index cded730f29ad2..2ccb74debc8ab 100644 +--- 
a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c ++++ b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c +@@ -433,7 +433,8 @@ static int rpi_touchscreen_probe(struct i2c_client *i2c, + return PTR_ERR(ts->dsi); + } + +- drm_panel_init(&ts->base, dev, &rpi_touchscreen_funcs); ++ drm_panel_init(&ts->base, dev, &rpi_touchscreen_funcs, ++ DRM_MODE_CONNECTOR_DSI); + + /* This appears last, as it's what will unblock the DSI host + * driver's component bind function. +diff --git a/drivers/gpu/drm/panel/panel-raydium-rm67191.c b/drivers/gpu/drm/panel/panel-raydium-rm67191.c +index f82a1f69f13ba..fd67fc6185c4f 100644 +--- a/drivers/gpu/drm/panel/panel-raydium-rm67191.c ++++ b/drivers/gpu/drm/panel/panel-raydium-rm67191.c +@@ -606,7 +606,8 @@ static int rad_panel_probe(struct mipi_dsi_device *dsi) + if (ret) + return ret; + +- drm_panel_init(&panel->panel, dev, &rad_panel_funcs); ++ drm_panel_init(&panel->panel, dev, &rad_panel_funcs, ++ DRM_MODE_CONNECTOR_DSI); + dev_set_drvdata(dev, panel); + + ret = drm_panel_add(&panel->panel); +diff --git a/drivers/gpu/drm/panel/panel-raydium-rm68200.c b/drivers/gpu/drm/panel/panel-raydium-rm68200.c +index f004b78fb8bc9..994e855721f4b 100644 +--- a/drivers/gpu/drm/panel/panel-raydium-rm68200.c ++++ b/drivers/gpu/drm/panel/panel-raydium-rm68200.c +@@ -404,7 +404,8 @@ static int rm68200_probe(struct mipi_dsi_device *dsi) + dsi->mode_flags = MIPI_DSI_MODE_VIDEO | MIPI_DSI_MODE_VIDEO_BURST | + MIPI_DSI_MODE_LPM; + +- drm_panel_init(&ctx->panel, dev, &rm68200_drm_funcs); ++ drm_panel_init(&ctx->panel, dev, &rm68200_drm_funcs, ++ DRM_MODE_CONNECTOR_DSI); + + drm_panel_add(&ctx->panel); + +diff --git a/drivers/gpu/drm/panel/panel-rocktech-jh057n00900.c b/drivers/gpu/drm/panel/panel-rocktech-jh057n00900.c +index d7f56374f2f17..31234b79d3b1a 100644 +--- a/drivers/gpu/drm/panel/panel-rocktech-jh057n00900.c ++++ b/drivers/gpu/drm/panel/panel-rocktech-jh057n00900.c +@@ -343,7 +343,8 @@ static int jh057n_probe(struct mipi_dsi_device *dsi) 
+ return ret; + } + +- drm_panel_init(&ctx->panel, dev, &jh057n_drm_funcs); ++ drm_panel_init(&ctx->panel, dev, &jh057n_drm_funcs, ++ DRM_MODE_CONNECTOR_DSI); + + drm_panel_add(&ctx->panel); + +diff --git a/drivers/gpu/drm/panel/panel-ronbo-rb070d30.c b/drivers/gpu/drm/panel/panel-ronbo-rb070d30.c +index 8708fbbe76376..170a5cda21b93 100644 +--- a/drivers/gpu/drm/panel/panel-ronbo-rb070d30.c ++++ b/drivers/gpu/drm/panel/panel-ronbo-rb070d30.c +@@ -173,7 +173,8 @@ static int rb070d30_panel_dsi_probe(struct mipi_dsi_device *dsi) + mipi_dsi_set_drvdata(dsi, ctx); + ctx->dsi = dsi; + +- drm_panel_init(&ctx->panel, &dsi->dev, &rb070d30_panel_funcs); ++ drm_panel_init(&ctx->panel, &dsi->dev, &rb070d30_panel_funcs, ++ DRM_MODE_CONNECTOR_DSI); + + ctx->gpios.reset = devm_gpiod_get(&dsi->dev, "reset", GPIOD_OUT_LOW); + if (IS_ERR(ctx->gpios.reset)) { +diff --git a/drivers/gpu/drm/panel/panel-samsung-ld9040.c b/drivers/gpu/drm/panel/panel-samsung-ld9040.c +index 71a292dbec478..250809ba37c7e 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-ld9040.c ++++ b/drivers/gpu/drm/panel/panel-samsung-ld9040.c +@@ -351,7 +351,8 @@ static int ld9040_probe(struct spi_device *spi) + return ret; + } + +- drm_panel_init(&ctx->panel, dev, &ld9040_drm_funcs); ++ drm_panel_init(&ctx->panel, dev, &ld9040_drm_funcs, ++ DRM_MODE_CONNECTOR_DPI); + + return drm_panel_add(&ctx->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-samsung-s6d16d0.c b/drivers/gpu/drm/panel/panel-samsung-s6d16d0.c +index 4d25c96e842cf..e3a0397e953ee 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-s6d16d0.c ++++ b/drivers/gpu/drm/panel/panel-samsung-s6d16d0.c +@@ -215,7 +215,8 @@ static int s6d16d0_probe(struct mipi_dsi_device *dsi) + return ret; + } + +- drm_panel_init(&s6->panel, dev, &s6d16d0_drm_funcs); ++ drm_panel_init(&s6->panel, dev, &s6d16d0_drm_funcs, ++ DRM_MODE_CONNECTOR_DSI); + + ret = drm_panel_add(&s6->panel); + if (ret < 0) +diff --git a/drivers/gpu/drm/panel/panel-samsung-s6e3ha2.c 
b/drivers/gpu/drm/panel/panel-samsung-s6e3ha2.c +index 42a3aaab49eb4..938ab72c55404 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-s6e3ha2.c ++++ b/drivers/gpu/drm/panel/panel-samsung-s6e3ha2.c +@@ -732,7 +732,8 @@ static int s6e3ha2_probe(struct mipi_dsi_device *dsi) + ctx->bl_dev->props.brightness = S6E3HA2_DEFAULT_BRIGHTNESS; + ctx->bl_dev->props.power = FB_BLANK_POWERDOWN; + +- drm_panel_init(&ctx->panel, dev, &s6e3ha2_drm_funcs); ++ drm_panel_init(&ctx->panel, dev, &s6e3ha2_drm_funcs, ++ DRM_MODE_CONNECTOR_DSI); + + ret = drm_panel_add(&ctx->panel); + if (ret < 0) +diff --git a/drivers/gpu/drm/panel/panel-samsung-s6e63j0x03.c b/drivers/gpu/drm/panel/panel-samsung-s6e63j0x03.c +index b4d879bf4d03d..a60635e9226da 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-s6e63j0x03.c ++++ b/drivers/gpu/drm/panel/panel-samsung-s6e63j0x03.c +@@ -466,7 +466,8 @@ static int s6e63j0x03_probe(struct mipi_dsi_device *dsi) + return PTR_ERR(ctx->reset_gpio); + } + +- drm_panel_init(&ctx->panel, dev, &s6e63j0x03_funcs); ++ drm_panel_init(&ctx->panel, dev, &s6e63j0x03_funcs, ++ DRM_MODE_CONNECTOR_DSI); + + ctx->bl_dev = backlight_device_register("s6e63j0x03", dev, ctx, + &s6e63j0x03_bl_ops, NULL); +diff --git a/drivers/gpu/drm/panel/panel-samsung-s6e63m0.c b/drivers/gpu/drm/panel/panel-samsung-s6e63m0.c +index 61259c2833ab8..ba01af0b14fd3 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-s6e63m0.c ++++ b/drivers/gpu/drm/panel/panel-samsung-s6e63m0.c +@@ -473,7 +473,8 @@ static int s6e63m0_probe(struct spi_device *spi) + return ret; + } + +- drm_panel_init(&ctx->panel, dev, &s6e63m0_drm_funcs); ++ drm_panel_init(&ctx->panel, dev, &s6e63m0_drm_funcs, ++ DRM_MODE_CONNECTOR_DPI); + + ret = s6e63m0_backlight_register(ctx); + if (ret < 0) +diff --git a/drivers/gpu/drm/panel/panel-samsung-s6e8aa0.c b/drivers/gpu/drm/panel/panel-samsung-s6e8aa0.c +index 35dbffabd5267..dbced65012045 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-s6e8aa0.c ++++ 
b/drivers/gpu/drm/panel/panel-samsung-s6e8aa0.c +@@ -1017,7 +1017,8 @@ static int s6e8aa0_probe(struct mipi_dsi_device *dsi) + + ctx->brightness = GAMMA_LEVEL_NUM - 1; + +- drm_panel_init(&ctx->panel, dev, &s6e8aa0_drm_funcs); ++ drm_panel_init(&ctx->panel, dev, &s6e8aa0_drm_funcs, ++ DRM_MODE_CONNECTOR_DSI); + + ret = drm_panel_add(&ctx->panel); + if (ret < 0) +diff --git a/drivers/gpu/drm/panel/panel-seiko-43wvf1g.c b/drivers/gpu/drm/panel/panel-seiko-43wvf1g.c +index 0833d0c03adc9..b3619ba443bd2 100644 +--- a/drivers/gpu/drm/panel/panel-seiko-43wvf1g.c ++++ b/drivers/gpu/drm/panel/panel-seiko-43wvf1g.c +@@ -274,7 +274,8 @@ static int seiko_panel_probe(struct device *dev, + return -EPROBE_DEFER; + } + +- drm_panel_init(&panel->base, dev, &seiko_panel_funcs); ++ drm_panel_init(&panel->base, dev, &seiko_panel_funcs, ++ DRM_MODE_CONNECTOR_DPI); + + err = drm_panel_add(&panel->base); + if (err < 0) +diff --git a/drivers/gpu/drm/panel/panel-sharp-lq101r1sx01.c b/drivers/gpu/drm/panel/panel-sharp-lq101r1sx01.c +index 87a58cb4d9455..5e136c3ba1850 100644 +--- a/drivers/gpu/drm/panel/panel-sharp-lq101r1sx01.c ++++ b/drivers/gpu/drm/panel/panel-sharp-lq101r1sx01.c +@@ -329,7 +329,8 @@ static int sharp_panel_add(struct sharp_panel *sharp) + if (IS_ERR(sharp->backlight)) + return PTR_ERR(sharp->backlight); + +- drm_panel_init(&sharp->base, &sharp->link1->dev, &sharp_panel_funcs); ++ drm_panel_init(&sharp->base, &sharp->link1->dev, &sharp_panel_funcs, ++ DRM_MODE_CONNECTOR_DSI); + + return drm_panel_add(&sharp->base); + } +diff --git a/drivers/gpu/drm/panel/panel-sharp-ls037v7dw01.c b/drivers/gpu/drm/panel/panel-sharp-ls037v7dw01.c +index 96e3deb0e305c..eeab7998c7de4 100644 +--- a/drivers/gpu/drm/panel/panel-sharp-ls037v7dw01.c ++++ b/drivers/gpu/drm/panel/panel-sharp-ls037v7dw01.c +@@ -185,7 +185,8 @@ static int ls037v7dw01_probe(struct platform_device *pdev) + return PTR_ERR(lcd->ud_gpio); + } + +- drm_panel_init(&lcd->panel, &pdev->dev, &ls037v7dw01_funcs); ++ 
drm_panel_init(&lcd->panel, &pdev->dev, &ls037v7dw01_funcs, ++ DRM_MODE_CONNECTOR_DPI); + + return drm_panel_add(&lcd->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c b/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c +index ffa844ee82ad4..b963ba4ab5898 100644 +--- a/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c ++++ b/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c +@@ -265,7 +265,7 @@ static int sharp_nt_panel_add(struct sharp_nt_panel *sharp_nt) + return PTR_ERR(sharp_nt->backlight); + + drm_panel_init(&sharp_nt->base, &sharp_nt->dsi->dev, +- &sharp_nt_panel_funcs); ++ &sharp_nt_panel_funcs, DRM_MODE_CONNECTOR_DSI); + + return drm_panel_add(&sharp_nt->base); + } +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 156bd4d551dc3..af71365fb99b3 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -94,6 +94,7 @@ struct panel_desc { + + u32 bus_format; + u32 bus_flags; ++ int connector_type; + }; + + struct panel_simple { +@@ -464,7 +465,8 @@ static int panel_simple_probe(struct device *dev, const struct panel_desc *desc) + if (!of_get_display_timing(dev->of_node, "panel-timing", &dt)) + panel_simple_parse_panel_timing_node(dev, panel, &dt); + +- drm_panel_init(&panel->base, dev, &panel_simple_funcs); ++ drm_panel_init(&panel->base, dev, &panel_simple_funcs, ++ desc->connector_type); + + err = drm_panel_add(&panel->base); + if (err < 0) +@@ -831,6 +833,7 @@ static const struct panel_desc auo_g133han01 = { + .unprepare = 1000, + }, + .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_JEIDA, ++ .connector_type = DRM_MODE_CONNECTOR_LVDS, + }; + + static const struct display_timing auo_g185han01_timings = { +@@ -860,6 +863,7 @@ static const struct panel_desc auo_g185han01 = { + .unprepare = 1000, + }, + .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG, ++ .connector_type = DRM_MODE_CONNECTOR_LVDS, + }; + + static const struct display_timing auo_p320hvn03_timings = { 
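Review bot: In panel-simple.c the new `connector_type` member of `struct panel_desc` is read unconditionally in `panel_simple_probe()` (`desc->connector_type`), but this patch sets it only on the LVDS descriptors, so every other descriptor hands a zero-initialised value to `drm_panel_init()`. Zero presumably corresponds to DRM_MODE_CONNECTOR_Unknown, which should be confirmed against the uapi header. If that fallback is intended, the field deserves a comment saying so, e.g. `int connector_type; /* DRM_MODE_CONNECTOR_*; 0 when the descriptor does not set it */`. Both `struct panel_desc` and `panel_simple_probe()` extend beyond the hunks shown.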
+@@ -888,6 +892,7 @@ static const struct panel_desc auo_p320hvn03 = {
+ .unprepare = 500,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+ static const struct drm_display_mode auo_t215hvn01_mode = {
+@@ -1203,6 +1208,7 @@ static const struct panel_desc dlc_dlc0700yzg_1 = {
+ .disable = 200,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+ static const struct display_timing dlc_dlc1010gig_timing = {
+@@ -1233,6 +1239,7 @@ static const struct panel_desc dlc_dlc1010gig = {
+ .unprepare = 60,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+ static const struct drm_display_mode edt_et035012dm6_mode = {
+@@ -1499,6 +1506,7 @@ static const struct panel_desc hannstar_hsd070pww1 = {
+ .height = 94,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+ static const struct display_timing hannstar_hsd100pxn1_timing = {
+@@ -1523,6 +1531,7 @@ static const struct panel_desc hannstar_hsd100pxn1 = {
+ .height = 152,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+ static const struct drm_display_mode hitachi_tx23d38vm0caa_mode = {
+@@ -1629,6 +1638,7 @@ static const struct panel_desc innolux_g070y2_l01 = {
+ .unprepare = 800,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+ static const struct display_timing innolux_g101ice_l01_timing = {
+@@ -1657,6 +1667,7 @@ static const struct panel_desc innolux_g101ice_l01 = {
+ .disable = 200,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+ static const struct display_timing innolux_g121i1_l01_timing = {
+@@ -1684,6 +1695,7 @@ static const struct panel_desc innolux_g121i1_l01 = {
+ .disable = 20,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+ static const struct drm_display_mode innolux_g121x1_l03_mode = {
+@@ -1867,6 +1879,7 @@ static const struct panel_desc koe_tx31d200vm0baa = {
+ .height = 109,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+ static const struct display_timing kyo_tcg121xglp_timing = {
+@@ -1891,6 +1904,7 @@ static const struct panel_desc kyo_tcg121xglp = {
+ .height = 184,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+ static const struct drm_display_mode lemaker_bl035_rgb_002_mode = {
+@@ -1939,6 +1953,7 @@ static const struct panel_desc lg_lb070wv8 = {
+ .height = 91,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+ static const struct drm_display_mode lg_lp079qx1_sp0v_mode = {
+@@ -2095,6 +2110,7 @@ static const struct panel_desc mitsubishi_aa070mc01 = {
+ .disable = 400,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ .bus_flags = DRM_BUS_FLAG_DE_HIGH,
+ };
+
+@@ -2123,6 +2139,7 @@ static const struct panel_desc nec_nl12880bc20_05 = {
+ .disable = 50,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+ static const struct drm_display_mode nec_nl4827hc19_05b_mode = {
+@@ -2225,6 +2242,7 @@ static const struct panel_desc nlt_nl192108ac18_02d = {
+ .unprepare = 500,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+ static const struct drm_display_mode nvd_9128_mode = {
+@@ -2248,6 +2266,7 @@ static const struct panel_desc nvd_9128 = {
+ .height = 88,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG,
++ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+ static const struct display_timing okaya_rs800480t_7x0gp_timing = {
+@@ -2660,6 +2679,7 @@
static const struct panel_desc sharp_lq101k1ly04 = { + .height = 136, + }, + .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_JEIDA, ++ .connector_type = DRM_MODE_CONNECTOR_LVDS, + }; + + static const struct display_timing sharp_lq123p1jx31_timing = { +@@ -2839,6 +2859,7 @@ static const struct panel_desc tianma_tm070jdhg30 = { + .height = 95, + }, + .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG, ++ .connector_type = DRM_MODE_CONNECTOR_LVDS, + }; + + static const struct display_timing tianma_tm070rvhg71_timing = { +@@ -2863,6 +2884,7 @@ static const struct panel_desc tianma_tm070rvhg71 = { + .height = 86, + }, + .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG, ++ .connector_type = DRM_MODE_CONNECTOR_LVDS, + }; + + static const struct drm_display_mode ti_nspire_cx_lcd_mode[] = { +@@ -2945,6 +2967,7 @@ static const struct panel_desc toshiba_lt089ac29000 = { + }, + .bus_format = MEDIA_BUS_FMT_RGB888_1X24, + .bus_flags = DRM_BUS_FLAG_DE_HIGH | DRM_BUS_FLAG_PIXDATA_DRIVE_POSEDGE, ++ .connector_type = DRM_MODE_CONNECTOR_LVDS, + }; + + static const struct drm_display_mode tpk_f07a_0102_mode = { +@@ -3015,6 +3038,7 @@ static const struct panel_desc urt_umsh_8596md_lvds = { + .height = 91, + }, + .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG, ++ .connector_type = DRM_MODE_CONNECTOR_LVDS, + }; + + static const struct panel_desc urt_umsh_8596md_parallel = { +diff --git a/drivers/gpu/drm/panel/panel-sitronix-st7701.c b/drivers/gpu/drm/panel/panel-sitronix-st7701.c +index 77a3f6b9aec1d..1d2fd6cc66740 100644 +--- a/drivers/gpu/drm/panel/panel-sitronix-st7701.c ++++ b/drivers/gpu/drm/panel/panel-sitronix-st7701.c +@@ -369,7 +369,8 @@ static int st7701_dsi_probe(struct mipi_dsi_device *dsi) + if (IS_ERR(st7701->backlight)) + return PTR_ERR(st7701->backlight); + +- drm_panel_init(&st7701->panel, &dsi->dev, &st7701_funcs); ++ drm_panel_init(&st7701->panel, &dsi->dev, &st7701_funcs, ++ DRM_MODE_CONNECTOR_DSI); + + /** + * Once sleep out has been issued, ST7701 IC required to wait 120ms +diff 
--git a/drivers/gpu/drm/panel/panel-sitronix-st7789v.c b/drivers/gpu/drm/panel/panel-sitronix-st7789v.c +index 2eeaeee0dd7f3..108a85bb66672 100644 +--- a/drivers/gpu/drm/panel/panel-sitronix-st7789v.c ++++ b/drivers/gpu/drm/panel/panel-sitronix-st7789v.c +@@ -381,7 +381,8 @@ static int st7789v_probe(struct spi_device *spi) + spi_set_drvdata(spi, ctx); + ctx->spi = spi; + +- drm_panel_init(&ctx->panel, &spi->dev, &st7789v_drm_funcs); ++ drm_panel_init(&ctx->panel, &spi->dev, &st7789v_drm_funcs, ++ DRM_MODE_CONNECTOR_DPI); + + ctx->power = devm_regulator_get(&spi->dev, "power"); + if (IS_ERR(ctx->power)) +diff --git a/drivers/gpu/drm/panel/panel-sony-acx565akm.c b/drivers/gpu/drm/panel/panel-sony-acx565akm.c +index 1e39067387a61..d6387d8f88a3f 100644 +--- a/drivers/gpu/drm/panel/panel-sony-acx565akm.c ++++ b/drivers/gpu/drm/panel/panel-sony-acx565akm.c +@@ -648,7 +648,8 @@ static int acx565akm_probe(struct spi_device *spi) + return ret; + } + +- drm_panel_init(&lcd->panel, &lcd->spi->dev, &acx565akm_funcs); ++ drm_panel_init(&lcd->panel, &lcd->spi->dev, &acx565akm_funcs, ++ DRM_MODE_CONNECTOR_DPI); + + ret = drm_panel_add(&lcd->panel); + if (ret < 0) { +diff --git a/drivers/gpu/drm/panel/panel-tpo-td028ttec1.c b/drivers/gpu/drm/panel/panel-tpo-td028ttec1.c +index 76cfca89c3c78..c44d6a65c0aa2 100644 +--- a/drivers/gpu/drm/panel/panel-tpo-td028ttec1.c ++++ b/drivers/gpu/drm/panel/panel-tpo-td028ttec1.c +@@ -347,7 +347,8 @@ static int td028ttec1_probe(struct spi_device *spi) + return ret; + } + +- drm_panel_init(&lcd->panel, &lcd->spi->dev, &td028ttec1_funcs); ++ drm_panel_init(&lcd->panel, &lcd->spi->dev, &td028ttec1_funcs, ++ DRM_MODE_CONNECTOR_DPI); + + return drm_panel_add(&lcd->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-tpo-td043mtea1.c b/drivers/gpu/drm/panel/panel-tpo-td043mtea1.c +index afd7c5ed53c45..621b65feec070 100644 +--- a/drivers/gpu/drm/panel/panel-tpo-td043mtea1.c ++++ b/drivers/gpu/drm/panel/panel-tpo-td043mtea1.c +@@ -458,7 +458,8 @@ static 
int td043mtea1_probe(struct spi_device *spi) + return ret; + } + +- drm_panel_init(&lcd->panel, &lcd->spi->dev, &td043mtea1_funcs); ++ drm_panel_init(&lcd->panel, &lcd->spi->dev, &td043mtea1_funcs, ++ DRM_MODE_CONNECTOR_DPI); + + ret = drm_panel_add(&lcd->panel); + if (ret < 0) { +diff --git a/drivers/gpu/drm/panel/panel-tpo-tpg110.c b/drivers/gpu/drm/panel/panel-tpo-tpg110.c +index 25524c26b241b..1a5418ae2ccf3 100644 +--- a/drivers/gpu/drm/panel/panel-tpo-tpg110.c ++++ b/drivers/gpu/drm/panel/panel-tpo-tpg110.c +@@ -457,7 +457,8 @@ static int tpg110_probe(struct spi_device *spi) + if (ret) + return ret; + +- drm_panel_init(&tpg->panel, dev, &tpg110_drm_funcs); ++ drm_panel_init(&tpg->panel, dev, &tpg110_drm_funcs, ++ DRM_MODE_CONNECTOR_DPI); + spi_set_drvdata(spi, tpg); + + return drm_panel_add(&tpg->panel); +diff --git a/drivers/gpu/drm/panel/panel-truly-nt35597.c b/drivers/gpu/drm/panel/panel-truly-nt35597.c +index c3714be788375..0feea2456e14b 100644 +--- a/drivers/gpu/drm/panel/panel-truly-nt35597.c ++++ b/drivers/gpu/drm/panel/panel-truly-nt35597.c +@@ -518,7 +518,8 @@ static int truly_nt35597_panel_add(struct truly_nt35597 *ctx) + /* dual port */ + gpiod_set_value(ctx->mode_gpio, 0); + +- drm_panel_init(&ctx->panel, dev, &truly_nt35597_drm_funcs); ++ drm_panel_init(&ctx->panel, dev, &truly_nt35597_drm_funcs, ++ DRM_MODE_CONNECTOR_DSI); + drm_panel_add(&ctx->panel); + + return 0; +diff --git a/include/drm/drm_panel.h b/include/drm/drm_panel.h +index 4b9c656dc15e3..ce8da64022b43 100644 +--- a/include/drm/drm_panel.h ++++ b/include/drm/drm_panel.h +@@ -139,6 +139,15 @@ struct drm_panel { + */ + const struct drm_panel_funcs *funcs; + ++ /** ++ * @connector_type: ++ * ++ * Type of the panel as a DRM_MODE_CONNECTOR_* value. This is used to ++ * initialise the drm_connector corresponding to the panel with the ++ * correct connector type. 
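Review bot: The context lines of the `truly_nt35597_panel_add()` hunk call `drm_panel_add(&ctx->panel);` and then `return 0;`, discarding the result, while most other probe paths touched by this series either return it directly or test `ret < 0`. The header hunk for drm_panel.h shows the prototype as `int drm_panel_add(struct drm_panel *panel);`, so propagating the value costs one line: `return drm_panel_add(&ctx->panel);`. The same unchecked call is visible in the `jh057n_probe()` and `rm68200_probe()` hunks of the following patch. The function body starts outside the hunk, so any cleanup needed on failure cannot be judged from here.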
++ */ ++ int connector_type; ++ + /** + * @list: + * +@@ -148,7 +157,8 @@ struct drm_panel { + }; + + void drm_panel_init(struct drm_panel *panel, struct device *dev, +- const struct drm_panel_funcs *funcs); ++ const struct drm_panel_funcs *funcs, ++ int connector_type); + + int drm_panel_add(struct drm_panel *panel); + void drm_panel_remove(struct drm_panel *panel); +-- +2.39.2 + diff --git a/tmp-5.4/drm-panel-initialise-panel-dev-and-funcs-through-drm.patch b/tmp-5.4/drm-panel-initialise-panel-dev-and-funcs-through-drm.patch new file mode 100644 index 00000000000..09ae6751e89 --- /dev/null +++ b/tmp-5.4/drm-panel-initialise-panel-dev-and-funcs-through-drm.patch 
@@ -0,0 +1,724 @@ +From f849202961ea5bcb40ab2762d74ce17555110c64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Aug 2019 22:32:43 +0300 +Subject: drm/panel: Initialise panel dev and funcs through drm_panel_init() + +From: Laurent Pinchart + +[ Upstream commit 6dbe0c4b0fc0646442b2b1580d022404e582fd7b ] + +Instead of requiring all drivers to set the dev and funcs fields of +drm_panel manually after calling drm_panel_init(), pass the data as +arguments to the function. This simplifies the panel drivers, and will +help future refactoring when adding new arguments to drm_panel_init(). + +The panel drivers have been updated with the following Coccinelle +semantic patch, with manual inspection to verify that no call to +drm_panel_init() with a single argument still exists. + +@@ +expression panel; +expression device; +identifier ops; +@@ + drm_panel_init(&panel ++ , device, &ops + ); + ... +( +-panel.dev = device; +-panel.funcs = &ops; +| +-panel.funcs = &ops; +-panel.dev = device; +) + +Suggested-by: Sam Ravnborg +Signed-off-by: Laurent Pinchart +Signed-off-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/20190823193245.23876-3-laurent.pinchart@ideasonboard.com +Stable-dep-of: 2c56a751845d ("drm/panel: simple: Add connector_type for innolux_at043tn24") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel.c | 11 ++++++++--- + drivers/gpu/drm/panel/panel-arm-versatile.c | 4 +--- + drivers/gpu/drm/panel/panel-feiyang-fy07024di26a30d.c | 4 +--- + drivers/gpu/drm/panel/panel-ilitek-ili9322.c | 4 +--- + drivers/gpu/drm/panel/panel-ilitek-ili9881c.c | 4 +--- + drivers/gpu/drm/panel/panel-innolux-p079zca.c | 4 +--- + drivers/gpu/drm/panel/panel-jdi-lt070me05000.c | 4 +--- + drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c | 5 ++--- + drivers/gpu/drm/panel/panel-lg-lb035q02.c | 4 +--- + drivers/gpu/drm/panel/panel-lg-lg4573.c | 4 +--- + drivers/gpu/drm/panel/panel-lvds.c | 4 +--- + drivers/gpu/drm/panel/panel-nec-nl8048hl11.c | 4 +--- + 
drivers/gpu/drm/panel/panel-novatek-nt39016.c | 4 +--- + drivers/gpu/drm/panel/panel-olimex-lcd-olinuxino.c | 4 +--- + drivers/gpu/drm/panel/panel-orisetech-otm8009a.c | 4 +--- + drivers/gpu/drm/panel/panel-osd-osd101t2587-53ts.c | 5 ++--- + drivers/gpu/drm/panel/panel-panasonic-vvx10f034n00.c | 5 ++--- + drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c | 4 +--- + drivers/gpu/drm/panel/panel-raydium-rm67191.c | 4 +--- + drivers/gpu/drm/panel/panel-raydium-rm68200.c | 4 +--- + drivers/gpu/drm/panel/panel-rocktech-jh057n00900.c | 4 +--- + drivers/gpu/drm/panel/panel-ronbo-rb070d30.c | 4 +--- + drivers/gpu/drm/panel/panel-samsung-ld9040.c | 4 +--- + drivers/gpu/drm/panel/panel-samsung-s6d16d0.c | 4 +--- + drivers/gpu/drm/panel/panel-samsung-s6e3ha2.c | 4 +--- + drivers/gpu/drm/panel/panel-samsung-s6e63j0x03.c | 4 +--- + drivers/gpu/drm/panel/panel-samsung-s6e63m0.c | 4 +--- + drivers/gpu/drm/panel/panel-samsung-s6e8aa0.c | 4 +--- + drivers/gpu/drm/panel/panel-seiko-43wvf1g.c | 4 +--- + drivers/gpu/drm/panel/panel-sharp-lq101r1sx01.c | 4 +--- + drivers/gpu/drm/panel/panel-sharp-ls037v7dw01.c | 4 +--- + drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c | 5 ++--- + drivers/gpu/drm/panel/panel-simple.c | 4 +--- + drivers/gpu/drm/panel/panel-sitronix-st7701.c | 4 +--- + drivers/gpu/drm/panel/panel-sitronix-st7789v.c | 4 +--- + drivers/gpu/drm/panel/panel-sony-acx565akm.c | 4 +--- + drivers/gpu/drm/panel/panel-tpo-td028ttec1.c | 4 +--- + drivers/gpu/drm/panel/panel-tpo-td043mtea1.c | 4 +--- + drivers/gpu/drm/panel/panel-tpo-tpg110.c | 4 +--- + drivers/gpu/drm/panel/panel-truly-nt35597.c | 4 +--- + include/drm/drm_panel.h | 3 ++- + 41 files changed, 53 insertions(+), 121 deletions(-) + +diff --git a/drivers/gpu/drm/drm_panel.c b/drivers/gpu/drm/drm_panel.c +index 6b0bf42039cfa..ba2fad4c96489 100644 +--- a/drivers/gpu/drm/drm_panel.c ++++ b/drivers/gpu/drm/drm_panel.c +@@ -44,13 +44,18 @@ static LIST_HEAD(panel_list); + /** + * drm_panel_init - initialize a panel + * 
@panel: DRM panel ++ * @dev: parent device of the panel ++ * @funcs: panel operations + * +- * Sets up internal fields of the panel so that it can subsequently be added +- * to the registry. ++ * Initialize the panel structure for subsequent registration with ++ * drm_panel_add(). + */ +-void drm_panel_init(struct drm_panel *panel) ++void drm_panel_init(struct drm_panel *panel, struct device *dev, ++ const struct drm_panel_funcs *funcs) + { + INIT_LIST_HEAD(&panel->list); ++ panel->dev = dev; ++ panel->funcs = funcs; + } + EXPORT_SYMBOL(drm_panel_init); + +diff --git a/drivers/gpu/drm/panel/panel-arm-versatile.c b/drivers/gpu/drm/panel/panel-arm-versatile.c +index 5f72c922a04b1..a4333ed0f20ca 100644 +--- a/drivers/gpu/drm/panel/panel-arm-versatile.c ++++ b/drivers/gpu/drm/panel/panel-arm-versatile.c +@@ -350,9 +350,7 @@ static int versatile_panel_probe(struct platform_device *pdev) + dev_info(dev, "panel mounted on IB2 daughterboard\n"); + } + +- drm_panel_init(&vpanel->panel); +- vpanel->panel.dev = dev; +- vpanel->panel.funcs = &versatile_panel_drm_funcs; ++ drm_panel_init(&vpanel->panel, dev, &versatile_panel_drm_funcs); + + return drm_panel_add(&vpanel->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-feiyang-fy07024di26a30d.c b/drivers/gpu/drm/panel/panel-feiyang-fy07024di26a30d.c +index dabf59e0f56fa..7d5d7455bc01f 100644 +--- a/drivers/gpu/drm/panel/panel-feiyang-fy07024di26a30d.c ++++ b/drivers/gpu/drm/panel/panel-feiyang-fy07024di26a30d.c +@@ -204,9 +204,7 @@ static int feiyang_dsi_probe(struct mipi_dsi_device *dsi) + mipi_dsi_set_drvdata(dsi, ctx); + ctx->dsi = dsi; + +- drm_panel_init(&ctx->panel); +- ctx->panel.dev = &dsi->dev; +- ctx->panel.funcs = &feiyang_funcs; ++ drm_panel_init(&ctx->panel, &dsi->dev, &feiyang_funcs); + + ctx->dvdd = devm_regulator_get(&dsi->dev, "dvdd"); + if (IS_ERR(ctx->dvdd)) { +diff --git a/drivers/gpu/drm/panel/panel-ilitek-ili9322.c b/drivers/gpu/drm/panel/panel-ilitek-ili9322.c +index 3c58f63adbf7e..ad2405baa0ac5 
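Review bot: `drm_panel_init()` now stores `dev` and `funcs` as bare pointers (`panel->dev = dev;` and `panel->funcs = funcs;`) with no reference taken in the lines shown, and the updated kerneldoc does not state the lifetime this imposes on callers. A panel that outlives either object would be left holding dangling pointers, so the comment should spell the requirement out, e.g. by adding `* Only the pointers are stored; @dev and @funcs must remain valid until the panel is removed.` It would also help to document whether a NULL @funcs is acceptable, which cannot be determined from this hunk.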
100644 +--- a/drivers/gpu/drm/panel/panel-ilitek-ili9322.c ++++ b/drivers/gpu/drm/panel/panel-ilitek-ili9322.c +@@ -895,9 +895,7 @@ static int ili9322_probe(struct spi_device *spi) + ili->input = ili->conf->input; + } + +- drm_panel_init(&ili->panel); +- ili->panel.dev = dev; +- ili->panel.funcs = &ili9322_drm_funcs; ++ drm_panel_init(&ili->panel, dev, &ili9322_drm_funcs); + + return drm_panel_add(&ili->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c b/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c +index 3ad4a46c4e945..1d714f961c009 100644 +--- a/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c ++++ b/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c +@@ -433,9 +433,7 @@ static int ili9881c_dsi_probe(struct mipi_dsi_device *dsi) + mipi_dsi_set_drvdata(dsi, ctx); + ctx->dsi = dsi; + +- drm_panel_init(&ctx->panel); +- ctx->panel.dev = &dsi->dev; +- ctx->panel.funcs = &ili9881c_funcs; ++ drm_panel_init(&ctx->panel, &dsi->dev, &ili9881c_funcs); + + ctx->power = devm_regulator_get(&dsi->dev, "power"); + if (IS_ERR(ctx->power)) { +diff --git a/drivers/gpu/drm/panel/panel-innolux-p079zca.c b/drivers/gpu/drm/panel/panel-innolux-p079zca.c +index df90b66079816..8f3647804a1e4 100644 +--- a/drivers/gpu/drm/panel/panel-innolux-p079zca.c ++++ b/drivers/gpu/drm/panel/panel-innolux-p079zca.c +@@ -487,9 +487,7 @@ static int innolux_panel_add(struct mipi_dsi_device *dsi, + if (IS_ERR(innolux->backlight)) + return PTR_ERR(innolux->backlight); + +- drm_panel_init(&innolux->base); +- innolux->base.funcs = &innolux_panel_funcs; +- innolux->base.dev = dev; ++ drm_panel_init(&innolux->base, dev, &innolux_panel_funcs); + + err = drm_panel_add(&innolux->base); + if (err < 0) +diff --git a/drivers/gpu/drm/panel/panel-jdi-lt070me05000.c b/drivers/gpu/drm/panel/panel-jdi-lt070me05000.c +index ff3e89e61e3fc..7bfdbfbc868ed 100644 +--- a/drivers/gpu/drm/panel/panel-jdi-lt070me05000.c ++++ b/drivers/gpu/drm/panel/panel-jdi-lt070me05000.c +@@ -437,9 +437,7 @@ static int 
jdi_panel_add(struct jdi_panel *jdi) + return ret; + } + +- drm_panel_init(&jdi->base); +- jdi->base.funcs = &jdi_panel_funcs; +- jdi->base.dev = &jdi->dsi->dev; ++ drm_panel_init(&jdi->base, &jdi->dsi->dev, &jdi_panel_funcs); + + ret = drm_panel_add(&jdi->base); + +diff --git a/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c b/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c +index 1e7fecab72a9f..bb131749a0b92 100644 +--- a/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c ++++ b/drivers/gpu/drm/panel/panel-kingdisplay-kd097d04.c +@@ -391,9 +391,8 @@ static int kingdisplay_panel_add(struct kingdisplay_panel *kingdisplay) + if (IS_ERR(kingdisplay->backlight)) + return PTR_ERR(kingdisplay->backlight); + +- drm_panel_init(&kingdisplay->base); +- kingdisplay->base.funcs = &kingdisplay_panel_funcs; +- kingdisplay->base.dev = &kingdisplay->link->dev; ++ drm_panel_init(&kingdisplay->base, &kingdisplay->link->dev, ++ &kingdisplay_panel_funcs); + + return drm_panel_add(&kingdisplay->base); + } +diff --git a/drivers/gpu/drm/panel/panel-lg-lb035q02.c b/drivers/gpu/drm/panel/panel-lg-lb035q02.c +index ee4379729a5b8..c7b9b47849bb8 100644 +--- a/drivers/gpu/drm/panel/panel-lg-lb035q02.c ++++ b/drivers/gpu/drm/panel/panel-lg-lb035q02.c +@@ -196,9 +196,7 @@ static int lb035q02_probe(struct spi_device *spi) + if (ret < 0) + return ret; + +- drm_panel_init(&lcd->panel); +- lcd->panel.dev = &lcd->spi->dev; +- lcd->panel.funcs = &lb035q02_funcs; ++ drm_panel_init(&lcd->panel, &lcd->spi->dev, &lb035q02_funcs); + + return drm_panel_add(&lcd->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-lg-lg4573.c b/drivers/gpu/drm/panel/panel-lg-lg4573.c +index 41bf02d122a1f..608f2de91662d 100644 +--- a/drivers/gpu/drm/panel/panel-lg-lg4573.c ++++ b/drivers/gpu/drm/panel/panel-lg-lg4573.c +@@ -259,9 +259,7 @@ static int lg4573_probe(struct spi_device *spi) + return ret; + } + +- drm_panel_init(&ctx->panel); +- ctx->panel.dev = &spi->dev; +- ctx->panel.funcs = &lg4573_drm_funcs; ++ 
drm_panel_init(&ctx->panel, &spi->dev, &lg4573_drm_funcs); + + return drm_panel_add(&ctx->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-lvds.c b/drivers/gpu/drm/panel/panel-lvds.c +index bf5fcc3e53791..ff1e305d56a02 100644 +--- a/drivers/gpu/drm/panel/panel-lvds.c ++++ b/drivers/gpu/drm/panel/panel-lvds.c +@@ -254,9 +254,7 @@ static int panel_lvds_probe(struct platform_device *pdev) + */ + + /* Register the panel. */ +- drm_panel_init(&lvds->panel); +- lvds->panel.dev = lvds->dev; +- lvds->panel.funcs = &panel_lvds_funcs; ++ drm_panel_init(&lvds->panel, lvds->dev, &panel_lvds_funcs); + + ret = drm_panel_add(&lvds->panel); + if (ret < 0) +diff --git a/drivers/gpu/drm/panel/panel-nec-nl8048hl11.c b/drivers/gpu/drm/panel/panel-nec-nl8048hl11.c +index 20f17e46e65da..272a1434e1558 100644 +--- a/drivers/gpu/drm/panel/panel-nec-nl8048hl11.c ++++ b/drivers/gpu/drm/panel/panel-nec-nl8048hl11.c +@@ -205,9 +205,7 @@ static int nl8048_probe(struct spi_device *spi) + if (ret < 0) + return ret; + +- drm_panel_init(&lcd->panel); +- lcd->panel.dev = &lcd->spi->dev; +- lcd->panel.funcs = &nl8048_funcs; ++ drm_panel_init(&lcd->panel, &lcd->spi->dev, &nl8048_funcs); + + return drm_panel_add(&lcd->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-novatek-nt39016.c b/drivers/gpu/drm/panel/panel-novatek-nt39016.c +index 2ad1063b068d5..64cfe111aaadb 100644 +--- a/drivers/gpu/drm/panel/panel-novatek-nt39016.c ++++ b/drivers/gpu/drm/panel/panel-novatek-nt39016.c +@@ -292,9 +292,7 @@ static int nt39016_probe(struct spi_device *spi) + return err; + } + +- drm_panel_init(&panel->drm_panel); +- panel->drm_panel.dev = dev; +- panel->drm_panel.funcs = &nt39016_funcs; ++ drm_panel_init(&panel->drm_panel, dev, &nt39016_funcs); + + err = drm_panel_add(&panel->drm_panel); + if (err < 0) { +diff --git a/drivers/gpu/drm/panel/panel-olimex-lcd-olinuxino.c b/drivers/gpu/drm/panel/panel-olimex-lcd-olinuxino.c +index 2bae1db3ff344..f2d6a4ec00467 100644 +--- 
a/drivers/gpu/drm/panel/panel-olimex-lcd-olinuxino.c ++++ b/drivers/gpu/drm/panel/panel-olimex-lcd-olinuxino.c +@@ -288,9 +288,7 @@ static int lcd_olinuxino_probe(struct i2c_client *client, + if (IS_ERR(lcd->backlight)) + return PTR_ERR(lcd->backlight); + +- drm_panel_init(&lcd->panel); +- lcd->panel.dev = dev; +- lcd->panel.funcs = &lcd_olinuxino_funcs; ++ drm_panel_init(&lcd->panel, dev, &lcd_olinuxino_funcs); + + return drm_panel_add(&lcd->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c b/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c +index 3ee265f1755f4..5aacd632c6f69 100644 +--- a/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c ++++ b/drivers/gpu/drm/panel/panel-orisetech-otm8009a.c +@@ -455,9 +455,7 @@ static int otm8009a_probe(struct mipi_dsi_device *dsi) + dsi->mode_flags = MIPI_DSI_MODE_VIDEO | MIPI_DSI_MODE_VIDEO_BURST | + MIPI_DSI_MODE_LPM; + +- drm_panel_init(&ctx->panel); +- ctx->panel.dev = dev; +- ctx->panel.funcs = &otm8009a_drm_funcs; ++ drm_panel_init(&ctx->panel, dev, &otm8009a_drm_funcs); + + ctx->bl_dev = devm_backlight_device_register(dev, dev_name(dev), + dev, ctx, +diff --git a/drivers/gpu/drm/panel/panel-osd-osd101t2587-53ts.c b/drivers/gpu/drm/panel/panel-osd-osd101t2587-53ts.c +index e0e20ecff916d..38f114b03b897 100644 +--- a/drivers/gpu/drm/panel/panel-osd-osd101t2587-53ts.c ++++ b/drivers/gpu/drm/panel/panel-osd-osd101t2587-53ts.c +@@ -166,9 +166,8 @@ static int osd101t2587_panel_add(struct osd101t2587_panel *osd101t2587) + if (IS_ERR(osd101t2587->backlight)) + return PTR_ERR(osd101t2587->backlight); + +- drm_panel_init(&osd101t2587->base); +- osd101t2587->base.funcs = &osd101t2587_panel_funcs; +- osd101t2587->base.dev = &osd101t2587->dsi->dev; ++ drm_panel_init(&osd101t2587->base, &osd101t2587->dsi->dev, ++ &osd101t2587_panel_funcs); + + return drm_panel_add(&osd101t2587->base); + } +diff --git a/drivers/gpu/drm/panel/panel-panasonic-vvx10f034n00.c b/drivers/gpu/drm/panel/panel-panasonic-vvx10f034n00.c 
+index 3dff0b3f73c23..6035bf4580744 100644 +--- a/drivers/gpu/drm/panel/panel-panasonic-vvx10f034n00.c ++++ b/drivers/gpu/drm/panel/panel-panasonic-vvx10f034n00.c +@@ -223,9 +223,8 @@ static int wuxga_nt_panel_add(struct wuxga_nt_panel *wuxga_nt) + return -EPROBE_DEFER; + } + +- drm_panel_init(&wuxga_nt->base); +- wuxga_nt->base.funcs = &wuxga_nt_panel_funcs; +- wuxga_nt->base.dev = &wuxga_nt->dsi->dev; ++ drm_panel_init(&wuxga_nt->base, &wuxga_nt->dsi->dev, ++ &wuxga_nt_panel_funcs); + + ret = drm_panel_add(&wuxga_nt->base); + if (ret < 0) +diff --git a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c +index a621dd28ff70d..cded730f29ad2 100644 +--- a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c ++++ b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c +@@ -433,9 +433,7 @@ static int rpi_touchscreen_probe(struct i2c_client *i2c, + return PTR_ERR(ts->dsi); + } + +- drm_panel_init(&ts->base); +- ts->base.dev = dev; +- ts->base.funcs = &rpi_touchscreen_funcs; ++ drm_panel_init(&ts->base, dev, &rpi_touchscreen_funcs); + + /* This appears last, as it's what will unblock the DSI host + * driver's component bind function. 
+diff --git a/drivers/gpu/drm/panel/panel-raydium-rm67191.c b/drivers/gpu/drm/panel/panel-raydium-rm67191.c +index 6a5d37006103e..f82a1f69f13ba 100644 +--- a/drivers/gpu/drm/panel/panel-raydium-rm67191.c ++++ b/drivers/gpu/drm/panel/panel-raydium-rm67191.c +@@ -606,9 +606,7 @@ static int rad_panel_probe(struct mipi_dsi_device *dsi) + if (ret) + return ret; + +- drm_panel_init(&panel->panel); +- panel->panel.funcs = &rad_panel_funcs; +- panel->panel.dev = dev; ++ drm_panel_init(&panel->panel, dev, &rad_panel_funcs); + dev_set_drvdata(dev, panel); + + ret = drm_panel_add(&panel->panel); +diff --git a/drivers/gpu/drm/panel/panel-raydium-rm68200.c b/drivers/gpu/drm/panel/panel-raydium-rm68200.c +index ba889625ad435..f004b78fb8bc9 100644 +--- a/drivers/gpu/drm/panel/panel-raydium-rm68200.c ++++ b/drivers/gpu/drm/panel/panel-raydium-rm68200.c +@@ -404,9 +404,7 @@ static int rm68200_probe(struct mipi_dsi_device *dsi) + dsi->mode_flags = MIPI_DSI_MODE_VIDEO | MIPI_DSI_MODE_VIDEO_BURST | + MIPI_DSI_MODE_LPM; + +- drm_panel_init(&ctx->panel); +- ctx->panel.dev = dev; +- ctx->panel.funcs = &rm68200_drm_funcs; ++ drm_panel_init(&ctx->panel, dev, &rm68200_drm_funcs); + + drm_panel_add(&ctx->panel); + +diff --git a/drivers/gpu/drm/panel/panel-rocktech-jh057n00900.c b/drivers/gpu/drm/panel/panel-rocktech-jh057n00900.c +index b9109922397ff..d7f56374f2f17 100644 +--- a/drivers/gpu/drm/panel/panel-rocktech-jh057n00900.c ++++ b/drivers/gpu/drm/panel/panel-rocktech-jh057n00900.c +@@ -343,9 +343,7 @@ static int jh057n_probe(struct mipi_dsi_device *dsi) + return ret; + } + +- drm_panel_init(&ctx->panel); +- ctx->panel.dev = dev; +- ctx->panel.funcs = &jh057n_drm_funcs; ++ drm_panel_init(&ctx->panel, dev, &jh057n_drm_funcs); + + drm_panel_add(&ctx->panel); + +diff --git a/drivers/gpu/drm/panel/panel-ronbo-rb070d30.c b/drivers/gpu/drm/panel/panel-ronbo-rb070d30.c +index 3c15764f0c039..8708fbbe76376 100644 +--- a/drivers/gpu/drm/panel/panel-ronbo-rb070d30.c ++++ 
b/drivers/gpu/drm/panel/panel-ronbo-rb070d30.c +@@ -173,9 +173,7 @@ static int rb070d30_panel_dsi_probe(struct mipi_dsi_device *dsi) + mipi_dsi_set_drvdata(dsi, ctx); + ctx->dsi = dsi; + +- drm_panel_init(&ctx->panel); +- ctx->panel.dev = &dsi->dev; +- ctx->panel.funcs = &rb070d30_panel_funcs; ++ drm_panel_init(&ctx->panel, &dsi->dev, &rb070d30_panel_funcs); + + ctx->gpios.reset = devm_gpiod_get(&dsi->dev, "reset", GPIOD_OUT_LOW); + if (IS_ERR(ctx->gpios.reset)) { +diff --git a/drivers/gpu/drm/panel/panel-samsung-ld9040.c b/drivers/gpu/drm/panel/panel-samsung-ld9040.c +index 3be902dcedc02..71a292dbec478 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-ld9040.c ++++ b/drivers/gpu/drm/panel/panel-samsung-ld9040.c +@@ -351,9 +351,7 @@ static int ld9040_probe(struct spi_device *spi) + return ret; + } + +- drm_panel_init(&ctx->panel); +- ctx->panel.dev = dev; +- ctx->panel.funcs = &ld9040_drm_funcs; ++ drm_panel_init(&ctx->panel, dev, &ld9040_drm_funcs); + + return drm_panel_add(&ctx->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-samsung-s6d16d0.c b/drivers/gpu/drm/panel/panel-samsung-s6d16d0.c +index f75bef24e0504..4d25c96e842cf 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-s6d16d0.c ++++ b/drivers/gpu/drm/panel/panel-samsung-s6d16d0.c +@@ -215,9 +215,7 @@ static int s6d16d0_probe(struct mipi_dsi_device *dsi) + return ret; + } + +- drm_panel_init(&s6->panel); +- s6->panel.dev = dev; +- s6->panel.funcs = &s6d16d0_drm_funcs; ++ drm_panel_init(&s6->panel, dev, &s6d16d0_drm_funcs); + + ret = drm_panel_add(&s6->panel); + if (ret < 0) +diff --git a/drivers/gpu/drm/panel/panel-samsung-s6e3ha2.c b/drivers/gpu/drm/panel/panel-samsung-s6e3ha2.c +index b923de23ed654..42a3aaab49eb4 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-s6e3ha2.c ++++ b/drivers/gpu/drm/panel/panel-samsung-s6e3ha2.c +@@ -732,9 +732,7 @@ static int s6e3ha2_probe(struct mipi_dsi_device *dsi) + ctx->bl_dev->props.brightness = S6E3HA2_DEFAULT_BRIGHTNESS; + ctx->bl_dev->props.power = 
FB_BLANK_POWERDOWN; + +- drm_panel_init(&ctx->panel); +- ctx->panel.dev = dev; +- ctx->panel.funcs = &s6e3ha2_drm_funcs; ++ drm_panel_init(&ctx->panel, dev, &s6e3ha2_drm_funcs); + + ret = drm_panel_add(&ctx->panel); + if (ret < 0) +diff --git a/drivers/gpu/drm/panel/panel-samsung-s6e63j0x03.c b/drivers/gpu/drm/panel/panel-samsung-s6e63j0x03.c +index cd90fa700c493..b4d879bf4d03d 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-s6e63j0x03.c ++++ b/drivers/gpu/drm/panel/panel-samsung-s6e63j0x03.c +@@ -466,9 +466,7 @@ static int s6e63j0x03_probe(struct mipi_dsi_device *dsi) + return PTR_ERR(ctx->reset_gpio); + } + +- drm_panel_init(&ctx->panel); +- ctx->panel.dev = dev; +- ctx->panel.funcs = &s6e63j0x03_funcs; ++ drm_panel_init(&ctx->panel, dev, &s6e63j0x03_funcs); + + ctx->bl_dev = backlight_device_register("s6e63j0x03", dev, ctx, + &s6e63j0x03_bl_ops, NULL); +diff --git a/drivers/gpu/drm/panel/panel-samsung-s6e63m0.c b/drivers/gpu/drm/panel/panel-samsung-s6e63m0.c +index 142d395ea5129..61259c2833ab8 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-s6e63m0.c ++++ b/drivers/gpu/drm/panel/panel-samsung-s6e63m0.c +@@ -473,9 +473,7 @@ static int s6e63m0_probe(struct spi_device *spi) + return ret; + } + +- drm_panel_init(&ctx->panel); +- ctx->panel.dev = dev; +- ctx->panel.funcs = &s6e63m0_drm_funcs; ++ drm_panel_init(&ctx->panel, dev, &s6e63m0_drm_funcs); + + ret = s6e63m0_backlight_register(ctx); + if (ret < 0) +diff --git a/drivers/gpu/drm/panel/panel-samsung-s6e8aa0.c b/drivers/gpu/drm/panel/panel-samsung-s6e8aa0.c +index 81858267723ad..35dbffabd5267 100644 +--- a/drivers/gpu/drm/panel/panel-samsung-s6e8aa0.c ++++ b/drivers/gpu/drm/panel/panel-samsung-s6e8aa0.c +@@ -1017,9 +1017,7 @@ static int s6e8aa0_probe(struct mipi_dsi_device *dsi) + + ctx->brightness = GAMMA_LEVEL_NUM - 1; + +- drm_panel_init(&ctx->panel); +- ctx->panel.dev = dev; +- ctx->panel.funcs = &s6e8aa0_drm_funcs; ++ drm_panel_init(&ctx->panel, dev, &s6e8aa0_drm_funcs); + + ret = 
drm_panel_add(&ctx->panel); + if (ret < 0) +diff --git a/drivers/gpu/drm/panel/panel-seiko-43wvf1g.c b/drivers/gpu/drm/panel/panel-seiko-43wvf1g.c +index 18b22b1294fbc..0833d0c03adc9 100644 +--- a/drivers/gpu/drm/panel/panel-seiko-43wvf1g.c ++++ b/drivers/gpu/drm/panel/panel-seiko-43wvf1g.c +@@ -274,9 +274,7 @@ static int seiko_panel_probe(struct device *dev, + return -EPROBE_DEFER; + } + +- drm_panel_init(&panel->base); +- panel->base.dev = dev; +- panel->base.funcs = &seiko_panel_funcs; ++ drm_panel_init(&panel->base, dev, &seiko_panel_funcs); + + err = drm_panel_add(&panel->base); + if (err < 0) +diff --git a/drivers/gpu/drm/panel/panel-sharp-lq101r1sx01.c b/drivers/gpu/drm/panel/panel-sharp-lq101r1sx01.c +index e910b4ad13104..87a58cb4d9455 100644 +--- a/drivers/gpu/drm/panel/panel-sharp-lq101r1sx01.c ++++ b/drivers/gpu/drm/panel/panel-sharp-lq101r1sx01.c +@@ -329,9 +329,7 @@ static int sharp_panel_add(struct sharp_panel *sharp) + if (IS_ERR(sharp->backlight)) + return PTR_ERR(sharp->backlight); + +- drm_panel_init(&sharp->base); +- sharp->base.funcs = &sharp_panel_funcs; +- sharp->base.dev = &sharp->link1->dev; ++ drm_panel_init(&sharp->base, &sharp->link1->dev, &sharp_panel_funcs); + + return drm_panel_add(&sharp->base); + } +diff --git a/drivers/gpu/drm/panel/panel-sharp-ls037v7dw01.c b/drivers/gpu/drm/panel/panel-sharp-ls037v7dw01.c +index 46cd9a2501298..96e3deb0e305c 100644 +--- a/drivers/gpu/drm/panel/panel-sharp-ls037v7dw01.c ++++ b/drivers/gpu/drm/panel/panel-sharp-ls037v7dw01.c +@@ -185,9 +185,7 @@ static int ls037v7dw01_probe(struct platform_device *pdev) + return PTR_ERR(lcd->ud_gpio); + } + +- drm_panel_init(&lcd->panel); +- lcd->panel.dev = &pdev->dev; +- lcd->panel.funcs = &ls037v7dw01_funcs; ++ drm_panel_init(&lcd->panel, &pdev->dev, &ls037v7dw01_funcs); + + return drm_panel_add(&lcd->panel); + } +diff --git a/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c b/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c +index c39abde9f9f10..ffa844ee82ad4 
100644 +--- a/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c ++++ b/drivers/gpu/drm/panel/panel-sharp-ls043t1le01.c +@@ -264,9 +264,8 @@ static int sharp_nt_panel_add(struct sharp_nt_panel *sharp_nt) + if (IS_ERR(sharp_nt->backlight)) + return PTR_ERR(sharp_nt->backlight); + +- drm_panel_init(&sharp_nt->base); +- sharp_nt->base.funcs = &sharp_nt_panel_funcs; +- sharp_nt->base.dev = &sharp_nt->dsi->dev; ++ drm_panel_init(&sharp_nt->base, &sharp_nt->dsi->dev, ++ &sharp_nt_panel_funcs); + + return drm_panel_add(&sharp_nt->base); + } +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index ec0085e664365..156bd4d551dc3 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -464,9 +464,7 @@ static int panel_simple_probe(struct device *dev, const struct panel_desc *desc) + if (!of_get_display_timing(dev->of_node, "panel-timing", &dt)) + panel_simple_parse_panel_timing_node(dev, panel, &dt); + +- drm_panel_init(&panel->base); +- panel->base.dev = dev; +- panel->base.funcs = &panel_simple_funcs; ++ drm_panel_init(&panel->base, dev, &panel_simple_funcs); + + err = drm_panel_add(&panel->base); + if (err < 0) +diff --git a/drivers/gpu/drm/panel/panel-sitronix-st7701.c b/drivers/gpu/drm/panel/panel-sitronix-st7701.c +index 638f605acb2db..77a3f6b9aec1d 100644 +--- a/drivers/gpu/drm/panel/panel-sitronix-st7701.c ++++ b/drivers/gpu/drm/panel/panel-sitronix-st7701.c +@@ -369,7 +369,7 @@ static int st7701_dsi_probe(struct mipi_dsi_device *dsi) + if (IS_ERR(st7701->backlight)) + return PTR_ERR(st7701->backlight); + +- drm_panel_init(&st7701->panel); ++ drm_panel_init(&st7701->panel, &dsi->dev, &st7701_funcs); + + /** + * Once sleep out has been issued, ST7701 IC required to wait 120ms +@@ -381,8 +381,6 @@ static int st7701_dsi_probe(struct mipi_dsi_device *dsi) + * ts8550b and there is no valid documentation for that. 
+ */ + st7701->sleep_delay = 120 + desc->panel_sleep_delay; +- st7701->panel.funcs = &st7701_funcs; +- st7701->panel.dev = &dsi->dev; + + ret = drm_panel_add(&st7701->panel); + if (ret < 0) +diff --git a/drivers/gpu/drm/panel/panel-sitronix-st7789v.c b/drivers/gpu/drm/panel/panel-sitronix-st7789v.c +index 3b2612ae931e8..2eeaeee0dd7f3 100644 +--- a/drivers/gpu/drm/panel/panel-sitronix-st7789v.c ++++ b/drivers/gpu/drm/panel/panel-sitronix-st7789v.c +@@ -381,9 +381,7 @@ static int st7789v_probe(struct spi_device *spi) + spi_set_drvdata(spi, ctx); + ctx->spi = spi; + +- drm_panel_init(&ctx->panel); +- ctx->panel.dev = &spi->dev; +- ctx->panel.funcs = &st7789v_drm_funcs; ++ drm_panel_init(&ctx->panel, &spi->dev, &st7789v_drm_funcs); + + ctx->power = devm_regulator_get(&spi->dev, "power"); + if (IS_ERR(ctx->power)) +diff --git a/drivers/gpu/drm/panel/panel-sony-acx565akm.c b/drivers/gpu/drm/panel/panel-sony-acx565akm.c +index 3d5b9c4f68d98..1e39067387a61 100644 +--- a/drivers/gpu/drm/panel/panel-sony-acx565akm.c ++++ b/drivers/gpu/drm/panel/panel-sony-acx565akm.c +@@ -648,9 +648,7 @@ static int acx565akm_probe(struct spi_device *spi) + return ret; + } + +- drm_panel_init(&lcd->panel); +- lcd->panel.dev = &lcd->spi->dev; +- lcd->panel.funcs = &acx565akm_funcs; ++ drm_panel_init(&lcd->panel, &lcd->spi->dev, &acx565akm_funcs); + + ret = drm_panel_add(&lcd->panel); + if (ret < 0) { +diff --git a/drivers/gpu/drm/panel/panel-tpo-td028ttec1.c b/drivers/gpu/drm/panel/panel-tpo-td028ttec1.c +index f2baff827f507..76cfca89c3c78 100644 +--- a/drivers/gpu/drm/panel/panel-tpo-td028ttec1.c ++++ b/drivers/gpu/drm/panel/panel-tpo-td028ttec1.c +@@ -347,9 +347,7 @@ static int td028ttec1_probe(struct spi_device *spi) + return ret; + } + +- drm_panel_init(&lcd->panel); +- lcd->panel.dev = &lcd->spi->dev; +- lcd->panel.funcs = &td028ttec1_funcs; ++ drm_panel_init(&lcd->panel, &lcd->spi->dev, &td028ttec1_funcs); + + return drm_panel_add(&lcd->panel); + } +diff --git 
a/drivers/gpu/drm/panel/panel-tpo-td043mtea1.c b/drivers/gpu/drm/panel/panel-tpo-td043mtea1.c +index ba163c779084c..afd7c5ed53c45 100644 +--- a/drivers/gpu/drm/panel/panel-tpo-td043mtea1.c ++++ b/drivers/gpu/drm/panel/panel-tpo-td043mtea1.c +@@ -458,9 +458,7 @@ static int td043mtea1_probe(struct spi_device *spi) + return ret; + } + +- drm_panel_init(&lcd->panel); +- lcd->panel.dev = &lcd->spi->dev; +- lcd->panel.funcs = &td043mtea1_funcs; ++ drm_panel_init(&lcd->panel, &lcd->spi->dev, &td043mtea1_funcs); + + ret = drm_panel_add(&lcd->panel); + if (ret < 0) { +diff --git a/drivers/gpu/drm/panel/panel-tpo-tpg110.c b/drivers/gpu/drm/panel/panel-tpo-tpg110.c +index 71591e5f59383..25524c26b241b 100644 +--- a/drivers/gpu/drm/panel/panel-tpo-tpg110.c ++++ b/drivers/gpu/drm/panel/panel-tpo-tpg110.c +@@ -457,9 +457,7 @@ static int tpg110_probe(struct spi_device *spi) + if (ret) + return ret; + +- drm_panel_init(&tpg->panel); +- tpg->panel.dev = dev; +- tpg->panel.funcs = &tpg110_drm_funcs; ++ drm_panel_init(&tpg->panel, dev, &tpg110_drm_funcs); + spi_set_drvdata(spi, tpg); + + return drm_panel_add(&tpg->panel); +diff --git a/drivers/gpu/drm/panel/panel-truly-nt35597.c b/drivers/gpu/drm/panel/panel-truly-nt35597.c +index 77e1311b7c692..c3714be788375 100644 +--- a/drivers/gpu/drm/panel/panel-truly-nt35597.c ++++ b/drivers/gpu/drm/panel/panel-truly-nt35597.c +@@ -518,9 +518,7 @@ static int truly_nt35597_panel_add(struct truly_nt35597 *ctx) + /* dual port */ + gpiod_set_value(ctx->mode_gpio, 0); + +- drm_panel_init(&ctx->panel); +- ctx->panel.dev = dev; +- ctx->panel.funcs = &truly_nt35597_drm_funcs; ++ drm_panel_init(&ctx->panel, dev, &truly_nt35597_drm_funcs); + drm_panel_add(&ctx->panel); + + return 0; +diff --git a/include/drm/drm_panel.h b/include/drm/drm_panel.h +index 624bd15ecfab6..4b9c656dc15e3 100644 +--- a/include/drm/drm_panel.h ++++ b/include/drm/drm_panel.h +@@ -147,7 +147,8 @@ struct drm_panel { + struct list_head list; + }; + +-void drm_panel_init(struct 
drm_panel *panel); ++void drm_panel_init(struct drm_panel *panel, struct device *dev, ++ const struct drm_panel_funcs *funcs); + + int drm_panel_add(struct drm_panel *panel); + void drm_panel_remove(struct drm_panel *panel); +-- +2.39.2 + diff --git a/tmp-5.4/drm-panel-simple-add-connector_type-for-innolux_at04.patch b/tmp-5.4/drm-panel-simple-add-connector_type-for-innolux_at04.patch new file mode 100644 index 00000000000..0288c2cc55f --- /dev/null +++ b/tmp-5.4/drm-panel-simple-add-connector_type-for-innolux_at04.patch @@ -0,0 +1,39 @@ +From 15a2f19a825813ff4508488feb70893b2903eee2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 08:22:02 -0300 +Subject: drm/panel: simple: Add connector_type for innolux_at043tn24 + +From: Fabio Estevam + +[ Upstream commit 2c56a751845ddfd3078ebe79981aaaa182629163 ] + +The innolux at043tn24 display is a parallel LCD. Pass the 'connector_type' +information to avoid the following warning: + +panel-simple panel: Specify missing connector_type + +Signed-off-by: Fabio Estevam +Fixes: 41bcceb4de9c ("drm/panel: simple: Add support for Innolux AT043TN24") +Reviewed-by: Sam Ravnborg +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230620112202.654981-1-festevam@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index af71365fb99b3..a87b79c8d76f7 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -1584,6 +1584,7 @@ static const struct panel_desc innolux_at043tn24 = { + .height = 54, + }, + .bus_format = MEDIA_BUS_FMT_RGB888_1X24, ++ .connector_type = DRM_MODE_CONNECTOR_DPI, + .bus_flags = DRM_BUS_FLAG_DE_HIGH | DRM_BUS_FLAG_PIXDATA_DRIVE_POSEDGE, + }; + +-- +2.39.2 + 
diff --git a/tmp-5.4/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch b/tmp-5.4/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch
new file mode 100644
index 00000000000..9e7f7876aec
--- /dev/null
+++ b/tmp-5.4/drm-panel-simple-fix-active-size-for-ampire-am-48027.patch
@@ -0,0 +1,51 @@
+From d841c53b30d3cc981ac76595875a83e2edf58a71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 10:50:39 +0200
+Subject: drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H
+
+From: Dario Binacchi
+
+[ Upstream commit f24b49550814fdee4a98b9552e35e243ccafd4a8 ]
+
+The previous setting was related to the overall dimension and not to the
+active display area.
+In the "PHYSICAL SPECIFICATIONS" section, the datasheet shows the
+following parameters:
+
+ ----------------------------------------------------------
+| Item | Specifications | unit |
+ ----------------------------------------------------------
+| Display area | 98.7 (W) x 57.5 (H) | mm |
+ ----------------------------------------------------------
+| Overall dimension | 105.5(W) x 67.2(H) x 4.96(D) | mm |
+ ----------------------------------------------------------
+
+Fixes: 966fea78adf2 ("drm/panel: simple: Add support for Ampire AM-480272H3TMQW-T01H")
+Signed-off-by: Dario Binacchi
+Reviewed-by: Neil Armstrong
+[narmstrong: fixed Fixes commit id length]
+Signed-off-by: Neil Armstrong
+Link: https://patchwork.freedesktop.org/patch/msgid/20230516085039.3797303-1-dario.binacchi@amarulasolutions.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/panel/panel-simple.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index 312a3c4e23318..ec0085e664365 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -531,8 +531,8 @@ static const struct panel_desc ampire_am_480272h3tmqw_t01h = {
+ .num_modes = 1,
+ .bpc = 8,
+ .size = {
+- .width = 105,
+- .height = 67,
++ .width = 99,
++ .height = 58,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X24,
+ };
+--
+2.39.2
+
diff --git a/tmp-5.4/drm-radeon-fix-possible-division-by-zero-errors.patch b/tmp-5.4/drm-radeon-fix-possible-division-by-zero-errors.patch
new file mode 100644
index 00000000000..563e385024a
--- /dev/null
+++ b/tmp-5.4/drm-radeon-fix-possible-division-by-zero-errors.patch
@@ -0,0 +1,94 @@ +From 7b737e2a192e5411fcf868db4dc700d9e0c467c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 08:33:27 -0700 +Subject: drm/radeon: fix possible division-by-zero errors + +From: Nikita Zhandarovich + +[ Upstream commit 1becc57cd1a905e2aa0e1eca60d2a37744525c4a ] + +Function rv740_get_decoded_reference_divider() may return 0 due to +unpredictable reference divider value calculated in +radeon_atom_get_clock_dividers(). This will lead to +division-by-zero error once that value is used as a divider +in calculating 'clk_s'. +While unlikely, this issue should nonetheless be prevented so add a +sanity check for such cases by testing 'decoded_ref' value against 0. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +v2: minor coding style fixes (Alex) +In practice this should actually happen as the vbios should be +properly populated. + +Fixes: 66229b200598 ("drm/radeon/kms: add dpm support for rv7xx (v4)") +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/cypress_dpm.c | 8 ++++++-- + drivers/gpu/drm/radeon/ni_dpm.c | 8 ++++++-- + drivers/gpu/drm/radeon/rv740_dpm.c | 8 ++++++-- + 3 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/cypress_dpm.c b/drivers/gpu/drm/radeon/cypress_dpm.c +index 32ed60f1048bd..b31d65a6752f1 100644 +--- a/drivers/gpu/drm/radeon/cypress_dpm.c ++++ b/drivers/gpu/drm/radeon/cypress_dpm.c +@@ -559,8 +559,12 @@ static int cypress_populate_mclk_value(struct radeon_device *rdev, + ASIC_INTERNAL_MEMORY_SS, vco_freq)) { + u32 reference_clock = rdev->clock.mpll.reference_freq; + u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div); +- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate); +- u32 clk_v = ss.percentage * ++ u32 clk_s, clk_v; ++ ++ if (!decoded_ref) ++ return -EINVAL; ++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate); ++ clk_v = 
ss.percentage * + (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625); + + mpll_ss1 &= ~CLKV_MASK; +diff --git a/drivers/gpu/drm/radeon/ni_dpm.c b/drivers/gpu/drm/radeon/ni_dpm.c +index 288ec3039bc2c..cad7a73a551f7 100644 +--- a/drivers/gpu/drm/radeon/ni_dpm.c ++++ b/drivers/gpu/drm/radeon/ni_dpm.c +@@ -2241,8 +2241,12 @@ static int ni_populate_mclk_value(struct radeon_device *rdev, + ASIC_INTERNAL_MEMORY_SS, vco_freq)) { + u32 reference_clock = rdev->clock.mpll.reference_freq; + u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div); +- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate); +- u32 clk_v = ss.percentage * ++ u32 clk_s, clk_v; ++ ++ if (!decoded_ref) ++ return -EINVAL; ++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate); ++ clk_v = ss.percentage * + (0x4000 * dividers.whole_fb_div + 0x800 * dividers.frac_fb_div) / (clk_s * 625); + + mpll_ss1 &= ~CLKV_MASK; +diff --git a/drivers/gpu/drm/radeon/rv740_dpm.c b/drivers/gpu/drm/radeon/rv740_dpm.c +index 327d65a76e1f4..79b2de65e905e 100644 +--- a/drivers/gpu/drm/radeon/rv740_dpm.c ++++ b/drivers/gpu/drm/radeon/rv740_dpm.c +@@ -250,8 +250,12 @@ int rv740_populate_mclk_value(struct radeon_device *rdev, + ASIC_INTERNAL_MEMORY_SS, vco_freq)) { + u32 reference_clock = rdev->clock.mpll.reference_freq; + u32 decoded_ref = rv740_get_decoded_reference_divider(dividers.ref_div); +- u32 clk_s = reference_clock * 5 / (decoded_ref * ss.rate); +- u32 clk_v = 0x40000 * ss.percentage * ++ u32 clk_s, clk_v; ++ ++ if (!decoded_ref) ++ return -EINVAL; ++ clk_s = reference_clock * 5 / (decoded_ref * ss.rate); ++ clk_v = 0x40000 * ss.percentage * + (dividers.whole_fb_div + (dividers.frac_fb_div / 8)) / (clk_s * 10000); + + mpll_ss1 &= ~CLKV_MASK; +-- +2.39.2 + diff --git a/tmp-5.4/drm-rockchip-vop-leave-vblank-enabled-in-self-refresh.patch b/tmp-5.4/drm-rockchip-vop-leave-vblank-enabled-in-self-refresh.patch new file mode 100644 index 00000000000..d2887b99c39 --- /dev/null 
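Review bot: The added `if (!decoded_ref) return -EINVAL;` guards only one factor of the divisor. `clk_s = reference_clock * 5 / (decoded_ref * ss.rate)` still divides by zero when `ss.rate` is 0, and `clk_s` can itself truncate to 0 before being used as a divisor in the `clk_v` expression (`/ (clk_s * 625)` in cypress_dpm.c and ni_dpm.c, `/ (clk_s * 10000)` in rv740_dpm.c). The same pattern appears in all three functions touched here: cypress_populate_mclk_value(), ni_populate_mclk_value() and rv740_populate_mclk_value(). Whether the vbios tables can yield such values is not visible from the hunks, so I would widen the test to `if (!decoded_ref || !ss.rate) return -EINVAL;` and add `if (!clk_s) return -EINVAL;` right after `clk_s` is computed. The function bodies continue outside the hunks.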
+++ b/tmp-5.4/drm-rockchip-vop-leave-vblank-enabled-in-self-refresh.patch 
@@ -0,0 +1,94 @@ +From 2bdba9d4a3baa758c2ca7f5b37b35c7b3391dc42 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 9 Jan 2023 17:18:17 -0800 +Subject: drm/rockchip: vop: Leave vblank enabled in self-refresh + +From: Brian Norris + +commit 2bdba9d4a3baa758c2ca7f5b37b35c7b3391dc42 upstream. + +If we disable vblank when entering self-refresh, vblank APIs (like +DRM_IOCTL_WAIT_VBLANK) no longer work. But user space is not aware when +we enter self-refresh, so this appears to be an API violation -- that +DRM_IOCTL_WAIT_VBLANK fails with EINVAL whenever the display is idle and +enters self-refresh. + +The downstream driver used by many of these systems never used to +disable vblank for PSR, and in fact, even upstream, we didn't do that +until radically redesigning the state machine in commit 6c836d965bad +("drm/rockchip: Use the helpers for PSR"). + +Thus, it seems like a reasonable API fix to simply restore that +behavior, and leave vblank enabled. + +Note that this appears to potentially unbalance the +drm_crtc_vblank_{off,on}() calls in some cases, but: +(a) drm_crtc_vblank_on() documents this as OK and +(b) if I do the naive balancing, I find state machine issues such that + we're not in sync properly; so it's easier to take advantage of (a). + +This issue was exposed by IGT's kms_vblank tests, and reported by +KernelCI. The bug has been around a while (longer than KernelCI +noticed), but was only exposed once self-refresh was bugfixed more +recently, and so KernelCI could properly test it. Some other notes in: + + https://lore.kernel.org/dri-devel/Y6OCg9BPnJvimQLT@google.com/ + Re: renesas/master bisection: igt-kms-rockchip.kms_vblank.pipe-A-wait-forked on rk3399-gru-kevin + +== Backporting notes: == + +Marking as 'Fixes' commit 6c836d965bad ("drm/rockchip: Use the helpers +for PSR"), but it probably depends on commit bed030a49f3e +("drm/rockchip: Don't fully disable vop on self refresh") as well. 
+ +We also need the previous patch ("drm/atomic: Allow vblank-enabled + +self-refresh "disable""), of course. + +v3: + * no update + +v2: + * skip unnecessary lock/unlock + +Fixes: 6c836d965bad ("drm/rockchip: Use the helpers for PSR") +Cc: +Reported-by: "kernelci.org bot" +Link: https://lore.kernel.org/dri-devel/Y5itf0+yNIQa6fU4@sirena.org.uk/ +Signed-off-by: Brian Norris +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20230109171809.v3.2.Ic07cba4ab9a7bd3618a9e4258b8f92ea7d10ae5a@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +@@ -654,13 +654,13 @@ static void vop_crtc_atomic_disable(stru + if (crtc->state->self_refresh_active) + rockchip_drm_set_win_enabled(crtc, false); + ++ if (crtc->state->self_refresh_active) ++ goto out; ++ + mutex_lock(&vop->vop_lock); + + drm_crtc_vblank_off(crtc); + +- if (crtc->state->self_refresh_active) +- goto out; +- + /* + * Vop standby will take effect at end of current frame, + * if dsp hold valid irq happen, it means standby complete. +@@ -692,9 +692,9 @@ static void vop_crtc_atomic_disable(stru + vop_core_clks_disable(vop); + pm_runtime_put(vop->dev); + +-out: + mutex_unlock(&vop->vop_lock); + ++out: + if (crtc->state->event && !crtc->state->active) { + spin_lock_irq(&crtc->dev->event_lock); + drm_crtc_send_vblank_event(crtc, crtc->state->event); diff --git a/tmp-5.4/drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch b/tmp-5.4/drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch new file mode 100644 index 00000000000..03ee8842f4a --- /dev/null +++ b/tmp-5.4/drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch 
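Review bot: In vop_crtc_atomic_disable() the moved check leaves two back-to-back `if (crtc->state->self_refresh_active)` tests, the first calling `rockchip_drm_set_win_enabled(crtc, false)` and the second doing `goto out`. Folding them into one braced block, `if (crtc->state->self_refresh_active) { rockchip_drm_set_win_enabled(crtc, false); goto out; }`, would make it obvious that the self-refresh path only disables the windows. A short comment such as `/* self-refresh: leave vblank enabled so DRM_IOCTL_WAIT_VBLANK keeps working */` would record why drm_crtc_vblank_off() and the lock are skipped. The function starts and ends outside the hunks.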
@@ -0,0 +1,116 @@ +From fe30f5a271889263f88508cc30282bf7e8b0d004 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Apr 2023 19:23:46 +0800 +Subject: drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks` + +From: XuDong Liu + +[ Upstream commit 123ee07ba5b7123e0ce0e0f9d64938026c16a2ce ] + +Smatch reports: +drivers/gpu/drm/sun4i/sun4i_tcon.c:805 sun4i_tcon_init_clocks() warn: +'tcon->clk' from clk_prepare_enable() not released on lines: 792,801. + +In the function sun4i_tcon_init_clocks(), tcon->clk and tcon->sclk0 are +not disabled in the error handling, which affects the release of +these variable. Although sun4i_tcon_bind(), which calls +sun4i_tcon_init_clocks(), use sun4i_tcon_free_clocks to disable the +variables mentioned, but the error handling branch of +sun4i_tcon_init_clocks() ignores the required disable process. + +To fix this issue, use the devm_clk_get_enabled to automatically +balance enable and disabled calls. As original implementation use +sun4i_tcon_free_clocks() to disable clk explicitly, we delete the +related calls and error handling that are no longer needed. 
+ +Fixes: 9026e0d122ac ("drm: Add Allwinner A10 Display Engine support") +Fixes: b14e945bda8a ("drm/sun4i: tcon: Prepare and enable TCON channel 0 clock at init") +Fixes: 8e9240472522 ("drm/sun4i: support TCONs without channel 1") +Fixes: 34d698f6e349 ("drm/sun4i: Add has_channel_0 TCON quirk") +Signed-off-by: XuDong Liu +Reviewed-by: Dongliang Mu +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20230430112347.4689-1-m202071377@hust.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun4i_tcon.c | 19 ++++--------------- + 1 file changed, 4 insertions(+), 15 deletions(-) + +diff --git a/drivers/gpu/drm/sun4i/sun4i_tcon.c b/drivers/gpu/drm/sun4i/sun4i_tcon.c +index eb3b2350687fb..193c7f979bcaa 100644 +--- a/drivers/gpu/drm/sun4i/sun4i_tcon.c ++++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c +@@ -753,21 +753,19 @@ static irqreturn_t sun4i_tcon_handler(int irq, void *private) + static int sun4i_tcon_init_clocks(struct device *dev, + struct sun4i_tcon *tcon) + { +- tcon->clk = devm_clk_get(dev, "ahb"); ++ tcon->clk = devm_clk_get_enabled(dev, "ahb"); + if (IS_ERR(tcon->clk)) { + dev_err(dev, "Couldn't get the TCON bus clock\n"); + return PTR_ERR(tcon->clk); + } +- clk_prepare_enable(tcon->clk); + + if (tcon->quirks->has_channel_0) { +- tcon->sclk0 = devm_clk_get(dev, "tcon-ch0"); ++ tcon->sclk0 = devm_clk_get_enabled(dev, "tcon-ch0"); + if (IS_ERR(tcon->sclk0)) { + dev_err(dev, "Couldn't get the TCON channel 0 clock\n"); + return PTR_ERR(tcon->sclk0); + } + } +- clk_prepare_enable(tcon->sclk0); + + if (tcon->quirks->has_channel_1) { + tcon->sclk1 = devm_clk_get(dev, "tcon-ch1"); +@@ -780,12 +778,6 @@ static int sun4i_tcon_init_clocks(struct device *dev, + return 0; + } + +-static void sun4i_tcon_free_clocks(struct sun4i_tcon *tcon) +-{ +- clk_disable_unprepare(tcon->sclk0); +- clk_disable_unprepare(tcon->clk); +-} +- + static int sun4i_tcon_init_irq(struct device *dev, + struct sun4i_tcon *tcon) + { +@@ -1202,14 +1194,14 @@ static 
int sun4i_tcon_bind(struct device *dev, struct device *master, + ret = sun4i_tcon_init_regmap(dev, tcon); + if (ret) { + dev_err(dev, "Couldn't init our TCON regmap\n"); +- goto err_free_clocks; ++ goto err_assert_reset; + } + + if (tcon->quirks->has_channel_0) { + ret = sun4i_dclk_create(dev, tcon); + if (ret) { + dev_err(dev, "Couldn't create our TCON dot clock\n"); +- goto err_free_clocks; ++ goto err_assert_reset; + } + } + +@@ -1272,8 +1264,6 @@ static int sun4i_tcon_bind(struct device *dev, struct device *master, + err_free_dotclock: + if (tcon->quirks->has_channel_0) + sun4i_dclk_free(tcon); +-err_free_clocks: +- sun4i_tcon_free_clocks(tcon); + err_assert_reset: + reset_control_assert(tcon->lcd_rst); + return ret; +@@ -1287,7 +1277,6 @@ static void sun4i_tcon_unbind(struct device *dev, struct device *master, + list_del(&tcon->list); + if (tcon->quirks->has_channel_0) + sun4i_dclk_free(tcon); +- sun4i_tcon_free_clocks(tcon); + } + + static const struct component_ops sun4i_tcon_ops = { +-- +2.39.2 + diff --git a/tmp-5.4/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch b/tmp-5.4/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch new file mode 100644 index 00000000000..b4af1f14cdb --- /dev/null +++ b/tmp-5.4/erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch 
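Review bot: Removing the `err_free_clocks` label changes the teardown order in sun4i_tcon_bind(). The old error path ran `sun4i_tcon_free_clocks()` before `reset_control_assert(tcon->lcd_rst)`, whereas the devm-managed clocks are now released only after the function has returned, i.e. with the reset already asserted. sun4i_tcon_unbind() likewise no longer disables the clocks itself. This is probably harmless, but it is worth confirming that the block tolerates reset being asserted while the bus clock is still running. A comment at `err_assert_reset:` such as `/* tcon->clk and tcon->sclk0 are devm-managed and are disabled after this returns */` would make the implicit cleanup visible. Both functions extend beyond the hunks.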
@@ -0,0 +1,54 @@
+From 3099608e5a6ce78608c3eada9fdad4a1193a66f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Jul 2023 17:34:10 +0800
+Subject: erofs: avoid infinite loop in z_erofs_do_read_page() when reading
+ beyond EOF
+
+From: Chunhai Guo
+
+[ Upstream commit 8191213a5835b0317c5e4d0d337ae1ae00c75253 ]
+
+z_erofs_do_read_page() may loop infinitely due to the inappropriate
+truncation in the below statement. Since the offset is 64 bits and min_t()
+truncates the result to 32 bits. The solution is to replace unsigned int
+with a 64-bit type, such as erofs_off_t.
+ cur = end - min_t(unsigned int, offset + end - map->m_la, end);
+
+ - For example:
+ - offset = 0x400160000
+ - end = 0x370
+ - map->m_la = 0x160370
+ - offset + end - map->m_la = 0x400000000
+ - offset + end - map->m_la = 0x00000000 (truncated as unsigned int)
+ - Expected result:
+ - cur = 0
+ - Actual result:
+ - cur = 0x370
+
+Signed-off-by: Chunhai Guo
+Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
+Reviewed-by: Gao Xiang
+Reviewed-by: Chao Yu
+Link: https://lore.kernel.org/r/20230710093410.44071-1-guochunhai@vivo.com
+Signed-off-by: Gao Xiang
+Signed-off-by: Sasha Levin
+---
+ fs/erofs/zdata.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
+index fdd18c2508115..dcc377094f90b 100644
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -636,7 +636,7 @@ static int z_erofs_do_read_page(struct z_erofs_decompress_frontend *fe,
+ tight &= (clt->mode >= COLLECT_PRIMARY_HOOKED &&
+ clt->mode != COLLECT_PRIMARY_FOLLOWED_NOINPLACE);
+
+- cur = end - min_t(unsigned int, offset + end - map->m_la, end);
++ cur = end - min_t(erofs_off_t, offset + end - map->m_la, end);
+ if (!(map->m_flags & EROFS_MAP_MAPPED)) {
+ zero_user_segment(page, cur, end);
+ goto next_part;
+--
+2.39.2
+
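Review bot: The one-token type change in z_erofs_do_read_page() has no in-code explanation, so a later cleanup could narrow `min_t()` back to `unsigned int` and reintroduce the no-progress loop described in the commit message. Per that message `offset + end - map->m_la` is a 64-bit distance, and only the `min` against `end` makes the result fit `cur`. I would add a comment above the statement, for example `/* compare as erofs_off_t: a 32-bit truncation here can yield cur == end and loop forever past EOF */`. The function continues outside the hunk.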
diff --git a/tmp-5.4/erofs-fix-compact-4b-support-for-16k-block-size.patch b/tmp-5.4/erofs-fix-compact-4b-support-for-16k-block-size.patch
new file mode 100644
index 00000000000..8782d8e163d
--- /dev/null
+++ b/tmp-5.4/erofs-fix-compact-4b-support-for-16k-block-size.patch
@@ -0,0 +1,66 @@ +From 001b8ccd0650727e54ec16ef72bf1b8eeab7168e Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Thu, 1 Jun 2023 19:23:41 +0800 +Subject: erofs: fix compact 4B support for 16k block size + +From: Gao Xiang + +commit 001b8ccd0650727e54ec16ef72bf1b8eeab7168e upstream. + +In compact 4B, two adjacent lclusters are packed together as a unit to +form on-disk indexes for effective random access, as below: + +(amortized = 4, vcnt = 2) + _____________________________________________ + |___@_____ encoded bits __________|_ blkaddr _| + 0 . amortized * vcnt = 8 + . . + . . amortized * vcnt - 4 = 4 + . . + .____________________________. + |_type (2 bits)_|_clusterofs_| + +Therefore, encoded bits for each pack are 32 bits (4 bytes). IOWs, +since each lcluster can get 16 bits for its type and clusterofs, the +maximum supported lclustersize for compact 4B format is 16k (14 bits). + +Fix this to enable compact 4B format for 16k lclusters (blocks), which +is tested on an arm64 server with 16k page size. 
+ +Fixes: 152a333a5895 ("staging: erofs: add compacted compression indexes support") +Signed-off-by: Gao Xiang +Link: https://lore.kernel.org/r/20230601112341.56960-1-hsiangkao@linux.alibaba.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/zmap.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/fs/erofs/zmap.c ++++ b/fs/erofs/zmap.c +@@ -215,7 +215,7 @@ static int unpack_compacted_index(struct + int i; + u8 *in, type; + +- if (1 << amortizedshift == 4) ++ if (1 << amortizedshift == 4 && lclusterbits <= 14) + vcnt = 2; + else if (1 << amortizedshift == 2 && lclusterbits == 12) + vcnt = 16; +@@ -273,7 +273,6 @@ static int compacted_load_cluster_from_d + { + struct inode *const inode = m->inode; + struct erofs_inode *const vi = EROFS_I(inode); +- const unsigned int lclusterbits = vi->z_logical_clusterbits; + const erofs_off_t ebase = ALIGN(iloc(EROFS_I_SB(inode), vi->nid) + + vi->inode_isize + vi->xattr_isize, 8) + + sizeof(struct z_erofs_map_header); +@@ -283,9 +282,6 @@ static int compacted_load_cluster_from_d + erofs_off_t pos; + int err; + +- if (lclusterbits != 12) +- return -EOPNOTSUPP; +- + if (lcn >= totalidx) + return -EINVAL; + diff --git a/tmp-5.4/evm-complete-description-of-evm_inode_setattr.patch b/tmp-5.4/evm-complete-description-of-evm_inode_setattr.patch new file mode 100644 index 00000000000..e2afc6c517a --- /dev/null +++ b/tmp-5.4/evm-complete-description-of-evm_inode_setattr.patch 
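Review bot: The new 4B condition `lclusterbits <= 14` in unpack_compacted_index() has an upper bound but no lower one. Together with the removal of `if (lclusterbits != 12) return -EOPNOTSUPP;` from compacted_load_cluster_from_disk(), this means any value below 12 is now accepted on the 4B path, where previously only 12 passed. `lclusterbits` comes from `vi->z_logical_clusterbits`, which is presumably derived from the on-disk map header, so unless the inode setup code (not visible here) already guarantees a minimum of 12, I would state the range explicitly: `if (1 << amortizedshift == 4 && lclusterbits >= 12 && lclusterbits <= 14)`. A one-line comment giving the reason for the limit from the commit message (16 bits per lcluster, 2 of them for the type) would also help. Both functions extend beyond the hunks.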
@@ -0,0 +1,39 @@
+From abf63e3dc62b3c5f67f4f72f67f0569585ca960b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Mar 2023 11:40:36 +0100
+Subject: evm: Complete description of evm_inode_setattr()
+
+From: Roberto Sassu
+
+[ Upstream commit b1de86d4248b273cb12c4cd7d20c08d459519f7d ]
+
+Add the description for missing parameters of evm_inode_setattr() to
+avoid the warning arising with W=n compile option.
+
+Fixes: 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm") # v3.2+
+Fixes: c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") # v6.3+
+Signed-off-by: Roberto Sassu
+Reviewed-by: Stefan Berger
+Signed-off-by: Mimi Zohar
+Signed-off-by: Sasha Levin
+---
+ security/integrity/evm/evm_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
+index b82291d10e730..cc7e4e4439b0f 100644
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -471,7 +471,9 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
+
+ /**
+ * evm_inode_setattr - prevent updating an invalid EVM extended attribute
++ * @idmap: idmap of the mount
+ * @dentry: pointer to the affected dentry
++ * @attr: iattr structure containing the new file attributes
+ *
+ * Permit update of file attributes when files have a valid EVM signature,
+ * except in the case of them having an immutable portable signature.
+--
+2.39.2
+
diff --git a/tmp-5.4/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch b/tmp-5.4/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch
new file mode 100644
index 00000000000..6ecfb892324
--- /dev/null
+++ b/tmp-5.4/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch
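Review bot: The added `@idmap: idmap of the mount` line may describe a parameter that evm_inode_setattr() does not have in this tree. The commit message attributes the idmap argument to c1632a0f1120, tagged `# v6.3+`, while this patch is queued under tmp-5.4. The function signature lies outside the hunk, so this needs checking against the 5.4 prototype. If it takes only `dentry` and `attr`, keep the `@attr` line and drop `@idmap` from the backport; otherwise kernel-doc would report an excess parameter in place of the missing one.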
@@ -0,0 +1,54 @@ +From 6909cf5c4101214f4305a62d582a5b93c7e1eb9a Mon Sep 17 00:00:00 2001 +From: Eric Whitney +Date: Mon, 22 May 2023 14:15:20 -0400 +Subject: ext4: correct inline offset when handling xattrs in inode body + +From: Eric Whitney + +commit 6909cf5c4101214f4305a62d582a5b93c7e1eb9a upstream. + +When run on a file system where the inline_data feature has been +enabled, xfstests generic/269, generic/270, and generic/476 cause ext4 +to emit error messages indicating that inline directory entries are +corrupted. This occurs because the inline offset used to locate +inline directory entries in the inode body is not updated when an +xattr in that shared region is deleted and the region is shifted in +memory to recover the space it occupied. If the deleted xattr precedes +the system.data attribute, which points to the inline directory entries, +that attribute will be moved further up in the region. The inline +offset continues to point to whatever is located in system.data's former +location, with unfortunate effects when used to access directory entries +or (presumably) inline data in the inode body. + +Cc: stable@kernel.org +Signed-off-by: Eric Whitney +Link: https://lore.kernel.org/r/20230522181520.1570360-1-enwlinux@gmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1742,6 +1742,20 @@ static int ext4_xattr_set_entry(struct e + memmove(here, (void *)here + size, + (void *)last - (void *)here + sizeof(__u32)); + memset(last, 0, size); ++ ++ /* ++ * Update i_inline_off - moved ibody region might contain ++ * system.data attribute. Handling a failure here won't ++ * cause other complications for setting an xattr. 
++ */ ++ if (!is_block && ext4_has_inline_data(inode)) { ++ ret = ext4_find_inline_data_nolock(inode); ++ if (ret) { ++ ext4_warning_inode(inode, ++ "unable to update i_inline_off"); ++ goto out; ++ } ++ } + } else if (s->not_found) { + /* Insert new name. */ + size_t size = EXT4_XATTR_LEN(name_len); diff --git a/tmp-5.4/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch b/tmp-5.4/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch new file mode 100644 index 00000000000..a165fae5753 --- /dev/null +++ b/tmp-5.4/ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch @@ -0,0 +1,43 @@ +From c4d13222afd8a64bf11bc7ec68645496ee8b54b9 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 6 Jun 2023 15:32:03 +0800 +Subject: ext4: fix to check return value of freeze_bdev() in ext4_shutdown() + +From: Chao Yu + +commit c4d13222afd8a64bf11bc7ec68645496ee8b54b9 upstream. + +freeze_bdev() can fail due to a lot of reasons, it needs to check its +reason before later process. + +Fixes: 783d94854499 ("ext4: add EXT4_IOC_GOINGDOWN ioctl") +Cc: stable@kernel.org +Signed-off-by: Chao Yu +Link: https://lore.kernel.org/r/20230606073203.1310389-1-chao@kernel.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/ioctl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -573,6 +573,7 @@ static int ext4_shutdown(struct super_bl + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + __u32 flags; ++ int ret; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; +@@ -591,7 +592,9 @@ static int ext4_shutdown(struct super_bl + + switch (flags) { + case EXT4_GOING_FLAGS_DEFAULT: +- freeze_bdev(sb->s_bdev); ++ ret = freeze_bdev(sb->s_bdev); ++ if (ret) ++ return ret; + set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags); + thaw_bdev(sb->s_bdev, sb); + break; 
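Review bot: In the fs/ext4/ioctl.c change to ext4_shutdown(), the result of freeze_bdev() is stored in an `int ret` and any non-zero value is returned, which is only correct if freeze_bdev() returns an int in the tree this patch is queued for. The unchanged context line `thaw_bdev(sb->s_bdev, sb);` passes the superblock as a second argument, which suggests the older interface where freeze_bdev() hands back a `struct super_block *`. If so, a successful freeze yields a non-zero `ret`, and the shutdown request returns early with a truncated pointer value instead of setting EXT4_FLAGS_SHUTDOWN. Please confirm the prototype on this branch; for the pointer form the check would be `struct super_block *frozen = freeze_bdev(sb->s_bdev);` followed by `if (IS_ERR(frozen)) return PTR_ERR(frozen);`. ext4_shutdown() begins and ends outside the quoted hunks.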
diff --git a/tmp-5.4/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch b/tmp-5.4/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch new file mode 100644 index 00000000000..cb2cbadf7a2 --- /dev/null +++ b/tmp-5.4/ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch @@ -0,0 +1,35 @@ +From 247c3d214c23dfeeeb892e91a82ac1188bdaec9f Mon Sep 17 00:00:00 2001 +From: Kemeng Shi +Date: Sat, 3 Jun 2023 23:03:18 +0800 +Subject: ext4: fix wrong unit use in ext4_mb_clear_bb + +From: Kemeng Shi + +commit 247c3d214c23dfeeeb892e91a82ac1188bdaec9f upstream. + +Function ext4_issue_discard need count in cluster. Pass count_clusters +instead of count to fix the mismatch. + +Signed-off-by: Kemeng Shi +Cc: stable@kernel.org +Reviewed-by: Ojaswin Mujoo +Link: https://lore.kernel.org/r/20230603150327.3596033-11-shikemeng@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mballoc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -4950,8 +4950,8 @@ do_more: + * them with group lock_held + */ + if (test_opt(sb, DISCARD)) { +- err = ext4_issue_discard(sb, block_group, bit, count, +- NULL); ++ err = ext4_issue_discard(sb, block_group, bit, ++ count_clusters, NULL); + if (err && err != -EOPNOTSUPP) + ext4_msg(sb, KERN_WARNING, "discard request in" + " group:%d block:%d count:%lu failed" diff --git a/tmp-5.4/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch b/tmp-5.4/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch new file mode 100644 index 00000000000..16911357fa5 --- /dev/null +++ b/tmp-5.4/ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch 
@@ -0,0 +1,92 @@ +From de25d6e9610a8b30cce9bbb19b50615d02ebca02 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Mon, 24 Apr 2023 11:38:35 +0800 +Subject: ext4: only update i_reserved_data_blocks on successful block allocation + +From: Baokun Li + +commit de25d6e9610a8b30cce9bbb19b50615d02ebca02 upstream. + +In our fault injection test, we create an ext4 file, migrate it to +non-extent based file, then punch a hole and finally trigger a WARN_ON +in the ext4_da_update_reserve_space(): + +EXT4-fs warning (device sda): ext4_da_update_reserve_space:369: +ino 14, used 11 with only 10 reserved data blocks + +When writing back a non-extent based file, if we enable delalloc, the +number of reserved blocks will be subtracted from the number of blocks +mapped by ext4_ind_map_blocks(), and the extent status tree will be +updated. We update the extent status tree by first removing the old +extent_status and then inserting the new extent_status. If the block range +we remove happens to be in an extent, then we need to allocate another +extent_status with ext4_es_alloc_extent(). + + use old to remove to add new + |----------|------------|------------| + old extent_status + +The problem is that the allocation of a new extent_status failed due to a +fault injection, and __es_shrink() did not get free memory, resulting in +a return of -ENOMEM. Then do_writepages() retries after receiving -ENOMEM, +we map to the same extent again, and the number of reserved blocks is again +subtracted from the number of blocks in that extent. Since the blocks in +the same extent are subtracted twice, we end up triggering WARN_ON at +ext4_da_update_reserve_space() because used > ei->i_reserved_data_blocks. + +For non-extent based file, we update the number of reserved blocks after +ext4_ind_map_blocks() is executed, which causes a problem that when we call +ext4_ind_map_blocks() to create a block, it doesn't always create a block, +but we always reduce the number of reserved blocks. 
So we move the logic +for updating reserved blocks to ext4_ind_map_blocks() to ensure that the +number of reserved blocks is updated only after we do succeed in allocating +some new blocks. + +Fixes: 5f634d064c70 ("ext4: Fix quota accounting error with fallocate") +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20230424033846.4732-2-libaokun1@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/indirect.c | 8 ++++++++ + fs/ext4/inode.c | 10 ---------- + 2 files changed, 8 insertions(+), 10 deletions(-) + +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -636,6 +636,14 @@ int ext4_ind_map_blocks(handle_t *handle + + ext4_update_inode_fsync_trans(handle, inode, 1); + count = ar.len; ++ ++ /* ++ * Update reserved blocks/metadata blocks after successful block ++ * allocation which had been deferred till now. ++ */ ++ if (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE) ++ ext4_da_update_reserve_space(inode, count, 1); ++ + got_it: + map->m_flags |= EXT4_MAP_MAPPED; + map->m_pblk = le32_to_cpu(chain[depth-1].key); +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -669,16 +669,6 @@ found: + */ + ext4_clear_inode_state(inode, EXT4_STATE_EXT_MIGRATE); + } +- +- /* +- * Update reserved blocks/metadata blocks after successful +- * block allocation which had been deferred till now. We don't +- * support fallocate for non extent files. So we can update +- * reserve space here. +- */ +- if ((retval > 0) && +- (flags & EXT4_GET_BLOCKS_DELALLOC_RESERVE)) +- ext4_da_update_reserve_space(inode, retval, 1); + } + + if (retval > 0) { diff --git a/tmp-5.4/ext4-remove-ext4-locking-of-moved-directory.patch b/tmp-5.4/ext4-remove-ext4-locking-of-moved-directory.patch new file mode 100644 index 00000000000..c63387664ab --- /dev/null +++ b/tmp-5.4/ext4-remove-ext4-locking-of-moved-directory.patch 
@@ -0,0 +1,59 @@ +From 3658840cd363f2be094f5dfd2f0b174a9055dd0f Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 1 Jun 2023 12:58:21 +0200 +Subject: ext4: Remove ext4 locking of moved directory + +From: Jan Kara + +commit 3658840cd363f2be094f5dfd2f0b174a9055dd0f upstream. + +Remove locking of moved directory in ext4_rename2(). We will take care +of it in VFS instead. This effectively reverts commit 0813299c586b +("ext4: Fix possible corruption when moving a directory") and followup +fixes. + +CC: Ted Tso +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Message-Id: <20230601105830.13168-1-jack@suse.cz> +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/namei.c | 17 ++--------------- + 1 file changed, 2 insertions(+), 15 deletions(-) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -3795,19 +3795,10 @@ static int ext4_rename(struct inode *old + return retval; + } + +- /* +- * We need to protect against old.inode directory getting converted +- * from inline directory format into a normal one. +- */ +- if (S_ISDIR(old.inode->i_mode)) +- inode_lock_nested(old.inode, I_MUTEX_NONDIR2); +- + old.bh = ext4_find_entry(old.dir, &old.dentry->d_name, &old.de, + &old.inlined); +- if (IS_ERR(old.bh)) { +- retval = PTR_ERR(old.bh); +- goto unlock_moved_dir; +- } ++ if (IS_ERR(old.bh)) ++ return PTR_ERR(old.bh); + + /* + * Check for inode number is _not_ due to possible IO errors. +@@ -3968,10 +3959,6 @@ release_bh: + brelse(old.bh); + brelse(new.bh); + +-unlock_moved_dir: +- if (S_ISDIR(old.inode->i_mode)) +- inode_unlock(old.inode); +- + return retval; + } + diff --git a/tmp-5.4/extcon-fix-kernel-doc-of-property-capability-fields-.patch b/tmp-5.4/extcon-fix-kernel-doc-of-property-capability-fields-.patch new file mode 100644 index 00000000000..d920d752cf5 --- /dev/null +++ b/tmp-5.4/extcon-fix-kernel-doc-of-property-capability-fields-.patch 
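Review bot: The fs/ext4/namei.c hunks remove the `inode_lock_nested(old.inode, I_MUTEX_NONDIR2)` guard from ext4_rename() and nothing in this patch replaces it. The protection described in the deleted comment (the moved directory being converted from inline to normal format during the rename) therefore depends entirely on the VFS change the description refers to. That change is not part of this patch, so it should be confirmed that it is queued for the same 5.4 release and applied together with this one; otherwise the race the lock closed is reopened on this branch. A backport note naming the prerequisite commit would make the dependency explicit.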
@@ -0,0 +1,46 @@ +From 234d6d4113c2a9a2386a02cd48ec6a8b75209ee4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 16:39:53 +0200 +Subject: extcon: Fix kernel doc of property capability fields to avoid + warnings + +From: Andy Shevchenko + +[ Upstream commit 73346b9965ebda2feb7fef8629e9b28baee820e3 ] + +Kernel documentation has to be synchronized with a code, otherwise +the validator is not happy: + + Function parameter or member 'usb_bits' not described in 'extcon_cable' + Function parameter or member 'chg_bits' not described in 'extcon_cable' + Function parameter or member 'jack_bits' not described in 'extcon_cable' + Function parameter or member 'disp_bits' not described in 'extcon_cable' + +Describe the fields added in the past. + +Fixes: ceaa98f442cf ("extcon: Add the support for the capability of each property") +Signed-off-by: Andy Shevchenko +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/extcon/extcon.c b/drivers/extcon/extcon.c +index 00ad8b637749b..12f9ae2aac113 100644 +--- a/drivers/extcon/extcon.c ++++ b/drivers/extcon/extcon.c +@@ -200,6 +200,10 @@ static const struct __extcon_info { + * @chg_propval: the array of charger connector properties + * @jack_propval: the array of jack connector properties + * @disp_propval: the array of display connector properties ++ * @usb_bits: the bit array of the USB connector property capabilities ++ * @chg_bits: the bit array of the charger connector property capabilities ++ * @jack_bits: the bit array of the jack connector property capabilities ++ * @disp_bits: the bit array of the display connector property capabilities + */ + struct extcon_cable { + struct extcon_dev *edev; +-- +2.39.2 + diff --git a/tmp-5.4/extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch b/tmp-5.4/extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch new file mode 100644 index 00000000000..3b4c26aab12 
--- /dev/null +++ b/tmp-5.4/extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch @@ -0,0 +1,45 @@ +From e3ec1522ffa67dce0b89287b5e4869daae394ad1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Mar 2023 16:39:52 +0200 +Subject: extcon: Fix kernel doc of property fields to avoid warnings + +From: Andy Shevchenko + +[ Upstream commit 7e77e0b7a9f4cdf91cb0950749b40c840ea63efc ] + +Kernel documentation has to be synchronized with a code, otherwise +the validator is not happy: + + Function parameter or member 'usb_propval' not described in 'extcon_cable' + Function parameter or member 'chg_propval' not described in 'extcon_cable' + Function parameter or member 'jack_propval' not described in 'extcon_cable' + Function parameter or member 'disp_propval' not described in 'extcon_cable' + +Describe the fields added in the past. + +Fixes: 067c1652e7a7 ("extcon: Add the support for extcon property according to extcon type") +Signed-off-by: Andy Shevchenko +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/extcon/extcon.c b/drivers/extcon/extcon.c +index 6b905c3d30f4f..00ad8b637749b 100644 +--- a/drivers/extcon/extcon.c ++++ b/drivers/extcon/extcon.c +@@ -196,6 +196,10 @@ static const struct __extcon_info { + * @attr_name: "name" sysfs entry + * @attr_state: "state" sysfs entry + * @attrs: the array pointing to attr_name and attr_state for attr_g ++ * @usb_propval: the array of USB connector properties ++ * @chg_propval: the array of charger connector properties ++ * @jack_propval: the array of jack connector properties ++ * @disp_propval: the array of display connector properties + */ + struct extcon_cable { + struct extcon_dev *edev; +-- +2.39.2 + diff --git a/tmp-5.4/f2fs-fix-error-path-handling-in-truncate_dnode.patch b/tmp-5.4/f2fs-fix-error-path-handling-in-truncate_dnode.patch new file mode 100644 index 00000000000..a8b26f03f70 --- /dev/null 
+++ b/tmp-5.4/f2fs-fix-error-path-handling-in-truncate_dnode.patch @@ -0,0 +1,39 @@ +From a0996a6d79039d5b6f0692dd35faa2cef61e28c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jun 2023 09:41:02 +0800 +Subject: f2fs: fix error path handling in truncate_dnode() + +From: Chao Yu + +[ Upstream commit 0135c482fa97e2fd8245cb462784112a00ed1211 ] + +If truncate_node() fails in truncate_dnode(), it missed to call +f2fs_put_page(), fix it. + +Fixes: 7735730d39d7 ("f2fs: fix to propagate error from __get_meta_page()") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/node.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c +index b080d5c58f6cb..8256a2dedae8c 100644 +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -889,8 +889,10 @@ static int truncate_dnode(struct dnode_of_data *dn) + dn->ofs_in_node = 0; + f2fs_truncate_data_blocks(dn); + err = truncate_node(dn); +- if (err) ++ if (err) { ++ f2fs_put_page(page, 1); + return err; ++ } + + return 1; + } +-- +2.39.2 + diff --git a/tmp-5.4/fanotify-disallow-mount-sb-marks-on-kernel-internal-pseudo-fs.patch b/tmp-5.4/fanotify-disallow-mount-sb-marks-on-kernel-internal-pseudo-fs.patch new file mode 100644 index 00000000000..d1e1bd5699a --- /dev/null +++ b/tmp-5.4/fanotify-disallow-mount-sb-marks-on-kernel-internal-pseudo-fs.patch 
@@ -0,0 +1,74 @@ +From 69562eb0bd3e6bb8e522a7b254334e0fb30dff0c Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Thu, 29 Jun 2023 07:20:44 +0300 +Subject: fanotify: disallow mount/sb marks on kernel internal pseudo fs + +From: Amir Goldstein + +commit 69562eb0bd3e6bb8e522a7b254334e0fb30dff0c upstream. + +Hopefully, nobody is trying to abuse mount/sb marks for watching all +anonymous pipes/inodes. + +I cannot think of a good reason to allow this - it looks like an +oversight that dated back to the original fanotify API. + +Link: https://lore.kernel.org/linux-fsdevel/20230628101132.kvchg544mczxv2pm@quack3/ +Fixes: 0ff21db9fcc3 ("fanotify: hooks the fanotify_mark syscall to the vfsmount code") +Signed-off-by: Amir Goldstein +Reviewed-by: Christian Brauner +Signed-off-by: Jan Kara +Message-Id: <20230629042044.25723-1-amir73il@gmail.com> +[backport to 5.x.y] +Signed-off-by: Amir Goldstein +Signed-off-by: Greg Kroah-Hartman +--- + fs/notify/fanotify/fanotify_user.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/fs/notify/fanotify/fanotify_user.c ++++ b/fs/notify/fanotify/fanotify_user.c +@@ -928,8 +928,11 @@ static int fanotify_test_fid(struct path + return 0; + } + +-static int fanotify_events_supported(struct path *path, __u64 mask) ++static int fanotify_events_supported(struct path *path, __u64 mask, ++ unsigned int flags) + { ++ unsigned int mark_type = flags & FANOTIFY_MARK_TYPE_BITS; ++ + /* + * Some filesystems such as 'proc' acquire unusual locks when opening + * files. For them fanotify permission events have high chances of +@@ -941,6 +944,21 @@ static int fanotify_events_supported(str + if (mask & FANOTIFY_PERM_EVENTS && + path->mnt->mnt_sb->s_type->fs_flags & FS_DISALLOW_NOTIFY_PERM) + return -EINVAL; ++ ++ /* ++ * mount and sb marks are not allowed on kernel internal pseudo fs, ++ * like pipe_mnt, because that would subscribe to events on all the ++ * anonynous pipes in the system. 
++ * ++ * SB_NOUSER covers all of the internal pseudo fs whose objects are not ++ * exposed to user's mount namespace, but there are other SB_KERNMOUNT ++ * fs, like nsfs, debugfs, for which the value of allowing sb and mount ++ * mark is questionable. For now we leave them alone. ++ */ ++ if (mark_type != FAN_MARK_INODE && ++ path->mnt->mnt_sb->s_flags & SB_NOUSER) ++ return -EINVAL; ++ + return 0; + } + +@@ -1050,7 +1068,7 @@ static int do_fanotify_mark(int fanotify + goto fput_and_out; + + if (flags & FAN_MARK_ADD) { +- ret = fanotify_events_supported(&path, mask); ++ ret = fanotify_events_supported(&path, mask, flags); + if (ret) + goto path_put_and_out; + } diff --git a/tmp-5.4/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch b/tmp-5.4/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch new file mode 100644 index 00000000000..1c0e655e29d --- /dev/null +++ b/tmp-5.4/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch 
@@ -0,0 +1,40 @@ +From e25dfa5ac6e4c44a8de6036201e1be18c4ecf443 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jul 2023 16:16:56 +0800 +Subject: fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe + +From: Zhang Shurong + +[ Upstream commit 4e88761f5f8c7869f15a2046b1a1116f4fab4ac8 ] + +This func misses checking for platform_get_irq()'s call and may passes the +negative error codes to request_irq(), which takes unsigned IRQ #, +causing it to fail with -EINVAL, overriding an original error code. + +Fix this by stop calling request_irq() with invalid IRQ #s. + +Fixes: 1630d85a8312 ("au1200fb: fix hardcoded IRQ") +Signed-off-by: Zhang Shurong +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/au1200fb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c +index 43a4dddaafd52..d0335d4d5ab54 100644 +--- a/drivers/video/fbdev/au1200fb.c ++++ b/drivers/video/fbdev/au1200fb.c +@@ -1732,6 +1732,9 @@ static int au1200fb_drv_probe(struct platform_device *dev) + + /* Now hook interrupt too */ + irq = platform_get_irq(dev, 0); ++ if (irq < 0) ++ return irq; ++ + ret = request_irq(irq, au1200fb_handle_irq, + IRQF_SHARED, "lcd", (void *)dev); + if (ret) { +-- +2.39.2 + diff --git a/tmp-5.4/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch b/tmp-5.4/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch new file mode 100644 index 00000000000..b57f0c7aa01 --- /dev/null +++ b/tmp-5.4/fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch 
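Review bot: The added `if (irq < 0) return irq;` in au1200fb_drv_probe() leaves the probe function directly, whereas the request_irq() failure just below it enters an error block (`if (ret) {`, whose body is outside the hunk). If that block unwinds what probe set up before the "Now hook interrupt too" step, the new early return skips the unwinding and leaves those resources allocated after a failed probe. Consider routing the new check through the same path, i.e. `ret = irq;` followed by a jump to whatever cleanup label the request_irq() branch uses. The rest of au1200fb_drv_probe() is not visible here, so the exact label has to be taken from the file.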
@@ -0,0 +1,75 @@ +From c75f5a55061091030a13fef71b9995b89bc86213 Mon Sep 17 00:00:00 2001 +From: Zheng Wang +Date: Thu, 27 Apr 2023 11:08:41 +0800 +Subject: fbdev: imsttfb: Fix use after free bug in imsttfb_probe + +From: Zheng Wang + +commit c75f5a55061091030a13fef71b9995b89bc86213 upstream. + +A use-after-free bug may occur if init_imstt invokes framebuffer_release +and free the info ptr. The caller, imsttfb_probe didn't notice that and +still keep the ptr as private data in pdev. + +If we remove the driver which will call imsttfb_remove to make cleanup, +UAF happens. + +Fix it by return error code if bad case happens in init_imstt. + +Signed-off-by: Zheng Wang +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/imsttfb.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/video/fbdev/imsttfb.c ++++ b/drivers/video/fbdev/imsttfb.c +@@ -1346,7 +1346,7 @@ static struct fb_ops imsttfb_ops = { + .fb_ioctl = imsttfb_ioctl, + }; + +-static void init_imstt(struct fb_info *info) ++static int init_imstt(struct fb_info *info) + { + struct imstt_par *par = info->par; + __u32 i, tmp, *ip, *end; +@@ -1419,7 +1419,7 @@ static void init_imstt(struct fb_info *i + || !(compute_imstt_regvals(par, info->var.xres, info->var.yres))) { + printk("imsttfb: %ux%ux%u not supported\n", info->var.xres, info->var.yres, info->var.bits_per_pixel); + framebuffer_release(info); +- return; ++ return -ENODEV; + } + + sprintf(info->fix.id, "IMS TT (%s)", par->ramdac == IBM ? 
"IBM" : "TVP"); +@@ -1455,12 +1455,13 @@ static void init_imstt(struct fb_info *i + + if (register_framebuffer(info) < 0) { + framebuffer_release(info); +- return; ++ return -ENODEV; + } + + tmp = (read_reg_le32(par->dc_regs, SSTATUS) & 0x0f00) >> 8; + fb_info(info, "%s frame buffer; %uMB vram; chip version %u\n", + info->fix.id, info->fix.smem_len >> 20, tmp); ++ return 0; + } + + static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_id *ent) +@@ -1523,10 +1524,10 @@ static int imsttfb_probe(struct pci_dev + if (!par->cmap_regs) + goto error; + info->pseudo_palette = par->palette; +- init_imstt(info); +- +- pci_set_drvdata(pdev, info); +- return 0; ++ ret = init_imstt(info); ++ if (!ret) ++ pci_set_drvdata(pdev, info); ++ return ret; + + error: + if (par->dc_regs) diff --git a/tmp-5.4/fbdev-imxfb-warn-about-invalid-left-right-margin.patch b/tmp-5.4/fbdev-imxfb-warn-about-invalid-left-right-margin.patch new file mode 100644 index 00000000000..585b94175f1 --- /dev/null +++ b/tmp-5.4/fbdev-imxfb-warn-about-invalid-left-right-margin.patch 
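Review bot: When init_imstt() fails, imsttfb_probe() now does `return ret;` and never reaches the `error:` label, which starts releasing `par->dc_regs` and presumably the other resources acquired earlier in probe. It cannot simply `goto error` either: init_imstt() has already called framebuffer_release(info), and if `par` in probe is `info->par` as it is in init_imstt(), the cleanup would read freed memory. A cleaner shape is for init_imstt() to return the error without releasing `info`, and for imsttfb_probe() to own the release after its unmap steps. Both function bodies extend beyond the hunks, so the full unwind order needs checking against the file.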
@@ -0,0 +1,43 @@ +From a04d9ccef0b4a1f90d0f96da18d27601add6d807 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jun 2023 15:24:37 +0200 +Subject: fbdev: imxfb: warn about invalid left/right margin + +From: Martin Kaiser + +[ Upstream commit 4e47382fbca916d7db95cbf9e2d7ca2e9d1ca3fe ] + +Warn about invalid var->left_margin or var->right_margin. Their values +are read from the device tree. + +We store var->left_margin-3 and var->right_margin-1 in register +fields. These fields should be >= 0. + +Fixes: 7e8549bcee00 ("imxfb: Fix margin settings") +Signed-off-by: Martin Kaiser +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/imxfb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c +index ffde3107104bc..dbc8808b093a5 100644 +--- a/drivers/video/fbdev/imxfb.c ++++ b/drivers/video/fbdev/imxfb.c +@@ -601,10 +601,10 @@ static int imxfb_activate_var(struct fb_var_screeninfo *var, struct fb_info *inf + if (var->hsync_len < 1 || var->hsync_len > 64) + printk(KERN_ERR "%s: invalid hsync_len %d\n", + info->fix.id, var->hsync_len); +- if (var->left_margin > 255) ++ if (var->left_margin < 3 || var->left_margin > 255) + printk(KERN_ERR "%s: invalid left_margin %d\n", + info->fix.id, var->left_margin); +- if (var->right_margin > 255) ++ if (var->right_margin < 1 || var->right_margin > 255) + printk(KERN_ERR "%s: invalid right_margin %d\n", + info->fix.id, var->right_margin); + if (var->yres < 1 || var->yres > ymax_mask) +-- +2.39.2 + diff --git a/tmp-5.4/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch b/tmp-5.4/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch new file mode 100644 index 00000000000..c6493f6312c --- /dev/null +++ b/tmp-5.4/fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch 
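Review bot: The new lower-bound checks in imxfb_activate_var() only print a message. According to the description, `var->left_margin - 3` and `var->right_margin - 1` are then stored in register fields, so a device-tree value below the bound can still wrap into the field. If the code after the hunk writes the registers regardless, consider rejecting the mode, e.g. `if (var->left_margin < 3 || var->left_margin > 255) return -EINVAL;` and the same for `right_margin` with a lower bound of 1. The register writes are outside the hunk, so whether anything later catches the bad value cannot be seen from here.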
@@ -0,0 +1,44 @@ +From 30fc0db36e128b7b4fb0c7bfb64a59bafe212a8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jun 2023 17:42:28 +0200 +Subject: fbdev: omapfb: lcd_mipid: Fix an error handling path in + mipid_spi_probe() + +From: Christophe JAILLET + +[ Upstream commit 79a3908d1ea6c35157a6d907b1a9d8ec06015e7a ] + +If 'mipid_detect()' fails, we must free 'md' to avoid a memory leak. + +Fixes: 66d2f99d0bb5 ("omapfb: add support for MIPI-DCS compatible LCDs") +Signed-off-by: Christophe JAILLET +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/omap/lcd_mipid.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/omap/lcd_mipid.c b/drivers/video/fbdev/omap/lcd_mipid.c +index a75ae0c9b14c7..d1cd8785d011d 100644 +--- a/drivers/video/fbdev/omap/lcd_mipid.c ++++ b/drivers/video/fbdev/omap/lcd_mipid.c +@@ -563,11 +563,15 @@ static int mipid_spi_probe(struct spi_device *spi) + + r = mipid_detect(md); + if (r < 0) +- return r; ++ goto free_md; + + omapfb_register_panel(&md->panel); + + return 0; ++ ++free_md: ++ kfree(md); ++ return r; + } + + static int mipid_spi_remove(struct spi_device *spi) +-- +2.39.2 + diff --git a/tmp-5.4/firmware-stratix10-svc-fix-a-potential-resource-leak-in-svc_create_memory_pool.patch b/tmp-5.4/firmware-stratix10-svc-fix-a-potential-resource-leak-in-svc_create_memory_pool.patch new file mode 100644 index 00000000000..5d75586ebd8 --- /dev/null +++ b/tmp-5.4/firmware-stratix10-svc-fix-a-potential-resource-leak-in-svc_create_memory_pool.patch 
@@ -0,0 +1,39 @@ +From 1995f15590ca222f91193ed11461862b450abfd6 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Tue, 13 Jun 2023 16:15:21 -0500 +Subject: firmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool() + +From: Christophe JAILLET + +commit 1995f15590ca222f91193ed11461862b450abfd6 upstream. + +svc_create_memory_pool() is only called from stratix10_svc_drv_probe(). +Most of resources in the probe are managed, but not this memremap() call. + +There is also no memunmap() call in the file. + +So switch to devm_memremap() to avoid a resource leak. + +Cc: stable@vger.kernel.org +Fixes: 7ca5ce896524 ("firmware: add Intel Stratix10 service layer driver") +Link: https://lore.kernel.org/all/783e9dfbba34e28505c9efa8bba41f97fd0fa1dc.1686109400.git.christophe.jaillet@wanadoo.fr/ +Signed-off-by: Christophe JAILLET +Signed-off-by: Dinh Nguyen +Message-ID: <20230613211521.16366-1-dinguyen@kernel.org> +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/stratix10-svc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/stratix10-svc.c ++++ b/drivers/firmware/stratix10-svc.c +@@ -615,7 +615,7 @@ svc_create_memory_pool(struct platform_d + end = rounddown(sh_memory->addr + sh_memory->size, PAGE_SIZE); + paddr = begin; + size = end - begin; +- va = memremap(paddr, size, MEMREMAP_WC); ++ va = devm_memremap(dev, paddr, size, MEMREMAP_WC); + if (!va) { + dev_err(dev, "fail to remap shared memory\n"); + return ERR_PTR(-EINVAL); diff --git a/tmp-5.4/fs-avoid-empty-option-when-generating-legacy-mount-string.patch b/tmp-5.4/fs-avoid-empty-option-when-generating-legacy-mount-string.patch new file mode 100644 index 00000000000..1e106d6befe --- /dev/null +++ b/tmp-5.4/fs-avoid-empty-option-when-generating-legacy-mount-string.patch 
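Review bot: After the switch to devm_memremap() in svc_create_memory_pool(), the unchanged check `if (!va) {` on the following line no longer detects a failed mapping, because devm_memremap() reports failure with an ERR_PTR() value rather than NULL. A failed remap would then be treated as a valid address and passed on to the shared-memory pool setup. The check should become `if (IS_ERR(va)) {`. The function continues past the hunk, so later uses of `va` should be reviewed with the same assumption.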
@@ -0,0 +1,43 @@ +From 62176420274db5b5127cd7a0083a9aeb461756ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= +Date: Wed, 7 Jun 2023 19:28:48 +0200 +Subject: fs: avoid empty option when generating legacy mount string +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +commit 62176420274db5b5127cd7a0083a9aeb461756ee upstream. + +As each option string fragment is always prepended with a comma it would +happen that the whole string always starts with a comma. This could be +interpreted by filesystem drivers as an empty option and may produce +errors. + +For example the NTFS driver from ntfs.ko behaves like this and fails +when mounted via the new API. + +Link: https://github.com/util-linux/util-linux/issues/2298 +Signed-off-by: Thomas Weißschuh +Fixes: 3e1aeb00e6d1 ("vfs: Implement a filesystem superblock creation/configuration context") +Cc: stable@vger.kernel.org +Message-Id: <20230607-fs-empty-option-v1-1-20c8dbf4671b@weissschuh.net> +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/fs_context.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/fs_context.c ++++ b/fs/fs_context.c +@@ -598,7 +598,8 @@ static int legacy_parse_param(struct fs_ + return -ENOMEM; + } + +- ctx->legacy_data[size++] = ','; ++ if (size) ++ ctx->legacy_data[size++] = ','; + len = strlen(param->key); + memcpy(ctx->legacy_data + size, param->key, len); + size += len; diff --git a/tmp-5.4/fs-dlm-return-positive-pid-value-for-f_getlk.patch b/tmp-5.4/fs-dlm-return-positive-pid-value-for-f_getlk.patch new file mode 100644 index 00000000000..e41a88a3395 --- /dev/null +++ b/tmp-5.4/fs-dlm-return-positive-pid-value-for-f_getlk.patch 
@@ -0,0 +1,36 @@ +From 92655fbda5c05950a411eaabc19e025e86e2a291 Mon Sep 17 00:00:00 2001 +From: Alexander Aring +Date: Fri, 19 May 2023 11:21:24 -0400 +Subject: fs: dlm: return positive pid value for F_GETLK + +From: Alexander Aring + +commit 92655fbda5c05950a411eaabc19e025e86e2a291 upstream. + +The GETLK pid values have all been negated since commit 9d5b86ac13c5 +("fs/locks: Remove fl_nspid and use fs-specific l_pid for remote locks"). +Revert this for local pids, and leave in place negative pids for remote +owners. + +Cc: stable@vger.kernel.org +Fixes: 9d5b86ac13c5 ("fs/locks: Remove fl_nspid and use fs-specific l_pid for remote locks") +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Greg Kroah-Hartman +--- + fs/dlm/plock.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/dlm/plock.c ++++ b/fs/dlm/plock.c +@@ -363,7 +363,9 @@ int dlm_posix_get(dlm_lockspace_t *locks + locks_init_lock(fl); + fl->fl_type = (op->info.ex) ? F_WRLCK : F_RDLCK; + fl->fl_flags = FL_POSIX; +- fl->fl_pid = -op->info.pid; ++ fl->fl_pid = op->info.pid; ++ if (op->info.nodeid != dlm_our_nodeid()) ++ fl->fl_pid = -fl->fl_pid; + fl->fl_start = op->info.start; + fl->fl_end = op->info.end; + rv = 0; diff --git a/tmp-5.4/fs-establish-locking-order-for-unrelated-directories.patch b/tmp-5.4/fs-establish-locking-order-for-unrelated-directories.patch new file mode 100644 index 00000000000..170233691c5 --- /dev/null +++ b/tmp-5.4/fs-establish-locking-order-for-unrelated-directories.patch 
@@ -0,0 +1,104 @@ +From f23ce757185319886ca80c4864ce5f81ac6cc9e9 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 1 Jun 2023 12:58:24 +0200 +Subject: fs: Establish locking order for unrelated directories + +From: Jan Kara + +commit f23ce757185319886ca80c4864ce5f81ac6cc9e9 upstream. + +Currently the locking order of inode locks for directories that are not +in ancestor relationship is not defined because all operations that +needed to lock two directories like this were serialized by +sb->s_vfs_rename_mutex. However some filesystems need to lock two +subdirectories for RENAME_EXCHANGE operations and for this we need the +locking order established even for two tree-unrelated directories. +Provide a helper function lock_two_inodes() that establishes lock +ordering for any two inodes and use it in lock_two_directories(). + +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Message-Id: <20230601105830.13168-4-jack@suse.cz> +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/inode.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + fs/internal.h | 2 ++ + fs/namei.c | 4 ++-- + 3 files changed, 46 insertions(+), 2 deletions(-) + +--- a/fs/inode.c ++++ b/fs/inode.c +@@ -1013,6 +1013,48 @@ void discard_new_inode(struct inode *ino + EXPORT_SYMBOL(discard_new_inode); + + /** ++ * lock_two_inodes - lock two inodes (may be regular files but also dirs) ++ * ++ * Lock any non-NULL argument. The caller must make sure that if he is passing ++ * in two directories, one is not ancestor of the other. Zero, one or two ++ * objects may be locked by this function. 
++ * ++ * @inode1: first inode to lock ++ * @inode2: second inode to lock ++ * @subclass1: inode lock subclass for the first lock obtained ++ * @subclass2: inode lock subclass for the second lock obtained ++ */ ++void lock_two_inodes(struct inode *inode1, struct inode *inode2, ++ unsigned subclass1, unsigned subclass2) ++{ ++ if (!inode1 || !inode2) { ++ /* ++ * Make sure @subclass1 will be used for the acquired lock. ++ * This is not strictly necessary (no current caller cares) but ++ * let's keep things consistent. ++ */ ++ if (!inode1) ++ swap(inode1, inode2); ++ goto lock; ++ } ++ ++ /* ++ * If one object is directory and the other is not, we must make sure ++ * to lock directory first as the other object may be its child. ++ */ ++ if (S_ISDIR(inode2->i_mode) == S_ISDIR(inode1->i_mode)) { ++ if (inode1 > inode2) ++ swap(inode1, inode2); ++ } else if (!S_ISDIR(inode1->i_mode)) ++ swap(inode1, inode2); ++lock: ++ if (inode1) ++ inode_lock_nested(inode1, subclass1); ++ if (inode2 && inode2 != inode1) ++ inode_lock_nested(inode2, subclass2); ++} ++ ++/** + * lock_two_nondirectories - take two i_mutexes on non-directory objects + * + * Lock any non-NULL argument that is not a directory. +--- a/fs/internal.h ++++ b/fs/internal.h +@@ -138,6 +138,8 @@ extern int vfs_open(const struct path *, + extern long prune_icache_sb(struct super_block *sb, struct shrink_control *sc); + extern void inode_add_lru(struct inode *inode); + extern int dentry_needs_remove_privs(struct dentry *dentry); ++void lock_two_inodes(struct inode *inode1, struct inode *inode2, ++ unsigned subclass1, unsigned subclass2); + + /* + * fs-writeback.c +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -2870,8 +2870,8 @@ struct dentry *lock_rename(struct dentry + return p; + } + +- inode_lock_nested(p1->d_inode, I_MUTEX_PARENT); +- inode_lock_nested(p2->d_inode, I_MUTEX_PARENT2); ++ lock_two_inodes(p1->d_inode, p2->d_inode, ++ I_MUTEX_PARENT, I_MUTEX_PARENT2); + return NULL; + } + EXPORT_SYMBOL(lock_rename); 
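Review bot: The precondition of lock_two_inodes() — when two directories are passed, neither may be an ancestor of the other — is stated only in the kernel-doc prose and nothing in the function checks it, so every caller carries that burden. At the lock_rename() call site in fs/namei.c the ancestor cases are presumably handled by the earlier returns above the hunk; a short comment there, `/* p1 and p2 are not ancestors of each other here */`, would keep the deadlock-avoidance argument next to the call. Two style points in the helper itself: the ordering branch pairs a braced `if` with an unbraced `else if`, where kernel style braces both (`} else if (!S_ISDIR(inode1->i_mode)) {`), and the kernel-doc block puts the description before the `@inode1` … `@subclass2` lines rather than listing the parameters directly under the summary line.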
diff --git a/tmp-5.4/fs-lock-moved-directories.patch b/tmp-5.4/fs-lock-moved-directories.patch
new file mode 100644
index 00000000000..4e5219a3e37
--- /dev/null
+++ b/tmp-5.4/fs-lock-moved-directories.patch
@@ -0,0 +1,126 @@ +From 28eceeda130f5058074dd007d9c59d2e8bc5af2e Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 1 Jun 2023 12:58:25 +0200 +Subject: fs: Lock moved directories + +From: Jan Kara + +commit 28eceeda130f5058074dd007d9c59d2e8bc5af2e upstream. + +When a directory is moved to a different directory, some filesystems +(udf, ext4, ocfs2, f2fs, and likely gfs2, reiserfs, and others) need to +update their pointer to the parent and this must not race with other +operations on the directory. Lock the directories when they are moved. +Although not all filesystems need this locking, we perform it in +vfs_rename() because getting the lock ordering right is really difficult +and we don't want to expose these locking details to filesystems. + +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Message-Id: <20230601105830.13168-5-jack@suse.cz> +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/filesystems/directory-locking.rst | 26 ++++++++++++------------ + fs/namei.c | 22 ++++++++++++-------- + 2 files changed, 28 insertions(+), 20 deletions(-) + +--- a/Documentation/filesystems/directory-locking.rst ++++ b/Documentation/filesystems/directory-locking.rst +@@ -22,12 +22,11 @@ exclusive. + 3) object removal. Locking rules: caller locks parent, finds victim, + locks victim and calls the method. Locks are exclusive. + +-4) rename() that is _not_ cross-directory. Locking rules: caller locks +-the parent and finds source and target. In case of exchange (with +-RENAME_EXCHANGE in flags argument) lock both. In any case, +-if the target already exists, lock it. If the source is a non-directory, +-lock it. If we need to lock both, lock them in inode pointer order. +-Then call the method. All locks are exclusive. ++4) rename() that is _not_ cross-directory. Locking rules: caller locks the ++parent and finds source and target. We lock both (provided they exist). 
If we ++need to lock two inodes of different type (dir vs non-dir), we lock directory ++first. If we need to lock two inodes of the same type, lock them in inode ++pointer order. Then call the method. All locks are exclusive. + NB: we might get away with locking the the source (and target in exchange + case) shared. + +@@ -44,15 +43,17 @@ All locks are exclusive. + rules: + + * lock the filesystem +- * lock parents in "ancestors first" order. ++ * lock parents in "ancestors first" order. If one is not ancestor of ++ the other, lock them in inode pointer order. + * find source and target. + * if old parent is equal to or is a descendent of target + fail with -ENOTEMPTY + * if new parent is equal to or is a descendent of source + fail with -ELOOP +- * If it's an exchange, lock both the source and the target. +- * If the target exists, lock it. If the source is a non-directory, +- lock it. If we need to lock both, do so in inode pointer order. ++ * Lock both the source and the target provided they exist. If we ++ need to lock two inodes of different type (dir vs non-dir), we lock ++ the directory first. If we need to lock two inodes of the same type, ++ lock them in inode pointer order. + * call the method. + + All ->i_rwsem are taken exclusive. Again, we might get away with locking +@@ -66,8 +67,9 @@ If no directory is its own ancestor, the + + Proof: + +- First of all, at any moment we have a partial ordering of the +- objects - A < B iff A is an ancestor of B. ++ First of all, at any moment we have a linear ordering of the ++ objects - A < B iff (A is an ancestor of B) or (B is not an ancestor ++ of A and ptr(A) < ptr(B)). + + That ordering can change. However, the following is true: + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -4367,7 +4367,7 @@ SYSCALL_DEFINE2(link, const char __user + * sb->s_vfs_rename_mutex. We might be more accurate, but that's another + * story. 
+ * c) we have to lock _four_ objects - parents and victim (if it exists), +- * and source (if it is not a directory). ++ * and source. + * And that - after we got ->i_mutex on parents (until then we don't know + * whether the target exists). Solution: try to be smart with locking + * order for inodes. We rely on the fact that tree topology may change +@@ -4444,10 +4444,16 @@ int vfs_rename(struct inode *old_dir, st + + take_dentry_name_snapshot(&old_name, old_dentry); + dget(new_dentry); +- if (!is_dir || (flags & RENAME_EXCHANGE)) +- lock_two_nondirectories(source, target); +- else if (target) +- inode_lock(target); ++ /* ++ * Lock all moved children. Moved directories may need to change parent ++ * pointer so they need the lock to prevent against concurrent ++ * directory changes moving parent pointer. For regular files we've ++ * historically always done this. The lockdep locking subclasses are ++ * somewhat arbitrary but RENAME_EXCHANGE in particular can swap ++ * regular files and directories so it's difficult to tell which ++ * subclasses to use. ++ */ ++ lock_two_inodes(source, target, I_MUTEX_NORMAL, I_MUTEX_NONDIR2); + + error = -EBUSY; + if (is_local_mountpoint(old_dentry) || is_local_mountpoint(new_dentry)) +@@ -4491,9 +4497,9 @@ int vfs_rename(struct inode *old_dir, st + d_exchange(old_dentry, new_dentry); + } + out: +- if (!is_dir || (flags & RENAME_EXCHANGE)) +- unlock_two_nondirectories(source, target); +- else if (target) ++ if (source) ++ inode_unlock(source); ++ if (target) + inode_unlock(target); + dput(new_dentry); + if (!error) { diff --git a/tmp-5.4/fs-no-need-to-check-source.patch b/tmp-5.4/fs-no-need-to-check-source.patch new file mode 100644 index 00000000000..118ada4ab58 --- /dev/null +++ b/tmp-5.4/fs-no-need-to-check-source.patch 
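Review bot: The `out:` path in vfs_rename() now unlocks `source` and `target` independently, while lock_two_inodes() takes the second lock only when `inode2 != inode1`, so the unlock is balanced only if `source != target`. That invariant is established at the start of vfs_rename(), which is outside the hunk (the follow-up patch's message on this page says as much), and nothing at the unlock site records it. I would add `/* source != target (checked on entry), so each lock is dropped exactly once */` above the unlocks, since a double `inode_unlock()` on the same inode would corrupt the rwsem state. vfs_rename() starts and ends outside both namei.c hunks.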
@@ -0,0 +1,45 @@
+From 66d8fc0539b0d49941f313c9509a8384e4245ac1 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Mon, 3 Jul 2023 16:49:11 +0200
+Subject: fs: no need to check source
+
+From: Jan Kara
+
+commit 66d8fc0539b0d49941f313c9509a8384e4245ac1 upstream.
+
+The @source inode must be valid. It is even checked via IS_SWAPFILE()
+above making it pretty clear. So no need to check it when we unlock.
+
+What doesn't need to exist is the @target inode. The lock_two_inodes()
+helper currently swaps the @inode1 and @inode2 arguments if @inode1 is
+NULL to have consistent lock class usage. However, we know that at least
+for vfs_rename() that @inode1 is @source and thus is never NULL as per
+above. We also know that @source is a different inode than @target as
+that is checked right at the beginning of vfs_rename(). So we know that
+@source is valid and locked and that @target is locked. So drop the
+check whether @source is non-NULL.
+
+Fixes: 28eceeda130f ("fs: Lock moved directories")
+Reported-by: kernel test robot
+Reported-by: Dan Carpenter
+Closes: https://lore.kernel.org/r/202307030026.9sE2pk2x-lkp@intel.com
+Message-Id: <20230703-vfs-rename-source-v1-1-37eebb29b65b@kernel.org>
+[brauner: use commit message from patch I sent concurrently]
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/namei.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -4497,8 +4497,7 @@ int vfs_rename(struct inode *old_dir, st
+ d_exchange(old_dentry, new_dentry);
+ }
+ out:
+- if (source)
+- inode_unlock(source);
++ inode_unlock(source);
+ if (target)
+ inode_unlock(target);
+ dput(new_dentry);
diff --git a/tmp-5.4/fuse-revalidate-don-t-invalidate-if-interrupted.patch b/tmp-5.4/fuse-revalidate-don-t-invalidate-if-interrupted.patch
new file mode 100644
index 00000000000..372510ad902
--- /dev/null
+++ b/tmp-5.4/fuse-revalidate-don-t-invalidate-if-interrupted.patch
@@ -0,0 +1,34 @@
+From a9d1c4c6df0e568207907c04aed9e7beb1294c42 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Wed, 7 Jun 2023 17:49:20 +0200
+Subject: fuse: revalidate: don't invalidate if interrupted
+
+From: Miklos Szeredi
+
+commit a9d1c4c6df0e568207907c04aed9e7beb1294c42 upstream.
+
+If the LOOKUP request triggered from fuse_dentry_revalidate() is
+interrupted, then the dentry will be invalidated, possibly resulting in
+submounts being unmounted.
+
+Reported-by: Xu Rongbo
+Closes: https://lore.kernel.org/all/CAJfpegswN_CJJ6C3RZiaK6rpFmNyWmXfaEpnQUJ42KCwNF5tWw@mail.gmail.com/
+Fixes: 9e6268db496a ("[PATCH] FUSE - read-write operations")
+Cc:
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -246,7 +246,7 @@ static int fuse_dentry_revalidate(struct
+ spin_unlock(&fi->lock);
+ }
+ kfree(forget);
+- if (ret == -ENOMEM)
++ if (ret == -ENOMEM || ret == -EINTR)
+ goto out;
+ if (ret || fuse_invalid_attr(&outarg.attr) ||
+ (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
diff --git a/tmp-5.4/gfs2-don-t-deref-jdesc-in-evict.patch b/tmp-5.4/gfs2-don-t-deref-jdesc-in-evict.patch
new file mode 100644
index 00000000000..efd4815392c
--- /dev/null
+++ b/tmp-5.4/gfs2-don-t-deref-jdesc-in-evict.patch
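Review bot: The early exit in fuse_dentry_revalidate() now names two error codes without saying what they have in common, namely that the LOOKUP produced no verdict about the entry. I would add `/* transient failure: the lookup said nothing about the entry, keep the dentry */` above the test. Every other error still falls through to the `if (ret || …)` invalidation branch, so if the request path can return further codes that are equally unrelated to the entry itself, they would still invalidate the dentry and, per the commit message, possibly unmount submounts; that is worth confirming against the request code, which is not visible here. The function starts and ends outside the hunk.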
@@ -0,0 +1,63 @@
+From 504a10d9e46bc37b23d0a1ae2f28973c8516e636 Mon Sep 17 00:00:00 2001
+From: Bob Peterson
+Date: Fri, 28 Apr 2023 12:07:46 -0400
+Subject: gfs2: Don't deref jdesc in evict
+
+From: Bob Peterson
+
+commit 504a10d9e46bc37b23d0a1ae2f28973c8516e636 upstream.
+
+On corrupt gfs2 file systems the evict code can try to reference the
+journal descriptor structure, jdesc, after it has been freed and set to
+NULL. The sequence of events is:
+
+init_journal()
+...
+fail_jindex:
+ gfs2_jindex_free(sdp); <------frees journals, sets jdesc = NULL
+ if (gfs2_holder_initialized(&ji_gh))
+ gfs2_glock_dq_uninit(&ji_gh);
+fail:
+ iput(sdp->sd_jindex); <--references jdesc in evict_linked_inode
+ evict()
+ gfs2_evict_inode()
+ evict_linked_inode()
+ ret = gfs2_trans_begin(sdp, 0, sdp->sd_jdesc->jd_blocks);
+<------references the now freed/zeroed sd_jdesc pointer.
+
+The call to gfs2_trans_begin is done because the truncate_inode_pages
+call can cause gfs2 events that require a transaction, such as removing
+journaled data (jdata) blocks from the journal.
+
+This patch fixes the problem by adding a check for sdp->sd_jdesc to
+function gfs2_evict_inode. In theory, this should only happen to corrupt
+gfs2 file systems, when gfs2 detects the problem, reports it, then tries
+to evict all the system inodes it has read in up to that point.
+
+Reported-by: Yang Lan
+Signed-off-by: Bob Peterson
+Signed-off-by: Andreas Gruenbacher
+[DP: adjusted context]
+Signed-off-by: Dragos-Marian Panait
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/gfs2/super.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/gfs2/super.c
++++ b/fs/gfs2/super.c
+@@ -1258,6 +1258,14 @@ static void gfs2_evict_inode(struct inod
+ if (inode->i_nlink || sb_rdonly(sb))
+ goto out;
+
++ /*
++ * In case of an incomplete mount, gfs2_evict_inode() may be called for
++ * system files without having an active journal to write to. In that
++ * case, skip the filesystem evict.
++ */
++ if (!sdp->sd_jdesc)
++ goto out;
++
+ if (test_bit(GIF_ALLOC_FAILED, &ip->i_flags)) {
+ BUG_ON(!gfs2_glock_is_locked_by_me(ip->i_gl));
+ gfs2_holder_mark_uninitialized(&gh);
diff --git a/tmp-5.4/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch b/tmp-5.4/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch
new file mode 100644
index 00000000000..c50569c50ac
--- /dev/null
+++ b/tmp-5.4/gtp-fix-use-after-free-in-__gtp_encap_destroy.patch
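Review bot: The new `!sdp->sd_jdesc` test in gfs2_evict_inode() covers only this one read, while the dereference named in the commit message (`sdp->sd_jdesc->jd_blocks` in evict_linked_inode()) loads the pointer again later. In the mount-failure sequence described, the journal is freed before the `iput()`, so the order is fixed there; if eviction could ever run concurrently with gfs2_jindex_free(), the check and the use would have to happen under the same lock or on one snapshot of the pointer. Nothing in the hunk shows what serialises the two, so I would extend the comment with that fact once confirmed, for example `… sd_jdesc cannot change from here on because <lock or reason>`. The function continues outside the hunk.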
@@ -0,0 +1,190 @@ +From ce75be9ebfebfabcc631106036991740eb2b4f83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jun 2023 14:32:31 -0700 +Subject: gtp: Fix use-after-free in __gtp_encap_destroy(). + +From: Kuniyuki Iwashima + +[ Upstream commit ce3aee7114c575fab32a5e9e939d4bbb3dcca79f ] + +syzkaller reported use-after-free in __gtp_encap_destroy(). [0] + +It shows the same process freed sk and touched it illegally. + +Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock() +and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, +but release_sock() is called after sock_put() releases the last refcnt. + +[0]: +BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] +BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] +BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] +BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline] +BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] +BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 +Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401 + +CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:351 [inline] + print_report+0xcc/0x620 mm/kasan/report.c:462 + kasan_report+0xb2/0xe0 mm/kasan/report.c:572 + check_region_inline mm/kasan/generic.c:181 [inline] + kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187 + instrument_atomic_read_write include/linux/instrumented.h:96 [inline] + 
atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] + queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] + do_raw_spin_lock include/linux/spinlock.h:186 [inline] + __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] + _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 + spin_lock_bh include/linux/spinlock.h:355 [inline] + release_sock+0x1f/0x1a0 net/core/sock.c:3526 + gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] + gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 + gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 + unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 + rtnl_delete_link net/core/rtnetlink.c:3216 [inline] + rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 + rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 + netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x1b7/0x200 net/socket.c:747 + ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 + ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 + __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7f1168b1fe5d +Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 +RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d +RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003 +RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 
0000000000000000 +R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000 + + +Allocated by task 1483: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + __kasan_slab_alloc+0x59/0x70 mm/kasan/common.c:328 + kasan_slab_alloc include/linux/kasan.h:186 [inline] + slab_post_alloc_hook mm/slab.h:711 [inline] + slab_alloc_node mm/slub.c:3451 [inline] + slab_alloc mm/slub.c:3459 [inline] + __kmem_cache_alloc_lru mm/slub.c:3466 [inline] + kmem_cache_alloc+0x16d/0x340 mm/slub.c:3475 + sk_prot_alloc+0x5f/0x280 net/core/sock.c:2073 + sk_alloc+0x34/0x6c0 net/core/sock.c:2132 + inet6_create net/ipv6/af_inet6.c:192 [inline] + inet6_create+0x2c7/0xf20 net/ipv6/af_inet6.c:119 + __sock_create+0x2a1/0x530 net/socket.c:1535 + sock_create net/socket.c:1586 [inline] + __sys_socket_create net/socket.c:1623 [inline] + __sys_socket_create net/socket.c:1608 [inline] + __sys_socket+0x137/0x250 net/socket.c:1651 + __do_sys_socket net/socket.c:1664 [inline] + __se_sys_socket net/socket.c:1662 [inline] + __x64_sys_socket+0x72/0xb0 net/socket.c:1662 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Freed by task 2401: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free mm/kasan/common.c:200 [inline] + __kasan_slab_free+0x10c/0x1b0 mm/kasan/common.c:244 + kasan_slab_free include/linux/kasan.h:162 [inline] + slab_free_hook mm/slub.c:1781 [inline] + slab_free_freelist_hook mm/slub.c:1807 [inline] + slab_free mm/slub.c:3786 [inline] + kmem_cache_free+0xb4/0x490 mm/slub.c:3808 + sk_prot_free net/core/sock.c:2113 [inline] + __sk_destruct+0x500/0x720 net/core/sock.c:2207 + sk_destruct+0xc1/0xe0 net/core/sock.c:2222 + __sk_free+0xed/0x3d0 net/core/sock.c:2233 + 
sk_free+0x7c/0xa0 net/core/sock.c:2244 + sock_put include/net/sock.h:1981 [inline] + __gtp_encap_destroy+0x165/0x1b0 drivers/net/gtp.c:634 + gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] + gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 + gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 + unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 + rtnl_delete_link net/core/rtnetlink.c:3216 [inline] + rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 + rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 + netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x1b7/0x200 net/socket.c:747 + ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 + ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 + __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +The buggy address belongs to the object at ffff88800dbef300 + which belongs to the cache UDPv6 of size 1344 +The buggy address is located 152 bytes inside of + freed 1344-byte region [ffff88800dbef300, ffff88800dbef840) + +The buggy address belongs to the physical page: +page:00000000d31bfed5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800dbeed40 pfn:0xdbe8 +head:00000000d31bfed5 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +memcg:ffff888008ee0801 +flags: 0x100000000010200(slab|head|node=0|zone=1) +page_type: 0xffffffff() +raw: 0100000000010200 ffff88800c7a3000 dead000000000122 0000000000000000 +raw: ffff88800dbeed40 0000000080160015 00000001ffffffff ffff888008ee0801 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88800dbef280: fc fc fc fc fc fc fc fc fc 
fc fc fc fc fc fc fc + ffff88800dbef300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff88800dbef380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88800dbef400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88800dbef480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Pablo Neira Ayuso +Link: https://lore.kernel.org/r/20230622213231.24651-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index d0653babab923..0409afe9a53d6 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -297,7 +297,9 @@ static void __gtp_encap_destroy(struct sock *sk) + gtp->sk1u = NULL; + udp_sk(sk)->encap_type = 0; + rcu_assign_sk_user_data(sk, NULL); ++ release_sock(sk); + sock_put(sk); ++ return; + } + release_sock(sk); + } +-- +2.39.2 + diff --git a/tmp-5.4/hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch b/tmp-5.4/hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch new file mode 100644 index 00000000000..717dded5790 --- /dev/null +++ b/tmp-5.4/hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch 
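Review bot: The fix in __gtp_encap_destroy() rests entirely on statement order: `release_sock(sk)` has to run before `sock_put(sk)` because the put can drop the last reference and free the socket, and no comment says so. I would add `/* unlock before sock_put(): the put may free sk */` above the new `release_sock(sk);`, so that a later cleanup which folds the two `release_sock()` calls back into one does not reintroduce the use-after-free shown in the KASAN report. The early `return` also leaves the function with two unlock sites; a single unlock followed by a conditional `sock_put()` is an alternative shape if the maintainers prefer one exit path.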
@@ -0,0 +1,70 @@ +From 9a6c0e28e215535b2938c61ded54603b4e5814c5 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Thu, 8 Jun 2023 14:38:28 -0700 +Subject: HID: wacom: Use ktime_t rather than int when dealing with timestamps + +From: Jason Gerecke + +commit 9a6c0e28e215535b2938c61ded54603b4e5814c5 upstream. + +Code which interacts with timestamps needs to use the ktime_t type +returned by functions like ktime_get. The int type does not offer +enough space to store these values, and attempting to use it is a +recipe for problems. In this particular case, overflows would occur +when calculating/storing timestamps leading to incorrect values being +reported to userspace. In some cases these bad timestamps cause input +handling in userspace to appear hung. + +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/901 +Fixes: 17d793f3ed53 ("HID: wacom: insert timestamp to packed Bluetooth (BT) events") +CC: stable@vger.kernel.org +Signed-off-by: Jason Gerecke +Reviewed-by: Benjamin Tissoires +Link: https://lore.kernel.org/r/20230608213828.2108-1-jason.gerecke@wacom.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_wac.c | 6 +++--- + drivers/hid/wacom_wac.h | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -1307,7 +1307,7 @@ static void wacom_intuos_pro2_bt_pen(str + struct input_dev *pen_input = wacom->pen_input; + unsigned char *data = wacom->data; + int number_of_valid_frames = 0; +- int time_interval = 15000000; ++ ktime_t time_interval = 15000000; + ktime_t time_packet_received = ktime_get(); + int i; + +@@ -1341,7 +1341,7 @@ static void wacom_intuos_pro2_bt_pen(str + if (number_of_valid_frames) { + if (wacom->hid_data.time_delayed) + time_interval = ktime_get() - wacom->hid_data.time_delayed; +- time_interval /= number_of_valid_frames; ++ time_interval = div_u64(time_interval, number_of_valid_frames); + wacom->hid_data.time_delayed 
= time_packet_received; + } + +@@ -1352,7 +1352,7 @@ static void wacom_intuos_pro2_bt_pen(str + bool range = frame[0] & 0x20; + bool invert = frame[0] & 0x10; + int frames_number_reversed = number_of_valid_frames - i - 1; +- int event_timestamp = time_packet_received - frames_number_reversed * time_interval; ++ ktime_t event_timestamp = time_packet_received - frames_number_reversed * time_interval; + + if (!valid) + continue; +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -320,7 +320,7 @@ struct hid_data { + int bat_connected; + int ps_connected; + bool pad_input_event_flag; +- int time_delayed; ++ ktime_t time_delayed; + }; + + struct wacom_remote_data { diff --git a/tmp-5.4/hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch b/tmp-5.4/hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch new file mode 100644 index 00000000000..ca1fb070af0 --- /dev/null +++ b/tmp-5.4/hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch 
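Review bot: `time_interval = div_u64(time_interval, number_of_valid_frames);` in wacom_intuos_pro2_bt_pen() hands a signed `ktime_t` to an unsigned division helper. The dividend is `ktime_get() - wacom->hid_data.time_delayed`; should that difference ever come out negative, div_u64() would treat it as a very large unsigned value and the per-frame timestamps reported to userspace would be wrong again. `time_interval = div_s64(time_interval, number_of_valid_frames);` keeps the sign, and `ktime_sub()` would express the subtraction through the ktime API instead of raw arithmetic. The function starts and ends outside the three wacom_wac.c hunks.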
@@ -0,0 +1,45 @@
+From d744ae7477190967a3ddc289e2cd4ae59e8b1237 Mon Sep 17 00:00:00 2001
+From: Martin Kaiser
+Date: Thu, 15 Jun 2023 15:49:59 +0100
+Subject: hwrng: imx-rngc - fix the timeout for init and self check
+
+From: Martin Kaiser
+
+commit d744ae7477190967a3ddc289e2cd4ae59e8b1237 upstream.
+
+Fix the timeout that is used for the initialisation and for the self
+test. wait_for_completion_timeout expects a timeout in jiffies, but
+RNGC_TIMEOUT is in milliseconds. Call msecs_to_jiffies to do the
+conversion.
+
+Cc: stable@vger.kernel.org
+Fixes: 1d5449445bd0 ("hwrng: mx-rngc - add a driver for Freescale RNGC")
+Signed-off-by: Martin Kaiser
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/hw_random/imx-rngc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/hw_random/imx-rngc.c
++++ b/drivers/char/hw_random/imx-rngc.c
+@@ -99,7 +99,7 @@ static int imx_rngc_self_test(struct imx
+ cmd = readl(rngc->base + RNGC_COMMAND);
+ writel(cmd | RNGC_CMD_SELF_TEST, rngc->base + RNGC_COMMAND);
+
+- ret = wait_for_completion_timeout(&rngc->rng_op_done, RNGC_TIMEOUT);
++ ret = wait_for_completion_timeout(&rngc->rng_op_done, msecs_to_jiffies(RNGC_TIMEOUT));
+ if (!ret) {
+ imx_rngc_irq_mask_clear(rngc);
+ return -ETIMEDOUT;
+@@ -182,9 +182,7 @@ static int imx_rngc_init(struct hwrng *r
+ cmd = readl(rngc->base + RNGC_COMMAND);
+ writel(cmd | RNGC_CMD_SEED, rngc->base + RNGC_COMMAND);
+
+- ret = wait_for_completion_timeout(&rngc->rng_op_done,
+- RNGC_TIMEOUT);
+-
++ ret = wait_for_completion_timeout(&rngc->rng_op_done, msecs_to_jiffies(RNGC_TIMEOUT));
+ if (!ret) {
+ imx_rngc_irq_mask_clear(rngc);
+ return -ETIMEDOUT;
diff --git a/tmp-5.4/hwrng-st-fix-w-1-unused-variable-warning.patch b/tmp-5.4/hwrng-st-fix-w-1-unused-variable-warning.patch
new file mode 100644
index 00000000000..7b104bbd6b4
--- /dev/null
+++ b/tmp-5.4/hwrng-st-fix-w-1-unused-variable-warning.patch
@@ -0,0 +1,43 @@
+From dde4ce22ee66b30e82dc447eb0223bd7ea5448a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Jun 2020 18:04:02 +1000
+Subject: hwrng: st - Fix W=1 unused variable warning
+
+From: Herbert Xu
+
+[ Upstream commit ad23756271d5744a0a0ba556f8aaa70e358d5aa6 ]
+
+This patch fixes an unused variable warning when this driver is
+built-in with CONFIG_OF=n.
+
+Signed-off-by: Herbert Xu
+Stable-dep-of: 501e197a02d4 ("hwrng: st - keep clock enabled while hwrng is registered")
+Signed-off-by: Sasha Levin
+---
+ drivers/char/hw_random/st-rng.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/hw_random/st-rng.c b/drivers/char/hw_random/st-rng.c
+index 863448360a7da..50975e761ca58 100644
+--- a/drivers/char/hw_random/st-rng.c
++++ b/drivers/char/hw_random/st-rng.c
+@@ -12,6 +12,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -123,7 +124,7 @@ static int st_rng_remove(struct platform_device *pdev)
+ return 0;
+ }
+
+-static const struct of_device_id st_rng_match[] = {
++static const struct of_device_id st_rng_match[] __maybe_unused = {
+ { .compatible = "st,rng" },
+ {},
+ };
+--
+2.39.2
+
diff --git a/tmp-5.4/hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch b/tmp-5.4/hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch
new file mode 100644
index 00000000000..0b4a2e9f864
--- /dev/null
+++ b/tmp-5.4/hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch
@@ -0,0 +1,96 @@ +From 715ccdf18c8c88329a35fdd3c69c07b7e74ada91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 09:58:13 +0100 +Subject: hwrng: st - keep clock enabled while hwrng is registered + +From: Martin Kaiser + +[ Upstream commit 501e197a02d4aef157f53ba3a0b9049c3e52fedc ] + +The st-rng driver uses devres to register itself with the hwrng core, +the driver will be unregistered from hwrng when its device goes out of +scope. This happens after the driver's remove function is called. + +However, st-rng's clock is disabled in the remove function. There's a +short timeframe where st-rng is still registered with the hwrng core +although its clock is disabled. I suppose the clock must be active to +access the hardware and serve requests from the hwrng core. + +Switch to devm_clk_get_enabled and let devres disable the clock and +unregister the hwrng. This avoids the race condition. + +Fixes: 3e75241be808 ("hwrng: drivers - Use device-managed registration API") +Signed-off-by: Martin Kaiser +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/st-rng.c | 21 +-------------------- + 1 file changed, 1 insertion(+), 20 deletions(-) + +diff --git a/drivers/char/hw_random/st-rng.c b/drivers/char/hw_random/st-rng.c +index 50975e761ca58..f708a99619ecb 100644 +--- a/drivers/char/hw_random/st-rng.c ++++ b/drivers/char/hw_random/st-rng.c +@@ -42,7 +42,6 @@ + + struct st_rng_data { + void __iomem *base; +- struct clk *clk; + struct hwrng ops; + }; + +@@ -87,26 +86,18 @@ static int st_rng_probe(struct platform_device *pdev) + if (IS_ERR(base)) + return PTR_ERR(base); + +- clk = devm_clk_get(&pdev->dev, NULL); ++ clk = devm_clk_get_enabled(&pdev->dev, NULL); + if (IS_ERR(clk)) + return PTR_ERR(clk); + +- ret = clk_prepare_enable(clk); +- if (ret) +- return ret; +- + ddata->ops.priv = (unsigned long)ddata; + ddata->ops.read = st_rng_read; + ddata->ops.name = pdev->name; + ddata->base = base; +- ddata->clk = clk; +- +- 
dev_set_drvdata(&pdev->dev, ddata); + + ret = devm_hwrng_register(&pdev->dev, &ddata->ops); + if (ret) { + dev_err(&pdev->dev, "Failed to register HW RNG\n"); +- clk_disable_unprepare(clk); + return ret; + } + +@@ -115,15 +106,6 @@ static int st_rng_probe(struct platform_device *pdev) + return 0; + } + +-static int st_rng_remove(struct platform_device *pdev) +-{ +- struct st_rng_data *ddata = dev_get_drvdata(&pdev->dev); +- +- clk_disable_unprepare(ddata->clk); +- +- return 0; +-} +- + static const struct of_device_id st_rng_match[] __maybe_unused = { + { .compatible = "st,rng" }, + {}, +@@ -136,7 +118,6 @@ static struct platform_driver st_rng_driver = { + .of_match_table = of_match_ptr(st_rng_match), + }, + .probe = st_rng_probe, +- .remove = st_rng_remove + }; + + module_platform_driver(st_rng_driver); +-- +2.39.2 + diff --git a/tmp-5.4/hwrng-virtio-add-an-internal-buffer.patch b/tmp-5.4/hwrng-virtio-add-an-internal-buffer.patch new file mode 100644 index 00000000000..769f16dc836 --- /dev/null +++ b/tmp-5.4/hwrng-virtio-add-an-internal-buffer.patch 
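Review bot: The fix depends on an acquisition order that nothing in `st_rng_probe` records: `devm_clk_get_enabled()` has to stay ahead of `devm_hwrng_register()` so that devres, which releases in reverse order, unregisters the hwrng before it disables the clock. A comment above the clock call such as `/* must precede devm_hwrng_register(): devres unwinds in reverse, so the clock outlives the hwrng */` would stop a later reordering from reopening the window. This copy sits in the tmp-5.4 queue, and as far as I know `devm_clk_get_enabled()` was added to the clk API after that base, so the queue presumably needs the helper's backport applied first; the patch names no such dependency. `st_rng_probe` starts and ends outside the hunks.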
@@ -0,0 +1,127 @@ +From 6a5b285b4e99eacbafc877c8cb9e45f6babcc378 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:08 +0200 +Subject: hwrng: virtio - add an internal buffer + +From: Laurent Vivier + +[ Upstream commit bf3175bc50a3754dc427e2f5046e17a9fafc8be7 ] + +hwrng core uses two buffers that can be mixed in the +virtio-rng queue. + +If the buffer is provided with wait=0 it is enqueued in the +virtio-rng queue but unused by the caller. +On the next call, core provides another buffer but the +first one is filled instead and the new one queued. +And the caller reads the data from the new one that is not +updated, and the data in the first one are lost. + +To avoid this mix, virtio-rng needs to use its own unique +internal buffer at a cost of a data copy to the caller buffer. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-2-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 43 ++++++++++++++++++++++------- + 1 file changed, 33 insertions(+), 10 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 718d8c0876506..23149e94d621f 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -17,13 +17,20 @@ static DEFINE_IDA(rng_index_ida); + struct virtrng_info { + struct hwrng hwrng; + struct virtqueue *vq; +- struct completion have_data; + char name[25]; +- unsigned int data_avail; + int index; + bool busy; + bool hwrng_register_done; + bool hwrng_removed; ++ /* data transfer */ ++ struct completion have_data; ++ unsigned int data_avail; ++ /* minimal size returned by rng_buffer_size() */ ++#if SMP_CACHE_BYTES < 32 ++ u8 data[32]; ++#else ++ u8 data[SMP_CACHE_BYTES]; ++#endif + }; + + static void random_recv_done(struct virtqueue *vq) +@@ -38,14 +45,14 
@@ static void random_recv_done(struct virtqueue *vq) + } + + /* The host will fill any buffer we give it with sweet, sweet randomness. */ +-static void register_buffer(struct virtrng_info *vi, u8 *buf, size_t size) ++static void register_buffer(struct virtrng_info *vi) + { + struct scatterlist sg; + +- sg_init_one(&sg, buf, size); ++ sg_init_one(&sg, vi->data, sizeof(vi->data)); + + /* There should always be room for one buffer. */ +- virtqueue_add_inbuf(vi->vq, &sg, 1, buf, GFP_KERNEL); ++ virtqueue_add_inbuf(vi->vq, &sg, 1, vi->data, GFP_KERNEL); + + virtqueue_kick(vi->vq); + } +@@ -54,6 +61,8 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + { + int ret; + struct virtrng_info *vi = (struct virtrng_info *)rng->priv; ++ unsigned int chunk; ++ size_t read; + + if (vi->hwrng_removed) + return -ENODEV; +@@ -61,19 +70,33 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + if (!vi->busy) { + vi->busy = true; + reinit_completion(&vi->have_data); +- register_buffer(vi, buf, size); ++ register_buffer(vi); + } + + if (!wait) + return 0; + +- ret = wait_for_completion_killable(&vi->have_data); +- if (ret < 0) +- return ret; ++ read = 0; ++ while (size != 0) { ++ ret = wait_for_completion_killable(&vi->have_data); ++ if (ret < 0) ++ return ret; ++ ++ chunk = min_t(unsigned int, size, vi->data_avail); ++ memcpy(buf + read, vi->data, chunk); ++ read += chunk; ++ size -= chunk; ++ vi->data_avail = 0; ++ ++ if (size != 0) { ++ reinit_completion(&vi->have_data); ++ register_buffer(vi); ++ } ++ } + + vi->busy = false; + +- return vi->data_avail; ++ return read; + } + + static void virtio_cleanup(struct hwrng *rng) +-- +2.39.2 + diff --git a/tmp-5.4/hwrng-virtio-always-add-a-pending-request.patch b/tmp-5.4/hwrng-virtio-always-add-a-pending-request.patch new file mode 100644 index 00000000000..1d85375023e --- /dev/null +++ b/tmp-5.4/hwrng-virtio-always-add-a-pending-request.patch 
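Review bot: The copy in `virtio_read` is bounded by the caller's `size` and by `vi->data_avail`, but not by the size of the new internal buffer: `chunk = min_t(unsigned int, size, vi->data_avail)` followed by `memcpy(buf + read, vi->data, chunk)` reads past `vi->data` if `data_avail` ever exceeds `sizeof(vi->data)`. `data_avail` is filled in outside the changed lines, presumably with the length the device reports, so the bound rests on the device being well behaved. Clamping makes the bound local: `chunk = min_t(unsigned int, chunk, sizeof(vi->data));` right after the existing `min_t`. `copy_data()` in the later "don't waste entropy" patch of this queue carries the same pattern with `vi->data + vi->data_idx` and would want the equivalent check.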
@@ -0,0 +1,111 @@ +From 2cb8a0e665647074371a4a03a06c9dc5753ccdca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:11 +0200 +Subject: hwrng: virtio - always add a pending request + +From: Laurent Vivier + +[ Upstream commit 9a4b612d675b03f7fc9fa1957ca399c8223f3954 ] + +If we ensure we have already some data available by enqueuing +again the buffer once data are exhausted, we can return what we +have without waiting for the device answer. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-5-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 207a5f3b335c0..f98e3ee5f8b03 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -19,7 +19,6 @@ struct virtrng_info { + struct virtqueue *vq; + char name[25]; + int index; +- bool busy; + bool hwrng_register_done; + bool hwrng_removed; + /* data transfer */ +@@ -43,16 +42,18 @@ static void random_recv_done(struct virtqueue *vq) + return; + + vi->data_idx = 0; +- vi->busy = false; + + complete(&vi->have_data); + } + +-/* The host will fill any buffer we give it with sweet, sweet randomness. */ +-static void register_buffer(struct virtrng_info *vi) ++static void request_entropy(struct virtrng_info *vi) + { + struct scatterlist sg; + ++ reinit_completion(&vi->have_data); ++ vi->data_avail = 0; ++ vi->data_idx = 0; ++ + sg_init_one(&sg, vi->data, sizeof(vi->data)); + + /* There should always be room for one buffer. 
*/ +@@ -68,6 +69,8 @@ static unsigned int copy_data(struct virtrng_info *vi, void *buf, + memcpy(buf, vi->data + vi->data_idx, size); + vi->data_idx += size; + vi->data_avail -= size; ++ if (vi->data_avail == 0) ++ request_entropy(vi); + return size; + } + +@@ -97,13 +100,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + * so either size is 0 or data_avail is 0 + */ + while (size != 0) { +- /* data_avail is 0 */ +- if (!vi->busy) { +- /* no pending request, ask for more */ +- vi->busy = true; +- reinit_completion(&vi->have_data); +- register_buffer(vi); +- } ++ /* data_avail is 0 but a request is pending */ + ret = wait_for_completion_killable(&vi->have_data); + if (ret < 0) + return ret; +@@ -125,8 +122,7 @@ static void virtio_cleanup(struct hwrng *rng) + { + struct virtrng_info *vi = (struct virtrng_info *)rng->priv; + +- if (vi->busy) +- complete(&vi->have_data); ++ complete(&vi->have_data); + } + + static int probe_common(struct virtio_device *vdev) +@@ -162,6 +158,9 @@ static int probe_common(struct virtio_device *vdev) + goto err_find; + } + ++ /* we always have a pending entropy request */ ++ request_entropy(vi); ++ + return 0; + + err_find: +@@ -180,7 +179,6 @@ static void remove_common(struct virtio_device *vdev) + vi->data_idx = 0; + complete(&vi->have_data); + vdev->config->reset(vdev); +- vi->busy = false; + if (vi->hwrng_register_done) + hwrng_unregister(&vi->hwrng); + vdev->config->del_vqs(vdev); +-- +2.39.2 + diff --git a/tmp-5.4/hwrng-virtio-don-t-wait-on-cleanup.patch b/tmp-5.4/hwrng-virtio-don-t-wait-on-cleanup.patch new file mode 100644 index 00000000000..6f32d78ed8c --- /dev/null +++ b/tmp-5.4/hwrng-virtio-don-t-wait-on-cleanup.patch 
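Review bot: `request_entropy(vi)` at the end of `probe_common` queues a buffer and kicks the virtqueue during probe, and the hunk does not show the device being marked ready before that. The virtio specification expects the driver to set DRIVER_OK before it notifies the device, so the call should be preceded by `virtio_device_ready(vdev);` unless that already happens earlier in `probe_common`, which lies outside the hunk. If it does, a short comment next to the call saying so would save the next reader the same check.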
@@ -0,0 +1,58 @@ +From a406077dac0b95e2a23e07bd5b7c2612d68b3bb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:09 +0200 +Subject: hwrng: virtio - don't wait on cleanup + +From: Laurent Vivier + +[ Upstream commit 2bb31abdbe55742c89f4dc0cc26fcbc8467364f6 ] + +When virtio-rng device was dropped by the hwrng core we were forced +to wait the buffer to come back from the device to not have +remaining ongoing operation that could spoil the buffer. + +But now, as the buffer is internal to the virtio-rng we can release +the waiting loop immediately, the buffer will be retrieve and use +when the virtio-rng driver will be selected again. + +This avoids to hang on an rng_current write command if the virtio-rng +device is blocked by a lack of entropy. This allows to select +another entropy source if the current one is empty. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-3-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index 23149e94d621f..c8f5a3392e48c 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -81,6 +81,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + ret = wait_for_completion_killable(&vi->have_data); + if (ret < 0) + return ret; ++ /* if vi->data_avail is 0, we have been interrupted ++ * by a cleanup, but buffer stays in the queue ++ */ ++ if (vi->data_avail == 0) ++ return read; + + chunk = min_t(unsigned int, size, vi->data_avail); + memcpy(buf + read, vi->data, chunk); +@@ -104,7 +109,7 @@ static void virtio_cleanup(struct hwrng *rng) + struct virtrng_info *vi = (struct virtrng_info *)rng->priv; + + if 
(vi->busy) +- wait_for_completion(&vi->have_data); ++ complete(&vi->have_data); + } + + static int probe_common(struct virtio_device *vdev) +-- +2.39.2 + diff --git a/tmp-5.4/hwrng-virtio-don-t-waste-entropy.patch b/tmp-5.4/hwrng-virtio-don-t-waste-entropy.patch new file mode 100644 index 00000000000..8217a5d7f66 --- /dev/null +++ b/tmp-5.4/hwrng-virtio-don-t-waste-entropy.patch 
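Review bot: The new `if (vi->data_avail == 0) return read;` treats a zero length as proof that `virtio_cleanup` woke the reader, but a completion from the device that reports zero bytes would look identical. On that path `vi->busy` stays true although no buffer is queued any more, so with this patch taken alone the next `virtio_read` would appear to skip `register_buffer` and wait on a completion nobody signals; the later "don't waste entropy" patch in this queue clears `busy` in `random_recv_done`. The comment should name both cases, e.g. `/* data_avail == 0: woken by cleanup (buffer still queued) or the device returned no data */`. `virtio_read` starts and ends outside the hunk.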
@@ -0,0 +1,130 @@ +From b24fa80fc841193dfa55417d1aad4e5737135b38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:11:10 +0200 +Subject: hwrng: virtio - don't waste entropy + +From: Laurent Vivier + +[ Upstream commit 5c8e933050044d6dd2a000f9a5756ae73cbe7c44 ] + +if we don't use all the entropy available in the buffer, keep it +and use it later. + +Signed-off-by: Laurent Vivier +Link: https://lore.kernel.org/r/20211028101111.128049-4-lvivier@redhat.com +Signed-off-by: Michael S. Tsirkin +Stable-dep-of: ac52578d6e8d ("hwrng: virtio - Fix race on data_avail and actual data") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 52 +++++++++++++++++++---------- + 1 file changed, 35 insertions(+), 17 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index c8f5a3392e48c..207a5f3b335c0 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -25,6 +25,7 @@ struct virtrng_info { + /* data transfer */ + struct completion have_data; + unsigned int data_avail; ++ unsigned int data_idx; + /* minimal size returned by rng_buffer_size() */ + #if SMP_CACHE_BYTES < 32 + u8 data[32]; +@@ -41,6 +42,9 @@ static void random_recv_done(struct virtqueue *vq) + if (!virtqueue_get_buf(vi->vq, &vi->data_avail)) + return; + ++ vi->data_idx = 0; ++ vi->busy = false; ++ + complete(&vi->have_data); + } + +@@ -57,6 +61,16 @@ static void register_buffer(struct virtrng_info *vi) + virtqueue_kick(vi->vq); + } + ++static unsigned int copy_data(struct virtrng_info *vi, void *buf, ++ unsigned int size) ++{ ++ size = min_t(unsigned int, size, vi->data_avail); ++ memcpy(buf, vi->data + vi->data_idx, size); ++ vi->data_idx += size; ++ vi->data_avail -= size; ++ return size; ++} ++ + static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + { + int ret; +@@ -67,17 +81,29 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + 
if (vi->hwrng_removed) + return -ENODEV; + +- if (!vi->busy) { +- vi->busy = true; +- reinit_completion(&vi->have_data); +- register_buffer(vi); ++ read = 0; ++ ++ /* copy available data */ ++ if (vi->data_avail) { ++ chunk = copy_data(vi, buf, size); ++ size -= chunk; ++ read += chunk; + } + + if (!wait) +- return 0; ++ return read; + +- read = 0; ++ /* We have already copied available entropy, ++ * so either size is 0 or data_avail is 0 ++ */ + while (size != 0) { ++ /* data_avail is 0 */ ++ if (!vi->busy) { ++ /* no pending request, ask for more */ ++ vi->busy = true; ++ reinit_completion(&vi->have_data); ++ register_buffer(vi); ++ } + ret = wait_for_completion_killable(&vi->have_data); + if (ret < 0) + return ret; +@@ -87,20 +113,11 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + if (vi->data_avail == 0) + return read; + +- chunk = min_t(unsigned int, size, vi->data_avail); +- memcpy(buf + read, vi->data, chunk); +- read += chunk; ++ chunk = copy_data(vi, buf + read, size); + size -= chunk; +- vi->data_avail = 0; +- +- if (size != 0) { +- reinit_completion(&vi->have_data); +- register_buffer(vi); +- } ++ read += chunk; + } + +- vi->busy = false; +- + return read; + } + +@@ -160,6 +177,7 @@ static void remove_common(struct virtio_device *vdev) + + vi->hwrng_removed = true; + vi->data_avail = 0; ++ vi->data_idx = 0; + complete(&vi->have_data); + vdev->config->reset(vdev); + vi->busy = false; +-- +2.39.2 + diff --git a/tmp-5.4/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch b/tmp-5.4/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch new file mode 100644 index 00000000000..a6ec53cd9a5 --- /dev/null +++ b/tmp-5.4/hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch 
@@ -0,0 +1,86 @@ +From 8a4a549b7f39f7e6fa22594774a47da073037e9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 May 2023 11:59:32 +0800 +Subject: hwrng: virtio - Fix race on data_avail and actual data + +From: Herbert Xu + +[ Upstream commit ac52578d6e8d300dd50f790f29a24169b1edd26c ] + +The virtio rng device kicks off a new entropy request whenever the +data available reaches zero. When a new request occurs at the end +of a read operation, that is, when the result of that request is +only needed by the next reader, then there is a race between the +writing of the new data and the next reader. + +This is because there is no synchronisation whatsoever between the +writer and the reader. + +Fix this by writing data_avail with smp_store_release and reading +it with smp_load_acquire when we first enter read. The subsequent +reads are safe because they're either protected by the first load +acquire, or by the completion mechanism. + +Also remove the redundant zeroing of data_idx in random_recv_done +(data_idx must already be zero at this point) and data_avail in +request_entropy (ditto). + +Reported-by: syzbot+726dc8c62c3536431ceb@syzkaller.appspotmail.com +Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.") +Signed-off-by: Herbert Xu +Acked-by: Michael S. 
Tsirkin +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/virtio-rng.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c +index f98e3ee5f8b03..145d7b1055c07 100644 +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -4,6 +4,7 @@ + * Copyright (C) 2007, 2008 Rusty Russell IBM Corporation + */ + ++#include + #include + #include + #include +@@ -36,13 +37,13 @@ struct virtrng_info { + static void random_recv_done(struct virtqueue *vq) + { + struct virtrng_info *vi = vq->vdev->priv; ++ unsigned int len; + + /* We can get spurious callbacks, e.g. shared IRQs + virtio_pci. */ +- if (!virtqueue_get_buf(vi->vq, &vi->data_avail)) ++ if (!virtqueue_get_buf(vi->vq, &len)) + return; + +- vi->data_idx = 0; +- ++ smp_store_release(&vi->data_avail, len); + complete(&vi->have_data); + } + +@@ -51,7 +52,6 @@ static void request_entropy(struct virtrng_info *vi) + struct scatterlist sg; + + reinit_completion(&vi->have_data); +- vi->data_avail = 0; + vi->data_idx = 0; + + sg_init_one(&sg, vi->data, sizeof(vi->data)); +@@ -87,7 +87,7 @@ static int virtio_read(struct hwrng *rng, void *buf, size_t size, bool wait) + read = 0; + + /* copy available data */ +- if (vi->data_avail) { ++ if (smp_load_acquire(&vi->data_avail)) { + chunk = copy_data(vi, buf, size); + size -= chunk; + read += chunk; +-- +2.39.2 + diff --git a/tmp-5.4/i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch b/tmp-5.4/i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch new file mode 100644 index 00000000000..37c3473c8fd --- /dev/null +++ b/tmp-5.4/i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch 
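Review bot: The two new barriers carry no comment naming their pairing, which kernel coding style asks for on memory barriers. Suggested above the store in `random_recv_done`: `/* Pairs with smp_load_acquire() in virtio_read(): buffer contents are visible before data_avail */`, and above the load in `virtio_read`: `/* Pairs with smp_store_release() in random_recv_done() */`. `copy_data()` then re-reads `vi->data_avail` with plain loads; the commit message argues this is safe, and a one-line note there would save the next reader from re-deriving it.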
@@ -0,0 +1,112 @@ +From 55e0d2495f220a9481e73f0e53e8223c51ae11e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Aug 2021 23:41:42 +0200 +Subject: i2c: xiic: Defer xiic_wakeup() and __xiic_start_xfer() in + xiic_process() + +From: Marek Vasut + +[ Upstream commit 743e227a895923c37a333eb2ebf3e391f00c406d ] + +The __xiic_start_xfer() manipulates the interrupt flags, xiic_wakeup() +may result in return from xiic_xfer() early. Defer both to the end of +the xiic_process() interrupt thread, so that they are executed after +all the other interrupt bits handling completed and once it completely +safe to perform changes to the interrupt bits in the hardware. + +Signed-off-by: Marek Vasut +Acked-by: Michal Simek +Signed-off-by: Wolfram Sang +Stable-dep-of: cb6e45c9a0ad ("i2c: xiic: Don't try to handle more interrupt events after error") +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-xiic.c | 37 ++++++++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 11 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c +index c92ea6990ec69..c3fcaf5decc74 100644 +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -353,6 +353,9 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + struct xiic_i2c *i2c = dev_id; + u32 pend, isr, ier; + u32 clr = 0; ++ int xfer_more = 0; ++ int wakeup_req = 0; ++ int wakeup_code = 0; + + /* Get the interrupt Status from the IPIF. There is no clearing of + * interrupts in the IPIF. Interrupts must be cleared at the source. 
+@@ -389,10 +392,14 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + */ + xiic_reinit(i2c); + +- if (i2c->rx_msg) +- xiic_wakeup(i2c, STATE_ERROR); +- if (i2c->tx_msg) +- xiic_wakeup(i2c, STATE_ERROR); ++ if (i2c->rx_msg) { ++ wakeup_req = 1; ++ wakeup_code = STATE_ERROR; ++ } ++ if (i2c->tx_msg) { ++ wakeup_req = 1; ++ wakeup_code = STATE_ERROR; ++ } + } + if (pend & XIIC_INTR_RX_FULL_MASK) { + /* Receive register/FIFO is full */ +@@ -426,8 +433,7 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + i2c->tx_msg++; + dev_dbg(i2c->adap.dev.parent, + "%s will start next...\n", __func__); +- +- __xiic_start_xfer(i2c); ++ xfer_more = 1; + } + } + } +@@ -441,11 +447,13 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + if (!i2c->tx_msg) + goto out; + +- if ((i2c->nmsgs == 1) && !i2c->rx_msg && +- xiic_tx_space(i2c) == 0) +- xiic_wakeup(i2c, STATE_DONE); ++ wakeup_req = 1; ++ ++ if (i2c->nmsgs == 1 && !i2c->rx_msg && ++ xiic_tx_space(i2c) == 0) ++ wakeup_code = STATE_DONE; + else +- xiic_wakeup(i2c, STATE_ERROR); ++ wakeup_code = STATE_ERROR; + } + if (pend & (XIIC_INTR_TX_EMPTY_MASK | XIIC_INTR_TX_HALF_MASK)) { + /* Transmit register/FIFO is empty or ½ empty */ +@@ -469,7 +477,7 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + if (i2c->nmsgs > 1) { + i2c->nmsgs--; + i2c->tx_msg++; +- __xiic_start_xfer(i2c); ++ xfer_more = 1; + } else { + xiic_irq_dis(i2c, XIIC_INTR_TX_HALF_MASK); + +@@ -487,6 +495,13 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + dev_dbg(i2c->adap.dev.parent, "%s clr: 0x%x\n", __func__, clr); + + xiic_setreg32(i2c, XIIC_IISR_OFFSET, clr); ++ if (xfer_more) ++ __xiic_start_xfer(i2c); ++ if (wakeup_req) ++ xiic_wakeup(i2c, wakeup_code); ++ ++ WARN_ON(xfer_more && wakeup_req); ++ + mutex_unlock(&i2c->lock); + return IRQ_HANDLED; + } +-- +2.39.2 + 
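Review bot: `WARN_ON(xfer_more && wakeup_req)` sits after both `__xiic_start_xfer(i2c)` and `xiic_wakeup(i2c, wakeup_code)` have already run, so it reports the unexpected combination without preventing it, and it fires on every interrupt that hits it. The follow-up patch in this queue ("Don't try to handle more interrupt events after error") says the combination did occur in practice; on systems running with panic_on_warn a repeatable WARN in the interrupt thread is an availability problem. `WARN_ON_ONCE(xfer_more && wakeup_req);` placed before the two deferred calls would keep the diagnostic and bound the noise. The flags are `int` used as booleans and the `rx_msg`/`tx_msg` branches in the error path set identical values, so `if (i2c->rx_msg || i2c->tx_msg)` with `bool` flags would read more simply. `xiic_process` starts and ends outside the hunks.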
diff --git a/tmp-5.4/i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch b/tmp-5.4/i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch new file mode 100644 index 00000000000..97e4d4aa12d --- /dev/null +++ b/tmp-5.4/i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch 
@@ -0,0 +1,60 @@ +From d7a67b251fc7714cdcc0a35f0488138fc6a21c3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jun 2023 12:25:58 -0600 +Subject: i2c: xiic: Don't try to handle more interrupt events after error + +From: Robert Hancock + +[ Upstream commit cb6e45c9a0ad9e0f8664fd06db0227d185dc76ab ] + +In xiic_process, it is possible that error events such as arbitration +lost or TX error can be raised in conjunction with other interrupt flags +such as TX FIFO empty or bus not busy. Error events result in the +controller being reset and the error returned to the calling request, +but the function could potentially try to keep handling the other +events, such as by writing more messages into the TX FIFO. Since the +transaction has already failed, this is not helpful and will just cause +issues. + +This problem has been present ever since: + +commit 7f9906bd7f72 ("i2c: xiic: Service all interrupts in isr") + +which allowed non-error events to be handled after errors, but became +more obvious after: + +commit 743e227a8959 ("i2c: xiic: Defer xiic_wakeup() and +__xiic_start_xfer() in xiic_process()") + +which reworked the code to add a WARN_ON which triggers if both the +xfer_more and wakeup_req flags were set, since this combination is +not supposed to happen, but was occurring in this scenario. + +Skip further interrupt handling after error flags are detected to avoid +this problem. 
+ +Fixes: 7f9906bd7f72 ("i2c: xiic: Service all interrupts in isr") +Signed-off-by: Robert Hancock +Acked-by: Andi Shyti +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-xiic.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c +index c3fcaf5decc74..6bcb46cc28cdf 100644 +--- a/drivers/i2c/busses/i2c-xiic.c ++++ b/drivers/i2c/busses/i2c-xiic.c +@@ -400,6 +400,8 @@ static irqreturn_t xiic_process(int irq, void *dev_id) + wakeup_req = 1; + wakeup_code = STATE_ERROR; + } ++ /* don't try to handle other events */ ++ goto out; + } + if (pend & XIIC_INTR_RX_FULL_MASK) { + /* Receive register/FIFO is full */ +-- +2.39.2 + diff --git a/tmp-5.4/iavf-fix-use-after-free-in-free_netdev.patch b/tmp-5.4/iavf-fix-use-after-free-in-free_netdev.patch new file mode 100644 index 00000000000..f64b6dea5e0 --- /dev/null +++ b/tmp-5.4/iavf-fix-use-after-free-in-free_netdev.patch 
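Review bot: The added `goto out;` is only correct if the `out:` label sits ahead of the `xiic_setreg32(i2c, XIIC_IISR_OFFSET, clr)` write and the deferred `xiic_wakeup(i2c, wakeup_code)` call; the label is outside the hunk, so this should be confirmed for the 5.4 backport. If the label were placed after them, the error path would leave the interrupt status uncleared and the waiter unwoken until its timeout. The comment could state the reason rather than the action, e.g. `/* controller was reset and the transfer failed: skip the remaining events */`.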
@@ -0,0 +1,215 @@ +From f8349f8f3af5f904d0f0db6d6cd33649b3e73dc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 19:11:47 +0800 +Subject: iavf: Fix use-after-free in free_netdev + +From: Ding Hui + +[ Upstream commit 5f4fa1672d98fe99d2297b03add35346f1685d6b ] + +We do netif_napi_add() for all allocated q_vectors[], but potentially +do netif_napi_del() for part of them, then kfree q_vectors and leave +invalid pointers at dev->napi_list. + +Reproducer: + + [root@host ~]# cat repro.sh + #!/bin/bash + + pf_dbsf="0000:41:00.0" + vf0_dbsf="0000:41:02.0" + g_pids=() + + function do_set_numvf() + { + echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + } + + function do_set_channel() + { + local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) + [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } + ifconfig $nic 192.168.18.5 netmask 255.255.255.0 + ifconfig $nic up + ethtool -L $nic combined 1 + ethtool -L $nic combined 4 + sleep $((RANDOM%3)) + } + + function on_exit() + { + local pid + for pid in "${g_pids[@]}"; do + kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null + done + g_pids=() + } + + trap "on_exit; exit" EXIT + + while :; do do_set_numvf ; done & + g_pids+=($!) + while :; do do_set_channel ; done & + g_pids+=($!) + + wait + +Result: + +[ 4093.900222] ================================================================== +[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390 +[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699 +[ 4093.900233] +[ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 +[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 +[ 4093.900239] Call Trace: +[ 4093.900244] dump_stack+0x71/0xab +[ 4093.900249] print_address_description+0x6b/0x290 +[ 4093.900251] ? 
free_netdev+0x308/0x390 +[ 4093.900252] kasan_report+0x14a/0x2b0 +[ 4093.900254] free_netdev+0x308/0x390 +[ 4093.900261] iavf_remove+0x825/0xd20 [iavf] +[ 4093.900265] pci_device_remove+0xa8/0x1f0 +[ 4093.900268] device_release_driver_internal+0x1c6/0x460 +[ 4093.900271] pci_stop_bus_device+0x101/0x150 +[ 4093.900273] pci_stop_and_remove_bus_device+0xe/0x20 +[ 4093.900275] pci_iov_remove_virtfn+0x187/0x420 +[ 4093.900277] ? pci_iov_add_virtfn+0xe10/0xe10 +[ 4093.900278] ? pci_get_subsys+0x90/0x90 +[ 4093.900280] sriov_disable+0xed/0x3e0 +[ 4093.900282] ? bus_find_device+0x12d/0x1a0 +[ 4093.900290] i40e_free_vfs+0x754/0x1210 [i40e] +[ 4093.900298] ? i40e_reset_all_vfs+0x880/0x880 [i40e] +[ 4093.900299] ? pci_get_device+0x7c/0x90 +[ 4093.900300] ? pci_get_subsys+0x90/0x90 +[ 4093.900306] ? pci_vfs_assigned.part.7+0x144/0x210 +[ 4093.900309] ? __mutex_lock_slowpath+0x10/0x10 +[ 4093.900315] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 4093.900318] sriov_numvfs_store+0x214/0x290 +[ 4093.900320] ? sriov_totalvfs_show+0x30/0x30 +[ 4093.900321] ? __mutex_lock_slowpath+0x10/0x10 +[ 4093.900323] ? __check_object_size+0x15a/0x350 +[ 4093.900326] kernfs_fop_write+0x280/0x3f0 +[ 4093.900329] vfs_write+0x145/0x440 +[ 4093.900330] ksys_write+0xab/0x160 +[ 4093.900332] ? __ia32_sys_read+0xb0/0xb0 +[ 4093.900334] ? fput_many+0x1a/0x120 +[ 4093.900335] ? filp_close+0xf0/0x130 +[ 4093.900338] do_syscall_64+0xa0/0x370 +[ 4093.900339] ? 
page_fault+0x8/0x30 +[ 4093.900341] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 4093.900357] RIP: 0033:0x7f16ad4d22c0 +[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 +[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0 +[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001 +[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700 +[ 4093.900364] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 +[ 4093.900365] R13: 0000000000000001 R14: 00007f16ad7a0620 R15: 0000000000000001 +[ 4093.900367] +[ 4093.900368] Allocated by task 820: +[ 4093.900371] kasan_kmalloc+0xa6/0xd0 +[ 4093.900373] __kmalloc+0xfb/0x200 +[ 4093.900376] iavf_init_interrupt_scheme+0x63b/0x1320 [iavf] +[ 4093.900380] iavf_watchdog_task+0x3d51/0x52c0 [iavf] +[ 4093.900382] process_one_work+0x56a/0x11f0 +[ 4093.900383] worker_thread+0x8f/0xf40 +[ 4093.900384] kthread+0x2a0/0x390 +[ 4093.900385] ret_from_fork+0x1f/0x40 +[ 4093.900387] 0xffffffffffffffff +[ 4093.900387] +[ 4093.900388] Freed by task 6699: +[ 4093.900390] __kasan_slab_free+0x137/0x190 +[ 4093.900391] kfree+0x8b/0x1b0 +[ 4093.900394] iavf_free_q_vectors+0x11d/0x1a0 [iavf] +[ 4093.900397] iavf_remove+0x35a/0xd20 [iavf] +[ 4093.900399] pci_device_remove+0xa8/0x1f0 +[ 4093.900400] device_release_driver_internal+0x1c6/0x460 +[ 4093.900401] pci_stop_bus_device+0x101/0x150 +[ 4093.900402] pci_stop_and_remove_bus_device+0xe/0x20 +[ 4093.900403] pci_iov_remove_virtfn+0x187/0x420 +[ 4093.900404] sriov_disable+0xed/0x3e0 +[ 4093.900409] i40e_free_vfs+0x754/0x1210 [i40e] +[ 4093.900415] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 4093.900416] sriov_numvfs_store+0x214/0x290 +[ 4093.900417] 
kernfs_fop_write+0x280/0x3f0 +[ 4093.900418] vfs_write+0x145/0x440 +[ 4093.900419] ksys_write+0xab/0x160 +[ 4093.900420] do_syscall_64+0xa0/0x370 +[ 4093.900421] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 4093.900422] 0xffffffffffffffff +[ 4093.900422] +[ 4093.900424] The buggy address belongs to the object at ffff88b4dc144200 + which belongs to the cache kmalloc-8k of size 8192 +[ 4093.900425] The buggy address is located 5184 bytes inside of + 8192-byte region [ffff88b4dc144200, ffff88b4dc146200) +[ 4093.900425] The buggy address belongs to the page: +[ 4093.900427] page:ffffea00d3705000 refcount:1 mapcount:0 mapping:ffff88bf04415c80 index:0x0 compound_mapcount: 0 +[ 4093.900430] flags: 0x10000000008100(slab|head) +[ 4093.900433] raw: 0010000000008100 dead000000000100 dead000000000200 ffff88bf04415c80 +[ 4093.900434] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000 +[ 4093.900434] page dumped because: kasan: bad access detected +[ 4093.900435] +[ 4093.900435] Memory state around the buggy address: +[ 4093.900436] ffff88b4dc145500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900437] ffff88b4dc145580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900438] >ffff88b4dc145600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900438] ^ +[ 4093.900439] ffff88b4dc145680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900440] ffff88b4dc145700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900440] ================================================================== + +Although the patch #2 (of 2) can avoid the issue triggered by this +repro.sh, there still are other potential risks that if num_active_queues +is changed to less than allocated q_vectors[] by unexpected, the +mismatched netif_napi_add/del() can also cause UAF. 
+ +Since we actually call netif_napi_add() for all allocated q_vectors +unconditionally in iavf_alloc_q_vectors(), so we should fix it by +letting netif_napi_del() match to netif_napi_add(). + +Fixes: 5eae00c57f5e ("i40evf: main driver core") +Signed-off-by: Ding Hui +Cc: Donglin Peng +Cc: Huang Cun +Reviewed-by: Simon Horman +Reviewed-by: Madhu Chittim +Reviewed-by: Leon Romanovsky +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 838cd7881f2f7..9cf556fedc704 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1389,19 +1389,16 @@ static int iavf_alloc_q_vectors(struct iavf_adapter *adapter) + static void iavf_free_q_vectors(struct iavf_adapter *adapter) + { + int q_idx, num_q_vectors; +- int napi_vectors; + + if (!adapter->q_vectors) + return; + + num_q_vectors = adapter->num_msix_vectors - NONQ_VECS; +- napi_vectors = adapter->num_active_queues; + + for (q_idx = 0; q_idx < num_q_vectors; q_idx++) { + struct iavf_q_vector *q_vector = &adapter->q_vectors[q_idx]; + +- if (q_idx < napi_vectors) +- netif_napi_del(&q_vector->napi); ++ netif_napi_del(&q_vector->napi); + } + kfree(adapter->q_vectors); + adapter->q_vectors = NULL; +-- +2.39.2 + diff --git a/tmp-5.4/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch b/tmp-5.4/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch new file mode 100644 index 00000000000..0bd99028c2c --- /dev/null +++ b/tmp-5.4/ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch 
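Review bot: With the `napi_vectors` guard gone, the loop bound `num_q_vectors = adapter->num_msix_vectors - NONQ_VECS` is the only thing tying `netif_napi_del()` to the `netif_napi_add()` calls in `iavf_alloc_q_vectors()`, and it is recomputed from adapter state at free time rather than recorded at allocation. The commit message describes exactly this kind of drift for `num_active_queues`; whether `num_msix_vectors` can change between allocation and free is not visible here, so that is worth confirming. A comment on the loop such as `/* must mirror the netif_napi_add() loop in iavf_alloc_q_vectors() */` would document the pairing. `iavf_free_q_vectors` ends outside the hunk.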
@@ -0,0 +1,110 @@ +From 2dee9c4c3ff7ec007303988264b1cf40a7a30180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 11:56:28 -0500 +Subject: IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors + +From: Patrick Kelsey + +[ Upstream commit fd8958efe8779d3db19c9124fce593ce681ac709 ] + +Fix three sources of error involving struct sdma_txreq.num_descs. + +When _extend_sdma_tx_descs() extends the descriptor array, it uses the +value of tx->num_descs to determine how many existing entries from the +tx's original, internal descriptor array to copy to the newly allocated +one. As this value was incremented before the call, the copy loop will +access one entry past the internal descriptor array, copying its contents +into the corresponding slot in the new array. + +If the call to _extend_sdma_tx_descs() fails, _pad_smda_tx_descs() then +invokes __sdma_tx_clean() which uses the value of tx->num_desc to drive a +loop that unmaps all descriptor entries in use. As this value was +incremented before the call, the unmap loop will invoke sdma_unmap_desc() +on a descriptor entry whose contents consist of whatever random data was +copied into it during (1), leading to cascading further calls into the +kernel and driver using arbitrary data. + +_sdma_close_tx() was using tx->num_descs instead of tx->num_descs - 1. + +Fix all of the above by: +- Only increment .num_descs after .descp is extended. +- Use .num_descs - 1 instead of .num_descs for last .descp entry. 
+ +Fixes: f4d26d81ad7f ("staging/rdma/hfi1: Add coalescing support for SDMA TX descriptors") +Link: https://lore.kernel.org/r/167656658879.2223096.10026561343022570690.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Brendan Cunningham +Signed-off-by: Patrick Kelsey +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/sdma.c | 4 ++-- + drivers/infiniband/hw/hfi1/sdma.h | 15 +++++++-------- + 2 files changed, 9 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/sdma.c b/drivers/infiniband/hw/hfi1/sdma.c +index 2a684fc6056e1..057c9ffcd02e1 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.c ++++ b/drivers/infiniband/hw/hfi1/sdma.c +@@ -3203,8 +3203,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + { + int rval = 0; + +- tx->num_desc++; +- if ((unlikely(tx->num_desc == tx->desc_limit))) { ++ if ((unlikely(tx->num_desc + 1 == tx->desc_limit))) { + rval = _extend_sdma_tx_descs(dd, tx); + if (rval) { + __sdma_txclean(dd, tx); +@@ -3217,6 +3216,7 @@ int _pad_sdma_tx_descs(struct hfi1_devdata *dd, struct sdma_txreq *tx) + SDMA_MAP_NONE, + dd->sdma_pad_phys, + sizeof(u32) - (tx->packet_len & (sizeof(u32) - 1))); ++ tx->num_desc++; + _sdma_close_tx(dd, tx); + return rval; + } +diff --git a/drivers/infiniband/hw/hfi1/sdma.h b/drivers/infiniband/hw/hfi1/sdma.h +index 1e2e40f79cb20..6ac00755848db 100644 +--- a/drivers/infiniband/hw/hfi1/sdma.h ++++ b/drivers/infiniband/hw/hfi1/sdma.h +@@ -672,14 +672,13 @@ static inline void sdma_txclean(struct hfi1_devdata *dd, struct sdma_txreq *tx) + static inline void _sdma_close_tx(struct hfi1_devdata *dd, + struct sdma_txreq *tx) + { +- tx->descp[tx->num_desc].qw[0] |= +- SDMA_DESC0_LAST_DESC_FLAG; +- tx->descp[tx->num_desc].qw[1] |= +- dd->default_desc1; ++ u16 last_desc = tx->num_desc - 1; ++ ++ tx->descp[last_desc].qw[0] |= SDMA_DESC0_LAST_DESC_FLAG; ++ tx->descp[last_desc].qw[1] |= dd->default_desc1; + if 
(tx->flags & SDMA_TXREQ_F_URGENT) +- tx->descp[tx->num_desc].qw[1] |= +- (SDMA_DESC1_HEAD_TO_HOST_FLAG | +- SDMA_DESC1_INT_REQ_FLAG); ++ tx->descp[last_desc].qw[1] |= (SDMA_DESC1_HEAD_TO_HOST_FLAG | ++ SDMA_DESC1_INT_REQ_FLAG); + } + + static inline int _sdma_txadd_daddr( +@@ -696,6 +695,7 @@ static inline int _sdma_txadd_daddr( + type, + addr, len); + WARN_ON(len > tx->tlen); ++ tx->num_desc++; + tx->tlen -= len; + /* special cases for last */ + if (!tx->tlen) { +@@ -707,7 +707,6 @@ static inline int _sdma_txadd_daddr( + _sdma_close_tx(dd, tx); + } + } +- tx->num_desc++; + return rval; + } + +-- +2.39.2 + diff --git a/tmp-5.4/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch b/tmp-5.4/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch new file mode 100644 index 00000000000..d9c91e65a55 --- /dev/null +++ b/tmp-5.4/icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch 
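Review bot: `_sdma_close_tx()` in sdma.h now indexes with `u16 last_desc = tx->num_desc - 1;`, which wraps to 0xffff if the function is ever reached with `num_desc == 0`, so the `tx->descp[last_desc]` writes would land outside the descriptor array. In the hunks shown, `_pad_sdma_tx_descs()` and `_sdma_txadd_daddr()` both increment `num_desc` before calling it, so the precondition holds on these paths, but nothing states or enforces it. I would add `/* caller must already have counted the last descriptor: tx->num_desc >= 1 */` above the function, or guard with `if (WARN_ON_ONCE(!tx->num_desc)) return;`. Both callers' bodies start outside the hunks, so any other call sites were not checked.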
@@ -0,0 +1,145 @@ +From dfabf3cb2a6e619faed5ac9bc76d21417cb33a66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 18:43:27 -0700 +Subject: icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in + icmp6_dev(). + +From: Kuniyuki Iwashima + +[ Upstream commit 2aaa8a15de73874847d62eb595c6683bface80fd ] + +With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that +has the link-local address as src and dst IP and will be forwarded to +an external IP in the IPv6 Ext Hdr. + +For example, the script below generates a packet whose src IP is the +link-local address and dst is updated to 11::. + + # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done + # python3 + >>> from socket import * + >>> from scapy.all import * + >>> + >>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456" + >>> + >>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR) + >>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1) + >>> + >>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW) + >>> sk.sendto(bytes(pkt), (DST_ADDR, 0)) + +For such a packet, we call ip6_route_input() to look up a route for the +next destination in these three functions depending on the header type. + + * ipv6_rthdr_rcv() + * ipv6_rpl_srh_rcv() + * ipv6_srh_rcv() + +If no route is found, ip6_null_entry is set to skb, and the following +dst_input(skb) calls ip6_pkt_drop(). + +Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev +as the input device is the loopback interface. Then, we have to check if +skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref +for ip6_null_entry. 
+ +BUG: kernel NULL pointer dereference, address: 0000000000000000 + PF: supervisor read access in kernel mode + PF: error_code(0x0000) - not-present page +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP PTI +CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) +Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 +RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 +RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 +RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 +RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 +R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 +FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 +PKRU: 55555554 +Call Trace: + + ip6_pkt_drop (net/ipv6/route.c:4513) + ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686) + ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5)) + ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483) + __netif_receive_skb_one_core (net/core/dev.c:5455) + process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895) + __napi_poll (net/core/dev.c:6460) + net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660) + __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554) + do_softirq (kernel/softirq.c:454 kernel/softirq.c:441) + + + __local_bh_enable_ip (kernel/softirq.c:381) + 
__dev_queue_xmit (net/core/dev.c:4231) + ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135) + rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914) + sock_sendmsg (net/socket.c:725 net/socket.c:748) + __sys_sendto (net/socket.c:2134) + __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142) + do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) +RIP: 0033:0x7f9dc751baea +Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +RSP: 002b:00007ffe98712c38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007ffe98712cf8 RCX: 00007f9dc751baea +RDX: 0000000000000060 RSI: 00007f9dc6460b90 RDI: 0000000000000003 +RBP: 00007f9dc56e8be0 R08: 00007ffe98712d70 R09: 000000000000001c +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007f9dc6af5d1b + +Modules linked in: +CR2: 0000000000000000 + ---[ end trace 0000000000000000 ]--- +RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503) +Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01 +RSP: 0018:ffffc90000003c70 EFLAGS: 00000286 +RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0 +RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18 +RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10 +R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0 +FS: 00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 
CR0: 0000000080050033 +CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0 +PKRU: 55555554 +Kernel panic - not syncing: Fatal exception in interrupt +Kernel Offset: disabled + +Fixes: 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address") +Reported-by: Wang Yufen +Closes: https://lore.kernel.org/netdev/c41403a9-c2f6-3b7e-0c96-e1901e605cd0@huawei.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: David Ahern +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/icmp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c +index 3db10cae7b178..169467b5c98a6 100644 +--- a/net/ipv6/icmp.c ++++ b/net/ipv6/icmp.c +@@ -410,7 +410,10 @@ static struct net_device *icmp6_dev(const struct sk_buff *skb) + if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) { + const struct rt6_info *rt6 = skb_rt6_info(skb); + +- if (rt6) ++ /* The destination could be an external IP in Ext Hdr (SRv6, RPL, etc.), ++ * and ip6_null_entry could be set to skb if no route is found. ++ */ ++ if (rt6 && rt6->rt6i_idev) + dev = rt6->rt6i_idev->dev; + } + +-- +2.39.2 + diff --git a/tmp-5.4/igb-fix-igb_down-hung-on-surprise-removal.patch b/tmp-5.4/igb-fix-igb_down-hung-on-surprise-removal.patch new file mode 100644 index 00000000000..5f2ce5b3b89 --- /dev/null +++ b/tmp-5.4/igb-fix-igb_down-hung-on-surprise-removal.patch 
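Review bot: The new guard in `icmp6_dev()` reads `rt6->rt6i_idev` once for the NULL test and again for the dereference on the following line. If that field can be cleared concurrently with this reader (not visible in the hunk, so this is an assumption to confirm), the second load could still observe NULL; loading it once closes that window: `struct inet6_dev *idev = rt6 ? READ_ONCE(rt6->rt6i_idev) : NULL;` followed by `if (idev) dev = idev->dev;`. Because the trace in the description shows this path ending in a kernel panic on packet input, a regression test for the no-route case described there would be worth adding alongside the check. The body of `icmp6_dev()` starts and ends outside the hunk.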
@@ -0,0 +1,89 @@ +From 0b3d3a2fbdf3027763c70d65dde0a044a8c3a6ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 10:47:32 -0700 +Subject: igb: Fix igb_down hung on surprise removal + +From: Ying Hsu + +[ Upstream commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 ] + +In a setup where a Thunderbolt hub connects to Ethernet and a display +through USB Type-C, users may experience a hung task timeout when they +remove the cable between the PC and the Thunderbolt hub. +This is because the igb_down function is called multiple times when +the Thunderbolt hub is unplugged. For example, the igb_io_error_detected +triggers the first call, and the igb_remove triggers the second call. +The second call to igb_down will block at napi_synchronize. +Here's the call trace: + __schedule+0x3b0/0xddb + ? __mod_timer+0x164/0x5d3 + schedule+0x44/0xa8 + schedule_timeout+0xb2/0x2a4 + ? run_local_timers+0x4e/0x4e + msleep+0x31/0x38 + igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4] + __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4] + igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4] + __dev_close_many+0x95/0xec + dev_close_many+0x6e/0x103 + unregister_netdevice_many+0x105/0x5b1 + unregister_netdevice_queue+0xc2/0x10d + unregister_netdev+0x1c/0x23 + igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4] + pci_device_remove+0x3f/0x9c + device_release_driver_internal+0xfe/0x1b4 + pci_stop_bus_device+0x5b/0x7f + pci_stop_bus_device+0x30/0x7f + pci_stop_bus_device+0x30/0x7f + pci_stop_and_remove_bus_device+0x12/0x19 + pciehp_unconfigure_device+0x76/0xe9 + pciehp_disable_slot+0x6e/0x131 + pciehp_handle_presence_or_link_change+0x7a/0x3f7 + pciehp_ist+0xbe/0x194 + irq_thread_fn+0x22/0x4d + ? irq_thread+0x1fd/0x1fd + irq_thread+0x17b/0x1fd + ? irq_forced_thread_fn+0x5f/0x5f + kthread+0x142/0x153 + ? __irq_get_irqchip_state+0x46/0x46 + ? 
kthread_associate_blkcg+0x71/0x71 + ret_from_fork+0x1f/0x30 + +In this case, igb_io_error_detected detaches the network interface +and requests a PCIE slot reset, however, the PCIE reset callback is +not being invoked and thus the Ethernet connection breaks down. +As the PCIE error in this case is a non-fatal one, requesting a +slot reset can be avoided. +This patch fixes the task hung issue and preserves Ethernet +connection by ignoring non-fatal PCIE errors. + +Signed-off-by: Ying Hsu +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230620174732.4145155-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 00d66a6e5c6e5..8c6c0d9c7f766 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -9028,6 +9028,11 @@ static pci_ers_result_t igb_io_error_detected(struct pci_dev *pdev, + struct net_device *netdev = pci_get_drvdata(pdev); + struct igb_adapter *adapter = netdev_priv(netdev); + ++ if (state == pci_channel_io_normal) { ++ dev_warn(&pdev->dev, "Non-correctable non-fatal error reported.\n"); ++ return PCI_ERS_RESULT_CAN_RECOVER; ++ } ++ + netif_device_detach(netdev); + + if (state == pci_channel_io_perm_failure) +-- +2.39.2 + diff --git a/tmp-5.4/igc-remove-delay-during-tx-ring-configuration.patch b/tmp-5.4/igc-remove-delay-during-tx-ring-configuration.patch new file mode 100644 index 00000000000..e997d50d333 --- /dev/null +++ b/tmp-5.4/igc-remove-delay-during-tx-ring-configuration.patch 
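Review bot: The early return added to `igb_io_error_detected()` logs with plain `dev_warn()` on every non-fatal error report, and how often the PCI core invokes this callback is driven by the hardware, so a flapping or misbehaving device could flood the kernel log. `dev_warn_ratelimited(&pdev->dev, "Non-correctable non-fatal error reported.\n");` keeps the signal without the flood. A comment above the check would also help, e.g. `/* non-fatal: keep the interface attached, no slot reset needed */`, since the reason `pci_channel_io_normal` skips `netif_device_detach()` is only explained in the commit message. The function continues past the end of the hunk.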
@@ -0,0 +1,46 @@
+From 18266409139cf087182a9f927249e2718306dbe8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 May 2023 08:18:12 +0800
+Subject: igc: Remove delay during TX ring configuration
+
+From: Muhammad Husaini Zulkifli
+
+[ Upstream commit cca28ceac7c7857bc2d313777017585aef00bcc4 ]
+
+Remove unnecessary delay during the TX ring configuration.
+This will cause delay, especially during link down and
+link up activity.
+
+Furthermore, old SKUs like as I225 will call the reset_adapter
+to reset the controller during TSN mode Gate Control List (GCL)
+setting. This will add more time to the configuration of the
+real-time use case.
+
+It doesn't mentioned about this delay in the Software User Manual.
+It might have been ported from legacy code I210 in the past.
+
+Fixes: 13b5b7fd6a4a ("igc: Add support for Tx/Rx rings")
+Signed-off-by: Muhammad Husaini Zulkifli
+Acked-by: Sasha Neftin
+Tested-by: Naama Meir
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index b8297a63a7fd2..3839ca8bdf6dd 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -610,7 +610,6 @@ static void igc_configure_tx_ring(struct igc_adapter *adapter,
+ /* disable the queue */
+ wr32(IGC_TXDCTL(reg_idx), 0);
+ wrfl();
+- mdelay(10);
+
+ wr32(IGC_TDLEN(reg_idx),
+ ring->count * sizeof(union igc_adv_tx_desc));
+--
+2.39.2
+
diff --git a/tmp-5.4/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch b/tmp-5.4/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch
new file mode 100644
index 00000000000..11c9f783998
--- /dev/null
+++ b/tmp-5.4/igc-set-tp-bit-in-supported-and-advertising-fields-o.patch
@@ -0,0 +1,39 @@
+From bc13bf08dc0fa6def9892f176aeb46da47ff6c44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Jun 2023 11:09:01 -0700
+Subject: igc: set TP bit in 'supported' and 'advertising' fields of
+ ethtool_link_ksettings
+
+From: Prasad Koya
+
+[ Upstream commit 9ac3fc2f42e5ffa1e927dcbffb71b15fa81459e2 ]
+
+set TP bit in the 'supported' and 'advertising' fields. i225/226 parts
+only support twisted pair copper.
+
+Fixes: 8c5ad0dae93c ("igc: Add ethtool support")
+Signed-off-by: Prasad Koya
+Acked-by: Sasha Neftin
+Tested-by: Naama Meir
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+index cbcb8611ab50d..0a4e7f5f292ac 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c
++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+@@ -1668,6 +1668,8 @@ static int igc_get_link_ksettings(struct net_device *netdev,
+ /* twisted pair */
+ cmd->base.port = PORT_TP;
+ cmd->base.phy_address = hw->phy.addr;
++ ethtool_link_ksettings_add_link_mode(cmd, supported, TP);
++ ethtool_link_ksettings_add_link_mode(cmd, advertising, TP);
+
+ /* advertising link modes */
+ if (hw->phy.autoneg_advertised & ADVERTISE_10_HALF)
+--
+2.39.2
+
diff --git a/tmp-5.4/ima-fix-build-warnings.patch b/tmp-5.4/ima-fix-build-warnings.patch
new file mode 100644
index 00000000000..ef4b0a03fc5
--- /dev/null
+++ b/tmp-5.4/ima-fix-build-warnings.patch
@@ -0,0 +1,61 @@ +From a51450c0b2a17fd29dcb2b4169473a99934099d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jun 2023 09:41:13 +0200 +Subject: ima: Fix build warnings + +From: Roberto Sassu + +[ Upstream commit 95526d13038c2bbddd567a4d8e39fac42484e182 ] + +Fix build warnings (function parameters description) for +ima_collect_modsig(), ima_match_policy() and ima_parse_add_rule(). + +Fixes: 15588227e086 ("ima: Collect modsig") # v5.4+ +Fixes: 2fe5d6def167 ("ima: integrity appraisal extension") # v5.14+ +Fixes: 4af4662fa4a9 ("integrity: IMA policy") # v3.2+ +Signed-off-by: Roberto Sassu +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_modsig.c | 3 +++ + security/integrity/ima/ima_policy.c | 3 ++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c +index d106885cc4955..5fb971efc6e10 100644 +--- a/security/integrity/ima/ima_modsig.c ++++ b/security/integrity/ima/ima_modsig.c +@@ -109,6 +109,9 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len, + + /** + * ima_collect_modsig - Calculate the file hash without the appended signature. ++ * @modsig: parsed module signature ++ * @buf: data to verify the signature on ++ * @size: data size + * + * Since the modsig is part of the file contents, the hash used in its signature + * isn't the same one ordinarily calculated by IMA. Therefore PKCS7 code +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c +index 6df0436462ab7..e749403f07a8b 100644 +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -500,6 +500,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) + * @secid: LSM secid of the task to be validated + * @func: IMA hook identifier + * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) ++ * @flags: IMA actions to consider (e.g. 
IMA_MEASURE | IMA_APPRAISE) + * @pcr: set the pcr to extend + * @template_desc: the template that should be used for this rule + * +@@ -1266,7 +1267,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) + + /** + * ima_parse_add_rule - add a rule to ima_policy_rules +- * @rule - ima measurement policy rule ++ * @rule: ima measurement policy rule + * + * Avoid locking by allowing just one writer at a time in ima_write_policy() + * Returns the length of the rule parsed, an error code on failure +-- +2.39.2 + diff --git a/tmp-5.4/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch b/tmp-5.4/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch new file mode 100644 index 00000000000..f6f3ffbb3e1 --- /dev/null +++ b/tmp-5.4/input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch 
@@ -0,0 +1,39 @@
+From 9c456640af3511035ce8c2a97570abdec1de36c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 May 2023 17:27:55 -0700
+Subject: Input: adxl34x - do not hardcode interrupt trigger type
+
+From: Marek Vasut
+
+[ Upstream commit e96220bce5176ed2309f77f061dcc0430b82b25e ]
+
+Instead of hardcoding IRQ trigger type to IRQF_TRIGGER_HIGH, let's
+respect the settings specified in the firmware description.
+
+Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers")
+Signed-off-by: Marek Vasut
+Acked-by: Michael Hennerich
+Link: https://lore.kernel.org/r/20230509203555.549158-1-marex@denx.de
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/misc/adxl34x.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/input/misc/adxl34x.c b/drivers/input/misc/adxl34x.c
+index 4cc4e8ff42b33..ad035c342cd3b 100644
+--- a/drivers/input/misc/adxl34x.c
++++ b/drivers/input/misc/adxl34x.c
+@@ -811,8 +811,7 @@ struct adxl34x *adxl34x_probe(struct device *dev, int irq,
+ AC_WRITE(ac, POWER_CTL, 0);
+
+ err = request_threaded_irq(ac->irq, NULL, adxl34x_irq,
+- IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
+- dev_name(dev), ac);
++ IRQF_ONESHOT, dev_name(dev), ac);
+ if (err) {
+ dev_err(dev, "irq %d busy?\n", ac->irq);
+ goto err_free_mem;
+--
+2.39.2
+
diff --git a/tmp-5.4/input-drv260x-sleep-between-polling-go-bit.patch b/tmp-5.4/input-drv260x-sleep-between-polling-go-bit.patch
new file mode 100644
index 00000000000..38cfb6c5476
--- /dev/null
+++ b/tmp-5.4/input-drv260x-sleep-between-polling-go-bit.patch
@@ -0,0 +1,39 @@
+From deaccebed61ccc21f57924efe05fd9eae857cfbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 May 2023 17:01:45 -0700
+Subject: Input: drv260x - sleep between polling GO bit
+
+From: Luca Weiss
+
+[ Upstream commit efef661dfa6bf8cbafe4cd6a97433fcef0118967 ]
+
+When doing the initial startup there's no need to poll without any
+delay and spam the I2C bus.
+
+Let's sleep 15ms between each attempt, which is the same time as used
+in the vendor driver.
+
+Fixes: 7132fe4f5687 ("Input: drv260x - add TI drv260x haptics driver")
+Signed-off-by: Luca Weiss
+Link: https://lore.kernel.org/r/20230430-drv260x-improvements-v1-2-1fb28b4cc698@z3ntu.xyz
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/misc/drv260x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/misc/drv260x.c b/drivers/input/misc/drv260x.c
+index 79d7fa710a714..54002d1a446b7 100644
+--- a/drivers/input/misc/drv260x.c
++++ b/drivers/input/misc/drv260x.c
+@@ -435,6 +435,7 @@ static int drv260x_init(struct drv260x_data *haptics)
+ }
+
+ do {
++ usleep_range(15000, 15500);
+ error = regmap_read(haptics->regmap, DRV260X_GO, &cal_buf);
+ if (error) {
+ dev_err(&haptics->client->dev,
+--
+2.39.2
+
diff --git a/tmp-5.4/integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch b/tmp-5.4/integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch
new file mode 100644
index 00000000000..5c5d648e351
--- /dev/null
+++ b/tmp-5.4/integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch
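Review bot: The `do { … }` loop in `drv260x_init()` now sleeps 15 ms per iteration, but its exit condition is outside the hunk, and if it only tests the GO bit then a device that never clears it would keep the probe polling indefinitely. I would bound the wait, either with a retry counter or with `regmap_read_poll_timeout()` and an explicit timeout, returning `-ETIMEDOUT` to the caller; the timeout value has to come from the datasheet, not from this patch. The sleep is also placed before the first read, so a device that is already finished still pays one delay. A comment such as `/* vendor driver waits 15 ms between GO-bit polls */` would record where the number comes from.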
@@ -0,0 +1,62 @@
+From 9df6a4870dc371136e90330cfbbc51464ee66993 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang
+Date: Thu, 1 Jun 2023 14:42:44 +0800
+Subject: integrity: Fix possible multiple allocation in integrity_inode_get()
+
+From: Tianjia Zhang
+
+commit 9df6a4870dc371136e90330cfbbc51464ee66993 upstream.
+
+When integrity_inode_get() is querying and inserting the cache, there
+is a conditional race in the concurrent environment.
+
+The race condition is the result of not properly implementing
+"double-checked locking". In this case, it first checks to see if the
+iint cache record exists before taking the lock, but doesn't check
+again after taking the integrity_iint_lock.
+
+Fixes: bf2276d10ce5 ("ima: allocating iint improvements")
+Signed-off-by: Tianjia Zhang
+Cc: Dmitry Kasatkin
+Cc: # v3.10+
+Signed-off-by: Mimi Zohar
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/integrity/iint.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/security/integrity/iint.c
++++ b/security/integrity/iint.c
+@@ -43,12 +43,10 @@ static struct integrity_iint_cache *__in
+ else if (inode > iint->inode)
+ n = n->rb_right;
+ else
+- break;
++ return iint;
+ }
+- if (!n)
+- return NULL;
+
+- return iint;
++ return NULL;
+ }
+
+ /*
+@@ -121,10 +119,15 @@ struct integrity_iint_cache *integrity_i
+ parent = *p;
+ test_iint = rb_entry(parent, struct integrity_iint_cache,
+ rb_node);
+- if (inode < test_iint->inode)
++ if (inode < test_iint->inode) {
+ p = &(*p)->rb_left;
+- else
++ } else if (inode > test_iint->inode) {
+ p = &(*p)->rb_right;
++ } else {
++ write_unlock(&integrity_iint_lock);
++ kmem_cache_free(iint_cache, iint);
++ return test_iint;
++ }
+ }
+
+ iint->inode = inode;
diff --git a/tmp-5.4/ionic-clean-irq-affinity-on-queue-deinit.patch b/tmp-5.4/ionic-clean-irq-affinity-on-queue-deinit.patch
new file mode 100644
index 00000000000..bc23ac84923
--- /dev/null
+++ b/tmp-5.4/ionic-clean-irq-affinity-on-queue-deinit.patch
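Review bot: The new `else` branch in `integrity_inode_get()` is the re-check under `integrity_iint_lock` that the commit message describes, but the code carries no comment saying so, and the unlock, free, return sequence is easy to misread as an error path. I would add `/* lost the race: another task inserted this inode's iint after our unlocked lookup; free ours and return theirs */` above `write_unlock(&integrity_iint_lock);`. Whether any per-inode state is set between the allocation and this point, which would then need undoing before `kmem_cache_free()`, is not visible because the function starts and ends outside the hunk, so that is worth confirming.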
@@ -0,0 +1,38 @@
+From 4841f8e63e8937054dbda88c0209bc33b0996695 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Mar 2020 19:31:52 -0700
+Subject: ionic: clean irq affinity on queue deinit
+
+From: Shannon Nelson
+
+[ Upstream commit b9c17d39d5d19b321414a1737c754a819878424a ]
+
+Add a little more cleanup when tearing down the queues.
+
+Fixes: 1d062b7b6f64 ("ionic: Add basic adminq support")
+Signed-off-by: Shannon Nelson
+Signed-off-by: David S. Miller
+Stable-dep-of: abfb2a58a537 ("ionic: remove WARN_ON to prevent panic_on_warn")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/pensando/ionic/ionic_lif.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+index 975cda9377ec4..fa57a526b60f6 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+@@ -269,8 +269,10 @@ static void ionic_lif_qcq_deinit(struct ionic_lif *lif, struct ionic_qcq *qcq)
+ if (qcq->flags & IONIC_QCQ_F_INTR) {
+ ionic_intr_mask(idev->intr_ctrl, qcq->intr.index,
+ IONIC_INTR_MASK_SET);
++ irq_set_affinity_hint(qcq->intr.vector, NULL);
+ devm_free_irq(dev, qcq->intr.vector, &qcq->napi);
+ netif_napi_del(&qcq->napi);
++ qcq->intr.vector = 0;
+ }
+
+ qcq->flags &= ~IONIC_QCQ_F_INITED;
+--
+2.39.2
+
diff --git a/tmp-5.4/ionic-improve-irq-numa-locality.patch b/tmp-5.4/ionic-improve-irq-numa-locality.patch
new file mode 100644
index 00000000000..bc02dfcf7a5
--- /dev/null
+++ b/tmp-5.4/ionic-improve-irq-numa-locality.patch
@@ -0,0 +1,42 @@
+From 5d239f70262c25e06b3fb08385d492bedc01d318 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 6 Mar 2020 17:04:03 -0800
+Subject: ionic: improve irq numa locality
+
+From: Shannon Nelson
+
+[ Upstream commit b7f55b81f2ac40e52c5a56e22c80488eac531c91 ]
+
+Spreading the interrupts across the CPU cores is good for load
+balancing, but not necessarily as good when using a CPU/core
+that is not part of the NUMA local CPU. If it can be localized,
+the kernel's cpumask_local_spread() service will pick a core
+that is on the node close to the PCI device.
+
+Signed-off-by: Shannon Nelson
+Signed-off-by: David S. Miller
+Stable-dep-of: abfb2a58a537 ("ionic: remove WARN_ON to prevent panic_on_warn")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/pensando/ionic/ionic_lif.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+index d0841836cf705..975cda9377ec4 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+@@ -418,8 +418,9 @@ static int ionic_qcq_alloc(struct ionic_lif *lif, unsigned int type,
+ ionic_intr_mask_assert(idev->intr_ctrl, new->intr.index,
+ IONIC_INTR_MASK_SET);
+
+- new->intr.cpu = new->intr.index % num_online_cpus();
+- if (cpu_online(new->intr.cpu))
++ new->intr.cpu = cpumask_local_spread(new->intr.index,
++ dev_to_node(dev));
++ if (new->intr.cpu != -1)
+ cpumask_set_cpu(new->intr.cpu,
+ &new->intr.affinity_mask);
+ } else {
+--
+2.39.2
+
diff --git a/tmp-5.4/ionic-ionic_intr_free-parameter-change.patch b/tmp-5.4/ionic-ionic_intr_free-parameter-change.patch
new file mode 100644
index 00000000000..2a2cf1ebcf3
--- /dev/null
+++ b/tmp-5.4/ionic-ionic_intr_free-parameter-change.patch
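Review bot: The replacement check `if (new->intr.cpu != -1)` in `ionic_qcq_alloc()` looks like it can never be false: as far as I know `cpumask_local_spread()` returns an `unsigned int` CPU number and has no -1 failure value, so the test no longer filters anything the way the removed `cpu_online()` check did. Either drop the condition or keep an explicit validity test such as `if (cpu_online(new->intr.cpu))`. The type of `intr.cpu` is declared outside the hunk, so the signed/unsigned comparison should be confirmed there. The function body continues on both sides of the hunk.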
@@ -0,0 +1,68 @@ +From 7c93ad29af052cdebe41ee38afa14873e8ac76a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 May 2020 17:59:33 -0700 +Subject: ionic: ionic_intr_free parameter change + +From: Shannon Nelson + +[ Upstream commit 36ac2c50924892a28e17ff463e354fec7650ee19 ] + +Change the ionic_intr_free parameter from struct ionic_lif to +struct ionic since that's what it actually cares about. + +Signed-off-by: Shannon Nelson +Signed-off-by: David S. Miller +Stable-dep-of: abfb2a58a537 ("ionic: remove WARN_ON to prevent panic_on_warn") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index 3fc9ac1e8b7b7..52d291383c233 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -167,10 +167,10 @@ static int ionic_intr_alloc(struct ionic_lif *lif, struct ionic_intr_info *intr) + return 0; + } + +-static void ionic_intr_free(struct ionic_lif *lif, int index) ++static void ionic_intr_free(struct ionic *ionic, int index) + { +- if (index != INTR_INDEX_NOT_ASSIGNED && index < lif->ionic->nintrs) +- clear_bit(index, lif->ionic->intrs); ++ if (index != INTR_INDEX_NOT_ASSIGNED && index < ionic->nintrs) ++ clear_bit(index, ionic->intrs); + } + + static int ionic_qcq_enable(struct ionic_qcq *qcq) +@@ -289,7 +289,7 @@ static void ionic_qcq_free(struct ionic_lif *lif, struct ionic_qcq *qcq) + irq_set_affinity_hint(qcq->intr.vector, NULL); + devm_free_irq(dev, qcq->intr.vector, &qcq->napi); + qcq->intr.vector = 0; +- ionic_intr_free(lif, qcq->intr.index); ++ ionic_intr_free(lif->ionic, qcq->intr.index); + } + + devm_kfree(dev, qcq->cq.info); +@@ -333,7 +333,7 @@ static void ionic_link_qcq_interrupts(struct ionic_qcq *src_qcq, + struct ionic_qcq *n_qcq) + { + if (WARN_ON(n_qcq->flags & 
IONIC_QCQ_F_INTR)) { +- ionic_intr_free(n_qcq->cq.lif, n_qcq->intr.index); ++ ionic_intr_free(n_qcq->cq.lif->ionic, n_qcq->intr.index); + n_qcq->flags &= ~IONIC_QCQ_F_INTR; + } + +@@ -485,7 +485,7 @@ static int ionic_qcq_alloc(struct ionic_lif *lif, unsigned int type, + devm_free_irq(dev, new->intr.vector, &new->napi); + err_out_free_intr: + if (flags & IONIC_QCQ_F_INTR) +- ionic_intr_free(lif, new->intr.index); ++ ionic_intr_free(lif->ionic, new->intr.index); + err_out: + dev_err(dev, "qcq alloc of %s%d failed %d\n", name, index, err); + return err; +-- +2.39.2 + diff --git a/tmp-5.4/ionic-move-irq-request-to-qcq-alloc.patch b/tmp-5.4/ionic-move-irq-request-to-qcq-alloc.patch new file mode 100644 index 00000000000..956ec94b82a --- /dev/null +++ b/tmp-5.4/ionic-move-irq-request-to-qcq-alloc.patch 
@@ -0,0 +1,140 @@ +From 157c71022d07073d2f4d4e279fb05962e68e784c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Mar 2020 20:14:44 -0700 +Subject: ionic: move irq request to qcq alloc + +From: Shannon Nelson + +[ Upstream commit 0b0641009b8918c8d5f6e7ed300d569c9d811de5 ] + +Move the irq request and free out of the qcq_init and deinit +and into the alloc and free routines where they belong for +better resource management. + +Signed-off-by: Shannon Nelson +Signed-off-by: David S. Miller +Stable-dep-of: abfb2a58a537 ("ionic: remove WARN_ON to prevent panic_on_warn") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/pensando/ionic/ionic_lif.c | 41 +++++++++---------- + 1 file changed, 19 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index fa57a526b60f6..3fc9ac1e8b7b7 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -256,7 +256,6 @@ static int ionic_qcq_disable(struct ionic_qcq *qcq) + static void ionic_lif_qcq_deinit(struct ionic_lif *lif, struct ionic_qcq *qcq) + { + struct ionic_dev *idev = &lif->ionic->idev; +- struct device *dev = lif->ionic->dev; + + if (!qcq) + return; +@@ -269,10 +268,7 @@ static void ionic_lif_qcq_deinit(struct ionic_lif *lif, struct ionic_qcq *qcq) + if (qcq->flags & IONIC_QCQ_F_INTR) { + ionic_intr_mask(idev->intr_ctrl, qcq->intr.index, + IONIC_INTR_MASK_SET); +- irq_set_affinity_hint(qcq->intr.vector, NULL); +- devm_free_irq(dev, qcq->intr.vector, &qcq->napi); + netif_napi_del(&qcq->napi); +- qcq->intr.vector = 0; + } + + qcq->flags &= ~IONIC_QCQ_F_INITED; +@@ -289,8 +285,12 @@ static void ionic_qcq_free(struct ionic_lif *lif, struct ionic_qcq *qcq) + qcq->base = NULL; + qcq->base_pa = 0; + +- if (qcq->flags & IONIC_QCQ_F_INTR) ++ if (qcq->flags & IONIC_QCQ_F_INTR) { ++ irq_set_affinity_hint(qcq->intr.vector, NULL); ++ devm_free_irq(dev, qcq->intr.vector, 
&qcq->napi); ++ qcq->intr.vector = 0; + ionic_intr_free(lif, qcq->intr.index); ++ } + + devm_kfree(dev, qcq->cq.info); + qcq->cq.info = NULL; +@@ -420,6 +420,12 @@ static int ionic_qcq_alloc(struct ionic_lif *lif, unsigned int type, + ionic_intr_mask_assert(idev->intr_ctrl, new->intr.index, + IONIC_INTR_MASK_SET); + ++ err = ionic_request_irq(lif, new); ++ if (err) { ++ netdev_warn(lif->netdev, "irq request failed %d\n", err); ++ goto err_out_free_intr; ++ } ++ + new->intr.cpu = cpumask_local_spread(new->intr.index, + dev_to_node(dev)); + if (new->intr.cpu != -1) +@@ -434,13 +440,13 @@ static int ionic_qcq_alloc(struct ionic_lif *lif, unsigned int type, + if (!new->cq.info) { + netdev_err(lif->netdev, "Cannot allocate completion queue info\n"); + err = -ENOMEM; +- goto err_out_free_intr; ++ goto err_out_free_irq; + } + + err = ionic_cq_init(lif, &new->cq, &new->intr, num_descs, cq_desc_size); + if (err) { + netdev_err(lif->netdev, "Cannot initialize completion queue\n"); +- goto err_out_free_intr; ++ goto err_out_free_irq; + } + + new->base = dma_alloc_coherent(dev, total_size, &new->base_pa, +@@ -448,7 +454,7 @@ static int ionic_qcq_alloc(struct ionic_lif *lif, unsigned int type, + if (!new->base) { + netdev_err(lif->netdev, "Cannot allocate queue DMA memory\n"); + err = -ENOMEM; +- goto err_out_free_intr; ++ goto err_out_free_irq; + } + + new->total_size = total_size; +@@ -474,8 +480,12 @@ static int ionic_qcq_alloc(struct ionic_lif *lif, unsigned int type, + + return 0; + ++err_out_free_irq: ++ if (flags & IONIC_QCQ_F_INTR) ++ devm_free_irq(dev, new->intr.vector, &new->napi); + err_out_free_intr: +- ionic_intr_free(lif, new->intr.index); ++ if (flags & IONIC_QCQ_F_INTR) ++ ionic_intr_free(lif, new->intr.index); + err_out: + dev_err(dev, "qcq alloc of %s%d failed %d\n", name, index, err); + return err; +@@ -650,12 +660,6 @@ static int ionic_lif_rxq_init(struct ionic_lif *lif, struct ionic_qcq *qcq) + netif_napi_add(lif->netdev, &qcq->napi, ionic_rx_napi, + 
NAPI_POLL_WEIGHT); + +- err = ionic_request_irq(lif, qcq); +- if (err) { +- netif_napi_del(&qcq->napi); +- return err; +- } +- + qcq->flags |= IONIC_QCQ_F_INITED; + + ionic_debugfs_add_qcq(lif, qcq); +@@ -1873,13 +1877,6 @@ static int ionic_lif_adminq_init(struct ionic_lif *lif) + netif_napi_add(lif->netdev, &qcq->napi, ionic_adminq_napi, + NAPI_POLL_WEIGHT); + +- err = ionic_request_irq(lif, qcq); +- if (err) { +- netdev_warn(lif->netdev, "adminq irq request failed %d\n", err); +- netif_napi_del(&qcq->napi); +- return err; +- } +- + napi_enable(&qcq->napi); + + if (qcq->flags & IONIC_QCQ_F_INTR) +-- +2.39.2 + diff --git a/tmp-5.4/ionic-remove-warn_on-to-prevent-panic_on_warn.patch b/tmp-5.4/ionic-remove-warn_on-to-prevent-panic_on_warn.patch new file mode 100644 index 00000000000..af5f8466274 --- /dev/null +++ b/tmp-5.4/ionic-remove-warn_on-to-prevent-panic_on_warn.patch 
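Review bot: In ionic_qcq_free() the added `devm_free_irq()` block sits after `qcq->base = NULL`, so the interrupt handler stays registered until after the descriptor ring (presumably freed just above the hunk) has been released. This is only safe if the interrupt is still masked from ionic_lif_qcq_deinit() and NAPI has already been deleted. Either move the `if (qcq->flags & IONIC_QCQ_F_INTR) { ... }` block to the top of the function, so teardown mirrors the order in ionic_qcq_alloc(), or document the dependency with a comment such as `/* irq was masked in ionic_lif_qcq_deinit(), so it cannot fire on the freed ring */`. The start of ionic_qcq_free() is outside the hunk, so the actual position of the DMA free is inferred.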
@@ -0,0 +1,42 @@ +From 113c4ac1bad18d282992e71eb7f76fa46d2d8a9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 11:20:06 -0700 +Subject: ionic: remove WARN_ON to prevent panic_on_warn + +From: Nitya Sunkad + +[ Upstream commit abfb2a58a5377ebab717d4362d6180f901b6e5c1 ] + +Remove unnecessary early code development check and the WARN_ON +that it uses. The irq alloc and free paths have long been +cleaned up and this check shouldn't have stuck around so long. + +Fixes: 77ceb68e29cc ("ionic: Add notifyq support") +Signed-off-by: Nitya Sunkad +Signed-off-by: Shannon Nelson +Reviewed-by: Jacob Keller +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index 52d291383c233..d718c1a6d5fc7 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -332,11 +332,6 @@ static void ionic_qcqs_free(struct ionic_lif *lif) + static void ionic_link_qcq_interrupts(struct ionic_qcq *src_qcq, + struct ionic_qcq *n_qcq) + { +- if (WARN_ON(n_qcq->flags & IONIC_QCQ_F_INTR)) { +- ionic_intr_free(n_qcq->cq.lif->ionic, n_qcq->intr.index); +- n_qcq->flags &= ~IONIC_QCQ_F_INTR; +- } +- + n_qcq->intr.vector = src_qcq->intr.vector; + n_qcq->intr.index = src_qcq->intr.index; + } +-- +2.39.2 + diff --git a/tmp-5.4/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch b/tmp-5.4/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch new file mode 100644 index 00000000000..37e74ea8a7b --- /dev/null +++ b/tmp-5.4/ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch 
@@ -0,0 +1,53 @@ +From a5cdf1f335af33aa38bbf67ce4622dc786cb1828 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jul 2023 14:59:10 +0800 +Subject: ipv6/addrconf: fix a potential refcount underflow for idev + +From: Ziyang Xuan + +[ Upstream commit 06a0716949c22e2aefb648526580671197151acc ] + +Now in addrconf_mod_rs_timer(), reference idev depends on whether +rs_timer is not pending. Then modify rs_timer timeout. + +There is a time gap in [1], during which if the pending rs_timer +becomes not pending. It will miss to hold idev, but the rs_timer +is activated. Thus rs_timer callback function addrconf_rs_timer() +will be executed and put idev later without holding idev. A refcount +underflow issue for idev can be caused by this. + + if (!timer_pending(&idev->rs_timer)) + in6_dev_hold(idev); + <--------------[1] + mod_timer(&idev->rs_timer, jiffies + when); + +To fix the issue, hold idev if mod_timer() return 0. + +Fixes: b7b1bfce0bb6 ("ipv6: split duplicate address detection and router solicitation timer") +Suggested-by: Eric Dumazet +Signed-off-by: Ziyang Xuan +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index a0123760fb2c7..46e3c939958bb 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -313,9 +313,8 @@ static void addrconf_del_dad_work(struct inet6_ifaddr *ifp) + static void addrconf_mod_rs_timer(struct inet6_dev *idev, + unsigned long when) + { +- if (!timer_pending(&idev->rs_timer)) ++ if (!mod_timer(&idev->rs_timer, jiffies + when)) + in6_dev_hold(idev); +- mod_timer(&idev->rs_timer, jiffies + when); + } + + static void addrconf_mod_dad_work(struct inet6_ifaddr *ifp, +-- +2.39.2 + 
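Review bot: addrconf_mod_rs_timer() now calls `in6_dev_hold(idev)` only after `mod_timer()` has armed the timer, so the function is safe only while the caller holds its own reference on idev for the whole call. Nothing in the code states that precondition. If the timer fired on another CPU before the hold, the callback's put would otherwise run against a count that does not yet include the timer's reference. A short comment above the function would document this, for example `/* Caller must hold a reference on idev; the timer's reference is taken only when the timer was not already pending. */`. Whether every caller meets this cannot be checked from the hunk.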
diff --git a/tmp-5.4/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch b/tmp-5.4/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch
new file mode 100644
index 00000000000..8130c2df469
--- /dev/null
+++ b/tmp-5.4/ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch
@@ -0,0 +1,66 @@ +From 35f34daabd4d15e75c1c2170d9f2c1a226290375 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 17:33:47 +0800 +Subject: ipvlan: Fix return value of ipvlan_queue_xmit() + +From: Cambda Zhu + +[ Upstream commit 8a9922e7be6d042fa00f894c376473b17a162b66 ] + +ipvlan_queue_xmit() should return NET_XMIT_XXX, but +ipvlan_xmit_mode_l2/l3() returns rx_handler_result_t or NET_RX_XXX +in some cases. ipvlan_rcv_frame() will only return RX_HANDLER_CONSUMED +in ipvlan_xmit_mode_l2/l3() because 'local' is true. It's equal to +NET_XMIT_SUCCESS. But dev_forward_skb() can return NET_RX_SUCCESS or +NET_RX_DROP, and returning NET_RX_DROP(NET_XMIT_DROP) will increase +both ipvlan and ipvlan->phy_dev drops counter. + +The skb to forward can be treated as xmitted successfully. This patch +makes ipvlan_queue_xmit() return NET_XMIT_SUCCESS for forward skb. + +Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") +Signed-off-by: Cambda Zhu +Link: https://lore.kernel.org/r/20230626093347.7492-1-cambda@linux.alibaba.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ipvlan/ipvlan_core.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index 0a5b5ff597c6f..ab09d110760ec 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -586,7 +586,8 @@ static int ipvlan_xmit_mode_l3(struct sk_buff *skb, struct net_device *dev) + consume_skb(skb); + return NET_XMIT_DROP; + } +- return ipvlan_rcv_frame(addr, &skb, true); ++ ipvlan_rcv_frame(addr, &skb, true); ++ return NET_XMIT_SUCCESS; + } + } + out: +@@ -612,7 +613,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) + consume_skb(skb); + return NET_XMIT_DROP; + } +- return ipvlan_rcv_frame(addr, &skb, true); ++ ipvlan_rcv_frame(addr, &skb, true); ++ return NET_XMIT_SUCCESS; + } + } + skb = skb_share_check(skb, 
GFP_ATOMIC); +@@ -624,7 +626,8 @@ static int ipvlan_xmit_mode_l2(struct sk_buff *skb, struct net_device *dev) + * the skb for the main-dev. At the RX side we just return + * RX_PASS for it to be processed further on the stack. + */ +- return dev_forward_skb(ipvlan->phy_dev, skb); ++ dev_forward_skb(ipvlan->phy_dev, skb); ++ return NET_XMIT_SUCCESS; + + } else if (is_multicast_ether_addr(eth->h_dest)) { + skb_reset_mac_header(skb); +-- +2.39.2 + diff --git a/tmp-5.4/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch b/tmp-5.4/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch new file mode 100644 index 00000000000..a27520cabe5 --- /dev/null +++ b/tmp-5.4/irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch 
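Review bot: The three rewritten call sites in ipvlan_xmit_mode_l3() and ipvlan_xmit_mode_l2() now discard the results of `ipvlan_rcv_frame()` and `dev_forward_skb()` without explaining why, and an ignored return value in a transmit path reads like a missed error. The existing comment above `dev_forward_skb()` only describes the RX side. Add one line there, such as `/* a forwarded skb counts as transmitted; a drop inside dev_forward_skb() is not a TX drop */`, and a similar remark at the two `ipvlan_rcv_frame()` calls. Both functions extend beyond the hunks shown.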
@@ -0,0 +1,53 @@ +From f17b7dd8b298df39048fbf98b7ebd6f7c8b807af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 18:33:42 +0200 +Subject: irqchip/jcore-aic: Fix missing allocation of IRQ descriptors + +From: John Paul Adrian Glaubitz + +[ Upstream commit 4848229494a323eeaab62eee5574ef9f7de80374 ] + +The initialization function for the J-Core AIC aic_irq_of_init() is +currently missing the call to irq_alloc_descs() which allocates and +initializes all the IRQ descriptors. Add missing function call and +return the error code from irq_alloc_descs() in case the allocation +fails. + +Fixes: 981b58f66cfc ("irqchip/jcore-aic: Add J-Core AIC driver") +Signed-off-by: John Paul Adrian Glaubitz +Tested-by: Rob Landley +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230510163343.43090-1-glaubitz@physik.fu-berlin.de +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-jcore-aic.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c +index 5f47d8ee4ae39..b9dcc8e78c750 100644 +--- a/drivers/irqchip/irq-jcore-aic.c ++++ b/drivers/irqchip/irq-jcore-aic.c +@@ -68,6 +68,7 @@ static int __init aic_irq_of_init(struct device_node *node, + unsigned min_irq = JCORE_AIC2_MIN_HWIRQ; + unsigned dom_sz = JCORE_AIC_MAX_HWIRQ+1; + struct irq_domain *domain; ++ int ret; + + pr_info("Initializing J-Core AIC\n"); + +@@ -100,6 +101,12 @@ static int __init aic_irq_of_init(struct device_node *node, + jcore_aic.irq_unmask = noop; + jcore_aic.name = "AIC"; + ++ ret = irq_alloc_descs(-1, min_irq, dom_sz - min_irq, ++ of_node_to_nid(node)); ++ ++ if (ret < 0) ++ return ret; ++ + domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq, + &jcore_aic_irqdomain_ops, + &jcore_aic); +-- +2.39.2 + 
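Review bot: The added `irq_alloc_descs(-1, min_irq, dom_sz - min_irq, ...)` call in aic_irq_of_init() checks only for `ret < 0`, but with a first argument of -1 the allocator may, as far as I know, return any free range at or above `min_irq`. The following `irq_domain_add_legacy()` call assumes the range starts exactly at `min_irq`. Requesting the exact range makes a mismatch fail instead of going unnoticed: `ret = irq_alloc_descs(min_irq, min_irq, dom_sz - min_irq, of_node_to_nid(node));`. Separately, the descriptors are not released if the domain allocation fails afterwards. That path (`if (!domain) return -ENOMEM;`) is outside this hunk.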
diff --git a/tmp-5.4/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch b/tmp-5.4/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch new file mode 100644 index 00000000000..254ab8be632 --- /dev/null +++ b/tmp-5.4/irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch @@ -0,0 +1,41 @@ +From 567410ef2e3646e5cde58e251d16d4bd165cb6e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Apr 2021 10:35:51 +0100 +Subject: irqchip/jcore-aic: Kill use of irq_create_strict_mappings() + +From: Marc Zyngier + +[ Upstream commit 5f8b938bd790cff6542c7fe3c1495c71f89fef1b ] + +irq_create_strict_mappings() is a poor way to allow the use of +a linear IRQ domain as a legacy one. Let's be upfront about it. + +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20210406093557.1073423-4-maz@kernel.org +Stable-dep-of: 4848229494a3 ("irqchip/jcore-aic: Fix missing allocation of IRQ descriptors") +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-jcore-aic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/irqchip/irq-jcore-aic.c b/drivers/irqchip/irq-jcore-aic.c +index 033bccb41455c..5f47d8ee4ae39 100644 +--- a/drivers/irqchip/irq-jcore-aic.c ++++ b/drivers/irqchip/irq-jcore-aic.c +@@ -100,11 +100,11 @@ static int __init aic_irq_of_init(struct device_node *node, + jcore_aic.irq_unmask = noop; + jcore_aic.name = "AIC"; + +- domain = irq_domain_add_linear(node, dom_sz, &jcore_aic_irqdomain_ops, ++ domain = irq_domain_add_legacy(node, dom_sz - min_irq, min_irq, min_irq, ++ &jcore_aic_irqdomain_ops, + &jcore_aic); + if (!domain) + return -ENOMEM; +- irq_create_strict_mappings(domain, min_irq, min_irq, dom_sz - min_irq); + + return 0; + } +-- +2.39.2 + diff --git a/tmp-5.4/jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch b/tmp-5.4/jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch new file mode 100644 index 00000000000..7ffa2036cfa --- /dev/null 
+++ b/tmp-5.4/jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch 
@@ -0,0 +1,128 @@ +From 1168f095417643f663caa341211e117db552989f Mon Sep 17 00:00:00 2001 +From: Fabian Frederick +Date: Sat, 6 May 2023 06:56:12 +0200 +Subject: jffs2: reduce stack usage in jffs2_build_xattr_subsystem() + +From: Fabian Frederick + +commit 1168f095417643f663caa341211e117db552989f upstream. + +Use kcalloc() for allocation/flush of 128 pointers table to +reduce stack usage. + +Function now returns -ENOMEM or 0 on success. + +stackusage +Before: +./fs/jffs2/xattr.c:775 jffs2_build_xattr_subsystem 1208 +dynamic,bounded + +After: +./fs/jffs2/xattr.c:775 jffs2_build_xattr_subsystem 192 +dynamic,bounded + +Also update definition when CONFIG_JFFS2_FS_XATTR is not enabled + +Tested with an MTD mount point and some user set/getfattr. + +Many current target on OpenWRT also suffer from a compilation warning +(that become an error with CONFIG_WERROR) with the following output: + +fs/jffs2/xattr.c: In function 'jffs2_build_xattr_subsystem': +fs/jffs2/xattr.c:887:1: error: the frame size of 1088 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] + 887 | } + | ^ + +Using dynamic allocation fix this compilation warning. 
+ +Fixes: c9f700f840bd ("[JFFS2][XATTR] using 'delete marker' for xdatum/xref deletion") +Reported-by: Tim Gardner +Reported-by: kernel test robot +Reported-by: Ron Economos +Reported-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Fabian Frederick +Signed-off-by: Christian Marangi +Cc: stable@vger.kernel.org +Message-Id: <20230506045612.16616-1-ansuelsmth@gmail.com> +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/jffs2/build.c | 5 ++++- + fs/jffs2/xattr.c | 13 +++++++++---- + fs/jffs2/xattr.h | 4 ++-- + 3 files changed, 15 insertions(+), 7 deletions(-) + +--- a/fs/jffs2/build.c ++++ b/fs/jffs2/build.c +@@ -211,7 +211,10 @@ static int jffs2_build_filesystem(struct + ic->scan_dents = NULL; + cond_resched(); + } +- jffs2_build_xattr_subsystem(c); ++ ret = jffs2_build_xattr_subsystem(c); ++ if (ret) ++ goto exit; ++ + c->flags &= ~JFFS2_SB_FLAG_BUILDING; + + dbg_fsbuild("FS build complete\n"); +--- a/fs/jffs2/xattr.c ++++ b/fs/jffs2/xattr.c +@@ -772,10 +772,10 @@ void jffs2_clear_xattr_subsystem(struct + } + + #define XREF_TMPHASH_SIZE (128) +-void jffs2_build_xattr_subsystem(struct jffs2_sb_info *c) ++int jffs2_build_xattr_subsystem(struct jffs2_sb_info *c) + { + struct jffs2_xattr_ref *ref, *_ref; +- struct jffs2_xattr_ref *xref_tmphash[XREF_TMPHASH_SIZE]; ++ struct jffs2_xattr_ref **xref_tmphash; + struct jffs2_xattr_datum *xd, *_xd; + struct jffs2_inode_cache *ic; + struct jffs2_raw_node_ref *raw; +@@ -784,9 +784,12 @@ void jffs2_build_xattr_subsystem(struct + + BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING)); + ++ xref_tmphash = kcalloc(XREF_TMPHASH_SIZE, ++ sizeof(struct jffs2_xattr_ref *), GFP_KERNEL); ++ if (!xref_tmphash) ++ return -ENOMEM; ++ + /* Phase.1 : Merge same xref */ +- for (i=0; i < XREF_TMPHASH_SIZE; i++) +- xref_tmphash[i] = NULL; + for (ref=c->xref_temp; ref; ref=_ref) { + struct jffs2_xattr_ref *tmp; + +@@ -884,6 +887,8 @@ void jffs2_build_xattr_subsystem(struct + "%u of xref (%u dead, %u orphan) 
found.\n", + xdatum_count, xdatum_unchecked_count, xdatum_orphan_count, + xref_count, xref_dead_count, xref_orphan_count); ++ kfree(xref_tmphash); ++ return 0; + } + + struct jffs2_xattr_datum *jffs2_setup_xattr_datum(struct jffs2_sb_info *c, +--- a/fs/jffs2/xattr.h ++++ b/fs/jffs2/xattr.h +@@ -71,7 +71,7 @@ static inline int is_xattr_ref_dead(stru + #ifdef CONFIG_JFFS2_FS_XATTR + + extern void jffs2_init_xattr_subsystem(struct jffs2_sb_info *c); +-extern void jffs2_build_xattr_subsystem(struct jffs2_sb_info *c); ++extern int jffs2_build_xattr_subsystem(struct jffs2_sb_info *c); + extern void jffs2_clear_xattr_subsystem(struct jffs2_sb_info *c); + + extern struct jffs2_xattr_datum *jffs2_setup_xattr_datum(struct jffs2_sb_info *c, +@@ -103,7 +103,7 @@ extern ssize_t jffs2_listxattr(struct de + #else + + #define jffs2_init_xattr_subsystem(c) +-#define jffs2_build_xattr_subsystem(c) ++#define jffs2_build_xattr_subsystem(c) (0) + #define jffs2_clear_xattr_subsystem(c) + + #define jffs2_xattr_do_crccheck_inode(c, ic) diff --git a/tmp-5.4/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch b/tmp-5.4/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch new file mode 100644 index 00000000000..00fec96e551 --- /dev/null +++ b/tmp-5.4/jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch 
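Review bot: In the fs/jffs2/xattr.c hunk the only `kfree(xref_tmphash)` is the one added just before the final `return 0`, so any early return or goto in the unseen middle of jffs2_build_xattr_subsystem() would leak the table. The body between the allocation and the end is outside the hunk and should be checked for other exits. As a style point, the allocation is more robust written against the variable than the type: `xref_tmphash = kcalloc(XREF_TMPHASH_SIZE, sizeof(*xref_tmphash), GFP_KERNEL);`. The function's doc comment, if it has one, should now mention the -ENOMEM return.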
@@ -0,0 +1,66 @@ +From 11509910c599cbd04585ec35a6d5e1a0053d84c1 Mon Sep 17 00:00:00 2001 +From: Siddh Raman Pant +Date: Tue, 20 Jun 2023 22:17:00 +0530 +Subject: jfs: jfs_dmap: Validate db_l2nbperpage while mounting + +From: Siddh Raman Pant + +commit 11509910c599cbd04585ec35a6d5e1a0053d84c1 upstream. + +In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block +number inside dbFree(). db_l2nbperpage, which is the log2 number of +blocks per page, is passed as an argument to BLKTODMAP which uses it +for shifting. + +Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is +too big. This happens because the large value is set without any +validation in dbMount() at line 181. + +Thus, make sure that db_l2nbperpage is correct while mounting. + +Max number of blocks per page = Page size / Min block size +=> log2(Max num_block per page) = log2(Page size / Min block size) + = log2(Page size) - log2(Min block size) + +=> Max db_l2nbperpage = L2PSIZE - L2MINBLOCKSIZE + +Reported-and-tested-by: syzbot+d2cd27dcf8e04b232eb2@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?id=2a70a453331db32ed491f5cbb07e81bf2d225715 +Cc: stable@vger.kernel.org +Suggested-by: Dave Kleikamp +Signed-off-by: Siddh Raman Pant +Signed-off-by: Dave Kleikamp +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/jfs_dmap.c | 6 ++++++ + fs/jfs/jfs_filsys.h | 2 ++ + 2 files changed, 8 insertions(+) + +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -178,7 +178,13 @@ int dbMount(struct inode *ipbmap) + dbmp_le = (struct dbmap_disk *) mp->data; + bmp->db_mapsize = le64_to_cpu(dbmp_le->dn_mapsize); + bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree); ++ + bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage); ++ if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) { ++ err = -EINVAL; ++ goto err_release_metapage; ++ } ++ + bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); + if (!bmp->db_numag) { + err = -EINVAL; +--- a/fs/jfs/jfs_filsys.h ++++ b/fs/jfs/jfs_filsys.h 
+@@ -122,7 +122,9 @@ + #define NUM_INODE_PER_IAG INOSPERIAG + + #define MINBLOCKSIZE 512 ++#define L2MINBLOCKSIZE 9 + #define MAXBLOCKSIZE 4096 ++#define L2MAXBLOCKSIZE 12 + #define MAXFILESIZE ((s64)1 << 52) + + #define JFS_LINK_MAX 0xffffffff diff --git a/tmp-5.4/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch b/tmp-5.4/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch new file mode 100644 index 00000000000..7621ed250c6 --- /dev/null +++ b/tmp-5.4/kexec-fix-a-memory-leak-in-crash_shrink_memory.patch 
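Review bot: The new check in dbMount() rejects only values above `L2PSIZE - L2MINBLOCKSIZE`. If `db_l2nbperpage` is a signed field (its declaration is not in the hunk), an on-disk value with the high bit set becomes negative, passes the check, and still reaches the shift. Because the value comes from an untrusted image, bound it on both sides: `if (bmp->db_l2nbperpage < 0 || bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) {`. `L2MAXBLOCKSIZE` is added in jfs_filsys.h but not used by any hunk shown here.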
@@ -0,0 +1,93 @@ +From 5fb5cd1001376c72e6b15b36e2ec0a24646d9c74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 20:34:34 +0800 +Subject: kexec: fix a memory leak in crash_shrink_memory() + +From: Zhen Lei + +[ Upstream commit 1cba6c4309f03de570202c46f03df3f73a0d4c82 ] + +Patch series "kexec: enable kexec_crash_size to support two crash kernel +regions". + +When crashkernel=X fails to reserve region under 4G, it will fall back to +reserve region above 4G and a region of the default size will also be +reserved under 4G. Unfortunately, /sys/kernel/kexec_crash_size only +supports one crash kernel region now, the user cannot sense the low memory +reserved by reading /sys/kernel/kexec_crash_size. Also, low memory cannot +be freed by writing this file. + +For example: +resource_size(crashk_res) = 512M +resource_size(crashk_low_res) = 256M + +The result of 'cat /sys/kernel/kexec_crash_size' is 512M, but it should be +768M. When we execute 'echo 0 > /sys/kernel/kexec_crash_size', the size +of crashk_res becomes 0 and resource_size(crashk_low_res) is still 256 MB, +which is incorrect. + +Since crashk_res manages the memory with high address and crashk_low_res +manages the memory with low address, crashk_low_res is shrunken only when +all crashk_res is shrunken. And because when there is only one crash +kernel region, crashk_res is always used. Therefore, if all crashk_res is +shrunken and crashk_low_res still exists, swap them. + +This patch (of 6): + +If the value of parameter 'new_size' is in the semi-open and semi-closed +interval (crashk_res.end - KEXEC_CRASH_MEM_ALIGN + 1, crashk_res.end], the +calculation result of ram_res is: + + ram_res->start = crashk_res.end + 1 + ram_res->end = crashk_res.end + +The operation of insert_resource() fails, and ram_res is not added to +iomem_resource. As a result, the memory of the control block ram_res is +leaked. 
+ +In fact, on all architectures, the start address and size of crashk_res +are already aligned by KEXEC_CRASH_MEM_ALIGN. Therefore, we do not need +to round up crashk_res.start again. Instead, we should round up +'new_size' in advance. + +Link: https://lkml.kernel.org/r/20230527123439.772-1-thunder.leizhen@huawei.com +Link: https://lkml.kernel.org/r/20230527123439.772-2-thunder.leizhen@huawei.com +Fixes: 6480e5a09237 ("kdump: add missing RAM resource in crash_shrink_memory()") +Fixes: 06a7f711246b ("kexec: premit reduction of the reserved memory size") +Signed-off-by: Zhen Lei +Acked-by: Baoquan He +Cc: Cong Wang +Cc: Eric W. Biederman +Cc: Michael Holzheu +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/kexec_core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c +index d65b0fc8fb48b..3694d90c3722f 100644 +--- a/kernel/kexec_core.c ++++ b/kernel/kexec_core.c +@@ -1019,6 +1019,7 @@ int crash_shrink_memory(unsigned long new_size) + start = crashk_res.start; + end = crashk_res.end; + old_size = (end == 0) ? 0 : end - start + 1; ++ new_size = roundup(new_size, KEXEC_CRASH_MEM_ALIGN); + if (new_size >= old_size) { + ret = (new_size == old_size) ? 0 : -EINVAL; + goto unlock; +@@ -1030,9 +1031,7 @@ int crash_shrink_memory(unsigned long new_size) + goto unlock; + } + +- start = roundup(start, KEXEC_CRASH_MEM_ALIGN); +- end = roundup(start + new_size, KEXEC_CRASH_MEM_ALIGN); +- ++ end = start + new_size; + crash_free_reserved_phys_range(end, crashk_res.end); + + if ((start == end) && (crashk_res.parent != NULL)) +-- +2.39.2 + diff --git a/tmp-5.4/kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch b/tmp-5.4/kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch new file mode 100644 index 00000000000..192bfd62e22 --- /dev/null +++ b/tmp-5.4/kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch 
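Review bot: The added `new_size = roundup(new_size, KEXEC_CRASH_MEM_ALIGN);` in crash_shrink_memory() can wrap when `new_size` is within one alignment unit of ULONG_MAX, because `new_size` is an `unsigned long` taken from the caller. The wrapped value is 0, which passes the `new_size >= old_size` test and shrinks the reservation to nothing instead of returning -EINVAL as the old code did. A guard before the rounding avoids this: `if (new_size > ULONG_MAX - KEXEC_CRASH_MEM_ALIGN) { ret = -EINVAL; goto unlock; }`. The caller is presumably the privileged sysfs write path, so this is a robustness issue rather than an exposure. The function begins and ends outside the hunk.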
@@ -0,0 +1,74 @@ +From cb77bd4b66fc12acc2a600a8707bcb76709d84d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Mar 2023 15:54:23 +0100 +Subject: KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes + +From: Nico Boehr + +[ Upstream commit 285cff4c0454340a4dc53f46e67f2cb1c293bd74 ] + +The KVM_S390_GET_CMMA_BITS ioctl may return incorrect values when userspace +specifies a start_gfn outside of memslots. + +This can occur when a VM has multiple memslots with a hole in between: + ++-----+----------+--------+--------+ +| ... | Slot N-1 | | Slot N | ++-----+----------+--------+--------+ + ^ ^ ^ ^ + | | | | +GFN A A+B | | + A+B+C | + A+B+C+D + +When userspace specifies a GFN in [A+B, A+B+C), it would expect to get the +CMMA values of the first dirty page in Slot N. However, userspace may get a +start_gfn of A+B+C+D with a count of 0, hence completely skipping over any +dirty pages in slot N. + +The error is in kvm_s390_next_dirty_cmma(), which assumes +gfn_to_memslot_approx() will return the memslot _below_ the specified GFN +when the specified GFN lies outside a memslot. In reality it may return +either the memslot below or above the specified GFN. + +When a memslot above the specified GFN is returned this happens: + +- ofs is calculated, but since the memslot's base_gfn is larger than the + specified cur_gfn, ofs will underflow to a huge number. +- ofs is passed to find_next_bit(). Since ofs will exceed the memslot's + number of pages, the number of pages in the memslot is returned, + completely skipping over all bits in the memslot userspace would be + interested in. + +Fix this by resetting ofs to zero when a memslot _above_ cur_gfn is +returned (cur_gfn < ms->base_gfn). 
+ +Signed-off-by: Nico Boehr +Reviewed-by: Claudio Imbrenda +Fixes: afdad61615cc ("KVM: s390: Fix storage attributes migration with memory slots") +Message-Id: <20230324145424.293889-2-nrb@linux.ibm.com> +Signed-off-by: Claudio Imbrenda +Signed-off-by: Janosch Frank +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/kvm-s390.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index 9ade970b4232c..b11eb11e2f499 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -1982,6 +1982,10 @@ static unsigned long kvm_s390_next_dirty_cmma(struct kvm_memslots *slots, + ms = slots->memslots + slotidx; + ofs = 0; + } ++ ++ if (cur_gfn < ms->base_gfn) ++ ofs = 0; ++ + ofs = find_next_bit(kvm_second_dirty_bitmap(ms), ms->npages, ofs); + while ((slotidx > 0) && (ofs >= ms->npages)) { + slotidx--; +-- +2.39.2 + diff --git a/tmp-5.4/kvm-s390-vsie-fix-the-length-of-apcb-bitmap.patch b/tmp-5.4/kvm-s390-vsie-fix-the-length-of-apcb-bitmap.patch new file mode 100644 index 00000000000..8f1b7295cfb --- /dev/null +++ b/tmp-5.4/kvm-s390-vsie-fix-the-length-of-apcb-bitmap.patch 
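Review bot: The added `if (cur_gfn < ms->base_gfn) ofs = 0;` in kvm_s390_next_dirty_cmma() has no comment, and without the commit message it reads like an arbitrary reset. The reason is that the approximate memslot lookup may return the slot above `cur_gfn`, in which case the previously computed offset has underflowed. Record that next to the check, for example `/* lookup may return the slot above cur_gfn; start at its first page */`. The computation of `ofs` that this corrects is above the hunk and is not visible here.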
@@ -0,0 +1,52 @@ +From c4264d6cc6f7858a46495b03a0db4ec4a29c4037 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 17:42:58 +0200 +Subject: KVM: s390: vsie: fix the length of APCB bitmap + +From: Pierre Morel + +[ Upstream commit 246be7d2720ea9a795b576067ecc5e5c7a1e7848 ] + +bit_and() uses the count of bits as the woking length. +Fix the previous implementation and effectively use +the right bitmap size. + +Fixes: 19fd83a64718 ("KVM: s390: vsie: allow CRYCB FORMAT-1") +Fixes: 56019f9aca22 ("KVM: s390: vsie: Allow CRYCB FORMAT-2") + +Signed-off-by: Pierre Morel +Reviewed-by: Janosch Frank +Link: https://lore.kernel.org/kvm/20230511094719.9691-1-pmorel@linux.ibm.com/ +Signed-off-by: Janosch Frank +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/vsie.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/kvm/vsie.c b/arch/s390/kvm/vsie.c +index 2021946176de8..596b2a2cd837d 100644 +--- a/arch/s390/kvm/vsie.c ++++ b/arch/s390/kvm/vsie.c +@@ -168,7 +168,8 @@ static int setup_apcb00(struct kvm_vcpu *vcpu, unsigned long *apcb_s, + sizeof(struct kvm_s390_apcb0))) + return -EFAULT; + +- bitmap_and(apcb_s, apcb_s, apcb_h, sizeof(struct kvm_s390_apcb0)); ++ bitmap_and(apcb_s, apcb_s, apcb_h, ++ BITS_PER_BYTE * sizeof(struct kvm_s390_apcb0)); + + return 0; + } +@@ -190,7 +191,8 @@ static int setup_apcb11(struct kvm_vcpu *vcpu, unsigned long *apcb_s, + sizeof(struct kvm_s390_apcb1))) + return -EFAULT; + +- bitmap_and(apcb_s, apcb_s, apcb_h, sizeof(struct kvm_s390_apcb1)); ++ bitmap_and(apcb_s, apcb_s, apcb_h, ++ BITS_PER_BYTE * sizeof(struct kvm_s390_apcb1)); + + return 0; + } +-- +2.39.2 + diff --git a/tmp-5.4/lib-ts_bm-reset-initial-match-offset-for-every-block.patch b/tmp-5.4/lib-ts_bm-reset-initial-match-offset-for-every-block.patch new file mode 100644 index 00000000000..704c8be9887 --- /dev/null +++ b/tmp-5.4/lib-ts_bm-reset-initial-match-offset-for-every-block.patch 
@@ -0,0 +1,59 @@ +From e840b0560f2efee094b37016ba0a076546bc07d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 20:06:57 +0100 +Subject: lib/ts_bm: reset initial match offset for every block of text + +From: Jeremy Sowden + +[ Upstream commit 6f67fbf8192da80c4db01a1800c7fceaca9cf1f9 ] + +The `shift` variable which indicates the offset in the string at which +to start matching the pattern is initialized to `bm->patlen - 1`, but it +is not reset when a new block is retrieved. This means the implemen- +tation may start looking at later and later positions in each successive +block and miss occurrences of the pattern at the beginning. E.g., +consider a HTTP packet held in a non-linear skb, where the HTTP request +line occurs in the second block: + + [... 52 bytes of packet headers ...] + GET /bmtest HTTP/1.1\r\nHost: www.example.com\r\n\r\n + +and the pattern is "GET /bmtest". + +Once the first block comprising the packet headers has been examined, +`shift` will be pointing to somewhere near the end of the block, and so +when the second block is examined the request line at the beginning will +be missed. + +Reinitialize the variable for each new block. 
+ +Fixes: 8082e4ed0a61 ("[LIB]: Boyer-Moore extension for textsearch infrastructure strike #2") +Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1390 +Signed-off-by: Jeremy Sowden +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + lib/ts_bm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/ts_bm.c b/lib/ts_bm.c +index b352903c50e38..0a22ae48af61f 100644 +--- a/lib/ts_bm.c ++++ b/lib/ts_bm.c +@@ -60,10 +60,12 @@ static unsigned int bm_find(struct ts_config *conf, struct ts_state *state) + struct ts_bm *bm = ts_config_priv(conf); + unsigned int i, text_len, consumed = state->offset; + const u8 *text; +- int shift = bm->patlen - 1, bs; ++ int bs; + const u8 icase = conf->flags & TS_IGNORECASE; + + for (;;) { ++ int shift = bm->patlen - 1; ++ + text_len = conf->get_next_block(consumed, &text, conf, state); + + if (unlikely(text_len == 0)) +-- +2.39.2 + diff --git a/tmp-5.4/llc-don-t-drop-packet-from-non-root-netns.patch b/tmp-5.4/llc-don-t-drop-packet-from-non-root-netns.patch new file mode 100644 index 00000000000..12706d00597 --- /dev/null +++ b/tmp-5.4/llc-don-t-drop-packet-from-non-root-netns.patch 
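Review bot: The per-block `int shift = bm->patlen - 1;` in `bm_find()` has no comment stating what remains unhandled. With the offset restarted for every block, a pattern that straddles two blocks is still not found; as far as I know that is a documented limitation of this algorithm rather than something the hunk shows. Because textsearch backs packet string matching, the limit is worth recording at the declaration, e.g. `/* restart for each block; a match spanning two blocks is not detected */`. The rest of the loop body lies outside the hunk.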
@@ -0,0 +1,50 @@ +From 5f49d88b5518144b7e6b9ddd2a5a4b3ec3dea453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jul 2023 10:41:51 -0700 +Subject: llc: Don't drop packet from non-root netns. + +From: Kuniyuki Iwashima + +[ Upstream commit 6631463b6e6673916d2481f692938f393148aa82 ] + +Now these upper layer protocol handlers can be called from llc_rcv() +as sap->rcv_func(), which is registered by llc_sap_open(). + + * function which is passed to register_8022_client() + -> no in-kernel user calls register_8022_client(). + + * snap_rcv() + `- proto->rcvfunc() : registered by register_snap_client() + -> aarp_rcv() and atalk_rcv() drop packets from non-root netns + + * stp_pdu_rcv() + `- garp_protos[]->rcv() : registered by stp_proto_register() + -> garp_pdu_rcv() and br_stp_rcv() are netns-aware + +So, we can safely remove the netns restriction in llc_rcv(). + +Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe") +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/llc/llc_input.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c +index 82cb93f66b9bd..f9e801cc50f5e 100644 +--- a/net/llc/llc_input.c ++++ b/net/llc/llc_input.c +@@ -162,9 +162,6 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev, + void (*sta_handler)(struct sk_buff *skb); + void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb); + +- if (!net_eq(dev_net(dev), &init_net)) +- goto drop; +- + /* + * When the interface is in promisc. mode, drop all the crap that it + * receives, do not try to analyse it. +-- +2.39.2 + diff --git a/tmp-5.4/mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch b/tmp-5.4/mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch new file mode 100644 index 00000000000..2b3d7b301a0 --- /dev/null +++ b/tmp-5.4/mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch 
@@ -0,0 +1,75 @@ +From a8083ee00dc4d6595c0a634260449f797bcdd366 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 20:00:22 -0500 +Subject: mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 + +From: Nishanth Menon + +[ Upstream commit 1b712f18c461bd75f018033a15cf381e712806b5 ] + +Sec proxy/message manager data buffer is 60 bytes with the last of the +registers indicating transmission completion. This however poses a bit +of a challenge. + +The backing memory for sec_proxy / message manager is regular memory, +and all sec proxy does is to trigger a burst of all 60 bytes of data +over to the target thread backing ring accelerator. It doesn't do a +memory scrub when it moves data out in the burst. When we transmit +multiple messages, remnants of previous message is also transmitted +which results in some random data being set in TISCI fields of +messages that have been expanded forward. + +The entire concept of backward compatibility hinges on the fact that +the unused message fields remain 0x0 allowing for 0x0 value to be +specially considered when backward compatibility of message extension +is done. + +So, instead of just writing the completion register, we continue +to fill the message buffer up with 0x0 (note: for partial message +involving completion, we already do this). + +This allows us to scale and introduce ABI changes back also work with +other boot stages that may have left data in the internal memory. + +While at this, be consistent and explicit with the data_reg pointer +increment. 
+ +Fixes: aace66b170ce ("mailbox: Introduce TI message manager driver") +Signed-off-by: Nishanth Menon +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/ti-msgmgr.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/mailbox/ti-msgmgr.c b/drivers/mailbox/ti-msgmgr.c +index 88047d835211c..75f14b624ca22 100644 +--- a/drivers/mailbox/ti-msgmgr.c ++++ b/drivers/mailbox/ti-msgmgr.c +@@ -385,14 +385,20 @@ static int ti_msgmgr_send_data(struct mbox_chan *chan, void *data) + /* Ensure all unused data is 0 */ + data_trail &= 0xFFFFFFFF >> (8 * (sizeof(u32) - trail_bytes)); + writel(data_trail, data_reg); +- data_reg++; ++ data_reg += sizeof(u32); + } ++ + /* + * 'data_reg' indicates next register to write. If we did not already + * write on tx complete reg(last reg), we must do so for transmit ++ * In addition, we also need to make sure all intermediate data ++ * registers(if any required), are reset to 0 for TISCI backward ++ * compatibility to be maintained. + */ +- if (data_reg <= qinst->queue_buff_end) +- writel(0, qinst->queue_buff_end); ++ while (data_reg <= qinst->queue_buff_end) { ++ writel(0, data_reg); ++ data_reg += sizeof(u32); ++ } + + return 0; + } +-- +2.39.2 + diff --git a/tmp-5.4/md-fix-data-corruption-for-raid456-when-reshape-rest.patch b/tmp-5.4/md-fix-data-corruption-for-raid456-when-reshape-rest.patch new file mode 100644 index 00000000000..f08db1820b2 --- /dev/null +++ b/tmp-5.4/md-fix-data-corruption-for-raid456-when-reshape-rest.patch 
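Review bot: The new `data_reg += sizeof(u32);` steps and the `while (data_reg <= qinst->queue_buff_end)` loop in `ti_msgmgr_send_data()` are correct only if `data_reg` is a byte-granular pointer (presumably `void __iomem *`) that stays word-aligned with `queue_buff_end`. Its declaration is outside the hunk, and the same statement on a `u32 __iomem *` would advance four registers per step. A short comment at the loop, e.g. `/* data_reg is a byte address: advance one 32-bit register per write */`, would make that assumption visible. That the zero-fill stays inside the buffer also relies on the message-length check earlier in the function, which the hunk does not show.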
@@ -0,0 +1,60 @@ +From 4cc78653a330f245001ff2e0e31088dbba8facdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 09:56:07 +0800 +Subject: md: fix data corruption for raid456 when reshape restart while grow + up + +From: Yu Kuai + +[ Upstream commit 873f50ece41aad5c4f788a340960c53774b5526e ] + +Currently, if reshape is interrupted, echo "reshape" to sync_action will +restart reshape from scratch, for example: + +echo frozen > sync_action +echo reshape > sync_action + +This will corrupt data before reshape_position if the array is growing, +fix the problem by continue reshape from reshape_position. + +Reported-by: Peter Neuwirth +Link: https://lore.kernel.org/linux-raid/e2f96772-bfbc-f43b-6da1-f520e5164536@online.de/ +Signed-off-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230512015610.821290-3-yukuai1@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 0765712513e7d..a006f3a9554bf 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -4743,11 +4743,21 @@ action_store(struct mddev *mddev, const char *page, size_t len) + return -EINVAL; + err = mddev_lock(mddev); + if (!err) { +- if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) ++ if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) { + err = -EBUSY; +- else { ++ } else if (mddev->reshape_position == MaxSector || ++ mddev->pers->check_reshape == NULL || ++ mddev->pers->check_reshape(mddev)) { + clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); + err = mddev->pers->start_reshape(mddev); ++ } else { ++ /* ++ * If reshape is still in progress, and ++ * md_check_recovery() can continue to reshape, ++ * don't restart reshape because data can be ++ * corrupted for raid456. ++ */ ++ clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery); + } + mddev_unlock(mddev); + } +-- +2.39.2 + 
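Review bot: In `action_store()` the new `else if` uses the result of `mddev->pers->check_reshape(mddev)` as a plain truth value, so a non-zero return selects the `start_reshape()` path and the returned code is dropped. If the callback follows the usual 0-on-success convention, that means an error from it leads straight into `start_reshape()`. The only comment sits in the final `else`, which leaves the three-way condition unexplained; I would add above it something like `/* no interrupted reshape to resume, or check_reshape() refuses: start a new one */`. The function begins outside the hunk, so the earlier `-EINVAL` checks are not visible here.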
diff --git a/tmp-5.4/md-raid0-add-discard-support-for-the-original-layout.patch b/tmp-5.4/md-raid0-add-discard-support-for-the-original-layout.patch
new file mode 100644
index 00000000000..e659367a304
--- /dev/null
+++ b/tmp-5.4/md-raid0-add-discard-support-for-the-original-layout.patch
@@ -0,0 +1,203 @@ +From e836007089ba8fdf24e636ef2b007651fb4582e6 Mon Sep 17 00:00:00 2001 +From: Jason Baron +Date: Fri, 23 Jun 2023 14:05:23 -0400 +Subject: md/raid0: add discard support for the 'original' layout + +From: Jason Baron + +commit e836007089ba8fdf24e636ef2b007651fb4582e6 upstream. + +We've found that using raid0 with the 'original' layout and discard +enabled with different disk sizes (such that at least two zones are +created) can result in data corruption. This is due to the fact that +the discard handling in 'raid0_handle_discard()' assumes the 'alternate' +layout. We've seen this corruption using ext4 but other filesystems are +likely susceptible as well. + +More specifically, while multiple zones are necessary to create the +corruption, the corruption may not occur with multiple zones if they +layout in such a way the layout matches what the 'alternate' layout +would have produced. Thus, not all raid0 devices with the 'original' +layout, different size disks and discard enabled will encounter this +corruption. + +The 3.14 kernel inadvertently changed the raid0 disk layout for different +size disks. Thus, running a pre-3.14 kernel and post-3.14 kernel on the +same raid0 array could corrupt data. This lead to the creation of the +'original' layout (to match the pre-3.14 layout) and the 'alternate' layout +(to match the post 3.14 layout) in the 5.4 kernel time frame and an option +to tell the kernel which layout to use (since it couldn't be autodetected). +However, when the 'original' layout was added back to 5.4 discard support +for the 'original' layout was not added leading this issue. + +I've been able to reliably reproduce the corruption with the following +test case: + +1. create raid0 array with different size disks using original layout +2. mkfs +3. mount -o discard +4. create lots of files +5. remove 1/2 the files +6. fstrim -a (or just the mount point for the raid0 array) +7. umount +8. 
fsck -fn /dev/md0 (spews all sorts of corruptions) + +Let's fix this by adding proper discard support to the 'original' layout. +The fix 'maps' the 'original' layout disks to the order in which they are +read/written such that we can compare the disks in the same way that the +current 'alternate' layout does. A 'disk_shift' field is added to +'struct strip_zone'. This could be computed on the fly in +raid0_handle_discard() but by adding this field, we save some computation +in the discard path. + +Note we could also potentially fix this by re-ordering the disks in the +zones that follow the first one, and then always read/writing them using +the 'alternate' layout. However, that is seen as a more substantial change, +and we are attempting the least invasive fix at this time to remedy the +corruption. + +I've verified the change using the reproducer mentioned above. Typically, +the corruption is seen after less than 3 iterations, while the patch has +run 500+ iterations. + +Cc: NeilBrown +Cc: Song Liu +Fixes: c84a1372df92 ("md/raid0: avoid RAID0 data corruption due to layout confusion.") +Cc: stable@vger.kernel.org +Signed-off-by: Jason Baron +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230623180523.1901230-1-jbaron@akamai.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid0.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++------- + drivers/md/raid0.h | 1 + 2 files changed, 55 insertions(+), 8 deletions(-) + +--- a/drivers/md/raid0.c ++++ b/drivers/md/raid0.c +@@ -289,6 +289,18 @@ static int create_strip_zones(struct mdd + goto abort; + } + ++ if (conf->layout == RAID0_ORIG_LAYOUT) { ++ for (i = 1; i < conf->nr_strip_zones; i++) { ++ sector_t first_sector = conf->strip_zone[i-1].zone_end; ++ ++ sector_div(first_sector, mddev->chunk_sectors); ++ zone = conf->strip_zone + i; ++ /* disk_shift is first disk index used in the zone */ ++ zone->disk_shift = sector_div(first_sector, ++ zone->nb_dev); ++ } ++ } ++ + pr_debug("md/raid0:%s: 
done.\n", mdname(mddev)); + *private_conf = conf; + +@@ -475,6 +487,20 @@ static inline int is_io_in_chunk_boundar + } + } + ++/* ++ * Convert disk_index to the disk order in which it is read/written. ++ * For example, if we have 4 disks, they are numbered 0,1,2,3. If we ++ * write the disks starting at disk 3, then the read/write order would ++ * be disk 3, then 0, then 1, and then disk 2 and we want map_disk_shift() ++ * to map the disks as follows 0,1,2,3 => 1,2,3,0. So disk 0 would map ++ * to 1, 1 to 2, 2 to 3, and 3 to 0. That way we can compare disks in ++ * that 'output' space to understand the read/write disk ordering. ++ */ ++static int map_disk_shift(int disk_index, int num_disks, int disk_shift) ++{ ++ return ((disk_index + num_disks - disk_shift) % num_disks); ++} ++ + static void raid0_handle_discard(struct mddev *mddev, struct bio *bio) + { + struct r0conf *conf = mddev->private; +@@ -488,7 +514,9 @@ static void raid0_handle_discard(struct + sector_t end_disk_offset; + unsigned int end_disk_index; + unsigned int disk; ++ sector_t orig_start, orig_end; + ++ orig_start = start; + zone = find_zone(conf, &start); + + if (bio_end_sector(bio) > zone->zone_end) { +@@ -502,6 +530,7 @@ static void raid0_handle_discard(struct + } else + end = bio_end_sector(bio); + ++ orig_end = end; + if (zone != conf->strip_zone) + end = end - zone[-1].zone_end; + +@@ -513,13 +542,26 @@ static void raid0_handle_discard(struct + last_stripe_index = end; + sector_div(last_stripe_index, stripe_size); + +- start_disk_index = (int)(start - first_stripe_index * stripe_size) / +- mddev->chunk_sectors; ++ /* In the first zone the original and alternate layouts are the same */ ++ if ((conf->layout == RAID0_ORIG_LAYOUT) && (zone != conf->strip_zone)) { ++ sector_div(orig_start, mddev->chunk_sectors); ++ start_disk_index = sector_div(orig_start, zone->nb_dev); ++ start_disk_index = map_disk_shift(start_disk_index, ++ zone->nb_dev, ++ zone->disk_shift); ++ sector_div(orig_end, 
mddev->chunk_sectors); ++ end_disk_index = sector_div(orig_end, zone->nb_dev); ++ end_disk_index = map_disk_shift(end_disk_index, ++ zone->nb_dev, zone->disk_shift); ++ } else { ++ start_disk_index = (int)(start - first_stripe_index * stripe_size) / ++ mddev->chunk_sectors; ++ end_disk_index = (int)(end - last_stripe_index * stripe_size) / ++ mddev->chunk_sectors; ++ } + start_disk_offset = ((int)(start - first_stripe_index * stripe_size) % + mddev->chunk_sectors) + + first_stripe_index * mddev->chunk_sectors; +- end_disk_index = (int)(end - last_stripe_index * stripe_size) / +- mddev->chunk_sectors; + end_disk_offset = ((int)(end - last_stripe_index * stripe_size) % + mddev->chunk_sectors) + + last_stripe_index * mddev->chunk_sectors; +@@ -528,18 +570,22 @@ static void raid0_handle_discard(struct + sector_t dev_start, dev_end; + struct bio *discard_bio = NULL; + struct md_rdev *rdev; ++ int compare_disk; ++ ++ compare_disk = map_disk_shift(disk, zone->nb_dev, ++ zone->disk_shift); + +- if (disk < start_disk_index) ++ if (compare_disk < start_disk_index) + dev_start = (first_stripe_index + 1) * + mddev->chunk_sectors; +- else if (disk > start_disk_index) ++ else if (compare_disk > start_disk_index) + dev_start = first_stripe_index * mddev->chunk_sectors; + else + dev_start = start_disk_offset; + +- if (disk < end_disk_index) ++ if (compare_disk < end_disk_index) + dev_end = (last_stripe_index + 1) * mddev->chunk_sectors; +- else if (disk > end_disk_index) ++ else if (compare_disk > end_disk_index) + dev_end = last_stripe_index * mddev->chunk_sectors; + else + dev_end = end_disk_offset; +--- a/drivers/md/raid0.h ++++ b/drivers/md/raid0.h +@@ -6,6 +6,7 @@ struct strip_zone { + sector_t zone_end; /* Start of the next zone (in sectors) */ + sector_t dev_start; /* Zone offset in real dev (in sectors) */ + int nb_dev; /* # of devices attached to the zone */ ++ int disk_shift; /* start disk for the original layout */ + }; + + /* Linux 3.14 (20d0189b101) made an unintended 
change to diff --git a/tmp-5.4/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch b/tmp-5.4/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch new file mode 100644 index 00000000000..1c6ae0b220d --- /dev/null +++ b/tmp-5.4/md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch 
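Review bot: The discard loop in `raid0_handle_discard()` now calls `map_disk_shift(disk, zone->nb_dev, zone->disk_shift)` for every zone and both layouts, but `create_strip_zones()` assigns `disk_shift` only for zones 1 and up under `RAID0_ORIG_LAYOUT`. The identity mapping for the first zone and for the alternate layout therefore depends on the field starting at 0, presumably from a zeroing allocation that is outside these hunks. I would state that in raid0.h, e.g. `int disk_shift; /* first disk used in the zone, original layout only; must be 0 otherwise */`. The `int` result is also compared with `end_disk_index`, declared `unsigned int` in the context lines, which is safe only while `disk_shift` is below `num_disks`; the comment on `map_disk_shift()` should say so.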
@@ -0,0 +1,65 @@ +From 424deacdd4401864eadf2e2e8b7afd6a5ebb7f9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 21:48:05 +0800 +Subject: md/raid10: check slab-out-of-bounds in md_bitmap_get_counter + +From: Li Nan + +[ Upstream commit 301867b1c16805aebbc306aafa6ecdc68b73c7e5 ] + +If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage() +will return -EINVAL because 'page >= bitmap->pages', but the return value +was not checked immediately in md_bitmap_get_counter() in order to set +*blocks value and slab-out-of-bounds occurs. + +Move check of 'page >= bitmap->pages' to md_bitmap_get_counter() and +return directly if true. + +Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230515134808.3936750-2-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md-bitmap.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c +index 0545cdccf6369..bea8265ce9b8e 100644 +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -54,14 +54,7 @@ __acquires(bitmap->lock) + { + unsigned char *mappage; + +- if (page >= bitmap->pages) { +- /* This can happen if bitmap_start_sync goes beyond +- * End-of-device while looking for a whole page. +- * It is harmless. +- */ +- return -EINVAL; +- } +- ++ WARN_ON_ONCE(page >= bitmap->pages); + if (bitmap->bp[page].hijacked) /* it's hijacked, don't try to alloc */ + return 0; + +@@ -1369,6 +1362,14 @@ __acquires(bitmap->lock) + sector_t csize; + int err; + ++ if (page >= bitmap->pages) { ++ /* ++ * This can happen if bitmap_start_sync goes beyond ++ * End-of-device while looking for a whole page or ++ * user set a huge number to sysfs bitmap_set_bits. ++ */ ++ return NULL; ++ } + err = md_bitmap_checkpage(bitmap, page, create, 0); + + if (bitmap->bp[page].hijacked || +-- +2.39.2 + 
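Review bot: In `md_bitmap_checkpage()` the replacement `WARN_ON_ONCE(page >= bitmap->pages);` only reports the condition. The next line still evaluates `bitmap->bp[page].hijacked`, so a caller that reaches it with an out-of-range `page` reads past the array, and with panic_on_warn set the warning itself is fatal. The bounds check was moved into `md_bitmap_get_counter()`, but whether that is the only caller cannot be seen from these hunks. Keeping the early return costs nothing: `if (WARN_ON_ONCE(page >= bitmap->pages)) return -EINVAL;`. Both function bodies start outside the hunks.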
diff --git a/tmp-5.4/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch b/tmp-5.4/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch
new file mode 100644
index 00000000000..8e2253166d4
--- /dev/null
+++ b/tmp-5.4/md-raid10-fix-io-loss-while-replacement-replace-rdev.patch
@@ -0,0 +1,79 @@ +From dbee0683a39045c5b85c5ce372f10260fec448aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 17:18:39 +0800 +Subject: md/raid10: fix io loss while replacement replace rdev + +From: Li Nan + +[ Upstream commit 2ae6aaf76912bae53c74b191569d2ab484f24bf3 ] + +When removing a disk with replacement, the replacement will be used to +replace rdev. During this process, there is a brief window in which both +rdev and replacement are read as NULL in raid10_write_request(). This +will result in io not being submitted but it should be. + + //remove //write + raid10_remove_disk raid10_write_request + mirror->rdev = NULL + read rdev -> NULL + mirror->rdev = mirror->replacement + mirror->replacement = NULL + read replacement -> NULL + +Fix it by reading replacement first and rdev later, meanwhile, use smp_mb() +to prevent memory reordering. + +Fixes: 475b0321a4df ("md/raid10: writes should get directed to replacement as well as original.") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230602091839.743798-3-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 7f762df43a2fc..db4de8e07cd97 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -751,8 +751,16 @@ static struct md_rdev *read_balance(struct r10conf *conf, + disk = r10_bio->devs[slot].devnum; + rdev = rcu_dereference(conf->mirrors[disk].replacement); + if (rdev == NULL || test_bit(Faulty, &rdev->flags) || +- r10_bio->devs[slot].addr + sectors > rdev->recovery_offset) ++ r10_bio->devs[slot].addr + sectors > ++ rdev->recovery_offset) { ++ /* ++ * Read replacement first to prevent reading both rdev ++ * and replacement as NULL during replacement replace ++ * rdev. 
++ */ ++ smp_mb(); + rdev = rcu_dereference(conf->mirrors[disk].rdev); ++ } + if (rdev == NULL || + test_bit(Faulty, &rdev->flags)) + continue; +@@ -1363,9 +1371,15 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio, + + for (i = 0; i < conf->copies; i++) { + int d = r10_bio->devs[i].devnum; +- struct md_rdev *rdev = rcu_dereference(conf->mirrors[d].rdev); +- struct md_rdev *rrdev = rcu_dereference( +- conf->mirrors[d].replacement); ++ struct md_rdev *rdev, *rrdev; ++ ++ rrdev = rcu_dereference(conf->mirrors[d].replacement); ++ /* ++ * Read replacement first to prevent reading both rdev and ++ * replacement as NULL during replacement replace rdev. ++ */ ++ smp_mb(); ++ rdev = rcu_dereference(conf->mirrors[d].rdev); + if (rdev == rrdev) + rrdev = NULL; + if (rdev && unlikely(test_bit(Blocked, &rdev->flags))) { +-- +2.39.2 + diff --git a/tmp-5.4/md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch b/tmp-5.4/md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch new file mode 100644 index 00000000000..31029cc4bbc --- /dev/null +++ b/tmp-5.4/md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch 
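Review bot: The two new `smp_mb()` calls, in `read_balance()` and `raid10_write_request()`, carry a comment about read order but do not name the barrier they pair with on the writer side. The removal path described in the commit message (`raid10_remove_disk`) is not part of these hunks, so it cannot be confirmed here that it orders `mirror->rdev = mirror->replacement` before `mirror->replacement = NULL` with a matching barrier. Once that is verified I would extend both comments with a line such as `* Pairs with the barrier in raid10_remove_disk().`. Both functions start and end outside the hunks.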
@@ -0,0 +1,81 @@ +From fe46b1dc2a17a2bf0917ebda81c867957f1909ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 15:22:15 +0800 +Subject: md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request + +From: Li Nan + +[ Upstream commit 34817a2441747b48e444cb0e05d84e14bc9443da ] + +There are two check of 'mreplace' in raid10_sync_request(). In the first +check, 'need_replace' will be set and 'mreplace' will be used later if +no-Faulty 'mreplace' exists, In the second check, 'mreplace' will be +set to NULL if it is Faulty, but 'need_replace' will not be changed +accordingly. null-ptr-deref occurs if Faulty is set between two check. + +Fix it by merging two checks into one. And replace 'need_replace' with +'mreplace' because their values are always the same. + +Fixes: ee37d7314a32 ("md/raid10: Fix raid10 replace hang when new added disk faulty") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230527072218.2365857-2-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index aee429ab114a5..7f762df43a2fc 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -3054,7 +3054,6 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, + int must_sync; + int any_working; + int need_recover = 0; +- int need_replace = 0; + struct raid10_info *mirror = &conf->mirrors[i]; + struct md_rdev *mrdev, *mreplace; + +@@ -3066,11 +3065,10 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, + !test_bit(Faulty, &mrdev->flags) && + !test_bit(In_sync, &mrdev->flags)) + need_recover = 1; +- if (mreplace != NULL && +- !test_bit(Faulty, &mreplace->flags)) +- need_replace = 1; ++ if (mreplace && test_bit(Faulty, &mreplace->flags)) ++ mreplace = NULL; + +- if (!need_recover && !need_replace) { ++ if 
(!need_recover && !mreplace) { + rcu_read_unlock(); + continue; + } +@@ -3086,8 +3084,6 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, + rcu_read_unlock(); + continue; + } +- if (mreplace && test_bit(Faulty, &mreplace->flags)) +- mreplace = NULL; + /* Unless we are doing a full sync, or a replacement + * we only need to recover the block if it is set in + * the bitmap +@@ -3210,11 +3206,11 @@ static sector_t raid10_sync_request(struct mddev *mddev, sector_t sector_nr, + bio = r10_bio->devs[1].repl_bio; + if (bio) + bio->bi_end_io = NULL; +- /* Note: if need_replace, then bio ++ /* Note: if replace is not NULL, then bio + * cannot be NULL as r10buf_pool_alloc will + * have allocated it. + */ +- if (!need_replace) ++ if (!mreplace) + break; + bio->bi_next = biolist; + biolist = bio; +-- +2.39.2 + diff --git a/tmp-5.4/md-raid10-fix-overflow-of-md-safe_mode_delay.patch b/tmp-5.4/md-raid10-fix-overflow-of-md-safe_mode_delay.patch new file mode 100644 index 00000000000..dc65a9d1a5b --- /dev/null +++ b/tmp-5.4/md-raid10-fix-overflow-of-md-safe_mode_delay.patch 
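Review bot: The rewritten comment in the last hunk of `raid10_sync_request()` says `if replace is not NULL`, but the variable tested on the following line is `mreplace`; I would write `/* Note: if mreplace is not NULL, then bio`. With `need_replace` removed, `mreplace` now doubles as the flag. A short comment at the merged check, e.g. `/* a Faulty replacement is treated as absent from here on */`, would record why it is cleared before the `!need_recover && !mreplace` test. The function starts and ends outside the hunks.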
@@ -0,0 +1,51 @@ +From 047ef324b352b0a73fa40f3a132be57b8dc224b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 15:25:33 +0800 +Subject: md/raid10: fix overflow of md/safe_mode_delay + +From: Li Nan + +[ Upstream commit 6beb489b2eed25978523f379a605073f99240c50 ] + +There is no input check when echo md/safe_mode_delay in safe_delay_store(). +And msec might also overflow when HZ < 1000 in safe_delay_show(), Fix it by +checking overflow in safe_delay_store() and use unsigned long conversion in +safe_delay_show(). + +Fixes: 72e02075a33f ("md: factor out parsing of fixed-point numbers") +Signed-off-by: Li Nan +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230522072535.1523740-2-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 64558991ce0a0..bae264aae3cd0 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -3766,8 +3766,9 @@ int strict_strtoul_scaled(const char *cp, unsigned long *res, int scale) + static ssize_t + safe_delay_show(struct mddev *mddev, char *page) + { +- int msec = (mddev->safemode_delay*1000)/HZ; +- return sprintf(page, "%d.%03d\n", msec/1000, msec%1000); ++ unsigned int msec = ((unsigned long)mddev->safemode_delay*1000)/HZ; ++ ++ return sprintf(page, "%u.%03u\n", msec/1000, msec%1000); + } + static ssize_t + safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len) +@@ -3779,7 +3780,7 @@ safe_delay_store(struct mddev *mddev, const char *cbuf, size_t len) + return -EINVAL; + } + +- if (strict_strtoul_scaled(cbuf, &msec, 3) < 0) ++ if (strict_strtoul_scaled(cbuf, &msec, 3) < 0 || msec > UINT_MAX / HZ) + return -EINVAL; + if (msec == 0) + mddev->safemode_delay = 0; +-- +2.39.2 + 
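Review bot: The bound `msec > UINT_MAX / HZ` added in `safe_delay_store()` is unexplained, and `safe_delay_show()` is overflow-free on 32-bit builds only because of it. There `unsigned long` is 32 bits wide, so the cast alone does not widen `safemode_delay*1000`. A comment tying the two together would help, e.g. `/* keep msec * HZ, and safemode_delay * 1000 in safe_delay_show(), within 32 bits */`. The conversion that multiplies `msec` by `HZ` is outside the hunk, so the wording should be checked against it.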
diff --git a/tmp-5.4/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch b/tmp-5.4/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch new file mode 100644 index 00000000000..2dc628be34b --- /dev/null +++ b/tmp-5.4/md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch @@ -0,0 +1,38 @@ +From 7c790c7196a12230bfbc93020dc28688b8f7016c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 15:25:34 +0800 +Subject: md/raid10: fix wrong setting of max_corr_read_errors + +From: Li Nan + +[ Upstream commit f8b20a405428803bd9881881d8242c9d72c6b2b2 ] + +There is no input check when echo md/max_read_errors and overflow might +occur. Add check of input number. + +Fixes: 1e50915fe0bb ("raid: improve MD/raid10 handling of correctable read errors.") +Signed-off-by: Li Nan +Reviewed-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230522072535.1523740-3-linan666@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index bae264aae3cd0..0765712513e7d 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -4441,6 +4441,8 @@ max_corrected_read_errors_store(struct mddev *mddev, const char *buf, size_t len + rv = kstrtouint(buf, 10, &n); + if (rv < 0) + return rv; ++ if (n > INT_MAX) ++ return -EINVAL; + atomic_set(&mddev->max_corr_read_errors, n); + return len; + } +-- +2.39.2 + diff --git a/tmp-5.4/md-raid10-prevent-soft-lockup-while-flush-writes.patch b/tmp-5.4/md-raid10-prevent-soft-lockup-while-flush-writes.patch new file mode 100644 index 00000000000..70ece3d376a --- /dev/null +++ b/tmp-5.4/md-raid10-prevent-soft-lockup-while-flush-writes.patch 
@@ -0,0 +1,79 @@ +From e162491c96b0f3c2366d9c0cdb870c15fca436db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 21:11:00 +0800 +Subject: md/raid10: prevent soft lockup while flush writes + +From: Yu Kuai + +[ Upstream commit 010444623e7f4da6b4a4dd603a7da7469981e293 ] + +Currently, there is no limit for raid1/raid10 plugged bio. While flushing +writes, raid1 has cond_resched() while raid10 doesn't, and too many +writes can cause soft lockup. + +Follow up soft lockup can be triggered easily with writeback test for +raid10 with ramdisks: + +watchdog: BUG: soft lockup - CPU#10 stuck for 27s! [md0_raid10:1293] +Call Trace: + + call_rcu+0x16/0x20 + put_object+0x41/0x80 + __delete_object+0x50/0x90 + delete_object_full+0x2b/0x40 + kmemleak_free+0x46/0xa0 + slab_free_freelist_hook.constprop.0+0xed/0x1a0 + kmem_cache_free+0xfd/0x300 + mempool_free_slab+0x1f/0x30 + mempool_free+0x3a/0x100 + bio_free+0x59/0x80 + bio_put+0xcf/0x2c0 + free_r10bio+0xbf/0xf0 + raid_end_bio_io+0x78/0xb0 + one_write_done+0x8a/0xa0 + raid10_end_write_request+0x1b4/0x430 + bio_endio+0x175/0x320 + brd_submit_bio+0x3b9/0x9b7 [brd] + __submit_bio+0x69/0xe0 + submit_bio_noacct_nocheck+0x1e6/0x5a0 + submit_bio_noacct+0x38c/0x7e0 + flush_pending_writes+0xf0/0x240 + raid10d+0xac/0x1ed0 + +Fix the problem by adding cond_resched() to raid10 like what raid1 did. + +Note that unlimited plugged bio still need to be optimized, for example, +in the case of lots of dirty pages writeback, this will take lots of +memory and io will spend a long time in plug, hence io latency is bad. 
+ +Signed-off-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230529131106.2123367-2-yukuai1@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index db4de8e07cd97..3983d5c8b5cd2 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -927,6 +927,7 @@ static void flush_pending_writes(struct r10conf *conf) + else + generic_make_request(bio); + bio = next; ++ cond_resched(); + } + blk_finish_plug(&plug); + } else +@@ -1112,6 +1113,7 @@ static void raid10_unplug(struct blk_plug_cb *cb, bool from_schedule) + else + generic_make_request(bio); + bio = next; ++ cond_resched(); + } + kfree(plug); + } +-- +2.39.2 + diff --git a/tmp-5.4/media-usb-check-az6007_read-return-value.patch b/tmp-5.4/media-usb-check-az6007_read-return-value.patch new file mode 100644 index 00000000000..d092b8cfc45 --- /dev/null +++ b/tmp-5.4/media-usb-check-az6007_read-return-value.patch 
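Review bot: The `cond_resched()` added to the loop in `raid10_unplug()` may sleep, yet the function takes a `from_schedule` argument, so it can be entered from the scheduler's plug flush. The hunk does not show how that case is handled before the loop. If, as I would expect, the `from_schedule` case returns early and the loop only runs in process context, the call should say so: `cond_resched(); /* process context only: from_schedule returned above */`. Both function bodies start outside the hunks.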
@@ -0,0 +1,38 @@
+From 54ce570329203390e86373b3875d5bf0938dafc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Mar 2023 10:04:49 -0700
+Subject: media: usb: Check az6007_read() return value
+
+From: Daniil Dulov
+
+[ Upstream commit fdaca63186f59fc664b346c45b76576624b48e57 ]
+
+If az6007_read() returns error, there is no sence to continue.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 3af2f4f15a61 ("[media] az6007: Change the az6007 read/write routine parameter")
+Signed-off-by: Daniil Dulov
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/dvb-usb-v2/az6007.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
+index 62ee09f28a0bc..7524c90f5da61 100644
+--- a/drivers/media/usb/dvb-usb-v2/az6007.c
++++ b/drivers/media/usb/dvb-usb-v2/az6007.c
+@@ -202,7 +202,8 @@ static int az6007_rc_query(struct dvb_usb_device *d)
+ unsigned code;
+ enum rc_proto proto;
+
+- az6007_read(d, AZ6007_READ_IR, 0, 0, st->data, 10);
++ if (az6007_read(d, AZ6007_READ_IR, 0, 0, st->data, 10) < 0)
++ return -EIO;
+
+ if (st->data[1] == 0x44)
+ return 0;
+--
+2.39.2
+
diff --git a/tmp-5.4/media-usb-siano-fix-warning-due-to-null-work_func_t-.patch b/tmp-5.4/media-usb-siano-fix-warning-due-to-null-work_func_t-.patch
new file mode 100644
index 00000000000..ccc5f2d6e4c
--- /dev/null
+++ b/tmp-5.4/media-usb-siano-fix-warning-due-to-null-work_func_t-.patch
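Review bot: The new check in `az6007_rc_query()` rejects only a negative return, so if `az6007_read()` reports a short transfer as a non-negative count (its body is not in the hunk), `st->data[1]` on the following line is still parsed from whatever the buffer held before. Comparing the result against the requested length of 10 would close that gap. Returning a fixed `-EIO` also hides the callee's own error; with a local `int ret`, `ret = az6007_read(d, AZ6007_READ_IR, 0, 0, st->data, 10);` followed by `if (ret < 0) return ret;` keeps the cause visible. The rest of the function lies outside the hunk.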
@@ -0,0 +1,83 @@
+From 057ff1636f13fca736945002ddf4cfb43fe34455 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 May 2023 07:59:32 +0800
+Subject: media: usb: siano: Fix warning due to null work_func_t function
+ pointer
+
+From: Duoming Zhou
+
+[ Upstream commit 6f489a966fbeb0da63d45c2c66a8957eab604bf6 ]
+
+The previous commit ebad8e731c1c ("media: usb: siano: Fix use after
+free bugs caused by do_submit_urb") adds cancel_work_sync() in
+smsusb_stop_streaming(). But smsusb_stop_streaming() may be called,
+even if the work_struct surb->wq has not been initialized. As a result,
+the warning will occur. One of the processes that could lead to warning
+is shown below:
+
+smsusb_probe()
+ smsusb_init_device()
+ if (!dev->in_ep || !dev->out_ep || align < 0) {
+ smsusb_term_device(intf);
+ smsusb_stop_streaming()
+ cancel_work_sync(&dev->surbs[i].wq);
+ __cancel_work_timer()
+ __flush_work()
+ if (WARN_ON(!work->func)) // work->func is null
+
+The log reported by syzbot is shown below:
+
+WARNING: CPU: 0 PID: 897 at kernel/workqueue.c:3066 __flush_work+0x798/0xa80 kernel/workqueue.c:3063
+Modules linked in:
+CPU: 0 PID: 897 Comm: kworker/0:2 Not tainted 6.2.0-rc1-syzkaller #0
+RIP: 0010:__flush_work+0x798/0xa80 kernel/workqueue.c:3066
+...
+RSP: 0018:ffffc9000464ebf8 EFLAGS: 00010246
+RAX: 1ffff11002dbb420 RBX: 0000000000000021 RCX: 1ffffffff204fa4e
+RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff888016dda0e8
+RBP: ffffc9000464ed98 R08: 0000000000000001 R09: ffffffff90253b2f
+R10: 0000000000000001 R11: 0000000000000000 R12: ffff888016dda0e8
+R13: ffff888016dda0e8 R14: ffff888016dda100 R15: 0000000000000001
+FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd4331efe8 CR3: 000000000b48e000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+
+ __cancel_work_timer+0x315/0x460 kernel/workqueue.c:3160
+ smsusb_stop_streaming drivers/media/usb/siano/smsusb.c:182 [inline]
+ smsusb_term_device+0xda/0x2d0 drivers/media/usb/siano/smsusb.c:344
+ smsusb_init_device+0x400/0x9ce drivers/media/usb/siano/smsusb.c:419
+ smsusb_probe+0xbbd/0xc55 drivers/media/usb/siano/smsusb.c:567
+...
+
+This patch adds check before cancel_work_sync(). If surb->wq has not
+been initialized, the cancel_work_sync() will not be executed.
+
+Reported-by: syzbot+27b0b464864741b18b99@syzkaller.appspotmail.com
+Fixes: ebad8e731c1c ("media: usb: siano: Fix use after free bugs caused by do_submit_urb")
+Signed-off-by: Duoming Zhou
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/usb/siano/smsusb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
+index 1db232a1063b9..0358cd1043877 100644
+--- a/drivers/media/usb/siano/smsusb.c
++++ b/drivers/media/usb/siano/smsusb.c
+@@ -179,7 +179,8 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev)
+
+ for (i = 0; i < MAX_URBS; i++) {
+ usb_kill_urb(&dev->surbs[i].urb);
+- cancel_work_sync(&dev->surbs[i].wq);
++ if (dev->surbs[i].wq.func)
++ cancel_work_sync(&dev->surbs[i].wq);
+
+ if (dev->surbs[i].cb) {
+ smscore_putbuffer(dev->coredev, dev->surbs[i].cb);
+--
+2.39.2
+
diff --git a/tmp-5.4/media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch b/tmp-5.4/media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch
new file mode 100644
index 00000000000..1136c45eaf3
--- /dev/null
+++ b/tmp-5.4/media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch
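Review bot: The guard `if (dev->surbs[i].wq.func)` in `smsusb_stop_streaming()` only works if a never-initialised `wq` reads as all-zero, which depends on how `dev` is allocated, and that allocation is outside the hunk. A short comment would record the assumption, e.g. `/* func stays NULL until INIT_WORK() has run; relies on dev being zero-allocated */`. Reading a `work_struct` member directly also couples the driver to workqueue internals; an explicit "initialised" flag in the driver's own struct would be more robust, though it is a larger change than this backport. The loop body continues past the end of the hunk.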
@@ -0,0 +1,62 @@
+From fb57ae911c10a867ad28a6a7a06a71d090d2743e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 18 May 2023 15:36:49 +0200
+Subject: media: videodev2.h: Fix struct v4l2_input tuner index comment
+
+From: Marek Vasut
+
+[ Upstream commit 26ae58f65e64fa7ba61d64bae752e59e08380c6a ]
+
+VIDIOC_ENUMINPUT documentation describes the tuner field of
+struct v4l2_input as index:
+
+Documentation/userspace-api/media/v4l/vidioc-enuminput.rst
+"
+* - __u32
+ - ``tuner``
+ - Capture devices can have zero or more tuners (RF demodulators).
+ When the ``type`` is set to ``V4L2_INPUT_TYPE_TUNER`` this is an
+ RF connector and this field identifies the tuner. It corresponds
+ to struct :c:type:`v4l2_tuner` field ``index``. For
+ details on tuners see :ref:`tuner`.
+"
+
+Drivers I could find also use the 'tuner' field as an index, e.g.:
+drivers/media/pci/bt8xx/bttv-driver.c bttv_enum_input()
+drivers/media/usb/go7007/go7007-v4l2.c vidioc_enum_input()
+
+However, the UAPI comment claims this field is 'enum v4l2_tuner_type':
+include/uapi/linux/videodev2.h
+
+This field being 'enum v4l2_tuner_type' is unlikely as it seems to be
+never used that way in drivers, and documentation confirms it. It seem
+this comment got in accidentally in the commit which this patch fixes.
+Fix the UAPI comment to stop confusion.
+
+This was pointed out by Dmitry while reviewing VIDIOC_ENUMINPUT
+support for strace.
+
+Fixes: 6016af82eafc ("[media] v4l2: use __u32 rather than enums in ioctl() structs")
+Signed-off-by: Marek Vasut
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ include/uapi/linux/videodev2.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h
+index 9c89429f31130..895c5ba8b6ac2 100644
+--- a/include/uapi/linux/videodev2.h
++++ b/include/uapi/linux/videodev2.h
+@@ -1588,7 +1588,7 @@ struct v4l2_input {
+ __u8 name[32]; /* Label */
+ __u32 type; /* Type of input */
+ __u32 audioset; /* Associated audios (bitfield) */
+- __u32 tuner; /* enum v4l2_tuner_type */
++ __u32 tuner; /* Tuner index */
+ v4l2_std_id std;
+ __u32 status;
+ __u32 capabilities;
+--
+2.39.2
+
diff --git a/tmp-5.4/memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch b/tmp-5.4/memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch
new file mode 100644
index 00000000000..7891944c498
--- /dev/null
+++ b/tmp-5.4/memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch
@@ -0,0 +1,50 @@
+From 9b02b49d7db025e04ef464355fa2fc21bf311e8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 May 2023 13:29:31 +0200
+Subject: memory: brcmstb_dpfe: fix testing array offset after use
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 1d9e93fad549bc38f593147479ee063f2872c170 ]
+
+Code should first check for valid value of array offset, then use it as
+the index. Fixes smatch warning:
+
+ drivers/memory/brcmstb_dpfe.c:443 __send_command() error: testing array offset 'cmd' after use.
+
+Fixes: 2f330caff577 ("memory: brcmstb: Add driver for DPFE")
+Acked-by: Markus Mayer
+Reviewed-by: Florian Fainelli
+Link: https://lore.kernel.org/r/20230513112931.176066-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Sasha Levin
+---
+ drivers/memory/brcmstb_dpfe.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/memory/brcmstb_dpfe.c b/drivers/memory/brcmstb_dpfe.c
+index 6827ed4847507..127a9bffdbca8 100644
+--- a/drivers/memory/brcmstb_dpfe.c
++++ b/drivers/memory/brcmstb_dpfe.c
+@@ -398,15 +398,17 @@ static void __finalize_command(struct private_data *priv)
+ static int __send_command(struct private_data *priv, unsigned int cmd,
+ u32 result[])
+ {
+- const u32 *msg = priv->dpfe_api->command[cmd];
+ void __iomem *regs = priv->regs;
+ unsigned int i, chksum, chksum_idx;
++ const u32 *msg;
+ int ret = 0;
+ u32 resp;
+
+ if (cmd >= DPFE_CMD_MAX)
+ return -1;
+
++ msg = priv->dpfe_api->command[cmd];
++
+ mutex_lock(&priv->lock);
+
+ /* Wait for DCPU to become ready */
+--
+2.39.2
+
diff --git a/tmp-5.4/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch b/tmp-5.4/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch
new file mode 100644
index 00000000000..7505393416b
--- /dev/null
+++ b/tmp-5.4/memstick-r592-make-memstick_debug_get_tpc_name-stati.patch
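Review bot: With the table lookup now placed after the range check, the remaining wart in `__send_command()` is the bare `return -1;` for an out-of-range `cmd`, which any caller that treats the value as an errno will read as -EPERM. `return -EINVAL;` states the actual cause. Callers are outside the hunk, so check that none of them compares against -1 explicitly before changing it. The function body continues past the end of the hunk.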
@@ -0,0 +1,49 @@
+From a39791fb240f8a0cc95a7b38c8d051d9c66a539c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 22:27:04 +0200
+Subject: memstick r592: make memstick_debug_get_tpc_name() static
+
+From: Arnd Bergmann
+
+[ Upstream commit 434587df9f7fd68575f99a889cc5f2efc2eaee5e ]
+
+There are no other files referencing this function, apparently
+it was left global to avoid an 'unused function' warning when
+the only caller is left out. With a 'W=1' build, it causes
+a 'missing prototype' warning though:
+
+drivers/memstick/host/r592.c:47:13: error: no previous prototype for 'memstick_debug_get_tpc_name' [-Werror=missing-prototypes]
+
+Annotate the function as 'static __maybe_unused' to avoid both
+problems.
+
+Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader")
+Signed-off-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20230516202714.560929-1-arnd@kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+---
+ drivers/memstick/host/r592.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c
+index dd06c18495eb6..0e37c6a5ee36c 100644
+--- a/drivers/memstick/host/r592.c
++++ b/drivers/memstick/host/r592.c
+@@ -44,12 +44,10 @@ static const char *tpc_names[] = {
+ * memstick_debug_get_tpc_name - debug helper that returns string for
+ * a TPC number
+ */
+-const char *memstick_debug_get_tpc_name(int tpc)
++static __maybe_unused const char *memstick_debug_get_tpc_name(int tpc)
+ {
+ return tpc_names[tpc-1];
+ }
+-EXPORT_SYMBOL(memstick_debug_get_tpc_name);
+-
+
+ /* Read a register*/
+ static inline u32 r592_read_reg(struct r592_device *dev, int address)
+--
+2.39.2
+
diff --git a/tmp-5.4/meson-saradc-fix-clock-divider-mask-length.patch b/tmp-5.4/meson-saradc-fix-clock-divider-mask-length.patch
new file mode 100644
index 00000000000..7a45af73f99
--- /dev/null
+++ b/tmp-5.4/meson-saradc-fix-clock-divider-mask-length.patch
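Review bot: `memstick_debug_get_tpc_name()` still indexes `tpc_names[tpc-1]` with no range check, so a `tpc` of 0 or one beyond the table reads outside the array; making the helper static does not change that. Since it is only a debug helper, returning a fixed string for unknown values is enough: `if (tpc < 1 || tpc > ARRAY_SIZE(tpc_names)) return "UNKNOWN";` placed before the existing return. Where `tpc` comes from is not visible in the hunk, so whether a device can influence the value has to be checked at the call site.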
@@ -0,0 +1,37 @@
+From c57fa0037024c92c2ca34243e79e857da5d2c0a9 Mon Sep 17 00:00:00 2001
+From: George Stark
+Date: Tue, 6 Jun 2023 19:53:57 +0300
+Subject: meson saradc: fix clock divider mask length
+
+From: George Stark
+
+commit c57fa0037024c92c2ca34243e79e857da5d2c0a9 upstream.
+
+According to the datasheets of supported meson SoCs length of ADC_CLK_DIV
+field is 6-bit. Although all supported SoCs have the register
+with that field documented later SoCs use external clock rather than
+ADC internal clock so this patch affects only meson8 family (S8* SoCs).
+
+Fixes: 3adbf3427330 ("iio: adc: add a driver for the SAR ADC found in Amlogic Meson SoCs")
+Signed-off-by: George Stark
+Reviewed-by: Andy Shevchenko
+Reviewed-by: Martin Blumenstingl
+Link: https://lore.kernel.org/r/20230606165357.42417-1-gnstark@sberdevices.ru
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/meson_saradc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/meson_saradc.c
++++ b/drivers/iio/adc/meson_saradc.c
+@@ -71,7 +71,7 @@
+ #define MESON_SAR_ADC_REG3_PANEL_DETECT_COUNT_MASK GENMASK(20, 18)
+ #define MESON_SAR_ADC_REG3_PANEL_DETECT_FILTER_TB_MASK GENMASK(17, 16)
+ #define MESON_SAR_ADC_REG3_ADC_CLK_DIV_SHIFT 10
+- #define MESON_SAR_ADC_REG3_ADC_CLK_DIV_WIDTH 5
++ #define MESON_SAR_ADC_REG3_ADC_CLK_DIV_WIDTH 6
+ #define MESON_SAR_ADC_REG3_BLOCK_DLY_SEL_MASK GENMASK(9, 8)
+ #define MESON_SAR_ADC_REG3_BLOCK_DLY_MASK GENMASK(7, 0)
+
diff --git a/tmp-5.4/mfd-intel-lpss-add-missing-check-for-platform_get_re.patch b/tmp-5.4/mfd-intel-lpss-add-missing-check-for-platform_get_re.patch
new file mode 100644
index 00000000000..57178837c4e
--- /dev/null
+++ b/tmp-5.4/mfd-intel-lpss-add-missing-check-for-platform_get_re.patch
@@ -0,0 +1,38 @@
+From af1c829097481553d8ee46d138ffa2d5092f1853 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Jun 2023 09:48:18 +0800
+Subject: mfd: intel-lpss: Add missing check for platform_get_resource
+
+From: Jiasheng Jiang
+
+[ Upstream commit d918e0d5824495a75d00b879118b098fcab36fdb ]
+
+Add the missing check for platform_get_resource and return error
+if it fails.
+
+Fixes: 4b45efe85263 ("mfd: Add support for Intel Sunrisepoint LPSS devices")
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: Lee Jones
+Link: https://lore.kernel.org/r/20230609014818.28475-1-jiasheng@iscas.ac.cn
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/intel-lpss-acpi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mfd/intel-lpss-acpi.c b/drivers/mfd/intel-lpss-acpi.c
+index 045cbf0cbe53a..993e305a232c5 100644
+--- a/drivers/mfd/intel-lpss-acpi.c
++++ b/drivers/mfd/intel-lpss-acpi.c
+@@ -114,6 +114,9 @@ static int intel_lpss_acpi_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ info->mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!info->mem)
++ return -ENODEV;
++
+ info->irq = platform_get_irq(pdev, 0);
+
+ ret = intel_lpss_probe(&pdev->dev, info);
+--
+2.39.2
+
diff --git a/tmp-5.4/mfd-rt5033-drop-rt5033-battery-sub-device.patch b/tmp-5.4/mfd-rt5033-drop-rt5033-battery-sub-device.patch
new file mode 100644
index 00000000000..11be92fc8be
--- /dev/null
+++ b/tmp-5.4/mfd-rt5033-drop-rt5033-battery-sub-device.patch
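Review bot: The line right after the new NULL check, `info->irq = platform_get_irq(pdev, 0);`, is still passed on unchecked, so a negative errno (including -EPROBE_DEFER) reaches `intel_lpss_probe()` as an IRQ number unless that function validates it, which the hunk does not show. For symmetry with the `info->mem` check I would add `if (info->irq < 0) return info->irq;` before the probe call. `intel_lpss_acpi_probe()` starts and ends outside the hunk.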
@@ -0,0 +1,41 @@
+From e483912baac0162b153ccacef1795deddba084b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 May 2023 22:57:10 +0200
+Subject: mfd: rt5033: Drop rt5033-battery sub-device
+
+From: Stephan Gerhold
+
+[ Upstream commit 43db1344e0f8c1eb687a1d6cd5b0de3009ab66cb ]
+
+The fuel gauge in the RT5033 PMIC (rt5033-battery) has its own I2C bus
+and interrupt lines. Therefore, it is not part of the MFD device
+and needs to be specified separately in the device tree.
+
+Fixes: 0b271258544b ("mfd: rt5033: Add Richtek RT5033 driver core.")
+Signed-off-by: Stephan Gerhold
+Signed-off-by: Jakob Hauser
+Reviewed-by: Linus Walleij
+Signed-off-by: Lee Jones
+Link: https://lore.kernel.org/r/6a8a19bc67b5be3732882e8131ad2ffcb546ac03.1684182964.git.jahau@rocketmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/rt5033.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/mfd/rt5033.c b/drivers/mfd/rt5033.c
+index 48381d9bf7403..302115dabff4b 100644
+--- a/drivers/mfd/rt5033.c
++++ b/drivers/mfd/rt5033.c
+@@ -41,9 +41,6 @@ static const struct mfd_cell rt5033_devs[] = {
+ {
+ .name = "rt5033-charger",
+ .of_compatible = "richtek,rt5033-charger",
+- }, {
+- .name = "rt5033-battery",
+- .of_compatible = "richtek,rt5033-battery",
+ }, {
+ .name = "rt5033-led",
+ .of_compatible = "richtek,rt5033-led",
+--
+2.39.2
+
diff --git a/tmp-5.4/mfd-stmfx-fix-error-path-in-stmfx_chip_init.patch b/tmp-5.4/mfd-stmfx-fix-error-path-in-stmfx_chip_init.patch
new file mode 100644
index 00000000000..8c4e7db9ffc
--- /dev/null
+++ b/tmp-5.4/mfd-stmfx-fix-error-path-in-stmfx_chip_init.patch
@@ -0,0 +1,38 @@
+From cd60fdba993d9121829a5c238c770ac00059be33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Jun 2023 11:28:03 +0200
+Subject: mfd: stmfx: Fix error path in stmfx_chip_init
+
+From: Amelie Delaunay
+
+[ Upstream commit f592cf624531286f8b52e40dcfc157a5a7fb115c ]
+
+In error path, disable vdd regulator if it exists, but don't overload ret.
+Because if regulator_disable() is successful, stmfx_chip_init will exit
+successfully while chip init failed.
+
+Fixes: 06252ade9156 ("mfd: Add ST Multi-Function eXpander (STMFX) core driver")
+Signed-off-by: Amelie Delaunay
+Link: https://lore.kernel.org/r/20230609092804.793100-1-amelie.delaunay@foss.st.com
+Signed-off-by: Lee Jones
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/stmfx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/stmfx.c b/drivers/mfd/stmfx.c
+index 711979afd90a0..887c92342b7f1 100644
+--- a/drivers/mfd/stmfx.c
++++ b/drivers/mfd/stmfx.c
+@@ -389,7 +389,7 @@ static int stmfx_chip_init(struct i2c_client *client)
+
+ err:
+ if (stmfx->vdd)
+- return regulator_disable(stmfx->vdd);
++ regulator_disable(stmfx->vdd);
+
+ return ret;
+ }
+--
+2.39.2
+
diff --git a/tmp-5.4/mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch b/tmp-5.4/mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch
new file mode 100644
index 00000000000..d29d1d3e568
--- /dev/null
+++ b/tmp-5.4/mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch
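Review bot: In the `err:` path of `stmfx_chip_init()` the result of `regulator_disable()` is now dropped without a word, which is right for the return value but makes the intent easy to undo in a later cleanup. A one-line comment such as `/* best effort: keep ret, the init error is what the caller must see */` above the call would record why the status is ignored. Only the tail of the function is in the hunk, so which failures jump to `err:` cannot be checked from here.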
@@ -0,0 +1,45 @@
+From 4cced9c67cdd53f56e8dc8831dfa79e533aabac0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 17 Jun 2023 12:43:16 +0200
+Subject: mfd: stmpe: Only disable the regulators if they are enabled
+
+From: Christophe JAILLET
+
+[ Upstream commit 104d32bd81f620bb9f67fbf7d1159c414e89f05f ]
+
+In stmpe_probe(), if some regulator_enable() calls fail, probing continues
+and there is only a dev_warn().
+
+So, if stmpe_probe() is called the regulator may not be enabled. It is
+cleaner to test it before calling regulator_disable() in the remove
+function.
+
+Fixes: 9c9e321455fb ("mfd: stmpe: add optional regulators")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Linus Walleij
+Link: https://lore.kernel.org/r/8de3aaf297931d655b9ad6aed548f4de8b85425a.1686998575.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Lee Jones
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/stmpe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mfd/stmpe.c b/drivers/mfd/stmpe.c
+index 508349399f8af..7f758fb60c1fa 100644
+--- a/drivers/mfd/stmpe.c
++++ b/drivers/mfd/stmpe.c
+@@ -1494,9 +1494,9 @@ int stmpe_probe(struct stmpe_client_info *ci, enum stmpe_partnum partnum)
+
+ int stmpe_remove(struct stmpe *stmpe)
+ {
+- if (!IS_ERR(stmpe->vio))
++ if (!IS_ERR(stmpe->vio) && regulator_is_enabled(stmpe->vio))
+ regulator_disable(stmpe->vio);
+- if (!IS_ERR(stmpe->vcc))
++ if (!IS_ERR(stmpe->vcc) && regulator_is_enabled(stmpe->vcc))
+ regulator_disable(stmpe->vcc);
+
+ __stmpe_disable(stmpe, STMPE_BLOCK_ADC);
+--
+2.39.2
+
diff --git a/tmp-5.4/misc-fastrpc-create-fastrpc-scalar-with-correct-buffer-count.patch b/tmp-5.4/misc-fastrpc-create-fastrpc-scalar-with-correct-buffer-count.patch
new file mode 100644
index 00000000000..d881dc9bd0c
--- /dev/null
+++ b/tmp-5.4/misc-fastrpc-create-fastrpc-scalar-with-correct-buffer-count.patch
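Review bot: `regulator_is_enabled()` is used as a boolean in both new conditions of `stmpe_remove()`, but it returns a negative errno on failure, which is non-zero and therefore still leads to `regulator_disable()`. It also reports the state of the supply rather than whether this consumer's own `regulator_enable()` succeeded, so on a shared or always-on rail the unbalanced disable the commit wants to avoid can still happen. At minimum compare explicitly, `if (!IS_ERR(stmpe->vio) && regulator_is_enabled(stmpe->vio) > 0)`, and the same for `vcc`. Recording the enable result in `stmpe_probe()`, which is outside the hunk, would be the precise fix.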
@@ -0,0 +1,37 @@
+From 0b4e32df3e09406b835d8230b9331273f2805058 Mon Sep 17 00:00:00 2001
+From: Ekansh Gupta
+Date: Wed, 14 Jun 2023 17:24:45 +0530
+Subject: misc: fastrpc: Create fastrpc scalar with correct buffer count
+
+From: Ekansh Gupta
+
+commit 0b4e32df3e09406b835d8230b9331273f2805058 upstream.
+
+A process can spawn a PD on DSP with some attributes that can be
+associated with the PD during spawn and run. The invocation
+corresponding to the create request with attributes has total
+4 buffers at the DSP side implementation. If this number is not
+correct, the invocation is expected to fail on DSP. Added change
+to use correct number of buffer count for creating fastrpc scalar.
+
+Fixes: d73f71c7c6ee ("misc: fastrpc: Add support for create remote init process")
+Cc: stable
+Tested-by: Ekansh Gupta
+Signed-off-by: Ekansh Gupta
+Message-ID: <1686743685-21715-1-git-send-email-quic_ekangupt@quicinc.com>
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/fastrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1074,7 +1074,7 @@ static int fastrpc_init_create_process(s
+
+ sc = FASTRPC_SCALARS(FASTRPC_RMID_INIT_CREATE, 4, 0);
+ if (init.attrs)
+- sc = FASTRPC_SCALARS(FASTRPC_RMID_INIT_CREATE_ATTR, 6, 0);
++ sc = FASTRPC_SCALARS(FASTRPC_RMID_INIT_CREATE_ATTR, 4, 0);
+
+ err = fastrpc_internal_invoke(fl, true, FASTRPC_INIT_HANDLE,
+ sc, args);
diff --git a/tmp-5.4/misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch b/tmp-5.4/misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch
new file mode 100644
index 00000000000..7eac1d7ee54
--- /dev/null
+++ b/tmp-5.4/misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch
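Review bot: After this change both `FASTRPC_SCALARS()` calls in `fastrpc_init_create_process()` pass the literal `4`, and nothing in the code says how that count relates to the entries filled into `args`, which are set up outside the hunk. Because the count tells the remote side how many buffers to expect, it deserves at least a comment such as `/* INIT_CREATE and INIT_CREATE_ATTR both take 4 input buffers on the DSP side */`. A named constant shared by the two calls would keep them from drifting apart again.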
@@ -0,0 +1,50 @@
+From f61b7634a3249d12b9daa36ffbdb9965b6f24c6c Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Sat, 15 Apr 2023 11:35:39 +0900
+Subject: misc: pci_endpoint_test: Free IRQs before removing the device
+
+From: Damien Le Moal
+
+commit f61b7634a3249d12b9daa36ffbdb9965b6f24c6c upstream.
+
+In pci_endpoint_test_remove(), freeing the IRQs after removing the device
+creates a small race window for IRQs to be received with the test device
+memory already released, causing the IRQ handler to access invalid memory,
+resulting in an oops.
+
+Free the device IRQs before removing the device to avoid this issue.
+
+Link: https://lore.kernel.org/r/20230415023542.77601-15-dlemoal@kernel.org
+Fixes: e03327122e2c ("pci_endpoint_test: Add 2 ioctl commands")
+Signed-off-by: Damien Le Moal
+Signed-off-by: Lorenzo Pieralisi
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Manivannan Sadhasivam
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/pci_endpoint_test.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -774,6 +774,9 @@ static void pci_endpoint_test_remove(str
+ if (id < 0)
+ return;
+
++ pci_endpoint_test_release_irq(test);
++ pci_endpoint_test_free_irq_vectors(test);
++
+ misc_deregister(&test->miscdev);
+ kfree(misc_device->name);
+ ida_simple_remove(&pci_endpoint_test_ida, id);
+@@ -782,9 +785,6 @@ static void pci_endpoint_test_remove(str
+ pci_iounmap(pdev, test->bar[bar]);
+ }
+
+- pci_endpoint_test_release_irq(test);
+- pci_endpoint_test_free_irq_vectors(test);
+-
+ pci_release_regions(pdev);
+ pci_disable_device(pdev);
+ }
diff --git a/tmp-5.4/misc-pci_endpoint_test-re-init-completion-for-every-test.patch b/tmp-5.4/misc-pci_endpoint_test-re-init-completion-for-every-test.patch
new file mode 100644
index 00000000000..62d3e03b60e
--- /dev/null
+++ b/tmp-5.4/misc-pci_endpoint_test-re-init-completion-for-every-test.patch
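Review bot: The IRQs are now released before `misc_deregister()`, so for a short window the character device is still registered while its interrupt handlers are already gone. If an ioctl can run in that window (the ioctl path is not in this hunk), a test that waits for an interrupt would have nothing to complete it, and an ioctl that requests IRQs again would undo the release. As far as the visible lines show, the race described in the commit message only needs the IRQ release to precede the `pci_iounmap()` loop, so consider deregistering the misc device first, then releasing the IRQs, then unmapping the BARs. The start of `pci_endpoint_test_remove()` is outside the hunk.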
@@ -0,0 +1,44 @@
+From fb620ae73b70c2f57b9d3e911fc24c024ba2324f Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Sat, 15 Apr 2023 11:35:40 +0900
+Subject: misc: pci_endpoint_test: Re-init completion for every test
+
+From: Damien Le Moal
+
+commit fb620ae73b70c2f57b9d3e911fc24c024ba2324f upstream.
+
+The irq_raised completion used to detect the end of a test case is
+initialized when the test device is probed, but never reinitialized again
+before a test case. As a result, the irq_raised completion synchronization
+is effective only for the first ioctl test case executed. Any subsequent
+call to wait_for_completion() by another ioctl() call will immediately
+return, potentially too early, leading to false positive failures.
+
+Fix this by reinitializing the irq_raised completion before starting a new
+ioctl() test command.
+
+Link: https://lore.kernel.org/r/20230415023542.77601-16-dlemoal@kernel.org
+Fixes: 2c156ac71c6b ("misc: Add host side PCI driver for PCI test function device")
+Signed-off-by: Damien Le Moal
+Signed-off-by: Lorenzo Pieralisi
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Manivannan Sadhasivam
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/pci_endpoint_test.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -590,6 +590,10 @@ static long pci_endpoint_test_ioctl(stru
+ struct pci_dev *pdev = test->pdev;
+
+ mutex_lock(&test->mutex);
++
++ reinit_completion(&test->irq_raised);
++ test->last_irq = -ENODATA;
++
+ switch (cmd) {
+ case PCITEST_BAR:
+ bar = arg;
diff --git a/tmp-5.4/mmc-core-disable-trim-on-kingston-emmc04g-m627.patch b/tmp-5.4/mmc-core-disable-trim-on-kingston-emmc04g-m627.patch
new file mode 100644
index 00000000000..c77405ac358
--- /dev/null
+++ b/tmp-5.4/mmc-core-disable-trim-on-kingston-emmc04g-m627.patch
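Review bot: The reset added at the top of `pci_endpoint_test_ioctl()` cannot stop an interrupt that belongs to an earlier, timed-out command from arriving after `reinit_completion()` and completing the new command's wait; it narrows that window but does not close it. It also runs for every command, including ones such as `PCITEST_BAR` that may not wait for an interrupt at all, and nothing documents that this is intended. A comment like `/* drop any completion left over from a previous command; a late IRQ can still race with this */` would make the limitation explicit. The switch body continues outside the hunk.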
@@ -0,0 +1,46 @@
+From f1738a1f816233e6dfc2407f24a31d596643fd90 Mon Sep 17 00:00:00 2001
+From: Robert Marko
+Date: Mon, 19 Jun 2023 21:35:58 +0200
+Subject: mmc: core: disable TRIM on Kingston EMMC04G-M627
+
+From: Robert Marko
+
+commit f1738a1f816233e6dfc2407f24a31d596643fd90 upstream.
+
+It seems that Kingston EMMC04G-M627 despite advertising TRIM support does
+not work when the core is trying to use REQ_OP_WRITE_ZEROES.
+
+We are seeing I/O errors in OpenWrt under 6.1 on Zyxel NBG7815 that we did
+not previously have and tracked it down to REQ_OP_WRITE_ZEROES.
+
+Trying to use fstrim seems to also throw errors like:
+[93010.835112] I/O error, dev loop0, sector 16902 op 0x3:(DISCARD) flags 0x800 phys_seg 1 prio class 2
+
+Disabling TRIM makes the error go away, so lets add a quirk for this eMMC
+to disable TRIM.
+
+Signed-off-by: Robert Marko
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230619193621.437358-1-robimarko@gmail.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/quirks.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/mmc/core/quirks.h
++++ b/drivers/mmc/core/quirks.h
+@@ -91,6 +91,13 @@ static const struct mmc_fixup mmc_blk_fi
+ MMC_QUIRK_SEC_ERASE_TRIM_BROKEN),
+
+ /*
++ * Kingston EMMC04G-M627 advertises TRIM but it does not seems to
++ * support being used to offload WRITE_ZEROES.
++ */
++ MMC_FIXUP("M62704", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc,
++ MMC_QUIRK_TRIM_BROKEN),
++
++ /*
+ * On Some Kingston eMMCs, performing trim can result in
+ * unrecoverable data conrruption occasionally due to a firmware bug.
+ */
diff --git a/tmp-5.4/mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch b/tmp-5.4/mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch
new file mode 100644
index 00000000000..6730eea968d
--- /dev/null
+++ b/tmp-5.4/mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch
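Review bot: The new comment above the `"M62704"` entry says the part "does not seems to support being used to offload WRITE_ZEROES"; it should read `does not seem to support`, and the same sentence is repeated above the Micron `"Q2J54A"` entry added by the next patch. Both entries also depend on `MMC_QUIRK_TRIM_BROKEN` being defined and honoured in this tree, which neither hunk shows. The commit messages describe the failure on 6.1, so it is worth confirming that the quirk has an effect on the 5.4 code path before carrying the entries.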
@@ -0,0 +1,44 @@
+From dbfbddcddcebc9ce8a08757708d4e4a99d238e44 Mon Sep 17 00:00:00 2001
+From: Robert Marko
+Date: Tue, 30 May 2023 23:32:59 +0200
+Subject: mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M
+
+From: Robert Marko
+
+commit dbfbddcddcebc9ce8a08757708d4e4a99d238e44 upstream.
+
+It seems that Micron MTFC4GACAJCN-1M despite advertising TRIM support does
+not work when the core is trying to use REQ_OP_WRITE_ZEROES.
+
+We are seeing the following errors in OpenWrt under 6.1 on Qnap Qhora 301W
+that we did not previously have and tracked it down to REQ_OP_WRITE_ZEROES:
+[ 18.085950] I/O error, dev loop0, sector 596 op 0x9:(WRITE_ZEROES) flags 0x800 phys_seg 0 prio class 2
+
+Disabling TRIM makes the error go away, so lets add a quirk for this eMMC
+to disable TRIM.
+
+Signed-off-by: Robert Marko
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230530213259.1776512-1-robimarko@gmail.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/quirks.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/mmc/core/quirks.h
++++ b/drivers/mmc/core/quirks.h
+@@ -98,6 +98,13 @@ static const struct mmc_fixup mmc_blk_fi
+ MMC_QUIRK_TRIM_BROKEN),
+
+ /*
++ * Micron MTFC4GACAJCN-1M advertises TRIM but it does not seems to
++ * support being used to offload WRITE_ZEROES.
++ */
++ MMC_FIXUP("Q2J54A", CID_MANFID_MICRON, 0x014e, add_quirk_mmc,
++ MMC_QUIRK_TRIM_BROKEN),
++
++ /*
+ * On Some Kingston eMMCs, performing trim can result in
+ * unrecoverable data conrruption occasionally due to a firmware bug.
+ */
diff --git a/tmp-5.4/mmc-sdhci-fix-dma-configure-compatibility-issue-when-64bit-dma-mode-is-used.patch b/tmp-5.4/mmc-sdhci-fix-dma-configure-compatibility-issue-when-64bit-dma-mode-is-used.patch
new file mode 100644
index 00000000000..12bbf97742d
--- /dev/null
+++ b/tmp-5.4/mmc-sdhci-fix-dma-configure-compatibility-issue-when-64bit-dma-mode-is-used.patch
@@ -0,0 +1,58 @@
+From 20dbd07ef0a8bc29eb03d6a95258ac8934cbe52d Mon Sep 17 00:00:00 2001
+From: Chevron Li
+Date: Tue, 23 May 2023 19:11:14 +0800
+Subject: mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used.
+
+From: Chevron Li
+
+commit 20dbd07ef0a8bc29eb03d6a95258ac8934cbe52d upstream.
+
+Bayhub SD host has hardware limitation:
+1.The upper 32bit address is inhibited to be written at SD Host Register
+ [03E][13]=0 (32bits addressing) mode, is admitted to be written only at
+ SD Host Register [03E][13]=1 (64bits addressing) mode.
+2.Because of above item#1, need to configure SD Host Register [03E][13] to
+ 1(64bits addressing mode) before set 64bit ADMA system address's higher
+ 32bits SD Host Register [05F~05C] if 64 bits addressing mode is used.
+
+The hardware limitation is reasonable for below reasons:
+1.Normal flow should set DMA working mode first, then do
+ DMA-transfer-related configuration, such as system address.
+2.The hardware limitation may avoid the software to configure wrong higher
+ 32bit address at 32bits addressing mode although it is redundant.
+
+The change that set 32bits/64bits addressing mode before set ADMA address,
+ has no side-effect to other host IPs for below reason:
+The setting order is reasonable and standard: DMA Mode setting first and
+ then DMA address setting. It meets all DMA setting sequence.
+
+Signed-off-by: Chevron Li
+Acked-by: Adrian Hunter
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230523111114.18124-1-chevron_li@126.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -1104,6 +1104,8 @@ static void sdhci_prepare_data(struct sd
+ }
+ }
+
++ sdhci_config_dma(host);
++
+ if (host->flags & SDHCI_REQ_USE_DMA) {
+ int sg_cnt = sdhci_pre_dma_transfer(host, data, COOKIE_MAPPED);
+
+@@ -1123,8 +1125,6 @@ static void sdhci_prepare_data(struct sd
+ }
+ }
+
+- sdhci_config_dma(host);
+-
+ if (!(host->flags & SDHCI_REQ_USE_DMA)) {
+ int flags;
+
diff --git a/tmp-5.4/modpost-fix-off-by-one-in-is_executable_section.patch b/tmp-5.4/modpost-fix-off-by-one-in-is_executable_section.patch
new file mode 100644
index 00000000000..e7be2880cc0
--- /dev/null
+++ b/tmp-5.4/modpost-fix-off-by-one-in-is_executable_section.patch
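Review bot: `sdhci_config_dma(host)` now runs before the `SDHCI_REQ_USE_DMA` block in `sdhci_prepare_data()`, that is, before `sdhci_pre_dma_transfer()` has had the chance to fail. If that block clears `SDHCI_REQ_USE_DMA` on a mapping failure (the lines between the two hunks are not shown), the controller is left with a DMA mode selected while the request falls back to PIO. Either confirm that the stale mode selection is harmless on all hosts or call `sdhci_config_dma(host)` again on the fallback path. A comment at the new call, `/* select the DMA mode before any ADMA address register is written */`, would also record why the order matters.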
@@ -0,0 +1,36 @@
+From b87d4d45db6fc1d96fd0ef1971e19eeee6f18792 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jun 2023 11:23:40 +0300
+Subject: modpost: fix off by one in is_executable_section()
+
+From: Dan Carpenter
+
+[ Upstream commit 3a3f1e573a105328a2cca45a7cfbebabbf5e3192 ]
+
+The > comparison should be >= to prevent an out of bounds array
+access.
+
+Fixes: 52dc0595d540 ("modpost: handle relocations mismatch in __ex_table.")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Sasha Levin
+---
+ scripts/mod/modpost.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 75d76b8f50302..53e276bb24acd 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -1633,7 +1633,7 @@ static void default_mismatch_handler(const char *modname, struct elf_info *elf,
+
+ static int is_executable_section(struct elf_info* elf, unsigned int section_index)
+ {
+- if (section_index > elf->num_sections)
++ if (section_index >= elf->num_sections)
+ fatal("section_index is outside elf->num_sections!\n");
+
+ return ((elf->sechdrs[section_index].sh_flags & SHF_EXECINSTR) == SHF_EXECINSTR);
+--
+2.39.2
+
diff --git a/tmp-5.4/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch b/tmp-5.4/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch
new file mode 100644
index 00000000000..e9ce3efead0
--- /dev/null
+++ b/tmp-5.4/modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch
@@ -0,0 +1,106 @@ +From 18d9db07cfefd6401ee7753b30d76c0ee86a82bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 21:09:56 +0900 +Subject: modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24} + +From: Masahiro Yamada + +[ Upstream commit 56a24b8ce6a7f9c4a21b2276a8644f6f3d8fc14d ] + +addend_arm_rel() processes R_ARM_PC24, R_ARM_CALL, R_ARM_JUMP24 in a +wrong way. + +Here, test code. + +[test code for R_ARM_JUMP24] + + .section .init.text,"ax" + bar: + bx lr + + .section .text,"ax" + .globl foo + foo: + b bar + +[test code for R_ARM_CALL] + + .section .init.text,"ax" + bar: + bx lr + + .section .text,"ax" + .globl foo + foo: + push {lr} + bl bar + pop {pc} + +If you compile it with ARM multi_v7_defconfig, modpost will show the +symbol name, (unknown). + + WARNING: modpost: vmlinux.o: section mismatch in reference: foo (section: .text) -> (unknown) (section: .init.text) + +(You need to use GNU linker instead of LLD to reproduce it.) + +Fix the code to make modpost show the correct symbol name. + +I imported (with adjustment) sign_extend32() from include/linux/bitops.h. + +The '+8' is the compensation for pc-relative instruction. It is +documented in "ELF for the Arm Architecture" [1]. + + "If the relocation is pc-relative then compensation for the PC bias + (the PC value is 8 bytes ahead of the executing instruction in Arm + state and 4 bytes in Thumb state) must be encoded in the relocation + by the object producer." 
+ +[1]: https://github.com/ARM-software/abi-aa/blob/main/aaelf32/aaelf32.rst + +Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm") +Fixes: 6e2e340b59d2 ("ARM: 7324/1: modpost: Fix section warnings for ARM for many compilers") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index ad955c45d7a53..75d76b8f50302 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1812,12 +1812,20 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + #define R_ARM_THM_JUMP19 51 + #endif + ++static int32_t sign_extend32(int32_t value, int index) ++{ ++ uint8_t shift = 31 - index; ++ ++ return (int32_t)(value << shift) >> shift; ++} ++ + static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + { + unsigned int r_typ = ELF_R_TYPE(r->r_info); + Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info); + void *loc = reloc_location(elf, sechdr, r); + uint32_t inst; ++ int32_t offset; + + switch (r_typ) { + case R_ARM_ABS32: +@@ -1827,6 +1835,10 @@ static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + case R_ARM_PC24: + case R_ARM_CALL: + case R_ARM_JUMP24: ++ inst = TO_NATIVE(*(uint32_t *)loc); ++ offset = sign_extend32((inst & 0x00ffffff) << 2, 25); ++ r->r_addend = offset + sym->st_value + 8; ++ break; + case R_ARM_THM_CALL: + case R_ARM_THM_JUMP24: + case R_ARM_THM_JUMP19: +-- +2.39.2 + diff --git a/tmp-5.4/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch b/tmp-5.4/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch new file mode 100644 index 00000000000..7df4ab44079 --- /dev/null +++ b/tmp-5.4/modpost-fix-section-mismatch-message-for-r_arm_abs32.patch 
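Review bot: In the added sign_extend32() in scripts/mod/modpost.c, `value << shift` left-shifts a signed int32_t. For the R_ARM_PC24/CALL/JUMP24 case the argument is a 26-bit value shifted by 6, so whenever bit 25 is set the result does not fit in int32_t, which is undefined behaviour in C. modpost is built as a host program, and nothing in this hunk shows that the kernel's overflow-related compiler flags apply to it. Taking the value as unsigned keeps the shift well defined without changing callers: `static int32_t sign_extend32(uint32_t value, int index)`. addend_arm_rel() starts and ends outside the hunk.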
@@ -0,0 +1,133 @@ +From 20def63b530d07096c52c0a287ada543f35a00b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 21:09:55 +0900 +Subject: modpost: fix section mismatch message for R_ARM_ABS32 + +From: Masahiro Yamada + +[ Upstream commit b7c63520f6703a25eebb4f8138fed764fcae1c6f ] + +addend_arm_rel() processes R_ARM_ABS32 in a wrong way. + +Here, test code. + + [test code 1] + + #include + + int __initdata foo; + int get_foo(void) { return foo; } + +If you compile it with ARM versatile_defconfig, modpost will show the +symbol name, (unknown). + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> (unknown) (section: .init.data) + +(You need to use GNU linker instead of LLD to reproduce it.) + +If you compile it for other architectures, modpost will show the correct +symbol name. + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) + +For R_ARM_ABS32, addend_arm_rel() sets r->r_addend to a wrong value. + +I just mimicked the code in arch/arm/kernel/module.c. + +However, there is more difficulty for ARM. + +Here, test code. + + [test code 2] + + #include + + int __initdata foo; + int get_foo(void) { return foo; } + + int __initdata bar; + int get_bar(void) { return bar; } + +With this commit applied, modpost will show the following messages +for ARM versatile_defconfig: + + WARNING: modpost: vmlinux.o: section mismatch in reference: get_foo (section: .text) -> foo (section: .init.data) + WARNING: modpost: vmlinux.o: section mismatch in reference: get_bar (section: .text) -> foo (section: .init.data) + +The reference from 'get_bar' to 'foo' seems wrong. + +I have no solution for this because it is true in assembly level. + +In the following output, relocation at 0x1c is no longer associated +with 'bar'. The two relocation entries point to the same symbol, and +the offset to 'bar' is encoded in the instruction 'r0, [r3, #4]'. 
+ + Disassembly of section .text: + + 00000000 : + 0: e59f3004 ldr r3, [pc, #4] @ c + 4: e5930000 ldr r0, [r3] + 8: e12fff1e bx lr + c: 00000000 .word 0x00000000 + + 00000010 : + 10: e59f3004 ldr r3, [pc, #4] @ 1c + 14: e5930004 ldr r0, [r3, #4] + 18: e12fff1e bx lr + 1c: 00000000 .word 0x00000000 + + Relocation section '.rel.text' at offset 0x244 contains 2 entries: + Offset Info Type Sym.Value Sym. Name + 0000000c 00000c02 R_ARM_ABS32 00000000 .init.data + 0000001c 00000c02 R_ARM_ABS32 00000000 .init.data + +When find_elf_symbol() gets into a situation where relsym->st_name is +zero, there is no guarantee to get the symbol name as written in C. + +I am keeping the current logic because it is useful in many architectures, +but the symbol name is not always correct depending on the optimization. +I left some comments in find_tosym(). + +Fixes: 56a974fa2d59 ("kbuild: make better section mismatch reports on arm") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index e5aeaf72dcdb8..ad955c45d7a53 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1325,6 +1325,10 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, + if (relsym->st_name != 0) + return relsym; + ++ /* ++ * Strive to find a better symbol name, but the resulting name may not ++ * match the symbol referenced in the original code. 
++ */ + relsym_secindex = get_secindex(elf, relsym); + for (sym = elf->symtab_start; sym < elf->symtab_stop; sym++) { + if (get_secindex(elf, sym) != relsym_secindex) +@@ -1811,12 +1815,14 @@ static int addend_386_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + static int addend_arm_rel(struct elf_info *elf, Elf_Shdr *sechdr, Elf_Rela *r) + { + unsigned int r_typ = ELF_R_TYPE(r->r_info); ++ Elf_Sym *sym = elf->symtab_start + ELF_R_SYM(r->r_info); ++ void *loc = reloc_location(elf, sechdr, r); ++ uint32_t inst; + + switch (r_typ) { + case R_ARM_ABS32: +- /* From ARM ABI: (S + A) | T */ +- r->r_addend = (int)(long) +- (elf->symtab_start + ELF_R_SYM(r->r_info)); ++ inst = TO_NATIVE(*(uint32_t *)loc); ++ r->r_addend = inst + sym->st_value; + break; + case R_ARM_PC24: + case R_ARM_CALL: +-- +2.39.2 + diff --git a/tmp-5.4/mtd-rawnand-meson-fix-unaligned-dma-buffers-handling.patch b/tmp-5.4/mtd-rawnand-meson-fix-unaligned-dma-buffers-handling.patch new file mode 100644 index 00000000000..6fcf564b932 --- /dev/null +++ b/tmp-5.4/mtd-rawnand-meson-fix-unaligned-dma-buffers-handling.patch 
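Review bot: The new declarations at the top of addend_arm_rel() compute `sym = elf->symtab_start + ELF_R_SYM(r->r_info)` and `loc = reloc_location(elf, sechdr, r)` straight from the relocation entry, and the R_ARM_ABS32 case then reads `*(uint32_t *)loc` and `sym->st_value` with no visible range check. A malformed or truncated object file would make modpost read outside the symbol table or the mapped section; the same reads are used by the R_ARM_PC24/CALL/JUMP24 case added in the companion patch. find_elf_symbol() in this same patch already treats `elf->symtab_stop` as the table end, so a guard such as `if (sym < elf->symtab_start || sym >= elf->symtab_stop)` before the switch would match it. How to fail depends on the function's return convention, which lies outside the hunk, as does any validation reloc_location() may already do.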
@@ -0,0 +1,44 @@ +From 98480a181a08ceeede417e5b28f6d0429d8ae156 Mon Sep 17 00:00:00 2001 +From: Arseniy Krasnov +Date: Thu, 15 Jun 2023 11:08:15 +0300 +Subject: mtd: rawnand: meson: fix unaligned DMA buffers handling + +From: Arseniy Krasnov + +commit 98480a181a08ceeede417e5b28f6d0429d8ae156 upstream. + +Meson NAND controller requires 8 bytes alignment for DMA addresses, +otherwise it "aligns" passed address by itself thus accessing invalid +location in the provided buffer. This patch makes unaligned buffers to +be reallocated to become valid. + +Fixes: 8fae856c5350 ("mtd: rawnand: meson: add support for Amlogic NAND flash controller") +Cc: +Signed-off-by: Arseniy Krasnov +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20230615080815.3291006-1-AVKrasnov@sberdevices.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/meson_nand.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/mtd/nand/raw/meson_nand.c ++++ b/drivers/mtd/nand/raw/meson_nand.c +@@ -72,6 +72,7 @@ + #define GENCMDIADDRH(aih, addr) ((aih) | (((addr) >> 16) & 0xffff)) + + #define DMA_DIR(dir) ((dir) ? NFC_CMD_N2M : NFC_CMD_M2N) ++#define DMA_ADDR_ALIGN 8 + + #define ECC_CHECK_RETURN_FF (-1) + +@@ -838,6 +839,9 @@ static int meson_nfc_read_oob(struct nan + + static bool meson_nfc_is_buffer_dma_safe(const void *buffer) + { ++ if ((uintptr_t)buffer % DMA_ADDR_ALIGN) ++ return false; ++ + if (virt_addr_valid(buffer) && (!object_is_on_stack(buffer))) + return true; + return false; diff --git a/tmp-5.4/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch b/tmp-5.4/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch new file mode 100644 index 00000000000..ed65fa5a442 --- /dev/null +++ b/tmp-5.4/nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch 
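Review bot: The alignment test in meson_nfc_is_buffer_dma_safe() is open-coded as `if ((uintptr_t)buffer % DMA_ADDR_ALIGN)`, and the new `DMA_ADDR_ALIGN 8` define carries no comment saying where the 8 comes from. The kernel idiom reads more directly, `if (!IS_ALIGNED((uintptr_t)buffer, DMA_ADDR_ALIGN))`, and the define deserves a comment such as `/* NFC DMA engine requires 8-byte aligned addresses */`. The check is made on the CPU pointer while the stated hardware constraint is on the DMA address. That holds only if the mapping preserves the low address bits, which is presumably the case here but is worth stating in the comment.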
@@ -0,0 +1,41 @@ +From 456f7e7cba47667316050e9866ad8506c9e47f6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 20:21:59 +0800 +Subject: nbd: Add the maximum limit of allocated index in nbd_dev_add + +From: Zhong Jinghua + +[ Upstream commit f12bc113ce904777fd6ca003b473b427782b3dde ] + +If the index allocated by idr_alloc greater than MINORMASK >> part_shift, +the device number will overflow, resulting in failure to create a block +device. + +Fix it by imiting the size of the max allocation. + +Signed-off-by: Zhong Jinghua +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230605122159.2134384-1-zhongjinghua@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 218aa7e419700..37994a7a1b6f4 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1708,7 +1708,8 @@ static int nbd_dev_add(int index) + if (err == -ENOSPC) + err = -EEXIST; + } else { +- err = idr_alloc(&nbd_index_idr, nbd, 0, 0, GFP_KERNEL); ++ err = idr_alloc(&nbd_index_idr, nbd, 0, ++ (MINORMASK >> part_shift) + 1, GFP_KERNEL); + if (err >= 0) + index = err; + } +-- +2.39.2 + diff --git a/tmp-5.4/net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch b/tmp-5.4/net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch new file mode 100644 index 00000000000..6492955c808 --- /dev/null +++ b/tmp-5.4/net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch 
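Review bot: The new upper bound is applied only in the else branch of nbd_dev_add(), where the index is allocated automatically. The branch above it, of which only the -ENOSPC handling is visible, is untouched, so a caller-supplied `index` larger than `MINORMASK >> part_shift` would presumably still overflow the device number in the way the commit message describes. A range check on the supplied index, for example `if (index > (MINORMASK >> part_shift)) return -EINVAL;`, placed before anything is allocated, would close that path; the start of the function is outside the hunk, so the exact placement needs confirming. A comment on the new call would also help, since idr_alloc() treats its end argument as exclusive: `/* end is exclusive: highest usable index is MINORMASK >> part_shift */`.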
@@ -0,0 +1,39 @@ +From 1b5ea7ffb7a3bdfffb4b7f40ce0d20a3372ee405 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Thu, 22 Jun 2023 03:31:07 -0700 +Subject: net: bcmgenet: Ensure MDIO unregistration has clocks enabled + +From: Florian Fainelli + +commit 1b5ea7ffb7a3bdfffb4b7f40ce0d20a3372ee405 upstream. + +With support for Ethernet PHY LEDs having been added, while +unregistering a MDIO bus and its child device liks PHYs there may be +"late" accesses to the MDIO bus. One typical use case is setting the PHY +LEDs brightness to OFF for instance. + +We need to ensure that the MDIO bus controller remains entirely +functional since it runs off the main GENET adapter clock. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20230617155500.4005881-1-andrew@lunn.ch/ +Fixes: 9a4e79697009 ("net: bcmgenet: utilize generic Broadcom UniMAC MDIO controller driver") +Signed-off-by: Florian Fainelli +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230622103107.1760280-1-florian.fainelli@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c +@@ -618,5 +618,7 @@ void bcmgenet_mii_exit(struct net_device + if (of_phy_is_fixed_link(dn)) + of_phy_deregister_fixed_link(dn); + of_node_put(priv->phy_dn); ++ clk_prepare_enable(priv->clk); + platform_device_unregister(priv->mii_pdev); ++ clk_disable_unprepare(priv->clk); + } diff --git a/tmp-5.4/net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch b/tmp-5.4/net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch new file mode 100644 index 00000000000..99bed0d1953 --- /dev/null +++ b/tmp-5.4/net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch 
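Review bot: The return value of the added `clk_prepare_enable(priv->clk)` in bcmgenet_mii_exit() is ignored. If enabling fails, the MDIO bus is unregistered with the clock off, which is the situation the patch is meant to prevent, and the following `clk_disable_unprepare(priv->clk)` unbalances the clock's enable count. The function returns void, so the error cannot be propagated, but it can be recorded and the disable made conditional: `int ret = clk_prepare_enable(priv->clk);` before the unregister and `if (!ret) clk_disable_unprepare(priv->clk);` after it, with a warning logged on failure.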
@@ -0,0 +1,198 @@ +From cb8c2d1ecf895f8c6b83f645391b1b44b542dd28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 19:41:18 +0300 +Subject: net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode + +From: Vladimir Oltean + +[ Upstream commit 6ca3c005d0604e8d2b439366e3923ea58db99641 ] + +According to the synchronization rules for .ndo_get_stats() as seen in +Documentation/networking/netdevices.rst, acquiring a plain spin_lock() +should not be illegal, but the bridge driver implementation makes it so. + +After running these commands, I am being faced with the following +lockdep splat: + +$ ip link add link swp0 name macsec0 type macsec encrypt on && ip link set swp0 up +$ ip link add dev br0 type bridge vlan_filtering 1 && ip link set br0 up +$ ip link set macsec0 master br0 && ip link set macsec0 up + + ======================================================== + WARNING: possible irq lock inversion dependency detected + 6.4.0-04295-g31b577b4bd4a #603 Not tainted + -------------------------------------------------------- + swapper/1/0 just changed the state of lock: + ffff6bd348724cd8 (&br->lock){+.-.}-{3:3}, at: br_forward_delay_timer_expired+0x34/0x198 + but this lock took another, SOFTIRQ-unsafe lock in the past: + (&ocelot->stats_lock){+.+.}-{3:3} + + and interrupts could create inverse lock ordering between them. + + other info that might help us debug this: + Chain exists of: + &br->lock --> &br->hash_lock --> &ocelot->stats_lock + + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&ocelot->stats_lock); + local_irq_disable(); + lock(&br->lock); + lock(&br->hash_lock); + + lock(&br->lock); + + *** DEADLOCK *** + +(details about the 3 locks skipped) + +swp0 is instantiated by drivers/net/dsa/ocelot/felix.c, and this +only matters to the extent that its .ndo_get_stats64() method calls +spin_lock(&ocelot->stats_lock). 
+ +Documentation/locking/lockdep-design.rst says: + +| A lock is irq-safe means it was ever used in an irq context, while a lock +| is irq-unsafe means it was ever acquired with irq enabled. + +(...) + +| Furthermore, the following usage based lock dependencies are not allowed +| between any two lock-classes:: +| +| -> +| -> + +Lockdep marks br->hash_lock as softirq-safe, because it is sometimes +taken in softirq context (for example br_fdb_update() which runs in +NET_RX softirq), and when it's not in softirq context it blocks softirqs +by using spin_lock_bh(). + +Lockdep marks ocelot->stats_lock as softirq-unsafe, because it never +blocks softirqs from running, and it is never taken from softirq +context. So it can always be interrupted by softirqs. + +There is a call path through which a function that holds br->hash_lock: +fdb_add_hw_addr() will call a function that acquires ocelot->stats_lock: +ocelot_port_get_stats64(). This can be seen below: + +ocelot_port_get_stats64+0x3c/0x1e0 +felix_get_stats64+0x20/0x38 +dsa_slave_get_stats64+0x3c/0x60 +dev_get_stats+0x74/0x2c8 +rtnl_fill_stats+0x4c/0x150 +rtnl_fill_ifinfo+0x5cc/0x7b8 +rtmsg_ifinfo_build_skb+0xe4/0x150 +rtmsg_ifinfo+0x5c/0xb0 +__dev_notify_flags+0x58/0x200 +__dev_set_promiscuity+0xa0/0x1f8 +dev_set_promiscuity+0x30/0x70 +macsec_dev_change_rx_flags+0x68/0x88 +__dev_set_promiscuity+0x1a8/0x1f8 +__dev_set_rx_mode+0x74/0xa8 +dev_uc_add+0x74/0xa0 +fdb_add_hw_addr+0x68/0xd8 +fdb_add_local+0xc4/0x110 +br_fdb_add_local+0x54/0x88 +br_add_if+0x338/0x4a0 +br_add_slave+0x20/0x38 +do_setlink+0x3a4/0xcb8 +rtnl_newlink+0x758/0x9d0 +rtnetlink_rcv_msg+0x2f0/0x550 +netlink_rcv_skb+0x128/0x148 +rtnetlink_rcv+0x24/0x38 + +the plain English explanation for it is: + +The macsec0 bridge port is created without p->flags & BR_PROMISC, +because it is what br_manage_promisc() decides for a VLAN filtering +bridge with a single auto port. 
+ +As part of the br_add_if() procedure, br_fdb_add_local() is called for +the MAC address of the device, and this results in a call to +dev_uc_add() for macsec0 while the softirq-safe br->hash_lock is taken. + +Because macsec0 does not have IFF_UNICAST_FLT, dev_uc_add() ends up +calling __dev_set_promiscuity() for macsec0, which is propagated by its +implementation, macsec_dev_change_rx_flags(), to the lower device: swp0. +This triggers the call path: + +dev_set_promiscuity(swp0) +-> rtmsg_ifinfo() + -> dev_get_stats() + -> ocelot_port_get_stats64() + +with a calling context that lockdep doesn't like (br->hash_lock held). + +Normally we don't see this, because even though many drivers that can be +bridge ports don't support IFF_UNICAST_FLT, we need a driver that + +(a) doesn't support IFF_UNICAST_FLT, *and* +(b) it forwards the IFF_PROMISC flag to another driver, and +(c) *that* driver implements ndo_get_stats64() using a softirq-unsafe + spinlock. + +Condition (b) is necessary because the first __dev_set_rx_mode() calls +__dev_set_promiscuity() with "bool notify=false", and thus, the +rtmsg_ifinfo() code path won't be entered. + +The same criteria also hold true for DSA switches which don't report +IFF_UNICAST_FLT. When the DSA master uses a spin_lock() in its +ndo_get_stats64() method, the same lockdep splat can be seen. + +I think the deadlock possibility is real, even though I didn't reproduce +it, and I'm thinking of the following situation to support that claim: + +fdb_add_hw_addr() runs on a CPU A, in a context with softirqs locally +disabled and br->hash_lock held, and may end up attempting to acquire +ocelot->stats_lock. + +In parallel, ocelot->stats_lock is currently held by a thread B (say, +ocelot_check_stats_work()), which is interrupted while holding it by a +softirq which attempts to lock br->hash_lock. + +Thread B cannot make progress because br->hash_lock is held by A. Whereas +thread A cannot make progress because ocelot->stats_lock is held by B. 
+ +When taking the issue at face value, the bridge can avoid that problem +by simply making the ports promiscuous from a code path with a saner +calling context (br->hash_lock not held). A bridge port without +IFF_UNICAST_FLT is going to become promiscuous as soon as we call +dev_uc_add() on it (which we do unconditionally), so why not be +preemptive and make it promiscuous right from the beginning, so as to +not be taken by surprise. + +With this, we've broken the links between code that holds br->hash_lock +or br->lock and code that calls into the ndo_change_rx_flags() or +ndo_get_stats64() ops of the bridge port. + +Fixes: 2796d0c648c9 ("bridge: Automatically manage port promiscuous mode.") +Signed-off-by: Vladimir Oltean +Reviewed-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_if.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c +index e2a999890d05e..6b650dfc084dc 100644 +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -157,8 +157,9 @@ void br_manage_promisc(struct net_bridge *br) + * This lets us disable promiscuous mode and write + * this config to hw. + */ +- if (br->auto_cnt == 0 || +- (br->auto_cnt == 1 && br_auto_port(p))) ++ if ((p->dev->priv_flags & IFF_UNICAST_FLT) && ++ (br->auto_cnt == 0 || ++ (br->auto_cnt == 1 && br_auto_port(p)))) + br_port_clear_promisc(p); + else + br_port_set_promisc(p); +-- +2.39.2 + diff --git a/tmp-5.4/net-create-netdev-dev_addr-assignment-helpers.patch b/tmp-5.4/net-create-netdev-dev_addr-assignment-helpers.patch new file mode 100644 index 00000000000..78a6d4dca46 --- /dev/null +++ b/tmp-5.4/net-create-netdev-dev_addr-assignment-helpers.patch 
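Review bot: The comment above the changed condition in br_manage_promisc() still describes only the auto-port counting and says nothing about the new `p->dev->priv_flags & IFF_UNICAST_FLT` test, so the locking reason for it survives only in the commit message. A reader of the source will not see why ports without unicast filtering are excluded from br_port_clear_promisc(). I would extend the comment with something like `/* Ports without IFF_UNICAST_FLT turn promiscuous on the first dev_uc_add() anyway; keep them promiscuous from the start so that never happens under br->hash_lock. */`. The function begins and ends outside the hunk.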
@@ -0,0 +1,82 @@ +From 2d67803006cfe8da5b9f45fd45488caadc9bd986 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 11:10:37 -0700 +Subject: net: create netdev->dev_addr assignment helpers + +From: Jakub Kicinski + +[ Upstream commit 48eab831ae8b9f7002a533fa4235eed63ea1f1a3 ] + +Recent work on converting address list to a tree made it obvious +we need an abstraction around writing netdev->dev_addr. Without +such abstraction updating the main device address is invisible +to the core. + +Introduce a number of helpers which for now just wrap memcpy() +but in the future can make necessary changes to the address +tree. + +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + include/linux/etherdevice.h | 12 ++++++++++++ + include/linux/netdevice.h | 18 ++++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/include/linux/etherdevice.h b/include/linux/etherdevice.h +index 0f1e95240c0c0..66b89189a1e2e 100644 +--- a/include/linux/etherdevice.h ++++ b/include/linux/etherdevice.h +@@ -288,6 +288,18 @@ static inline void ether_addr_copy(u8 *dst, const u8 *src) + #endif + } + ++/** ++ * eth_hw_addr_set - Assign Ethernet address to a net_device ++ * @dev: pointer to net_device structure ++ * @addr: address to assign ++ * ++ * Assign given address to the net_device, addr_assign_type is not changed. 
++ */ ++static inline void eth_hw_addr_set(struct net_device *dev, const u8 *addr) ++{ ++ ether_addr_copy(dev->dev_addr, addr); ++} ++ + /** + * eth_hw_addr_inherit - Copy dev_addr from another net_device + * @dst: pointer to net_device to copy dev_addr to +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 8dea4b53d664d..bf623f0e04d64 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -4189,6 +4189,24 @@ void __hw_addr_unsync_dev(struct netdev_hw_addr_list *list, + void __hw_addr_init(struct netdev_hw_addr_list *list); + + /* Functions used for device addresses handling */ ++static inline void ++__dev_addr_set(struct net_device *dev, const u8 *addr, size_t len) ++{ ++ memcpy(dev->dev_addr, addr, len); ++} ++ ++static inline void dev_addr_set(struct net_device *dev, const u8 *addr) ++{ ++ __dev_addr_set(dev, addr, dev->addr_len); ++} ++ ++static inline void ++dev_addr_mod(struct net_device *dev, unsigned int offset, ++ const u8 *addr, size_t len) ++{ ++ memcpy(&dev->dev_addr[offset], addr, len); ++} ++ + int dev_addr_add(struct net_device *dev, const unsigned char *addr, + unsigned char addr_type); + int dev_addr_del(struct net_device *dev, const unsigned char *addr, +-- +2.39.2 + diff --git a/tmp-5.4/net-dsa-tag_sja1105-fix-mac-da-patching-from-meta-fr.patch b/tmp-5.4/net-dsa-tag_sja1105-fix-mac-da-patching-from-meta-fr.patch new file mode 100644 index 00000000000..c60feec1ca7 --- /dev/null +++ b/tmp-5.4/net-dsa-tag_sja1105-fix-mac-da-patching-from-meta-fr.patch 
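Review bot: The new helpers `__dev_addr_set()` and `dev_addr_mod()` in include/linux/netdevice.h pass caller-supplied `len` and `offset` straight to memcpy() on `dev->dev_addr`, with no bound and no documentation of the contract. A driver that passes a length taken from firmware or the wire would write past the address buffer. eth_hw_addr_set() received kernel-doc in this patch; these two should get the same, stating that `offset + len` must stay within the address storage (presumably MAX_ADDR_LEN, which is not visible here). Since the stated purpose is to centralise writes to dev_addr, this is also the natural place for a sanity check, e.g. `if (WARN_ON(offset + len > MAX_ADDR_LEN)) return;` in dev_addr_mod().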
@@ -0,0 +1,46 @@ +From a257ddee39cf9408c9cb6c4787c307bb85880c66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jul 2023 01:05:44 +0300 +Subject: net: dsa: tag_sja1105: fix MAC DA patching from meta frames + +From: Vladimir Oltean + +[ Upstream commit 1dcf6efd5f0c1f4496b3ef7ec5a7db104a53b38c ] + +The SJA1105 manual says that at offset 4 into the meta frame payload we +have "MAC destination byte 2" and at offset 5 we have "MAC destination +byte 1". These are counted from the LSB, so byte 1 is h_dest[ETH_HLEN-2] +aka h_dest[4] and byte 2 is h_dest[ETH_HLEN-3] aka h_dest[3]. + +The sja1105_meta_unpack() function decodes these the other way around, +so a frame with MAC DA 01:80:c2:11:22:33 is received by the network +stack as having 01:80:c2:22:11:33. + +Fixes: e53e18a6fe4d ("net: dsa: sja1105: Receive and decode meta frames") +Signed-off-by: Vladimir Oltean +Reviewed-by: Simon Horman +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/dsa/tag_sja1105.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/dsa/tag_sja1105.c b/net/dsa/tag_sja1105.c +index 12f3ce52e62eb..836a75030a520 100644 +--- a/net/dsa/tag_sja1105.c ++++ b/net/dsa/tag_sja1105.c +@@ -48,8 +48,8 @@ static void sja1105_meta_unpack(const struct sk_buff *skb, + * a unified unpacking command for both device series. + */ + packing(buf, &meta->tstamp, 31, 0, 4, UNPACK, 0); +- packing(buf + 4, &meta->dmac_byte_4, 7, 0, 1, UNPACK, 0); +- packing(buf + 5, &meta->dmac_byte_3, 7, 0, 1, UNPACK, 0); ++ packing(buf + 4, &meta->dmac_byte_3, 7, 0, 1, UNPACK, 0); ++ packing(buf + 5, &meta->dmac_byte_4, 7, 0, 1, UNPACK, 0); + packing(buf + 6, &meta->source_port, 7, 0, 1, UNPACK, 0); + packing(buf + 7, &meta->switch_id, 7, 0, 1, UNPACK, 0); + } +-- +2.39.2 + 
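Review bot: The swapped lines in sja1105_meta_unpack() are correct only under a numbering convention that is explained in the commit message and nowhere in the code: the manual counts destination MAC bytes from the LSB, while the `dmac_byte_3`/`dmac_byte_4` field names index h_dest from the front. That mismatch is what produced the original bug, so it should be recorded next to the two packing() calls, for example `/* offset 4 = manual's "MAC DA byte 2" = h_dest[3]; offset 5 = "byte 1" = h_dest[4] */`. The function starts outside the hunk.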
diff --git a/tmp-5.4/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch b/tmp-5.4/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch new file mode 100644 index 00000000000..806727c4c02 --- /dev/null +++ b/tmp-5.4/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch 
@@ -0,0 +1,78 @@ +From 08a8346073e660036a1e3e9ae04efddd220a90fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 16:36:57 +0530 +Subject: net: ethernet: ti: cpsw_ale: Fix + cpsw_ale_get_field()/cpsw_ale_set_field() + +From: Tanmay Patil + +[ Upstream commit b685f1a58956fa36cc01123f253351b25bfacfda ] + +CPSW ALE has 75 bit ALE entries which are stored within three 32 bit words. +The cpsw_ale_get_field() and cpsw_ale_set_field() functions assume that the +field will be strictly contained within one word. However, this is not +guaranteed to be the case and it is possible for ALE field entries to span +across up to two words at the most. + +Fix the methods to handle getting/setting fields spanning up to two words. + +Fixes: db82173f23c5 ("netdev: driver: ethernet: add cpsw address lookup engine support") +Signed-off-by: Tanmay Patil +[s-vadapalli@ti.com: rephrased commit message and added Fixes tag] +Signed-off-by: Siddharth Vadapalli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/cpsw_ale.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c +index e7c24396933e9..f17619c545ae5 100644 +--- a/drivers/net/ethernet/ti/cpsw_ale.c ++++ b/drivers/net/ethernet/ti/cpsw_ale.c +@@ -60,23 +60,37 @@ + + static inline int cpsw_ale_get_field(u32 *ale_entry, u32 start, u32 bits) + { +- int idx; ++ int idx, idx2; ++ u32 hi_val = 0; + + idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be fetched exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ hi_val = ale_entry[idx2] << ((idx2 * 32) - start); ++ } + start -= idx * 32; + idx = 2 - idx; /* flip */ +- return (ale_entry[idx] >> start) & BITMASK(bits); ++ return (hi_val + (ale_entry[idx] >> start)) & BITMASK(bits); + } + + static inline void cpsw_ale_set_field(u32 *ale_entry, u32 start, u32 bits, + u32 value) + { 
+- int idx; ++ int idx, idx2; + + value &= BITMASK(bits); +- idx = start / 32; ++ idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be set exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ ale_entry[idx2] &= ~(BITMASK(bits + start - (idx2 * 32))); ++ ale_entry[idx2] |= (value >> ((idx2 * 32) - start)); ++ } + start -= idx * 32; +- idx = 2 - idx; /* flip */ ++ idx = 2 - idx; /* flip */ + ale_entry[idx] &= ~(BITMASK(bits) << start); + ale_entry[idx] |= (value << start); + } +-- +2.39.2 + diff --git a/tmp-5.4/net-ipv6-check-return-value-of-pskb_trim.patch b/tmp-5.4/net-ipv6-check-return-value-of-pskb_trim.patch new file mode 100644 index 00000000000..0244504e97e --- /dev/null +++ b/tmp-5.4/net-ipv6-check-return-value-of-pskb_trim.patch @@ -0,0 +1,39 @@ +From 63eb3f5f78a3465e2d34f4145321d87171922518 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 22:45:19 +0800 +Subject: net:ipv6: check return value of pskb_trim() + +From: Yuanjun Gong + +[ Upstream commit 4258faa130be4ea43e5e2d839467da421b8ff274 ] + +goto tx_err if an unexpected result is returned by pskb_tirm() +in ip6erspan_tunnel_xmit(). + +Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") +Signed-off-by: Yuanjun Gong +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 0977137b00dc4..2d34bd98fccea 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -941,7 +941,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + goto tx_err; + + if (skb->len > dev->mtu + dev->hard_header_len) { +- pskb_trim(skb, dev->mtu + dev->hard_header_len); ++ if (pskb_trim(skb, dev->mtu + dev->hard_header_len)) ++ goto tx_err; + truncate = true; + } + +-- +2.39.2 + 
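Review bot: In cpsw_ale_get_field() and cpsw_ale_set_field() the new word-spanning branch flips `idx2` with `idx2 = 2 - idx2` and then reuses the flipped value in the bit arithmetic `(idx2 * 32) - start`. That is only right when the field crosses the boundary between words 0 and 1, where the flip maps 1 to 1. For a field crossing bit 64 the flipped index is 0, the expression becomes `0 - start`, and because `start` is u32 this wraps to a shift count far above 31, which is undefined. Whether any ALE field actually crosses that upper boundary is not visible in this hunk. Keeping `idx2` unflipped for the arithmetic and flipping only at the array access avoids the problem: `hi_val = ale_entry[2 - idx2] << ((idx2 * 32) - start);` in the getter, and `ale_entry[2 - idx2] &= ~BITMASK(bits + start - (idx2 * 32));` followed by `ale_entry[2 - idx2] |= value >> ((idx2 * 32) - start);` in the setter.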
diff --git a/tmp-5.4/net-lan743x-don-t-sleep-in-atomic-context.patch b/tmp-5.4/net-lan743x-don-t-sleep-in-atomic-context.patch new file mode 100644 index 00000000000..90db667a7af --- /dev/null +++ b/tmp-5.4/net-lan743x-don-t-sleep-in-atomic-context.patch 
@@ -0,0 +1,72 @@ +From 7a8227b2e76be506b2ac64d2beac950ca04892a5 Mon Sep 17 00:00:00 2001 +From: Moritz Fischer +Date: Tue, 27 Jun 2023 03:50:00 +0000 +Subject: net: lan743x: Don't sleep in atomic context + +From: Moritz Fischer + +commit 7a8227b2e76be506b2ac64d2beac950ca04892a5 upstream. + +dev_set_rx_mode() grabs a spin_lock, and the lan743x implementation +proceeds subsequently to go to sleep using readx_poll_timeout(). + +Introduce a helper wrapping the readx_poll_timeout_atomic() function +and use it to replace the calls to readx_polL_timeout(). + +Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver") +Cc: stable@vger.kernel.org +Cc: Bryan Whitehead +Cc: UNGLinuxDriver@microchip.com +Signed-off-by: Moritz Fischer +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230627035000.1295254-1-moritzf@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/microchip/lan743x_main.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -80,6 +80,18 @@ static int lan743x_csr_light_reset(struc + !(data & HW_CFG_LRST_), 100000, 10000000); + } + ++static int lan743x_csr_wait_for_bit_atomic(struct lan743x_adapter *adapter, ++ int offset, u32 bit_mask, ++ int target_value, int udelay_min, ++ int udelay_max, int count) ++{ ++ u32 data; ++ ++ return readx_poll_timeout_atomic(LAN743X_CSR_READ_OP, offset, data, ++ target_value == !!(data & bit_mask), ++ udelay_max, udelay_min * count); ++} ++ + static int lan743x_csr_wait_for_bit(struct lan743x_adapter *adapter, + int offset, u32 bit_mask, + int target_value, int usleep_min, +@@ -675,8 +687,8 @@ static int lan743x_dp_write(struct lan74 + u32 dp_sel; + int i; + +- if (lan743x_csr_wait_for_bit(adapter, DP_SEL, DP_SEL_DPRDY_, +- 1, 40, 100, 100)) ++ if (lan743x_csr_wait_for_bit_atomic(adapter, DP_SEL, DP_SEL_DPRDY_, ++ 1, 
40, 100, 100)) + return -EIO; + dp_sel = lan743x_csr_read(adapter, DP_SEL); + dp_sel &= ~DP_SEL_MASK_; +@@ -687,8 +699,9 @@ static int lan743x_dp_write(struct lan74 + lan743x_csr_write(adapter, DP_ADDR, addr + i); + lan743x_csr_write(adapter, DP_DATA_0, buf[i]); + lan743x_csr_write(adapter, DP_CMD, DP_CMD_WRITE_); +- if (lan743x_csr_wait_for_bit(adapter, DP_SEL, DP_SEL_DPRDY_, +- 1, 40, 100, 100)) ++ if (lan743x_csr_wait_for_bit_atomic(adapter, DP_SEL, ++ DP_SEL_DPRDY_, ++ 1, 40, 100, 100)) + return -EIO; + } + diff --git a/tmp-5.4/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch b/tmp-5.4/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch new file mode 100644 index 00000000000..2d485172992 --- /dev/null +++ b/tmp-5.4/net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch 
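Review bot: The new helper lan743x_csr_wait_for_bit_atomic() passes `udelay_max` as the per-iteration delay and `udelay_min * count` as the total timeout, which is easy to misread from the parameter names. With the call sites' `40, 100, 100` that is a 100 us busy-wait step bounded at 4000 us. Because this now spins instead of sleeping, and the commit message says the caller holds a spinlock, the helper should state its worst case, e.g. `/* busy-waits up to udelay_min * count us; safe in atomic context */`. In lan743x_dp_write() the second call sits among writes indexed by `i`, apparently inside a loop, so the total spin would scale with the number of words written. The body of lan743x_dp_write() continues outside the hunk.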
@@ -0,0 +1,48 @@ +From b16067bdb0ebf87601933839b3764c64ddc0bbdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 07:37:12 +0200 +Subject: net: mvneta: fix txq_map in case of txq_number==1 + +From: Klaus Kudielka + +[ Upstream commit 21327f81db6337c8843ce755b01523c7d3df715b ] + +If we boot with mvneta.txq_number=1, the txq_map is set incorrectly: +MVNETA_CPU_TXQ_ACCESS(1) refers to TX queue 1, but only TX queue 0 is +initialized. Fix this. + +Fixes: 50bf8cb6fc9c ("net: mvneta: Configure XPS support") +Signed-off-by: Klaus Kudielka +Reviewed-by: Michal Kubiak +Link: https://lore.kernel.org/r/20230705053712.3914-1-klaus.kudielka@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvneta.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c +index 977c2961aa2c2..110221a16bf6d 100644 +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -1422,7 +1422,7 @@ static void mvneta_defaults_set(struct mvneta_port *pp) + */ + if (txq_number == 1) + txq_map = (cpu == pp->rxq_def) ? +- MVNETA_CPU_TXQ_ACCESS(1) : 0; ++ MVNETA_CPU_TXQ_ACCESS(0) : 0; + + } else { + txq_map = MVNETA_CPU_TXQ_ACCESS_ALL_MASK; +@@ -3762,7 +3762,7 @@ static void mvneta_percpu_elect(struct mvneta_port *pp) + */ + if (txq_number == 1) + txq_map = (cpu == elected_cpu) ? +- MVNETA_CPU_TXQ_ACCESS(1) : 0; ++ MVNETA_CPU_TXQ_ACCESS(0) : 0; + else + txq_map = mvreg_read(pp, MVNETA_CPU_MAP(cpu)) & + MVNETA_CPU_TXQ_ACCESS_ALL_MASK; +-- +2.39.2 + diff --git a/tmp-5.4/net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch b/tmp-5.4/net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch new file mode 100644 index 00000000000..d4467950bf0 --- /dev/null +++ b/tmp-5.4/net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch 
@@ -0,0 +1,558 @@ +From 7ad4204145d770a3081ea1de73e27d2644c1e4ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jun 2023 17:10:07 +0800 +Subject: net: nfc: Fix use-after-free caused by nfc_llcp_find_local + +From: Lin Ma + +[ Upstream commit 6709d4b7bc2e079241fdef15d1160581c5261c10 ] + +This commit fixes several use-after-free that caused by function +nfc_llcp_find_local(). For example, one UAF can happen when below buggy +time window occurs. + +// nfc_genl_llc_get_params | // nfc_unregister_device + | +dev = nfc_get_device(idx); | device_lock(...) +if (!dev) | dev->shutting_down = true; + return -ENODEV; | device_unlock(...); + | +device_lock(...); | // nfc_llcp_unregister_device + | nfc_llcp_find_local() +nfc_llcp_find_local(...); | + | local_cleanup() +if (!local) { | + rc = -ENODEV; | // nfc_llcp_local_put + goto exit; | kref_put(.., local_release) +} | + | // local_release + | list_del(&local->list) + // nfc_genl_send_params | kfree() + local->dev->idx !!!UAF!!! | + | + +and the crash trace for the one of the discussed UAF like: + +BUG: KASAN: slab-use-after-free in nfc_genl_llc_get_params+0x72f/0x780 net/nfc/netlink.c:1045 +Read of size 8 at addr ffff888105b0e410 by task 20114 + +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:319 [inline] + print_report+0xcc/0x620 mm/kasan/report.c:430 + kasan_report+0xb2/0xe0 mm/kasan/report.c:536 + nfc_genl_send_params net/nfc/netlink.c:999 [inline] + nfc_genl_llc_get_params+0x72f/0x780 net/nfc/netlink.c:1045 + genl_family_rcv_msg_doit.isra.0+0x1ee/0x2e0 net/netlink/genetlink.c:968 + genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline] + genl_rcv_msg+0x503/0x7d0 net/netlink/genetlink.c:1065 + netlink_rcv_skb+0x161/0x430 net/netlink/af_netlink.c:2548 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076 + netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] + netlink_unicast+0x644/0x900 
net/netlink/af_netlink.c:1365 + netlink_sendmsg+0x934/0xe70 net/netlink/af_netlink.c:1913 + sock_sendmsg_nosec net/socket.c:724 [inline] + sock_sendmsg+0x1b6/0x200 net/socket.c:747 + ____sys_sendmsg+0x6e9/0x890 net/socket.c:2501 + ___sys_sendmsg+0x110/0x1b0 net/socket.c:2555 + __sys_sendmsg+0xf7/0x1d0 net/socket.c:2584 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7f34640a2389 +RSP: 002b:00007f3463415168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f34641c1f80 RCX: 00007f34640a2389 +RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000006 +RBP: 00007f34640ed493 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007ffe38449ecf R14: 00007f3463415300 R15: 0000000000022000 + + +Allocated by task 20116: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + ____kasan_kmalloc mm/kasan/common.c:374 [inline] + __kasan_kmalloc+0x7f/0x90 mm/kasan/common.c:383 + kmalloc include/linux/slab.h:580 [inline] + kzalloc include/linux/slab.h:720 [inline] + nfc_llcp_register_device+0x49/0xa40 net/nfc/llcp_core.c:1567 + nfc_register_device+0x61/0x260 net/nfc/core.c:1124 + nci_register_device+0x776/0xb20 net/nfc/nci/core.c:1257 + virtual_ncidev_open+0x147/0x230 drivers/nfc/virtual_ncidev.c:148 + misc_open+0x379/0x4a0 drivers/char/misc.c:165 + chrdev_open+0x26c/0x780 fs/char_dev.c:414 + do_dentry_open+0x6c4/0x12a0 fs/open.c:920 + do_open fs/namei.c:3560 [inline] + path_openat+0x24fe/0x37e0 fs/namei.c:3715 + do_filp_open+0x1ba/0x410 fs/namei.c:3742 + do_sys_openat2+0x171/0x4c0 fs/open.c:1356 + do_sys_open fs/open.c:1372 [inline] + __do_sys_openat fs/open.c:1388 [inline] + __se_sys_openat fs/open.c:1383 [inline] + __x64_sys_openat+0x143/0x200 fs/open.c:1383 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + 
do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Freed by task 20115: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + kasan_set_track+0x25/0x30 mm/kasan/common.c:52 + kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:521 + ____kasan_slab_free mm/kasan/common.c:236 [inline] + ____kasan_slab_free mm/kasan/common.c:200 [inline] + __kasan_slab_free+0x10a/0x190 mm/kasan/common.c:244 + kasan_slab_free include/linux/kasan.h:162 [inline] + slab_free_hook mm/slub.c:1781 [inline] + slab_free_freelist_hook mm/slub.c:1807 [inline] + slab_free mm/slub.c:3787 [inline] + __kmem_cache_free+0x7a/0x190 mm/slub.c:3800 + local_release net/nfc/llcp_core.c:174 [inline] + kref_put include/linux/kref.h:65 [inline] + nfc_llcp_local_put net/nfc/llcp_core.c:182 [inline] + nfc_llcp_local_put net/nfc/llcp_core.c:177 [inline] + nfc_llcp_unregister_device+0x206/0x290 net/nfc/llcp_core.c:1620 + nfc_unregister_device+0x160/0x1d0 net/nfc/core.c:1179 + virtual_ncidev_close+0x52/0xa0 drivers/nfc/virtual_ncidev.c:163 + __fput+0x252/0xa20 fs/file_table.c:321 + task_work_run+0x174/0x270 kernel/task_work.c:179 + resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] + exit_to_user_mode_loop kernel/entry/common.c:171 [inline] + exit_to_user_mode_prepare+0x108/0x110 kernel/entry/common.c:204 + __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] + syscall_exit_to_user_mode+0x21/0x50 kernel/entry/common.c:297 + do_syscall_64+0x4c/0x90 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Last potentially related work creation: + kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 + __kasan_record_aux_stack+0x95/0xb0 mm/kasan/generic.c:491 + kvfree_call_rcu+0x29/0xa80 kernel/rcu/tree.c:3328 + drop_sysctl_table+0x3be/0x4e0 fs/proc/proc_sysctl.c:1735 + unregister_sysctl_table.part.0+0x9c/0x190 fs/proc/proc_sysctl.c:1773 + unregister_sysctl_table+0x24/0x30 fs/proc/proc_sysctl.c:1753 + neigh_sysctl_unregister+0x5f/0x80 
net/core/neighbour.c:3895 + addrconf_notify+0x140/0x17b0 net/ipv6/addrconf.c:3684 + notifier_call_chain+0xbe/0x210 kernel/notifier.c:87 + call_netdevice_notifiers_info+0xb5/0x150 net/core/dev.c:1937 + call_netdevice_notifiers_extack net/core/dev.c:1975 [inline] + call_netdevice_notifiers net/core/dev.c:1989 [inline] + dev_change_name+0x3c3/0x870 net/core/dev.c:1211 + dev_ifsioc+0x800/0xf70 net/core/dev_ioctl.c:376 + dev_ioctl+0x3d9/0xf80 net/core/dev_ioctl.c:542 + sock_do_ioctl+0x160/0x260 net/socket.c:1213 + sock_ioctl+0x3f9/0x670 net/socket.c:1316 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x19e/0x210 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +The buggy address belongs to the object at ffff888105b0e400 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 16 bytes inside of + freed 1024-byte region [ffff888105b0e400, ffff888105b0e800) + +The buggy address belongs to the physical page: +head:ffffea000416c200 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +flags: 0x200000000010200(slab|head|node=0|zone=2) +raw: 0200000000010200 ffff8881000430c0 ffffea00044c7010 ffffea0004510e10 +raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff888105b0e300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff888105b0e380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff888105b0e400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff888105b0e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff888105b0e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + +In summary, this patch solves those use-after-free by + +1. Re-implement the nfc_llcp_find_local(). 
The current version does not +grab the reference when getting the local from the linked list. For +example, the llcp_sock_bind() gets the reference like below: + +// llcp_sock_bind() + + local = nfc_llcp_find_local(dev); // A + ..... \ + | raceable + ..... / + llcp_sock->local = nfc_llcp_local_get(local); // B + +There is an apparent race window that one can drop the reference +and free the local object fetched in (A) before (B) gets the reference. + +2. Some callers of the nfc_llcp_find_local() do not grab the reference +at all. For example, the nfc_genl_llc_{{get/set}_params/sdreq} functions. +We add the nfc_llcp_local_put() for them. Moreover, we add the necessary +error handling function to put the reference. + +3. Add the nfc_llcp_remove_local() helper. The local object is removed +from the linked list in local_release() when all reference is gone. This +patch removes it when nfc_llcp_unregister_device() is called. + +Therefore, every caller of nfc_llcp_find_local() will get a reference +even when the nfc_llcp_unregister_device() is called. This promises no +use-after-free for the local object is ever possible. + +Fixes: 52feb444a903 ("NFC: Extend netlink interface for LTO, RW, and MIUX parameters support") +Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket") +Signed-off-by: Lin Ma +Reviewed-by: Simon Horman +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/nfc/llcp.h | 1 - + net/nfc/llcp_commands.c | 12 +++++++--- + net/nfc/llcp_core.c | 49 +++++++++++++++++++++++++++++++++++------ + net/nfc/llcp_sock.c | 18 ++++++++------- + net/nfc/netlink.c | 20 ++++++++++++----- + net/nfc/nfc.h | 1 + + 6 files changed, 77 insertions(+), 24 deletions(-) + +diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h +index d49d4bf2e37c8..a81893bc06ce8 100644 +--- a/net/nfc/llcp.h ++++ b/net/nfc/llcp.h +@@ -202,7 +202,6 @@ void nfc_llcp_sock_link(struct llcp_sock_list *l, struct sock *s); + void nfc_llcp_sock_unlink(struct llcp_sock_list *l, struct sock *s); + void nfc_llcp_socket_remote_param_init(struct nfc_llcp_sock *sock); + struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev); +-struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local); + int nfc_llcp_local_put(struct nfc_llcp_local *local); + u8 nfc_llcp_get_sdp_ssap(struct nfc_llcp_local *local, + struct nfc_llcp_sock *sock); +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index bb9f40563ff63..5b8754ae7d3af 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -361,6 +361,7 @@ int nfc_llcp_send_symm(struct nfc_dev *dev) + struct sk_buff *skb; + struct nfc_llcp_local *local; + u16 size = 0; ++ int err; + + pr_debug("Sending SYMM\n"); + +@@ -372,8 +373,10 @@ int nfc_llcp_send_symm(struct nfc_dev *dev) + size += dev->tx_headroom + dev->tx_tailroom + NFC_HEADER_SIZE; + + skb = alloc_skb(size, GFP_KERNEL); +- if (skb == NULL) +- return -ENOMEM; ++ if (skb == NULL) { ++ err = -ENOMEM; ++ goto out; ++ } + + skb_reserve(skb, dev->tx_headroom + NFC_HEADER_SIZE); + +@@ -383,8 +386,11 @@ int nfc_llcp_send_symm(struct nfc_dev *dev) + + nfc_llcp_send_to_raw_sock(local, skb, NFC_DIRECTION_TX); + +- return nfc_data_exchange(dev, local->target_idx, skb, ++ err = nfc_data_exchange(dev, local->target_idx, skb, + nfc_llcp_recv, local); ++out: ++ nfc_llcp_local_put(local); ++ return err; + } + + int 
nfc_llcp_send_connect(struct nfc_llcp_sock *sock) +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index fd43e75abd948..ddfd159f64e13 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -17,6 +17,8 @@ + static u8 llcp_magic[3] = {0x46, 0x66, 0x6d}; + + static LIST_HEAD(llcp_devices); ++/* Protects llcp_devices list */ ++static DEFINE_SPINLOCK(llcp_devices_lock); + + static void nfc_llcp_rx_skb(struct nfc_llcp_local *local, struct sk_buff *skb); + +@@ -143,7 +145,7 @@ static void nfc_llcp_socket_release(struct nfc_llcp_local *local, bool device, + write_unlock(&local->raw_sockets.lock); + } + +-struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local) ++static struct nfc_llcp_local *nfc_llcp_local_get(struct nfc_llcp_local *local) + { + kref_get(&local->ref); + +@@ -171,7 +173,6 @@ static void local_release(struct kref *ref) + + local = container_of(ref, struct nfc_llcp_local, ref); + +- list_del(&local->list); + local_cleanup(local); + kfree(local); + } +@@ -284,12 +285,33 @@ static void nfc_llcp_sdreq_timer(struct timer_list *t) + struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev) + { + struct nfc_llcp_local *local; ++ struct nfc_llcp_local *res = NULL; + ++ spin_lock(&llcp_devices_lock); + list_for_each_entry(local, &llcp_devices, list) +- if (local->dev == dev) ++ if (local->dev == dev) { ++ res = nfc_llcp_local_get(local); ++ break; ++ } ++ spin_unlock(&llcp_devices_lock); ++ ++ return res; ++} ++ ++static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev) ++{ ++ struct nfc_llcp_local *local, *tmp; ++ ++ spin_lock(&llcp_devices_lock); ++ list_for_each_entry_safe(local, tmp, &llcp_devices, list) ++ if (local->dev == dev) { ++ list_del(&local->list); ++ spin_unlock(&llcp_devices_lock); + return local; ++ } ++ spin_unlock(&llcp_devices_lock); + +- pr_debug("No device found\n"); ++ pr_warn("Shutting down device not found\n"); + + return NULL; + } +@@ -610,12 +632,15 @@ u8 *nfc_llcp_general_bytes(struct 
nfc_dev *dev, size_t *general_bytes_len) + + *general_bytes_len = local->gb_len; + ++ nfc_llcp_local_put(local); ++ + return local->gb; + } + + int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + { + struct nfc_llcp_local *local; ++ int err; + + if (gb_len < 3 || gb_len > NFC_MAX_GT_LEN) + return -EINVAL; +@@ -632,12 +657,16 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + + if (memcmp(local->remote_gb, llcp_magic, 3)) { + pr_err("MAC does not support LLCP\n"); +- return -EINVAL; ++ err = -EINVAL; ++ goto out; + } + +- return nfc_llcp_parse_gb_tlv(local, ++ err = nfc_llcp_parse_gb_tlv(local, + &local->remote_gb[3], + local->remote_gb_len - 3); ++out: ++ nfc_llcp_local_put(local); ++ return err; + } + + static u8 nfc_llcp_dsap(const struct sk_buff *pdu) +@@ -1527,6 +1556,8 @@ int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb) + + __nfc_llcp_recv(local, skb); + ++ nfc_llcp_local_put(local); ++ + return 0; + } + +@@ -1543,6 +1574,8 @@ void nfc_llcp_mac_is_down(struct nfc_dev *dev) + + /* Close and purge all existing sockets */ + nfc_llcp_socket_release(local, true, 0); ++ ++ nfc_llcp_local_put(local); + } + + void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx, +@@ -1568,6 +1601,8 @@ void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx, + mod_timer(&local->link_timer, + jiffies + msecs_to_jiffies(local->remote_lto)); + } ++ ++ nfc_llcp_local_put(local); + } + + int nfc_llcp_register_device(struct nfc_dev *ndev) +@@ -1618,7 +1653,7 @@ int nfc_llcp_register_device(struct nfc_dev *ndev) + + void nfc_llcp_unregister_device(struct nfc_dev *dev) + { +- struct nfc_llcp_local *local = nfc_llcp_find_local(dev); ++ struct nfc_llcp_local *local = nfc_llcp_remove_local(dev); + + if (local == NULL) { + pr_debug("No such device\n"); +diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c +index 1c1748b86fae7..aea337d817025 100644 +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -99,7 +99,7 
@@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) + } + + llcp_sock->dev = dev; +- llcp_sock->local = nfc_llcp_local_get(local); ++ llcp_sock->local = local; + llcp_sock->nfc_protocol = llcp_addr.nfc_protocol; + llcp_sock->service_name_len = min_t(unsigned int, + llcp_addr.service_name_len, +@@ -181,7 +181,7 @@ static int llcp_raw_sock_bind(struct socket *sock, struct sockaddr *addr, + } + + llcp_sock->dev = dev; +- llcp_sock->local = nfc_llcp_local_get(local); ++ llcp_sock->local = local; + llcp_sock->nfc_protocol = llcp_addr.nfc_protocol; + + nfc_llcp_sock_link(&local->raw_sockets, sk); +@@ -698,22 +698,22 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, + if (dev->dep_link_up == false) { + ret = -ENOLINK; + device_unlock(&dev->dev); +- goto put_dev; ++ goto sock_llcp_put_local; + } + device_unlock(&dev->dev); + + if (local->rf_mode == NFC_RF_INITIATOR && + addr->target_idx != local->target_idx) { + ret = -ENOLINK; +- goto put_dev; ++ goto sock_llcp_put_local; + } + + llcp_sock->dev = dev; +- llcp_sock->local = nfc_llcp_local_get(local); ++ llcp_sock->local = local; + llcp_sock->ssap = nfc_llcp_get_local_ssap(local); + if (llcp_sock->ssap == LLCP_SAP_MAX) { + ret = -ENOMEM; +- goto sock_llcp_put_local; ++ goto sock_llcp_nullify; + } + + llcp_sock->reserved_ssap = llcp_sock->ssap; +@@ -759,11 +759,13 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, + sock_llcp_release: + nfc_llcp_put_ssap(local, llcp_sock->ssap); + +-sock_llcp_put_local: +- nfc_llcp_local_put(llcp_sock->local); ++sock_llcp_nullify: + llcp_sock->local = NULL; + llcp_sock->dev = NULL; + ++sock_llcp_put_local: ++ nfc_llcp_local_put(local); ++ + put_dev: + nfc_put_device(dev); + +diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c +index 66ab97131fd24..5b55466fe315a 100644 +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -1047,11 +1047,14 @@ static int nfc_genl_llc_get_params(struct sk_buff *skb, struct 
genl_info *info) + msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + if (!msg) { + rc = -ENOMEM; +- goto exit; ++ goto put_local; + } + + rc = nfc_genl_send_params(msg, local, info->snd_portid, info->snd_seq); + ++put_local: ++ nfc_llcp_local_put(local); ++ + exit: + device_unlock(&dev->dev); + +@@ -1113,7 +1116,7 @@ static int nfc_genl_llc_set_params(struct sk_buff *skb, struct genl_info *info) + if (info->attrs[NFC_ATTR_LLC_PARAM_LTO]) { + if (dev->dep_link_up) { + rc = -EINPROGRESS; +- goto exit; ++ goto put_local; + } + + local->lto = nla_get_u8(info->attrs[NFC_ATTR_LLC_PARAM_LTO]); +@@ -1125,6 +1128,9 @@ static int nfc_genl_llc_set_params(struct sk_buff *skb, struct genl_info *info) + if (info->attrs[NFC_ATTR_LLC_PARAM_MIUX]) + local->miux = cpu_to_be16(miux); + ++put_local: ++ nfc_llcp_local_put(local); ++ + exit: + device_unlock(&dev->dev); + +@@ -1180,7 +1186,7 @@ static int nfc_genl_llc_sdreq(struct sk_buff *skb, struct genl_info *info) + + if (rc != 0) { + rc = -EINVAL; +- goto exit; ++ goto put_local; + } + + if (!sdp_attrs[NFC_SDP_ATTR_URI]) +@@ -1199,7 +1205,7 @@ static int nfc_genl_llc_sdreq(struct sk_buff *skb, struct genl_info *info) + sdreq = nfc_llcp_build_sdreq_tlv(tid, uri, uri_len); + if (sdreq == NULL) { + rc = -ENOMEM; +- goto exit; ++ goto put_local; + } + + tlvs_len += sdreq->tlv_len; +@@ -1209,10 +1215,14 @@ static int nfc_genl_llc_sdreq(struct sk_buff *skb, struct genl_info *info) + + if (hlist_empty(&sdreq_list)) { + rc = -EINVAL; +- goto exit; ++ goto put_local; + } + + rc = nfc_llcp_send_snl_sdreq(local, &sdreq_list, tlvs_len); ++ ++put_local: ++ nfc_llcp_local_put(local); ++ + exit: + device_unlock(&dev->dev); + +diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h +index de2ec66d7e83a..0b1e6466f4fbf 100644 +--- a/net/nfc/nfc.h ++++ b/net/nfc/nfc.h +@@ -52,6 +52,7 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len); + u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len); + int 
nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb); + struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev); ++int nfc_llcp_local_put(struct nfc_llcp_local *local); + int __init nfc_llcp_init(void); + void nfc_llcp_exit(void); + void nfc_llcp_free_sdp_tlv(struct nfc_llcp_sdp_tlv *sdp); +-- +2.39.2 + diff --git a/tmp-5.4/net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch b/tmp-5.4/net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch new file mode 100644 index 00000000000..444d7006482 --- /dev/null +++ b/tmp-5.4/net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch 
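Review bot: In nfc_llcp_general_bytes() the added `nfc_llcp_local_put(local);` runs before `return local->gb;`, so the function hands back a pointer into an object whose reference it has just dropped. If a concurrent nfc_llcp_unregister_device() releases the last reference, the caller reads freed memory, which is the same class of bug this patch closes elsewhere. Unless every caller is guaranteed to hold the device lock while it uses the returned buffer (not visible in this hunk), the reference should be kept until the bytes are consumed, or the bytes copied out before the put. Separately, nfc_llcp_find_local() and nfc_llcp_remove_local() now take `llcp_devices_lock`, but the list insertion in nfc_llcp_register_device() is outside the hunk; it needs the same lock for the protection to hold.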
@@ -0,0 +1,73 @@ +From 730715f20176f04274e6b8733bb5664b25fef36d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Apr 2020 16:06:16 +0800 +Subject: net: Replace the limit of TCP_LINGER2 with TCP_FIN_TIMEOUT_MAX + +From: Cambda Zhu + +[ Upstream commit f0628c524fd188c3f9418e12478dfdfadacba815 ] + +This patch changes the behavior of TCP_LINGER2 about its limit. The +sysctl_tcp_fin_timeout used to be the limit of TCP_LINGER2 but now it's +only the default value. A new macro named TCP_FIN_TIMEOUT_MAX is added +as the limit of TCP_LINGER2, which is 2 minutes. + +Since TCP_LINGER2 used sysctl_tcp_fin_timeout as the default value +and the limit in the past, the system administrator cannot set the +default value for most of sockets and let some sockets have a greater +timeout. It might be a mistake that let the sysctl to be the limit of +the TCP_LINGER2. Maybe we can add a new sysctl to set the max of +TCP_LINGER2, but FIN-WAIT-2 timeout is usually no need to be too long +and 2 minutes are legal considering TCP specs. + +Changes in v3: +- Remove the new socket option and change the TCP_LINGER2 behavior so + that the timeout can be set to value between sysctl_tcp_fin_timeout + and 2 minutes. + +Changes in v2: +- Add int overflow check for the new socket option. + +Changes in v1: +- Add a new socket option to set timeout greater than + sysctl_tcp_fin_timeout. + +Signed-off-by: Cambda Zhu +Signed-off-by: David S. Miller +Stable-dep-of: 9df5335ca974 ("tcp: annotate data-races around tp->linger2") +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 1 + + net/ipv4/tcp.c | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 077feeca6c99e..2f456bed33ec3 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -125,6 +125,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo); + * to combine FIN-WAIT-2 timeout with + * TIME-WAIT timer. 
+ */ ++#define TCP_FIN_TIMEOUT_MAX (120 * HZ) /* max TCP_LINGER2 value (two minutes) */ + + #define TCP_DELACK_MAX ((unsigned)(HZ/5)) /* maximal time to delay before sending an ACK */ + #if HZ >= 100 +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index e33abcff56080..c6c73b9407098 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3067,8 +3067,8 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + case TCP_LINGER2: + if (val < 0) + tp->linger2 = -1; +- else if (val > net->ipv4.sysctl_tcp_fin_timeout / HZ) +- tp->linger2 = 0; ++ else if (val > TCP_FIN_TIMEOUT_MAX / HZ) ++ tp->linger2 = TCP_FIN_TIMEOUT_MAX; + else + tp->linger2 = val * HZ; + break; +-- +2.39.2 + diff --git a/tmp-5.4/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch b/tmp-5.4/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch new file mode 100644 index 00000000000..6ed9c657aa6 --- /dev/null +++ b/tmp-5.4/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch 
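Review bot: In the `TCP_LINGER2` case of do_tcp_setsockopt() the upper bound no longer depends on `net->ipv4.sysctl_tcp_fin_timeout`, so an administrator who lowers that sysctl to shed orphaned FIN-WAIT-2 sockets faster can no longer cap what an individual socket requests. Any process may now ask for up to `TCP_FIN_TIMEOUT_MAX` (120 s). Oversized values are also silently clamped to that maximum, where they previously set `tp->linger2` to 0. For a stable backport pulled in as a dependency this is a user-visible change and deserves a comment at the case, e.g. `/* clamp to TCP_FIN_TIMEOUT_MAX; the sysctl is only the default, not a limit */`, plus a matching note in the sysctl documentation. The function body continues outside the hunk.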
@@ -0,0 +1,57 @@
+From c6d4942bfabd5aa6bc717e23b0f0fa6a5fd3166f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Jul 2023 19:08:42 +0800
+Subject: net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX
+
+From: Lin Ma
+
+[ Upstream commit 30c45b5361d39b4b793780ffac5538090b9e2eb1 ]
+
+The attribute TCA_PEDIT_PARMS_EX is not be included in pedit_policy and
+one malicious user could fake a TCA_PEDIT_PARMS_EX whose length is
+smaller than the intended sizeof(struct tc_pedit). Hence, the
+dereference in tcf_pedit_init() could access dirty heap data.
+
+static int tcf_pedit_init(...)
+{
+ // ...
+ pattr = tb[TCA_PEDIT_PARMS]; // TCA_PEDIT_PARMS is included
+ if (!pattr)
+ pattr = tb[TCA_PEDIT_PARMS_EX]; // but this is not
+
+ // ...
+ parm = nla_data(pattr);
+
+ index = parm->index; // parm is able to be smaller than 4 bytes
+ // and this dereference gets dirty skb_buff
+ // data created in netlink_sendmsg
+}
+
+This commit adds TCA_PEDIT_PARMS_EX length in pedit_policy which avoid
+the above case, just like the TCA_PEDIT_PARMS.
+
+Fixes: 71d0ed7079df ("net/act_pedit: Support using offset relative to the conventional network headers")
+Signed-off-by: Lin Ma
+Reviewed-by: Pedro Tammela
+Link: https://lore.kernel.org/r/20230703110842.590282-1-linma@zju.edu.cn
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/sched/act_pedit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
+index f095a0fb75c6d..bf74f3f4c7522 100644
+--- a/net/sched/act_pedit.c
++++ b/net/sched/act_pedit.c
+@@ -26,6 +26,7 @@ static struct tc_action_ops act_pedit_ops;
+
+ static const struct nla_policy pedit_policy[TCA_PEDIT_MAX + 1] = {
+ [TCA_PEDIT_PARMS] = { .len = sizeof(struct tc_pedit) },
++ [TCA_PEDIT_PARMS_EX] = { .len = sizeof(struct tc_pedit) },
+ [TCA_PEDIT_KEYS_EX] = { .type = NLA_NESTED },
+ };
+
+--
+2.39.2
+
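Review bot: The added `[TCA_PEDIT_PARMS_EX] = { .len = sizeof(struct tc_pedit) }` entry has no `.type`, so it relies on the policy treating `.len` as a minimum payload length for an untyped attribute. That is what makes the later `nla_data()` dereference safe, but nothing in the table says so. A one-line comment above the two PARMS entries would keep the invariant visible, e.g. `/* .len is a minimum: guarantees a full struct tc_pedit before nla_data() is dereferenced */`. The minimum covers only the fixed header; the trailing key array sized by `nkeys` still has to be bounds-checked in tcf_pedit_init(), which is not part of this hunk.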
diff --git a/tmp-5.4/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch b/tmp-5.4/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch new file mode 100644 index 00000000000..61825887c73 --- /dev/null +++ b/tmp-5.4/net-sched-cls_fw-fix-improper-refcount-update-leads-.patch 
@@ -0,0 +1,62 @@
+From 1f32ffb150708bd9e10a0e84679ec8d6c3e7c3d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 5 Jul 2023 12:15:30 -0400
+Subject: net/sched: cls_fw: Fix improper refcount update leads to
+ use-after-free
+
+From: M A Ramdhan
+
+[ Upstream commit 0323bce598eea038714f941ce2b22541c46d488f ]
+
+In the event of a failure in tcf_change_indev(), fw_set_parms() will
+immediately return an error after incrementing or decrementing
+reference counter in tcf_bind_filter(). If attacker can control
+reference counter to zero and make reference freed, leading to
+use after free.
+
+In order to prevent this, move the point of possible failure above the
+point where the TC_FW_CLASSID is handled.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: M A Ramdhan
+Signed-off-by: M A Ramdhan
+Acked-by: Jamal Hadi Salim
+Reviewed-by: Pedro Tammela
+Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_fw.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
+index ec945294626a8..41f0898a5a565 100644
+--- a/net/sched/cls_fw.c
++++ b/net/sched/cls_fw.c
+@@ -210,11 +210,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
+ if (err < 0)
+ return err;
+
+- if (tb[TCA_FW_CLASSID]) {
+- f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
+- tcf_bind_filter(tp, &f->res, base);
+- }
+-
+ if (tb[TCA_FW_INDEV]) {
+ int ret;
+ ret = tcf_change_indev(net, tb[TCA_FW_INDEV], extack);
+@@ -231,6 +226,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
+ } else if (head->mask != 0xFFFFFFFF)
+ return err;
+
++ if (tb[TCA_FW_CLASSID]) {
++ f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
++ tcf_bind_filter(tp, &f->res, base);
++ }
++
+ return 0;
+ }
+
+--
+2.39.2
+
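Review bot: The fix in fw_set_parms() depends purely on statement order: `tcf_bind_filter()` must stay after every `return err` path, and the relocated block carries no comment saying so. A later change could add a fallible step below it and reintroduce the unbalanced bind. I would add above the moved block: `/* Bind last: nothing after tcf_bind_filter() may fail, the error returns above do not unbind. */`. Whether the caller undoes a bind on failure is not visible here, so the wording should be confirmed against the caller. The start of fw_set_parms() is outside the hunk.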
diff --git a/tmp-5.4/net-sched-flower-ensure-both-minimum-and-maximum-por.patch b/tmp-5.4/net-sched-flower-ensure-both-minimum-and-maximum-por.patch
new file mode 100644
index 00000000000..845219a596c
--- /dev/null
+++ b/tmp-5.4/net-sched-flower-ensure-both-minimum-and-maximum-por.patch
@@ -0,0 +1,82 @@
+From f0e4752295b946e7bf100b3dd10d2626968e66f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Jul 2023 10:08:09 +0300
+Subject: net/sched: flower: Ensure both minimum and maximum ports are
+ specified
+
+From: Ido Schimmel
+
+[ Upstream commit d3f87278bcb80bd7f9519669d928b43320363d4f ]
+
+The kernel does not currently validate that both the minimum and maximum
+ports of a port range are specified. This can lead user space to think
+that a filter matching on a port range was successfully added, when in
+fact it was not. For example, with a patched (buggy) iproute2 that only
+sends the minimum port, the following commands do not return an error:
+
+ # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp src_port 100-200 action pass
+
+ # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp dst_port 100-200 action pass
+
+ # tc filter show dev swp1 ingress
+ filter protocol ip pref 1 flower chain 0
+ filter protocol ip pref 1 flower chain 0 handle 0x1
+ eth_type ipv4
+ ip_proto udp
+ not_in_hw
+ action order 1: gact action pass
+ random type none pass val 0
+ index 1 ref 1 bind 1
+
+ filter protocol ip pref 1 flower chain 0 handle 0x2
+ eth_type ipv4
+ ip_proto udp
+ not_in_hw
+ action order 1: gact action pass
+ random type none pass val 0
+ index 2 ref 1 bind 1
+
+Fix by returning an error unless both ports are specified:
+
+ # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp src_port 100-200 action pass
+ Error: Both min and max source ports must be specified.
+ We have an error talking to the kernel
+
+ # tc filter add dev swp1 ingress pref 1 proto ip flower ip_proto udp dst_port 100-200 action pass
+ Error: Both min and max destination ports must be specified.
+ We have an error talking to the kernel
+
+Fixes: 5c72299fba9d ("net: sched: cls_flower: Classify packets using port ranges")
+Signed-off-by: Ido Schimmel
+Reviewed-by: Petr Machata
+Acked-by: Jamal Hadi Salim
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_flower.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
+index f0010e4850eb6..c92318f68f92d 100644
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -735,6 +735,16 @@ static int fl_set_key_port_range(struct nlattr **tb, struct fl_flow_key *key,
+ TCA_FLOWER_KEY_PORT_SRC_MAX, &mask->tp_range.tp_max.src,
+ TCA_FLOWER_UNSPEC, sizeof(key->tp_range.tp_max.src));
+
++ if (mask->tp_range.tp_min.dst != mask->tp_range.tp_max.dst) {
++ NL_SET_ERR_MSG(extack,
++ "Both min and max destination ports must be specified");
++ return -EINVAL;
++ }
++ if (mask->tp_range.tp_min.src != mask->tp_range.tp_max.src) {
++ NL_SET_ERR_MSG(extack,
++ "Both min and max source ports must be specified");
++ return -EINVAL;
++ }
+ if (mask->tp_range.tp_min.dst && mask->tp_range.tp_max.dst &&
+ htons(key->tp_range.tp_max.dst) <=
+ htons(key->tp_range.tp_min.dst)) {
+--
+2.39.2
+
diff --git a/tmp-5.4/net-sched-make-psched_mtu-rtnl-less-safe.patch b/tmp-5.4/net-sched-make-psched_mtu-rtnl-less-safe.patch
new file mode 100644
index 00000000000..eb049a499cb
--- /dev/null
+++ b/tmp-5.4/net-sched-make-psched_mtu-rtnl-less-safe.patch
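Review bot: The two added checks in fl_set_key_port_range() compare the min and max masks instead of testing whether the attributes were supplied, and nothing in the hunk says why unequal masks mean a missing port. That only holds if each mask is zero when its attribute is absent and takes one fixed non-zero value when present, which the `TCA_FLOWER_UNSPEC` mask argument in the context lines suggests but does not show. I would add `/* A mask is presumably 0 when its attribute is absent, so unequal min/max masks mean only one end of the range was sent. */` above the first check, after confirming it against the setter. The function starts and continues outside the hunk.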
@@ -0,0 +1,49 @@
+From 9b66de5361a5a5387ec152b9d37fceb56fee8dca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Jul 2023 23:16:34 -0300
+Subject: net/sched: make psched_mtu() RTNL-less safe
+
+From: Pedro Tammela
+
+[ Upstream commit 150e33e62c1fa4af5aaab02776b6c3812711d478 ]
+
+Eric Dumazet says[1]:
+-------
+Speaking of psched_mtu(), I see that net/sched/sch_pie.c is using it
+without holding RTNL, so dev->mtu can be changed underneath.
+KCSAN could issue a warning.
+-------
+
+Annotate dev->mtu with READ_ONCE() so KCSAN don't issue a warning.
+
+[1] https://lore.kernel.org/all/CANn89iJoJO5VtaJ-2=_d2aOQhb0Xw8iBT_Cxqp2HyuS-zj6azw@mail.gmail.com/
+
+v1 -> v2: Fix commit message
+
+Fixes: d4b36210c2e6 ("net: pkt_sched: PIE AQM scheme")
+Suggested-by: Eric Dumazet
+Signed-off-by: Pedro Tammela
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230711021634.561598-1-pctammela@mojatatu.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/pkt_sched.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h
+index 2d932834ed5bf..fd99650a2e229 100644
+--- a/include/net/pkt_sched.h
++++ b/include/net/pkt_sched.h
+@@ -131,7 +131,7 @@ extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1];
+ */
+ static inline unsigned int psched_mtu(const struct net_device *dev)
+ {
+- return dev->mtu + dev->hard_header_len;
++ return READ_ONCE(dev->mtu) + dev->hard_header_len;
+ }
+
+ static inline struct net *qdisc_net(struct Qdisc *q)
+--
+2.39.2
+
diff --git a/tmp-5.4/netfilter-add-helper-function-to-set-up-the-nfnetlink-header-and-use-it.patch b/tmp-5.4/netfilter-add-helper-function-to-set-up-the-nfnetlink-header-and-use-it.patch
new file mode 100644
index 00000000000..9161a221c76
--- /dev/null
+++ b/tmp-5.4/netfilter-add-helper-function-to-set-up-the-nfnetlink-header-and-use-it.patch
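Review bot: Only `dev->mtu` is wrapped in `READ_ONCE()` in psched_mtu(); `dev->hard_header_len` on the same line is still a plain load. If that field can also be written while the caller does not hold RTNL, which this header does not show, the same KCSAN report would apply to it and the line would read `return READ_ONCE(dev->mtu) + READ_ONCE(dev->hard_header_len);`. The annotation also pairs up only if the writer of `dev->mtu` uses `WRITE_ONCE()`, and that writer is outside this patch.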
@@ -0,0 +1,707 @@ +From stable-owner@vger.kernel.org Wed Jul 5 18:54:56 2023 +From: Pablo Neira Ayuso +Date: Wed, 5 Jul 2023 18:54:16 +0200 +Subject: netfilter: add helper function to set up the nfnetlink header and use it +To: netfilter-devel@vger.kernel.org +Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org +Message-ID: <20230705165423.50054-4-pablo@netfilter.org> + +From: Pablo Neira Ayuso + +[ 19c28b1374fb1073a9ec873a6c10bf5f16b10b9d ] + +This patch adds a helper function to set up the netlink and nfnetlink headers. +Update existing codebase to use it. + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/netfilter/nfnetlink.h | 27 +++++++++ + net/netfilter/ipset/ip_set_core.c | 17 +---- + net/netfilter/nf_conntrack_netlink.c | 77 +++++++------------------- + net/netfilter/nf_tables_api.c | 102 +++++++++-------------------------- + net/netfilter/nf_tables_trace.c | 9 --- + net/netfilter/nfnetlink_acct.c | 11 +-- + net/netfilter/nfnetlink_cthelper.c | 11 +-- + net/netfilter/nfnetlink_cttimeout.c | 22 ++----- + net/netfilter/nfnetlink_log.c | 11 +-- + net/netfilter/nfnetlink_queue.c | 12 +--- + net/netfilter/nft_compat.c | 11 +-- + 11 files changed, 102 insertions(+), 208 deletions(-) + +--- a/include/linux/netfilter/nfnetlink.h ++++ b/include/linux/netfilter/nfnetlink.h +@@ -56,6 +56,33 @@ static inline u16 nfnl_msg_type(u8 subsy + return subsys << 8 | msg_type; + } + ++static inline void nfnl_fill_hdr(struct nlmsghdr *nlh, u8 family, u8 version, ++ __be16 res_id) ++{ ++ struct nfgenmsg *nfmsg; ++ ++ nfmsg = nlmsg_data(nlh); ++ nfmsg->nfgen_family = family; ++ nfmsg->version = version; ++ nfmsg->res_id = res_id; ++} ++ ++static inline struct nlmsghdr *nfnl_msg_put(struct sk_buff *skb, u32 portid, ++ u32 seq, int type, int flags, ++ u8 family, u8 version, ++ __be16 res_id) ++{ ++ struct nlmsghdr *nlh; ++ ++ nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags); ++ if (!nlh) ++ return 
NULL; ++ ++ nfnl_fill_hdr(nlh, family, version, res_id); ++ ++ return nlh; ++} ++ + void nfnl_lock(__u8 subsys_id); + void nfnl_unlock(__u8 subsys_id); + #ifdef CONFIG_PROVE_LOCKING +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -811,20 +811,9 @@ static struct nlmsghdr * + start_msg(struct sk_buff *skb, u32 portid, u32 seq, unsigned int flags, + enum ipset_cmd cmd) + { +- struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; +- +- nlh = nlmsg_put(skb, portid, seq, nfnl_msg_type(NFNL_SUBSYS_IPSET, cmd), +- sizeof(*nfmsg), flags); +- if (!nlh) +- return NULL; +- +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = NFPROTO_IPV4; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- +- return nlh; ++ return nfnl_msg_put(skb, portid, seq, ++ nfnl_msg_type(NFNL_SUBSYS_IPSET, cmd), flags, ++ NFPROTO_IPV4, NFNETLINK_V0, 0); + } + + /* Create a set */ +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -515,20 +515,15 @@ ctnetlink_fill_info(struct sk_buff *skb, + { + const struct nf_conntrack_zone *zone; + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + struct nlattr *nest_parms; + unsigned int flags = portid ? 
NLM_F_MULTI : 0, event; + + event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, nf_ct_l3num(ct), ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = nf_ct_l3num(ct); +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + zone = nf_ct_zone(ct); + + nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG); +@@ -685,7 +680,6 @@ ctnetlink_conntrack_event(unsigned int e + const struct nf_conntrack_zone *zone; + struct net *net; + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + struct nlattr *nest_parms; + struct nf_conn *ct = item->ct; + struct sk_buff *skb; +@@ -715,15 +709,11 @@ ctnetlink_conntrack_event(unsigned int e + goto errout; + + type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type); +- nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, nf_ct_l3num(ct), ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = nf_ct_l3num(ct); +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + zone = nf_ct_zone(ct); + + nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG); +@@ -2200,20 +2190,15 @@ ctnetlink_ct_stat_cpu_fill_info(struct s + __u16 cpu, const struct ip_conntrack_stat *st) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? 
NLM_F_MULTI : 0, event; + + event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, + IPCTNL_MSG_CT_GET_STATS_CPU); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, ++ NFNETLINK_V0, htons(cpu)); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(cpu); +- + if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) || + nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) || + nla_put_be32(skb, CTA_STATS_IGNORE, htonl(st->ignore)) || +@@ -2284,20 +2269,15 @@ ctnetlink_stat_ct_fill_info(struct sk_bu + struct net *net) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? NLM_F_MULTI : 0, event; + unsigned int nr_conntracks = atomic_read(&net->ct.count); + + event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks))) + goto nla_put_failure; + +@@ -2803,19 +2783,14 @@ ctnetlink_exp_fill_info(struct sk_buff * + int event, const struct nf_conntrack_expect *exp) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? 
NLM_F_MULTI : 0; + + event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, ++ exp->tuple.src.l3num, NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = exp->tuple.src.l3num; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (ctnetlink_exp_dump_expect(skb, exp) < 0) + goto nla_put_failure; + +@@ -2835,7 +2810,6 @@ ctnetlink_expect_event(unsigned int even + struct nf_conntrack_expect *exp = item->exp; + struct net *net = nf_ct_exp_net(exp); + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + struct sk_buff *skb; + unsigned int type, group; + int flags = 0; +@@ -2858,15 +2832,11 @@ ctnetlink_expect_event(unsigned int even + goto errout; + + type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type); +- nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, ++ exp->tuple.src.l3num, NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = exp->tuple.src.l3num; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (ctnetlink_exp_dump_expect(skb, exp) < 0) + goto nla_put_failure; + +@@ -3436,20 +3406,15 @@ ctnetlink_exp_stat_fill_info(struct sk_b + const struct ip_conntrack_stat *st) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? 
NLM_F_MULTI : 0, event; + + event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, + IPCTNL_MSG_EXP_GET_STATS_CPU); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, ++ NFNETLINK_V0, htons(cpu)); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(cpu); +- + if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) || + nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) || + nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete))) +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -605,18 +605,13 @@ static int nf_tables_fill_table_info(str + int family, const struct nft_table *table) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + + event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, ++ NFNETLINK_V0, nft_base_seq(net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(net); +- + if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) || + nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) || + nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)) || +@@ -1269,18 +1264,13 @@ static int nf_tables_fill_chain_info(str + const struct nft_chain *chain) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + + event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, ++ NFNETLINK_V0, nft_base_seq(net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- 
nfmsg->nfgen_family = family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(net); +- + if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name)) + goto nla_put_failure; + if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle), +@@ -2359,20 +2349,15 @@ static int nf_tables_fill_rule_info(stru + const struct nft_rule *prule) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + const struct nft_expr *expr, *next; + struct nlattr *list; + u16 type = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); + +- nlh = nlmsg_put(skb, portid, seq, type, sizeof(struct nfgenmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, type, flags, family, NFNETLINK_V0, ++ nft_base_seq(net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(net); +- + if (nla_put_string(skb, NFTA_RULE_TABLE, table->name)) + goto nla_put_failure; + if (nla_put_string(skb, NFTA_RULE_CHAIN, chain->name)) +@@ -3315,23 +3300,17 @@ __be64 nf_jiffies64_to_msecs(u64 input) + static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx, + const struct nft_set *set, u16 event, u16 flags) + { +- struct nfgenmsg *nfmsg; + struct nlmsghdr *nlh; + struct nlattr *desc; + u32 portid = ctx->portid; + u32 seq = ctx->seq; + + event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), +- flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, ++ NFNETLINK_V0, nft_base_seq(ctx->net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = ctx->family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(ctx->net); +- + if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) + goto nla_put_failure; + if (nla_put_string(skb, NFTA_SET_NAME, set->name)) +@@ -4144,7 +4123,6 @@ static int 
nf_tables_dump_set(struct sk_ + struct nft_set *set; + struct nft_set_dump_args args; + bool set_found = false; +- struct nfgenmsg *nfmsg; + struct nlmsghdr *nlh; + struct nlattr *nest; + u32 portid, seq; +@@ -4177,16 +4155,11 @@ static int nf_tables_dump_set(struct sk_ + portid = NETLINK_CB(cb->skb).portid; + seq = cb->nlh->nlmsg_seq; + +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), +- NLM_F_MULTI); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, NLM_F_MULTI, ++ table->family, NFNETLINK_V0, nft_base_seq(net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = table->family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(net); +- + if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name)) + goto nla_put_failure; + if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name)) +@@ -4243,22 +4216,16 @@ static int nf_tables_fill_setelem_info(s + const struct nft_set *set, + const struct nft_set_elem *elem) + { +- struct nfgenmsg *nfmsg; + struct nlmsghdr *nlh; + struct nlattr *nest; + int err; + + event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), +- flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, ctx->family, ++ NFNETLINK_V0, nft_base_seq(ctx->net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = ctx->family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(ctx->net); +- + if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name)) + goto nla_put_failure; + if (nla_put_string(skb, NFTA_SET_NAME, set->name)) +@@ -5377,19 +5344,14 @@ static int nf_tables_fill_obj_info(struc + int family, const struct nft_table *table, + struct nft_object *obj, bool reset) + { +- struct nfgenmsg *nfmsg; + struct nlmsghdr *nlh; + + event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); +- nlh = nlmsg_put(skb, portid, seq, 
event, sizeof(struct nfgenmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, ++ NFNETLINK_V0, nft_base_seq(net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(net); +- + if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) || + nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) || + nla_put_be32(skb, NFTA_OBJ_TYPE, htonl(obj->ops->type->type)) || +@@ -6052,20 +6014,15 @@ static int nf_tables_fill_flowtable_info + struct nft_flowtable *flowtable) + { + struct nlattr *nest, *nest_devs; +- struct nfgenmsg *nfmsg; + struct nlmsghdr *nlh; + int i; + + event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, ++ NFNETLINK_V0, nft_base_seq(net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(net); +- + if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) || + nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) || + nla_put_be32(skb, NFTA_FLOWTABLE_USE, htonl(flowtable->use)) || +@@ -6291,19 +6248,14 @@ static int nf_tables_fill_gen_info(struc + u32 portid, u32 seq) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + char buf[TASK_COMM_LEN]; + int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); + +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, 0, AF_UNSPEC, ++ NFNETLINK_V0, nft_base_seq(net)); ++ if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = nft_base_seq(net); +- + if (nla_put_be32(skb, NFTA_GEN_ID, 
htonl(net->nft.base_seq)) || + nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || + nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) +--- a/net/netfilter/nf_tables_trace.c ++++ b/net/netfilter/nf_tables_trace.c +@@ -183,7 +183,6 @@ static bool nft_trace_have_verdict_chain + void nft_trace_notify(struct nft_traceinfo *info) + { + const struct nft_pktinfo *pkt = info->pkt; +- struct nfgenmsg *nfmsg; + struct nlmsghdr *nlh; + struct sk_buff *skb; + unsigned int size; +@@ -219,15 +218,11 @@ void nft_trace_notify(struct nft_tracein + return; + + event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_TRACE); +- nlh = nlmsg_put(skb, 0, 0, event, sizeof(struct nfgenmsg), 0); ++ nlh = nfnl_msg_put(skb, 0, 0, event, 0, info->basechain->type->family, ++ NFNETLINK_V0, 0); + if (!nlh) + goto nla_put_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = info->basechain->type->family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (nla_put_be32(skb, NFTA_TRACE_NFPROTO, htonl(nft_pf(pkt)))) + goto nla_put_failure; + +--- a/net/netfilter/nfnetlink_acct.c ++++ b/net/netfilter/nfnetlink_acct.c +@@ -132,21 +132,16 @@ nfnl_acct_fill_info(struct sk_buff *skb, + int event, struct nf_acct *acct) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? 
NLM_F_MULTI : 0; + u64 pkts, bytes; + u32 old_flags; + + event = nfnl_msg_type(NFNL_SUBSYS_ACCT, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (nla_put_string(skb, NFACCT_NAME, acct->name)) + goto nla_put_failure; + +--- a/net/netfilter/nfnetlink_cthelper.c ++++ b/net/netfilter/nfnetlink_cthelper.c +@@ -530,20 +530,15 @@ nfnl_cthelper_fill_info(struct sk_buff * + int event, struct nf_conntrack_helper *helper) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? NLM_F_MULTI : 0; + int status; + + event = nfnl_msg_type(NFNL_SUBSYS_CTHELPER, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (nla_put_string(skb, NFCTH_NAME, helper->name)) + goto nla_put_failure; + +--- a/net/netfilter/nfnetlink_cttimeout.c ++++ b/net/netfilter/nfnetlink_cttimeout.c +@@ -160,22 +160,17 @@ ctnl_timeout_fill_info(struct sk_buff *s + int event, struct ctnl_timeout *timeout) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? 
NLM_F_MULTI : 0; + const struct nf_conntrack_l4proto *l4proto = timeout->timeout.l4proto; + struct nlattr *nest_parms; + int ret; + + event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_TIMEOUT, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (nla_put_string(skb, CTA_TIMEOUT_NAME, timeout->name) || + nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, + htons(timeout->timeout.l3num)) || +@@ -382,21 +377,16 @@ cttimeout_default_fill_info(struct net * + const unsigned int *timeouts) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? NLM_F_MULTI : 0; + struct nlattr *nest_parms; + int ret; + + event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_TIMEOUT, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = AF_UNSPEC; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, htons(l3num)) || + nla_put_u8(skb, CTA_TIMEOUT_L4PROTO, l4proto->l4proto)) + goto nla_put_failure; +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -452,20 +452,15 @@ __build_packet_message(struct nfnl_log_n + { + struct nfulnl_msg_packet_hdr pmsg; + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + sk_buff_data_t old_tail = inst->skb->tail; + struct sock *sk; + const unsigned char *hwhdrp; + +- nlh = nlmsg_put(inst->skb, 0, 0, +- nfnl_msg_type(NFNL_SUBSYS_ULOG, NFULNL_MSG_PACKET), +- sizeof(struct nfgenmsg), 0); ++ nlh = nfnl_msg_put(inst->skb, 0, 0, ++ nfnl_msg_type(NFNL_SUBSYS_ULOG, NFULNL_MSG_PACKET), ++ 
0, pf, NFNETLINK_V0, htons(inst->group_num)); + if (!nlh) + return -1; +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = pf; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(inst->group_num); + + memset(&pmsg, 0, sizeof(pmsg)); + pmsg.hw_protocol = skb->protocol; +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -383,7 +383,6 @@ nfqnl_build_packet_message(struct net *n + struct nlattr *nla; + struct nfqnl_msg_packet_hdr *pmsg; + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + struct sk_buff *entskb = entry->skb; + struct net_device *indev; + struct net_device *outdev; +@@ -469,18 +468,15 @@ nfqnl_build_packet_message(struct net *n + goto nlmsg_failure; + } + +- nlh = nlmsg_put(skb, 0, 0, +- nfnl_msg_type(NFNL_SUBSYS_QUEUE, NFQNL_MSG_PACKET), +- sizeof(struct nfgenmsg), 0); ++ nlh = nfnl_msg_put(skb, 0, 0, ++ nfnl_msg_type(NFNL_SUBSYS_QUEUE, NFQNL_MSG_PACKET), ++ 0, entry->state.pf, NFNETLINK_V0, ++ htons(queue->queue_num)); + if (!nlh) { + skb_tx_error(entskb); + kfree_skb(skb); + goto nlmsg_failure; + } +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = entry->state.pf; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = htons(queue->queue_num); + + nla = __nla_reserve(skb, NFQA_PACKET_HDR, sizeof(*pmsg)); + pmsg = nla_data(nla); +--- a/net/netfilter/nft_compat.c ++++ b/net/netfilter/nft_compat.c +@@ -591,19 +591,14 @@ nfnl_compat_fill_info(struct sk_buff *sk + int rev, int target) + { + struct nlmsghdr *nlh; +- struct nfgenmsg *nfmsg; + unsigned int flags = portid ? 
NLM_F_MULTI : 0; + + event = nfnl_msg_type(NFNL_SUBSYS_NFT_COMPAT, event); +- nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); +- if (nlh == NULL) ++ nlh = nfnl_msg_put(skb, portid, seq, event, flags, family, ++ NFNETLINK_V0, 0); ++ if (!nlh) + goto nlmsg_failure; + +- nfmsg = nlmsg_data(nlh); +- nfmsg->nfgen_family = family; +- nfmsg->version = NFNETLINK_V0; +- nfmsg->res_id = 0; +- + if (nla_put_string(skb, NFTA_COMPAT_NAME, name) || + nla_put_be32(skb, NFTA_COMPAT_REV, htonl(rev)) || + nla_put_be32(skb, NFTA_COMPAT_TYPE, htonl(target))) diff --git a/tmp-5.4/netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch b/tmp-5.4/netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch new file mode 100644 index 00000000000..0ae4479e562 --- /dev/null +++ b/tmp-5.4/netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch 
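Review bot: `nfnl_fill_hdr()` and `nfnl_msg_put()` are added to include/linux/netfilter/nfnetlink.h without any comment, although every converted caller now depends on two implicit contracts. `res_id` is stored exactly as passed, so it must already be in network byte order, and `nfnl_msg_put()` returns NULL when `nlmsg_put()` fails, so the result has to be checked before use. A short kernel-doc block above `nfnl_msg_put()` stating both would make that explicit. The `__be16` parameter type lets sparse flag a host-order argument; the nf_tables call sites pass `nft_base_seq(...)`, whose return type is not visible in this patch and is worth confirming.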
@@ -0,0 +1,51 @@
+From 6eef7a2b933885a17679eb8ed0796ddf0ee5309b Mon Sep 17 00:00:00 2001
+From: Florent Revest
+Date: Mon, 3 Jul 2023 16:52:16 +0200
+Subject: netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
+
+From: Florent Revest
+
+commit 6eef7a2b933885a17679eb8ed0796ddf0ee5309b upstream.
+
+If nf_conntrack_init_start() fails (for example due to a
+register_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini()
+clean-up path frees the nf_ct_helper_hash map.
+
+When built with NF_CONNTRACK=y, further netfilter modules (e.g:
+netfilter_conntrack_ftp) can still be loaded and call
+nf_conntrack_helpers_register(), independently of whether nf_conntrack
+initialized correctly. This accesses the nf_ct_helper_hash dangling
+pointer and causes a uaf, possibly leading to random memory corruption.
+
+This patch guards nf_conntrack_helper_register() from accessing a freed
+or uninitialized nf_ct_helper_hash pointer and fixes possible
+uses-after-free when loading a conntrack module.
+
+Cc: stable@vger.kernel.org
+Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
+Signed-off-by: Florent Revest
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_conntrack_helper.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/nf_conntrack_helper.c
++++ b/net/netfilter/nf_conntrack_helper.c
+@@ -404,6 +404,9 @@ int nf_conntrack_helper_register(struct
+ BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
+ BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1);
+
++ if (!nf_ct_helper_hash)
++ return -ENOENT;
++
+ if (me->expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT)
+ return -EINVAL;
+
+@@ -587,4 +590,5 @@ void nf_conntrack_helper_fini(void)
+ {
+ nf_ct_extend_unregister(&helper_extend);
+ kvfree(nf_ct_helper_hash);
++ nf_ct_helper_hash = NULL;
+ }
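Review bot: The new `if (!nf_ct_helper_hash) return -ENOENT;` in nf_conntrack_helper_register() is a plain read of a pointer that nf_conntrack_helper_fini() frees and then clears, and neither hunk shows what orders the two. If registration can only follow a failed init, as the commit message describes, the check is sufficient, but the code should say so, e.g. `/* NULL if conntrack init failed or after fini: refuse rather than touch a freed table. */` above the test. Other users of `nf_ct_helper_hash`, such as the lookup and unregister paths, are outside the hunks and are worth checking for the same guard. The rest of nf_conntrack_helper_register() is not visible here.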
diff --git a/tmp-5.4/netfilter-conntrack-dccp-copy-entire-header-to-stack.patch b/tmp-5.4/netfilter-conntrack-dccp-copy-entire-header-to-stack.patch
new file mode 100644
index 00000000000..4ce560ffbbd
--- /dev/null
+++ b/tmp-5.4/netfilter-conntrack-dccp-copy-entire-header-to-stack.patch
@@ -0,0 +1,149 @@
+From d5a7c6ca8c18a86b6c52b8ab4093950930df3d5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jun 2023 17:56:53 +0200
+Subject: netfilter: conntrack: dccp: copy entire header to stack buffer, not
+ just basic one
+
+From: Florian Westphal
+
+[ Upstream commit ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30 ]
+
+Eric Dumazet says:
+ nf_conntrack_dccp_packet() has an unique:
+
+ dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
+
+ And nothing more is 'pulled' from the packet, depending on the content.
+ dh->dccph_doff, and/or dh->dccph_x ...)
+ So dccp_ack_seq() is happily reading stuff past the _dh buffer.
+
+BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0
+Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371
+[..]
+
+Fix this by increasing the stack buffer to also include room for
+the extra sequence numbers and all the known dccp packet type headers,
+then pull again after the initial validation of the basic header.
+
+While at it, mark packets invalid that lack 48bit sequence bit but
+where RFC says the type MUST use them.
+
+Compile tested only.
+
+v2: first skb_header_pointer() now needs to adjust the size to
+ only pull the generic header. (Eric)
+
+Heads-up: I intend to remove dccp conntrack support later this year.
+
+Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support")
+Reported-by: Eric Dumazet
+Signed-off-by: Florian Westphal
+Reviewed-by: Eric Dumazet
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_proto_dccp.c | 52 +++++++++++++++++++++++--
+ 1 file changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
+index b3f4a334f9d78..67b8dedef2935 100644
+--- a/net/netfilter/nf_conntrack_proto_dccp.c
++++ b/net/netfilter/nf_conntrack_proto_dccp.c
+@@ -430,9 +430,19 @@ static bool dccp_error(const struct dccp_hdr *dh,
+ struct sk_buff *skb, unsigned int dataoff,
+ const struct nf_hook_state *state)
+ {
++ static const unsigned long require_seq48 = 1 << DCCP_PKT_REQUEST |
++ 1 << DCCP_PKT_RESPONSE |
++ 1 << DCCP_PKT_CLOSEREQ |
++ 1 << DCCP_PKT_CLOSE |
++ 1 << DCCP_PKT_RESET |
++ 1 << DCCP_PKT_SYNC |
++ 1 << DCCP_PKT_SYNCACK;
+ unsigned int dccp_len = skb->len - dataoff;
+ unsigned int cscov;
+ const char *msg;
++ u8 type;
++
++ BUILD_BUG_ON(DCCP_PKT_INVALID >= BITS_PER_LONG);
+
+ if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) ||
+ dh->dccph_doff * 4 > dccp_len) {
+@@ -457,10 +467,17 @@ static bool dccp_error(const struct dccp_hdr *dh,
+ goto out_invalid;
+ }
+
+- if (dh->dccph_type >= DCCP_PKT_INVALID) {
++ type = dh->dccph_type;
++ if (type >= DCCP_PKT_INVALID) {
+ msg = "nf_ct_dccp: reserved packet type ";
+ goto out_invalid;
+ }
++
++ if (test_bit(type, &require_seq48) && !dh->dccph_x) {
++ msg = "nf_ct_dccp: type lacks 48bit sequence numbers";
++ goto out_invalid;
++ }
++
+ return false;
+ out_invalid:
+ nf_l4proto_log_invalid(skb, state->net, state->pf,
+@@ -468,24 +485,53 @@ static bool dccp_error(const struct dccp_hdr *dh,
+ return true;
+ }
+
++struct nf_conntrack_dccp_buf {
++ struct dccp_hdr dh; /* generic header part */
++ struct dccp_hdr_ext ext; /* optional depending dh->dccph_x */
++ union { /* depends on header type */
++ struct dccp_hdr_ack_bits ack;
++ struct dccp_hdr_request req;
++ struct dccp_hdr_response response;
++ struct dccp_hdr_reset rst;
++ } u;
++};
++
++static struct dccp_hdr *
++dccp_header_pointer(const struct sk_buff *skb, int offset, const struct dccp_hdr *dh,
++ struct nf_conntrack_dccp_buf *buf)
++{
++ unsigned int hdrlen = __dccp_hdr_len(dh);
++
++ if (hdrlen > sizeof(*buf))
++ return NULL;
++
++ return skb_header_pointer(skb, offset, hdrlen, buf);
++}
++
+ int nf_conntrack_dccp_packet(struct nf_conn *ct, struct sk_buff *skb,
+ unsigned int dataoff,
+ enum ip_conntrack_info ctinfo,
+ const struct nf_hook_state *state)
+ {
+ enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+- struct dccp_hdr _dh, *dh;
++ struct nf_conntrack_dccp_buf _dh;
+ u_int8_t type, old_state, new_state;
+ enum ct_dccp_roles role;
+ unsigned int *timeouts;
++ struct dccp_hdr *dh;
+
+- dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);
++ dh = skb_header_pointer(skb, dataoff, sizeof(*dh), &_dh.dh);
+ if (!dh)
+ return NF_DROP;
+
+ if (dccp_error(dh, skb, dataoff, state))
+ return -NF_ACCEPT;
+
++ /* pull again, including possible 48 bit sequences and subtype header */
++ dh = dccp_header_pointer(skb, dataoff, dh, &_dh);
++ if (!dh)
++ return NF_DROP;
++
+ type = dh->dccph_type;
+ if (!nf_ct_is_confirmed(ct) && !dccp_new(ct, skb, dh))
+ return -NF_ACCEPT;
+--
+2.39.2
+
diff --git a/tmp-5.4/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch b/tmp-5.4/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch
new file mode 100644
index 00000000000..7555dff7838
--- /dev/null
+++ b/tmp-5.4/netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch
@@ -0,0 +1,53 @@
+From b74a41236526cab841834be8c60c4dcace27e7ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Jun 2023 11:23:46 +0000
+Subject: netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param()
+ return value.
+
+From: Ilia.Gavrilov
+
+[ Upstream commit f188d30087480eab421cd8ca552fb15f55d57f4d ]
+
+ct_sip_parse_numerical_param() returns only 0 or 1 now.
+But process_register_request() and process_register_response() imply
+checking for a negative value if parsing of a numerical header parameter
+failed.
+The invocation in nf_nat_sip() looks correct:
+ if (ct_sip_parse_numerical_param(...) > 0 &&
+ ...) { ... }
+
+Make the return value of the function ct_sip_parse_numerical_param()
+a tristate to fix all the cases
+a) return 1 if value is found; *val is set
+b) return 0 if value is not found; *val is unchanged
+c) return -1 on error; *val is undefined
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: 0f32a40fc91a ("[NETFILTER]: nf_conntrack_sip: create signalling expectations")
+Signed-off-by: Ilia.Gavrilov
+Reviewed-by: Simon Horman
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_conntrack_sip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
+index 78fd9122b70c7..751df19fe0f8a 100644
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -611,7 +611,7 @@ int ct_sip_parse_numerical_param(const struct nf_conn *ct, const char *dptr,
+ start += strlen(name);
+ *val = simple_strtoul(start, &end, 0);
+ if (start == end)
+- return 0;
++ return -1;
+ if (matchoff && matchlen) {
+ *matchoff = start - dptr;
+ *matchlen = end - start;
+--
+2.39.2
+
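Review bot: The tristate contract this change gives ct_sip_parse_numerical_param() is recorded only in the commit message, and the new `return -1` is reached after `*val = simple_strtoul(start, &end, 0);` has already stored into `*val`. A comment above the function should state the contract, e.g. `/* Returns 1 if found (*val set), 0 if absent (*val untouched), -1 on malformed value (*val undefined) */`, so that callers parsing untrusted SIP headers never consume `*val` after a negative return. simple_strtoul() also performs no overflow check, so an over-long digit string is still accepted as a value; if callers depend on the range, that needs its own check. The function body starts and ends outside the hunk.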
diff --git a/tmp-5.4/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch b/tmp-5.4/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch new file mode 100644 index 00000000000..94908a86bd8 --- /dev/null +++ b/tmp-5.4/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch 
@@ -0,0 +1,109 @@ +From stable-owner@vger.kernel.org Wed Jul 5 18:55:01 2023 +From: Pablo Neira Ayuso +Date: Wed, 5 Jul 2023 18:54:20 +0200 +Subject: netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain +To: netfilter-devel@vger.kernel.org +Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org +Message-ID: <20230705165423.50054-8-pablo@netfilter.org> + +From: Pablo Neira Ayuso + +[ 26b5a5712eb85e253724e56a54c17f8519bd8e4e ] + +Add a new state to deal with rule expressions deactivation from the +newrule error path, otherwise the anonymous set remains in the list in +inactive state for the next generation. Mark the set/chain transaction +as unbound so the abort path releases this object, set it as inactive in +the next generation so it is not reachable anymore from this transaction +and reference counter is dropped. + +Fixes: 1240eb93f061 ("netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + include/net/netfilter/nf_tables.h | 1 + + net/netfilter/nf_tables_api.c | 27 +++++++++++++++++++++++---- + 2 files changed, 24 insertions(+), 4 deletions(-) + +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -756,6 +756,7 @@ struct nft_expr_type { + + enum nft_trans_phase { + NFT_TRANS_PREPARE, ++ NFT_TRANS_PREPARE_ERROR, + NFT_TRANS_ABORT, + NFT_TRANS_COMMIT, + NFT_TRANS_RELEASE +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -137,7 +137,8 @@ static void nft_trans_destroy(struct nft + kfree(trans); + } + +-static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) ++static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set, ++ bool bind) + { + struct nftables_pernet *nft_net; + struct net *net = ctx->net; +@@ -151,16 +152,26 @@ static void nft_set_trans_bind(const str + switch (trans->msg_type) { + case NFT_MSG_NEWSET: + if 
(nft_trans_set(trans) == set) +- nft_trans_set_bound(trans) = true; ++ nft_trans_set_bound(trans) = bind; + break; + case NFT_MSG_NEWSETELEM: + if (nft_trans_elem_set(trans) == set) +- nft_trans_elem_set_bound(trans) = true; ++ nft_trans_elem_set_bound(trans) = bind; + break; + } + } + } + ++static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) ++{ ++ return __nft_set_trans_bind(ctx, set, true); ++} ++ ++static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set) ++{ ++ return __nft_set_trans_bind(ctx, set, false); ++} ++ + static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) + { + struct nftables_pernet *nft_net; +@@ -2939,7 +2950,7 @@ static int nf_tables_newrule(struct net + + return 0; + err2: +- nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE); ++ nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR); + nf_tables_rule_destroy(&ctx, rule); + err1: + for (i = 0; i < n; i++) { +@@ -3959,6 +3970,13 @@ void nf_tables_deactivate_set(const stru + enum nft_trans_phase phase) + { + switch (phase) { ++ case NFT_TRANS_PREPARE_ERROR: ++ nft_set_trans_unbind(ctx, set); ++ if (nft_set_is_anonymous(set)) ++ nft_deactivate_next(ctx->net, set); ++ ++ set->use--; ++ break; + case NFT_TRANS_PREPARE: + if (nft_set_is_anonymous(set)) + nft_deactivate_next(ctx->net, set); +@@ -5724,6 +5742,7 @@ void nf_tables_deactivate_flowtable(cons + enum nft_trans_phase phase) + { + switch (phase) { ++ case NFT_TRANS_PREPARE_ERROR: + case NFT_TRANS_PREPARE: + case NFT_TRANS_ABORT: + case NFT_TRANS_RELEASE: diff --git a/tmp-5.4/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch b/tmp-5.4/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch new file mode 100644 index 00000000000..8905a30f650 --- /dev/null +++ b/tmp-5.4/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch 
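Review bot: The two new wrappers in nf_tables_api.c, nft_set_trans_bind() and nft_set_trans_unbind(), use `return __nft_set_trans_bind(ctx, set, true);` inside a `void` function; ISO C does not allow a return with an expression there, and it reads as if a value were being propagated. Call the helper as a plain statement instead: `__nft_set_trans_bind(ctx, set, true);` and `__nft_set_trans_bind(ctx, set, false);`. In nf_tables_deactivate_set(), the new `NFT_TRANS_PREPARE_ERROR` case would also benefit from a short comment saying that the unbind is what lets the abort path release the set, as the commit message explains, because the case otherwise looks like a copy of the part of `NFT_TRANS_PREPARE` visible below it. Both functions continue outside the hunk.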
@@ -0,0 +1,50 @@
+From stable-owner@vger.kernel.org Wed Jul 5 18:54:56 2023
+From: Pablo Neira Ayuso
+Date: Wed, 5 Jul 2023 18:54:18 +0200
+Subject: netfilter: nf_tables: add rescheduling points during loop detection walks
+To: netfilter-devel@vger.kernel.org
+Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
+Message-ID: <20230705165423.50054-6-pablo@netfilter.org>
+
+From: Florian Westphal
+
+[ 81ea010667417ef3f218dfd99b69769fe66c2b67 ]
+
+Add explicit rescheduling points during ruleset walk.
+
+Switching to a faster algorithm is possible but this is a much
+smaller change, suitable for nf tree.
+
+Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1460
+Signed-off-by: Florian Westphal
+Acked-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2712,6 +2712,8 @@ int nft_chain_validate(const struct nft_
+ if (err < 0)
+ return err;
+ }
++
++ cond_resched();
+ }
+
+ return 0;
+@@ -7379,9 +7381,13 @@ static int nf_tables_check_loops(const s
+ break;
+ }
+ }
++
++ cond_resched();
+ }
+
+ list_for_each_entry(set, &ctx->table->sets, list) {
++ cond_resched();
++
+ if (!nft_is_active_next(ctx->net, set))
+ continue;
+ if (!(set->flags & NFT_SET_MAP) ||
diff --git a/tmp-5.4/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch b/tmp-5.4/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch
new file mode 100644
index 00000000000..4c65e9f1972
--- /dev/null
+++ b/tmp-5.4/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch
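Review bot: `cond_resched()` may sleep, and the three call sites added here (the rule loop in nft_chain_validate() and both loops in nf_tables_check_loops()) are only safe if every caller reaches them in process context with no RCU or BH read lock held; nothing in the hunk establishes that. Two other patches in this same queue report exactly that problem ("can't schedule in nft_chain_validate" and "fix scheduling-while-atomic splat") and take these calls out again, so this patch should not be applied without them. Where a rescheduling point is kept, a one-line comment such as `/* process context only: no rcu/bh read lock held here */` at the call site would record the constraint. Both functions continue outside the hunk.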
@@ -0,0 +1,64 @@
+From f58e1406f7f9e2cf7845590dd709521813d3c261 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Jul 2023 01:30:33 +0200
+Subject: netfilter: nf_tables: can't schedule in nft_chain_validate
+
+From: Florian Westphal
+
+[ Upstream commit 314c82841602a111c04a7210c21dc77e0d560242 ]
+
+Can be called via nft set element list iteration, which may acquire
+rcu and/or bh read lock (depends on set type).
+
+BUG: sleeping function called from invalid context at net/netfilter/nf_tables_api.c:3353
+in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1232, name: nft
+preempt_count: 0, expected: 0
+RCU nest depth: 1, expected: 0
+2 locks held by nft/1232:
+ #0: ffff8881180e3ea8 (&nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid
+ #1: ffffffff83f5f540 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire
+Call Trace:
+ nft_chain_validate
+ nft_lookup_validate_setelem
+ nft_pipapo_walk
+ nft_lookup_validate
+ nft_chain_validate
+ nft_immediate_validate
+ nft_chain_validate
+ nf_tables_validate
+ nf_tables_abort
+
+No choice but to move it to nf_tables_validate().
+
+Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks")
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index a64aa888751cb..7d22bc8aa2787 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2736,8 +2736,6 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
+ if (err < 0)
+ return err;
+ }
+-
+- cond_resched();
+ }
+
+ return 0;
+@@ -2761,6 +2759,8 @@ static int nft_table_validate(struct net *net, const struct nft_table *table)
+ err = nft_chain_validate(&ctx, chain);
+ if (err < 0)
+ return err;
++
++ cond_resched();
+ }
+
+ return 0;
+--
+2.39.2
+
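Review bot: The `cond_resched()` that now sits in the chain loop of nft_table_validate() has no comment saying why it lives there rather than in nft_chain_validate(), which invites a later cleanup to move it back. I would add above it: `/* nft_chain_validate() can be reached from set walks under rcu/bh read lock; only reschedule here */`. The commit message says the call is moved to nf_tables_validate(), while the hunk header places it in nft_table_validate(); that may only be a naming difference between trees, but the message and the code should agree. Both functions continue outside the hunk.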
diff --git a/tmp-5.4/netfilter-nf_tables-fix-nat-hook-table-deletion.patch b/tmp-5.4/netfilter-nf_tables-fix-nat-hook-table-deletion.patch new file mode 100644 index 00000000000..e7eeb4a40f3 --- /dev/null +++ b/tmp-5.4/netfilter-nf_tables-fix-nat-hook-table-deletion.patch 
@@ -0,0 +1,104 @@
+From stable-owner@vger.kernel.org Wed Jul 5 18:54:50 2023
+From: Pablo Neira Ayuso
+Date: Wed, 5 Jul 2023 18:54:14 +0200
+Subject: netfilter: nf_tables: fix nat hook table deletion
+To: netfilter-devel@vger.kernel.org
+Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
+Message-ID: <20230705165423.50054-2-pablo@netfilter.org>
+
+From: Florian Westphal
+
+[ 1e9451cbda456a170518b2bfd643e2cb980880bf ]
+
+sybot came up with following transaction:
+ add table ip syz0
+ add chain ip syz0 syz2 { type nat hook prerouting priority 0; policy accept; }
+ add table ip syz0 { flags dormant; }
+ delete chain ip syz0 syz2
+ delete table ip syz0
+
+which yields:
+hook not found, pf 2 num 0
+WARNING: CPU: 0 PID: 6775 at net/netfilter/core.c:413 __nf_unregister_net_hook+0x3e6/0x4a0 net/netfilter/core.c:413
+[..]
+ nft_unregister_basechain_hooks net/netfilter/nf_tables_api.c:206 [inline]
+ nft_table_disable net/netfilter/nf_tables_api.c:835 [inline]
+ nf_tables_table_disable net/netfilter/nf_tables_api.c:868 [inline]
+ nf_tables_commit+0x32d3/0x4d70 net/netfilter/nf_tables_api.c:7550
+ nfnetlink_rcv_batch net/netfilter/nfnetlink.c:486 [inline]
+ nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:544 [inline]
+ nfnetlink_rcv+0x14a5/0x1e50 net/netfilter/nfnetlink.c:562
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+
+Problem is that when I added ability to override base hook registration
+to make nat basechains register with the nat core instead of netfilter
+core, I forgot to update nft_table_disable() to use that instead of
+the 'raw' hook register interface.
+
+In syzbot transaction, the basechain is of 'nat' type. Its registered
+with the nat core. The switch to 'dormant mode' attempts to delete from
+netfilter core instead.
+
+After updating nft_table_disable/enable to use the correct helper,
+nft_(un)register_basechain_hooks can be folded into the only remaining
+caller.
+
+Because nft_trans_table_enable() won't do anything when the DORMANT flag
+is set, remove the flag first, then re-add it in case re-enablement
+fails, else this patch breaks sequence:
+
+add table ip x { flags dormant; }
+/* add base chains */
+add table ip x
+
+The last 'add' will remove the dormant flags, but won't have any other
+effect -- base chains are not registered.
+Then, next 'set dormant flag' will create another 'hook not found'
+splat.
+
+Reported-by: syzbot+2570f2c036e3da5db176@syzkaller.appspotmail.com
+Fixes: 4e25ceb80b58 ("netfilter: nf_tables: allow chain type to override hook register")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit 1e9451cbda456a170518b2bfd643e2cb980880bf)
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -770,7 +770,7 @@ static void nft_table_disable(struct net
+ if (cnt && i++ == cnt)
+ break;
+
+- nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
++ nf_tables_unregister_hook(net, table, chain);
+ }
+ }
+
+@@ -785,7 +785,7 @@ static int nf_tables_table_enable(struct
+ if (!nft_is_base_chain(chain))
+ continue;
+
+- err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
++ err = nf_tables_register_hook(net, table, chain);
+ if (err < 0)
+ goto err;
+
+@@ -829,11 +829,12 @@ static int nf_tables_updtable(struct nft
+ nft_trans_table_enable(trans) = false;
+ } else if (!(flags & NFT_TABLE_F_DORMANT) &&
+ ctx->table->flags & NFT_TABLE_F_DORMANT) {
++ ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
+ ret = nf_tables_table_enable(ctx->net, ctx->table);
+- if (ret >= 0) {
+- ctx->table->flags &= ~NFT_TABLE_F_DORMANT;
++ if (ret >= 0)
+ nft_trans_table_enable(trans) = true;
+- }
++ else
++ ctx->table->flags |= NFT_TABLE_F_DORMANT;
+ }
+ if (ret < 0)
+ goto err;
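Review bot: In nf_tables_updtable() the statement order is now load-bearing: `ctx->table->flags &= ~NFT_TABLE_F_DORMANT;` has to run before nf_tables_table_enable() and be undone with `ctx->table->flags |= NFT_TABLE_F_DORMANT;` on failure, yet the code carries no comment saying so. Going by the commit message, enabling does nothing while the flag is set, so a comment like `/* clear DORMANT first: hook registration is skipped for dormant tables */` would stop a later cleanup from restoring the old order and bringing back the "hook not found" warning. It is also worth confirming that the `goto err` unwind inside nf_tables_table_enable() unregisters through the same helper while the flag is still cleared; that path lies outside the hunk.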
diff --git a/tmp-5.4/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch b/tmp-5.4/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch
new file mode 100644
index 00000000000..56382fb2ce1
--- /dev/null
+++ b/tmp-5.4/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch
@@ -0,0 +1,39 @@
+From stable-owner@vger.kernel.org Wed Jul 5 18:54:56 2023
+From: Pablo Neira Ayuso
+Date: Wed, 5 Jul 2023 18:54:23 +0200
+Subject: netfilter: nf_tables: fix scheduling-while-atomic splat
+To: netfilter-devel@vger.kernel.org
+Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
+Message-ID: <20230705165423.50054-11-pablo@netfilter.org>
+
+From: Florian Westphal
+
+[ 2024439bd5ceb145eeeb428b2a59e9b905153ac3 ]
+
+nf_tables_check_loops() can be called from rhashtable list
+walk so cond_resched() cannot be used here.
+
+Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7428,13 +7428,9 @@ static int nf_tables_check_loops(const s
+ break;
+ }
+ }
+-
+- cond_resched();
+ }
+
+ list_for_each_entry(set, &ctx->table->sets, list) {
+- cond_resched();
+-
+ if (!nft_is_active_next(ctx->net, set))
+ continue;
+ if (!(set->flags & NFT_SET_MAP) ||
diff --git a/tmp-5.4/netfilter-nf_tables-fix-spurious-set-element-inserti.patch b/tmp-5.4/netfilter-nf_tables-fix-spurious-set-element-inserti.patch
new file mode 100644
index 00000000000..43740be294a
--- /dev/null
+++ b/tmp-5.4/netfilter-nf_tables-fix-spurious-set-element-inserti.patch
@@ -0,0 +1,49 @@
+From 9fb06bca476f67a541d7701c4c2e976894297311 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jul 2023 00:29:58 +0200
+Subject: netfilter: nf_tables: fix spurious set element insertion failure
+
+From: Florian Westphal
+
+[ Upstream commit ddbd8be68941985f166f5107109a90ce13147c44 ]
+
+On some platforms there is a padding hole in the nft_verdict
+structure, between the verdict code and the chain pointer.
+
+On element insertion, if the new element clashes with an existing one and
+NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as
+the data associated with duplicated element is the same as the existing
+one. The data equality check uses memcmp.
+
+For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT
+padding area leads to spurious failure even if the verdict data is the
+same.
+
+This then makes the insertion fail with 'already exists' error, even
+though the new "key : data" matches an existing entry and userspace
+told the kernel that it doesn't want to receive an error indication.
+
+Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion")
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 123ef398a10dc..a64aa888751cb 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7655,6 +7655,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+
+ if (!tb[NFTA_VERDICT_CODE])
+ return -EINVAL;
++
++ /* zero padding hole for memcmp */
++ memset(data, 0, sizeof(*data));
+ data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
+
+ switch (data->verdict.code) {
+--
+2.39.2
+
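Review bot: The added `memset(data, 0, sizeof(*data));` makes the memcmp-based duplicate check reliable only for verdict data built by nft_verdict_init(); a path that fills a verdict by struct assignment or field-wise copy is not guaranteed to keep the padding zeroed, so the comparison stays fragile. The comment could name what depends on it, e.g. `/* zero whole nft_data: set element insertion memcmp()s it, padding included */`. A sturdier follow-up would compare the verdict code and chain explicitly for NFT_DATA_VERDICT rather than rely on byte equality; whether other producers of verdict data exist cannot be told from this hunk. nft_verdict_init() continues outside the hunk.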
diff --git a/tmp-5.4/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch b/tmp-5.4/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch new file mode 100644 index 00000000000..9f021445f0f --- /dev/null +++ b/tmp-5.4/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch 
@@ -0,0 +1,73 @@ +From stable-owner@vger.kernel.org Wed Jul 5 18:54:55 2023 +From: Pablo Neira Ayuso +Date: Wed, 5 Jul 2023 18:54:19 +0200 +Subject: netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE +To: netfilter-devel@vger.kernel.org +Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org +Message-ID: <20230705165423.50054-7-pablo@netfilter.org> + +From: Pablo Neira Ayuso + +[ 1240eb93f0616b21c675416516ff3d74798fdc97 ] + +In case of error when adding a new rule that refers to an anonymous set, +deactivate expressions via NFT_TRANS_PREPARE state, not NFT_TRANS_RELEASE. +Thus, the lookup expression marks anonymous sets as inactive in the next +generation to ensure it is not reachable in this transaction anymore and +decrement the set refcount as introduced by c1592a89942e ("netfilter: +nf_tables: deactivate anonymous set from preparation phase"). The abort +step takes care of undoing the anonymous set. + +This is also consistent with rule deletion, where NFT_TRANS_PREPARE is +used. Note that this error path is exercised in the preparation step of +the commit protocol. This patch replaces nf_tables_rule_release() by the +deactivate and destroy calls, this time with NFT_TRANS_PREPARE. + +Due to this incorrect error handling, it is possible to access a +dangling pointer to the anonymous set that remains in the transaction +list. + +[1009.379054] BUG: KASAN: use-after-free in nft_set_lookup_global+0x147/0x1a0 [nf_tables] +[1009.379106] Read of size 8 at addr ffff88816c4c8020 by task nft-rule-add/137110 +[1009.379116] CPU: 7 PID: 137110 Comm: nft-rule-add Not tainted 6.4.0-rc4+ #256 +[1009.379128] Call Trace: +[1009.379132] +[1009.379135] dump_stack_lvl+0x33/0x50 +[1009.379146] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables] +[1009.379191] print_address_description.constprop.0+0x27/0x300 +[1009.379201] kasan_report+0x107/0x120 +[1009.379210] ? 
nft_set_lookup_global+0x147/0x1a0 [nf_tables] +[1009.379255] nft_set_lookup_global+0x147/0x1a0 [nf_tables] +[1009.379302] nft_lookup_init+0xa5/0x270 [nf_tables] +[1009.379350] nf_tables_newrule+0x698/0xe50 [nf_tables] +[1009.379397] ? nf_tables_rule_release+0xe0/0xe0 [nf_tables] +[1009.379441] ? kasan_unpoison+0x23/0x50 +[1009.379450] nfnetlink_rcv_batch+0x97c/0xd90 [nfnetlink] +[1009.379470] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink] +[1009.379485] ? __alloc_skb+0xb8/0x1e0 +[1009.379493] ? __alloc_skb+0xb8/0x1e0 +[1009.379502] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 +[1009.379509] ? unwind_get_return_address+0x2a/0x40 +[1009.379517] ? write_profile+0xc0/0xc0 +[1009.379524] ? avc_lookup+0x8f/0xc0 +[1009.379532] ? __rcu_read_unlock+0x43/0x60 + +Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2939,7 +2939,8 @@ static int nf_tables_newrule(struct net + + return 0; + err2: +- nf_tables_rule_release(&ctx, rule); ++ nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE); ++ nf_tables_rule_destroy(&ctx, rule); + err1: + for (i = 0; i < n; i++) { + if (info[i].ops) { diff --git a/tmp-5.4/netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch b/tmp-5.4/netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch new file mode 100644 index 00000000000..4651546ad4a --- /dev/null +++ b/tmp-5.4/netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch 
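Review bot: Deactivating with `NFT_TRANS_PREPARE` on the `err2:` path of nf_tables_newrule() is not the final state of this line, and on its own it appears to leave the anonymous set's transaction bound. Another patch in this queue ("add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain") carries a Fixes: tag for this commit and changes the same call to `nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);`, so the two need to be applied together. A short comment at `err2:` naming the phase and why nf_tables_rule_release() is no longer used would also help, since the use-after-free shown in the commit message came from choosing the wrong phase here. The function continues outside the hunk.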
@@ -0,0 +1,211 @@ +From caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Wed, 5 Jul 2023 18:05:35 -0300 +Subject: netfilter: nf_tables: prevent OOB access in nft_byteorder_eval + +From: Thadeu Lima de Souza Cascardo + +commit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd upstream. + +When evaluating byteorder expressions with size 2, a union with 32-bit and +16-bit members is used. Since the 16-bit members are aligned to 32-bit, +the array accesses will be out-of-bounds. + +It may lead to a stack-out-of-bounds access like the one below: + +[ 23.095215] ================================================================== +[ 23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320 +[ 23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115 +[ 23.096358] +[ 23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413 +[ 23.096770] Call Trace: +[ 23.096910] +[ 23.097030] dump_stack_lvl+0x60/0xc0 +[ 23.097218] print_report+0xcf/0x630 +[ 23.097388] ? nft_byteorder_eval+0x13c/0x320 +[ 23.097577] ? kasan_addr_to_slab+0xd/0xc0 +[ 23.097760] ? nft_byteorder_eval+0x13c/0x320 +[ 23.097949] kasan_report+0xc9/0x110 +[ 23.098106] ? nft_byteorder_eval+0x13c/0x320 +[ 23.098298] __asan_load2+0x83/0xd0 +[ 23.098453] nft_byteorder_eval+0x13c/0x320 +[ 23.098659] nft_do_chain+0x1c8/0xc50 +[ 23.098852] ? __pfx_nft_do_chain+0x10/0x10 +[ 23.099078] ? __kasan_check_read+0x11/0x20 +[ 23.099295] ? __pfx___lock_acquire+0x10/0x10 +[ 23.099535] ? __pfx___lock_acquire+0x10/0x10 +[ 23.099745] ? __kasan_check_read+0x11/0x20 +[ 23.099929] nft_do_chain_ipv4+0xfe/0x140 +[ 23.100105] ? __pfx_nft_do_chain_ipv4+0x10/0x10 +[ 23.100327] ? lock_release+0x204/0x400 +[ 23.100515] ? nf_hook.constprop.0+0x340/0x550 +[ 23.100779] nf_hook_slow+0x6c/0x100 +[ 23.100977] ? __pfx_nft_do_chain_ipv4+0x10/0x10 +[ 23.101223] nf_hook.constprop.0+0x334/0x550 +[ 23.101443] ? __pfx_ip_local_deliver_finish+0x10/0x10 +[ 23.101677] ? 
__pfx_nf_hook.constprop.0+0x10/0x10 +[ 23.101882] ? __pfx_ip_rcv_finish+0x10/0x10 +[ 23.102071] ? __pfx_ip_local_deliver_finish+0x10/0x10 +[ 23.102291] ? rcu_read_lock_held+0x4b/0x70 +[ 23.102481] ip_local_deliver+0xbb/0x110 +[ 23.102665] ? __pfx_ip_rcv+0x10/0x10 +[ 23.102839] ip_rcv+0x199/0x2a0 +[ 23.102980] ? __pfx_ip_rcv+0x10/0x10 +[ 23.103140] __netif_receive_skb_one_core+0x13e/0x150 +[ 23.103362] ? __pfx___netif_receive_skb_one_core+0x10/0x10 +[ 23.103647] ? mark_held_locks+0x48/0xa0 +[ 23.103819] ? process_backlog+0x36c/0x380 +[ 23.103999] __netif_receive_skb+0x23/0xc0 +[ 23.104179] process_backlog+0x91/0x380 +[ 23.104350] __napi_poll.constprop.0+0x66/0x360 +[ 23.104589] ? net_rx_action+0x1cb/0x610 +[ 23.104811] net_rx_action+0x33e/0x610 +[ 23.105024] ? _raw_spin_unlock+0x23/0x50 +[ 23.105257] ? __pfx_net_rx_action+0x10/0x10 +[ 23.105485] ? mark_held_locks+0x48/0xa0 +[ 23.105741] __do_softirq+0xfa/0x5ab +[ 23.105956] ? __dev_queue_xmit+0x765/0x1c00 +[ 23.106193] do_softirq.part.0+0x49/0xc0 +[ 23.106423] +[ 23.106547] +[ 23.106670] __local_bh_enable_ip+0xf5/0x120 +[ 23.106903] __dev_queue_xmit+0x789/0x1c00 +[ 23.107131] ? __pfx___dev_queue_xmit+0x10/0x10 +[ 23.107381] ? find_held_lock+0x8e/0xb0 +[ 23.107585] ? lock_release+0x204/0x400 +[ 23.107798] ? neigh_resolve_output+0x185/0x350 +[ 23.108049] ? mark_held_locks+0x48/0xa0 +[ 23.108265] ? neigh_resolve_output+0x185/0x350 +[ 23.108514] neigh_resolve_output+0x246/0x350 +[ 23.108753] ? neigh_resolve_output+0x246/0x350 +[ 23.109003] ip_finish_output2+0x3c3/0x10b0 +[ 23.109250] ? __pfx_ip_finish_output2+0x10/0x10 +[ 23.109510] ? __pfx_nf_hook+0x10/0x10 +[ 23.109732] __ip_finish_output+0x217/0x390 +[ 23.109978] ip_finish_output+0x2f/0x130 +[ 23.110207] ip_output+0xc9/0x170 +[ 23.110404] ip_push_pending_frames+0x1a0/0x240 +[ 23.110652] raw_sendmsg+0x102e/0x19e0 +[ 23.110871] ? __pfx_raw_sendmsg+0x10/0x10 +[ 23.111093] ? lock_release+0x204/0x400 +[ 23.111304] ? __mod_lruvec_page_state+0x148/0x330 +[ 23.111567] ? 
find_held_lock+0x8e/0xb0 +[ 23.111777] ? find_held_lock+0x8e/0xb0 +[ 23.111993] ? __rcu_read_unlock+0x7c/0x2f0 +[ 23.112225] ? aa_sk_perm+0x18a/0x550 +[ 23.112431] ? filemap_map_pages+0x4f1/0x900 +[ 23.112665] ? __pfx_aa_sk_perm+0x10/0x10 +[ 23.112880] ? find_held_lock+0x8e/0xb0 +[ 23.113098] inet_sendmsg+0xa0/0xb0 +[ 23.113297] ? inet_sendmsg+0xa0/0xb0 +[ 23.113500] ? __pfx_inet_sendmsg+0x10/0x10 +[ 23.113727] sock_sendmsg+0xf4/0x100 +[ 23.113924] ? move_addr_to_kernel.part.0+0x4f/0xa0 +[ 23.114190] __sys_sendto+0x1d4/0x290 +[ 23.114391] ? __pfx___sys_sendto+0x10/0x10 +[ 23.114621] ? __pfx_mark_lock.part.0+0x10/0x10 +[ 23.114869] ? lock_release+0x204/0x400 +[ 23.115076] ? find_held_lock+0x8e/0xb0 +[ 23.115287] ? rcu_is_watching+0x23/0x60 +[ 23.115503] ? __rseq_handle_notify_resume+0x6e2/0x860 +[ 23.115778] ? __kasan_check_write+0x14/0x30 +[ 23.116008] ? blkcg_maybe_throttle_current+0x8d/0x770 +[ 23.116285] ? mark_held_locks+0x28/0xa0 +[ 23.116503] ? do_syscall_64+0x37/0x90 +[ 23.116713] __x64_sys_sendto+0x7f/0xb0 +[ 23.116924] do_syscall_64+0x59/0x90 +[ 23.117123] ? irqentry_exit_to_user_mode+0x25/0x30 +[ 23.117387] ? irqentry_exit+0x77/0xb0 +[ 23.117593] ? 
exc_page_fault+0x92/0x140 +[ 23.117806] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 23.118081] RIP: 0033:0x7f744aee2bba +[ 23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +[ 23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +[ 23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba +[ 23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003 +[ 23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010 +[ 23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 +[ 23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0 +[ 23.121617] +[ 23.121749] +[ 23.121845] The buggy address belongs to the virtual mapping at +[ 23.121845] [ffffc90000000000, ffffc90000009000) created by: +[ 23.121845] irq_init_percpu_irqstack+0x1cf/0x270 +[ 23.122707] +[ 23.122803] The buggy address belongs to the physical page: +[ 23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09 +[ 23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff) +[ 23.123998] page_type: 0xffffffff() +[ 23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000 +[ 23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 +[ 23.125023] page dumped because: kasan: bad access detected +[ 23.125326] +[ 23.125421] Memory state around the buggy address: +[ 23.125682] ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 23.126072] ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 +[ 23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 +[ 23.126840] ^ +[ 23.127138] ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 +[ 23.127522] ffffc90000007a00: 
f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 +[ 23.127906] ================================================================== +[ 23.128324] Disabling lock debugging due to kernel taint + +Using simple s16 pointers for the 16-bit accesses fixes the problem. For +the 32-bit accesses, src and dst can be used directly. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Cc: stable@vger.kernel.org +Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_byteorder.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/net/netfilter/nft_byteorder.c ++++ b/net/netfilter/nft_byteorder.c +@@ -30,11 +30,11 @@ void nft_byteorder_eval(const struct nft + const struct nft_byteorder *priv = nft_expr_priv(expr); + u32 *src = ®s->data[priv->sreg]; + u32 *dst = ®s->data[priv->dreg]; +- union { u32 u32; u16 u16; } *s, *d; ++ u16 *s16, *d16; + unsigned int i; + +- s = (void *)src; +- d = (void *)dst; ++ s16 = (void *)src; ++ d16 = (void *)dst; + + switch (priv->size) { + case 8: { +@@ -61,11 +61,11 @@ void nft_byteorder_eval(const struct nft + switch (priv->op) { + case NFT_BYTEORDER_NTOH: + for (i = 0; i < priv->len / 4; i++) +- d[i].u32 = ntohl((__force __be32)s[i].u32); ++ dst[i] = ntohl((__force __be32)src[i]); + break; + case NFT_BYTEORDER_HTON: + for (i = 0; i < priv->len / 4; i++) +- d[i].u32 = (__force __u32)htonl(s[i].u32); ++ dst[i] = (__force __u32)htonl(src[i]); + break; + } + break; +@@ -73,11 +73,11 @@ void nft_byteorder_eval(const struct nft + switch (priv->op) { + case NFT_BYTEORDER_NTOH: + for (i = 0; i < priv->len / 2; i++) +- d[i].u16 = ntohs((__force __be16)s[i].u16); ++ d16[i] = ntohs((__force __be16)s16[i]); + break; + case NFT_BYTEORDER_HTON: + for (i = 0; i < priv->len / 2; i++) +- d[i].u16 = (__force __u16)htons(s[i].u16); ++ d16[i] = (__force 
__u16)htons(s16[i]); + break; + } + break; diff --git a/tmp-5.4/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch b/tmp-5.4/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch new file mode 100644 index 00000000000..5c341b110b8 --- /dev/null +++ b/tmp-5.4/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch 
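Review bot: The switch to `u16 *s16, *d16` in nft_byteorder_eval() corrects the element stride, but nothing in the function says why plain pointers are required, and the loops still trust `priv->len` to keep `src[i]` and `s16[i]` inside the register array. I would add at the declaration `/* index as packed u16: a union with a u32 member has a 4-byte stride and walks past the registers */`. The bounds on `priv->len` and `priv->size` are presumably enforced when the expression is initialised, which is outside this hunk; it is worth confirming that the check covers both the sreg and dreg ranges. The pointers could also be initialised where they are declared, `u16 *s16 = (void *)src, *d16 = (void *)dst;`, which removes the two assignment lines.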
@@ -0,0 +1,142 @@
+From stable-owner@vger.kernel.org Wed Jul 5 18:54:56 2023
+From: Pablo Neira Ayuso
+Date: Wed, 5 Jul 2023 18:54:21 +0200
+Subject: netfilter: nf_tables: reject unbound anonymous set before commit phase
+To: netfilter-devel@vger.kernel.org
+Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
+Message-ID: <20230705165423.50054-9-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso
+
+[ 938154b93be8cd611ddfd7bafc1849f3c4355201 ]
+
+Add a new list to track set transaction and to check for unbound
+anonymous sets before entering the commit phase.
+
+Bail out at the end of the transaction handling if an anonymous set
+remains unbound.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/netfilter/nf_tables.h | 3 +++
+ net/netfilter/nf_tables_api.c | 36 +++++++++++++++++++++++++++++++-----
+ 2 files changed, 34 insertions(+), 5 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -1364,6 +1364,7 @@ static inline void nft_set_elem_clear_bu
+ * struct nft_trans - nf_tables object update in transaction
+ *
+ * @list: used internally
++ * @binding_list: list of objects with possible bindings
+ * @msg_type: message type
+ * @put_net: ctx->net needs to be put
+ * @ctx: transaction context
+@@ -1371,6 +1372,7 @@ static inline void nft_set_elem_clear_bu
+ */
+ struct nft_trans {
+ struct list_head list;
++ struct list_head binding_list;
+ int msg_type;
+ bool put_net;
+ struct nft_ctx ctx;
+@@ -1476,6 +1478,7 @@ __be64 nf_jiffies64_to_msecs(u64 input);
+ struct nftables_pernet {
+ struct list_head tables;
+ struct list_head commit_list;
++ struct list_head binding_list;
+ struct list_head module_list;
+ struct list_head notify_list;
+ struct mutex commit_mutex;
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -119,6 +119,7 @@ static struct nft_trans *nft_trans_alloc
+ return NULL;
+
+ INIT_LIST_HEAD(&trans->list);
++ INIT_LIST_HEAD(&trans->binding_list);
+ trans->msg_type = msg_type;
+ trans->ctx = *ctx;
+
+@@ -131,9 +132,15 @@ static struct nft_trans *nft_trans_alloc
+ return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
+ }
+
+-static void nft_trans_destroy(struct nft_trans *trans)
++static void nft_trans_list_del(struct nft_trans *trans)
+ {
+ list_del(&trans->list);
++ list_del(&trans->binding_list);
++}
++
++static void nft_trans_destroy(struct nft_trans *trans)
++{
++ nft_trans_list_del(trans);
+ kfree(trans);
+ }
+
+@@ -174,9 +181,15 @@ static void nft_set_trans_unbind(const s
+
+ static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans)
+ {
+- struct nftables_pernet *nft_net;
++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
++
++ switch (trans->msg_type) {
++ case NFT_MSG_NEWSET:
++ if (nft_set_is_anonymous(nft_trans_set(trans)))
++ list_add_tail(&trans->binding_list, &nft_net->binding_list);
++ break;
++ }
+
+- nft_net = net_generic(net, nf_tables_net_id);
+ list_add_tail(&trans->list, &nft_net->commit_list);
+ }
+
+@@ -6697,7 +6710,7 @@ static void nf_tables_trans_destroy_work
+ synchronize_rcu();
+
+ list_for_each_entry_safe(trans, next, &head, list) {
+- list_del(&trans->list);
++ nft_trans_list_del(trans);
+ nft_commit_release(trans);
+ }
+ }
+@@ -6901,6 +6914,18 @@ static int nf_tables_commit(struct net *
+ return 0;
+ }
+
++ list_for_each_entry(trans, &nft_net->binding_list, binding_list) {
++ switch (trans->msg_type) {
++ case NFT_MSG_NEWSET:
++ if (nft_set_is_anonymous(nft_trans_set(trans)) &&
++ !nft_trans_set_bound(trans)) {
++ pr_warn_once("nftables ruleset with unbound set\n");
++ return -EINVAL;
++ }
++ break;
++ }
++ }
++
+ /* 0. Validate ruleset, otherwise roll back for error reporting. */
+ if (nf_tables_validate(net) < 0)
+ return -EAGAIN;
+@@ -7249,7 +7274,7 @@ static int __nf_tables_abort(struct net
+
+ list_for_each_entry_safe_reverse(trans, next,
+ &nft_net->commit_list, list) {
+- list_del(&trans->list);
++ nft_trans_list_del(trans);
+ nf_tables_abort_release(trans);
+ }
+
+@@ -7914,6 +7939,7 @@ static int __net_init nf_tables_init_net
+
+ INIT_LIST_HEAD(&nft_net->tables);
+ INIT_LIST_HEAD(&nft_net->commit_list);
++ INIT_LIST_HEAD(&nft_net->binding_list);
+ INIT_LIST_HEAD(&nft_net->module_list);
+ INIT_LIST_HEAD(&nft_net->notify_list);
+ mutex_init(&nft_net->commit_mutex);
diff --git a/tmp-5.4/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch b/tmp-5.4/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
new file mode 100644
index 00000000000..b16cedfa942
--- /dev/null
+++ b/tmp-5.4/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
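Review bot: The new `return -EINVAL` in the nf_tables_commit() hunk of the reject-unbound-anonymous-set patch leaves the function without releasing `commit_mutex`, whereas the `list_empty()` return just above it unlocks first. The `-EAGAIN` return that follows behaves the same way, so this presumably relies on the caller running the abort path, but nothing in the hunk states that contract. A comment above the added loop would make it explicit, for example `/* unbound anonymous set: fail the batch; commit_mutex is dropped by the abort path */`. nf_tables_commit() begins and ends outside the hunk, so the caller's error handling should be confirmed against the 5.4 tree before relying on it.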
@@ -0,0 +1,33 @@
+From stable-owner@vger.kernel.org Wed Jul 5 18:54:56 2023
+From: Pablo Neira Ayuso
+Date: Wed, 5 Jul 2023 18:54:22 +0200
+Subject: netfilter: nf_tables: unbind non-anonymous set if rule construction fails
+To: netfilter-devel@vger.kernel.org
+Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
+Message-ID: <20230705165423.50054-10-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso
+
+[ 3e70489721b6c870252c9082c496703677240f53 ]
+
+Otherwise a dangling reference to a rule object that is gone remains
+in the set binding list.
+
+Fixes: 26b5a5712eb8 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3987,6 +3987,8 @@ void nf_tables_deactivate_set(const stru
+ nft_set_trans_unbind(ctx, set);
+ if (nft_set_is_anonymous(set))
+ nft_deactivate_next(ctx->net, set);
++ else
++ list_del_rcu(&binding->list);
+
+ set->use--;
+ break;
diff --git a/tmp-5.4/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch b/tmp-5.4/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch
new file mode 100644
index 00000000000..72ceee23a7f
--- /dev/null
+++ b/tmp-5.4/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch
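Review bot: The added `else list_del_rcu(&binding->list);` branch in nf_tables_deactivate_set() has no comment, so the reason a named set is handled differently from an anonymous one is recorded only in the commit message. Since this line is what keeps a stale binding from staying linked on the set after the rule is gone, a why-comment belongs next to it, for example `/* named set outlives the failed rule: unlink its binding so the set's binding list holds no stale entry */`. The `case` label this branch sits under is outside the hunk. Going by the Fixes tag it is presumably the prepare-error phase, which should be checked when the patch is applied to 5.4.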
@@ -0,0 +1,1214 @@ +From stable-owner@vger.kernel.org Wed Jul 5 18:54:55 2023 +From: Pablo Neira Ayuso +Date: Wed, 5 Jul 2023 18:54:17 +0200 +Subject: netfilter: nf_tables: use net_generic infra for transaction data +To: netfilter-devel@vger.kernel.org +Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org +Message-ID: <20230705165423.50054-5-pablo@netfilter.org> + +From: Florian Westphal + +[ 0854db2aaef3fcdd3498a9d299c60adea2aa3dc6 ] + +This moves all nf_tables pernet data from struct net to a net_generic +extension, with the exception of the gencursor. + +The latter is used in the data path and also outside of the nf_tables +core. All others are only used from the configuration plane. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + include/net/netfilter/nf_tables.h | 10 + + include/net/netns/nftables.h | 6 + net/netfilter/nf_tables_api.c | 330 +++++++++++++++++++++++--------------- + net/netfilter/nf_tables_offload.c | 29 ++- + net/netfilter/nft_chain_filter.c | 11 - + net/netfilter/nft_dynset.c | 6 + 6 files changed, 245 insertions(+), 147 deletions(-) + +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -1472,4 +1472,14 @@ void nf_tables_trans_destroy_flush_work( + int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result); + __be64 nf_jiffies64_to_msecs(u64 input); + ++struct nftables_pernet { ++ struct list_head tables; ++ struct list_head commit_list; ++ struct list_head module_list; ++ struct list_head notify_list; ++ struct mutex commit_mutex; ++ unsigned int base_seq; ++ u8 validate_state; ++}; ++ + #endif /* _NET_NF_TABLES_H */ +--- a/include/net/netns/nftables.h ++++ b/include/net/netns/nftables.h +@@ -5,13 +5,7 @@ + #include + + struct netns_nftables { +- struct list_head tables; +- struct list_head commit_list; +- struct list_head module_list; +- struct mutex commit_mutex; +- unsigned int base_seq; + u8 gencursor; +- u8 
validate_state; + }; + + #endif +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -20,10 +20,13 @@ + #include + #include + #include ++#include + #include + + #define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) + ++unsigned int nf_tables_net_id __read_mostly; ++ + static LIST_HEAD(nf_tables_expressions); + static LIST_HEAD(nf_tables_objects); + static LIST_HEAD(nf_tables_flowtables); +@@ -67,7 +70,9 @@ static const struct rhashtable_params nf + + static void nft_validate_state_update(struct net *net, u8 new_validate_state) + { +- switch (net->nft.validate_state) { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ ++ switch (nft_net->validate_state) { + case NFT_VALIDATE_SKIP: + WARN_ON_ONCE(new_validate_state == NFT_VALIDATE_DO); + break; +@@ -78,7 +83,7 @@ static void nft_validate_state_update(st + return; + } + +- net->nft.validate_state = new_validate_state; ++ nft_net->validate_state = new_validate_state; + } + static void nf_tables_trans_destroy_work(struct work_struct *w); + static DECLARE_WORK(trans_destroy_work, nf_tables_trans_destroy_work); +@@ -134,13 +139,15 @@ static void nft_trans_destroy(struct nft + + static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) + { ++ struct nftables_pernet *nft_net; + struct net *net = ctx->net; + struct nft_trans *trans; + + if (!nft_set_is_anonymous(set)) + return; + +- list_for_each_entry_reverse(trans, &net->nft.commit_list, list) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { + switch (trans->msg_type) { + case NFT_MSG_NEWSET: + if (nft_trans_set(trans) == set) +@@ -154,6 +161,14 @@ static void nft_set_trans_bind(const str + } + } + ++static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *trans) ++{ ++ struct nftables_pernet *nft_net; ++ ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_add_tail(&trans->list, 
&nft_net->commit_list); ++} ++ + static int nf_tables_register_hook(struct net *net, + const struct nft_table *table, + struct nft_chain *chain) +@@ -204,7 +219,7 @@ static int nft_trans_table_add(struct nf + if (msg_type == NFT_MSG_NEWTABLE) + nft_activate_next(ctx->net, ctx->table); + +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + return 0; + } + +@@ -231,7 +246,7 @@ static struct nft_trans *nft_trans_chain + if (msg_type == NFT_MSG_NEWCHAIN) + nft_activate_next(ctx->net, ctx->chain); + +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + return trans; + } + +@@ -304,7 +319,7 @@ static struct nft_trans *nft_trans_rule_ + ntohl(nla_get_be32(ctx->nla[NFTA_RULE_ID])); + } + nft_trans_rule(trans) = rule; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return trans; + } +@@ -359,7 +374,7 @@ static int nft_trans_set_add(const struc + nft_activate_next(ctx->net, set); + } + nft_trans_set(trans) = set; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + } +@@ -391,7 +406,7 @@ static int nft_trans_obj_add(struct nft_ + nft_activate_next(ctx->net, obj); + + nft_trans_obj(trans) = obj; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + } +@@ -424,7 +439,7 @@ static int nft_trans_flowtable_add(struc + nft_activate_next(ctx->net, flowtable); + + nft_trans_flowtable(trans) = flowtable; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + } +@@ -452,13 +467,15 @@ static struct nft_table *nft_table_looku + const struct nlattr *nla, + u8 family, u8 genmask) + { ++ struct nftables_pernet *nft_net; + struct nft_table *table; + + if (nla == NULL) + return 
ERR_PTR(-EINVAL); + +- list_for_each_entry_rcu(table, &net->nft.tables, list, +- lockdep_is_held(&net->nft.commit_mutex)) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_for_each_entry_rcu(table, &nft_net->tables, list, ++ lockdep_is_held(&nft_net->commit_mutex)) { + if (!nla_strcmp(nla, table->name) && + table->family == family && + nft_active_genmask(table, genmask)) +@@ -472,9 +489,11 @@ static struct nft_table *nft_table_looku + const struct nlattr *nla, + u8 genmask) + { ++ struct nftables_pernet *nft_net; + struct nft_table *table; + +- list_for_each_entry(table, &net->nft.tables, list) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_for_each_entry(table, &nft_net->tables, list) { + if (be64_to_cpu(nla_get_be64(nla)) == table->handle && + nft_active_genmask(table, genmask)) + return table; +@@ -526,6 +545,7 @@ struct nft_module_request { + static int nft_request_module(struct net *net, const char *fmt, ...) + { + char module_name[MODULE_NAME_LEN]; ++ struct nftables_pernet *nft_net; + struct nft_module_request *req; + va_list args; + int ret; +@@ -536,7 +556,8 @@ static int nft_request_module(struct net + if (ret >= MODULE_NAME_LEN) + return 0; + +- list_for_each_entry(req, &net->nft.module_list, list) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_for_each_entry(req, &nft_net->module_list, list) { + if (!strcmp(req->module, module_name)) { + if (req->done) + return 0; +@@ -552,7 +573,7 @@ static int nft_request_module(struct net + + req->done = false; + strlcpy(req->module, module_name, MODULE_NAME_LEN); +- list_add_tail(&req->list, &net->nft.module_list); ++ list_add_tail(&req->list, &nft_net->module_list); + + return -EAGAIN; + } +@@ -590,7 +611,9 @@ nf_tables_chain_type_lookup(struct net * + + static __be16 nft_base_seq(const struct net *net) + { +- return htons(net->nft.base_seq & 0xffff); ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ ++ return htons(nft_net->base_seq & 0xffff); + } + + 
static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { +@@ -658,15 +681,17 @@ static int nf_tables_dump_tables(struct + struct netlink_callback *cb) + { + const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); ++ struct nftables_pernet *nft_net; + const struct nft_table *table; + unsigned int idx = 0, s_idx = cb->args[0]; + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (family != NFPROTO_UNSPEC && family != table->family) + continue; + +@@ -840,7 +865,7 @@ static int nf_tables_updtable(struct nft + goto err; + + nft_trans_table_update(trans) = true; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + return 0; + err: + nft_trans_destroy(trans); +@@ -903,6 +928,7 @@ static int nf_tables_newtable(struct net + const struct nlattr * const nla[], + struct netlink_ext_ack *extack) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + const struct nfgenmsg *nfmsg = nlmsg_data(nlh); + u8 genmask = nft_genmask_next(net); + int family = nfmsg->nfgen_family; +@@ -912,7 +938,7 @@ static int nf_tables_newtable(struct net + struct nft_ctx ctx; + int err; + +- lockdep_assert_held(&net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + attr = nla[NFTA_TABLE_NAME]; + table = nft_table_lookup(net, attr, family, genmask); + if (IS_ERR(table)) { +@@ -962,7 +988,7 @@ static int nf_tables_newtable(struct net + if (err < 0) + goto err_trans; + +- list_add_tail_rcu(&table->list, &net->nft.tables); ++ list_add_tail_rcu(&table->list, &nft_net->tables); + return 0; + err_trans: + rhltable_destroy(&table->chains_ht); +@@ -1042,11 +1068,12 @@ out: + + static int nft_flush(struct nft_ctx *ctx, 
int family) + { ++ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); + struct nft_table *table, *nt; + const struct nlattr * const *nla = ctx->nla; + int err = 0; + +- list_for_each_entry_safe(table, nt, &ctx->net->nft.tables, list) { ++ list_for_each_entry_safe(table, nt, &nft_net->tables, list) { + if (family != AF_UNSPEC && table->family != family) + continue; + +@@ -1160,7 +1187,9 @@ nft_chain_lookup_byhandle(const struct n + static bool lockdep_commit_lock_is_held(const struct net *net) + { + #ifdef CONFIG_PROVE_LOCKING +- return lockdep_is_held(&net->nft.commit_mutex); ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); ++ ++ return lockdep_is_held(&nft_net->commit_mutex); + #else + return true; + #endif +@@ -1363,11 +1392,13 @@ static int nf_tables_dump_chains(struct + unsigned int idx = 0, s_idx = cb->args[0]; + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; ++ struct nftables_pernet *nft_net; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (family != NFPROTO_UNSPEC && family != table->family) + continue; + +@@ -1553,12 +1584,13 @@ static int nft_chain_parse_hook(struct n + struct nft_chain_hook *hook, u8 family, + bool autoload) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nlattr *ha[NFTA_HOOK_MAX + 1]; + const struct nft_chain_type *type; + struct net_device *dev; + int err; + +- lockdep_assert_held(&net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + lockdep_nfnl_nft_mutex_not_held(); + + err = nla_parse_nested_deprecated(ha, NFTA_HOOK_MAX, +@@ -1843,6 +1875,7 @@ static int nf_tables_updchain(struct nft + + if (nla[NFTA_CHAIN_HANDLE] && + nla[NFTA_CHAIN_NAME]) { ++ struct nftables_pernet *nft_net = 
net_generic(ctx->net, nf_tables_net_id); + struct nft_trans *tmp; + char *name; + +@@ -1852,7 +1885,7 @@ static int nf_tables_updchain(struct nft + goto err; + + err = -EEXIST; +- list_for_each_entry(tmp, &ctx->net->nft.commit_list, list) { ++ list_for_each_entry(tmp, &nft_net->commit_list, list) { + if (tmp->msg_type == NFT_MSG_NEWCHAIN && + tmp->ctx.table == table && + nft_trans_chain_update(tmp) && +@@ -1865,7 +1898,7 @@ static int nf_tables_updchain(struct nft + + nft_trans_chain_name(trans) = name; + } +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + err: +@@ -1879,6 +1912,7 @@ static int nf_tables_newchain(struct net + const struct nlattr * const nla[], + struct netlink_ext_ack *extack) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + const struct nfgenmsg *nfmsg = nlmsg_data(nlh); + u8 genmask = nft_genmask_next(net); + int family = nfmsg->nfgen_family; +@@ -1890,7 +1924,7 @@ static int nf_tables_newchain(struct net + u64 handle = 0; + u32 flags = 0; + +- lockdep_assert_held(&net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + + table = nft_table_lookup(net, nla[NFTA_CHAIN_TABLE], family, genmask); + if (IS_ERR(table)) { +@@ -2478,11 +2512,13 @@ static int nf_tables_dump_rules(struct s + unsigned int idx = 0; + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; ++ struct nftables_pernet *nft_net; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (family != NFPROTO_UNSPEC && family != table->family) + continue; + +@@ -2715,6 +2751,7 @@ static int nf_tables_newrule(struct net + const struct nlattr * const nla[], + struct netlink_ext_ack *extack) + { ++ struct nftables_pernet *nft_net = net_generic(net, 
nf_tables_net_id); + const struct nfgenmsg *nfmsg = nlmsg_data(nlh); + u8 genmask = nft_genmask_next(net); + struct nft_expr_info *info = NULL; +@@ -2732,7 +2769,7 @@ static int nf_tables_newrule(struct net + int err, rem; + u64 handle, pos_handle; + +- lockdep_assert_held(&net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + + table = nft_table_lookup(net, nla[NFTA_RULE_TABLE], family, genmask); + if (IS_ERR(table)) { +@@ -2887,7 +2924,7 @@ static int nf_tables_newrule(struct net + kvfree(info); + chain->use++; + +- if (net->nft.validate_state == NFT_VALIDATE_DO) ++ if (nft_net->validate_state == NFT_VALIDATE_DO) + return nft_table_validate(net, table); + + if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { +@@ -2917,10 +2954,11 @@ static struct nft_rule *nft_rule_lookup_ + const struct nft_chain *chain, + const struct nlattr *nla) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + u32 id = ntohl(nla_get_be32(nla)); + struct nft_trans *trans; + +- list_for_each_entry(trans, &net->nft.commit_list, list) { ++ list_for_each_entry(trans, &nft_net->commit_list, list) { + struct nft_rule *rule = nft_trans_rule(trans); + + if (trans->msg_type == NFT_MSG_NEWRULE && +@@ -3039,12 +3077,13 @@ nft_select_set_ops(const struct nft_ctx + const struct nft_set_desc *desc, + enum nft_set_policies policy) + { ++ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id); + const struct nft_set_ops *ops, *bops; + struct nft_set_estimate est, best; + const struct nft_set_type *type; + u32 flags = 0; + +- lockdep_assert_held(&ctx->net->nft.commit_mutex); ++ lockdep_assert_held(&nft_net->commit_mutex); + lockdep_nfnl_nft_mutex_not_held(); + #ifdef CONFIG_MODULES + if (list_empty(&nf_tables_set_types)) { +@@ -3189,10 +3228,11 @@ static struct nft_set *nft_set_lookup_by + const struct nft_table *table, + const struct nlattr *nla, u8 genmask) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct 
nft_trans *trans; + u32 id = ntohl(nla_get_be32(nla)); + +- list_for_each_entry(trans, &net->nft.commit_list, list) { ++ list_for_each_entry(trans, &nft_net->commit_list, list) { + if (trans->msg_type == NFT_MSG_NEWSET) { + struct nft_set *set = nft_trans_set(trans); + +@@ -3406,14 +3446,16 @@ static int nf_tables_dump_sets(struct sk + struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2]; + struct net *net = sock_net(skb->sk); + struct nft_ctx *ctx = cb->data, ctx_set; ++ struct nftables_pernet *nft_net; + + if (cb->args[1]) + return skb->len; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (ctx->family != NFPROTO_UNSPEC && + ctx->family != table->family) + continue; +@@ -4119,6 +4161,7 @@ static int nf_tables_dump_set(struct sk_ + { + struct nft_set_dump_ctx *dump_ctx = cb->data; + struct net *net = sock_net(skb->sk); ++ struct nftables_pernet *nft_net; + struct nft_table *table; + struct nft_set *set; + struct nft_set_dump_args args; +@@ -4129,7 +4172,8 @@ static int nf_tables_dump_set(struct sk_ + int event; + + rcu_read_lock(); +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (dump_ctx->ctx.family != NFPROTO_UNSPEC && + dump_ctx->ctx.family != table->family) + continue; +@@ -4733,7 +4777,7 @@ static int nft_add_set_elem(struct nft_c + } + + nft_trans_elem(trans) = elem; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + return 0; + + err6: +@@ -4758,6 +4802,7 @@ static int nf_tables_newsetelem(struct n + const struct nlattr * const nla[], + struct netlink_ext_ack *extack) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + 
u8 genmask = nft_genmask_next(net); + const struct nlattr *attr; + struct nft_set *set; +@@ -4787,7 +4832,7 @@ static int nf_tables_newsetelem(struct n + return err; + } + +- if (net->nft.validate_state == NFT_VALIDATE_DO) ++ if (nft_net->validate_state == NFT_VALIDATE_DO) + return nft_table_validate(net, ctx.table); + + return 0; +@@ -4900,7 +4945,7 @@ static int nft_del_setelem(struct nft_ct + nft_set_elem_deactivate(ctx->net, set, &elem); + + nft_trans_elem(trans) = elem; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + return 0; + + fail_ops: +@@ -4934,7 +4979,7 @@ static int nft_flush_set(const struct nf + nft_set_elem_deactivate(ctx->net, set, elem); + nft_trans_elem_set(trans) = set; + nft_trans_elem(trans) = *elem; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + err1: +@@ -5233,7 +5278,7 @@ static int nf_tables_updobj(const struct + nft_trans_obj(trans) = obj; + nft_trans_obj_update(trans) = true; + nft_trans_obj_newobj(trans) = newobj; +- list_add_tail(&trans->list, &ctx->net->nft.commit_list); ++ nft_trans_commit_list_add_tail(ctx->net, trans); + + return 0; + +@@ -5382,6 +5427,7 @@ static int nf_tables_dump_obj(struct sk_ + struct nft_obj_filter *filter = cb->data; + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; ++ struct nftables_pernet *nft_net; + struct nft_object *obj; + bool reset = false; + +@@ -5389,9 +5435,10 @@ static int nf_tables_dump_obj(struct sk_ + reset = true; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (family != NFPROTO_UNSPEC && family != table->family) + continue; + +@@ -6071,13 +6118,15 @@ static int nf_tables_dump_flowtable(stru + unsigned int idx = 
0, s_idx = cb->args[0]; + struct net *net = sock_net(skb->sk); + int family = nfmsg->nfgen_family; ++ struct nftables_pernet *nft_net; + struct nft_flowtable *flowtable; + const struct nft_table *table; + + rcu_read_lock(); +- cb->seq = net->nft.base_seq; ++ nft_net = net_generic(net, nf_tables_net_id); ++ cb->seq = nft_net->base_seq; + +- list_for_each_entry_rcu(table, &net->nft.tables, list) { ++ list_for_each_entry_rcu(table, &nft_net->tables, list) { + if (family != NFPROTO_UNSPEC && family != table->family) + continue; + +@@ -6247,6 +6296,7 @@ static void nf_tables_flowtable_destroy( + static int nf_tables_fill_gen_info(struct sk_buff *skb, struct net *net, + u32 portid, u32 seq) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nlmsghdr *nlh; + char buf[TASK_COMM_LEN]; + int event = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWGEN); +@@ -6256,7 +6306,7 @@ static int nf_tables_fill_gen_info(struc + if (!nlh) + goto nla_put_failure; + +- if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) || ++ if (nla_put_be32(skb, NFTA_GEN_ID, htonl(nft_net->base_seq)) || + nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) || + nla_put_string(skb, NFTA_GEN_PROC_NAME, get_task_comm(buf, current))) + goto nla_put_failure; +@@ -6289,6 +6339,7 @@ static int nf_tables_flowtable_event(str + { + struct net_device *dev = netdev_notifier_info_to_dev(ptr); + struct nft_flowtable *flowtable; ++ struct nftables_pernet *nft_net; + struct nft_table *table; + struct net *net; + +@@ -6296,13 +6347,14 @@ static int nf_tables_flowtable_event(str + return 0; + + net = dev_net(dev); +- mutex_lock(&net->nft.commit_mutex); +- list_for_each_entry(table, &net->nft.tables, list) { ++ nft_net = net_generic(net, nf_tables_net_id); ++ mutex_lock(&nft_net->commit_mutex); ++ list_for_each_entry(table, &nft_net->tables, list) { + list_for_each_entry(flowtable, &table->flowtables, list) { + nft_flowtable_event(event, dev, flowtable); + } + } +- 
mutex_unlock(&net->nft.commit_mutex); ++ mutex_unlock(&nft_net->commit_mutex); + + return NOTIFY_DONE; + } +@@ -6483,16 +6535,17 @@ static const struct nfnl_callback nf_tab + + static int nf_tables_validate(struct net *net) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_table *table; + +- switch (net->nft.validate_state) { ++ switch (nft_net->validate_state) { + case NFT_VALIDATE_SKIP: + break; + case NFT_VALIDATE_NEED: + nft_validate_state_update(net, NFT_VALIDATE_DO); + /* fall through */ + case NFT_VALIDATE_DO: +- list_for_each_entry(table, &net->nft.tables, list) { ++ list_for_each_entry(table, &nft_net->tables, list) { + if (nft_table_validate(net, table) < 0) + return -EAGAIN; + } +@@ -6666,9 +6719,10 @@ static int nf_tables_commit_chain_prepar + + static void nf_tables_commit_chain_prepare_cancel(struct net *net) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_trans *trans, *next; + +- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { ++ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) { + struct nft_chain *chain = trans->ctx.chain; + + if (trans->msg_type == NFT_MSG_NEWRULE || +@@ -6766,10 +6820,11 @@ static void nft_chain_del(struct nft_cha + + static void nf_tables_module_autoload_cleanup(struct net *net) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct nft_module_request *req, *next; + +- WARN_ON_ONCE(!list_empty(&net->nft.commit_list)); +- list_for_each_entry_safe(req, next, &net->nft.module_list, list) { ++ WARN_ON_ONCE(!list_empty(&nft_net->commit_list)); ++ list_for_each_entry_safe(req, next, &nft_net->module_list, list) { + WARN_ON_ONCE(!req->done); + list_del(&req->list); + kfree(req); +@@ -6778,6 +6833,7 @@ static void nf_tables_module_autoload_cl + + static void nf_tables_commit_release(struct net *net) + { ++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id); + struct 
nft_trans *trans;
+
+ /* all side effects have to be made visible.
+@@ -6787,38 +6843,39 @@ static void nf_tables_commit_release(str
+ * Memory reclaim happens asynchronously from work queue
+ * to prevent expensive synchronize_rcu() in commit phase.
+ */
+- if (list_empty(&net->nft.commit_list)) {
++ if (list_empty(&nft_net->commit_list)) {
+ nf_tables_module_autoload_cleanup(net);
+- mutex_unlock(&net->nft.commit_mutex);
++ mutex_unlock(&nft_net->commit_mutex);
+ return;
+ }
+
+- trans = list_last_entry(&net->nft.commit_list,
++ trans = list_last_entry(&nft_net->commit_list,
+ struct nft_trans, list);
+ get_net(trans->ctx.net);
+ WARN_ON_ONCE(trans->put_net);
+
+ trans->put_net = true;
+ spin_lock(&nf_tables_destroy_list_lock);
+- list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
++ list_splice_tail_init(&nft_net->commit_list, &nf_tables_destroy_list);
+ spin_unlock(&nf_tables_destroy_list_lock);
+
+ nf_tables_module_autoload_cleanup(net);
+ schedule_work(&trans_destroy_work);
+
+- mutex_unlock(&net->nft.commit_mutex);
++ mutex_unlock(&nft_net->commit_mutex);
+ }
+
+ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
+ {
++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nft_trans *trans, *next;
+ struct nft_trans_elem *te;
+ struct nft_chain *chain;
+ struct nft_table *table;
+ int err;
+
+- if (list_empty(&net->nft.commit_list)) {
+- mutex_unlock(&net->nft.commit_mutex);
++ if (list_empty(&nft_net->commit_list)) {
++ mutex_unlock(&nft_net->commit_mutex);
+ return 0;
+ }
+
+@@ -6831,7 +6888,7 @@ static int nf_tables_commit(struct net *
+ return err;
+
+ /* 1. Allocate space for next generation rules_gen_X[] */
+- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
++ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
+ int ret;
+
+ if (trans->msg_type == NFT_MSG_NEWRULE ||
+@@ -6847,7 +6904,7 @@ static int nf_tables_commit(struct net *
+ }
+
+ /* step 2. Make rules_gen_X visible to packet path */
+- list_for_each_entry(table, &net->nft.tables, list) {
++ list_for_each_entry(table, &nft_net->tables, list) {
+ list_for_each_entry(chain, &table->chains, list)
+ nf_tables_commit_chain(net, chain);
+ }
+@@ -6856,12 +6913,13 @@ static int nf_tables_commit(struct net *
+ * Bump generation counter, invalidate any dump in progress.
+ * Cannot fail after this point.
+ */
+- while (++net->nft.base_seq == 0);
++ while (++nft_net->base_seq == 0)
++ ;
+
+ /* step 3. Start new generation, rules_gen_X now in use. */
+ net->nft.gencursor = nft_gencursor_next(net);
+
+- list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
++ list_for_each_entry_safe(trans, next, &nft_net->commit_list, list) {
+ switch (trans->msg_type) {
+ case NFT_MSG_NEWTABLE:
+ if (nft_trans_table_update(trans)) {
+@@ -7003,17 +7061,18 @@ static int nf_tables_commit(struct net *
+
+ static void nf_tables_module_autoload(struct net *net)
+ {
++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nft_module_request *req, *next;
+ LIST_HEAD(module_list);
+
+- list_splice_init(&net->nft.module_list, &module_list);
+- mutex_unlock(&net->nft.commit_mutex);
++ list_splice_init(&nft_net->module_list, &module_list);
++ mutex_unlock(&nft_net->commit_mutex);
+ list_for_each_entry_safe(req, next, &module_list, list) {
+ request_module("%s", req->module);
+ req->done = true;
+ }
+- mutex_lock(&net->nft.commit_mutex);
+- list_splice(&module_list, &net->nft.module_list);
++ mutex_lock(&nft_net->commit_mutex);
++ list_splice(&module_list, &nft_net->module_list);
+ }
+
+ static void nf_tables_abort_release(struct nft_trans *trans)
+@@ -7047,6 +7106,7 @@ static void nf_tables_abort_release(stru
+
+ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
+ {
++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nft_trans *trans, *next;
+ struct nft_trans_elem *te;
+
+@@ -7054,7 +7114,7 @@ static int __nf_tables_abort(struct net
+ nf_tables_validate(net) < 0)
+ return -EAGAIN;
+
+- list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
++ list_for_each_entry_safe_reverse(trans, next, &nft_net->commit_list,
+ list) {
+ switch (trans->msg_type) {
+ case NFT_MSG_NEWTABLE:
+@@ -7166,7 +7226,7 @@ static int __nf_tables_abort(struct net
+ synchronize_rcu();
+
+ list_for_each_entry_safe_reverse(trans, next,
+- &net->nft.commit_list, list) {
++ &nft_net->commit_list, list) {
+ list_del(&trans->list);
+ nf_tables_abort_release(trans);
+ }
+@@ -7182,22 +7242,24 @@ static int __nf_tables_abort(struct net
+ static int nf_tables_abort(struct net *net, struct sk_buff *skb,
+ enum nfnl_abort_action action)
+ {
++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ int ret = __nf_tables_abort(net, action);
+
+- mutex_unlock(&net->nft.commit_mutex);
++ mutex_unlock(&nft_net->commit_mutex);
+
+ return ret;
+ }
+
+ static bool nf_tables_valid_genid(struct net *net, u32 genid)
+ {
++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ bool genid_ok;
+
+- mutex_lock(&net->nft.commit_mutex);
++ mutex_lock(&nft_net->commit_mutex);
+
+- genid_ok = genid == 0 || net->nft.base_seq == genid;
++ genid_ok = genid == 0 || nft_net->base_seq == genid;
+ if (!genid_ok)
+- mutex_unlock(&net->nft.commit_mutex);
++ mutex_unlock(&nft_net->commit_mutex);
+
+ /* else, commit mutex has to be released by commit or abort function */
+ return genid_ok;
+@@ -7754,19 +7816,19 @@ EXPORT_SYMBOL_GPL(__nft_release_basechai
+
+ static void __nft_release_hooks(struct net *net)
+ {
++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nft_table *table;
+ struct nft_chain *chain;
+
+- list_for_each_entry(table, &net->nft.tables, list) {
++ list_for_each_entry(table, &nft_net->tables, list) {
+ list_for_each_entry(chain, &table->chains, list)
+ nf_tables_unregister_hook(net, table, chain);
+ }
+ }
+
+-static void __nft_release_tables(struct net *net)
++static void __nft_release_table(struct net *net, struct nft_table *table)
+ {
+ struct nft_flowtable *flowtable, *nf;
+- struct nft_table *table, *nt;
+ struct nft_chain *chain, *nc;
+ struct nft_object *obj, *ne;
+ struct nft_rule *rule, *nr;
+@@ -7776,77 +7838,93 @@ static void __nft_release_tables(struct
+ .family = NFPROTO_NETDEV,
+ };
+
+- list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
+- ctx.family = table->family;
+- ctx.table = table;
+- list_for_each_entry(chain, &table->chains, list) {
+- ctx.chain = chain;
+- list_for_each_entry_safe(rule, nr, &chain->rules, list) {
+- list_del(&rule->list);
+- chain->use--;
+- nf_tables_rule_release(&ctx, rule);
+- }
+- }
+- list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
+- list_del(&flowtable->list);
+- table->use--;
+- nf_tables_flowtable_destroy(flowtable);
+- }
+- list_for_each_entry_safe(set, ns, &table->sets, list) {
+- list_del(&set->list);
+- table->use--;
+- nft_set_destroy(set);
+- }
+- list_for_each_entry_safe(obj, ne, &table->objects, list) {
+- nft_obj_del(obj);
+- table->use--;
+- nft_obj_destroy(&ctx, obj);
+- }
+- list_for_each_entry_safe(chain, nc, &table->chains, list) {
+- ctx.chain = chain;
+- nft_chain_del(chain);
+- table->use--;
+- nf_tables_chain_destroy(&ctx);
++ ctx.family = table->family;
++ ctx.table = table;
++ list_for_each_entry(chain, &table->chains, list) {
++ ctx.chain = chain;
++ list_for_each_entry_safe(rule, nr, &chain->rules, list) {
++ list_del(&rule->list);
++ chain->use--;
++ nf_tables_rule_release(&ctx, rule);
+ }
+- list_del(&table->list);
+- nf_tables_table_destroy(&ctx);
+ }
++ list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
++ list_del(&flowtable->list);
++ table->use--;
++ nf_tables_flowtable_destroy(flowtable);
++ }
++ list_for_each_entry_safe(set, ns, &table->sets, list) {
++ list_del(&set->list);
++ table->use--;
++ nft_set_destroy(set);
++ }
++ list_for_each_entry_safe(obj, ne, &table->objects, list) {
++ nft_obj_del(obj);
++ table->use--;
++ nft_obj_destroy(&ctx, obj);
++ }
++ list_for_each_entry_safe(chain, nc, &table->chains, list) {
++ ctx.chain = chain;
++ nft_chain_del(chain);
++ table->use--;
++ nf_tables_chain_destroy(&ctx);
++ }
++ list_del(&table->list);
++ nf_tables_table_destroy(&ctx);
++}
++
++static void __nft_release_tables(struct net *net)
++{
++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
++ struct nft_table *table, *nt;
++
++ list_for_each_entry_safe(table, nt, &nft_net->tables, list)
++ __nft_release_table(net, table);
+ }
+
+ static int __net_init nf_tables_init_net(struct net *net)
+ {
+- INIT_LIST_HEAD(&net->nft.tables);
+- INIT_LIST_HEAD(&net->nft.commit_list);
+- INIT_LIST_HEAD(&net->nft.module_list);
+- mutex_init(&net->nft.commit_mutex);
+- net->nft.base_seq = 1;
+- net->nft.validate_state = NFT_VALIDATE_SKIP;
++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
++
++ INIT_LIST_HEAD(&nft_net->tables);
++ INIT_LIST_HEAD(&nft_net->commit_list);
++ INIT_LIST_HEAD(&nft_net->module_list);
++ INIT_LIST_HEAD(&nft_net->notify_list);
++ mutex_init(&nft_net->commit_mutex);
++ nft_net->base_seq = 1;
++ nft_net->validate_state = NFT_VALIDATE_SKIP;
+
+ return 0;
+ }
+
+ static void __net_exit nf_tables_pre_exit_net(struct net *net)
+ {
+- mutex_lock(&net->nft.commit_mutex);
++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
++
++ mutex_lock(&nft_net->commit_mutex);
+ __nft_release_hooks(net);
+- mutex_unlock(&net->nft.commit_mutex);
++ mutex_unlock(&nft_net->commit_mutex);
+ }
+
+ static void __net_exit nf_tables_exit_net(struct net *net)
+ {
+- mutex_lock(&net->nft.commit_mutex);
+- if (!list_empty(&net->nft.commit_list))
++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
++
++ mutex_lock(&nft_net->commit_mutex);
++ if (!list_empty(&nft_net->commit_list))
+ __nf_tables_abort(net, NFNL_ABORT_NONE);
+ __nft_release_tables(net);
+- mutex_unlock(&net->nft.commit_mutex);
+- WARN_ON_ONCE(!list_empty(&net->nft.tables));
+- WARN_ON_ONCE(!list_empty(&net->nft.module_list));
++ mutex_unlock(&nft_net->commit_mutex);
++ WARN_ON_ONCE(!list_empty(&nft_net->tables));
++ WARN_ON_ONCE(!list_empty(&nft_net->module_list));
+ }
+
+ static struct pernet_operations nf_tables_net_ops = {
+ .init = nf_tables_init_net,
+ .pre_exit = nf_tables_pre_exit_net,
+ .exit = nf_tables_exit_net,
++ .id = &nf_tables_net_id,
++ .size = sizeof(struct nftables_pernet),
+ };
+
+ static int __init nf_tables_module_init(void)
+--- a/net/netfilter/nf_tables_offload.c
++++ b/net/netfilter/nf_tables_offload.c
+@@ -7,6 +7,8 @@
+ #include
+ #include
+
++extern unsigned int nf_tables_net_id;
++
+ static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions)
+ {
+ struct nft_flow_rule *flow;
+@@ -345,11 +347,12 @@ static int nft_flow_offload_chain(struct
+
+ int nft_flow_rule_offload_commit(struct net *net)
+ {
++ struct nftables_pernet *nft_net = net_generic(net, nf_tables_net_id);
+ struct nft_trans *trans;
+ int err = 0;
+ u8 policy;
+
+- list_for_each_entry(trans, &net->nft.commit_list, list) {
++ list_for_each_entry(trans, &nft_net->commit_list, list) {
+ if (trans->ctx.family != NFPROTO_NETDEV)
+ continue;
+
+@@ -400,7 +403,7 @@ int nft_flow_rule_offload_commit(struct
+ break;
+ }
+
+- list_for_each_entry(trans, &net->nft.commit_list, list) {
++ list_for_each_entry(trans, &nft_net->commit_list, list) {
+ if (trans->ctx.family != NFPROTO_NETDEV)
+ continue;
+
+@@ -419,14 +422,14 @@ int nft_flow_rule_offload_commit(struct
+ return err;
+ }
+
+-static struct nft_chain *__nft_offload_get_chain(struct net_device *dev)
++static struct nft_chain *__nft_offload_get_chain(const struct nftables_pernet *nft_net,
++ struct net_device *dev)
+ {
+ struct nft_base_chain *basechain;
+- struct net *net = dev_net(dev);
+ const struct nft_table *table;
+ struct nft_chain *chain;
+
+- list_for_each_entry(table, &net->nft.tables, list) {
++ list_for_each_entry(table, &nft_net->tables, list) {
+ if (table->family != NFPROTO_NETDEV)
+ continue;
+
+@@ -450,18 +453,20 @@ static void nft_indr_block_cb(struct net
+ flow_indr_block_bind_cb_t *cb, void *cb_priv,
+ enum flow_block_command cmd)
+ {
++ struct nftables_pernet *nft_net;
+ struct net *net = dev_net(dev);
+ struct nft_chain *chain;
+
+- mutex_lock(&net->nft.commit_mutex);
+- chain = __nft_offload_get_chain(dev);
++ nft_net = net_generic(net, nf_tables_net_id);
++ mutex_lock(&nft_net->commit_mutex);
++ chain = __nft_offload_get_chain(nft_net, dev);
+ if (chain && chain->flags & NFT_CHAIN_HW_OFFLOAD) {
+ struct nft_base_chain *basechain;
+
+ basechain = nft_base_chain(chain);
+ nft_indr_block_ing_cmd(dev, basechain, cb, cb_priv, cmd);
+ }
+- mutex_unlock(&net->nft.commit_mutex);
++ mutex_unlock(&nft_net->commit_mutex);
+ }
+
+ static void nft_offload_chain_clean(struct nft_chain *chain)
+@@ -480,17 +485,19 @@ static int nft_offload_netdev_event(stru
+ unsigned long event, void *ptr)
+ {
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++ struct nftables_pernet *nft_net;
+ struct net *net = dev_net(dev);
+ struct nft_chain *chain;
+
+ if (event != NETDEV_UNREGISTER)
+ return NOTIFY_DONE;
+
+- mutex_lock(&net->nft.commit_mutex);
+- chain = __nft_offload_get_chain(dev);
++ nft_net = net_generic(net, nf_tables_net_id);
++ mutex_lock(&nft_net->commit_mutex);
++ chain = __nft_offload_get_chain(nft_net, dev);
+ if (chain)
+ nft_offload_chain_clean(chain);
+- mutex_unlock(&net->nft.commit_mutex);
++ mutex_unlock(&nft_net->commit_mutex);
+
+ return NOTIFY_DONE;
+ }
+--- a/net/netfilter/nft_chain_filter.c
++++ b/net/netfilter/nft_chain_filter.c
+@@ -2,6 +2,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -10,6 +11,8 @@
+ #include
+ #include
+
++extern unsigned int nf_tables_net_id;
++
+ #ifdef CONFIG_NF_TABLES_IPV4
+ static unsigned int nft_do_chain_ipv4(void *priv,
+ struct sk_buff *skb,
+@@ -315,6 +318,7 @@ static int nf_tables_netdev_event(struct
+ unsigned long event, void *ptr)
+ {
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
++ struct nftables_pernet *nft_net;
+ struct nft_table *table;
+ struct nft_chain *chain, *nr;
+ struct nft_ctx ctx = {
+@@ -325,8 +329,9 @@ static int nf_tables_netdev_event(struct
+ event != NETDEV_CHANGENAME)
+ return NOTIFY_DONE;
+
+- mutex_lock(&ctx.net->nft.commit_mutex);
+- list_for_each_entry(table, &ctx.net->nft.tables, list) {
++ nft_net = net_generic(ctx.net, nf_tables_net_id);
++ mutex_lock(&nft_net->commit_mutex);
++ list_for_each_entry(table, &nft_net->tables, list) {
+ if (table->family != NFPROTO_NETDEV)
+ continue;
+
+@@ -340,7 +345,7 @@ static int nf_tables_netdev_event(struct
+ nft_netdev_event(event, dev, &ctx);
+ }
+ }
+- mutex_unlock(&ctx.net->nft.commit_mutex);
++ mutex_unlock(&nft_net->commit_mutex);
+
+ return NOTIFY_DONE;
+ }
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -11,6 +11,9 @@
+ #include
+ #include
+ #include
++#include
++
++extern unsigned int nf_tables_net_id;
+
+ struct nft_dynset {
+ struct nft_set *set;
+@@ -129,13 +132,14 @@ static int nft_dynset_init(const struct
+ const struct nft_expr *expr,
+ const struct nlattr * const tb[])
+ {
++ struct nftables_pernet *nft_net = net_generic(ctx->net, nf_tables_net_id);
+ struct nft_dynset *priv = nft_expr_priv(expr);
+ u8 genmask = nft_genmask_next(ctx->net);
+ struct nft_set *set;
+ u64 timeout;
+ int err;
+
+- lockdep_assert_held(&ctx->net->nft.commit_mutex);
++ lockdep_assert_held(&nft_net->commit_mutex);
+
+ if (tb[NFTA_DYNSET_SET_NAME] == NULL ||
+ tb[NFTA_DYNSET_OP] == NULL ||
diff --git a/tmp-5.4/netfilter-nftables-add-helper-function-to-set-the-base-sequence-number.patch b/tmp-5.4/netfilter-nftables-add-helper-function-to-set-the-base-sequence-number.patch
new file mode 100644
index 00000000000..deec0868261
--- /dev/null
+++ b/tmp-5.4/netfilter-nftables-add-helper-function-to-set-the-base-sequence-number.patch
@@ -0,0 +1,117 @@
+From stable-owner@vger.kernel.org Wed Jul 5 18:54:50 2023
+From: Pablo Neira Ayuso
+Date: Wed, 5 Jul 2023 18:54:15 +0200
+Subject: netfilter: nftables: add helper function to set the base sequence number
+To: netfilter-devel@vger.kernel.org
+Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
+Message-ID: <20230705165423.50054-3-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso
+
+[ 802b805162a1b7d8391c40ac8a878e9e63287aff ]
+
+This patch adds a helper function to calculate the base sequence number
+field that is stored in the nfnetlink header. Use the helper function
+whenever possible.
+
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -588,6 +588,11 @@ nf_tables_chain_type_lookup(struct net *
+ return ERR_PTR(-ENOENT);
+ }
+
++static __be16 nft_base_seq(const struct net *net)
++{
++ return htons(net->nft.base_seq & 0xffff);
++}
++
+ static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
+ [NFTA_TABLE_NAME] = { .type = NLA_STRING,
+ .len = NFT_TABLE_MAXNAMELEN - 1 },
+@@ -610,7 +615,7 @@ static int nf_tables_fill_table_info(str
+ nfmsg = nlmsg_data(nlh);
+ nfmsg->nfgen_family = family;
+ nfmsg->version = NFNETLINK_V0;
+- nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
++ nfmsg->res_id = nft_base_seq(net);
+
+ if (nla_put_string(skb, NFTA_TABLE_NAME, table->name) ||
+ nla_put_be32(skb, NFTA_TABLE_FLAGS, htonl(table->flags)) ||
+@@ -1274,7 +1279,7 @@ static int nf_tables_fill_chain_info(str
+ nfmsg = nlmsg_data(nlh);
+ nfmsg->nfgen_family = family;
+ nfmsg->version = NFNETLINK_V0;
+- nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
++ nfmsg->res_id = nft_base_seq(net);
+
+ if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
+ goto nla_put_failure;
+@@ -2366,7 +2371,7 @@ static int nf_tables_fill_rule_info(stru
+ nfmsg = nlmsg_data(nlh);
+ nfmsg->nfgen_family = family;
+ nfmsg->version = NFNETLINK_V0;
+- nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
++ nfmsg->res_id = nft_base_seq(net);
+
+ if (nla_put_string(skb, NFTA_RULE_TABLE, table->name))
+ goto nla_put_failure;
+@@ -3325,7 +3330,7 @@ static int nf_tables_fill_set(struct sk_
+ nfmsg = nlmsg_data(nlh);
+ nfmsg->nfgen_family = ctx->family;
+ nfmsg->version = NFNETLINK_V0;
+- nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
++ nfmsg->res_id = nft_base_seq(ctx->net);
+
+ if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
+ goto nla_put_failure;
+@@ -4180,7 +4185,7 @@ static int nf_tables_dump_set(struct sk_
+ nfmsg = nlmsg_data(nlh);
+ nfmsg->nfgen_family = table->family;
+ nfmsg->version = NFNETLINK_V0;
+- nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
++ nfmsg->res_id = nft_base_seq(net);
+
+ if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
+ goto nla_put_failure;
+@@ -4252,7 +4257,7 @@ static int nf_tables_fill_setelem_info(s
+ nfmsg = nlmsg_data(nlh);
+ nfmsg->nfgen_family = ctx->family;
+ nfmsg->version = NFNETLINK_V0;
+- nfmsg->res_id = htons(ctx->net->nft.base_seq & 0xffff);
++ nfmsg->res_id = nft_base_seq(ctx->net);
+
+ if (nla_put_string(skb, NFTA_SET_TABLE, ctx->table->name))
+ goto nla_put_failure;
+@@ -5383,7 +5388,7 @@ static int nf_tables_fill_obj_info(struc
+ nfmsg = nlmsg_data(nlh);
+ nfmsg->nfgen_family = family;
+ nfmsg->version = NFNETLINK_V0;
+- nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
++ nfmsg->res_id = nft_base_seq(net);
+
+ if (nla_put_string(skb, NFTA_OBJ_TABLE, table->name) ||
+ nla_put_string(skb, NFTA_OBJ_NAME, obj->key.name) ||
+@@ -6059,7 +6064,7 @@ static int nf_tables_fill_flowtable_info
+ nfmsg = nlmsg_data(nlh);
+ nfmsg->nfgen_family = family;
+ nfmsg->version = NFNETLINK_V0;
+- nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
++ nfmsg->res_id = nft_base_seq(net);
+
+ if (nla_put_string(skb, NFTA_FLOWTABLE_TABLE, flowtable->table->name) ||
+ nla_put_string(skb, NFTA_FLOWTABLE_NAME, flowtable->name) ||
+@@ -6297,7 +6302,7 @@ static int nf_tables_fill_gen_info(struc
+ nfmsg = nlmsg_data(nlh);
+ nfmsg->nfgen_family = AF_UNSPEC;
+ nfmsg->version = NFNETLINK_V0;
+- nfmsg->res_id = htons(net->nft.base_seq & 0xffff);
++ nfmsg->res_id = nft_base_seq(net);
+
+ if (nla_put_be32(skb, NFTA_GEN_ID, htonl(net->nft.base_seq)) ||
+ nla_put_be32(skb, NFTA_GEN_PROC_PID, htonl(task_pid_nr(current))) ||
diff --git a/tmp-5.4/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch b/tmp-5.4/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch
new file mode 100644
index 00000000000..2c4fc922355
--- /dev/null
+++ b/tmp-5.4/netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch
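Review bot: The new nft_base_seq() helper carries no comment saying that it deliberately keeps only the low 16 bits of the generation counter for nfgenmsg->res_id, while nf_tables_fill_gen_info() in the last hunk still sends the wider value through `htonl(net->nft.base_seq)` for NFTA_GEN_ID. A one-line comment above the helper, for example `/* low 16 bits of the ruleset generation, network byte order, as carried in nfgenmsg->res_id */`, would keep a later reader from widening the mask or routing NFTA_GEN_ID through the helper. The helper also reads base_seq with no locking or annotation of its own; whether every caller runs under the commit mutex or tolerates a racing update is not visible in these hunks and is worth confirming.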
@@ -0,0 +1,152 @@
+From 778da9b0089a01d054cff210e6250f4fdb1821da Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 26 Jun 2023 09:43:13 -0700
+Subject: netlink: Add __sock_i_ino() for __netlink_diag_dump().
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 25a9c8a4431c364f97f75558cb346d2ad3f53fbb ]
+
+syzbot reported a warning in __local_bh_enable_ip(). [0]
+
+Commit 8d61f926d420 ("netlink: fix potential deadlock in
+netlink_set_err()") converted read_lock(&nl_table_lock) to
+read_lock_irqsave() in __netlink_diag_dump() to prevent a deadlock.
+
+However, __netlink_diag_dump() calls sock_i_ino() that uses
+read_lock_bh() and read_unlock_bh(). If CONFIG_TRACE_IRQFLAGS=y,
+read_unlock_bh() finally enables IRQ even though it should stay
+disabled until the following read_unlock_irqrestore().
+
+Using read_lock() in sock_i_ino() would trigger a lockdep splat
+in another place that was fixed in commit f064af1e500a ("net: fix
+a lockdep splat"), so let's add __sock_i_ino() that would be safe
+to use under BH disabled.
+
+[0]:
+WARNING: CPU: 0 PID: 5012 at kernel/softirq.c:376 __local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376
+Modules linked in:
+CPU: 0 PID: 5012 Comm: syz-executor487 Not tainted 6.4.0-rc7-syzkaller-00202-g6f68fc395f49 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
+RIP: 0010:__local_bh_enable_ip+0xbe/0x130 kernel/softirq.c:376
+Code: 45 bf 01 00 00 00 e8 91 5b 0a 00 e8 3c 15 3d 00 fb 65 8b 05 ec e9 b5 7e 85 c0 74 58 5b 5d c3 65 8b 05 b2 b6 b4 7e 85 c0 75 a2 <0f> 0b eb 9e e8 89 15 3d 00 eb 9f 48 89 ef e8 6f 49 18 00 eb a8 0f
+RSP: 0018:ffffc90003a1f3d0 EFLAGS: 00010046
+RAX: 0000000000000000 RBX: 0000000000000201 RCX: 1ffffffff1cf5996
+RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff8805c6f3
+RBP: ffffffff8805c6f3 R08: 0000000000000001 R09: ffff8880152b03a3
+R10: ffffed1002a56074 R11: 0000000000000005 R12: 00000000000073e4
+R13: dffffc0000000000 R14: 0000000000000002 R15: 0000000000000000
+FS: 0000555556726300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000000045ad50 CR3: 000000007c646000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+
+ sock_i_ino+0x83/0xa0 net/core/sock.c:2559
+ __netlink_diag_dump+0x45c/0x790 net/netlink/diag.c:171
+ netlink_diag_dump+0xd6/0x230 net/netlink/diag.c:207
+ netlink_dump+0x570/0xc50 net/netlink/af_netlink.c:2269
+ __netlink_dump_start+0x64b/0x910 net/netlink/af_netlink.c:2374
+ netlink_dump_start include/linux/netlink.h:329 [inline]
+ netlink_diag_handler_dump+0x1ae/0x250 net/netlink/diag.c:238
+ __sock_diag_cmd net/core/sock_diag.c:238 [inline]
+ sock_diag_rcv_msg+0x31e/0x440 net/core/sock_diag.c:269
+ netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2547
+ sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280
+ netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+ netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1365
+ netlink_sendmsg+0x925/0xe30 net/netlink/af_netlink.c:1914
+ sock_sendmsg_nosec net/socket.c:724 [inline]
+ sock_sendmsg+0xde/0x190 net/socket.c:747
+ ____sys_sendmsg+0x71c/0x900 net/socket.c:2503
+ ___sys_sendmsg+0x110/0x1b0 net/socket.c:2557
+ __sys_sendmsg+0xf7/0x1c0 net/socket.c:2586
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7f5303aaabb9
+Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffc7506e548 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5303aaabb9
+RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
+RBP: 00007f5303a6ed60 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5303a6edf0
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+
+Fixes: 8d61f926d420 ("netlink: fix potential deadlock in netlink_set_err()")
+Reported-by: syzbot+5da61cf6a9bc1902d422@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=5da61cf6a9bc1902d422
+Suggested-by: Eric Dumazet
+Signed-off-by: Kuniyuki Iwashima
+Reviewed-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230626164313.52528-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/sock.h | 1 +
+ net/core/sock.c | 17 ++++++++++++++---
+ net/netlink/diag.c | 2 +-
+ 3 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 87e57f81ee82b..ee8630d6abc16 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1863,6 +1863,7 @@ static inline void sock_graft(struct sock *sk, struct socket *parent)
+ }
+
+ kuid_t sock_i_uid(struct sock *sk);
++unsigned long __sock_i_ino(struct sock *sk);
+ unsigned long sock_i_ino(struct sock *sk);
+
+ static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk)
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 5e1dccbd61a60..d55eea5538bce 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2085,13 +2085,24 @@ kuid_t sock_i_uid(struct sock *sk)
+ }
+ EXPORT_SYMBOL(sock_i_uid);
+
+-unsigned long sock_i_ino(struct sock *sk)
++unsigned long __sock_i_ino(struct sock *sk)
+ {
+ unsigned long ino;
+
+- read_lock_bh(&sk->sk_callback_lock);
++ read_lock(&sk->sk_callback_lock);
+ ino = sk->sk_socket ? SOCK_INODE(sk->sk_socket)->i_ino : 0;
+- read_unlock_bh(&sk->sk_callback_lock);
++ read_unlock(&sk->sk_callback_lock);
++ return ino;
++}
++EXPORT_SYMBOL(__sock_i_ino);
++
++unsigned long sock_i_ino(struct sock *sk)
++{
++ unsigned long ino;
++
++ local_bh_disable();
++ ino = __sock_i_ino(sk);
++ local_bh_enable();
+ return ino;
+ }
+ EXPORT_SYMBOL(sock_i_ino);
+diff --git a/net/netlink/diag.c b/net/netlink/diag.c
+index 4143b2ea4195a..e4f21b1067bcc 100644
+--- a/net/netlink/diag.c
++++ b/net/netlink/diag.c
+@@ -168,7 +168,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
+ NETLINK_CB(cb->skb).portid,
+ cb->nlh->nlmsg_seq,
+ NLM_F_MULTI,
+- sock_i_ino(sk)) < 0) {
++ __sock_i_ino(sk)) < 0) {
+ ret = 1;
+ break;
+ }
+--
+2.39.2
+
diff --git a/tmp-5.4/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch b/tmp-5.4/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch
new file mode 100644
index 00000000000..3f63bf4330f
--- /dev/null
+++ b/tmp-5.4/netlink-do-not-hard-code-device-address-lenth-in-fdb.patch
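Review bot: __sock_i_ino() is exported without any statement of its calling context, although in net/core/sock.c it takes sk_callback_lock with plain read_lock() and, per the commit message, is only meant for callers that already run with bottom halves or IRQs off, such as __netlink_diag_dump() under read_lock_irqsave(). A comment above the definition, for example `/* Caller must have BH or IRQs disabled; use sock_i_ino() otherwise. */`, would make that precondition visible to other users of the export. The same reasoning suggests that any other sock_i_ino() caller running with IRQs disabled would trip the warning shown in the trace; none is visible in these hunks, so that is worth a check rather than a known defect.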
@@ -0,0 +1,157 @@
+From 5f258f295e9638b079527a816407f29a70aaf082 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jun 2023 17:47:20 +0000
+Subject: netlink: do not hard code device address lenth in fdb dumps
+
+From: Eric Dumazet
+
+[ Upstream commit aa5406950726e336c5c9585b09799a734b6e77bf ]
+
+syzbot reports that some netdev devices do not have a six bytes
+address [1]
+
+Replace ETH_ALEN by dev->addr_len.
+
+[1] (Case of a device where dev->addr_len = 4)
+
+BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169
+instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+copyout+0xb8/0x100 lib/iov_iter.c:169
+_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536
+copy_to_iter include/linux/uio.h:206 [inline]
+simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513
+__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
+skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527
+skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
+netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970
+sock_recvmsg_nosec net/socket.c:1019 [inline]
+sock_recvmsg net/socket.c:1040 [inline]
+____sys_recvmsg+0x283/0x7f0 net/socket.c:2722
+___sys_recvmsg+0x223/0x840 net/socket.c:2764
+do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
+__sys_recvmmsg net/socket.c:2937 [inline]
+__do_sys_recvmmsg net/socket.c:2960 [inline]
+__se_sys_recvmmsg net/socket.c:2953 [inline]
+__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was stored to memory at:
+__nla_put lib/nlattr.c:1009 [inline]
+nla_put+0x1c6/0x230 lib/nlattr.c:1067
+nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071
+nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]
+ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456
+rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629
+netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268
+netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995
+sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019
+____sys_recvmsg+0x664/0x7f0 net/socket.c:2720
+___sys_recvmsg+0x223/0x840 net/socket.c:2764
+do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
+__sys_recvmmsg net/socket.c:2937 [inline]
+__do_sys_recvmmsg net/socket.c:2960 [inline]
+__se_sys_recvmmsg net/socket.c:2953 [inline]
+__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was created at:
+slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716
+slab_alloc_node mm/slub.c:3451 [inline]
+__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490
+kmalloc_trace+0x51/0x200 mm/slab_common.c:1057
+kmalloc include/linux/slab.h:559 [inline]
+__hw_addr_create net/core/dev_addr_lists.c:60 [inline]
+__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118
+__dev_mc_add net/core/dev_addr_lists.c:867 [inline]
+dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885
+igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680
+ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754
+ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708
+addrconf_type_change net/ipv6/addrconf.c:3731 [inline]
+addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699
+notifier_call_chain kernel/notifier.c:93 [inline]
+raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461
+call_netdevice_notifiers_info net/core/dev.c:1935 [inline]
+call_netdevice_notifiers_extack net/core/dev.c:1973 [inline]
+call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987
+bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906
+do_set_master net/core/rtnetlink.c:2626 [inline]
+rtnl_newlink_create net/core/rtnetlink.c:3460 [inline]
+__rtnl_newlink net/core/rtnetlink.c:3660 [inline]
+rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673
+rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395
+netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546
+rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413
+netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365
+netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913
+sock_sendmsg_nosec net/socket.c:724 [inline]
+sock_sendmsg net/socket.c:747 [inline]
+____sys_sendmsg+0x999/0xd50 net/socket.c:2503
+___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557
+__sys_sendmsg net/socket.c:2586 [inline]
+__do_sys_sendmsg net/socket.c:2595 [inline]
+__se_sys_sendmsg net/socket.c:2593 [inline]
+__x64_sys_sendmsg+0x304/0x490 net/socket.c:2593
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Bytes 2856-2857 of 3500 are uninitialized
+Memory access of size 3500 starts at ffff888018d99104
+Data copied to user address 0000000020000480
+
+Fixes: d83b06036048 ("net: add fdb generic dump routine")
+Reported-by: syzbot
+Signed-off-by: Eric Dumazet
+Reviewed-by: Jiri Pirko
+Link: https://lore.kernel.org/r/20230621174720.1845040-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/core/rtnetlink.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 0b0107797e490..1db92a44548f0 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -3586,7 +3586,7 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb,
+ ndm->ndm_ifindex = dev->ifindex;
+ ndm->ndm_state = ndm_state;
+
+- if (nla_put(skb, NDA_LLADDR, ETH_ALEN, addr))
++ if (nla_put(skb, NDA_LLADDR, dev->addr_len, addr))
+ goto nla_put_failure;
+ if (vid)
+ if (nla_put(skb, NDA_VLAN, sizeof(u16), &vid))
+@@ -3600,10 +3600,10 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb,
+ return -EMSGSIZE;
+ }
+
+-static inline size_t rtnl_fdb_nlmsg_size(void)
++static inline size_t rtnl_fdb_nlmsg_size(const struct net_device *dev)
+ {
+ return NLMSG_ALIGN(sizeof(struct ndmsg)) +
+- nla_total_size(ETH_ALEN) + /* NDA_LLADDR */
++ nla_total_size(dev->addr_len) + /* NDA_LLADDR */
+ nla_total_size(sizeof(u16)) + /* NDA_VLAN */
+ 0;
+ }
+@@ -3615,7 +3615,7 @@ static void rtnl_fdb_notify(struct net_device *dev, u8 *addr, u16 vid, int type,
+ struct sk_buff *skb;
+ int err = -ENOBUFS;
+
+- skb = nlmsg_new(rtnl_fdb_nlmsg_size(), GFP_ATOMIC);
++ skb = nlmsg_new(rtnl_fdb_nlmsg_size(dev), GFP_ATOMIC);
+ if (!skb)
+ goto errout;
+
+--
+2.39.2
+
diff --git a/tmp-5.4/netlink-fix-potential-deadlock-in-netlink_set_err.patch b/tmp-5.4/netlink-fix-potential-deadlock-in-netlink_set_err.patch
new file mode 100644
index 00000000000..dcb8e7d95e1
--- /dev/null
+++ b/tmp-5.4/netlink-fix-potential-deadlock-in-netlink_set_err.patch
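Review bot: The nla_put() for NDA_LLADDR in nlmsg_populate_fdb_fill() now copies dev->addr_len bytes from addr, so every caller has to pass a buffer at least that long, and nothing in these hunks checks or documents it. That holds for entries taken from the device's own address lists, as in the KMSAN report, but if any path hands rtnl_fdb_notify() an address whose length was validated against ETH_ALEN (not visible here), a device with a longer addr_len would turn the copy into a read past the supplied buffer. It is worth confirming the callers of both functions and recording the requirement, for example `/* addr must point to at least dev->addr_len bytes */` above rtnl_fdb_notify(). The bodies of nlmsg_populate_fdb_fill() and rtnl_fdb_notify() continue outside the hunks.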
@@ -0,0 +1,117 @@
+From 948b5b0cabac04cbb909065b88e8498feb9c99ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jun 2023 15:43:37 +0000
+Subject: netlink: fix potential deadlock in netlink_set_err()
+
+From: Eric Dumazet
+
+[ Upstream commit 8d61f926d42045961e6b65191c09e3678d86a9cf ]
+
+syzbot reported a possible deadlock in netlink_set_err() [1]
+
+A similar issue was fixed in commit 1d482e666b8e ("netlink: disable IRQs
+for netlink_lock_table()") in netlink_lock_table()
+
+This patch adds IRQ safety to netlink_set_err() and __netlink_diag_dump()
+which were not covered by cited commit.
+
+[1]
+
+WARNING: possible irq lock inversion dependency detected
+6.4.0-rc6-syzkaller-00240-g4e9f0ec38852 #0 Not tainted
+
+syz-executor.2/23011 just changed the state of lock:
+ffffffff8e1a7a58 (nl_table_lock){.+.?}-{2:2}, at: netlink_set_err+0x2e/0x3a0 net/netlink/af_netlink.c:1612
+but this lock was taken by another, SOFTIRQ-safe lock in the past:
+ (&local->queue_stop_reason_lock){..-.}-{2:2}
+
+and interrupts could create inverse lock ordering between them.
+
+other info that might help us debug this:
+ Possible interrupt unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(nl_table_lock);
+ local_irq_disable();
+ lock(&local->queue_stop_reason_lock);
+ lock(nl_table_lock);
+
+ lock(&local->queue_stop_reason_lock);
+
+ *** DEADLOCK ***
+
+Fixes: 1d482e666b8e ("netlink: disable IRQs for netlink_lock_table()")
+Reported-by: syzbot+a7d200a347f912723e5c@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=a7d200a347f912723e5c
+Link: https://lore.kernel.org/netdev/000000000000e38d1605fea5747e@google.com/T/#u
+Signed-off-by: Eric Dumazet
+Cc: Johannes Berg
+Link: https://lore.kernel.org/r/20230621154337.1668594-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/netlink/af_netlink.c | 5 +++--
+ net/netlink/diag.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index bf7e300e8c25d..29eabd45b832a 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1601,6 +1601,7 @@ static int do_one_set_err(struct sock *sk, struct netlink_set_err_data *p)
+ int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code)
+ {
+ struct netlink_set_err_data info;
++ unsigned long flags;
+ struct sock *sk;
+ int ret = 0;
+
+@@ -1610,12 +1611,12 @@ int netlink_set_err(struct sock *ssk, u32 portid, u32 group, int code)
+ /* sk->sk_err wants a positive error value */
+ info.code = -code;
+
+- read_lock(&nl_table_lock);
++ read_lock_irqsave(&nl_table_lock, flags);
+
+ sk_for_each_bound(sk, &nl_table[ssk->sk_protocol].mc_list)
+ ret += do_one_set_err(sk, &info);
+
+- read_unlock(&nl_table_lock);
++ read_unlock_irqrestore(&nl_table_lock, flags);
+ return ret;
+ }
+ EXPORT_SYMBOL(netlink_set_err);
+diff --git a/net/netlink/diag.c b/net/netlink/diag.c
+index c6255eac305c7..4143b2ea4195a 100644
+--- a/net/netlink/diag.c
++++ b/net/netlink/diag.c
+@@ -94,6 +94,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
+ struct net *net = sock_net(skb->sk);
+ struct netlink_diag_req *req;
+ struct netlink_sock *nlsk;
++ unsigned long flags;
+ struct sock *sk;
+ int num = 2;
+ int ret = 0;
+@@ -152,7 +153,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
+ num++;
+
+ mc_list:
+- read_lock(&nl_table_lock);
++ read_lock_irqsave(&nl_table_lock, flags);
+ sk_for_each_bound(sk, &tbl->mc_list) {
+ if (sk_hashed(sk))
+ continue;
+@@ -173,7 +174,7 @@ static int __netlink_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
+ }
+ num++;
+ }
+- read_unlock(&nl_table_lock);
++ read_unlock_irqrestore(&nl_table_lock, flags);
+
+ done:
+ cb->args[0] = num;
+--
+2.39.2
+
diff --git a/tmp-5.4/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch b/tmp-5.4/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch
new file mode 100644
index 00000000000..9ac1d733574
--- /dev/null
+++ b/tmp-5.4/nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch
@@ -0,0 +1,465 @@ +From d7791cb815175aa568c4ce42a8772e693d9331a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jul 2021 16:41:59 +0200 +Subject: nfc: constify several pointers to u8, char and sk_buff + +From: Krzysztof Kozlowski + +[ Upstream commit 3df40eb3a2ea58bf404a38f15a7a2768e4762cb0 ] + +Several functions receive pointers to u8, char or sk_buff but do not +modify the contents so make them const. This allows doing the same for +local variables and in total makes the code a little bit safer. + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Stable-dep-of: 0d9b41daa590 ("nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect()") +Signed-off-by: Sasha Levin +--- + include/net/nfc/nfc.h | 4 ++-- + net/nfc/core.c | 4 ++-- + net/nfc/hci/llc_shdlc.c | 10 ++++----- + net/nfc/llcp.h | 8 +++---- + net/nfc/llcp_commands.c | 46 ++++++++++++++++++++++------------------- + net/nfc/llcp_core.c | 44 +++++++++++++++++++++------------------ + net/nfc/nfc.h | 2 +- + 7 files changed, 63 insertions(+), 55 deletions(-) + +diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h +index 5d277d68fd8d9..c55e72474eb2b 100644 +--- a/include/net/nfc/nfc.h ++++ b/include/net/nfc/nfc.h +@@ -266,7 +266,7 @@ struct sk_buff *nfc_alloc_send_skb(struct nfc_dev *dev, struct sock *sk, + struct sk_buff *nfc_alloc_recv_skb(unsigned int size, gfp_t gfp); + + int nfc_set_remote_general_bytes(struct nfc_dev *dev, +- u8 *gt, u8 gt_len); ++ const u8 *gt, u8 gt_len); + u8 *nfc_get_local_general_bytes(struct nfc_dev *dev, size_t *gb_len); + + int nfc_fw_download_done(struct nfc_dev *dev, const char *firmware_name, +@@ -280,7 +280,7 @@ int nfc_dep_link_is_up(struct nfc_dev *dev, u32 target_idx, + u8 comm_mode, u8 rf_mode); + + int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode, +- u8 *gb, size_t gb_len); ++ const u8 *gb, size_t gb_len); + int nfc_tm_deactivated(struct nfc_dev *dev); + int nfc_tm_data_received(struct nfc_dev *dev, 
struct sk_buff *skb); + +diff --git a/net/nfc/core.c b/net/nfc/core.c +index 2d4729d1f0eb9..fef112fb49930 100644 +--- a/net/nfc/core.c ++++ b/net/nfc/core.c +@@ -634,7 +634,7 @@ int nfc_disable_se(struct nfc_dev *dev, u32 se_idx) + return rc; + } + +-int nfc_set_remote_general_bytes(struct nfc_dev *dev, u8 *gb, u8 gb_len) ++int nfc_set_remote_general_bytes(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + { + pr_debug("dev_name=%s gb_len=%d\n", dev_name(&dev->dev), gb_len); + +@@ -663,7 +663,7 @@ int nfc_tm_data_received(struct nfc_dev *dev, struct sk_buff *skb) + EXPORT_SYMBOL(nfc_tm_data_received); + + int nfc_tm_activated(struct nfc_dev *dev, u32 protocol, u8 comm_mode, +- u8 *gb, size_t gb_len) ++ const u8 *gb, size_t gb_len) + { + int rc; + +diff --git a/net/nfc/hci/llc_shdlc.c b/net/nfc/hci/llc_shdlc.c +index 0eb4ddc056e78..02909e3e91ef1 100644 +--- a/net/nfc/hci/llc_shdlc.c ++++ b/net/nfc/hci/llc_shdlc.c +@@ -123,7 +123,7 @@ static bool llc_shdlc_x_lteq_y_lt_z(int x, int y, int z) + return ((y >= x) || (y < z)) ? true : false; + } + +-static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc, ++static struct sk_buff *llc_shdlc_alloc_skb(const struct llc_shdlc *shdlc, + int payload_len) + { + struct sk_buff *skb; +@@ -137,7 +137,7 @@ static struct sk_buff *llc_shdlc_alloc_skb(struct llc_shdlc *shdlc, + } + + /* immediately sends an S frame. */ +-static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc, ++static int llc_shdlc_send_s_frame(const struct llc_shdlc *shdlc, + enum sframe_type sframe_type, int nr) + { + int r; +@@ -159,7 +159,7 @@ static int llc_shdlc_send_s_frame(struct llc_shdlc *shdlc, + } + + /* immediately sends an U frame. 
skb may contain optional payload */ +-static int llc_shdlc_send_u_frame(struct llc_shdlc *shdlc, ++static int llc_shdlc_send_u_frame(const struct llc_shdlc *shdlc, + struct sk_buff *skb, + enum uframe_modifier uframe_modifier) + { +@@ -361,7 +361,7 @@ static void llc_shdlc_connect_complete(struct llc_shdlc *shdlc, int r) + wake_up(shdlc->connect_wq); + } + +-static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc) ++static int llc_shdlc_connect_initiate(const struct llc_shdlc *shdlc) + { + struct sk_buff *skb; + +@@ -377,7 +377,7 @@ static int llc_shdlc_connect_initiate(struct llc_shdlc *shdlc) + return llc_shdlc_send_u_frame(shdlc, skb, U_FRAME_RSET); + } + +-static int llc_shdlc_connect_send_ua(struct llc_shdlc *shdlc) ++static int llc_shdlc_connect_send_ua(const struct llc_shdlc *shdlc) + { + struct sk_buff *skb; + +diff --git a/net/nfc/llcp.h b/net/nfc/llcp.h +index 97853c9cefc70..d49d4bf2e37c8 100644 +--- a/net/nfc/llcp.h ++++ b/net/nfc/llcp.h +@@ -221,15 +221,15 @@ struct sock *nfc_llcp_accept_dequeue(struct sock *sk, struct socket *newsock); + + /* TLV API */ + int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, +- u8 *tlv_array, u16 tlv_array_len); ++ const u8 *tlv_array, u16 tlv_array_len); + int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock, +- u8 *tlv_array, u16 tlv_array_len); ++ const u8 *tlv_array, u16 tlv_array_len); + + /* Commands API */ + void nfc_llcp_recv(void *data, struct sk_buff *skb, int err); +-u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length); ++u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length); + struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap); +-struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri, ++struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri, + size_t uri_len); + void nfc_llcp_free_sdp_tlv(struct nfc_llcp_sdp_tlv *sdp); + void nfc_llcp_free_sdp_tlv_list(struct hlist_head *sdp_head); +diff --git 
a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index 475061c79c442..3c4172a5aeb5e 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -15,7 +15,7 @@ + #include "nfc.h" + #include "llcp.h" + +-static u8 llcp_tlv_length[LLCP_TLV_MAX] = { ++static const u8 llcp_tlv_length[LLCP_TLV_MAX] = { + 0, + 1, /* VERSION */ + 2, /* MIUX */ +@@ -29,7 +29,7 @@ static u8 llcp_tlv_length[LLCP_TLV_MAX] = { + + }; + +-static u8 llcp_tlv8(u8 *tlv, u8 type) ++static u8 llcp_tlv8(const u8 *tlv, u8 type) + { + if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]]) + return 0; +@@ -37,7 +37,7 @@ static u8 llcp_tlv8(u8 *tlv, u8 type) + return tlv[2]; + } + +-static u16 llcp_tlv16(u8 *tlv, u8 type) ++static u16 llcp_tlv16(const u8 *tlv, u8 type) + { + if (tlv[0] != type || tlv[1] != llcp_tlv_length[tlv[0]]) + return 0; +@@ -46,37 +46,37 @@ static u16 llcp_tlv16(u8 *tlv, u8 type) + } + + +-static u8 llcp_tlv_version(u8 *tlv) ++static u8 llcp_tlv_version(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_VERSION); + } + +-static u16 llcp_tlv_miux(u8 *tlv) ++static u16 llcp_tlv_miux(const u8 *tlv) + { + return llcp_tlv16(tlv, LLCP_TLV_MIUX) & 0x7ff; + } + +-static u16 llcp_tlv_wks(u8 *tlv) ++static u16 llcp_tlv_wks(const u8 *tlv) + { + return llcp_tlv16(tlv, LLCP_TLV_WKS); + } + +-static u16 llcp_tlv_lto(u8 *tlv) ++static u16 llcp_tlv_lto(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_LTO); + } + +-static u8 llcp_tlv_opt(u8 *tlv) ++static u8 llcp_tlv_opt(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_OPT); + } + +-static u8 llcp_tlv_rw(u8 *tlv) ++static u8 llcp_tlv_rw(const u8 *tlv) + { + return llcp_tlv8(tlv, LLCP_TLV_RW) & 0xf; + } + +-u8 *nfc_llcp_build_tlv(u8 type, u8 *value, u8 value_length, u8 *tlv_length) ++u8 *nfc_llcp_build_tlv(u8 type, const u8 *value, u8 value_length, u8 *tlv_length) + { + u8 *tlv, length; + +@@ -130,7 +130,7 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdres_tlv(u8 tid, u8 sap) + return sdres; + } + +-struct nfc_llcp_sdp_tlv 
*nfc_llcp_build_sdreq_tlv(u8 tid, char *uri, ++struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, const char *uri, + size_t uri_len) + { + struct nfc_llcp_sdp_tlv *sdreq; +@@ -190,9 +190,10 @@ void nfc_llcp_free_sdp_tlv_list(struct hlist_head *head) + } + + int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, +- u8 *tlv_array, u16 tlv_array_len) ++ const u8 *tlv_array, u16 tlv_array_len) + { +- u8 *tlv = tlv_array, type, length, offset = 0; ++ const u8 *tlv = tlv_array; ++ u8 type, length, offset = 0; + + pr_debug("TLV array length %d\n", tlv_array_len); + +@@ -239,9 +240,10 @@ int nfc_llcp_parse_gb_tlv(struct nfc_llcp_local *local, + } + + int nfc_llcp_parse_connection_tlv(struct nfc_llcp_sock *sock, +- u8 *tlv_array, u16 tlv_array_len) ++ const u8 *tlv_array, u16 tlv_array_len) + { +- u8 *tlv = tlv_array, type, length, offset = 0; ++ const u8 *tlv = tlv_array; ++ u8 type, length, offset = 0; + + pr_debug("TLV array length %d\n", tlv_array_len); + +@@ -295,7 +297,7 @@ static struct sk_buff *llcp_add_header(struct sk_buff *pdu, + return pdu; + } + +-static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, u8 *tlv, ++static struct sk_buff *llcp_add_tlv(struct sk_buff *pdu, const u8 *tlv, + u8 tlv_length) + { + /* XXX Add an skb length check */ +@@ -389,9 +391,10 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock) + { + struct nfc_llcp_local *local; + struct sk_buff *skb; +- u8 *service_name_tlv = NULL, service_name_tlv_length; +- u8 *miux_tlv = NULL, miux_tlv_length; +- u8 *rw_tlv = NULL, rw_tlv_length, rw; ++ const u8 *service_name_tlv = NULL; ++ const u8 *miux_tlv = NULL; ++ const u8 *rw_tlv = NULL; ++ u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw; + int err; + u16 size = 0; + __be16 miux; +@@ -465,8 +468,9 @@ int nfc_llcp_send_cc(struct nfc_llcp_sock *sock) + { + struct nfc_llcp_local *local; + struct sk_buff *skb; +- u8 *miux_tlv = NULL, miux_tlv_length; +- u8 *rw_tlv = NULL, rw_tlv_length, rw; ++ const u8 *miux_tlv = NULL; ++ 
const u8 *rw_tlv = NULL; ++ u8 miux_tlv_length, rw_tlv_length, rw; + int err; + u16 size = 0; + __be16 miux; +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index edadebb3efd2a..fd43e75abd948 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -302,7 +302,7 @@ static char *wks[] = { + "urn:nfc:sn:snep", + }; + +-static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len) ++static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len) + { + int sap, num_wks; + +@@ -326,7 +326,7 @@ static int nfc_llcp_wks_sap(char *service_name, size_t service_name_len) + + static + struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local, +- u8 *sn, size_t sn_len) ++ const u8 *sn, size_t sn_len) + { + struct sock *sk; + struct nfc_llcp_sock *llcp_sock, *tmp_sock; +@@ -523,7 +523,7 @@ static int nfc_llcp_build_gb(struct nfc_llcp_local *local) + { + u8 *gb_cur, version, version_length; + u8 lto_length, wks_length, miux_length; +- u8 *version_tlv = NULL, *lto_tlv = NULL, ++ const u8 *version_tlv = NULL, *lto_tlv = NULL, + *wks_tlv = NULL, *miux_tlv = NULL; + __be16 wks = cpu_to_be16(local->local_wks); + u8 gb_len = 0; +@@ -613,7 +613,7 @@ u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len) + return local->gb; + } + +-int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len) ++int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len) + { + struct nfc_llcp_local *local; + +@@ -640,27 +640,27 @@ int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len) + local->remote_gb_len - 3); + } + +-static u8 nfc_llcp_dsap(struct sk_buff *pdu) ++static u8 nfc_llcp_dsap(const struct sk_buff *pdu) + { + return (pdu->data[0] & 0xfc) >> 2; + } + +-static u8 nfc_llcp_ptype(struct sk_buff *pdu) ++static u8 nfc_llcp_ptype(const struct sk_buff *pdu) + { + return ((pdu->data[0] & 0x03) << 2) | ((pdu->data[1] & 0xc0) >> 6); + } + +-static u8 nfc_llcp_ssap(struct sk_buff *pdu) ++static u8 
nfc_llcp_ssap(const struct sk_buff *pdu) + { + return pdu->data[1] & 0x3f; + } + +-static u8 nfc_llcp_ns(struct sk_buff *pdu) ++static u8 nfc_llcp_ns(const struct sk_buff *pdu) + { + return pdu->data[2] >> 4; + } + +-static u8 nfc_llcp_nr(struct sk_buff *pdu) ++static u8 nfc_llcp_nr(const struct sk_buff *pdu) + { + return pdu->data[2] & 0xf; + } +@@ -802,7 +802,7 @@ static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local + } + + static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local, +- u8 *sn, size_t sn_len) ++ const u8 *sn, size_t sn_len) + { + struct nfc_llcp_sock *llcp_sock; + +@@ -816,9 +816,10 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local, + return llcp_sock; + } + +-static u8 *nfc_llcp_connect_sn(struct sk_buff *skb, size_t *sn_len) ++static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len) + { +- u8 *tlv = &skb->data[2], type, length; ++ u8 type, length; ++ const u8 *tlv = &skb->data[2]; + size_t tlv_array_len = skb->len - LLCP_HEADER_SIZE, offset = 0; + + while (offset < tlv_array_len) { +@@ -876,7 +877,7 @@ static void nfc_llcp_recv_ui(struct nfc_llcp_local *local, + } + + static void nfc_llcp_recv_connect(struct nfc_llcp_local *local, +- struct sk_buff *skb) ++ const struct sk_buff *skb) + { + struct sock *new_sk, *parent; + struct nfc_llcp_sock *sock, *new_sock; +@@ -894,7 +895,7 @@ static void nfc_llcp_recv_connect(struct nfc_llcp_local *local, + goto fail; + } + } else { +- u8 *sn; ++ const u8 *sn; + size_t sn_len; + + sn = nfc_llcp_connect_sn(skb, &sn_len); +@@ -1113,7 +1114,7 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local, + } + + static void nfc_llcp_recv_disc(struct nfc_llcp_local *local, +- struct sk_buff *skb) ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; + struct sock *sk; +@@ -1156,7 +1157,8 @@ static void nfc_llcp_recv_disc(struct nfc_llcp_local *local, + nfc_llcp_sock_put(llcp_sock); + } + +-static 
void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb) ++static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; + struct sock *sk; +@@ -1189,7 +1191,8 @@ static void nfc_llcp_recv_cc(struct nfc_llcp_local *local, struct sk_buff *skb) + nfc_llcp_sock_put(llcp_sock); + } + +-static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb) ++static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; + struct sock *sk; +@@ -1227,12 +1230,13 @@ static void nfc_llcp_recv_dm(struct nfc_llcp_local *local, struct sk_buff *skb) + } + + static void nfc_llcp_recv_snl(struct nfc_llcp_local *local, +- struct sk_buff *skb) ++ const struct sk_buff *skb) + { + struct nfc_llcp_sock *llcp_sock; +- u8 dsap, ssap, *tlv, type, length, tid, sap; ++ u8 dsap, ssap, type, length, tid, sap; ++ const u8 *tlv; + u16 tlv_len, offset; +- char *service_name; ++ const char *service_name; + size_t service_name_len; + struct nfc_llcp_sdp_tlv *sdp; + HLIST_HEAD(llc_sdres_list); +diff --git a/net/nfc/nfc.h b/net/nfc/nfc.h +index 889fefd64e56b..de2ec66d7e83a 100644 +--- a/net/nfc/nfc.h ++++ b/net/nfc/nfc.h +@@ -48,7 +48,7 @@ void nfc_llcp_mac_is_up(struct nfc_dev *dev, u32 target_idx, + u8 comm_mode, u8 rf_mode); + int nfc_llcp_register_device(struct nfc_dev *dev); + void nfc_llcp_unregister_device(struct nfc_dev *dev); +-int nfc_llcp_set_remote_gb(struct nfc_dev *dev, u8 *gb, u8 gb_len); ++int nfc_llcp_set_remote_gb(struct nfc_dev *dev, const u8 *gb, u8 gb_len); + u8 *nfc_llcp_general_bytes(struct nfc_dev *dev, size_t *general_bytes_len); + int nfc_llcp_data_received(struct nfc_dev *dev, struct sk_buff *skb); + struct nfc_llcp_local *nfc_llcp_find_local(struct nfc_dev *dev); +-- +2.39.2 + 
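Review bot: In `nfc_llcp_parse_gb_tlv()` and `nfc_llcp_parse_connection_tlv()` the split declaration `u8 type, length, offset = 0;` keeps `offset` at 8 bits while `tlv_array_len` is a `u16`. The loops that use these variables are outside the hunks, so this is inferred: if `offset` is compared against `tlv_array_len` there, a TLV array from the peer that is longer than 255 bytes cannot be bounded by it. `nfc_llcp_connect_sn()` in this same patch already uses `size_t offset` for the equivalent walk. Since the declarations are being rewritten anyway, I would widen it to `u16 offset = 0;` and confirm that each caller caps the length it passes in.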
diff --git a/tmp-5.4/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch b/tmp-5.4/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch new file mode 100644 index 00000000000..07e924fee5e --- /dev/null +++ b/tmp-5.4/nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch @@ -0,0 +1,41 @@ +From c435c43b07ef6b17b7b90f150282902f2a503788 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 May 2023 13:52:04 +0200 +Subject: nfc: llcp: fix possible use of uninitialized variable in + nfc_llcp_send_connect() + +From: Krzysztof Kozlowski + +[ Upstream commit 0d9b41daa5907756a31772d8af8ac5ff25cf17c1 ] + +If sock->service_name is NULL, the local variable +service_name_tlv_length will not be assigned by nfc_llcp_build_tlv(), +later leading to using value frmo the stack. Smatch warning: + + net/nfc/llcp_commands.c:442 nfc_llcp_send_connect() error: uninitialized symbol 'service_name_tlv_length'. + +Fixes: de9e5aeb4f40 ("NFC: llcp: Fix usage of llcp_add_tlv()") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_commands.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c +index 3c4172a5aeb5e..bb9f40563ff63 100644 +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -394,7 +394,8 @@ int nfc_llcp_send_connect(struct nfc_llcp_sock *sock) + const u8 *service_name_tlv = NULL; + const u8 *miux_tlv = NULL; + const u8 *rw_tlv = NULL; +- u8 service_name_tlv_length, miux_tlv_length, rw_tlv_length, rw; ++ u8 service_name_tlv_length = 0; ++ u8 miux_tlv_length, rw_tlv_length, rw; + int err; + u16 size = 0; + __be16 miux; +-- +2.39.2 + diff --git a/tmp-5.4/nfc-llcp-simplify-llcp_sock_connect-error-paths.patch b/tmp-5.4/nfc-llcp-simplify-llcp_sock_connect-error-paths.patch new file mode 100644 index 00000000000..cd0d7f1b5ce --- /dev/null +++ b/tmp-5.4/nfc-llcp-simplify-llcp_sock_connect-error-paths.patch 
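Review bot: Only `service_name_tlv_length` gets an initial value; `miux_tlv_length` and `rw_tlv_length` on the new line `u8 miux_tlv_length, rw_tlv_length, rw;` are still declared uninitialised. Whether `nfc_llcp_build_tlv()` stores to `*tlv_length` on its failure path is not visible in this hunk, so if either length can be read after a failed build it would carry stack contents just as the fixed variable did. Initialising all three keeps the declaration uniform and lets the static checker prove it: `u8 service_name_tlv_length = 0, miux_tlv_length = 0, rw_tlv_length = 0, rw;`. The body of `nfc_llcp_send_connect()` continues outside the hunk.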
@@ -0,0 +1,51 @@ +From 03432eeff906bb9019659266c1377b092d9035c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Mar 2022 20:25:19 +0100 +Subject: nfc: llcp: simplify llcp_sock_connect() error paths + +From: Krzysztof Kozlowski + +[ Upstream commit ec10fd154d934cc4195da3cbd017a12817b41d51 ] + +The llcp_sock_connect() error paths were using a mixed way of central +exit (goto) and cleanup + +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Stable-dep-of: 6709d4b7bc2e ("net: nfc: Fix use-after-free caused by nfc_llcp_find_local") +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_sock.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c +index bd2174699af97..1c1748b86fae7 100644 +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -712,10 +712,8 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, + llcp_sock->local = nfc_llcp_local_get(local); + llcp_sock->ssap = nfc_llcp_get_local_ssap(local); + if (llcp_sock->ssap == LLCP_SAP_MAX) { +- nfc_llcp_local_put(llcp_sock->local); +- llcp_sock->local = NULL; + ret = -ENOMEM; +- goto put_dev; ++ goto sock_llcp_put_local; + } + + llcp_sock->reserved_ssap = llcp_sock->ssap; +@@ -760,8 +758,11 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, + + sock_llcp_release: + nfc_llcp_put_ssap(local, llcp_sock->ssap); ++ ++sock_llcp_put_local: + nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ++ llcp_sock->dev = NULL; + + put_dev: + nfc_put_device(dev); +-- +2.39.2 + diff --git a/tmp-5.4/nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch b/tmp-5.4/nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch new file mode 100644 index 00000000000..560fb054aca --- /dev/null +++ b/tmp-5.4/nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch 
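Review bot: The added `llcp_sock->dev = NULL;` under `sock_llcp_put_local:` is a behaviour change that the commit message does not mention; it describes only a tidy-up of the error paths. Every failure that reaches `sock_llcp_release` or the new label now clears the socket's device pointer before `put_dev` drops the device reference. That looks intended to avoid keeping a pointer to a device the socket no longer holds a reference on, but this is inferred, because the assignment of `llcp_sock->dev` is outside the hunk. A short comment above the line would record the reason: `/* the device reference is dropped at put_dev; do not keep a stale pointer */`.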
@@ -0,0 +1,32 @@ +From 58f5d894006d82ed7335e1c37182fbc5f08c2f51 Mon Sep 17 00:00:00 2001 +From: Dai Ngo +Date: Tue, 6 Jun 2023 16:41:02 -0700 +Subject: NFSD: add encoding of op_recall flag for write delegation + +From: Dai Ngo + +commit 58f5d894006d82ed7335e1c37182fbc5f08c2f51 upstream. + +Modified nfsd4_encode_open to encode the op_recall flag properly +for OPEN result with write delegation granted. + +Signed-off-by: Dai Ngo +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4xdr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -3409,7 +3409,7 @@ nfsd4_encode_open(struct nfsd4_compoundr + p = xdr_reserve_space(xdr, 32); + if (!p) + return nfserr_resource; +- *p++ = cpu_to_be32(0); ++ *p++ = cpu_to_be32(open->op_recall); + + /* + * TODO: space_limit's in delegations diff --git a/tmp-5.4/nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch b/tmp-5.4/nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch new file mode 100644 index 00000000000..9311b1044d8 --- /dev/null +++ b/tmp-5.4/nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch 
@@ -0,0 +1,41 @@ +From c75abb197fd47273f1a9756a46daaf04dc03bb9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jun 2023 17:32:25 -0400 +Subject: NFSv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION + +From: Olga Kornievskaia + +[ Upstream commit c907e72f58ed979a24a9fdcadfbc447c51d5e509 ] + +When the client received NFS4ERR_BADSESSION, it schedules recovery +and start the state manager thread which in turn freezes the +session table and does not allow for any new requests to use the +no-longer valid session. However, it is possible that before +the state manager thread runs, a new operation would use the +released slot that received BADSESSION and was therefore not +updated its sequence number. Such re-use of the slot can lead +the application errors. + +Fixes: 5c441544f045 ("NFSv4.x: Handle bad/dead sessions correctly in nfs41_sequence_process()") +Signed-off-by: Olga Kornievskaia +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index c54dd49c993c5..231da9fadf098 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -915,6 +915,7 @@ static int nfs41_sequence_process(struct rpc_task *task, + out_noaction: + return ret; + session_recover: ++ set_bit(NFS4_SLOT_TBL_DRAINING, &session->fc_slot_table.slot_tbl_state); + nfs4_schedule_session_recovery(session, status); + dprintk("%s ERROR: %d Reset session\n", __func__, status); + nfs41_sequence_free_slot(res); +-- +2.39.2 + diff --git a/tmp-5.4/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch b/tmp-5.4/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch new file mode 100644 index 00000000000..0c8cc6a576c --- /dev/null +++ b/tmp-5.4/ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch 
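Review bot: The new `set_bit(NFS4_SLOT_TBL_DRAINING, &session->fc_slot_table.slot_tbl_state);` at `session_recover:` carries no comment, so the reason for setting the bit here instead of leaving it to the state manager lives only in the commit message. I would add `/* Freeze the slot table now so the slot that saw BADSESSION is not reused before the state manager runs */` above it. What clears the bit again is outside this hunk; it is worth confirming that the recovery scheduled on the next line always does so, otherwise the forward-channel table stays frozen. The function body starts and ends outside the hunk.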
@@ -0,0 +1,64 @@ +From 2e98e6c87f04443127e5606b13ea075b6ef49577 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 09:43:09 +0000 +Subject: NTB: amd: Fix error handling in amd_ntb_pci_driver_init() + +From: Yuan Can + +[ Upstream commit 98af0a33c1101c29b3ce4f0cf4715fd927c717f9 ] + +A problem about ntb_hw_amd create debugfs failed is triggered with the +following log given: + + [ 618.431232] AMD(R) PCI-E Non-Transparent Bridge Driver 1.0 + [ 618.433284] debugfs: Directory 'ntb_hw_amd' with parent '/' already present! + +The reason is that amd_ntb_pci_driver_init() returns pci_register_driver() +directly without checking its return value, if pci_register_driver() +failed, it returns without destroy the newly created debugfs, resulting +the debugfs of ntb_hw_amd can never be created later. + + amd_ntb_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. 
+ +Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge") +Signed-off-by: Yuan Can +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/amd/ntb_hw_amd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c +index abb37659de343..50983d77329ea 100644 +--- a/drivers/ntb/hw/amd/ntb_hw_amd.c ++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c +@@ -1153,12 +1153,17 @@ static struct pci_driver amd_ntb_pci_driver = { + + static int __init amd_ntb_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + if (debugfs_initialized()) + debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); + +- return pci_register_driver(&amd_ntb_pci_driver); ++ ret = pci_register_driver(&amd_ntb_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(debugfs_dir); ++ ++ return ret; + } + module_init(amd_ntb_pci_driver_init); + +-- +2.39.2 + diff --git a/tmp-5.4/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch b/tmp-5.4/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch new file mode 100644 index 00000000000..6090eed3c9c --- /dev/null +++ b/tmp-5.4/ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch 
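Review bot: In `amd_ntb_pci_driver_init()` the added `int ret;` is followed directly by `pr_info(...)`, while kernel coding style expects a blank line between the declarations and the first statement (checkpatch reports it as a missing blank line after declarations). The same layout appears in `idt_pci_driver_init()` and `intel_ntb_pci_driver_init()` in the two patches that follow. The cleanup itself reads correctly: `debugfs_remove_recursive(debugfs_dir)` is reached only when `pci_register_driver()` fails.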
@@ -0,0 +1,66 @@ +From 52c09ad833ec6fa1e44be33a1551a422a3678e2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 09:43:01 +0000 +Subject: ntb: idt: Fix error handling in idt_pci_driver_init() + +From: Yuan Can + +[ Upstream commit c012968259b451dc4db407f2310fe131eaefd800 ] + +A problem about ntb_hw_idt create debugfs failed is triggered with the +following log given: + + [ 1236.637636] IDT PCI-E Non-Transparent Bridge Driver 2.0 + [ 1236.639292] debugfs: Directory 'ntb_hw_idt' with parent '/' already present! + +The reason is that idt_pci_driver_init() returns pci_register_driver() +directly without checking its return value, if pci_register_driver() +failed, it returns without destroy the newly created debugfs, resulting +the debugfs of ntb_hw_idt can never be created later. + + idt_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. 
+ +Fixes: bf2a952d31d2 ("NTB: Add IDT 89HPESxNTx PCIe-switches support") +Signed-off-by: Yuan Can +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/idt/ntb_hw_idt.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c +index dcf2346805350..a0091900b0cfb 100644 +--- a/drivers/ntb/hw/idt/ntb_hw_idt.c ++++ b/drivers/ntb/hw/idt/ntb_hw_idt.c +@@ -2908,6 +2908,7 @@ static struct pci_driver idt_pci_driver = { + + static int __init idt_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + /* Create the top DebugFS directory if the FS is initialized */ +@@ -2915,7 +2916,11 @@ static int __init idt_pci_driver_init(void) + dbgfs_topdir = debugfs_create_dir(KBUILD_MODNAME, NULL); + + /* Register the NTB hardware driver to handle the PCI device */ +- return pci_register_driver(&idt_pci_driver); ++ ret = pci_register_driver(&idt_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(dbgfs_topdir); ++ ++ return ret; + } + module_init(idt_pci_driver_init); + +-- +2.39.2 + diff --git a/tmp-5.4/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch b/tmp-5.4/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch new file mode 100644 index 00000000000..2e7486e1545 --- /dev/null +++ b/tmp-5.4/ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch 
@@ -0,0 +1,65 @@ +From 6a6c978dd2cf3ce1b4ca8012454c522d2142c785 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Nov 2022 09:43:22 +0000 +Subject: ntb: intel: Fix error handling in intel_ntb_pci_driver_init() + +From: Yuan Can + +[ Upstream commit 4c3c796aca02883ad35bb117468938cc4022ca41 ] + +A problem about ntb_hw_intel create debugfs failed is triggered with the +following log given: + + [ 273.112733] Intel(R) PCI-E Non-Transparent Bridge Driver 2.0 + [ 273.115342] debugfs: Directory 'ntb_hw_intel' with parent '/' already present! + +The reason is that intel_ntb_pci_driver_init() returns +pci_register_driver() directly without checking its return value, if +pci_register_driver() failed, it returns without destroy the newly created +debugfs, resulting the debugfs of ntb_hw_intel can never be created later. + + intel_ntb_pci_driver_init() + debugfs_create_dir() # create debugfs directory + pci_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without destroy debugfs directory + +Fix by removing debugfs when pci_register_driver() returns error. 
+ +Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") +Signed-off-by: Yuan Can +Acked-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/intel/ntb_hw_gen1.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c +index bb57ec2390299..8d8739bff9f3c 100644 +--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c ++++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c +@@ -2065,12 +2065,17 @@ static struct pci_driver intel_ntb_pci_driver = { + + static int __init intel_ntb_pci_driver_init(void) + { ++ int ret; + pr_info("%s %s\n", NTB_DESC, NTB_VER); + + if (debugfs_initialized()) + debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); + +- return pci_register_driver(&intel_ntb_pci_driver); ++ ret = pci_register_driver(&intel_ntb_pci_driver); ++ if (ret) ++ debugfs_remove_recursive(debugfs_dir); ++ ++ return ret; + } + module_init(intel_ntb_pci_driver_init); + +-- +2.39.2 + diff --git a/tmp-5.4/ntb-ntb_tool-add-check-for-devm_kcalloc.patch b/tmp-5.4/ntb-ntb_tool-add-check-for-devm_kcalloc.patch new file mode 100644 index 00000000000..84059f98e54 --- /dev/null +++ b/tmp-5.4/ntb-ntb_tool-add-check-for-devm_kcalloc.patch 
@@ -0,0 +1,39 @@ +From cd15fb43ec3eaa15b043cecae779f693ef7e9ee7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 11:32:44 +0800 +Subject: NTB: ntb_tool: Add check for devm_kcalloc + +From: Jiasheng Jiang + +[ Upstream commit 2790143f09938776a3b4f69685b380bae8fd06c7 ] + +As the devm_kcalloc may return NULL pointer, +it should be better to add check for the return +value, as same as the others. + +Fixes: 7f46c8b3a552 ("NTB: ntb_tool: Add full multi-port NTB API support") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Serge Semin +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/test/ntb_tool.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c +index 6301aa413c3b8..1f64146546221 100644 +--- a/drivers/ntb/test/ntb_tool.c ++++ b/drivers/ntb/test/ntb_tool.c +@@ -998,6 +998,8 @@ static int tool_init_mws(struct tool_ctx *tc) + tc->peers[pidx].outmws = + devm_kcalloc(&tc->ntb->dev, tc->peers[pidx].outmw_cnt, + sizeof(*tc->peers[pidx].outmws), GFP_KERNEL); ++ if (tc->peers[pidx].outmws == NULL) ++ return -ENOMEM; + + for (widx = 0; widx < tc->peers[pidx].outmw_cnt; widx++) { + tc->peers[pidx].outmws[widx].pidx = pidx; +-- +2.39.2 + diff --git a/tmp-5.4/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch b/tmp-5.4/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch new file mode 100644 index 00000000000..e9bd3ce8837 --- /dev/null +++ b/tmp-5.4/ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch 
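Review bot: The added check is spelled `if (tc->peers[pidx].outmws == NULL)`, where kernel style prefers the shorter `if (!tc->peers[pidx].outmws)`. The `return -ENOMEM` leaves from inside the per-peer loop of `tool_init_mws()`; the earlier allocations are device-managed, so nothing leaks, but how the caller unwinds the partially initialised peers is outside this hunk and worth a look.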
@@ -0,0 +1,42 @@ +From afbb71de53d84a6a5469fd81b15266391e189cec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 23:19:17 +0800 +Subject: NTB: ntb_transport: fix possible memory leak while device_register() + fails + +From: Yang Yingliang + +[ Upstream commit 8623ccbfc55d962e19a3537652803676ad7acb90 ] + +If device_register() returns error, the name allocated by +dev_set_name() need be freed. As comment of device_register() +says, it should use put_device() to give up the reference in +the error path. So fix this by calling put_device(), then the +name can be freed in kobject_cleanup(), and client_dev is freed +in ntb_transport_client_release(). + +Fixes: fce8a7bb5b4b ("PCI-Express Non-Transparent Bridge Support") +Signed-off-by: Yang Yingliang +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/ntb_transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c +index 00a5d5764993c..3cc0e8ebcdd5c 100644 +--- a/drivers/ntb/ntb_transport.c ++++ b/drivers/ntb/ntb_transport.c +@@ -412,7 +412,7 @@ int ntb_transport_register_client_dev(char *device_name) + + rc = device_register(dev); + if (rc) { +- kfree(client_dev); ++ put_device(dev); + goto err; + } + +-- +2.39.2 + diff --git a/tmp-5.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch b/tmp-5.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch new file mode 100644 index 00000000000..cb52bf7543d --- /dev/null +++ b/tmp-5.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch 
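Review bot: Once `put_device(dev)` has run, `client_dev` is freed through the release callback (the commit message names `ntb_transport_client_release()`), so nothing reached through `goto err` may touch `dev` or `client_dev` again. The `err:` label is outside the hunk and should be checked for that. A comment at the call would also stop a later edit from putting the `kfree()` back and creating a double free: `/* put_device() frees client_dev via the release callback; no kfree() here */`.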
@@ -0,0 +1,36 @@ +From 88d341716b83abd355558523186ca488918627ee Mon Sep 17 00:00:00 2001 +From: Robin Murphy +Date: Wed, 7 Jun 2023 18:18:47 +0100 +Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9235 + +From: Robin Murphy + +commit 88d341716b83abd355558523186ca488918627ee upstream. + +Marvell's own product brief implies the 92xx series are a closely related +family, and sure enough it turns out that 9235 seems to need the same quirk +as the other three, although possibly only when certain ports are used. + +Link: https://lore.kernel.org/linux-iommu/2a699a99-545c-1324-e052-7d2f41fed1ae@yahoo.co.uk/ +Link: https://lore.kernel.org/r/731507e05d70239aec96fcbfab6e65d8ce00edd2.1686157165.git.robin.murphy@arm.com +Reported-by: Jason Adriaanse +Signed-off-by: Robin Murphy +Signed-off-by: Bjorn Helgaas +Reviewed-by: Christoph Hellwig +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4168,6 +4168,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230, + quirk_dma_func1_alias); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9235, ++ quirk_dma_func1_alias); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0642, + quirk_dma_func1_alias); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0645, diff --git a/tmp-5.4/pci-add-pci_clear_master-stub-for-non-config_pci.patch b/tmp-5.4/pci-add-pci_clear_master-stub-for-non-config_pci.patch new file mode 100644 index 00000000000..66f54ef8cac --- /dev/null +++ b/tmp-5.4/pci-add-pci_clear_master-stub-for-non-config_pci.patch 
@@ -0,0 +1,39 @@ +From db25f854d571d3fcae22d49953b6f83a15aafd41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 18:27:44 +0800 +Subject: PCI: Add pci_clear_master() stub for non-CONFIG_PCI + +From: Sui Jingfeng + +[ Upstream commit 2aa5ac633259843f656eb6ecff4cf01e8e810c5e ] + +Add a pci_clear_master() stub when CONFIG_PCI is not set so drivers that +support both PCI and platform devices don't need #ifdefs or extra Kconfig +symbols for the PCI parts. + +[bhelgaas: commit log] +Fixes: 6a479079c072 ("PCI: Add pci_clear_master() as opposite of pci_set_master()") +Link: https://lore.kernel.org/r/20230531102744.2354313-1-suijingfeng@loongson.cn +Signed-off-by: Sui Jingfeng +Signed-off-by: Bjorn Helgaas +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + include/linux/pci.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/pci.h b/include/linux/pci.h +index fc343d123127b..1cd5caa567cf5 100644 +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -1687,6 +1687,7 @@ static inline struct pci_dev *pci_get_class(unsigned int class, + #define pci_dev_put(dev) do { } while (0) + + static inline void pci_set_master(struct pci_dev *dev) { } ++static inline void pci_clear_master(struct pci_dev *dev) { } + static inline int pci_enable_device(struct pci_dev *dev) { return -EIO; } + static inline void pci_disable_device(struct pci_dev *dev) { } + static inline int pci_assign_resource(struct pci_dev *dev, int i) +-- +2.39.2 + diff --git a/tmp-5.4/pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch b/tmp-5.4/pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch new file mode 100644 index 00000000000..9806e4f59e4 --- /dev/null +++ b/tmp-5.4/pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch 
@@ -0,0 +1,94 @@ +From 32b72de1b29eb74c3946b4b5b4d5775d6514b4dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 May 2023 11:40:57 +0800 +Subject: PCI/ASPM: Disable ASPM on MFD function removal to avoid + use-after-free + +From: Ding Hui + +[ Upstream commit 456d8aa37d0f56fc9e985e812496e861dcd6f2f2 ] + +Struct pcie_link_state->downstream is a pointer to the pci_dev of function +0. Previously we retained that pointer when removing function 0, and +subsequent ASPM policy changes dereferenced it, resulting in a +use-after-free warning from KASAN, e.g.: + + # echo 1 > /sys/bus/pci/devices/0000:03:00.0/remove + # echo powersave > /sys/module/pcie_aspm/parameters/policy + + BUG: KASAN: slab-use-after-free in pcie_config_aspm_link+0x42d/0x500 + Call Trace: + kasan_report+0xae/0xe0 + pcie_config_aspm_link+0x42d/0x500 + pcie_aspm_set_policy+0x8e/0x1a0 + param_attr_store+0x162/0x2c0 + module_attr_store+0x3e/0x80 + +PCIe spec r6.0, sec 7.5.3.7, recommends that software program the same ASPM +Control value in all functions of multi-function devices. + +Disable ASPM and free the pcie_link_state when any child function is +removed so we can discard the dangling pcie_link_state->downstream pointer +and maintain the same ASPM Control configuration for all functions. 
+ +[bhelgaas: commit log and comment] +Debugged-by: Zongquan Qin +Suggested-by: Bjorn Helgaas +Fixes: b5a0a9b59c81 ("PCI/ASPM: Read and set up L1 substate capabilities") +Link: https://lore.kernel.org/r/20230507034057.20970-1-dinghui@sangfor.com.cn +Signed-off-by: Ding Hui +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/aspm.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index 7624c71011c6e..d8d27b11b48c4 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -991,21 +991,24 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev) + + down_read(&pci_bus_sem); + mutex_lock(&aspm_lock); +- /* +- * All PCIe functions are in one slot, remove one function will remove +- * the whole slot, so just wait until we are the last function left. +- */ +- if (!list_empty(&parent->subordinate->devices)) +- goto out; + + link = parent->link_state; + root = link->root; + parent_link = link->parent; + +- /* All functions are removed, so just disable ASPM for the link */ ++ /* ++ * link->downstream is a pointer to the pci_dev of function 0. If ++ * we remove that function, the pci_dev is about to be deallocated, ++ * so we can't use link->downstream again. Free the link state to ++ * avoid this. ++ * ++ * If we're removing a non-0 function, it's possible we could ++ * retain the link state, but PCIe r6.0, sec 7.5.3.7, recommends ++ * programming the same ASPM Control value for all functions of ++ * multi-function devices, so disable ASPM for all of them. 
++ */ + pcie_config_aspm_link(link, 0); + list_del(&link->sibling); +- /* Clock PM is for endpoint device */ + free_link_state(link); + + /* Recheck latencies and configure upstream links */ +@@ -1013,7 +1016,7 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev) + pcie_update_aspm_capable(root); + pcie_config_aspm_path(parent_link); + } +-out: ++ + mutex_unlock(&aspm_lock); + up_read(&pci_bus_sem); + } +-- +2.39.2 + diff --git a/tmp-5.4/pci-ftpci100-release-the-clock-resources.patch b/tmp-5.4/pci-ftpci100-release-the-clock-resources.patch new file mode 100644 index 00000000000..d415b4a0ff5 --- /dev/null +++ b/tmp-5.4/pci-ftpci100-release-the-clock-resources.patch 
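Review bot: In pcie_aspm_exit_link_state(), `root = link->root;` is read straight after `link = parent->link_state;` with no NULL test inside the hunk. With this change the link state is freed when the first function is removed rather than the last, so every later call for a sibling function relies on a guard before the locks are taken, which is outside the visible lines. If that guard is an unlocked read, re-testing under `aspm_lock` would be more robust. One way is to keep the `out:` label that this change removes and add `if (!link) goto out;` after the assignment.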
@@ -0,0 +1,75 @@ +From d9c83ad50e70e515f58d592e5a298a460e44da62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 12:36:41 +0800 +Subject: PCI: ftpci100: Release the clock resources + +From: Junyan Ye + +[ Upstream commit c60738de85f40b0b9f5cb23c21f9246e5a47908c ] + +Smatch reported: +1. drivers/pci/controller/pci-ftpci100.c:526 faraday_pci_probe() warn: +'clk' from clk_prepare_enable() not released on lines: 442,451,462,478,512,517. +2. drivers/pci/controller/pci-ftpci100.c:526 faraday_pci_probe() warn: +'p->bus_clk' from clk_prepare_enable() not released on lines: 451,462,478,512,517. + +The clock resource is obtained by devm_clk_get(), and then +clk_prepare_enable() makes the clock resource ready for use. After that, +clk_disable_unprepare() should be called to release the clock resource +when it is no longer needed. However, while doing some error handling +in faraday_pci_probe(), clk_disable_unprepare() is not called to release +clk and p->bus_clk before returning. These return lines are exactly 442, +451, 462, 478, 512, 517. + +Fix this warning by replacing devm_clk_get() with devm_clk_get_enabled(), +which is equivalent to devm_clk_get() + clk_prepare_enable(). And with +devm_clk_get_enabled(), the clock will automatically be disabled, +unprepared and freed when the device is unbound from the bus. 
+ +Link: https://lore.kernel.org/r/20230508043641.23807-1-yejunyan@hust.edu.cn +Fixes: b3c433efb8a3 ("PCI: faraday: Fix wrong pointer passed to PTR_ERR()") +Fixes: 2eeb02b28579 ("PCI: faraday: Add clock handling") +Fixes: 783a862563f7 ("PCI: faraday: Use pci_parse_request_of_pci_ranges()") +Fixes: d3c68e0a7e34 ("PCI: faraday: Add Faraday Technology FTPCI100 PCI Host Bridge driver") +Fixes: f1e8bd21e39e ("PCI: faraday: Convert IRQ masking to raw PCI config accessors") +Signed-off-by: Junyan Ye +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Dongliang Mu +Reviewed-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-ftpci100.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/drivers/pci/controller/pci-ftpci100.c b/drivers/pci/controller/pci-ftpci100.c +index bf5ece5d9291f..88983fd0c1bdd 100644 +--- a/drivers/pci/controller/pci-ftpci100.c ++++ b/drivers/pci/controller/pci-ftpci100.c +@@ -458,22 +458,12 @@ static int faraday_pci_probe(struct platform_device *pdev) + p->dev = dev; + + /* Retrieve and enable optional clocks */ +- clk = devm_clk_get(dev, "PCLK"); ++ clk = devm_clk_get_enabled(dev, "PCLK"); + if (IS_ERR(clk)) + return PTR_ERR(clk); +- ret = clk_prepare_enable(clk); +- if (ret) { +- dev_err(dev, "could not prepare PCLK\n"); +- return ret; +- } +- p->bus_clk = devm_clk_get(dev, "PCICLK"); ++ p->bus_clk = devm_clk_get_enabled(dev, "PCICLK"); + if (IS_ERR(p->bus_clk)) + return PTR_ERR(p->bus_clk); +- ret = clk_prepare_enable(p->bus_clk); +- if (ret) { +- dev_err(dev, "could not prepare PCICLK\n"); +- return ret; +- } + + regs = platform_get_resource(pdev, IORESOURCE_MEM, 0); + p->base = devm_ioremap_resource(dev, regs); +-- +2.39.2 + diff --git a/tmp-5.4/pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch b/tmp-5.4/pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch new file mode 100644 index 00000000000..939d1ce18e5 --- /dev/null 
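Review bot: The comment `/* Retrieve and enable optional clocks */` in faraday_pci_probe() does not match the code below it. Both `devm_clk_get_enabled()` calls are followed by `return PTR_ERR(...)`, so a missing clock fails the probe. Either reword the comment to `/* Retrieve and enable the bus clocks; both are required */` or, if the clocks really are optional, use `devm_clk_get_optional_enabled()`. As this patch is queued under tmp-5.4, it is also worth confirming that `devm_clk_get_enabled()` exists in that tree, which the hunk does not show.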
+++ b/tmp-5.4/pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch 
@@ -0,0 +1,74 @@ +From 5b574f7d148a6cd0058b8187e37a6e1b390861e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 10:15:18 +0800 +Subject: PCI: pciehp: Cancel bringup sequence if card is not present + +From: Rongguang Wei + +[ Upstream commit e8afd0d9fccc27c8ad263db5cf5952cfcf72d6fe ] + +If a PCIe hotplug slot has an Attention Button, the normal hot-add flow is: + + - Slot is empty and slot power is off + - User inserts card in slot and presses Attention Button + - OS blinks Power Indicator for 5 seconds + - After 5 seconds, OS turns on Power Indicator, turns on slot power, and + enumerates the device + +Previously, if a user pressed the Attention Button on an *empty* slot, +pciehp logged the following messages and blinked the Power Indicator +until a second button press: + + [0.000] pciehp: Button press: will power on in 5 sec + [0.001] # Power Indicator starts blinking + [5.001] # 5 second timeout; slot is empty, so we should cancel the + request to power on and turn off Power Indicator + + [7.000] # Power Indicator still blinking + [8.000] # possible card insertion + [9.000] pciehp: Button press: canceling request to power on + +The first button press incorrectly left the slot in BLINKINGON_STATE, so +the second was interpreted as a "cancel power on" event regardless of +whether a card was present. + +If the slot is empty, turn off the Power Indicator and return from +BLINKINGON_STATE to OFF_STATE after 5 seconds, effectively canceling the +request to power on. Putting the slot in OFF_STATE also means the second +button press will correctly request a slot power on if the slot is +occupied. 
+ +[bhelgaas: commit log] +Link: https://lore.kernel.org/r/20230512021518.336460-1-clementwei90@163.com +Fixes: d331710ea78f ("PCI: pciehp: Become resilient to missed events") +Suggested-by: Lukas Wunner +Signed-off-by: Rongguang Wei +Signed-off-by: Bjorn Helgaas +Reviewed-by: Lukas Wunner +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/pciehp_ctrl.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/pci/hotplug/pciehp_ctrl.c b/drivers/pci/hotplug/pciehp_ctrl.c +index 6503d15effbbd..45d0f63707158 100644 +--- a/drivers/pci/hotplug/pciehp_ctrl.c ++++ b/drivers/pci/hotplug/pciehp_ctrl.c +@@ -258,6 +258,14 @@ void pciehp_handle_presence_or_link_change(struct controller *ctrl, u32 events) + present = pciehp_card_present(ctrl); + link_active = pciehp_check_link_active(ctrl); + if (present <= 0 && link_active <= 0) { ++ if (ctrl->state == BLINKINGON_STATE) { ++ ctrl->state = OFF_STATE; ++ cancel_delayed_work(&ctrl->button_work); ++ pciehp_set_indicators(ctrl, PCI_EXP_SLTCTL_PWR_IND_OFF, ++ INDICATOR_NOOP); ++ ctrl_info(ctrl, "Slot(%s): Card not present\n", ++ slot_name(ctrl)); ++ } + mutex_unlock(&ctrl->state_lock); + return; + } +-- +2.39.2 + diff --git a/tmp-5.4/pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch b/tmp-5.4/pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch new file mode 100644 index 00000000000..097e70602bc --- /dev/null +++ b/tmp-5.4/pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch 
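Review bot: `cancel_delayed_work(&ctrl->button_work);` in the new BLINKINGON_STATE branch is the non-waiting variant, so a button_work instance that has already started can still run after `ctrl->state` is set to OFF_STATE. That is probably intentional, because the call is made with `ctrl->state_lock` held and a `_sync` cancel could deadlock if the work handler takes the same lock; the handler is not visible here. A comment would record the reasoning: `/* not _sync: button_work may take state_lock, which we hold */`. The handler should also be checked to confirm it re-reads `ctrl->state` under the lock before acting.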
@@ -0,0 +1,46 @@ +From 9e30fd26f43b89cb6b4e850a86caa2e50dedb454 Mon Sep 17 00:00:00 2001 +From: Ondrej Zary +Date: Wed, 14 Jun 2023 09:42:53 +0200 +Subject: PCI/PM: Avoid putting EloPOS E2/S2/H2 PCIe Ports in D3cold + +From: Ondrej Zary + +commit 9e30fd26f43b89cb6b4e850a86caa2e50dedb454 upstream. + +The quirk for Elo i2 introduced in commit 92597f97a40b ("PCI/PM: Avoid +putting Elo i2 PCIe Ports in D3cold") is also needed by EloPOS E2/S2/H2 +which uses the same Continental Z2 board. + +Change the quirk to match the board instead of system. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215715 +Link: https://lore.kernel.org/r/20230614074253.22318-1-linux@zary.sk +Signed-off-by: Ondrej Zary +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -2617,13 +2617,13 @@ static const struct dmi_system_id bridge + { + /* + * Downstream device is not accessible after putting a root port +- * into D3cold and back into D0 on Elo i2. ++ * into D3cold and back into D0 on Elo Continental Z2 board + */ +- .ident = "Elo i2", ++ .ident = "Elo Continental Z2", + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Elo Touch Solutions"), +- DMI_MATCH(DMI_PRODUCT_NAME, "Elo i2"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "RevB"), ++ DMI_MATCH(DMI_BOARD_VENDOR, "Elo Touch Solutions"), ++ DMI_MATCH(DMI_BOARD_NAME, "Geminilake"), ++ DMI_MATCH(DMI_BOARD_VERSION, "Continental Z2"), + }, + }, + #endif diff --git a/tmp-5.4/pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch b/tmp-5.4/pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch new file mode 100644 index 00000000000..b92ef972890 --- /dev/null +++ b/tmp-5.4/pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch 
@@ -0,0 +1,34 @@ +From a33d700e8eea76c62120cb3dbf5e01328f18319a Mon Sep 17 00:00:00 2001 +From: Manivannan Sadhasivam +Date: Mon, 19 Jun 2023 20:34:00 +0530 +Subject: PCI: qcom: Disable write access to read only registers for IP v2.3.3 + +From: Manivannan Sadhasivam + +commit a33d700e8eea76c62120cb3dbf5e01328f18319a upstream. + +In the post init sequence of v2.9.0, write access to read only registers +are not disabled after updating the registers. Fix it by disabling the +access after register update. + +Link: https://lore.kernel.org/r/20230619150408.8468-2-manivannan.sadhasivam@linaro.org +Fixes: 5d76117f070d ("PCI: qcom: Add support for IPQ8074 PCIe controller") +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Lorenzo Pieralisi +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/dwc/pcie-qcom.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pci/controller/dwc/pcie-qcom.c ++++ b/drivers/pci/controller/dwc/pcie-qcom.c +@@ -807,6 +807,8 @@ static int qcom_pcie_get_resources_2_4_0 + return PTR_ERR(res->phy_ahb_reset); + } + ++ dw_pcie_dbi_ro_wr_dis(pci); ++ + return 0; + } + diff --git a/tmp-5.4/pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch b/tmp-5.4/pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch new file mode 100644 index 00000000000..4dfcd00274a --- /dev/null +++ b/tmp-5.4/pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch 
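Review bot: `dw_pcie_dbi_ro_wr_dis(pci);` appears to land in the wrong function. The inner hunk header names `qcom_pcie_get_resources_2_4_0` and the context line above the addition is the `return PTR_ERR(res->phy_ahb_reset);` of a reset lookup, whereas the commit message describes the post-init sequence. If that reading is right, write access to the read-only DBI registers stays enabled after post-init in this tree, and the call runs in a resource getter that never enabled it. The call belongs after the register updates in the post-init path for IP v2.3.3, which is outside the hunk. The backport should be checked against the 5.4 source before it is queued.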
@@ -0,0 +1,81 @@ +From 9dd3c7c4c8c3f7f010d9cdb7c3f42506d93c9527 Mon Sep 17 00:00:00 2001 +From: Rick Wertenbroek +Date: Tue, 18 Apr 2023 09:46:51 +0200 +Subject: PCI: rockchip: Add poll and timeout to wait for PHY PLLs to be locked + +From: Rick Wertenbroek + +commit 9dd3c7c4c8c3f7f010d9cdb7c3f42506d93c9527 upstream. + +The RK3399 PCIe controller should wait until the PHY PLLs are locked. +Add poll and timeout to wait for PHY PLLs to be locked. If they cannot +be locked generate error message and jump to error handler. Accessing +registers in the PHY clock domain when PLLs are not locked causes hang +The PHY PLLs status is checked through a side channel register. +This is documented in the TRM section 17.5.8.1 "PCIe Initialization +Sequence". + +Link: https://lore.kernel.org/r/20230418074700.1083505-5-rick.wertenbroek@gmail.com +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Tested-by: Damien Le Moal +Signed-off-by: Rick Wertenbroek +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip.c | 17 +++++++++++++++++ + drivers/pci/controller/pcie-rockchip.h | 2 ++ + 2 files changed, 19 insertions(+) + +--- a/drivers/pci/controller/pcie-rockchip.c ++++ b/drivers/pci/controller/pcie-rockchip.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -154,6 +155,12 @@ int rockchip_pcie_parse_dt(struct rockch + } + EXPORT_SYMBOL_GPL(rockchip_pcie_parse_dt); + ++#define rockchip_pcie_read_addr(addr) rockchip_pcie_read(rockchip, addr) ++/* 100 ms max wait time for PHY PLLs to lock */ ++#define RK_PHY_PLL_LOCK_TIMEOUT_US 100000 ++/* Sleep should be less than 20ms */ ++#define RK_PHY_PLL_LOCK_SLEEP_US 1000 ++ + int rockchip_pcie_init_port(struct rockchip_pcie *rockchip) + { + struct device *dev = rockchip->dev; +@@ -255,6 +262,16 @@ int rockchip_pcie_init_port(struct rockc + } + } + ++ 
err = readx_poll_timeout(rockchip_pcie_read_addr, ++ PCIE_CLIENT_SIDE_BAND_STATUS, ++ regs, !(regs & PCIE_CLIENT_PHY_ST), ++ RK_PHY_PLL_LOCK_SLEEP_US, ++ RK_PHY_PLL_LOCK_TIMEOUT_US); ++ if (err) { ++ dev_err(dev, "PHY PLLs could not lock, %d\n", err); ++ goto err_power_off_phy; ++ } ++ + /* + * Please don't reorder the deassert sequence of the following + * four reset pins. +--- a/drivers/pci/controller/pcie-rockchip.h ++++ b/drivers/pci/controller/pcie-rockchip.h +@@ -37,6 +37,8 @@ + #define PCIE_CLIENT_MODE_EP HIWORD_UPDATE(0x0040, 0) + #define PCIE_CLIENT_GEN_SEL_1 HIWORD_UPDATE(0x0080, 0) + #define PCIE_CLIENT_GEN_SEL_2 HIWORD_UPDATE_BIT(0x0080) ++#define PCIE_CLIENT_SIDE_BAND_STATUS (PCIE_CLIENT_BASE + 0x20) ++#define PCIE_CLIENT_PHY_ST BIT(12) + #define PCIE_CLIENT_DEBUG_OUT_0 (PCIE_CLIENT_BASE + 0x3c) + #define PCIE_CLIENT_DEBUG_LTSSM_MASK GENMASK(5, 0) + #define PCIE_CLIENT_DEBUG_LTSSM_L1 0x18 diff --git a/tmp-5.4/pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch b/tmp-5.4/pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch new file mode 100644 index 00000000000..7f191dc5cc3 --- /dev/null +++ b/tmp-5.4/pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch 
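Review bot: `#define rockchip_pcie_read_addr(addr) rockchip_pcie_read(rockchip, addr)` silently captures a local variable named `rockchip` from whichever function expands it, and it is defined at file scope with no note of that dependency. A comment such as `/* readx_poll_timeout() accessor; expects a local 'rockchip' in the caller */` would document it. A small `static inline` helper is not a drop-in replacement, because readx_poll_timeout() passes a single argument to the accessor. The parenthesised form `rockchip_pcie_read(rockchip, (addr))` would also be safer. rockchip_pcie_init_port() starts and ends outside the hunk, so the `regs` declaration and the `err_power_off_phy` label could not be checked.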
@@ -0,0 +1,40 @@ +From f397fd4ac1fa3afcabd8cee030f953ccaed2a364 Mon Sep 17 00:00:00 2001 +From: Rick Wertenbroek +Date: Tue, 18 Apr 2023 09:46:50 +0200 +Subject: PCI: rockchip: Assert PCI Configuration Enable bit after probe + +From: Rick Wertenbroek + +commit f397fd4ac1fa3afcabd8cee030f953ccaed2a364 upstream. + +Assert PCI Configuration Enable bit after probe. When this bit is left to +0 in the endpoint mode, the RK3399 PCIe endpoint core will generate +configuration request retry status (CRS) messages back to the root complex. +Assert this bit after probe to allow the RK3399 PCIe endpoint core to reply +to configuration requests from the root complex. +This is documented in section 17.5.8.1.2 of the RK3399 TRM. + +Link: https://lore.kernel.org/r/20230418074700.1083505-4-rick.wertenbroek@gmail.com +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Tested-by: Damien Le Moal +Signed-off-by: Rick Wertenbroek +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip-ep.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/pci/controller/pcie-rockchip-ep.c ++++ b/drivers/pci/controller/pcie-rockchip-ep.c +@@ -630,6 +630,9 @@ static int rockchip_pcie_ep_probe(struct + + ep->irq_pci_addr = ROCKCHIP_PCIE_EP_DUMMY_IRQ_ADDR; + ++ rockchip_pcie_write(rockchip, PCIE_CLIENT_CONF_ENABLE, ++ PCIE_CLIENT_CONFIG); ++ + return 0; + err_epc_mem_exit: + pci_epc_mem_exit(epc); diff --git a/tmp-5.4/pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch b/tmp-5.4/pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch new file mode 100644 index 00000000000..91128349f15 --- /dev/null +++ b/tmp-5.4/pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch 
@@ -0,0 +1,113 @@ +From 166e89d99dd85a856343cca51eee781b793801f2 Mon Sep 17 00:00:00 2001 +From: Rick Wertenbroek +Date: Tue, 18 Apr 2023 09:46:54 +0200 +Subject: PCI: rockchip: Fix legacy IRQ generation for RK3399 PCIe endpoint core + +From: Rick Wertenbroek + +commit 166e89d99dd85a856343cca51eee781b793801f2 upstream. + +Fix legacy IRQ generation for RK3399 PCIe endpoint core according to +the technical reference manual (TRM). Assert and deassert legacy +interrupt (INTx) through the legacy interrupt control register +("PCIE_CLIENT_LEGACY_INT_CTRL") instead of manually generating a PCIe +message. The generation of the legacy interrupt was tested and validated +with the PCIe endpoint test driver. + +Link: https://lore.kernel.org/r/20230418074700.1083505-8-rick.wertenbroek@gmail.com +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Tested-by: Damien Le Moal +Signed-off-by: Rick Wertenbroek +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip-ep.c | 45 +++++++----------------------- + drivers/pci/controller/pcie-rockchip.h | 6 +++- + 2 files changed, 16 insertions(+), 35 deletions(-) + +--- a/drivers/pci/controller/pcie-rockchip-ep.c ++++ b/drivers/pci/controller/pcie-rockchip-ep.c +@@ -346,48 +346,25 @@ static int rockchip_pcie_ep_get_msi(stru + } + + static void rockchip_pcie_ep_assert_intx(struct rockchip_pcie_ep *ep, u8 fn, +- u8 intx, bool is_asserted) ++ u8 intx, bool do_assert) + { + struct rockchip_pcie *rockchip = &ep->rockchip; +- u32 r = ep->max_regions - 1; +- u32 offset; +- u32 status; +- u8 msg_code; +- +- if (unlikely(ep->irq_pci_addr != ROCKCHIP_PCIE_EP_PCI_LEGACY_IRQ_ADDR || +- ep->irq_pci_fn != fn)) { +- rockchip_pcie_prog_ep_ob_atu(rockchip, fn, r, +- AXI_WRAPPER_NOR_MSG, +- ep->irq_phys_addr, 0, 0); +- ep->irq_pci_addr = ROCKCHIP_PCIE_EP_PCI_LEGACY_IRQ_ADDR; +- ep->irq_pci_fn = fn; +- } + + intx &= 
3; +- if (is_asserted) { ++ ++ if (do_assert) { + ep->irq_pending |= BIT(intx); +- msg_code = ROCKCHIP_PCIE_MSG_CODE_ASSERT_INTA + intx; ++ rockchip_pcie_write(rockchip, ++ PCIE_CLIENT_INT_IN_ASSERT | ++ PCIE_CLIENT_INT_PEND_ST_PEND, ++ PCIE_CLIENT_LEGACY_INT_CTRL); + } else { + ep->irq_pending &= ~BIT(intx); +- msg_code = ROCKCHIP_PCIE_MSG_CODE_DEASSERT_INTA + intx; ++ rockchip_pcie_write(rockchip, ++ PCIE_CLIENT_INT_IN_DEASSERT | ++ PCIE_CLIENT_INT_PEND_ST_NORMAL, ++ PCIE_CLIENT_LEGACY_INT_CTRL); + } +- +- status = rockchip_pcie_read(rockchip, +- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + +- ROCKCHIP_PCIE_EP_CMD_STATUS); +- status &= ROCKCHIP_PCIE_EP_CMD_STATUS_IS; +- +- if ((status != 0) ^ (ep->irq_pending != 0)) { +- status ^= ROCKCHIP_PCIE_EP_CMD_STATUS_IS; +- rockchip_pcie_write(rockchip, status, +- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + +- ROCKCHIP_PCIE_EP_CMD_STATUS); +- } +- +- offset = +- ROCKCHIP_PCIE_MSG_ROUTING(ROCKCHIP_PCIE_MSG_ROUTING_LOCAL_INTX) | +- ROCKCHIP_PCIE_MSG_CODE(msg_code) | ROCKCHIP_PCIE_MSG_NO_DATA; +- writel(0, ep->irq_cpu_addr + offset); + } + + static int rockchip_pcie_ep_send_legacy_irq(struct rockchip_pcie_ep *ep, u8 fn, +--- a/drivers/pci/controller/pcie-rockchip.h ++++ b/drivers/pci/controller/pcie-rockchip.h +@@ -37,6 +37,11 @@ + #define PCIE_CLIENT_MODE_EP HIWORD_UPDATE(0x0040, 0) + #define PCIE_CLIENT_GEN_SEL_1 HIWORD_UPDATE(0x0080, 0) + #define PCIE_CLIENT_GEN_SEL_2 HIWORD_UPDATE_BIT(0x0080) ++#define PCIE_CLIENT_LEGACY_INT_CTRL (PCIE_CLIENT_BASE + 0x0c) ++#define PCIE_CLIENT_INT_IN_ASSERT HIWORD_UPDATE_BIT(0x0002) ++#define PCIE_CLIENT_INT_IN_DEASSERT HIWORD_UPDATE(0x0002, 0) ++#define PCIE_CLIENT_INT_PEND_ST_PEND HIWORD_UPDATE_BIT(0x0001) ++#define PCIE_CLIENT_INT_PEND_ST_NORMAL HIWORD_UPDATE(0x0001, 0) + #define PCIE_CLIENT_SIDE_BAND_STATUS (PCIE_CLIENT_BASE + 0x20) + #define PCIE_CLIENT_PHY_ST BIT(12) + #define PCIE_CLIENT_DEBUG_OUT_0 (PCIE_CLIENT_BASE + 0x3c) +@@ -234,7 +239,6 @@ + #define ROCKCHIP_PCIE_EP_MSI_CTRL_ME BIT(16) + #define 
ROCKCHIP_PCIE_EP_MSI_CTRL_MASK_MSI_CAP BIT(24) + #define ROCKCHIP_PCIE_EP_DUMMY_IRQ_ADDR 0x1 +-#define ROCKCHIP_PCIE_EP_PCI_LEGACY_IRQ_ADDR 0x3 + #define ROCKCHIP_PCIE_EP_FUNC_BASE(fn) (((fn) << 12) & GENMASK(19, 12)) + #define ROCKCHIP_PCIE_AT_IB_EP_FUNC_BAR_ADDR0(fn, bar) \ + (PCIE_RC_RP_ATS_BASE + 0x0840 + (fn) * 0x0040 + (bar) * 0x0008) diff --git a/tmp-5.4/pci-rockchip-set-address-alignment-for-endpoint-mode.patch b/tmp-5.4/pci-rockchip-set-address-alignment-for-endpoint-mode.patch new file mode 100644 index 00000000000..ad7f9e72876 --- /dev/null +++ b/tmp-5.4/pci-rockchip-set-address-alignment-for-endpoint-mode.patch @@ -0,0 +1,35 @@ +From 7e6689b34a815bd379dfdbe9855d36f395ef056c Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 18 Apr 2023 09:46:58 +0200 +Subject: PCI: rockchip: Set address alignment for endpoint mode + +From: Damien Le Moal + +commit 7e6689b34a815bd379dfdbe9855d36f395ef056c upstream. + +The address translation unit of the rockchip EP controller does not use +the lower 8 bits of a PCIe-space address to map local memory. Thus we +must set the align feature field to 256 to let the user know about this +constraint. + +Link: https://lore.kernel.org/r/20230418074700.1083505-12-rick.wertenbroek@gmail.com +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Signed-off-by: Damien Le Moal +Signed-off-by: Rick Wertenbroek +Signed-off-by: Lorenzo Pieralisi +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip-ep.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pci/controller/pcie-rockchip-ep.c ++++ b/drivers/pci/controller/pcie-rockchip-ep.c +@@ -484,6 +484,7 @@ static const struct pci_epc_features roc + .linkup_notifier = false, + .msi_capable = true, + .msix_capable = false, ++ .align = 256, + }; + + static const struct pci_epc_features* 
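Review bot: In the rewritten rockchip_pcie_ep_assert_intx(), neither `fn` nor `intx` influences the register write any more. `intx` only updates the `ep->irq_pending` bitmap, and the same `PCIE_CLIENT_LEGACY_INT_CTRL` value is written for any of INTA to INTD. As a result `irq_pending` can hold several bits while the hardware has one line, and deasserting one INTx writes DEASSERT even if another bit is still pending. If the controller exposes only a single legacy interrupt, a comment should say so, for example `/* the client register drives one INTx line; fn and intx are not selectable here */`. The deassert write could also be gated on `!ep->irq_pending`.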
diff --git a/tmp-5.4/pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch b/tmp-5.4/pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch
new file mode 100644
index 00000000000..8efd0dcdc05
--- /dev/null
+++ b/tmp-5.4/pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch
@@ -0,0 +1,76 @@ +From 8962b2cb39119cbda4fc69a1f83957824f102f81 Mon Sep 17 00:00:00 2001 +From: Rick Wertenbroek +Date: Tue, 18 Apr 2023 09:46:56 +0200 +Subject: PCI: rockchip: Use u32 variable to access 32-bit registers + +From: Rick Wertenbroek + +commit 8962b2cb39119cbda4fc69a1f83957824f102f81 upstream. + +Previously u16 variables were used to access 32-bit registers, this +resulted in not all of the data being read from the registers. Also +the left shift of more than 16-bits would result in moving data out +of the variable. Use u32 variables to access 32-bit registers + +Link: https://lore.kernel.org/r/20230418074700.1083505-10-rick.wertenbroek@gmail.com +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Tested-by: Damien Le Moal +Signed-off-by: Rick Wertenbroek +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip-ep.c | 10 +++++----- + drivers/pci/controller/pcie-rockchip.h | 1 + + 2 files changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/pci/controller/pcie-rockchip-ep.c ++++ b/drivers/pci/controller/pcie-rockchip-ep.c +@@ -313,15 +313,15 @@ static int rockchip_pcie_ep_set_msi(stru + { + struct rockchip_pcie_ep *ep = epc_get_drvdata(epc); + struct rockchip_pcie *rockchip = &ep->rockchip; +- u16 flags; ++ u32 flags; + + flags = rockchip_pcie_read(rockchip, + ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + + ROCKCHIP_PCIE_EP_MSI_CTRL_REG); + flags &= ~ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_MASK; + flags |= +- ((multi_msg_cap << 1) << ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET) | +- PCI_MSI_FLAGS_64BIT; ++ (multi_msg_cap << ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET) | ++ (PCI_MSI_FLAGS_64BIT << ROCKCHIP_PCIE_EP_MSI_FLAGS_OFFSET); + flags &= ~ROCKCHIP_PCIE_EP_MSI_CTRL_MASK_MSI_CAP; + rockchip_pcie_write(rockchip, flags, + ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + +@@ -333,7 +333,7 @@ static int rockchip_pcie_ep_get_msi(stru + { + struct 
rockchip_pcie_ep *ep = epc_get_drvdata(epc); + struct rockchip_pcie *rockchip = &ep->rockchip; +- u16 flags; ++ u32 flags; + + flags = rockchip_pcie_read(rockchip, + ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + +@@ -394,7 +394,7 @@ static int rockchip_pcie_ep_send_msi_irq + u8 interrupt_num) + { + struct rockchip_pcie *rockchip = &ep->rockchip; +- u16 flags, mme, data, data_mask; ++ u32 flags, mme, data, data_mask; + u8 msi_count; + u64 pci_addr, pci_addr_mask = 0xff; + +--- a/drivers/pci/controller/pcie-rockchip.h ++++ b/drivers/pci/controller/pcie-rockchip.h +@@ -232,6 +232,7 @@ + #define ROCKCHIP_PCIE_EP_CMD_STATUS 0x4 + #define ROCKCHIP_PCIE_EP_CMD_STATUS_IS BIT(19) + #define ROCKCHIP_PCIE_EP_MSI_CTRL_REG 0x90 ++#define ROCKCHIP_PCIE_EP_MSI_FLAGS_OFFSET 16 + #define ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET 17 + #define ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_MASK GENMASK(19, 17) + #define ROCKCHIP_PCIE_EP_MSI_CTRL_MME_OFFSET 20 diff --git a/tmp-5.4/pci-rockchip-write-pci-device-id-to-correct-register.patch b/tmp-5.4/pci-rockchip-write-pci-device-id-to-correct-register.patch new file mode 100644 index 00000000000..e0393daa2ca --- /dev/null +++ b/tmp-5.4/pci-rockchip-write-pci-device-id-to-correct-register.patch 
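Review bot: In rockchip_pcie_ep_set_msi(), `multi_msg_cap << ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET` is OR-ed into `flags` without being masked. Any value above 7 would therefore spill past `GENMASK(19, 17)` into the MME field that starts at bit 20. The parameter's type and range are not visible in the hunk, so this may already be bounded by the caller. Masking locally is cheap: `((multi_msg_cap << ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_OFFSET) & ROCKCHIP_PCIE_EP_MSI_CTRL_MMC_MASK)`.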
@@ -0,0 +1,60 @@ +From 1f1c42ece18de365c976a060f3c8eb481b038e3a Mon Sep 17 00:00:00 2001 +From: Rick Wertenbroek +Date: Tue, 18 Apr 2023 09:46:49 +0200 +Subject: PCI: rockchip: Write PCI Device ID to correct register + +From: Rick Wertenbroek + +commit 1f1c42ece18de365c976a060f3c8eb481b038e3a upstream. + +Write PCI Device ID (DID) to the correct register. The Device ID was not +updated through the correct register. Device ID was written to a read-only +register and therefore did not work. The Device ID is now set through the +correct register. This is documented in the RK3399 TRM section 17.6.6.1.1 + +Link: https://lore.kernel.org/r/20230418074700.1083505-3-rick.wertenbroek@gmail.com +Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller") +Tested-by: Damien Le Moal +Signed-off-by: Rick Wertenbroek +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Damien Le Moal +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/controller/pcie-rockchip-ep.c | 6 ++++-- + drivers/pci/controller/pcie-rockchip.h | 2 ++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/pci/controller/pcie-rockchip-ep.c ++++ b/drivers/pci/controller/pcie-rockchip-ep.c +@@ -124,6 +124,7 @@ static void rockchip_pcie_prog_ep_ob_atu + static int rockchip_pcie_ep_write_header(struct pci_epc *epc, u8 fn, + struct pci_epf_header *hdr) + { ++ u32 reg; + struct rockchip_pcie_ep *ep = epc_get_drvdata(epc); + struct rockchip_pcie *rockchip = &ep->rockchip; + +@@ -136,8 +137,9 @@ static int rockchip_pcie_ep_write_header + PCIE_CORE_CONFIG_VENDOR); + } + +- rockchip_pcie_write(rockchip, hdr->deviceid << 16, +- ROCKCHIP_PCIE_EP_FUNC_BASE(fn) + PCI_VENDOR_ID); ++ reg = rockchip_pcie_read(rockchip, PCIE_EP_CONFIG_DID_VID); ++ reg = (reg & 0xFFFF) | (hdr->deviceid << 16); ++ rockchip_pcie_write(rockchip, reg, PCIE_EP_CONFIG_DID_VID); + + rockchip_pcie_write(rockchip, + hdr->revid | +--- a/drivers/pci/controller/pcie-rockchip.h ++++ 
b/drivers/pci/controller/pcie-rockchip.h +@@ -132,6 +132,8 @@ + #define PCIE_RC_RP_ATS_BASE 0x400000 + #define PCIE_RC_CONFIG_NORMAL_BASE 0x800000 + #define PCIE_RC_CONFIG_BASE 0xa00000 ++#define PCIE_EP_CONFIG_BASE 0xa00000 ++#define PCIE_EP_CONFIG_DID_VID (PCIE_EP_CONFIG_BASE + 0x00) + #define PCIE_RC_CONFIG_RID_CCR (PCIE_RC_CONFIG_BASE + 0x08) + #define PCIE_RC_CONFIG_SCC_SHIFT 16 + #define PCIE_RC_CONFIG_DCR (PCIE_RC_CONFIG_BASE + 0xc4) diff --git a/tmp-5.4/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch b/tmp-5.4/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch new file mode 100644 index 00000000000..40436364670 --- /dev/null +++ b/tmp-5.4/perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch 
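Review bot: In rockchip_pcie_ep_write_header() the added `hdr->deviceid << 16` is shifted before it is widened to `reg`'s type. If `deviceid` is a 16-bit field (its declaration is not in the hunk), the shift happens in `int` and an ID with bit 15 set lands in the sign bit. Writing `reg = (reg & GENMASK(15, 0)) | ((u32)hdr->deviceid << 16);` makes the width explicit and replaces the bare `0xFFFF`. The new read-modify-write also no longer takes `fn` into account, which the old `ROCKCHIP_PCIE_EP_FUNC_BASE(fn)` write did. A one-line comment saying the DID/VID register is not per-function would help the next reader, if that is indeed the case.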
@@ -0,0 +1,45 @@ +From a1737631184f4487cf332e1462297552a0c010ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jun 2023 16:41:01 -0700 +Subject: perf dwarf-aux: Fix off-by-one in die_get_varname() + +From: Namhyung Kim + +[ Upstream commit 3abfcfd847717d232e36963f31a361747c388fe7 ] + +The die_get_varname() returns "(unknown_type)" string if it failed to +find a type for the variable. But it had a space before the opening +parenthesis and it made the closing parenthesis cut off due to the +off-by-one in the string length (14). + +Signed-off-by: Namhyung Kim +Fixes: 88fd633cdfa19060 ("perf probe: No need to use formatting strbuf method") +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Masami Hiramatsu +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20230612234102.3909116-1-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/dwarf-aux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c +index f1e2f566ce6fc..1d51aa88f4cb6 100644 +--- a/tools/perf/util/dwarf-aux.c ++++ b/tools/perf/util/dwarf-aux.c +@@ -1007,7 +1007,7 @@ int die_get_varname(Dwarf_Die *vr_die, struct strbuf *buf) + ret = die_get_typename(vr_die, buf); + if (ret < 0) { + pr_debug("Failed to get type, make it unknown.\n"); +- ret = strbuf_add(buf, " (unknown_type)", 14); ++ ret = strbuf_add(buf, "(unknown_type)", 14); + } + + return ret < 0 ? ret : strbuf_addf(buf, "\t%s", dwarf_diename(vr_die)); +-- +2.39.2 + diff --git a/tmp-5.4/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch b/tmp-5.4/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch new file mode 100644 index 00000000000..ac282bd2634 --- /dev/null +++ b/tmp-5.4/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch 
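Review bot: The fixed line in die_get_varname() still passes a hand-counted length, `strbuf_add(buf, "(unknown_type)", 14)`, which is the same pattern that produced the truncation being fixed. Letting the helper compute the length removes the coupling between the literal and the number: `ret = strbuf_addstr(buf, "(unknown_type)");`. Only the tail of the function is visible in the hunk.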
@@ -0,0 +1,115 @@ +From 56cbeacf143530576905623ac72ae0964f3293a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Georg=20M=C3=BCller?= +Date: Wed, 28 Jun 2023 10:45:50 +0200 +Subject: perf probe: Add test for regression introduced by switch to die_get_decl_file() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Georg Müller + +commit 56cbeacf143530576905623ac72ae0964f3293a6 upstream. + +This patch adds a test to validate that 'perf probe' works for binaries +where DWARF info is split into multiple CUs + +Signed-off-by: Georg Müller +Acked-by: Masami Hiramatsu (Google) +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: regressions@lists.linux.dev +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230628084551.1860532-5-georgmueller@gmx.net +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/shell/test_uprobe_from_different_cu.sh | 77 ++++++++++++++++ + 1 file changed, 77 insertions(+) + create mode 100755 tools/perf/tests/shell/test_uprobe_from_different_cu.sh + +--- /dev/null ++++ b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh +@@ -0,0 +1,77 @@ ++#!/bin/bash ++# test perf probe of function from different CU ++# SPDX-License-Identifier: GPL-2.0 ++ ++set -e ++ ++temp_dir=$(mktemp -d /tmp/perf-uprobe-different-cu-sh.XXXXXXXXXX) ++ ++cleanup() ++{ ++ trap - EXIT TERM INT ++ if [[ "${temp_dir}" =~ ^/tmp/perf-uprobe-different-cu-sh.*$ ]]; then ++ echo "--- Cleaning up ---" ++ perf probe -x ${temp_dir}/testfile -d foo ++ rm -f "${temp_dir}/"* ++ rmdir "${temp_dir}" ++ fi ++} ++ ++trap_cleanup() ++{ ++ cleanup ++ exit 1 ++} ++ ++trap trap_cleanup EXIT TERM INT ++ ++cat > ${temp_dir}/testfile-foo.h << EOF ++struct t ++{ ++ int *p; ++ int c; ++}; ++ ++extern int foo (int i, struct t *t); ++EOF ++ ++cat > ${temp_dir}/testfile-foo.c << EOF ++#include 
"testfile-foo.h" ++ ++int ++foo (int i, struct t *t) ++{ ++ int j, res = 0; ++ for (j = 0; j < i && j < t->c; j++) ++ res += t->p[j]; ++ ++ return res; ++} ++EOF ++ ++cat > ${temp_dir}/testfile-main.c << EOF ++#include "testfile-foo.h" ++ ++static struct t g; ++ ++int ++main (int argc, char **argv) ++{ ++ int i; ++ int j[argc]; ++ g.c = argc; ++ g.p = j; ++ for (i = 0; i < argc; i++) ++ j[i] = (int) argv[i][0]; ++ return foo (3, &g); ++} ++EOF ++ ++gcc -g -Og -flto -c ${temp_dir}/testfile-foo.c -o ${temp_dir}/testfile-foo.o ++gcc -g -Og -c ${temp_dir}/testfile-main.c -o ${temp_dir}/testfile-main.o ++gcc -g -Og -o ${temp_dir}/testfile ${temp_dir}/testfile-foo.o ${temp_dir}/testfile-main.o ++ ++perf probe -x ${temp_dir}/testfile --funcs foo ++perf probe -x ${temp_dir}/testfile foo ++ ++cleanup diff --git a/tmp-5.4/pinctrl-amd-detect-internal-gpio0-debounce-handling.patch b/tmp-5.4/pinctrl-amd-detect-internal-gpio0-debounce-handling.patch new file mode 100644 index 00000000000..2cf6df7d4b3 --- /dev/null +++ b/tmp-5.4/pinctrl-amd-detect-internal-gpio0-debounce-handling.patch 
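Review bot: cleanup() runs `perf probe -x ${temp_dir}/testfile -d foo` before the `rm`/`rmdir` lines while `set -e` is active. When the script aborts before the probe exists (for example a failed `gcc` step), the delete command can fail and end the handler before the temporary directory is removed. Making that step best-effort keeps the removal unconditional: `perf probe -x "${temp_dir}/testfile" -d foo || true`. The `${temp_dir}` expansions in the `cat >`, `gcc` and `perf probe` lines are also unquoted, and the guard regex leaves the `.` before `*` unescaped. Quoting the expansions and anchoring the pattern on the literal mktemp prefix would make the path handling stricter.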
@@ -0,0 +1,77 @@ +From 968ab9261627fa305307e3935ca1a32fcddd36cb Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Fri, 21 Apr 2023 07:06:21 -0500 +Subject: pinctrl: amd: Detect internal GPIO0 debounce handling + +From: Mario Limonciello + +commit 968ab9261627fa305307e3935ca1a32fcddd36cb upstream. + +commit 4e5a04be88fe ("pinctrl: amd: disable and mask interrupts on probe") +had a mistake in loop iteration 63 that it would clear offset 0xFC instead +of 0x100. Offset 0xFC is actually `WAKE_INT_MASTER_REG`. This was +clearing bits 13 and 15 from the register which significantly changed the +expected handling for some platforms for GPIO0. + +commit b26cd9325be4 ("pinctrl: amd: Disable and mask interrupts on resume") +actually fixed this bug, but lead to regressions on Lenovo Z13 and some +other systems. This is because there was no handling in the driver for bit +15 debounce behavior. + +Quoting a public BKDG: +``` +EnWinBlueBtn. Read-write. Reset: 0. 0=GPIO0 detect debounced power button; +Power button override is 4 seconds. 1=GPIO0 detect debounced power button +in S3/S5/S0i3, and detect "pressed less than 2 seconds" and "pressed 2~10 +seconds" in S0; Power button override is 10 seconds +``` + +Cross referencing the same master register in Windows it's obvious that +Windows doesn't use debounce values in this configuration. So align the +Linux driver to do this as well. This fixes wake on lid when +WAKE_INT_MASTER_REG is properly programmed. 
+ +Cc: stable@vger.kernel.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217315 +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20230421120625.3366-2-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-amd.c | 7 +++++++ + drivers/pinctrl/pinctrl-amd.h | 1 + + 2 files changed, 8 insertions(+) + +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -123,6 +123,12 @@ static int amd_gpio_set_debounce(struct + struct amd_gpio *gpio_dev = gpiochip_get_data(gc); + + raw_spin_lock_irqsave(&gpio_dev->lock, flags); ++ ++ /* Use special handling for Pin0 debounce */ ++ pin_reg = readl(gpio_dev->base + WAKE_INT_MASTER_REG); ++ if (pin_reg & INTERNAL_GPIO0_DEBOUNCE) ++ debounce = 0; ++ + pin_reg = readl(gpio_dev->base + offset * 4); + + if (debounce) { +@@ -212,6 +218,7 @@ static void amd_gpio_dbg_show(struct seq + char *output_value; + char *output_enable; + ++ seq_printf(s, "WAKE_INT_MASTER_REG: 0x%08x\n", readl(gpio_dev->base + WAKE_INT_MASTER_REG)); + for (bank = 0; bank < gpio_dev->hwbank_num; bank++) { + seq_printf(s, "GPIO bank%d\t", bank); + +--- a/drivers/pinctrl/pinctrl-amd.h ++++ b/drivers/pinctrl/pinctrl-amd.h +@@ -17,6 +17,7 @@ + #define AMD_GPIO_PINS_BANK3 32 + + #define WAKE_INT_MASTER_REG 0xfc ++#define INTERNAL_GPIO0_DEBOUNCE (1 << 15) + #define EOI_MASK (1 << 29) + + #define WAKE_INT_STATUS_REG0 0x2f8 diff --git a/tmp-5.4/pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch b/tmp-5.4/pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch new file mode 100644 index 00000000000..ac6a83a7e29 --- /dev/null +++ b/tmp-5.4/pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch 
@@ -0,0 +1,39 @@ +From a855724dc08b8cb0c13ab1e065a4922f1e5a7552 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Fri, 21 Apr 2023 07:06:22 -0500 +Subject: pinctrl: amd: Fix mistake in handling clearing pins at startup + +From: Mario Limonciello + +commit a855724dc08b8cb0c13ab1e065a4922f1e5a7552 upstream. + +commit 4e5a04be88fe ("pinctrl: amd: disable and mask interrupts on probe") +had a mistake in loop iteration 63 that it would clear offset 0xFC instead +of 0x100. Offset 0xFC is actually `WAKE_INT_MASTER_REG`. This was +clearing bits 13 and 15 from the register which significantly changed the +expected handling for some platforms for GPIO0. + +Cc: stable@vger.kernel.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217315 +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20230421120625.3366-3-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-amd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -790,9 +790,9 @@ static void amd_gpio_irq_init(struct amd + + raw_spin_lock_irqsave(&gpio_dev->lock, flags); + +- pin_reg = readl(gpio_dev->base + i * 4); ++ pin_reg = readl(gpio_dev->base + pin * 4); + pin_reg &= ~mask; +- writel(pin_reg, gpio_dev->base + i * 4); ++ writel(pin_reg, gpio_dev->base + pin * 4); + + raw_spin_unlock_irqrestore(&gpio_dev->lock, flags); + } diff --git a/tmp-5.4/pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch b/tmp-5.4/pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch new file mode 100644 index 00000000000..53373c7e749 --- /dev/null +++ b/tmp-5.4/pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch 
@@ -0,0 +1,40 @@ +From 0d5ace1a07f7e846d0f6d972af60d05515599d0b Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Wed, 5 Jul 2023 08:30:02 -0500 +Subject: pinctrl: amd: Only use special debounce behavior for GPIO 0 + +From: Mario Limonciello + +commit 0d5ace1a07f7e846d0f6d972af60d05515599d0b upstream. + +It's uncommon to use debounce on any other pin, but technically +we should only set debounce to 0 when working off GPIO0. + +Cc: stable@vger.kernel.org +Tested-by: Jan Visser +Fixes: 968ab9261627 ("pinctrl: amd: Detect internal GPIO0 debounce handling") +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20230705133005.577-2-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-amd.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -125,9 +125,11 @@ static int amd_gpio_set_debounce(struct + raw_spin_lock_irqsave(&gpio_dev->lock, flags); + + /* Use special handling for Pin0 debounce */ +- pin_reg = readl(gpio_dev->base + WAKE_INT_MASTER_REG); +- if (pin_reg & INTERNAL_GPIO0_DEBOUNCE) +- debounce = 0; ++ if (offset == 0) { ++ pin_reg = readl(gpio_dev->base + WAKE_INT_MASTER_REG); ++ if (pin_reg & INTERNAL_GPIO0_DEBOUNCE) ++ debounce = 0; ++ } + + pin_reg = readl(gpio_dev->base + offset * 4); + diff --git a/tmp-5.4/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch b/tmp-5.4/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch new file mode 100644 index 00000000000..57476bd164e --- /dev/null +++ b/tmp-5.4/pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch 
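Review bot: The comment kept above the new `if (offset == 0)` block in amd_gpio_set_debounce(), `/* Use special handling for Pin0 debounce */`, does not say what the special case is or which bit triggers it. I would replace it with `/* GPIO0: when INTERNAL_GPIO0_DEBOUNCE is set in WAKE_INT_MASTER_REG the debounce is handled internally, so program none here */`. The rest of the function, including the code that consumes `debounce`, lies outside the hunk.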
@@ -0,0 +1,108 @@ +From d60135b3aeb1520fdaae6864d4c4d75d8cc1aa49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 08:30:03 -0500 +Subject: pinctrl: amd: Use amd_pinconf_set() for all config options + +From: Mario Limonciello + +[ Upstream commit 635a750d958e158e17af0f524bedc484b27fbb93 ] + +On ASUS TUF A16 it is reported that the ITE5570 ACPI device connected to +GPIO 7 is causing an interrupt storm. This issue doesn't happen on +Windows. + +Comparing the GPIO register configuration between Windows and Linux +bit 20 has been configured as a pull up on Windows, but not on Linux. +Checking GPIO declaration from the firmware it is clear it *should* have +been a pull up on Linux as well. + +``` +GpioInt (Level, ActiveLow, Exclusive, PullUp, 0x0000, + "\\_SB.GPIO", 0x00, ResourceConsumer, ,) +{ // Pin list +0x0007 +} +``` + +On Linux amd_gpio_set_config() is currently only used for programming +the debounce. Actually the GPIO core calls it with all the arguments +that are supported by a GPIO, pinctrl-amd just responds `-ENOTSUPP`. + +To solve this issue expand amd_gpio_set_config() to support the other +arguments amd_pinconf_set() supports, namely `PIN_CONFIG_BIAS_PULL_DOWN`, +`PIN_CONFIG_BIAS_PULL_UP`, and `PIN_CONFIG_DRIVE_STRENGTH`. 
+ +Reported-by: Nik P +Reported-by: Nathan Schulte +Reported-by: Friedrich Vock +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217336 +Reported-by: dridri85@gmail.com +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217493 +Link: https://lore.kernel.org/linux-input/20230530154058.17594-1-friedrich.vock@gmx.de/ +Tested-by: Jan Visser +Fixes: 2956b5d94a76 ("pinctrl / gpio: Introduce .set_config() callback for GPIO chips") +Signed-off-by: Mario Limonciello +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230705133005.577-3-mario.limonciello@amd.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-amd.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-amd.c b/drivers/pinctrl/pinctrl-amd.c +index ba446271e17b6..2415085eadeda 100644 +--- a/drivers/pinctrl/pinctrl-amd.c ++++ b/drivers/pinctrl/pinctrl-amd.c +@@ -186,18 +186,6 @@ static int amd_gpio_set_debounce(struct gpio_chip *gc, unsigned offset, + return ret; + } + +-static int amd_gpio_set_config(struct gpio_chip *gc, unsigned offset, +- unsigned long config) +-{ +- u32 debounce; +- +- if (pinconf_to_config_param(config) != PIN_CONFIG_INPUT_DEBOUNCE) +- return -ENOTSUPP; +- +- debounce = pinconf_to_config_argument(config); +- return amd_gpio_set_debounce(gc, offset, debounce); +-} +- + #ifdef CONFIG_DEBUG_FS + static void amd_gpio_dbg_show(struct seq_file *s, struct gpio_chip *gc) + { +@@ -682,7 +670,7 @@ static int amd_pinconf_get(struct pinctrl_dev *pctldev, + } + + static int amd_pinconf_set(struct pinctrl_dev *pctldev, unsigned int pin, +- unsigned long *configs, unsigned num_configs) ++ unsigned long *configs, unsigned int num_configs) + { + int i; + u32 arg; +@@ -772,6 +760,20 @@ static int amd_pinconf_group_set(struct pinctrl_dev *pctldev, + return 0; + } + ++static int amd_gpio_set_config(struct gpio_chip *gc, unsigned int pin, ++ unsigned long config) ++{ ++ struct 
amd_gpio *gpio_dev = gpiochip_get_data(gc); ++ ++ if (pinconf_to_config_param(config) == PIN_CONFIG_INPUT_DEBOUNCE) { ++ u32 debounce = pinconf_to_config_argument(config); ++ ++ return amd_gpio_set_debounce(gc, pin, debounce); ++ } ++ ++ return amd_pinconf_set(gpio_dev->pctrl, pin, &config, 1); ++} ++ + static const struct pinconf_ops amd_pinconf_ops = { + .pin_config_get = amd_pinconf_get, + .pin_config_set = amd_pinconf_set, +-- +2.39.2 + diff --git a/tmp-5.4/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch b/tmp-5.4/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch new file mode 100644 index 00000000000..548919ce5aa --- /dev/null +++ b/tmp-5.4/pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch 
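Review bot: The re-added amd_gpio_set_config() forwards every non-debounce parameter to `amd_pinconf_set(gpio_dev->pctrl, pin, &config, 1)`, but the removed version answered those requests with `-ENOTSUPP` itself. What the GPIO core now sees for a parameter the driver does not implement depends on amd_pinconf_set()'s default branch, which is outside the hunk. It is worth confirming that branch still returns `-ENOTSUPP` and does not log at error level on each such call, since this path is reached for every config request on a GPIO. A short comment above the function would also help, e.g. `/* Debounce is programmed here; all other parameters go through amd_pinconf_set() */`.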
@@ -0,0 +1,41 @@ +From 152d13a34e904600505943e1e6716353de95a91f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 13:53:33 +0300 +Subject: pinctrl: at91-pio4: check return value of devm_kasprintf() + +From: Claudiu Beznea + +[ Upstream commit f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0 ] + +devm_kasprintf() returns a pointer to dynamically allocated memory. +Pointer could be NULL in case allocation fails. Check pointer validity. +Identified with coccinelle (kmerr.cocci script). + +Fixes: 776180848b57 ("pinctrl: introduce driver for Atmel PIO4 controller") +Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks") +Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int") +Signed-off-by: Claudiu Beznea +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230615105333.585304-4-claudiu.beznea@microchip.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-at91-pio4.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c +index 064b7c3c942a9..9c225256e3f4e 100644 +--- a/drivers/pinctrl/pinctrl-at91-pio4.c ++++ b/drivers/pinctrl/pinctrl-at91-pio4.c +@@ -1013,6 +1013,8 @@ static int atmel_pinctrl_probe(struct platform_device *pdev) + /* Pin naming convention: P(bank_name)(bank_pin_number). */ + pin_desc[i].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "P%c%d", + bank + 'A', line); ++ if (!pin_desc[i].name) ++ return -ENOMEM; + + group->name = group_names[i] = pin_desc[i].name; + group->pin = pin_desc[i].number; +-- +2.39.2 + diff --git a/tmp-5.4/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch b/tmp-5.4/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch new file mode 100644 index 00000000000..69326a5c889 --- /dev/null +++ b/tmp-5.4/pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch 
@@ -0,0 +1,57 @@ +From d9266e338efc1bc6091314de4a485fbb7464cc50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 17:37:34 +0300 +Subject: pinctrl: cherryview: Return correct value if pin in push-pull mode + +From: Andy Shevchenko + +[ Upstream commit 5835196a17be5cfdcad0b617f90cf4abe16951a4 ] + +Currently the getter returns ENOTSUPP on pin configured in +the push-pull mode. Fix this by adding the missed switch case. + +Fixes: ccdf81d08dbe ("pinctrl: cherryview: add option to set open-drain pin config") +Fixes: 6e08d6bbebeb ("pinctrl: Add Intel Cherryview/Braswell pin controller support") +Acked-by: Mika Westerberg +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-cherryview.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c +index 8f06445a8e39c..2b48901f1b2af 100644 +--- a/drivers/pinctrl/intel/pinctrl-cherryview.c ++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c +@@ -1021,11 +1021,6 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned int pin, + + break; + +- case PIN_CONFIG_DRIVE_OPEN_DRAIN: +- if (!(ctrl1 & CHV_PADCTRL1_ODEN)) +- return -EINVAL; +- break; +- + case PIN_CONFIG_BIAS_HIGH_IMPEDANCE: { + u32 cfg; + +@@ -1035,6 +1030,16 @@ static int chv_config_get(struct pinctrl_dev *pctldev, unsigned int pin, + return -EINVAL; + + break; ++ ++ case PIN_CONFIG_DRIVE_PUSH_PULL: ++ if (ctrl1 & CHV_PADCTRL1_ODEN) ++ return -EINVAL; ++ break; ++ ++ case PIN_CONFIG_DRIVE_OPEN_DRAIN: ++ if (!(ctrl1 & CHV_PADCTRL1_ODEN)) ++ return -EINVAL; ++ break; + } + + default: +-- +2.39.2 + diff --git a/tmp-5.4/platform-x86-wmi-break-possible-infinite-loop-when-p.patch b/tmp-5.4/platform-x86-wmi-break-possible-infinite-loop-when-p.patch new file mode 100644 index 00000000000..4a894ceda6d --- /dev/null +++ b/tmp-5.4/platform-x86-wmi-break-possible-infinite-loop-when-p.patch 
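Review bot: In the second hunk of chv_config_get() the new `case PIN_CONFIG_DRIVE_PUSH_PULL:` and the re-added `case PIN_CONFIG_DRIVE_OPEN_DRAIN:` are inserted after the `break;` of the `PIN_CONFIG_BIAS_HIGH_IMPEDANCE` case but before its closing `}`. Both labels therefore sit inside the compound statement that scopes `u32 cfg`. That is accepted by the compiler, but the labels read as nested in an unrelated case, and any later initialised declaration in that block would make jumping to them an error or leave state uninitialised. I would close the brace directly after the HIGH_IMPEDANCE `break;` and put the two cases after it, at the same level as `default:`. The start of the switch is outside the hunk.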
@@ -0,0 +1,84 @@ +From 202d5f392162a5bbd1d8ed12a371cfc74ebc500f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 18:11:54 +0300 +Subject: platform/x86: wmi: Break possible infinite loop when parsing GUID + +From: Andy Shevchenko + +[ Upstream commit 028e6e204ace1f080cfeacd72c50397eb8ae8883 ] + +The while-loop may break on one of the two conditions, either ID string +is empty or GUID matches. The second one, may never be reached if the +parsed string is not correct GUID. In such a case the loop will never +advance to check the next ID. + +Break possible infinite loop by factoring out guid_parse_and_compare() +helper which may be moved to the generic header for everyone later on +and preventing from similar mistake in the future. + +Interestingly that firstly it appeared when WMI was turned into a bus +driver, but later when duplicated GUIDs were checked, the while-loop +has been replaced by for-loop and hence no mistake made again. + +Fixes: a48e23385fcf ("platform/x86: wmi: add context pointer field to struct wmi_device_id") +Fixes: 844af950da94 ("platform/x86: wmi: Turn WMI into a bus driver") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230621151155.78279-1-andriy.shevchenko@linux.intel.com +Tested-by: Armin Wolf +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 8d1a7923c03b6..67c4ec554ada8 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -129,6 +129,16 @@ static bool find_guid(const char *guid_string, struct wmi_block **out) + return false; + } + ++static bool guid_parse_and_compare(const char *string, const guid_t *guid) ++{ ++ guid_t guid_input; ++ ++ if (guid_parse(string, &guid_input)) ++ return false; ++ ++ return guid_equal(&guid_input, guid); ++} ++ + static 
const void *find_guid_context(struct wmi_block *wblock, + struct wmi_driver *wdriver) + { +@@ -141,11 +151,7 @@ static const void *find_guid_context(struct wmi_block *wblock, + + id = wdriver->id_table; + while (*id->guid_string) { +- guid_t guid_input; +- +- if (guid_parse(id->guid_string, &guid_input)) +- continue; +- if (guid_equal(&wblock->gblock.guid, &guid_input)) ++ if (guid_parse_and_compare(id->guid_string, &wblock->gblock.guid)) + return id->context; + id++; + } +@@ -801,11 +807,7 @@ static int wmi_dev_match(struct device *dev, struct device_driver *driver) + return 0; + + while (*id->guid_string) { +- guid_t driver_guid; +- +- if (WARN_ON(guid_parse(id->guid_string, &driver_guid))) +- continue; +- if (guid_equal(&driver_guid, &wblock->gblock.guid)) ++ if (guid_parse_and_compare(id->guid_string, &wblock->gblock.guid)) + return 1; + + id++; +-- +2.39.2 + diff --git a/tmp-5.4/platform-x86-wmi-fix-indentation-in-some-cases.patch b/tmp-5.4/platform-x86-wmi-fix-indentation-in-some-cases.patch new file mode 100644 index 00000000000..2102a647561 --- /dev/null +++ b/tmp-5.4/platform-x86-wmi-fix-indentation-in-some-cases.patch 
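Review bot: In wmi_dev_match() the replaced loop wrapped the parse in `WARN_ON(guid_parse(...))`, and the new `guid_parse_and_compare()` call drops that, so a malformed GUID string in a driver's id_table is now skipped silently. The loop fix itself is right, but the diagnostic was the only signal that a table entry can never match. Keeping it inside the helper preserves that without reintroducing the stuck loop: `if (WARN_ON_ONCE(guid_parse(string, &guid_input))) return false;`. If find_guid_context() should stay quiet on the same condition, a comment on the helper saying it returns false for unparsable strings would make that choice explicit.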
@@ -0,0 +1,48 @@ +From e879a7db78a688c30bc440337341769a13faf12e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Apr 2020 15:30:15 +0300 +Subject: platform/x86: wmi: Fix indentation in some cases + +From: Andy Shevchenko + +[ Upstream commit 6701cc8f70710826a4de69cbb1f66c52db2c36ac ] + +There is no need to split lines as they perfectly fit 80 character limit. + +Signed-off-by: Andy Shevchenko +Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 62b146af35679..1aa29d594b7ab 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -1122,8 +1122,7 @@ static void wmi_free_devices(struct acpi_device *device) + } + } + +-static bool guid_already_parsed(struct acpi_device *device, +- const u8 *guid) ++static bool guid_already_parsed(struct acpi_device *device, const u8 *guid) + { + struct wmi_block *wblock; + +@@ -1333,10 +1332,8 @@ static void acpi_wmi_notify_handler(acpi_handle handle, u32 event, + wblock->handler(event, wblock->handler_data); + } + +- if (debug_event) { +- pr_info("DEBUG Event GUID: %pUL\n", +- wblock->gblock.guid); +- } ++ if (debug_event) ++ pr_info("DEBUG Event GUID: %pUL\n", wblock->gblock.guid); + + acpi_bus_generate_netlink_event( + wblock->acpi_device->pnp.device_class, +-- +2.39.2 + diff --git a/tmp-5.4/platform-x86-wmi-move-variables.patch b/tmp-5.4/platform-x86-wmi-move-variables.patch new file mode 100644 index 00000000000..c1b574dcd64 --- /dev/null +++ b/tmp-5.4/platform-x86-wmi-move-variables.patch 
@@ -0,0 +1,80 @@ +From 8fd2c43c42e8b4baaba5d9cdcd83836460096406 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:56:10 +0000 +Subject: platform/x86: wmi: move variables +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit f5431bf1e6781e876bdc8ae10fb1e7da6f1aa9b5 ] + +Move some variables in order to keep them +in the narrowest possible scope. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-22-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 41a680b39f9d1..8d1a7923c03b6 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -133,7 +133,6 @@ static const void *find_guid_context(struct wmi_block *wblock, + struct wmi_driver *wdriver) + { + const struct wmi_device_id *id; +- guid_t guid_input; + + if (wblock == NULL || wdriver == NULL) + return NULL; +@@ -142,6 +141,8 @@ static const void *find_guid_context(struct wmi_block *wblock, + + id = wdriver->id_table; + while (*id->guid_string) { ++ guid_t guid_input; ++ + if (guid_parse(id->guid_string, &guid_input)) + continue; + if (guid_equal(&wblock->gblock.guid, &guid_input)) +@@ -612,7 +613,6 @@ acpi_status wmi_get_event_data(u32 event, struct acpi_buffer *out) + { + struct acpi_object_list input; + union acpi_object params[1]; +- struct guid_block *gblock; + struct wmi_block *wblock; + + input.count = 1; +@@ -621,7 +621,7 @@ acpi_status wmi_get_event_data(u32 event, struct acpi_buffer *out) + params[0].integer.value = event; + + list_for_each_entry(wblock, &wmi_block_list, list) { +- gblock = &wblock->gblock; ++ struct 
guid_block *gblock = &wblock->gblock; + + if ((gblock->flags & ACPI_WMI_EVENT) && + (gblock->notify_id == event)) +@@ -1278,12 +1278,11 @@ acpi_wmi_ec_space_handler(u32 function, acpi_physical_address address, + static void acpi_wmi_notify_handler(acpi_handle handle, u32 event, + void *context) + { +- struct guid_block *block; + struct wmi_block *wblock; + bool found_it = false; + + list_for_each_entry(wblock, &wmi_block_list, list) { +- block = &wblock->gblock; ++ struct guid_block *block = &wblock->gblock; + + if (wblock->acpi_device->handle == handle && + (block->flags & ACPI_WMI_EVENT) && +-- +2.39.2 + diff --git a/tmp-5.4/platform-x86-wmi-remove-unnecessary-argument.patch b/tmp-5.4/platform-x86-wmi-remove-unnecessary-argument.patch new file mode 100644 index 00000000000..368421c969e --- /dev/null +++ b/tmp-5.4/platform-x86-wmi-remove-unnecessary-argument.patch 
@@ -0,0 +1,75 @@ +From ff057dce1ee797ad683ec89dfb6397527cbd1c70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:55:16 +0000 +Subject: platform/x86: wmi: remove unnecessary argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit 84eacf7e6413d5e2d2f4f9dddf9216c18a3631cf ] + +The GUID block is available for `wmi_create_device()` +through `wblock->gblock`. Use that consistently in +the function instead of using a mix of `gblock` and +`wblock->gblock`. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-8-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 1aa29d594b7ab..7de866ca30e51 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -1039,7 +1039,6 @@ static const struct device_type wmi_type_data = { + }; + + static int wmi_create_device(struct device *wmi_bus_dev, +- const struct guid_block *gblock, + struct wmi_block *wblock, + struct acpi_device *device) + { +@@ -1047,12 +1046,12 @@ static int wmi_create_device(struct device *wmi_bus_dev, + char method[5]; + int result; + +- if (gblock->flags & ACPI_WMI_EVENT) { ++ if (wblock->gblock.flags & ACPI_WMI_EVENT) { + wblock->dev.dev.type = &wmi_type_event; + goto out_init; + } + +- if (gblock->flags & ACPI_WMI_METHOD) { ++ if (wblock->gblock.flags & ACPI_WMI_METHOD) { + wblock->dev.dev.type = &wmi_type_method; + mutex_init(&wblock->char_mutex); + goto out_init; +@@ -1102,7 +1101,7 @@ static int wmi_create_device(struct device *wmi_bus_dev, + wblock->dev.dev.bus = &wmi_bus_type; + wblock->dev.dev.parent = wmi_bus_dev; + +- 
dev_set_name(&wblock->dev.dev, "%pUL", gblock->guid); ++ dev_set_name(&wblock->dev.dev, "%pUL", wblock->gblock.guid); + + device_initialize(&wblock->dev.dev); + +@@ -1194,7 +1193,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + wblock->acpi_device = device; + wblock->gblock = gblock[i]; + +- retval = wmi_create_device(wmi_bus_dev, &gblock[i], wblock, device); ++ retval = wmi_create_device(wmi_bus_dev, wblock, device); + if (retval) { + kfree(wblock); + continue; +-- +2.39.2 + diff --git a/tmp-5.4/platform-x86-wmi-replace-uuid-redefinitions-by-their.patch b/tmp-5.4/platform-x86-wmi-replace-uuid-redefinitions-by-their.patch new file mode 100644 index 00000000000..88ab04faa04 --- /dev/null +++ b/tmp-5.4/platform-x86-wmi-replace-uuid-redefinitions-by-their.patch 
@@ -0,0 +1,100 @@ +From c9a6ff7affc212a596d7671d1c265748941228d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Apr 2017 16:36:06 +0300 +Subject: platform/x86: wmi: Replace UUID redefinitions by their originals + +From: Andy Shevchenko + +[ Upstream commit f9dffc1417130a2d465e2edaf6663d99738792a3 ] + +There are types and helpers that are redefined with old names. +Convert the WMI library to use those types and helpers directly. + +Signed-off-by: Andy Shevchenko +Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index cb029126a68c6..62b146af35679 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -110,11 +110,11 @@ static struct platform_driver acpi_wmi_driver = { + + static bool find_guid(const char *guid_string, struct wmi_block **out) + { +- uuid_le guid_input; ++ guid_t guid_input; + struct wmi_block *wblock; + struct guid_block *block; + +- if (uuid_le_to_bin(guid_string, &guid_input)) ++ if (guid_parse(guid_string, &guid_input)) + return false; + + list_for_each_entry(wblock, &wmi_block_list, list) { +@@ -133,7 +133,7 @@ static const void *find_guid_context(struct wmi_block *wblock, + struct wmi_driver *wdriver) + { + const struct wmi_device_id *id; +- uuid_le guid_input; ++ guid_t guid_input; + + if (wblock == NULL || wdriver == NULL) + return NULL; +@@ -142,7 +142,7 @@ static const void *find_guid_context(struct wmi_block *wblock, + + id = wdriver->id_table; + while (*id->guid_string) { +- if (uuid_le_to_bin(id->guid_string, &guid_input)) ++ if (guid_parse(id->guid_string, &guid_input)) + continue; + if (!memcmp(wblock->gblock.guid, &guid_input, 16)) + return id->context; +@@ -526,12 +526,12 @@ wmi_notify_handler handler, void *data) + { + struct wmi_block 
*block; + acpi_status status = AE_NOT_EXIST; +- uuid_le guid_input; ++ guid_t guid_input; + + if (!guid || !handler) + return AE_BAD_PARAMETER; + +- if (uuid_le_to_bin(guid, &guid_input)) ++ if (guid_parse(guid, &guid_input)) + return AE_BAD_PARAMETER; + + list_for_each_entry(block, &wmi_block_list, list) { +@@ -565,12 +565,12 @@ acpi_status wmi_remove_notify_handler(const char *guid) + { + struct wmi_block *block; + acpi_status status = AE_NOT_EXIST; +- uuid_le guid_input; ++ guid_t guid_input; + + if (!guid) + return AE_BAD_PARAMETER; + +- if (uuid_le_to_bin(guid, &guid_input)) ++ if (guid_parse(guid, &guid_input)) + return AE_BAD_PARAMETER; + + list_for_each_entry(block, &wmi_block_list, list) { +@@ -801,9 +801,9 @@ static int wmi_dev_match(struct device *dev, struct device_driver *driver) + return 0; + + while (*id->guid_string) { +- uuid_le driver_guid; ++ guid_t driver_guid; + +- if (WARN_ON(uuid_le_to_bin(id->guid_string, &driver_guid))) ++ if (WARN_ON(guid_parse(id->guid_string, &driver_guid))) + continue; + if (!memcmp(&driver_guid, wblock->gblock.guid, 16)) + return 1; +-- +2.39.2 + diff --git a/tmp-5.4/platform-x86-wmi-use-guid_t-and-guid_equal.patch b/tmp-5.4/platform-x86-wmi-use-guid_t-and-guid_equal.patch new file mode 100644 index 00000000000..907dbc5f3cf --- /dev/null +++ b/tmp-5.4/platform-x86-wmi-use-guid_t-and-guid_equal.patch 
@@ -0,0 +1,177 @@ +From 709e8d534f129b213be59fd0bee783bd48565bb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:55:39 +0000 +Subject: platform/x86: wmi: use guid_t and guid_equal() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit 67f472fdacf4a691b1c3c20c27800b23ce31e2de ] + +Instead of hard-coding a 16 long byte array, +use the available `guid_t` type and related methods. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-15-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Stable-dep-of: 028e6e204ace ("platform/x86: wmi: Break possible infinite loop when parsing GUID") +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 7de866ca30e51..41a680b39f9d1 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -39,7 +39,7 @@ MODULE_LICENSE("GPL"); + static LIST_HEAD(wmi_block_list); + + struct guid_block { +- char guid[16]; ++ guid_t guid; + union { + char object_id[2]; + struct { +@@ -120,7 +120,7 @@ static bool find_guid(const char *guid_string, struct wmi_block **out) + list_for_each_entry(wblock, &wmi_block_list, list) { + block = &wblock->gblock; + +- if (memcmp(block->guid, &guid_input, 16) == 0) { ++ if (guid_equal(&block->guid, &guid_input)) { + if (out) + *out = wblock; + return true; +@@ -144,7 +144,7 @@ static const void *find_guid_context(struct wmi_block *wblock, + while (*id->guid_string) { + if (guid_parse(id->guid_string, &guid_input)) + continue; +- if (!memcmp(wblock->gblock.guid, &guid_input, 16)) ++ if (guid_equal(&wblock->gblock.guid, &guid_input)) + return id->context; + id++; + } +@@ -456,7 +456,7 @@ EXPORT_SYMBOL_GPL(wmi_set_block); + + static void wmi_dump_wdg(const 
struct guid_block *g) + { +- pr_info("%pUL:\n", g->guid); ++ pr_info("%pUL:\n", &g->guid); + if (g->flags & ACPI_WMI_EVENT) + pr_info("\tnotify_id: 0x%02X\n", g->notify_id); + else +@@ -537,7 +537,7 @@ wmi_notify_handler handler, void *data) + list_for_each_entry(block, &wmi_block_list, list) { + acpi_status wmi_status; + +- if (memcmp(block->gblock.guid, &guid_input, 16) == 0) { ++ if (guid_equal(&block->gblock.guid, &guid_input)) { + if (block->handler && + block->handler != wmi_notify_debug) + return AE_ALREADY_ACQUIRED; +@@ -576,7 +576,7 @@ acpi_status wmi_remove_notify_handler(const char *guid) + list_for_each_entry(block, &wmi_block_list, list) { + acpi_status wmi_status; + +- if (memcmp(block->gblock.guid, &guid_input, 16) == 0) { ++ if (guid_equal(&block->gblock.guid, &guid_input)) { + if (!block->handler || + block->handler == wmi_notify_debug) + return AE_NULL_ENTRY; +@@ -682,7 +682,7 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr, + { + struct wmi_block *wblock = dev_to_wblock(dev); + +- return sprintf(buf, "wmi:%pUL\n", wblock->gblock.guid); ++ return sprintf(buf, "wmi:%pUL\n", &wblock->gblock.guid); + } + static DEVICE_ATTR_RO(modalias); + +@@ -691,7 +691,7 @@ static ssize_t guid_show(struct device *dev, struct device_attribute *attr, + { + struct wmi_block *wblock = dev_to_wblock(dev); + +- return sprintf(buf, "%pUL\n", wblock->gblock.guid); ++ return sprintf(buf, "%pUL\n", &wblock->gblock.guid); + } + static DEVICE_ATTR_RO(guid); + +@@ -774,10 +774,10 @@ static int wmi_dev_uevent(struct device *dev, struct kobj_uevent_env *env) + { + struct wmi_block *wblock = dev_to_wblock(dev); + +- if (add_uevent_var(env, "MODALIAS=wmi:%pUL", wblock->gblock.guid)) ++ if (add_uevent_var(env, "MODALIAS=wmi:%pUL", &wblock->gblock.guid)) + return -ENOMEM; + +- if (add_uevent_var(env, "WMI_GUID=%pUL", wblock->gblock.guid)) ++ if (add_uevent_var(env, "WMI_GUID=%pUL", &wblock->gblock.guid)) + return -ENOMEM; + + return 0; +@@ -805,7 
+805,7 @@ static int wmi_dev_match(struct device *dev, struct device_driver *driver) + + if (WARN_ON(guid_parse(id->guid_string, &driver_guid))) + continue; +- if (!memcmp(&driver_guid, wblock->gblock.guid, 16)) ++ if (guid_equal(&driver_guid, &wblock->gblock.guid)) + return 1; + + id++; +@@ -1101,7 +1101,7 @@ static int wmi_create_device(struct device *wmi_bus_dev, + wblock->dev.dev.bus = &wmi_bus_type; + wblock->dev.dev.parent = wmi_bus_dev; + +- dev_set_name(&wblock->dev.dev, "%pUL", wblock->gblock.guid); ++ dev_set_name(&wblock->dev.dev, "%pUL", &wblock->gblock.guid); + + device_initialize(&wblock->dev.dev); + +@@ -1121,12 +1121,12 @@ static void wmi_free_devices(struct acpi_device *device) + } + } + +-static bool guid_already_parsed(struct acpi_device *device, const u8 *guid) ++static bool guid_already_parsed(struct acpi_device *device, const guid_t *guid) + { + struct wmi_block *wblock; + + list_for_each_entry(wblock, &wmi_block_list, list) { +- if (memcmp(wblock->gblock.guid, guid, 16) == 0) { ++ if (guid_equal(&wblock->gblock.guid, guid)) { + /* + * Because we historically didn't track the relationship + * between GUIDs and ACPI nodes, we don't know whether +@@ -1181,7 +1181,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + * case yet, so for now, we'll just ignore the duplicate + * for device creation. 
+ */ +- if (guid_already_parsed(device, gblock[i].guid)) ++ if (guid_already_parsed(device, &gblock[i].guid)) + continue; + + wblock = kzalloc(sizeof(struct wmi_block), GFP_KERNEL); +@@ -1218,7 +1218,7 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + retval = device_add(&wblock->dev.dev); + if (retval) { + dev_err(wmi_bus_dev, "failed to register %pUL\n", +- wblock->gblock.guid); ++ &wblock->gblock.guid); + if (debug_event) + wmi_method_enable(wblock, 0); + list_del(&wblock->list); +@@ -1332,7 +1332,7 @@ static void acpi_wmi_notify_handler(acpi_handle handle, u32 event, + } + + if (debug_event) +- pr_info("DEBUG Event GUID: %pUL\n", wblock->gblock.guid); ++ pr_info("DEBUG Event GUID: %pUL\n", &wblock->gblock.guid); + + acpi_bus_generate_netlink_event( + wblock->acpi_device->pnp.device_class, +-- +2.39.2 + diff --git a/tmp-5.4/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch b/tmp-5.4/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch new file mode 100644 index 00000000000..e37e7ff7de1 --- /dev/null +++ b/tmp-5.4/pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch 
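Review bot: `struct guid_block` changes its first member from `char guid[16]` to `guid_t guid`, and nothing in the hunk pins the 16-byte size that the replaced `memcmp(..., 16)` calls relied on. `parse_wdg()` indexes an array of these structs (`gblock[i]`), which presumably overlays data supplied by firmware (the buffer's origin is outside the hunk), so a layout change would misparse every entry without any warning. A compile-time check would make the assumption explicit, e.g. `BUILD_BUG_ON(sizeof(guid_t) != 16);` in `parse_wdg()`, with a comment on the struct saying its layout must match the firmware entry format.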
@@ -0,0 +1,48 @@
+From dbaf9f92815b85a8f4615e155ec975e17a19d3db Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Apr 2023 06:07:43 -0700
+Subject: PM: domains: fix integer overflow issues in genpd_parse_state()
+
+From: Nikita Zhandarovich
+
+[ Upstream commit e5d1c8722083f0332dcd3c85fa1273d85fb6bed8 ]
+
+Currently, while calculating residency and latency values, right
+operands may overflow if resulting values are big enough.
+
+To prevent this, albeit unlikely case, play it safe and convert
+right operands to left ones' type s64.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 30f604283e05 ("PM / Domains: Allow domain power states to be read from DT")
+Signed-off-by: Nikita Zhandarovich
+Acked-by: Ulf Hansson
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/base/power/domain.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
+index edb791354421b..5be76197bc361 100644
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -2596,10 +2596,10 @@ static int genpd_parse_state(struct genpd_power_state *genpd_state,
+
+ err = of_property_read_u32(state_node, "min-residency-us", &residency);
+ if (!err)
+- genpd_state->residency_ns = 1000 * residency;
++ genpd_state->residency_ns = 1000LL * residency;
+
+- genpd_state->power_on_latency_ns = 1000 * exit_latency;
+- genpd_state->power_off_latency_ns = 1000 * entry_latency;
++ genpd_state->power_on_latency_ns = 1000LL * exit_latency;
++ genpd_state->power_off_latency_ns = 1000LL * entry_latency;
+ genpd_state->fwnode = &state_node->fwnode;
+
+ return 0;
+--
+2.39.2
+
diff --git a/tmp-5.4/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch b/tmp-5.4/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch
new file mode 100644
index 00000000000..f96f0e79c9d
--- /dev/null
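Review bot: The bare `1000LL` in `genpd_parse_state()` now does two jobs at the three assignments, unit conversion and widening to 64 bits, and neither is documented. The declarations of `residency`, `entry_latency` and `exit_latency` are outside the hunk (presumably `u32`, given the `of_property_read_u32()` call), so a reader cannot tell from here why the suffix matters. I would add a comment such as `/* widen to s64 before scaling: a 32-bit microsecond count times 1000 can overflow */`, or spell the conversion out as `(s64)residency * NSEC_PER_USEC`.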
+++ b/tmp-5.4/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch 
@@ -0,0 +1,115 @@ +From 4a8a548125e5818c03f7f74d4ff93ea8cb7dd43c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 20:58:47 +0200 +Subject: posix-timers: Ensure timer ID search-loop limit is valid + +From: Thomas Gleixner + +[ Upstream commit 8ce8849dd1e78dadcee0ec9acbd259d239b7069f ] + +posix_timer_add() tries to allocate a posix timer ID by starting from the +cached ID which was stored by the last successful allocation. + +This is done in a loop searching the ID space for a free slot one by +one. The loop has to terminate when the search wrapped around to the +starting point. + +But that's racy vs. establishing the starting point. That is read out +lockless, which leads to the following problem: + +CPU0 CPU1 +posix_timer_add() + start = sig->posix_timer_id; + lock(hash_lock); + ... posix_timer_add() + if (++sig->posix_timer_id < 0) + start = sig->posix_timer_id; + sig->posix_timer_id = 0; + +So CPU1 can observe a negative start value, i.e. -1, and the loop break +never happens because the condition can never be true: + + if (sig->posix_timer_id == start) + break; + +While this is unlikely to ever turn into an endless loop as the ID space is +huge (INT_MAX), the racy read of the start value caught the attention of +KCSAN and Dmitry unearthed that incorrectness. + +Rewrite it so that all id operations are under the hash lock. 
+ +Reported-by: syzbot+5c54bd3eb218bb595aa9@syzkaller.appspotmail.com +Reported-by: Dmitry Vyukov +Signed-off-by: Thomas Gleixner +Reviewed-by: Frederic Weisbecker +Link: https://lore.kernel.org/r/87bkhzdn6g.ffs@tglx +Signed-off-by: Sasha Levin +--- + include/linux/sched/signal.h | 2 +- + kernel/time/posix-timers.c | 31 ++++++++++++++++++------------- + 2 files changed, 19 insertions(+), 14 deletions(-) + +diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h +index b3f88470cbb58..2f355c3c0d15f 100644 +--- a/include/linux/sched/signal.h ++++ b/include/linux/sched/signal.h +@@ -123,7 +123,7 @@ struct signal_struct { + #ifdef CONFIG_POSIX_TIMERS + + /* POSIX.1b Interval Timers */ +- int posix_timer_id; ++ unsigned int next_posix_timer_id; + struct list_head posix_timers; + + /* ITIMER_REAL timer for the process */ +diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c +index efe3873021a37..f3b8313475acd 100644 +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -138,25 +138,30 @@ static struct k_itimer *posix_timer_by_id(timer_t id) + static int posix_timer_add(struct k_itimer *timer) + { + struct signal_struct *sig = current->signal; +- int first_free_id = sig->posix_timer_id; + struct hlist_head *head; +- int ret = -ENOENT; ++ unsigned int cnt, id; + +- do { ++ /* ++ * FIXME: Replace this by a per signal struct xarray once there is ++ * a plan to handle the resulting CRIU regression gracefully. ++ */ ++ for (cnt = 0; cnt <= INT_MAX; cnt++) { + spin_lock(&hash_lock); +- head = &posix_timers_hashtable[hash(sig, sig->posix_timer_id)]; +- if (!__posix_timers_find(head, sig, sig->posix_timer_id)) { ++ id = sig->next_posix_timer_id; ++ ++ /* Write the next ID back. 
Clamp it to the positive space */ ++ sig->next_posix_timer_id = (id + 1) & INT_MAX; ++ ++ head = &posix_timers_hashtable[hash(sig, id)]; ++ if (!__posix_timers_find(head, sig, id)) { + hlist_add_head_rcu(&timer->t_hash, head); +- ret = sig->posix_timer_id; ++ spin_unlock(&hash_lock); ++ return id; + } +- if (++sig->posix_timer_id < 0) +- sig->posix_timer_id = 0; +- if ((sig->posix_timer_id == first_free_id) && (ret == -ENOENT)) +- /* Loop over all possible ids completed */ +- ret = -EAGAIN; + spin_unlock(&hash_lock); +- } while (ret == -ENOENT); +- return ret; ++ } ++ /* POSIX return code when no timer ID could be allocated */ ++ return -EAGAIN; + } + + static inline void unlock_timer(struct k_itimer *timr, unsigned long flags) +-- +2.39.2 + diff --git a/tmp-5.4/powercap-rapl-fix-config_iosf_mbi-dependency.patch b/tmp-5.4/powercap-rapl-fix-config_iosf_mbi-dependency.patch new file mode 100644 index 00000000000..81912f09243 --- /dev/null +++ b/tmp-5.4/powercap-rapl-fix-config_iosf_mbi-dependency.patch 
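Review bot: `posix_timer_add()` now returns the `unsigned int id` through an `int` return type, and the only thing keeping a valid ID from being read as a negative errno is the `& INT_MAX` clamp applied when the next ID is written back. That invariant deserves a comment at `return id;`, for example `/* id <= INT_MAX by construction, so it never aliases a negative errno */`, so that a later change to the wrap logic does not break callers that test for `< 0`. It also relies on `next_posix_timer_id` starting inside that range; the initialisation of the renamed field is not part of this hunk and should be confirmed.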
@@ -0,0 +1,73 @@ +From 41525058e2272364af898c8cf1c11dc7ca4a4d98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jun 2023 22:00:00 +0800 +Subject: powercap: RAPL: Fix CONFIG_IOSF_MBI dependency + +From: Zhang Rui + +[ Upstream commit 4658fe81b3f8afe8adf37734ec5fe595d90415c6 ] + +After commit 3382388d7148 ("intel_rapl: abstract RAPL common code"), +accessing to IOSF_MBI interface is done in the RAPL common code. + +Thus it is the CONFIG_INTEL_RAPL_CORE that has dependency of +CONFIG_IOSF_MBI, while CONFIG_INTEL_RAPL_MSR does not. + +This problem was not exposed previously because all the previous RAPL +common code users, aka, the RAPL MSR and MMIO I/F drivers, have +CONFIG_IOSF_MBI selected. + +Fix the CONFIG_IOSF_MBI dependency in RAPL code. This also fixes a build +time failure when the RAPL TPMI I/F driver is introduced without +selecting CONFIG_IOSF_MBI. + +x86_64-linux-ld: vmlinux.o: in function `set_floor_freq_atom': +intel_rapl_common.c:(.text+0x2dac9b8): undefined reference to `iosf_mbi_write' +x86_64-linux-ld: intel_rapl_common.c:(.text+0x2daca66): undefined reference to `iosf_mbi_read' + +Reference to iosf_mbi.h is also removed from the RAPL MSR I/F driver. + +Fixes: 3382388d7148 ("intel_rapl: abstract RAPL common code") +Reported-by: Arnd Bergmann +Link: https://lore.kernel.org/all/20230601213246.3271412-1-arnd@kernel.org +Signed-off-by: Zhang Rui +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/powercap/Kconfig | 4 +++- + drivers/powercap/intel_rapl_msr.c | 1 - + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/powercap/Kconfig b/drivers/powercap/Kconfig +index dc1c1381d7fa9..61fd5dfaf7a0f 100644 +--- a/drivers/powercap/Kconfig ++++ b/drivers/powercap/Kconfig +@@ -18,10 +18,12 @@ if POWERCAP + # Client driver configurations go here. 
+ config INTEL_RAPL_CORE + tristate ++ depends on PCI ++ select IOSF_MBI + + config INTEL_RAPL + tristate "Intel RAPL Support via MSR Interface" +- depends on X86 && IOSF_MBI ++ depends on X86 && PCI + select INTEL_RAPL_CORE + ---help--- + This enables support for the Intel Running Average Power Limit (RAPL) +diff --git a/drivers/powercap/intel_rapl_msr.c b/drivers/powercap/intel_rapl_msr.c +index d5487965bdfe9..6091e462626a4 100644 +--- a/drivers/powercap/intel_rapl_msr.c ++++ b/drivers/powercap/intel_rapl_msr.c +@@ -22,7 +22,6 @@ + #include + #include + +-#include + #include + #include + +-- +2.39.2 + diff --git a/tmp-5.4/powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch b/tmp-5.4/powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch new file mode 100644 index 00000000000..c8f5ac728af --- /dev/null +++ b/tmp-5.4/powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch 
@@ -0,0 +1,46 @@
+From 6a3c1b16314d82eaae596f572e79085f899c7632 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Jun 2023 22:47:12 -0700
+Subject: powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap
+
+[ Upstream commit 39f49684036d24af800ff194c33c7b2653c591d7 ]
+
+In a randconfig with CONFIG_SERIAL_CPM=m and
+CONFIG_PPC_EARLY_DEBUG_CPM=y, there is a build error:
+ERROR: modpost: "udbg_putc" [drivers/tty/serial/cpm_uart/cpm_uart.ko] undefined!
+
+Prevent the build error by allowing PPC_EARLY_DEBUG_CPM only when
+SERIAL_CPM=y.
+
+Fixes: c374e00e17f1 ("[POWERPC] Add early debug console for CPM serial ports.")
+Signed-off-by: Randy Dunlap
+Reviewed-by: Pali Rohár
+Reviewed-by: Christophe Leroy
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20230701054714.30512-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/Kconfig.debug | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug
+index 2ca9114fcf002..0c8436b06c494 100644
+--- a/arch/powerpc/Kconfig.debug
++++ b/arch/powerpc/Kconfig.debug
+@@ -234,7 +234,7 @@ config PPC_EARLY_DEBUG_40x
+
+ config PPC_EARLY_DEBUG_CPM
+ bool "Early serial debugging for Freescale CPM-based serial ports"
+- depends on SERIAL_CPM
++ depends on SERIAL_CPM=y
+ help
+ Select this to enable early debugging for Freescale chips
+ using a CPM-based serial port. This assumes that the bootwrapper
+--
+2.39.2
+
diff --git a/tmp-5.4/powerpc-fail-build-if-using-recordmcount-with-binutils-v2.37.patch b/tmp-5.4/powerpc-fail-build-if-using-recordmcount-with-binutils-v2.37.patch
new file mode 100644
index 00000000000..8451a134647
--- /dev/null
+++ b/tmp-5.4/powerpc-fail-build-if-using-recordmcount-with-binutils-v2.37.patch
@@ -0,0 +1,49 @@
+From 25ea739ea1d4d3de41acc4f4eb2d1a97eee0eb75 Mon Sep 17 00:00:00 2001
+From: Naveen N Rao
+Date: Tue, 30 May 2023 11:44:36 +0530
+Subject: powerpc: Fail build if using recordmcount with binutils v2.37
+
+From: Naveen N Rao
+
+commit 25ea739ea1d4d3de41acc4f4eb2d1a97eee0eb75 upstream.
+
+binutils v2.37 drops unused section symbols, which prevents recordmcount
+from capturing mcount locations in sections that have no non-weak
+symbols. This results in a build failure with a message such as:
+ Cannot find symbol for section 12: .text.perf_callchain_kernel.
+ kernel/events/callchain.o: failed
+
+The change to binutils was reverted for v2.38, so this behavior is
+specific to binutils v2.37:
+https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c09c8b42021180eee9495bd50d8b35e683d3901b
+
+Objtool is able to cope with such sections, so this issue is specific to
+recordmcount.
+
+Fail the build and print a warning if binutils v2.37 is detected and if
+we are using recordmcount.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Joel Stanley
+Signed-off-by: Naveen N Rao
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20230530061436.56925-1-naveen@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/Makefile | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/powerpc/Makefile
++++ b/arch/powerpc/Makefile
+@@ -425,3 +425,11 @@ checkbin:
+ echo -n '*** Please use a different binutils version.' ; \
+ false ; \
+ fi
++ @if test "x${CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT}" = "xy" -a \
++ "x${CONFIG_LD_IS_BFD}" = "xy" -a \
++ "${CONFIG_LD_VERSION}" = "23700" ; then \
++ echo -n '*** binutils 2.37 drops unused section symbols, which recordmcount ' ; \
++ echo 'is unable to handle.' ; \
++ echo '*** Please use a different binutils version.' ; \
++ false ; \
++ fi
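Review bot: The new `checkbin` test compares `CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT`, `CONFIG_LD_IS_BFD` and `CONFIG_LD_VERSION`, and if any of these is not defined in the tree this patch is queued for (it sits under `tmp-5.4/`), the `test` is always false and the guard never fires, without any message. The Kconfig side is not visible here, so the three symbols need to be confirmed against that tree before relying on the check. If one is missing, the condition has to be rewritten with whatever linker-version facility that tree provides. A comment above the `@if` should also name the binutils release it targets and why.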
diff --git a/tmp-5.4/powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch b/tmp-5.4/powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch
new file mode 100644
index 00000000000..a0222fa0be8
--- /dev/null
+++ b/tmp-5.4/powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch
@@ -0,0 +1,40 @@
+From 90ee0d92192c1f49b6949c2bb419a14f084acc69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 16 Jun 2023 16:38:15 +0530
+Subject: powerpc/mm/dax: Fix the condition when checking if altmap vmemap can
+ cross-boundary
+
+From: Aneesh Kumar K.V
+
+[ Upstream commit c8eebc4a99f15280654f23e914e746c40a516e50 ]
+
+Without this fix, the last subsection vmemmap can end up in memory even if
+the namespace is created with -M mem and has sufficient space in the altmap
+area.
+
+Fixes: cf387d9644d8 ("libnvdimm/altmap: Track namespace boundaries in altmap")
+Signed-off-by: Aneesh Kumar K.V
+Tested-by: Sachin Sant >
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20230616110826.344417-6-aneesh.kumar@linux.ibm.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/mm/init_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/mm/init_64.c b/arch/powerpc/mm/init_64.c
+index 210f1c28b8e41..e4fb5ab41e2d3 100644
+--- a/arch/powerpc/mm/init_64.c
++++ b/arch/powerpc/mm/init_64.c
+@@ -178,7 +178,7 @@ static bool altmap_cross_boundary(struct vmem_altmap *altmap, unsigned long star
+ unsigned long nr_pfn = page_size / sizeof(struct page);
+ unsigned long start_pfn = page_to_pfn((struct page *)start);
+
+- if ((start_pfn + nr_pfn) > altmap->end_pfn)
++ if ((start_pfn + nr_pfn - 1) > altmap->end_pfn)
+ return true;
+
+ if (start_pfn < altmap->base_pfn)
+--
+2.39.2
+
diff --git a/tmp-5.4/pstore-ram-add-check-for-kstrdup.patch b/tmp-5.4/pstore-ram-add-check-for-kstrdup.patch
new file mode 100644
index 00000000000..82b2da7c06d
--- /dev/null
+++ b/tmp-5.4/pstore-ram-add-check-for-kstrdup.patch
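Review bot: The corrected comparison in `altmap_cross_boundary()`, `(start_pfn + nr_pfn - 1) > altmap->end_pfn`, is only right if `end_pfn` is the last usable pfn (inclusive), and neither the hunk nor the commit message says so. A one-line comment would stop a later reader from changing it back: `/* end_pfn is inclusive; compare against the last pfn of this block */`. The definition of `end_pfn` is outside the hunk, so the inclusive reading is inferred from the fix itself and should be confirmed against the struct's documentation.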
@@ -0,0 +1,37 @@
+From d8abc2ef0d780ff00ba6d1003735e7a8c95dc465 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jun 2023 17:37:33 +0800
+Subject: pstore/ram: Add check for kstrdup
+
+From: Jiasheng Jiang
+
+[ Upstream commit d97038d5ec2062733c1e016caf9baaf68cf64ea1 ]
+
+Add check for the return value of kstrdup() and return the error
+if it fails in order to avoid NULL pointer dereference.
+
+Fixes: e163fdb3f7f8 ("pstore/ram: Regularize prz label allocation lifetime")
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: Kees Cook
+Link: https://lore.kernel.org/r/20230614093733.36048-1-jiasheng@iscas.ac.cn
+Signed-off-by: Sasha Levin
+---
+ fs/pstore/ram_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
+index 286340f312dcb..73aed51447b9a 100644
+--- a/fs/pstore/ram_core.c
++++ b/fs/pstore/ram_core.c
+@@ -579,6 +579,8 @@ struct persistent_ram_zone *persistent_ram_new(phys_addr_t start, size_t size,
+ raw_spin_lock_init(&prz->buffer_lock);
+ prz->flags = flags;
+ prz->label = kstrdup(label, GFP_KERNEL);
++ if (!prz->label)
++ goto err;
+
+ ret = persistent_ram_buffer_map(start, size, prz, memtype);
+ if (ret)
+--
+2.39.2
+
diff --git a/tmp-5.4/pwm-imx-tpm-force-real_period-to-be-zero-in-suspend.patch b/tmp-5.4/pwm-imx-tpm-force-real_period-to-be-zero-in-suspend.patch
new file mode 100644
index 00000000000..fd047457b8a
--- /dev/null
+++ b/tmp-5.4/pwm-imx-tpm-force-real_period-to-be-zero-in-suspend.patch
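Review bot: `kstrdup()` returns NULL both on allocation failure and when its argument is NULL, so the added `if (!prz->label) goto err;` in `persistent_ram_new()` also rejects a NULL `label` that was accepted before this change. The callers are not visible in the hunk; if any of them may pass NULL, the guard should be `if (label && !prz->label)`, otherwise a comment stating that `label` must be non-NULL is enough. The `goto err` also depends on `ret` already holding an error code at this point, which the hunk does not show; assigning `ret = -ENOMEM;` before the jump would make the returned error explicit.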
@@ -0,0 +1,48 @@
+From a92b7ac7410e183bb2f6e41d0f3746d835de0c68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 May 2023 14:58:39 +0800
+Subject: pwm: imx-tpm: force 'real_period' to be zero in suspend
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fancy Fang
+
+[ Upstream commit 661dfb7f46298e53f6c3deaa772fa527aae86193 ]
+
+During suspend, all the tpm registers will lose values.
+So the 'real_period' value of struct 'imx_tpm_pwm_chip'
+should be forced to be zero to force the period update
+code can be executed after system resume back.
+
+Signed-off-by: Fancy Fang
+Signed-off-by: Clark Wang
+Acked-by: Uwe Kleine-König
+Fixes: 738a1cfec2ed ("pwm: Add i.MX TPM PWM driver support")
+Signed-off-by: Thierry Reding
+Signed-off-by: Sasha Levin
+---
+ drivers/pwm/pwm-imx-tpm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/pwm/pwm-imx-tpm.c b/drivers/pwm/pwm-imx-tpm.c
+index 9145f61606497..85aad55b7a8f0 100644
+--- a/drivers/pwm/pwm-imx-tpm.c
++++ b/drivers/pwm/pwm-imx-tpm.c
+@@ -405,6 +405,13 @@ static int __maybe_unused pwm_imx_tpm_suspend(struct device *dev)
+ if (tpm->enable_count > 0)
+ return -EBUSY;
+
++ /*
++ * Force 'real_period' to be zero to force period update code
++ * can be executed after system resume back, since suspend causes
++ * the period related registers to become their reset values.
++ */
++ tpm->real_period = 0;
++
+ clk_disable_unprepare(tpm->clk);
+
+ return 0;
+--
+2.39.2
+
diff --git a/tmp-5.4/pwm-sysfs-do-not-apply-state-to-already-disabled-pwm.patch b/tmp-5.4/pwm-sysfs-do-not-apply-state-to-already-disabled-pwm.patch
new file mode 100644
index 00000000000..b3b6472eb71
--- /dev/null
+++ b/tmp-5.4/pwm-sysfs-do-not-apply-state-to-already-disabled-pwm.patch
@@ -0,0 +1,90 @@ +From fa6912a8dd82c69bf7e1b9dda0dc7ce9cc0170fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 May 2023 18:47:36 +0200 +Subject: pwm: sysfs: Do not apply state to already disabled PWMs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Vasut + +[ Upstream commit 38ba83598633373f47951384cfc389181c8d1bed ] + +If the PWM is exported but not enabled, do not call pwm_class_apply_state(). +First of all, in this case, period may still be unconfigured and this would +make pwm_class_apply_state() return -EINVAL, and then suspend would fail. +Second, it makes little sense to apply state onto PWM that is not enabled +before suspend. + +Failing case: +" +$ echo 1 > /sys/class/pwm/pwmchip4/export +$ echo mem > /sys/power/state +... +pwm pwmchip4: PM: dpm_run_callback(): pwm_class_suspend+0x1/0xa8 returns -22 +pwm pwmchip4: PM: failed to suspend: error -22 +PM: Some devices failed to suspend, or early wake event detected +" + +Working case: +" +$ echo 1 > /sys/class/pwm/pwmchip4/export +$ echo 100 > /sys/class/pwm/pwmchip4/pwm1/period +$ echo 10 > /sys/class/pwm/pwmchip4/pwm1/duty_cycle +$ echo mem > /sys/power/state +... +" + +Do not call pwm_class_apply_state() in case the PWM is disabled +to fix this issue. 
+ +Fixes: 7fd4edc57bbae ("pwm: sysfs: Add suspend/resume support") +Signed-off-by: Marek Vasut +Fixes: ef2bf4997f7d ("pwm: Improve args checking in pwm_apply_state()") +Reviewed-by: Brian Norris +Reviewed-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/sysfs.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/pwm/sysfs.c b/drivers/pwm/sysfs.c +index 2389b86698468..986f3a29a13d5 100644 +--- a/drivers/pwm/sysfs.c ++++ b/drivers/pwm/sysfs.c +@@ -424,6 +424,13 @@ static int pwm_class_resume_npwm(struct device *parent, unsigned int npwm) + if (!export) + continue; + ++ /* If pwmchip was not enabled before suspend, do nothing. */ ++ if (!export->suspend.enabled) { ++ /* release lock taken in pwm_class_get_state */ ++ mutex_unlock(&export->lock); ++ continue; ++ } ++ + state.enabled = export->suspend.enabled; + ret = pwm_class_apply_state(export, pwm, &state); + if (ret < 0) +@@ -448,7 +455,17 @@ static int __maybe_unused pwm_class_suspend(struct device *parent) + if (!export) + continue; + ++ /* ++ * If pwmchip was not enabled before suspend, save ++ * state for resume time and do nothing else. ++ */ + export->suspend = state; ++ if (!state.enabled) { ++ /* release lock taken in pwm_class_get_state */ ++ mutex_unlock(&export->lock); ++ continue; ++ } ++ + state.enabled = false; + ret = pwm_class_apply_state(export, pwm, &state); + if (ret < 0) { +-- +2.39.2 + diff --git a/tmp-5.4/radeon-avoid-double-free-in-ci_dpm_init.patch b/tmp-5.4/radeon-avoid-double-free-in-ci_dpm_init.patch new file mode 100644 index 00000000000..b1e2cce03a3 --- /dev/null +++ b/tmp-5.4/radeon-avoid-double-free-in-ci_dpm_init.patch 
@@ -0,0 +1,110 @@ +From e2c127f46914a54e4105b6f582029ebd80336dac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 08:12:28 -0700 +Subject: radeon: avoid double free in ci_dpm_init() + +From: Nikita Zhandarovich + +[ Upstream commit 20c3dffdccbd494e0dd631d1660aeecbff6775f2 ] + +Several calls to ci_dpm_fini() will attempt to free resources that +either have been freed before or haven't been allocated yet. This +may lead to undefined or dangerous behaviour. + +For instance, if r600_parse_extended_power_table() fails, it might +call r600_free_extended_power_table() as will ci_dpm_fini() later +during error handling. + +Fix this by only freeing pointers to objects previously allocated. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: cc8dbbb4f62a ("drm/radeon: add dpm support for CI dGPUs (v2)") +Co-developed-by: Natalia Petrova +Signed-off-by: Nikita Zhandarovich +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/ci_dpm.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/ci_dpm.c b/drivers/gpu/drm/radeon/ci_dpm.c +index 1e62e7bbf1b1d..5403f4c902b64 100644 +--- a/drivers/gpu/drm/radeon/ci_dpm.c ++++ b/drivers/gpu/drm/radeon/ci_dpm.c +@@ -5556,6 +5556,7 @@ static int ci_parse_power_table(struct radeon_device *rdev) + u8 frev, crev; + u8 *power_state_offset; + struct ci_ps *ps; ++ int ret; + + if (!atom_parse_data_header(mode_info->atom_context, index, NULL, + &frev, &crev, &data_offset)) +@@ -5585,11 +5586,15 @@ static int ci_parse_power_table(struct radeon_device *rdev) + non_clock_array_index = power_state->v2.nonClockInfoIndex; + non_clock_info = (struct _ATOM_PPLIB_NONCLOCK_INFO *) + &non_clock_info_array->nonClockInfo[non_clock_array_index]; +- if (!rdev->pm.power_state[i].clock_info) +- return -EINVAL; ++ if (!rdev->pm.power_state[i].clock_info) { ++ ret = -EINVAL; ++ goto err_free_ps; 
++ } + ps = kzalloc(sizeof(struct ci_ps), GFP_KERNEL); +- if (ps == NULL) +- return -ENOMEM; ++ if (ps == NULL) { ++ ret = -ENOMEM; ++ goto err_free_ps; ++ } + rdev->pm.dpm.ps[i].ps_priv = ps; + ci_parse_pplib_non_clock_info(rdev, &rdev->pm.dpm.ps[i], + non_clock_info, +@@ -5629,6 +5634,12 @@ static int ci_parse_power_table(struct radeon_device *rdev) + } + + return 0; ++ ++err_free_ps: ++ for (i = 0; i < rdev->pm.dpm.num_ps; i++) ++ kfree(rdev->pm.dpm.ps[i].ps_priv); ++ kfree(rdev->pm.dpm.ps); ++ return ret; + } + + static int ci_get_vbios_boot_values(struct radeon_device *rdev, +@@ -5717,25 +5728,26 @@ int ci_dpm_init(struct radeon_device *rdev) + + ret = ci_get_vbios_boot_values(rdev, &pi->vbios_boot_state); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); + return ret; + } + + ret = r600_get_platform_caps(rdev); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); + return ret; + } + + ret = r600_parse_extended_power_table(rdev); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); + return ret; + } + + ret = ci_parse_power_table(rdev); + if (ret) { +- ci_dpm_fini(rdev); ++ kfree(rdev->pm.dpm.priv); ++ r600_free_extended_power_table(rdev); + return ret; + } + +-- +2.39.2 + diff --git a/tmp-5.4/rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch b/tmp-5.4/rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch new file mode 100644 index 00000000000..4ff6711918e --- /dev/null +++ b/tmp-5.4/rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch 
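Review bot: The new `err_free_ps` path in ci_parse_power_table() frees `rdev->pm.dpm.ps[i].ps_priv` and `rdev->pm.dpm.ps` but leaves the freed pointers in place, and ci_dpm_init() likewise returns after `kfree(rdev->pm.dpm.priv)` without clearing it. Since the patch exists to avoid a double free, I would add `rdev->pm.dpm.ps = NULL;` after `kfree(rdev->pm.dpm.ps)` and `rdev->pm.dpm.priv = NULL;` after each `kfree(rdev->pm.dpm.priv)`, so a later ci_dpm_fini() or other teardown cannot free or dereference them again. The cleanup loop is bounded by `rdev->pm.dpm.num_ps`, and the hunk does not show where that is assigned. If it is only set once the parse loop has finished, the loop frees nothing and the already allocated `ps_priv` entries leak, so bounding it by the parse loop's own entry count would be safer. Both functions extend outside the hunks shown.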
@@ -0,0 +1,44 @@ +From 88597efc4f3c7716484af6ddfcd97f57e714380e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 May 2023 23:48:15 -0700 +Subject: RDMA/bnxt_re: Fix to remove an unnecessary log + +From: Kalesh AP + +[ Upstream commit 43774bc156614346fe5dacabc8e8c229167f2536 ] + +During destroy_qp, driver sets the qp handle in the existing CQEs +belonging to the QP being destroyed to NULL. As a result, a poll_cq after +destroy_qp can report unnecessary messages. Remove this noise from system +logs. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Link: https://lore.kernel.org/r/1684478897-12247-6-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Kalesh AP +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +index 5fc5ab7813c0f..18b579c8a8c55 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -2606,11 +2606,8 @@ static int bnxt_qplib_cq_process_terminal(struct bnxt_qplib_cq *cq, + + qp = (struct bnxt_qplib_qp *)((unsigned long) + le64_to_cpu(hwcqe->qp_handle)); +- if (!qp) { +- dev_err(&cq->hwq.pdev->dev, +- "FP: CQ Process terminal qp is NULL\n"); ++ if (!qp) + return -EINVAL; +- } + + /* Must block new posting of SQ and RQ */ + qp->state = CMDQ_MODIFY_QP_NEW_STATE_ERR; +-- +2.39.2 + diff --git a/tmp-5.4/regulator-core-fix-more-error-checking-for-debugfs_c.patch b/tmp-5.4/regulator-core-fix-more-error-checking-for-debugfs_c.patch new file mode 100644 index 00000000000..f23c54aa57b --- /dev/null +++ b/tmp-5.4/regulator-core-fix-more-error-checking-for-debugfs_c.patch 
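Review bot: With the message removed, the bare `if (!qp) return -EINVAL;` in bnxt_qplib_cq_process_terminal() no longer tells the reader that a NULL handle is an expected condition rather than a driver fault. A one-line comment above the check, such as `/* qp_handle is NULLed in the CQEs of a destroyed QP; expected, so not logged */`, would keep the reasoning from the commit message next to the code. The function continues outside the hunk, so how callers treat the -EINVAL cannot be checked from here.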
@@ -0,0 +1,40 @@ +From 388374e93efa26da04d6ee279b68a8efcc466553 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 13:13:58 +0200 +Subject: regulator: core: Fix more error checking for debugfs_create_dir() + +From: Geert Uytterhoeven + +[ Upstream commit 2715bb11cfff964aa33946847f9527cfbd4874f5 ] + +In case of failure, debugfs_create_dir() does not return NULL, but an +error pointer. Most incorrect error checks were fixed, but the one in +create_regulator() was forgotten. + +Fix the remaining error check. + +Fixes: 2bf1c45be3b8f3a3 ("regulator: Fix error checking for debugfs_create_dir") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/ee980a108b5854dd8ce3630f8f673e784e057d17.1685013051.git.geert+renesas@glider.be +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index cc9aa95d69691..0ac9c763942f9 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1710,7 +1710,7 @@ static struct regulator *create_regulator(struct regulator_dev *rdev, + + if (err != -EEXIST) + regulator->debugfs = debugfs_create_dir(supply_name, rdev->debugfs); +- if (!regulator->debugfs) { ++ if (IS_ERR(regulator->debugfs)) { + rdev_dbg(rdev, "Failed to create debugfs directory\n"); + } else { + debugfs_create_u32("uA_load", 0444, regulator->debugfs, +-- +2.39.2 + diff --git a/tmp-5.4/regulator-core-streamline-debugfs-operations.patch b/tmp-5.4/regulator-core-streamline-debugfs-operations.patch new file mode 100644 index 00000000000..c08ea129cab --- /dev/null +++ b/tmp-5.4/regulator-core-streamline-debugfs-operations.patch 
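Review bot: Switching the test in create_regulator() to `IS_ERR(regulator->debugfs)` lets a NULL pointer through to the `else` branch. When `err == -EEXIST` the `debugfs_create_dir()` call is skipped, so `regulator->debugfs` keeps whatever value it had. If that is NULL (the allocation is outside the hunk), `debugfs_create_u32("uA_load", ...)` and the calls after it receive a NULL parent, which debugfs treats as its root directory. I would keep both cases out of that branch with `if (IS_ERR_OR_NULL(regulator->debugfs)) {`. The create_regulator() hunk in the next patch file, regulator-core-streamline-debugfs-operations.patch, drops the `else` and makes these calls unconditional, so the same concern applies there.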
@@ -0,0 +1,100 @@ +From 286608c89dc3e5d2200a1ef9e3bcaef22e6d3237 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 May 2023 13:13:59 +0200 +Subject: regulator: core: Streamline debugfs operations + +From: Geert Uytterhoeven + +[ Upstream commit 08880713ceec023dd94d634f1e8902728c385939 ] + +If CONFIG_DEBUG_FS is not set: + + regulator: Failed to create debugfs directory + ... + regulator-dummy: Failed to create debugfs directory + +As per the comments for debugfs_create_dir(), errors returned by this +function should be expected, and ignored: + + * If debugfs is not enabled in the kernel, the value -%ENODEV will be + * returned. + * + * NOTE: it's expected that most callers should _ignore_ the errors returned + * by this function. Other debugfs functions handle the fact that the "dentry" + * passed to them could be an error and they don't crash in that case. + * Drivers should generally work fine even if debugfs fails to init anyway. + +Adhere to the debugfs spirit, and streamline all operations by: + 1. Demoting the importance of the printed error messages to debug + level, like is already done in create_regulator(), + 2. Further ignoring any returned errors, as by design, all debugfs + functions are no-ops when passed an error pointer. 
+ +Fixes: 2bf1c45be3b8f3a3 ("regulator: Fix error checking for debugfs_create_dir") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/2f8bb6e113359ddfab7b59e4d4274bd4c06d6d0a.1685013051.git.geert+renesas@glider.be +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 0ac9c763942f9..fe4b666edd037 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1710,19 +1710,17 @@ static struct regulator *create_regulator(struct regulator_dev *rdev, + + if (err != -EEXIST) + regulator->debugfs = debugfs_create_dir(supply_name, rdev->debugfs); +- if (IS_ERR(regulator->debugfs)) { ++ if (IS_ERR(regulator->debugfs)) + rdev_dbg(rdev, "Failed to create debugfs directory\n"); +- } else { +- debugfs_create_u32("uA_load", 0444, regulator->debugfs, +- ®ulator->uA_load); +- debugfs_create_u32("min_uV", 0444, regulator->debugfs, +- ®ulator->voltage[PM_SUSPEND_ON].min_uV); +- debugfs_create_u32("max_uV", 0444, regulator->debugfs, +- ®ulator->voltage[PM_SUSPEND_ON].max_uV); +- debugfs_create_file("constraint_flags", 0444, +- regulator->debugfs, regulator, +- &constraint_flags_fops); +- } ++ ++ debugfs_create_u32("uA_load", 0444, regulator->debugfs, ++ ®ulator->uA_load); ++ debugfs_create_u32("min_uV", 0444, regulator->debugfs, ++ ®ulator->voltage[PM_SUSPEND_ON].min_uV); ++ debugfs_create_u32("max_uV", 0444, regulator->debugfs, ++ ®ulator->voltage[PM_SUSPEND_ON].max_uV); ++ debugfs_create_file("constraint_flags", 0444, regulator->debugfs, ++ regulator, &constraint_flags_fops); + + /* + * Check now if the regulator is an always on regulator - if +@@ -4906,10 +4904,8 @@ static void rdev_init_debugfs(struct regulator_dev *rdev) + } + + rdev->debugfs = debugfs_create_dir(rname, debugfs_root); +- if (IS_ERR(rdev->debugfs)) { +- rdev_warn(rdev, "Failed to create 
debugfs directory\n"); +- return; +- } ++ if (IS_ERR(rdev->debugfs)) ++ rdev_dbg(rdev, "Failed to create debugfs directory\n"); + + debugfs_create_u32("use_count", 0444, rdev->debugfs, + &rdev->use_count); +@@ -5797,7 +5793,7 @@ static int __init regulator_init(void) + + debugfs_root = debugfs_create_dir("regulator", NULL); + if (IS_ERR(debugfs_root)) +- pr_warn("regulator: Failed to create debugfs directory\n"); ++ pr_debug("regulator: Failed to create debugfs directory\n"); + + #ifdef CONFIG_DEBUG_FS + debugfs_create_file("supply_map", 0444, debugfs_root, NULL, +-- +2.39.2 + diff --git a/tmp-5.4/revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch b/tmp-5.4/revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch new file mode 100644 index 00000000000..63ec5ce1978 --- /dev/null +++ b/tmp-5.4/revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch 
@@ -0,0 +1,139 @@ +From a82d62f708545d22859584e0e0620da8e3759bbc Mon Sep 17 00:00:00 2001 +From: Jiaqing Zhao +Date: Mon, 19 Jun 2023 15:57:44 +0000 +Subject: Revert "8250: add support for ASIX devices with a FIFO bug" + +From: Jiaqing Zhao + +commit a82d62f708545d22859584e0e0620da8e3759bbc upstream. + +This reverts commit eb26dfe8aa7eeb5a5aa0b7574550125f8aa4c3b3. + +Commit eb26dfe8aa7e ("8250: add support for ASIX devices with a FIFO +bug") merged on Jul 13, 2012 adds a quirk for PCI_VENDOR_ID_ASIX +(0x9710). But that ID is the same as PCI_VENDOR_ID_NETMOS defined in +1f8b061050c7 ("[PATCH] Netmos parallel/serial/combo support") merged +on Mar 28, 2005. In pci_serial_quirks array, the NetMos entry always +takes precedence over the ASIX entry even since it was initially +merged, code in that commit is always unreachable. + +In my tests, adding the FIFO workaround to pci_netmos_init() makes no +difference, and the vendor driver also does not have such workaround. +Given that the code was never used for over a decade, it's safe to +revert it. + +Also, the real PCI_VENDOR_ID_ASIX should be 0x125b, which is used on +their newer AX99100 PCIe serial controllers released on 2016. The FIFO +workaround should not be intended for these newer controllers, and it +was never implemented in vendor driver. 
+ +Fixes: eb26dfe8aa7e ("8250: add support for ASIX devices with a FIFO bug") +Cc: stable +Signed-off-by: Jiaqing Zhao +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230619155743.827859-1-jiaqing.zhao@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250.h | 1 - + drivers/tty/serial/8250/8250_pci.c | 19 ------------------- + drivers/tty/serial/8250/8250_port.c | 11 +++-------- + include/linux/serial_8250.h | 1 - + 4 files changed, 3 insertions(+), 29 deletions(-) + +--- a/drivers/tty/serial/8250/8250.h ++++ b/drivers/tty/serial/8250/8250.h +@@ -87,7 +87,6 @@ struct serial8250_config { + #define UART_BUG_TXEN (1 << 1) /* UART has buggy TX IIR status */ + #define UART_BUG_NOMSR (1 << 2) /* UART has buggy MSR status bits (Au1x00) */ + #define UART_BUG_THRE (1 << 3) /* UART has buggy THRE reassertion */ +-#define UART_BUG_PARITY (1 << 4) /* UART mishandles parity if FIFO enabled */ + + + #ifdef CONFIG_SERIAL_8250_SHARE_IRQ +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -1068,14 +1068,6 @@ static int pci_oxsemi_tornado_init(struc + return number_uarts; + } + +-static int pci_asix_setup(struct serial_private *priv, +- const struct pciserial_board *board, +- struct uart_8250_port *port, int idx) +-{ +- port->bugs |= UART_BUG_PARITY; +- return pci_default_setup(priv, board, port, idx); +-} +- + /* Quatech devices have their own extra interface features */ + + struct quatech_feature { +@@ -1872,7 +1864,6 @@ pci_moxa_setup(struct serial_private *pr + #define PCI_DEVICE_ID_WCH_CH355_4S 0x7173 + #define PCI_VENDOR_ID_AGESTAR 0x5372 + #define PCI_DEVICE_ID_AGESTAR_9375 0x6872 +-#define PCI_VENDOR_ID_ASIX 0x9710 + #define PCI_DEVICE_ID_BROADCOM_TRUMANAGE 0x160a + #define PCI_DEVICE_ID_AMCC_ADDIDATA_APCI7800 0x818e + +@@ -2672,16 +2663,6 @@ static struct pci_serial_quirk pci_seria + .setup = pci_wch_ch38x_setup, + }, + /* +- * ASIX devices with FIFO bug +- */ +- { +- .vendor = 
PCI_VENDOR_ID_ASIX, +- .device = PCI_ANY_ID, +- .subvendor = PCI_ANY_ID, +- .subdevice = PCI_ANY_ID, +- .setup = pci_asix_setup, +- }, +- /* + * Broadcom TruManage (NetXtreme) + */ + { +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2535,11 +2535,8 @@ static unsigned char serial8250_compute_ + + if (c_cflag & CSTOPB) + cval |= UART_LCR_STOP; +- if (c_cflag & PARENB) { ++ if (c_cflag & PARENB) + cval |= UART_LCR_PARITY; +- if (up->bugs & UART_BUG_PARITY) +- up->fifo_bug = true; +- } + if (!(c_cflag & PARODD)) + cval |= UART_LCR_EPAR; + #ifdef CMSPAR +@@ -2646,8 +2643,7 @@ serial8250_do_set_termios(struct uart_po + up->lcr = cval; /* Save computed LCR */ + + if (up->capabilities & UART_CAP_FIFO && port->fifosize > 1) { +- /* NOTE: If fifo_bug is not set, a user can set RX_trigger. */ +- if ((baud < 2400 && !up->dma) || up->fifo_bug) { ++ if (baud < 2400 && !up->dma) { + up->fcr &= ~UART_FCR_TRIGGER_MASK; + up->fcr |= UART_FCR_TRIGGER_1; + } +@@ -2983,8 +2979,7 @@ static int do_set_rxtrig(struct tty_port + struct uart_8250_port *up = up_to_u8250p(uport); + int rxtrig; + +- if (!(up->capabilities & UART_CAP_FIFO) || uport->fifosize <= 1 || +- up->fifo_bug) ++ if (!(up->capabilities & UART_CAP_FIFO) || uport->fifosize <= 1) + return -EINVAL; + + rxtrig = bytes_to_fcr_rxtrig(up, bytes); +--- a/include/linux/serial_8250.h ++++ b/include/linux/serial_8250.h +@@ -95,7 +95,6 @@ struct uart_8250_port { + struct list_head list; /* ports on this IRQ */ + u32 capabilities; /* port capabilities */ + unsigned short bugs; /* port bugs */ +- bool fifo_bug; /* min RX trigger if enabled */ + unsigned int tx_loadsz; /* transmit fifo load size */ + unsigned char acr; + unsigned char fcr; diff --git a/tmp-5.4/revert-f2fs-fix-potential-corruption-when-moving-a-directory.patch b/tmp-5.4/revert-f2fs-fix-potential-corruption-when-moving-a-directory.patch new file mode 100644 index 00000000000..239c487f011 --- /dev/null 
+++ b/tmp-5.4/revert-f2fs-fix-potential-corruption-when-moving-a-directory.patch @@ -0,0 +1,66 @@ +From cde3c9d7e2a359e337216855dcb333a19daaa436 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 1 Jun 2023 12:58:23 +0200 +Subject: Revert "f2fs: fix potential corruption when moving a directory" + +From: Jan Kara + +commit cde3c9d7e2a359e337216855dcb333a19daaa436 upstream. + +This reverts commit d94772154e524b329a168678836745d2773a6e02. The +locking is going to be provided by VFS. + +CC: Jaegeuk Kim +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Message-Id: <20230601105830.13168-3-jack@suse.cz> +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/namei.c | 16 +--------------- + 1 file changed, 1 insertion(+), 15 deletions(-) + +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -892,20 +892,12 @@ static int f2fs_rename(struct inode *old + goto out; + } + +- /* +- * Copied from ext4_rename: we need to protect against old.inode +- * directory getting converted from inline directory format into +- * a normal one. +- */ +- if (S_ISDIR(old_inode->i_mode)) +- inode_lock_nested(old_inode, I_MUTEX_NONDIR2); +- + err = -ENOENT; + old_entry = f2fs_find_entry(old_dir, &old_dentry->d_name, &old_page); + if (!old_entry) { + if (IS_ERR(old_page)) + err = PTR_ERR(old_page); +- goto out_unlock_old; ++ goto out; + } + + if (S_ISDIR(old_inode->i_mode)) { +@@ -1033,9 +1025,6 @@ static int f2fs_rename(struct inode *old + + f2fs_unlock_op(sbi); + +- if (S_ISDIR(old_inode->i_mode)) +- inode_unlock(old_inode); +- + if (IS_DIRSYNC(old_dir) || IS_DIRSYNC(new_dir)) + f2fs_sync_fs(sbi->sb, 1); + +@@ -1051,9 +1040,6 @@ out_dir: + f2fs_put_page(old_dir_page, 0); + out_old: + f2fs_put_page(old_page, 0); +-out_unlock_old: +- if (S_ISDIR(old_inode->i_mode)) +- inode_unlock(old_inode); + out: + if (whiteout) + iput(whiteout); 
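Review bot: This revert removes the `inode_lock_nested(old_inode, I_MUTEX_NONDIR2)` that protected f2fs_rename() against the old directory being converted out of inline format, on the stated basis that the VFS will provide the locking. Nothing in this file carries that dependency, so the queue for this kernel version must also contain the corresponding VFS change. Otherwise the window described in the removed comment is open again. I would leave a short marker at the `f2fs_find_entry()` call, for example `/* old_inode locking for directory renames is expected from the VFS caller */`, so the reliance is visible in the code. f2fs_rename() starts and ends outside the hunks.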
diff --git a/tmp-5.4/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch b/tmp-5.4/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch new file mode 100644 index 00000000000..02715a1a0c1 --- /dev/null +++ b/tmp-5.4/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch 
@@ -0,0 +1,113 @@ +From a53cef2f4c210eba249992848f53ba4b0cbfe8be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 14:59:18 -0700 +Subject: Revert "tcp: avoid the lookup process failing to get sk in ehash + table" + +From: Kuniyuki Iwashima + +[ Upstream commit 81b3ade5d2b98ad6e0a473b0e1e420a801275592 ] + +This reverts commit 3f4ca5fafc08881d7a57daa20449d171f2887043. + +Commit 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in +ehash table") reversed the order in how a socket is inserted into ehash +to fix an issue that ehash-lookup could fail when reqsk/full sk/twsk are +swapped. However, it introduced another lookup failure. + +The full socket in ehash is allocated from a slab with SLAB_TYPESAFE_BY_RCU +and does not have SOCK_RCU_FREE, so the socket could be reused even while +it is being referenced on another CPU doing RCU lookup. + +Let's say a socket is reused and inserted into the same hash bucket during +lookup. After the blamed commit, a new socket is inserted at the end of +the list. If that happens, we will skip sockets placed after the previous +position of the reused socket, resulting in ehash lookup failure. + +As described in Documentation/RCU/rculist_nulls.rst, we should insert a +new socket at the head of the list to avoid such an issue. + +This issue, the swap-lookup-failure, and another variant reported in [0] +can all be handled properly by adding a locked ehash lookup suggested by +Eric Dumazet [1]. + +However, this issue could occur for every packet, thus more likely than +the other two races, so let's revert the change for now. 
+ +Link: https://lore.kernel.org/netdev/20230606064306.9192-1-duanmuquan@baidu.com/ [0] +Link: https://lore.kernel.org/netdev/CANn89iK8snOz8TYOhhwfimC7ykYA78GA3Nyv8x06SZYa1nKdyA@mail.gmail.com/ [1] +Fixes: 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in ehash table") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230717215918.15723-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 17 ++--------------- + net/ipv4/inet_timewait_sock.c | 8 ++++---- + 2 files changed, 6 insertions(+), 19 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 9d14b3289f003..e4f2790fd6410 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -536,20 +536,8 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + spin_lock(lock); + if (osk) { + WARN_ON_ONCE(sk->sk_hash != osk->sk_hash); +- ret = sk_hashed(osk); +- if (ret) { +- /* Before deleting the node, we insert a new one to make +- * sure that the look-up-sk process would not miss either +- * of them and that at least one node would exist in ehash +- * table all the time. Otherwise there's a tiny chance +- * that lookup process could find nothing in ehash table. 
+- */ +- __sk_nulls_add_node_tail_rcu(sk, list); +- sk_nulls_del_node_init_rcu(osk); +- } +- goto unlock; +- } +- if (found_dup_sk) { ++ ret = sk_nulls_del_node_init_rcu(osk); ++ } else if (found_dup_sk) { + *found_dup_sk = inet_ehash_lookup_by_sk(sk, list); + if (*found_dup_sk) + ret = false; +@@ -558,7 +546,6 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + if (ret) + __sk_nulls_add_node_rcu(sk, list); + +-unlock: + spin_unlock(lock); + + return ret; +diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c +index a00102d7c7fd4..c411c87ae865f 100644 +--- a/net/ipv4/inet_timewait_sock.c ++++ b/net/ipv4/inet_timewait_sock.c +@@ -81,10 +81,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw) + } + EXPORT_SYMBOL_GPL(inet_twsk_put); + +-static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw, +- struct hlist_nulls_head *list) ++static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw, ++ struct hlist_nulls_head *list) + { +- hlist_nulls_add_tail_rcu(&tw->tw_node, list); ++ hlist_nulls_add_head_rcu(&tw->tw_node, list); + } + + static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw, +@@ -120,7 +120,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk, + + spin_lock(lock); + +- inet_twsk_add_node_tail_rcu(tw, &ehead->chain); ++ inet_twsk_add_node_rcu(tw, &ehead->chain); + + /* Step 3: Remove SK from hash chain */ + if (__sk_nulls_del_node_init_rcu(sk)) +-- +2.39.2 + diff --git a/tmp-5.4/ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch b/tmp-5.4/ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch new file mode 100644 index 00000000000..1a933beaca3 --- /dev/null +++ b/tmp-5.4/ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch 
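Review bot: The restored `ret = sk_nulls_del_node_init_rcu(osk);` followed by `__sk_nulls_add_node_rcu(sk, list)` in inet_ehash_insert() brings back the short interval in which neither `osk` nor `sk` is on the chain. The commit message accepts that as the lesser problem, but the code no longer says so, because the explanatory comment went away with the reverted lines. I would put a comment in its place, along the lines of `/* Insert at the head, as rculist_nulls requires for SLAB_TYPESAFE_BY_RCU objects; a lockless lookup can miss both osk and sk between the delete and the add. */`. The same head-insertion reasoning applies to `inet_twsk_add_node_rcu()` in the inet_timewait_sock.c hunk and could be noted there too.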
@@ -0,0 +1,128 @@ +From 7e42907f3a7b4ce3a2d1757f6d78336984daf8f5 Mon Sep 17 00:00:00 2001 +From: Zheng Yejian +Date: Sun, 9 Jul 2023 06:51:44 +0800 +Subject: ring-buffer: Fix deadloop issue on reading trace_pipe + +From: Zheng Yejian + +commit 7e42907f3a7b4ce3a2d1757f6d78336984daf8f5 upstream. + +Soft lockup occurs when reading file 'trace_pipe': + + watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [cat:4488] + [...] + RIP: 0010:ring_buffer_empty_cpu+0xed/0x170 + RSP: 0018:ffff88810dd6fc48 EFLAGS: 00000246 + RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff93d1aaeb + RDX: ffff88810a280040 RSI: 0000000000000008 RDI: ffff88811164b218 + RBP: ffff88811164b218 R08: 0000000000000000 R09: ffff88815156600f + R10: ffffed102a2acc01 R11: 0000000000000001 R12: 0000000051651901 + R13: 0000000000000000 R14: ffff888115e49500 R15: 0000000000000000 + [...] + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f8d853c2000 CR3: 000000010dcd8000 CR4: 00000000000006e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + __find_next_entry+0x1a8/0x4b0 + ? peek_next_entry+0x250/0x250 + ? down_write+0xa5/0x120 + ? down_write_killable+0x130/0x130 + trace_find_next_entry_inc+0x3b/0x1d0 + tracing_read_pipe+0x423/0xae0 + ? tracing_splice_read_pipe+0xcb0/0xcb0 + vfs_read+0x16b/0x490 + ksys_read+0x105/0x210 + ? __ia32_sys_pwrite64+0x200/0x200 + ? switch_fpu_return+0x108/0x220 + do_syscall_64+0x33/0x40 + entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +Through the vmcore, I found it's because in tracing_read_pipe(), +ring_buffer_empty_cpu() found some buffer is not empty but then it +cannot read anything due to "rb_num_of_entries() == 0" always true, +Then it infinitely loop the procedure due to user buffer not been +filled, see following code path: + + tracing_read_pipe() { + ... ... + waitagain: + tracing_wait_pipe() // 1. find non-empty buffer here + trace_find_next_entry_inc() // 2. 
loop here try to find an entry + __find_next_entry() + ring_buffer_empty_cpu(); // 3. find non-empty buffer + peek_next_entry() // 4. but peek always return NULL + ring_buffer_peek() + rb_buffer_peek() + rb_get_reader_page() + // 5. because rb_num_of_entries() == 0 always true here + // then return NULL + // 6. user buffer not been filled so goto 'waitgain' + // and eventually leads to an deadloop in kernel!!! + } + +By some analyzing, I found that when resetting ringbuffer, the 'entries' +of its pages are not all cleared (see rb_reset_cpu()). Then when reducing +the ringbuffer, and if some reduced pages exist dirty 'entries' data, they +will be added into 'cpu_buffer->overrun' (see rb_remove_pages()), which +cause wrong 'overrun' count and eventually cause the deadloop issue. + +To fix it, we need to clear every pages in rb_reset_cpu(). + +Link: https://lore.kernel.org/linux-trace-kernel/20230708225144.3785600-1-zhengyejian1@huawei.com + +Cc: stable@vger.kernel.org +Fixes: a5fb833172eca ("ring-buffer: Fix uninitialized read_stamp") +Signed-off-by: Zheng Yejian +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -4487,28 +4487,34 @@ unsigned long ring_buffer_size(struct ri + } + EXPORT_SYMBOL_GPL(ring_buffer_size); + ++static void rb_clear_buffer_page(struct buffer_page *page) ++{ ++ local_set(&page->write, 0); ++ local_set(&page->entries, 0); ++ rb_init_page(page->page); ++ page->read = 0; ++} ++ + static void + rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer) + { ++ struct buffer_page *page; ++ + rb_head_page_deactivate(cpu_buffer); + + cpu_buffer->head_page + = list_entry(cpu_buffer->pages, struct buffer_page, list); +- local_set(&cpu_buffer->head_page->write, 0); +- local_set(&cpu_buffer->head_page->entries, 0); +- 
local_set(&cpu_buffer->head_page->page->commit, 0); +- +- cpu_buffer->head_page->read = 0; ++ rb_clear_buffer_page(cpu_buffer->head_page); ++ list_for_each_entry(page, cpu_buffer->pages, list) { ++ rb_clear_buffer_page(page); ++ } + + cpu_buffer->tail_page = cpu_buffer->head_page; + cpu_buffer->commit_page = cpu_buffer->head_page; + + INIT_LIST_HEAD(&cpu_buffer->reader_page->list); + INIT_LIST_HEAD(&cpu_buffer->new_pages); +- local_set(&cpu_buffer->reader_page->write, 0); +- local_set(&cpu_buffer->reader_page->entries, 0); +- local_set(&cpu_buffer->reader_page->page->commit, 0); +- cpu_buffer->reader_page->read = 0; ++ rb_clear_buffer_page(cpu_buffer->reader_page); + + local_set(&cpu_buffer->entries_bytes, 0); + local_set(&cpu_buffer->overrun, 0); diff --git a/tmp-5.4/rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch b/tmp-5.4/rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch new file mode 100644 index 00000000000..cd17ccdd4d9 --- /dev/null +++ b/tmp-5.4/rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch 
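Review bot: In rb_reset_cpu() the separate `rb_clear_buffer_page(cpu_buffer->head_page);` ahead of the `list_for_each_entry(page, cpu_buffer->pages, list)` walk looks redundant unless the reader knows that `cpu_buffer->pages` is head_page's own list node, which the walk skips. A comment such as `/* pages is head_page's list node, so the loop below visits every page except head_page */` would stop someone from deleting the first call and leaving stale `entries` counts behind. The new helper also replaces `local_set(&...->page->commit, 0)` with `rb_init_page(page->page)`, whose body is not in the hunk. It is worth confirming that it resets `commit` and touches nothing the old code deliberately left alone.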
@@ -0,0 +1,40 @@ +From 8c82f084a7d7497bc68e19dd0dba3712c6515447 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jun 2023 21:11:42 +0200 +Subject: rtc: st-lpc: Release some resources in st_rtc_probe() in case of + error + +From: Christophe JAILLET + +[ Upstream commit 06c6e1b01d9261f03629cefd1f3553503291e6cf ] + +If an error occurs after clk_get(), the corresponding resources should be +released. + +Use devm_clk_get() to fix it. + +Fixes: b5b2bdfc2893 ("rtc: st: Add new driver for ST's LPC RTC") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/866af6adbc7454a7b4505eb6c28fbdc86ccff39e.1686251455.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-st-lpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-st-lpc.c b/drivers/rtc/rtc-st-lpc.c +index 27261b020f8dd..2031d042c5e44 100644 +--- a/drivers/rtc/rtc-st-lpc.c ++++ b/drivers/rtc/rtc-st-lpc.c +@@ -231,7 +231,7 @@ static int st_rtc_probe(struct platform_device *pdev) + enable_irq_wake(rtc->irq); + disable_irq(rtc->irq); + +- rtc->clk = clk_get(&pdev->dev, NULL); ++ rtc->clk = devm_clk_get(&pdev->dev, NULL); + if (IS_ERR(rtc->clk)) { + dev_err(&pdev->dev, "Unable to request clock\n"); + return PTR_ERR(rtc->clk); +-- +2.39.2 + diff --git a/tmp-5.4/rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch b/tmp-5.4/rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch new file mode 100644 index 00000000000..9fd9c1baacd --- /dev/null +++ b/tmp-5.4/rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch 
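Review bot: The `return PTR_ERR(rtc->clk);` after the new `devm_clk_get()` in st_rtc_probe() still leaves the `enable_irq_wake(rtc->irq)` from two lines earlier in effect, so this error path now releases the clock reference but not the wake setting. Adding `disable_irq_wake(rtc->irq);` before that return, or obtaining the clock before the IRQ is configured, would close it. Any `clk_put(rtc->clk)` remaining in the remove or later error paths, which are outside the hunk, must also be dropped now that the reference is device-managed, or the clock will be released twice.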
@@ -0,0 +1,167 @@
+From fefb2d8ee61360931f99c7d7d29e3846834e27a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 11 Jun 2023 13:51:08 +0300
+Subject: rtnetlink: extend RTEXT_FILTER_SKIP_STATS to IFLA_VF_INFO
+
+From: Edwin Peer
+
+[ Upstream commit fa0e21fa44438a0e856d42224bfa24641d37b979 ]
+
+This filter already exists for excluding IPv6 SNMP stats. Extend its
+definition to also exclude IFLA_VF_INFO stats in RTM_GETLINK.
+
+This patch constitutes a partial fix for a netlink attribute nesting
+overflow bug in IFLA_VFINFO_LIST. By excluding the stats when the
+requester doesn't need them, the truncation of the VF list is avoided.
+
+While it was technically only the stats added in commit c5a9f6f0ab40
+("net/core: Add drop counters to VF statistics") breaking the camel's
+back, the appreciable size of the stats data should never have been
+included without due consideration for the maximum number of VFs
+supported by PCI.
+
+Fixes: 3b766cd83232 ("net/core: Add reading VF statistics through the PF netdevice")
+Fixes: c5a9f6f0ab40 ("net/core: Add drop counters to VF statistics")
+Signed-off-by: Edwin Peer
+Cc: Edwin Peer
+Signed-off-by: Gal Pressman
+Link: https://lore.kernel.org/r/20230611105108.122586-1-gal@nvidia.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/core/rtnetlink.c | 96 +++++++++++++++++++++++---------------------
+ 1 file changed, 51 insertions(+), 45 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index da1ef00fc9cc2..0b0107797e490 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -922,24 +922,27 @@ static inline int rtnl_vfinfo_size(const struct net_device *dev,
+ nla_total_size(sizeof(struct ifla_vf_rate)) +
+ nla_total_size(sizeof(struct ifla_vf_link_state)) +
+ nla_total_size(sizeof(struct ifla_vf_rss_query_en)) +
+- nla_total_size(0) + /* nest IFLA_VF_STATS */
+- /* IFLA_VF_STATS_RX_PACKETS */
+- nla_total_size_64bit(sizeof(__u64)) +
+- /* IFLA_VF_STATS_TX_PACKETS */
+- nla_total_size_64bit(sizeof(__u64)) +
+- /* IFLA_VF_STATS_RX_BYTES */
+- nla_total_size_64bit(sizeof(__u64)) +
+- /* IFLA_VF_STATS_TX_BYTES */
+- nla_total_size_64bit(sizeof(__u64)) +
+- /* IFLA_VF_STATS_BROADCAST */
+- nla_total_size_64bit(sizeof(__u64)) +
+- /* IFLA_VF_STATS_MULTICAST */
+- nla_total_size_64bit(sizeof(__u64)) +
+- /* IFLA_VF_STATS_RX_DROPPED */
+- nla_total_size_64bit(sizeof(__u64)) +
+- /* IFLA_VF_STATS_TX_DROPPED */
+- nla_total_size_64bit(sizeof(__u64)) +
+ nla_total_size(sizeof(struct ifla_vf_trust)));
++ if (~ext_filter_mask & RTEXT_FILTER_SKIP_STATS) {
++ size += num_vfs *
++ (nla_total_size(0) + /* nest IFLA_VF_STATS */
++ /* IFLA_VF_STATS_RX_PACKETS */
++ nla_total_size_64bit(sizeof(__u64)) +
++ /* IFLA_VF_STATS_TX_PACKETS */
++ nla_total_size_64bit(sizeof(__u64)) +
++ /* IFLA_VF_STATS_RX_BYTES */
++ nla_total_size_64bit(sizeof(__u64)) +
++ /* IFLA_VF_STATS_TX_BYTES */
++ nla_total_size_64bit(sizeof(__u64)) +
++ /* IFLA_VF_STATS_BROADCAST */
++ nla_total_size_64bit(sizeof(__u64)) +
++ /* IFLA_VF_STATS_MULTICAST */
++ nla_total_size_64bit(sizeof(__u64)) +
++ /* IFLA_VF_STATS_RX_DROPPED */
++ nla_total_size_64bit(sizeof(__u64)) +
++ /* IFLA_VF_STATS_TX_DROPPED */
++ nla_total_size_64bit(sizeof(__u64)));
++ }
+ return size;
+ } else
+ return 0;
+@@ -1189,7 +1192,8 @@ static noinline_for_stack int rtnl_fill_stats(struct sk_buff *skb,
+ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
+ struct net_device *dev,
+ int vfs_num,
+- struct nlattr *vfinfo)
++ struct nlattr *vfinfo,
++ u32 ext_filter_mask)
+ {
+ struct ifla_vf_rss_query_en vf_rss_query_en;
+ struct nlattr *vf, *vfstats, *vfvlanlist;
+@@ -1279,33 +1283,35 @@ static noinline_for_stack int rtnl_fill_vfinfo(struct sk_buff *skb,
+ goto nla_put_vf_failure;
+ }
+ nla_nest_end(skb, vfvlanlist);
+- memset(&vf_stats, 0, sizeof(vf_stats));
+- if (dev->netdev_ops->ndo_get_vf_stats)
+- dev->netdev_ops->ndo_get_vf_stats(dev, vfs_num,
+- &vf_stats);
+- vfstats = nla_nest_start_noflag(skb, IFLA_VF_STATS);
+- if (!vfstats)
+- goto nla_put_vf_failure;
+- if (nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_PACKETS,
+- vf_stats.rx_packets, IFLA_VF_STATS_PAD) ||
+- nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_PACKETS,
+- vf_stats.tx_packets, IFLA_VF_STATS_PAD) ||
+- nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_BYTES,
+- vf_stats.rx_bytes, IFLA_VF_STATS_PAD) ||
+- nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_BYTES,
+- vf_stats.tx_bytes, IFLA_VF_STATS_PAD) ||
+- nla_put_u64_64bit(skb, IFLA_VF_STATS_BROADCAST,
+- vf_stats.broadcast, IFLA_VF_STATS_PAD) ||
+- nla_put_u64_64bit(skb, IFLA_VF_STATS_MULTICAST,
+- vf_stats.multicast, IFLA_VF_STATS_PAD) ||
+- nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_DROPPED,
+- vf_stats.rx_dropped, IFLA_VF_STATS_PAD) ||
+- nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_DROPPED,
+- vf_stats.tx_dropped, IFLA_VF_STATS_PAD)) {
+- nla_nest_cancel(skb, vfstats);
+- goto nla_put_vf_failure;
++ if (~ext_filter_mask & RTEXT_FILTER_SKIP_STATS) {
++ memset(&vf_stats, 0, sizeof(vf_stats));
++ if (dev->netdev_ops->ndo_get_vf_stats)
++ dev->netdev_ops->ndo_get_vf_stats(dev, vfs_num,
++ &vf_stats);
++ vfstats = nla_nest_start_noflag(skb, IFLA_VF_STATS);
++ if (!vfstats)
++ goto nla_put_vf_failure;
++ if (nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_PACKETS,
++ vf_stats.rx_packets, IFLA_VF_STATS_PAD) ||
++ nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_PACKETS,
++ vf_stats.tx_packets, IFLA_VF_STATS_PAD) ||
++ nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_BYTES,
++ vf_stats.rx_bytes, IFLA_VF_STATS_PAD) ||
++ nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_BYTES,
++ vf_stats.tx_bytes, IFLA_VF_STATS_PAD) ||
++ nla_put_u64_64bit(skb, IFLA_VF_STATS_BROADCAST,
++ vf_stats.broadcast, IFLA_VF_STATS_PAD) ||
++ nla_put_u64_64bit(skb, IFLA_VF_STATS_MULTICAST,
++ vf_stats.multicast, IFLA_VF_STATS_PAD) ||
++ nla_put_u64_64bit(skb, IFLA_VF_STATS_RX_DROPPED,
++ vf_stats.rx_dropped, IFLA_VF_STATS_PAD) ||
++ nla_put_u64_64bit(skb, IFLA_VF_STATS_TX_DROPPED,
++ vf_stats.tx_dropped, IFLA_VF_STATS_PAD)) {
++ nla_nest_cancel(skb, vfstats);
++ goto nla_put_vf_failure;
++ }
++ nla_nest_end(skb, vfstats);
+ }
+- nla_nest_end(skb, vfstats);
+ nla_nest_end(skb, vf);
+ return 0;
+
+@@ -1338,7 +1344,7 @@ static noinline_for_stack int rtnl_fill_vf(struct sk_buff *skb,
+ return -EMSGSIZE;
+
+ for (i = 0; i < num_vfs; i++) {
+- if (rtnl_fill_vfinfo(skb, dev, i, vfinfo))
++ if (rtnl_fill_vfinfo(skb, dev, i, vfinfo, ext_filter_mask))
+ return -EMSGSIZE;
+ }
+
+--
+2.39.2
+
diff --git a/tmp-5.4/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch b/tmp-5.4/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch
new file mode 100644
index 00000000000..837ca484375
--- /dev/null
+++ b/tmp-5.4/samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch
@@ -0,0 +1,36 @@
+From 0ee82b960f4dc01a0d320e8313ba5f9117652bcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 May 2023 16:50:58 +0800
+Subject: samples/bpf: Fix buffer overflow in tcp_basertt
+
+From: Pengcheng Yang
+
+[ Upstream commit f4dea9689c5fea3d07170c2cb0703e216f1a0922 ]
+
+Using sizeof(nv) or strlen(nv)+1 is correct.
+
+Fixes: c890063e4404 ("bpf: sample BPF_SOCKET_OPS_BASE_RTT program")
+Signed-off-by: Pengcheng Yang
+Link: https://lore.kernel.org/r/1683276658-2860-1-git-send-email-yangpc@wangsu.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ samples/bpf/tcp_basertt_kern.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/bpf/tcp_basertt_kern.c b/samples/bpf/tcp_basertt_kern.c
+index 9dba48c2b9207..66dd58f78d528 100644
+--- a/samples/bpf/tcp_basertt_kern.c
++++ b/samples/bpf/tcp_basertt_kern.c
+@@ -47,7 +47,7 @@ int bpf_basertt(struct bpf_sock_ops *skops)
+ case BPF_SOCK_OPS_BASE_RTT:
+ n = bpf_getsockopt(skops, SOL_TCP, TCP_CONGESTION,
+ cong, sizeof(cong));
+- if (!n && !__builtin_memcmp(cong, nv, sizeof(nv)+1)) {
++ if (!n && !__builtin_memcmp(cong, nv, sizeof(nv))) {
+ /* Set base_rtt to 80us */
+ rv = 80;
+ } else if (n) {
+--
+2.39.2
+
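Review bot: The stats guard `if (~ext_filter_mask & RTEXT_FILTER_SKIP_STATS)` now appears in both rtnl_vfinfo_size() and rtnl_fill_vfinfo(), and the message size estimate is only correct while the two tests stay identical. A comment at each site naming the other, e.g. `/* keep in sync with rtnl_fill_vfinfo(): stats are sized only when they are emitted */`, would protect the truncation fix from a later one-sided edit. Assuming the flag is a single bit, the positive form `!(ext_filter_mask & RTEXT_FILTER_SKIP_STATS)` reads more directly than the bitwise complement. Both functions start and end outside their hunks.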
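Review bot: In bpf_basertt() the corrected `__builtin_memcmp(cong, nv, sizeof(nv))` relies on `sizeof(nv)` already counting the terminating NUL, which makes it an exact-name match; the old `sizeof(nv)+1` compared one byte past the end of `nv`. The commit message does not explain this, so a one-line comment at the call would help, e.g. `/* sizeof(nv) includes the NUL: exact match, no read past nv */`. The declarations of `cong` and `nv` are outside the hunk, so this assumes `nv` is a char array rather than a pointer and that `cong` holds at least `sizeof(nv)` bytes.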
diff --git a/tmp-5.4/sched-fair-don-t-balance-task-to-its-current-running.patch b/tmp-5.4/sched-fair-don-t-balance-task-to-its-current-running.patch
new file mode 100644
index 00000000000..a7976f25fdc
--- /dev/null
+++ b/tmp-5.4/sched-fair-don-t-balance-task-to-its-current-running.patch
@@ -0,0 +1,96 @@
+From 6d50b7798c7af9c0a47321925555356fa38aa6e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 May 2023 16:25:07 +0800
+Subject: sched/fair: Don't balance task to its current running CPU
+
+From: Yicong Yang
+
+[ Upstream commit 0dd37d6dd33a9c23351e6115ae8cdac7863bc7de ]
+
+We've run into the case that the balancer tries to balance a migration
+disabled task and trigger the warning in set_task_cpu() like below:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240
+ Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip>
+ CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1
+ Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021
+ pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : set_task_cpu+0x188/0x240
+ lr : load_balance+0x5d0/0xc60
+ sp : ffff80000803bc70
+ x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040
+ x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001
+ x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78
+ x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000
+ x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000
+ x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000
+ x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530
+ x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e
+ x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a
+ x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001
+ Call trace:
+ set_task_cpu+0x188/0x240
+ load_balance+0x5d0/0xc60
+ rebalance_domains+0x26c/0x380
+ _nohz_idle_balance.isra.0+0x1e0/0x370
+ run_rebalance_domains+0x6c/0x80
+ __do_softirq+0x128/0x3d8
+ ____do_softirq+0x18/0x24
+ call_on_irq_stack+0x2c/0x38
+ do_softirq_own_stack+0x24/0x3c
+ __irq_exit_rcu+0xcc/0xf4
+ irq_exit_rcu+0x18/0x24
+ el1_interrupt+0x4c/0xe4
+ el1h_64_irq_handler+0x18/0x2c
+ el1h_64_irq+0x74/0x78
+ arch_cpu_idle+0x18/0x4c
+ default_idle_call+0x58/0x194
+ do_idle+0x244/0x2b0
+ cpu_startup_entry+0x30/0x3c
+ secondary_start_kernel+0x14c/0x190
+ __secondary_switched+0xb0/0xb4
+ ---[ end trace 0000000000000000 ]---
+
+Further investigation shows that the warning is superfluous, the migration
+disabled task is just going to be migrated to its current running CPU.
+This is because that on load balance if the dst_cpu is not allowed by the
+task, we'll re-select a new_dst_cpu as a candidate. If no task can be
+balanced to dst_cpu we'll try to balance the task to the new_dst_cpu
+instead. In this case when the migration disabled task is not on CPU it
+only allows to run on its current CPU, load balance will select its
+current CPU as new_dst_cpu and later triggers the warning above.
+
+The new_dst_cpu is chosen from the env->dst_grpmask. Currently it
+contains CPUs in sched_group_span() and if we have overlapped groups it's
+possible to run into this case. This patch makes env->dst_grpmask of
+group_balance_mask() which exclude any CPUs from the busiest group and
+solve the issue. For balancing in a domain with no overlapped groups
+the behaviour keeps same as before.
+
+Suggested-by: Vincent Guittot
+Signed-off-by: Yicong Yang
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Vincent Guittot
+Link: https://lore.kernel.org/r/20230530082507.10444-1-yangyicong@huawei.com
+Signed-off-by: Sasha Levin
+---
+ kernel/sched/fair.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 9fcba0d2ab19b..2680216234ff2 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -8938,7 +8938,7 @@ static int load_balance(int this_cpu, struct rq *this_rq,
+ .sd = sd,
+ .dst_cpu = this_cpu,
+ .dst_rq = this_rq,
+- .dst_grpmask = sched_group_span(sd->groups),
++ .dst_grpmask = group_balance_mask(sd->groups),
+ .idle = idle,
+ .loop_break = sched_nr_migrate_break,
+ .cpus = cpus,
+--
+2.39.2
+
diff --git a/tmp-5.4/scripts-tags.sh-resolve-gtags-empty-index-generation.patch b/tmp-5.4/scripts-tags.sh-resolve-gtags-empty-index-generation.patch
new file mode 100644
index 00000000000..f06a70839ad
--- /dev/null
+++ b/tmp-5.4/scripts-tags.sh-resolve-gtags-empty-index-generation.patch
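Review bot: The reason for initialising `.dst_grpmask` from `group_balance_mask(sd->groups)` rather than `sched_group_span(sd->groups)` is recorded only in the commit message, and at the initializer in load_balance() the two calls look interchangeable. A short comment there, e.g. `/* balance mask, not span: with overlapping groups the span can include the task's current CPU */`, would keep a later cleanup from reverting it. Any existing description of dst_grpmask on the env structure is outside the hunk and may need the same wording update.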
@@ -0,0 +1,65 @@
+From e1b37563caffc410bb4b55f153ccb14dede66815 Mon Sep 17 00:00:00 2001
+From: "Ahmed S. Darwish"
+Date: Mon, 15 May 2023 19:32:16 +0200
+Subject: scripts/tags.sh: Resolve gtags empty index generation
+
+From: Ahmed S. Darwish
+
+commit e1b37563caffc410bb4b55f153ccb14dede66815 upstream.
+
+gtags considers any file outside of its current working directory
+"outside the source tree" and refuses to index it. For O= kernel builds,
+or when "make" is invoked from a directory other then the kernel source
+tree, gtags ignores the entire kernel source and generates an empty
+index.
+
+Force-set gtags current working directory to the kernel source tree.
+
+Due to commit 9da0763bdd82 ("kbuild: Use relative path when building in
+a subdir of the source tree"), if the kernel build is done in a
+sub-directory of the kernel source tree, the kernel Makefile will set
+the kernel's $srctree to ".." for shorter compile-time and run-time
+warnings. Consequently, the list of files to be indexed will be in the
+"../*" form, rendering all such paths invalid once gtags switches to the
+kernel source tree as its current working directory.
+
+If gtags indexing is requested and the build directory is not the kernel
+source tree, index all files in absolute-path form.
+
+Note, indexing in absolute-path form will not affect the generated
+index, as paths in gtags indices are always relative to the gtags "root
+directory" anyway (as evidenced by "gtags --dump").
+
+Signed-off-by: Ahmed S. Darwish
+Cc:
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/tags.sh | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/scripts/tags.sh
++++ b/scripts/tags.sh
+@@ -28,6 +28,13 @@ fi
+ # ignore userspace tools
+ ignore="$ignore ( -path ${tree}tools ) -prune -o"
+
++# gtags(1) refuses to index any file outside of its current working dir.
++# If gtags indexing is requested and the build output directory is not
++# the kernel source tree, index all files in absolute-path form.
++if [[ "$1" == "gtags" && -n "${tree}" ]]; then
++ tree=$(realpath "$tree")/
++fi
++
+ # Detect if ALLSOURCE_ARCHS is set. If not, we assume SRCARCH
+ if [ "${ALLSOURCE_ARCHS}" = "" ]; then
+ ALLSOURCE_ARCHS=${SRCARCH}
+@@ -134,7 +141,7 @@ docscope()
+
+ dogtags()
+ {
+- all_target_sources | gtags -i -f -
++ all_target_sources | gtags -i -C "${tree:-.}" -f - "$PWD"
+ }
+
+ # Basic regular expressions with an optional /kind-spec/ for ctags and
diff --git a/tmp-5.4/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch b/tmp-5.4/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch
new file mode 100644
index 00000000000..8d072a64d48
--- /dev/null
+++ b/tmp-5.4/scsi-3w-xxxx-add-error-handling-for-initialization-f.patch
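Review bot: The new `tree=$(realpath "$tree")/` in scripts/tags.sh does not check whether realpath succeeded. If realpath prints nothing (path missing, or the tool not installed), `tree` becomes `/`, and the `-path ${tree}tools` prune and `gtags -C "${tree:-.}"` would then refer to the filesystem root. Resolving into a temporary first keeps the failure local: `abs_tree=$(realpath "$tree") || exit 1` followed by `tree=${abs_tree}/`. The `[[ … ]]` test also assumes the script's interpreter is bash, which the hunk does not show.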
@@ -0,0 +1,47 @@
+From faf7e47be6d7209421b9e209b652521f3d411e10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 May 2023 22:12:55 +0800
+Subject: scsi: 3w-xxxx: Add error handling for initialization failure in
+ tw_probe()
+
+From: Yuchen Yang
+
+[ Upstream commit 2e2fe5ac695a00ab03cab4db1f4d6be07168ed9d ]
+
+Smatch complains that:
+
+tw_probe() warn: missing error code 'retval'
+
+This patch adds error checking to tw_probe() to handle initialization
+failure. If tw_reset_sequence() function returns a non-zero value, the
+function will return -EINVAL to indicate initialization failure.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yuchen Yang
+Link: https://lore.kernel.org/r/20230505141259.7730-1-u202114568@hust.edu.cn
+Reviewed-by: Dan Carpenter
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/3w-xxxx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/3w-xxxx.c b/drivers/scsi/3w-xxxx.c
+index 2b1e0d5030201..75290aabd543b 100644
+--- a/drivers/scsi/3w-xxxx.c
++++ b/drivers/scsi/3w-xxxx.c
+@@ -2310,8 +2310,10 @@ static int tw_probe(struct pci_dev *pdev, const struct pci_device_id *dev_id)
+ TW_DISABLE_INTERRUPTS(tw_dev);
+
+ /* Initialize the card */
+- if (tw_reset_sequence(tw_dev))
++ if (tw_reset_sequence(tw_dev)) {
++ retval = -EINVAL;
+ goto out_release_mem_region;
++ }
+
+ /* Set host specific parameters */
+ host->max_id = TW_MAX_UNITS;
+--
+2.39.2
+
diff --git a/tmp-5.4/scsi-qedf-fix-null-dereference-in-error-handling.patch b/tmp-5.4/scsi-qedf-fix-null-dereference-in-error-handling.patch
new file mode 100644
index 00000000000..94338e5f183
--- /dev/null
+++ b/tmp-5.4/scsi-qedf-fix-null-dereference-in-error-handling.patch
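Review bot: In tw_probe() the new `retval = -EINVAL;` reports a failed controller reset as an invalid-argument error, which says nothing about the hardware and discards whatever tw_reset_sequence() returned. `retval = -ENODEV;` (or `-EIO`) would describe the condition more accurately in the probe failure path. The rest of tw_probe(), including what `out_release_mem_region` unwinds, is outside the hunk.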
@@ -0,0 +1,47 @@
+From 80fe24ae9795741038f5de36d24f410e3915dfe2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 May 2023 22:00:21 +0800
+Subject: scsi: qedf: Fix NULL dereference in error handling
+
+From: Jinhong Zhu
+
+[ Upstream commit f025312b089474a54e4859f3453771314d9e3d4f ]
+
+Smatch reported:
+
+drivers/scsi/qedf/qedf_main.c:3056 qedf_alloc_global_queues()
+warn: missing unwind goto?
+
+At this point in the function, nothing has been allocated so we can return
+directly. In particular the "qedf->global_queues" have not been allocated
+so calling qedf_free_global_queues() will lead to a NULL dereference when
+we check if (!gl[i]) and "gl" is NULL.
+
+Fixes: 61d8658b4a43 ("scsi: qedf: Add QLogic FastLinQ offload FCoE driver framework.")
+Signed-off-by: Jinhong Zhu
+Link: https://lore.kernel.org/r/20230502140022.2852-1-jinhongzhu@hust.edu.cn
+Reviewed-by: Dan Carpenter
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/qedf/qedf_main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
+index f864ef059d29e..858058f228191 100644
+--- a/drivers/scsi/qedf/qedf_main.c
++++ b/drivers/scsi/qedf/qedf_main.c
+@@ -2914,9 +2914,8 @@ static int qedf_alloc_global_queues(struct qedf_ctx *qedf)
+ * addresses of our queues
+ */
+ if (!qedf->p_cpuq) {
+- status = -EINVAL;
+ QEDF_ERR(&qedf->dbg_ctx, "p_cpuq is NULL.\n");
+- goto mem_alloc_failure;
++ return -EINVAL;
+ }
+
+ qedf->global_queues = kzalloc((sizeof(struct global_queue *)
+--
+2.39.2
+
diff --git a/tmp-5.4/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch b/tmp-5.4/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
new file mode 100644
index 00000000000..d05e2e0cae7
--- /dev/null
+++ b/tmp-5.4/scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
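Review bot: Returning early in qedf_alloc_global_queues() removes one path into qedf_free_global_queues() with a NULL `qedf->global_queues`, but the helper, as the commit message describes it, still tests `gl[i]` without first checking `gl`. A guard at the top of the helper, `if (!gl) return;`, would make every present and future `goto mem_alloc_failure` safe instead of depending on call order. The helper is not part of this hunk, so this rests on the commit description. The handling of a failed kzalloc() just below the hunk is also not visible and deserves the same check.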
@@ -0,0 +1,37 @@
+From af73f23a27206ffb3c477cac75b5fcf03410556e Mon Sep 17 00:00:00 2001
+From: Nilesh Javali
+Date: Wed, 7 Jun 2023 17:08:39 +0530
+Subject: scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
+
+From: Nilesh Javali
+
+commit af73f23a27206ffb3c477cac75b5fcf03410556e upstream.
+
+Klocwork reported warning of rport maybe NULL and will be dereferenced.
+rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced.
+
+Check valid rport returned by fc_bsg_to_rport().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-5-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -259,6 +259,10 @@ qla2x00_process_els(struct bsg_job *bsg_
+
+ if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+ rport = fc_bsg_to_rport(bsg_job);
++ if (!rport) {
++ rval = -ENOMEM;
++ goto done;
++ }
+ fcport = *(fc_port_t **) rport->dd_data;
+ host = rport_to_shost(rport);
+ vha = shost_priv(host);
diff --git a/tmp-5.4/scsi-qla2xxx-correct-the-index-of-array.patch b/tmp-5.4/scsi-qla2xxx-correct-the-index-of-array.patch
new file mode 100644
index 00000000000..3f6e2147795
--- /dev/null
+++ b/tmp-5.4/scsi-qla2xxx-correct-the-index-of-array.patch
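Review bot: In qla2x00_process_els() the new NULL check sets `rval = -ENOMEM`, but no allocation has failed here; a missing rport is closer to `-ENODEV`, and the wrong errno will mislead whoever reads the bsg failure. The sibling fix for the same fc_bsg_to_rport() NULL case in qla24xx_bsg_request() (the qla_bsg.c hunk at -2530) uses a bare `return ret;` whose value is set outside that hunk, so the two paths may report different codes for one condition. Suggest one explicit errno in both, `rval = -ENODEV;` here and `return -ENODEV;` there. What the `done` label releases is outside the hunk and should be confirmed safe while `fcport` and `vha` are still unset.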
@@ -0,0 +1,51 @@
+From b1b9d3825df4c757d653d0b1df66f084835db9c3 Mon Sep 17 00:00:00 2001
+From: Bikash Hazarika
+Date: Wed, 7 Jun 2023 17:08:42 +0530
+Subject: scsi: qla2xxx: Correct the index of array
+
+From: Bikash Hazarika
+
+commit b1b9d3825df4c757d653d0b1df66f084835db9c3 upstream.
+
+Klocwork reported array 'port_dstate_str' of size 10 may use index value(s)
+10..15.
+
+Add a fix to correct the index of array.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bikash Hazarika
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-8-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_inline.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_inline.h
++++ b/drivers/scsi/qla2xxx/qla_inline.h
+@@ -110,11 +110,13 @@ qla2x00_set_fcport_disc_state(fc_port_t
+ {
+ int old_val;
+ uint8_t shiftbits, mask;
++ uint8_t port_dstate_str_sz;
+
+ /* This will have to change when the max no. of states > 16 */
+ shiftbits = 4;
+ mask = (1 << shiftbits) - 1;
+
++ port_dstate_str_sz = sizeof(port_dstate_str) / sizeof(char *);
+ fcport->disc_state = state;
+ while (1) {
+ old_val = atomic_read(&fcport->shadow_disc_state);
+@@ -122,7 +124,8 @@ qla2x00_set_fcport_disc_state(fc_port_t
+ old_val, (old_val << shiftbits) | state)) {
+ ql_dbg(ql_dbg_disc, fcport->vha, 0x2134,
+ "FCPort %8phC disc_state transition: %s to %s - portid=%06x.\n",
+- fcport->port_name, port_dstate_str[old_val & mask],
++ fcport->port_name, (old_val & mask) < port_dstate_str_sz ?
++ port_dstate_str[old_val & mask] : "Unknown",
+ port_dstate_str[state], fcport->d_id.b24);
+ return;
+ }
diff --git a/tmp-5.4/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch b/tmp-5.4/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch
new file mode 100644
index 00000000000..5cef55a89e9
--- /dev/null
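Review bot: In qla2x00_set_fcport_disc_state() only the old-state lookup is bounds-checked; the second `%s` argument, `port_dstate_str[state]`, is still indexed with the unchecked `state` parameter on the unchanged line right after the added ones. If `state` can reach the table size, that is the same out-of-bounds read the patch is fixing, so guard it the same way: `state < port_dstate_str_sz ? port_dstate_str[state] : "Unknown"`. The size is also better taken with `ARRAY_SIZE(port_dstate_str)` than with `sizeof(port_dstate_str) / sizeof(char *)`, which goes wrong silently if the element type changes. The declaration of `port_dstate_str` and the type of `state` are outside the hunk.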
+++ b/tmp-5.4/scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch
@@ -0,0 +1,38 @@
+From 49654d52e468856ea4004f6d3ac2178d67f99cfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 26 Jun 2023 13:58:47 +0300
+Subject: scsi: qla2xxx: Fix error code in qla2x00_start_sp()
+
+From: Dan Carpenter
+
+[ Upstream commit e579b007eff3ff8d29d59d16214cd85fb9e573f7 ]
+
+This should be negative -EAGAIN instead of positive. The callers treat
+non-zero error codes the same so it doesn't really impact runtime beyond
+some trivial differences to debug output.
+
+Fixes: 80676d054e5a ("scsi: qla2xxx: Fix session cleanup hang")
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/49866d28-4cfe-47b0-842b-78f110e61aab@moroto.mountain
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/qla2xxx/qla_iocb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
+index 103288b0377e0..cbdc84fdc52c1 100644
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -3665,7 +3665,7 @@ qla2x00_start_sp(srb_t *sp)
+ spin_lock_irqsave(qp->qp_lock_ptr, flags);
+ pkt = __qla2x00_alloc_iocbs(sp->qpair, sp);
+ if (!pkt) {
+- rval = EAGAIN;
++ rval = -EAGAIN;
+ ql_log(ql_log_warn, vha, 0x700c,
+ "qla2x00_alloc_iocbs failed.\n");
+ goto done;
+--
+2.39.2
+
diff --git a/tmp-5.4/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch b/tmp-5.4/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
new file mode 100644
index 00000000000..e580ecb4a9f
--- /dev/null
+++ b/tmp-5.4/scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
@@ -0,0 +1,35 @@
+From 464ea494a40c6e3e0e8f91dd325408aaf21515ba Mon Sep 17 00:00:00 2001
+From: Bikash Hazarika
+Date: Wed, 7 Jun 2023 17:08:37 +0530
+Subject: scsi: qla2xxx: Fix potential NULL pointer dereference
+
+From: Bikash Hazarika
+
+commit 464ea494a40c6e3e0e8f91dd325408aaf21515ba upstream.
+
+Klocwork tool reported 'cur_dsd' may be dereferenced. Add fix to validate
+pointer before dereferencing the pointer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bikash Hazarika
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-3-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_iocb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_iocb.c
++++ b/drivers/scsi/qla2xxx/qla_iocb.c
+@@ -601,7 +601,8 @@ qla24xx_build_scsi_type_6_iocbs(srb_t *s
+ put_unaligned_le32(COMMAND_TYPE_6, &cmd_pkt->entry_type);
+
+ /* No data transfer */
+- if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE) {
++ if (!scsi_bufflen(cmd) || cmd->sc_data_direction == DMA_NONE ||
++ tot_dsds == 0) {
+ cmd_pkt->byte_count = cpu_to_le32(0);
+ return 0;
+ }
diff --git a/tmp-5.4/scsi-qla2xxx-pointer-may-be-dereferenced.patch b/tmp-5.4/scsi-qla2xxx-pointer-may-be-dereferenced.patch
new file mode 100644
index 00000000000..7ab2c061d5e
--- /dev/null
+++ b/tmp-5.4/scsi-qla2xxx-pointer-may-be-dereferenced.patch
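Review bot: In qla24xx_build_scsi_type_6_iocbs() the added `tot_dsds == 0` test is folded into the "No data transfer" branch, so a command with a non-zero `scsi_bufflen(cmd)` and a real data direction but no descriptors is now built with `byte_count` 0 and `return 0`. That turns an inconsistent request into a silent no-data command rather than an error. If that combination can occur, handle it in its own branch that logs the mismatch and returns the function's failure value, keeping the no-data branch for the two original conditions. The `cur_dsd` dereference named in the commit message and the origin of `tot_dsds` are outside the hunk.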
@@ -0,0 +1,36 @@
+From 00eca15319d9ce8c31cdf22f32a3467775423df4 Mon Sep 17 00:00:00 2001
+From: Shreyas Deodhar
+Date: Wed, 7 Jun 2023 17:08:41 +0530
+Subject: scsi: qla2xxx: Pointer may be dereferenced
+
+From: Shreyas Deodhar
+
+commit 00eca15319d9ce8c31cdf22f32a3467775423df4 upstream.
+
+Klocwork tool reported pointer 'rport' returned from call to function
+fc_bsg_to_rport() may be NULL and will be dereferenced.
+
+Add a fix to validate rport before dereferencing.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Shreyas Deodhar
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230607113843.37185-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -2530,6 +2530,8 @@ qla24xx_bsg_request(struct bsg_job *bsg_
+
+ if (bsg_request->msgcode == FC_BSG_RPT_ELS) {
+ rport = fc_bsg_to_rport(bsg_job);
++ if (!rport)
++ return ret;
+ host = rport_to_shost(rport);
+ vha = shost_priv(host);
+ } else {
diff --git a/tmp-5.4/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch b/tmp-5.4/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
new file mode 100644
index 00000000000..bb7b73bad34
--- /dev/null
+++ b/tmp-5.4/scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
@@ -0,0 +1,91 @@
+From 20fce500b232b970e40312a9c97e7f3b6d7a709c Mon Sep 17 00:00:00 2001
+From: Manish Rangankar
+Date: Thu, 15 Jun 2023 13:16:33 +0530
+Subject: scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue
+
+From: Manish Rangankar
+
+commit 20fce500b232b970e40312a9c97e7f3b6d7a709c upstream.
+
+System crash when qla2x00_start_sp(sp) returns error code EGAIN and wake_up
+gets called for uninitialized wait queue sp->nvme_ls_waitq.
+
+ qla2xxx [0000:37:00.1]-2121:5: Returning existing qpair of ffff8ae2c0513400 for idx=0
+ qla2xxx [0000:37:00.1]-700e:5: qla2x00_start_sp failed = 11
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP NOPTI
+ Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021
+ Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]
+ RIP: 0010:__wake_up_common+0x4c/0x190
+ RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086
+ RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000
+ RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320
+ RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8
+ R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20
+ R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000
+ FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ __wake_up_common_lock+0x7c/0xc0
+ qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]
+ ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]
+ ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]
+ ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]
+
+Remove unused nvme_ls_waitq wait queue. nvme_ls_waitq logic was removed
+previously in the commits tagged Fixed: below.
+
+Fixes: 219d27d7147e ("scsi: qla2xxx: Fix race conditions in the code for aborting SCSI commands")
+Fixes: 5621b0dd7453 ("scsi: qla2xxx: Simpify unregistration of FC-NVMe local/remote ports")
+Cc: stable@vger.kernel.org
+Signed-off-by: Manish Rangankar
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230615074633.12721-1-njavali@marvell.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_def.h | 1 -
+ drivers/scsi/qla2xxx/qla_nvme.c | 3 ---
+ 2 files changed, 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -593,7 +593,6 @@ typedef struct srb {
+ uint8_t pad[3];
+ struct kref cmd_kref; /* need to migrate ref_count over to this */
+ void *priv;
+- wait_queue_head_t nvme_ls_waitq;
+ struct fc_port *fcport;
+ struct scsi_qla_host *vha;
+ unsigned int start_timer:1;
+--- a/drivers/scsi/qla2xxx/qla_nvme.c
++++ b/drivers/scsi/qla2xxx/qla_nvme.c
+@@ -318,7 +318,6 @@ static int qla_nvme_ls_req(struct nvme_f
+ if (rval != QLA_SUCCESS) {
+ ql_log(ql_log_warn, vha, 0x700e,
+ "qla2x00_start_sp failed = %d\n", rval);
+- wake_up(&sp->nvme_ls_waitq);
+ sp->priv = NULL;
+ priv->sp = NULL;
+ qla2x00_rel_sp(sp);
+@@ -563,7 +562,6 @@ static int qla_nvme_post_cmd(struct nvme
+ if (!sp)
+ return -EBUSY;
+
+- init_waitqueue_head(&sp->nvme_ls_waitq);
+ kref_init(&sp->cmd_kref);
+ spin_lock_init(&priv->cmd_lock);
+ sp->priv = (void *)priv;
+@@ -581,7 +579,6 @@ static int qla_nvme_post_cmd(struct nvme
+ if (rval != QLA_SUCCESS) {
+ ql_log(ql_log_warn, vha, 0x212d,
+ "qla2x00_start_nvme_mq failed = %d\n", rval);
+- wake_up(&sp->nvme_ls_waitq);
+ sp->priv = NULL;
+ priv->sp = NULL;
+ qla2xxx_rel_qpair_sp(sp->qpair, sp);
diff --git a/tmp-5.4/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch b/tmp-5.4/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
new file mode 100644
index 00000000000..a602941efd9
--- /dev/null
+++ b/tmp-5.4/scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
@@ -0,0 +1,71 @@
+From fc0cba0c7be8261a1625098bd1d695077ec621c9 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Fri, 28 Apr 2023 00:53:38 -0700
+Subject: scsi: qla2xxx: Wait for io return on terminate rport
+
+From: Quinn Tran
+
+commit fc0cba0c7be8261a1625098bd1d695077ec621c9 upstream.
+
+System crash due to use after free.
+Current code allows terminate_rport_io to exit before making
+sure all IOs has returned. For FCP-2 device, IO's can hang
+on in HW because driver has not tear down the session in FW at
+first sign of cable pull. When dev_loss_tmo timer pops,
+terminate_rport_io is called and upper layer is about to
+free various resources. Terminate_rport_io trigger qla to do
+the final cleanup, but the cleanup might not be fast enough where it
+leave qla still holding on to the same resource.
+
+Wait for IO's to return to upper layer before resources are freed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran
+Signed-off-by: Nilesh Javali
+Link: https://lore.kernel.org/r/20230428075339.32551-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani
+Signed-off-by: Martin K.
Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -2574,6 +2574,7 @@ static void
+ qla2x00_terminate_rport_io(struct fc_rport *rport)
+ {
+ fc_port_t *fcport = *(fc_port_t **)rport->dd_data;
++ scsi_qla_host_t *vha;
+
+ if (!fcport)
+ return;
+@@ -2583,9 +2584,12 @@ qla2x00_terminate_rport_io(struct fc_rpo
+
+ if (test_bit(ABORT_ISP_ACTIVE, &fcport->vha->dpc_flags))
+ return;
++ vha = fcport->vha;
+
+ if (unlikely(pci_channel_offline(fcport->vha->hw->pdev))) {
+ qla2x00_abort_all_cmds(fcport->vha, DID_NO_CONNECT << 16);
++ qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24,
++ 0, WAIT_TARGET);
+ return;
+ }
+ /*
+@@ -2600,6 +2604,15 @@ qla2x00_terminate_rport_io(struct fc_rpo
+ else
+ qla2x00_port_logout(fcport->vha, fcport);
+ }
++
++ /* check for any straggling io left behind */
++ if (qla2x00_eh_wait_for_pending_commands(fcport->vha, fcport->d_id.b24, 0, WAIT_TARGET)) {
++ ql_log(ql_log_warn, vha, 0x300b,
++ "IO not return. Resetting. \n");
++ set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags);
++ qla2xxx_wake_dpc(vha);
++ qla2x00_wait_for_chip_reset(vha);
++ }
+ }
+
+ static int
diff --git a/tmp-5.4/sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch b/tmp-5.4/sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch
new file mode 100644
index 00000000000..38840a92fbc
--- /dev/null
+++ b/tmp-5.4/sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch
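Review bot: In qla2x00_terminate_rport_io() the PCI-offline branch discards the return value of qla2x00_eh_wait_for_pending_commands() and returns, so if commands for this target are still outstanding the caller proceeds to free resources, which is the use-after-free condition the commit message sets out to close. The tail of the function treats a non-zero result as "IO not returned" and escalates; the early-return path should at least check the result and warn, and carry a comment such as `/* PCI channel offline: wait is best effort, pending IO is only reported here */` if no further recovery is intended (that intent is not visible in the hunk). The new local `vha` is assigned but the added calls keep passing `fcport->vha`; using `vha` throughout, assigned right after the `!fcport` check, would read more consistently. The function's remaining body lies outside the hunk context.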
@@ -0,0 +1,57 @@
+From a6f7a997392fb2d43f8c55c7b2bda3e3cfc93ba0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Jun 2023 12:03:40 +0000
+Subject: sctp: fix potential deadlock on &net->sctp.addr_wq_lock
+
+From: Chengfeng Ye
+
+[ Upstream commit 6feb37b3b06e9049e20dcf7e23998f92c9c5be9a ]
+
+As &net->sctp.addr_wq_lock is also acquired by the timer
+sctp_addr_wq_timeout_handler() in protocal.c, the same lock acquisition
+at sctp_auto_asconf_init() seems should disable irq since it is called
+from sctp_accept() under process context.
+
+Possible deadlock scenario:
+sctp_accept()
+ -> sctp_sock_migrate()
+ -> sctp_auto_asconf_init()
+ -> spin_lock(&net->sctp.addr_wq_lock)
+
+ -> sctp_addr_wq_timeout_handler()
+ -> spin_lock_bh(&net->sctp.addr_wq_lock); (deadlock here)
+
+This flaw was found using an experimental static analysis tool we are
+developing for irq-related deadlock.
+
+The tentative patch fix the potential deadlock by spin_lock_bh().
+
+Signed-off-by: Chengfeng Ye
+Fixes: 34e5b0118685 ("sctp: delay auto_asconf init until binding the first addr")
+Acked-by: Xin Long
+Link: https://lore.kernel.org/r/20230627120340.19432-1-dg573847474@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/sctp/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index bf3fed5b91d2b..7cff1a031f761 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -362,9 +362,9 @@ static void sctp_auto_asconf_init(struct sctp_sock *sp)
+ struct net *net = sock_net(&sp->inet.sk);
+
+ if (net->sctp.default_auto_asconf) {
+- spin_lock(&net->sctp.addr_wq_lock);
++ spin_lock_bh(&net->sctp.addr_wq_lock);
+ list_add_tail(&sp->auto_asconf_list, &net->sctp.auto_asconf_splist);
+- spin_unlock(&net->sctp.addr_wq_lock);
++ spin_unlock_bh(&net->sctp.addr_wq_lock);
+ sp->do_auto_asconf = 1;
+ }
+ }
+--
+2.39.2
+
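Review bot: The reason sctp_auto_asconf_init() must use spin_lock_bh()/spin_unlock_bh() lives only in the commit message; nothing at the lock site says why bottom halves have to be disabled. A one-line comment above the lock, for example `/* addr_wq_lock is also taken by sctp_addr_wq_timeout_handler() from timer context */`, would keep a later cleanup from reverting this to plain spin_lock(). Other takers of addr_wq_lock are not visible in this hunk and are worth checking for the same process-context pattern.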
diff --git a/tmp-5.4/selftests-rtnetlink-remove-netdevsim-device-after-ip.patch b/tmp-5.4/selftests-rtnetlink-remove-netdevsim-device-after-ip.patch
new file mode 100644
index 00000000000..11284168de6
--- /dev/null
+++ b/tmp-5.4/selftests-rtnetlink-remove-netdevsim-device-after-ip.patch
@@ -0,0 +1,40 @@
+From 99215f1936d6398e88b17ca7218713097f26f412 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Jun 2023 23:03:34 +0200
+Subject: selftests: rtnetlink: remove netdevsim device after ipsec offload
+ test
+
+From: Sabrina Dubroca
+
+[ Upstream commit 5f789f103671fec3733ebe756e56adf15c90c21d ]
+
+On systems where netdevsim is built-in or loaded before the test
+starts, kci_test_ipsec_offload doesn't remove the netdevsim device it
+created during the test.
+
+Fixes: e05b2d141fef ("netdevsim: move netdev creation/destruction to dev probe")
+Signed-off-by: Sabrina Dubroca
+Reviewed-by: Simon Horman
+Reviewed-by: Jiri Pirko
+Link: https://lore.kernel.org/r/e1cb94f4f82f4eca4a444feec4488a1323396357.1687466906.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/rtnetlink.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
+index 911c549f186fb..3b929e031f59c 100755
+--- a/tools/testing/selftests/net/rtnetlink.sh
++++ b/tools/testing/selftests/net/rtnetlink.sh
+@@ -833,6 +833,7 @@ EOF
+ fi
+
+ # clean up any leftovers
++ echo 0 > /sys/bus/netdevsim/del_device
+ $probed && rmmod netdevsim
+
+ if [ $ret -ne 0 ]; then
+--
+2.39.2
+
diff --git a/tmp-5.4/selftests-tc-set-timeout-to-15-minutes.patch b/tmp-5.4/selftests-tc-set-timeout-to-15-minutes.patch
new file mode 100644
index 00000000000..35642928c4c
--- /dev/null
+++ b/tmp-5.4/selftests-tc-set-timeout-to-15-minutes.patch
@@ -0,0 +1,49 @@
+From fda05798c22a354efde09a76bdfc276b2d591829 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts
+Date: Thu, 13 Jul 2023 23:16:44 +0200
+Subject: selftests: tc: set timeout to 15 minutes
+
+From: Matthieu Baerts
+
+commit fda05798c22a354efde09a76bdfc276b2d591829 upstream.
+
+When looking for something else in LKFT reports [1], I noticed that the
+TC selftest ended with a timeout error:
+
+ not ok 1 selftests: tc-testing: tdc.sh # TIMEOUT 45 seconds
+
+The timeout had been introduced 3 years ago, see the Fixes commit below.
+
+This timeout is only in place when executing the selftests via the
+kselftests runner scripts. I guess this is not what most TC devs are
+using and nobody noticed the issue before.
+
+The new timeout is set to 15 minutes as suggested by Pedro [2]. It looks
+like it is plenty more time than what it takes in "normal" conditions.
+
+Fixes: 852c8cbf34d3 ("selftests/kselftest/runner.sh: Add 45 second timeout per test")
+Cc: stable@vger.kernel.org
+Link: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230711/testrun/18267241/suite/kselftest-tc-testing/test/tc-testing_tdc_sh/log [1]
+Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [2]
+Suggested-by: Pedro Tammela
+Signed-off-by: Matthieu Baerts
+Reviewed-by: Zhengchao Shao
+Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-1-1eb4fd3a96e7@tessares.net
+Acked-by: Jamal Hadi Salim
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/tc-testing/settings | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 tools/testing/selftests/tc-testing/settings
+
+diff --git a/tools/testing/selftests/tc-testing/settings b/tools/testing/selftests/tc-testing/settings
+new file mode 100644
+index 000000000000..e2206265f67c
+--- /dev/null
++++ b/tools/testing/selftests/tc-testing/settings
+@@ -0,0 +1 @@
++timeout=900
+--
+2.41.0
+
diff --git a/tmp-5.4/serial-8250_omap-use-force_suspend-and-resume-for-sy.patch b/tmp-5.4/serial-8250_omap-use-force_suspend-and-resume-for-sy.patch
new file mode 100644
index 00000000000..ebcd5b14c40
--- /dev/null
+++ b/tmp-5.4/serial-8250_omap-use-force_suspend-and-resume-for-sy.patch
@@ -0,0 +1,78 @@
+From 80745984ddc2e5e98f17784c2a91d4af61ddeca5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jun 2023 07:59:19 +0300
+Subject: serial: 8250_omap: Use force_suspend and resume for system suspend
+
+From: Tony Lindgren
+
+[ Upstream commit 20a41a62618df85f3a2981008edec5cadd785e0a ]
+
+We should not rely on autosuspend timeout for system suspend. Instead,
+let's use force_suspend and force_resume functions. Otherwise the serial
+port controller device may not be idled on suspend.
+
+As we are doing a register write on suspend to configure the serial port,
+we still need to runtime PM resume the port on suspend.
+
+While at it, let's switch to pm_runtime_resume_and_get() and check for
+errors returned. And let's add the missing line break before return to the
+suspend function while at it.
+
+Fixes: 09d8b2bdbc5c ("serial: 8250: omap: Provide ability to enable/disable UART as wakeup source")
+Signed-off-by: Tony Lindgren
+Tested-by: Dhruva Gole
+Message-ID: <20230614045922.4798-1-tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/8250/8250_omap.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index 928b35b87dcf3..a2db055278a17 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -1314,25 +1314,35 @@ static int omap8250_suspend(struct device *dev)
+ {
+ struct omap8250_priv *priv = dev_get_drvdata(dev);
+ struct uart_8250_port *up = serial8250_get_port(priv->line);
++ int err;
+
+ serial8250_suspend_port(priv->line);
+
+- pm_runtime_get_sync(dev);
++ err = pm_runtime_resume_and_get(dev);
++ if (err)
++ return err;
+ if (!device_may_wakeup(dev))
+ priv->wer = 0;
+ serial_out(up, UART_OMAP_WER, priv->wer);
+- pm_runtime_mark_last_busy(dev);
+- pm_runtime_put_autosuspend(dev);
+-
++ err = pm_runtime_force_suspend(dev);
+
flush_work(&priv->qos_work);
+- return 0;
++
++ return err;
+ }
+
+ static int omap8250_resume(struct device *dev)
+ {
+ struct omap8250_priv *priv = dev_get_drvdata(dev);
++ int err;
+
++ err = pm_runtime_force_resume(dev);
++ if (err)
++ return err;
+ serial8250_resume_port(priv->line);
++ /* Paired with pm_runtime_resume_and_get() in omap8250_suspend() */
++ pm_runtime_mark_last_busy(dev);
++ pm_runtime_put_autosuspend(dev);
++
+ return 0;
+ }
+ #else
+--
+2.39.2
+
diff --git a/tmp-5.4/serial-atmel-don-t-enable-irqs-prematurely.patch b/tmp-5.4/serial-atmel-don-t-enable-irqs-prematurely.patch
new file mode 100644
index 00000000000..d99ccd4a63d
--- /dev/null
+++ b/tmp-5.4/serial-atmel-don-t-enable-irqs-prematurely.patch
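Review bot: omap8250_suspend() returns early when pm_runtime_resume_and_get() fails, but serial8250_suspend_port() has already run by then, so that error path leaves the port suspended while reporting the suspend as failed. Either take the runtime-PM reference before suspending the port or undo the port suspend on failure, e.g. `if (err) { serial8250_resume_port(priv->line); return err; }`. The reference taken in suspend is only dropped by the pm_runtime_put_autosuspend() added to omap8250_resume(), so when pm_runtime_force_suspend() or pm_runtime_force_resume() returns an error the usage count appears to stay elevated; whether the PM core still calls resume in the first case is not visible here and should be confirmed.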
@@ -0,0 +1,45 @@
+From 27a826837ec9a3e94cc44bd9328b8289b0fcecd7 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 19 Jun 2023 12:45:17 +0300
+Subject: serial: atmel: don't enable IRQs prematurely
+
+From: Dan Carpenter
+
+commit 27a826837ec9a3e94cc44bd9328b8289b0fcecd7 upstream.
+
+The atmel_complete_tx_dma() function disables IRQs at the start
+of the function by calling spin_lock_irqsave(&port->lock, flags);
+There is no need to disable them a second time using the
+spin_lock_irq() function and, in fact, doing so is a bug because
+it will enable IRQs prematurely when we call spin_unlock_irq().
+
+Just use spin_lock/unlock() instead without disabling or enabling
+IRQs.
+
+Fixes: 08f738be88bb ("serial: at91: add tx dma support")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Jiri Slaby
+Acked-by: Richard Genoud
+Link: https://lore.kernel.org/r/cb7c39a9-c004-4673-92e1-be4e34b85368@moroto.mountain
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/atmel_serial.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -884,11 +884,11 @@ static void atmel_complete_tx_dma(void *
+
+ port->icount.tx += atmel_port->tx_len;
+
+- spin_lock_irq(&atmel_port->lock_tx);
++ spin_lock(&atmel_port->lock_tx);
+ async_tx_ack(atmel_port->desc_tx);
+ atmel_port->cookie_tx = -EINVAL;
+ atmel_port->desc_tx = NULL;
+- spin_unlock_irq(&atmel_port->lock_tx);
++ spin_unlock(&atmel_port->lock_tx);
+
+ if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
+ uart_write_wakeup(port);
diff --git a/tmp-5.4/series b/tmp-5.4/series
new file mode 100644
index 00000000000..1e762abf70a
--- /dev/null
+++ b/tmp-5.4/series
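Review bot: The plain spin_lock(&atmel_port->lock_tx) in atmel_complete_tx_dma() is only correct because interrupts are already disabled by the spin_lock_irqsave(&port->lock, flags) that the commit message mentions, and that call sits outside the hunk. A comment at the lock site, such as `/* IRQs already off: port->lock is held via spin_lock_irqsave() above */`, would document both the dependency and the port->lock then lock_tx nesting order. Other users of lock_tx are not visible here and should take the two locks in the same order.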
@@ -0,0 +1,316 @@
+gfs2-don-t-deref-jdesc-in-evict.patch
+x86-microcode-amd-load-late-on-both-threads-too.patch
+x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch
+video-imsttfb-check-for-ioremap-failures.patch
+fbdev-imsttfb-fix-use-after-free-bug-in-imsttfb_probe.patch
+hid-wacom-use-ktime_t-rather-than-int-when-dealing-with-timestamps.patch
+drm-i915-initialise-outparam-for-error-return-from-wait_for_register.patch
+scripts-tags.sh-resolve-gtags-empty-index-generation.patch
+drm-amdgpu-validate-vm-ioctl-flags.patch
+bgmac-fix-initial-chip-reset-to-support-bcm5358.patch
+x86-resctrl-use-is_closid_match-in-more-places.patch
+x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch
+md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch
+md-raid10-fix-overflow-of-md-safe_mode_delay.patch
+md-raid10-fix-wrong-setting-of-max_corr_read_errors.patch
+md-raid10-fix-null-ptr-deref-of-mreplace-in-raid10_s.patch
+md-raid10-fix-io-loss-while-replacement-replace-rdev.patch
+irqchip-jcore-aic-kill-use-of-irq_create_strict_mapp.patch
+irqchip-jcore-aic-fix-missing-allocation-of-irq-desc.patch
+tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch
+clocksource-drivers-cadence-ttc-use-ttc-driver-as-pl.patch
+clocksource-drivers-cadence-ttc-fix-memory-leak-in-t.patch
+pm-domains-fix-integer-overflow-issues-in-genpd_pars.patch
+powercap-rapl-fix-config_iosf_mbi-dependency.patch
+arm-9303-1-kprobes-avoid-missing-declaration-warning.patch
+evm-complete-description-of-evm_inode_setattr.patch
+pstore-ram-add-check-for-kstrdup.patch
+ima-fix-build-warnings.patch
+wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch
+wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch
+samples-bpf-fix-buffer-overflow-in-tcp_basertt.patch
+spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch
+wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch
+nfc-constify-several-pointers-to-u8-char-and-sk_buff.patch
+nfc-llcp-fix-possible-use-of-uninitialized-variable-.patch
+regulator-core-fix-more-error-checking-for-debugfs_c.patch
+regulator-core-streamline-debugfs-operations.patch
+wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch
+wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch
+wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch
+wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch
+wl3501_cs-remove-unnecessary-null-check.patch
+wl3501_cs-fix-misspelling-and-provide-missing-docume.patch
+net-create-netdev-dev_addr-assignment-helpers.patch
+wl3501_cs-use-eth_hw_addr_set.patch
+wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch
+wifi-ray_cs-utilize-strnlen-in-parse_addr.patch
+wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch
+wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch
+wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch
+wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch
+watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch
+watchdog-perf-more-properly-prevent-false-positives-.patch
+kexec-fix-a-memory-leak-in-crash_shrink_memory.patch
+memstick-r592-make-memstick_debug_get_tpc_name-stati.patch
+wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch
+rtnetlink-extend-rtext_filter_skip_stats-to-ifla_vf_.patch
+wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch
+wifi-cfg80211-rewrite-merging-of-inherited-elements.patch
+wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch
+netlink-fix-potential-deadlock-in-netlink_set_err.patch
+netlink-do-not-hard-code-device-address-lenth-in-fdb.patch
+selftests-rtnetlink-remove-netdevsim-device-after-ip.patch
+gtp-fix-use-after-free-in-__gtp_encap_destroy.patch
+nfc-llcp-simplify-llcp_sock_connect-error-paths.patch
+net-nfc-fix-use-after-free-caused-by-nfc_llcp_find_l.patch
+lib-ts_bm-reset-initial-match-offset-for-every-block.patch
+netfilter-conntrack-dccp-copy-entire-header-to-stack.patch
+netfilter-nf_conntrack_sip-fix-the-ct_sip_parse_nume.patch
+ipvlan-fix-return-value-of-ipvlan_queue_xmit.patch
+netlink-add-__sock_i_ino-for-__netlink_diag_dump.patch
+radeon-avoid-double-free-in-ci_dpm_init.patch
+input-drv260x-sleep-between-polling-go-bit.patch
+arm-dts-bcm5301x-drop-clock-names-from-the-spi-node.patch
+input-adxl34x-do-not-hardcode-interrupt-trigger-type.patch
+drm-sun4i_tcon-use-devm_clk_get_enabled-in-sun4i_tco.patch
+rdma-bnxt_re-fix-to-remove-an-unnecessary-log.patch
+arm-dts-gta04-move-model-property-out-of-pinctrl-nod.patch
+arm64-dts-qcom-msm8916-correct-camss-unit-address.patch
+drm-panel-simple-fix-active-size-for-ampire-am-48027.patch
+arm-ep93xx-fix-missing-prototype-warnings.patch
+memory-brcmstb_dpfe-fix-testing-array-offset-after-u.patch
+asoc-es8316-increment-max-value-for-alc-capture-targ.patch
+asoc-es8316-do-not-set-rate-constraints-for-unsuppor.patch
+soc-fsl-qe-fix-usb.c-build-errors.patch
+ib-hfi1-fix-sdma.h-tx-num_descs-off-by-one-errors.patch
+arm64-dts-renesas-ulcb-kf-remove-flow-control-for-sc.patch
+fbdev-omapfb-lcd_mipid-fix-an-error-handling-path-in.patch
+drm-amdkfd-fix-potential-deallocation-of-previously-.patch
+drm-radeon-fix-possible-division-by-zero-errors.patch
+clk-tegra-tegra124-emc-fix-potential-memory-leak.patch
+alsa-ac97-fix-possible-null-dereference-in-snd_ac97_.patch
+clk-cdce925-check-return-value-of-kasprintf.patch
+clk-keystone-sci-clk-check-return-value-of-kasprintf.patch
+asoc-imx-audmix-check-return-value-of-devm_kasprintf.patch
+scsi-qedf-fix-null-dereference-in-error-handling.patch
+pci-aspm-disable-aspm-on-mfd-function-removal-to-avo.patch
+scsi-3w-xxxx-add-error-handling-for-initialization-f.patch
+pci-pciehp-cancel-bringup-sequence-if-card-is-not-pr.patch
+pci-ftpci100-release-the-clock-resources.patch
+pci-add-pci_clear_master-stub-for-non-config_pci.patch
+pinctrl-cherryview-return-correct-value-if-pin-in-pu.patch
+perf-dwarf-aux-fix-off-by-one-in-die_get_varname.patch
+pinctrl-at91-pio4-check-return-value-of-devm_kasprin.patch
+powerpc-mm-dax-fix-the-condition-when-checking-if-al.patch
+hwrng-virtio-add-an-internal-buffer.patch
+hwrng-virtio-don-t-wait-on-cleanup.patch
+hwrng-virtio-don-t-waste-entropy.patch
+hwrng-virtio-always-add-a-pending-request.patch
+hwrng-virtio-fix-race-on-data_avail-and-actual-data.patch
+crypto-nx-fix-build-warnings-when-debug_fs-is-not-en.patch
+modpost-fix-section-mismatch-message-for-r_arm_abs32.patch
+modpost-fix-section-mismatch-message-for-r_arm_-pc24.patch
+crypto-skcipher-unify-the-crypto_has_skcipher-functi.patch
+crypto-skcipher-remove-crypto_has_ablkcipher.patch
+crypto-marvell-cesa-fix-type-mismatch-warning.patch
+modpost-fix-off-by-one-in-is_executable_section.patch
+arc-define-asm_nl-and-__align-_str-outside-ifdef-__a.patch
+nfsv4.1-freeze-the-session-table-upon-receiving-nfs4.patch
+hwrng-st-fix-w-1-unused-variable-warning.patch
+hwrng-st-keep-clock-enabled-while-hwrng-is-registere.patch
+usb-serial-option-add-lara-r6-01b-pids.patch
+usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch
+block-fix-signed-int-overflow-in-amiga-partition-support.patch
+block-change-all-__u32-annotations-to-__be32-in-affs_hardblocks.h.patch
+w1-fix-loop-in-w1_fini.patch
+sh-j2-use-ioremap-to-translate-device-tree-address-i.patch
+media-usb-check-az6007_read-return-value.patch
+media-videodev2.h-fix-struct-v4l2_input-tuner-index-.patch
+media-usb-siano-fix-warning-due-to-null-work_func_t-.patch
+usb-dwc3-qcom-fix-potential-memory-leak.patch
+extcon-fix-kernel-doc-of-property-fields-to-avoid-wa.patch
+extcon-fix-kernel-doc-of-property-capability-fields-.patch
+usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch
+usb-hide-unused-usbfs_notify_suspend-resume-function.patch
+mfd-rt5033-drop-rt5033-battery-sub-device.patch
+kvm-s390-fix-kvm_s390_get_cmma_bits-for-gfns-in-mems.patch
+usb-dwc3-qcom-release-the-correct-resources-in-dwc3_.patch
+mfd-intel-lpss-add-missing-check-for-platform_get_re.patch
+serial-8250_omap-use-force_suspend-and-resume-for-sy.patch
+mfd-stmfx-fix-error-path-in-stmfx_chip_init.patch
+kvm-s390-vsie-fix-the-length-of-apcb-bitmap.patch
+mfd-stmpe-only-disable-the-regulators-if-they-are-en.patch
+pwm-imx-tpm-force-real_period-to-be-zero-in-suspend.patch
+pwm-sysfs-do-not-apply-state-to-already-disabled-pwm.patch
+rtc-st-lpc-release-some-resources-in-st_rtc_probe-in.patch
+sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch
+add-module_firmware-for-firmware_tg357766.patch
+spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch
+mailbox-ti-msgmgr-fill-non-message-tx-data-fields-wi.patch
+f2fs-fix-error-path-handling-in-truncate_dnode.patch
+powerpc-allow-ppc_early_debug_cpm-only-when-serial_c.patch
+net-bridge-keep-ports-without-iff_unicast_flt-in-br_.patch
+tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch
+xsk-improve-documentation-for-af_xdp.patch
+xsk-honor-so_bindtodevice-on-bind.patch
+net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch
+net-dsa-tag_sja1105-fix-mac-da-patching-from-meta-fr.patch
+sh-dma-fix-dma-channel-offset-calculation.patch
+i2c-xiic-defer-xiic_wakeup-and-__xiic_start_xfer-in-.patch
+i2c-xiic-don-t-try-to-handle-more-interrupt-events-a.patch
+alsa-jack-fix-mutex-call-in-snd_jack_report.patch
+nfsd-add-encoding-of-op_recall-flag-for-write-delegation.patch
+mmc-core-disable-trim-on-kingston-emmc04g-m627.patch
+mmc-core-disable-trim-on-micron-mtfc4gacajcn-1m.patch
+mmc-sdhci-fix-dma-configure-compatibility-issue-when-64bit-dma-mode-is-used.patch
+bcache-remove-unnecessary-null-point-check-in-node-allocations.patch
+integrity-fix-possible-multiple-allocation-in-integrity_inode_get.patch
+jffs2-reduce-stack-usage-in-jffs2_build_xattr_subsystem.patch
+fs-avoid-empty-option-when-generating-legacy-mount-string.patch
+ext4-remove-ext4-locking-of-moved-directory.patch
+revert-f2fs-fix-potential-corruption-when-moving-a-directory.patch
+fs-establish-locking-order-for-unrelated-directories.patch
+fs-lock-moved-directories.patch
+btrfs-fix-race-when-deleting-quota-root-from-the-dirty-cow-roots-list.patch
+arm-orion5x-fix-d2net-gpio-initialization.patch
+fs-no-need-to-check-source.patch
+fanotify-disallow-mount-sb-marks-on-kernel-internal-pseudo-fs.patch
+block-add-overflow-checks-for-amiga-partition-support.patch
+netfilter-nf_tables-fix-nat-hook-table-deletion.patch
+netfilter-nftables-add-helper-function-to-set-the-base-sequence-number.patch
+netfilter-add-helper-function-to-set-up-the-nfnetlink-header-and-use-it.patch
+netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch
+netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch
+netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch
+netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch
+netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch
+netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
+netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch
+netfilter-conntrack-avoid-nf_ct_helper_hash-uses-after-free.patch
+netfilter-nf_tables-prevent-oob-access-in-nft_byteorder_eval.patch
+tty-serial-fsl_lpuart-add-earlycon-for-imx8ulp-platform.patch
+block-partition-fix-signedness-issue-for-amiga-partitions.patch
+net-lan743x-don-t-sleep-in-atomic-context.patch
+workqueue-clean-up-work_-constant-types-clarify-masking.patch
+drm-panel-initialise-panel-dev-and-funcs-through-drm.patch
+drm-panel-add-and-fill-drm_panel-type-field.patch
+drm-panel-simple-add-connector_type-for-innolux_at04.patch
+igc-remove-delay-during-tx-ring-configuration.patch
+igc-set-tp-bit-in-supported-and-advertising-fields-o.patch
+scsi-qla2xxx-fix-error-code-in-qla2x00_start_sp.patch
+net-mvneta-fix-txq_map-in-case-of-txq_number-1.patch
+net-sched-cls_fw-fix-improper-refcount-update-leads-.patch
+ionic-improve-irq-numa-locality.patch
+ionic-clean-irq-affinity-on-queue-deinit.patch
+ionic-move-irq-request-to-qcq-alloc.patch
+ionic-ionic_intr_free-parameter-change.patch
+ionic-remove-warn_on-to-prevent-panic_on_warn.patch
+icmp6-fix-null-ptr-deref-of-ip6_null_entry-rt6i_idev.patch
+udp6-fix-udp6_ehashfn-typo.patch
+ntb-idt-fix-error-handling-in-idt_pci_driver_init.patch
+ntb-amd-fix-error-handling-in-amd_ntb_pci_driver_ini.patch
+ntb-intel-fix-error-handling-in-intel_ntb_pci_driver.patch
+ntb-ntb_transport-fix-possible-memory-leak-while-dev.patch
+ntb-ntb_tool-add-check-for-devm_kcalloc.patch
+ipv6-addrconf-fix-a-potential-refcount-underflow-for.patch
+platform-x86-wmi-replace-uuid-redefinitions-by-their.patch
+platform-x86-wmi-fix-indentation-in-some-cases.patch
+platform-x86-wmi-remove-unnecessary-argument.patch
+platform-x86-wmi-use-guid_t-and-guid_equal.patch
+platform-x86-wmi-move-variables.patch
+platform-x86-wmi-break-possible-infinite-loop-when-p.patch
+erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch
+wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch
+cls_flower-add-extack-support-for-src-and-dst-port-r.patch
+net-sched-flower-ensure-both-minimum-and-maximum-por.patch
+net-sched-make-psched_mtu-rtnl-less-safe.patch
+pinctrl-amd-fix-mistake-in-handling-clearing-pins-at-startup.patch
+pinctrl-amd-detect-internal-gpio0-debounce-handling.patch
+pinctrl-amd-only-use-special-debounce-behavior-for-gpio-0.patch
+tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch
+mtd-rawnand-meson-fix-unaligned-dma-buffers-handling.patch
+net-bcmgenet-ensure-mdio-unregistration-has-clocks-enabled.patch
+powerpc-fail-build-if-using-recordmcount-with-binutils-v2.37.patch
+misc-fastrpc-create-fastrpc-scalar-with-correct-buffer-count.patch
+sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch
+erofs-fix-compact-4b-support-for-16k-block-size.patch
+ext4-fix-wrong-unit-use-in-ext4_mb_clear_bb.patch
+ext4-fix-to-check-return-value-of-freeze_bdev-in-ext4_shutdown.patch
+ext4-only-update-i_reserved_data_blocks-on-successful-block-allocation.patch
+jfs-jfs_dmap-validate-db_l2nbperpage-while-mounting.patch
+pci-pm-avoid-putting-elopos-e2-s2-h2-pcie-ports-in-d3cold.patch
+pci-add-function-1-dma-alias-quirk-for-marvell-88se9235.patch
+pci-qcom-disable-write-access-to-read-only-registers-for-ip-v2.3.3.patch
+pci-rockchip-assert-pci-configuration-enable-bit-after-probe.patch
+pci-rockchip-write-pci-device-id-to-correct-register.patch
+pci-rockchip-add-poll-and-timeout-to-wait-for-phy-plls-to-be-locked.patch
+pci-rockchip-fix-legacy-irq-generation-for-rk3399-pcie-endpoint-core.patch
+pci-rockchip-use-u32-variable-to-access-32-bit-registers.patch
+pci-rockchip-set-address-alignment-for-endpoint-mode.patch
+misc-pci_endpoint_test-free-irqs-before-removing-the-device.patch
+misc-pci_endpoint_test-re-init-completion-for-every-test.patch
+md-raid0-add-discard-support-for-the-original-layout.patch
+fs-dlm-return-positive-pid-value-for-f_getlk.patch
+drm-atomic-allow-vblank-enabled-self-refresh-disable.patch
+drm-rockchip-vop-leave-vblank-enabled-in-self-refresh.patch
+serial-atmel-don-t-enable-irqs-prematurely.patch
+firmware-stratix10-svc-fix-a-potential-resource-leak-in-svc_create_memory_pool.patch
+hwrng-imx-rngc-fix-the-timeout-for-init-and-self-check.patch
+ceph-don-t-let-check_caps-skip-sending-responses-for-revoke-msgs.patch
+meson-saradc-fix-clock-divider-mask-length.patch
+revert-8250-add-support-for-asix-devices-with-a-fifo-bug.patch
+tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch
+tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch
+tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch
+ring-buffer-fix-deadloop-issue-on-reading-trace_pipe.patch
+xtensa-iss-fix-call-to-split_if_spec.patch
+tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
+tracing-probes-fix-not-to-count-error-code-to-total-length.patch
+scsi-qla2xxx-wait-for-io-return-on-terminate-rport.patch
+scsi-qla2xxx-fix-potential-null-pointer-dereference.patch
+scsi-qla2xxx-check-valid-rport-returned-by-fc_bsg_to_rport.patch
+scsi-qla2xxx-correct-the-index-of-array.patch
+scsi-qla2xxx-pointer-may-be-dereferenced.patch
+scsi-qla2xxx-remove-unused-nvme_ls_waitq-wait-queue.patch
+drm-atomic-fix-potential-use-after-free-in-nonblocking-commits.patch
+perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch
+btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch
+fuse-revalidate-don-t-invalidate-if-interrupted.patch
+selftests-tc-set-timeout-to-15-minutes.patch
+can-bcm-fix-uaf-in-bcm_proc_show.patch
+drm-client-fix-memory-leak-in-drm_client_target_cloned.patch
+drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch
+ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch
+debugobjects-recheck-debug_objects_enabled-before-re.patch
+nbd-add-the-maximum-limit-of-allocated-index-in-nbd_.patch
+md-fix-data-corruption-for-raid456-when-reshape-rest.patch
+md-raid10-prevent-soft-lockup-while-flush-writes.patch
+posix-timers-ensure-timer-id-search-loop-limit-is-va.patch
+arm64-mm-fix-va-range-sanity-check.patch
+sched-fair-don-t-balance-task-to-its-current-running.patch
+bpf-address-kcsan-report-on-bpf_lru_list.patch
+devlink-report-devlink_port_type_warn-source-device.patch
+wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch
+wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch
+igb-fix-igb_down-hung-on-surprise-removal.patch
+spi-bcm63xx-fix-max-prepend-length.patch
+fbdev-imxfb-warn-about-invalid-left-right-margin.patch
+pinctrl-amd-use-amd_pinconf_set-for-all-config-optio.patch
+net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch
+iavf-fix-use-after-free-in-free_netdev.patch
+net-ipv6-check-return-value-of-pskb_trim.patch
+revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch
+fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch
+llc-don-t-drop-packet-from-non-root-netns.patch
+netfilter-nf_tables-fix-spurious-set-element-inserti.patch
+netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch
+tcp-annotate-data-races-around-tp-tcp_tx_delay.patch
+net-replace-the-limit-of-tcp_linger2-with-tcp_fin_ti.patch
+tcp-annotate-data-races-around-tp-linger2.patch
+tcp-annotate-data-races-around-rskq_defer_accept.patch
+tcp-annotate-data-races-around-tp-notsent_lowat.patch
+tcp-annotate-data-races-around-fastopenq.max_qlen.patch
+tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch
+x86-cpu-amd-move-the-errata-checking-functionality-up.patch
+x86-cpu-amd-add-a-zenbleed-fix.patch
diff --git a/tmp-5.4/sh-dma-fix-dma-channel-offset-calculation.patch b/tmp-5.4/sh-dma-fix-dma-channel-offset-calculation.patch
new file mode 100644
index 00000000000..05eaa895355
--- /dev/null
+++ b/tmp-5.4/sh-dma-fix-dma-channel-offset-calculation.patch
@@ -0,0 +1,103 @@ +From 0b15731deafacf13c37fa4409c56568222978b95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 May 2023 18:44:50 +0200 +Subject: sh: dma: Fix DMA channel offset calculation + +From: Artur Rojek + +[ Upstream commit e82e47584847129a20b8c9f4a1dcde09374fb0e0 ] + +Various SoCs of the SH3, SH4 and SH4A family, which use this driver, +feature a differing number of DMA channels, which can be distributed +between up to two DMAC modules. The existing implementation fails to +correctly accommodate for all those variations, resulting in wrong +channel offset calculations and leading to kernel panics. + +Rewrite dma_base_addr() in order to properly calculate channel offsets +in a DMAC module. Fix dmaor_read_reg() and dmaor_write_reg(), so that +the correct DMAC module base is selected for the DMAOR register. + +Fixes: 7f47c7189b3e8f19 ("sh: dma: More legacy cpu dma chainsawing.") +Signed-off-by: Artur Rojek +Reviewed-by: Geert Uytterhoeven +Reviewed-by: John Paul Adrian Glaubitz +Link: https://lore.kernel.org/r/20230527164452.64797-2-contact@artur-rojek.eu +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + arch/sh/drivers/dma/dma-sh.c | 37 +++++++++++++++++++++++------------- + 1 file changed, 24 insertions(+), 13 deletions(-) + +diff --git a/arch/sh/drivers/dma/dma-sh.c b/arch/sh/drivers/dma/dma-sh.c +index 96c626c2cd0a4..306fba1564e5e 100644 +--- a/arch/sh/drivers/dma/dma-sh.c ++++ b/arch/sh/drivers/dma/dma-sh.c +@@ -18,6 +18,18 @@ + #include + #include + ++/* ++ * Some of the SoCs feature two DMAC modules. In such a case, the channels are ++ * distributed equally among them. ++ */ ++#ifdef SH_DMAC_BASE1 ++#define SH_DMAC_NR_MD_CH (CONFIG_NR_ONCHIP_DMA_CHANNELS / 2) ++#else ++#define SH_DMAC_NR_MD_CH CONFIG_NR_ONCHIP_DMA_CHANNELS ++#endif ++ ++#define SH_DMAC_CH_SZ 0x10 ++ + /* + * Define the default configuration for dual address memory-memory transfer. + * The 0x400 value represents auto-request, external->external. 
+@@ -29,7 +41,7 @@ static unsigned long dma_find_base(unsigned int chan) + unsigned long base = SH_DMAC_BASE0; + + #ifdef SH_DMAC_BASE1 +- if (chan >= 6) ++ if (chan >= SH_DMAC_NR_MD_CH) + base = SH_DMAC_BASE1; + #endif + +@@ -40,13 +52,13 @@ static unsigned long dma_base_addr(unsigned int chan) + { + unsigned long base = dma_find_base(chan); + +- /* Normalize offset calculation */ +- if (chan >= 9) +- chan -= 6; +- if (chan >= 4) +- base += 0x10; ++ chan = (chan % SH_DMAC_NR_MD_CH) * SH_DMAC_CH_SZ; ++ ++ /* DMAOR is placed inside the channel register space. Step over it. */ ++ if (chan >= DMAOR) ++ base += SH_DMAC_CH_SZ; + +- return base + (chan * 0x10); ++ return base + chan; + } + + #ifdef CONFIG_SH_DMA_IRQ_MULTI +@@ -250,12 +262,11 @@ static int sh_dmac_get_dma_residue(struct dma_channel *chan) + #define NR_DMAOR 1 + #endif + +-/* +- * DMAOR bases are broken out amongst channel groups. DMAOR0 manages +- * channels 0 - 5, DMAOR1 6 - 11 (optional). +- */ +-#define dmaor_read_reg(n) __raw_readw(dma_find_base((n)*6)) +-#define dmaor_write_reg(n, data) __raw_writew(data, dma_find_base(n)*6) ++#define dmaor_read_reg(n) __raw_readw(dma_find_base((n) * \ ++ SH_DMAC_NR_MD_CH) + DMAOR) ++#define dmaor_write_reg(n, data) __raw_writew(data, \ ++ dma_find_base((n) * \ ++ SH_DMAC_NR_MD_CH) + DMAOR) + + static inline int dmaor_reset(int no) + { +-- +2.39.2 + diff --git a/tmp-5.4/sh-j2-use-ioremap-to-translate-device-tree-address-i.patch b/tmp-5.4/sh-j2-use-ioremap-to-translate-device-tree-address-i.patch new file mode 100644 index 00000000000..1af332e5e5b --- /dev/null +++ b/tmp-5.4/sh-j2-use-ioremap-to-translate-device-tree-address-i.patch 
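Review bot: In the rewritten dma_base_addr(), the parameter `chan` is overwritten with a byte offset (`chan = (chan % SH_DMAC_NR_MD_CH) * SH_DMAC_CH_SZ;`) and then compared with the register offset `DMAOR`, so one variable is a channel index on entry and a register offset afterwards. A separate local would keep the two meanings apart: `unsigned long off = (chan % SH_DMAC_NR_MD_CH) * SH_DMAC_CH_SZ;`, then `if (off >= DMAOR)` and `return base + off;`. The modulo also maps an out-of-range channel number onto a valid channel's registers instead of rejecting it. The hunk does not show whether callers bound `chan` by CONFIG_NR_ONCHIP_DMA_CHANNELS, so that is worth confirming.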
@@ -0,0 +1,44 @@ +From 5e5c6c3b152e912c822ba227130d0d57b0b214b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 May 2023 14:57:41 +0200 +Subject: sh: j2: Use ioremap() to translate device tree address into kernel + memory + +From: John Paul Adrian Glaubitz + +[ Upstream commit bc9d1f0cecd2407cfb2364a7d4be2f52d1d46a9d ] + +Addresses the following warning when building j2_defconfig: + +arch/sh/kernel/cpu/sh2/probe.c: In function 'scan_cache': +arch/sh/kernel/cpu/sh2/probe.c:24:16: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] + 24 | j2_ccr_base = (u32 __iomem *)of_flat_dt_translate_address(node); + | + +Fixes: 5a846abad07f ("sh: add support for J-Core J2 processor") +Reviewed-by: Geert Uytterhoeven +Tested-by: Rob Landley +Signed-off-by: John Paul Adrian Glaubitz +Link: https://lore.kernel.org/r/20230503125746.331835-1-glaubitz@physik.fu-berlin.de +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + arch/sh/kernel/cpu/sh2/probe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/sh/kernel/cpu/sh2/probe.c b/arch/sh/kernel/cpu/sh2/probe.c +index d342ea08843f6..70a07f4f2142f 100644 +--- a/arch/sh/kernel/cpu/sh2/probe.c ++++ b/arch/sh/kernel/cpu/sh2/probe.c +@@ -21,7 +21,7 @@ static int __init scan_cache(unsigned long node, const char *uname, + if (!of_flat_dt_is_compatible(node, "jcore,cache")) + return 0; + +- j2_ccr_base = (u32 __iomem *)of_flat_dt_translate_address(node); ++ j2_ccr_base = ioremap(of_flat_dt_translate_address(node), 4); + + return 1; + } +-- +2.39.2 + diff --git a/tmp-5.4/soc-fsl-qe-fix-usb.c-build-errors.patch b/tmp-5.4/soc-fsl-qe-fix-usb.c-build-errors.patch new file mode 100644 index 00000000000..21c39fd1550 --- /dev/null +++ b/tmp-5.4/soc-fsl-qe-fix-usb.c-build-errors.patch 
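Review bot: The result of `ioremap()` in scan_cache() is stored in `j2_ccr_base` without a NULL check, and `of_flat_dt_translate_address()` can return OF_BAD_ADDR, which would be passed straight into the mapping call. scan_cache() returns 1 either way, so a failed translation or mapping only surfaces when `j2_ccr_base` is first dereferenced, which happens outside this hunk. A guard such as `if (!j2_ccr_base) return 0;` after the call would cover it, though the return value the flat-DT scan callback should use for an unusable node needs confirming against its caller. The mapping length `4` would also read better as `sizeof(u32)`.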
@@ -0,0 +1,60 @@ +From c3b66daa3de5c5e4f9b2e88b0dc50d38221b515e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 May 2023 15:52:16 -0700 +Subject: soc/fsl/qe: fix usb.c build errors + +From: Randy Dunlap + +[ Upstream commit 7b1a78babd0d2cd27aa07255dee0c2d7ac0f31e3 ] + +Fix build errors in soc/fsl/qe/usb.c when QUICC_ENGINE is not set. +This happens when PPC_EP88XC is set, which selects CPM1 & CPM. +When CPM is set, USB_FSL_QE can be set without QUICC_ENGINE +being set. When USB_FSL_QE is set, QE_USB deafults to y, which +causes build errors when QUICC_ENGINE is not set. Making +QE_USB depend on QUICC_ENGINE prevents QE_USB from defaulting to y. + +Fixes these build errors: + +drivers/soc/fsl/qe/usb.o: in function `qe_usb_clock_set': +usb.c:(.text+0x1e): undefined reference to `qe_immr' +powerpc-linux-ld: usb.c:(.text+0x2a): undefined reference to `qe_immr' +powerpc-linux-ld: usb.c:(.text+0xbc): undefined reference to `qe_setbrg' +powerpc-linux-ld: usb.c:(.text+0xca): undefined reference to `cmxgcr_lock' +powerpc-linux-ld: usb.c:(.text+0xce): undefined reference to `cmxgcr_lock' + +Fixes: 5e41486c408e ("powerpc/QE: add support for QE USB clocks routing") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Link: https://lore.kernel.org/all/202301101500.pillNv6R-lkp@intel.com/ +Suggested-by: Michael Ellerman +Cc: Christophe Leroy +Cc: Leo Li +Cc: Masahiro Yamada +Cc: Nicolas Schier +Cc: Qiang Zhao +Cc: linuxppc-dev +Cc: linux-arm-kernel@lists.infradead.org +Cc: Kumar Gala +Acked-by: Nicolas Schier +Signed-off-by: Li Yang +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/qe/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/soc/fsl/qe/Kconfig b/drivers/soc/fsl/qe/Kconfig +index cfa4b2939992c..3ed0838607647 100644 +--- a/drivers/soc/fsl/qe/Kconfig ++++ b/drivers/soc/fsl/qe/Kconfig +@@ -38,6 +38,7 @@ config QE_TDM + + config QE_USB + bool ++ depends on QUICC_ENGINE + default y if USB_FSL_QE + help + QE USB Controller support +-- 
+2.39.2
+
diff --git a/tmp-5.4/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch b/tmp-5.4/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch
new file mode 100644
index 00000000000..d74ec6d7917
--- /dev/null
+++ b/tmp-5.4/spi-bcm-qspi-return-error-if-neither-hif_mspi-nor-ms.patch
@@ -0,0 +1,58 @@ +From 5eac33d10c2667b17f978abbd37d508c4a697e90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jun 2023 15:43:05 +0200 +Subject: spi: bcm-qspi: return error if neither hif_mspi nor mspi is available + +From: Jonas Gorski + +[ Upstream commit 7c1f23ad34fcdace50275a6aa1e1969b41c6233f ] + +If neither a "hif_mspi" nor "mspi" resource is present, the driver will +just early exit in probe but still return success. Apart from not doing +anything meaningful, this would then also lead to a null pointer access +on removal, as platform_get_drvdata() would return NULL, which it would +then try to dereference when trying to unregister the spi master. + +Fix this by unconditionally calling devm_ioremap_resource(), as it can +handle a NULL res and will then return a viable ERR_PTR() if we get one. + +The "return 0;" was previously a "goto qspi_resource_err;" where then +ret was returned, but since ret was still initialized to 0 at this place +this was a valid conversion in 63c5395bb7a9 ("spi: bcm-qspi: Fix +use-after-free on unbind"). The issue was not introduced by this commit, +only made more obvious. 
+ +Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver") +Signed-off-by: Jonas Gorski +Reviewed-by: Kamal Dasu +Link: https://lore.kernel.org/r/20230629134306.95823-1-jonas.gorski@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm-qspi.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c +index d933a6eda5fdc..118d9161a7886 100644 +--- a/drivers/spi/spi-bcm-qspi.c ++++ b/drivers/spi/spi-bcm-qspi.c +@@ -1250,13 +1250,9 @@ int bcm_qspi_probe(struct platform_device *pdev, + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, + "mspi"); + +- if (res) { +- qspi->base[MSPI] = devm_ioremap_resource(dev, res); +- if (IS_ERR(qspi->base[MSPI])) +- return PTR_ERR(qspi->base[MSPI]); +- } else { +- return 0; +- } ++ qspi->base[MSPI] = devm_ioremap_resource(dev, res); ++ if (IS_ERR(qspi->base[MSPI])) ++ return PTR_ERR(qspi->base[MSPI]); + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "bspi"); + if (res) { +-- +2.39.2 + diff --git a/tmp-5.4/spi-bcm63xx-fix-max-prepend-length.patch b/tmp-5.4/spi-bcm63xx-fix-max-prepend-length.patch new file mode 100644 index 00000000000..f384b46166b --- /dev/null +++ b/tmp-5.4/spi-bcm63xx-fix-max-prepend-length.patch 
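Review bot: The now-unconditional `devm_ioremap_resource(dev, res)` in bcm_qspi_probe() is called with a `res` that may be NULL when neither "hif_mspi" nor "mspi" exists, and nothing at the call site says this is intentional. A short comment such as `/* res may be NULL here; devm_ioremap_resource() then returns an ERR_PTR */` would stop a later cleanup from re-adding the `if (res)` guard and the silent `return 0`. The "bspi" lookup in the following context lines still uses the `if (res)` form, so the two lookups now differ for a reason only the commit message explains. The function starts and ends outside the hunk.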
@@ -0,0 +1,47 @@ +From 6545437f3ac3092bddedf85b05718088e4af7b13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jun 2023 09:14:52 +0200 +Subject: spi: bcm63xx: fix max prepend length + +From: Jonas Gorski + +[ Upstream commit 5158814cbb37bbb38344b3ecddc24ba2ed0365f2 ] + +The command word is defined as following: + + /* Command */ + #define SPI_CMD_COMMAND_SHIFT 0 + #define SPI_CMD_DEVICE_ID_SHIFT 4 + #define SPI_CMD_PREPEND_BYTE_CNT_SHIFT 8 + #define SPI_CMD_ONE_BYTE_SHIFT 11 + #define SPI_CMD_ONE_WIRE_SHIFT 12 + +If the prepend byte count field starts at bit 8, and the next defined +bit is SPI_CMD_ONE_BYTE at bit 11, it can be at most 3 bits wide, and +thus the max value is 7, not 15. + +Fixes: b17de076062a ("spi/bcm63xx: work around inability to keep CS up") +Signed-off-by: Jonas Gorski +Link: https://lore.kernel.org/r/20230629071453.62024-1-jonas.gorski@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c +index fdd7eaa0b8ede..ff27596168732 100644 +--- a/drivers/spi/spi-bcm63xx.c ++++ b/drivers/spi/spi-bcm63xx.c +@@ -125,7 +125,7 @@ enum bcm63xx_regs_spi { + SPI_MSG_DATA_SIZE, + }; + +-#define BCM63XX_SPI_MAX_PREPEND 15 ++#define BCM63XX_SPI_MAX_PREPEND 7 + + #define BCM63XX_SPI_MAX_CS 8 + #define BCM63XX_SPI_BUS_NUM 0 +-- +2.39.2 + diff --git a/tmp-5.4/spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch b/tmp-5.4/spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch new file mode 100644 index 00000000000..c3b0fe67416 --- /dev/null +++ b/tmp-5.4/spi-spi-geni-qcom-correct-cs_toggle-bit-in-spi_trans.patch 
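Review bot: `BCM63XX_SPI_MAX_PREPEND` remains a bare literal after the fix, with nothing in the code tying `7` to the 3-bit width of the prepend byte count field that the commit message derives from the SPI_CMD_* shifts. A comment on the define, e.g. `/* prepend byte count is a 3-bit field (bits 8..10 of the command word) */`, would keep the limit from drifting again. Where the driver checks a transfer's prepend length against this constant is outside the hunk, so the effect of the old value 15 is inferred from the commit message only.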
@@ -0,0 +1,44 @@ +From f34cc0a8e911f3ac14b6bd726de7eb97e1254bda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Apr 2023 14:12:08 +0530 +Subject: spi: spi-geni-qcom: Correct CS_TOGGLE bit in SPI_TRANS_CFG + +From: Vijaya Krishna Nivarthi + +[ Upstream commit 5fd7c99ecf45c8ee8a9b1268f0ffc91cc6271da2 ] + +The CS_TOGGLE bit when set is supposed to instruct FW to +toggle CS line between words. The driver with intent of +disabling this behaviour has been unsetting BIT(0). This has +not caused any trouble so far because the original BIT(1) +is untouched and BIT(0) likely wasn't being used. + +Correct this to prevent a potential future bug. + +Signed-off-by: Vijaya Krishna Nivarthi +--- + drivers/spi/spi-geni-qcom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-geni-qcom.c b/drivers/spi/spi-geni-qcom.c +index 01b53d816497c..ae1cbc3215366 100644 +--- a/drivers/spi/spi-geni-qcom.c ++++ b/drivers/spi/spi-geni-qcom.c +@@ -32,7 +32,7 @@ + #define CS_DEMUX_OUTPUT_SEL GENMASK(3, 0) + + #define SE_SPI_TRANS_CFG 0x25c +-#define CS_TOGGLE BIT(0) ++#define CS_TOGGLE BIT(1) + + #define SE_SPI_WORD_LEN 0x268 + #define WORD_LEN_MSK GENMASK(9, 0) +-- +2.39.2 + diff --git a/tmp-5.4/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch b/tmp-5.4/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch new file mode 100644 index 00000000000..d3742a7e467 --- /dev/null +++ b/tmp-5.4/sunrpc-fix-uaf-in-svc_tcp_listen_data_ready.patch 
@@ -0,0 +1,142 @@ +From fc80fc2d4e39137869da3150ee169b40bf879287 Mon Sep 17 00:00:00 2001 +From: Ding Hui +Date: Mon, 15 May 2023 10:13:07 +0800 +Subject: SUNRPC: Fix UAF in svc_tcp_listen_data_ready() + +From: Ding Hui + +commit fc80fc2d4e39137869da3150ee169b40bf879287 upstream. + +After the listener svc_sock is freed, and before invoking svc_tcp_accept() +for the established child sock, there is a window that the newsock +retaining a freed listener svc_sock in sk_user_data which cloning from +parent. In the race window, if data is received on the newsock, we will +observe use-after-free report in svc_tcp_listen_data_ready(). + +Reproduce by two tasks: + +1. while :; do rpc.nfsd 0 ; rpc.nfsd; done +2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done + +KASAN report: + + ================================================================== + BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] + Read of size 8 at addr ffff888139d96228 by task nc/102553 + CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18 + Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 + Call Trace: + + dump_stack_lvl+0x33/0x50 + print_address_description.constprop.0+0x27/0x310 + print_report+0x3e/0x70 + kasan_report+0xae/0xe0 + svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] + tcp_data_queue+0x9f4/0x20e0 + tcp_rcv_established+0x666/0x1f60 + tcp_v4_do_rcv+0x51c/0x850 + tcp_v4_rcv+0x23fc/0x2e80 + ip_protocol_deliver_rcu+0x62/0x300 + ip_local_deliver_finish+0x267/0x350 + ip_local_deliver+0x18b/0x2d0 + ip_rcv+0x2fb/0x370 + __netif_receive_skb_one_core+0x166/0x1b0 + process_backlog+0x24c/0x5e0 + __napi_poll+0xa2/0x500 + net_rx_action+0x854/0xc90 + __do_softirq+0x1bb/0x5de + do_softirq+0xcb/0x100 + + + ... 
+ + + Allocated by task 102371: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + __kasan_kmalloc+0x7b/0x90 + svc_setup_socket+0x52/0x4f0 [sunrpc] + svc_addsock+0x20d/0x400 [sunrpc] + __write_ports_addfd+0x209/0x390 [nfsd] + write_ports+0x239/0x2c0 [nfsd] + nfsctl_transaction_write+0xac/0x110 [nfsd] + vfs_write+0x1c3/0xae0 + ksys_write+0xed/0x1c0 + do_syscall_64+0x38/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + + Freed by task 102551: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + kasan_save_free_info+0x2a/0x50 + __kasan_slab_free+0x106/0x190 + __kmem_cache_free+0x133/0x270 + svc_xprt_free+0x1e2/0x350 [sunrpc] + svc_xprt_destroy_all+0x25a/0x440 [sunrpc] + nfsd_put+0x125/0x240 [nfsd] + nfsd_svc+0x2cb/0x3c0 [nfsd] + write_threads+0x1ac/0x2a0 [nfsd] + nfsctl_transaction_write+0xac/0x110 [nfsd] + vfs_write+0x1c3/0xae0 + ksys_write+0xed/0x1c0 + do_syscall_64+0x38/0x90 + entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() +if state != TCP_LISTEN, that will avoid dereferencing svsk for all +child socket. + +Link: https://lore.kernel.org/lkml/20230507091131.23540-1-dinghui@sangfor.com.cn/ +Fixes: fa9251afc33c ("SUNRPC: Call the default socket callbacks instead of open coding") +Signed-off-by: Ding Hui +Cc: +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/svcsock.c | 27 +++++++++++++-------------- + 1 file changed, 13 insertions(+), 14 deletions(-) + +--- a/net/sunrpc/svcsock.c ++++ b/net/sunrpc/svcsock.c +@@ -728,12 +728,6 @@ static void svc_tcp_listen_data_ready(st + dprintk("svc: socket %p TCP (listen) state change %d\n", + sk, sk->sk_state); + +- if (svsk) { +- /* Refer to svc_setup_socket() for details. 
*/ +- rmb(); +- svsk->sk_odata(sk); +- } +- + /* + * This callback may called twice when a new connection + * is established as a child socket inherits everything +@@ -742,15 +736,20 @@ static void svc_tcp_listen_data_ready(st + * when one of child sockets become ESTABLISHED. + * 2) data_ready method of the child socket may be called + * when it receives data before the socket is accepted. +- * In case of 2, we should ignore it silently. ++ * In case of 2, we should ignore it silently and DO NOT ++ * dereference svsk. + */ +- if (sk->sk_state == TCP_LISTEN) { +- if (svsk) { +- set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags); +- svc_xprt_enqueue(&svsk->sk_xprt); +- } else +- printk("svc: socket %p: no user data\n", sk); +- } ++ if (sk->sk_state != TCP_LISTEN) ++ return; ++ ++ if (svsk) { ++ /* Refer to svc_setup_socket() for details. */ ++ rmb(); ++ svsk->sk_odata(sk); ++ set_bit(XPT_CONN, &svsk->sk_xprt.xpt_flags); ++ svc_xprt_enqueue(&svsk->sk_xprt); ++ } else ++ printk("svc: socket %p: no user data\n", sk); + } + + /* diff --git a/tmp-5.4/tcp-annotate-data-races-around-fastopenq.max_qlen.patch b/tmp-5.4/tcp-annotate-data-races-around-fastopenq.max_qlen.patch new file mode 100644 index 00000000000..9e8382c208c --- /dev/null +++ b/tmp-5.4/tcp-annotate-data-races-around-fastopenq.max_qlen.patch 
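Review bot: The moved `else printk("svc: socket %p: no user data\n", sk);` branch in svc_tcp_listen_data_ready() has no braces although the `if (svsk)` branch has them, and the `printk()` carries no log level. Kernel style wants braces on both branches once one has them, and `pr_warn()` with the same format string would give the message an explicit level. Separately, the early `return` for `sk->sk_state != TCP_LISTEN` is what keeps a child socket's inherited `sk_user_data` from being dereferenced. `svsk` is loaded above the hunk, so it is worth confirming that nothing before the state check touches it.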
@@ -0,0 +1,77 @@ +From 5064c367a8407c3937794c8a11c980beb080c348 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:57 +0000 +Subject: tcp: annotate data-races around fastopenq.max_qlen + +From: Eric Dumazet + +[ Upstream commit 70f360dd7042cb843635ece9d28335a4addff9eb ] + +This field can be read locklessly. + +Fixes: 1536e2857bd3 ("tcp: Add a TCP_FASTOPEN socket option to get a max backlog on its listner") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-12-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/tcp.h | 2 +- + net/ipv4/tcp.c | 2 +- + net/ipv4/tcp_fastopen.c | 6 ++++-- + 3 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/include/linux/tcp.h b/include/linux/tcp.h +index 89751c89f11f4..68dacc1994376 100644 +--- a/include/linux/tcp.h ++++ b/include/linux/tcp.h +@@ -458,7 +458,7 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog) + struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue; + int somaxconn = READ_ONCE(sock_net(sk)->core.sysctl_somaxconn); + +- queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn); ++ WRITE_ONCE(queue->fastopenq.max_qlen, min_t(unsigned int, backlog, somaxconn)); + } + + static inline void tcp_move_syn(struct tcp_sock *tp, +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index c980d18d99094..647cb664c2ad0 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3623,7 +3623,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + break; + + case TCP_FASTOPEN: +- val = icsk->icsk_accept_queue.fastopenq.max_qlen; ++ val = READ_ONCE(icsk->icsk_accept_queue.fastopenq.max_qlen); + break; + + case TCP_FASTOPEN_CONNECT: +diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c +index 21705b2ddaffa..35088cd30840d 100644 +--- a/net/ipv4/tcp_fastopen.c ++++ b/net/ipv4/tcp_fastopen.c +@@ -312,6 +312,7 @@ static struct sock *tcp_fastopen_create_child(struct sock 
*sk, + static bool tcp_fastopen_queue_check(struct sock *sk) + { + struct fastopen_queue *fastopenq; ++ int max_qlen; + + /* Make sure the listener has enabled fastopen, and we don't + * exceed the max # of pending TFO requests allowed before trying +@@ -324,10 +325,11 @@ static bool tcp_fastopen_queue_check(struct sock *sk) + * temporarily vs a server not supporting Fast Open at all. + */ + fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq; +- if (fastopenq->max_qlen == 0) ++ max_qlen = READ_ONCE(fastopenq->max_qlen); ++ if (max_qlen == 0) + return false; + +- if (fastopenq->qlen >= fastopenq->max_qlen) { ++ if (fastopenq->qlen >= max_qlen) { + struct request_sock *req1; + spin_lock(&fastopenq->lock); + req1 = fastopenq->rskq_rst_head; +-- +2.39.2 + diff --git a/tmp-5.4/tcp-annotate-data-races-around-rskq_defer_accept.patch b/tmp-5.4/tcp-annotate-data-races-around-rskq_defer_accept.patch new file mode 100644 index 00000000000..a9db98d0bbc --- /dev/null +++ b/tmp-5.4/tcp-annotate-data-races-around-rskq_defer_accept.patch 
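Review bot: In tcp_fastopen_queue_check(), `max_qlen` is now snapshotted with READ_ONCE(), but `fastopenq->qlen` in `if (fastopenq->qlen >= max_qlen)` is still a plain read made before `spin_lock(&fastopenq->lock)` is taken. If `qlen` is updated under that lock elsewhere (not visible in this hunk), this is the same kind of lockless read the commit annotates, and `if (READ_ONCE(fastopenq->qlen) >= max_qlen) {` would cover it. The hunk ends inside the function, so the rest of the locked section is not shown.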
@@ -0,0 +1,53 @@ +From 2cb6b6537610c3fffde9a74654ad89cc87671b53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:54 +0000 +Subject: tcp: annotate data-races around rskq_defer_accept + +From: Eric Dumazet + +[ Upstream commit ae488c74422fb1dcd807c0201804b3b5e8a322a3 ] + +do_tcp_getsockopt() reads rskq_defer_accept while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-9-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index b9475fcaa6c4f..eb70c1b866d0f 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3075,9 +3075,9 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + + case TCP_DEFER_ACCEPT: + /* Translate value in seconds to number of retransmits */ +- icsk->icsk_accept_queue.rskq_defer_accept = +- secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ, +- TCP_RTO_MAX / HZ); ++ WRITE_ONCE(icsk->icsk_accept_queue.rskq_defer_accept, ++ secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ, ++ TCP_RTO_MAX / HZ)); + break; + + case TCP_WINDOW_CLAMP: +@@ -3481,8 +3481,9 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; + break; + case TCP_DEFER_ACCEPT: +- val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept, +- TCP_TIMEOUT_INIT / HZ, TCP_RTO_MAX / HZ); ++ val = READ_ONCE(icsk->icsk_accept_queue.rskq_defer_accept); ++ val = retrans_to_secs(val, TCP_TIMEOUT_INIT / HZ, ++ TCP_RTO_MAX / HZ); + break; + case TCP_WINDOW_CLAMP: + val = tp->window_clamp; +-- +2.39.2 + diff --git a/tmp-5.4/tcp-annotate-data-races-around-tp-linger2.patch b/tmp-5.4/tcp-annotate-data-races-around-tp-linger2.patch new file mode 100644 index 00000000000..be6c0993833 --- /dev/null 
+++ b/tmp-5.4/tcp-annotate-data-races-around-tp-linger2.patch @@ -0,0 +1,52 @@ +From 5227a8526cd7b418601ee6b5cf385be0030c4937 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:53 +0000 +Subject: tcp: annotate data-races around tp->linger2 + +From: Eric Dumazet + +[ Upstream commit 9df5335ca974e688389c875546e5819778a80d59 ] + +do_tcp_getsockopt() reads tp->linger2 while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-8-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index c6c73b9407098..b9475fcaa6c4f 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3066,11 +3066,11 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + + case TCP_LINGER2: + if (val < 0) +- tp->linger2 = -1; ++ WRITE_ONCE(tp->linger2, -1); + else if (val > TCP_FIN_TIMEOUT_MAX / HZ) +- tp->linger2 = TCP_FIN_TIMEOUT_MAX; ++ WRITE_ONCE(tp->linger2, TCP_FIN_TIMEOUT_MAX); + else +- tp->linger2 = val * HZ; ++ WRITE_ONCE(tp->linger2, val * HZ); + break; + + case TCP_DEFER_ACCEPT: +@@ -3476,7 +3476,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + val = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries; + break; + case TCP_LINGER2: +- val = tp->linger2; ++ val = READ_ONCE(tp->linger2); + if (val >= 0) + val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; + break; +-- +2.39.2 + diff --git a/tmp-5.4/tcp-annotate-data-races-around-tp-notsent_lowat.patch b/tmp-5.4/tcp-annotate-data-races-around-tp-notsent_lowat.patch new file mode 100644 index 00000000000..5b77ab9c4f4 --- /dev/null +++ b/tmp-5.4/tcp-annotate-data-races-around-tp-notsent_lowat.patch 
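Review bot: The TCP_LINGER2 case in do_tcp_setsockopt() now repeats `WRITE_ONCE(tp->linger2, ...)` in all three branches; computing the clamped value into a local first and finishing with a single `WRITE_ONCE(tp->linger2, linger2);` would keep the annotated store in one place. In the do_tcp_getsockopt() hunk, the context line directly above `case TCP_LINGER2:` still reads `icsk->icsk_syn_retries` and `net->ipv4.sysctl_tcp_syn_retries` without READ_ONCE(), which looks like the same class of lockless read. Whether another patch in this series covers it cannot be told from here. Both functions start and end outside their hunks.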
@@ -0,0 +1,64 @@ +From 3537464fefdcffe80ddaabe1713aab6c192844dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:55 +0000 +Subject: tcp: annotate data-races around tp->notsent_lowat + +From: Eric Dumazet + +[ Upstream commit 1aeb87bc1440c5447a7fa2d6e3c2cca52cbd206b ] + +tp->notsent_lowat can be read locklessly from do_tcp_getsockopt() +and tcp_poll(). + +Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-10-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 6 +++++- + net/ipv4/tcp.c | 4 ++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 2f456bed33ec3..4e909148fce39 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1953,7 +1953,11 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr); + static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); +- return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); ++ u32 val; ++ ++ val = READ_ONCE(tp->notsent_lowat); ++ ++ return val ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); + } + + /* @wake is one when sk_stream_write_space() calls us. 
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index eb70c1b866d0f..c980d18d99094 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3165,7 +3165,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + err = tcp_repair_set_window(tp, optval, optlen); + break; + case TCP_NOTSENT_LOWAT: +- tp->notsent_lowat = val; ++ WRITE_ONCE(tp->notsent_lowat, val); + sk->sk_write_space(sk); + break; + case TCP_INQ: +@@ -3642,7 +3642,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + val = tcp_time_stamp_raw() + tp->tsoffset; + break; + case TCP_NOTSENT_LOWAT: +- val = tp->notsent_lowat; ++ val = READ_ONCE(tp->notsent_lowat); + break; + case TCP_INQ: + val = tp->recvmsg_inq; +-- +2.39.2 + diff --git a/tmp-5.4/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch b/tmp-5.4/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch new file mode 100644 index 00000000000..f445a0dc8d6 --- /dev/null +++ b/tmp-5.4/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch 
@@ -0,0 +1,46 @@ +From 26a4b494c6e89c44e7b5897579e5dced37127a5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:47 +0000 +Subject: tcp: annotate data-races around tp->tcp_tx_delay + +From: Eric Dumazet + +[ Upstream commit 348b81b68b13ebd489a3e6a46aa1c384c731c919 ] + +do_tcp_getsockopt() reads tp->tcp_tx_delay while another cpu +might change its value. + +Fixes: a842fe1425cb ("tcp: add optional per socket transmit delay") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index fdf2ddc4864df..e33abcff56080 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3177,7 +3177,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level, + case TCP_TX_DELAY: + if (val) + tcp_enable_tx_delay(); +- tp->tcp_tx_delay = val; ++ WRITE_ONCE(tp->tcp_tx_delay, val); + break; + default: + err = -ENOPROTOOPT; +@@ -3634,7 +3634,7 @@ static int do_tcp_getsockopt(struct sock *sk, int level, + break; + + case TCP_TX_DELAY: +- val = tp->tcp_tx_delay; ++ val = READ_ONCE(tp->tcp_tx_delay); + break; + + case TCP_TIMESTAMP: +-- +2.39.2 + diff --git a/tmp-5.4/tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch b/tmp-5.4/tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch new file mode 100644 index 00000000000..861ee8f4abe --- /dev/null +++ b/tmp-5.4/tcp-annotate-data-races-in-__tcp_oow_rate_limited.patch 
@@ -0,0 +1,55 @@ +From 18c2a5a44f150dbf7f29d80f288aeb6d5c6d88bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jun 2023 16:41:50 +0000 +Subject: tcp: annotate data races in __tcp_oow_rate_limited() + +From: Eric Dumazet + +[ Upstream commit 998127cdb4699b9d470a9348ffe9f1154346be5f ] + +request sockets are lockless, __tcp_oow_rate_limited() could be called +on the same object from different cpus. This is harmless. + +Add READ_ONCE()/WRITE_ONCE() annotations to avoid a KCSAN report. + +Fixes: 4ce7e93cb3fe ("tcp: rate limit ACK sent by SYN_RECV request sockets") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 44398317f033a..8308c3c3a6e46 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3445,8 +3445,11 @@ static int tcp_ack_update_window(struct sock *sk, const struct sk_buff *skb, u32 + static bool __tcp_oow_rate_limited(struct net *net, int mib_idx, + u32 *last_oow_ack_time) + { +- if (*last_oow_ack_time) { +- s32 elapsed = (s32)(tcp_jiffies32 - *last_oow_ack_time); ++ /* Paired with the WRITE_ONCE() in this function. */ ++ u32 val = READ_ONCE(*last_oow_ack_time); ++ ++ if (val) { ++ s32 elapsed = (s32)(tcp_jiffies32 - val); + + if (0 <= elapsed && + elapsed < READ_ONCE(net->ipv4.sysctl_tcp_invalid_ratelimit)) { +@@ -3455,7 +3458,10 @@ static bool __tcp_oow_rate_limited(struct net *net, int mib_idx, + } + } + +- *last_oow_ack_time = tcp_jiffies32; ++ /* Paired with the prior READ_ONCE() and with itself, ++ * as we might be lockless. ++ */ ++ WRITE_ONCE(*last_oow_ack_time, tcp_jiffies32); + + return false; /* not rate-limited: go ahead, send dupack now! */ + } +-- +2.39.2 + 
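Review bot: The READ_ONCE()/WRITE_ONCE() pair in __tcp_oow_rate_limited() silences the KCSAN report, but the check-then-store is still not atomic, so two CPUs handling the same request socket can both read the old `*last_oow_ack_time` and both return false. The commit message calls this harmless, while the in-code comments only say which accesses pair with each other. Since this function is the rate limiter for out-of-window ACK replies, the tolerated race should be stated next to the store, e.g. `/* Not atomic with the read above: concurrent callers may each pass once. */`. The local `val` would also read better as `last`.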
diff --git a/tmp-5.4/tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch b/tmp-5.4/tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch
new file mode 100644
index 00000000000..16723c43da3
--- /dev/null
+++ b/tmp-5.4/tpm-tpm_vtpm_proxy-fix-a-race-condition-in-dev-vtpmx-creation.patch
@@ -0,0 +1,80 @@
+From f4032d615f90970d6c3ac1d9c0bce3351eb4445c Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen
+Date: Tue, 16 May 2023 01:25:54 +0300
+Subject: tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation
+
+From: Jarkko Sakkinen
+
+commit f4032d615f90970d6c3ac1d9c0bce3351eb4445c upstream.
+
+/dev/vtpmx is made visible before 'workqueue' is initialized, which can
+lead to a memory corruption in the worst case scenario.
+
+Address this by initializing 'workqueue' as the very first step of the
+driver initialization.
+
+Cc: stable@vger.kernel.org
+Fixes: 6f99612e2500 ("tpm: Proxy driver for supporting multiple emulated TPMs")
+Reviewed-by: Stefan Berger
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/tpm/tpm_vtpm_proxy.c | 30 +++++++-----------------------
+ 1 file changed, 7 insertions(+), 23 deletions(-)
+
+--- a/drivers/char/tpm/tpm_vtpm_proxy.c
++++ b/drivers/char/tpm/tpm_vtpm_proxy.c
+@@ -693,37 +693,21 @@ static struct miscdevice vtpmx_miscdev =
+ .fops = &vtpmx_fops,
+ };
+
+-static int vtpmx_init(void)
+-{
+- return misc_register(&vtpmx_miscdev);
+-}
+-
+-static void vtpmx_cleanup(void)
+-{
+- misc_deregister(&vtpmx_miscdev);
+-}
+-
+ static int __init vtpm_module_init(void)
+ {
+ int rc;
+
+- rc = vtpmx_init();
+- if (rc) {
+- pr_err("couldn't create vtpmx device\n");
+- return rc;
+- }
+-
+ workqueue = create_workqueue("tpm-vtpm");
+ if (!workqueue) {
+ pr_err("couldn't create workqueue\n");
+- rc = -ENOMEM;
+- goto err_vtpmx_cleanup;
++ return -ENOMEM;
+ }
+
+- return 0;
+-
+-err_vtpmx_cleanup:
+- vtpmx_cleanup();
++ rc = misc_register(&vtpmx_miscdev);
++ if (rc) {
++ pr_err("couldn't create vtpmx device\n");
++ destroy_workqueue(workqueue);
++ }
+
+ return rc;
+ }
+@@ -731,7 +715,7 @@ err_vtpmx_cleanup:
+ static void __exit vtpm_module_exit(void)
+ {
+ destroy_workqueue(workqueue);
+- vtpmx_cleanup();
++ misc_deregister(&vtpmx_miscdev);
+ }
+
+
module_init(vtpm_module_init);
diff --git a/tmp-5.4/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch b/tmp-5.4/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
new file mode 100644
index 00000000000..e1436cb1d78
--- /dev/null
+++ b/tmp-5.4/tracing-fix-null-pointer-dereference-in-tracing_err_log_open.patch
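Review bot: In `vtpm_module_exit()` the workqueue is still destroyed before `misc_deregister(&vtpmx_miscdev)`, so teardown keeps the ordering the init path just got rid of: /dev/vtpmx stays registered for a moment after `workqueue` is gone. Module reference counting may make that window unreachable in practice, but nothing in the hunk shows it. Swapping the two calls makes unload the mirror image of init: `misc_deregister(&vtpmx_miscdev);` first, then `destroy_workqueue(workqueue);`.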
@@ -0,0 +1,61 @@
+From 02b0095e2fbbc060560c1065f86a211d91e27b26 Mon Sep 17 00:00:00 2001
+From: Mateusz Stachyra
+Date: Tue, 4 Jul 2023 12:27:06 +0200
+Subject: tracing: Fix null pointer dereference in tracing_err_log_open()
+
+From: Mateusz Stachyra
+
+commit 02b0095e2fbbc060560c1065f86a211d91e27b26 upstream.
+
+Fix an issue in function 'tracing_err_log_open'.
+The function doesn't call 'seq_open' if the file is opened only with
+write permissions, which results in 'file->private_data' being left as null.
+If we then use 'lseek' on that opened file, 'seq_lseek' dereferences
+'file->private_data' in 'mutex_lock(&m->lock)', resulting in a kernel panic.
+Writing to this node requires root privileges, therefore this bug
+has very little security impact.
+
+Tracefs node: /sys/kernel/tracing/error_log
+
+Example Kernel panic:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038
+Call trace:
+ mutex_lock+0x30/0x110
+ seq_lseek+0x34/0xb8
+ __arm64_sys_lseek+0x6c/0xb8
+ invoke_syscall+0x58/0x13c
+ el0_svc_common+0xc4/0x10c
+ do_el0_svc+0x24/0x98
+ el0_svc+0x24/0x88
+ el0t_64_sync_handler+0x84/0xe4
+ el0t_64_sync+0x1b4/0x1b8
+Code: d503201f aa0803e0 aa1f03e1 aa0103e9 (c8e97d02)
+---[ end trace 561d1b49c12cf8a5 ]---
+Kernel panic - not syncing: Oops: Fatal exception
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230703155237eucms1p4dfb6a19caa14c79eb6c823d127b39024@eucms1p4
+Link: https://lore.kernel.org/linux-trace-kernel/20230704102706eucms1p30d7ecdcc287f46ad67679fc8491b2e0f@eucms1p3
+
+Cc: stable@vger.kernel.org
+Fixes: 8a062902be725 ("tracing: Add tracing error log")
+Signed-off-by: Mateusz Stachyra
+Suggested-by: Steven Rostedt
+Acked-by: Masami Hiramatsu (Google)
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -7263,7 +7263,7 @@ static const struct
file_operations trac
+ .open = tracing_err_log_open,
+ .write = tracing_err_log_write,
+ .read = seq_read,
+- .llseek = seq_lseek,
++ .llseek = tracing_lseek,
+ .release = tracing_err_log_release,
+ };
+
diff --git a/tmp-5.4/tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch b/tmp-5.4/tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch
new file mode 100644
index 00000000000..06a9608b308
--- /dev/null
+++ b/tmp-5.4/tracing-histograms-add-histograms-to-hist_vars-if-they-have-referenced-variables.patch
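Review bot: Nothing in the `file_operations` initializer records why `.llseek` must not be `seq_lseek`, so a later cleanup that sees `.read = seq_read` next to it could switch it back. A one-line comment above `.llseek = tracing_lseek,` would keep the reason with the code, for example `/* not seq_lseek: write-only opens skip seq_open(), so private_data is NULL */`. The fix relies on tracing_lseek() coping with that case, and that function is defined outside the hunk. The opening line of the initializer is only visible as hunk-header context.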
@@ -0,0 +1,127 @@
+From 6018b585e8c6fa7d85d4b38d9ce49a5b67be7078 Mon Sep 17 00:00:00 2001
+From: Mohamed Khalfella
+Date: Wed, 12 Jul 2023 22:30:21 +0000
+Subject: tracing/histograms: Add histograms to hist_vars if they have referenced variables
+
+From: Mohamed Khalfella
+
+commit 6018b585e8c6fa7d85d4b38d9ce49a5b67be7078 upstream.
+
+Hist triggers can have referenced variables without having direct
+variables fields. This can be the case if referenced variables are added
+for trigger actions. In this case the newly added references will not
+have field variables. Not taking such referenced variables into
+consideration can result in a bug where it would be possible to remove
+hist trigger with variables being refenced. This will result in a bug
+that is easily reproducable like so
+
+$ cd /sys/kernel/tracing
+$ echo 'synthetic_sys_enter char[] comm; long id' >> synthetic_events
+$ echo 'hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger
+$ echo 'hist:keys=common_pid.execname,id.syscall:onmatch(raw_syscalls.sys_enter).synthetic_sys_enter($comm, id)' >> events/raw_syscalls/sys_enter/trigger
+$ echo '!hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger
+
+[ 100.263533] ==================================================================
+[ 100.264634] BUG: KASAN: slab-use-after-free in resolve_var_refs+0xc7/0x180
+[ 100.265520] Read of size 8 at addr ffff88810375d0f0 by task bash/439
+[ 100.266320]
+[ 100.266533] CPU: 2 PID: 439 Comm: bash Not tainted 6.5.0-rc1 #4
+[ 100.267277] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
+[ 100.268561] Call Trace:
+[ 100.268902]
+[ 100.269189] dump_stack_lvl+0x4c/0x70
+[ 100.269680] print_report+0xc5/0x600
+[ 100.270165] ? resolve_var_refs+0xc7/0x180
+[ 100.270697] ? kasan_complete_mode_report_info+0x80/0x1f0
+[ 100.271389] ?
resolve_var_refs+0xc7/0x180
+[ 100.271913] kasan_report+0xbd/0x100
+[ 100.272380] ? resolve_var_refs+0xc7/0x180
+[ 100.272920] __asan_load8+0x71/0xa0
+[ 100.273377] resolve_var_refs+0xc7/0x180
+[ 100.273888] event_hist_trigger+0x749/0x860
+[ 100.274505] ? kasan_save_stack+0x2a/0x50
+[ 100.275024] ? kasan_set_track+0x29/0x40
+[ 100.275536] ? __pfx_event_hist_trigger+0x10/0x10
+[ 100.276138] ? ksys_write+0xd1/0x170
+[ 100.276607] ? do_syscall_64+0x3c/0x90
+[ 100.277099] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ 100.277771] ? destroy_hist_data+0x446/0x470
+[ 100.278324] ? event_hist_trigger_parse+0xa6c/0x3860
+[ 100.278962] ? __pfx_event_hist_trigger_parse+0x10/0x10
+[ 100.279627] ? __kasan_check_write+0x18/0x20
+[ 100.280177] ? mutex_unlock+0x85/0xd0
+[ 100.280660] ? __pfx_mutex_unlock+0x10/0x10
+[ 100.281200] ? kfree+0x7b/0x120
+[ 100.281619] ? ____kasan_slab_free+0x15d/0x1d0
+[ 100.282197] ? event_trigger_write+0xac/0x100
+[ 100.282764] ? __kasan_slab_free+0x16/0x20
+[ 100.283293] ? __kmem_cache_free+0x153/0x2f0
+[ 100.283844] ? sched_mm_cid_remote_clear+0xb1/0x250
+[ 100.284550] ? __pfx_sched_mm_cid_remote_clear+0x10/0x10
+[ 100.285221] ? event_trigger_write+0xbc/0x100
+[ 100.285781] ? __kasan_check_read+0x15/0x20
+[ 100.286321] ? __bitmap_weight+0x66/0xa0
+[ 100.286833] ? _find_next_bit+0x46/0xe0
+[ 100.287334] ? task_mm_cid_work+0x37f/0x450
+[ 100.287872] event_triggers_call+0x84/0x150
+[ 100.288408] trace_event_buffer_commit+0x339/0x430
+[ 100.289073] ?
ring_buffer_event_data+0x3f/0x60
+[ 100.292189] trace_event_raw_event_sys_enter+0x8b/0xe0
+[ 100.295434] syscall_trace_enter.constprop.0+0x18f/0x1b0
+[ 100.298653] syscall_enter_from_user_mode+0x32/0x40
+[ 100.301808] do_syscall_64+0x1a/0x90
+[ 100.304748] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ 100.307775] RIP: 0033:0x7f686c75c1cb
+[ 100.310617] Code: 73 01 c3 48 8b 0d 65 3c 10 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 21 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 3c 10 00 f7 d8 64 89 01 48
+[ 100.317847] RSP: 002b:00007ffc60137a38 EFLAGS: 00000246 ORIG_RAX: 0000000000000021
+[ 100.321200] RAX: ffffffffffffffda RBX: 000055f566469ea0 RCX: 00007f686c75c1cb
+[ 100.324631] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 000000000000000a
+[ 100.328104] RBP: 00007ffc60137ac0 R08: 00007f686c818460 R09: 000000000000000a
+[ 100.331509] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
+[ 100.334992] R13: 0000000000000007 R14: 000000000000000a R15: 0000000000000007
+[ 100.338381]
+
+We hit the bug because when second hist trigger has was created
+has_hist_vars() returned false because hist trigger did not have
+variables. As a result of that save_hist_vars() was not called to add
+the trigger to trace_array->hist_vars. Later on when we attempted to
+remove the first histogram find_any_var_ref() failed to detect it is
+being used because it did not find the second trigger in hist_vars list.
+
+With this change we wait until trigger actions are created so we can take
+into consideration if hist trigger has variable references. Also, now we
+check the return value of save_hist_vars() and fail trigger creation if
+save_hist_vars() fails.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230712223021.636335-1-mkhalfella@purestorage.com
+
+Cc: stable@vger.kernel.org
+Fixes: 067fe038e70f6 ("tracing: Add variable reference handling to hist triggers")
+Signed-off-by: Mohamed Khalfella
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_events_hist.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -6423,13 +6423,15 @@ static int event_hist_trigger_func(struc
+ if (get_named_trigger_data(trigger_data))
+ goto enable;
+
+- if (has_hist_vars(hist_data))
+- save_hist_vars(hist_data);
+-
+ ret = create_actions(hist_data);
+ if (ret)
+ goto out_unreg;
+
++ if (has_hist_vars(hist_data) || hist_data->n_var_refs) {
++ if (save_hist_vars(hist_data))
++ goto out_unreg;
++ }
++
+ ret = tracing_map_init(hist_data->map);
+ if (ret)
+ goto out_unreg;
diff --git a/tmp-5.4/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch b/tmp-5.4/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch
new file mode 100644
index 00000000000..aeb138f3cd2
--- /dev/null
+++ b/tmp-5.4/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch
@@ -0,0 +1,38 @@
+From 4b8b3905165ef98386a3c06f196c85d21292d029 Mon Sep 17 00:00:00 2001
+From: Mohamed Khalfella
+Date: Fri, 14 Jul 2023 20:33:41 +0000
+Subject: tracing/histograms: Return an error if we fail to add histogram to hist_vars list
+
+From: Mohamed Khalfella
+
+commit 4b8b3905165ef98386a3c06f196c85d21292d029 upstream.
+
+Commit 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if
+they have referenced variables") added a check to fail histogram creation
+if save_hist_vars() failed to add histogram to hist_vars list. But the
+commit failed to set ret to failed return code before jumping to
+unregister histogram, fix it.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230714203341.51396-1-mkhalfella@purestorage.com
+
+Cc: stable@vger.kernel.org
+Fixes: 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if they have referenced variables")
+Signed-off-by: Mohamed Khalfella
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_events_hist.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -6428,7 +6428,8 @@ static int event_hist_trigger_func(struc
+ goto out_unreg;
+
+ if (has_hist_vars(hist_data) || hist_data->n_var_refs) {
+- if (save_hist_vars(hist_data))
++ ret = save_hist_vars(hist_data);
++ if (ret)
+ goto out_unreg;
+ }
+
diff --git a/tmp-5.4/tracing-probes-fix-not-to-count-error-code-to-total-length.patch b/tmp-5.4/tracing-probes-fix-not-to-count-error-code-to-total-length.patch
new file mode 100644
index 00000000000..60fcee2e7ad
--- /dev/null
+++ b/tmp-5.4/tracing-probes-fix-not-to-count-error-code-to-total-length.patch
@@ -0,0 +1,38 @@
+From b41326b5e0f82e93592c4366359917b5d67b529f Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)"
+Date: Tue, 11 Jul 2023 23:15:38 +0900
+Subject: tracing/probes: Fix not to count error code to total length
+
+From: Masami Hiramatsu (Google)
+
+commit b41326b5e0f82e93592c4366359917b5d67b529f upstream.
+
+Fix not to count the error code (which is minus value) to the total
+used length of array, because it can mess up the return code of
+process_fetch_insn_bottom(). Also clear the 'ret' value because it
+will be used for calculating next data_loc entry.
+
+Link: https://lore.kernel.org/all/168908493827.123124.2175257289106364229.stgit@devnote2/
+
+Reported-by: Dan Carpenter
+Closes: https://lore.kernel.org/all/8819b154-2ba1-43c3-98a2-cbde20892023@moroto.mountain/
+Fixes: 9b960a38835f ("tracing: probeevent: Unify fetch_insn processing common part")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google)
+Reviewed-by: Steven Rostedt (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_probe_tmpl.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace_probe_tmpl.h
++++ b/kernel/trace/trace_probe_tmpl.h
+@@ -143,6 +143,8 @@ stage3:
+ array:
+ /* the last stage: Loop on array */
+ if (code->op == FETCH_OP_LP_ARRAY) {
++ if (ret < 0)
++ ret = 0;
+ total += ret;
+ if (++i < code->param) {
+ code = s3;
diff --git a/tmp-5.4/tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch b/tmp-5.4/tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch
new file mode 100644
index 00000000000..3faf7fc92b1
--- /dev/null
+++ b/tmp-5.4/tracing-timer-add-missing-hrtimer-modes-to-decode_hr.patch
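Review bot: The added `if (ret < 0) ret = 0;` under the `array:` label throws away an element's error code with no comment, so a reader of the header cannot tell that this is deliberate. The reason is only in the commit message; putting it beside the code would help, for example `/* a failed element adds no bytes; keep the errno out of total and the next data_loc */`. The enclosing function starts and ends outside the hunk, so whether the failure is reported anywhere else is not visible here.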
@@ -0,0 +1,47 @@
+From dcbe7117f0e1afd5766b9340d5a6b27fc655acf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Apr 2023 16:38:54 +0200
+Subject: tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode().
+
+From: Sebastian Andrzej Siewior
+
+[ Upstream commit 2951580ba6adb082bb6b7154a5ecb24e7c1f7569 ]
+
+The trace output for the HRTIMER_MODE_.*_HARD modes is seen as a number
+since these modes are not decoded. The author was not aware of the fancy
+decoding function which makes the life easier.
+
+Extend decode_hrtimer_mode() with the additional HRTIMER_MODE_.*_HARD
+modes.
+
+Fixes: ae6683d815895 ("hrtimer: Introduce HARD expiry mode")
+Signed-off-by: Sebastian Andrzej Siewior
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Mukesh Ojha
+Acked-by: Steven Rostedt (Google)
+Link: https://lore.kernel.org/r/20230418143854.8vHWQKLM@linutronix.de
+Signed-off-by: Sasha Levin
+---
+ include/trace/events/timer.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/include/trace/events/timer.h b/include/trace/events/timer.h
+index 295517f109d71..1b5371f0317af 100644
+--- a/include/trace/events/timer.h
++++ b/include/trace/events/timer.h
+@@ -156,7 +156,11 @@ DEFINE_EVENT(timer_class, timer_cancel,
+ { HRTIMER_MODE_ABS_SOFT, "ABS|SOFT" }, \
+ { HRTIMER_MODE_REL_SOFT, "REL|SOFT" }, \
+ { HRTIMER_MODE_ABS_PINNED_SOFT, "ABS|PINNED|SOFT" }, \
+- { HRTIMER_MODE_REL_PINNED_SOFT, "REL|PINNED|SOFT" })
++ { HRTIMER_MODE_REL_PINNED_SOFT, "REL|PINNED|SOFT" }, \
++ { HRTIMER_MODE_ABS_HARD, "ABS|HARD" }, \
++ { HRTIMER_MODE_REL_HARD, "REL|HARD" }, \
++ { HRTIMER_MODE_ABS_PINNED_HARD, "ABS|PINNED|HARD" }, \
++ { HRTIMER_MODE_REL_PINNED_HARD, "REL|PINNED|HARD" })
+
+ /**
+ * hrtimer_init - called when the hrtimer is initialized
+--
+2.39.2
+
diff --git a/tmp-5.4/tty-serial-fsl_lpuart-add-earlycon-for-imx8ulp-platform.patch b/tmp-5.4/tty-serial-fsl_lpuart-add-earlycon-for-imx8ulp-platform.patch
new file mode 100644
index 00000000000..ef171934ad2
--- /dev/null
+++ b/tmp-5.4/tty-serial-fsl_lpuart-add-earlycon-for-imx8ulp-platform.patch
@@ -0,0 +1,29 @@
+From e0edfdc15863ec80a1d9ac6e174dbccc00206dd0 Mon Sep 17 00:00:00 2001
+From: Sherry Sun
+Date: Mon, 19 Jun 2023 16:06:13 +0800
+Subject: tty: serial: fsl_lpuart: add earlycon for imx8ulp platform
+
+From: Sherry Sun
+
+commit e0edfdc15863ec80a1d9ac6e174dbccc00206dd0 upstream.
+
+Add earlycon support for imx8ulp platform.
+
+Signed-off-by: Sherry Sun
+Cc: stable
+Link: https://lore.kernel.org/r/20230619080613.16522-1-sherry.sun@nxp.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/fsl_lpuart.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -2409,6 +2409,7 @@ static int __init lpuart32_imx_early_con
+ OF_EARLYCON_DECLARE(lpuart, "fsl,vf610-lpuart", lpuart_early_console_setup);
+ OF_EARLYCON_DECLARE(lpuart32, "fsl,ls1021a-lpuart", lpuart32_early_console_setup);
+ OF_EARLYCON_DECLARE(lpuart32, "fsl,imx7ulp-lpuart", lpuart32_imx_early_console_setup);
++OF_EARLYCON_DECLARE(lpuart32, "fsl,imx8ulp-lpuart", lpuart32_imx_early_console_setup);
+ OF_EARLYCON_DECLARE(lpuart32, "fsl,imx8qxp-lpuart", lpuart32_imx_early_console_setup);
+ EARLYCON_DECLARE(lpuart, lpuart_early_console_setup);
+ EARLYCON_DECLARE(lpuart32, lpuart32_early_console_setup);
diff --git a/tmp-5.4/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch b/tmp-5.4/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch
new file mode 100644
index 00000000000..c25ee1b0cf2
--- /dev/null
+++ b/tmp-5.4/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-in-case-of-error.patch
@@ -0,0 +1,40 @@
+From a9c09546e903f1068acfa38e1ee18bded7114b37 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Sat, 10 Jun 2023 17:59:25 +0200
+Subject: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error
+
+From: Christophe JAILLET
+
+commit a9c09546e903f1068acfa38e1ee18bded7114b37 upstream.
+
+If clk_get_rate() fails, the clk that has just been allocated needs to be
+freed.
+
+Cc: # v3.3+
+Reviewed-by: Krzysztof Kozlowski
+Reviewed-by: Andi Shyti
+Fixes: 5f5a7a5578c5 ("serial: samsung: switch to clkdev based clock lookup")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Jiri Slaby
+Message-ID:
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/samsung.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -1199,8 +1199,12 @@ static unsigned int s3c24xx_serial_getcl
+ continue;
+
+ rate = clk_get_rate(clk);
+- if (!rate)
++ if (!rate) {
++ dev_err(ourport->port.dev,
++ "Failed to get clock rate for %s.\n", clkname);
++ clk_put(clk);
+ continue;
++ }
+
+ if (ourport->info->has_divslot) {
+ unsigned long div = rate / req_baud;
diff --git a/tmp-5.4/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch b/tmp-5.4/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch
new file mode 100644
index 00000000000..7c7198883ca
--- /dev/null
+++ b/tmp-5.4/tty-serial-samsung_tty-fix-a-memory-leak-in-s3c24xx_serial_getclk-when-iterating-clk.patch
@@ -0,0 +1,48 @@
+From 832e231cff476102e8204a9e7bddfe5c6154a375 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Sat, 10 Jun 2023 17:59:26 +0200
+Subject: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk
+
+From: Christophe JAILLET
+
+commit 832e231cff476102e8204a9e7bddfe5c6154a375 upstream.
+
+When the best clk is searched, we iterate over all possible clk.
+
+If we find a better match, the previous one, if any, needs to be freed.
+If a better match has already been found, we still need to free the new
+one, otherwise it leaks.
+
+Cc: # v3.3+
+Reviewed-by: Krzysztof Kozlowski
+Reviewed-by: Andi Shyti
+Fixes: 5f5a7a5578c5 ("serial: samsung: switch to clkdev based clock lookup")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Jiri Slaby
+Message-ID:
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/samsung.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -1230,10 +1230,18 @@ static unsigned int s3c24xx_serial_getcl
+ calc_deviation = -calc_deviation;
+
+ if (calc_deviation < deviation) {
++ /*
++ * If we find a better clk, release the previous one, if
++ * any.
++ */
++ if (!IS_ERR(*best_clk))
++ clk_put(*best_clk);
+ *best_clk = clk;
+ best_quot = quot;
+ *clk_num = cnt;
+ deviation = calc_deviation;
++ } else {
++ clk_put(clk);
+ }
+ }
+
diff --git a/tmp-5.4/udp6-fix-udp6_ehashfn-typo.patch b/tmp-5.4/udp6-fix-udp6_ehashfn-typo.patch
new file mode 100644
index 00000000000..ce9107975b6
--- /dev/null
+++ b/tmp-5.4/udp6-fix-udp6_ehashfn-typo.patch
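Review bot: The added `if (!IS_ERR(*best_clk)) clk_put(*best_clk);` reads `*best_clk` before this function has stored anything in it on the first match, so it is only correct if every caller initialises the out-parameter to an error pointer. Neither the callers nor the opening of s3c24xx_serial_getclk() are in the hunk, so that contract cannot be checked here; an uninitialised or stale pointer would be handed to `clk_put()`. If the contract holds, it should be written down at the top of the function, for example `/* *best_clk must hold an ERR_PTR() on entry */`.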
@@ -0,0 +1,40 @@
+From a7d9235386176f89cbf5c25a4186b73b60a03f66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 8 Jul 2023 08:29:58 +0000
+Subject: udp6: fix udp6_ehashfn() typo
+
+From: Eric Dumazet
+
+[ Upstream commit 51d03e2f2203e76ed02d33fb5ffbb5fc85ffaf54 ]
+
+Amit Klein reported that udp6_ehash_secret was initialized but never used.
+
+Fixes: 1bbdceef1e53 ("inet: convert inet_ehash_secret and ipv6_hash_secret to net_get_random_once")
+Reported-by: Amit Klein
+Signed-off-by: Eric Dumazet
+Cc: Willy Tarreau
+Cc: Willem de Bruijn
+Cc: David Ahern
+Cc: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/udp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 797d45ceb2c74..93eb622219756 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -87,7 +87,7 @@ static u32 udp6_ehashfn(const struct net *net,
+ fhash = __ipv6_addr_jhash(faddr, udp_ipv6_hash_secret);
+
+ return __inet6_ehashfn(lhash, lport, fhash, fport,
+- udp_ipv6_hash_secret + net_hash_mix(net));
++ udp6_ehash_secret + net_hash_mix(net));
+ }
+
+ int udp_v6_get_port(struct sock *sk, unsigned short snum)
+--
+2.39.2
+
diff --git a/tmp-5.4/usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch b/tmp-5.4/usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch
new file mode 100644
index 00000000000..8d6cc4adcf5
--- /dev/null
+++ b/tmp-5.4/usb-dwc3-gadget-propagate-core-init-errors-to-udc-during-pullup.patch
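Review bot: Nothing at the call sites in udp6_ehashfn() says which secret keys which hash, and the two names differ by only a few characters, which is how `udp_ipv6_hash_secret` came to key both the address hash and the final table hash. A comment above the `return` would make a repeat easier to catch, for example `/* udp_ipv6_hash_secret keys the address hash (fhash); udp6_ehash_secret keys the ehash */`. The start of the function, where the secrets are set up, is outside the hunk.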
@@ -0,0 +1,52 @@
+From c0aabed9cabe057309779a9e26fe86a113d24dad Mon Sep 17 00:00:00 2001
+From: Krishna Kurapati
+Date: Sun, 18 Jun 2023 17:39:49 +0530
+Subject: usb: dwc3: gadget: Propagate core init errors to UDC during pullup
+
+From: Krishna Kurapati
+
+commit c0aabed9cabe057309779a9e26fe86a113d24dad upstream.
+
+In scenarios where pullup relies on resume (get sync) to initialize
+the controller and set the run stop bit, then core_init is followed by
+gadget_resume which will eventually set run stop bit.
+
+But in cases where the core_init fails, the return value is not sent
+back to udc appropriately. So according to UDC the controller has
+started but in reality we never set the run stop bit.
+
+On systems like Android, there are uevents sent to HAL depending on
+whether the configfs_bind / configfs_disconnect were invoked. In the
+above mentioned scnenario, if the core init fails, the run stop won't
+be set and the cable plug-out won't result in generation of any
+disconnect event and userspace would never get any uevent regarding
+cable plug out and we never call pullup(0) again. Furthermore none of
+the next Plug-In/Plug-Out's would be known to configfs.
+
+Return back the appropriate result to UDC to let the userspace/
+configfs know that the pullup failed so they can take appropriate
+action.
+
+Fixes: 77adb8bdf422 ("usb: dwc3: gadget: Allow runtime suspend if UDC unbinded")
+Cc: stable
+Signed-off-by: Krishna Kurapati
+Acked-by: Thinh Nguyen
+Message-ID: <20230618120949.14868-1-quic_kriskura@quicinc.com>
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/gadget.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2077,7 +2077,9 @@ static int dwc3_gadget_pullup(struct usb
+ ret = pm_runtime_get_sync(dwc->dev);
+ if (!ret || ret < 0) {
+ pm_runtime_put(dwc->dev);
+- return 0;
++ if (ret < 0)
++ pm_runtime_set_suspended(dwc->dev);
++ return ret;
+ }
+
+ if (dwc->pullups_connected == is_on) {
diff --git a/tmp-5.4/usb-dwc3-qcom-fix-potential-memory-leak.patch b/tmp-5.4/usb-dwc3-qcom-fix-potential-memory-leak.patch
new file mode 100644
index 00000000000..6868c466e11
--- /dev/null
+++ b/tmp-5.4/usb-dwc3-qcom-fix-potential-memory-leak.patch
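Review bot: The guard in dwc3_gadget_pullup() is still spelled `if (!ret || ret < 0)`, and with the added inner `if (ret < 0)` the block now tests the same value twice in two forms; `if (ret <= 0) {` means the same and makes the new error branch easier to follow. The result of `pm_runtime_set_suspended(dwc->dev)` is also discarded, so if that call can be refused here the runtime-PM status silently stays as it was; a short comment on why that is acceptable would help. The function starts before the hunk and continues past it.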
@@ -0,0 +1,53 @@
+From 0d77c20807fb276e36370300c4c66cda0f328b23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 May 2023 20:25:18 +0300
+Subject: usb: dwc3: qcom: Fix potential memory leak
+
+From: Vladislav Efanov
+
+[ Upstream commit 097fb3ee710d4de83b8d4f5589e8ee13e0f0541e ]
+
+Function dwc3_qcom_probe() allocates memory for resource structure
+which is pointed by parent_res pointer. This memory is not
+freed. This leads to memory leak. Use stack memory to prevent
+memory leak.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 2bc02355f8ba ("usb: dwc3: qcom: Add support for booting with ACPI")
+Signed-off-by: Vladislav Efanov
+Acked-by: Shawn Guo
+Link: https://lore.kernel.org/r/20230517172518.442591-1-VEfanov@ispras.ru
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/dwc3/dwc3-qcom.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c
+index 2dcdeb52fc293..7d3de23147fd5 100644
+--- a/drivers/usb/dwc3/dwc3-qcom.c
++++ b/drivers/usb/dwc3/dwc3-qcom.c
+@@ -574,6 +574,7 @@ static int dwc3_qcom_probe(struct platform_device *pdev)
+ struct device *dev = &pdev->dev;
+ struct dwc3_qcom *qcom;
+ struct resource *res, *parent_res = NULL;
++ struct resource local_res;
+ int ret, i;
+ bool ignore_pipe_clk;
+
+@@ -624,9 +625,8 @@ static int dwc3_qcom_probe(struct platform_device *pdev)
+ if (np) {
+ parent_res = res;
+ } else {
+- parent_res = kmemdup(res, sizeof(struct resource), GFP_KERNEL);
+- if (!parent_res)
+- return -ENOMEM;
++ memcpy(&local_res, res, sizeof(struct resource));
++ parent_res = &local_res;
+
+ parent_res->start = res->start +
+ qcom->acpi_pdata->qscratch_base_offset;
+--
+2.39.2
+
diff --git a/tmp-5.4/usb-dwc3-qcom-release-the-correct-resources-in-dwc3_.patch b/tmp-5.4/usb-dwc3-qcom-release-the-correct-resources-in-dwc3_.patch
new file mode 100644
index 00000000000..3665d167362
--- /dev/null
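Review bot: In the ACPI branch of dwc3_qcom_probe() `parent_res` now points at the stack variable `local_res`, and nothing in the code says that the pointer must not be kept past the end of probe. The later uses of `parent_res` are outside the hunk, so it is worth confirming that no callee stores it, and recording the constraint next to the assignment, for example `/* local_res is on the stack: parent_res is only valid during probe */`. The copy itself can be a plain struct assignment, `local_res = *res;`, which keeps the type checking that `memcpy()` with an explicit `sizeof(struct resource)` gives up.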
+++ b/tmp-5.4/usb-dwc3-qcom-release-the-correct-resources-in-dwc3_.patch
@@ -0,0 +1,44 @@
+From 0111895332a37f31641ebb0ee9d8090513358b8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 4 Jun 2023 17:04:37 +0200
+Subject: usb: dwc3: qcom: Release the correct resources in dwc3_qcom_remove()
+
+From: Christophe JAILLET
+
+[ Upstream commit 8fd95da2cfb5046c4bb5a3cdc9eb7963ba8b10dd ]
+
+In the probe, some resources are allocated with
+dwc3_qcom_of_register_core() or dwc3_qcom_acpi_register_core(). The
+corresponding resources are already coorectly freed in the error handling
+path of the probe, but not in the remove function.
+
+Fix it.
+
+Fixes: 2bc02355f8ba ("usb: dwc3: qcom: Add support for booting with ACPI")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Andrew Halaney
+Message-ID:
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/dwc3/dwc3-qcom.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/dwc3-qcom.c
++++ b/drivers/usb/dwc3/dwc3-qcom.c
+@@ -704,10 +704,14 @@ reset_assert:
+ static int dwc3_qcom_remove(struct platform_device *pdev)
+ {
+ struct dwc3_qcom *qcom = platform_get_drvdata(pdev);
++ struct device_node *np = pdev->dev.of_node;
+ struct device *dev = &pdev->dev;
+ int i;
+
+- of_platform_depopulate(dev);
++ if (np)
++ of_platform_depopulate(&pdev->dev);
++ else
++ platform_device_put(pdev);
+
+ for (i = qcom->num_clocks - 1; i >= 0; i--) {
+ clk_disable_unprepare(qcom->clks[i]);
diff --git a/tmp-5.4/usb-hide-unused-usbfs_notify_suspend-resume-function.patch b/tmp-5.4/usb-hide-unused-usbfs_notify_suspend-resume-function.patch
new file mode 100644
index 00000000000..8df5273b760
--- /dev/null
+++ b/tmp-5.4/usb-hide-unused-usbfs_notify_suspend-resume-function.patch
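Review bot: The non-DT branch of dwc3_qcom_remove() calls `platform_device_put(pdev)`, but `pdev` is the glue device being removed, not a device that dwc3_qcom_acpi_register_core() created. As far as the hunk shows, this drops a reference on the wrong object and leaves the child device from the ACPI path registered, which risks a refcount underflow on the glue device. Assuming the ACPI path stores its child in `qcom->dwc3` (to be confirmed against the probe code, which is not in the hunk), the branch should be `platform_device_del(qcom->dwc3);` followed by `platform_device_put(qcom->dwc3);`. The probe error path that the commit message takes as its model is also outside the hunk and deserves the same check. The remainder of the function runs past the hunk.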
@@ -0,0 +1,52 @@
+From 882a68da590d8b5700ab16a88f2c6e06cb19395b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 22:17:42 +0200
+Subject: usb: hide unused usbfs_notify_suspend/resume functions
+
+From: Arnd Bergmann
+
+[ Upstream commit 8e6bd945e6dde64fbc60ec3fe252164493a8d3a2 ]
+
+The declaration is in an #ifdef, which causes warnings when building
+with 'make W=1' and without CONFIG_PM:
+
+drivers/usb/core/devio.c:742:6: error: no previous prototype for 'usbfs_notify_suspend'
+drivers/usb/core/devio.c:747:6: error: no previous prototype for 'usbfs_notify_resume'
+
+Use the same #ifdef check around the function definitions to avoid
+the warnings and slightly shrink the USB core.
+
+Fixes: 7794f486ed0b ("usbfs: Add ioctls for runtime power management")
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Sebastian Reichel
+Acked-by: Alan Stern
+Link: https://lore.kernel.org/r/20230516202103.558301-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/core/devio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
+index 44922e6381da6..087ab22488552 100644
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -734,6 +734,7 @@ static int driver_resume(struct usb_interface *intf)
+ return 0;
+ }
+
++#ifdef CONFIG_PM
+ /* The following routines apply to the entire device, not interfaces */
+ void usbfs_notify_suspend(struct usb_device *udev)
+ {
+@@ -752,6 +753,7 @@ void usbfs_notify_resume(struct usb_device *udev)
+ }
+ mutex_unlock(&usbfs_mutex);
+ }
++#endif
+
+ struct usb_driver usbfs_driver = {
+ .name = "usbfs",
+--
+2.39.2
+
diff --git a/tmp-5.4/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch b/tmp-5.4/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch
new file mode 100644
index 00000000000..ed551dedc05
--- /dev/null
+++ b/tmp-5.4/usb-phy-phy-tahvo-fix-memory-leak-in-tahvo_usb_probe.patch
@@ -0,0 +1,43 @@
+From 8aa7a6d4305067f4b75c7f64661b981d72060166 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Apr 2023 22:08:31 +0800
+Subject: usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe()
+
+From: Li Yang
+
+[ Upstream commit 342161c11403ea00e9febc16baab1d883d589d04 ]
+
+Smatch reports:
+drivers/usb/phy/phy-tahvo.c: tahvo_usb_probe()
+warn: missing unwind goto?
+
+After geting irq, if ret < 0, it will return without error handling to
+free memory.
+Just add error handling to fix this problem.
+
+Fixes: 0d45a1373e66 ("usb: phy: tahvo: add IRQ check")
+Signed-off-by: Li Yang
+Reviewed-by: Dongliang Mu
+Link: https://lore.kernel.org/r/20230420140832.9110-1-lidaxian@hust.edu.cn
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/phy/phy-tahvo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/phy/phy-tahvo.c b/drivers/usb/phy/phy-tahvo.c
+index a3e043e3e4aae..d0672b6712985 100644
+--- a/drivers/usb/phy/phy-tahvo.c
++++ b/drivers/usb/phy/phy-tahvo.c
+@@ -395,7 +395,7 @@ static int tahvo_usb_probe(struct platform_device *pdev)
+
+ tu->irq = ret = platform_get_irq(pdev, 0);
+ if (ret < 0)
+- return ret;
++ goto err_remove_phy;
+ ret = request_threaded_irq(tu->irq, NULL, tahvo_usb_vbus_interrupt,
+ IRQF_ONESHOT,
+ "tahvo-vbus", tu);
+--
+2.39.2
+
diff --git a/tmp-5.4/usb-serial-option-add-lara-r6-01b-pids.patch b/tmp-5.4/usb-serial-option-add-lara-r6-01b-pids.patch
new file mode 100644
index 00000000000..2e014e97597
--- /dev/null
+++ b/tmp-5.4/usb-serial-option-add-lara-r6-01b-pids.patch
@@ -0,0 +1,65 @@ +From ffa5f7a3bf28c1306eef85d4056539c2d4b8eb09 Mon Sep 17 00:00:00 2001 +From: Davide Tronchin +Date: Thu, 22 Jun 2023 11:29:21 +0200 +Subject: USB: serial: option: add LARA-R6 01B PIDs + +From: Davide Tronchin + +commit ffa5f7a3bf28c1306eef85d4056539c2d4b8eb09 upstream. + +The new LARA-R6 product variant identified by the "01B" string can be +configured (by AT interface) in three different USB modes: + +* Default mode (Vendor ID: 0x1546 Product ID: 0x1311) with 4 serial +interfaces + +* RmNet mode (Vendor ID: 0x1546 Product ID: 0x1312) with 4 serial +interfaces and 1 RmNet virtual network interface + +* CDC-ECM mode (Vendor ID: 0x1546 Product ID: 0x1313) with 4 serial +interface and 1 CDC-ECM virtual network interface +The first 4 interfaces of all the 3 USB configurations (default, RmNet, +CDC-ECM) are the same. + +In default mode LARA-R6 01B exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions + +In RmNet mode LARA-R6 01B exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions +If 4: RMNET interface + +In CDC-ECM mode LARA-R6 01B exposes the following interfaces: +If 0: Diagnostic +If 1: AT parser +If 2: AT parser +If 3: AT parser/alternative functions +If 4: CDC-ECM interface + +Signed-off-by: Davide Tronchin +Link: https://lore.kernel.org/r/20230622092921.12651-1-davide.tronchin.94@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1151,6 +1151,10 @@ static const struct usb_device_id option + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x90fa), + .driver_info = RSVD(3) }, + /* u-blox products */ ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1311) }, /* u-blox LARA-R6 01B */ ++ { USB_DEVICE(UBLOX_VENDOR_ID, 0x1312), /* u-blox 
LARA-R6 01B (RMNET) */ ++ .driver_info = RSVD(4) }, ++ { USB_DEVICE_INTERFACE_CLASS(UBLOX_VENDOR_ID, 0x1313, 0xff) }, /* u-blox LARA-R6 01B (ECM) */ + { USB_DEVICE(UBLOX_VENDOR_ID, 0x1341) }, /* u-blox LARA-L6 */ + { USB_DEVICE(UBLOX_VENDOR_ID, 0x1342), /* u-blox LARA-L6 (RMNET) */ + .driver_info = RSVD(4) }, diff --git a/tmp-5.4/video-imsttfb-check-for-ioremap-failures.patch b/tmp-5.4/video-imsttfb-check-for-ioremap-failures.patch new file mode 100644 index 00000000000..e0a661784fb --- /dev/null +++ b/tmp-5.4/video-imsttfb-check-for-ioremap-failures.patch 
@@ -0,0 +1,78 @@ +From 13b7c0390a5d3840e1e2cda8f44a310fdbb982de Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 3 May 2021 13:57:34 +0200 +Subject: video: imsttfb: check for ioremap() failures + +From: Greg Kroah-Hartman + +commit 13b7c0390a5d3840e1e2cda8f44a310fdbb982de upstream. + +We should check if ioremap() were to somehow fail in imsttfb_probe() and +handle the unwinding of the resources allocated here properly. + +Ideally if anyone cares about this driver (it's for a PowerMac era PCI +display card), they wouldn't even be using fbdev anymore. Or the devm_* +apis could be used, but that's just extra work for diminishing +returns... + +Cc: Finn Thain +Cc: Bartlomiej Zolnierkiewicz +Reviewed-by: Rob Herring +Link: https://lore.kernel.org/r/20210503115736.2104747-68-gregkh@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/imsttfb.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/video/fbdev/imsttfb.c ++++ b/drivers/video/fbdev/imsttfb.c +@@ -1469,6 +1469,7 @@ static int imsttfb_probe(struct pci_dev + struct imstt_par *par; + struct fb_info *info; + struct device_node *dp; ++ int ret = -ENOMEM; + + dp = pci_device_to_OF_node(pdev); + if(dp) +@@ -1504,23 +1505,37 @@ static int imsttfb_probe(struct pci_dev + default: + printk(KERN_INFO "imsttfb: Device 0x%x unknown, " + "contact maintainer.\n", pdev->device); +- release_mem_region(addr, size); +- framebuffer_release(info); +- return -ENODEV; ++ ret = -ENODEV; ++ goto error; + } + + info->fix.smem_start = addr; + info->screen_base = (__u8 *)ioremap(addr, par->ramdac == IBM ? 
+ 0x400000 : 0x800000); ++ if (!info->screen_base) ++ goto error; + info->fix.mmio_start = addr + 0x800000; + par->dc_regs = ioremap(addr + 0x800000, 0x1000); ++ if (!par->dc_regs) ++ goto error; + par->cmap_regs_phys = addr + 0x840000; + par->cmap_regs = (__u8 *)ioremap(addr + 0x840000, 0x1000); ++ if (!par->cmap_regs) ++ goto error; + info->pseudo_palette = par->palette; + init_imstt(info); + + pci_set_drvdata(pdev, info); + return 0; ++ ++error: ++ if (par->dc_regs) ++ iounmap(par->dc_regs); ++ if (info->screen_base) ++ iounmap(info->screen_base); ++ release_mem_region(addr, size); ++ framebuffer_release(info); ++ return ret; + } + + static void imsttfb_remove(struct pci_dev *pdev) diff --git a/tmp-5.4/w1-fix-loop-in-w1_fini.patch b/tmp-5.4/w1-fix-loop-in-w1_fini.patch new file mode 100644 index 00000000000..47c0c20cf3f --- /dev/null +++ b/tmp-5.4/w1-fix-loop-in-w1_fini.patch 
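Review bot: The single `error:` label in imsttfb_probe() is also the target of the `default:` branch, which runs before any ioremap() call, so the `if (par->dc_regs)` and `if (info->screen_base)` tests are only safe if `info` and `par` come back zero-filled from their allocation, which is outside the hunk. One label per acquired resource, unwound in reverse order, removes that hidden dependency and the conditional unmaps; the `default:` case would then jump to the last label. Setting `ret = -ENOMEM` at each failing ioremap() would also be clearer than relying on the initialiser added at the top of the function. `init_imstt(info)` has no result that is checked here, so a failure inside it, if it can fail, would still end in `return 0`.

```c
	/* … unchanged: ioremap() of info->screen_base … */
	if (!info->screen_base) {
		ret = -ENOMEM;
		goto err_release;
	}
	/* … unchanged: mmio_start, ioremap() of par->dc_regs … */
	if (!par->dc_regs) {
		ret = -ENOMEM;
		goto err_unmap_screen;
	}
	/* … unchanged: cmap_regs_phys, ioremap() of par->cmap_regs … */
	if (!par->cmap_regs) {
		ret = -ENOMEM;
		goto err_unmap_dc;
	}
	/* … unchanged: palette setup, init_imstt(), pci_set_drvdata(), return 0 … */

err_unmap_dc:
	iounmap(par->dc_regs);
err_unmap_screen:
	iounmap(info->screen_base);
err_release:
	release_mem_region(addr, size);
	framebuffer_release(info);
	return ret;
```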
@@ -0,0 +1,43 @@
+From 34e6fe9641d5d7402b033346c99fd48cab3bd172 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 May 2021 17:17:45 +0300
+Subject: w1: fix loop in w1_fini()
+
+From: Dan Carpenter
+
+[ Upstream commit 83f3fcf96fcc7e5405b37d9424c7ef26bfa203f8 ]
+
+The __w1_remove_master_device() function calls:
+
+ list_del(&dev->w1_master_entry);
+
+So presumably this can cause an endless loop.
+
+Fixes: 7785925dd8e0 ("[PATCH] w1: cleanups.")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Sasha Levin
+---
+ drivers/w1/w1.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c
+index 2a7970a10533e..e08f40c9d54c9 100644
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -1228,10 +1228,10 @@ static int __init w1_init(void)
+
+ static void __exit w1_fini(void)
+ {
+- struct w1_master *dev;
++ struct w1_master *dev, *n;
+
+ /* Set netlink removal messages and some cleanup */
+- list_for_each_entry(dev, &w1_masters, w1_master_entry)
++ list_for_each_entry_safe(dev, n, &w1_masters, w1_master_entry)
+ __w1_remove_master_device(dev);
+
+ w1_fini_netlink();
+--
+2.39.2
+
diff --git a/tmp-5.4/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch b/tmp-5.4/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch
new file mode 100644
index 00000000000..824280a8cbd
--- /dev/null
+++ b/tmp-5.4/watchdog-perf-define-dummy-watchdog_update_hrtimer_t.patch
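Review bot: Nothing in w1_fini() records why the `_safe` iterator is required, so a later clean-up could switch the loop back to the plain form. A one-line comment above the loop would carry the reason given in the commit message, for example `/* _safe: __w1_remove_master_device() does list_del() on dev->w1_master_entry */`. Whether `dev` itself is freed inside that call is not visible in this hunk.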
@@ -0,0 +1,89 @@ +From 4f82659bdc1c56f32ea954b80471985ae827e31a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 10:18:25 -0700 +Subject: watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on + correct config + +From: Douglas Anderson + +[ Upstream commit 5e008df11c55228a86a1bae692cc2002503572c9 ] + +Patch series "watchdog/hardlockup: Add the buddy hardlockup detector", v5. + +This patch series adds the "buddy" hardlockup detector. In brief, the +buddy hardlockup detector can detect hardlockups without arch-level +support by having CPUs checkup on a "buddy" CPU periodically. + +Given the new design of this patch series, testing all combinations is +fairly difficult. I've attempted to make sure that all combinations of +CONFIG_ options are good, but it wouldn't surprise me if I missed +something. I apologize in advance and I'll do my best to fix any +problems that are found. + +This patch (of 18): + +The real watchdog_update_hrtimer_threshold() is defined in +kernel/watchdog_hld.c. That file is included if +CONFIG_HARDLOCKUP_DETECTOR_PERF and the function is defined in that file +if CONFIG_HARDLOCKUP_CHECK_TIMESTAMP. + +The dummy version of the function in "nmi.h" didn't get that quite right. +While this doesn't appear to be a huge deal, it's nice to make it +consistent. + +It doesn't break builds because CHECK_TIMESTAMP is only defined by x86 so +others don't get a double definition, and x86 uses perf lockup detector, +so it gets the out of line version. 
+ +Link: https://lkml.kernel.org/r/20230519101840.v5.18.Ia44852044cdcb074f387e80df6b45e892965d4a1@changeid +Link: https://lkml.kernel.org/r/20230519101840.v5.1.I8cbb2f4fa740528fcfade4f5439b6cdcdd059251@changeid +Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes") +Signed-off-by: Douglas Anderson +Reviewed-by: Nicholas Piggin +Reviewed-by: Petr Mladek +Cc: Andi Kleen +Cc: Catalin Marinas +Cc: Chen-Yu Tsai +Cc: Christophe Leroy +Cc: Daniel Thompson +Cc: "David S. Miller" +Cc: Guenter Roeck +Cc: Ian Rogers +Cc: Lecopzer Chen +Cc: Marc Zyngier +Cc: Mark Rutland +Cc: Masayoshi Mizuma +Cc: Matthias Kaehlcke +Cc: Michael Ellerman +Cc: Pingfan Liu +Cc: Randy Dunlap +Cc: "Ravi V. Shankar" +Cc: Ricardo Neri +Cc: Stephane Eranian +Cc: Stephen Boyd +Cc: Sumit Garg +Cc: Tzung-Bi Shih +Cc: Will Deacon +Cc: Colin Cross +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/nmi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/nmi.h b/include/linux/nmi.h +index e972d1ae1ee63..6cb593d9ed08a 100644 +--- a/include/linux/nmi.h ++++ b/include/linux/nmi.h +@@ -197,7 +197,7 @@ u64 hw_nmi_get_sample_period(int watchdog_thresh); + #endif + + #if defined(CONFIG_HARDLOCKUP_CHECK_TIMESTAMP) && \ +- defined(CONFIG_HARDLOCKUP_DETECTOR) ++ defined(CONFIG_HARDLOCKUP_DETECTOR_PERF) + void watchdog_update_hrtimer_threshold(u64 period); + #else + static inline void watchdog_update_hrtimer_threshold(u64 period) { } +-- +2.39.2 + diff --git a/tmp-5.4/watchdog-perf-more-properly-prevent-false-positives-.patch b/tmp-5.4/watchdog-perf-more-properly-prevent-false-positives-.patch new file mode 100644 index 00000000000..e77bbab4a3e --- /dev/null +++ b/tmp-5.4/watchdog-perf-more-properly-prevent-false-positives-.patch 
@@ -0,0 +1,84 @@ +From e2905033dff78f08fe660d4115a13ee9bacfe8b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 10:18:26 -0700 +Subject: watchdog/perf: more properly prevent false positives with turbo modes + +From: Douglas Anderson + +[ Upstream commit 4379e59fe5665cfda737e45b8bf2f05321ef049c ] + +Currently, in the watchdog_overflow_callback() we first check to see if +the watchdog had been touched and _then_ we handle the workaround for +turbo mode. This order should be reversed. + +Specifically, "touching" the hardlockup detector's watchdog should avoid +lockups being detected for one period that should be roughly the same +regardless of whether we're running turbo or not. That means that we +should do the extra accounting for turbo _before_ we look at (and clear) +the global indicating that we've been touched. + +NOTE: this fix is made based on code inspection. I am not aware of any +reports where the old code would have generated false positives. That +being said, this order seems more correct and also makes it easier down +the line to share code with the "buddy" hardlockup detector. + +Link: https://lkml.kernel.org/r/20230519101840.v5.2.I843b0d1de3e096ba111a179f3adb16d576bef5c7@changeid +Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes") +Signed-off-by: Douglas Anderson +Cc: Andi Kleen +Cc: Catalin Marinas +Cc: Chen-Yu Tsai +Cc: Christophe Leroy +Cc: Colin Cross +Cc: Daniel Thompson +Cc: "David S. Miller" +Cc: Guenter Roeck +Cc: Ian Rogers +Cc: Lecopzer Chen +Cc: Marc Zyngier +Cc: Mark Rutland +Cc: Masayoshi Mizuma +Cc: Matthias Kaehlcke +Cc: Michael Ellerman +Cc: Nicholas Piggin +Cc: Petr Mladek +Cc: Pingfan Liu +Cc: Randy Dunlap +Cc: "Ravi V. 
Shankar" +Cc: Ricardo Neri +Cc: Stephane Eranian +Cc: Stephen Boyd +Cc: Sumit Garg +Cc: Tzung-Bi Shih +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/watchdog_hld.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/watchdog_hld.c b/kernel/watchdog_hld.c +index 247bf0b1582ca..1e8a49dc956e2 100644 +--- a/kernel/watchdog_hld.c ++++ b/kernel/watchdog_hld.c +@@ -114,14 +114,14 @@ static void watchdog_overflow_callback(struct perf_event *event, + /* Ensure the watchdog never gets throttled */ + event->hw.interrupts = 0; + ++ if (!watchdog_check_timestamp()) ++ return; ++ + if (__this_cpu_read(watchdog_nmi_touch) == true) { + __this_cpu_write(watchdog_nmi_touch, false); + return; + } + +- if (!watchdog_check_timestamp()) +- return; +- + /* check for a hardlockup + * This is done by making sure our timer interrupt + * is incrementing. The timer interrupt should have +-- +2.39.2 + diff --git a/tmp-5.4/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch b/tmp-5.4/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch new file mode 100644 index 00000000000..dbdf1d55d51 --- /dev/null +++ b/tmp-5.4/wifi-airo-avoid-uninitialized-warning-in-airo_get_ra.patch 
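Review bot: The order of the two early returns in watchdog_overflow_callback() now matters for correctness but nothing in the code says so. A comment above the moved check, such as `/* Must run before the touch check: a touch should suppress one full period regardless of turbo mode. */`, would keep a later reader from swapping the blocks back. The commit message states the change comes from code inspection rather than an observed false positive, so a regression here would be hard to notice in testing. The rest of the function body is outside the hunk.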
@@ -0,0 +1,47 @@
+From 30e1defc749aedf9906d96856cf4526fbbfe2d5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 9 Jul 2023 06:31:54 -0700
+Subject: wifi: airo: avoid uninitialized warning in airo_get_rate()
+
+From: Randy Dunlap
+
+[ Upstream commit 9373771aaed17f5c2c38485f785568abe3a9f8c1 ]
+
+Quieten a gcc (11.3.0) build error or warning by checking the function
+call status and returning -EBUSY if the function call failed.
+This is similar to what several other wireless drivers do for the
+SIOCGIWRATE ioctl call when there is a locking problem.
+
+drivers/net/wireless/cisco/airo.c: error: 'status_rid.currentXmitRate' is used uninitialized [-Werror=uninitialized]
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Randy Dunlap
+Reported-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/r/39abf2c7-24a-f167-91da-ed4c5435d1c4@linux-m68k.org
+Link: https://lore.kernel.org/r/20230709133154.26206-1-rdunlap@infradead.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/cisco/airo.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c
+index da0d3834b5f01..ebf0d3072290e 100644
+--- a/drivers/net/wireless/cisco/airo.c
++++ b/drivers/net/wireless/cisco/airo.c
+@@ -6104,8 +6104,11 @@ static int airo_get_rate(struct net_device *dev,
+ {
+ struct airo_info *local = dev->ml_priv;
+ StatusRid status_rid; /* Card status info */
++ int ret;
+
+- readStatusRid(local, &status_rid, 1);
++ ret = readStatusRid(local, &status_rid, 1);
++ if (ret)
++ return -EBUSY;
+
+ vwrq->value = le16_to_cpu(status_rid.currentXmitRate) * 500000;
+ /* If more than one rate, set auto */
+--
+2.39.2
+
diff --git a/tmp-5.4/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch b/tmp-5.4/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch
new file mode 100644
index 00000000000..7238641bb26
--- /dev/null
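Review bot: The local `ret` added to airo_get_rate() is only tested and then thrown away, so `if (readStatusRid(local, &status_rid, 1)) return -EBUSY;` says the same thing in one statement; alternatively `ret` could be propagated if its value is a usable errno. The check matters beyond the compiler warning: before it, a failed readStatusRid() left `status_rid` unfilled and the function still copied `status_rid.currentXmitRate` into `vwrq->value`, potentially handing uninitialised stack bytes back to the caller of the ioctl. Other callers of readStatusRid() in airo.c are outside this hunk and are worth checking for the same unchecked pattern.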
+++ b/tmp-5.4/wifi-ath9k-avoid-referencing-uninit-memory-in-ath9k_.patch 
@@ -0,0 +1,58 @@ +From c85c822808eddcd72b92e6eaf3b44ce43fd81baf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 17:35:01 +0300 +Subject: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit f24292e827088bba8de7158501ac25a59b064953 ] + +For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid +uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should +validate pkt_len before accessing the SKB. + +For example, the obtained SKB may have been badly constructed with +pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr +but after being processed in ath9k_htc_rx_msg() and passed to +ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI +command header which should be located inside its data payload. + +Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit +memory can be referenced. + +Tested on Qualcomm Atheros Communications AR9271 802.11n . + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Reported-and-tested-by: syzbot+f2cb6e0ffdb961921e4d@syzkaller.appspotmail.com +Signed-off-by: Fedor Pchelkin +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230424183348.111355-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/wmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index deb22b8c2065f..ef861b19fd477 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -218,6 +218,10 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb, + if (unlikely(wmi->stopped)) + goto free_skb; + ++ /* Validate the obtained SKB. 
*/ ++ if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr))) ++ goto free_skb; ++ + hdr = (struct wmi_cmd_hdr *) skb->data; + cmd_id = be16_to_cpu(hdr->command_id); + +-- +2.39.2 + diff --git a/tmp-5.4/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch b/tmp-5.4/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch new file mode 100644 index 00000000000..de2d5c3ff59 --- /dev/null +++ b/tmp-5.4/wifi-ath9k-convert-msecs-to-jiffies-where-needed.patch 
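Review bot: The added test in ath9k_wmi_ctrl_rx() only guarantees that `sizeof(struct wmi_cmd_hdr)` bytes are present, so it protects the `hdr->command_id` read and nothing after it. Any code further down this function, or in the handlers it hands the SKB to, that reads a command-specific payload from `skb->data` needs its own comparison against `skb->len`; those reads are outside the hunk and should be audited on the assumption, taken from the commit message, that the length comes from the device. The comment `/* Validate the obtained SKB. */` could also say what is validated, for example `/* Require a full WMI command header before reading it; the length comes from the device. */`.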
@@ -0,0 +1,51 @@
+From 7a4ec3cd48756c3a4c45c84747bce2b2d8d347b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Jun 2023 16:46:55 +0300
+Subject: wifi: ath9k: convert msecs to jiffies where needed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Antipov
+
+[ Upstream commit 2aa083acea9f61be3280184384551178f510ff51 ]
+
+Since 'ieee80211_queue_delayed_work()' expects timeout in
+jiffies and not milliseconds, 'msecs_to_jiffies()' should
+be used in 'ath_restart_work()' and '__ath9k_flush()'.
+
+Fixes: d63ffc45c5d3 ("ath9k: rename tx_complete_work to hw_check_work")
+Signed-off-by: Dmitry Antipov
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230613134655.248728-1-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index 4e606a4b19f2d..5968fcec11737 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -200,7 +200,7 @@ void ath_cancel_work(struct ath_softc *sc)
+ void ath_restart_work(struct ath_softc *sc)
+ {
+ ieee80211_queue_delayed_work(sc->hw, &sc->hw_check_work,
+- ATH_HW_CHECK_POLL_INT);
++ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT));
+
+ if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9330(sc->sc_ah))
+ ieee80211_queue_delayed_work(sc->hw, &sc->hw_pll_work,
+@@ -2228,7 +2228,7 @@ void __ath9k_flush(struct ieee80211_hw *hw, u32 queues, bool drop,
+ }
+
+ ieee80211_queue_delayed_work(hw, &sc->hw_check_work,
+- ATH_HW_CHECK_POLL_INT);
++ msecs_to_jiffies(ATH_HW_CHECK_POLL_INT));
+ }
+
+ static bool ath9k_tx_frames_pending(struct ieee80211_hw *hw)
+--
+2.39.2
+
diff --git a/tmp-5.4/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch b/tmp-5.4/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch
new file mode 100644
index 00000000000..d327d565ef2
--- /dev/null
+++ b/tmp-5.4/wifi-ath9k-don-t-allow-to-overwrite-endpoint0-attrib.patch
@@ -0,0 +1,54 @@
+From 5160d3edafaccfd69a7f737c6a937a832bbf2a36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 May 2023 18:03:17 +0300
+Subject: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Fedor Pchelkin
+
+[ Upstream commit 061b0cb9327b80d7a0f63a33e7c3e2a91a71f142 ]
+
+A bad USB device is able to construct a service connection response
+message with target endpoint being ENDPOINT0 which is reserved for
+HTC_CTRL_RSVD_SVC and should not be modified to be used for any other
+services.
+
+Reject such service connection responses.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
+Reported-by: syzbot+b68fbebe56d8362907e8@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin
+Acked-by: Toke Høiland-Jørgensen
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230516150427.79469-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/htc_hst.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index fe62ff668f757..99667aba289df 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -114,7 +114,13 @@ static void htc_process_conn_rsp(struct htc_target *target,
+
+ if (svc_rspmsg->status == HTC_SERVICE_SUCCESS) {
+ epid = svc_rspmsg->endpoint_id;
+- if (epid < 0 || epid >= ENDPOINT_MAX)
++
++ /* Check that the received epid for the endpoint to attach
++ * a new service is valid. ENDPOINT0 can't be used here as it
++ * is already reserved for HTC_CTRL_RSVD_SVC service and thus
++ * should not be modified.
++ */
++ if (epid <= ENDPOINT0 || epid >= ENDPOINT_MAX)
+ return;
+
+ service_id = be16_to_cpu(svc_rspmsg->service_id);
+--
+2.39.2
+
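Review bot: A response naming ENDPOINT0 or an out-of-range endpoint is dropped in htc_process_conn_rsp() with a bare `return`, which leaves no trace that the device sent a malformed service-connection reply. Since the commit message attributes this input to a bad USB device, a rate-limited warning that prints the rejected `epid` before returning would give operators something to detect on. The comparison `epid <= ENDPOINT0` also relies on ENDPOINT0 being the lowest enumerator, and if `epid` has an unsigned or enum type the old `epid < 0` half was already dead; both are worth confirming in the declarations outside this hunk. No length check on `svc_rspmsg` itself appears in the visible lines.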
diff --git a/tmp-5.4/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch b/tmp-5.4/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch
new file mode 100644
index 00000000000..0756ed454f5
--- /dev/null
+++ b/tmp-5.4/wifi-ath9k-fix-ar9003-mac-hardware-hang-check-regist.patch
@@ -0,0 +1,95 @@ +From ac13d161aec4344df878948dd0a7edd2ebd65d67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Apr 2023 17:35:00 +0300 +Subject: wifi: ath9k: fix AR9003 mac hardware hang check register offset + calculation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Seiderer + +[ Upstream commit 3e56c80931c7615250fe4bf83f93b57881969266 ] + +Fix ath9k_hw_verify_hang()/ar9003_hw_detect_mac_hang() register offset +calculation (do not overflow the shift for the second register/queues +above five, use the register layout described in the comments above +ath9k_hw_verify_hang() instead). + +Fixes: 222e04830ff0 ("ath9k: Fix MAC HW hang check for AR9003") + +Reported-by: Gregg Wonderly +Link: https://lore.kernel.org/linux-wireless/E3A9C354-0CB7-420C-ADEF-F0177FB722F4@seqtechllc.com/ +Signed-off-by: Peter Seiderer +Acked-by: Toke Høiland-Jørgensen +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230422212423.26065-1-ps.report@gmx.net +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/ar9003_hw.c | 27 ++++++++++++++-------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/ar9003_hw.c b/drivers/net/wireless/ath/ath9k/ar9003_hw.c +index 2fe12b0de5b4f..dea8a998fb622 100644 +--- a/drivers/net/wireless/ath/ath9k/ar9003_hw.c ++++ b/drivers/net/wireless/ath/ath9k/ar9003_hw.c +@@ -1099,17 +1099,22 @@ static bool ath9k_hw_verify_hang(struct ath_hw *ah, unsigned int queue) + { + u32 dma_dbg_chain, dma_dbg_complete; + u8 dcu_chain_state, dcu_complete_state; ++ unsigned int dbg_reg, reg_offset; + int i; + +- for (i = 0; i < NUM_STATUS_READS; i++) { +- if (queue < 6) +- dma_dbg_chain = REG_READ(ah, AR_DMADBG_4); +- else +- dma_dbg_chain = REG_READ(ah, AR_DMADBG_5); ++ if (queue < 6) { ++ dbg_reg = AR_DMADBG_4; ++ reg_offset = queue * 5; ++ } else { ++ dbg_reg = AR_DMADBG_5; ++ reg_offset = (queue - 6) * 5; ++ } 
+ ++ for (i = 0; i < NUM_STATUS_READS; i++) { ++ dma_dbg_chain = REG_READ(ah, dbg_reg); + dma_dbg_complete = REG_READ(ah, AR_DMADBG_6); + +- dcu_chain_state = (dma_dbg_chain >> (5 * queue)) & 0x1f; ++ dcu_chain_state = (dma_dbg_chain >> reg_offset) & 0x1f; + dcu_complete_state = dma_dbg_complete & 0x3; + + if ((dcu_chain_state != 0x6) || (dcu_complete_state != 0x1)) +@@ -1128,6 +1133,7 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah) + u8 dcu_chain_state, dcu_complete_state; + bool dcu_wait_frdone = false; + unsigned long chk_dcu = 0; ++ unsigned int reg_offset; + unsigned int i = 0; + + dma_dbg_4 = REG_READ(ah, AR_DMADBG_4); +@@ -1139,12 +1145,15 @@ static bool ar9003_hw_detect_mac_hang(struct ath_hw *ah) + goto exit; + + for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) { +- if (i < 6) ++ if (i < 6) { + chk_dbg = dma_dbg_4; +- else ++ reg_offset = i * 5; ++ } else { + chk_dbg = dma_dbg_5; ++ reg_offset = (i - 6) * 5; ++ } + +- dcu_chain_state = (chk_dbg >> (5 * i)) & 0x1f; ++ dcu_chain_state = (chk_dbg >> reg_offset) & 0x1f; + if (dcu_chain_state == 0x6) { + dcu_wait_frdone = true; + chk_dcu |= BIT(i); +-- +2.39.2 + diff --git a/tmp-5.4/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch b/tmp-5.4/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch new file mode 100644 index 00000000000..6f8e781b335 --- /dev/null +++ b/tmp-5.4/wifi-ath9k-fix-possible-stall-on-ath9k_txq_list_has_.patch 
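Review bot: The queue-to-register mapping (`< 6`, `* 5`, `& 0x1f`) is now written out twice, once in ath9k_hw_verify_hang() and once in ar9003_hw_detect_mac_hang(), with bare constants in both. A small static helper that takes the queue index and yields the register selector and bit offset, with named constants for the six-queues-per-register and five-bits-per-queue layout, would keep the two copies from drifting apart again. ath9k_hw_verify_hang() also takes `queue` from its caller without a range check, and `(queue - 6) * 5` reaches 32 or more once `queue` is 13 or higher, which is an undefined shift on a u32. The caller is outside the hunk, so either confirm it is bounded by ATH9K_NUM_TX_QUEUES or open the function with `if (WARN_ON_ONCE(queue >= ATH9K_NUM_TX_QUEUES))` and the return value that fits its contract.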
@@ -0,0 +1,111 @@ +From 5d57e9c45741a6ae31def7e692e434e493f9bdff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jun 2023 11:37:44 +0200 +Subject: wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Remi Pommarel + +[ Upstream commit 75086cc6dee046e3fbb3dba148b376d8802f83bc ] + +On EDMA capable hardware, ath9k_txq_list_has_key() can enter infinite +loop if it is called while all txq_fifos have packets that use different +key that the one we are looking for. Fix it by exiting the loop if all +txq_fifos have been checked already. + +Because this loop is called under spin_lock_bh() (see ath_txq_lock) it +causes the following rcu stall: + +rcu: INFO: rcu_sched self-detected stall on CPU +ath10k_pci 0000:01:00.0: failed to read temperature -11 +rcu: 1-....: (5254 ticks this GP) idle=189/1/0x4000000000000002 softirq=8442983/8442984 fqs=2579 + (t=5257 jiffies g=17983297 q=334) +Task dump for CPU 1: +task:hostapd state:R running task stack: 0 pid: 297 ppid: 289 flags:0x0000000a +Call trace: + dump_backtrace+0x0/0x170 + show_stack+0x1c/0x24 + sched_show_task+0x140/0x170 + dump_cpu_task+0x48/0x54 + rcu_dump_cpu_stacks+0xf0/0x134 + rcu_sched_clock_irq+0x8d8/0x9fc + update_process_times+0xa0/0xec + tick_sched_timer+0x5c/0xd0 + __hrtimer_run_queues+0x154/0x320 + hrtimer_interrupt+0x120/0x2f0 + arch_timer_handler_virt+0x38/0x44 + handle_percpu_devid_irq+0x9c/0x1e0 + handle_domain_irq+0x64/0x90 + gic_handle_irq+0x78/0xb0 + call_on_irq_stack+0x28/0x38 + do_interrupt_handler+0x54/0x5c + el1_interrupt+0x2c/0x4c + el1h_64_irq_handler+0x14/0x1c + el1h_64_irq+0x74/0x78 + ath9k_txq_has_key+0x1bc/0x250 [ath9k] + ath9k_set_key+0x1cc/0x3dc [ath9k] + drv_set_key+0x78/0x170 + ieee80211_key_replace+0x564/0x6cc + ieee80211_key_link+0x174/0x220 + ieee80211_add_key+0x11c/0x300 + nl80211_new_key+0x12c/0x330 + genl_family_rcv_msg_doit+0xbc/0x11c + genl_rcv_msg+0xd8/0x1c4 + 
netlink_rcv_skb+0x40/0x100 + genl_rcv+0x3c/0x50 + netlink_unicast+0x1ec/0x2c0 + netlink_sendmsg+0x198/0x3c0 + ____sys_sendmsg+0x210/0x250 + ___sys_sendmsg+0x78/0xc4 + __sys_sendmsg+0x4c/0x90 + __arm64_sys_sendmsg+0x28/0x30 + invoke_syscall.constprop.0+0x60/0x100 + do_el0_svc+0x48/0xd0 + el0_svc+0x14/0x50 + el0t_64_sync_handler+0xa8/0xb0 + el0t_64_sync+0x158/0x15c + +This rcu stall is hard to reproduce as is, but changing ATH_TXFIFO_DEPTH +from 8 to 2 makes it reasonably easy to reproduce. + +Fixes: ca2848022c12 ("ath9k: Postpone key cache entry deletion for TXQ frames reference it") +Signed-off-by: Remi Pommarel +Tested-by: Nicolas Escande +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230609093744.1985-1-repk@triplefau.lt +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c +index eb5751a45f266..4e606a4b19f2d 100644 +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -847,7 +847,7 @@ static bool ath9k_txq_list_has_key(struct list_head *txq_list, u32 keyix) + static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix) + { + struct ath_hw *ah = sc->sc_ah; +- int i; ++ int i, j; + struct ath_txq *txq; + bool key_in_use = false; + +@@ -865,8 +865,9 @@ static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix) + if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) { + int idx = txq->txq_tailidx; + +- while (!key_in_use && +- !list_empty(&txq->txq_fifo[idx])) { ++ for (j = 0; !key_in_use && ++ !list_empty(&txq->txq_fifo[idx]) && ++ j < ATH_TXFIFO_DEPTH; j++) { + key_in_use = ath9k_txq_list_has_key( + &txq->txq_fifo[idx], keyix); + INCR(idx, ATH_TXFIFO_DEPTH); +-- +2.39.2 + 
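Review bot: The new `for` header in ath9k_txq_has_key() spreads three conditions over three lines and puts the bound `j < ATH_TXFIFO_DEPTH` last, while the index that is actually used, `idx`, is still advanced by `INCR()` inside the body. Leading with the bound makes the termination argument obvious: `for (j = 0; j < ATH_TXFIFO_DEPTH && !key_in_use && !list_empty(&txq->txq_fifo[idx]); j++)`. A short comment that the cap exists because every FIFO slot can be non-empty at once would record why the counter is there, which matters because the commit message says this loop runs under spin_lock_bh(). The end of the loop body is outside the hunk.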
diff --git a/tmp-5.4/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch b/tmp-5.4/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch new file mode 100644 index 00000000000..1a4799b317f --- /dev/null +++ b/tmp-5.4/wifi-atmel-fix-an-error-handling-path-in-atmel_probe.patch 
@@ -0,0 +1,59 @@ +From 41583092311a31bbcc90465936756f233013064d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 09:53:14 +0200 +Subject: wifi: atmel: Fix an error handling path in atmel_probe() + +From: Christophe JAILLET + +[ Upstream commit 6b92e4351a29af52c285fe235e6e4d1a75de04b2 ] + +Should atmel_config() fail, some resources need to be released as already +done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +atmel_probe(), not atmel_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1e65f174607a83348034197fa7d603bab10ba4a9.1684569156.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/atmel/atmel_cs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/atmel/atmel_cs.c b/drivers/net/wireless/atmel/atmel_cs.c +index 7afc9c5329fb1..f5fa1a95b0c15 100644 +--- a/drivers/net/wireless/atmel/atmel_cs.c ++++ b/drivers/net/wireless/atmel/atmel_cs.c +@@ -73,6 +73,7 @@ struct local_info { + static int atmel_probe(struct pcmcia_device *p_dev) + { + struct local_info *local; ++ int ret; + + dev_dbg(&p_dev->dev, "atmel_attach()\n"); + +@@ -83,8 +84,16 @@ static int atmel_probe(struct pcmcia_device *p_dev) + + p_dev->priv = local; + +- return atmel_config(p_dev); +-} /* atmel_attach */ ++ ret = atmel_config(p_dev); ++ if (ret) ++ goto err_free_priv; ++ ++ return 0; ++ ++err_free_priv: ++ kfree(p_dev->priv); ++ return ret; ++} + + static void atmel_detach(struct pcmcia_device *link) + { +-- +2.39.2 + diff --git a/tmp-5.4/wifi-cfg80211-rewrite-merging-of-inherited-elements.patch b/tmp-5.4/wifi-cfg80211-rewrite-merging-of-inherited-elements.patch new file mode 100644 index 00000000000..8f6856119a4 --- /dev/null 
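Review bot: On the new `err_free_priv` path atmel_probe() frees `p_dev->priv` but leaves the pointer in place, so `p_dev` keeps a dangling reference after the probe fails. Clearing it costs one line and turns any later access into a NULL dereference instead of a use-after-free: `kfree(p_dev->priv);` followed by `p_dev->priv = NULL;`. Whether atmel_config() already releases part of what it set up before returning an error is not visible here, and is worth confirming so that nothing is released twice.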
+++ b/tmp-5.4/wifi-cfg80211-rewrite-merging-of-inherited-elements.patch 
@@ -0,0 +1,290 @@ +From a425af437544a834e787a98d16a6d4c9f473d0d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 09:54:03 +0300 +Subject: wifi: cfg80211: rewrite merging of inherited elements + +From: Benjamin Berg + +[ Upstream commit dfd9aa3e7a456d57b18021d66472ab7ff8373ab7 ] + +The cfg80211_gen_new_ie function merges the IEs using inheritance rules. +Rewrite this function to fix issues around inheritance rules. In +particular, vendor elements do not require any special handling, as they +are either all inherited or overridden by the subprofile. +Also, add fragmentation handling as this may be needed in some cases. + +This also changes the function to not require making a copy. The new +version could be optimized a bit by explicitly tracking which IEs have +been handled already rather than looking that up again every time. + +Note that a small behavioural change is the removal of the SSID special +handling. This should be fine for the MBSSID element, as the SSID must +be included in the subelement. 
+ +Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") +Signed-off-by: Benjamin Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230616094949.bc6152e146db.I2b5f3bc45085e1901e5b5192a674436adaf94748@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 213 ++++++++++++++++++++++++++------------------ + 1 file changed, 124 insertions(+), 89 deletions(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index c4c124cb5332b..e35c54ba2fd56 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -223,117 +223,152 @@ bool cfg80211_is_element_inherited(const struct element *elem, + } + EXPORT_SYMBOL(cfg80211_is_element_inherited); + +-static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, +- const u8 *subelement, size_t subie_len, +- u8 *new_ie, gfp_t gfp) ++static size_t cfg80211_copy_elem_with_frags(const struct element *elem, ++ const u8 *ie, size_t ie_len, ++ u8 **pos, u8 *buf, size_t buf_len) + { +- u8 *pos, *tmp; +- const u8 *tmp_old, *tmp_new; +- const struct element *non_inherit_elem; +- u8 *sub_copy; ++ if (WARN_ON((u8 *)elem < ie || elem->data > ie + ie_len || ++ elem->data + elem->datalen > ie + ie_len)) ++ return 0; + +- /* copy subelement as we need to change its content to +- * mark an ie after it is processed. 
+- */ +- sub_copy = kmemdup(subelement, subie_len, gfp); +- if (!sub_copy) ++ if (elem->datalen + 2 > buf + buf_len - *pos) + return 0; + +- pos = &new_ie[0]; ++ memcpy(*pos, elem, elem->datalen + 2); ++ *pos += elem->datalen + 2; + +- /* set new ssid */ +- tmp_new = cfg80211_find_ie(WLAN_EID_SSID, sub_copy, subie_len); +- if (tmp_new) { +- memcpy(pos, tmp_new, tmp_new[1] + 2); +- pos += (tmp_new[1] + 2); ++ /* Finish if it is not fragmented */ ++ if (elem->datalen != 255) ++ return *pos - buf; ++ ++ ie_len = ie + ie_len - elem->data - elem->datalen; ++ ie = (const u8 *)elem->data + elem->datalen; ++ ++ for_each_element(elem, ie, ie_len) { ++ if (elem->id != WLAN_EID_FRAGMENT) ++ break; ++ ++ if (elem->datalen + 2 > buf + buf_len - *pos) ++ return 0; ++ ++ memcpy(*pos, elem, elem->datalen + 2); ++ *pos += elem->datalen + 2; ++ ++ if (elem->datalen != 255) ++ break; + } + +- /* get non inheritance list if exists */ +- non_inherit_elem = +- cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, +- sub_copy, subie_len); ++ return *pos - buf; ++} + +- /* go through IEs in ie (skip SSID) and subelement, +- * merge them into new_ie ++static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen, ++ const u8 *subie, size_t subie_len, ++ u8 *new_ie, size_t new_ie_len) ++{ ++ const struct element *non_inherit_elem, *parent, *sub; ++ u8 *pos = new_ie; ++ u8 id, ext_id; ++ unsigned int match_len; ++ ++ non_inherit_elem = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, ++ subie, subie_len); ++ ++ /* We copy the elements one by one from the parent to the generated ++ * elements. ++ * If they are not inherited (included in subie or in the non ++ * inheritance element), then we copy all occurrences the first time ++ * we see this element type. + */ +- tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen); +- tmp_old = (tmp_old) ? 
tmp_old + tmp_old[1] + 2 : ie; +- +- while (tmp_old + 2 - ie <= ielen && +- tmp_old + tmp_old[1] + 2 - ie <= ielen) { +- if (tmp_old[0] == 0) { +- tmp_old++; ++ for_each_element(parent, ie, ielen) { ++ if (parent->id == WLAN_EID_FRAGMENT) + continue; ++ ++ if (parent->id == WLAN_EID_EXTENSION) { ++ if (parent->datalen < 1) ++ continue; ++ ++ id = WLAN_EID_EXTENSION; ++ ext_id = parent->data[0]; ++ match_len = 1; ++ } else { ++ id = parent->id; ++ match_len = 0; + } + +- if (tmp_old[0] == WLAN_EID_EXTENSION) +- tmp = (u8 *)cfg80211_find_ext_ie(tmp_old[2], sub_copy, +- subie_len); +- else +- tmp = (u8 *)cfg80211_find_ie(tmp_old[0], sub_copy, +- subie_len); ++ /* Find first occurrence in subie */ ++ sub = cfg80211_find_elem_match(id, subie, subie_len, ++ &ext_id, match_len, 0); + +- if (!tmp) { +- const struct element *old_elem = (void *)tmp_old; ++ /* Copy from parent if not in subie and inherited */ ++ if (!sub && ++ cfg80211_is_element_inherited(parent, non_inherit_elem)) { ++ if (!cfg80211_copy_elem_with_frags(parent, ++ ie, ielen, ++ &pos, new_ie, ++ new_ie_len)) ++ return 0; + +- /* ie in old ie but not in subelement */ +- if (cfg80211_is_element_inherited(old_elem, +- non_inherit_elem)) { +- memcpy(pos, tmp_old, tmp_old[1] + 2); +- pos += tmp_old[1] + 2; +- } +- } else { +- /* ie in transmitting ie also in subelement, +- * copy from subelement and flag the ie in subelement +- * as copied (by setting eid field to WLAN_EID_SSID, +- * which is skipped anyway). +- * For vendor ie, compare OUI + type + subType to +- * determine if they are the same ie. 
+- */ +- if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) { +- if (tmp_old[1] >= 5 && tmp[1] >= 5 && +- !memcmp(tmp_old + 2, tmp + 2, 5)) { +- /* same vendor ie, copy from +- * subelement +- */ +- memcpy(pos, tmp, tmp[1] + 2); +- pos += tmp[1] + 2; +- tmp[0] = WLAN_EID_SSID; +- } else { +- memcpy(pos, tmp_old, tmp_old[1] + 2); +- pos += tmp_old[1] + 2; +- } +- } else { +- /* copy ie from subelement into new ie */ +- memcpy(pos, tmp, tmp[1] + 2); +- pos += tmp[1] + 2; +- tmp[0] = WLAN_EID_SSID; +- } ++ continue; + } + +- if (tmp_old + tmp_old[1] + 2 - ie == ielen) +- break; ++ /* Already copied if an earlier element had the same type */ ++ if (cfg80211_find_elem_match(id, ie, (u8 *)parent - ie, ++ &ext_id, match_len, 0)) ++ continue; + +- tmp_old += tmp_old[1] + 2; ++ /* Not inheriting, copy all similar elements from subie */ ++ while (sub) { ++ if (!cfg80211_copy_elem_with_frags(sub, ++ subie, subie_len, ++ &pos, new_ie, ++ new_ie_len)) ++ return 0; ++ ++ sub = cfg80211_find_elem_match(id, ++ sub->data + sub->datalen, ++ subie_len + subie - ++ (sub->data + ++ sub->datalen), ++ &ext_id, match_len, 0); ++ } + } + +- /* go through subelement again to check if there is any ie not +- * copied to new ie, skip ssid, capability, bssid-index ie ++ /* The above misses elements that are included in subie but not in the ++ * parent, so do a pass over subie and append those. ++ * Skip the non-tx BSSID caps and non-inheritance element. 
+ */ +- tmp_new = sub_copy; +- while (tmp_new + 2 - sub_copy <= subie_len && +- tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) { +- if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP || +- tmp_new[0] == WLAN_EID_SSID)) { +- memcpy(pos, tmp_new, tmp_new[1] + 2); +- pos += tmp_new[1] + 2; ++ for_each_element(sub, subie, subie_len) { ++ if (sub->id == WLAN_EID_NON_TX_BSSID_CAP) ++ continue; ++ ++ if (sub->id == WLAN_EID_FRAGMENT) ++ continue; ++ ++ if (sub->id == WLAN_EID_EXTENSION) { ++ if (sub->datalen < 1) ++ continue; ++ ++ id = WLAN_EID_EXTENSION; ++ ext_id = sub->data[0]; ++ match_len = 1; ++ ++ if (ext_id == WLAN_EID_EXT_NON_INHERITANCE) ++ continue; ++ } else { ++ id = sub->id; ++ match_len = 0; + } +- if (tmp_new + tmp_new[1] + 2 - sub_copy == subie_len) +- break; +- tmp_new += tmp_new[1] + 2; ++ ++ /* Processed if one was included in the parent */ ++ if (cfg80211_find_elem_match(id, ie, ielen, ++ &ext_id, match_len, 0)) ++ continue; ++ ++ if (!cfg80211_copy_elem_with_frags(sub, subie, subie_len, ++ &pos, new_ie, new_ie_len)) ++ return 0; + } + +- kfree(sub_copy); + return pos - new_ie; + } + +@@ -1659,7 +1694,7 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy, + new_ie_len = cfg80211_gen_new_ie(ie, ielen, + profile, + profile_len, new_ie, +- gfp); ++ IEEE80211_MAX_DATA_LEN); + if (!new_ie_len) + continue; + +-- +2.39.2 + diff --git a/tmp-5.4/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch b/tmp-5.4/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch new file mode 100644 index 00000000000..4f154c0950b --- /dev/null +++ b/tmp-5.4/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch 
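Review bot: The output bound passed to cfg80211_gen_new_ie() in cfg80211_parse_mbssid_data() is the literal `IEEE80211_MAX_DATA_LEN`, so every length check in cfg80211_copy_elem_with_frags() is only as good as the assumption that new_ie was allocated with exactly that size. The allocation is outside the hunk; if it uses the same constant, a comment at the call such as `/* must equal the size new_ie was allocated with */`, or a shared local holding the size, would stop the two from drifting apart. The merged elements are parsed scan data according to the Fixes: line, so this bound is what keeps an oversized profile from writing past the buffer.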
@@ -0,0 +1,47 @@
+From d9c11a2569b0a90e134d2e38e12c135e5abd3856 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jun 2023 13:04:02 +0300
+Subject: wifi: iwlwifi: mvm: avoid baid size integer overflow
+
+From: Johannes Berg
+
+[ Upstream commit 1a528ab1da324d078ec60283c34c17848580df24 ]
+
+Roee reported various hard-to-debug crashes with pings in
+EHT aggregation scenarios. Enabling KASAN showed that we
+access the BAID allocation out of bounds, and looking at
+the code a bit shows that since the reorder buffer entry
+(struct iwl_mvm_reorder_buf_entry) is 128 bytes if debug
+such as lockdep is enabled, then staring from an agg size
+512 we overflow the size calculation, and allocate a much
+smaller structure than we should, causing slab corruption
+once we initialize this.
+
+Fix this by simply using u32 instead of u16.
+
+Reported-by: Roee Goldfiner
+Signed-off-by: Johannes Berg
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20230620125813.f428c856030d.I2c2bb808e945adb71bc15f5b2bac2d8957ea90eb@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+index a3255100e3fee..7befb92b5159c 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -2557,7 +2557,7 @@ int iwl_mvm_sta_rx_agg(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
+ }
+
+ if (iwl_mvm_has_new_rx_api(mvm) && start) {
+- u16 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]);
++ u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]);
+
+ /* sparse doesn't like the __align() so don't check */
+ #ifndef __CHECKER__
+--
+2.39.2
+
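Review bot: `u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]);` still narrows a size_t product into a fixed-width variable, so the fix holds only while buf_size times the entry size fits in 32 bits. Declaring it as `size_t reorder_buf_size = buf_size * sizeof(baid_data->entries[0]);` would remove the truncation rather than move its threshold. How the value feeds the allocation is outside the hunk, so it is worth confirming that nothing downstream stores it in a narrower field. The commit message describes the failure as an under-sized allocation followed by slab corruption, which is why the width deserves an explicit choice.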
diff --git a/tmp-5.4/wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch b/tmp-5.4/wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch
new file mode 100644
index 00000000000..45855f05071
--- /dev/null
+++ b/tmp-5.4/wifi-iwlwifi-pull-from-txqs-with-softirqs-disabled.patch
@@ -0,0 +1,47 @@
+From ad0c4ac8adf759d2f50c28ae3a1e881c1d5d6a35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jun 2023 12:41:22 +0300
+Subject: wifi: iwlwifi: pull from TXQs with softirqs disabled
+
+From: Johannes Berg
+
+[ Upstream commit 96fb6f47db24a712d650b0a9b9074873f273fb0e ]
+
+In mac80211, it's required that we pull from TXQs by calling
+ieee80211_tx_dequeue() only with softirqs disabled. However,
+in iwl_mvm_queue_state_change() we're often called with them
+enabled, e.g. from flush if anything was flushed, triggering
+a mac80211 warning.
+
+Fix that by disabling the softirqs across the TX call.
+
+Fixes: cfbc6c4c5b91 ("iwlwifi: mvm: support mac80211 TXQs model")
+Signed-off-by: Johannes Berg
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20230614123446.0feef7fa81db.I4dd62542d955b40dd8f0af34fa4accb9d0d17c7e@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index 5973eecbc0378..18c5975d7c037 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -1167,8 +1167,11 @@ static void iwl_mvm_queue_state_change(struct iwl_op_mode *op_mode,
+ mvmtxq = iwl_mvm_txq_from_mac80211(txq);
+ mvmtxq->stopped = !start;
+
+- if (start && mvmsta->sta_state != IEEE80211_STA_NOTEXIST)
++ if (start && mvmsta->sta_state != IEEE80211_STA_NOTEXIST) {
++ local_bh_disable();
+ iwl_mvm_mac_itxq_xmit(mvm->hw, txq);
++ local_bh_enable();
++ }
+ }
+
+ out:
+--
+2.39.2
+
diff --git a/tmp-5.4/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch b/tmp-5.4/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch new file mode 100644 index 00000000000..3b73b3017ce --- /dev/null +++ b/tmp-5.4/wifi-mwifiex-fix-the-size-of-a-memory-allocation-in-.patch 
@@ -0,0 +1,48 @@ +From 1085d36afdf3f8cf7e74b83e56c317c600b0b3ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 May 2023 15:53:15 +0200 +Subject: wifi: mwifiex: Fix the size of a memory allocation in + mwifiex_ret_802_11_scan() + +From: Christophe JAILLET + +[ Upstream commit d9aef04fcfa81ee4fb2804a21a3712b7bbd936af ] + +The type of "mwifiex_adapter->nd_info" is "struct cfg80211_wowlan_nd_info", +not "struct cfg80211_wowlan_nd_match". + +Use struct_size() to ease the computation of the needed size. + +The current code over-allocates some memory, so is safe. +But it wastes 32 bytes. + +Fixes: 7d7f07d8c5d3 ("mwifiex: add wowlan net-detect support") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/7a6074fb056d2181e058a3cc6048d8155c20aec7.1683371982.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/scan.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c +index 629af26675cf1..1ab04adc53dcd 100644 +--- a/drivers/net/wireless/marvell/mwifiex/scan.c ++++ b/drivers/net/wireless/marvell/mwifiex/scan.c +@@ -2202,9 +2202,9 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv, + + if (nd_config) { + adapter->nd_info = +- kzalloc(sizeof(struct cfg80211_wowlan_nd_match) + +- sizeof(struct cfg80211_wowlan_nd_match *) * +- scan_rsp->number_of_sets, GFP_ATOMIC); ++ kzalloc(struct_size(adapter->nd_info, matches, ++ scan_rsp->number_of_sets), ++ GFP_ATOMIC); + + if (adapter->nd_info) + adapter->nd_info->n_matches = scan_rsp->number_of_sets; +-- +2.39.2 + diff --git a/tmp-5.4/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch b/tmp-5.4/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch new file mode 100644 index 00000000000..e3d05a9c99f --- /dev/null 
+++ b/tmp-5.4/wifi-orinoco-fix-an-error-handling-path-in-orinoco_c.patch @@ -0,0 +1,58 @@ +From a82b964dc29e02673beba88eb3f3fac5fe8b3372 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 09:38:22 +0200 +Subject: wifi: orinoco: Fix an error handling path in orinoco_cs_probe() + +From: Christophe JAILLET + +[ Upstream commit 67a81d911c01225f426cc6bee2373df044c1a9b7 ] + +Should orinoco_cs_config() fail, some resources need to be released as +already done in the remove function. + +While at it, remove a useless and erroneous comment. The probe is +orinoco_cs_probe(), not orinoco_cs_attach(). + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/e24735ce4d82901d5f7ea08419eea53bfdde3d65.1684568286.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/orinoco/orinoco_cs.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c +index a956f965a1e5e..03bfd2482656c 100644 +--- a/drivers/net/wireless/intersil/orinoco/orinoco_cs.c ++++ b/drivers/net/wireless/intersil/orinoco/orinoco_cs.c +@@ -96,6 +96,7 @@ orinoco_cs_probe(struct pcmcia_device *link) + { + struct orinoco_private *priv; + struct orinoco_pccard *card; ++ int ret; + + priv = alloc_orinocodev(sizeof(*card), &link->dev, + orinoco_cs_hard_reset, NULL); +@@ -107,8 +108,16 @@ orinoco_cs_probe(struct pcmcia_device *link) + card->p_dev = link; + link->priv = priv; + +- return orinoco_cs_config(link); +-} /* orinoco_cs_attach */ ++ ret = orinoco_cs_config(link); ++ if (ret) ++ goto err_free_orinocodev; ++ ++ return 0; ++ ++err_free_orinocodev: ++ free_orinocodev(priv); ++ return ret; ++} + + static void orinoco_cs_detach(struct pcmcia_device *link) + { +-- +2.39.2 + 
diff --git a/tmp-5.4/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch b/tmp-5.4/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch new file mode 100644 index 00000000000..89c54373fa3 --- /dev/null +++ b/tmp-5.4/wifi-orinoco-fix-an-error-handling-path-in-spectrum_.patch 
@@ -0,0 +1,59 @@
+From a6a54d691126bd157751bdc6406d43f6dc884f66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 20 May 2023 09:29:46 +0200
+Subject: wifi: orinoco: Fix an error handling path in spectrum_cs_probe()
+
+From: Christophe JAILLET
+
+[ Upstream commit 925244325159824385209e3e0e3f91fa6bf0646c ]
+
+Should spectrum_cs_config() fail, some resources need to be released as
+already done in the remove function.
+
+While at it, remove a useless and erroneous comment. The probe is
+spectrum_cs_probe(), not spectrum_cs_attach().
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Simon Horman
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/c0bc0c21c58ca477fc5521607615bafbf2aef8eb.1684567733.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intersil/orinoco/spectrum_cs.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c
+index b60048c95e0a8..011c86e55923e 100644
+--- a/drivers/net/wireless/intersil/orinoco/spectrum_cs.c
++++ b/drivers/net/wireless/intersil/orinoco/spectrum_cs.c
+@@ -157,6 +157,7 @@ spectrum_cs_probe(struct pcmcia_device *link)
+ {
+ struct orinoco_private *priv;
+ struct orinoco_pccard *card;
++ int ret;
+
+ priv = alloc_orinocodev(sizeof(*card), &link->dev,
+ spectrum_cs_hard_reset,
+@@ -169,8 +170,16 @@ spectrum_cs_probe(struct pcmcia_device *link)
+ card->p_dev = link;
+ link->priv = priv;
+
+- return spectrum_cs_config(link);
+-} /* spectrum_cs_attach */
++ ret = spectrum_cs_config(link);
++ if (ret)
++ goto err_free_orinocodev;
++
++ return 0;
++
++err_free_orinocodev:
++ free_orinocodev(priv);
++ return ret;
++}
+
+ static void spectrum_cs_detach(struct pcmcia_device *link)
+ {
+--
+2.39.2
+
diff --git a/tmp-5.4/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch b/tmp-5.4/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch new file mode 100644 index 00000000000..9d5d25b4ffd --- /dev/null +++ b/tmp-5.4/wifi-ray_cs-drop-useless-status-variable-in-parse_ad.patch @@ -0,0 +1,53 @@ +From e5f704120e9c7703b284cdd5aba6b59e33ee59e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 19:44:14 +0300 +Subject: wifi: ray_cs: Drop useless status variable in parse_addr() + +From: Andy Shevchenko + +[ Upstream commit 4dfc63c002a555a2c3c34d89009532ad803be876 ] + +The status variable assigned only once and used also only once. +Replace it's usage by actual value. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220603164414.48436-2-andriy.shevchenko@linux.intel.com +Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ray_cs.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c +index 29dd303a7beae..be2d599536cd5 100644 +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -1643,7 +1643,6 @@ static int parse_addr(char *in_str, UCHAR *out) + { + int i, k; + int len; +- int status; + + if (in_str == NULL) + return 0; +@@ -1652,7 +1651,6 @@ static int parse_addr(char *in_str, UCHAR *out) + return 0; + memset(out, 0, ADDRLEN); + +- status = 1; + i = 5; + + while (len > 0) { +@@ -1670,7 +1668,7 @@ static int parse_addr(char *in_str, UCHAR *out) + if (!i--) + break; + } +- return status; ++ return 1; + } + + /*===========================================================================*/ +-- +2.39.2 + diff --git a/tmp-5.4/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch b/tmp-5.4/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch new file mode 100644 index 00000000000..0429aaa9f04 
--- /dev/null +++ b/tmp-5.4/wifi-ray_cs-fix-an-error-handling-path-in-ray_probe.patch 
@@ -0,0 +1,69 @@
+From 65be62ae0f66659dce4b99ad44de5557f5859187 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 20 May 2023 10:13:22 +0200
+Subject: wifi: ray_cs: Fix an error handling path in ray_probe()
+
+From: Christophe JAILLET
+
+[ Upstream commit 4f8d66a9fb2edcd05c1e563456a55a08910bfb37 ]
+
+Should ray_config() fail, some resources need to be released as already
+done in the remove function.
+
+While at it, remove a useless and erroneous comment. The probe is
+ray_probe(), not ray_attach().
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Simon Horman
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/8c544d18084f8b37dd108e844f7e79e85ff708ff.1684570373.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ray_cs.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c
+index be2d599536cd5..d9c1ac5cb5626 100644
+--- a/drivers/net/wireless/ray_cs.c
++++ b/drivers/net/wireless/ray_cs.c
+@@ -270,13 +270,14 @@ static int ray_probe(struct pcmcia_device *p_dev)
+ {
+ ray_dev_t *local;
+ struct net_device *dev;
++ int ret;
+
+ dev_dbg(&p_dev->dev, "ray_attach()\n");
+
+ /* Allocate space for private device-specific data */
+ dev = alloc_etherdev(sizeof(ray_dev_t));
+ if (!dev)
+- goto fail_alloc_dev;
++ return -ENOMEM;
+
+ local = netdev_priv(dev);
+ local->finder = p_dev;
+@@ -313,11 +314,16 @@ static int ray_probe(struct pcmcia_device *p_dev)
+ timer_setup(&local->timer, NULL, 0);
+
+ this_device = p_dev;
+- return ray_config(p_dev);
++ ret = ray_config(p_dev);
++ if (ret)
++ goto err_free_dev;
++
++ return 0;
+
+-fail_alloc_dev:
+- return -ENOMEM;
+-} /* ray_attach */
++err_free_dev:
++ free_netdev(dev);
++ return ret;
++}
+
+ static void ray_detach(struct pcmcia_device *link)
+ {
+--
+2.39.2
+
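Review bot: The new `err_free_dev` path in ray_probe() frees the net_device but leaves the pointer assigned by `this_device = p_dev;` a few lines earlier as it was. If ray_detach() clears that pointer (its body is outside this hunk), the failure path should do the same, with `this_device = NULL;` placed before `free_netdev(dev);`, so that nothing reaching the device through this_device later touches freed memory. The middle of ray_probe() is elided between the two hunks, so any other state published there before ray_config() runs needs the same check.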
diff --git a/tmp-5.4/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch b/tmp-5.4/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch new file mode 100644 index 00000000000..caf89aa20d5 --- /dev/null +++ b/tmp-5.4/wifi-ray_cs-utilize-strnlen-in-parse_addr.patch 
@@ -0,0 +1,67 @@ +From c404c684d64e7ee50c7ab10cc256f416600336ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 19:44:13 +0300 +Subject: wifi: ray_cs: Utilize strnlen() in parse_addr() + +From: Andy Shevchenko + +[ Upstream commit 9e8e9187673cb24324f9165dd47b2b28f60b0b10 ] + +Instead of doing simple operations and using an additional variable on stack, +utilize strnlen() and reuse len variable. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220603164414.48436-1-andriy.shevchenko@linux.intel.com +Stable-dep-of: 4f8d66a9fb2e ("wifi: ray_cs: Fix an error handling path in ray_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ray_cs.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c +index 3836d6ac53049..29dd303a7beae 100644 +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -1641,31 +1641,29 @@ static void authenticate_timeout(struct timer_list *t) + /*===========================================================================*/ + static int parse_addr(char *in_str, UCHAR *out) + { ++ int i, k; + int len; +- int i, j, k; + int status; + + if (in_str == NULL) + return 0; +- if ((len = strlen(in_str)) < 2) ++ len = strnlen(in_str, ADDRLEN * 2 + 1) - 1; ++ if (len < 1) + return 0; + memset(out, 0, ADDRLEN); + + status = 1; +- j = len - 1; +- if (j > 12) +- j = 12; + i = 5; + +- while (j > 0) { +- if ((k = hex_to_bin(in_str[j--])) != -1) ++ while (len > 0) { ++ if ((k = hex_to_bin(in_str[len--])) != -1) + out[i] = k; + else + return 0; + +- if (j == 0) ++ if (len == 0) + break; +- if ((k = hex_to_bin(in_str[j--])) != -1) ++ if ((k = hex_to_bin(in_str[len--])) != -1) + out[i] += k << 4; + else + return 0; +-- +2.39.2 + 
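Review bot: `len = strnlen(in_str, ADDRLEN * 2 + 1) - 1;` in parse_addr() relies on unsigned wrap-around for an empty string: strnlen() returns 0, the subtraction wraps in size_t, and only the conversion to int produces the negative value that `if (len < 1)` rejects. Splitting it into `len = strnlen(in_str, ADDRLEN * 2 + 1);`, `if (len < 2) return 0;` and `len--;` states the same limits without depending on the wrap. The loop indexes in_str[len] downward, so this cap is what bounds the reads; the end of the loop is outside the hunk.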
diff --git a/tmp-5.4/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch b/tmp-5.4/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch new file mode 100644 index 00000000000..0f5992cfe7a --- /dev/null +++ b/tmp-5.4/wifi-rsi-do-not-set-mmc_pm_keep_power-in-shutdown.patch @@ -0,0 +1,41 @@ +From 7f54909fa4d4f617280082714baa5f5e1d8eb7f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 May 2023 00:28:59 +0200 +Subject: wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown + +From: Marek Vasut + +[ Upstream commit e74f562328b03fbe9cf438f958464dff3a644dfc ] + +It makes no sense to set MMC_PM_KEEP_POWER in shutdown. The flag +indicates to the MMC subsystem to keep the slot powered on during +suspend, but in shutdown the slot should actually be powered off. +Drop this call. + +Fixes: 063848c3e155 ("rsi: sdio: Add WOWLAN support for S5 shutdown state") +Signed-off-by: Marek Vasut +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230527222859.273768-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rsi/rsi_91x_sdio.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio.c b/drivers/net/wireless/rsi/rsi_91x_sdio.c +index 4fe837090cdae..22b0567ad8261 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c ++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c +@@ -1479,9 +1479,6 @@ static void rsi_shutdown(struct device *dev) + if (sdev->write_fail) + rsi_dbg(INFO_ZONE, "###### Device is not ready #######\n"); + +- if (rsi_set_sdio_pm_caps(adapter)) +- rsi_dbg(INFO_ZONE, "Setting power management caps failed\n"); +- + rsi_dbg(INFO_ZONE, "***** RSI module shut down *****\n"); + } + +-- +2.39.2 + diff --git a/tmp-5.4/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch b/tmp-5.4/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch new file mode 100644 index 00000000000..c3c97165380 --- /dev/null 
+++ b/tmp-5.4/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch 
@@ -0,0 +1,71 @@ +From 993fa417304ccbc8f9e32804e8c193cccb79430c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 12:04:07 -0600 +Subject: wifi: wext-core: Fix -Wstringop-overflow warning in + ioctl_standard_iw_point() + +From: Gustavo A. R. Silva + +[ Upstream commit 71e7552c90db2a2767f5c17c7ec72296b0d92061 ] + +-Wstringop-overflow is legitimately warning us about extra_size +pontentially being zero at some point, hence potenially ending +up _allocating_ zero bytes of memory for extra pointer and then +trying to access such object in a call to copy_from_user(). + +Fix this by adding a sanity check to ensure we never end up +trying to allocate zero bytes of data for extra pointer, before +continue executing the rest of the code in the function. + +Address the following -Wstringop-overflow warning seen when built +m68k architecture with allyesconfig configuration: + from net/wireless/wext-core.c:11: +In function '_copy_from_user', + inlined from 'copy_from_user' at include/linux/uaccess.h:183:7, + inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7: +arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=] + 48 | #define memset(d, c, n) __builtin_memset(d, c, n) + | ^~~~~~~~~~~~~~~~~~~~~~~~~ +include/linux/uaccess.h:153:17: note: in expansion of macro 'memset' + 153 | memset(to + (n - res), 0, res); + | ^~~~~~ +In function 'kmalloc', + inlined from 'kzalloc' at include/linux/slab.h:694:9, + inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10: +include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc' + 577 | return __kmalloc(size, flags); + | ^~~~~~~~~~~~~~~~~~~~~~ + +This help with the ongoing efforts to globally enable +-Wstringop-overflow. + +Link: https://github.com/KSPP/linux/issues/315 +Signed-off-by: Gustavo A. R. 
Silva +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/ZItSlzvIpjdjNfd8@work +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/wext-core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c +index 76a80a41615be..a57f54bc0e1a7 100644 +--- a/net/wireless/wext-core.c ++++ b/net/wireless/wext-core.c +@@ -796,6 +796,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, + } + } + ++ /* Sanity-check to ensure we never end up _allocating_ zero ++ * bytes of data for extra. ++ */ ++ if (extra_size <= 0) ++ return -EFAULT; ++ + /* kzalloc() ensures NULL-termination for essid_compat. */ + extra = kzalloc(extra_size, GFP_KERNEL); + if (!extra) +-- +2.39.2 + diff --git a/tmp-5.4/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch b/tmp-5.4/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch new file mode 100644 index 00000000000..5b5193437cb --- /dev/null +++ b/tmp-5.4/wifi-wl3501_cs-fix-an-error-handling-path-in-wl3501_.patch 
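Review bot: The comment added above `if (extra_size <= 0)` in ioctl_standard_iw_point() says what the check does but not why the existing `if (!extra)` test is insufficient. kzalloc() of zero bytes returns ZERO_SIZE_PTR rather than NULL, so without the new check the function would continue with a non-NULL pointer to no storage. A comment such as `/* kzalloc(0) returns ZERO_SIZE_PTR, which passes the !extra check below */` would record that. How extra_size is computed is above the hunk, so the conditions under which it reaches zero are not visible here.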
@@ -0,0 +1,66 @@ +From 27ed8f9cf820b41bbf02b9d9948fd443406b59b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 May 2023 10:05:08 +0200 +Subject: wifi: wl3501_cs: Fix an error handling path in wl3501_probe() + +From: Christophe JAILLET + +[ Upstream commit 391af06a02e7642039ac5f6c4b2c034ab0992b5d ] + +Should wl3501_config() fail, some resources need to be released as already +done in the remove function. + +Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions") +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/7cc9c9316489b7d69b36aeb0edd3123538500b41.1684569865.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index ae660f25a0e5a..e6505624f0c28 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1862,6 +1862,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev) + { + struct net_device *dev; + struct wl3501_card *this; ++ int ret; + + /* The io structure describes IO port mapping */ + p_dev->resource[0]->end = 16; +@@ -1873,8 +1874,7 @@ static int wl3501_probe(struct pcmcia_device *p_dev) + + dev = alloc_etherdev(sizeof(struct wl3501_card)); + if (!dev) +- goto out_link; +- ++ return -ENOMEM; + + dev->netdev_ops = &wl3501_netdev_ops; + dev->watchdog_timeo = 5 * HZ; +@@ -1887,9 +1887,15 @@ static int wl3501_probe(struct pcmcia_device *p_dev) + netif_stop_queue(dev); + p_dev->priv = dev; + +- return wl3501_config(p_dev); +-out_link: +- return -ENOMEM; ++ ret = wl3501_config(p_dev); ++ if (ret) ++ goto out_free_etherdev; ++ ++ return 0; ++ ++out_free_etherdev: ++ free_netdev(dev); ++ return ret; + } + + static int wl3501_config(struct pcmcia_device *link) +-- +2.39.2 + 
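Review bot: On the new `out_free_etherdev` path in wl3501_probe(), `p_dev->priv` still points at the net_device that `free_netdev(dev)` has just released, because it is assigned before the wl3501_config() call. Nothing in the hunk shows a reader of `priv` after a failed probe, but clearing it keeps a stale pointer from being picked up later: add `p_dev->priv = NULL;` next to `free_netdev(dev);`. It is also worth confirming that every failure path in wl3501_config(), whose body is outside this hunk, has unregistered the device before returning, since free_netdev() must not be called on a netdev that is still registered.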
diff --git a/tmp-5.4/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch b/tmp-5.4/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch new file mode 100644 index 00000000000..37d30d2a967 --- /dev/null +++ b/tmp-5.4/wl3501_cs-fix-a-bunch-of-formatting-issues-related-t.patch 
@@ -0,0 +1,143 @@ +From 4df70183be4ba1ea9facec6034f736cafe92768c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 10:33:51 +0100 +Subject: wl3501_cs: Fix a bunch of formatting issues related to function docs + +From: Lee Jones + +[ Upstream commit 2307d0bc9d8b60299f255d1771ce0d997162a957 ] + +Fixes the following W=1 kernel build warning(s): + + In file included from drivers/net/wireless/wl3501_cs.c:57: + drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'channel' not described in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:162: warning: Function parameter or member 'reg_domain' not described in 'iw_default_channel' + drivers/net/wireless/wl3501_cs.c:248: warning: Function parameter or member 'this' not described in 'wl3501_set_to_wla' + drivers/net/wireless/wl3501_cs.c:270: warning: Function parameter or member 'this' not described in 'wl3501_get_from_wla' + drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'this' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:467: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:729: warning: Function parameter or member 'this' not described in 'wl3501_block_interrupt' + drivers/net/wireless/wl3501_cs.c:746: warning: Function parameter or member 'this' not described in 'wl3501_unblock_interrupt' + drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'irq' not described in 'wl3501_interrupt' + drivers/net/wireless/wl3501_cs.c:1124: warning: Function parameter or member 'dev_id' not described in 'wl3501_interrupt' + drivers/net/wireless/wl3501_cs.c:1257: warning: Function parameter or member 'dev' not 
described in 'wl3501_reset' + drivers/net/wireless/wl3501_cs.c:1420: warning: Function parameter or member 'link' not described in 'wl3501_detach' + +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: Fox Chen +Cc: de Melo +Cc: Gustavo Niemeyer +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200826093401.1458456-21-lee.jones@linaro.org +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index 8638c7c72bc30..b66c7d4798977 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -134,8 +134,8 @@ static const struct { + + /** + * iw_valid_channel - validate channel in regulatory domain +- * @reg_comain - regulatory domain +- * @channel - channel to validate ++ * @reg_comain: regulatory domain ++ * @channel: channel to validate + * + * Returns 0 if invalid in the specified regulatory domain, non-zero if valid. 
+ */ +@@ -154,7 +154,7 @@ static int iw_valid_channel(int reg_domain, int channel) + + /** + * iw_default_channel - get default channel for a regulatory domain +- * @reg_comain - regulatory domain ++ * @reg_domain: regulatory domain + * + * Returns the default channel for a regulatory domain + */ +@@ -237,6 +237,7 @@ static int wl3501_get_flash_mac_addr(struct wl3501_card *this) + + /** + * wl3501_set_to_wla - Move 'size' bytes from PC to card ++ * @this: Card + * @dest: Card addressing space + * @src: PC addressing space + * @size: Bytes to move +@@ -259,6 +260,7 @@ static void wl3501_set_to_wla(struct wl3501_card *this, u16 dest, void *src, + + /** + * wl3501_get_from_wla - Move 'size' bytes from card to PC ++ * @this: Card + * @src: Card addressing space + * @dest: PC addressing space + * @size: Bytes to move +@@ -455,7 +457,7 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend) + + /** + * wl3501_send_pkt - Send a packet. +- * @this - card ++ * @this: Card + * + * Send a packet. + * +@@ -723,7 +725,7 @@ static void wl3501_mgmt_scan_confirm(struct wl3501_card *this, u16 addr) + + /** + * wl3501_block_interrupt - Mask interrupt from SUTRO +- * @this - card ++ * @this: Card + * + * Mask interrupt from SUTRO. (i.e. SUTRO cannot interrupt the HOST) + * Return: 1 if interrupt is originally enabled +@@ -740,7 +742,7 @@ static int wl3501_block_interrupt(struct wl3501_card *this) + + /** + * wl3501_unblock_interrupt - Enable interrupt from SUTRO +- * @this - card ++ * @this: Card + * + * Enable interrupt from SUTRO. (i.e. SUTRO can interrupt the HOST) + * Return: 1 if interrupt is originally enabled +@@ -1114,8 +1116,8 @@ static inline void wl3501_ack_interrupt(struct wl3501_card *this) + + /** + * wl3501_interrupt - Hardware interrupt from card. 
+- * @irq - Interrupt number +- * @dev_id - net_device ++ * @irq: Interrupt number ++ * @dev_id: net_device + * + * We must acknowledge the interrupt as soon as possible, and block the + * interrupt from the same card immediately to prevent re-entry. +@@ -1251,7 +1253,7 @@ static int wl3501_close(struct net_device *dev) + + /** + * wl3501_reset - Reset the SUTRO. +- * @dev - network device ++ * @dev: network device + * + * It is almost the same as wl3501_open(). In fact, we may just wl3501_close() + * and wl3501_open() again, but I wouldn't like to free_irq() when the driver +@@ -1414,7 +1416,7 @@ static struct iw_statistics *wl3501_get_wireless_stats(struct net_device *dev) + + /** + * wl3501_detach - deletes a driver "instance" +- * @link - FILL_IN ++ * @link: FILL_IN + * + * This deletes a driver "instance". The device is de-registered with Card + * Services. If it has been released, all local data structures are freed. +-- +2.39.2 + diff --git a/tmp-5.4/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch b/tmp-5.4/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch new file mode 100644 index 00000000000..f1a12d70e04 --- /dev/null +++ b/tmp-5.4/wl3501_cs-fix-misspelling-and-provide-missing-docume.patch 
@@ -0,0 +1,64 @@ +From d06d8d3ae789dbce1284e8b6b777fc79b1b5c8c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Nov 2020 11:23:53 +0000 +Subject: wl3501_cs: Fix misspelling and provide missing documentation + +From: Lee Jones + +[ Upstream commit 8b8a6f8c3b50193d161c598a6784e721128d6dc3 ] + +Fixes the following W=1 kernel build warning(s): + + In file included from drivers/net/wireless/wl3501_cs.c:57: + drivers/net/wireless/wl3501_cs.c:143: warning: Function parameter or member 'reg_domain' not described in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:143: warning: Excess function parameter 'reg_comain' description in 'iw_valid_channel' + drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'data' not described in 'wl3501_send_pkt' + drivers/net/wireless/wl3501_cs.c:469: warning: Function parameter or member 'len' not described in 'wl3501_send_pkt' + +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: Fox Chen +Cc: de Melo +Cc: Gustavo Niemeyer +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20201102112410.1049272-25-lee.jones@linaro.org +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index cf67ea13dd8dc..115bb408d4f20 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -134,7 +134,7 @@ static const struct { + + /** + * iw_valid_channel - validate channel in regulatory domain +- * @reg_comain: regulatory domain ++ * @reg_domain: regulatory domain + * @channel: channel to validate + * + * Returns 0 if invalid in the specified regulatory domain, non-zero if valid. 
+@@ -458,11 +458,9 @@ static int wl3501_pwr_mgmt(struct wl3501_card *this, int suspend) + /** + * wl3501_send_pkt - Send a packet. + * @this: Card +- * +- * Send a packet. +- * +- * data = Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr, ++ * @data: Ethernet raw frame. (e.g. data[0] - data[5] is Dest MAC Addr, + * data[6] - data[11] is Src MAC Addr) ++ * @len: Packet length + * Ref: IEEE 802.11 + */ + static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len) +-- +2.39.2 + diff --git a/tmp-5.4/wl3501_cs-remove-unnecessary-null-check.patch b/tmp-5.4/wl3501_cs-remove-unnecessary-null-check.patch new file mode 100644 index 00000000000..40652f5a538 --- /dev/null +++ b/tmp-5.4/wl3501_cs-remove-unnecessary-null-check.patch 
@@ -0,0 +1,41 @@ +From b36352bf9fdd7de7a64645153974a7cbd0efbd00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Sep 2020 18:45:58 +0100 +Subject: wl3501_cs: Remove unnecessary NULL check + +From: Alex Dewar + +[ Upstream commit 1d2a85382282e7c77cbde5650335c3ffc6073fa1 ] + +In wl3501_detach(), link->priv is checked for a NULL value before being +passed to free_netdev(). However, it cannot be NULL at this point as it +has already been passed to other functions, so just remove the check. + +Addresses-Coverity: CID 710499: Null pointer dereferences (REVERSE_INULL) +Signed-off-by: Alex Dewar +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200926174558.9436-1-alex.dewar90@gmail.com +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index b66c7d4798977..cf67ea13dd8dc 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1437,9 +1437,7 @@ static void wl3501_detach(struct pcmcia_device *link) + wl3501_release(link); + + unregister_netdev(dev); +- +- if (link->priv) +- free_netdev(link->priv); ++ free_netdev(dev); + } + + static int wl3501_get_name(struct net_device *dev, struct iw_request_info *info, +-- +2.39.2 + diff --git a/tmp-5.4/wl3501_cs-use-eth_hw_addr_set.patch b/tmp-5.4/wl3501_cs-use-eth_hw_addr_set.patch new file mode 100644 index 00000000000..84dace2bc0e --- /dev/null +++ b/tmp-5.4/wl3501_cs-use-eth_hw_addr_set.patch 
@@ -0,0 +1,40 @@ +From 3e39d5992157add9db25d94eac1b2b90e2a50a00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 16:50:20 -0700 +Subject: wl3501_cs: use eth_hw_addr_set() + +From: Jakub Kicinski + +[ Upstream commit 18774612246d036c04ce9fee7f67192f96f48725 ] + +Commit 406f42fa0d3c ("net-next: When a bond have a massive amount +of VLANs...") introduced a rbtree for faster Ethernet address look +up. To maintain netdev->dev_addr in this tree we need to make all +the writes to it got through appropriate helpers. + +Signed-off-by: Jakub Kicinski +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211018235021.1279697-15-kuba@kernel.org +Stable-dep-of: 391af06a02e7 ("wifi: wl3501_cs: Fix an error handling path in wl3501_probe()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index 115bb408d4f20..ae660f25a0e5a 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1945,8 +1945,7 @@ static int wl3501_config(struct pcmcia_device *link) + goto failed; + } + +- for (i = 0; i < 6; i++) +- dev->dev_addr[i] = ((char *)&this->mac_addr)[i]; ++ eth_hw_addr_set(dev, this->mac_addr); + + /* print probe information */ + printk(KERN_INFO "%s: wl3501 @ 0x%3.3x, IRQ %d, " +-- +2.39.2 + diff --git a/tmp-5.4/workqueue-clean-up-work_-constant-types-clarify-masking.patch b/tmp-5.4/workqueue-clean-up-work_-constant-types-clarify-masking.patch new file mode 100644 index 00000000000..10d5fd72de7 --- /dev/null +++ b/tmp-5.4/workqueue-clean-up-work_-constant-types-clarify-masking.patch 
@@ -0,0 +1,140 @@ +From afa4bb778e48d79e4a642ed41e3b4e0de7489a6c Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Fri, 23 Jun 2023 12:08:14 -0700 +Subject: workqueue: clean up WORK_* constant types, clarify masking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +commit afa4bb778e48d79e4a642ed41e3b4e0de7489a6c upstream. + +Dave Airlie reports that gcc-13.1.1 has started complaining about some +of the workqueue code in 32-bit arm builds: + + kernel/workqueue.c: In function ‘get_work_pwq’: + kernel/workqueue.c:713:24: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] + 713 | return (void *)(data & WORK_STRUCT_WQ_DATA_MASK); + | ^ + [ ... a couple of other cases ... ] + +and while it's not immediately clear exactly why gcc started complaining +about it now, I suspect it's some C23-induced enum type handlign fixup in +gcc-13 is the cause. + +Whatever the reason for starting to complain, the code and data types +are indeed disgusting enough that the complaint is warranted. + +The wq code ends up creating various "helper constants" (like that +WORK_STRUCT_WQ_DATA_MASK) using an enum type, which is all kinds of +confused. The mask needs to be 'unsigned long', not some unspecified +enum type. + +To make matters worse, the actual "mask and cast to a pointer" is +repeated a couple of times, and the cast isn't even always done to the +right pointer, but - as the error case above - to a 'void *' with then +the compiler finishing the job. + +That's now how we roll in the kernel. + +So create the masks using the proper types rather than some ambiguous +enumeration, and use a nice helper that actually does the type +conversion in one well-defined place. + +Incidentally, this magically makes clang generate better code. That, +admittedly, is really just a sign of clang having been seriously +confused before, and cleaning up the typing unconfuses the compiler too. 
+ +Reported-by: Dave Airlie +Link: https://lore.kernel.org/lkml/CAPM=9twNnV4zMCvrPkw3H-ajZOH-01JVh_kDrxdPYQErz8ZTdA@mail.gmail.com/ +Cc: Arnd Bergmann +Cc: Tejun Heo +Cc: Nick Desaulniers +Cc: Nathan Chancellor +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/workqueue.h | 15 ++++++++------- + kernel/workqueue.c | 13 ++++++++----- + 2 files changed, 16 insertions(+), 12 deletions(-) + +--- a/include/linux/workqueue.h ++++ b/include/linux/workqueue.h +@@ -73,7 +73,6 @@ enum { + WORK_OFFQ_FLAG_BASE = WORK_STRUCT_COLOR_SHIFT, + + __WORK_OFFQ_CANCELING = WORK_OFFQ_FLAG_BASE, +- WORK_OFFQ_CANCELING = (1 << __WORK_OFFQ_CANCELING), + + /* + * When a work item is off queue, its high bits point to the last +@@ -84,12 +83,6 @@ enum { + WORK_OFFQ_POOL_SHIFT = WORK_OFFQ_FLAG_BASE + WORK_OFFQ_FLAG_BITS, + WORK_OFFQ_LEFT = BITS_PER_LONG - WORK_OFFQ_POOL_SHIFT, + WORK_OFFQ_POOL_BITS = WORK_OFFQ_LEFT <= 31 ? WORK_OFFQ_LEFT : 31, +- WORK_OFFQ_POOL_NONE = (1LU << WORK_OFFQ_POOL_BITS) - 1, +- +- /* convenience constants */ +- WORK_STRUCT_FLAG_MASK = (1UL << WORK_STRUCT_FLAG_BITS) - 1, +- WORK_STRUCT_WQ_DATA_MASK = ~WORK_STRUCT_FLAG_MASK, +- WORK_STRUCT_NO_POOL = (unsigned long)WORK_OFFQ_POOL_NONE << WORK_OFFQ_POOL_SHIFT, + + /* bit mask for work_busy() return values */ + WORK_BUSY_PENDING = 1 << 0, +@@ -99,6 +92,14 @@ enum { + WORKER_DESC_LEN = 24, + }; + ++/* Convenience constants - of type 'unsigned long', not 'enum'! 
*/ ++#define WORK_OFFQ_CANCELING (1ul << __WORK_OFFQ_CANCELING) ++#define WORK_OFFQ_POOL_NONE ((1ul << WORK_OFFQ_POOL_BITS) - 1) ++#define WORK_STRUCT_NO_POOL (WORK_OFFQ_POOL_NONE << WORK_OFFQ_POOL_SHIFT) ++ ++#define WORK_STRUCT_FLAG_MASK ((1ul << WORK_STRUCT_FLAG_BITS) - 1) ++#define WORK_STRUCT_WQ_DATA_MASK (~WORK_STRUCT_FLAG_MASK) ++ + struct work_struct { + atomic_long_t data; + struct list_head entry; +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -684,12 +684,17 @@ static void clear_work_data(struct work_ + set_work_data(work, WORK_STRUCT_NO_POOL, 0); + } + ++static inline struct pool_workqueue *work_struct_pwq(unsigned long data) ++{ ++ return (struct pool_workqueue *)(data & WORK_STRUCT_WQ_DATA_MASK); ++} ++ + static struct pool_workqueue *get_work_pwq(struct work_struct *work) + { + unsigned long data = atomic_long_read(&work->data); + + if (data & WORK_STRUCT_PWQ) +- return (void *)(data & WORK_STRUCT_WQ_DATA_MASK); ++ return work_struct_pwq(data); + else + return NULL; + } +@@ -717,8 +722,7 @@ static struct worker_pool *get_work_pool + assert_rcu_or_pool_mutex(); + + if (data & WORK_STRUCT_PWQ) +- return ((struct pool_workqueue *) +- (data & WORK_STRUCT_WQ_DATA_MASK))->pool; ++ return work_struct_pwq(data)->pool; + + pool_id = data >> WORK_OFFQ_POOL_SHIFT; + if (pool_id == WORK_OFFQ_POOL_NONE) +@@ -739,8 +743,7 @@ static int get_work_pool_id(struct work_ + unsigned long data = atomic_long_read(&work->data); + + if (data & WORK_STRUCT_PWQ) +- return ((struct pool_workqueue *) +- (data & WORK_STRUCT_WQ_DATA_MASK))->pool->id; ++ return work_struct_pwq(data)->pool->id; + + return data >> WORK_OFFQ_POOL_SHIFT; + } diff --git a/tmp-5.4/x86-cpu-amd-add-a-zenbleed-fix.patch b/tmp-5.4/x86-cpu-amd-add-a-zenbleed-fix.patch new file mode 100644 index 00000000000..781910d72f9 --- /dev/null +++ b/tmp-5.4/x86-cpu-amd-add-a-zenbleed-fix.patch 
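Review bot: The new helper `work_struct_pwq()` in kernel/workqueue.c masks and casts unconditionally, so its result is only meaningful when the caller has already tested `data & WORK_STRUCT_PWQ`; all three call sites in this patch do, but nothing on the helper says so. The workqueue.h context lines note that an off-queue item's high bits carry pool information rather than a pool_workqueue pointer, so a future caller that skips the test would get a bogus pointer. A one-line comment above the helper would record the precondition: `/* Only valid when WORK_STRUCT_PWQ is set in @data; otherwise the high bits are not a pwq pointer. */`.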
@@ -0,0 +1,161 @@ +From b2d362e150f1a48e95b4224e6ad860948f48c158 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Sat, 15 Jul 2023 13:41:28 +0200 +Subject: x86/cpu/amd: Add a Zenbleed fix + +From: "Borislav Petkov (AMD)" + +Upstream commit: 522b1d69219d8f083173819fde04f994aa051a98 + +Add a fix for the Zen2 VZEROUPPER data corruption bug where under +certain circumstances executing VZEROUPPER can cause register +corruption or leak data. + +The optimal fix is through microcode but in the case the proper +microcode revision has not been applied, enable a fallback fix using +a chicken bit. + +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/microcode.h | 1 + arch/x86/include/asm/microcode_amd.h | 2 + + arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/amd.c | 60 +++++++++++++++++++++++++++++++++++ + arch/x86/kernel/cpu/common.c | 2 + + 5 files changed, 66 insertions(+) + +--- a/arch/x86/include/asm/microcode.h ++++ b/arch/x86/include/asm/microcode.h +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + + struct ucode_patch { + struct list_head plist; +--- a/arch/x86/include/asm/microcode_amd.h ++++ b/arch/x86/include/asm/microcode_amd.h +@@ -48,11 +48,13 @@ extern void __init load_ucode_amd_bsp(un + extern void load_ucode_amd_ap(unsigned int family); + extern int __init save_microcode_in_initrd_amd(unsigned int family); + void reload_ucode_amd(unsigned int cpu); ++extern void amd_check_microcode(void); + #else + static inline void __init load_ucode_amd_bsp(unsigned int family) {} + static inline void load_ucode_amd_ap(unsigned int family) {} + static inline int __init + save_microcode_in_initrd_amd(unsigned int family) { return -EINVAL; } + static inline void reload_ucode_amd(unsigned int cpu) {} ++static inline void amd_check_microcode(void) {} + #endif + #endif /* _ASM_X86_MICROCODE_AMD_H */ +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -462,6 
+462,7 @@ + #define MSR_AMD64_DE_CFG 0xc0011029 + #define MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT 1 + #define MSR_AMD64_DE_CFG_LFENCE_SERIALIZE BIT_ULL(MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT) ++#define MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT 9 + + #define MSR_AMD64_BU_CFG2 0xc001102a + #define MSR_AMD64_IBSFETCHCTL 0xc0011030 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -69,6 +69,11 @@ static const int amd_erratum_383[] = + static const int amd_erratum_1054[] = + AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); + ++static const int amd_zenbleed[] = ++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0x30, 0x0, 0x4f, 0xf), ++ AMD_MODEL_RANGE(0x17, 0x60, 0x0, 0x7f, 0xf), ++ AMD_MODEL_RANGE(0x17, 0xa0, 0x0, 0xaf, 0xf)); ++ + static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) + { + int osvw_id = *erratum++; +@@ -980,6 +985,47 @@ static void init_amd_zn(struct cpuinfo_x + } + } + ++static bool cpu_has_zenbleed_microcode(void) ++{ ++ u32 good_rev = 0; ++ ++ switch (boot_cpu_data.x86_model) { ++ case 0x30 ... 0x3f: good_rev = 0x0830107a; break; ++ case 0x60 ... 0x67: good_rev = 0x0860010b; break; ++ case 0x68 ... 0x6f: good_rev = 0x08608105; break; ++ case 0x70 ... 0x7f: good_rev = 0x08701032; break; ++ case 0xa0 ... 
0xaf: good_rev = 0x08a00008; break; ++ ++ default: ++ return false; ++ break; ++ } ++ ++ if (boot_cpu_data.microcode < good_rev) ++ return false; ++ ++ return true; ++} ++ ++static void zenbleed_check(struct cpuinfo_x86 *c) ++{ ++ if (!cpu_has_amd_erratum(c, amd_zenbleed)) ++ return; ++ ++ if (cpu_has(c, X86_FEATURE_HYPERVISOR)) ++ return; ++ ++ if (!cpu_has(c, X86_FEATURE_AVX)) ++ return; ++ ++ if (!cpu_has_zenbleed_microcode()) { ++ pr_notice_once("Zenbleed: please update your microcode for the most optimal fix\n"); ++ msr_set_bit(MSR_AMD64_DE_CFG, MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT); ++ } else { ++ msr_clear_bit(MSR_AMD64_DE_CFG, MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT); ++ } ++} ++ + static void init_amd(struct cpuinfo_x86 *c) + { + early_init_amd(c); +@@ -1067,6 +1113,8 @@ static void init_amd(struct cpuinfo_x86 + msr_set_bit(MSR_K7_HWCR, MSR_K7_HWCR_IRPERF_EN_BIT); + + check_null_seg_clears_base(c); ++ ++ zenbleed_check(c); + } + + #ifdef CONFIG_X86_32 +@@ -1180,3 +1228,15 @@ void set_dr_addr_mask(unsigned long mask + break; + } + } ++ ++static void zenbleed_check_cpu(void *unused) ++{ ++ struct cpuinfo_x86 *c = &cpu_data(smp_processor_id()); ++ ++ zenbleed_check(c); ++} ++ ++void amd_check_microcode(void) ++{ ++ on_each_cpu(zenbleed_check_cpu, NULL, 1); ++} +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -2125,6 +2125,8 @@ void microcode_check(void) + + perf_check_microcode(); + ++ amd_check_microcode(); ++ + /* Reload CPUID max function as it might've changed. */ + info.cpuid_level = cpuid_eax(0); + diff --git a/tmp-5.4/x86-cpu-amd-move-the-errata-checking-functionality-up.patch b/tmp-5.4/x86-cpu-amd-move-the-errata-checking-functionality-up.patch new file mode 100644 index 00000000000..26d7baf7bdf --- /dev/null +++ b/tmp-5.4/x86-cpu-amd-move-the-errata-checking-functionality-up.patch 
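Review bot: `cpu_has_zenbleed_microcode()` reads `boot_cpu_data.x86_model` and `boot_cpu_data.microcode`, while its caller `zenbleed_check()` runs per CPU (from init_amd() and, through `on_each_cpu()`, from amd_check_microcode()) and sets or clears the DE_CFG fallback bit on the CPU it runs on. That is right only if every CPU carries the same microcode revision as the boot CPU when the check runs; if revisions can differ, a CPU still on older microcode could have the fallback bit cleared and be left without either mitigation. I would at least document the assumption above the function, e.g. `/* Uses boot_cpu_data: assumes all CPUs run the same microcode revision. */`, or pass `c` in and compare `c->microcode` instead. The `break;` after `return false;` in the `default:` case is unreachable and can be dropped.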
@@ -0,0 +1,181 @@ +From 334baad709246598bfd30587a0e98b0d90f3f596 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Sat, 15 Jul 2023 13:31:32 +0200 +Subject: x86/cpu/amd: Move the errata checking functionality up + +From: "Borislav Petkov (AMD)" + +Upstream commit: 8b6f687743dacce83dbb0c7cfacf88bab00f808a + +Avoid new and remove old forward declarations. + +No functional changes. + +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/amd.c | 139 ++++++++++++++++++++++------------------------ + 1 file changed, 67 insertions(+), 72 deletions(-) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -26,11 +26,6 @@ + + #include "cpu.h" + +-static const int amd_erratum_383[]; +-static const int amd_erratum_400[]; +-static const int amd_erratum_1054[]; +-static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum); +- + /* + * nodes_per_socket: Stores the number of nodes per socket. + * Refer to Fam15h Models 00-0fh BKDG - CPUID Fn8000_001E_ECX +@@ -38,6 +33,73 @@ static bool cpu_has_amd_erratum(struct c + */ + static u32 nodes_per_socket = 1; + ++/* ++ * AMD errata checking ++ * ++ * Errata are defined as arrays of ints using the AMD_LEGACY_ERRATUM() or ++ * AMD_OSVW_ERRATUM() macros. The latter is intended for newer errata that ++ * have an OSVW id assigned, which it takes as first argument. Both take a ++ * variable number of family-specific model-stepping ranges created by ++ * AMD_MODEL_RANGE(). ++ * ++ * Example: ++ * ++ * const int amd_erratum_319[] = ++ * AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2), ++ * AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0), ++ * AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0)); ++ */ ++ ++#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 } ++#define AMD_OSVW_ERRATUM(osvw_id, ...) 
{ osvw_id, __VA_ARGS__, 0 } ++#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \ ++ ((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end)) ++#define AMD_MODEL_RANGE_FAMILY(range) (((range) >> 24) & 0xff) ++#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff) ++#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff) ++ ++static const int amd_erratum_400[] = ++ AMD_OSVW_ERRATUM(1, AMD_MODEL_RANGE(0xf, 0x41, 0x2, 0xff, 0xf), ++ AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0xff, 0xf)); ++ ++static const int amd_erratum_383[] = ++ AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf)); ++ ++/* #1054: Instructions Retired Performance Counter May Be Inaccurate */ ++static const int amd_erratum_1054[] = ++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); ++ ++static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) ++{ ++ int osvw_id = *erratum++; ++ u32 range; ++ u32 ms; ++ ++ if (osvw_id >= 0 && osvw_id < 65536 && ++ cpu_has(cpu, X86_FEATURE_OSVW)) { ++ u64 osvw_len; ++ ++ rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, osvw_len); ++ if (osvw_id < osvw_len) { ++ u64 osvw_bits; ++ ++ rdmsrl(MSR_AMD64_OSVW_STATUS + (osvw_id >> 6), ++ osvw_bits); ++ return osvw_bits & (1ULL << (osvw_id & 0x3f)); ++ } ++ } ++ ++ /* OSVW unavailable or ID unknown, match family-model-stepping range */ ++ ms = (cpu->x86_model << 4) | cpu->x86_stepping; ++ while ((range = *erratum++)) ++ if ((cpu->x86 == AMD_MODEL_RANGE_FAMILY(range)) && ++ (ms >= AMD_MODEL_RANGE_START(range)) && ++ (ms <= AMD_MODEL_RANGE_END(range))) ++ return true; ++ ++ return false; ++} ++ + static inline int rdmsrl_amd_safe(unsigned msr, unsigned long long *p) + { + u32 gprs[8] = { 0 }; +@@ -1100,73 +1162,6 @@ static const struct cpu_dev amd_cpu_dev + + cpu_dev_register(amd_cpu_dev); + +-/* +- * AMD errata checking +- * +- * Errata are defined as arrays of ints using the AMD_LEGACY_ERRATUM() or +- * AMD_OSVW_ERRATUM() macros. 
The latter is intended for newer errata that +- * have an OSVW id assigned, which it takes as first argument. Both take a +- * variable number of family-specific model-stepping ranges created by +- * AMD_MODEL_RANGE(). +- * +- * Example: +- * +- * const int amd_erratum_319[] = +- * AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2), +- * AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0), +- * AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0)); +- */ +- +-#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 } +-#define AMD_OSVW_ERRATUM(osvw_id, ...) { osvw_id, __VA_ARGS__, 0 } +-#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \ +- ((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end)) +-#define AMD_MODEL_RANGE_FAMILY(range) (((range) >> 24) & 0xff) +-#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff) +-#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff) +- +-static const int amd_erratum_400[] = +- AMD_OSVW_ERRATUM(1, AMD_MODEL_RANGE(0xf, 0x41, 0x2, 0xff, 0xf), +- AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0xff, 0xf)); +- +-static const int amd_erratum_383[] = +- AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf)); +- +-/* #1054: Instructions Retired Performance Counter May Be Inaccurate */ +-static const int amd_erratum_1054[] = +- AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); +- +-static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) +-{ +- int osvw_id = *erratum++; +- u32 range; +- u32 ms; +- +- if (osvw_id >= 0 && osvw_id < 65536 && +- cpu_has(cpu, X86_FEATURE_OSVW)) { +- u64 osvw_len; +- +- rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, osvw_len); +- if (osvw_id < osvw_len) { +- u64 osvw_bits; +- +- rdmsrl(MSR_AMD64_OSVW_STATUS + (osvw_id >> 6), +- osvw_bits); +- return osvw_bits & (1ULL << (osvw_id & 0x3f)); +- } +- } +- +- /* OSVW unavailable or ID unknown, match family-model-stepping range */ +- ms = (cpu->x86_model << 4) | cpu->x86_stepping; +- while ((range = *erratum++)) +- if ((cpu->x86 == 
AMD_MODEL_RANGE_FAMILY(range)) && +- (ms >= AMD_MODEL_RANGE_START(range)) && +- (ms <= AMD_MODEL_RANGE_END(range))) +- return true; +- +- return false; +-} +- + void set_dr_addr_mask(unsigned long mask, int dr) + { + if (!boot_cpu_has(X86_FEATURE_BPEXT)) diff --git a/tmp-5.4/x86-microcode-amd-load-late-on-both-threads-too.patch b/tmp-5.4/x86-microcode-amd-load-late-on-both-threads-too.patch new file mode 100644 index 00000000000..6348e1be3de --- /dev/null +++ b/tmp-5.4/x86-microcode-amd-load-late-on-both-threads-too.patch @@ -0,0 +1,30 @@ +From a32b0f0db3f396f1c9be2fe621e77c09ec3d8e7d Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Tue, 2 May 2023 19:53:50 +0200 +Subject: x86/microcode/AMD: Load late on both threads too + +From: Borislav Petkov (AMD) + +commit a32b0f0db3f396f1c9be2fe621e77c09ec3d8e7d upstream. + +Do the same as early loading - load on both threads. + +Signed-off-by: Borislav Petkov (AMD) +Cc: +Link: https://lore.kernel.org/r/20230605141332.25948-1-bp@alien8.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/microcode/amd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/microcode/amd.c ++++ b/arch/x86/kernel/cpu/microcode/amd.c +@@ -700,7 +700,7 @@ static enum ucode_state apply_microcode_ + rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy); + + /* need to apply patch? */ +- if (rev >= mc_amd->hdr.patch_id) { ++ if (rev > mc_amd->hdr.patch_id) { + ret = UCODE_OK; + goto out; + } diff --git a/tmp-5.4/x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch b/tmp-5.4/x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch new file mode 100644 index 00000000000..da32d8dccd5 --- /dev/null +++ b/tmp-5.4/x86-resctrl-only-show-tasks-pid-in-current-pid-names.patch 
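Review bot: In the arch/x86/kernel/cpu/microcode/amd.c hunk the test becomes `rev > mc_amd->hdr.patch_id`, so a CPU already at exactly the patch revision now falls through and has the patch applied again, yet the comment above it still reads only `/* need to apply patch? */`. The reason is given only in the commit message (load on both threads, as early loading does); without it in the code the `>` reads like an off-by-one and invites a well-meant revert to `>=`. I would carry it into the comment, e.g. `/* Reapply when rev == patch_id too, so both threads get the patch, as in early loading. */`. The rest of the function, including what it returns after a same-revision reload, is outside the hunk.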
@@ -0,0 +1,55 @@
+From 2998ac05b3d91d2d6eefb6428647f8668e5b752e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 May 2023 14:04:48 +0800
+Subject: x86/resctrl: Only show tasks' pid in current pid namespace
+
+From: Shawn Wang
+
+[ Upstream commit 2997d94b5dd0e8b10076f5e0b6f18410c73e28bd ]
+
+When writing a task id to the "tasks" file in an rdtgroup,
+rdtgroup_tasks_write() treats the pid as a number in the current pid
+namespace. But when reading the "tasks" file, rdtgroup_tasks_show() shows
+the list of global pids from the init namespace, which is confusing and
+incorrect.
+
+To be more robust, let the "tasks" file only show pids in the current pid
+namespace.
+
+Fixes: e02737d5b826 ("x86/intel_rdt: Add tasks files")
+Signed-off-by: Shawn Wang
+Signed-off-by: Borislav Petkov (AMD)
+Acked-by: Reinette Chatre
+Acked-by: Fenghua Yu
+Tested-by: Reinette Chatre
+Link: https://lore.kernel.org/all/20230116071246.97717-1-shawnwang@linux.alibaba.com/
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/cpu/resctrl/rdtgroup.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/resctrl/rdtgroup.c b/arch/x86/kernel/cpu/resctrl/rdtgroup.c
+index 9de55fd77937c..91016bb18d4f9 100644
+--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c
++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c
+@@ -715,11 +715,15 @@ static ssize_t rdtgroup_tasks_write(struct kernfs_open_file *of,
+ static void show_rdt_tasks(struct rdtgroup *r, struct seq_file *s)
+ {
+ struct task_struct *p, *t;
++ pid_t pid;
+
+ rcu_read_lock();
+ for_each_process_thread(p, t) {
+- if (is_closid_match(t, r) || is_rmid_match(t, r))
+- seq_printf(s, "%d\n", t->pid);
++ if (is_closid_match(t, r) || is_rmid_match(t, r)) {
++ pid = task_pid_vnr(t);
++ if (pid)
++ seq_printf(s, "%d\n", pid);
++ }
+ }
+ rcu_read_unlock();
+ }
+--
+2.39.2
+
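Review bot: In show_rdt_tasks() the new `if (pid)` guard silently drops tasks, and nothing in the code says that this is the intended namespace filter. The change exists to stop the "tasks" file from showing init-namespace pids to a reader in another pid namespace, so a short comment would help, e.g. `/* task_pid_vnr() is 0 for tasks not visible in the reader's pid namespace; do not list them */`. `pid` is only used inside the matching branch, so it could also be declared there rather than at function scope.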
diff --git a/tmp-5.4/x86-resctrl-use-is_closid_match-in-more-places.patch b/tmp-5.4/x86-resctrl-use-is_closid_match-in-more-places.patch
new file mode 100644
index 00000000000..f506418469b
--- /dev/null
+++ b/tmp-5.4/x86-resctrl-use-is_closid_match-in-more-places.patch
@@ -0,0 +1,93 @@ +From 5d6ccb5d9f775e13243d8b7284ea6b7abb0a0e2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 16:39:25 +0000 +Subject: x86/resctrl: Use is_closid_match() in more places + +From: James Morse + +[ Upstream commit e6b2fac36fcc0b73cbef063d700a9841850e37a0 ] + +rdtgroup_tasks_assigned() and show_rdt_tasks() loop over threads testing +for a CTRL/MON group match by closid/rmid with the provided rdtgrp. +Further down the file are helpers to do this, move these further up and +make use of them here. + +These helpers additionally check for alloc/mon capable. This is harmless +as rdtgroup_mkdir() tests these capable flags before allowing the config +directories to be created. + +Signed-off-by: James Morse +Signed-off-by: Borislav Petkov +Reviewed-by: Reinette Chatre +Link: https://lkml.kernel.org/r/20200708163929.2783-7-james.morse@arm.com +Stable-dep-of: 2997d94b5dd0 ("x86/resctrl: Only show tasks' pid in current pid namespace") +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/resctrl/rdtgroup.c | 30 ++++++++++++-------------- + 1 file changed, 14 insertions(+), 16 deletions(-) + +diff --git a/arch/x86/kernel/cpu/resctrl/rdtgroup.c b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +index 0e4f14dae1c05..9de55fd77937c 100644 +--- a/arch/x86/kernel/cpu/resctrl/rdtgroup.c ++++ b/arch/x86/kernel/cpu/resctrl/rdtgroup.c +@@ -593,6 +593,18 @@ static int __rdtgroup_move_task(struct task_struct *tsk, + return 0; + } + ++static bool is_closid_match(struct task_struct *t, struct rdtgroup *r) ++{ ++ return (rdt_alloc_capable && ++ (r->type == RDTCTRL_GROUP) && (t->closid == r->closid)); ++} ++ ++static bool is_rmid_match(struct task_struct *t, struct rdtgroup *r) ++{ ++ return (rdt_mon_capable && ++ (r->type == RDTMON_GROUP) && (t->rmid == r->mon.rmid)); ++} ++ + /** + * rdtgroup_tasks_assigned - Test if tasks have been assigned to resource group + * @r: Resource group +@@ -608,8 +620,7 @@ int rdtgroup_tasks_assigned(struct rdtgroup *r) + + 
rcu_read_lock(); + for_each_process_thread(p, t) { +- if ((r->type == RDTCTRL_GROUP && t->closid == r->closid) || +- (r->type == RDTMON_GROUP && t->rmid == r->mon.rmid)) { ++ if (is_closid_match(t, r) || is_rmid_match(t, r)) { + ret = 1; + break; + } +@@ -707,8 +718,7 @@ static void show_rdt_tasks(struct rdtgroup *r, struct seq_file *s) + + rcu_read_lock(); + for_each_process_thread(p, t) { +- if ((r->type == RDTCTRL_GROUP && t->closid == r->closid) || +- (r->type == RDTMON_GROUP && t->rmid == r->mon.rmid)) ++ if (is_closid_match(t, r) || is_rmid_match(t, r)) + seq_printf(s, "%d\n", t->pid); + } + rcu_read_unlock(); +@@ -2148,18 +2158,6 @@ static int reset_all_ctrls(struct rdt_resource *r) + return 0; + } + +-static bool is_closid_match(struct task_struct *t, struct rdtgroup *r) +-{ +- return (rdt_alloc_capable && +- (r->type == RDTCTRL_GROUP) && (t->closid == r->closid)); +-} +- +-static bool is_rmid_match(struct task_struct *t, struct rdtgroup *r) +-{ +- return (rdt_mon_capable && +- (r->type == RDTMON_GROUP) && (t->rmid == r->mon.rmid)); +-} +- + /* + * Move tasks from one to the other group. If @from is NULL, then all tasks + * in the systems are moved unconditionally (used for teardown). +-- +2.39.2 + diff --git a/tmp-5.4/x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch b/tmp-5.4/x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch new file mode 100644 index 00000000000..ffc59744619 --- /dev/null +++ b/tmp-5.4/x86-smp-use-dedicated-cache-line-for-mwait_play_dead.patch 
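Review bot: The moved helpers is_closid_match() and is_rmid_match() carry no comment, yet they add the `rdt_alloc_capable` / `rdt_mon_capable` conditions to the loops in rdtgroup_tasks_assigned() and show_rdt_tasks(), which previously compared only type and closid/rmid. The commit message explains why this is harmless (rdtgroup_mkdir() tests the capable flags first), but that reasoning is not kept with the code. A one-line comment above each helper would preserve it, e.g. `/* Also false when allocation is not supported; see the capable checks in rdtgroup_mkdir(). */`. Both helpers only read through `t` and `r`, so the parameters could be `const`-qualified, provided the callers outside these hunks allow it.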
@@ -0,0 +1,91 @@ +From f9c9987bf52f4e42e940ae217333ebb5a4c3b506 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 15 Jun 2023 22:33:55 +0200 +Subject: x86/smp: Use dedicated cache-line for mwait_play_dead() + +From: Thomas Gleixner + +commit f9c9987bf52f4e42e940ae217333ebb5a4c3b506 upstream. + +Monitoring idletask::thread_info::flags in mwait_play_dead() has been an +obvious choice as all what is needed is a cache line which is not written +by other CPUs. + +But there is a use case where a "dead" CPU needs to be brought out of +MWAIT: kexec(). + +This is required as kexec() can overwrite text, pagetables, stacks and the +monitored cacheline of the original kernel. The latter causes MWAIT to +resume execution which obviously causes havoc on the kexec kernel which +results usually in triple faults. + +Use a dedicated per CPU storage to prepare for that. + +Signed-off-by: Thomas Gleixner +Reviewed-by: Ashok Raj +Reviewed-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230615193330.434553750@linutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/smpboot.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -99,6 +99,17 @@ DEFINE_PER_CPU_READ_MOSTLY(cpumask_var_t + DEFINE_PER_CPU_READ_MOSTLY(struct cpuinfo_x86, cpu_info); + EXPORT_PER_CPU_SYMBOL(cpu_info); + ++struct mwait_cpu_dead { ++ unsigned int control; ++ unsigned int status; ++}; ++ ++/* ++ * Cache line aligned data for mwait_play_dead(). Separate on purpose so ++ * that it's unlikely to be touched by other CPUs. ++ */ ++static DEFINE_PER_CPU_ALIGNED(struct mwait_cpu_dead, mwait_cpu_dead); ++ + /* Logical package management. 
We might want to allocate that dynamically */ + unsigned int __max_logical_packages __read_mostly; + EXPORT_SYMBOL(__max_logical_packages); +@@ -1675,10 +1686,10 @@ static bool wakeup_cpu0(void) + */ + static inline void mwait_play_dead(void) + { ++ struct mwait_cpu_dead *md = this_cpu_ptr(&mwait_cpu_dead); + unsigned int eax, ebx, ecx, edx; + unsigned int highest_cstate = 0; + unsigned int highest_subcstate = 0; +- void *mwait_ptr; + int i; + + if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD || +@@ -1713,13 +1724,6 @@ static inline void mwait_play_dead(void) + (highest_subcstate - 1); + } + +- /* +- * This should be a memory location in a cache line which is +- * unlikely to be touched by other processors. The actual +- * content is immaterial as it is not actually modified in any way. +- */ +- mwait_ptr = ¤t_thread_info()->flags; +- + wbinvd(); + + while (1) { +@@ -1731,9 +1735,9 @@ static inline void mwait_play_dead(void) + * case where we return around the loop. + */ + mb(); +- clflush(mwait_ptr); ++ clflush(md); + mb(); +- __monitor(mwait_ptr, 0, 0); ++ __monitor(md, 0, 0); + mb(); + __mwait(eax, 0); + /* diff --git a/tmp-5.4/xsk-honor-so_bindtodevice-on-bind.patch b/tmp-5.4/xsk-honor-so_bindtodevice-on-bind.patch new file mode 100644 index 00000000000..5ab4fa4185b --- /dev/null +++ b/tmp-5.4/xsk-honor-so_bindtodevice-on-bind.patch 
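Review bot: struct mwait_cpu_dead is added with two uncommented fields, `control` and `status`, that are not read or written in any of the visible hunks; only the address of the per-CPU object is passed to `clflush()` and `__monitor()`. The commit message says the dedicated storage prepares for bringing a "dead" CPU out of MWAIT before kexec() overwrites the monitored line, so the fields are presumably used by later patches. A comment on each field naming its intended writer and reader would make that clear. The removed comment also recorded that the monitored content is not modified; if that stops being true, the new block comment is the place to say so. mwait_play_dead() starts and ends outside the hunks shown.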
@@ -0,0 +1,101 @@
+From 846711fa26e61e053082b3796fa85fc102d26a60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Jul 2023 19:53:29 +0200
+Subject: xsk: Honor SO_BINDTODEVICE on bind
+
+From: Ilya Maximets
+
+[ Upstream commit f7306acec9aae9893d15e745c8791124d42ab10a ]
+
+Initial creation of an AF_XDP socket requires CAP_NET_RAW capability. A
+privileged process might create the socket and pass it to a non-privileged
+process for later use. However, that process will be able to bind the socket
+to any network interface. Even though it will not be able to receive any
+traffic without modification of the BPF map, the situation is not ideal.
+
+Sockets already have a mechanism that can be used to restrict what interface
+they can be attached to. That is SO_BINDTODEVICE.
+
+To change the SO_BINDTODEVICE binding the process will need CAP_NET_RAW.
+
+Make xsk_bind() honor the SO_BINDTODEVICE in order to allow safer workflow
+when non-privileged process is using AF_XDP.
+
+The intended workflow is following:
+
+ 1. First process creates a bare socket with socket(AF_XDP, ...).
+ 2. First process loads the XSK program to the interface.
+ 3. First process adds the socket fd to a BPF map.
+ 4. First process ties socket fd to a particular interface using
+ SO_BINDTODEVICE.
+ 5. First process sends socket fd to a second process.
+ 6. Second process allocates UMEM.
+ 7. Second process binds socket to the interface with bind(...).
+ 8. Second process sends/receives the traffic.
+
+All the steps above are possible today if the first process is privileged
+and the second one has sufficient RLIMIT_MEMLOCK and no capabilities.
+However, the second process will be able to bind the socket to any interface
+it wants on step 7 and send traffic from it. With the proposed change, the
+second process will be able to bind the socket only to a specific interface
+chosen by the first process at step 4.
+
+Fixes: 965a99098443 ("xsk: add support for bind for Rx")
+Signed-off-by: Ilya Maximets
+Signed-off-by: Daniel Borkmann
+Acked-by: Magnus Karlsson
+Acked-by: John Fastabend
+Acked-by: Jason Wang
+Link: https://lore.kernel.org/bpf/20230703175329.3259672-1-i.maximets@ovn.org
+Signed-off-by: Sasha Levin
+---
+ Documentation/networking/af_xdp.rst | 9 +++++++++
+ net/xdp/xsk.c | 5 +++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/Documentation/networking/af_xdp.rst b/Documentation/networking/af_xdp.rst
+index 7a4caaaf3a179..09b3943b3b719 100644
+--- a/Documentation/networking/af_xdp.rst
++++ b/Documentation/networking/af_xdp.rst
+@@ -378,6 +378,15 @@ start N bytes into the buffer leaving the first N bytes for the
+ application to use. The final option is the flags field, but it will
+ be dealt with in separate sections for each UMEM flag.
+
++SO_BINDTODEVICE setsockopt
++--------------------------
++
++This is a generic SOL_SOCKET option that can be used to tie AF_XDP
++socket to a particular network interface. It is useful when a socket
++is created by a privileged process and passed to a non-privileged one.
++Once the option is set, kernel will refuse attempts to bind that socket
++to a different interface. Updating the value requires CAP_NET_RAW.
++
+ XDP_STATISTICS getsockopt
+ -------------------------
+
+diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
+index 2bc0d6e3e124c..d04a2345bc3f5 100644
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -613,6 +613,7 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
+ struct sock *sk = sock->sk;
+ struct xdp_sock *xs = xdp_sk(sk);
+ struct net_device *dev;
++ int bound_dev_if;
+ u32 flags, qid;
+ int err = 0;
+
+@@ -626,6 +627,10 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
+ XDP_USE_NEED_WAKEUP))
+ return -EINVAL;
+
++ bound_dev_if = READ_ONCE(sk->sk_bound_dev_if);
++ if (bound_dev_if && bound_dev_if != sxdp->sxdp_ifindex)
++ return -EINVAL;
++
+ rtnl_lock();
+ mutex_lock(&xs->mutex);
+ if (xs->state != XSK_READY) {
+--
+2.39.2
+
diff --git a/tmp-5.4/xsk-improve-documentation-for-af_xdp.patch b/tmp-5.4/xsk-improve-documentation-for-af_xdp.patch
new file mode 100644
index 00000000000..ede2b97a9ef
--- /dev/null
+++ b/tmp-5.4/xsk-improve-documentation-for-af_xdp.patch
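Review bot: In xsk_bind() the new SO_BINDTODEVICE check reads `sk->sk_bound_dev_if` and returns before `rtnl_lock()` and `mutex_lock(&xs->mutex)` are taken, and the code does not say why an unlocked read is sufficient. Per the commit message, changing the binding requires CAP_NET_RAW, so the unprivileged holder of the fd presumably cannot alter it between the check and the bind. A comment at the check would record that restriction, e.g. `/* Honor SO_BINDTODEVICE: the fd holder may only bind to the interface the socket was tied to. */`. xsk_bind() continues outside the hunks shown.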
@@ -0,0 +1,423 @@ +From 0465515ac2c363884f8310d98987d80ba1245e80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2019 10:57:04 +0200 +Subject: xsk: Improve documentation for AF_XDP + +From: Magnus Karlsson + +[ Upstream commit e0e4f8e938c48b7c5377661fa3e4738901e6a19b ] + +Added sections on all the bind flags, libbpf, all the setsockopts and +all the getsockopts. Also updated the document to reflect the latest +features and to correct some spelling errors. + +v1 -> v2: +* Updated XDP program with latest BTF map format +* Added one more FAQ entry +* Some minor edits and corrections + +v2 -> v3: +* Simplified XDP_SHARED_UMEM example XDP program + +Signed-off-by: Magnus Karlsson +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/1571648224-16889-1-git-send-email-magnus.karlsson@intel.com +Stable-dep-of: f7306acec9aa ("xsk: Honor SO_BINDTODEVICE on bind") +Signed-off-by: Sasha Levin +--- + Documentation/networking/af_xdp.rst | 259 +++++++++++++++++++++++++--- + 1 file changed, 231 insertions(+), 28 deletions(-) + +diff --git a/Documentation/networking/af_xdp.rst b/Documentation/networking/af_xdp.rst +index 83f7ae5fc045e..7a4caaaf3a179 100644 +--- a/Documentation/networking/af_xdp.rst ++++ b/Documentation/networking/af_xdp.rst +@@ -40,13 +40,13 @@ allocates memory for this UMEM using whatever means it feels is most + appropriate (malloc, mmap, huge pages, etc). This memory area is then + registered with the kernel using the new setsockopt XDP_UMEM_REG. The + UMEM also has two rings: the FILL ring and the COMPLETION ring. The +-fill ring is used by the application to send down addr for the kernel ++FILL ring is used by the application to send down addr for the kernel + to fill in with RX packet data. References to these frames will then + appear in the RX ring once each packet has been received. 
The +-completion ring, on the other hand, contains frame addr that the ++COMPLETION ring, on the other hand, contains frame addr that the + kernel has transmitted completely and can now be used again by user + space, for either TX or RX. Thus, the frame addrs appearing in the +-completion ring are addrs that were previously transmitted using the ++COMPLETION ring are addrs that were previously transmitted using the + TX ring. In summary, the RX and FILL rings are used for the RX path + and the TX and COMPLETION rings are used for the TX path. + +@@ -91,11 +91,16 @@ Concepts + ======== + + In order to use an AF_XDP socket, a number of associated objects need +-to be setup. ++to be setup. These objects and their options are explained in the ++following sections. + +-Jonathan Corbet has also written an excellent article on LWN, +-"Accelerating networking with AF_XDP". It can be found at +-https://lwn.net/Articles/750845/. ++For an overview on how AF_XDP works, you can also take a look at the ++Linux Plumbers paper from 2018 on the subject: ++http://vger.kernel.org/lpc_net2018_talks/lpc18_paper_af_xdp_perf-v2.pdf. Do ++NOT consult the paper from 2017 on "AF_PACKET v4", the first attempt ++at AF_XDP. Nearly everything changed since then. Jonathan Corbet has ++also written an excellent article on LWN, "Accelerating networking ++with AF_XDP". It can be found at https://lwn.net/Articles/750845/. + + UMEM + ---- +@@ -113,22 +118,22 @@ the next socket B can do this by setting the XDP_SHARED_UMEM flag in + struct sockaddr_xdp member sxdp_flags, and passing the file descriptor + of A to struct sockaddr_xdp member sxdp_shared_umem_fd. + +-The UMEM has two single-producer/single-consumer rings, that are used ++The UMEM has two single-producer/single-consumer rings that are used + to transfer ownership of UMEM frames between the kernel and the + user-space application. 
+ + Rings + ----- + +-There are a four different kind of rings: Fill, Completion, RX and ++There are a four different kind of rings: FILL, COMPLETION, RX and + TX. All rings are single-producer/single-consumer, so the user-space + application need explicit synchronization of multiple + processes/threads are reading/writing to them. + +-The UMEM uses two rings: Fill and Completion. Each socket associated ++The UMEM uses two rings: FILL and COMPLETION. Each socket associated + with the UMEM must have an RX queue, TX queue or both. Say, that there + is a setup with four sockets (all doing TX and RX). Then there will be +-one Fill ring, one Completion ring, four TX rings and four RX rings. ++one FILL ring, one COMPLETION ring, four TX rings and four RX rings. + + The rings are head(producer)/tail(consumer) based rings. A producer + writes the data ring at the index pointed out by struct xdp_ring +@@ -146,7 +151,7 @@ The size of the rings need to be of size power of two. + UMEM Fill Ring + ~~~~~~~~~~~~~~ + +-The Fill ring is used to transfer ownership of UMEM frames from ++The FILL ring is used to transfer ownership of UMEM frames from + user-space to kernel-space. The UMEM addrs are passed in the ring. As + an example, if the UMEM is 64k and each chunk is 4k, then the UMEM has + 16 chunks and can pass addrs between 0 and 64k. +@@ -164,8 +169,8 @@ chunks mode, then the incoming addr will be left untouched. + UMEM Completion Ring + ~~~~~~~~~~~~~~~~~~~~ + +-The Completion Ring is used transfer ownership of UMEM frames from +-kernel-space to user-space. Just like the Fill ring, UMEM indicies are ++The COMPLETION Ring is used transfer ownership of UMEM frames from ++kernel-space to user-space. Just like the FILL ring, UMEM indices are + used. + + Frames passed from the kernel to user-space are frames that has been +@@ -181,7 +186,7 @@ The RX ring is the receiving side of a socket. Each entry in the ring + is a struct xdp_desc descriptor. 
The descriptor contains UMEM offset + (addr) and the length of the data (len). + +-If no frames have been passed to kernel via the Fill ring, no ++If no frames have been passed to kernel via the FILL ring, no + descriptors will (or can) appear on the RX ring. + + The user application consumes struct xdp_desc descriptors from this +@@ -199,8 +204,24 @@ be relaxed in the future. + The user application produces struct xdp_desc descriptors to this + ring. + ++Libbpf ++====== ++ ++Libbpf is a helper library for eBPF and XDP that makes using these ++technologies a lot simpler. It also contains specific helper functions ++in tools/lib/bpf/xsk.h for facilitating the use of AF_XDP. It ++contains two types of functions: those that can be used to make the ++setup of AF_XDP socket easier and ones that can be used in the data ++plane to access the rings safely and quickly. To see an example on how ++to use this API, please take a look at the sample application in ++samples/bpf/xdpsock_usr.c which uses libbpf for both setup and data ++plane operations. ++ ++We recommend that you use this library unless you have become a power ++user. It will make your program a lot simpler. ++ + XSKMAP / BPF_MAP_TYPE_XSKMAP +----------------------------- ++============================ + + On XDP side there is a BPF map type BPF_MAP_TYPE_XSKMAP (XSKMAP) that + is used in conjunction with bpf_redirect_map() to pass the ingress +@@ -216,21 +237,184 @@ queue 17. Only the XDP program executing for eth0 and queue 17 will + successfully pass data to the socket. Please refer to the sample + application (samples/bpf/) in for an example. + ++Configuration Flags and Socket Options ++====================================== ++ ++These are the various configuration flags that can be used to control ++and monitor the behavior of AF_XDP sockets. ++ ++XDP_COPY and XDP_ZERO_COPY bind flags ++------------------------------------- ++ ++When you bind to a socket, the kernel will first try to use zero-copy ++copy. 
If zero-copy is not supported, it will fall back on using copy ++mode, i.e. copying all packets out to user space. But if you would ++like to force a certain mode, you can use the following flags. If you ++pass the XDP_COPY flag to the bind call, the kernel will force the ++socket into copy mode. If it cannot use copy mode, the bind call will ++fail with an error. Conversely, the XDP_ZERO_COPY flag will force the ++socket into zero-copy mode or fail. ++ ++XDP_SHARED_UMEM bind flag ++------------------------- ++ ++This flag enables you to bind multiple sockets to the same UMEM, but ++only if they share the same queue id. In this mode, each socket has ++their own RX and TX rings, but the UMEM (tied to the fist socket ++created) only has a single FILL ring and a single COMPLETION ++ring. To use this mode, create the first socket and bind it in the normal ++way. Create a second socket and create an RX and a TX ring, or at ++least one of them, but no FILL or COMPLETION rings as the ones from ++the first socket will be used. In the bind call, set he ++XDP_SHARED_UMEM option and provide the initial socket's fd in the ++sxdp_shared_umem_fd field. You can attach an arbitrary number of extra ++sockets this way. ++ ++What socket will then a packet arrive on? This is decided by the XDP ++program. Put all the sockets in the XSK_MAP and just indicate which ++index in the array you would like to send each packet to. A simple ++round-robin example of distributing packets is shown below: ++ ++.. 
code-block:: c ++ ++ #include ++ #include "bpf_helpers.h" ++ ++ #define MAX_SOCKS 16 ++ ++ struct { ++ __uint(type, BPF_MAP_TYPE_XSKMAP); ++ __uint(max_entries, MAX_SOCKS); ++ __uint(key_size, sizeof(int)); ++ __uint(value_size, sizeof(int)); ++ } xsks_map SEC(".maps"); ++ ++ static unsigned int rr; ++ ++ SEC("xdp_sock") int xdp_sock_prog(struct xdp_md *ctx) ++ { ++ rr = (rr + 1) & (MAX_SOCKS - 1); ++ ++ return bpf_redirect_map(&xsks_map, rr, 0); ++ } ++ ++Note, that since there is only a single set of FILL and COMPLETION ++rings, and they are single producer, single consumer rings, you need ++to make sure that multiple processes or threads do not use these rings ++concurrently. There are no synchronization primitives in the ++libbpf code that protects multiple users at this point in time. ++ ++XDP_USE_NEED_WAKEUP bind flag ++----------------------------- ++ ++This option adds support for a new flag called need_wakeup that is ++present in the FILL ring and the TX ring, the rings for which user ++space is a producer. When this option is set in the bind call, the ++need_wakeup flag will be set if the kernel needs to be explicitly ++woken up by a syscall to continue processing packets. If the flag is ++zero, no syscall is needed. ++ ++If the flag is set on the FILL ring, the application needs to call ++poll() to be able to continue to receive packets on the RX ring. This ++can happen, for example, when the kernel has detected that there are no ++more buffers on the FILL ring and no buffers left on the RX HW ring of ++the NIC. In this case, interrupts are turned off as the NIC cannot ++receive any packets (as there are no buffers to put them in), and the ++need_wakeup flag is set so that user space can put buffers on the ++FILL ring and then call poll() so that the kernel driver can put these ++buffers on the HW ring and start to receive packets. 
++ ++If the flag is set for the TX ring, it means that the application ++needs to explicitly notify the kernel to send any packets put on the ++TX ring. This can be accomplished either by a poll() call, as in the ++RX path, or by calling sendto(). ++ ++An example of how to use this flag can be found in ++samples/bpf/xdpsock_user.c. An example with the use of libbpf helpers ++would look like this for the TX path: ++ ++.. code-block:: c ++ ++ if (xsk_ring_prod__needs_wakeup(&my_tx_ring)) ++ sendto(xsk_socket__fd(xsk_handle), NULL, 0, MSG_DONTWAIT, NULL, 0); ++ ++I.e., only use the syscall if the flag is set. ++ ++We recommend that you always enable this mode as it usually leads to ++better performance especially if you run the application and the ++driver on the same core, but also if you use different cores for the ++application and the kernel driver, as it reduces the number of ++syscalls needed for the TX path. ++ ++XDP_{RX|TX|UMEM_FILL|UMEM_COMPLETION}_RING setsockopts ++------------------------------------------------------ ++ ++These setsockopts sets the number of descriptors that the RX, TX, ++FILL, and COMPLETION rings respectively should have. It is mandatory ++to set the size of at least one of the RX and TX rings. If you set ++both, you will be able to both receive and send traffic from your ++application, but if you only want to do one of them, you can save ++resources by only setting up one of them. Both the FILL ring and the ++COMPLETION ring are mandatory if you have a UMEM tied to your socket, ++which is the normal case. But if the XDP_SHARED_UMEM flag is used, any ++socket after the first one does not have a UMEM and should in that ++case not have any FILL or COMPLETION rings created. ++ ++XDP_UMEM_REG setsockopt ++----------------------- ++ ++This setsockopt registers a UMEM to a socket. This is the area that ++contain all the buffers that packet can recide in. The call takes a ++pointer to the beginning of this area and the size of it. 
Moreover, it ++also has parameter called chunk_size that is the size that the UMEM is ++divided into. It can only be 2K or 4K at the moment. If you have an ++UMEM area that is 128K and a chunk size of 2K, this means that you ++will be able to hold a maximum of 128K / 2K = 64 packets in your UMEM ++area and that your largest packet size can be 2K. ++ ++There is also an option to set the headroom of each single buffer in ++the UMEM. If you set this to N bytes, it means that the packet will ++start N bytes into the buffer leaving the first N bytes for the ++application to use. The final option is the flags field, but it will ++be dealt with in separate sections for each UMEM flag. ++ ++XDP_STATISTICS getsockopt ++------------------------- ++ ++Gets drop statistics of a socket that can be useful for debug ++purposes. The supported statistics are shown below: ++ ++.. code-block:: c ++ ++ struct xdp_statistics { ++ __u64 rx_dropped; /* Dropped for reasons other than invalid desc */ ++ __u64 rx_invalid_descs; /* Dropped due to invalid descriptor */ ++ __u64 tx_invalid_descs; /* Dropped due to invalid descriptor */ ++ }; ++ ++XDP_OPTIONS getsockopt ++---------------------- ++ ++Gets options from an XDP socket. The only one supported so far is ++XDP_OPTIONS_ZEROCOPY which tells you if zero-copy is on or not. ++ + Usage + ===== + +-In order to use AF_XDP sockets there are two parts needed. The ++In order to use AF_XDP sockets two parts are needed. The + user-space application and the XDP program. For a complete setup and + usage example, please refer to the sample application. The user-space + side is xdpsock_user.c and the XDP side is part of libbpf. + +-The XDP code sample included in tools/lib/bpf/xsk.c is the following:: ++The XDP code sample included in tools/lib/bpf/xsk.c is the following: ++ ++.. 
code-block:: c + + SEC("xdp_sock") int xdp_sock_prog(struct xdp_md *ctx) + { + int index = ctx->rx_queue_index; + +- // A set entry here means that the correspnding queue_id ++ // A set entry here means that the corresponding queue_id + // has an active AF_XDP socket bound to it. + if (bpf_map_lookup_elem(&xsks_map, &index)) + return bpf_redirect_map(&xsks_map, index, 0); +@@ -238,7 +422,10 @@ The XDP code sample included in tools/lib/bpf/xsk.c is the following:: + return XDP_PASS; + } + +-Naive ring dequeue and enqueue could look like this:: ++A simple but not so performance ring dequeue and enqueue could look ++like this: ++ ++.. code-block:: c + + // struct xdp_rxtx_ring { + // __u32 *producer; +@@ -287,17 +474,16 @@ Naive ring dequeue and enqueue could look like this:: + return 0; + } + +- +-For a more optimized version, please refer to the sample application. ++But please use the libbpf functions as they are optimized and ready to ++use. Will make your life easier. + + Sample application + ================== + + There is a xdpsock benchmarking/test application included that +-demonstrates how to use AF_XDP sockets with both private and shared +-UMEMs. Say that you would like your UDP traffic from port 4242 to end +-up in queue 16, that we will enable AF_XDP on. Here, we use ethtool +-for this:: ++demonstrates how to use AF_XDP sockets with private UMEMs. Say that ++you would like your UDP traffic from port 4242 to end up in queue 16, ++that we will enable AF_XDP on. Here, we use ethtool for this:: + + ethtool -N p3p2 rx-flow-hash udp4 fn + ethtool -N p3p2 flow-type udp4 src-port 4242 dst-port 4242 \ +@@ -311,13 +497,18 @@ using:: + For XDP_SKB mode, use the switch "-S" instead of "-N" and all options + can be displayed with "-h", as usual. + ++This sample application uses libbpf to make the setup and usage of ++AF_XDP simpler. 
If you want to know how the raw uapi of AF_XDP is ++really used to make something more advanced, take a look at the libbpf ++code in tools/lib/bpf/xsk.[ch]. ++ + FAQ + ======= + + Q: I am not seeing any traffic on the socket. What am I doing wrong? + + A: When a netdev of a physical NIC is initialized, Linux usually +- allocates one Rx and Tx queue pair per core. So on a 8 core system, ++ allocates one RX and TX queue pair per core. So on a 8 core system, + queue ids 0 to 7 will be allocated, one per core. In the AF_XDP + bind call or the xsk_socket__create libbpf function call, you + specify a specific queue id to bind to and it is only the traffic +@@ -343,9 +534,21 @@ A: When a netdev of a physical NIC is initialized, Linux usually + sudo ethtool -N flow-type udp4 src-port 4242 dst-port \ + 4242 action 2 + +- A number of other ways are possible all up to the capabilitites of ++ A number of other ways are possible all up to the capabilities of + the NIC you have. + ++Q: Can I use the XSKMAP to implement a switch betwen different umems ++ in copy mode? ++ ++A: The short answer is no, that is not supported at the moment. The ++ XSKMAP can only be used to switch traffic coming in on queue id X ++ to sockets bound to the same queue id X. The XSKMAP can contain ++ sockets bound to different queue ids, for example X and Y, but only ++ traffic goming in from queue id Y can be directed to sockets bound ++ to the same queue id Y. In zero-copy mode, you should use the ++ switch, or other distribution mechanism, in your NIC to direct ++ traffic to the correct queue id and socket. ++ + Credits + ======= + +-- +2.39.2 + diff --git a/tmp-5.4/xtensa-iss-fix-call-to-split_if_spec.patch b/tmp-5.4/xtensa-iss-fix-call-to-split_if_spec.patch new file mode 100644 index 00000000000..9d44f1d6a98 --- /dev/null +++ b/tmp-5.4/xtensa-iss-fix-call-to-split_if_spec.patch 
@@ -0,0 +1,34 @@
+From bc8d5916541fa19ca5bc598eb51a5f78eb891a36 Mon Sep 17 00:00:00 2001
+From: Max Filippov
+Date: Mon, 3 Jul 2023 11:01:42 -0700
+Subject: xtensa: ISS: fix call to split_if_spec
+
+From: Max Filippov
+
+commit bc8d5916541fa19ca5bc598eb51a5f78eb891a36 upstream.
+
+split_if_spec expects a NULL-pointer as an end marker for the argument
+list, but tuntap_probe never supplied that terminating NULL. As a result
+incorrectly formatted interface specification string may cause a crash
+because of the random memory access. Fix that by adding NULL terminator
+to the split_if_spec argument list.
+
+Cc: stable@vger.kernel.org
+Fixes: 7282bee78798 ("[PATCH] xtensa: Architecture support for Tensilica Xtensa Part 8")
+Signed-off-by: Max Filippov
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/xtensa/platforms/iss/network.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/xtensa/platforms/iss/network.c
++++ b/arch/xtensa/platforms/iss/network.c
+@@ -231,7 +231,7 @@ static int tuntap_probe(struct iss_net_p
+
+ init += sizeof(TRANSPORT_TUNTAP_NAME) - 1;
+ if (*init == ',') {
+- rem = split_if_spec(init + 1, &mac_str, &dev_name);
++ rem = split_if_spec(init + 1, &mac_str, &dev_name, NULL);
+ if (rem != NULL) {
+ pr_err("%s: extra garbage on specification : '%s'\n",
+ dev->name, rem);
diff --git a/tmp-6.1/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch b/tmp-6.1/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch
new file mode 100644
index 00000000000..b2ef9946ee4
--- /dev/null
+++ b/tmp-6.1/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch
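Review bot: The fix in tuntap_probe() still relies on every caller of split_if_spec() remembering the terminating `NULL`, which is exactly what was missed here. split_if_spec() is declared outside the hunk, so this cannot be confirmed from here, but if it is a plain variadic function, marking its declaration with `__attribute__((sentinel))` would let the compiler warn about a call that lacks the terminator. Failing that, a comment at the call, e.g. `/* argument list must end with NULL */`, documents the contract. tuntap_probe() starts and ends outside the hunk.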
@@ -0,0 +1,41 @@
+From 92bf9e7e60ec477f33e9520a2f8ed58c717a4f9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jun 2023 20:45:04 +0200
+Subject: ACPI: video: Add backlight=native DMI quirk for Dell Studio 1569
+
+From: Hans de Goede
+
+[ Upstream commit 23d28cc0444be3f694eb986cd653b6888b78431d ]
+
+The Dell Studio 1569 predates Windows 8, so it defaults to using
+acpi_video# for backlight control, but this is non functional on
+this model.
+
+Add a DMI quirk to use the native intel_backlight interface which
+does work properly.
+
+Reported-by: raycekarneal
+Signed-off-by: Hans de Goede
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/video_detect.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -512,6 +512,14 @@ static const struct dmi_system_id video_
+ },
+ {
+ .callback = video_detect_force_native,
++ /* Dell Studio 1569 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Studio 1569"),
++ },
++ },
++ {
++ .callback = video_detect_force_native,
+ /* Acer Aspire 3830TG */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
diff --git a/tmp-6.1/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch b/tmp-6.1/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch
new file mode 100644
index 00000000000..6ea2cf0afbf
--- /dev/null
+++ b/tmp-6.1/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch
@@ -0,0 +1,150 @@ +From af0f59a65f332284ca2bf7579e4158dff37dc62d Mon Sep 17 00:00:00 2001 +From: Oswald Buddenhagen +Date: Wed, 10 May 2023 19:39:05 +0200 +Subject: [PATCH AUTOSEL 4.19 02/11] ALSA: emu10k1: roll up loops in DSP setup + code for Audigy +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 4.19.288 + +[ Upstream commit 8cabf83c7aa54530e699be56249fb44f9505c4f3 ] + +There is no apparent reason for the massive code duplication. + +Signed-off-by: Oswald Buddenhagen +Link: https://lore.kernel.org/r/20230510173917.3073107-3-oswald.buddenhagen@gmx.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/emu10k1/emufx.c | 112 +++------------------------------------------- + 1 file changed, 9 insertions(+), 103 deletions(-) + +--- a/sound/pci/emu10k1/emufx.c ++++ b/sound/pci/emu10k1/emufx.c +@@ -1563,14 +1563,8 @@ A_OP(icode, &ptr, iMAC0, A_GPR(var), A_G + gpr += 2; + + /* Master volume (will be renamed later) */ +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+0+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+0+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+1+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+1+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+2+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+2+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+3+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+3+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+4+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+4+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+5+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+5+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+6+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), 
A_GPR(playback+6+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+7+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+7+SND_EMU10K1_PLAYBACK_CHANNELS)); ++ for (z = 0; z < 8; z++) ++ A_OP(icode, &ptr, iMAC0, A_GPR(playback+z+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+z+SND_EMU10K1_PLAYBACK_CHANNELS)); + snd_emu10k1_init_mono_control(&controls[nctl++], "Wave Master Playback Volume", gpr, 0); + gpr += 2; + +@@ -1654,102 +1648,14 @@ A_OP(icode, &ptr, iMAC0, A_GPR(var), A_G + dev_dbg(emu->card->dev, "emufx.c: gpr=0x%x, tmp=0x%x\n", + gpr, tmp); + */ +- /* For the EMU1010: How to get 32bit values from the DSP. High 16bits into L, low 16bits into R. */ +- /* A_P16VIN(0) is delayed by one sample, +- * so all other A_P16VIN channels will need to also be delayed +- */ +- /* Left ADC in. 1 of 2 */ + snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_P16VIN(0x0), A_FXBUS2(0) ); +- /* Right ADC in 1 of 2 */ +- gpr_map[gpr++] = 0x00000000; +- /* Delaying by one sample: instead of copying the input +- * value A_P16VIN to output A_FXBUS2 as in the first channel, +- * we use an auxiliary register, delaying the value by one +- * sample +- */ +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(2) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x1), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(4) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x2), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(6) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x3), A_C_00000000, A_C_00000000); +- /* For 96kHz mode */ +- /* Left ADC in. 
2 of 2 */ +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0x8) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x4), A_C_00000000, A_C_00000000); +- /* Right ADC in 2 of 2 */ +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xa) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x5), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xc) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x6), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xe) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x7), A_C_00000000, A_C_00000000); +- /* Pavel Hofman - we still have voices, A_FXBUS2s, and +- * A_P16VINs available - +- * let's add 8 more capture channels - total of 16 +- */ +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x10)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x8), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x12)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x9), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x14)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xa), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x16)); +- 
A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xb), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x18)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xc), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x1a)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xd), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x1c)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xe), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x1e)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xf), +- A_C_00000000, A_C_00000000); ++ /* A_P16VIN(0) is delayed by one sample, so all other A_P16VIN channels ++ * will need to also be delayed; we use an auxiliary register for that. */ ++ for (z = 1; z < 0x10; z++) { ++ snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr), A_FXBUS2(z * 2) ); ++ A_OP(icode, &ptr, iACC3, A_GPR(gpr), A_P16VIN(z), A_C_00000000, A_C_00000000); ++ gpr_map[gpr++] = 0x00000000; ++ } + } + + #if 0 diff --git a/tmp-6.1/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch b/tmp-6.1/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch new file mode 100644 index 00000000000..e6acbcb4f99 --- /dev/null +++ b/tmp-6.1/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch 
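Review bot: The rolled-up capture loop `for (z = 1; z < 0x10; z++)` drops the comments that explained the channel layout of the unrolled code: the EMU1010 note on splitting 32-bit DSP values into high and low 16 bits, the "For 96kHz mode" group that began at A_P16VIN(0x4), and the remark that the last eight inputs were added capture channels. I would keep that in one comment above the loop, for example `/* EMU1010: 32-bit values are split, high 16 bits into L, low 16 bits into R; inputs from 0x4 are the 96kHz-mode pair, 0x8-0xf are the extra capture channels */`. The bare bounds `8` and `0x10` would also read better as named constants. The enclosing function and the declaration of `z` are outside the hunk.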
@@ -0,0 +1,32 @@
+From c250ef8954eda2024c8861c36e9fc1b589481fe7 Mon Sep 17 00:00:00 2001
+From: Christoffer Sandberg
+Date: Tue, 18 Jul 2023 16:57:22 +0200
+Subject: ALSA: hda/realtek: Add quirk for Clevo NS70AU
+
+From: Christoffer Sandberg
+
+commit c250ef8954eda2024c8861c36e9fc1b589481fe7 upstream.
+
+Fixes headset detection on Clevo NS70AU.
+
+Co-developed-by: Werner Sembach
+Signed-off-by: Werner Sembach
+Signed-off-by: Christoffer Sandberg
+Cc:
+Link: https://lore.kernel.org/r/20230718145722.10592-1-wse@tuxedocomputers.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9645,6 +9645,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x1558, 0x5157, "Clevo W517GU1", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x51a1, "Clevo NS50MU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x51b1, "Clevo NS50AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1558, 0x51b3, "Clevo NS70AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x5630, "Clevo NP50RNJS", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x70a1, "Clevo NB70T[HJK]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1558, 0x70b3, "Clevo NK70SB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
diff --git a/tmp-6.1/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch b/tmp-6.1/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch
new file mode 100644
index 00000000000..d6ee0323806
--- /dev/null
+++ b/tmp-6.1/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch
@@ -0,0 +1,73 @@ +From 0659400f18c0e6c0c69d74fe5d09e7f6fbbd52a2 Mon Sep 17 00:00:00 2001 +From: Luka Guzenko +Date: Tue, 18 Jul 2023 18:12:41 +0200 +Subject: ALSA: hda/realtek: Enable Mute LED on HP Laptop 15s-eq2xxx + +From: Luka Guzenko + +commit 0659400f18c0e6c0c69d74fe5d09e7f6fbbd52a2 upstream. + +The HP Laptop 15s-eq2xxx uses ALC236 codec and controls the mute LED using +COEF 0x07 index 1. No existing quirk covers this configuration. +Adds a new quirk and enables it for the device. + +Signed-off-by: Luka Guzenko +Cc: +Link: https://lore.kernel.org/r/20230718161241.393181-1-l.guzenko@web.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4624,6 +4624,21 @@ static void alc236_fixup_hp_mute_led_coe + } + } + ++static void alc236_fixup_hp_mute_led_coefbit2(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ spec->mute_led_polarity = 0; ++ spec->mute_led_coef.idx = 0x07; ++ spec->mute_led_coef.mask = 1; ++ spec->mute_led_coef.on = 1; ++ spec->mute_led_coef.off = 0; ++ snd_hda_gen_add_mute_led_cdev(codec, coef_mute_led_set); ++ } ++} ++ + /* turn on/off mic-mute LED per capture hook by coef bit */ + static int coef_micmute_led_set(struct led_classdev *led_cdev, + enum led_brightness brightness) +@@ -7134,6 +7149,7 @@ enum { + ALC285_FIXUP_HP_GPIO_LED, + ALC285_FIXUP_HP_MUTE_LED, + ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED, ++ ALC236_FIXUP_HP_MUTE_LED_COEFBIT2, + ALC236_FIXUP_HP_GPIO_LED, + ALC236_FIXUP_HP_MUTE_LED, + ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF, +@@ -8557,6 +8573,10 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc285_fixup_hp_spectre_x360_mute_led, + }, ++ [ALC236_FIXUP_HP_MUTE_LED_COEFBIT2] = { ++ .type = HDA_FIXUP_FUNC, 
++ .v.func = alc236_fixup_hp_mute_led_coefbit2, ++ }, + [ALC236_FIXUP_HP_GPIO_LED] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc236_fixup_hp_gpio_led, +@@ -9441,6 +9461,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8873, "HP ZBook Studio 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), ++ SND_PCI_QUIRK(0x103c, 0x887a, "HP Laptop 15s-eq2xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x888d, "HP ZBook Power 15.6 inch G8 Mobile Workstation PC", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8895, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_SPEAKERS_MICMUTE_LED), + SND_PCI_QUIRK(0x103c, 0x8896, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_MUTE_LED), diff --git a/tmp-6.1/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch b/tmp-6.1/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch new file mode 100644 index 00000000000..3f4c3ac4924 --- /dev/null +++ b/tmp-6.1/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch 
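Review bot: `alc236_fixup_hp_mute_led_coefbit2()` is added without a comment, and its name only says it is a second coef-bit variant; the values that set it apart (`mute_led_coef.idx = 0x07`, `mute_led_coef.mask = 1`, `mute_led_polarity = 0`) are explained only in the commit message. A one-line comment above the function, such as `/* mute LED driven by bit 0 of COEF 0x07 (HP Laptop 15s-eq2xxx) */`, would keep that next to the code, in the same way the neighbouring `coef_micmute_led_set()` is introduced by a comment.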
@@ -0,0 +1,82 @@ +From 3d60fd0a504a6c9938b831d63bf6bc1a74979fdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 09:20:21 +0100 +Subject: ALSA: hda/realtek: Fix generic fixup definition for cs35l41 amp + +From: Vitaly Rodionov + +[ Upstream commit f7b069cf08816252f494d193b9ecdff172bf9aa1 ] + +Generic fixup for CS35L41 amplifies should not have vendor specific +chained fixup. For ThinkPad laptops with led issue, we can just add +specific fixup. + +Fixes: a6ac60b36dade (ALSA: hda/realtek: Fix mute led issue on thinkpad with cs35l41 s-codec) +Signed-off-by: Vitaly Rodionov +Link: https://lore.kernel.org/r/20230720082022.13033-1-vitalyr@opensource.cirrus.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 1a8ca119ffe45..cb34a62075b13 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7220,6 +7220,7 @@ enum { + ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN, + ALC295_FIXUP_DELL_INSPIRON_TOP_SPEAKERS, + ALC236_FIXUP_DELL_DUAL_CODECS, ++ ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI, + }; + + /* A special fixup for Lenovo C940 and Yoga Duet 7; +@@ -9090,8 +9091,6 @@ static const struct hda_fixup alc269_fixups[] = { + [ALC287_FIXUP_CS35L41_I2C_2] = { + .type = HDA_FIXUP_FUNC, + .v.func = cs35l41_fixup_i2c_two, +- .chained = true, +- .chain_id = ALC269_FIXUP_THINKPAD_ACPI, + }, + [ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED] = { + .type = HDA_FIXUP_FUNC, +@@ -9228,6 +9227,12 @@ static const struct hda_fixup alc269_fixups[] = { + .chained = true, + .chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + }, ++ [ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = cs35l41_fixup_i2c_two, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_THINKPAD_ACPI, ++ }, + }; + + static const struct snd_pci_quirk 
alc269_fixup_tbl[] = { +@@ -9750,14 +9755,14 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x22be, "Thinkpad X1 Carbon 8th", ALC285_FIXUP_THINKPAD_HEADSET_JACK), + SND_PCI_QUIRK(0x17aa, 0x22c1, "Thinkpad P1 Gen 3", ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK), + SND_PCI_QUIRK(0x17aa, 0x22c2, "Thinkpad X1 Extreme Gen 3", ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK), +- SND_PCI_QUIRK(0x17aa, 0x22f1, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x22f2, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x22f3, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x2316, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x2317, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x2318, "Thinkpad Z13 Gen2", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x2319, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x231a, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x17aa, 0x22f1, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x22f2, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x22f3, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x2316, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x2317, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x2318, "Thinkpad Z13 Gen2", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x2319, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x231a, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + 
SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), +-- +2.39.2 + diff --git a/tmp-6.1/alsa-hda-realtek-remove-3k-pull-low-procedure.patch b/tmp-6.1/alsa-hda-realtek-remove-3k-pull-low-procedure.patch new file mode 100644 index 00000000000..c1559070c25 --- /dev/null +++ b/tmp-6.1/alsa-hda-realtek-remove-3k-pull-low-procedure.patch 
@@ -0,0 +1,66 @@ +From 69ea4c9d02b7947cdd612335a61cc1a02e544ccd Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Thu, 13 Jul 2023 15:57:13 +0800 +Subject: ALSA: hda/realtek - remove 3k pull low procedure + +From: Kailang Yang + +commit 69ea4c9d02b7947cdd612335a61cc1a02e544ccd upstream. + +This was the ALC283 depop procedure. +Maybe this procedure wasn't suitable with new codec. +So, let us remove it. But HP 15z-fc000 must do 3k pull low. If it +reboot with plugged headset, +it will have errors show don't find codec error messages. Run 3k pull +low will solve issues. +So, let AMD chipset will run this for workarround. + +Fixes: 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording issue") +Signed-off-by: Kailang Yang +Cc: +Reported-by: Joseph C. Sible +Closes: https://lore.kernel.org/r/CABpewhE4REgn9RJZduuEU6Z_ijXNeQWnrxO1tg70Gkw=F8qNYg@mail.gmail.com/ +Link: https://lore.kernel.org/r/4678992299664babac4403d9978e7ba7@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -122,6 +122,7 @@ struct alc_spec { + unsigned int ultra_low_power:1; + unsigned int has_hs_key:1; + unsigned int no_internal_mic_pin:1; ++ unsigned int en_3kpull_low:1; + + /* for PLL fix */ + hda_nid_t pll_nid; +@@ -3622,6 +3623,7 @@ static void alc256_shutup(struct hda_cod + if (!hp_pin) + hp_pin = 0x21; + ++ alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */ + hp_pin_sense = snd_hda_jack_detect(codec, hp_pin); + + if (hp_pin_sense) +@@ -3638,8 +3640,7 @@ static void alc256_shutup(struct hda_cod + /* If disable 3k pulldown control for alc257, the Mic detection will not work correctly + * when booting with headset plugged. 
So skip setting it for the codec alc257 + */ +- if (codec->core.vendor_id != 0x10ec0236 && +- codec->core.vendor_id != 0x10ec0257) ++ if (spec->en_3kpull_low) + alc_update_coef_idx(codec, 0x46, 0, 3 << 12); + + if (!spec->no_shutup_pins) +@@ -10599,6 +10600,8 @@ static int patch_alc269(struct hda_codec + spec->shutup = alc256_shutup; + spec->init_hook = alc256_init; + spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */ ++ if (codec->bus->pci->vendor == PCI_VENDOR_ID_AMD) ++ spec->en_3kpull_low = true; + break; + case 0x10ec0257: + spec->codec_variant = ALC269_TYPE_ALC257; diff --git a/tmp-6.1/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch b/tmp-6.1/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch new file mode 100644 index 00000000000..19d5f56cb49 --- /dev/null +++ b/tmp-6.1/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch 
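Review bot: In patch_alc269 the new test `codec->bus->pci->vendor == PCI_VENDOR_ID_AMD` dereferences `codec->bus->pci` without checking it, so a codec attached to a non-PCI HDA controller would fault during probe if that pointer can be NULL there (the bus setup is not visible in this hunk). `if (codec->bus->pci && codec->bus->pci->vendor == PCI_VENDOR_ID_AMD)` avoids that. The comment kept above `if (spec->en_3kpull_low)` in alc256_shutup still describes the old vendor-id test for alc257 and should be reworded to describe the flag. Both functions start and end outside the hunk.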
@@ -0,0 +1,93 @@ +From d4d5be94a87872421ea2569044092535aff0b886 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Thu, 20 Jul 2023 19:38:58 +0100 +Subject: arm64/fpsimd: Ensure SME storage is allocated after SVE VL changes + +From: Mark Brown + +commit d4d5be94a87872421ea2569044092535aff0b886 upstream. + +When we reconfigure the SVE vector length we discard the backing storage +for the SVE vectors and then reallocate on next SVE use, leaving the SME +specific state alone. This means that we do not enable SME traps if they +were already disabled. That means that userspace code can enter streaming +mode without trapping, putting the task in a state where if we try to save +the state of the task we will fault. + +Since the ABI does not specify that changing the SVE vector length disturbs +SME state, and since SVE code may not be aware of SME code in the process, +we shouldn't simply discard any ZA state. Instead immediately reallocate +the storage for SVE, and disable SME if we change the SVE vector length +while there is no SME state active. + +Disabling SME traps on SVE vector length changes would make the overall +code more complex since we would have a state where we have valid SME state +stored but might get a SME trap. 
+ +Fixes: 9e4ab6c89109 ("arm64/sme: Implement vector length configuration prctl()s") +Reported-by: David Spickett +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230720-arm64-fix-sve-sme-vl-change-v2-1-8eea06b82d57@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/fpsimd.c | 33 +++++++++++++++++++++++++-------- + 1 file changed, 25 insertions(+), 8 deletions(-) + +--- a/arch/arm64/kernel/fpsimd.c ++++ b/arch/arm64/kernel/fpsimd.c +@@ -803,6 +803,8 @@ void sve_sync_from_fpsimd_zeropad(struct + int vec_set_vector_length(struct task_struct *task, enum vec_type type, + unsigned long vl, unsigned long flags) + { ++ bool free_sme = false; ++ + if (flags & ~(unsigned long)(PR_SVE_VL_INHERIT | + PR_SVE_SET_VL_ONEXEC)) + return -EINVAL; +@@ -851,21 +853,36 @@ int vec_set_vector_length(struct task_st + thread_sm_enabled(&task->thread)) + sve_to_fpsimd(task); + +- if (system_supports_sme() && type == ARM64_VEC_SME) { +- task->thread.svcr &= ~(SVCR_SM_MASK | +- SVCR_ZA_MASK); +- clear_thread_flag(TIF_SME); ++ if (system_supports_sme()) { ++ if (type == ARM64_VEC_SME || ++ !(task->thread.svcr & (SVCR_SM_MASK | SVCR_ZA_MASK))) { ++ /* ++ * We are changing the SME VL or weren't using ++ * SME anyway, discard the state and force a ++ * reallocation. ++ */ ++ task->thread.svcr &= ~(SVCR_SM_MASK | ++ SVCR_ZA_MASK); ++ clear_thread_flag(TIF_SME); ++ free_sme = true; ++ } + } + + if (task == current) + put_cpu_fpsimd_context(); + + /* +- * Force reallocation of task SVE and SME state to the correct +- * size on next use: ++ * Free the changed states if they are not in use, SME will be ++ * reallocated to the correct size on next use and we just ++ * allocate SVE now in case it is needed for use in streaming ++ * mode. 
+ */ +- sve_free(task); +- if (system_supports_sme() && type == ARM64_VEC_SME) ++ if (system_supports_sve()) { ++ sve_free(task); ++ sve_alloc(task, true); ++ } ++ ++ if (free_sme) + sme_free(task); + + task_set_vl(task, type, vl); diff --git a/tmp-6.1/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch b/tmp-6.1/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch new file mode 100644 index 00000000000..dc7aa29a72f --- /dev/null +++ b/tmp-6.1/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch 
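Review bot: `sve_alloc(task, true)` runs before `task_set_vl(task, type, vl)` in vec_set_vector_length, so the storage reallocated here is presumably sized from the task's old vector length. sve_alloc is not shown, but if it derives the size from the task, raising the VL leaves a buffer that is too small for the state later saved into it. Moving `task_set_vl(task, type, vl);` above the `if (system_supports_sve())` block would size the allocation for the new length. The result of the allocation is also not checked, so a failure goes unnoticed until the next SVE use; either confirm that path copes with missing storage or return `-ENOMEM` here. The function starts above and continues below the hunk.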
@@ -0,0 +1,63 @@ +From 01fe45bc121655c2ea7d823e3442f3c388fb23b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 16:23:54 +0530 +Subject: ASoC: amd: acp: fix for invalid dai id handling in + acp_get_byte_count() + +From: Vijendar Mukunda + +[ Upstream commit 85aeab362201cf52c34cd429e4f6c75a0b42f9a3 ] + +For invalid dai id, instead of returning -EINVAL +return bytes count as zero in acp_get_byte_count() function. + +Fixes: 623621a9f9e1 ("ASoC: amd: Add common framework to support I2S on ACP SOC") + +Signed-off-by: Vijendar Mukunda +Link: https://lore.kernel.org/r/20230626105356.2580125-6-Vijendar.Mukunda@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/amd.h | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/amd/acp/amd.h b/sound/soc/amd/acp/amd.h +index 5f2119f422715..12a176a50fd6e 100644 +--- a/sound/soc/amd/acp/amd.h ++++ b/sound/soc/amd/acp/amd.h +@@ -173,7 +173,7 @@ int snd_amd_acp_find_config(struct pci_dev *pci); + + static inline u64 acp_get_byte_count(struct acp_dev_data *adata, int dai_id, int direction) + { +- u64 byte_count, low = 0, high = 0; ++ u64 byte_count = 0, low = 0, high = 0; + + if (direction == SNDRV_PCM_STREAM_PLAYBACK) { + switch (dai_id) { +@@ -191,7 +191,7 @@ static inline u64 acp_get_byte_count(struct acp_dev_data *adata, int dai_id, int + break; + default: + dev_err(adata->dev, "Invalid dai id %x\n", dai_id); +- return -EINVAL; ++ goto POINTER_RETURN_BYTES; + } + } else { + switch (dai_id) { +@@ -213,12 +213,13 @@ static inline u64 acp_get_byte_count(struct acp_dev_data *adata, int dai_id, int + break; + default: + dev_err(adata->dev, "Invalid dai id %x\n", dai_id); +- return -EINVAL; ++ goto POINTER_RETURN_BYTES; + } + } + /* Get 64 bit value from two 32 bit registers */ + byte_count = (high << 32) | low; + ++POINTER_RETURN_BYTES: + return byte_count; + } + +-- +2.39.2 + 
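Review bot: Both `default:` branches of acp_get_byte_count now jump to `POINTER_RETURN_BYTES:` only to return the zero supplied by the new `byte_count = 0` initialiser; `return 0;` in each branch says the same without the label, and kernel labels are conventionally lower case. More relevant for callers, an invalid dai id is now indistinguishable from a stream that has transferred nothing, with `dev_err()` as the only signal, so a comment above the function stating that 0 doubles as the error value is worth adding. If this helper runs on every pointer update (its callers are not visible here), `dev_err_ratelimited()` would keep a bad id from flooding the log.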
diff --git a/tmp-6.1/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch b/tmp-6.1/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch new file mode 100644 index 00000000000..aabe42628e5 --- /dev/null +++ b/tmp-6.1/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch 
@@ -0,0 +1,157 @@ +From a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:16 +0200 +Subject: ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove + +From: Johan Hovold + +commit a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 upstream. + +The MBHC resources must be released on component probe failure and +removal so can not be tied to the lifetime of the component device. + +This is specifically needed to allow probe deferrals of the sound card +which otherwise fails when reprobing the codec component: + + snd-sc8280xp sound: ASoC: failed to instantiate card -517 + genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr) + wcd938x_codec audio-codec: Failed to request mbhc interrupts -16 + wcd938x_codec audio-codec: mbhc initialization failed + wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16 + snd-sc8280xp sound: ASoC: failed to instantiate card -16 + +Fixes: 0e5c9e7ff899 ("ASoC: codecs: wcd: add multi button Headset detection support") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-7-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd-mbhc-v2.c | 57 +++++++++++++++++++++++++++++------------ + 1 file changed, 41 insertions(+), 16 deletions(-) + +--- a/sound/soc/codecs/wcd-mbhc-v2.c ++++ b/sound/soc/codecs/wcd-mbhc-v2.c +@@ -1454,7 +1454,7 @@ struct wcd_mbhc *wcd_mbhc_init(struct sn + return ERR_PTR(-EINVAL); + } + +- mbhc = devm_kzalloc(dev, sizeof(*mbhc), GFP_KERNEL); ++ mbhc = kzalloc(sizeof(*mbhc), GFP_KERNEL); + if (!mbhc) + return ERR_PTR(-ENOMEM); + +@@ -1474,61 +1474,76 @@ struct wcd_mbhc *wcd_mbhc_init(struct sn + + INIT_WORK(&mbhc->correct_plug_swch, wcd_correct_swch_plug); + +- ret = devm_request_threaded_irq(dev, 
mbhc->intr_ids->mbhc_sw_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_sw_intr, NULL, + wcd_mbhc_mech_plug_detect_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "mbhc sw intr", mbhc); + if (ret) +- goto err; ++ goto err_free_mbhc; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_btn_press_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_btn_press_intr, NULL, + wcd_mbhc_btn_press_handler, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Button Press detect", mbhc); + if (ret) +- goto err; ++ goto err_free_sw_intr; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_btn_release_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_btn_release_intr, NULL, + wcd_mbhc_btn_release_handler, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Button Release detect", mbhc); + if (ret) +- goto err; ++ goto err_free_btn_press_intr; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_hs_ins_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_hs_ins_intr, NULL, + wcd_mbhc_adc_hs_ins_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Elect Insert", mbhc); + if (ret) +- goto err; ++ goto err_free_btn_release_intr; + + disable_irq_nosync(mbhc->intr_ids->mbhc_hs_ins_intr); + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_hs_rem_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_hs_rem_intr, NULL, + wcd_mbhc_adc_hs_rem_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Elect Remove", mbhc); + if (ret) +- goto err; ++ goto err_free_hs_ins_intr; + + disable_irq_nosync(mbhc->intr_ids->mbhc_hs_rem_intr); + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->hph_left_ocp, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->hph_left_ocp, NULL, + wcd_mbhc_hphl_ocp_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "HPH_L OCP detect", mbhc); + if (ret) +- goto err; ++ goto err_free_hs_rem_intr; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->hph_right_ocp, NULL, ++ ret = 
request_threaded_irq(mbhc->intr_ids->hph_right_ocp, NULL, + wcd_mbhc_hphr_ocp_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "HPH_R OCP detect", mbhc); + if (ret) +- goto err; ++ goto err_free_hph_left_ocp; + + return mbhc; +-err: ++ ++err_free_hph_left_ocp: ++ free_irq(mbhc->intr_ids->hph_left_ocp, mbhc); ++err_free_hs_rem_intr: ++ free_irq(mbhc->intr_ids->mbhc_hs_rem_intr, mbhc); ++err_free_hs_ins_intr: ++ free_irq(mbhc->intr_ids->mbhc_hs_ins_intr, mbhc); ++err_free_btn_release_intr: ++ free_irq(mbhc->intr_ids->mbhc_btn_release_intr, mbhc); ++err_free_btn_press_intr: ++ free_irq(mbhc->intr_ids->mbhc_btn_press_intr, mbhc); ++err_free_sw_intr: ++ free_irq(mbhc->intr_ids->mbhc_sw_intr, mbhc); ++err_free_mbhc: ++ kfree(mbhc); ++ + dev_err(dev, "Failed to request mbhc interrupts %d\n", ret); + + return ERR_PTR(ret); +@@ -1537,9 +1552,19 @@ EXPORT_SYMBOL(wcd_mbhc_init); + + void wcd_mbhc_deinit(struct wcd_mbhc *mbhc) + { ++ free_irq(mbhc->intr_ids->hph_right_ocp, mbhc); ++ free_irq(mbhc->intr_ids->hph_left_ocp, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_hs_rem_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_hs_ins_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_btn_release_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_btn_press_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_sw_intr, mbhc); ++ + mutex_lock(&mbhc->lock); + wcd_cancel_hs_detect_plug(mbhc, &mbhc->correct_plug_swch); + mutex_unlock(&mbhc->lock); ++ ++ kfree(mbhc); + } + EXPORT_SYMBOL(wcd_mbhc_deinit); + diff --git a/tmp-6.1/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch b/tmp-6.1/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch new file mode 100644 index 00000000000..c86cf2752f1 --- /dev/null +++ b/tmp-6.1/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch 
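Review bot: On the wcd_mbhc_init error path `kfree(mbhc)` at `err_free_mbhc` is reached after interrupts such as `mbhc_sw_intr` have already been requested and enabled, and unlike wcd_mbhc_deinit nothing deals with `mbhc->correct_plug_swch` first. free_irq() waits for running handlers, not for work they queued, so if any of these handlers can schedule that work (they are outside the hunk) it could later run against freed memory. Calling `cancel_work_sync(&mbhc->correct_plug_swch);` before the `kfree(mbhc)`, or a comment stating why no work can be pending this early, would close that. wcd_mbhc_deinit now frees the object as well, so its callers must not keep the pointer afterwards.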
@@ -0,0 +1,54 @@ +From 798590cc7d3c2b5f3a7548d96dd4d8a081c1bc39 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:15 +0200 +Subject: ASoC: codecs: wcd934x: fix resource leaks on component remove + +From: Johan Hovold + +commit 798590cc7d3c2b5f3a7548d96dd4d8a081c1bc39 upstream. + +Make sure to release allocated MBHC resources also on component remove. + +This is specifically needed to allow probe deferrals of the sound card +which otherwise fails when reprobing the codec component. + +Fixes: 9fb9b1690f0b ("ASoC: codecs: wcd934x: add mbhc support") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-6-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd934x.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/sound/soc/codecs/wcd934x.c ++++ b/sound/soc/codecs/wcd934x.c +@@ -3044,6 +3044,17 @@ static int wcd934x_mbhc_init(struct snd_ + + return 0; + } ++ ++static void wcd934x_mbhc_deinit(struct snd_soc_component *component) ++{ ++ struct wcd934x_codec *wcd = snd_soc_component_get_drvdata(component); ++ ++ if (!wcd->mbhc) ++ return; ++ ++ wcd_mbhc_deinit(wcd->mbhc); ++} ++ + static int wcd934x_comp_probe(struct snd_soc_component *component) + { + struct wcd934x_codec *wcd = dev_get_drvdata(component->dev); +@@ -3077,6 +3088,7 @@ static void wcd934x_comp_remove(struct s + { + struct wcd934x_codec *wcd = dev_get_drvdata(comp->dev); + ++ wcd934x_mbhc_deinit(comp); + wcd_clsh_ctrl_free(wcd->clsh_ctrl); + } + diff --git a/tmp-6.1/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch b/tmp-6.1/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch new file mode 100644 index 00000000000..3e47419b85b --- /dev/null +++ b/tmp-6.1/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch 
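Review bot: `wcd934x_mbhc_deinit()` leaves `wcd->mbhc` pointing at memory that `wcd_mbhc_deinit()` now releases with `kfree(mbhc)` (see the wcd-mbhc patch earlier in this series), so the `if (!wcd->mbhc)` guard is no longer meaningful after the first remove. Adding `wcd->mbhc = NULL;` directly after `wcd_mbhc_deinit(wcd->mbhc);` would stop any later access through the codec struct from touching freed memory; whether such an access can occur after remove is not visible in this hunk. The guard also tests only for NULL, while `wcd_mbhc_init()` returns `ERR_PTR(ret)` on failure, so it is correct only if `wcd934x_mbhc_init()` never stores the error pointer, which is outside the hunk. `wcd938x_mbhc_deinit()` in the wcd938x resource-leak patch further down has the same stale-pointer pattern and no guard at all.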
@@ -0,0 +1,54 @@ +From 85a61b1ce461a3f62f1019e5e6423c393c542bff Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 30 Jun 2023 14:03:18 +0200 +Subject: ASoC: codecs: wcd938x: fix codec initialisation race + +From: Johan Hovold + +commit 85a61b1ce461a3f62f1019e5e6423c393c542bff upstream. + +Make sure to resume the codec and soundwire device before trying to read +the codec variant and configure the device during component probe. + +This specifically avoids interpreting (a masked and shifted) -EBUSY +errno as the variant: + + wcd938x_codec audio-codec: ASoC: error at soc_component_read_no_lock on audio-codec for register: [0x000034b0] -16 + +when the soundwire device happens to be suspended, which in turn +prevents some headphone controls from being registered. + +Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Reported-by: Steev Klimaszewski +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230630120318.6571-1-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3095,6 +3095,10 @@ static int wcd938x_soc_codec_probe(struc + + snd_soc_component_init_regmap(component, wcd938x->regmap); + ++ ret = pm_runtime_resume_and_get(dev); ++ if (ret < 0) ++ return ret; ++ + wcd938x->variant = snd_soc_component_read_field(component, + WCD938X_DIGITAL_EFUSE_REG_0, + WCD938X_ID_MASK); +@@ -3112,6 +3116,8 @@ static int wcd938x_soc_codec_probe(struc + (WCD938X_DIGITAL_INTR_LEVEL_0 + i), 0); + } + ++ pm_runtime_put(dev); ++ + wcd938x->hphr_pdm_wd_int = regmap_irq_get_virq(wcd938x->irq_chip, + WCD938X_IRQ_HPHR_PDM_WD_INT); + wcd938x->hphl_pdm_wd_int = regmap_irq_get_virq(wcd938x->irq_chip, 
diff --git a/tmp-6.1/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch b/tmp-6.1/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch
new file mode 100644
index 00000000000..2f4c267613e
--- /dev/null
+++ b/tmp-6.1/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch
@@ -0,0 +1,51 @@ +From 8fdb4c209948ee94e6e06e178741f29d84f4e4d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 13:57:23 +0100 +Subject: ASoC: codecs: wcd938x: fix dB range for HPHL and HPHR + +From: Srinivas Kandagatla + +[ Upstream commit c03226ba15fe3c42d13907ec7d8536396602557b ] + +dB range for HPHL and HPHR gains are from +6dB to -30dB in steps of +1.5dB with register values range from 0 to 24. + +Current code maps these dB ranges incorrectly, fix them to allow proper +volume setting. + +Fixes: e8ba1e05bdc0 ("ASoC: codecs: wcd938x: add basic controls") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705125723.40464-1-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd938x.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/wcd938x.c b/sound/soc/codecs/wcd938x.c +index 7715040383840..2316481c2541b 100644 +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -210,7 +210,7 @@ struct wcd938x_priv { + }; + + static const SNDRV_CTL_TLVD_DECLARE_DB_MINMAX(ear_pa_gain, 600, -1800); +-static const SNDRV_CTL_TLVD_DECLARE_DB_MINMAX(line_gain, 600, -3000); ++static const DECLARE_TLV_DB_SCALE(line_gain, -3000, 150, -3000); + static const SNDRV_CTL_TLVD_DECLARE_DB_MINMAX(analog_gain, 0, 3000); + + struct wcd938x_mbhc_zdet_param { +@@ -2662,8 +2662,8 @@ static const struct snd_kcontrol_new wcd938x_snd_controls[] = { + wcd938x_get_swr_port, wcd938x_set_swr_port), + SOC_SINGLE_EXT("DSD_R Switch", WCD938X_DSD_R, 0, 1, 0, + wcd938x_get_swr_port, wcd938x_set_swr_port), +- SOC_SINGLE_TLV("HPHL Volume", WCD938X_HPH_L_EN, 0, 0x18, 0, line_gain), +- SOC_SINGLE_TLV("HPHR Volume", WCD938X_HPH_R_EN, 0, 0x18, 0, line_gain), ++ SOC_SINGLE_TLV("HPHL Volume", WCD938X_HPH_L_EN, 0, 0x18, 1, line_gain), ++ SOC_SINGLE_TLV("HPHR Volume", WCD938X_HPH_R_EN, 0, 0x18, 1, line_gain), + WCD938X_EAR_PA_GAIN_TLV("EAR_PA Volume", 
WCD938X_ANA_EAR_COMPANDER_CTL, + 2, 0x10, 0, ear_pa_gain), + SOC_SINGLE_EXT("ADC1 Switch", WCD938X_ADC1, 1, 1, 0, +-- +2.39.2 + diff --git a/tmp-6.1/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch b/tmp-6.1/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch new file mode 100644 index 00000000000..5a1143b5bf8 --- /dev/null +++ b/tmp-6.1/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch @@ -0,0 +1,43 @@ +From 6837fd2094a0338619e2fbd26039c39ad53d3cf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 16:27:13 +0200 +Subject: ASoC: codecs: wcd938x: fix mbhc impedance loglevel + +From: Johan Hovold + +[ Upstream commit e5ce198bd5c6923b6a51e1493b1401f84c24b26d ] + +Demote the MBHC impedance measurement printk, which is not an error +message, from error to debug level. + +While at it, fix the capitalisation of "ohm" and add the missing space +before the opening parenthesis. + +Fixes: bcee7ed09b8e ("ASoC: codecs: wcd938x: add Multi Button Headset Control support") +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230630142717.5314-2-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd938x.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/wcd938x.c b/sound/soc/codecs/wcd938x.c +index df0b3ac7f1321..7715040383840 100644 +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -2165,8 +2165,8 @@ static inline void wcd938x_mbhc_get_result_params(struct wcd938x_priv *wcd938x, + else if (x1 < minCode_param[noff]) + *zdet = WCD938X_ZDET_FLOATING_IMPEDANCE; + +- pr_err("%s: d1=%d, c1=%d, x1=0x%x, z_val=%d(milliOhm)\n", +- __func__, d1, c1, x1, *zdet); ++ pr_debug("%s: d1=%d, c1=%d, x1=0x%x, z_val=%d (milliohm)\n", ++ __func__, d1, c1, x1, *zdet); + ramp_down: + i = 0; + while (x1) { +-- +2.39.2 + 
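Review bot: The fourth argument of `DECLARE_TLV_DB_SCALE` is a mute flag rather than a dB value, so `DECLARE_TLV_DB_SCALE(line_gain, -3000, 150, -3000)` passes a non-zero value that is treated as true and the lowest step is reported to user space as muted instead of as -30 dB. If that register value still passes audio, the line should read `static const DECLARE_TLV_DB_SCALE(line_gain, -3000, 150, 0);`. The `0x18` maximum in the two `SOC_SINGLE_TLV` entries is consistent with the commit message (36 dB in 1.5 dB steps is 25 values, 0 to 24). A one-line comment above `line_gain` stating the register-to-dB mapping and that the controls are inverted would make this checkable at a glance.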
diff --git a/tmp-6.1/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch b/tmp-6.1/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch new file mode 100644 index 00000000000..a2e1b76ba60 --- /dev/null +++ b/tmp-6.1/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch @@ -0,0 +1,37 @@ +From ed0dd9205bf69593edb495cb4b086dbae96a3f05 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:13 +0200 +Subject: ASoC: codecs: wcd938x: fix missing clsh ctrl error handling + +From: Johan Hovold + +commit ed0dd9205bf69593edb495cb4b086dbae96a3f05 upstream. + +Allocation of the clash control structure may fail so add the missing +error handling to avoid dereferencing an error pointer. + +Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-4-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3090,6 +3090,10 @@ static int wcd938x_soc_codec_probe(struc + WCD938X_ID_MASK); + + wcd938x->clsh_info = wcd_clsh_ctrl_alloc(component, WCD938X); ++ if (IS_ERR(wcd938x->clsh_info)) { ++ pm_runtime_put(dev); ++ return PTR_ERR(wcd938x->clsh_info); ++ } + + wcd938x_io_init(wcd938x); + /* Set all interrupts as edge triggered */ diff --git a/tmp-6.1/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch b/tmp-6.1/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch new file mode 100644 index 00000000000..a98d816a471 --- /dev/null +++ b/tmp-6.1/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch 
@@ -0,0 +1,51 @@ +From 7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 3 Jul 2023 14:47:01 +0200 +Subject: ASoC: codecs: wcd938x: fix missing mbhc init error handling + +From: Johan Hovold + +commit 7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66 upstream. + +MBHC initialisation can fail so add the missing error handling to avoid +dereferencing an error pointer when later configuring the jack: + + Unable to handle kernel paging request at virtual address fffffffffffffff8 + + pc : wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc] + lr : wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x] + + Call trace: + wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc] + wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x] + snd_soc_component_set_jack+0x28/0x8c [snd_soc_core] + qcom_snd_wcd_jack_setup+0x7c/0x19c [snd_soc_qcom_common] + sc8280xp_snd_init+0x20/0x2c [snd_soc_sc8280xp] + snd_soc_link_init+0x28/0x90 [snd_soc_core] + snd_soc_bind_card+0x628/0xbfc [snd_soc_core] + snd_soc_register_card+0xec/0x104 [snd_soc_core] + devm_snd_soc_register_card+0x4c/0xa4 [snd_soc_core] + sc8280xp_platform_probe+0xf0/0x108 [snd_soc_sc8280xp] + +Fixes: bcee7ed09b8e ("ASoC: codecs: wcd938x: add Multi Button Headset Control support") +Cc: stable@vger.kernel.org # 5.15 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230703124701.11734-1-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -2625,6 +2625,8 @@ static int wcd938x_mbhc_init(struct snd_ + WCD938X_IRQ_HPHR_OCP_INT); + + wcd938x->wcd_mbhc = wcd_mbhc_init(component, &mbhc_cb, intr_ids, wcd_mbhc_fields, true); ++ if (IS_ERR(wcd938x->wcd_mbhc)) ++ return PTR_ERR(wcd938x->wcd_mbhc); + + snd_soc_add_component_controls(component, impedance_detect_controls, + 
ARRAY_SIZE(impedance_detect_controls)); diff --git a/tmp-6.1/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch b/tmp-6.1/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch new file mode 100644 index 00000000000..40f70a75c04 --- /dev/null +++ b/tmp-6.1/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch 
@@ -0,0 +1,151 @@ +From a3406f87775fee986876e03f93a84385f54d5999 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:14 +0200 +Subject: ASoC: codecs: wcd938x: fix resource leaks on component remove + +From: Johan Hovold + +commit a3406f87775fee986876e03f93a84385f54d5999 upstream. + +Make sure to release allocated resources on component probe failure and +on remove. + +This is specifically needed to allow probe deferrals of the sound card +which otherwise fails when reprobing the codec component: + + snd-sc8280xp sound: ASoC: failed to instantiate card -517 + genirq: Flags mismatch irq 289. 00002001 (HPHR PDM WD INT) vs. 00002001 (HPHR PDM WD INT) + wcd938x_codec audio-codec: Failed to request HPHR WD interrupt (-16) + genirq: Flags mismatch irq 290. 00002001 (HPHL PDM WD INT) vs. 00002001 (HPHL PDM WD INT) + wcd938x_codec audio-codec: Failed to request HPHL WD interrupt (-16) + genirq: Flags mismatch irq 291. 00002001 (AUX PDM WD INT) vs. 00002001 (AUX PDM WD INT) + wcd938x_codec audio-codec: Failed to request Aux WD interrupt (-16) + genirq: Flags mismatch irq 292. 00002001 (mbhc sw intr) vs. 
00002001 (mbhc sw intr) + wcd938x_codec audio-codec: Failed to request mbhc interrupts -16 + +Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-5-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 55 +++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 48 insertions(+), 7 deletions(-) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -2633,6 +2633,14 @@ static int wcd938x_mbhc_init(struct snd_ + + return 0; + } ++ ++static void wcd938x_mbhc_deinit(struct snd_soc_component *component) ++{ ++ struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); ++ ++ wcd_mbhc_deinit(wcd938x->wcd_mbhc); ++} ++ + /* END MBHC */ + + static const struct snd_kcontrol_new wcd938x_snd_controls[] = { +@@ -3113,20 +3121,26 @@ static int wcd938x_soc_codec_probe(struc + ret = request_threaded_irq(wcd938x->hphr_pdm_wd_int, NULL, wcd938x_wd_handle_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "HPHR PDM WD INT", wcd938x); +- if (ret) ++ if (ret) { + dev_err(dev, "Failed to request HPHR WD interrupt (%d)\n", ret); ++ goto err_free_clsh_ctrl; ++ } + + ret = request_threaded_irq(wcd938x->hphl_pdm_wd_int, NULL, wcd938x_wd_handle_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "HPHL PDM WD INT", wcd938x); +- if (ret) ++ if (ret) { + dev_err(dev, "Failed to request HPHL WD interrupt (%d)\n", ret); ++ goto err_free_hphr_pdm_wd_int; ++ } + + ret = request_threaded_irq(wcd938x->aux_pdm_wd_int, NULL, wcd938x_wd_handle_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "AUX PDM WD INT", wcd938x); +- if (ret) ++ if (ret) { + dev_err(dev, "Failed to request Aux WD interrupt (%d)\n", ret); ++ goto err_free_hphl_pdm_wd_int; ++ } + + /* Disable watchdog interrupt for HPH and AUX */ + 
disable_irq_nosync(wcd938x->hphr_pdm_wd_int); +@@ -3141,7 +3155,7 @@ static int wcd938x_soc_codec_probe(struc + dev_err(component->dev, + "%s: Failed to add snd ctrls for variant: %d\n", + __func__, wcd938x->variant); +- goto err; ++ goto err_free_aux_pdm_wd_int; + } + break; + case WCD9385: +@@ -3151,7 +3165,7 @@ static int wcd938x_soc_codec_probe(struc + dev_err(component->dev, + "%s: Failed to add snd ctrls for variant: %d\n", + __func__, wcd938x->variant); +- goto err; ++ goto err_free_aux_pdm_wd_int; + } + break; + default: +@@ -3159,12 +3173,38 @@ static int wcd938x_soc_codec_probe(struc + } + + ret = wcd938x_mbhc_init(component); +- if (ret) ++ if (ret) { + dev_err(component->dev, "mbhc initialization failed\n"); +-err: ++ goto err_free_aux_pdm_wd_int; ++ } ++ ++ return 0; ++ ++err_free_aux_pdm_wd_int: ++ free_irq(wcd938x->aux_pdm_wd_int, wcd938x); ++err_free_hphl_pdm_wd_int: ++ free_irq(wcd938x->hphl_pdm_wd_int, wcd938x); ++err_free_hphr_pdm_wd_int: ++ free_irq(wcd938x->hphr_pdm_wd_int, wcd938x); ++err_free_clsh_ctrl: ++ wcd_clsh_ctrl_free(wcd938x->clsh_info); ++ + return ret; + } + ++static void wcd938x_soc_codec_remove(struct snd_soc_component *component) ++{ ++ struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); ++ ++ wcd938x_mbhc_deinit(component); ++ ++ free_irq(wcd938x->aux_pdm_wd_int, wcd938x); ++ free_irq(wcd938x->hphl_pdm_wd_int, wcd938x); ++ free_irq(wcd938x->hphr_pdm_wd_int, wcd938x); ++ ++ wcd_clsh_ctrl_free(wcd938x->clsh_info); ++} ++ + static int wcd938x_codec_set_jack(struct snd_soc_component *comp, + struct snd_soc_jack *jack, void *data) + { +@@ -3181,6 +3221,7 @@ static int wcd938x_codec_set_jack(struct + static const struct snd_soc_component_driver soc_codec_dev_wcd938x = { + .name = "wcd938x_codec", + .probe = wcd938x_soc_codec_probe, ++ .remove = wcd938x_soc_codec_remove, + .controls = wcd938x_snd_controls, + .num_controls = ARRAY_SIZE(wcd938x_snd_controls), + .dapm_widgets = wcd938x_dapm_widgets, 
diff --git a/tmp-6.1/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch b/tmp-6.1/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch
new file mode 100644
index 00000000000..b36252e567d
--- /dev/null
+++ b/tmp-6.1/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch
@@ -0,0 +1,55 @@ +From 6f49256897083848ce9a59651f6b53fc80462397 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Sat, 1 Jul 2023 11:47:23 +0200 +Subject: ASoC: codecs: wcd938x: fix soundwire initialisation race + +From: Johan Hovold + +commit 6f49256897083848ce9a59651f6b53fc80462397 upstream. + +Make sure that the soundwire device used for register accesses has been +enumerated and initialised before trying to read the codec variant +during component probe. + +This specifically avoids interpreting (a masked and shifted) -EBUSY +errno as the variant: + + wcd938x_codec audio-codec: ASoC: error at soc_component_read_no_lock on audio-codec for register: [0x000034b0] -16 + +in case the soundwire device has not yet been initialised, which in turn +prevents some headphone controls from being registered. + +Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Reported-by: Steev Klimaszewski +Signed-off-by: Johan Hovold +Tested-by: Steev Klimaszewski +Link: https://lore.kernel.org/r/20230701094723.29379-1-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3090,9 +3090,18 @@ static int wcd938x_irq_init(struct wcd93 + static int wcd938x_soc_codec_probe(struct snd_soc_component *component) + { + struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); ++ struct sdw_slave *tx_sdw_dev = wcd938x->tx_sdw_dev; + struct device *dev = component->dev; ++ unsigned long time_left; + int ret, i; + ++ time_left = wait_for_completion_timeout(&tx_sdw_dev->initialization_complete, ++ msecs_to_jiffies(2000)); ++ if (!time_left) { ++ dev_err(dev, "soundwire device init timeout\n"); ++ return -ETIMEDOUT; ++ } ++ + snd_soc_component_init_regmap(component, wcd938x->regmap); + + ret = pm_runtime_resume_and_get(dev); 
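Review bot: `tx_sdw_dev` is dereferenced in `wait_for_completion_timeout(&tx_sdw_dev->initialization_complete, ...)` without a NULL check, so `wcd938x_soc_codec_probe()` relies on `wcd938x->tx_sdw_dev` always being set before the component is registered. That guarantee lives outside this hunk and deserves either a comment naming where the pointer is assigned or an explicit `if (!tx_sdw_dev) return -EINVAL;` ahead of the wait. The 2000 ms timeout is a bare literal; a named constant with a short note on where the value comes from would be easier to audit and tune. The function body continues outside the hunk.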
diff --git a/tmp-6.1/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch b/tmp-6.1/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch
new file mode 100644
index 00000000000..6729b149d1e
--- /dev/null
+++ b/tmp-6.1/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch
@@ -0,0 +1,86 @@ +From e51df4f81b02bcdd828a04de7c1eb6a92988b61e Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni +Date: Thu, 13 Jul 2023 13:21:12 +0200 +Subject: ASoC: cs42l51: fix driver to properly autoload with automatic module loading + +From: Thomas Petazzoni + +commit e51df4f81b02bcdd828a04de7c1eb6a92988b61e upstream. + +In commit 2cb1e0259f50 ("ASoC: cs42l51: re-hook of_match_table +pointer"), 9 years ago, some random guy fixed the cs42l51 after it was +split into a core part and an I2C part to properly match based on a +Device Tree compatible string. + +However, the fix in this commit is wrong: the MODULE_DEVICE_TABLE(of, +....) is in the core part of the driver, not the I2C part. Therefore, +automatic module loading based on module.alias, based on matching with +the DT compatible string, loads the core part of the driver, but not +the I2C part. And threfore, the i2c_driver is not registered, and the +codec is not known to the system, nor matched with a DT node with the +corresponding compatible string. + +In order to fix that, we move the MODULE_DEVICE_TABLE(of, ...) into +the I2C part of the driver. The cs42l51_of_match[] array is also moved +as well, as it is not possible to have this definition in one file, +and the MODULE_DEVICE_TABLE(of, ...) invocation in another file, due +to how MODULE_DEVICE_TABLE works. + +Thanks to this commit, the I2C part of the driver now properly +autoloads, and thanks to its dependency on the core part, the core +part gets autoloaded as well, resulting in a functional sound card +without having to manually load kernel modules. 
+ +Fixes: 2cb1e0259f50 ("ASoC: cs42l51: re-hook of_match_table pointer") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Petazzoni +Link: https://lore.kernel.org/r/20230713112112.778576-1-thomas.petazzoni@bootlin.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/cs42l51-i2c.c | 6 ++++++ + sound/soc/codecs/cs42l51.c | 7 ------- + sound/soc/codecs/cs42l51.h | 1 - + 3 files changed, 6 insertions(+), 8 deletions(-) + +--- a/sound/soc/codecs/cs42l51-i2c.c ++++ b/sound/soc/codecs/cs42l51-i2c.c +@@ -19,6 +19,12 @@ static struct i2c_device_id cs42l51_i2c_ + }; + MODULE_DEVICE_TABLE(i2c, cs42l51_i2c_id); + ++const struct of_device_id cs42l51_of_match[] = { ++ { .compatible = "cirrus,cs42l51", }, ++ { } ++}; ++MODULE_DEVICE_TABLE(of, cs42l51_of_match); ++ + static int cs42l51_i2c_probe(struct i2c_client *i2c) + { + struct regmap_config config; +--- a/sound/soc/codecs/cs42l51.c ++++ b/sound/soc/codecs/cs42l51.c +@@ -826,13 +826,6 @@ int __maybe_unused cs42l51_resume(struct + } + EXPORT_SYMBOL_GPL(cs42l51_resume); + +-const struct of_device_id cs42l51_of_match[] = { +- { .compatible = "cirrus,cs42l51", }, +- { } +-}; +-MODULE_DEVICE_TABLE(of, cs42l51_of_match); +-EXPORT_SYMBOL_GPL(cs42l51_of_match); +- + MODULE_AUTHOR("Arnaud Patard "); + MODULE_DESCRIPTION("Cirrus Logic CS42L51 ALSA SoC Codec Driver"); + MODULE_LICENSE("GPL"); +--- a/sound/soc/codecs/cs42l51.h ++++ b/sound/soc/codecs/cs42l51.h +@@ -16,7 +16,6 @@ int cs42l51_probe(struct device *dev, st + void cs42l51_remove(struct device *dev); + int __maybe_unused cs42l51_suspend(struct device *dev); + int __maybe_unused cs42l51_resume(struct device *dev); +-extern const struct of_device_id cs42l51_of_match[]; + + #define CS42L51_CHIP_ID 0x1B + #define CS42L51_CHIP_REV_A 0x00 diff --git a/tmp-6.1/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch b/tmp-6.1/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch new file mode 100644 index 00000000000..6e550a45412 --- /dev/null 
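Review bot: `cs42l51_of_match[]` in cs42l51-i2c.c keeps external linkage even though this patch removes both its `extern` declaration from cs42l51.h and its `EXPORT_SYMBOL_GPL`. The definition should become `static const struct of_device_id cs42l51_of_match[] = {`. As written, the symbol is global with no prior declaration, which static checkers flag and which needlessly occupies the global namespace when the driver is built in. This assumes the only remaining user is the I2C driver's match table in the same file, which is outside the hunk.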
+++ b/tmp-6.1/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch @@ -0,0 +1,43 @@ +From 269f399dc19f0e5c51711c3ba3bd06e0ef6ef403 Mon Sep 17 00:00:00 2001 +From: Matus Gajdos +Date: Wed, 12 Jul 2023 14:49:33 +0200 +Subject: ASoC: fsl_sai: Disable bit clock with transmitter + +From: Matus Gajdos + +commit 269f399dc19f0e5c51711c3ba3bd06e0ef6ef403 upstream. + +Otherwise bit clock remains running writing invalid data to the DAC. + +Signed-off-by: Matus Gajdos +Acked-by: Shengjiu Wang +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230712124934.32232-1-matuszpd@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/fsl/fsl_sai.c | 2 +- + sound/soc/fsl/fsl_sai.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -719,7 +719,7 @@ static void fsl_sai_config_disable(struc + u32 xcsr, count = 100; + + regmap_update_bits(sai->regmap, FSL_SAI_xCSR(tx, ofs), +- FSL_SAI_CSR_TERE, 0); ++ FSL_SAI_CSR_TERE | FSL_SAI_CSR_BCE, 0); + + /* TERE will remain set till the end of current frame */ + do { +--- a/sound/soc/fsl/fsl_sai.h ++++ b/sound/soc/fsl/fsl_sai.h +@@ -91,6 +91,7 @@ + /* SAI Transmit/Receive Control Register */ + #define FSL_SAI_CSR_TERE BIT(31) + #define FSL_SAI_CSR_SE BIT(30) ++#define FSL_SAI_CSR_BCE BIT(28) + #define FSL_SAI_CSR_FR BIT(25) + #define FSL_SAI_CSR_SR BIT(24) + #define FSL_SAI_CSR_xF_SHIFT 16 diff --git a/tmp-6.1/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch b/tmp-6.1/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch new file mode 100644 index 00000000000..a55b0cded21 --- /dev/null +++ b/tmp-6.1/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch 
@@ -0,0 +1,58 @@ +From 86867aca7330e4fbcfa2a117e20b48bbb6c758a9 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Thu, 6 Jul 2023 19:18:27 -0300 +Subject: ASoC: fsl_sai: Revert "ASoC: fsl_sai: Enable MCTL_MCLK_EN bit for master mode" + +From: Fabio Estevam + +commit 86867aca7330e4fbcfa2a117e20b48bbb6c758a9 upstream. + +This reverts commit ff87d619ac180444db297f043962a5c325ded47b. + +Andreas reports that on an i.MX8MP-based system where MCLK needs to be +used as an input, the MCLK pin is actually an output, despite not having +the 'fsl,sai-mclk-direction-output' property present in the devicetree. + +This is caused by commit ff87d619ac18 ("ASoC: fsl_sai: Enable +MCTL_MCLK_EN bit for master mode") that sets FSL_SAI_MCTL_MCLK_EN +unconditionally for imx8mm/8mn/8mp/93, causing the MCLK to always +be configured as output. + +FSL_SAI_MCTL_MCLK_EN corresponds to the MOE (MCLK Output Enable) bit +of register MCR and the drivers sets it when the +'fsl,sai-mclk-direction-output' devicetree property is present. + +Revert the commit to allow SAI to use MCLK as input as well. 
+ +Cc: stable@vger.kernel.org +Fixes: ff87d619ac18 ("ASoC: fsl_sai: Enable MCTL_MCLK_EN bit for master mode") +Reported-by: Andreas Henriksson +Signed-off-by: Fabio Estevam +Acked-by: Shengjiu Wang +Link: https://lore.kernel.org/r/20230706221827.1938990-1-festevam@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/fsl/fsl_sai.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c +index 5e09f634c61b..54b4bf3744c6 100644 +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -507,12 +507,6 @@ static int fsl_sai_set_bclk(struct snd_soc_dai *dai, bool tx, u32 freq) + savediv / 2 - 1); + } + +- if (sai->soc_data->max_register >= FSL_SAI_MCTL) { +- /* SAI is in master mode at this point, so enable MCLK */ +- regmap_update_bits(sai->regmap, FSL_SAI_MCTL, +- FSL_SAI_MCTL_MCLK_EN, FSL_SAI_MCTL_MCLK_EN); +- } +- + return 0; + } + +-- +2.41.0 + diff --git a/tmp-6.1/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch b/tmp-6.1/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch new file mode 100644 index 00000000000..a14f4ebf759 --- /dev/null +++ b/tmp-6.1/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch 
@@ -0,0 +1,60 @@ +From 4b2b48aa8c43caaeef24802e4265e3ba2daa7ba5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 14:18:42 +0100 +Subject: ASoC: qcom: q6apm: do not close GPR port before closing graph + +From: Srinivas Kandagatla + +[ Upstream commit c1be62923d4d86e7c06b1224626e27eb8d9ab32e ] + +Closing GPR port before graph close can result in un handled notifications +from DSP, this results in spam of errors from GPR driver as there is no +one to handle these notification at that point in time. + +Fix this by closing GPR port after graph close is finished. + +Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705131842.41584-1-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/qdsp6/q6apm.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/qcom/qdsp6/q6apm.c b/sound/soc/qcom/qdsp6/q6apm.c +index 794019286c704..16acdf3a99e1c 100644 +--- a/sound/soc/qcom/qdsp6/q6apm.c ++++ b/sound/soc/qcom/qdsp6/q6apm.c +@@ -515,6 +515,8 @@ static int graph_callback(struct gpr_resp_pkt *data, void *priv, int op) + + switch (hdr->opcode) { + case DATA_CMD_RSP_WR_SH_MEM_EP_DATA_BUFFER_DONE_V2: ++ if (!graph->ar_graph) ++ break; + client_event = APM_CLIENT_EVENT_DATA_WRITE_DONE; + mutex_lock(&graph->lock); + token = hdr->token & APM_WRITE_TOKEN_MASK; +@@ -548,6 +550,8 @@ static int graph_callback(struct gpr_resp_pkt *data, void *priv, int op) + wake_up(&graph->cmd_wait); + break; + case DATA_CMD_RSP_RD_SH_MEM_EP_DATA_BUFFER_V2: ++ if (!graph->ar_graph) ++ break; + client_event = APM_CLIENT_EVENT_DATA_READ_DONE; + mutex_lock(&graph->lock); + rd_done = data->payload; +@@ -650,8 +654,9 @@ int q6apm_graph_close(struct q6apm_graph *graph) + { + struct audioreach_graph *ar_graph = graph->ar_graph; + +- gpr_free_port(graph->port); ++ graph->ar_graph = NULL; + kref_put(&ar_graph->refcount, 
q6apm_put_audioreach_graph); ++ gpr_free_port(graph->port); + kfree(graph); + + return 0; +-- +2.39.2 + diff --git a/tmp-6.1/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch b/tmp-6.1/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch new file mode 100644 index 00000000000..05bc39f7c2d --- /dev/null +++ b/tmp-6.1/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch @@ -0,0 +1,37 @@ +From 46ec420573cefa1fc98025e7e6841bdafd6f1e20 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:12 +0200 +Subject: ASoC: qdsp6: audioreach: fix topology probe deferral + +From: Johan Hovold + +commit 46ec420573cefa1fc98025e7e6841bdafd6f1e20 upstream. + +Propagate errors when failing to load the topology component so that +probe deferrals can be handled. + +Fixes: 36ad9bf1d93d ("ASoC: qdsp6: audioreach: add topology support") +Cc: stable@vger.kernel.org # 5.17 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-3-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/topology.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/qcom/qdsp6/topology.c ++++ b/sound/soc/qcom/qdsp6/topology.c +@@ -1100,8 +1100,8 @@ int audioreach_tplg_init(struct snd_soc_ + + ret = snd_soc_tplg_component_load(component, &audioreach_tplg_ops, fw); + if (ret < 0) { +- dev_err(dev, "tplg component load failed%d\n", ret); +- ret = -EINVAL; ++ if (ret != -EPROBE_DEFER) ++ dev_err(dev, "tplg component load failed: %d\n", ret); + } + + release_firmware(fw); diff --git a/tmp-6.1/asoc-rt5640-fix-sleep-in-atomic-context.patch b/tmp-6.1/asoc-rt5640-fix-sleep-in-atomic-context.patch new file mode 100644 index 00000000000..b9768db1672 --- /dev/null +++ b/tmp-6.1/asoc-rt5640-fix-sleep-in-atomic-context.patch 
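Review bot: The new `if (!graph->ar_graph) break;` tests in `graph_callback()` run before `mutex_lock(&graph->lock)`, and `q6apm_graph_close()` clears `graph->ar_graph` without taking that lock. A callback can therefore pass the test and keep running while close drops the audioreach graph reference and goes on to `kfree(graph)`. Unless `gpr_free_port()` waits for in-flight callbacks (not visible in this hunk), that leaves a window for a use-after-free on `graph`. Performing the test after the lock is taken in both `case` arms, and writing the pointer in close as `mutex_lock(&graph->lock); graph->ar_graph = NULL; mutex_unlock(&graph->lock);`, would at least order the two sides. Both functions continue outside the hunk.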
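Review bot: The error branch in `audioreach_tplg_init()` now open-codes the "stay quiet on -EPROBE_DEFER" pattern that `dev_err_probe()` already implements. Replacing the nested `if` with `if (ret < 0) dev_err_probe(dev, ret, "tplg component load failed\n");` keeps the propagated `ret` and drops the extra brace level. It also records the deferral reason for the device, which helps when diagnosing a card that never finishes probing. This assumes the function is only reached from a probe path, which is outside the hunk.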
@@ -0,0 +1,65 @@
+From 70a6404ff610aa4889d98977da131c37f9ff9d1f Mon Sep 17 00:00:00 2001
+From: Sameer Pujar
+Date: Thu, 29 Jun 2023 10:42:15 +0530
+Subject: ASoC: rt5640: Fix sleep in atomic context
+
+From: Sameer Pujar
+
+commit 70a6404ff610aa4889d98977da131c37f9ff9d1f upstream.
+
+Following prints are observed while testing audio on Jetson AGX Orin which
+has onboard RT5640 audio codec:
+
+ BUG: sleeping function called from invalid context at kernel/workqueue.c:3027
+ in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 0, name: swapper/0
+ preempt_count: 10001, expected: 0
+ RCU nest depth: 0, expected: 0
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 0 at kernel/irq/handle.c:159 __handle_irq_event_percpu+0x1e0/0x270
+ ---[ end trace ad1c64905aac14a6 ]-
+
+The IRQ handler rt5640_irq() runs in interrupt context and can sleep
+during cancel_delayed_work_sync().
+
+Fix this by running IRQ handler, rt5640_irq(), in thread context.
+Hence replace request_irq() calls with devm_request_threaded_irq().
+
+Fixes: 051dade34695 ("ASoC: rt5640: Fix the wrong state of JD1 and JD2")
+Cc: stable@vger.kernel.org
+Cc: Oder Chiou
+Signed-off-by: Sameer Pujar
+Link: https://lore.kernel.org/r/1688015537-31682-4-git-send-email-spujar@nvidia.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/codecs/rt5640.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/sound/soc/codecs/rt5640.c
++++ b/sound/soc/codecs/rt5640.c
+@@ -2562,9 +2562,10 @@ static void rt5640_enable_jack_detect(st
+ if (jack_data && jack_data->use_platform_clock)
+ rt5640->use_platform_clock = jack_data->use_platform_clock;
+
+- ret = request_irq(rt5640->irq, rt5640_irq,
+- IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+- "rt5640", rt5640);
++ ret = devm_request_threaded_irq(component->dev, rt5640->irq,
++ NULL, rt5640_irq,
++ IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
++ "rt5640", rt5640);
+ if (ret) {
+ dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret);
+ rt5640_disable_jack_detect(component);
+@@ -2617,8 +2618,9 @@ static void rt5640_enable_hda_jack_detec
+
+ rt5640->jack = jack;
+
+- ret = request_irq(rt5640->irq, rt5640_irq,
+- IRQF_TRIGGER_RISING | IRQF_ONESHOT, "rt5640", rt5640);
++ ret = devm_request_threaded_irq(component->dev, rt5640->irq,
++ NULL, rt5640_irq, IRQF_TRIGGER_RISING | IRQF_ONESHOT,
++ "rt5640", rt5640);
+ if (ret) {
+ dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret);
+ rt5640->irq = -ENXIO;
diff --git a/tmp-6.1/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch b/tmp-6.1/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch
new file mode 100644
index 00000000000..15bf7cc98a3
--- /dev/null
+++ b/tmp-6.1/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch
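Review bot: Moving both call sites to `devm_request_threaded_irq(component->dev, ...)` changes who owns the IRQ, and the release side is not part of this hunk. If rt5640_disable_jack_detect() or the component remove path still calls `free_irq(rt5640->irq, rt5640)`, the line would be released once by hand and again when the devres list of component->dev unwinds, and a jack-detect disable followed by a re-enable would request it a second time while the first registration is still held; this is inferred, since those functions are outside the hunk. Either pair the new calls with `devm_free_irq(component->dev, rt5640->irq, rt5640);` on the disable path, or keep manual lifetime and use `request_threaded_irq(rt5640->irq, NULL, rt5640_irq, ...)`, which gives the same thread-context handler. The second call site, in rt5640_enable_hda_jack_detect(), raises the same question.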
@@ -0,0 +1,60 @@
+From f51906ec30b0242c56247bae4862008fd7ae2eeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Jul 2023 14:25:23 +0300
+Subject: ASoC: SOF: ipc3-dtrace: uninitialized data in
+ dfsentry_trace_filter_write()
+
+From: Dan Carpenter
+
+[ Upstream commit 469e2f28c2cbee2430058c1c9bb6d1675d7195fb ]
+
+This doesn't check how many bytes the simple_write_to_buffer() writes to
+the buffer. The only thing that we know is that the first byte is
+initialized and the last byte of the buffer is set to NUL. However
+the middle bytes could be uninitialized.
+
+There is no need to use simple_write_to_buffer(). This code does not
+support partial writes but instead passes "pos = 0" as the starting
+offset regardless of what the user passed as "*ppos". Just use the
+copy_from_user() function and initialize the whole buffer.
+
+Fixes: 671e0b90051e ("ASoC: SOF: Clone the trace code to ipc3-dtrace as fw_tracing implementation")
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/74148292-ce4d-4e01-a1a7-921e6767da14@moroto.mountain
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/sof/ipc3-dtrace.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/sof/ipc3-dtrace.c b/sound/soc/sof/ipc3-dtrace.c
+index b815b0244d9e4..8cf421577378c 100644
+--- a/sound/soc/sof/ipc3-dtrace.c
++++ b/sound/soc/sof/ipc3-dtrace.c
+@@ -187,7 +187,6 @@ static ssize_t dfsentry_trace_filter_write(struct file *file, const char __user
+ struct snd_sof_dfsentry *dfse = file->private_data;
+ struct sof_ipc_trace_filter_elem *elems = NULL;
+ struct snd_sof_dev *sdev = dfse->sdev;
+- loff_t pos = 0;
+ int num_elems;
+ char *string;
+ int ret;
+@@ -202,11 +201,11 @@ static ssize_t dfsentry_trace_filter_write(struct file *file, const char __user
+ if (!string)
+ return -ENOMEM;
+
+- /* assert null termination */
+- string[count] = 0;
+- ret = simple_write_to_buffer(string, count, &pos, from, count);
+- if (ret < 0)
++ if (copy_from_user(string, from, count)) {
++ ret = -EFAULT;
+ goto error;
++ }
++ string[count] = '\0';
+
+ ret = trace_filter_parse(sdev, string, &num_elems, &elems);
+ if (ret < 0)
+--
+2.39.2
+
diff --git a/tmp-6.1/asoc-tegra-fix-adx-byte-map.patch b/tmp-6.1/asoc-tegra-fix-adx-byte-map.patch
new file mode 100644
index 00000000000..f0550624f34
--- /dev/null
+++ b/tmp-6.1/asoc-tegra-fix-adx-byte-map.patch
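Review bot: A style point on the replacement in dfsentry_trace_filter_write(): the allocate, `copy_from_user()`, NUL-terminate sequence is what the kernel helper memdup_user_nul() does in one call, which would leave no path on which the buffer is only partly initialised. Assuming the allocation above the hunk is `count + 1` bytes and the bound on `count` stays where it is (neither is visible here), the three steps collapse to `string = memdup_user_nul(from, count);` followed by `if (IS_ERR(string)) return PTR_ERR(string);`. Since the handler deliberately ignores `*ppos`, a one-line comment such as `/* whole-buffer write only: the filter string is parsed from offset 0 */` would record that for the next reader.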
@@ -0,0 +1,124 @@
+From 6dfe70be0b0dec0f9297811501bec26c05fd96ad Mon Sep 17 00:00:00 2001
+From: Sheetal
+Date: Thu, 29 Jun 2023 10:42:14 +0530
+Subject: ASoC: tegra: Fix ADX byte map
+
+From: Sheetal
+
+commit 6dfe70be0b0dec0f9297811501bec26c05fd96ad upstream.
+
+Byte mask for channel-1 of stream-1 is not getting enabled and this
+causes failures during ADX use cases. This happens because the byte
+map value 0 matches the byte map array and put() callback returns
+without enabling the corresponding bits in the byte mask.
+
+ADX supports 4 output streams and each stream can have a maximum of
+16 channels. Each byte in the input frame is uniquely mapped to a
+byte in one of these 4 outputs. This mapping is done with the help of
+byte map array via user space control setting. The byte map array
+size in the driver is 16 and each array element is of size 4 bytes.
+This corresponds to 64 byte map values.
+
+Each byte in the byte map array can have any value between 0 to 255
+to enable the corresponding bits in the byte mask. The value 256 is
+used as a way to disable the byte map. However the byte map array
+element cannot store this value. The put() callback disables the byte
+mask for 256 value and byte map value is reset to 0 for this case.
+This causes problems during subsequent runs since put() callback,
+for value of 0, just returns without enabling the byte mask. In short,
+the problem is coming because 0 and 256 control values are stored as
+0 in the byte map array.
+
+Right now fix the put() callback by actually looking at the byte mask
+array state to identify if any change is needed and update the fields
+accordingly. The get() callback needs an update as well to return the
+correct control value that user has set before. Note that when user
+set 256, the value is stored as 0 and byte mask is disabled. So byte
+mask state is used to either return 256 or the value from byte map
+array.
+
+Given above, this looks bit complicated and all this happens because
+the byte map array is tightly packed and cannot actually store the 256
+value. Right now the priority is to fix the existing failure and a TODO
+item is put to improve this logic.
+
+Fixes: 3c97881b8c8a ("ASoC: tegra: Fix kcontrol put callback in ADX")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sheetal
+Reviewed-by: Mohan Kumar D
+Reviewed-by: Sameer Pujar
+Link: https://lore.kernel.org/r/1688015537-31682-3-git-send-email-spujar@nvidia.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/tegra/tegra210_adx.c | 34 ++++++++++++++++++++++------------
+ 1 file changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/sound/soc/tegra/tegra210_adx.c b/sound/soc/tegra/tegra210_adx.c
+index bd0b10c70c4c..7d003f0c8d0f 100644
+--- a/sound/soc/tegra/tegra210_adx.c
++++ b/sound/soc/tegra/tegra210_adx.c
+@@ -2,7 +2,7 @@
+ //
+ // tegra210_adx.c - Tegra210 ADX driver
+ //
+-// Copyright (c) 2021 NVIDIA CORPORATION. All rights reserved.
++// Copyright (c) 2021-2023 NVIDIA CORPORATION. All rights reserved.
+
+ #include
+ #include
+@@ -175,10 +175,20 @@ static int tegra210_adx_get_byte_map(struct snd_kcontrol *kcontrol,
+ mc = (struct soc_mixer_control *)kcontrol->private_value;
+ enabled = adx->byte_mask[mc->reg / 32] & (1 << (mc->reg % 32));
+
++ /*
++ * TODO: Simplify this logic to just return from bytes_map[]
++ *
++ * Presently below is required since bytes_map[] is
++ * tightly packed and cannot store the control value of 256.
++ * Byte mask state is used to know if 256 needs to be returned.
++ * Note that for control value of 256, the put() call stores 0
++ * in the bytes_map[] and disables the corresponding bit in
++ * byte_mask[].
++ */
+ if (enabled)
+ ucontrol->value.integer.value[0] = bytes_map[mc->reg];
+ else
+- ucontrol->value.integer.value[0] = 0;
++ ucontrol->value.integer.value[0] = 256;
+
+ return 0;
+ }
+@@ -192,19 +202,19 @@ static int tegra210_adx_put_byte_map(struct snd_kcontrol *kcontrol,
+ int value = ucontrol->value.integer.value[0];
+ struct soc_mixer_control *mc =
+ (struct soc_mixer_control *)kcontrol->private_value;
++ unsigned int mask_val = adx->byte_mask[mc->reg / 32];
+
+- if (value == bytes_map[mc->reg])
++ if (value >= 0 && value <= 255)
++ mask_val |= (1 << (mc->reg % 32));
++ else
++ mask_val &= ~(1 << (mc->reg % 32));
++
++ if (mask_val == adx->byte_mask[mc->reg / 32])
+ return 0;
+
+- if (value >= 0 && value <= 255) {
+- /* update byte map and enable slot */
+- bytes_map[mc->reg] = value;
+- adx->byte_mask[mc->reg / 32] |= (1 << (mc->reg % 32));
+- } else {
+- /* reset byte map and disable slot */
+- bytes_map[mc->reg] = 0;
+- adx->byte_mask[mc->reg / 32] &= ~(1 << (mc->reg % 32));
+- }
++ /* Update byte map and slot */
++ bytes_map[mc->reg] = value % 256;
++ adx->byte_mask[mc->reg / 32] = mask_val;
+
+ return 1;
+ }
+--
+2.41.0
+
diff --git a/tmp-6.1/asoc-tegra-fix-amx-byte-map.patch b/tmp-6.1/asoc-tegra-fix-amx-byte-map.patch
new file mode 100644
index 00000000000..c707318c8b8
--- /dev/null
+++ b/tmp-6.1/asoc-tegra-fix-amx-byte-map.patch
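Review bot: In tegra210_adx_put_byte_map() the early `return 0` now compares only the mask word, so writing a different in-range value to a slot that is already enabled (for example 5, then 7) leaves `mask_val` unchanged and returns before `bytes_map[mc->reg]` is updated. The no-change test needs the stored byte as well, e.g. `if (mask_val == adx->byte_mask[mc->reg / 32] && bytes_map[mc->reg] == (unsigned char)(value % 256)) return 0;`. Two smaller points on the same lines: for a negative control value `value % 256` is negative and wraps when stored in the unsigned char, where the removed code stored 0, and `1 << (mc->reg % 32)` should be `1U << (mc->reg % 32)` so that bit 31 does not shift into the sign bit of an int. tegra210_amx_put_byte_map() in the next patch file (tegra210_amx.c) has the same three issues.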
@@ -0,0 +1,125 @@
+From 49bd7b08149417a30aa7d92c8c85b3518de44a76 Mon Sep 17 00:00:00 2001
+From: Sheetal
+Date: Thu, 29 Jun 2023 10:42:13 +0530
+Subject: ASoC: tegra: Fix AMX byte map
+
+From: Sheetal
+
+commit 49bd7b08149417a30aa7d92c8c85b3518de44a76 upstream.
+
+Byte mask for channel-1 of stream-1 is not getting enabled and this
+causes failures during AMX use cases. This happens because the byte
+map value 0 matches the byte map array and put() callback returns
+without enabling the corresponding bits in the byte mask.
+
+AMX supports 4 input streams and each stream can take a maximum of
+16 channels. Each byte in the output frame is uniquely mapped to a
+byte in one of these 4 inputs. This mapping is done with the help of
+byte map array via user space control setting. The byte map array
+size in the driver is 16 and each array element is of size 4 bytes.
+This corresponds to 64 byte map values.
+
+Each byte in the byte map array can have any value between 0 to 255
+to enable the corresponding bits in the byte mask. The value 256 is
+used as a way to disable the byte map. However the byte map array
+element cannot store this value. The put() callback disables the byte
+mask for 256 value and byte map value is reset to 0 for this case.
+This causes problems during subsequent runs since put() callback,
+for value of 0, just returns without enabling the byte mask. In short,
+the problem is coming because 0 and 256 control values are stored as
+0 in the byte map array.
+
+Right now fix the put() callback by actually looking at the byte mask
+array state to identify if any change is needed and update the fields
+accordingly. The get() callback needs an update as well to return the
+correct control value that user has set before. Note that when user
+sets 256, the value is stored as 0 and byte mask is disabled. So byte
+mask state is used to either return 256 or the value from byte map
+array.
+
+Given above, this looks bit complicated and all this happens because
+the byte map array is tightly packed and cannot actually store the 256
+value. Right now the priority is to fix the existing failure and a TODO
+item is put to improve this logic.
+
+Fixes: 8db78ace1ba8 ("ASoC: tegra: Fix kcontrol put callback in AMX")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sheetal
+Reviewed-by: Mohan Kumar D
+Reviewed-by: Sameer Pujar
+Link: https://lore.kernel.org/r/1688015537-31682-2-git-send-email-spujar@nvidia.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/tegra/tegra210_amx.c | 40 ++++++++++++++++++++++------------------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+--- a/sound/soc/tegra/tegra210_amx.c
++++ b/sound/soc/tegra/tegra210_amx.c
+@@ -2,7 +2,7 @@
+ //
+ // tegra210_amx.c - Tegra210 AMX driver
+ //
+-// Copyright (c) 2021 NVIDIA CORPORATION. All rights reserved.
++// Copyright (c) 2021-2023 NVIDIA CORPORATION. All rights reserved.
+
+ #include
+ #include
+@@ -203,10 +203,20 @@ static int tegra210_amx_get_byte_map(str
+ else
+ enabled = amx->byte_mask[0] & (1 << reg);
+
++ /*
++ * TODO: Simplify this logic to just return from bytes_map[]
++ *
++ * Presently below is required since bytes_map[] is
++ * tightly packed and cannot store the control value of 256.
++ * Byte mask state is used to know if 256 needs to be returned.
++ * Note that for control value of 256, the put() call stores 0
++ * in the bytes_map[] and disables the corresponding bit in
++ * byte_mask[].
++ */
+ if (enabled)
+ ucontrol->value.integer.value[0] = bytes_map[reg];
+ else
+- ucontrol->value.integer.value[0] = 0;
++ ucontrol->value.integer.value[0] = 256;
+
+ return 0;
+ }
+@@ -221,25 +231,19 @@ static int tegra210_amx_put_byte_map(str
+ unsigned char *bytes_map = (unsigned char *)&amx->map;
+ int reg = mc->reg;
+ int value = ucontrol->value.integer.value[0];
++ unsigned int mask_val = amx->byte_mask[reg / 32];
+
+- if (value == bytes_map[reg])
++ if (value >= 0 && value <= 255)
++ mask_val |= (1 << (reg % 32));
++ else
++ mask_val &= ~(1 << (reg % 32));
++
++ if (mask_val == amx->byte_mask[reg / 32])
+ return 0;
+
+- if (value >= 0 && value <= 255) {
+- /* Update byte map and enable slot */
+- bytes_map[reg] = value;
+- if (reg > 31)
+- amx->byte_mask[1] |= (1 << (reg - 32));
+- else
+- amx->byte_mask[0] |= (1 << reg);
+- } else {
+- /* Reset byte map and disable slot */
+- bytes_map[reg] = 0;
+- if (reg > 31)
+- amx->byte_mask[1] &= ~(1 << (reg - 32));
+- else
+- amx->byte_mask[0] &= ~(1 << reg);
+- }
++ /* Update byte map and slot */
++ bytes_map[reg] = value % 256;
++ amx->byte_mask[reg / 32] = mask_val;
+
+ return 1;
+ }
diff --git a/tmp-6.1/bluetooth-hci_event-call-disconnect-callback-before-.patch b/tmp-6.1/bluetooth-hci_event-call-disconnect-callback-before-.patch
new file mode 100644
index 00000000000..625180f5a80
--- /dev/null
+++ b/tmp-6.1/bluetooth-hci_event-call-disconnect-callback-before-.patch
@@ -0,0 +1,168 @@ +From f56314f8f520be77c9344013ed73653e992d3600 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 01:04:32 +0300 +Subject: Bluetooth: hci_event: call disconnect callback before deleting conn + +From: Pauli Virtanen + +[ Upstream commit 7f7cfcb6f0825652973b780f248603e23f16ee90 ] + +In hci_cs_disconnect, we do hci_conn_del even if disconnection failed. + +ISO, L2CAP and SCO connections refer to the hci_conn without +hci_conn_get, so disconn_cfm must be called so they can clean up their +conn, otherwise use-after-free occurs. + +ISO: +========================================================== +iso_sock_connect:880: sk 00000000eabd6557 +iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da +... +iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073 +hci_dev_put:1487: hci0 orig refcnt 17 +__iso_chan_add:214: conn 00000000b6251073 +iso_sock_clear_timer:117: sock 00000000eabd6557 state 3 +... +hci_rx_work:4085: hci0 Event packet +hci_event_packet:7601: hci0: event 0x0f +hci_cmd_status_evt:4346: hci0: opcode 0x0406 +hci_cs_disconnect:2760: hci0: status 0x0c +hci_sent_cmd_data:3107: hci0 opcode 0x0406 +hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560 +hci_conn_unlink:1102: hci0: hcon 000000001696f1fd +hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2 +hci_chan_list_flush:2780: hcon 000000001696f1fd +hci_dev_put:1487: hci0 orig refcnt 21 +hci_dev_put:1487: hci0 orig refcnt 20 +hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c +... ... 
+iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557 +BUG: kernel NULL pointer dereference, address: 0000000000000668 +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP PTI +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 +RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth +========================================================== + +L2CAP: +================================================================== +hci_cmd_status_evt:4359: hci0: opcode 0x0406 +hci_cs_disconnect:2760: hci0: status 0x0c +hci_sent_cmd_data:3085: hci0 opcode 0x0406 +hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585 +hci_conn_unlink:1102: hci0: hcon ffff88800c999000 +hci_chan_list_flush:2780: hcon ffff88800c999000 +hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280 +... +BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth] +Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175 + +CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 +Call Trace: + + dump_stack_lvl+0x5b/0x90 + print_report+0xcf/0x670 + ? __virt_addr_valid+0xf8/0x180 + ? hci_send_acl+0x2d/0x540 [bluetooth] + kasan_report+0xa8/0xe0 + ? hci_send_acl+0x2d/0x540 [bluetooth] + hci_send_acl+0x2d/0x540 [bluetooth] + ? __pfx___lock_acquire+0x10/0x10 + l2cap_chan_send+0x1fd/0x1300 [bluetooth] + ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth] + ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth] + ? lock_release+0x1d5/0x3c0 + ? mark_held_locks+0x1a/0x90 + l2cap_sock_sendmsg+0x100/0x170 [bluetooth] + sock_write_iter+0x275/0x280 + ? __pfx_sock_write_iter+0x10/0x10 + ? __pfx___lock_acquire+0x10/0x10 + do_iter_readv_writev+0x176/0x220 + ? __pfx_do_iter_readv_writev+0x10/0x10 + ? find_held_lock+0x83/0xa0 + ? selinux_file_permission+0x13e/0x210 + do_iter_write+0xda/0x340 + vfs_writev+0x1b4/0x400 + ? __pfx_vfs_writev+0x10/0x10 + ? __seccomp_filter+0x112/0x750 + ? 
populate_seccomp_data+0x182/0x220 + ? __fget_light+0xdf/0x100 + ? do_writev+0x19d/0x210 + do_writev+0x19d/0x210 + ? __pfx_do_writev+0x10/0x10 + ? mark_held_locks+0x1a/0x90 + do_syscall_64+0x60/0x90 + ? lockdep_hardirqs_on_prepare+0x149/0x210 + ? do_syscall_64+0x6c/0x90 + ? lockdep_hardirqs_on_prepare+0x149/0x210 + entry_SYSCALL_64_after_hwframe+0x72/0xdc +RIP: 0033:0x7ff45cb23e64 +Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89 +RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014 +RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ff45cb23e64 +RDX: 0000000000000001 RSI: 00007fff21ae0aa0 RDI: 0000000000000017 +RBP: 00007fff21ae0aa0 R08: 000000000095a8a0 R09: 0000607000053f40 +R10: 0000000000000001 R11: 0000000000000202 R12: 00007fff21ae0ac0 +R13: 00000fffe435c150 R14: 00007fff21ae0a80 R15: 000060f000000040 + + +Allocated by task 771: + kasan_save_stack+0x33/0x60 + kasan_set_track+0x25/0x30 + __kasan_kmalloc+0xaa/0xb0 + hci_chan_create+0x67/0x1b0 [bluetooth] + l2cap_conn_add.part.0+0x17/0x590 [bluetooth] + l2cap_connect_cfm+0x266/0x6b0 [bluetooth] + hci_le_remote_feat_complete_evt+0x167/0x310 [bluetooth] + hci_event_packet+0x38d/0x800 [bluetooth] + hci_rx_work+0x287/0xb20 [bluetooth] + process_one_work+0x4f7/0x970 + worker_thread+0x8f/0x620 + kthread+0x17f/0x1c0 + ret_from_fork+0x2c/0x50 + +Freed by task 771: + kasan_save_stack+0x33/0x60 + kasan_set_track+0x25/0x30 + kasan_save_free_info+0x2e/0x50 + ____kasan_slab_free+0x169/0x1c0 + slab_free_freelist_hook+0x9e/0x1c0 + __kmem_cache_free+0xc0/0x310 + hci_chan_list_flush+0x46/0x90 [bluetooth] + hci_conn_cleanup+0x7d/0x330 [bluetooth] + hci_cs_disconnect+0x35d/0x530 [bluetooth] + hci_cmd_status_evt+0xef/0x2b0 [bluetooth] + hci_event_packet+0x38d/0x800 [bluetooth] + hci_rx_work+0x287/0xb20 [bluetooth] + process_one_work+0x4f7/0x970 + 
worker_thread+0x8f/0x620 + kthread+0x17f/0x1c0 + ret_from_fork+0x2c/0x50 +================================================================== + +Fixes: b8d290525e39 ("Bluetooth: clean up connection in hci_cs_disconnect") +Signed-off-by: Pauli Virtanen +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index ec9b0612f2761..83eaf25ece465 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -2789,6 +2789,9 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) + hci_enable_advertising(hdev); + } + ++ /* Inform sockets conn is gone before we delete it */ ++ hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED); ++ + goto done; + } + +-- +2.39.2 + diff --git a/tmp-6.1/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch b/tmp-6.1/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch new file mode 100644 index 00000000000..f4cce427f91 --- /dev/null +++ b/tmp-6.1/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch 
@@ -0,0 +1,60 @@
+From 37d8d1ea773870a99ffb70e4fb61facc4b296dfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Jun 2023 15:33:14 -0700
+Subject: Bluetooth: hci_sync: Avoid use-after-free in dbg for
+ hci_remove_adv_monitor()
+
+From: Douglas Anderson
+
+[ Upstream commit de6dfcefd107667ce2dbedf4d9337f5ed557a4a1 ]
+
+KASAN reports that there's a use-after-free in
+hci_remove_adv_monitor(). Trawling through the disassembly, you can
+see that the complaint is from the access in bt_dev_dbg() under the
+HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because
+msft_remove_monitor() can end up freeing the monitor
+structure. Specifically:
+ hci_remove_adv_monitor() ->
+ msft_remove_monitor() ->
+ msft_remove_monitor_sync() ->
+ msft_le_cancel_monitor_advertisement_cb() ->
+ hci_free_adv_monitor()
+
+Let's fix the problem by just stashing the relevant data when it's
+still valid.
+
+Fixes: 7cf5c2978f23 ("Bluetooth: hci_sync: Refactor remove Adv Monitor")
+Signed-off-by: Douglas Anderson
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index be0e6865b340f..d034bf2a999e1 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -1972,6 +1972,7 @@ static int hci_remove_adv_monitor(struct hci_dev *hdev,
+ struct adv_monitor *monitor)
+ {
+ int status = 0;
++ int handle;
+
+ switch (hci_get_adv_monitor_offload_ext(hdev)) {
+ case HCI_ADV_MONITOR_EXT_NONE: /* also goes here when powered off */
+@@ -1980,9 +1981,10 @@ static int hci_remove_adv_monitor(struct hci_dev *hdev,
+ goto free_monitor;
+
+ case HCI_ADV_MONITOR_EXT_MSFT:
++ handle = monitor->handle;
+ status = msft_remove_monitor(hdev, monitor);
+ bt_dev_dbg(hdev, "%s remove monitor %d msft status %d",
+- hdev->name, monitor->handle, status);
++ hdev->name, handle, status);
+ break;
+ }
+
+--
+2.39.2
+
diff --git a/tmp-6.1/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch b/tmp-6.1/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch
new file mode 100644
index 00000000000..997d943298e
--- /dev/null
+++ b/tmp-6.1/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch
@@ -0,0 +1,292 @@ +From 1bba473b620234ccdcf3a2b08e021f5b27202ce4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 01:04:33 +0300 +Subject: Bluetooth: ISO: fix iso_conn related locking and validity issues + +From: Pauli Virtanen + +[ Upstream commit d40ae85ee62e3666f45bc61864b22121346f88ef ] + +sk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations +that check/update sk_state and access conn should hold lock_sock, +otherwise they can race. + +The order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock, +which is how it is in connect/disconnect_cfm -> iso_conn_del -> +iso_chan_del. + +Fix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock +around updating sk_state and conn. + +iso_conn_del must not occur during iso_connect_cis/bis, as it frees the +iso_conn. Hold hdev->lock longer to prevent that. + +This should not reintroduce the issue fixed in commit 241f51931c35 +("Bluetooth: ISO: Avoid circular locking dependency"), since the we +acquire locks in order. We retain the fix in iso_sock_connect to release +lock_sock before iso_connect_* acquires hdev->lock. + +Similarly for commit 6a5ad251b7cd ("Bluetooth: ISO: Fix possible +circular locking dependency"). We retain the fix in iso_conn_ready to +not acquire iso_conn_lock before lock_sock. + +iso_conn_add shall return iso_conn with valid hcon. Make it so also when +reusing an old CIS connection waiting for disconnect timeout (see +__iso_sock_close where conn->hcon is set to NULL). 
+ +Trace with iso_conn_del after iso_chan_add in iso_connect_cis: +=============================================================== +iso_sock_create:771: sock 00000000be9b69b7 +iso_sock_init:693: sk 000000004dff667e +iso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1 +iso_sock_setsockopt:1289: sk 000000004dff667e +iso_sock_setsockopt:1289: sk 000000004dff667e +iso_sock_setsockopt:1289: sk 000000004dff667e +iso_sock_connect:875: sk 000000004dff667e +iso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da +hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da +hci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da +iso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e +__iso_chan_add:214: conn 00000000daf8625e +iso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12 +iso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16 +iso_sock_clear_timer:117: sock 000000004dff667e state 3 + +iso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16 +hci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535 +hci_conn_unlink:1102: hci0: hcon 000000007b65d182 +hci_chan_list_flush:2780: hcon 000000007b65d182 +iso_sock_getsockopt:1376: sk 000000004dff667e +iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e +iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e +iso_sock_getsockopt:1376: sk 000000004dff667e +iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e +iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e +iso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1 +__iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7 + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +PGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0 +Oops: 0000 [#1] PREEMPT SMP PTI +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 +RIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth 
+=============================================================== + +Trace with iso_conn_del before iso_chan_add in iso_connect_cis: +=============================================================== +iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da +... +iso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504 +hci_dev_put:1487: hci0 orig refcnt 21 +hci_event_packet:7607: hci0: event 0x0e +hci_cmd_complete_evt:4231: hci0: opcode 0x2062 +hci_cc_le_set_cig_params:3846: hci0: status 0x07 +hci_sent_cmd_data:3107: hci0 opcode 0x2062 +iso_connect_cfm:1703: hcon 0000000093bc551f bdaddr 28:3d:c2:4a:7e:da status 7 +iso_conn_del:187: hcon 0000000093bc551f conn 00000000768ae504, err 12 +hci_conn_del:1151: hci0 hcon 0000000093bc551f handle 65535 +hci_conn_unlink:1102: hci0: hcon 0000000093bc551f +hci_chan_list_flush:2780: hcon 0000000093bc551f +__iso_chan_add:214: conn 00000000768ae504 + +iso_sock_clear_timer:117: sock 0000000098323f95 state 3 +general protection fault, probably for non-canonical address 0x30b29c630930aec8: 0000 [#1] PREEMPT SMP PTI +CPU: 1 PID: 1920 Comm: bluetoothd Tainted: G E 6.3.0-rc7+ #4 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 +RIP: 0010:detach_if_pending+0x28/0xd0 +Code: 90 90 0f 1f 44 00 00 48 8b 47 08 48 85 c0 0f 84 ad 00 00 00 55 89 d5 53 48 83 3f 00 48 89 fb 74 7d 66 90 48 8b 03 48 8b 53 08 <> +RSP: 0018:ffffb90841a67d08 EFLAGS: 00010007 +RAX: 0000000000000000 RBX: ffff9141bd5061b8 RCX: 0000000000000000 +RDX: 30b29c630930aec8 RSI: ffff9141fdd21e80 RDI: ffff9141bd5061b8 +RBP: 0000000000000001 R08: 0000000000000000 R09: ffffb90841a67b88 +R10: 0000000000000003 R11: ffffffff8613f558 R12: ffff9141fdd21e80 +R13: 0000000000000000 R14: ffff9141b5976010 R15: ffff914185755338 +FS: 00007f45768bd840(0000) GS:ffff9141fdd00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000619000424074 CR3: 0000000009f5e005 CR4: 0000000000170ee0 +Call Trace: + + 
timer_delete+0x48/0x80 + try_to_grab_pending+0xdf/0x170 + __cancel_work+0x37/0xb0 + iso_connect_cis+0x141/0x400 [bluetooth] +=============================================================== + +Trace with NULL conn->hcon in state BT_CONNECT: +=============================================================== +__iso_sock_close:619: sk 00000000f7c71fc5 state 1 socket 00000000d90c5fe5 +... +__iso_sock_close:619: sk 00000000f7c71fc5 state 8 socket 00000000d90c5fe5 +iso_chan_del:153: sk 00000000f7c71fc5, conn 0000000022c03a7e, err 104 +... +iso_sock_connect:862: sk 00000000129b56c3 +iso_connect_cis:348: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a +hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a +hci_dev_hold:1495: hci0 orig refcnt 19 +__iso_chan_add:214: conn 0000000022c03a7e + +iso_sock_clear_timer:117: sock 00000000129b56c3 state 3 +... +iso_sock_ready:1485: sk 00000000129b56c3 +... +iso_sock_sendmsg:1077: sock 00000000e5013966, sk 00000000129b56c3 +BUG: kernel NULL pointer dereference, address: 00000000000006a8 +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP PTI +CPU: 1 PID: 1403 Comm: wireplumber Tainted: G E 6.3.0-rc7+ #4 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 +RIP: 0010:iso_sock_sendmsg+0x63/0x2a0 [bluetooth] +=============================================================== + +Fixes: 241f51931c35 ("Bluetooth: ISO: Avoid circular locking dependency") +Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency") +Signed-off-by: Pauli Virtanen +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/iso.c | 53 ++++++++++++++++++++++++++------------------- + 1 file changed, 31 insertions(+), 22 deletions(-) + +diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c +index cb959e8eac185..699e4f400df29 100644 +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -116,8 +116,11 @@ static struct iso_conn *iso_conn_add(struct hci_conn *hcon) + { + struct iso_conn *conn = 
hcon->iso_data; + +- if (conn) ++ if (conn) { ++ if (!conn->hcon) ++ conn->hcon = hcon; + return conn; ++ } + + conn = kzalloc(sizeof(*conn), GFP_KERNEL); + if (!conn) +@@ -285,14 +288,13 @@ static int iso_connect_bis(struct sock *sk) + goto unlock; + } + +- hci_dev_unlock(hdev); +- hci_dev_put(hdev); ++ lock_sock(sk); + + err = iso_chan_add(conn, sk, NULL); +- if (err) +- return err; +- +- lock_sock(sk); ++ if (err) { ++ release_sock(sk); ++ goto unlock; ++ } + + /* Update source addr of the socket */ + bacpy(&iso_pi(sk)->src, &hcon->src); +@@ -306,7 +308,6 @@ static int iso_connect_bis(struct sock *sk) + } + + release_sock(sk); +- return err; + + unlock: + hci_dev_unlock(hdev); +@@ -367,14 +368,13 @@ static int iso_connect_cis(struct sock *sk) + goto unlock; + } + +- hci_dev_unlock(hdev); +- hci_dev_put(hdev); ++ lock_sock(sk); + + err = iso_chan_add(conn, sk, NULL); +- if (err) +- return err; +- +- lock_sock(sk); ++ if (err) { ++ release_sock(sk); ++ goto unlock; ++ } + + /* Update source addr of the socket */ + bacpy(&iso_pi(sk)->src, &hcon->src); +@@ -391,7 +391,6 @@ static int iso_connect_cis(struct sock *sk) + } + + release_sock(sk); +- return err; + + unlock: + hci_dev_unlock(hdev); +@@ -1036,8 +1035,8 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg, + size_t len) + { + struct sock *sk = sock->sk; +- struct iso_conn *conn = iso_pi(sk)->conn; + struct sk_buff *skb, **frag; ++ size_t mtu; + int err; + + BT_DBG("sock %p, sk %p", sock, sk); +@@ -1049,11 +1048,18 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg, + if (msg->msg_flags & MSG_OOB) + return -EOPNOTSUPP; + +- if (sk->sk_state != BT_CONNECTED) ++ lock_sock(sk); ++ ++ if (sk->sk_state != BT_CONNECTED) { ++ release_sock(sk); + return -ENOTCONN; ++ } ++ ++ mtu = iso_pi(sk)->conn->hcon->hdev->iso_mtu; ++ ++ release_sock(sk); + +- skb = bt_skb_sendmsg(sk, msg, len, conn->hcon->hdev->iso_mtu, +- HCI_ISO_DATA_HDR_SIZE, 0); ++ skb = bt_skb_sendmsg(sk, msg, len, mtu, 
HCI_ISO_DATA_HDR_SIZE, 0); + if (IS_ERR(skb)) + return PTR_ERR(skb); + +@@ -1066,8 +1072,7 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg, + while (len) { + struct sk_buff *tmp; + +- tmp = bt_skb_sendmsg(sk, msg, len, conn->hcon->hdev->iso_mtu, +- 0, 0); ++ tmp = bt_skb_sendmsg(sk, msg, len, mtu, 0, 0); + if (IS_ERR(tmp)) { + kfree_skb(skb); + return PTR_ERR(tmp); +@@ -1122,15 +1127,19 @@ static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg, + BT_DBG("sk %p", sk); + + if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { ++ lock_sock(sk); + switch (sk->sk_state) { + case BT_CONNECT2: +- lock_sock(sk); + iso_conn_defer_accept(pi->conn->hcon); + sk->sk_state = BT_CONFIG; + release_sock(sk); + return 0; + case BT_CONNECT: ++ release_sock(sk); + return iso_connect_cis(sk); ++ default: ++ release_sock(sk); ++ break; + } + } + +-- +2.39.2 + diff --git a/tmp-6.1/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch b/tmp-6.1/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch new file mode 100644 index 00000000000..8a341ebde67 --- /dev/null +++ b/tmp-6.1/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch 
@@ -0,0 +1,594 @@ +From 6fa1ac47040a970b9823dd880eeff4a1f5d2c7a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 01:04:31 +0300 +Subject: Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync + +From: Pauli Virtanen + +[ Upstream commit 195ef75e19287b4bc413da3e3e3722b030ac881e ] + +hci_update_accept_list_sync iterates over hdev->pend_le_conns and +hdev->pend_le_reports, and waits for controller events in the loop body, +without holding hdev lock. + +Meanwhile, these lists and the items may be modified e.g. by +le_scan_cleanup. This can invalidate the list cursor or any other item +in the list, resulting to invalid behavior (eg use-after-free). + +Use RCU for the hci_conn_params action lists. Since the loop bodies in +hci_sync block and we cannot use RCU or hdev->lock for the whole loop, +copy list items first and then iterate on the copy. Only the flags field +is written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we +read valid values. + +Free params everywhere with hci_conn_params_free so the cleanup is +guaranteed to be done properly. + +This fixes the following, which can be triggered e.g. by BlueZ new +mgmt-tester case "Add + Remove Device Nowait - Success", or by changing +hci_le_set_cig_params to always return false, and running iso-tester: + +================================================================== +BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) +Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32 + +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 +Workqueue: hci0 hci_cmd_sync_work +Call Trace: + +dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107) +print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) +? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65) +? 
hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) +kasan_report (mm/kasan/report.c:538) +? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) +hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) +? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780) +? mutex_lock (kernel/locking/mutex.c:282) +? __pfx_mutex_lock (kernel/locking/mutex.c:282) +? __pfx_mutex_unlock (kernel/locking/mutex.c:538) +? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861) +hci_cmd_sync_work (net/bluetooth/hci_sync.c:306) +process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399) +worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538) +? __pfx_worker_thread (kernel/workqueue.c:2480) +kthread (kernel/kthread.c:376) +? __pfx_kthread (kernel/kthread.c:331) +ret_from_fork (arch/x86/entry/entry_64.S:314) + + +Allocated by task 31: +kasan_save_stack (mm/kasan/common.c:46) +kasan_set_track (mm/kasan/common.c:52) +__kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383) +hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277) +hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589) +hci_connect_cis (net/bluetooth/hci_conn.c:2266) +iso_connect_cis (net/bluetooth/iso.c:390) +iso_sock_connect (net/bluetooth/iso.c:899) +__sys_connect (net/socket.c:2003 net/socket.c:2020) +__x64_sys_connect (net/socket.c:2027) +do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + +Freed by task 15: +kasan_save_stack (mm/kasan/common.c:46) +kasan_set_track (mm/kasan/common.c:52) +kasan_save_free_info (mm/kasan/generic.c:523) +__kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 
mm/kasan/common.c:244) +__kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800) +hci_conn_params_del (net/bluetooth/hci_core.c:2323) +le_scan_cleanup (net/bluetooth/hci_conn.c:202) +process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399) +worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538) +kthread (kernel/kthread.c:376) +ret_from_fork (arch/x86/entry/entry_64.S:314) +================================================================== + +Fixes: e8907f76544f ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3") +Signed-off-by: Pauli Virtanen +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 5 ++ + net/bluetooth/hci_conn.c | 10 +-- + net/bluetooth/hci_core.c | 38 ++++++++-- + net/bluetooth/hci_event.c | 12 ++-- + net/bluetooth/hci_sync.c | 117 ++++++++++++++++++++++++++++--- + net/bluetooth/mgmt.c | 26 +++---- + 6 files changed, 164 insertions(+), 44 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index 84c5ce57eab69..ddbcbf9ccb2ce 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -807,6 +807,7 @@ struct hci_conn_params { + + struct hci_conn *conn; + bool explicit_connect; ++ /* Accessed without hdev->lock: */ + hci_conn_flags_t flags; + u8 privacy_mode; + }; +@@ -1536,7 +1537,11 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, + bdaddr_t *addr, u8 addr_type); + void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type); + void hci_conn_params_clear_disabled(struct hci_dev *hdev); ++void hci_conn_params_free(struct hci_conn_params *param); + ++void hci_pend_le_list_del_init(struct hci_conn_params *param); ++void hci_pend_le_list_add(struct hci_conn_params *param, ++ struct list_head *list); + struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list, + bdaddr_t *addr, + u8 addr_type); +diff --git 
a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index fef09d2121384..61059571c8779 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -117,7 +117,7 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) + */ + params->explicit_connect = false; + +- list_del_init(¶ms->action); ++ hci_pend_le_list_del_init(params); + + switch (params->auto_connect) { + case HCI_AUTO_CONN_EXPLICIT: +@@ -126,10 +126,10 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) + return; + case HCI_AUTO_CONN_DIRECT: + case HCI_AUTO_CONN_ALWAYS: +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + break; + case HCI_AUTO_CONN_REPORT: +- list_add(¶ms->action, &hdev->pend_le_reports); ++ hci_pend_le_list_add(params, &hdev->pend_le_reports); + break; + default: + break; +@@ -1398,8 +1398,8 @@ static int hci_explicit_conn_params_set(struct hci_dev *hdev, + if (params->auto_connect == HCI_AUTO_CONN_DISABLED || + params->auto_connect == HCI_AUTO_CONN_REPORT || + params->auto_connect == HCI_AUTO_CONN_EXPLICIT) { +- list_del_init(¶ms->action); +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_del_init(params); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + } + + params->explicit_connect = true; +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index ca42129f8f91a..be0e6865b340f 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -2249,21 +2249,45 @@ struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev, + return NULL; + } + +-/* This function requires the caller holds hdev->lock */ ++/* This function requires the caller holds hdev->lock or rcu_read_lock */ + struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list, + bdaddr_t *addr, u8 addr_type) + { + struct hci_conn_params *param; + +- list_for_each_entry(param, list, action) { ++ rcu_read_lock(); ++ ++ 
list_for_each_entry_rcu(param, list, action) { + if (bacmp(¶m->addr, addr) == 0 && +- param->addr_type == addr_type) ++ param->addr_type == addr_type) { ++ rcu_read_unlock(); + return param; ++ } + } + ++ rcu_read_unlock(); ++ + return NULL; + } + ++/* This function requires the caller holds hdev->lock */ ++void hci_pend_le_list_del_init(struct hci_conn_params *param) ++{ ++ if (list_empty(¶m->action)) ++ return; ++ ++ list_del_rcu(¶m->action); ++ synchronize_rcu(); ++ INIT_LIST_HEAD(¶m->action); ++} ++ ++/* This function requires the caller holds hdev->lock */ ++void hci_pend_le_list_add(struct hci_conn_params *param, ++ struct list_head *list) ++{ ++ list_add_rcu(¶m->action, list); ++} ++ + /* This function requires the caller holds hdev->lock */ + struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, + bdaddr_t *addr, u8 addr_type) +@@ -2297,14 +2321,15 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, + return params; + } + +-static void hci_conn_params_free(struct hci_conn_params *params) ++void hci_conn_params_free(struct hci_conn_params *params) + { ++ hci_pend_le_list_del_init(params); ++ + if (params->conn) { + hci_conn_drop(params->conn); + hci_conn_put(params->conn); + } + +- list_del(¶ms->action); + list_del(¶ms->list); + kfree(params); + } +@@ -2342,8 +2367,7 @@ void hci_conn_params_clear_disabled(struct hci_dev *hdev) + continue; + } + +- list_del(¶ms->list); +- kfree(params); ++ hci_conn_params_free(params); + } + + BT_DBG("All LE disabled connection parameters were removed"); +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index b272cc1f36481..ec9b0612f2761 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -1558,7 +1558,7 @@ static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data, + + params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type); + if (params) +- params->privacy_mode = cp->mode; ++ WRITE_ONCE(params->privacy_mode, cp->mode); + + 
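Review bot: hci_pend_le_action_lookup now returns `param` after its own `rcu_read_unlock()`, so the read-side section it opens protects only the list walk and not the pointer it hands back. The header comment should state the lifetime rule explicitly, for example `/* Caller must hold hdev->lock or rcu_read_lock() for as long as it dereferences the result */`. A caller that reads the inner lock pair as sufficient would otherwise dereference an entry that hci_conn_params_free may already have released. Callers that use the result only as a boolean, as hci_update_accept_list_sync does, are unaffected.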
hci_dev_unlock(hdev); + +@@ -2809,8 +2809,8 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) + + case HCI_AUTO_CONN_DIRECT: + case HCI_AUTO_CONN_ALWAYS: +- list_del_init(¶ms->action); +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_del_init(params); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + break; + + default: +@@ -3428,8 +3428,8 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data, + + case HCI_AUTO_CONN_DIRECT: + case HCI_AUTO_CONN_ALWAYS: +- list_del_init(¶ms->action); +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_del_init(params); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + hci_update_passive_scan(hdev); + break; + +@@ -5952,7 +5952,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, + params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, + conn->dst_type); + if (params) { +- list_del_init(¶ms->action); ++ hci_pend_le_list_del_init(params); + if (params->conn) { + hci_conn_drop(params->conn); + hci_conn_put(params->conn); +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 37131a36700a1..2ae038dfc39f7 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -2139,15 +2139,23 @@ static int hci_le_del_accept_list_sync(struct hci_dev *hdev, + return 0; + } + ++struct conn_params { ++ bdaddr_t addr; ++ u8 addr_type; ++ hci_conn_flags_t flags; ++ u8 privacy_mode; ++}; ++ + /* Adds connection to resolve list if needed. 
+ * Setting params to NULL programs local hdev->irk + */ + static int hci_le_add_resolve_list_sync(struct hci_dev *hdev, +- struct hci_conn_params *params) ++ struct conn_params *params) + { + struct hci_cp_le_add_to_resolv_list cp; + struct smp_irk *irk; + struct bdaddr_list_with_irk *entry; ++ struct hci_conn_params *p; + + if (!use_ll_privacy(hdev)) + return 0; +@@ -2182,6 +2190,16 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev, + /* Default privacy mode is always Network */ + params->privacy_mode = HCI_NETWORK_PRIVACY; + ++ rcu_read_lock(); ++ p = hci_pend_le_action_lookup(&hdev->pend_le_conns, ++ ¶ms->addr, params->addr_type); ++ if (!p) ++ p = hci_pend_le_action_lookup(&hdev->pend_le_reports, ++ ¶ms->addr, params->addr_type); ++ if (p) ++ WRITE_ONCE(p->privacy_mode, HCI_NETWORK_PRIVACY); ++ rcu_read_unlock(); ++ + done: + if (hci_dev_test_flag(hdev, HCI_PRIVACY)) + memcpy(cp.local_irk, hdev->irk, 16); +@@ -2194,7 +2212,7 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev, + + /* Set Device Privacy Mode. */ + static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, +- struct hci_conn_params *params) ++ struct conn_params *params) + { + struct hci_cp_le_set_privacy_mode cp; + struct smp_irk *irk; +@@ -2219,6 +2237,8 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, + bacpy(&cp.bdaddr, &irk->bdaddr); + cp.mode = HCI_DEVICE_PRIVACY; + ++ /* Note: params->privacy_mode is not updated since it is a copy */ ++ + return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PRIVACY_MODE, + sizeof(cp), &cp, HCI_CMD_TIMEOUT); + } +@@ -2228,7 +2248,7 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, + * properly set the privacy mode. 
+ */ + static int hci_le_add_accept_list_sync(struct hci_dev *hdev, +- struct hci_conn_params *params, ++ struct conn_params *params, + u8 *num_entries) + { + struct hci_cp_le_add_to_accept_list cp; +@@ -2426,6 +2446,52 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev, + return __hci_cmd_sync_sk(hdev, opcode, 0, NULL, 0, HCI_CMD_TIMEOUT, sk); + } + ++static struct conn_params *conn_params_copy(struct list_head *list, size_t *n) ++{ ++ struct hci_conn_params *params; ++ struct conn_params *p; ++ size_t i; ++ ++ rcu_read_lock(); ++ ++ i = 0; ++ list_for_each_entry_rcu(params, list, action) ++ ++i; ++ *n = i; ++ ++ rcu_read_unlock(); ++ ++ p = kvcalloc(*n, sizeof(struct conn_params), GFP_KERNEL); ++ if (!p) ++ return NULL; ++ ++ rcu_read_lock(); ++ ++ i = 0; ++ list_for_each_entry_rcu(params, list, action) { ++ /* Racing adds are handled in next scan update */ ++ if (i >= *n) ++ break; ++ ++ /* No hdev->lock, but: addr, addr_type are immutable. ++ * privacy_mode is only written by us or in ++ * hci_cc_le_set_privacy_mode that we wait for. ++ * We should be idempotent so MGMT updating flags ++ * while we are processing is OK. ++ */ ++ bacpy(&p[i].addr, ¶ms->addr); ++ p[i].addr_type = params->addr_type; ++ p[i].flags = READ_ONCE(params->flags); ++ p[i].privacy_mode = READ_ONCE(params->privacy_mode); ++ ++i; ++ } ++ ++ rcu_read_unlock(); ++ ++ *n = i; ++ return p; ++} ++ + /* Device must not be scanning when updating the accept list. 
+ * + * Update is done using the following sequence: +@@ -2445,11 +2511,12 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev, + */ + static u8 hci_update_accept_list_sync(struct hci_dev *hdev) + { +- struct hci_conn_params *params; ++ struct conn_params *params; + struct bdaddr_list *b, *t; + u8 num_entries = 0; + bool pend_conn, pend_report; + u8 filter_policy; ++ size_t i, n; + int err; + + /* Pause advertising if resolving list can be used as controllers +@@ -2483,6 +2550,7 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev) + if (hci_conn_hash_lookup_le(hdev, &b->bdaddr, b->bdaddr_type)) + continue; + ++ /* Pointers not dereferenced, no locks needed */ + pend_conn = hci_pend_le_action_lookup(&hdev->pend_le_conns, + &b->bdaddr, + b->bdaddr_type); +@@ -2511,23 +2579,50 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev) + * available accept list entries in the controller, then + * just abort and return filer policy value to not use the + * accept list. ++ * ++ * The list and params may be mutated while we wait for events, ++ * so make a copy and iterate it. + */ +- list_for_each_entry(params, &hdev->pend_le_conns, action) { +- err = hci_le_add_accept_list_sync(hdev, params, &num_entries); +- if (err) ++ ++ params = conn_params_copy(&hdev->pend_le_conns, &n); ++ if (!params) { ++ err = -ENOMEM; ++ goto done; ++ } ++ ++ for (i = 0; i < n; ++i) { ++ err = hci_le_add_accept_list_sync(hdev, ¶ms[i], ++ &num_entries); ++ if (err) { ++ kvfree(params); + goto done; ++ } + } + ++ kvfree(params); ++ + /* After adding all new pending connections, walk through + * the list of pending reports and also add these to the + * accept list if there is still space. Abort if space runs out. 
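Review bot: conn_params_copy has no header comment, and its contract is subtle enough to need one. It returns a kvcalloc'd snapshot that the caller must release with `kvfree()`, and it stores in `*n` the number of entries actually copied, which can be smaller than the first count if the list shrank between the two RCU sections. An empty list makes the call `kvcalloc(0, ...)`, and both callers treat a NULL return as `-ENOMEM`. That only works because a zero-size request returns a non-NULL zero-size pointer, which I believe is the case for kvcalloc, so the reliance should be stated in the comment. As a style point, `sizeof(*p)` would tie the element size to the variable instead of repeating `struct conn_params`.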
+ */ +- list_for_each_entry(params, &hdev->pend_le_reports, action) { +- err = hci_le_add_accept_list_sync(hdev, params, &num_entries); +- if (err) ++ ++ params = conn_params_copy(&hdev->pend_le_reports, &n); ++ if (!params) { ++ err = -ENOMEM; ++ goto done; ++ } ++ ++ for (i = 0; i < n; ++i) { ++ err = hci_le_add_accept_list_sync(hdev, ¶ms[i], ++ &num_entries); ++ if (err) { ++ kvfree(params); + goto done; ++ } + } + ++ kvfree(params); ++ + /* Use the allowlist unless the following conditions are all true: + * - We are not currently suspending + * - There are 1 or more ADV monitors registered and it's not offloaded +@@ -4778,12 +4873,12 @@ static void hci_pend_le_actions_clear(struct hci_dev *hdev) + struct hci_conn_params *p; + + list_for_each_entry(p, &hdev->le_conn_params, list) { ++ hci_pend_le_list_del_init(p); + if (p->conn) { + hci_conn_drop(p->conn); + hci_conn_put(p->conn); + p->conn = NULL; + } +- list_del_init(&p->action); + } + + BT_DBG("All LE pending actions cleared"); +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 815f2abe918ef..89c94f3e96bc3 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -1297,15 +1297,15 @@ static void restart_le_actions(struct hci_dev *hdev) + /* Needed for AUTO_OFF case where might not "really" + * have been powered off. 
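Review bot: The copy, iterate and `kvfree` sequence in hci_update_accept_list_sync is written out twice, once for `pend_le_conns` and once for `pend_le_reports`, with the free repeated on every error path. A small static helper that owns the snapshot would keep allocation and release in one place and make a missed `kvfree` on a future error path less likely. The function continues outside this hunk.

```c
/* Add a snapshot of @list to the accept list; the snapshot is freed here. */
static int hci_le_add_accept_list_from(struct hci_dev *hdev,
				       struct list_head *list,
				       u8 *num_entries)
{
	struct conn_params *params;
	size_t i, n;
	int err = 0;

	params = conn_params_copy(list, &n);
	if (!params)
		return -ENOMEM;

	for (i = 0; i < n; ++i) {
		err = hci_le_add_accept_list_sync(hdev, &params[i],
						  num_entries);
		if (err)
			break;
	}

	kvfree(params);
	return err;
}

/* … unchanged: hci_update_accept_list_sync up to the pending-connections loop … */
	err = hci_le_add_accept_list_from(hdev, &hdev->pend_le_conns,
					  &num_entries);
	if (err)
		goto done;
```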
+ */ +- list_del_init(&p->action); ++ hci_pend_le_list_del_init(p); + + switch (p->auto_connect) { + case HCI_AUTO_CONN_DIRECT: + case HCI_AUTO_CONN_ALWAYS: +- list_add(&p->action, &hdev->pend_le_conns); ++ hci_pend_le_list_add(p, &hdev->pend_le_conns); + break; + case HCI_AUTO_CONN_REPORT: +- list_add(&p->action, &hdev->pend_le_reports); ++ hci_pend_le_list_add(p, &hdev->pend_le_reports); + break; + default: + break; +@@ -5161,7 +5161,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, + goto unlock; + } + +- params->flags = current_flags; ++ WRITE_ONCE(params->flags, current_flags); + status = MGMT_STATUS_SUCCESS; + + /* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY +@@ -7573,7 +7573,7 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr, + if (params->auto_connect == auto_connect) + return 0; + +- list_del_init(¶ms->action); ++ hci_pend_le_list_del_init(params); + + switch (auto_connect) { + case HCI_AUTO_CONN_DISABLED: +@@ -7582,18 +7582,18 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr, + * connect to device, keep connecting. 
+ */ + if (params->explicit_connect) +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + break; + case HCI_AUTO_CONN_REPORT: + if (params->explicit_connect) +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + else +- list_add(¶ms->action, &hdev->pend_le_reports); ++ hci_pend_le_list_add(params, &hdev->pend_le_reports); + break; + case HCI_AUTO_CONN_DIRECT: + case HCI_AUTO_CONN_ALWAYS: + if (!is_connected(hdev, addr, addr_type)) +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + break; + } + +@@ -7816,9 +7816,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev, + goto unlock; + } + +- list_del(¶ms->action); +- list_del(¶ms->list); +- kfree(params); ++ hci_conn_params_free(params); + + device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type); + } else { +@@ -7849,9 +7847,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev, + p->auto_connect = HCI_AUTO_CONN_EXPLICIT; + continue; + } +- list_del(&p->action); +- list_del(&p->list); +- kfree(p); ++ hci_conn_params_free(p); + } + + bt_dev_dbg(hdev, "All LE connection parameters were removed"); +-- +2.39.2 + diff --git a/tmp-6.1/bpf-address-kcsan-report-on-bpf_lru_list.patch b/tmp-6.1/bpf-address-kcsan-report-on-bpf_lru_list.patch new file mode 100644 index 00000000000..9da0f1b277e --- /dev/null +++ b/tmp-6.1/bpf-address-kcsan-report-on-bpf_lru_list.patch 
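Review bot: The remove-all branch of remove_device now calls `hci_conn_params_free(p)` inside its loop, which can block once per entry. Per the hci_core.c hunk, that function goes through hci_pend_le_list_del_init, which waits in `synchronize_rcu()` for every entry still linked on a pend list. With many stored connection parameters this serialises one grace period per entry, apparently while hdev->lock is held, since the neighbouring hunk exits through `goto unlock`. Consider unlinking with `list_del_rcu()` inside the loop and waiting once afterwards, or at least note the cost and the may-sleep requirement in the comment on hci_pend_le_list_del_init. The loop starts outside this hunk.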
@@ -0,0 +1,177 @@ +From ccf4979c64a589eed4428fcc3fc6a92a8627c659 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 21:37:48 -0700 +Subject: bpf: Address KCSAN report on bpf_lru_list + +From: Martin KaFai Lau + +[ Upstream commit ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 ] + +KCSAN reported a data-race when accessing node->ref. +Although node->ref does not have to be accurate, +take this chance to use a more common READ_ONCE() and WRITE_ONCE() +pattern instead of data_race(). + +There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). +This patch also adds bpf_lru_node_clear_ref() to do the +WRITE_ONCE(node->ref, 0) also. + +================================================================== +BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem + +write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: +__bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] +__bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] +__bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 +bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] +bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] +bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 +prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] +__htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 +bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 +bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 +generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 +bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 +__sys_bpf+0x338/0x810 +__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff888137038deb of 1 bytes by task 
11241 on cpu 0: +bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] +__htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 +bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 +bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 +generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 +bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 +__sys_bpf+0x338/0x810 +__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x01 -> 0x00 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 +================================================================== + +Reported-by: syzbot+ebe648a84e8784763f82@syzkaller.appspotmail.com +Signed-off-by: Martin KaFai Lau +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20230511043748.1384166-1-martin.lau@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/bpf_lru_list.c | 21 +++++++++++++-------- + kernel/bpf/bpf_lru_list.h | 7 ++----- + 2 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c +index d99e89f113c43..3dabdd137d102 100644 +--- a/kernel/bpf/bpf_lru_list.c ++++ b/kernel/bpf/bpf_lru_list.c +@@ -41,7 +41,12 @@ static struct list_head *local_pending_list(struct bpf_lru_locallist *loc_l) + /* bpf_lru_node helpers */ + static bool bpf_lru_node_is_ref(const struct bpf_lru_node *node) + { +- return node->ref; ++ return READ_ONCE(node->ref); ++} ++ ++static void bpf_lru_node_clear_ref(struct bpf_lru_node *node) ++{ ++ WRITE_ONCE(node->ref, 0); + } 
+ + static void bpf_lru_list_count_inc(struct bpf_lru_list *l, +@@ -89,7 +94,7 @@ static void __bpf_lru_node_move_in(struct bpf_lru_list *l, + + bpf_lru_list_count_inc(l, tgt_type); + node->type = tgt_type; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_move(&node->list, &l->lists[tgt_type]); + } + +@@ -110,7 +115,7 @@ static void __bpf_lru_node_move(struct bpf_lru_list *l, + bpf_lru_list_count_inc(l, tgt_type); + node->type = tgt_type; + } +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + + /* If the moving node is the next_inactive_rotation candidate, + * move the next_inactive_rotation pointer also. +@@ -353,7 +358,7 @@ static void __local_list_add_pending(struct bpf_lru *lru, + *(u32 *)((void *)node + lru->hash_offset) = hash; + node->cpu = cpu; + node->type = BPF_LRU_LOCAL_LIST_T_PENDING; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, local_pending_list(loc_l)); + } + +@@ -419,7 +424,7 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru, + if (!list_empty(free_list)) { + node = list_first_entry(free_list, struct bpf_lru_node, list); + *(u32 *)((void *)node + lru->hash_offset) = hash; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + __bpf_lru_node_move(l, node, BPF_LRU_LIST_T_INACTIVE); + } + +@@ -522,7 +527,7 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru, + } + + node->type = BPF_LRU_LOCAL_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_move(&node->list, local_free_list(loc_l)); + + raw_spin_unlock_irqrestore(&loc_l->lock, flags); +@@ -568,7 +573,7 @@ static void bpf_common_lru_populate(struct bpf_lru *lru, void *buf, + + node = (struct bpf_lru_node *)(buf + node_offset); + node->type = BPF_LRU_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); + buf += elem_size; + } +@@ -594,7 +599,7 @@ static void bpf_percpu_lru_populate(struct bpf_lru *lru, void *buf, + node = (struct bpf_lru_node 
*)(buf + node_offset); + node->cpu = cpu; + node->type = BPF_LRU_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); + i++; + buf += elem_size; +diff --git a/kernel/bpf/bpf_lru_list.h b/kernel/bpf/bpf_lru_list.h +index 4ea227c9c1ade..8f3c8b2b4490e 100644 +--- a/kernel/bpf/bpf_lru_list.h ++++ b/kernel/bpf/bpf_lru_list.h +@@ -64,11 +64,8 @@ struct bpf_lru { + + static inline void bpf_lru_node_set_ref(struct bpf_lru_node *node) + { +- /* ref is an approximation on access frequency. It does not +- * have to be very accurate. Hence, no protection is used. +- */ +- if (!node->ref) +- node->ref = 1; ++ if (!READ_ONCE(node->ref)) ++ WRITE_ONCE(node->ref, 1); + } + + int bpf_lru_init(struct bpf_lru *lru, bool percpu, u32 hash_offset, +-- +2.39.2 + diff --git a/tmp-6.1/bpf-aggressively-forget-precise-markings-during-state-checkpointing.patch b/tmp-6.1/bpf-aggressively-forget-precise-markings-during-state-checkpointing.patch new file mode 100644 index 00000000000..d3ca2081c08 --- /dev/null +++ b/tmp-6.1/bpf-aggressively-forget-precise-markings-during-state-checkpointing.patch 
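Review bot: The bpf_lru_list.h hunk deletes the comment explaining that `ref` is only an approximation of access frequency, while the new `READ_ONCE`/`WRITE_ONCE` pair in bpf_lru_node_set_ref is still a non-atomic check-then-set. Without that rationale the annotated accesses can be mistaken for real synchronisation. Keep a short note next to them, for example `/* ref is an approximation of access frequency; the READ_ONCE/WRITE_ONCE pair only marks the race as intended, it is not atomic */`.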
@@ -0,0 +1,128 @@ +From stable-owner@vger.kernel.org Mon Jul 24 14:42:44 2023 +From: Eduard Zingerman +Date: Mon, 24 Jul 2023 15:42:20 +0300 +Subject: bpf: aggressively forget precise markings during state checkpointing +To: stable@vger.kernel.org, ast@kernel.org +Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, yhs@fb.com, mykolal@fb.com, luizcap@amazon.com, Eduard Zingerman +Message-ID: <20230724124223.1176479-4-eddyz87@gmail.com> + +From: Andrii Nakryiko + +[ Upstream commit 7a830b53c17bbadcf99f778f28aaaa4e6c41df5f ] + +Exploit the property of about-to-be-checkpointed state to be able to +forget all precise markings up to that point even more aggressively. We +now clear all potentially inherited precise markings right before +checkpointing and branching off into child state. If any of children +states require precise knowledge of any SCALAR register, those will be +propagated backwards later on before this state is finalized, preserving +correctness. + +There is a single selftests BPF program change, but tremendous one: 25x +reduction in number of verified instructions and states in +trace_virtqueue_add_sgs. + +Cilium results are more modest, but happen across wider range of programs. 
+ +SELFTESTS RESULTS +================= + +$ ./veristat -C -e file,prog,insns,states ~/imprecise-early-results.csv ~/imprecise-aggressive-results.csv | grep -v '+0' +File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF) +------------------- ----------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- +loop6.bpf.linked1.o trace_virtqueue_add_sgs 398057 15114 -382943 (-96.20%) 8717 336 -8381 (-96.15%) +------------------- ----------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- + +CILIUM RESULTS +============== + +$ ./veristat -C -e file,prog,insns,states ~/imprecise-early-results-cilium.csv ~/imprecise-aggressive-results-cilium.csv | grep -v '+0' +File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF) +------------- -------------------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- +bpf_host.o tail_handle_nat_fwd_ipv4 23426 23221 -205 (-0.88%) 1537 1515 -22 (-1.43%) +bpf_host.o tail_handle_nat_fwd_ipv6 13009 12904 -105 (-0.81%) 719 708 -11 (-1.53%) +bpf_host.o tail_nodeport_nat_ingress_ipv6 5261 5196 -65 (-1.24%) 247 243 -4 (-1.62%) +bpf_host.o tail_nodeport_nat_ipv6_egress 3446 3406 -40 (-1.16%) 203 198 -5 (-2.46%) +bpf_lxc.o tail_handle_nat_fwd_ipv4 23426 23221 -205 (-0.88%) 1537 1515 -22 (-1.43%) +bpf_lxc.o tail_handle_nat_fwd_ipv6 13009 12904 -105 (-0.81%) 719 708 -11 (-1.53%) +bpf_lxc.o tail_ipv4_ct_egress 5074 4897 -177 (-3.49%) 255 248 -7 (-2.75%) +bpf_lxc.o tail_ipv4_ct_ingress 5100 4923 -177 (-3.47%) 255 248 -7 (-2.75%) +bpf_lxc.o tail_ipv4_ct_ingress_policy_only 5100 4923 -177 (-3.47%) 255 248 -7 (-2.75%) +bpf_lxc.o tail_ipv6_ct_egress 4558 4536 -22 (-0.48%) 188 187 -1 (-0.53%) +bpf_lxc.o tail_ipv6_ct_ingress 4578 4556 -22 
(-0.48%) 188 187 -1 (-0.53%) +bpf_lxc.o tail_ipv6_ct_ingress_policy_only 4578 4556 -22 (-0.48%) 188 187 -1 (-0.53%) +bpf_lxc.o tail_nodeport_nat_ingress_ipv6 5261 5196 -65 (-1.24%) 247 243 -4 (-1.62%) +bpf_overlay.o tail_nodeport_nat_ingress_ipv6 5261 5196 -65 (-1.24%) 247 243 -4 (-1.62%) +bpf_overlay.o tail_nodeport_nat_ipv6_egress 3482 3442 -40 (-1.15%) 204 201 -3 (-1.47%) +bpf_xdp.o tail_nodeport_nat_egress_ipv4 17200 15619 -1581 (-9.19%) 1111 1010 -101 (-9.09%) +------------- -------------------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- + +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20221104163649.121784-6-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Eduard Zingerman +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 37 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 37 insertions(+) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2813,6 +2813,31 @@ static void mark_all_scalars_precise(str + } + } + ++static void mark_all_scalars_imprecise(struct bpf_verifier_env *env, struct bpf_verifier_state *st) ++{ ++ struct bpf_func_state *func; ++ struct bpf_reg_state *reg; ++ int i, j; ++ ++ for (i = 0; i <= st->curframe; i++) { ++ func = st->frame[i]; ++ for (j = 0; j < BPF_REG_FP; j++) { ++ reg = &func->regs[j]; ++ if (reg->type != SCALAR_VALUE) ++ continue; ++ reg->precise = false; ++ } ++ for (j = 0; j < func->allocated_stack / BPF_REG_SIZE; j++) { ++ if (!is_spilled_reg(&func->stack[j])) ++ continue; ++ reg = &func->stack[j].spilled_ptr; ++ if (reg->type != SCALAR_VALUE) ++ continue; ++ reg->precise = false; ++ } ++ } ++} ++ + /* + * __mark_chain_precision() backtracks BPF program instruction sequence and + * chain of verifier states making sure that register *regno* (if regno >= 0) +@@ -2891,6 +2916,14 @@ static void mark_all_scalars_precise(str + * be imprecise. 
If any child state does require this register to be precise, + * we'll mark it precise later retroactively during precise markings + * propagation from child state to parent states. ++ * ++ * Skipping precise marking setting in current state is a mild version of ++ * relying on the above observation. But we can utilize this property even ++ * more aggressively by proactively forgetting any precise marking in the ++ * current state (which we inherited from the parent state), right before we ++ * checkpoint it and branch off into new child state. This is done by ++ * mark_all_scalars_imprecise() to hopefully get more permissive and generic ++ * finalized states which help in short circuiting more future states. + */ + static int __mark_chain_precision(struct bpf_verifier_env *env, int frame, int regno, + int spi) +@@ -12296,6 +12329,10 @@ next: + env->prev_jmps_processed = env->jmps_processed; + env->prev_insn_processed = env->insn_processed; + ++ /* forget precise markings we inherited, see __mark_chain_precision */ ++ if (env->bpf_capable) ++ mark_all_scalars_imprecise(env, cur); ++ + /* add new state to the head of linked list */ + new = &new_sl->state; + err = copy_verifier_state(new, cur); diff --git a/tmp-6.1/bpf-allow-precision-tracking-for-programs-with-subprogs.patch b/tmp-6.1/bpf-allow-precision-tracking-for-programs-with-subprogs.patch new file mode 100644 index 00000000000..acec2f6d51e --- /dev/null +++ b/tmp-6.1/bpf-allow-precision-tracking-for-programs-with-subprogs.patch 
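Review bot: The new call site guards `mark_all_scalars_imprecise(env, cur)` with `if (env->bpf_capable)`, but neither the one-line comment above it nor the text added to __mark_chain_precision says why programs without that capability keep their inherited precise marks. Presumably precision tracking is not performed for them at all, which should be confirmed and written down, for example `/* precision is only tracked for bpf_capable programs, so only they have marks to forget */`. mark_all_scalars_imprecise itself also never uses its `env` parameter in the visible body. A short header comment should say the parameter is kept for symmetry with mark_all_scalars_precise, if that is the intent.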
@@ -0,0 +1,246 @@ +From stable-owner@vger.kernel.org Mon Jul 24 14:42:40 2023 +From: Eduard Zingerman +Date: Mon, 24 Jul 2023 15:42:18 +0300 +Subject: bpf: allow precision tracking for programs with subprogs +To: stable@vger.kernel.org, ast@kernel.org +Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, yhs@fb.com, mykolal@fb.com, luizcap@amazon.com, Eduard Zingerman +Message-ID: <20230724124223.1176479-2-eddyz87@gmail.com> + +From: Andrii Nakryiko + +[ Upstream commit be2ef8161572ec1973124ebc50f56dafc2925e07 ] + +Stop forcing precise=true for SCALAR registers when BPF program has any +subprograms. Current restriction means that any BPF program, as soon as +it uses subprograms, will end up not getting any of the precision +tracking benefits in reduction of number of verified states. + +This patch keeps the fallback mark_all_scalars_precise() behavior if +precise marking has to cross function frames. E.g., if subprogram +requires R1 (first input arg) to be marked precise, ideally we'd need to +backtrack to the parent function and keep marking R1 and its +dependencies as precise. But right now we give up and force all the +SCALARs in any of the current and parent states to be forced to +precise=true. We can lift that restriction in the future. + +But this patch fixes two issues identified when trying to enable +precision tracking for subprogs. + +First, prevent "escaping" from top-most state in a global subprog. While +with entry-level BPF program we never end up requesting precision for +R1-R5 registers, because R2-R5 are not initialized (and so not readable +in correct BPF program), and R1 is PTR_TO_CTX, not SCALAR, and so is +implicitly precise. With global subprogs, though, it's different, as +global subprog a) can have up to 5 SCALAR input arguments, which might +get marked as precise=true and b) it is validated in isolation from its +main entry BPF program. 
b) means that we can end up exhausting parent +state chain and still not mark all registers in reg_mask as precise, +which would lead to verifier bug warning. + +To handle that, we need to consider two cases. First, if the very first +state is not immediately "checkpointed" (i.e., stored in state lookup +hashtable), it will get correct first_insn_idx and last_insn_idx +instruction set during state checkpointing. As such, this case is +already handled and __mark_chain_precision() already handles that by +just doing nothing when we reach to the very first parent state. +st->parent will be NULL and we'll just stop. Perhaps some extra check +for reg_mask and stack_mask is due here, but this patch doesn't address +that issue. + +More problematic second case is when global function's initial state is +immediately checkpointed before we manage to process the very first +instruction. This is happening because when there is a call to global +subprog from the main program the very first subprog's instruction is +marked as pruning point, so before we manage to process first +instruction we have to check and checkpoint state. This patch adds +a special handling for such "empty" state, which is identified by having +st->last_insn_idx set to -1. In such case, we check that we are indeed +validating global subprog, and with some sanity checking we mark input +args as precise if requested. + +Note that we also initialize state->first_insn_idx with correct start +insn_idx offset. For main program zero is correct value, but for any +subprog it's quite confusing to not have first_insn_idx set. This +doesn't have any functional impact, but helps with debugging and state +printing. We also explicitly initialize state->last_insns_idx instead of +relying on is_state_visited() to do this with env->prev_insns_idx, which +will be -1 on the very first instruction. This concludes necessary +changes to handle specifically global subprog's precision tracking. 
+ +Second identified problem was missed handling of BPF helper functions +that call into subprogs (e.g., bpf_loop and few others). From precision +tracking and backtracking logic's standpoint those are effectively calls +into subprogs and should be called as BPF_PSEUDO_CALL calls. + +This patch takes the least intrusive way and just checks against a short +list of current BPF helpers that do call subprogs, encapsulated in +is_callback_calling_function() function. But to prevent accidentally +forgetting to add new BPF helpers to this "list", we also do a sanity +check in __check_func_call, which has to be called for each such special +BPF helper, to validate that BPF helper is indeed recognized as +callback-calling one. This should catch any missed checks in the future. +Adding some special flags to be added in function proto definitions +seemed like an overkill in this case. + +With the above changes, it's possible to remove forceful setting of +reg->precise to true in __mark_reg_unknown, which turns on precision +tracking both inside subprogs and entry progs that have subprogs. No +warnings or errors were detected across all the selftests, but also when +validating with veristat against internal Meta BPF objects and Cilium +objects. Further, in some BPF programs there are noticeable reduction in +number of states and instructions validated due to more effective +precision tracking, especially benefiting syncookie test. 
+ +$ ./veristat -C -e file,prog,insns,states ~/baseline-results.csv ~/subprog-precise-results.csv | grep -v '+0' +File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF) +---------------------------------------- -------------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- +pyperf600_bpf_loop.bpf.linked1.o on_event 3966 3678 -288 (-7.26%) 306 276 -30 (-9.80%) +pyperf_global.bpf.linked1.o on_event 7563 7530 -33 (-0.44%) 520 517 -3 (-0.58%) +pyperf_subprogs.bpf.linked1.o on_event 36358 36934 +576 (+1.58%) 2499 2531 +32 (+1.28%) +setget_sockopt.bpf.linked1.o skops_sockopt 3965 4038 +73 (+1.84%) 343 347 +4 (+1.17%) +test_cls_redirect_subprogs.bpf.linked1.o cls_redirect 64965 64901 -64 (-0.10%) 4619 4612 -7 (-0.15%) +test_misc_tcp_hdr_options.bpf.linked1.o misc_estab 1491 1307 -184 (-12.34%) 110 100 -10 (-9.09%) +test_pkt_access.bpf.linked1.o test_pkt_access 354 349 -5 (-1.41%) 25 24 -1 (-4.00%) +test_sock_fields.bpf.linked1.o egress_read_sock_fields 435 375 -60 (-13.79%) 22 20 -2 (-9.09%) +test_sysctl_loop2.bpf.linked1.o sysctl_tcp_mem 1508 1501 -7 (-0.46%) 29 28 -1 (-3.45%) +test_tc_dtime.bpf.linked1.o egress_fwdns_prio100 468 435 -33 (-7.05%) 45 41 -4 (-8.89%) +test_tc_dtime.bpf.linked1.o ingress_fwdns_prio100 398 408 +10 (+2.51%) 42 39 -3 (-7.14%) +test_tc_dtime.bpf.linked1.o ingress_fwdns_prio101 1096 842 -254 (-23.18%) 97 73 -24 (-24.74%) +test_tcp_hdr_options.bpf.linked1.o estab 2758 2408 -350 (-12.69%) 208 181 -27 (-12.98%) +test_urandom_usdt.bpf.linked1.o urand_read_with_sema 466 448 -18 (-3.86%) 31 28 -3 (-9.68%) +test_urandom_usdt.bpf.linked1.o urand_read_without_sema 466 448 -18 (-3.86%) 31 28 -3 (-9.68%) +test_urandom_usdt.bpf.linked1.o urandlib_read_with_sema 466 448 -18 (-3.86%) 31 28 -3 (-9.68%) +test_urandom_usdt.bpf.linked1.o urandlib_read_without_sema 466 448 -18 (-3.86%) 31 28 -3 (-9.68%) +test_xdp_noinline.bpf.linked1.o 
balancer_ingress_v6 4302 4294 -8 (-0.19%) 257 256 -1 (-0.39%) +xdp_synproxy_kern.bpf.linked1.o syncookie_tc 583722 405757 -177965 (-30.49%) 35846 25735 -10111 (-28.21%) +xdp_synproxy_kern.bpf.linked1.o syncookie_xdp 609123 479055 -130068 (-21.35%) 35452 29145 -6307 (-17.79%) +---------------------------------------- -------------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- + +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20221104163649.121784-4-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Eduard Zingerman +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 61 insertions(+), 1 deletion(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -511,6 +511,15 @@ static bool is_dynptr_ref_function(enum + return func_id == BPF_FUNC_dynptr_data; + } + ++static bool is_callback_calling_function(enum bpf_func_id func_id) ++{ ++ return func_id == BPF_FUNC_for_each_map_elem || ++ func_id == BPF_FUNC_timer_set_callback || ++ func_id == BPF_FUNC_find_vma || ++ func_id == BPF_FUNC_loop || ++ func_id == BPF_FUNC_user_ringbuf_drain; ++} ++ + static bool helper_multiple_ref_obj_use(enum bpf_func_id func_id, + const struct bpf_map *map) + { +@@ -1693,7 +1702,7 @@ static void __mark_reg_unknown(const str + reg->type = SCALAR_VALUE; + reg->var_off = tnum_unknown; + reg->frameno = 0; +- reg->precise = env->subprog_cnt > 1 || !env->bpf_capable; ++ reg->precise = !env->bpf_capable; + __mark_reg_unbounded(reg); + } + +@@ -2670,6 +2679,11 @@ static int backtrack_insn(struct bpf_ver + */ + if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL && insn->imm == 0) + return -ENOTSUPP; ++ /* BPF helpers that invoke callback subprogs are ++ * equivalent to BPF_PSEUDO_CALL above ++ */ ++ if (insn->src_reg == 0 && is_callback_calling_function(insn->imm)) ++ return -ENOTSUPP; + /* regular helper call 
sets R0 */ + *reg_mask &= ~1; + if (*reg_mask & 0x3f) { +@@ -2848,12 +2862,42 @@ static int __mark_chain_precision(struct + return 0; + if (!reg_mask && !stack_mask) + return 0; ++ + for (;;) { + DECLARE_BITMAP(mask, 64); + u32 history = st->jmp_history_cnt; + + if (env->log.level & BPF_LOG_LEVEL2) + verbose(env, "last_idx %d first_idx %d\n", last_idx, first_idx); ++ ++ if (last_idx < 0) { ++ /* we are at the entry into subprog, which ++ * is expected for global funcs, but only if ++ * requested precise registers are R1-R5 ++ * (which are global func's input arguments) ++ */ ++ if (st->curframe == 0 && ++ st->frame[0]->subprogno > 0 && ++ st->frame[0]->callsite == BPF_MAIN_FUNC && ++ stack_mask == 0 && (reg_mask & ~0x3e) == 0) { ++ bitmap_from_u64(mask, reg_mask); ++ for_each_set_bit(i, mask, 32) { ++ reg = &st->frame[0]->regs[i]; ++ if (reg->type != SCALAR_VALUE) { ++ reg_mask &= ~(1u << i); ++ continue; ++ } ++ reg->precise = true; ++ } ++ return 0; ++ } ++ ++ verbose(env, "BUG backtracing func entry subprog %d reg_mask %x stack_mask %llx\n", ++ st->frame[0]->subprogno, reg_mask, stack_mask); ++ WARN_ONCE(1, "verifier backtracking bug"); ++ return -EFAULT; ++ } ++ + for (i = last_idx;;) { + if (skip_first) { + err = 0; +@@ -6732,6 +6776,10 @@ typedef int (*set_callee_state_fn)(struc + struct bpf_func_state *callee, + int insn_idx); + ++static int set_callee_state(struct bpf_verifier_env *env, ++ struct bpf_func_state *caller, ++ struct bpf_func_state *callee, int insn_idx); ++ + static int __check_func_call(struct bpf_verifier_env *env, struct bpf_insn *insn, + int *insn_idx, int subprog, + set_callee_state_fn set_callee_state_cb) +@@ -6782,6 +6830,16 @@ static int __check_func_call(struct bpf_ + } + } + ++ /* set_callee_state is used for direct subprog calls, but we are ++ * interested in validating only BPF helpers that can call subprogs as ++ * callbacks ++ */ ++ if (set_callee_state_cb != set_callee_state && !is_callback_calling_function(insn->imm)) { ++ 
verbose(env, "verifier bug: helper %s#%d is not marked as callback-calling\n", ++ func_id_name(insn->imm), insn->imm); ++ return -EFAULT; ++ } ++ + if (insn->code == (BPF_JMP | BPF_CALL) && + insn->src_reg == 0 && + insn->imm == BPF_FUNC_timer_set_callback) { +@@ -14713,6 +14771,8 @@ static int do_check_common(struct bpf_ve + BPF_MAIN_FUNC /* callsite */, + 0 /* frameno */, + subprog); ++ state->first_insn_idx = env->subprog_info[subprog].start; ++ state->last_insn_idx = -1; + + regs = state->frame[state->curframe]->regs; + if (subprog || env->prog->type == BPF_PROG_TYPE_EXT) { diff --git a/tmp-6.1/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch b/tmp-6.1/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch new file mode 100644 index 00000000000..c3a7b30b4e4 --- /dev/null +++ b/tmp-6.1/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch 
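Review bot: In the new `last_idx < 0` branch of `__mark_chain_precision()`, the statement `reg_mask &= ~(1u << i);` has no effect, because the loop is followed directly by `return 0;` and `reg_mask` is not read again on that path; the body can be reduced to `if (reg->type != SCALAR_VALUE) continue;`. The guard `(reg_mask & ~0x3e) == 0` encodes R1-R5 as a bare constant, so a short comment such as `/* 0x3e: bits 1..5, i.e. R1-R5 */` would make this verifier sanity check easier to audit. Separately, the `-EFAULT` path added to `__check_func_call()` only calls `verbose()`, while the other bug path in this patch also raises `WARN_ONCE()`; it is worth choosing one convention for a "verifier bug" report. Both functions begin and end outside the quoted hunks.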
@@ -0,0 +1,55 @@ +From 0a9f7c72db338d808de8b35708d487940038ce8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 09:49:31 -0700 +Subject: bpf, arm64: Fix BTI type used for freplace attached functions + +From: Alexander Duyck + +[ Upstream commit a3f25d614bc73b45e8f02adc6769876dfd16ca84 ] + +When running an freplace attached bpf program on an arm64 system w were +seeing the following issue: + Unhandled 64-bit el1h sync exception on CPU47, ESR 0x0000000036000003 -- BTI + +After a bit of work to track it down I determined that what appeared to be +happening is that the 'bti c' at the start of the program was somehow being +reached after a 'br' instruction. Further digging pointed me toward the +fact that the function was attached via freplace. This in turn led me to +build_plt which I believe is invoking the long jump which is triggering +this error. + +To resolve it we can replace the 'bti c' with 'bti jc' and add a comment +explaining why this has to be modified as such. + +Fixes: b2ad54e1533e ("bpf, arm64: Implement bpf_arch_text_poke() for arm64") +Signed-off-by: Alexander Duyck +Acked-by: Xu Kuohai +Link: https://lore.kernel.org/r/168926677665.316237.9953845318337455525.stgit@ahduyck-xeon-server.home.arpa +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/arm64/net/bpf_jit_comp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c +index 8f16217c111c8..14134fd34ff79 100644 +--- a/arch/arm64/net/bpf_jit_comp.c ++++ b/arch/arm64/net/bpf_jit_comp.c +@@ -322,7 +322,13 @@ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf) + * + */ + +- emit_bti(A64_BTI_C, ctx); ++ /* bpf function may be invoked by 3 instruction types: ++ * 1. bl, attached via freplace to bpf prog via short jump ++ * 2. br, attached via freplace to bpf prog via long jump ++ * 3. blr, working as a function pointer, used by emit_call. 
++ * So BTI_JC should used here to support both br and blr. ++ */ ++ emit_bti(A64_BTI_JC, ctx); + + emit(A64_MOV(1, A64_R(9), A64_LR), ctx); + emit(A64_NOP, ctx); +-- +2.39.2 + diff --git a/tmp-6.1/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch b/tmp-6.1/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch new file mode 100644 index 00000000000..fce380e970d --- /dev/null +++ b/tmp-6.1/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch 
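Review bot: The comment added above `emit_bti(A64_BTI_JC, ctx);` in `build_prologue()` explains why `br` has to be accepted but not what is given up: a `bti jc` landing pad accepts indirect jumps as well as indirect calls, so the entry of every JITed program becomes a valid target for both. I would record that in the comment, for example by ending it with `* BTI_JC is needed to accept both br and blr; it is a wider landing pad than BTI_C.`, which also repairs the wording of "should used". `build_prologue()` continues outside the hunk.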
@@ -0,0 +1,75 @@ +From 6136de53109de1a3979843917ce4f9c78823e3e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 21:45:28 +0530 +Subject: bpf: Fix subprog idx logic in check_max_stack_depth + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit ba7b3e7d5f9014be65879ede8fd599cb222901c9 ] + +The assignment to idx in check_max_stack_depth happens once we see a +bpf_pseudo_call or bpf_pseudo_func. This is not an issue as the rest of +the code performs a few checks and then pushes the frame to the frame +stack, except the case of async callbacks. If the async callback case +causes the loop iteration to be skipped, the idx assignment will be +incorrect on the next iteration of the loop. The value stored in the +frame stack (as the subprogno of the current subprog) will be incorrect. + +This leads to incorrect checks and incorrect tail_call_reachable +marking. Save the target subprog in a new variable and only assign to +idx once we are done with the is_async_cb check which may skip pushing +of frame to the frame stack and subsequent stack depth checks and tail +call markings. 
+ +Fixes: 7ddc80a476c2 ("bpf: Teach stack depth check about async callbacks.") +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20230717161530.1238-2-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 8c3ededef3172..fdba4086881b3 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -4336,7 +4336,7 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) + continue_func: + subprog_end = subprog[idx + 1].start; + for (; i < subprog_end; i++) { +- int next_insn; ++ int next_insn, sidx; + + if (!bpf_pseudo_call(insn + i) && !bpf_pseudo_func(insn + i)) + continue; +@@ -4346,14 +4346,14 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) + + /* find the callee */ + next_insn = i + insn[i].imm + 1; +- idx = find_subprog(env, next_insn); +- if (idx < 0) { ++ sidx = find_subprog(env, next_insn); ++ if (sidx < 0) { + WARN_ONCE(1, "verifier bug. No program starts at insn %d\n", + next_insn); + return -EFAULT; + } +- if (subprog[idx].is_async_cb) { +- if (subprog[idx].has_tail_call) { ++ if (subprog[sidx].is_async_cb) { ++ if (subprog[sidx].has_tail_call) { + verbose(env, "verifier bug. subprog has tail_call and async cb\n"); + return -EFAULT; + } +@@ -4362,6 +4362,7 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) + continue; + } + i = next_insn; ++ idx = sidx; + + if (subprog[idx].has_tail_call) + tail_call_reachable = true; +-- +2.39.2 + diff --git a/tmp-6.1/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch b/tmp-6.1/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch new file mode 100644 index 00000000000..c1133994d09 --- /dev/null +++ b/tmp-6.1/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch 
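Review bot: The deferred assignment `idx = sidx;` in `check_max_stack_depth()` carries no comment, and the reason it must come after the `is_async_cb` check is recorded only in the commit message. A later edit that moves it back above the `continue` would bring back the wrong `subprogno` in the frame stack and the wrong `tail_call_reachable` marking that this commit fixes, so I would add `/* switch to the callee only now: the async callback case above skips the frame push */` on the line before it. The function body starts and ends outside the hunks.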
@@ -0,0 +1,47 @@ +From cb24f938e033cedcefaf283a9d5f44beb406005c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 May 2023 11:14:18 -0700 +Subject: bpf: Print a warning only if writing to unprivileged_bpf_disabled. + +From: Kui-Feng Lee + +[ Upstream commit fedf99200ab086c42a572fca1d7266b06cdc3e3f ] + +Only print the warning message if you are writing to +"/proc/sys/kernel/unprivileged_bpf_disabled". + +The kernel may print an annoying warning when you read +"/proc/sys/kernel/unprivileged_bpf_disabled" saying + + WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible + via Spectre v2 BHB attacks! + +However, this message is only meaningful when the feature is +disabled or enabled. + +Signed-off-by: Kui-Feng Lee +Signed-off-by: Andrii Nakryiko +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20230502181418.308479-1-kuifeng@meta.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/syscall.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 8633ec4f92df3..0c44a716f0a24 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -5289,7 +5289,8 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write, + *(int *)table->data = unpriv_enable; + } + +- unpriv_ebpf_notify(unpriv_enable); ++ if (write) ++ unpriv_ebpf_notify(unpriv_enable); + + return ret; + } +-- +2.39.2 + diff --git a/tmp-6.1/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch b/tmp-6.1/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch new file mode 100644 index 00000000000..80144d50777 --- /dev/null +++ b/tmp-6.1/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch 
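Review bot: The new guard `if (write)` in `bpf_unpriv_handler()` does not look at `ret`, so `unpriv_ebpf_notify()` may still run for a write that was attempted but not applied. The block that stores `unpriv_enable` into `table->data` closes just above and its condition is outside the hunk, so this is inferred; if that block is the successful-write path, `if (write && !ret)` would tie the Spectre v2 warning to an actual change of the setting. The rest of the function is not visible here.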
@@ -0,0 +1,102 @@ +From 765e8a472e267495e5ef26af7754684c76f6627f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 21:45:29 +0530 +Subject: bpf: Repeat check_max_stack_depth for async callbacks + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit b5e9ad522c4ccd32d322877515cff8d47ed731b9 ] + +While the check_max_stack_depth function explores call chains emanating +from the main prog, which is typically enough to cover all possible call +chains, it doesn't explore those rooted at async callbacks unless the +async callback will have been directly called, since unlike non-async +callbacks it skips their instruction exploration as they don't +contribute to stack depth. + +It could be the case that the async callback leads to a callchain which +exceeds the stack depth, but this is never reachable while only +exploring the entry point from main subprog. Hence, repeat the check for +the main subprog *and* all async callbacks marked by the symbolic +execution pass of the verifier, as execution of the program may begin at +any of them. + +Consider functions with following stack depths: +main: 256 +async: 256 +foo: 256 + +main: + rX = async + bpf_timer_set_callback(...) + +async: + foo() + +Here, async is not descended as it does not contribute to stack depth of +main (since it is referenced using bpf_pseudo_func and not +bpf_pseudo_call). However, when async is invoked asynchronously, it will +end up breaching the MAX_BPF_STACK limit by calling foo. + +Hence, in addition to main, we also need to explore call chains +beginning at all async callback subprogs in a program. 
+ +Fixes: 7ddc80a476c2 ("bpf: Teach stack depth check about async callbacks.") +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20230717161530.1238-3-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index fdba4086881b3..f25ce959fae64 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -4288,16 +4288,17 @@ static int update_stack_depth(struct bpf_verifier_env *env, + * Since recursion is prevented by check_cfg() this algorithm + * only needs a local stack of MAX_CALL_FRAMES to remember callsites + */ +-static int check_max_stack_depth(struct bpf_verifier_env *env) ++static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx) + { +- int depth = 0, frame = 0, idx = 0, i = 0, subprog_end; + struct bpf_subprog_info *subprog = env->subprog_info; + struct bpf_insn *insn = env->prog->insnsi; ++ int depth = 0, frame = 0, i, subprog_end; + bool tail_call_reachable = false; + int ret_insn[MAX_CALL_FRAMES]; + int ret_prog[MAX_CALL_FRAMES]; + int j; + ++ i = subprog[idx].start; + process_func: + /* protect against potential stack overflow that might happen when + * bpf2bpf calls get combined with tailcalls. 
Limit the caller's stack +@@ -4398,6 +4399,22 @@ static int check_max_stack_depth(struct bpf_verifier_env *env) + goto continue_func; + } + ++static int check_max_stack_depth(struct bpf_verifier_env *env) ++{ ++ struct bpf_subprog_info *si = env->subprog_info; ++ int ret; ++ ++ for (int i = 0; i < env->subprog_cnt; i++) { ++ if (!i || si[i].is_async_cb) { ++ ret = check_max_stack_depth_subprog(env, i); ++ if (ret < 0) ++ return ret; ++ } ++ continue; ++ } ++ return 0; ++} ++ + #ifndef CONFIG_BPF_JIT_ALWAYS_ON + static int get_callee_stack_depth(struct bpf_verifier_env *env, + const struct bpf_insn *insn, int idx) +-- +2.39.2 + diff --git a/tmp-6.1/bpf-stop-setting-precise-in-current-state.patch b/tmp-6.1/bpf-stop-setting-precise-in-current-state.patch new file mode 100644 index 00000000000..0ca70ac779b --- /dev/null +++ b/tmp-6.1/bpf-stop-setting-precise-in-current-state.patch 
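Review bot: The trailing `continue;` in the loop of the new `check_max_stack_depth()` is a no-op and can be removed. The condition `!i || si[i].is_async_cb` would also benefit from a comment stating the intent, e.g. `/* roots: the main prog (subprog 0) and every async callback */`, because this is the line that decides which call chains get a stack-depth check at all. The block comment that used to describe `check_max_stack_depth()` now sits above `check_max_stack_depth_subprog()`, whose body continues outside the hunk.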
@@ -0,0 +1,234 @@ +From stable-owner@vger.kernel.org Mon Jul 24 14:42:43 2023 +From: Eduard Zingerman +Date: Mon, 24 Jul 2023 15:42:19 +0300 +Subject: bpf: stop setting precise in current state +To: stable@vger.kernel.org, ast@kernel.org +Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, yhs@fb.com, mykolal@fb.com, luizcap@amazon.com, Eduard Zingerman +Message-ID: <20230724124223.1176479-3-eddyz87@gmail.com> + +From: Andrii Nakryiko + +[ Upstream commit f63181b6ae79fd3b034cde641db774268c2c3acf ] + +Setting reg->precise to true in current state is not necessary from +correctness standpoint, but it does pessimise the whole precision (or +rather "imprecision", because that's what we want to keep as much as +possible) tracking. Why is somewhat subtle and my best attempt to +explain this is recorded in an extensive comment for __mark_chain_precise() +function. Some more careful thinking and code reading is probably required +still to grok this completely, unfortunately. Whiteboarding and a bunch +of extra handwaiving in person would be even more helpful, but is deemed +impractical in Git commit. + +Next patch pushes this imprecision property even further, building on top of +the insights described in this patch. + +End results are pretty nice, we get reduction in number of total instructions +and states verified due to a better states reuse, as some of the states are now +more generic and permissive due to less unnecessary precise=true requirements. 
+ +SELFTESTS RESULTS +================= + +$ ./veristat -C -e file,prog,insns,states ~/subprog-precise-results.csv ~/imprecise-early-results.csv | grep -v '+0' +File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF) +--------------------------------------- ---------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- +bpf_iter_ksym.bpf.linked1.o dump_ksym 347 285 -62 (-17.87%) 20 19 -1 (-5.00%) +pyperf600_bpf_loop.bpf.linked1.o on_event 3678 3736 +58 (+1.58%) 276 285 +9 (+3.26%) +setget_sockopt.bpf.linked1.o skops_sockopt 4038 3947 -91 (-2.25%) 347 343 -4 (-1.15%) +test_l4lb.bpf.linked1.o balancer_ingress 4559 2611 -1948 (-42.73%) 118 105 -13 (-11.02%) +test_l4lb_noinline.bpf.linked1.o balancer_ingress 6279 6268 -11 (-0.18%) 237 236 -1 (-0.42%) +test_misc_tcp_hdr_options.bpf.linked1.o misc_estab 1307 1303 -4 (-0.31%) 100 99 -1 (-1.00%) +test_sk_lookup.bpf.linked1.o ctx_narrow_access 456 447 -9 (-1.97%) 39 38 -1 (-2.56%) +test_sysctl_loop1.bpf.linked1.o sysctl_tcp_mem 1389 1384 -5 (-0.36%) 26 25 -1 (-3.85%) +test_tc_dtime.bpf.linked1.o egress_fwdns_prio101 518 485 -33 (-6.37%) 51 46 -5 (-9.80%) +test_tc_dtime.bpf.linked1.o egress_host 519 468 -51 (-9.83%) 50 44 -6 (-12.00%) +test_tc_dtime.bpf.linked1.o ingress_fwdns_prio101 842 1000 +158 (+18.76%) 73 88 +15 (+20.55%) +xdp_synproxy_kern.bpf.linked1.o syncookie_tc 405757 373173 -32584 (-8.03%) 25735 22882 -2853 (-11.09%) +xdp_synproxy_kern.bpf.linked1.o syncookie_xdp 479055 371590 -107465 (-22.43%) 29145 22207 -6938 (-23.81%) +--------------------------------------- ---------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- + +Slight regression in test_tc_dtime.bpf.linked1.o/ingress_fwdns_prio101 +is left for a follow up, there might be some more precision-related bugs +in existing BPF verifier logic. 
+ +CILIUM RESULTS +============== + +$ ./veristat -C -e file,prog,insns,states ~/subprog-precise-results-cilium.csv ~/imprecise-early-results-cilium.csv | grep -v '+0' +File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF) +------------- ------------------------------ --------------- --------------- ------------------ ---------------- ---------------- ------------------- +bpf_host.o cil_from_host 762 556 -206 (-27.03%) 43 37 -6 (-13.95%) +bpf_host.o tail_handle_nat_fwd_ipv4 23541 23426 -115 (-0.49%) 1538 1537 -1 (-0.07%) +bpf_host.o tail_nodeport_nat_egress_ipv4 33592 33566 -26 (-0.08%) 2163 2161 -2 (-0.09%) +bpf_lxc.o tail_handle_nat_fwd_ipv4 23541 23426 -115 (-0.49%) 1538 1537 -1 (-0.07%) +bpf_overlay.o tail_nodeport_nat_egress_ipv4 33581 33543 -38 (-0.11%) 2160 2157 -3 (-0.14%) +bpf_xdp.o tail_handle_nat_fwd_ipv4 21659 20920 -739 (-3.41%) 1440 1376 -64 (-4.44%) +bpf_xdp.o tail_handle_nat_fwd_ipv6 17084 17039 -45 (-0.26%) 907 905 -2 (-0.22%) +bpf_xdp.o tail_lb_ipv4 73442 73430 -12 (-0.02%) 4370 4369 -1 (-0.02%) +bpf_xdp.o tail_lb_ipv6 152114 151895 -219 (-0.14%) 6493 6479 -14 (-0.22%) +bpf_xdp.o tail_nodeport_nat_egress_ipv4 17377 17200 -177 (-1.02%) 1125 1111 -14 (-1.24%) +bpf_xdp.o tail_nodeport_nat_ingress_ipv6 6405 6397 -8 (-0.12%) 309 308 -1 (-0.32%) +bpf_xdp.o tail_rev_nodeport_lb4 7126 6934 -192 (-2.69%) 414 402 -12 (-2.90%) +bpf_xdp.o tail_rev_nodeport_lb6 18059 17905 -154 (-0.85%) 1105 1096 -9 (-0.81%) +------------- ------------------------------ --------------- --------------- ------------------ ---------------- ---------------- ------------------- + +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20221104163649.121784-5-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Eduard Zingerman +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 103 ++++++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 91 insertions(+), 12 
deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2788,8 +2788,11 @@ static void mark_all_scalars_precise(str + + /* big hammer: mark all scalars precise in this path. + * pop_stack may still get !precise scalars. ++ * We also skip current state and go straight to first parent state, ++ * because precision markings in current non-checkpointed state are ++ * not needed. See why in the comment in __mark_chain_precision below. + */ +- for (; st; st = st->parent) ++ for (st = st->parent; st; st = st->parent) { + for (i = 0; i <= st->curframe; i++) { + func = st->frame[i]; + for (j = 0; j < BPF_REG_FP; j++) { +@@ -2807,8 +2810,88 @@ static void mark_all_scalars_precise(str + reg->precise = true; + } + } ++ } + } + ++/* ++ * __mark_chain_precision() backtracks BPF program instruction sequence and ++ * chain of verifier states making sure that register *regno* (if regno >= 0) ++ * and/or stack slot *spi* (if spi >= 0) are marked as precisely tracked ++ * SCALARS, as well as any other registers and slots that contribute to ++ * a tracked state of given registers/stack slots, depending on specific BPF ++ * assembly instructions (see backtrack_insns() for exact instruction handling ++ * logic). This backtracking relies on recorded jmp_history and is able to ++ * traverse entire chain of parent states. This process ends only when all the ++ * necessary registers/slots and their transitive dependencies are marked as ++ * precise. ++ * ++ * One important and subtle aspect is that precise marks *do not matter* in ++ * the currently verified state (current state). It is important to understand ++ * why this is the case. ++ * ++ * First, note that current state is the state that is not yet "checkpointed", ++ * i.e., it is not yet put into env->explored_states, and it has no children ++ * states as well. 
It's ephemeral, and can end up either a) being discarded if ++ * compatible explored state is found at some point or BPF_EXIT instruction is ++ * reached or b) checkpointed and put into env->explored_states, branching out ++ * into one or more children states. ++ * ++ * In the former case, precise markings in current state are completely ++ * ignored by state comparison code (see regsafe() for details). Only ++ * checkpointed ("old") state precise markings are important, and if old ++ * state's register/slot is precise, regsafe() assumes current state's ++ * register/slot as precise and checks value ranges exactly and precisely. If ++ * states turn out to be compatible, current state's necessary precise ++ * markings and any required parent states' precise markings are enforced ++ * after the fact with propagate_precision() logic, after the fact. But it's ++ * important to realize that in this case, even after marking current state ++ * registers/slots as precise, we immediately discard current state. So what ++ * actually matters is any of the precise markings propagated into current ++ * state's parent states, which are always checkpointed (due to b) case above). ++ * As such, for scenario a) it doesn't matter if current state has precise ++ * markings set or not. ++ * ++ * Now, for the scenario b), checkpointing and forking into child(ren) ++ * state(s). Note that before current state gets to checkpointing step, any ++ * processed instruction always assumes precise SCALAR register/slot ++ * knowledge: if precise value or range is useful to prune jump branch, BPF ++ * verifier takes this opportunity enthusiastically. Similarly, when ++ * register's value is used to calculate offset or memory address, exact ++ * knowledge of SCALAR range is assumed, checked, and enforced. 
So, similar to ++ * what we mentioned above about state comparison ignoring precise markings ++ * during state comparison, BPF verifier ignores and also assumes precise ++ * markings *at will* during instruction verification process. But as verifier ++ * assumes precision, it also propagates any precision dependencies across ++ * parent states, which are not yet finalized, so can be further restricted ++ * based on new knowledge gained from restrictions enforced by their children ++ * states. This is so that once those parent states are finalized, i.e., when ++ * they have no more active children state, state comparison logic in ++ * is_state_visited() would enforce strict and precise SCALAR ranges, if ++ * required for correctness. ++ * ++ * To build a bit more intuition, note also that once a state is checkpointed, ++ * the path we took to get to that state is not important. This is crucial ++ * property for state pruning. When state is checkpointed and finalized at ++ * some instruction index, it can be correctly and safely used to "short ++ * circuit" any *compatible* state that reaches exactly the same instruction ++ * index. I.e., if we jumped to that instruction from a completely different ++ * code path than original finalized state was derived from, it doesn't ++ * matter, current state can be discarded because from that instruction ++ * forward having a compatible state will ensure we will safely reach the ++ * exit. States describe preconditions for further exploration, but completely ++ * forget the history of how we got here. ++ * ++ * This also means that even if we needed precise SCALAR range to get to ++ * finalized state, but from that point forward *that same* SCALAR register is ++ * never used in a precise context (i.e., it's precise value is not needed for ++ * correctness), it's correct and safe to mark such register as "imprecise" ++ * (i.e., precise marking set to false). 
This is what we rely on when we do ++ * not set precise marking in current state. If no child state requires ++ * precision for any given SCALAR register, it's safe to dictate that it can ++ * be imprecise. If any child state does require this register to be precise, ++ * we'll mark it precise later retroactively during precise markings ++ * propagation from child state to parent states. ++ */ + static int __mark_chain_precision(struct bpf_verifier_env *env, int frame, int regno, + int spi) + { +@@ -2826,6 +2909,10 @@ static int __mark_chain_precision(struct + if (!env->bpf_capable) + return 0; + ++ /* Do sanity checks against current state of register and/or stack ++ * slot, but don't set precise flag in current state, as precision ++ * tracking in the current state is unnecessary. ++ */ + func = st->frame[frame]; + if (regno >= 0) { + reg = &func->regs[regno]; +@@ -2833,11 +2920,7 @@ static int __mark_chain_precision(struct + WARN_ONCE(1, "backtracing misuse"); + return -EFAULT; + } +- if (!reg->precise) +- new_marks = true; +- else +- reg_mask = 0; +- reg->precise = true; ++ new_marks = true; + } + + while (spi >= 0) { +@@ -2850,11 +2933,7 @@ static int __mark_chain_precision(struct + stack_mask = 0; + break; + } +- if (!reg->precise) +- new_marks = true; +- else +- stack_mask = 0; +- reg->precise = true; ++ new_marks = true; + break; + } + +@@ -11668,7 +11747,7 @@ static bool regsafe(struct bpf_verifier_ + if (env->explore_alu_limits) + return false; + if (rcur->type == SCALAR_VALUE) { +- if (!rold->precise && !rcur->precise) ++ if (!rold->precise) + return true; + /* new val must satisfy old val knowledge */ + return range_within(rold, rcur) && diff --git a/tmp-6.1/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch b/tmp-6.1/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch new file mode 100644 index 00000000000..2d88a8a5300 --- /dev/null +++ b/tmp-6.1/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch 
@@ -0,0 +1,152 @@ +From 76b79c254cf2d798a26a7e99c73226b2df0ff1bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 22:51:49 +0000 +Subject: bpf: tcp: Avoid taking fast sock lock in iterator + +From: Aditi Ghag + +[ Upstream commit 9378096e8a656fb5c4099b26b1370c56f056eab9 ] + +This is a preparatory commit to replace `lock_sock_fast` with +`lock_sock`,and facilitate BPF programs executed from the TCP sockets +iterator to be able to destroy TCP sockets using the bpf_sock_destroy +kfunc (implemented in follow-up commits). + +Previously, BPF TCP iterator was acquiring the sock lock with BH +disabled. This led to scenarios where the sockets hash table bucket lock +can be acquired with BH enabled in some path versus disabled in other. +In such situation, kernel issued a warning since it thinks that in the +BH enabled path the same bucket lock *might* be acquired again in the +softirq context (BH disabled), which will lead to a potential dead lock. +Since bpf_sock_destroy also happens in a process context, the potential +deadlock warning is likely a false alarm. 
+ +Here is a snippet of annotated stack trace that motivated this change: + +``` + +Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&h->lhash2[i].lock); + local_bh_disable(); + lock(&h->lhash2[i].lock); +kernel imagined possible scenario: + local_bh_disable(); /* Possible softirq */ + lock(&h->lhash2[i].lock); +*** Potential Deadlock *** + +process context: + +lock_acquire+0xcd/0x330 +_raw_spin_lock+0x33/0x40 +------> Acquire (bucket) lhash2.lock with BH enabled +__inet_hash+0x4b/0x210 +inet_csk_listen_start+0xe6/0x100 +inet_listen+0x95/0x1d0 +__sys_listen+0x69/0xb0 +__x64_sys_listen+0x14/0x20 +do_syscall_64+0x3c/0x90 +entry_SYSCALL_64_after_hwframe+0x72/0xdc + +bpf_sock_destroy run from iterator: + +lock_acquire+0xcd/0x330 +_raw_spin_lock+0x33/0x40 +------> Acquire (bucket) lhash2.lock with BH disabled +inet_unhash+0x9a/0x110 +tcp_set_state+0x6a/0x210 +tcp_abort+0x10d/0x200 +bpf_prog_6793c5ca50c43c0d_iter_tcp6_server+0xa4/0xa9 +bpf_iter_run_prog+0x1ff/0x340 +------> lock_sock_fast that acquires sock lock with BH disabled +bpf_iter_tcp_seq_show+0xca/0x190 +bpf_seq_read+0x177/0x450 + +``` + +Also, Yonghong reported a deadlock for non-listening TCP sockets that +this change resolves. Previously, `lock_sock_fast` held the sock spin +lock with BH which was again being acquired in `tcp_abort`: + +``` +watchdog: BUG: soft lockup - CPU#0 stuck for 86s! [test_progs:2331] +RIP: 0010:queued_spin_lock_slowpath+0xd8/0x500 +Call Trace: + + _raw_spin_lock+0x84/0x90 + tcp_abort+0x13c/0x1f0 + bpf_prog_88539c5453a9dd47_iter_tcp6_client+0x82/0x89 + bpf_iter_run_prog+0x1aa/0x2c0 + ? preempt_count_sub+0x1c/0xd0 + ? from_kuid_munged+0x1c8/0x210 + bpf_iter_tcp_seq_show+0x14e/0x1b0 + bpf_seq_read+0x36c/0x6a0 + +bpf_iter_tcp_seq_show + lock_sock_fast + __lock_sock_fast + spin_lock_bh(&sk->sk_lock.slock); + /* * Fast path return with bottom halves disabled and * sock::sk_lock.slock held.* */ + + ... 
+ tcp_abort + local_bh_disable(); + spin_lock(&((sk)->sk_lock.slock)); // from bh_lock_sock(sk) + +``` + +With the switch to `lock_sock`, it calls `spin_unlock_bh` before returning: + +``` +lock_sock + lock_sock_nested + spin_lock_bh(&sk->sk_lock.slock); + : + spin_unlock_bh(&sk->sk_lock.slock); +``` + +Acked-by: Yonghong Song +Acked-by: Stanislav Fomichev +Signed-off-by: Aditi Ghag +Link: https://lore.kernel.org/r/20230519225157.760788-2-aditi.ghag@isovalent.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index b37c1bcb15097..a7de5ba74e7f7 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -2911,7 +2911,6 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v) + struct bpf_iter_meta meta; + struct bpf_prog *prog; + struct sock *sk = v; +- bool slow; + uid_t uid; + int ret; + +@@ -2919,7 +2918,7 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v) + return 0; + + if (sk_fullsock(sk)) +- slow = lock_sock_fast(sk); ++ lock_sock(sk); + + if (unlikely(sk_unhashed(sk))) { + ret = SEQ_SKIP; +@@ -2943,7 +2942,7 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v) + + unlock: + if (sk_fullsock(sk)) +- unlock_sock_fast(sk, slow); ++ release_sock(sk); + return ret; + + } +-- +2.39.2 + diff --git a/tmp-6.1/bridge-add-extack-warning-when-enabling-stp-in-netns.patch b/tmp-6.1/bridge-add-extack-warning-when-enabling-stp-in-netns.patch new file mode 100644 index 00000000000..b6461aa64a5 --- /dev/null +++ b/tmp-6.1/bridge-add-extack-warning-when-enabling-stp-in-netns.patch 
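Review bot: The new `lock_sock(sk)` call in bpf_iter_tcp_seq_show() has no comment saying why the fast variant must not be used, so a later cleanup could switch it back. The commit message gives the reason: a program run from the iterator can reach tcp_abort(), which takes `sk_lock.slock` itself while `lock_sock_fast` would still be holding it. I would add above the call `/* lock_sock(), not lock_sock_fast(): the iterator prog may reach tcp_abort(), which takes sk_lock.slock */`. The function body continues outside the hunks shown.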
@@ -0,0 +1,71 @@ +From 5841124edbf8b166987956c008ec9eafe491d36b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 08:44:49 -0700 +Subject: bridge: Add extack warning when enabling STP in netns. + +From: Kuniyuki Iwashima + +[ Upstream commit 56a16035bb6effb37177867cea94c13a8382f745 ] + +When we create an L2 loop on a bridge in netns, we will see packets storm +even if STP is enabled. + + # unshare -n + # ip link add br0 type bridge + # ip link add veth0 type veth peer name veth1 + # ip link set veth0 master br0 up + # ip link set veth1 master br0 up + # ip link set br0 type bridge stp_state 1 + # ip link set br0 up + # sleep 30 + # ip -s link show br0 + 2: br0: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000 + link/ether b6:61:98:1c:1c:b5 brd ff:ff:ff:ff:ff:ff + RX: bytes packets errors dropped missed mcast + 956553768 12861249 0 0 0 12861249 <-. Keep + TX: bytes packets errors dropped carrier collsns | increasing + 1027834 11951 0 0 0 0 <-' rapidly + +This is because llc_rcv() drops all packets in non-root netns and BPDU +is dropped. + +Let's add extack warning when enabling STP in netns. + + # unshare -n + # ip link add br0 type bridge + # ip link set br0 type bridge stp_state 1 + Warning: bridge: STP does not work in non-root netns. + +Note this commit will be reverted later when we namespacify the whole LLC +infra. + +Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe") +Suggested-by: Harry Coin +Link: https://lore.kernel.org/netdev/0f531295-e289-022d-5add-5ceffa0df9bc@quietfountain.com/ +Suggested-by: Ido Schimmel +Signed-off-by: Kuniyuki Iwashima +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_stp_if.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c +index 75204d36d7f90..b65962682771f 100644 +--- a/net/bridge/br_stp_if.c ++++ b/net/bridge/br_stp_if.c +@@ -201,6 +201,9 @@ int br_stp_set_enabled(struct net_bridge *br, unsigned long val, + { + ASSERT_RTNL(); + ++ if (!net_eq(dev_net(br->dev), &init_net)) ++ NL_SET_ERR_MSG_MOD(extack, "STP does not work in non-root netns"); ++ + if (br_mrp_enabled(br)) { + NL_SET_ERR_MSG_MOD(extack, + "STP can't be enabled if MRP is already enabled"); +-- +2.39.2 + diff --git a/tmp-6.1/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch b/tmp-6.1/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch new file mode 100644 index 00000000000..893e406609d --- /dev/null +++ b/tmp-6.1/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch 
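Review bot: The added netns check in br_stp_set_enabled() runs before anything looks at `val`, so as far as this hunk shows the "STP does not work in non-root netns" message is also attached when STP is being switched off. Gating it as `if (val && !net_eq(dev_net(br->dev), &init_net))` would limit it to the enable case; that `val` is nonzero only when enabling is inferred from the `stp_state 1` example and should be confirmed against the rest of the function, which is outside the hunk. The check only warns and the request still proceeds, so an L2 loop on such a bridge still produces the packet storm shown in the commit message. A one-line comment would make that explicit, e.g. `/* advisory only: BPDUs are dropped by llc_rcv() outside init_net */`.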
@@ -0,0 +1,50 @@ +From 34038040cc781e64ecfa341e776b1d3ca1839d8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jun 2023 08:13:23 +0200 +Subject: btrfs: be a bit more careful when setting mirror_num_ret in + btrfs_map_block + +From: Christoph Hellwig + +[ Upstream commit 4e7de35eb7d1a1d4f2dda15f39fbedd4798a0b8d ] + +The mirror_num_ret is allowed to be NULL, although it has to be set when +smap is set. Unfortunately that is not a well enough specifiable +invariant for static type checkers, so add a NULL check to make sure they +are fine. + +Fixes: 03793cbbc80f ("btrfs: add fast path for single device io in __btrfs_map_block") +Reported-by: Dan Carpenter +Reviewed-by: Qu Wenruo +Reviewed-by: Johannes Thumshirn +Signed-off-by: Christoph Hellwig +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 7433ae929fdcb..2e0832d70406c 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -6595,11 +6595,13 @@ static int __btrfs_map_block(struct btrfs_fs_info *fs_info, + if (patch_the_first_stripe_for_dev_replace) { + smap->dev = dev_replace->tgtdev; + smap->physical = physical_to_patch_in_first_stripe; +- *mirror_num_ret = map->num_stripes + 1; ++ if (mirror_num_ret) ++ *mirror_num_ret = map->num_stripes + 1; + } else { + set_io_stripe(smap, map, stripe_index, stripe_offset, + stripe_nr); +- *mirror_num_ret = mirror_num; ++ if (mirror_num_ret) ++ *mirror_num_ret = mirror_num; + } + *bioc_ret = NULL; + ret = 0; +-- +2.39.2 + diff --git a/tmp-6.1/btrfs-fix-race-between-balance-and-cancel-pause.patch b/tmp-6.1/btrfs-fix-race-between-balance-and-cancel-pause.patch new file mode 100644 index 00000000000..3ed2af4c02b --- /dev/null +++ b/tmp-6.1/btrfs-fix-race-between-balance-and-cancel-pause.patch 
@@ -0,0 +1,96 @@ +From b19c98f237cd76981aaded52c258ce93f7daa8cb Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Fri, 23 Jun 2023 01:05:41 -0400 +Subject: btrfs: fix race between balance and cancel/pause + +From: Josef Bacik + +commit b19c98f237cd76981aaded52c258ce93f7daa8cb upstream. + +Syzbot reported a panic that looks like this: + + assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465 + ------------[ cut here ]------------ + kernel BUG at fs/btrfs/messages.c:259! + RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259 + Call Trace: + + btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline] + btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline] + btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The reproducer is running a balance and a cancel or pause in parallel. +The way balance finishes is a bit wonky, if we were paused we need to +save the balance_ctl in the fs_info, but clear it otherwise and cleanup. +However we rely on the return values being specific errors, or having a +cancel request or no pause request. If balance completes and returns 0, +but we have a pause or cancel request we won't do the appropriate +cleanup, and then the next time we try to start a balance we'll trip +this ASSERT. + +The error handling is just wrong here, we always want to clean up, +unless we got -ECANCELLED and we set the appropriate pause flag in the +exclusive op. With this patch the reproducer ran for an hour without +tripping, previously it would trip in less than a few minutes. 
+ +Reported-by: syzbot+c0f3acf145cb465426d5@syzkaller.appspotmail.com +CC: stable@vger.kernel.org # 6.1+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -4092,14 +4092,6 @@ static int alloc_profile_is_valid(u64 fl + return has_single_bit_set(flags); + } + +-static inline int balance_need_close(struct btrfs_fs_info *fs_info) +-{ +- /* cancel requested || normal exit path */ +- return atomic_read(&fs_info->balance_cancel_req) || +- (atomic_read(&fs_info->balance_pause_req) == 0 && +- atomic_read(&fs_info->balance_cancel_req) == 0); +-} +- + /* + * Validate target profile against allowed profiles and return true if it's OK. + * Otherwise print the error message and return false. +@@ -4289,6 +4281,7 @@ int btrfs_balance(struct btrfs_fs_info * + u64 num_devices; + unsigned seq; + bool reducing_redundancy; ++ bool paused = false; + int i; + + if (btrfs_fs_closing(fs_info) || +@@ -4419,6 +4412,7 @@ int btrfs_balance(struct btrfs_fs_info * + if (ret == -ECANCELED && atomic_read(&fs_info->balance_pause_req)) { + btrfs_info(fs_info, "balance: paused"); + btrfs_exclop_balance(fs_info, BTRFS_EXCLOP_BALANCE_PAUSED); ++ paused = true; + } + /* + * Balance can be canceled by: +@@ -4447,8 +4441,8 @@ int btrfs_balance(struct btrfs_fs_info * + btrfs_update_ioctl_balance_args(fs_info, bargs); + } + +- if ((ret && ret != -ECANCELED && ret != -ENOSPC) || +- balance_need_close(fs_info)) { ++ /* We didn't pause, we can clean everything up. */ ++ if (!paused) { + reset_balance_state(fs_info); + btrfs_exclop_finish(fs_info); + } 
diff --git a/tmp-6.1/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch b/tmp-6.1/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch
new file mode 100644
index 00000000000..e7d032f0c09
--- /dev/null
+++ b/tmp-6.1/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch
@@ -0,0 +1,89 @@ +From aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 14 Jul 2023 13:42:06 +0100 +Subject: btrfs: fix warning when putting transaction with qgroups enabled after abort + +From: Filipe Manana + +commit aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 upstream. + +If we have a transaction abort with qgroups enabled we get a warning +triggered when doing the final put on the transaction, like this: + + [552.6789] ------------[ cut here ]------------ + [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6817] Modules linked in: btrfs blake2b_generic xor (...) + [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 + [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 + [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6821] Code: bd a0 01 00 (...) + [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286 + [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000 + [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010 + [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20 + [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70 + [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028 + [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000 + [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0 + [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [552.6822] Call Trace: + [552.6822] + [552.6822] ? __warn+0x80/0x130 + [552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6824] ? 
report_bug+0x1f4/0x200 + [552.6824] ? handle_bug+0x42/0x70 + [552.6824] ? exc_invalid_op+0x14/0x70 + [552.6824] ? asm_exc_invalid_op+0x16/0x20 + [552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs] + [552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40 + [552.6828] ? try_to_wake_up+0x94/0x5e0 + [552.6828] ? __pfx_process_timeout+0x10/0x10 + [552.6828] transaction_kthread+0x103/0x1d0 [btrfs] + [552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs] + [552.6832] kthread+0xee/0x120 + [552.6832] ? __pfx_kthread+0x10/0x10 + [552.6832] ret_from_fork+0x29/0x50 + [552.6832] + [552.6832] ---[ end trace 0000000000000000 ]--- + +This corresponds to this line of code: + + void btrfs_put_transaction(struct btrfs_transaction *transaction) + { + (...) + WARN_ON(!RB_EMPTY_ROOT( + &transaction->delayed_refs.dirty_extent_root)); + (...) + } + +The warning happens because btrfs_qgroup_destroy_extent_records(), called +in the transaction abort path, we free all entries from the rbtree +"dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we +don't actually empty the rbtree - it's still pointing to nodes that were +freed. + +So set the rbtree's root node to NULL to avoid this warning (assign +RB_ROOT). + +Fixes: 81f7eb00ff5b ("btrfs: destroy qgroup extent records on transaction abort") +CC: stable@vger.kernel.org # 5.10+ +Reviewed-by: Josef Bacik +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -4410,4 +4410,5 @@ void btrfs_qgroup_destroy_extent_records + ulist_free(entry->old_roots); + kfree(entry); + } ++ *root = RB_ROOT; + } 
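Review bot: The added `*root = RB_ROOT;` at the end of btrfs_qgroup_destroy_extent_records() has no comment, and without one it reads as a redundant reset. The commit message explains that the loop frees every entry without emptying the tree, so until this assignment the root still points at freed nodes. I would add `/* entries above were freed without being erased; reset the root so it does not point at freed nodes */` above the assignment. The start of the function is outside the hunk.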
diff --git a/tmp-6.1/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch b/tmp-6.1/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch
new file mode 100644
index 00000000000..73ba6f451c7
--- /dev/null
+++ b/tmp-6.1/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch
@@ -0,0 +1,98 @@ +From 17b17fcd6d446b95904a6929c40012ee7f0afc0c Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Wed, 12 Jul 2023 12:44:12 -0400 +Subject: btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand + +From: Josef Bacik + +commit 17b17fcd6d446b95904a6929c40012ee7f0afc0c upstream. + +While trying to get the subpage blocksize tests running, I hit the +following panic on generic/476 + + assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229 + kernel BUG at fs/btrfs/subpage.c:229! + Internal error: Oops - BUG: 00000000f2000800 [#1] SMP + CPU: 1 PID: 1453 Comm: fsstress Not tainted 6.4.0-rc7+ #12 + Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20230301gitf80f052277c8-26.fc38 03/01/2023 + pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) + pc : btrfs_subpage_assert+0xbc/0xf0 + lr : btrfs_subpage_assert+0xbc/0xf0 + Call trace: + btrfs_subpage_assert+0xbc/0xf0 + btrfs_subpage_clear_checked+0x38/0xc0 + btrfs_page_clear_checked+0x48/0x98 + btrfs_truncate_block+0x5d0/0x6a8 + btrfs_cont_expand+0x5c/0x528 + btrfs_write_check.isra.0+0xf8/0x150 + btrfs_buffered_write+0xb4/0x760 + btrfs_do_write_iter+0x2f8/0x4b0 + btrfs_file_write_iter+0x1c/0x30 + do_iter_readv_writev+0xc8/0x158 + do_iter_write+0x9c/0x210 + vfs_iter_write+0x24/0x40 + iter_file_splice_write+0x224/0x390 + direct_splice_actor+0x38/0x68 + splice_direct_to_actor+0x12c/0x260 + do_splice_direct+0x90/0xe8 + generic_copy_file_range+0x50/0x90 + vfs_copy_file_range+0x29c/0x470 + __arm64_sys_copy_file_range+0xcc/0x498 + invoke_syscall.constprop.0+0x80/0xd8 + do_el0_svc+0x6c/0x168 + el0_svc+0x50/0x1b0 + el0t_64_sync_handler+0x114/0x120 + el0t_64_sync+0x194/0x198 + +This happens because during btrfs_cont_expand we'll get a page, set it +as mapped, and if it's not Uptodate we'll read it. However between the +read and re-locking the page we could have called release_folio() on the +page, but left the page in the file mapping. 
release_folio() can clear +the page private, and thus further down we blow up when we go to modify +the subpage bits. + +Fix this by putting the set_page_extent_mapped() after the read. This +is safe because read_folio() will call set_page_extent_mapped() before +it does the read, and then if we clear page private but leave it on the +mapping we're completely safe re-setting set_page_extent_mapped(). With +this patch I can now run generic/476 without panicing. + +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Christoph Hellwig +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -4913,9 +4913,6 @@ again: + ret = -ENOMEM; + goto out; + } +- ret = set_page_extent_mapped(page); +- if (ret < 0) +- goto out_unlock; + + if (!PageUptodate(page)) { + ret = btrfs_read_folio(NULL, page_folio(page)); +@@ -4930,6 +4927,17 @@ again: + goto out_unlock; + } + } ++ ++ /* ++ * We unlock the page after the io is completed and then re-lock it ++ * above. release_folio() could have come in between that and cleared ++ * PagePrivate(), but left the page in the mapping. Set the page mapped ++ * here to make sure it's properly set for the subpage stuff. ++ */ ++ ret = set_page_extent_mapped(page); ++ if (ret < 0) ++ goto out_unlock; ++ + wait_on_page_writeback(page); + + lock_extent(io_tree, block_start, block_end, &cached_state); diff --git a/tmp-6.1/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch b/tmp-6.1/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch new file mode 100644 index 00000000000..e720c66d9df --- /dev/null +++ b/tmp-6.1/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch 
@@ -0,0 +1,38 @@ +From f1a07c2b4e2c473ec322b8b9ece071b8c88a3512 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 3 Jul 2023 12:03:21 +0100 +Subject: btrfs: zoned: fix memory leak after finding block group with super blocks + +From: Filipe Manana + +commit f1a07c2b4e2c473ec322b8b9ece071b8c88a3512 upstream. + +At exclude_super_stripes(), if we happen to find a block group that has +super blocks mapped to it and we are on a zoned filesystem, we error out +as this is not supposed to happen, indicating either a bug or maybe some +memory corruption for example. However we are exiting the function without +freeing the memory allocated for the logical address of the super blocks. +Fix this by freeing the logical address. + +Fixes: 12659251ca5d ("btrfs: implement log-structured superblock for ZONED mode") +CC: stable@vger.kernel.org # 5.10+ +Reviewed-by: Johannes Thumshirn +Reviewed-by: Anand Jain +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/block-group.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -1894,6 +1894,7 @@ static int exclude_super_stripes(struct + + /* Shouldn't have super stripes in sequential zones */ + if (zoned && nr) { ++ kfree(logical); + btrfs_err(fs_info, + "zoned: block group %llu must not contain super block", + cache->start); diff --git a/tmp-6.1/can-bcm-fix-uaf-in-bcm_proc_show.patch b/tmp-6.1/can-bcm-fix-uaf-in-bcm_proc_show.patch new file mode 100644 index 00000000000..5aad27d3ae2 --- /dev/null +++ b/tmp-6.1/can-bcm-fix-uaf-in-bcm_proc_show.patch 
@@ -0,0 +1,92 @@ +From 55c3b96074f3f9b0aee19bf93cd71af7516582bb Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Sat, 15 Jul 2023 17:25:43 +0800 +Subject: can: bcm: Fix UAF in bcm_proc_show() + +From: YueHaibing + +commit 55c3b96074f3f9b0aee19bf93cd71af7516582bb upstream. + +BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 +Read of size 8 at addr ffff888155846230 by task cat/7862 + +CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Call Trace: + + dump_stack_lvl+0xd5/0x150 + print_report+0xc1/0x5e0 + kasan_report+0xba/0xf0 + bcm_proc_show+0x969/0xa80 + seq_read_iter+0x4f6/0x1260 + seq_read+0x165/0x210 + proc_reg_read+0x227/0x300 + vfs_read+0x1d5/0x8d0 + ksys_read+0x11e/0x240 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Allocated by task 7846: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + __kasan_kmalloc+0x9e/0xa0 + bcm_sendmsg+0x264b/0x44e0 + sock_sendmsg+0xda/0x180 + ____sys_sendmsg+0x735/0x920 + ___sys_sendmsg+0x11d/0x1b0 + __sys_sendmsg+0xfa/0x1d0 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 7846: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + kasan_save_free_info+0x27/0x40 + ____kasan_slab_free+0x161/0x1c0 + slab_free_freelist_hook+0x119/0x220 + __kmem_cache_free+0xb4/0x2e0 + rcu_core+0x809/0x1bd0 + +bcm_op is freed before procfs entry be removed in bcm_release(), +this lead to bcm_proc_show() may read the freed bcm_op. 
+ +Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") +Signed-off-by: YueHaibing +Reviewed-by: Oliver Hartkopp +Acked-by: Oliver Hartkopp +Link: https://lore.kernel.org/all/20230715092543.15548-1-yuehaibing@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/bcm.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -1526,6 +1526,12 @@ static int bcm_release(struct socket *so + + lock_sock(sk); + ++#if IS_ENABLED(CONFIG_PROC_FS) ++ /* remove procfs entry */ ++ if (net->can.bcmproc_dir && bo->bcm_proc_read) ++ remove_proc_entry(bo->procname, net->can.bcmproc_dir); ++#endif /* CONFIG_PROC_FS */ ++ + list_for_each_entry_safe(op, next, &bo->tx_ops, list) + bcm_remove_op(op); + +@@ -1561,12 +1567,6 @@ static int bcm_release(struct socket *so + list_for_each_entry_safe(op, next, &bo->rx_ops, list) + bcm_remove_op(op); + +-#if IS_ENABLED(CONFIG_PROC_FS) +- /* remove procfs entry */ +- if (net->can.bcmproc_dir && bo->bcm_proc_read) +- remove_proc_entry(bo->procname, net->can.bcmproc_dir); +-#endif /* CONFIG_PROC_FS */ +- + /* remove device reference */ + if (bo->bound) { + bo->bound = 0; diff --git a/tmp-6.1/can-gs_usb-gs_can_open-improve-error-handling.patch b/tmp-6.1/can-gs_usb-gs_can_open-improve-error-handling.patch new file mode 100644 index 00000000000..81c130c4563 --- /dev/null +++ b/tmp-6.1/can-gs_usb-gs_can_open-improve-error-handling.patch 
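Review bot: The block moved up in bcm_release() keeps its old comment `/* remove procfs entry */`, which does not record that its position is now what prevents the use-after-free. Per the commit message, bcm_proc_show() can read a bcm_op after it has been freed, and the `bcm_remove_op()` loops that follow are where the ops go away, so the entry has to be removed first. I would change the comment to `/* remove procfs entry first: bcm_proc_show() reads the ops freed below */` so the block is not moved back in a later cleanup. The rest of bcm_release() is outside the two hunks.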
@@ -0,0 +1,117 @@ +From 2603be9e8167ddc7bea95dcfab9ffc33414215aa Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Fri, 7 Jul 2023 13:43:10 +0200 +Subject: can: gs_usb: gs_can_open(): improve error handling + +From: Marc Kleine-Budde + +commit 2603be9e8167ddc7bea95dcfab9ffc33414215aa upstream. + +The gs_usb driver handles USB devices with more than 1 CAN channel. +The RX path for all channels share the same bulk endpoint (the +transmitted bulk data encodes the channel number). These per-device +resources are allocated and submitted by the first opened channel. + +During this allocation, the resources are either released immediately +in case of a failure or the URBs are anchored. All anchored URBs are +finally killed with gs_usb_disconnect(). + +Currently, gs_can_open() returns with an error if the allocation of a +URB or a buffer fails. However, if usb_submit_urb() fails, the driver +continues with the URBs submitted so far, even if no URBs were +successfully submitted. + +Treat every error as fatal and free all allocated resources +immediately. + +Switch to goto-style error handling, to prepare the driver for more +per-device resource allocation. 
+ +Cc: stable@vger.kernel.org +Cc: John Whittington +Link: https://lore.kernel.org/all/20230716-gs_usb-fix-time-stamp-counter-v1-1-9017cefcd9d5@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/gs_usb.c | 31 ++++++++++++++++++++++--------- + 1 file changed, 22 insertions(+), 9 deletions(-) + +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -833,6 +833,7 @@ static int gs_can_open(struct net_device + .mode = cpu_to_le32(GS_CAN_MODE_START), + }; + struct gs_host_frame *hf; ++ struct urb *urb = NULL; + u32 ctrlmode; + u32 flags = 0; + int rc, i; +@@ -858,13 +859,14 @@ static int gs_can_open(struct net_device + + if (!parent->active_channels) { + for (i = 0; i < GS_MAX_RX_URBS; i++) { +- struct urb *urb; + u8 *buf; + + /* alloc rx urb */ + urb = usb_alloc_urb(0, GFP_KERNEL); +- if (!urb) +- return -ENOMEM; ++ if (!urb) { ++ rc = -ENOMEM; ++ goto out_usb_kill_anchored_urbs; ++ } + + /* alloc rx buffer */ + buf = kmalloc(dev->parent->hf_size_rx, +@@ -872,8 +874,8 @@ static int gs_can_open(struct net_device + if (!buf) { + netdev_err(netdev, + "No memory left for USB buffer\n"); +- usb_free_urb(urb); +- return -ENOMEM; ++ rc = -ENOMEM; ++ goto out_usb_free_urb; + } + + /* fill, anchor, and submit rx urb */ +@@ -896,9 +898,7 @@ static int gs_can_open(struct net_device + netdev_err(netdev, + "usb_submit failed (err=%d)\n", rc); + +- usb_unanchor_urb(urb); +- usb_free_urb(urb); +- break; ++ goto out_usb_unanchor_urb; + } + + /* Drop reference, +@@ -944,7 +944,8 @@ static int gs_can_open(struct net_device + if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) + gs_usb_timestamp_stop(dev); + dev->can.state = CAN_STATE_STOPPED; +- return rc; ++ ++ goto out_usb_kill_anchored_urbs; + } + + parent->active_channels++; +@@ -952,6 +953,18 @@ static int gs_can_open(struct net_device + netif_start_queue(netdev); + + return 0; ++ ++out_usb_unanchor_urb: ++ usb_unanchor_urb(urb); ++out_usb_free_urb: ++ 
usb_free_urb(urb); ++out_usb_kill_anchored_urbs: ++ if (!parent->active_channels) ++ usb_kill_anchored_urbs(&dev->tx_submitted); ++ ++ close_candev(netdev); ++ ++ return rc; + } + + static int gs_can_close(struct net_device *netdev) diff --git a/tmp-6.1/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch b/tmp-6.1/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch new file mode 100644 index 00000000000..e554d4718c6 --- /dev/null +++ b/tmp-6.1/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch 
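Review bot: The new `out_usb_kill_anchored_urbs` label in gs_can_open() kills `dev->tx_submitted`, but the loop it cleans up after handles RX URBs according to its own comments (`/* alloc rx urb */`, `/* fill, anchor, and submit rx urb */`). The anchor call is outside the hunks, so it should be confirmed that RX URBs submitted in earlier iterations are on the anchor being killed. If they sit on a different anchor they would stay in flight after open fails and, per the commit message, only be killed in gs_usb_disconnect(). If `dev->tx_submitted` is intended, a comment at the label saying which URBs it covers would help.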
@@ -0,0 +1,87 @@ +From 9efa1a5407e81265ea502cab83be4de503decc49 Mon Sep 17 00:00:00 2001 +From: Fedor Ross +Date: Thu, 4 May 2023 21:50:59 +0200 +Subject: can: mcp251xfd: __mcp251xfd_chip_set_mode(): increase poll timeout + +From: Fedor Ross + +commit 9efa1a5407e81265ea502cab83be4de503decc49 upstream. + +The mcp251xfd controller needs an idle bus to enter 'Normal CAN 2.0 +mode' or . The maximum length of a CAN frame is 736 bits (64 data +bytes, CAN-FD, EFF mode, worst case bit stuffing and interframe +spacing). For low bit rates like 10 kbit/s the arbitrarily chosen +MCP251XFD_POLL_TIMEOUT_US of 1 ms is too small. + +Otherwise during polling for the CAN controller to enter 'Normal CAN +2.0 mode' the timeout limit is exceeded and the configuration fails +with: + +| $ ip link set dev can1 up type can bitrate 10000 +| [ 731.911072] mcp251xfd spi2.1 can1: Controller failed to enter mode CAN 2.0 Mode (6) and stays in Configuration Mode (4) (con=0x068b0760, osc=0x00000468). +| [ 731.927192] mcp251xfd spi2.1 can1: CRC read error at address 0x0e0c (length=4, data=00 00 00 00, CRC=0x0000) retrying. +| [ 731.938101] A link change request failed with some changes committed already. Interface can1 may have been left with an inconsistent configuration, please check. +| RTNETLINK answers: Connection timed out + +Make MCP251XFD_POLL_TIMEOUT_US timeout calculation dynamic. Use +maximum of 1ms and bit time of 1 full 64 data bytes CAN-FD frame in +EFF mode, worst case bit stuffing and interframe spacing at the +current bit rate. + +For easier backporting define the macro MCP251XFD_FRAME_LEN_MAX_BITS +that holds the max frame length in bits, which is 736. This can be +replaced by can_frame_bits(true, true, true, true, CANFD_MAX_DLEN) in +a cleanup patch later. 
+ +Fixes: 55e5b97f003e8 ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") +Signed-off-by: Fedor Ross +Signed-off-by: Marek Vasut +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20230717-mcp251xfd-fix-increase-poll-timeout-v5-1-06600f34c684@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 10 ++++++++-- + drivers/net/can/spi/mcp251xfd/mcp251xfd.h | 1 + + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c +@@ -227,6 +227,8 @@ static int + __mcp251xfd_chip_set_mode(const struct mcp251xfd_priv *priv, + const u8 mode_req, bool nowait) + { ++ const struct can_bittiming *bt = &priv->can.bittiming; ++ unsigned long timeout_us = MCP251XFD_POLL_TIMEOUT_US; + u32 con = 0, con_reqop, osc = 0; + u8 mode; + int err; +@@ -246,12 +248,16 @@ __mcp251xfd_chip_set_mode(const struct m + if (mode_req == MCP251XFD_REG_CON_MODE_SLEEP || nowait) + return 0; + ++ if (bt->bitrate) ++ timeout_us = max_t(unsigned long, timeout_us, ++ MCP251XFD_FRAME_LEN_MAX_BITS * USEC_PER_SEC / ++ bt->bitrate); ++ + err = regmap_read_poll_timeout(priv->map_reg, MCP251XFD_REG_CON, con, + !mcp251xfd_reg_invalid(con) && + FIELD_GET(MCP251XFD_REG_CON_OPMOD_MASK, + con) == mode_req, +- MCP251XFD_POLL_SLEEP_US, +- MCP251XFD_POLL_TIMEOUT_US); ++ MCP251XFD_POLL_SLEEP_US, timeout_us); + if (err != -ETIMEDOUT && err != -EBADMSG) + return err; + +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd.h ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd.h +@@ -387,6 +387,7 @@ static_assert(MCP251XFD_TIMESTAMP_WORK_D + #define MCP251XFD_OSC_STAB_TIMEOUT_US (10 * MCP251XFD_OSC_STAB_SLEEP_US) + #define MCP251XFD_POLL_SLEEP_US (10) + #define MCP251XFD_POLL_TIMEOUT_US (USEC_PER_MSEC) ++#define MCP251XFD_FRAME_LEN_MAX_BITS (736) + + /* Misc */ + #define MCP251XFD_NAPI_WEIGHT 32 
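Review bot: `MCP251XFD_FRAME_LEN_MAX_BITS` is added to mcp251xfd.h as a bare `(736)`, with its derivation recorded only in the commit message. A comment such as `/* 64 data bytes, CAN-FD, EFF, worst-case bit stuffing and interframe spacing */` would keep the reasoning with the code. In __mcp251xfd_chip_set_mode() the product `MCP251XFD_FRAME_LEN_MAX_BITS * USEC_PER_SEC` is formed before the division; with 736 it stays below 2^31, but a short remark beside the expression would help if the constant is later replaced by a computed frame length, as the message anticipates. The function body continues outside the hunk.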
diff --git a/tmp-6.1/can-raw-fix-receiver-memory-leak.patch b/tmp-6.1/can-raw-fix-receiver-memory-leak.patch new file mode 100644 index 00000000000..26a08c5711e --- /dev/null +++ b/tmp-6.1/can-raw-fix-receiver-memory-leak.patch 
@@ -0,0 +1,233 @@ +From ee8b94c8510ce64afe0b87ef548d23e00915fb10 Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Tue, 11 Jul 2023 09:17:37 +0800 +Subject: can: raw: fix receiver memory leak + +From: Ziyang Xuan + +commit ee8b94c8510ce64afe0b87ef548d23e00915fb10 upstream. + +Got kmemleak errors with the following ltp can_filter testcase: + +for ((i=1; i<=100; i++)) +do + ./can_filter & + sleep 0.1 +done + +============================================================== +[<00000000db4a4943>] can_rx_register+0x147/0x360 [can] +[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw] +[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0 +[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70 +[<00000000fd468496>] do_syscall_64+0x33/0x40 +[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +It's a bug in the concurrent scenario of unregister_netdevice_many() +and raw_release() as following: + + cpu0 cpu1 +unregister_netdevice_many(can_dev) + unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this + net_set_todo(can_dev) + raw_release(can_socket) + dev = dev_get_by_index(, ro->ifindex); // dev == NULL + if (dev) { // receivers in dev_rcv_lists not free because dev is NULL + raw_disable_allfilters(, dev, ); + dev_put(dev); + } + ... + ro->bound = 0; + ... + +call_netdevice_notifiers(NETDEV_UNREGISTER, ) + raw_notify(, NETDEV_UNREGISTER, ) + if (ro->bound) // invalid because ro->bound has been set 0 + raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed + +Add a net_device pointer member in struct raw_sock to record bound +can_dev, and use rtnl_lock to serialize raw_socket members between +raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use +ro->dev to decide whether to free receivers in dev_rcv_lists. 
+ +Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier") +Reviewed-by: Oliver Hartkopp +Acked-by: Oliver Hartkopp +Signed-off-by: Ziyang Xuan +Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/raw.c | 57 ++++++++++++++++++++++++--------------------------------- + 1 file changed, 24 insertions(+), 33 deletions(-) + +--- a/net/can/raw.c ++++ b/net/can/raw.c +@@ -84,6 +84,7 @@ struct raw_sock { + struct sock sk; + int bound; + int ifindex; ++ struct net_device *dev; + struct list_head notifier; + int loopback; + int recv_own_msgs; +@@ -277,7 +278,7 @@ static void raw_notify(struct raw_sock * + if (!net_eq(dev_net(dev), sock_net(sk))) + return; + +- if (ro->ifindex != dev->ifindex) ++ if (ro->dev != dev) + return; + + switch (msg) { +@@ -292,6 +293,7 @@ static void raw_notify(struct raw_sock * + + ro->ifindex = 0; + ro->bound = 0; ++ ro->dev = NULL; + ro->count = 0; + release_sock(sk); + +@@ -337,6 +339,7 @@ static int raw_init(struct sock *sk) + + ro->bound = 0; + ro->ifindex = 0; ++ ro->dev = NULL; + + /* set default filter to single entry dfilter */ + ro->dfilter.can_id = 0; +@@ -385,19 +388,13 @@ static int raw_release(struct socket *so + + lock_sock(sk); + ++ rtnl_lock(); + /* remove current filters & unregister */ + if (ro->bound) { +- if (ro->ifindex) { +- struct net_device *dev; +- +- dev = dev_get_by_index(sock_net(sk), ro->ifindex); +- if (dev) { +- raw_disable_allfilters(dev_net(dev), dev, sk); +- dev_put(dev); +- } +- } else { ++ if (ro->dev) ++ raw_disable_allfilters(dev_net(ro->dev), ro->dev, sk); ++ else + raw_disable_allfilters(sock_net(sk), NULL, sk); +- } + } + + if (ro->count > 1) +@@ -405,8 +402,10 @@ static int raw_release(struct socket *so + + ro->ifindex = 0; + ro->bound = 0; ++ ro->dev = NULL; + ro->count = 0; + free_percpu(ro->uniq); ++ rtnl_unlock(); + + sock_orphan(sk); 
+ sock->sk = NULL; +@@ -422,6 +421,7 @@ static int raw_bind(struct socket *sock, + struct sockaddr_can *addr = (struct sockaddr_can *)uaddr; + struct sock *sk = sock->sk; + struct raw_sock *ro = raw_sk(sk); ++ struct net_device *dev = NULL; + int ifindex; + int err = 0; + int notify_enetdown = 0; +@@ -431,14 +431,13 @@ static int raw_bind(struct socket *sock, + if (addr->can_family != AF_CAN) + return -EINVAL; + ++ rtnl_lock(); + lock_sock(sk); + + if (ro->bound && addr->can_ifindex == ro->ifindex) + goto out; + + if (addr->can_ifindex) { +- struct net_device *dev; +- + dev = dev_get_by_index(sock_net(sk), addr->can_ifindex); + if (!dev) { + err = -ENODEV; +@@ -467,26 +466,20 @@ static int raw_bind(struct socket *sock, + if (!err) { + if (ro->bound) { + /* unregister old filters */ +- if (ro->ifindex) { +- struct net_device *dev; +- +- dev = dev_get_by_index(sock_net(sk), +- ro->ifindex); +- if (dev) { +- raw_disable_allfilters(dev_net(dev), +- dev, sk); +- dev_put(dev); +- } +- } else { ++ if (ro->dev) ++ raw_disable_allfilters(dev_net(ro->dev), ++ ro->dev, sk); ++ else + raw_disable_allfilters(sock_net(sk), NULL, sk); +- } + } + ro->ifindex = ifindex; + ro->bound = 1; ++ ro->dev = dev; + } + + out: + release_sock(sk); ++ rtnl_unlock(); + + if (notify_enetdown) { + sk->sk_err = ENETDOWN; +@@ -552,9 +545,9 @@ static int raw_setsockopt(struct socket + rtnl_lock(); + lock_sock(sk); + +- if (ro->bound && ro->ifindex) { +- dev = dev_get_by_index(sock_net(sk), ro->ifindex); +- if (!dev) { ++ dev = ro->dev; ++ if (ro->bound && dev) { ++ if (dev->reg_state != NETREG_REGISTERED) { + if (count > 1) + kfree(filter); + err = -ENODEV; +@@ -595,7 +588,6 @@ static int raw_setsockopt(struct socket + ro->count = count; + + out_fil: +- dev_put(dev); + release_sock(sk); + rtnl_unlock(); + +@@ -613,9 +605,9 @@ static int raw_setsockopt(struct socket + rtnl_lock(); + lock_sock(sk); + +- if (ro->bound && ro->ifindex) { +- dev = dev_get_by_index(sock_net(sk), ro->ifindex); +- if (!dev) 
{ ++ dev = ro->dev; ++ if (ro->bound && dev) { ++ if (dev->reg_state != NETREG_REGISTERED) { + err = -ENODEV; + goto out_err; + } +@@ -639,7 +631,6 @@ static int raw_setsockopt(struct socket + ro->err_mask = err_mask; + + out_err: +- dev_put(dev); + release_sock(sk); + rtnl_unlock(); + diff --git a/tmp-6.1/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch b/tmp-6.1/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch new file mode 100644 index 00000000000..7a2c897f51d --- /dev/null +++ b/tmp-6.1/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch 
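Review bot: raw_release() now takes its two locks in the opposite order to the other paths. The net/can/raw.c hunk adds `rtnl_lock();` after `lock_sock(sk);` there, while raw_bind() (new `rtnl_lock();` before `lock_sock(sk);`) and raw_setsockopt() take rtnl first, an ABBA ordering that can deadlock when a close races with bind or setsockopt. I would acquire `rtnl_lock();` and then `lock_sock(sk);` in raw_release() and release in reverse; its matching release_sock() lies outside the visible hunk. Separately, `ro->dev = dev;` in raw_bind() stores the pointer with no reference visibly taken for it, so its validity appears to rest on raw_notify() clearing it at NETDEV_UNREGISTER. If the dev_get_by_index() reference is dropped before return (not shown here), holding a dedicated reference for the lifetime of ro->dev would guard against a use-after-free.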
@@ -0,0 +1,100 @@ +From 7a8eaa17077746c57f6fa160701348e82e480ae9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jul 2023 08:56:33 +0000 +Subject: cifs: fix mid leak during reconnection after timeout threshold + +From: Shyam Prasad N + +[ Upstream commit 69cba9d3c1284e0838ae408830a02c4a063104bc ] + +When the number of responses with status of STATUS_IO_TIMEOUT +exceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect +the connection. But we do not return the mid, or the credits +returned for the mid, or reduce the number of in-flight requests. + +This bug could result in the server->in_flight count to go bad, +and also cause a leak in the mids. + +This change moves the check to a few lines below where the +response is decrypted, even of the response is read from the +transform header. This way, the code for returning the mids +can be reused. + +Also, the cifs_reconnect was reconnecting just the transport +connection before. In case of multi-channel, this may not be +what we want to do after several timeouts. Changed that to +reconnect the session and the tree too. + +Also renamed NUM_STATUS_IO_TIMEOUT to a more appropriate name +MAX_STATUS_IO_TIMEOUT. 
+ +Fixes: 8e670f77c4a5 ("Handle STATUS_IO_TIMEOUT gracefully") +Signed-off-by: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/connect.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c +index 935fe198a4baf..cbe08948baf4a 100644 +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -59,7 +59,7 @@ extern bool disable_legacy_dialects; + #define TLINK_IDLE_EXPIRE (600 * HZ) + + /* Drop the connection to not overload the server */ +-#define NUM_STATUS_IO_TIMEOUT 5 ++#define MAX_STATUS_IO_TIMEOUT 5 + + struct mount_ctx { + struct cifs_sb_info *cifs_sb; +@@ -1162,6 +1162,7 @@ cifs_demultiplex_thread(void *p) + struct mid_q_entry *mids[MAX_COMPOUND]; + char *bufs[MAX_COMPOUND]; + unsigned int noreclaim_flag, num_io_timeout = 0; ++ bool pending_reconnect = false; + + noreclaim_flag = memalloc_noreclaim_save(); + cifs_dbg(FYI, "Demultiplex PID: %d\n", task_pid_nr(current)); +@@ -1201,6 +1202,8 @@ cifs_demultiplex_thread(void *p) + cifs_dbg(FYI, "RFC1002 header 0x%x\n", pdu_length); + if (!is_smb_response(server, buf[0])) + continue; ++ ++ pending_reconnect = false; + next_pdu: + server->pdu_size = pdu_length; + +@@ -1258,10 +1261,13 @@ cifs_demultiplex_thread(void *p) + if (server->ops->is_status_io_timeout && + server->ops->is_status_io_timeout(buf)) { + num_io_timeout++; +- if (num_io_timeout > NUM_STATUS_IO_TIMEOUT) { +- cifs_reconnect(server, false); ++ if (num_io_timeout > MAX_STATUS_IO_TIMEOUT) { ++ cifs_server_dbg(VFS, ++ "Number of request timeouts exceeded %d. 
Reconnecting", ++ MAX_STATUS_IO_TIMEOUT); ++ ++ pending_reconnect = true; + num_io_timeout = 0; +- continue; + } + } + +@@ -1308,6 +1314,11 @@ cifs_demultiplex_thread(void *p) + buf = server->smallbuf; + goto next_pdu; + } ++ ++ /* do this reconnect at the very end after processing all MIDs */ ++ if (pending_reconnect) ++ cifs_reconnect(server, true); ++ + } /* end while !EXITING */ + + /* buffer usually freed in free_mid - need to free it here on exit */ +-- +2.39.2 + diff --git a/tmp-6.1/devlink-report-devlink_port_type_warn-source-device.patch b/tmp-6.1/devlink-report-devlink_port_type_warn-source-device.patch new file mode 100644 index 00000000000..d6552021503 --- /dev/null +++ b/tmp-6.1/devlink-report-devlink_port_type_warn-source-device.patch 
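Review bot: The format string of the new cifs_server_dbg() call in cifs_demultiplex_thread() ends without a newline, `"Number of request timeouts exceeded %d. Reconnecting"`, whereas the cifs_dbg() call in the same function's context ends in `\n`. An unterminated kernel log line can run into the next message, which makes the reconnect event harder to match in log-based monitoring. I would write `"Number of request timeouts exceeded %d. Reconnecting\n"`. The `dev_warn()` string added to devlink_port_type_warn() in the net/core/devlink.c patch further down has the same missing `\n`. The loop body of cifs_demultiplex_thread() extends outside the hunks.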
@@ -0,0 +1,77 @@ +From 4aca3a9686777cc7cbeeafbea29e9349e546bc92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 11:54:47 +0200 +Subject: devlink: report devlink_port_type_warn source device + +From: Petr Oros + +[ Upstream commit a52305a81d6bb74b90b400dfa56455d37872fe4b ] + +devlink_port_type_warn is scheduled for port devlink and warning +when the port type is not set. But from this warning it is not easy +found out which device (driver) has no devlink port set. + +[ 3709.975552] Type was not set for devlink port. +[ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20 +[ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm +[ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse +[ 3710.108431] CPU: 1 PID: 13092 
Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1 +[ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022 +[ 3710.108437] Workqueue: events devlink_port_type_warn +[ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20 +[ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff <0f> 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87 +[ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282 +[ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027 +[ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8 +[ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18 +[ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600 +[ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905 +[ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000 +[ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0 +[ 3710.108456] PKRU: 55555554 +[ 3710.108457] Call Trace: +[ 3710.108458] +[ 3710.108459] process_one_work+0x1e2/0x3b0 +[ 3710.108466] ? rescuer_thread+0x390/0x390 +[ 3710.108468] worker_thread+0x50/0x3a0 +[ 3710.108471] ? rescuer_thread+0x390/0x390 +[ 3710.108473] kthread+0xdd/0x100 +[ 3710.108477] ? kthread_complete_and_exit+0x20/0x20 +[ 3710.108479] ret_from_fork+0x1f/0x30 +[ 3710.108485] +[ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]--- + +After patch: +[ 402.473064] ice 0000:41:00.0: Type was not set for devlink port. +[ 402.473064] ice 0000:41:00.1: Type was not set for devlink port. 
+ +Signed-off-by: Petr Oros +Reviewed-by: Pavan Chebbi +Reviewed-by: Jakub Kicinski +Link: https://lore.kernel.org/r/20230615095447.8259-1-poros@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/devlink.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/core/devlink.c b/net/core/devlink.c +index 2aa77d4b80d0a..5a4a4b34ac15c 100644 +--- a/net/core/devlink.c ++++ b/net/core/devlink.c +@@ -9826,7 +9826,10 @@ EXPORT_SYMBOL_GPL(devlink_free); + + static void devlink_port_type_warn(struct work_struct *work) + { +- WARN(true, "Type was not set for devlink port."); ++ struct devlink_port *port = container_of(to_delayed_work(work), ++ struct devlink_port, ++ type_warn_dw); ++ dev_warn(port->devlink->dev, "Type was not set for devlink port."); + } + + static bool devlink_port_type_should_warn(struct devlink_port *devlink_port) +-- +2.39.2 + diff --git a/tmp-6.1/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch b/tmp-6.1/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch new file mode 100644 index 00000000000..2fa44ff85d9 --- /dev/null +++ b/tmp-6.1/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch 
@@ -0,0 +1,71 @@ +From 05abb3be91d8788328231ee02973ab3d47f5e3d2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 13 Jul 2023 22:47:45 +0300 +Subject: dma-buf/dma-resv: Stop leaking on krealloc() failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 05abb3be91d8788328231ee02973ab3d47f5e3d2 upstream. + +Currently dma_resv_get_fences() will leak the previously +allocated array if the fence iteration got restarted and +the krealloc_array() fails. + +Free the old array by hand, and make sure we still clear +the returned *fences so the caller won't end up accessing +freed memory. Some (but not all) of the callers of +dma_resv_get_fences() seem to still trawl through the +array even when dma_resv_get_fences() failed. And let's +zero out *num_fences as well for good measure. + +Cc: Sumit Semwal +Cc: Christian König +Cc: linux-media@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Cc: linaro-mm-sig@lists.linaro.org +Fixes: d3c80698c9f5 ("dma-buf: use new iterator in dma_resv_get_fences v3") +Signed-off-by: Ville Syrjälä +Reviewed-by: Christian König +Cc: stable@vger.kernel.org +Link: https://patchwork.freedesktop.org/patch/msgid/20230713194745.1751-1-ville.syrjala@linux.intel.com +Signed-off-by: Christian König +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma-buf/dma-resv.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/dma-buf/dma-resv.c ++++ b/drivers/dma-buf/dma-resv.c +@@ -566,6 +566,7 @@ int dma_resv_get_fences(struct dma_resv + dma_resv_for_each_fence_unlocked(&cursor, fence) { + + if (dma_resv_iter_is_restarted(&cursor)) { ++ struct dma_fence **new_fences; + unsigned int count; + + while (*num_fences) +@@ -574,13 +575,17 @@ int dma_resv_get_fences(struct dma_resv + count = cursor.num_fences + 1; + + /* Eventually re-allocate the array */ +- *fences = krealloc_array(*fences, count, +- sizeof(void *), +- 
GFP_KERNEL); +- if (count && !*fences) { ++ new_fences = krealloc_array(*fences, count, ++ sizeof(void *), ++ GFP_KERNEL); ++ if (count && !new_fences) { ++ kfree(*fences); ++ *fences = NULL; ++ *num_fences = 0; + dma_resv_iter_end(&cursor); + return -ENOMEM; + } ++ *fences = new_fences; + } + + (*fences)[(*num_fences)++] = dma_fence_get(fence); diff --git a/tmp-6.1/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch b/tmp-6.1/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch new file mode 100644 index 00000000000..b1ab441d828 --- /dev/null +++ b/tmp-6.1/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch 
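Review bot: The error branch added to dma_resv_get_fences() sets up a contract that should be stated in a comment. On -ENOMEM the old array is freed and `*fences`/`*num_fences` are reset, so callers that keep walking the array after a failure do not touch freed memory. Above `kfree(*fences);` I would add `/* callers may still walk *fences after an error: hand back NULL/0, never the freed array */`. As a style point, `sizeof(*new_fences)` in the krealloc_array() call would tie the element size to the pointer's type instead of `sizeof(void *)`. The function starts and ends outside the hunk.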
@@ -0,0 +1,38 @@ +From 5a25cefc0920088bb9afafeb80ad3dcd84fe278b Mon Sep 17 00:00:00 2001 +From: Taimur Hassan +Date: Tue, 20 Jun 2023 17:00:28 -0400 +Subject: drm/amd/display: check TG is non-null before checking if enabled + +From: Taimur Hassan + +commit 5a25cefc0920088bb9afafeb80ad3dcd84fe278b upstream. + +[Why & How] +If there is no TG allocation we can dereference a NULL pointer when +checking if the TG is enabled. + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Reviewed-by: Nicholas Kazlauskas +Acked-by: Alan Liu +Signed-off-by: Taimur Hassan +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +@@ -3293,7 +3293,8 @@ void dcn10_wait_for_mpcc_disconnect( + if (pipe_ctx->stream_res.opp->mpcc_disconnect_pending[mpcc_inst]) { + struct hubp *hubp = get_hubp_by_inst(res_pool, mpcc_inst); + +- if (pipe_ctx->stream_res.tg->funcs->is_tg_enabled(pipe_ctx->stream_res.tg)) ++ if (pipe_ctx->stream_res.tg && ++ pipe_ctx->stream_res.tg->funcs->is_tg_enabled(pipe_ctx->stream_res.tg)) + res_pool->mpc->funcs->wait_for_idle(res_pool->mpc, mpcc_inst); + pipe_ctx->stream_res.opp->mpcc_disconnect_pending[mpcc_inst] = false; + hubp->funcs->set_blank(hubp, true); diff --git a/tmp-6.1/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch b/tmp-6.1/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch new file mode 100644 index 00000000000..6b589736210 --- /dev/null +++ b/tmp-6.1/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch 
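Review bot: The new guard covers only `pipe_ctx->stream_res.tg`, but the same block of dcn10_wait_for_mpcc_disconnect() still dereferences `hubp`, the result of get_hubp_by_inst(), in `hubp->funcs->set_blank(hubp, true);` without a check. If get_hubp_by_inst() can return NULL for an instance (its body is not visible here), I would guard it the same way: `if (hubp) hubp->funcs->set_blank(hubp, true);`. The enclosing function begins and ends outside the hunk.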
@@ -0,0 +1,42 @@ +From a460beefe77d780ac48f19d39333852a7f93ffc1 Mon Sep 17 00:00:00 2001 +From: Zhikai Zhai +Date: Fri, 30 Jun 2023 11:35:14 +0800 +Subject: drm/amd/display: Disable MPC split by default on special asic + +From: Zhikai Zhai + +commit a460beefe77d780ac48f19d39333852a7f93ffc1 upstream. + +[WHY] +All of pipes will be used when the MPC split enable on the dcn +which just has 2 pipes. Then MPO enter will trigger the minimal +transition which need programe dcn from 2 pipes MPC split to 2 +pipes MPO. This action will cause lag if happen frequently. + +[HOW] +Disable the MPC split for the platform which dcn resource is limited + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Reviewed-by: Alvin Lee +Acked-by: Alan Liu +Signed-off-by: Zhikai Zhai +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c +@@ -65,7 +65,7 @@ static const struct dc_debug_options deb + .timing_trace = false, + .clock_trace = true, + .disable_pplib_clock_request = true, +- .pipe_split_policy = MPC_SPLIT_DYNAMIC, ++ .pipe_split_policy = MPC_SPLIT_AVOID, + .force_single_disp_pipe_split = false, + .disable_dcc = DCC_ENABLE, + .vsr_support = true, diff --git a/tmp-6.1/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch b/tmp-6.1/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch new file mode 100644 index 00000000000..587a6956896 --- /dev/null +++ b/tmp-6.1/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch 
@@ -0,0 +1,42 @@ +From 2387ccf43e3c6cb5dbd757c5ef410cca9f14b971 Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Thu, 29 Jun 2023 10:35:59 -0400 +Subject: drm/amd/display: Keep PHY active for DP displays on DCN31 + +From: Nicholas Kazlauskas + +commit 2387ccf43e3c6cb5dbd757c5ef410cca9f14b971 upstream. + +[Why & How] +Port of a change that went into DCN314 to keep the PHY enabled +when we have a connected and active DP display. + +The PHY can hang if PHY refclk is disabled inadvertently. + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Reviewed-by: Josip Pavic +Acked-by: Alan Liu +Signed-off-by: Nicholas Kazlauskas +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c +@@ -86,6 +86,11 @@ static int dcn31_get_active_display_cnt_ + stream->signal == SIGNAL_TYPE_DVI_SINGLE_LINK || + stream->signal == SIGNAL_TYPE_DVI_DUAL_LINK) + tmds_present = true; ++ ++ /* Checking stream / link detection ensuring that PHY is active*/ ++ if (dc_is_dp_signal(stream->signal) && !stream->dpms_off) ++ display_count++; ++ + } + + for (i = 0; i < dc->link_count; i++) { diff --git a/tmp-6.1/drm-amd-display-only-accept-async-flips-for-fast-updates.patch b/tmp-6.1/drm-amd-display-only-accept-async-flips-for-fast-updates.patch new file mode 100644 index 00000000000..b66e30d5918 --- /dev/null +++ b/tmp-6.1/drm-amd-display-only-accept-async-flips-for-fast-updates.patch 
@@ -0,0 +1,82 @@ +From 1ca67aba8d11c2849d395013e1fdce02918d5657 Mon Sep 17 00:00:00 2001 +From: Simon Ser +Date: Wed, 21 Jun 2023 17:24:59 -0300 +Subject: drm/amd/display: only accept async flips for fast updates +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Simon Ser + +commit 1ca67aba8d11c2849d395013e1fdce02918d5657 upstream. + +Up until now, amdgpu was silently degrading to vsync when +user-space requested an async flip but the hardware didn't support +it. + +The hardware doesn't support immediate flips when the update changes +the FB pitch, the DCC state, the rotation, enables or disables CRTCs +or planes, etc. This is reflected in the dm_crtc_state.update_type +field: UPDATE_TYPE_FAST means that immediate flip is supported. + +Silently degrading async flips to vsync is not the expected behavior +from a uAPI point-of-view. Xorg expects async flips to fail if +unsupported, to be able to fall back to a blit. i915 already behaves +this way. + +This patch aligns amdgpu with uAPI expectations and returns a failure +when an async flip is not possible. + +Signed-off-by: Simon Ser +Reviewed-by: André Almeida +Reviewed-by: Alex Deucher +Reviewed-by: Harry Wentland +Signed-off-by: André Almeida +Signed-off-by: Hamza Mahfooz +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 ++++++++ + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 12 ++++++++++++ + 2 files changed, 20 insertions(+) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -7757,7 +7757,15 @@ static void amdgpu_dm_commit_planes(stru + * Only allow immediate flips for fast updates that don't + * change memory domain, FB pitch, DCC state, rotation or + * mirroring. ++ * ++ * dm_crtc_helper_atomic_check() only accepts async flips with ++ * fast updates. 
+ */ ++ if (crtc->state->async_flip && ++ acrtc_state->update_type != UPDATE_TYPE_FAST) ++ drm_warn_once(state->dev, ++ "[PLANE:%d:%s] async flip with non-fast update\n", ++ plane->base.id, plane->name); + bundle->flip_addrs[planes_count].flip_immediate = + crtc->state->async_flip && + acrtc_state->update_type == UPDATE_TYPE_FAST && +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c +@@ -406,6 +406,18 @@ static int dm_crtc_helper_atomic_check(s + return -EINVAL; + } + ++ /* ++ * Only allow async flips for fast updates that don't change the FB ++ * pitch, the DCC state, rotation, etc. ++ */ ++ if (crtc_state->async_flip && ++ dm_crtc_state->update_type != UPDATE_TYPE_FAST) { ++ drm_dbg_atomic(crtc->dev, ++ "[CRTC:%d:%s] async flips are only supported for fast updates\n", ++ crtc->base.id, crtc->name); ++ return -EINVAL; ++ } ++ + /* In some use cases, like reset, no stream is attached */ + if (!dm_crtc_state->stream) + return 0; diff --git a/tmp-6.1/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch b/tmp-6.1/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch new file mode 100644 index 00000000000..b8fd75b4f0b --- /dev/null +++ b/tmp-6.1/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch 
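Review bot: The check added to dm_crtc_helper_atomic_check() rejects only `update_type != UPDATE_TYPE_FAST`, while the `flip_immediate` expression in amdgpu_dm_commit_planes() has at least one more conjunct after `acrtc_state->update_type == UPDATE_TYPE_FAST &&`. That conjunct is cut off by the hunk; the comment above it mentions the memory domain. An async flip that passes the atomic check can therefore still be degraded to vsync at commit time without an error, and the new `drm_warn_once()` does not fire for that case. I would either mirror the remaining condition in the atomic check or extend the warning to cover it. It is also worth confirming that `dm_crtc_state->update_type` has already been computed when this helper runs, since the hunk does not show where it is set.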
@@ -0,0 +1,45 @@ +From a4eb11824170d742531998f4ebd1c6a18b63db47 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 13 Jun 2023 12:15:38 -0400 +Subject: drm/amdgpu/pm: make gfxclock consistent for sienna cichlid + +From: Alex Deucher + +commit a4eb11824170d742531998f4ebd1c6a18b63db47 upstream. + +Use average gfxclock for consistency with other dGPUs. + +Reviewed-by: Kenneth Feng +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.1.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c +index f6599c00a6fd..0cda3b276f61 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c +@@ -1927,12 +1927,16 @@ static int sienna_cichlid_read_sensor(struct smu_context *smu, + *size = 4; + break; + case AMDGPU_PP_SENSOR_GFX_MCLK: +- ret = sienna_cichlid_get_current_clk_freq_by_table(smu, SMU_UCLK, (uint32_t *)data); ++ ret = sienna_cichlid_get_smu_metrics_data(smu, ++ METRICS_CURR_UCLK, ++ (uint32_t *)data); + *(uint32_t *)data *= 100; + *size = 4; + break; + case AMDGPU_PP_SENSOR_GFX_SCLK: +- ret = sienna_cichlid_get_current_clk_freq_by_table(smu, SMU_GFXCLK, (uint32_t *)data); ++ ret = sienna_cichlid_get_smu_metrics_data(smu, ++ METRICS_AVERAGE_GFXCLK, ++ (uint32_t *)data); + *(uint32_t *)data *= 100; + *size = 4; + break; +-- +2.41.0 + diff --git a/tmp-6.1/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch b/tmp-6.1/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch new file mode 100644 index 00000000000..27426d1dce5 --- /dev/null +++ b/tmp-6.1/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch 
@@ -0,0 +1,30 @@ +From 068c8bb10f37bb84824625dbbda053a3a3e0d6e1 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 13 Jun 2023 12:36:17 -0400 +Subject: drm/amdgpu/pm: make mclk consistent for smu 13.0.7 + +From: Alex Deucher + +commit 068c8bb10f37bb84824625dbbda053a3a3e0d6e1 upstream. + +Use current uclk to be consistent with other dGPUs. + +Reviewed-by: Kenneth Feng +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.1.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c +@@ -940,7 +940,7 @@ static int smu_v13_0_7_read_sensor(struc + break; + case AMDGPU_PP_SENSOR_GFX_MCLK: + ret = smu_v13_0_7_get_smu_metrics_data(smu, +- METRICS_AVERAGE_UCLK, ++ METRICS_CURR_UCLK, + (uint32_t *)data); + *(uint32_t *)data *= 100; + *size = 4; diff --git a/tmp-6.1/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch b/tmp-6.1/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch new file mode 100644 index 00000000000..d26cdf175ba --- /dev/null +++ b/tmp-6.1/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch 
@@ -0,0 +1,101 @@ +From b42ae87a7b3878afaf4c3852ca66c025a5b996e0 Mon Sep 17 00:00:00 2001 +From: Guchun Chen +Date: Thu, 6 Jul 2023 15:57:21 +0800 +Subject: drm/amdgpu/vkms: relax timer deactivation by hrtimer_try_to_cancel +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guchun Chen + +commit b42ae87a7b3878afaf4c3852ca66c025a5b996e0 upstream. + +In below thousands of screen rotation loop tests with virtual display +enabled, a CPU hard lockup issue may happen, leading system to unresponsive +and crash. + +do { + xrandr --output Virtual --rotate inverted + xrandr --output Virtual --rotate right + xrandr --output Virtual --rotate left + xrandr --output Virtual --rotate normal +} while (1); + +NMI watchdog: Watchdog detected hard LOCKUP on cpu 1 + +? hrtimer_run_softirq+0x140/0x140 +? store_vblank+0xe0/0xe0 [drm] +hrtimer_cancel+0x15/0x30 +amdgpu_vkms_disable_vblank+0x15/0x30 [amdgpu] +drm_vblank_disable_and_save+0x185/0x1f0 [drm] +drm_crtc_vblank_off+0x159/0x4c0 [drm] +? record_print_text.cold+0x11/0x11 +? wait_for_completion_timeout+0x232/0x280 +? drm_crtc_wait_one_vblank+0x40/0x40 [drm] +? bit_wait_io_timeout+0xe0/0xe0 +? wait_for_completion_interruptible+0x1d7/0x320 +? mutex_unlock+0x81/0xd0 +amdgpu_vkms_crtc_atomic_disable + +It's caused by a stuck in lock dependency in such scenario on different +CPUs. + +CPU1 CPU2 +drm_crtc_vblank_off hrtimer_interrupt + grab event_lock (irq disabled) __hrtimer_run_queues + grab vbl_lock/vblank_time_block amdgpu_vkms_vblank_simulate + amdgpu_vkms_disable_vblank drm_handle_vblank + hrtimer_cancel grab dev->event_lock + +So CPU1 stucks in hrtimer_cancel as timer callback is running endless on +current clock base, as that timer queue on CPU2 has no chance to finish it +because of failing to hold the lock. So NMI watchdog will throw the errors +after its threshold, and all later CPUs are impacted/blocked. 
+ +So use hrtimer_try_to_cancel to fix this, as disable_vblank callback +does not need to wait the handler to finish. And also it's not necessary +to check the return value of hrtimer_try_to_cancel, because even if it's +-1 which means current timer callback is running, it will be reprogrammed +in hrtimer_start with calling enable_vblank to make it works. + +v2: only re-arm timer when vblank is enabled (Christian) and add a Fixes +tag as well + +v3: drop warn printing (Christian) + +v4: drop superfluous check of blank->enabled in timer function, as it's +guaranteed in drm_handle_vblank (Christian) + +Fixes: 84ec374bd580 ("drm/amdgpu: create amdgpu_vkms (v4)") +Cc: stable@vger.kernel.org +Suggested-by: Christian König +Signed-off-by: Guchun Chen +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c +@@ -55,8 +55,9 @@ static enum hrtimer_restart amdgpu_vkms_ + DRM_WARN("%s: vblank timer overrun\n", __func__); + + ret = drm_crtc_handle_vblank(crtc); ++ /* Don't queue timer again when vblank is disabled. */ + if (!ret) +- DRM_ERROR("amdgpu_vkms failure on handling vblank"); ++ return HRTIMER_NORESTART; + + return HRTIMER_RESTART; + } +@@ -81,7 +82,7 @@ static void amdgpu_vkms_disable_vblank(s + { + struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc); + +- hrtimer_cancel(&amdgpu_crtc->vblank_timer); ++ hrtimer_try_to_cancel(&amdgpu_crtc->vblank_timer); + } + + static bool amdgpu_vkms_get_vblank_timestamp(struct drm_crtc *crtc, diff --git a/tmp-6.1/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch b/tmp-6.1/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch new file mode 100644 index 00000000000..d3db537579d --- /dev/null +++ b/tmp-6.1/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch 
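Review bot: The call `hrtimer_try_to_cancel(&amdgpu_crtc->vblank_timer);` in amdgpu_vkms_disable_vblank drops its return value with no comment, and the reason this is safe (a callback that is still running is tolerated because the timer is re-armed on enable) lives only in the commit message. A comment at the call would stop a later cleanup from restoring the blocking hrtimer_cancel() that produced the hard lockup, e.g. `/* Do not wait for a running callback: it takes dev->event_lock, which the vblank-off path already holds. */`. Because the callback can still be executing after this returns, any teardown path that frees the crtc needs a synchronous cancel of its own; that code is outside this hunk and should be confirmed. Both function bodies start before the hunk lines shown.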
@@ -0,0 +1,46 @@
+From 2329cc7a101af1a844fbf706c0724c0baea38365 Mon Sep 17 00:00:00 2001
+From: Jocelyn Falempe
+Date: Tue, 11 Jul 2023 11:20:44 +0200
+Subject: drm/client: Fix memory leak in drm_client_modeset_probe
+
+From: Jocelyn Falempe
+
+commit 2329cc7a101af1a844fbf706c0724c0baea38365 upstream.
+
+When a new mode is set to modeset->mode, the previous mode should be freed.
+This fixes the following kmemleak report:
+
+drm_mode_duplicate+0x45/0x220 [drm]
+drm_client_modeset_probe+0x944/0xf50 [drm]
+__drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper]
+drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper]
+drm_client_register+0x169/0x240 [drm]
+ast_pci_probe+0x142/0x190 [ast]
+local_pci_probe+0xdc/0x180
+work_for_cpu_fn+0x4e/0xa0
+process_one_work+0x8b7/0x1540
+worker_thread+0x70a/0xed0
+kthread+0x29f/0x340
+ret_from_fork+0x1f/0x30
+
+cc:
+Reported-by: Zhang Yi
+Signed-off-by: Jocelyn Falempe
+Reviewed-by: Javier Martinez Canillas
+Reviewed-by: Thomas Zimmermann
+Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-3-jfalempe@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_client_modeset.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/drm_client_modeset.c
++++ b/drivers/gpu/drm/drm_client_modeset.c
+@@ -871,6 +871,7 @@ int drm_client_modeset_probe(struct drm_
+ break;
+ }
+
++ kfree(modeset->mode);
+ modeset->mode = drm_mode_duplicate(dev, mode);
+ drm_connector_get(connector);
+ modeset->connectors[modeset->num_connectors++] = connector;
diff --git a/tmp-6.1/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch b/tmp-6.1/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch
new file mode 100644
index 00000000000..5e8d014937f
--- /dev/null
+++ b/tmp-6.1/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch
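Review bot: `kfree(modeset->mode);` in drm_client_modeset_probe frees an object that came from drm_mode_duplicate() with the raw allocator call instead of the mode API's own release. `drm_mode_destroy(dev, modeset->mode);` is the matching call and keeps the free correct if mode allocation ever stops being a plain kmalloc. The same applies to `kfree(dmt_mode);` in the drm_client_target_cloned patch that follows. Separately, the result of `drm_mode_duplicate(dev, mode)` on the next line is stored without a NULL check in the lines shown; the rest of the function is outside the hunk, so that may be handled later.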
@@ -0,0 +1,68 @@ +From c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 Mon Sep 17 00:00:00 2001 +From: Jocelyn Falempe +Date: Tue, 11 Jul 2023 11:20:43 +0200 +Subject: drm/client: Fix memory leak in drm_client_target_cloned + +From: Jocelyn Falempe + +commit c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 upstream. + +dmt_mode is allocated and never freed in this function. +It was found with the ast driver, but most drivers using generic fbdev +setup are probably affected. + +This fixes the following kmemleak report: + backtrace: + [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm] + [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm] + [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm] + [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] + [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] + [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm] + [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast] + [<00000000987f19bb>] local_pci_probe+0xdc/0x180 + [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0 + [<0000000000b85301>] process_one_work+0x8b7/0x1540 + [<000000003375b17c>] worker_thread+0x70a/0xed0 + [<00000000b0d43cd9>] kthread+0x29f/0x340 + [<000000008d770833>] ret_from_fork+0x1f/0x30 +unreferenced object 0xff11000333089a00 (size 128): + +cc: +Fixes: 1d42bbc8f7f9 ("drm/fbdev: fix cloning on fbcon") +Reported-by: Zhang Yi +Signed-off-by: Jocelyn Falempe +Reviewed-by: Javier Martinez Canillas +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-2-jfalempe@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_client_modeset.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/drm_client_modeset.c ++++ b/drivers/gpu/drm/drm_client_modeset.c +@@ -315,6 +315,9 @@ static bool drm_client_target_cloned(str + can_clone = true; + dmt_mode = drm_mode_find_dmt(dev, 1024, 768, 60, false); + ++ 
if (!dmt_mode) ++ goto fail; ++ + for (i = 0; i < connector_count; i++) { + if (!enabled[i]) + continue; +@@ -330,11 +333,13 @@ static bool drm_client_target_cloned(str + if (!modes[i]) + can_clone = false; + } ++ kfree(dmt_mode); + + if (can_clone) { + DRM_DEBUG_KMS("can clone using 1024x768\n"); + return true; + } ++fail: + DRM_INFO("kms: can't enable cloning when we probably wanted to.\n"); + return false; + } diff --git a/tmp-6.1/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch b/tmp-6.1/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch new file mode 100644 index 00000000000..0ff32277d59 --- /dev/null +++ b/tmp-6.1/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch @@ -0,0 +1,38 @@ +From 20d5e3268aeb5cd2827f61521d33a0203f680509 Mon Sep 17 00:00:00 2001 +From: hackyzh002 +Date: Wed, 19 Apr 2023 20:20:58 +0800 +Subject: [PATCH AUTOSEL 4.19 01/11] drm/radeon: Fix integer overflow in + radeon_cs_parser_init +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 4.19.288 + +[ Upstream commit f828b681d0cd566f86351c0b913e6cb6ed8c7b9c ] + +The type of size is unsigned, if size is 0x40000000, there will be an +integer overflow, size will be zero after size *= sizeof(uint32_t), +will cause uninitialized memory to be referenced later + +Reviewed-by: Christian König +Signed-off-by: hackyzh002 +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_cs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/radeon_cs.c ++++ b/drivers/gpu/drm/radeon/radeon_cs.c +@@ -270,7 +270,8 @@ int radeon_cs_parser_init(struct radeon_ + { + struct drm_radeon_cs *cs = data; + uint64_t *chunk_array_ptr; +- unsigned size, i; ++ u64 size; ++ unsigned i; + u32 ring = RADEON_CS_RING_GFX; + s32 priority = 0; + 
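Review bot: In the radeon_cs_parser_init patch only the declaration changes (`unsigned size, i;` becomes `u64 size;` and `unsigned i;`), so the overflow is closed only if every later use of size keeps the full width, and those uses are outside the hunk. Per the description the value is multiplied by sizeof(uint32_t), and it presumably originates from the ioctl argument `data`. It is worth confirming that size is bounded before it reaches an allocation or copy, since narrowing the 64-bit product to a 32-bit parameter would bring the truncation back. A comment at the declaration would record the intent, e.g. `/* u64 so that size * sizeof(uint32_t) cannot wrap */`. This file is added under tmp-6.1/ while its headers read `[PATCH AUTOSEL 4.19 01/11]` and `X-stable-base: Linux 4.19.288` (the three JFS patches further down carry the same headers), so the hunk offsets should be checked against the 6.1 tree.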
diff --git a/tmp-6.1/drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch b/tmp-6.1/drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch new file mode 100644 index 00000000000..af369b38cef --- /dev/null +++ b/tmp-6.1/drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch 
@@ -0,0 +1,49 @@ +From 4481913607e58196c48a4fef5e6f45350684ec3c Mon Sep 17 00:00:00 2001 +From: Yunxiang Li +Date: Thu, 22 Jun 2023 10:18:03 -0400 +Subject: drm/ttm: fix bulk_move corruption when adding a entry +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yunxiang Li + +commit 4481913607e58196c48a4fef5e6f45350684ec3c upstream. + +When the resource is the first in the bulk_move range, adding it again +(thus moving it to the tail) will corrupt the list since the first +pointer is not moved. This eventually lead to null pointer deref in +ttm_lru_bulk_move_del() + +Fixes: fee2ede15542 ("drm/ttm: rework bulk move handling v5") +Signed-off-by: Yunxiang Li +Reviewed-by: Christian König +CC: stable@vger.kernel.org +Link: https://patchwork.freedesktop.org/patch/msgid/20230622141902.28718-3-Yunxiang.Li@amd.com +Signed-off-by: Christian König +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/ttm/ttm_resource.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ttm/ttm_resource.c ++++ b/drivers/gpu/drm/ttm/ttm_resource.c +@@ -85,6 +85,8 @@ static void ttm_lru_bulk_move_pos_tail(s + struct ttm_resource *res) + { + if (pos->last != res) { ++ if (pos->first == res) ++ pos->first = list_next_entry(res, lru); + list_move(&res->lru, &pos->last->lru); + pos->last = res; + } +@@ -110,7 +112,8 @@ static void ttm_lru_bulk_move_del(struct + { + struct ttm_lru_bulk_move_pos *pos = ttm_lru_bulk_move_pos(bulk, res); + +- if (unlikely(pos->first == res && pos->last == res)) { ++ if (unlikely(WARN_ON(!pos->first || !pos->last) || ++ (pos->first == res && pos->last == res))) { + pos->first = NULL; + pos->last = NULL; + } else if (pos->first == res) { diff --git a/tmp-6.1/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch b/tmp-6.1/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch new file mode 100644 index 00000000000..70d64a56f2e --- /dev/null 
+++ b/tmp-6.1/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch 
@@ -0,0 +1,69 @@ +From 9bbaa84ecaeca40ae4d2d1cd4ab363546113da7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 00:34:05 +0200 +Subject: dsa: mv88e6xxx: Do a final check before timing out + +From: Linus Walleij + +[ Upstream commit 95ce158b6c93b28842b54b42ad1cb221b9844062 ] + +I get sporadic timeouts from the driver when using the +MV88E6352. Reading the status again after the loop fixes the +problem: the operation is successful but goes undetected. + +Some added prints show things like this: + +[ 58.356209] mv88e6085 mdio_mux-0.1:00: Timeout while waiting + for switch, addr 1b reg 0b, mask 8000, val 0000, data c000 +[ 58.367487] mv88e6085 mdio_mux-0.1:00: Timeout waiting for + ATU op 4000, fid 0001 +(...) +[ 61.826293] mv88e6085 mdio_mux-0.1:00: Timeout while waiting + for switch, addr 1c reg 18, mask 8000, val 0000, data 9860 +[ 61.837560] mv88e6085 mdio_mux-0.1:00: Timeout waiting + for PHY command 1860 to complete + +The reason is probably not the commands: I think those are +mostly fine with the 50+50ms timeout, but the problem +appears when OpenWrt brings up several interfaces in +parallel on a system with 7 populated ports: if one of +them take more than 50 ms and waits one or more of the +others can get stuck on the mutex for the switch and then +this can easily multiply. + +As we sleep and wait, the function loop needs a final +check after exiting the loop if we were successful. 
+ +Suggested-by: Andrew Lunn +Cc: Tobias Waldekranz +Fixes: 35da1dfd9484 ("net: dsa: mv88e6xxx: Improve performance of busy bit polling") +Signed-off-by: Linus Walleij +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230712223405.861899-1-linus.walleij@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 4db1652015d1d..b69bd44ada1f2 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -109,6 +109,13 @@ int mv88e6xxx_wait_mask(struct mv88e6xxx_chip *chip, int addr, int reg, + usleep_range(1000, 2000); + } + ++ err = mv88e6xxx_read(chip, addr, reg, &data); ++ if (err) ++ return err; ++ ++ if ((data & mask) == val) ++ return 0; ++ + dev_err(chip->dev, "Timeout while waiting for switch\n"); + return -ETIMEDOUT; + } +-- +2.39.2 + diff --git a/tmp-6.1/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch b/tmp-6.1/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch new file mode 100644 index 00000000000..ba80a2d73bc --- /dev/null +++ b/tmp-6.1/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch 
@@ -0,0 +1,54 @@ +From 6909cf5c4101214f4305a62d582a5b93c7e1eb9a Mon Sep 17 00:00:00 2001 +From: Eric Whitney +Date: Mon, 22 May 2023 14:15:20 -0400 +Subject: ext4: correct inline offset when handling xattrs in inode body + +From: Eric Whitney + +commit 6909cf5c4101214f4305a62d582a5b93c7e1eb9a upstream. + +When run on a file system where the inline_data feature has been +enabled, xfstests generic/269, generic/270, and generic/476 cause ext4 +to emit error messages indicating that inline directory entries are +corrupted. This occurs because the inline offset used to locate +inline directory entries in the inode body is not updated when an +xattr in that shared region is deleted and the region is shifted in +memory to recover the space it occupied. If the deleted xattr precedes +the system.data attribute, which points to the inline directory entries, +that attribute will be moved further up in the region. The inline +offset continues to point to whatever is located in system.data's former +location, with unfortunate effects when used to access directory entries +or (presumably) inline data in the inode body. + +Cc: stable@kernel.org +Signed-off-by: Eric Whitney +Link: https://lore.kernel.org/r/20230522181520.1570360-1-enwlinux@gmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1732,6 +1732,20 @@ static int ext4_xattr_set_entry(struct e + memmove(here, (void *)here + size, + (void *)last - (void *)here + sizeof(__u32)); + memset(last, 0, size); ++ ++ /* ++ * Update i_inline_off - moved ibody region might contain ++ * system.data attribute. Handling a failure here won't ++ * cause other complications for setting an xattr. 
++ */ ++ if (!is_block && ext4_has_inline_data(inode)) { ++ ret = ext4_find_inline_data_nolock(inode); ++ if (ret) { ++ ext4_warning_inode(inode, ++ "unable to update i_inline_off"); ++ goto out; ++ } ++ } + } else if (s->not_found) { + /* Insert new name. */ + size_t size = EXT4_XATTR_LEN(name_len); diff --git a/tmp-6.1/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch b/tmp-6.1/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch new file mode 100644 index 00000000000..0e0a727fd33 --- /dev/null +++ b/tmp-6.1/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch @@ -0,0 +1,40 @@ +From 3f351b5e8558e6d06eb00f3a0b3ce2ac4d1bd613 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jul 2023 16:16:56 +0800 +Subject: fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe + +From: Zhang Shurong + +[ Upstream commit 4e88761f5f8c7869f15a2046b1a1116f4fab4ac8 ] + +This func misses checking for platform_get_irq()'s call and may passes the +negative error codes to request_irq(), which takes unsigned IRQ #, +causing it to fail with -EINVAL, overriding an original error code. + +Fix this by stop calling request_irq() with invalid IRQ #s. + +Fixes: 1630d85a8312 ("au1200fb: fix hardcoded IRQ") +Signed-off-by: Zhang Shurong +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/au1200fb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c +index b6b22fa4a8a01..fd3ff398d234a 100644 +--- a/drivers/video/fbdev/au1200fb.c ++++ b/drivers/video/fbdev/au1200fb.c +@@ -1732,6 +1732,9 @@ static int au1200fb_drv_probe(struct platform_device *dev) + + /* Now hook interrupt too */ + irq = platform_get_irq(dev, 0); ++ if (irq < 0) ++ return irq; ++ + ret = request_irq(irq, au1200fb_handle_irq, + IRQF_SHARED, "lcd", (void *)dev); + if (ret) { +-- +2.39.2 + 
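Review bot: In the au1200fb patch, the new `if (irq < 0) return irq;` in au1200fb_drv_probe returns directly, while the request_irq() failure just below it enters a braced error path. If that path unwinds setup done earlier in probe, the early return skips it and leaves those resources allocated when the IRQ is missing. The surrounding body is outside the hunk, so this needs checking against the full function. If an unwind label exists, the new check should use it: `ret = irq;` followed by a `goto` to the label the request_irq() failure path uses.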
diff --git a/tmp-6.1/fbdev-imxfb-removed-unneeded-release_mem_region.patch b/tmp-6.1/fbdev-imxfb-removed-unneeded-release_mem_region.patch new file mode 100644 index 00000000000..4ced25e8975 --- /dev/null +++ b/tmp-6.1/fbdev-imxfb-removed-unneeded-release_mem_region.patch @@ -0,0 +1,36 @@ +From 37392063869cec1e0f260e3d3edc86270b958c95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 21:19:58 +0800 +Subject: fbdev: imxfb: Removed unneeded release_mem_region + +From: Yangtao Li + +[ Upstream commit 45fcc058a75bf5d65cf4c32da44a252fbe873cd4 ] + +Remove unnecessary release_mem_region from the error path to prevent +mem region from being released twice, which could avoid resource leak +or other unexpected issues. + +Fixes: b083c22d5114 ("video: fbdev: imxfb: Convert request_mem_region + ioremap to devm_ioremap_resource") +Signed-off-by: Yangtao Li +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/imxfb.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c +index 61731921011d5..36ada87b49a49 100644 +--- a/drivers/video/fbdev/imxfb.c ++++ b/drivers/video/fbdev/imxfb.c +@@ -1043,7 +1043,6 @@ static int imxfb_probe(struct platform_device *pdev) + failed_map: + failed_ioremap: + failed_getclock: +- release_mem_region(res->start, resource_size(res)); + failed_of_parse: + kfree(info->pseudo_palette); + failed_init: +-- +2.39.2 + diff --git a/tmp-6.1/fbdev-imxfb-warn-about-invalid-left-right-margin.patch b/tmp-6.1/fbdev-imxfb-warn-about-invalid-left-right-margin.patch new file mode 100644 index 00000000000..5efab428be1 --- /dev/null +++ b/tmp-6.1/fbdev-imxfb-warn-about-invalid-left-right-margin.patch 
@@ -0,0 +1,43 @@ +From c6e2909b7334117823ea14b1738ea3584813e756 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jun 2023 15:24:37 +0200 +Subject: fbdev: imxfb: warn about invalid left/right margin + +From: Martin Kaiser + +[ Upstream commit 4e47382fbca916d7db95cbf9e2d7ca2e9d1ca3fe ] + +Warn about invalid var->left_margin or var->right_margin. Their values +are read from the device tree. + +We store var->left_margin-3 and var->right_margin-1 in register +fields. These fields should be >= 0. + +Fixes: 7e8549bcee00 ("imxfb: Fix margin settings") +Signed-off-by: Martin Kaiser +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/imxfb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c +index 51fde1b2a7938..61731921011d5 100644 +--- a/drivers/video/fbdev/imxfb.c ++++ b/drivers/video/fbdev/imxfb.c +@@ -613,10 +613,10 @@ static int imxfb_activate_var(struct fb_var_screeninfo *var, struct fb_info *inf + if (var->hsync_len < 1 || var->hsync_len > 64) + printk(KERN_ERR "%s: invalid hsync_len %d\n", + info->fix.id, var->hsync_len); +- if (var->left_margin > 255) ++ if (var->left_margin < 3 || var->left_margin > 255) + printk(KERN_ERR "%s: invalid left_margin %d\n", + info->fix.id, var->left_margin); +- if (var->right_margin > 255) ++ if (var->right_margin < 1 || var->right_margin > 255) + printk(KERN_ERR "%s: invalid right_margin %d\n", + info->fix.id, var->right_margin); + if (var->yres < 1 || var->yres > ymax_mask) +-- +2.39.2 + diff --git a/tmp-6.1/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch b/tmp-6.1/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch new file mode 100644 index 00000000000..15831506415 --- /dev/null +++ b/tmp-6.1/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch 
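Review bot: The tightened checks `var->left_margin < 3` and `var->right_margin < 1` in imxfb_activate_var only log through printk(KERN_ERR ...) and do not stop the function. Per the description the driver still stores left_margin-3 and right_margin-1 in register fields, and for the unsigned margin fields of struct fb_var_screeninfo a value below the minimum wraps on that subtraction rather than going negative. If the remainder of the function (outside this hunk) does not reject the mode, returning -EINVAL after the message would keep out-of-range values away from the hardware, though that changes behaviour for the neighbouring log-only checks too. At minimum a comment such as `/* register field holds left_margin - 3 */` beside each bound would explain the constants.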
@@ -0,0 +1,36 @@ +From ffb509c36e5b36da98c9fb1f8f539f0cbf606665 Mon Sep 17 00:00:00 2001 +From: Immad Mir +Date: Fri, 23 Jun 2023 19:17:08 +0530 +Subject: [PATCH AUTOSEL 4.19 11/11] FS: JFS: Check for read-only mounted + filesystem in txBegin +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 4.19.288 + +[ Upstream commit 95e2b352c03b0a86c5717ba1d24ea20969abcacc ] + + This patch adds a check for read-only mounted filesystem + in txBegin before starting a transaction potentially saving + from NULL pointer deref. + +Signed-off-by: Immad Mir +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_txnmgr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/jfs/jfs_txnmgr.c ++++ b/fs/jfs/jfs_txnmgr.c +@@ -354,6 +354,11 @@ tid_t txBegin(struct super_block *sb, in + jfs_info("txBegin: flag = 0x%x", flag); + log = JFS_SBI(sb)->log; + ++ if (!log) { ++ jfs_error(sb, "read-only filesystem\n"); ++ return 0; ++ } ++ + TXN_LOCK(); + + INCREMENT(TxStat.txBegin); diff --git a/tmp-6.1/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch b/tmp-6.1/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch new file mode 100644 index 00000000000..e3aeaa1be9e --- /dev/null +++ b/tmp-6.1/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch 
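Review bot: The new early exit `return 0;` in txBegin turns tid 0 into a failure sentinel, but nothing in the hunk documents that, and a caller that passes the result straight on would continue with an invalid transaction id. The jfs_link patch below guards one caller with isReadOnly() before calling txBegin. The remaining callers are not visible here and should each be checked for the same guard or a test of the returned tid. A comment on the branch would record the contract, assuming 0 is never handed out as a live tid: `/* No log means a read-only mount; callers must treat tid 0 as failure. */`.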
@@ -0,0 +1,41 @@ +From ced92b3b30ff868a14d5763842e5299bdad70edb Mon Sep 17 00:00:00 2001 +From: Immad Mir +Date: Fri, 23 Jun 2023 19:14:01 +0530 +Subject: [PATCH AUTOSEL 4.19 10/11] FS: JFS: Fix null-ptr-deref Read in + txBegin +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 4.19.288 + +[ Upstream commit 47cfdc338d674d38f4b2f22b7612cc6a2763ba27 ] + + Syzkaller reported an issue where txBegin may be called + on a superblock in a read-only mounted filesystem which leads + to NULL pointer deref. This could be solved by checking if + the filesystem is read-only before calling txBegin, and returning + with appropiate error code. + +Reported-By: syzbot+f1faa20eec55e0c8644c@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=be7e52c50c5182cc09a09ea6fc456446b2039de3 + +Signed-off-by: Immad Mir +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/namei.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/jfs/namei.c ++++ b/fs/jfs/namei.c +@@ -799,6 +799,11 @@ static int jfs_link(struct dentry *old_d + if (rc) + goto out; + ++ if (isReadOnly(ip)) { ++ jfs_error(ip->i_sb, "read-only filesystem\n"); ++ return -EROFS; ++ } ++ + tid = txBegin(ip->i_sb, 0); + + mutex_lock_nested(&JFS_IP(dir)->commit_mutex, COMMIT_MUTEX_PARENT); diff --git a/tmp-6.1/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch b/tmp-6.1/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch new file mode 100644 index 00000000000..bc29fa87225 --- /dev/null +++ b/tmp-6.1/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch 
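Review bot: The added read-only check in jfs_link leaves with `return -EROFS;` although the statement directly above it exits through `goto out;`, so whatever the out label does (not visible in this hunk) is skipped on this path only. Using the function's existing exit keeps the error paths uniform: `rc = -EROFS;` followed by `goto out;`. It is also worth confirming what jfs_error() does beyond logging, because a link attempt on a read-only mount is an expected condition rather than filesystem damage.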
@@ -0,0 +1,83 @@ +From 35a29fcb694a5f3ee27d66f57f19795b367fd883 Mon Sep 17 00:00:00 2001 +From: Yogesh +Date: Thu, 22 Jun 2023 00:07:03 +0530 +Subject: [PATCH AUTOSEL 4.19 08/11] fs: jfs: Fix UBSAN: + array-index-out-of-bounds in dbAllocDmapLev +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 4.19.288 + +[ Upstream commit 4e302336d5ca1767a06beee7596a72d3bdc8d983 ] + +Syzkaller reported the following issue: + +UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6 +index -84 is out of range for type 's8[341]' (aka 'signed char[341]') +CPU: 1 PID: 4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:217 [inline] + __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 + dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965 + dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809 + dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350 + dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874 + dtSplitUp fs/jfs/jfs_dtree.c:974 [inline] + dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863 + jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137 + lookup_open fs/namei.c:3492 [inline] + open_last_lookups fs/namei.c:3560 [inline] + path_openat+0x13df/0x3170 fs/namei.c:3788 + do_filp_open+0x234/0x490 fs/namei.c:3818 + do_sys_openat2+0x13f/0x500 fs/open.c:1356 + do_sys_open fs/open.c:1372 [inline] + __do_sys_openat fs/open.c:1388 [inline] + __se_sys_openat fs/open.c:1383 [inline] + __x64_sys_openat+0x247/0x290 fs/open.c:1383 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f1f4e33f7e9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 
01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffc21129578 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9 +RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c +RBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +The bug occurs when the dbAllocDmapLev()function attempts to access +dp->tree.stree[leafidx + LEAFIND] while the leafidx value is negative. + +To rectify this, the patch introduces a safeguard within the +dbAllocDmapLev() function. A check has been added to verify if leafidx is +negative. If it is, the function immediately returns an I/O error, preventing +any further execution that could potentially cause harm. + +Tested via syzbot. + +Reported-by: syzbot+853a6f4dfa3cf37d3aea@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=ae2f5a27a07ae44b0f17 +Signed-off-by: Yogesh +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -1959,6 +1959,9 @@ dbAllocDmapLev(struct bmap * bmp, + if (dbFindLeaf((dmtree_t *) & dp->tree, l2nb, &leafidx)) + return -ENOSPC; + ++ if (leafidx < 0) ++ return -EIO; ++ + /* determine the block number within the file system corresponding + * to the leaf at which free space was found. + */ diff --git a/tmp-6.1/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch b/tmp-6.1/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch new file mode 100644 index 00000000000..a4291d7d271 --- /dev/null +++ b/tmp-6.1/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch 
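Review bot: `if (leafidx < 0) return -EIO;` in dbAllocDmapLev rejects only the negative index from the report. The access it protects is dp->tree.stree[leafidx + LEAFIND], and the UBSAN output gives that array as s8[341], so an oversized leafidx from a damaged on-disk tree would still index past the end. If dbFindLeaf does not guarantee an upper bound (its body is not on this page), the check can cover both ends: `if (leafidx < 0 || leafidx + LEAFIND >= ARRAY_SIZE(dp->tree.stree)) return -EIO;`. The branch is also silent, so a log line naming the bad leaf index would make the corruption diagnosable from the kernel log.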
@@ -0,0 +1,45 @@
+From 3066ff93476c35679cb07a97cce37d9bb07632ff Mon Sep 17 00:00:00 2001
+From: Bernd Schubert
+Date: Fri, 15 Apr 2022 13:53:56 +0200
+Subject: fuse: Apply flags2 only when userspace set the FUSE_INIT_EXT
+
+From: Bernd Schubert
+
+commit 3066ff93476c35679cb07a97cce37d9bb07632ff upstream.
+
+This is just a safety precaution to avoid checking flags on memory that was
+initialized on the user space side. libfuse zeroes struct fuse_init_out
+outarg, but this is not guranteed to be done in all implementations.
+Better is to act on flags and to only apply flags2 when FUSE_INIT_EXT is
+set.
+
+There is a risk with this change, though - it might break existing user
+space libraries, which are already using flags2 without setting
+FUSE_INIT_EXT.
+
+The corresponding libfuse patch is here
+https://github.com/libfuse/libfuse/pull/662
+
+Signed-off-by: Bernd Schubert
+Fixes: 53db28933e95 ("fuse: extend init flags")
+Cc: # v5.17
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/inode.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -1127,7 +1127,10 @@ static void process_init_reply(struct fu
+ process_init_limits(fc, arg);
+
+ if (arg->minor >= 6) {
+- u64 flags = arg->flags | (u64) arg->flags2 << 32;
++ u64 flags = arg->flags;
++
++ if (flags & FUSE_INIT_EXT)
++ flags |= (u64) arg->flags2 << 32;
+
+ ra_pages = arg->max_readahead / PAGE_SIZE;
+ if (flags & FUSE_ASYNC_READ)
diff --git a/tmp-6.1/fuse-ioctl-translate-enosys-in-outarg.patch b/tmp-6.1/fuse-ioctl-translate-enosys-in-outarg.patch
new file mode 100644
index 00000000000..ffa3f307976
--- /dev/null
+++ b/tmp-6.1/fuse-ioctl-translate-enosys-in-outarg.patch
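Review bot: The new gate on `FUSE_INIT_EXT` in process_init_reply carries no comment, and the reason flags2 must not be read unconditionally is stated only in the commit message: the reply is filled in by the userspace server and is not guaranteed to be zeroed. A short comment above the new `if` would keep the check from being simplified away, e.g. `/* flags2 is valid only if the server set FUSE_INIT_EXT; otherwise it may hold stale data */`. The compatibility caveat from the description, that servers already using flags2 without FUSE_INIT_EXT lose those bits, is worth a line in the same comment. process_init_reply's body extends beyond the hunk.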
@@ -0,0 +1,88 @@ +From 6a567e920fd0451bf29abc418df96c3365925770 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 7 Jun 2023 17:49:21 +0200 +Subject: fuse: ioctl: translate ENOSYS in outarg + +From: Miklos Szeredi + +commit 6a567e920fd0451bf29abc418df96c3365925770 upstream. + +Fuse shouldn't return ENOSYS from its ioctl implementation. If userspace +responds with ENOSYS it should be translated to ENOTTY. + +There are two ways to return an error from the IOCTL request: + + - fuse_out_header.error + - fuse_ioctl_out.result + +Commit 02c0cab8e734 ("fuse: ioctl: translate ENOSYS") already fixed this +issue for the first case, but missed the second case. This patch fixes the +second case. + +Reported-by: Jonathan Katz +Closes: https://lore.kernel.org/all/CALKgVmcC1VUV_gJVq70n--omMJZUb4HSh_FqvLTHgNBc+HCLFQ@mail.gmail.com/ +Fixes: 02c0cab8e734 ("fuse: ioctl: translate ENOSYS") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/ioctl.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/fs/fuse/ioctl.c ++++ b/fs/fuse/ioctl.c +@@ -9,14 +9,23 @@ + #include + #include + +-static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args) ++static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args, ++ struct fuse_ioctl_out *outarg) + { +- ssize_t ret = fuse_simple_request(fm, args); ++ ssize_t ret; ++ ++ args->out_args[0].size = sizeof(*outarg); ++ args->out_args[0].value = outarg; ++ ++ ret = fuse_simple_request(fm, args); + + /* Translate ENOSYS, which shouldn't be returned from fs */ + if (ret == -ENOSYS) + ret = -ENOTTY; + ++ if (ret >= 0 && outarg->result == -ENOSYS) ++ outarg->result = -ENOTTY; ++ + return ret; + } + +@@ -264,13 +273,11 @@ long fuse_do_ioctl(struct file *file, un + } + + ap.args.out_numargs = 2; +- ap.args.out_args[0].size = sizeof(outarg); +- ap.args.out_args[0].value = &outarg; + ap.args.out_args[1].size = out_size; + ap.args.out_pages = true; + 
ap.args.out_argvar = true; + +- transferred = fuse_send_ioctl(fm, &ap.args); ++ transferred = fuse_send_ioctl(fm, &ap.args, &outarg); + err = transferred; + if (transferred < 0) + goto out; +@@ -399,12 +406,10 @@ static int fuse_priv_ioctl(struct inode + args.in_args[1].size = inarg.in_size; + args.in_args[1].value = ptr; + args.out_numargs = 2; +- args.out_args[0].size = sizeof(outarg); +- args.out_args[0].value = &outarg; + args.out_args[1].size = inarg.out_size; + args.out_args[1].value = ptr; + +- err = fuse_send_ioctl(fm, &args); ++ err = fuse_send_ioctl(fm, &args, &outarg); + if (!err) { + if (outarg.result < 0) + err = outarg.result; diff --git a/tmp-6.1/fuse-revalidate-don-t-invalidate-if-interrupted.patch b/tmp-6.1/fuse-revalidate-don-t-invalidate-if-interrupted.patch new file mode 100644 index 00000000000..46e5be8f3be --- /dev/null +++ b/tmp-6.1/fuse-revalidate-don-t-invalidate-if-interrupted.patch 
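Review bot: fuse_send_ioctl() now fills `args->out_args[0]` itself but still depends on each caller to set `out_numargs` and `out_args[1]`, and nothing at the helper records that split. A short comment on the helper would do, e.g. `/* Fills out_args[0] with @outarg; caller sets out_numargs and the remaining out_args */`. Separately, `outarg->result` is supplied by the userspace server and only -ENOSYS is normalised here; fuse_priv_ioctl() still copies any negative result into `err`, and whether other values are range-checked elsewhere is not visible in this patch. Both fuse_do_ioctl() and fuse_priv_ioctl() extend beyond the hunks shown.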
@@ -0,0 +1,34 @@
+From a9d1c4c6df0e568207907c04aed9e7beb1294c42 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Wed, 7 Jun 2023 17:49:20 +0200
+Subject: fuse: revalidate: don't invalidate if interrupted
+
+From: Miklos Szeredi
+
+commit a9d1c4c6df0e568207907c04aed9e7beb1294c42 upstream.
+
+If the LOOKUP request triggered from fuse_dentry_revalidate() is
+interrupted, then the dentry will be invalidated, possibly resulting in
+submounts being unmounted.
+
+Reported-by: Xu Rongbo
+Closes: https://lore.kernel.org/all/CAJfpegswN_CJJ6C3RZiaK6rpFmNyWmXfaEpnQUJ42KCwNF5tWw@mail.gmail.com/
+Fixes: 9e6268db496a ("[PATCH] FUSE - read-write operations")
+Cc:
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -258,7 +258,7 @@ static int fuse_dentry_revalidate(struct
+ spin_unlock(&fi->lock);
+ }
+ kfree(forget);
+- if (ret == -ENOMEM)
++ if (ret == -ENOMEM || ret == -EINTR)
+ goto out;
+ if (ret || fuse_invalid_attr(&outarg.attr) ||
+ fuse_stale_inode(inode, outarg.generation, &outarg.attr))
diff --git a/tmp-6.1/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch b/tmp-6.1/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch
new file mode 100644
index 00000000000..ca1753e2552
--- /dev/null
+++ b/tmp-6.1/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch
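Review bot: The widened test `if (ret == -ENOMEM || ret == -EINTR)` in fuse_dentry_revalidate() needs a comment stating the rule it encodes: these errors mean the LOOKUP produced no answer, so the dentry must not be invalidated. Suggested: `/* no verdict from the server (allocation failure or interrupted request): keep the dentry */`. Without it the list looks arbitrary, and this hunk does not show whether other errors that also carry no verdict should be treated the same way; that is worth confirming, since per the commit message a wrong invalidation can unmount submounts. The function starts and ends outside the hunk.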
@@ -0,0 +1,49 @@ +From dc3ca84683c4bb50761998adaf575f383748ba73 Mon Sep 17 00:00:00 2001 +From: Marco Morandini +Date: Tue, 30 May 2023 15:40:08 +0200 +Subject: [PATCH AUTOSEL 4.19 05/11] HID: add quirk for 03f0:464a HP Elite + Presenter Mouse +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 4.19.288 + +[ Upstream commit 0db117359e47750d8bd310d19f13e1c4ef7fc26a ] + +HP Elite Presenter Mouse HID Record Descriptor shows +two mouses (Repord ID 0x1 and 0x2), one keypad (Report ID 0x5), +two Consumer Controls (Report IDs 0x6 and 0x3). +Previous to this commit it registers one mouse, one keypad +and one Consumer Control, and it was usable only as a +digitl laser pointer (one of the two mouses). This patch defines +the 464a USB device ID and enables the HID_QUIRK_MULTI_INPUT +quirk for it, allowing to use the device both as a mouse +and a digital laser pointer. + +Signed-off-by: Marco Morandini +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -614,6 +614,7 @@ + #define USB_DEVICE_ID_UGCI_FIGHTING 0x0030 + + #define USB_VENDOR_ID_HP 0x03f0 ++#define USB_PRODUCT_ID_HP_ELITE_PRESENTER_MOUSE_464A 0x464a + #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A 0x0a4a + #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A 0x0b4a + #define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE 0x134a +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -96,6 +96,7 @@ static const struct hid_device_id hid_qu + { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_KEYBOARD_A096), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_KEYBOARD_A293), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A), HID_QUIRK_ALWAYS_POLL }, ++ { 
HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_ELITE_PRESENTER_MOUSE_464A), HID_QUIRK_MULTI_INPUT }, + { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_094A), HID_QUIRK_ALWAYS_POLL }, diff --git a/tmp-6.1/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch b/tmp-6.1/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch new file mode 100644 index 00000000000..85904bae1b5 --- /dev/null +++ b/tmp-6.1/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch 
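Review bot: The new hid_quirks entry matches with `HID_BLUETOOTH_DEVICE(...)` while the commit message and the added constant `USB_PRODUCT_ID_HP_ELITE_PRESENTER_MOUSE_464A` describe a USB device ID; a one-line comment on the entry would remove the doubt, e.g. `/* 464a: matched on the Bluetooth bus */`. If the presenter can also enumerate over USB, the quirk as written would presumably not match there (inferred from the macro name, not confirmed from this hunk). This patch file sits under tmp-6.1/ but carries `[PATCH AUTOSEL 4.19 05/11]` and `X-stable-base: Linux 4.19.288` headers, so check that it is the intended backport for the 6.1 queue and that the hunk context applies there without fuzz.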
@@ -0,0 +1,342 @@ +From d67f7140ec52c786fa3e1e17d5a41330d5965e52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 10:52:25 -0400 +Subject: iavf: fix a deadlock caused by rtnl and driver's lock circular + dependencies + +From: Ahmed Zaki + +[ Upstream commit d1639a17319ba78a018280cd2df6577a7e5d9fab ] + +A driver's lock (crit_lock) is used to serialize all the driver's tasks. +Lockdep, however, shows a circular dependency between rtnl and +crit_lock. This happens when an ndo that already holds the rtnl requests +the driver to reset, since the reset task (in some paths) tries to grab +rtnl to either change real number of queues of update netdev features. + + [566.241851] ====================================================== + [566.241893] WARNING: possible circular locking dependency detected + [566.241936] 6.2.14-100.fc36.x86_64+debug #1 Tainted: G OE + [566.241984] ------------------------------------------------------ + [566.242025] repro.sh/2604 is trying to acquire lock: + [566.242061] ffff9280fc5ceee8 (&adapter->crit_lock){+.+.}-{3:3}, at: iavf_close+0x3c/0x240 [iavf] + [566.242167] + but task is already holding lock: + [566.242209] ffffffff9976d350 (rtnl_mutex){+.+.}-{3:3}, at: iavf_remove+0x6b5/0x730 [iavf] + [566.242300] + which lock already depends on the new lock. 
+ + [566.242353] + the existing dependency chain (in reverse order) is: + [566.242401] + -> #1 (rtnl_mutex){+.+.}-{3:3}: + [566.242451] __mutex_lock+0xc1/0xbb0 + [566.242489] iavf_init_interrupt_scheme+0x179/0x440 [iavf] + [566.242560] iavf_watchdog_task+0x80b/0x1400 [iavf] + [566.242627] process_one_work+0x2b3/0x560 + [566.242663] worker_thread+0x4f/0x3a0 + [566.242696] kthread+0xf2/0x120 + [566.242730] ret_from_fork+0x29/0x50 + [566.242763] + -> #0 (&adapter->crit_lock){+.+.}-{3:3}: + [566.242815] __lock_acquire+0x15ff/0x22b0 + [566.242869] lock_acquire+0xd2/0x2c0 + [566.242901] __mutex_lock+0xc1/0xbb0 + [566.242934] iavf_close+0x3c/0x240 [iavf] + [566.242997] __dev_close_many+0xac/0x120 + [566.243036] dev_close_many+0x8b/0x140 + [566.243071] unregister_netdevice_many_notify+0x165/0x7c0 + [566.243116] unregister_netdevice_queue+0xd3/0x110 + [566.243157] iavf_remove+0x6c1/0x730 [iavf] + [566.243217] pci_device_remove+0x33/0xa0 + [566.243257] device_release_driver_internal+0x1bc/0x240 + [566.243299] pci_stop_bus_device+0x6c/0x90 + [566.243338] pci_stop_and_remove_bus_device+0xe/0x20 + [566.243380] pci_iov_remove_virtfn+0xd1/0x130 + [566.243417] sriov_disable+0x34/0xe0 + [566.243448] ice_free_vfs+0x2da/0x330 [ice] + [566.244383] ice_sriov_configure+0x88/0xad0 [ice] + [566.245353] sriov_numvfs_store+0xde/0x1d0 + [566.246156] kernfs_fop_write_iter+0x15e/0x210 + [566.246921] vfs_write+0x288/0x530 + [566.247671] ksys_write+0x74/0xf0 + [566.248408] do_syscall_64+0x58/0x80 + [566.249145] entry_SYSCALL_64_after_hwframe+0x72/0xdc + [566.249886] + other info that might help us debug this: + + [566.252014] Possible unsafe locking scenario: + + [566.253432] CPU0 CPU1 + [566.254118] ---- ---- + [566.254800] lock(rtnl_mutex); + [566.255514] lock(&adapter->crit_lock); + [566.256233] lock(rtnl_mutex); + [566.256897] lock(&adapter->crit_lock); + [566.257388] + *** DEADLOCK *** + +The deadlock can be triggered by a script that is continuously resetting +the VF adapter while doing 
other operations requiring RTNL, e.g: + + while :; do + ip link set $VF up + ethtool --set-channels $VF combined 2 + ip link set $VF down + ip link set $VF up + ethtool --set-channels $VF combined 4 + ip link set $VF down + done + +Any operation that triggers a reset can substitute "ethtool --set-channles" + +As a fix, add a new task "finish_config" that do all the work which +needs rtnl lock. With the exception of iavf_remove(), all work that +require rtnl should be called from this task. + +As for iavf_remove(), at the point where we need to call +unregister_netdevice() (and grab rtnl_lock), we make sure the finish_config +task is not running (cancel_work_sync()) to safely grab rtnl. Subsequent +finish_config work cannot restart after that since the task is guarded +by the __IAVF_IN_REMOVE_TASK bit in iavf_schedule_finish_config(). + +Fixes: 5ac49f3c2702 ("iavf: use mutexes for locking of critical sections") +Signed-off-by: Ahmed Zaki +Signed-off-by: Mateusz Palczewski +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 2 + + drivers/net/ethernet/intel/iavf/iavf_main.c | 114 +++++++++++++----- + .../net/ethernet/intel/iavf/iavf_virtchnl.c | 1 + + 3 files changed, 85 insertions(+), 32 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index 2fe44e865d0a2..305675042fe55 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -255,6 +255,7 @@ struct iavf_adapter { + struct workqueue_struct *wq; + struct work_struct reset_task; + struct work_struct adminq_task; ++ struct work_struct finish_config; + struct delayed_work client_task; + wait_queue_head_t down_waitqueue; + wait_queue_head_t reset_waitqueue; +@@ -521,6 +522,7 @@ int iavf_process_config(struct iavf_adapter *adapter); + int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter); + void iavf_schedule_reset(struct 
iavf_adapter *adapter); + void iavf_schedule_request_stats(struct iavf_adapter *adapter); ++void iavf_schedule_finish_config(struct iavf_adapter *adapter); + void iavf_reset(struct iavf_adapter *adapter); + void iavf_set_ethtool_ops(struct net_device *netdev); + void iavf_update_stats(struct iavf_adapter *adapter); +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index c2739071149de..0e201d690f0dd 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1702,10 +1702,10 @@ static int iavf_set_interrupt_capability(struct iavf_adapter *adapter) + adapter->msix_entries[vector].entry = vector; + + err = iavf_acquire_msix_vectors(adapter, v_budget); ++ if (!err) ++ iavf_schedule_finish_config(adapter); + + out: +- netif_set_real_num_rx_queues(adapter->netdev, pairs); +- netif_set_real_num_tx_queues(adapter->netdev, pairs); + return err; + } + +@@ -1925,9 +1925,7 @@ static int iavf_init_interrupt_scheme(struct iavf_adapter *adapter) + goto err_alloc_queues; + } + +- rtnl_lock(); + err = iavf_set_interrupt_capability(adapter); +- rtnl_unlock(); + if (err) { + dev_err(&adapter->pdev->dev, + "Unable to setup interrupt capabilities\n"); +@@ -2013,6 +2011,78 @@ static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter, bool runni + return err; + } + ++/** ++ * iavf_finish_config - do all netdev work that needs RTNL ++ * @work: our work_struct ++ * ++ * Do work that needs both RTNL and crit_lock. 
++ **/ ++static void iavf_finish_config(struct work_struct *work) ++{ ++ struct iavf_adapter *adapter; ++ int pairs, err; ++ ++ adapter = container_of(work, struct iavf_adapter, finish_config); ++ ++ /* Always take RTNL first to prevent circular lock dependency */ ++ rtnl_lock(); ++ mutex_lock(&adapter->crit_lock); ++ ++ if ((adapter->flags & IAVF_FLAG_SETUP_NETDEV_FEATURES) && ++ adapter->netdev_registered && ++ !test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section)) { ++ netdev_update_features(adapter->netdev); ++ adapter->flags &= ~IAVF_FLAG_SETUP_NETDEV_FEATURES; ++ } ++ ++ switch (adapter->state) { ++ case __IAVF_DOWN: ++ if (!adapter->netdev_registered) { ++ err = register_netdevice(adapter->netdev); ++ if (err) { ++ dev_err(&adapter->pdev->dev, "Unable to register netdev (%d)\n", ++ err); ++ ++ /* go back and try again.*/ ++ iavf_free_rss(adapter); ++ iavf_free_misc_irq(adapter); ++ iavf_reset_interrupt_capability(adapter); ++ iavf_change_state(adapter, ++ __IAVF_INIT_CONFIG_ADAPTER); ++ goto out; ++ } ++ adapter->netdev_registered = true; ++ } ++ ++ /* Set the real number of queues when reset occurs while ++ * state == __IAVF_DOWN ++ */ ++ fallthrough; ++ case __IAVF_RUNNING: ++ pairs = adapter->num_active_queues; ++ netif_set_real_num_rx_queues(adapter->netdev, pairs); ++ netif_set_real_num_tx_queues(adapter->netdev, pairs); ++ break; ++ ++ default: ++ break; ++ } ++ ++out: ++ mutex_unlock(&adapter->crit_lock); ++ rtnl_unlock(); ++} ++ ++/** ++ * iavf_schedule_finish_config - Set the flags and schedule a reset event ++ * @adapter: board private structure ++ **/ ++void iavf_schedule_finish_config(struct iavf_adapter *adapter) ++{ ++ if (!test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section)) ++ queue_work(adapter->wq, &adapter->finish_config); ++} ++ + /** + * iavf_process_aq_command - process aq_required flags + * and sends aq command +@@ -2650,22 +2720,8 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) + + 
netif_carrier_off(netdev); + adapter->link_up = false; +- +- /* set the semaphore to prevent any callbacks after device registration +- * up to time when state of driver will be set to __IAVF_DOWN +- */ +- rtnl_lock(); +- if (!adapter->netdev_registered) { +- err = register_netdevice(netdev); +- if (err) { +- rtnl_unlock(); +- goto err_register; +- } +- } +- +- adapter->netdev_registered = true; +- + netif_tx_stop_all_queues(netdev); ++ + if (CLIENT_ALLOWED(adapter)) { + err = iavf_lan_add_device(adapter); + if (err) +@@ -2678,7 +2734,6 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) + + iavf_change_state(adapter, __IAVF_DOWN); + set_bit(__IAVF_VSI_DOWN, adapter->vsi.state); +- rtnl_unlock(); + + iavf_misc_irq_enable(adapter); + wake_up(&adapter->down_waitqueue); +@@ -2698,10 +2753,11 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) + /* request initial VLAN offload settings */ + iavf_set_vlan_offload_features(adapter, 0, netdev->features); + ++ iavf_schedule_finish_config(adapter); + return; ++ + err_mem: + iavf_free_rss(adapter); +-err_register: + iavf_free_misc_irq(adapter); + err_sw_init: + iavf_reset_interrupt_capability(adapter); +@@ -2728,15 +2784,6 @@ static void iavf_watchdog_task(struct work_struct *work) + goto restart_watchdog; + } + +- if ((adapter->flags & IAVF_FLAG_SETUP_NETDEV_FEATURES) && +- adapter->netdev_registered && +- !test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section) && +- rtnl_trylock()) { +- netdev_update_features(adapter->netdev); +- rtnl_unlock(); +- adapter->flags &= ~IAVF_FLAG_SETUP_NETDEV_FEATURES; +- } +- + if (adapter->flags & IAVF_FLAG_PF_COMMS_FAILED) + iavf_change_state(adapter, __IAVF_COMM_FAILED); + +@@ -4980,6 +5027,7 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + INIT_WORK(&adapter->reset_task, iavf_reset_task); + INIT_WORK(&adapter->adminq_task, iavf_adminq_task); ++ INIT_WORK(&adapter->finish_config, iavf_finish_config); + 
INIT_DELAYED_WORK(&adapter->watchdog_task, iavf_watchdog_task); + INIT_DELAYED_WORK(&adapter->client_task, iavf_client_task); + queue_delayed_work(adapter->wq, &adapter->watchdog_task, +@@ -5123,13 +5171,15 @@ static void iavf_remove(struct pci_dev *pdev) + usleep_range(500, 1000); + } + cancel_delayed_work_sync(&adapter->watchdog_task); ++ cancel_work_sync(&adapter->finish_config); + ++ rtnl_lock(); + if (adapter->netdev_registered) { +- rtnl_lock(); + unregister_netdevice(netdev); + adapter->netdev_registered = false; +- rtnl_unlock(); + } ++ rtnl_unlock(); ++ + if (CLIENT_ALLOWED(adapter)) { + err = iavf_lan_del_device(adapter); + if (err) +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index eec7ac3b7f6ee..35419673b6987 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -2237,6 +2237,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + + iavf_process_config(adapter); + adapter->flags |= IAVF_FLAG_SETUP_NETDEV_FEATURES; ++ iavf_schedule_finish_config(adapter); + + iavf_set_queue_vlan_tag_loc(adapter); + +-- +2.39.2 + diff --git a/tmp-6.1/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch b/tmp-6.1/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch new file mode 100644 index 00000000000..ce0bd2c31df --- /dev/null +++ b/tmp-6.1/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch 
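Review bot: The kernel-doc on the new iavf_schedule_finish_config() reads `Set the flags and schedule a reset event`, which looks copied from iavf_schedule_reset(); the function sets no flags and queues `finish_config`, not the reset task. I would reword it to `iavf_schedule_finish_config - queue the finish_config work unless the adapter is being removed`. In iavf_finish_config() the register_netdevice() failure path also needs a comment saying what re-triggers initialisation after the state goes back to `__IAVF_INIT_CONFIG_ADAPTER`, since nothing in this hunk reschedules it (presumably the watchdog task, not confirmed from here). The `__IAVF_IN_REMOVE_TASK` test there guards only netdev_update_features(), so registration during removal relies entirely on the cancel_work_sync() added to iavf_remove().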
@@ -0,0 +1,160 @@ +From cc55115bcb0aa7ee5bb38c780a6de7795ff2f2b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 19:11:48 +0800 +Subject: iavf: Fix out-of-bounds when setting channels on remove + +From: Ding Hui + +[ Upstream commit 7c4bced3caa749ce468b0c5de711c98476b23a52 ] + +If we set channels greater during iavf_remove(), and waiting reset done +would be timeout, then returned with error but changed num_active_queues +directly, that will lead to OOB like the following logs. Because the +num_active_queues is greater than tx/rx_rings[] allocated actually. + +Reproducer: + + [root@host ~]# cat repro.sh + #!/bin/bash + + pf_dbsf="0000:41:00.0" + vf0_dbsf="0000:41:02.0" + g_pids=() + + function do_set_numvf() + { + echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + } + + function do_set_channel() + { + local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) + [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } + ifconfig $nic 192.168.18.5 netmask 255.255.255.0 + ifconfig $nic up + ethtool -L $nic combined 1 + ethtool -L $nic combined 4 + sleep $((RANDOM%3)) + } + + function on_exit() + { + local pid + for pid in "${g_pids[@]}"; do + kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null + done + g_pids=() + } + + trap "on_exit; exit" EXIT + + while :; do do_set_numvf ; done & + g_pids+=($!) + while :; do do_set_channel ; done & + g_pids+=($!) 
+ + wait + +Result: + +[ 3506.152887] iavf 0000:41:02.0: Removing device +[ 3510.400799] ================================================================== +[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536 +[ 3510.400823] +[ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 +[ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 +[ 3510.400835] Call Trace: +[ 3510.400851] dump_stack+0x71/0xab +[ 3510.400860] print_address_description+0x6b/0x290 +[ 3510.400865] ? iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400868] kasan_report+0x14a/0x2b0 +[ 3510.400873] iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400880] iavf_remove+0x2b6/0xc70 [iavf] +[ 3510.400884] ? iavf_free_all_rx_resources+0x160/0x160 [iavf] +[ 3510.400891] ? wait_woken+0x1d0/0x1d0 +[ 3510.400895] ? notifier_call_chain+0xc1/0x130 +[ 3510.400903] pci_device_remove+0xa8/0x1f0 +[ 3510.400910] device_release_driver_internal+0x1c6/0x460 +[ 3510.400916] pci_stop_bus_device+0x101/0x150 +[ 3510.400919] pci_stop_and_remove_bus_device+0xe/0x20 +[ 3510.400924] pci_iov_remove_virtfn+0x187/0x420 +[ 3510.400927] ? pci_iov_add_virtfn+0xe10/0xe10 +[ 3510.400929] ? pci_get_subsys+0x90/0x90 +[ 3510.400932] sriov_disable+0xed/0x3e0 +[ 3510.400936] ? bus_find_device+0x12d/0x1a0 +[ 3510.400953] i40e_free_vfs+0x754/0x1210 [i40e] +[ 3510.400966] ? i40e_reset_all_vfs+0x880/0x880 [i40e] +[ 3510.400968] ? pci_get_device+0x7c/0x90 +[ 3510.400970] ? pci_get_subsys+0x90/0x90 +[ 3510.400982] ? pci_vfs_assigned.part.7+0x144/0x210 +[ 3510.400987] ? __mutex_lock_slowpath+0x10/0x10 +[ 3510.400996] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 3510.401001] sriov_numvfs_store+0x214/0x290 +[ 3510.401005] ? sriov_totalvfs_show+0x30/0x30 +[ 3510.401007] ? __mutex_lock_slowpath+0x10/0x10 +[ 3510.401011] ? 
__check_object_size+0x15a/0x350 +[ 3510.401018] kernfs_fop_write+0x280/0x3f0 +[ 3510.401022] vfs_write+0x145/0x440 +[ 3510.401025] ksys_write+0xab/0x160 +[ 3510.401028] ? __ia32_sys_read+0xb0/0xb0 +[ 3510.401031] ? fput_many+0x1a/0x120 +[ 3510.401032] ? filp_close+0xf0/0x130 +[ 3510.401038] do_syscall_64+0xa0/0x370 +[ 3510.401041] ? page_fault+0x8/0x30 +[ 3510.401043] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 3510.401073] RIP: 0033:0x7f3a9bb842c0 +[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 +[ 3510.401080] RSP: 002b:00007ffc05f1fe18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 3510.401083] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f3a9bb842c0 +[ 3510.401085] RDX: 0000000000000002 RSI: 0000000002327408 RDI: 0000000000000001 +[ 3510.401086] RBP: 0000000002327408 R08: 00007f3a9be53780 R09: 00007f3a9c8a4700 +[ 3510.401086] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 +[ 3510.401087] R13: 0000000000000001 R14: 00007f3a9be52620 R15: 0000000000000001 +[ 3510.401090] +[ 3510.401093] Allocated by task 76795: +[ 3510.401098] kasan_kmalloc+0xa6/0xd0 +[ 3510.401099] __kmalloc+0xfb/0x200 +[ 3510.401104] iavf_init_interrupt_scheme+0x26f/0x1310 [iavf] +[ 3510.401108] iavf_watchdog_task+0x1d58/0x4050 [iavf] +[ 3510.401114] process_one_work+0x56a/0x11f0 +[ 3510.401115] worker_thread+0x8f/0xf40 +[ 3510.401117] kthread+0x2a0/0x390 +[ 3510.401119] ret_from_fork+0x1f/0x40 +[ 3510.401122] 0xffffffffffffffff +[ 3510.401123] + +In timeout handling, we should keep the original num_active_queues +and reset num_req_queues to 0. 
+ +Fixes: 4e5e6b5d9d13 ("iavf: Fix return of set the new channel count") +Signed-off-by: Ding Hui +Cc: Donglin Peng +Cc: Huang Cun +Reviewed-by: Leon Romanovsky +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index 83cfc54a47062..4746ee517c75a 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -1863,7 +1863,7 @@ static int iavf_set_channels(struct net_device *netdev, + } + if (i == IAVF_RESET_WAIT_COMPLETE_COUNT) { + adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; +- adapter->num_active_queues = num_req; ++ adapter->num_req_queues = 0; + return -EOPNOTSUPP; + } + +-- +2.39.2 + diff --git a/tmp-6.1/iavf-fix-reset-task-race-with-iavf_remove.patch b/tmp-6.1/iavf-fix-reset-task-race-with-iavf_remove.patch new file mode 100644 index 00000000000..0e837151f9f --- /dev/null +++ b/tmp-6.1/iavf-fix-reset-task-race-with-iavf_remove.patch 
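Review bot: The timeout branch in iavf_set_channels() now does `adapter->num_req_queues = 0;` but nothing in the code explains why num_active_queues must be left alone, which is the whole point of the out-of-bounds fix. A comment such as `/* reset did not complete: rings were not reallocated, keep num_active_queues and drop the request */` would stop the old assignment from being reintroduced. The branch still returns -EOPNOTSUPP for what is a timeout; that is pre-existing and user-visible, so it is flagged only as a point of style. The function body continues on both sides of the hunk.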
@@ -0,0 +1,190 @@ +From 045d5f68bcd8b2284e19c86bfd77bc8ae236d467 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 10:52:26 -0400 +Subject: iavf: fix reset task race with iavf_remove() + +From: Ahmed Zaki + +[ Upstream commit c34743daca0eb1dc855831a5210f0800a850088e ] + +The reset task is currently scheduled from the watchdog or adminq tasks. +First, all direct calls to schedule the reset task are replaced with the +iavf_schedule_reset(), which is modified to accept the flag showing the +type of reset. + +To prevent the reset task from starting once iavf_remove() starts, we need +to check the __IAVF_IN_REMOVE_TASK bit before we schedule it. This is now +easily added to iavf_schedule_reset(). + +Finally, remove the check for IAVF_FLAG_RESET_NEEDED in the watchdog task. +It is redundant since all callers who set the flag immediately schedules +the reset task. + +Fixes: 3ccd54ef44eb ("iavf: Fix init state closure on remove") +Fixes: 14756b2ae265 ("iavf: Fix __IAVF_RESETTING state usage") +Signed-off-by: Ahmed Zaki +Signed-off-by: Mateusz Palczewski +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 2 +- + .../net/ethernet/intel/iavf/iavf_ethtool.c | 8 ++--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 32 +++++++------------ + .../net/ethernet/intel/iavf/iavf_virtchnl.c | 3 +- + 4 files changed, 16 insertions(+), 29 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index 305675042fe55..543931c06bb17 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -520,7 +520,7 @@ int iavf_up(struct iavf_adapter *adapter); + void iavf_down(struct iavf_adapter *adapter); + int iavf_process_config(struct iavf_adapter *adapter); + int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter); +-void iavf_schedule_reset(struct iavf_adapter *adapter); ++void 
iavf_schedule_reset(struct iavf_adapter *adapter, u64 flags); + void iavf_schedule_request_stats(struct iavf_adapter *adapter); + void iavf_schedule_finish_config(struct iavf_adapter *adapter); + void iavf_reset(struct iavf_adapter *adapter); +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index 73219c5069290..fd6d6f6263f66 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -532,8 +532,7 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags) + /* issue a reset to force legacy-rx change to take effect */ + if (changed_flags & IAVF_FLAG_LEGACY_RX) { + if (netif_running(netdev)) { +- adapter->flags |= IAVF_FLAG_RESET_NEEDED; +- queue_work(adapter->wq, &adapter->reset_task); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + ret = iavf_wait_for_reset(adapter); + if (ret) + netdev_warn(netdev, "Changing private flags timeout or interrupted waiting for reset"); +@@ -676,8 +675,7 @@ static int iavf_set_ringparam(struct net_device *netdev, + } + + if (netif_running(netdev)) { +- adapter->flags |= IAVF_FLAG_RESET_NEEDED; +- queue_work(adapter->wq, &adapter->reset_task); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + ret = iavf_wait_for_reset(adapter); + if (ret) + netdev_warn(netdev, "Changing ring parameters timeout or interrupted waiting for reset"); +@@ -1860,7 +1858,7 @@ static int iavf_set_channels(struct net_device *netdev, + + adapter->num_req_queues = num_req; + adapter->flags |= IAVF_FLAG_REINIT_ITR_NEEDED; +- iavf_schedule_reset(adapter); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + + ret = iavf_wait_for_reset(adapter); + if (ret) +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 0e201d690f0dd..c1f91c55e1ca7 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ 
-309,12 +309,14 @@ static int iavf_lock_timeout(struct mutex *lock, unsigned int msecs) + /** + * iavf_schedule_reset - Set the flags and schedule a reset event + * @adapter: board private structure ++ * @flags: IAVF_FLAG_RESET_PENDING or IAVF_FLAG_RESET_NEEDED + **/ +-void iavf_schedule_reset(struct iavf_adapter *adapter) ++void iavf_schedule_reset(struct iavf_adapter *adapter, u64 flags) + { +- if (!(adapter->flags & +- (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED))) { +- adapter->flags |= IAVF_FLAG_RESET_NEEDED; ++ if (!test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section) && ++ !(adapter->flags & ++ (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED))) { ++ adapter->flags |= flags; + queue_work(adapter->wq, &adapter->reset_task); + } + } +@@ -342,7 +344,7 @@ static void iavf_tx_timeout(struct net_device *netdev, unsigned int txqueue) + struct iavf_adapter *adapter = netdev_priv(netdev); + + adapter->tx_timeout_count++; +- iavf_schedule_reset(adapter); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + } + + /** +@@ -2490,7 +2492,7 @@ int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter) + adapter->vsi_res->num_queue_pairs); + adapter->flags |= IAVF_FLAG_REINIT_MSIX_NEEDED; + adapter->num_req_queues = adapter->vsi_res->num_queue_pairs; +- iavf_schedule_reset(adapter); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + + return -EAGAIN; + } +@@ -2787,14 +2789,6 @@ static void iavf_watchdog_task(struct work_struct *work) + if (adapter->flags & IAVF_FLAG_PF_COMMS_FAILED) + iavf_change_state(adapter, __IAVF_COMM_FAILED); + +- if (adapter->flags & IAVF_FLAG_RESET_NEEDED) { +- adapter->aq_required = 0; +- adapter->current_op = VIRTCHNL_OP_UNKNOWN; +- mutex_unlock(&adapter->crit_lock); +- queue_work(adapter->wq, &adapter->reset_task); +- return; +- } +- + switch (adapter->state) { + case __IAVF_STARTUP: + iavf_startup(adapter); +@@ -2922,11 +2916,10 @@ static void iavf_watchdog_task(struct work_struct *work) + /* check for hw reset */ + 
reg_val = rd32(hw, IAVF_VF_ARQLEN1) & IAVF_VF_ARQLEN1_ARQENABLE_MASK; + if (!reg_val) { +- adapter->flags |= IAVF_FLAG_RESET_PENDING; + adapter->aq_required = 0; + adapter->current_op = VIRTCHNL_OP_UNKNOWN; + dev_err(&adapter->pdev->dev, "Hardware reset detected\n"); +- queue_work(adapter->wq, &adapter->reset_task); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_PENDING); + mutex_unlock(&adapter->crit_lock); + queue_delayed_work(adapter->wq, + &adapter->watchdog_task, HZ * 2); +@@ -3324,9 +3317,7 @@ static void iavf_adminq_task(struct work_struct *work) + } while (pending); + mutex_unlock(&adapter->crit_lock); + +- if ((adapter->flags & +- (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED)) || +- adapter->state == __IAVF_RESETTING) ++ if (iavf_is_reset_in_progress(adapter)) + goto freedom; + + /* check for error indications */ +@@ -4423,8 +4414,7 @@ static int iavf_change_mtu(struct net_device *netdev, int new_mtu) + } + + if (netif_running(netdev)) { +- adapter->flags |= IAVF_FLAG_RESET_NEEDED; +- queue_work(adapter->wq, &adapter->reset_task); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + ret = iavf_wait_for_reset(adapter); + if (ret < 0) + netdev_warn(netdev, "MTU change interrupted waiting for reset"); +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index 35419673b6987..2fc8e60ef6afb 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -1961,9 +1961,8 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + case VIRTCHNL_EVENT_RESET_IMPENDING: + dev_info(&adapter->pdev->dev, "Reset indication received from the PF\n"); + if (!(adapter->flags & IAVF_FLAG_RESET_PENDING)) { +- adapter->flags |= IAVF_FLAG_RESET_PENDING; + dev_info(&adapter->pdev->dev, "Scheduling reset task\n"); +- queue_work(adapter->wq, &adapter->reset_task); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_PENDING); + } + break; + default: +-- 
+2.39.2 + diff --git a/tmp-6.1/iavf-fix-use-after-free-in-free_netdev.patch b/tmp-6.1/iavf-fix-use-after-free-in-free_netdev.patch new file mode 100644 index 00000000000..4191b7d0987 --- /dev/null +++ b/tmp-6.1/iavf-fix-use-after-free-in-free_netdev.patch 
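Review bot: iavf_schedule_reset() ORs the caller's `flags` into adapter->flags only when neither RESET_PENDING nor RESET_NEEDED is already set, so an `IAVF_FLAG_RESET_PENDING` request from the watchdog's hardware-reset path or from VIRTCHNL_EVENT_RESET_IMPENDING is now dropped when RESET_NEEDED is already set, where the old code set the flag unconditionally. If that is intended, say so in the kernel-doc, e.g. `* A request is ignored when a reset is already flagged or the driver is being removed.`; if the reset task distinguishes the two flags, the PENDING bit may need recording before the early return (cannot tell from these hunks). The `flags` argument is also applied unmasked, so the doc line naming the two allowed values is the only guard against a caller setting unrelated bits. iavf_is_reset_in_progress() is called in iavf_adminq_task() but not defined in this patch, so it presumably comes from an earlier patch in the queue.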
@@ -0,0 +1,215 @@
+From 65df986e4dd0e7534d9caca118a4603cfb45336b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 May 2023 19:11:47 +0800
+Subject: iavf: Fix use-after-free in free_netdev
+
+From: Ding Hui
+
+[ Upstream commit 5f4fa1672d98fe99d2297b03add35346f1685d6b ]
+
+We do netif_napi_add() for all allocated q_vectors[], but potentially
+do netif_napi_del() for part of them, then kfree q_vectors and leave
+invalid pointers at dev->napi_list.
+
+Reproducer:
+
+ [root@host ~]# cat repro.sh
+ #!/bin/bash
+
+ pf_dbsf="0000:41:00.0"
+ vf0_dbsf="0000:41:02.0"
+ g_pids=()
+
+ function do_set_numvf()
+ {
+ echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs
+ sleep $((RANDOM%3+1))
+ echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs
+ sleep $((RANDOM%3+1))
+ }
+
+ function do_set_channel()
+ {
+ local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/)
+ [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; }
+ ifconfig $nic 192.168.18.5 netmask 255.255.255.0
+ ifconfig $nic up
+ ethtool -L $nic combined 1
+ ethtool -L $nic combined 4
+ sleep $((RANDOM%3))
+ }
+
+ function on_exit()
+ {
+ local pid
+ for pid in "${g_pids[@]}"; do
+ kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null
+ done
+ g_pids=()
+ }
+
+ trap "on_exit; exit" EXIT
+
+ while :; do do_set_numvf ; done &
+ g_pids+=($!)
+ while :; do do_set_channel ; done &
+ g_pids+=($!)
+
+ wait
+
+Result:
+
+[ 4093.900222] ==================================================================
+[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390
+[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699
+[ 4093.900233]
+[ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1
+[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021
+[ 4093.900239] Call Trace:
+[ 4093.900244] dump_stack+0x71/0xab
+[ 4093.900249] print_address_description+0x6b/0x290
+[ 4093.900251] ? free_netdev+0x308/0x390
+[ 4093.900252] kasan_report+0x14a/0x2b0
+[ 4093.900254] free_netdev+0x308/0x390
+[ 4093.900261] iavf_remove+0x825/0xd20 [iavf]
+[ 4093.900265] pci_device_remove+0xa8/0x1f0
+[ 4093.900268] device_release_driver_internal+0x1c6/0x460
+[ 4093.900271] pci_stop_bus_device+0x101/0x150
+[ 4093.900273] pci_stop_and_remove_bus_device+0xe/0x20
+[ 4093.900275] pci_iov_remove_virtfn+0x187/0x420
+[ 4093.900277] ? pci_iov_add_virtfn+0xe10/0xe10
+[ 4093.900278] ? pci_get_subsys+0x90/0x90
+[ 4093.900280] sriov_disable+0xed/0x3e0
+[ 4093.900282] ? bus_find_device+0x12d/0x1a0
+[ 4093.900290] i40e_free_vfs+0x754/0x1210 [i40e]
+[ 4093.900298] ? i40e_reset_all_vfs+0x880/0x880 [i40e]
+[ 4093.900299] ? pci_get_device+0x7c/0x90
+[ 4093.900300] ? pci_get_subsys+0x90/0x90
+[ 4093.900306] ? pci_vfs_assigned.part.7+0x144/0x210
+[ 4093.900309] ? __mutex_lock_slowpath+0x10/0x10
+[ 4093.900315] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]
+[ 4093.900318] sriov_numvfs_store+0x214/0x290
+[ 4093.900320] ? sriov_totalvfs_show+0x30/0x30
+[ 4093.900321] ? __mutex_lock_slowpath+0x10/0x10
+[ 4093.900323] ? __check_object_size+0x15a/0x350
+[ 4093.900326] kernfs_fop_write+0x280/0x3f0
+[ 4093.900329] vfs_write+0x145/0x440
+[ 4093.900330] ksys_write+0xab/0x160
+[ 4093.900332] ? __ia32_sys_read+0xb0/0xb0
+[ 4093.900334] ? fput_many+0x1a/0x120
+[ 4093.900335] ? filp_close+0xf0/0x130
+[ 4093.900338] do_syscall_64+0xa0/0x370
+[ 4093.900339] ? page_fault+0x8/0x30
+[ 4093.900341] entry_SYSCALL_64_after_hwframe+0x65/0xca
+[ 4093.900357] RIP: 0033:0x7f16ad4d22c0
+[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24
+[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0
+[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001
+[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700
+[ 4093.900364] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002
+[ 4093.900365] R13: 0000000000000001 R14: 00007f16ad7a0620 R15: 0000000000000001
+[ 4093.900367]
+[ 4093.900368] Allocated by task 820:
+[ 4093.900371] kasan_kmalloc+0xa6/0xd0
+[ 4093.900373] __kmalloc+0xfb/0x200
+[ 4093.900376] iavf_init_interrupt_scheme+0x63b/0x1320 [iavf]
+[ 4093.900380] iavf_watchdog_task+0x3d51/0x52c0 [iavf]
+[ 4093.900382] process_one_work+0x56a/0x11f0
+[ 4093.900383] worker_thread+0x8f/0xf40
+[ 4093.900384] kthread+0x2a0/0x390
+[ 4093.900385] ret_from_fork+0x1f/0x40
+[ 4093.900387] 0xffffffffffffffff
+[ 4093.900387]
+[ 4093.900388] Freed by task 6699:
+[ 4093.900390] __kasan_slab_free+0x137/0x190
+[ 4093.900391] kfree+0x8b/0x1b0
+[ 4093.900394] iavf_free_q_vectors+0x11d/0x1a0 [iavf]
+[ 4093.900397] iavf_remove+0x35a/0xd20 [iavf]
+[ 4093.900399] pci_device_remove+0xa8/0x1f0
+[ 4093.900400] device_release_driver_internal+0x1c6/0x460
+[ 4093.900401] pci_stop_bus_device+0x101/0x150
+[ 4093.900402] pci_stop_and_remove_bus_device+0xe/0x20
+[ 4093.900403] pci_iov_remove_virtfn+0x187/0x420
+[ 4093.900404] sriov_disable+0xed/0x3e0
+[ 4093.900409] i40e_free_vfs+0x754/0x1210 [i40e]
+[ 4093.900415] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]
+[ 4093.900416] sriov_numvfs_store+0x214/0x290
+[ 4093.900417] kernfs_fop_write+0x280/0x3f0
+[ 4093.900418] vfs_write+0x145/0x440
+[ 4093.900419] ksys_write+0xab/0x160
+[ 4093.900420] do_syscall_64+0xa0/0x370
+[ 4093.900421] entry_SYSCALL_64_after_hwframe+0x65/0xca
+[ 4093.900422] 0xffffffffffffffff
+[ 4093.900422]
+[ 4093.900424] The buggy address belongs to the object at ffff88b4dc144200
+ which belongs to the cache kmalloc-8k of size 8192
+[ 4093.900425] The buggy address is located 5184 bytes inside of
+ 8192-byte region [ffff88b4dc144200, ffff88b4dc146200)
+[ 4093.900425] The buggy address belongs to the page:
+[ 4093.900427] page:ffffea00d3705000 refcount:1 mapcount:0 mapping:ffff88bf04415c80 index:0x0 compound_mapcount: 0
+[ 4093.900430] flags: 0x10000000008100(slab|head)
+[ 4093.900433] raw: 0010000000008100 dead000000000100 dead000000000200 ffff88bf04415c80
+[ 4093.900434] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000
+[ 4093.900434] page dumped because: kasan: bad access detected
+[ 4093.900435]
+[ 4093.900435] Memory state around the buggy address:
+[ 4093.900436] ffff88b4dc145500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 4093.900437] ffff88b4dc145580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 4093.900438] >ffff88b4dc145600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 4093.900438] ^
+[ 4093.900439] ffff88b4dc145680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 4093.900440] ffff88b4dc145700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 4093.900440] ==================================================================
+
+Although the patch #2 (of 2) can avoid the issue triggered by this
+repro.sh, there still are other potential risks that if num_active_queues
+is changed to less than allocated q_vectors[] by unexpected, the
+mismatched netif_napi_add/del() can also cause UAF.
+
+Since we actually call netif_napi_add() for all allocated q_vectors
+unconditionally in iavf_alloc_q_vectors(), so we should fix it by
+letting netif_napi_del() match to netif_napi_add().
+
+Fixes: 5eae00c57f5e ("i40evf: main driver core")
+Signed-off-by: Ding Hui
+Cc: Donglin Peng
+Cc: Huang Cun
+Reviewed-by: Simon Horman
+Reviewed-by: Madhu Chittim
+Reviewed-by: Leon Romanovsky
+Tested-by: Rafal Romanowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 965d02d7ff80f..81676c3af4b36 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1840,19 +1840,16 @@ static int iavf_alloc_q_vectors(struct iavf_adapter *adapter)
+ static void iavf_free_q_vectors(struct iavf_adapter *adapter)
+ {
+ int q_idx, num_q_vectors;
+- int napi_vectors;
+
+ if (!adapter->q_vectors)
+ return;
+
+ num_q_vectors = adapter->num_msix_vectors - NONQ_VECS;
+- napi_vectors = adapter->num_active_queues;
+
+ for (q_idx = 0; q_idx < num_q_vectors; q_idx++) {
+ struct iavf_q_vector *q_vector = &adapter->q_vectors[q_idx];
+
+- if (q_idx < napi_vectors)
+- netif_napi_del(&q_vector->napi);
++ netif_napi_del(&q_vector->napi);
+ }
+ kfree(adapter->q_vectors);
+ adapter->q_vectors = NULL;
+--
+2.39.2
+
diff --git a/tmp-6.1/iavf-make-functions-static-where-possible.patch b/tmp-6.1/iavf-make-functions-static-where-possible.patch
new file mode 100644
index 00000000000..4105b0d4bab
--- /dev/null
+++ b/tmp-6.1/iavf-make-functions-static-where-possible.patch
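Review bot: In iavf_free_q_vectors() the loop bound `num_q_vectors = adapter->num_msix_vectors - NONQ_VECS` is now the only thing that keeps netif_napi_del() paired with the earlier netif_napi_add() calls, and nothing in the function says so. The commit message states that iavf_alloc_q_vectors() adds NAPI for every allocated q_vector; that function is outside this hunk, so it should be confirmed that it iterates over the same count. I would record the invariant above the loop, e.g. `/* Must cover every q_vector that iavf_alloc_q_vectors() registered with netif_napi_add(); a partial delete leaves dangling entries on dev->napi_list. */`. With the condition gone the `q_vector` local is used only once, so the body could also be written as `netif_napi_del(&adapter->q_vectors[q_idx].napi);`.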
@@ -0,0 +1,223 @@
+From 97d8a9e529256a00151bc682e79efba868de17a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jun 2023 08:54:05 -0700
+Subject: iavf: make functions static where possible
+
+From: Przemek Kitszel
+
+[ Upstream commit a4aadf0f5905661cd25c366b96cc1c840f05b756 ]
+
+Make all possible functions static.
+
+Move iavf_force_wb() up to avoid forward declaration.
+
+Suggested-by: Maciej Fijalkowski
+Reviewed-by: Maciej Fijalkowski
+Signed-off-by: Przemek Kitszel
+Signed-off-by: Tony Nguyen
+Stable-dep-of: c2ed2403f12c ("iavf: Wait for reset in callbacks which trigger it")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/iavf/iavf.h | 10 -----
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 14 +++----
+ drivers/net/ethernet/intel/iavf/iavf_txrx.c | 43 ++++++++++-----------
+ drivers/net/ethernet/intel/iavf/iavf_txrx.h | 4 --
+ 4 files changed, 28 insertions(+), 43 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
+index 6625625f91e47..a716ed6bb787d 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf.h
++++ b/drivers/net/ethernet/intel/iavf/iavf.h
+@@ -523,9 +523,6 @@ void iavf_schedule_request_stats(struct iavf_adapter *adapter);
+ void iavf_reset(struct iavf_adapter *adapter);
+ void iavf_set_ethtool_ops(struct net_device *netdev);
+ void iavf_update_stats(struct iavf_adapter *adapter);
+-void iavf_reset_interrupt_capability(struct iavf_adapter *adapter);
+-int iavf_init_interrupt_scheme(struct iavf_adapter *adapter);
+-void iavf_irq_enable_queues(struct iavf_adapter *adapter);
+ void iavf_free_all_tx_resources(struct iavf_adapter *adapter);
+ void iavf_free_all_rx_resources(struct iavf_adapter *adapter);
+
+@@ -579,17 +576,10 @@ void iavf_enable_vlan_stripping_v2(struct iavf_adapter *adapter, u16 tpid);
+ void iavf_disable_vlan_stripping_v2(struct iavf_adapter *adapter, u16 tpid);
+ void iavf_enable_vlan_insertion_v2(struct iavf_adapter *adapter, u16 tpid);
+ void iavf_disable_vlan_insertion_v2(struct iavf_adapter *adapter, u16 tpid);
+-int iavf_replace_primary_mac(struct iavf_adapter *adapter,
+- const u8 *new_mac);
+-void
+-iavf_set_vlan_offload_features(struct iavf_adapter *adapter,
+- netdev_features_t prev_features,
+- netdev_features_t features);
+ void iavf_add_fdir_filter(struct iavf_adapter *adapter);
+ void iavf_del_fdir_filter(struct iavf_adapter *adapter);
+ void iavf_add_adv_rss_cfg(struct iavf_adapter *adapter);
+ void iavf_del_adv_rss_cfg(struct iavf_adapter *adapter);
+ struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter,
+ const u8 *macaddr);
+-int iavf_lock_timeout(struct mutex *lock, unsigned int msecs);
+ #endif /* _IAVF_H_ */
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 68e951fe5e210..d5b1dcfe0ccdd 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -253,7 +253,7 @@ enum iavf_status iavf_free_virt_mem_d(struct iavf_hw *hw,
+ *
+ * Returns 0 on success, negative on failure
+ **/
+-int iavf_lock_timeout(struct mutex *lock, unsigned int msecs)
++static int iavf_lock_timeout(struct mutex *lock, unsigned int msecs)
+ {
+ unsigned int wait, delay = 10;
+
+@@ -362,7 +362,7 @@ static void iavf_irq_disable(struct iavf_adapter *adapter)
+ * iavf_irq_enable_queues - Enable interrupt for all queues
+ * @adapter: board private structure
+ **/
+-void iavf_irq_enable_queues(struct iavf_adapter *adapter)
++static void iavf_irq_enable_queues(struct iavf_adapter *adapter)
+ {
+ struct iavf_hw *hw = &adapter->hw;
+ int i;
+@@ -1003,8 +1003,8 @@ struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter,
+ *
+ * Do not call this with mac_vlan_list_lock!
+ **/
+-int iavf_replace_primary_mac(struct iavf_adapter *adapter,
+- const u8 *new_mac)
++static int iavf_replace_primary_mac(struct iavf_adapter *adapter,
++ const u8 *new_mac)
+ {
+ struct iavf_hw *hw = &adapter->hw;
+ struct iavf_mac_filter *f;
+@@ -1860,7 +1860,7 @@ static void iavf_free_q_vectors(struct iavf_adapter *adapter)
+ * @adapter: board private structure
+ *
+ **/
+-void iavf_reset_interrupt_capability(struct iavf_adapter *adapter)
++static void iavf_reset_interrupt_capability(struct iavf_adapter *adapter)
+ {
+ if (!adapter->msix_entries)
+ return;
+@@ -1875,7 +1875,7 @@ void iavf_reset_interrupt_capability(struct iavf_adapter *adapter)
+ * @adapter: board private structure to initialize
+ *
+ **/
+-int iavf_init_interrupt_scheme(struct iavf_adapter *adapter)
++static int iavf_init_interrupt_scheme(struct iavf_adapter *adapter)
+ {
+ int err;
+
+@@ -2174,7 +2174,7 @@ static int iavf_process_aq_command(struct iavf_adapter *adapter)
+ * the watchdog if any changes are requested to expedite the request via
+ * virtchnl.
+ **/
+-void
++static void
+ iavf_set_vlan_offload_features(struct iavf_adapter *adapter,
+ netdev_features_t prev_features,
+ netdev_features_t features)
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+index e989feda133c1..8c5f6096b0022 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+@@ -54,7 +54,7 @@ static void iavf_unmap_and_free_tx_resource(struct iavf_ring *ring,
+ * iavf_clean_tx_ring - Free any empty Tx buffers
+ * @tx_ring: ring to be cleaned
+ **/
+-void iavf_clean_tx_ring(struct iavf_ring *tx_ring)
++static void iavf_clean_tx_ring(struct iavf_ring *tx_ring)
+ {
+ unsigned long bi_size;
+ u16 i;
+@@ -110,7 +110,7 @@ void iavf_free_tx_resources(struct iavf_ring *tx_ring)
+ * Since there is no access to the ring head register
+ * in XL710, we need to use our local copies
+ **/
+-u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw)
++static u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw)
+ {
+ u32 head, tail;
+
+@@ -127,6 +127,24 @@ u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw)
+ return 0;
+ }
+
++/**
++ * iavf_force_wb - Issue SW Interrupt so HW does a wb
++ * @vsi: the VSI we care about
++ * @q_vector: the vector on which to force writeback
++ **/
++static void iavf_force_wb(struct iavf_vsi *vsi, struct iavf_q_vector *q_vector)
++{
++ u32 val = IAVF_VFINT_DYN_CTLN1_INTENA_MASK |
++ IAVF_VFINT_DYN_CTLN1_ITR_INDX_MASK | /* set noitr */
++ IAVF_VFINT_DYN_CTLN1_SWINT_TRIG_MASK |
++ IAVF_VFINT_DYN_CTLN1_SW_ITR_INDX_ENA_MASK
++ /* allow 00 to be written to the index */;
++
++ wr32(&vsi->back->hw,
++ IAVF_VFINT_DYN_CTLN1(q_vector->reg_idx),
++ val);
++}
++
+ /**
+ * iavf_detect_recover_hung - Function to detect and recover hung_queues
+ * @vsi: pointer to vsi struct with tx queues
+@@ -352,25 +370,6 @@ static void iavf_enable_wb_on_itr(struct iavf_vsi *vsi,
+ q_vector->arm_wb_state = true;
+ }
+
+-/**
+- * iavf_force_wb - Issue SW Interrupt so HW does a wb
+- * @vsi: the VSI we care about
+- * @q_vector: the vector on which to force writeback
+- *
+- **/
+-void iavf_force_wb(struct iavf_vsi *vsi, struct iavf_q_vector *q_vector)
+-{
+- u32 val = IAVF_VFINT_DYN_CTLN1_INTENA_MASK |
+- IAVF_VFINT_DYN_CTLN1_ITR_INDX_MASK | /* set noitr */
+- IAVF_VFINT_DYN_CTLN1_SWINT_TRIG_MASK |
+- IAVF_VFINT_DYN_CTLN1_SW_ITR_INDX_ENA_MASK
+- /* allow 00 to be written to the index */;
+-
+- wr32(&vsi->back->hw,
+- IAVF_VFINT_DYN_CTLN1(q_vector->reg_idx),
+- val);
+-}
+-
+ static inline bool iavf_container_is_rx(struct iavf_q_vector *q_vector,
+ struct iavf_ring_container *rc)
+ {
+@@ -687,7 +686,7 @@ int iavf_setup_tx_descriptors(struct iavf_ring *tx_ring)
+ * iavf_clean_rx_ring - Free Rx buffers
+ * @rx_ring: ring to be cleaned
+ **/
+-void iavf_clean_rx_ring(struct iavf_ring *rx_ring)
++static void iavf_clean_rx_ring(struct iavf_ring *rx_ring)
+ {
+ unsigned long bi_size;
+ u16 i;
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.h b/drivers/net/ethernet/intel/iavf/iavf_txrx.h
+index 2624bf6d009e3..7e6ee32d19b69 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.h
++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.h
+@@ -442,15 +442,11 @@ static inline unsigned int iavf_rx_pg_order(struct iavf_ring *ring)
+
+ bool iavf_alloc_rx_buffers(struct iavf_ring *rxr, u16 cleaned_count);
+ netdev_tx_t iavf_xmit_frame(struct sk_buff *skb, struct net_device *netdev);
+-void iavf_clean_tx_ring(struct iavf_ring *tx_ring);
+-void iavf_clean_rx_ring(struct iavf_ring *rx_ring);
+ int iavf_setup_tx_descriptors(struct iavf_ring *tx_ring);
+ int iavf_setup_rx_descriptors(struct iavf_ring *rx_ring);
+ void iavf_free_tx_resources(struct iavf_ring *tx_ring);
+ void iavf_free_rx_resources(struct iavf_ring *rx_ring);
+ int iavf_napi_poll(struct napi_struct *napi, int budget);
+-void iavf_force_wb(struct iavf_vsi *vsi, struct iavf_q_vector *q_vector);
+-u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw);
+ void iavf_detect_recover_hung(struct iavf_vsi *vsi);
+ int __iavf_maybe_stop_tx(struct iavf_ring *tx_ring, int size);
+ bool __iavf_chk_linearize(struct sk_buff *skb);
+--
+2.39.2
+
diff --git a/tmp-6.1/iavf-move-netdev_update_features-into-watchdog-task.patch b/tmp-6.1/iavf-move-netdev_update_features-into-watchdog-task.patch
new file mode 100644
index 00000000000..8927af5c4e9
--- /dev/null
+++ b/tmp-6.1/iavf-move-netdev_update_features-into-watchdog-task.patch
@@ -0,0 +1,95 @@
+From 5491562d5578b2fc118790482f43fbde751e023f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 3 Jan 2023 17:42:27 +0100
+Subject: iavf: Move netdev_update_features() into watchdog task
+
+From: Marcin Szycik
+
+[ Upstream commit 7598f4b40bd60e4a4280de645eb2893eea80b59d ]
+
+Remove netdev_update_features() from iavf_adminq_task(), as it can cause
+deadlocks due to needing rtnl_lock. Instead use the
+IAVF_FLAG_SETUP_NETDEV_FEATURES flag to indicate that netdev features need
+to be updated in the watchdog task. iavf_set_vlan_offload_features()
+and iavf_set_queue_vlan_tag_loc() can be called directly from
+iavf_virtchnl_completion().
+
+Suggested-by: Phani Burra
+Signed-off-by: Marcin Szycik
+Reviewed-by: Alexander Lobakin
+Tested-by: Marek Szlosek
+Signed-off-by: Tony Nguyen
+Stable-dep-of: c2ed2403f12c ("iavf: Wait for reset in callbacks which trigger it")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 27 +++++++------------
+ .../net/ethernet/intel/iavf/iavf_virtchnl.c | 8 ++++++
+ 2 files changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 104de9a071449..68e951fe5e210 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -2689,6 +2689,15 @@ static void iavf_watchdog_task(struct work_struct *work)
+ goto restart_watchdog;
+ }
+
++ if ((adapter->flags & IAVF_FLAG_SETUP_NETDEV_FEATURES) &&
++ adapter->netdev_registered &&
++ !test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section) &&
++ rtnl_trylock()) {
++ netdev_update_features(adapter->netdev);
++ rtnl_unlock();
++ adapter->flags &= ~IAVF_FLAG_SETUP_NETDEV_FEATURES;
++ }
++
+ if (adapter->flags & IAVF_FLAG_PF_COMMS_FAILED)
+ iavf_change_state(adapter, __IAVF_COMM_FAILED);
+
+@@ -3228,24 +3237,6 @@ static void iavf_adminq_task(struct work_struct *work)
+ } while (pending);
+ mutex_unlock(&adapter->crit_lock);
+
+- if ((adapter->flags & IAVF_FLAG_SETUP_NETDEV_FEATURES)) {
+- if (adapter->netdev_registered ||
+- !test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section)) {
+- struct net_device *netdev = adapter->netdev;
+-
+- rtnl_lock();
+- netdev_update_features(netdev);
+- rtnl_unlock();
+- /* Request VLAN offload settings */
+- if (VLAN_V2_ALLOWED(adapter))
+- iavf_set_vlan_offload_features
+- (adapter, 0, netdev->features);
+-
+- iavf_set_queue_vlan_tag_loc(adapter);
+- }
+-
+- adapter->flags &= ~IAVF_FLAG_SETUP_NETDEV_FEATURES;
+- }
+ if ((adapter->flags &
+ (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED)) ||
+ adapter->state == __IAVF_RESETTING)
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+index 00dccdd290dce..07d37402a0df5 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+@@ -2237,6 +2237,14 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
+
+ iavf_process_config(adapter);
+ adapter->flags |= IAVF_FLAG_SETUP_NETDEV_FEATURES;
++
++ /* Request VLAN offload settings */
++ if (VLAN_V2_ALLOWED(adapter))
++ iavf_set_vlan_offload_features(adapter, 0,
++ netdev->features);
++
++ iavf_set_queue_vlan_tag_loc(adapter);
++
+ was_mac_changed = !ether_addr_equal(netdev->dev_addr,
+ adapter->hw.mac.addr);
+
+--
+2.39.2
+
diff --git a/tmp-6.1/iavf-send-vlan-offloading-caps-once-after-vfr.patch b/tmp-6.1/iavf-send-vlan-offloading-caps-once-after-vfr.patch
new file mode 100644
index 00000000000..1ee405d4c13
--- /dev/null
+++ b/tmp-6.1/iavf-send-vlan-offloading-caps-once-after-vfr.patch
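Review bot: The new guard in iavf_watchdog_task() changes more than the place where netdev_update_features() runs: the removed adminq code tested `adapter->netdev_registered || !test_bit(__IAVF_IN_REMOVE_TASK, ...)` and cleared IAVF_FLAG_SETUP_NETDEV_FEATURES unconditionally, while the added code requires both conditions and clears the flag only when rtnl_trylock() succeeds. The commit message mentions neither change, so the retry behaviour deserves a comment above the `if`, e.g. `/* rtnl_trylock() so the watchdog never blocks on rtnl; on failure the flag stays set and the update is retried on the next run */`. Which lock, if any, covers the read-modify-write of `adapter->flags` at this point cannot be seen from the hunk (iavf_watchdog_task() starts and ends outside it), and iavf_virtchnl_completion() sets the same flag with a plain `|=`, so it is worth confirming that both run under crit_lock.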
@@ -0,0 +1,66 @@
+From c45878593282d7f12a92cae3b219aeb3889e32f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Apr 2023 12:09:39 -0600
+Subject: iavf: send VLAN offloading caps once after VFR
+
+From: Ahmed Zaki
+
+[ Upstream commit 7dcbdf29282fbcdb646dc785e8a57ed2c2fec8ba ]
+
+When the user disables rxvlan offloading and then changes the number of
+channels, all VLAN ports are unable to receive traffic.
+
+Changing the number of channels triggers a VFR reset. During re-init, when
+VIRTCHNL_OP_GET_OFFLOAD_VLAN_V2_CAPS is received, we do:
+1 - set the IAVF_FLAG_SETUP_NETDEV_FEATURES flag
+2 - call
+ iavf_set_vlan_offload_features(adapter, 0, netdev->features);
+
+The second step sends to the PF the __default__ features, in this case
+aq_required |= IAVF_FLAG_AQ_ENABLE_CTAG_VLAN_STRIPPING
+
+While the first step forces the watchdog task to call
+netdev_update_features() -> iavf_set_features() ->
+iavf_set_vlan_offload_features(adapter, netdev->features, features).
+Since the user disabled the "rxvlan", this sets:
+aq_required |= IAVF_FLAG_AQ_DISABLE_CTAG_VLAN_STRIPPING
+
+When we start processing the AQ commands, both flags are enabled. Since we
+process DISABLE_XTAG first then ENABLE_XTAG, this results in the PF
+enabling the rxvlan offload. This breaks all communications on the VLAN
+net devices.
+
+Fix by removing the call to iavf_set_vlan_offload_features() (second
+step). Calling netdev_update_features() from watchdog task is enough for
+both init and reset paths.
+
+Fixes: 7598f4b40bd6 ("iavf: Move netdev_update_features() into watchdog task")
+Signed-off-by: Ahmed Zaki
+Tested-by: Rafal Romanowski
+Reviewed-by: Leon Romanovsky
+Signed-off-by: Tony Nguyen
+Stable-dep-of: c2ed2403f12c ("iavf: Wait for reset in callbacks which trigger it")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/iavf/iavf_virtchnl.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+index 07d37402a0df5..7b34111fd4eb1 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+@@ -2238,11 +2238,6 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
+ iavf_process_config(adapter);
+ adapter->flags |= IAVF_FLAG_SETUP_NETDEV_FEATURES;
+
+- /* Request VLAN offload settings */
+- if (VLAN_V2_ALLOWED(adapter))
+- iavf_set_vlan_offload_features(adapter, 0,
+- netdev->features);
+-
+ iavf_set_queue_vlan_tag_loc(adapter);
+
+ was_mac_changed = !ether_addr_equal(netdev->dev_addr,
+--
+2.39.2
+
diff --git a/tmp-6.1/iavf-use-internal-state-to-free-traffic-irqs.patch b/tmp-6.1/iavf-use-internal-state-to-free-traffic-irqs.patch
new file mode 100644
index 00000000000..a24bcc616ba
--- /dev/null
+++ b/tmp-6.1/iavf-use-internal-state-to-free-traffic-irqs.patch
@@ -0,0 +1,65 @@
+From 7af6ff049c18a0c4e3e4a80b523c331617b48a6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 May 2023 15:46:02 -0600
+Subject: iavf: use internal state to free traffic IRQs
+
+From: Ahmed Zaki
+
+[ Upstream commit a77ed5c5b768e9649be240a2d864e5cd9c6a2015 ]
+
+If the system tries to close the netdev while iavf_reset_task() is
+running, __LINK_STATE_START will be cleared and netif_running() will
+return false in iavf_reinit_interrupt_scheme(). This will result in
+iavf_free_traffic_irqs() not being called and a leak as follows:
+
+ [7632.489326] remove_proc_entry: removing non-empty directory 'irq/999', leaking at least 'iavf-enp24s0f0v0-TxRx-0'
+ [7632.490214] WARNING: CPU: 0 PID: 10 at fs/proc/generic.c:718 remove_proc_entry+0x19b/0x1b0
+
+is shown when pci_disable_msix() is later called. Fix by using the
+internal adapter state. The traffic IRQs will always exist if
+state == __IAVF_RUNNING.
+
+Fixes: 5b36e8d04b44 ("i40evf: Enable VF to request an alternate queue allocation")
+Signed-off-by: Ahmed Zaki
+Tested-by: Rafal Romanowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 81676c3af4b36..104de9a071449 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1941,15 +1941,16 @@ static void iavf_free_rss(struct iavf_adapter *adapter)
+ /**
+ * iavf_reinit_interrupt_scheme - Reallocate queues and vectors
+ * @adapter: board private structure
++ * @running: true if adapter->state == __IAVF_RUNNING
+ *
+ * Returns 0 on success, negative on failure
+ **/
+-static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter)
++static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter, bool running)
+ {
+ struct net_device *netdev = adapter->netdev;
+ int err;
+
+- if (netif_running(netdev))
++ if (running)
+ iavf_free_traffic_irqs(adapter);
+ iavf_free_misc_irq(adapter);
+ iavf_reset_interrupt_capability(adapter);
+@@ -3056,7 +3057,7 @@ static void iavf_reset_task(struct work_struct *work)
+
+ if ((adapter->flags & IAVF_FLAG_REINIT_MSIX_NEEDED) ||
+ (adapter->flags & IAVF_FLAG_REINIT_ITR_NEEDED)) {
+- err = iavf_reinit_interrupt_scheme(adapter);
++ err = iavf_reinit_interrupt_scheme(adapter, running);
+ if (err)
+ goto reset_err;
+ }
+--
+2.39.2
+
diff --git a/tmp-6.1/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch b/tmp-6.1/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch
new file mode 100644
index 00000000000..4ff53643af2
--- /dev/null
+++ b/tmp-6.1/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch
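Review bot: The kernel-doc line added for `@running` in iavf_reinit_interrupt_scheme() says what the value equals but not when it was sampled or what it controls. The caller in iavf_reset_task() passes a local `running` whose assignment is outside the hunk; presumably it is captured before the reset path changes adapter->state, which is what would make it more reliable than netif_running() here, but that should be confirmed against the full function. I would word the line as `@running: true if the adapter was in __IAVF_RUNNING when the reset began, i.e. traffic IRQs are requested and must be freed here`. Both function bodies continue outside the hunk.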
@@ -0,0 +1,253 @@
+From 666e6a1e4dfcf28dffd3be1e4128f2dde21ee8cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Jun 2023 10:52:22 -0400
+Subject: iavf: Wait for reset in callbacks which trigger it
+
+From: Marcin Szycik
+
+[ Upstream commit c2ed2403f12c74a74a0091ed5d830e72c58406e8 ]
+
+There was a fail when trying to add the interface to bonding
+right after changing the MTU on the interface. It was caused
+by bonding interface unable to open the interface due to
+interface being in __RESETTING state because of MTU change.
+
+Add new reset_waitqueue to indicate that reset has finished.
+
+Add waiting for reset to finish in callbacks which trigger hw reset:
+iavf_set_priv_flags(), iavf_change_mtu() and iavf_set_ringparam().
+We use a 5000ms timeout period because on Hyper-V based systems,
+this operation takes around 3000-4000ms. In normal circumstances,
+it doesn't take more than 500ms to complete.
+
+Add a function iavf_wait_for_reset() to reuse waiting for reset code and
+use it also in iavf_set_channels(), which already waits for reset.
+We don't use error handling in iavf_set_channels() as this could
+cause the device to be in incorrect state if the reset was scheduled
+but hit timeout or the waitng function was interrupted by a signal.
+
+Fixes: 4e5e6b5d9d13 ("iavf: Fix return of set the new channel count")
+Signed-off-by: Marcin Szycik
+Co-developed-by: Dawid Wesierski
+Signed-off-by: Dawid Wesierski
+Signed-off-by: Sylwester Dziedziuch
+Signed-off-by: Kamil Maziarz
+Signed-off-by: Mateusz Palczewski
+Tested-by: Rafal Romanowski
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/iavf/iavf.h | 2 +
+ .../net/ethernet/intel/iavf/iavf_ethtool.c | 31 ++++++-----
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 51 ++++++++++++++++++-
+ .../net/ethernet/intel/iavf/iavf_virtchnl.c | 1 +
+ 4 files changed, 68 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
+index a716ed6bb787d..2fe44e865d0a2 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf.h
++++ b/drivers/net/ethernet/intel/iavf/iavf.h
+@@ -257,6 +257,7 @@ struct iavf_adapter {
+ struct work_struct adminq_task;
+ struct delayed_work client_task;
+ wait_queue_head_t down_waitqueue;
++ wait_queue_head_t reset_waitqueue;
+ wait_queue_head_t vc_waitqueue;
+ struct iavf_q_vector *q_vectors;
+ struct list_head vlan_filter_list;
+@@ -582,4 +583,5 @@ void iavf_add_adv_rss_cfg(struct iavf_adapter *adapter);
+ void iavf_del_adv_rss_cfg(struct iavf_adapter *adapter);
+ struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter,
+ const u8 *macaddr);
++int iavf_wait_for_reset(struct iavf_adapter *adapter);
+ #endif /* _IAVF_H_ */
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
+index 4746ee517c75a..73219c5069290 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
+@@ -484,6 +484,7 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags)
+ {
+ struct iavf_adapter *adapter = netdev_priv(netdev);
+ u32 orig_flags, new_flags, changed_flags;
++ int ret = 0;
+ u32 i;
+
+ orig_flags = READ_ONCE(adapter->flags);
+@@ -533,10 +534,13 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags)
+ if (netif_running(netdev)) {
+ adapter->flags |= IAVF_FLAG_RESET_NEEDED;
+ queue_work(adapter->wq, &adapter->reset_task);
++ ret = iavf_wait_for_reset(adapter);
++ if (ret)
++ netdev_warn(netdev, "Changing private flags timeout or interrupted waiting for reset");
+ }
+ }
+
+- return 0;
++ return ret;
+ }
+
+ /**
+@@ -627,6 +631,7 @@ static int iavf_set_ringparam(struct net_device *netdev,
+ {
+ struct iavf_adapter *adapter = netdev_priv(netdev);
+ u32 new_rx_count, new_tx_count;
++ int ret = 0;
+
+ if ((ring->rx_mini_pending) || (ring->rx_jumbo_pending))
+ return -EINVAL;
+@@ -673,9 +678,12 @@ static int iavf_set_ringparam(struct net_device *netdev,
+ if (netif_running(netdev)) {
+ adapter->flags |= IAVF_FLAG_RESET_NEEDED;
+ queue_work(adapter->wq, &adapter->reset_task);
++ ret = iavf_wait_for_reset(adapter);
++ if (ret)
++ netdev_warn(netdev, "Changing ring parameters timeout or interrupted waiting for reset");
+ }
+
+- return 0;
++ return ret;
+ }
+
+ /**
+@@ -1830,7 +1838,7 @@ static int iavf_set_channels(struct net_device *netdev,
+ {
+ struct iavf_adapter *adapter = netdev_priv(netdev);
+ u32 num_req = ch->combined_count;
+- int i;
++ int ret = 0;
+
+ if ((adapter->vf_res->vf_cap_flags & VIRTCHNL_VF_OFFLOAD_ADQ) &&
+ adapter->num_tc) {
+@@ -1854,20 +1862,11 @@ static int iavf_set_channels(struct net_device *netdev,
+ adapter->flags |= IAVF_FLAG_REINIT_ITR_NEEDED;
+ iavf_schedule_reset(adapter);
+
+- /* wait for the reset is done */
+- for (i = 0; i < IAVF_RESET_WAIT_COMPLETE_COUNT; i++) {
+- msleep(IAVF_RESET_WAIT_MS);
+- if (adapter->flags & IAVF_FLAG_RESET_PENDING)
+- continue;
+- break;
+- }
+- if (i == IAVF_RESET_WAIT_COMPLETE_COUNT) {
+- adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED;
+- adapter->num_req_queues = 0;
+- return -EOPNOTSUPP;
+- }
++ ret = iavf_wait_for_reset(adapter);
++ if (ret)
++ netdev_warn(netdev, "Changing channel count timeout or interrupted waiting for reset");
+
+- return 0;
++ return ret;
+ }
+
+ /**
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index d5b1dcfe0ccdd..c2739071149de 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -166,6 +166,45 @@ static struct iavf_adapter *iavf_pdev_to_adapter(struct pci_dev *pdev)
+ return netdev_priv(pci_get_drvdata(pdev));
+ }
+
++/**
++ * iavf_is_reset_in_progress - Check if a reset is in progress
++ * @adapter: board private structure
++ */
++static bool iavf_is_reset_in_progress(struct iavf_adapter *adapter)
++{
++ if (adapter->state == __IAVF_RESETTING ||
++ adapter->flags & (IAVF_FLAG_RESET_PENDING |
++ IAVF_FLAG_RESET_NEEDED))
++ return true;
++
++ return false;
++}
++
++/**
++ * iavf_wait_for_reset - Wait for reset to finish.
++ * @adapter: board private structure
++ *
++ * Returns 0 if reset finished successfully, negative on timeout or interrupt.
++ */
++int iavf_wait_for_reset(struct iavf_adapter *adapter)
++{
++ int ret = wait_event_interruptible_timeout(adapter->reset_waitqueue,
++ !iavf_is_reset_in_progress(adapter),
++ msecs_to_jiffies(5000));
++
++ /* If ret < 0 then it means wait was interrupted.
++ * If ret == 0 then it means we got a timeout while waiting
++ * for reset to finish.
++ * If ret > 0 it means reset has finished.
++ */
++ if (ret > 0)
++ return 0;
++ else if (ret < 0)
++ return -EINTR;
++ else
++ return -EBUSY;
++}
++
+ /**
+ * iavf_allocate_dma_mem_d - OS specific memory alloc for shared code
+ * @hw: pointer to the HW structure
+@@ -3161,6 +3200,7 @@ static void iavf_reset_task(struct work_struct *work)
+
+ adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED;
+
++ wake_up(&adapter->reset_waitqueue);
+ mutex_unlock(&adapter->client_lock);
+ mutex_unlock(&adapter->crit_lock);
+
+@@ -4325,6 +4365,7 @@ static int iavf_close(struct net_device *netdev)
+ static int iavf_change_mtu(struct net_device *netdev, int new_mtu)
+ {
+ struct iavf_adapter *adapter = netdev_priv(netdev);
++ int ret = 0;
+
+ netdev_dbg(netdev, "changing MTU from %d to %d\n",
+ netdev->mtu, new_mtu);
+@@ -4337,9 +4378,14 @@ static int iavf_change_mtu(struct net_device *netdev, int new_mtu)
+ if (netif_running(netdev)) {
+ adapter->flags |= IAVF_FLAG_RESET_NEEDED;
+ queue_work(adapter->wq, &adapter->reset_task);
++ ret = iavf_wait_for_reset(adapter);
++ if (ret < 0)
++ netdev_warn(netdev, "MTU change interrupted waiting for reset");
++ else if (ret)
++ netdev_warn(netdev, "MTU change timed out waiting for reset");
+ }
+
+- return 0;
++ return ret;
+ }
+
+ #define NETIF_VLAN_OFFLOAD_FEATURES (NETIF_F_HW_VLAN_CTAG_RX | \
+@@ -4942,6 +4988,9 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ /* Setup the wait queue for indicating transition to down status */
+ init_waitqueue_head(&adapter->down_waitqueue);
+
++ /* Setup the wait queue for indicating transition to running state */
++ init_waitqueue_head(&adapter->reset_waitqueue);
++
+ /* Setup the wait queue for indicating virtchannel events */
+ init_waitqueue_head(&adapter->vc_waitqueue);
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+index 7b34111fd4eb1..eec7ac3b7f6ee 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+@@ -2285,6 +2285,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
+ case VIRTCHNL_OP_ENABLE_QUEUES:
+ /* enable transmits */
+ iavf_irq_enable(adapter, true);
++ wake_up(&adapter->reset_waitqueue);
+ adapter->flags &= ~IAVF_FLAG_QUEUES_DISABLED;
+ break;
+ case VIRTCHNL_OP_DISABLE_QUEUES:
+--
+2.39.2
+
diff --git a/tmp-6.1/igb-fix-igb_down-hung-on-surprise-removal.patch b/tmp-6.1/igb-fix-igb_down-hung-on-surprise-removal.patch
new file mode 100644
index 00000000000..0017c58f975
--- /dev/null
+++ b/tmp-6.1/igb-fix-igb_down-hung-on-surprise-removal.patch
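Review bot: In iavf_change_mtu() the `else if (ret)` branch can never run: iavf_wait_for_reset() returns only 0, -EINTR or -EBUSY, so `ret < 0` already catches the timeout and a timed-out reset is logged as "interrupted". Testing the codes directly, `if (ret == -EINTR)` followed by `else if (ret == -EBUSY)`, keeps the two messages accurate. The netdev_warn() strings added here and in iavf_set_priv_flags(), iavf_set_ringparam() and iavf_set_channels() also lack a trailing `\n`. The callback bodies start outside the hunks shown.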
@@ -0,0 +1,89 @@
+From 1fce30757b3c297f96e47f71e0c036d447f63664 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jun 2023 10:47:32 -0700
+Subject: igb: Fix igb_down hung on surprise removal
+
+From: Ying Hsu
+
+[ Upstream commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 ]
+
+In a setup where a Thunderbolt hub connects to Ethernet and a display
+through USB Type-C, users may experience a hung task timeout when they
+remove the cable between the PC and the Thunderbolt hub.
+This is because the igb_down function is called multiple times when
+the Thunderbolt hub is unplugged. For example, the igb_io_error_detected
+triggers the first call, and the igb_remove triggers the second call.
+The second call to igb_down will block at napi_synchronize.
+Here's the call trace:
+ __schedule+0x3b0/0xddb
+ ? __mod_timer+0x164/0x5d3
+ schedule+0x44/0xa8
+ schedule_timeout+0xb2/0x2a4
+ ? run_local_timers+0x4e/0x4e
+ msleep+0x31/0x38
+ igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4]
+ __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4]
+ igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4]
+ __dev_close_many+0x95/0xec
+ dev_close_many+0x6e/0x103
+ unregister_netdevice_many+0x105/0x5b1
+ unregister_netdevice_queue+0xc2/0x10d
+ unregister_netdev+0x1c/0x23
+ igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4]
+ pci_device_remove+0x3f/0x9c
+ device_release_driver_internal+0xfe/0x1b4
+ pci_stop_bus_device+0x5b/0x7f
+ pci_stop_bus_device+0x30/0x7f
+ pci_stop_bus_device+0x30/0x7f
+ pci_stop_and_remove_bus_device+0x12/0x19
+ pciehp_unconfigure_device+0x76/0xe9
+ pciehp_disable_slot+0x6e/0x131
+ pciehp_handle_presence_or_link_change+0x7a/0x3f7
+ pciehp_ist+0xbe/0x194
+ irq_thread_fn+0x22/0x4d
+ ? irq_thread+0x1fd/0x1fd
+ irq_thread+0x17b/0x1fd
+ ? irq_forced_thread_fn+0x5f/0x5f
+ kthread+0x142/0x153
+ ? __irq_get_irqchip_state+0x46/0x46
+ ? kthread_associate_blkcg+0x71/0x71
+ ret_from_fork+0x1f/0x30
+
+In this case, igb_io_error_detected detaches the network interface
+and requests a PCIE slot reset, however, the PCIE reset callback is
+not being invoked and thus the Ethernet connection breaks down.
+As the PCIE error in this case is a non-fatal one, requesting a
+slot reset can be avoided.
+This patch fixes the task hung issue and preserves Ethernet
+connection by ignoring non-fatal PCIE errors.
+
+Signed-off-by: Ying Hsu
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/20230620174732.4145155-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 18ffbc892f86c..3e0444354632d 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -9585,6 +9585,11 @@ static pci_ers_result_t igb_io_error_detected(struct pci_dev *pdev,
+ struct net_device *netdev = pci_get_drvdata(pdev);
+ struct igb_adapter *adapter = netdev_priv(netdev);
+
++ if (state == pci_channel_io_normal) {
++ dev_warn(&pdev->dev, "Non-correctable non-fatal error reported.\n");
++ return PCI_ERS_RESULT_CAN_RECOVER;
++ }
++
+ netif_device_detach(netdev);
+
+ if (state == pci_channel_io_perm_failure)
+--
+2.39.2
+
diff --git a/tmp-6.1/igc-avoid-transmit-queue-timeout-for-xdp.patch b/tmp-6.1/igc-avoid-transmit-queue-timeout-for-xdp.patch
new file mode 100644
index 00000000000..5aadd1a85b6
--- /dev/null
+++ b/tmp-6.1/igc-avoid-transmit-queue-timeout-for-xdp.patch
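Review bot: The new early return in igb_io_error_detected() leaves the interface attached and running, so whatever the driver's resume callback does after a `PCI_ERS_RESULT_CAN_RECOVER` result now runs against a device that was never detached. That callback is outside this hunk and should be checked to confirm it does not bring the adapter up a second time. The `dev_warn()` is also unconditional, and a link that keeps reporting non-fatal errors would fill the log; `dev_warn_ratelimited(&pdev->dev, "Non-correctable non-fatal error reported.\n");` bounds that. The function body continues past the hunk.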
@@ -0,0 +1,61 @@
+From c01002df2d8dadbc072d6f4a641153969ae81dc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Apr 2023 09:36:11 +0200
+Subject: igc: Avoid transmit queue timeout for XDP
+
+From: Kurt Kanzenbach
+
+[ Upstream commit 95b681485563c64585de78662ee52d06b7fa47d9 ]
+
+High XDP load triggers the netdev watchdog:
+
+|NETDEV WATCHDOG: enp3s0 (igc): transmit queue 2 timed out
+
+The reason is the Tx queue transmission start (txq->trans_start) is not updated
+in XDP code path. Therefore, add it for all XDP transmission functions.
+
+Signed-off-by: Kurt Kanzenbach
+Tested-by: Naama Meir
+Signed-off-by: Tony Nguyen
+Stable-dep-of: 78adb4bcf99e ("igc: Prevent garbled TX queue with XDP ZEROCOPY")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 273941f90f066..ade4bde47c65a 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -2402,6 +2402,8 @@ static int igc_xdp_xmit_back(struct igc_adapter *adapter, struct xdp_buff *xdp)
+ nq = txring_txq(ring);
+
+ __netif_tx_lock(nq, cpu);
++ /* Avoid transmit queue timeout since we share it with the slow path */
++ txq_trans_cond_update(nq);
+ res = igc_xdp_init_tx_descriptor(ring, xdpf);
+ __netif_tx_unlock(nq);
+ return res;
+@@ -2804,6 +2806,9 @@ static void igc_xdp_xmit_zc(struct igc_ring *ring)
+
+ __netif_tx_lock(nq, cpu);
+
++ /* Avoid transmit queue timeout since we share it with the slow path */
++ txq_trans_cond_update(nq);
++
+ budget = igc_desc_unused(ring);
+
+ while (xsk_tx_peek_desc(pool, &xdp_desc) && budget--) {
+@@ -6297,6 +6302,9 @@ static int igc_xdp_xmit(struct net_device *dev, int num_frames,
+
+ __netif_tx_lock(nq, cpu);
+
++ /* Avoid transmit queue timeout since we share it with the slow path */
++ txq_trans_cond_update(nq);
++
+ drops = 0;
+ for (i = 0; i < num_frames; i++) {
+ int err;
+--
+2.39.2
+
diff --git a/tmp-6.1/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch b/tmp-6.1/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch
new file mode 100644
index 00000000000..4254f230b5d
--- /dev/null
+++ b/tmp-6.1/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch
@@ -0,0 +1,79 @@
+From d6a3517285a333ba4076b9e7721da2053a4d7dd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 10:54:44 -0700
+Subject: igc: Prevent garbled TX queue with XDP ZEROCOPY
+
+From: Florian Kauer
+
+[ Upstream commit 78adb4bcf99effbb960c5f9091e2e062509d1030 ]
+
+In normal operation, each populated queue item has
+next_to_watch pointing to the last TX desc of the packet,
+while each cleaned item has it set to 0. In particular,
+next_to_use that points to the next (necessarily clean)
+item to use has next_to_watch set to 0.
+
+When the TX queue is used both by an application using
+AF_XDP with ZEROCOPY as well as a second non-XDP application
+generating high traffic, the queue pointers can get in
+an invalid state where next_to_use points to an item
+where next_to_watch is NOT set to 0.
+
+However, the implementation assumes at several places
+that this is never the case, so if it does hold,
+bad things happen. In particular, within the loop inside
+of igc_clean_tx_irq(), next_to_clean can overtake next_to_use.
+Finally, this prevents any further transmission via
+this queue and it never gets unblocked or signaled.
+Secondly, if the queue is in this garbled state,
+the inner loop of igc_clean_tx_ring() will never terminate,
+completely hogging a CPU core.
+
+The reason is that igc_xdp_xmit_zc() reads next_to_use
+before acquiring the lock, and writing it back
+(potentially unmodified) later. If it got modified
+before locking, the outdated next_to_use is written
+pointing to an item that was already used elsewhere
+(and thus next_to_watch got written).
+
+Fixes: 9acf59a752d4 ("igc: Enable TX via AF_XDP zero-copy")
+Signed-off-by: Florian Kauer
+Reviewed-by: Kurt Kanzenbach
+Tested-by: Kurt Kanzenbach
+Acked-by: Vinicius Costa Gomes
+Reviewed-by: Simon Horman
+Tested-by: Naama Meir
+Signed-off-by: Tony Nguyen
+Link: https://lore.kernel.org/r/20230717175444.3217831-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index ade4bde47c65a..2e091a4a065e7 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -2797,9 +2797,8 @@ static void igc_xdp_xmit_zc(struct igc_ring *ring)
+ struct netdev_queue *nq = txring_txq(ring);
+ union igc_adv_tx_desc *tx_desc = NULL;
+ int cpu = smp_processor_id();
+- u16 ntu = ring->next_to_use;
+ struct xdp_desc xdp_desc;
+- u16 budget;
++ u16 budget, ntu;
+
+ if (!netif_carrier_ok(ring->netdev))
+ return;
+@@ -2809,6 +2808,7 @@ static void igc_xdp_xmit_zc(struct igc_ring *ring)
+ /* Avoid transmit queue timeout since we share it with the slow path */
+ txq_trans_cond_update(nq);
+
++ ntu = ring->next_to_use;
+ budget = igc_desc_unused(ring);
+
+ while (xsk_tx_peek_desc(pool, &xdp_desc) && budget--) {
+--
+2.39.2
+
diff --git a/tmp-6.1/io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch b/tmp-6.1/io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch
new file mode 100644
index 00000000000..c6b43d83427
--- /dev/null
+++ b/tmp-6.1/io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch
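Review bot: Nothing at the moved assignment in igc_xdp_xmit_zc() says why `ntu` must be loaded after `__netif_tx_lock()`, and the old form, initialising it in the declaration, is the natural thing for a later cleanup to restore. A one-line comment above `ntu = ring->next_to_use;` would keep the ordering from regressing, for example `/* ring->next_to_use is shared with the slow path: read it only with the Tx lock held */`. The function body starts and ends outside the two hunks shown.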
@@ -0,0 +1,39 @@
+From a9be202269580ca611c6cebac90eaf1795497800 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Thu, 20 Jul 2023 13:16:53 -0600
+Subject: io_uring: treat -EAGAIN for REQ_F_NOWAIT as final for io-wq
+
+From: Jens Axboe
+
+commit a9be202269580ca611c6cebac90eaf1795497800 upstream.
+
+io-wq assumes that an issue is blocking, but it may not be if the
+request type has asked for a non-blocking attempt. If we get
+-EAGAIN for that case, then we need to treat it as a final result
+and not retry or arm poll for it.
+
+Cc: stable@vger.kernel.org # 5.10+
+Link: https://github.com/axboe/liburing/issues/897
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/io_uring.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -1803,6 +1803,14 @@ fail:
+ ret = io_issue_sqe(req, issue_flags);
+ if (ret != -EAGAIN)
+ break;
++
++ /*
++ * If REQ_F_NOWAIT is set, then don't wait or retry with
++ * poll. -EAGAIN is final for that case.
++ */
++ if (req->flags & REQ_F_NOWAIT)
++ break;
++
+ /*
+ * We can get EAGAIN for iopolled IO even though we're
+ * forcing a sync submission from here, since we can't
diff --git a/tmp-6.1/jbd2-recheck-chechpointing-non-dirty-buffer.patch b/tmp-6.1/jbd2-recheck-chechpointing-non-dirty-buffer.patch
new file mode 100644
index 00000000000..2cd2baafb78
--- /dev/null
+++ b/tmp-6.1/jbd2-recheck-chechpointing-non-dirty-buffer.patch
@@ -0,0 +1,191 @@
+From c2d6fd9d6f35079f1669f0100f05b46708c74b7f Mon Sep 17 00:00:00 2001
+From: Zhang Yi
+Date: Tue, 6 Jun 2023 21:59:23 +0800
+Subject: jbd2: recheck chechpointing non-dirty buffer
+
+From: Zhang Yi
+
+commit c2d6fd9d6f35079f1669f0100f05b46708c74b7f upstream.
+
+There is a long-standing metadata corruption issue that happens from
+time to time, but it's very difficult to reproduce and analyse, benefit
+from the JBD2_CYCLE_RECORD option, we found out that the problem is the
+checkpointing process miss to write out some buffers which are raced by
+another do_get_write_access(). Looks below for detail.
+
+jbd2_log_do_checkpoint() //transaction X
+ //buffer A is dirty and not belones to any transaction
+ __buffer_relink_io() //move it to the IO list
+ __flush_batch()
+ write_dirty_buffer()
+ do_get_write_access()
+ clear_buffer_dirty
+ __jbd2_journal_file_buffer()
+ //add buffer A to a new transaction Y
+ lock_buffer(bh)
+ //doesn't write out
+ __jbd2_journal_remove_checkpoint()
+ //finish checkpoint except buffer A
+ //filesystem corrupt if the new transaction Y isn't fully write out.
+
+Due to the t_checkpoint_list walking loop in jbd2_log_do_checkpoint()
+have already handles waiting for buffers under IO and re-added new
+transaction to complete commit, and it also removing cleaned buffers,
+this makes sure the list will eventually get empty. So it's fine to
+leave buffers on the t_checkpoint_list while flushing out and completely
+stop using the t_checkpoint_io_list.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Jan Kara
+Signed-off-by: Zhang Yi
+Tested-by: Zhihao Cheng
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20230606135928.434610-2-yi.zhang@huaweicloud.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jbd2/checkpoint.c | 102 ++++++++++++++-------------------------------------
+ 1 file changed, 29 insertions(+), 73 deletions(-)
+
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -58,28 +58,6 @@ static inline void __buffer_unlink(struc
+ }
+
+ /*
+- * Move a buffer from the checkpoint list to the checkpoint io list
+- *
+- * Called with j_list_lock held
+- */
+-static inline void __buffer_relink_io(struct journal_head *jh)
+-{
+- transaction_t *transaction = jh->b_cp_transaction;
+-
+- __buffer_unlink_first(jh);
+-
+- if (!transaction->t_checkpoint_io_list) {
+- jh->b_cpnext = jh->b_cpprev = jh;
+- } else {
+- jh->b_cpnext = transaction->t_checkpoint_io_list;
+- jh->b_cpprev = transaction->t_checkpoint_io_list->b_cpprev;
+- jh->b_cpprev->b_cpnext = jh;
+- jh->b_cpnext->b_cpprev = jh;
+- }
+- transaction->t_checkpoint_io_list = jh;
+-}
+-
+-/*
+ * Check a checkpoint buffer could be release or not.
+ *
+ * Requires j_list_lock
+@@ -183,6 +161,7 @@ __flush_batch(journal_t *journal, int *b
+ struct buffer_head *bh = journal->j_chkpt_bhs[i];
+ BUFFER_TRACE(bh, "brelse");
+ __brelse(bh);
++ journal->j_chkpt_bhs[i] = NULL;
+ }
+ *batch_count = 0;
+ }
+@@ -242,6 +221,11 @@ restart:
+ jh = transaction->t_checkpoint_list;
+ bh = jh2bh(jh);
+
++ /*
++ * The buffer may be writing back, or flushing out in the
++ * last couple of cycles, or re-adding into a new transaction,
++ * need to check it again until it's unlocked.
++ */
+ if (buffer_locked(bh)) {
+ get_bh(bh);
+ spin_unlock(&journal->j_list_lock);
+@@ -287,28 +271,32 @@ restart:
+ }
+ if (!buffer_dirty(bh)) {
+ BUFFER_TRACE(bh, "remove from checkpoint");
+- if (__jbd2_journal_remove_checkpoint(jh))
+- /* The transaction was released; we're done */
++ /*
++ * If the transaction was released or the checkpoint
++ * list was empty, we're done.
++ */
++ if (__jbd2_journal_remove_checkpoint(jh) ||
++ !transaction->t_checkpoint_list)
+ goto out;
+- continue;
++ } else {
++ /*
++ * We are about to write the buffer, it could be
++ * raced by some other transaction shrink or buffer
++ * re-log logic once we release the j_list_lock,
++ * leave it on the checkpoint list and check status
++ * again to make sure it's clean.
++ */
++ BUFFER_TRACE(bh, "queue");
++ get_bh(bh);
++ J_ASSERT_BH(bh, !buffer_jwrite(bh));
++ journal->j_chkpt_bhs[batch_count++] = bh;
++ transaction->t_chp_stats.cs_written++;
++ transaction->t_checkpoint_list = jh->b_cpnext;
+ }
+- /*
+- * Important: we are about to write the buffer, and
+- * possibly block, while still holding the journal
+- * lock. We cannot afford to let the transaction
+- * logic start messing around with this buffer before
+- * we write it to disk, as that would break
+- * recoverability.
+- */
+- BUFFER_TRACE(bh, "queue");
+- get_bh(bh);
+- J_ASSERT_BH(bh, !buffer_jwrite(bh));
+- journal->j_chkpt_bhs[batch_count++] = bh;
+- __buffer_relink_io(jh);
+- transaction->t_chp_stats.cs_written++;
++
+ if ((batch_count == JBD2_NR_BATCH) ||
+- need_resched() ||
+- spin_needbreak(&journal->j_list_lock))
++ need_resched() || spin_needbreak(&journal->j_list_lock) ||
++ jh2bh(transaction->t_checkpoint_list) == journal->j_chkpt_bhs[0])
+ goto unlock_and_flush;
+ }
+
+@@ -322,38 +310,6 @@ restart:
+ goto restart;
+ }
+
+- /*
+- * Now we issued all of the transaction's buffers, let's deal
+- * with the buffers that are out for I/O.
+- */
+-restart2:
+- /* Did somebody clean up the transaction in the meanwhile? */
+- if (journal->j_checkpoint_transactions != transaction ||
+- transaction->t_tid != this_tid)
+- goto out;
+-
+- while (transaction->t_checkpoint_io_list) {
+- jh = transaction->t_checkpoint_io_list;
+- bh = jh2bh(jh);
+- if (buffer_locked(bh)) {
+- get_bh(bh);
+- spin_unlock(&journal->j_list_lock);
+- wait_on_buffer(bh);
+- /* the journal_head may have gone by now */
+- BUFFER_TRACE(bh, "brelse");
+- __brelse(bh);
+- spin_lock(&journal->j_list_lock);
+- goto restart2;
+- }
+-
+- /*
+- * Now in whatever state the buffer currently is, we
+- * know that it has been written out and so we can
+- * drop it from the list
+- */
+- if (__jbd2_journal_remove_checkpoint(jh))
+- break;
+- }
+ out:
+ spin_unlock(&journal->j_list_lock);
+ result = jbd2_cleanup_journal_tail(journal);
diff --git a/tmp-6.1/kallsyms-add-kallsyms_seqs_of_names-to-list-of-special-symbols.patch b/tmp-6.1/kallsyms-add-kallsyms_seqs_of_names-to-list-of-special-symbols.patch
new file mode 100644
index 00000000000..9d63e2e6348
--- /dev/null
+++ b/tmp-6.1/kallsyms-add-kallsyms_seqs_of_names-to-list-of-special-symbols.patch
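Review bot: The fourth term added to the flush condition, `jh2bh(transaction->t_checkpoint_list) == journal->j_chkpt_bhs[0]`, carries no comment, and it appears to depend on the `journal->j_chkpt_bhs[i] = NULL;` added to __flush_batch() so that a pointer left over from an earlier batch cannot match while the current batch is empty. Since buffers now stay on t_checkpoint_list while queued, this looks like the check that stops the walk once it wraps round to the first buffer of the batch. Saying so next to the condition would make the coupling between the two hunks visible, for example `/* flush once the list walk wraps to the first queued buffer; __flush_batch() clears the slots */`. The loop in jbd2_log_do_checkpoint() starts outside the hunk.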
@@ -0,0 +1,41 @@
+From ced0f245ed951e2b8bd68f79c15238d7dd253662 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Mon, 6 Mar 2023 11:14:50 +0100
+Subject: kallsyms: add kallsyms_seqs_of_names to list of special symbols
+
+From: Arnd Bergmann
+
+commit ced0f245ed951e2b8bd68f79c15238d7dd253662 upstream.
+
+My randconfig build setup ran into another kallsyms warning:
+
+Inconsistent kallsyms data
+Try make KALLSYMS_EXTRA_PASS=1 as a workaround
+
+After adding some debugging code to kallsyms.c, I saw that the recently
+added kallsyms_seqs_of_names symbol can sometimes cause the second stage
+table to be slightly longer than the first stage, which makes the
+build inconsistent.
+
+Add it to the exception table that contains all other kallsyms-generated
+symbols.
+
+Fixes: 60443c88f3a8 ("kallsyms: Improve the performance of kallsyms_lookup_name()")
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Zhen Lei
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/kallsyms.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/scripts/kallsyms.c
++++ b/scripts/kallsyms.c
+@@ -118,6 +118,7 @@ static bool is_ignored_symbol(const char
+ "kallsyms_markers",
+ "kallsyms_token_table",
+ "kallsyms_token_index",
++ "kallsyms_seqs_of_names",
+ /* Exclude linker generated symbols which vary between passes */
+ "_SDA_BASE_", /* ppc */
+ "_SDA2_BASE_", /* ppc */
diff --git a/tmp-6.1/kallsyms-correctly-sequence-symbols-when-config_lto_.patch b/tmp-6.1/kallsyms-correctly-sequence-symbols-when-config_lto_.patch
new file mode 100644
index 00000000000..5ee0e2c26ff
--- /dev/null
+++ b/tmp-6.1/kallsyms-correctly-sequence-symbols-when-config_lto_.patch
@@ -0,0 +1,151 @@
+From 84ac2024e94e7308d618a49933dee91acc662e7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Nov 2022 16:49:15 +0800
+Subject: kallsyms: Correctly sequence symbols when CONFIG_LTO_CLANG=y
+
+From: Zhen Lei
+
+[ Upstream commit 010a0aad39fccceba4a07d30d163158a39c704f3 ]
+
+LLVM appends various suffixes for local functions and variables, suffixes
+observed:
+ - foo.llvm.[0-9a-f]+
+ - foo.[0-9a-f]+
+
+Therefore, when CONFIG_LTO_CLANG=y, kallsyms_lookup_name() needs to
+truncate the suffix of the symbol name before comparing the local function
+or variable name.
+
+Old implementation code:
+- if (strcmp(namebuf, name) == 0)
+- return kallsyms_sym_address(i);
+- if (cleanup_symbol_name(namebuf) && strcmp(namebuf, name) == 0)
+- return kallsyms_sym_address(i);
+
+The preceding process is traversed by address from low to high. That is,
+for those with the same name after the suffix is removed, the one with
+the smallest address is returned first. Therefore, when sorting in the
+tool, if the raw names are the same, they should be sorted by address in
+ascending order.
+
+ASCII[.] = 2e
+ASCII[0-9] = 30,39
+ASCII[A-Z] = 41,5a
+ASCII[_] = 5f
+ASCII[a-z] = 61,7a
+
+According to the preceding ASCII code values, the following sorting result
+is strictly followed.
+ ---------------------------------
+| main-key | sub-key |
+|---------------------------------|
+| | addr_lowest |
+| | ... |
+| . | ... |
+| | addr_highest |
+|---------------------------------|
+| ? | | //? is [_A-Za-z0-9]
+ ---------------------------------
+
+Signed-off-by: Zhen Lei
+Signed-off-by: Luis Chamberlain
+Stable-dep-of: 8cc32a9bbf29 ("kallsyms: strip LTO-only suffixes from promoted global functions")
+Signed-off-by: Sasha Levin
+---
+ scripts/kallsyms.c | 36 ++++++++++++++++++++++++++++++++++--
+ scripts/link-vmlinux.sh | 4 ++++
+ 2 files changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c
+index dcb744a067e5e..67ef9aa14a770 100644
+--- a/scripts/kallsyms.c
++++ b/scripts/kallsyms.c
+@@ -78,6 +78,7 @@ static unsigned int table_size, table_cnt;
+ static int all_symbols;
+ static int absolute_percpu;
+ static int base_relative;
++static int lto_clang;
+
+ static int token_profit[0x10000];
+
+@@ -89,7 +90,7 @@ static unsigned char best_table_len[256];
+ static void usage(void)
+ {
+ fprintf(stderr, "Usage: kallsyms [--all-symbols] [--absolute-percpu] "
+- "[--base-relative] in.map > out.S\n");
++ "[--base-relative] [--lto-clang] in.map > out.S\n");
+ exit(1);
+ }
+
+@@ -411,6 +412,34 @@ static int symbol_absolute(const struct sym_entry *s)
+ return s->percpu_absolute;
+ }
+
++static char * s_name(char *buf)
++{
++ /* Skip the symbol type */
++ return buf + 1;
++}
++
++static void cleanup_symbol_name(char *s)
++{
++ char *p;
++
++ if (!lto_clang)
++ return;
++
++ /*
++ * ASCII[.] = 2e
++ * ASCII[0-9] = 30,39
++ * ASCII[A-Z] = 41,5a
++ * ASCII[_] = 5f
++ * ASCII[a-z] = 61,7a
++ *
++ * As above, replacing '.' with '\0' does not affect the main sorting,
++ * but it helps us with subsorting.
++ */
++ p = strchr(s, '.');
++ if (p)
++ *p = '\0';
++}
++
+ static int compare_names(const void *a, const void *b)
+ {
+ int ret;
+@@ -421,7 +450,9 @@ static int compare_names(const void *a, const void *b)
+
+ expand_symbol(sa->sym, sa->len, sa_namebuf);
+ expand_symbol(sb->sym, sb->len, sb_namebuf);
+- ret = strcmp(&sa_namebuf[1], &sb_namebuf[1]);
++ cleanup_symbol_name(s_name(sa_namebuf));
++ cleanup_symbol_name(s_name(sb_namebuf));
++ ret = strcmp(s_name(sa_namebuf), s_name(sb_namebuf));
+ if (!ret) {
+ if (sa->addr > sb->addr)
+ return 1;
+@@ -855,6 +886,7 @@ int main(int argc, char **argv)
+ {"all-symbols", no_argument, &all_symbols, 1},
+ {"absolute-percpu", no_argument, &absolute_percpu, 1},
+ {"base-relative", no_argument, &base_relative, 1},
++ {"lto-clang", no_argument, <o_clang, 1},
+ {},
+ };
+
+diff --git a/scripts/link-vmlinux.sh b/scripts/link-vmlinux.sh
+index 918470d768e9c..32e573943cf03 100755
+--- a/scripts/link-vmlinux.sh
++++ b/scripts/link-vmlinux.sh
+@@ -156,6 +156,10 @@ kallsyms()
+ kallsymopt="${kallsymopt} --base-relative"
+ fi
+
++ if is_enabled CONFIG_LTO_CLANG; then
++ kallsymopt="${kallsymopt} --lto-clang"
++ fi
++
+ info KSYMS ${2}
+ scripts/kallsyms ${kallsymopt} ${1} > ${2}
+ }
+--
+2.39.2
+
diff --git a/tmp-6.1/kallsyms-improve-the-performance-of-kallsyms_lookup_.patch b/tmp-6.1/kallsyms-improve-the-performance-of-kallsyms_lookup_.patch
new file mode 100644
index 00000000000..9b63380a315
--- /dev/null
+++ b/tmp-6.1/kallsyms-improve-the-performance-of-kallsyms_lookup_.patch
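Review bot: cleanup_symbol_name() in scripts/kallsyms.c cuts every name at its first '.' when `--lto-clang` is given, and the commit message ties the resulting order to what the kernel-side lookup compares against, but the new code has no comment naming that counterpart, so the two can drift apart unnoticed. A short note above the function stating that the truncation must match the suffix stripping done at lookup time would cover it; the kernel-side function is not part of this patch, so the exact rule should be confirmed there. As a style point, `static char * s_name(char *buf)` should be `static char *s_name(char *buf)`.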
@@ -0,0 +1,241 @@ +From 0abbf42237e70e5ca1bdbcd75de6eed8c1bd4077 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 16:49:14 +0800 +Subject: kallsyms: Improve the performance of kallsyms_lookup_name() + +From: Zhen Lei + +[ Upstream commit 60443c88f3a89fd303a9e8c0e84895910675c316 ] + +Currently, to search for a symbol, we need to expand the symbols in +'kallsyms_names' one by one, and then use the expanded string for +comparison. It's O(n). + +If we sort names in ascending order like addresses, we can also use +binary search. It's O(log(n)). + +In order not to change the implementation of "/proc/kallsyms", the table +kallsyms_names[] is still stored in a one-to-one correspondence with the +address in ascending order. + +Add array kallsyms_seqs_of_names[], it's indexed by the sequence number +of the sorted names, and the corresponding content is the sequence number +of the sorted addresses. For example: +Assume that the index of NameX in array kallsyms_seqs_of_names[] is 'i', +the content of kallsyms_seqs_of_names[i] is 'k', then the corresponding +address of NameX is kallsyms_addresses[k]. The offset in kallsyms_names[] +is get_symbol_offset(k). + +Note that the memory usage will increase by (4 * kallsyms_num_syms) +bytes, the next two patches will reduce (1 * kallsyms_num_syms) bytes +and properly handle the case CONFIG_LTO_CLANG=y. + +Performance test results: (x86) +Before: +min=234, max=10364402, avg=5206926 +min=267, max=11168517, avg=5207587 +After: +min=1016, max=90894, avg=7272 +min=1014, max=93470, avg=7293 + +The average lookup performance of kallsyms_lookup_name() improved 715x. 
+ +Signed-off-by: Zhen Lei +Signed-off-by: Luis Chamberlain +Stable-dep-of: 8cc32a9bbf29 ("kallsyms: strip LTO-only suffixes from promoted global functions") +Signed-off-by: Sasha Levin +--- + kernel/kallsyms.c | 86 +++++++++++++++++++++++++++++++++----- + kernel/kallsyms_internal.h | 1 + + scripts/kallsyms.c | 37 ++++++++++++++++ + 3 files changed, 113 insertions(+), 11 deletions(-) + +diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c +index 60c20f301a6ba..ba351dfa109b6 100644 +--- a/kernel/kallsyms.c ++++ b/kernel/kallsyms.c +@@ -187,26 +187,90 @@ static bool cleanup_symbol_name(char *s) + return false; + } + ++static int compare_symbol_name(const char *name, char *namebuf) ++{ ++ int ret; ++ ++ ret = strcmp(name, namebuf); ++ if (!ret) ++ return ret; ++ ++ if (cleanup_symbol_name(namebuf) && !strcmp(name, namebuf)) ++ return 0; ++ ++ return ret; ++} ++ ++static int kallsyms_lookup_names(const char *name, ++ unsigned int *start, ++ unsigned int *end) ++{ ++ int ret; ++ int low, mid, high; ++ unsigned int seq, off; ++ char namebuf[KSYM_NAME_LEN]; ++ ++ low = 0; ++ high = kallsyms_num_syms - 1; ++ ++ while (low <= high) { ++ mid = low + (high - low) / 2; ++ seq = kallsyms_seqs_of_names[mid]; ++ off = get_symbol_offset(seq); ++ kallsyms_expand_symbol(off, namebuf, ARRAY_SIZE(namebuf)); ++ ret = compare_symbol_name(name, namebuf); ++ if (ret > 0) ++ low = mid + 1; ++ else if (ret < 0) ++ high = mid - 1; ++ else ++ break; ++ } ++ ++ if (low > high) ++ return -ESRCH; ++ ++ low = mid; ++ while (low) { ++ seq = kallsyms_seqs_of_names[low - 1]; ++ off = get_symbol_offset(seq); ++ kallsyms_expand_symbol(off, namebuf, ARRAY_SIZE(namebuf)); ++ if (compare_symbol_name(name, namebuf)) ++ break; ++ low--; ++ } ++ *start = low; ++ ++ if (end) { ++ high = mid; ++ while (high < kallsyms_num_syms - 1) { ++ seq = kallsyms_seqs_of_names[high + 1]; ++ off = get_symbol_offset(seq); ++ kallsyms_expand_symbol(off, namebuf, ARRAY_SIZE(namebuf)); ++ if (compare_symbol_name(name, namebuf)) 
++ break; ++ high++; ++ } ++ *end = high; ++ } ++ ++ return 0; ++} ++ + /* Lookup the address for this symbol. Returns 0 if not found. */ + unsigned long kallsyms_lookup_name(const char *name) + { +- char namebuf[KSYM_NAME_LEN]; +- unsigned long i; +- unsigned int off; ++ int ret; ++ unsigned int i; + + /* Skip the search for empty string. */ + if (!*name) + return 0; + +- for (i = 0, off = 0; i < kallsyms_num_syms; i++) { +- off = kallsyms_expand_symbol(off, namebuf, ARRAY_SIZE(namebuf)); +- +- if (strcmp(namebuf, name) == 0) +- return kallsyms_sym_address(i); ++ ret = kallsyms_lookup_names(name, &i, NULL); ++ if (!ret) ++ return kallsyms_sym_address(kallsyms_seqs_of_names[i]); + +- if (cleanup_symbol_name(namebuf) && strcmp(namebuf, name) == 0) +- return kallsyms_sym_address(i); +- } + return module_kallsyms_lookup_name(name); + } + +diff --git a/kernel/kallsyms_internal.h b/kernel/kallsyms_internal.h +index 2d0c6f2f0243a..a04b7a5cb1e3e 100644 +--- a/kernel/kallsyms_internal.h ++++ b/kernel/kallsyms_internal.h +@@ -26,5 +26,6 @@ extern const char kallsyms_token_table[] __weak; + extern const u16 kallsyms_token_index[] __weak; + + extern const unsigned int kallsyms_markers[] __weak; ++extern const unsigned int kallsyms_seqs_of_names[] __weak; + + #endif // LINUX_KALLSYMS_INTERNAL_H_ +diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c +index 03fa07ad45d95..dcb744a067e5e 100644 +--- a/scripts/kallsyms.c ++++ b/scripts/kallsyms.c +@@ -49,6 +49,7 @@ _Static_assert( + struct sym_entry { + unsigned long long addr; + unsigned int len; ++ unsigned int seq; + unsigned int start_pos; + unsigned int percpu_absolute; + unsigned char sym[]; +@@ -410,6 +411,35 @@ static int symbol_absolute(const struct sym_entry *s) + return s->percpu_absolute; + } + ++static int compare_names(const void *a, const void *b) ++{ ++ int ret; ++ char sa_namebuf[KSYM_NAME_LEN]; ++ char sb_namebuf[KSYM_NAME_LEN]; ++ const struct sym_entry *sa = *(const struct sym_entry **)a; ++ const struct 
sym_entry *sb = *(const struct sym_entry **)b; ++ ++ expand_symbol(sa->sym, sa->len, sa_namebuf); ++ expand_symbol(sb->sym, sb->len, sb_namebuf); ++ ret = strcmp(&sa_namebuf[1], &sb_namebuf[1]); ++ if (!ret) { ++ if (sa->addr > sb->addr) ++ return 1; ++ else if (sa->addr < sb->addr) ++ return -1; ++ ++ /* keep old order */ ++ return (int)(sa->seq - sb->seq); ++ } ++ ++ return ret; ++} ++ ++static void sort_symbols_by_name(void) ++{ ++ qsort(table, table_cnt, sizeof(table[0]), compare_names); ++} ++ + static void write_src(void) + { + unsigned int i, k, off; +@@ -495,6 +525,7 @@ static void write_src(void) + for (i = 0; i < table_cnt; i++) { + if ((i & 0xFF) == 0) + markers[i >> 8] = off; ++ table[i]->seq = i; + + /* There cannot be any symbol of length zero. */ + if (table[i]->len == 0) { +@@ -535,6 +566,12 @@ static void write_src(void) + + free(markers); + ++ sort_symbols_by_name(); ++ output_label("kallsyms_seqs_of_names"); ++ for (i = 0; i < table_cnt; i++) ++ printf("\t.long\t%u\n", table[i]->seq); ++ printf("\n"); ++ + output_label("kallsyms_token_table"); + off = 0; + for (i = 0; i < 256; i++) { +-- +2.39.2 + diff --git a/tmp-6.1/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch b/tmp-6.1/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch new file mode 100644 index 00000000000..e74c07b91eb --- /dev/null +++ b/tmp-6.1/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch 
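Review bot: The binary search in `kallsyms_lookup_names()` is only correct if `kallsyms_seqs_of_names[]` was sorted at build time with the ordering that `compare_symbol_name()` applies at run time, and nothing in the new code states that. The build side (`compare_names()` in scripts/kallsyms.c) orders by `strcmp()` on the full expanded name, while the kernel side also treats a name as equal after `cleanup_symbol_name()` has cut it. If the two orderings diverge, a lookup may miss an existing symbol or stop on a neighbouring one, which matters to callers such as kprobes and livepatch that act on the returned address. The commit message defers the CONFIG_LTO_CLANG case to later patches, so this one should not be carried without them. I would add above the function: `/* Binary search: kallsyms_seqs_of_names[] must be sorted by scripts/kallsyms.c using the same ordering as compare_symbol_name(). */`.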
@@ -0,0 +1,104 @@ +From 8ed9d429c7185d4b3fe9ef6360e3f9e6f63265c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jun 2023 11:19:26 -0700 +Subject: kallsyms: strip LTO-only suffixes from promoted global functions + +From: Yonghong Song + +[ Upstream commit 8cc32a9bbf2934d90762d9de0187adcb5ad46a11 ] + +Commit 6eb4bd92c1ce ("kallsyms: strip LTO suffixes from static functions") +stripped all function/variable suffixes started with '.' regardless +of whether those suffixes are generated at LTO mode or not. In fact, +as far as I know, in LTO mode, when a static function/variable is +promoted to the global scope, '.llvm.<...>' suffix is added. + +The existing mechanism breaks live patch for a LTO kernel even if +no .llvm.<...> symbols are involved. For example, for the following +kernel symbols: + $ grep bpf_verifier_vlog /proc/kallsyms + ffffffff81549f60 t bpf_verifier_vlog + ffffffff8268b430 d bpf_verifier_vlog._entry + ffffffff8282a958 d bpf_verifier_vlog._entry_ptr + ffffffff82e12a1f d bpf_verifier_vlog.__already_done +'bpf_verifier_vlog' is a static function. '_entry', '_entry_ptr' and +'__already_done' are static variables used inside 'bpf_verifier_vlog', +so llvm promotes them to file-level static with prefix 'bpf_verifier_vlog.'. +Note that the func-level to file-level static function promotion also +happens without LTO. + +Given a symbol name 'bpf_verifier_vlog', with LTO kernel, current mechanism will +return 4 symbols to live patch subsystem which current live patching +subsystem cannot handle it. With non-LTO kernel, only one symbol +is returned. + +In [1], we have a lengthy discussion, the suggestion is to separate two +cases: + (1). new symbols with suffix which are generated regardless of whether + LTO is enabled or not, and + (2). new symbols with suffix generated only when LTO is enabled. + +The cleanup_symbol_name() should only remove suffixes for case (2). +Case (1) should not be changed so it can work uniformly with or without LTO. 
+ +This patch removed LTO-only suffix '.llvm.<...>' so live patching and +tracing should work the same way for non-LTO kernel. +The cleanup_symbol_name() in scripts/kallsyms.c is also changed to have the same +filtering pattern so both kernel and kallsyms tool have the same +expectation on the order of symbols. + + [1] https://lore.kernel.org/live-patching/20230615170048.2382735-1-song@kernel.org/T/#u + +Fixes: 6eb4bd92c1ce ("kallsyms: strip LTO suffixes from static functions") +Reported-by: Song Liu +Signed-off-by: Yonghong Song +Reviewed-by: Zhen Lei +Reviewed-by: Nick Desaulniers +Acked-by: Song Liu +Link: https://lore.kernel.org/r/20230628181926.4102448-1-yhs@fb.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + kernel/kallsyms.c | 5 ++--- + scripts/kallsyms.c | 6 +++--- + 2 files changed, 5 insertions(+), 6 deletions(-) + +diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c +index ba351dfa109b6..676328a7c8c75 100644 +--- a/kernel/kallsyms.c ++++ b/kernel/kallsyms.c +@@ -174,11 +174,10 @@ static bool cleanup_symbol_name(char *s) + * LLVM appends various suffixes for local functions and variables that + * must be promoted to global scope as part of LTO. This can break + * hooking of static functions with kprobes. '.' is not a valid +- * character in an identifier in C. Suffixes observed: ++ * character in an identifier in C. Suffixes only in LLVM LTO observed: + * - foo.llvm.[0-9a-f]+ +- * - foo.[0-9a-f]+ + */ +- res = strchr(s, '.'); ++ res = strstr(s, ".llvm."); + if (res) { + *res = '\0'; + return true; +diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c +index 67ef9aa14a770..51edc73e2ebf8 100644 +--- a/scripts/kallsyms.c ++++ b/scripts/kallsyms.c +@@ -432,10 +432,10 @@ static void cleanup_symbol_name(char *s) + * ASCII[_] = 5f + * ASCII[a-z] = 61,7a + * +- * As above, replacing '.' with '\0' does not affect the main sorting, +- * but it helps us with subsorting. ++ * As above, replacing the first '.' in ".llvm." 
with '\0' does not ++ * affect the main sorting, but it helps us with subsorting. + */ +- p = strchr(s, '.'); ++ p = strstr(s, ".llvm."); + if (p) + *p = '\0'; + } +-- +2.39.2 + diff --git a/tmp-6.1/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch b/tmp-6.1/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch new file mode 100644 index 00000000000..75ed3459f73 --- /dev/null +++ b/tmp-6.1/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch 
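Review bot: The `".llvm."` pattern is now written out separately in kernel/kallsyms.c and scripts/kallsyms.c, and nothing ties the two copies together. The description says both must filter identically so the build tool and the kernel agree on symbol order, which makes a one-sided edit later a silent lookup failure rather than a build error. I would add `/* Keep in sync with cleanup_symbol_name() in scripts/kallsyms.c */` on the kernel side and the mirror-image comment in the script. The reworded kernel comment is also hard to parse: "Suffixes observed only with LLVM LTO:" reads better than `Suffixes only in LLVM LTO observed:`. Both functions start outside their hunks.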
@@ -0,0 +1,177 @@ +From d55901522f96082a43b9842d34867363c0cdbac5 Mon Sep 17 00:00:00 2001 +From: Petr Pavlu +Date: Thu, 23 Mar 2023 14:04:12 +0100 +Subject: keys: Fix linking a duplicate key to a keyring's assoc_array + +From: Petr Pavlu + +commit d55901522f96082a43b9842d34867363c0cdbac5 upstream. + +When making a DNS query inside the kernel using dns_query(), the request +code can in rare cases end up creating a duplicate index key in the +assoc_array of the destination keyring. It is eventually found by +a BUG_ON() check in the assoc_array implementation and results in +a crash. + +Example report: +[2158499.700025] kernel BUG at ../lib/assoc_array.c:652! +[2158499.700039] invalid opcode: 0000 [#1] SMP PTI +[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3 +[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 +[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs] +[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40 +[2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f +[2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282 +[2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005 +[2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 +[2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000 +[2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28 +[2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740 +[2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000 +[2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[2158499.700630] CR2: 00007fdd94fca238 CR3: 
0000000809d8c006 CR4: 00000000003706e0 +[2158499.700702] Call Trace: +[2158499.700741] ? key_alloc+0x447/0x4b0 +[2158499.700768] ? __key_link_begin+0x43/0xa0 +[2158499.700790] __key_link_begin+0x43/0xa0 +[2158499.700814] request_key_and_link+0x2c7/0x730 +[2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver] +[2158499.700873] ? key_default_cmp+0x20/0x20 +[2158499.700898] request_key_tag+0x43/0xa0 +[2158499.700926] dns_query+0x114/0x2ca [dns_resolver] +[2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs] +[2158499.701164] ? scnprintf+0x49/0x90 +[2158499.701190] ? __switch_to_asm+0x40/0x70 +[2158499.701211] ? __switch_to_asm+0x34/0x70 +[2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs] +[2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs] +[2158499.701632] process_one_work+0x1f8/0x3e0 +[2158499.701658] worker_thread+0x2d/0x3f0 +[2158499.701682] ? process_one_work+0x3e0/0x3e0 +[2158499.701703] kthread+0x10d/0x130 +[2158499.701723] ? kthread_park+0xb0/0xb0 +[2158499.701746] ret_from_fork+0x1f/0x40 + +The situation occurs as follows: +* Some kernel facility invokes dns_query() to resolve a hostname, for + example, "abcdef". The function registers its global DNS resolver + cache as current->cred.thread_keyring and passes the query to + request_key_net() -> request_key_tag() -> request_key_and_link(). +* Function request_key_and_link() creates a keyring_search_context + object. Its match_data.cmp method gets set via a call to + type->match_preparse() (resolves to dns_resolver_match_preparse()) to + dns_resolver_cmp(). +* Function request_key_and_link() continues and invokes + search_process_keyrings_rcu() which returns that a given key was not + found. The control is then passed to request_key_and_link() -> + construct_alloc_key(). +* Concurrently to that, a second task similarly makes a DNS query for + "abcdef." and its result gets inserted into the DNS resolver cache. 
+* Back on the first task, function construct_alloc_key() first runs + __key_link_begin() to determine an assoc_array_edit operation to + insert a new key. Index keys in the array are compared exactly as-is, + using keyring_compare_object(). The operation finds that "abcdef" is + not yet present in the destination keyring. +* Function construct_alloc_key() continues and checks if a given key is + already present on some keyring by again calling + search_process_keyrings_rcu(). This search is done using + dns_resolver_cmp() and "abcdef" gets matched with now present key + "abcdef.". +* The found key is linked on the destination keyring by calling + __key_link() and using the previously calculated assoc_array_edit + operation. This inserts the "abcdef." key in the array but creates + a duplicity because the same index key is already present. + +Fix the problem by postponing __key_link_begin() in +construct_alloc_key() until an actual key which should be linked into +the destination keyring is determined. 
+ +[jarkko@kernel.org: added a fixes tag and cc to stable] +Cc: stable@vger.kernel.org # v5.3+ +Fixes: df593ee23e05 ("keys: Hoist locking out of __key_link_begin()") +Signed-off-by: Petr Pavlu +Reviewed-by: Joey Lee +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/request_key.c | 35 ++++++++++++++++++++++++----------- + 1 file changed, 24 insertions(+), 11 deletions(-) + +--- a/security/keys/request_key.c ++++ b/security/keys/request_key.c +@@ -401,17 +401,21 @@ static int construct_alloc_key(struct ke + set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags); + + if (dest_keyring) { +- ret = __key_link_lock(dest_keyring, &ctx->index_key); ++ ret = __key_link_lock(dest_keyring, &key->index_key); + if (ret < 0) + goto link_lock_failed; +- ret = __key_link_begin(dest_keyring, &ctx->index_key, &edit); +- if (ret < 0) +- goto link_prealloc_failed; + } + +- /* attach the key to the destination keyring under lock, but we do need ++ /* ++ * Attach the key to the destination keyring under lock, but we do need + * to do another check just in case someone beat us to it whilst we +- * waited for locks */ ++ * waited for locks. ++ * ++ * The caller might specify a comparison function which looks for keys ++ * that do not exactly match but are still equivalent from the caller's ++ * perspective. The __key_link_begin() operation must be done only after ++ * an actual key is determined. 
++ */ + mutex_lock(&key_construction_mutex); + + rcu_read_lock(); +@@ -420,12 +424,16 @@ static int construct_alloc_key(struct ke + if (!IS_ERR(key_ref)) + goto key_already_present; + +- if (dest_keyring) ++ if (dest_keyring) { ++ ret = __key_link_begin(dest_keyring, &key->index_key, &edit); ++ if (ret < 0) ++ goto link_alloc_failed; + __key_link(dest_keyring, key, &edit); ++ } + + mutex_unlock(&key_construction_mutex); + if (dest_keyring) +- __key_link_end(dest_keyring, &ctx->index_key, edit); ++ __key_link_end(dest_keyring, &key->index_key, edit); + mutex_unlock(&user->cons_lock); + *_key = key; + kleave(" = 0 [%d]", key_serial(key)); +@@ -438,10 +446,13 @@ key_already_present: + mutex_unlock(&key_construction_mutex); + key = key_ref_to_ptr(key_ref); + if (dest_keyring) { ++ ret = __key_link_begin(dest_keyring, &key->index_key, &edit); ++ if (ret < 0) ++ goto link_alloc_failed_unlocked; + ret = __key_link_check_live_key(dest_keyring, key); + if (ret == 0) + __key_link(dest_keyring, key, &edit); +- __key_link_end(dest_keyring, &ctx->index_key, edit); ++ __key_link_end(dest_keyring, &key->index_key, edit); + if (ret < 0) + goto link_check_failed; + } +@@ -456,8 +467,10 @@ link_check_failed: + kleave(" = %d [linkcheck]", ret); + return ret; + +-link_prealloc_failed: +- __key_link_end(dest_keyring, &ctx->index_key, edit); ++link_alloc_failed: ++ mutex_unlock(&key_construction_mutex); ++link_alloc_failed_unlocked: ++ __key_link_end(dest_keyring, &key->index_key, edit); + link_lock_failed: + mutex_unlock(&user->cons_lock); + key_put(key); diff --git a/tmp-6.1/llc-don-t-drop-packet-from-non-root-netns.patch b/tmp-6.1/llc-don-t-drop-packet-from-non-root-netns.patch new file mode 100644 index 00000000000..f12f3fb002b --- /dev/null +++ b/tmp-6.1/llc-don-t-drop-packet-from-non-root-netns.patch 
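Review bot: Both new error labels reach `__key_link_end(dest_keyring, &key->index_key, edit)` after `__key_link_begin()` has failed, so `edit` is passed on without having been filled in by a successful begin. The declaration of `edit` and the body of `__key_link_end()` are outside the hunk; please confirm `edit` starts as NULL and that a NULL edit is accepted there, since the old `link_prealloc_failed` path had the same shape but was reached from only one place. On the `key_already_present` path, `key` has already been reassigned to the found key, so the `key_put(key)` under `link_lock_failed` drops that reference rather than the newly allocated one. That looks intended but is easy to misread. A comment at the label would help: `/* __key_link_begin() failed: edit is unset, only the keyring lock taken by __key_link_lock() is released */`.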
@@ -0,0 +1,50 @@
+From e9fa3eef2ea63154cf4655e320d9deee9b91fb21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Jul 2023 10:41:51 -0700
+Subject: llc: Don't drop packet from non-root netns.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 6631463b6e6673916d2481f692938f393148aa82 ]
+
+Now these upper layer protocol handlers can be called from llc_rcv()
+as sap->rcv_func(), which is registered by llc_sap_open().
+
+ * function which is passed to register_8022_client()
+ -> no in-kernel user calls register_8022_client().
+
+ * snap_rcv()
+ `- proto->rcvfunc() : registered by register_snap_client()
+ -> aarp_rcv() and atalk_rcv() drop packets from non-root netns
+
+ * stp_pdu_rcv()
+ `- garp_protos[]->rcv() : registered by stp_proto_register()
+ -> garp_pdu_rcv() and br_stp_rcv() are netns-aware
+
+So, we can safely remove the netns restriction in llc_rcv().
+
+Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/llc/llc_input.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
+index c309b72a58779..7cac441862e21 100644
+--- a/net/llc/llc_input.c
++++ b/net/llc/llc_input.c
+@@ -163,9 +163,6 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
+ void (*sta_handler)(struct sk_buff *skb);
+ void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb);
+
+- if (!net_eq(dev_net(dev), &init_net))
+- goto drop;
+-
+ /*
+ * When the interface is in promisc. mode, drop all the crap that it
+ * receives, do not try to analyse it.
+--
+2.39.2
+
diff --git a/tmp-6.1/maple_tree-fix-node-allocation-testing-on-32-bit.patch b/tmp-6.1/maple_tree-fix-node-allocation-testing-on-32-bit.patch
new file mode 100644
index 00000000000..3ca068f24d3
--- /dev/null
+++ b/tmp-6.1/maple_tree-fix-node-allocation-testing-on-32-bit.patch
@@ -0,0 +1,40 @@
+From ef5c3de5211b5a3a8102b25aa83eb4cde65ac2fd Mon Sep 17 00:00:00 2001
+From: "Liam R. Howlett"
+Date: Wed, 12 Jul 2023 13:39:16 -0400
+Subject: maple_tree: fix node allocation testing on 32 bit
+
+From: Liam R. Howlett
+
+commit ef5c3de5211b5a3a8102b25aa83eb4cde65ac2fd upstream.
+
+Internal node counting was altered and the 64 bit test was updated,
+however the 32bit test was missed.
+
+Restore the 32bit test to a functional state.
+
+Link: https://lore.kernel.org/linux-mm/CAMuHMdV4T53fOw7VPoBgPR7fP6RYqf=CBhD_y_vOg53zZX_DnA@mail.gmail.com/
+Link: https://lkml.kernel.org/r/20230712173916.168805-2-Liam.Howlett@oracle.com
+Fixes: 541e06b772c1 ("maple_tree: remove GFP_ZERO from kmem_cache_alloc() and kmem_cache_alloc_bulk()")
+Signed-off-by: Liam R. Howlett
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/radix-tree/maple.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/tools/testing/radix-tree/maple.c
++++ b/tools/testing/radix-tree/maple.c
+@@ -181,9 +181,9 @@ static noinline void check_new_node(stru
+ e = i - 1;
+ } else {
+ if (i >= 4)
+- e = i - 4;
+- else if (i == 3)
+- e = i - 2;
++ e = i - 3;
++ else if (i >= 1)
++ e = i - 1;
+ else
+ e = 0;
+ }
diff --git a/tmp-6.1/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch b/tmp-6.1/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch
new file mode 100644
index 00000000000..b8ab8e3199a
--- /dev/null
+++ b/tmp-6.1/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch
@@ -0,0 +1,44 @@
+From 3c769fd88b9742954763a968e84de09f7ad78cfe Mon Sep 17 00:00:00 2001
+From: Peng Zhang
+Date: Tue, 11 Jul 2023 11:54:37 +0800
+Subject: maple_tree: set the node limit when creating a new root node
+
+From: Peng Zhang
+
+commit 3c769fd88b9742954763a968e84de09f7ad78cfe upstream.
+
+Set the node limit of the root node so that the last pivot of all nodes is
+the node limit (if the node is not full).
+
+This patch also fixes a bug in mas_rev_awalk(). Effectively, always
+setting a maximum makes mas_logical_pivot() behave as mas_safe_pivot().
+Without this fix, it is possible that very small tasks would fail to find
+the correct gap. Although this has not been observed with real tasks, it
+has been reported to happen in m68k nommu running the maple tree tests.
+
+Link: https://lkml.kernel.org/r/20230711035444.526-1-zhangpeng.00@bytedance.com
+Link: https://lore.kernel.org/linux-mm/CAMuHMdV4T53fOw7VPoBgPR7fP6RYqf=CBhD_y_vOg53zZX_DnA@mail.gmail.com/
+Link: https://lkml.kernel.org/r/20230711035444.526-2-zhangpeng.00@bytedance.com
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Peng Zhang
+Reviewed-by: Liam R. Howlett
+Tested-by: Geert Uytterhoeven
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/maple_tree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -3711,7 +3711,8 @@ static inline int mas_root_expand(struct
+ mas->offset = slot;
+ pivots[slot] = mas->last;
+ if (mas->last != ULONG_MAX)
+- slot++;
++ pivots[++slot] = ULONG_MAX;
++
+ mas->depth = 1;
+ mas_set_height(mas);
+ ma_set_meta(node, maple_leaf_64, 0, slot);
diff --git a/tmp-6.1/mips-dec-prom-address-warray-bounds-warning.patch b/tmp-6.1/mips-dec-prom-address-warray-bounds-warning.patch
new file mode 100644
index 00000000000..1231ca4bcc6
--- /dev/null
+++ b/tmp-6.1/mips-dec-prom-address-warray-bounds-warning.patch
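Review bot: `pivots[++slot] = ULONG_MAX;` stores one entry past the pivot just written, and nothing visible in the hunk bounds `slot` or says why the extra store is there. `mas_root_expand()` begins outside the hunk, so where `slot` is set cannot be seen here; presumably it is 0 or 1 at this point, which would keep the write well inside a leaf's pivot array, but that should be confirmed against the full function. The reason for the store is also only in the commit message. I would put it in the code: `/* Terminate the root with the tree limit so the last pivot is always the node limit */`.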
@@ -0,0 +1,51 @@
+From ef01382e1c734299b56bde7f6a5678e14939f8a4 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Thu, 22 Jun 2023 17:43:57 -0600
+Subject: [PATCH AUTOSEL 4.19 09/11] MIPS: dec: prom: Address -Warray-bounds
+ warning
+X-stable: review
+X-Patchwork-Hint: Ignore
+X-stable-base: Linux 4.19.288
+
+[ Upstream commit 7b191b9b55df2a844bd32d1d380f47a7df1c2896 ]
+
+Zero-length arrays are deprecated, and we are replacing them with flexible
+array members instead. So, replace zero-length array with flexible-array
+member in struct memmap.
+
+Address the following warning found after building (with GCC-13) mips64
+with decstation_64_defconfig:
+In function 'rex_setup_memory_region',
+ inlined from 'prom_meminit' at arch/mips/dec/prom/memory.c:91:3:
+arch/mips/dec/prom/memory.c:72:31: error: array subscript i is outside array bounds of 'unsigned char[0]' [-Werror=array-bounds=]
+ 72 | if (bm->bitmap[i] == 0xff)
+ | ~~~~~~~~~~^~~
+In file included from arch/mips/dec/prom/memory.c:16:
+./arch/mips/include/asm/dec/prom.h: In function 'prom_meminit':
+./arch/mips/include/asm/dec/prom.h:73:23: note: while referencing 'bitmap'
+ 73 | unsigned char bitmap[0];
+
+This helps with the ongoing efforts to globally enable -Warray-bounds.
+
+This results in no differences in binary output.
+
+Link: https://github.com/KSPP/linux/issues/79
+Link: https://github.com/KSPP/linux/issues/323
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/include/asm/dec/prom.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/include/asm/dec/prom.h
++++ b/arch/mips/include/asm/dec/prom.h
+@@ -70,7 +70,7 @@ static inline bool prom_is_rex(u32 magic
+ */
+ typedef struct {
+ int pagesize;
+- unsigned char bitmap[0];
++ unsigned char bitmap[];
+ } memmap;
+
+
diff --git a/tmp-6.1/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch b/tmp-6.1/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch
new file mode 100644
index 00000000000..a4550bdb088
--- /dev/null
+++ b/tmp-6.1/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch
@@ -0,0 +1,94 @@ +From 2ad98a4006851a288ac932c2345ea6a91933390c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 17:46:22 -0700 +Subject: net: dsa: microchip: correct KSZ8795 static MAC table access + +From: Tristram Ha + +[ Upstream commit 4bdf79d686b49ac49373b36466acfb93972c7d7c ] + +The KSZ8795 driver code was modified to use on KSZ8863/73, which has +different register definitions. Some of the new KSZ8795 register +information are wrong compared to previous code. + +KSZ8795 also behaves differently in that the STATIC_MAC_TABLE_USE_FID +and STATIC_MAC_TABLE_FID bits are off by 1 when doing MAC table reading +than writing. To compensate that a special code was added to shift the +register value by 1 before applying those bits. This is wrong when the +code is running on KSZ8863, so this special code is only executed when +KSZ8795 is detected. + +Fixes: 4b20a07e103f ("net: dsa: microchip: ksz8795: add support for ksz88xx chips") +Signed-off-by: Tristram Ha +Reviewed-by: Horatiu Vultur +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz8795.c | 8 +++++++- + drivers/net/dsa/microchip/ksz_common.c | 8 ++++---- + drivers/net/dsa/microchip/ksz_common.h | 7 +++++++ + 3 files changed, 18 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c +index 6639fae56da7f..c63e082dc57dc 100644 +--- a/drivers/net/dsa/microchip/ksz8795.c ++++ b/drivers/net/dsa/microchip/ksz8795.c +@@ -437,7 +437,13 @@ static int ksz8_r_sta_mac_table(struct ksz_device *dev, u16 addr, + (data_hi & masks[STATIC_MAC_TABLE_FWD_PORTS]) >> + shifts[STATIC_MAC_FWD_PORTS]; + alu->is_override = (data_hi & masks[STATIC_MAC_TABLE_OVERRIDE]) ? 1 : 0; +- data_hi >>= 1; ++ ++ /* KSZ8795 family switches have STATIC_MAC_TABLE_USE_FID and ++ * STATIC_MAC_TABLE_FID definitions off by 1 when doing read on the ++ * static MAC table compared to doing write. 
++ */ ++ if (ksz_is_ksz87xx(dev)) ++ data_hi >>= 1; + alu->is_static = true; + alu->is_use_fid = (data_hi & masks[STATIC_MAC_TABLE_USE_FID]) ? 1 : 0; + alu->fid = (data_hi & masks[STATIC_MAC_TABLE_FID]) >> +diff --git a/drivers/net/dsa/microchip/ksz_common.c b/drivers/net/dsa/microchip/ksz_common.c +index 3d59298eaa5cf..8c492d56d2c36 100644 +--- a/drivers/net/dsa/microchip/ksz_common.c ++++ b/drivers/net/dsa/microchip/ksz_common.c +@@ -286,13 +286,13 @@ static const u32 ksz8795_masks[] = { + [STATIC_MAC_TABLE_VALID] = BIT(21), + [STATIC_MAC_TABLE_USE_FID] = BIT(23), + [STATIC_MAC_TABLE_FID] = GENMASK(30, 24), +- [STATIC_MAC_TABLE_OVERRIDE] = BIT(26), +- [STATIC_MAC_TABLE_FWD_PORTS] = GENMASK(24, 20), ++ [STATIC_MAC_TABLE_OVERRIDE] = BIT(22), ++ [STATIC_MAC_TABLE_FWD_PORTS] = GENMASK(20, 16), + [DYNAMIC_MAC_TABLE_ENTRIES_H] = GENMASK(6, 0), +- [DYNAMIC_MAC_TABLE_MAC_EMPTY] = BIT(8), ++ [DYNAMIC_MAC_TABLE_MAC_EMPTY] = BIT(7), + [DYNAMIC_MAC_TABLE_NOT_READY] = BIT(7), + [DYNAMIC_MAC_TABLE_ENTRIES] = GENMASK(31, 29), +- [DYNAMIC_MAC_TABLE_FID] = GENMASK(26, 20), ++ [DYNAMIC_MAC_TABLE_FID] = GENMASK(22, 16), + [DYNAMIC_MAC_TABLE_SRC_PORT] = GENMASK(26, 24), + [DYNAMIC_MAC_TABLE_TIMESTAMP] = GENMASK(28, 27), + [P_MII_TX_FLOW_CTRL] = BIT(5), +diff --git a/drivers/net/dsa/microchip/ksz_common.h b/drivers/net/dsa/microchip/ksz_common.h +index 9cfa179575ce8..d1b2db8e65331 100644 +--- a/drivers/net/dsa/microchip/ksz_common.h ++++ b/drivers/net/dsa/microchip/ksz_common.h +@@ -512,6 +512,13 @@ static inline void ksz_regmap_unlock(void *__mtx) + mutex_unlock(mtx); + } + ++static inline bool ksz_is_ksz87xx(struct ksz_device *dev) ++{ ++ return dev->chip_id == KSZ8795_CHIP_ID || ++ dev->chip_id == KSZ8794_CHIP_ID || ++ dev->chip_id == KSZ8765_CHIP_ID; ++} ++ + static inline bool ksz_is_ksz88x3(struct ksz_device *dev) + { + return dev->chip_id == KSZ8830_CHIP_ID; +-- +2.39.2 + 
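Review bot: After this change `ksz8795_masks[]` carries the same value for two different conditions: `[DYNAMIC_MAC_TABLE_MAC_EMPTY] = BIT(7)` and `[DYNAMIC_MAC_TABLE_NOT_READY] = BIT(7)`. If both masks are ever tested against the same register word, an empty table and a not-ready table become indistinguishable. Presumably they apply to different bytes of the dynamic MAC table read, but the reader (`ksz8_r_dyn_mac_table()`) is not in this hunk and the table gives no hint. A trailing comment on each entry naming the register byte it is applied to would make the corrected values checkable against the datasheet. The table itself starts and ends outside the hunk.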
diff --git a/tmp-6.1/net-dsa-microchip-ksz8-make-ksz8_r_sta_mac_table-sta.patch b/tmp-6.1/net-dsa-microchip-ksz8-make-ksz8_r_sta_mac_table-sta.patch new file mode 100644 index 00000000000..394b25198f6 --- /dev/null +++ b/tmp-6.1/net-dsa-microchip-ksz8-make-ksz8_r_sta_mac_table-sta.patch 
@@ -0,0 +1,54 @@ +From 25ba53cf4a6b0cb809c74f265b2e1cd0d00ea850 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Apr 2023 12:18:38 +0200 +Subject: net: dsa: microchip: ksz8: Make ksz8_r_sta_mac_table() static + +From: Oleksij Rempel + +[ Upstream commit b5751cdd7dbe618a03951bdd4c982a71ba448b1b ] + +As ksz8_r_sta_mac_table() is only used within ksz8795.c, there is no need +to export it. Make the function static for better encapsulation. + +Signed-off-by: Oleksij Rempel +Reviewed-by: Vladimir Oltean +Acked-by: Arun Ramadoss +Signed-off-by: Paolo Abeni +Stable-dep-of: 4bdf79d686b4 ("net: dsa: microchip: correct KSZ8795 static MAC table access") +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz8.h | 2 -- + drivers/net/dsa/microchip/ksz8795.c | 4 ++-- + 2 files changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/microchip/ksz8.h b/drivers/net/dsa/microchip/ksz8.h +index 8582b4b67d989..28137c4bf2928 100644 +--- a/drivers/net/dsa/microchip/ksz8.h ++++ b/drivers/net/dsa/microchip/ksz8.h +@@ -21,8 +21,6 @@ int ksz8_r_phy(struct ksz_device *dev, u16 phy, u16 reg, u16 *val); + int ksz8_w_phy(struct ksz_device *dev, u16 phy, u16 reg, u16 val); + int ksz8_r_dyn_mac_table(struct ksz_device *dev, u16 addr, u8 *mac_addr, + u8 *fid, u8 *src_port, u8 *timestamp, u16 *entries); +-int ksz8_r_sta_mac_table(struct ksz_device *dev, u16 addr, +- struct alu_struct *alu); + void ksz8_w_sta_mac_table(struct ksz_device *dev, u16 addr, + struct alu_struct *alu); + void ksz8_r_mib_cnt(struct ksz_device *dev, int port, u16 addr, u64 *cnt); +diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c +index 38fd9b8e0287a..a2f67be66b97d 100644 +--- a/drivers/net/dsa/microchip/ksz8795.c ++++ b/drivers/net/dsa/microchip/ksz8795.c +@@ -406,8 +406,8 @@ int ksz8_r_dyn_mac_table(struct ksz_device *dev, u16 addr, u8 *mac_addr, + return rc; + } + +-int ksz8_r_sta_mac_table(struct ksz_device *dev, u16 addr, +- struct alu_struct *alu) 
++static int ksz8_r_sta_mac_table(struct ksz_device *dev, u16 addr, ++ struct alu_struct *alu) + { + u32 data_hi, data_lo; + const u8 *shifts; +-- +2.39.2 + diff --git a/tmp-6.1/net-dsa-microchip-ksz8-separate-static-mac-table-ope.patch b/tmp-6.1/net-dsa-microchip-ksz8-separate-static-mac-table-ope.patch new file mode 100644 index 00000000000..61558ee997e --- /dev/null +++ b/tmp-6.1/net-dsa-microchip-ksz8-separate-static-mac-table-ope.patch 
@@ -0,0 +1,111 @@ +From 07866a478229526bd65ea5676f89ffc143c3e040 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Apr 2023 12:18:36 +0200 +Subject: net: dsa: microchip: ksz8: Separate static MAC table operations for + code reuse + +From: Oleksij Rempel + +[ Upstream commit f6636ff69ec4f2c94a5ee1d032b21cfe1e0a5678 ] + +Move static MAC table operations to separate functions in order to reuse +the code for add/del_fdb. This is needed to address kernel warnings +caused by the lack of fdb add function support in the current driver. + +Signed-off-by: Oleksij Rempel +Reviewed-by: Vladimir Oltean +Signed-off-by: Paolo Abeni +Stable-dep-of: 4bdf79d686b4 ("net: dsa: microchip: correct KSZ8795 static MAC table access") +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz8795.c | 34 +++++++++++++++++++---------- + 1 file changed, 23 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c +index 22250ae222b5b..38fd9b8e0287a 100644 +--- a/drivers/net/dsa/microchip/ksz8795.c ++++ b/drivers/net/dsa/microchip/ksz8795.c +@@ -926,8 +926,8 @@ int ksz8_fdb_dump(struct ksz_device *dev, int port, + return ret; + } + +-int ksz8_mdb_add(struct ksz_device *dev, int port, +- const struct switchdev_obj_port_mdb *mdb, struct dsa_db db) ++static int ksz8_add_sta_mac(struct ksz_device *dev, int port, ++ const unsigned char *addr, u16 vid) + { + struct alu_struct alu; + int index; +@@ -937,8 +937,8 @@ int ksz8_mdb_add(struct ksz_device *dev, int port, + for (index = 0; index < dev->info->num_statics; index++) { + if (!ksz8_r_sta_mac_table(dev, index, &alu)) { + /* Found one already in static MAC table. */ +- if (!memcmp(alu.mac, mdb->addr, ETH_ALEN) && +- alu.fid == mdb->vid) ++ if (!memcmp(alu.mac, addr, ETH_ALEN) && ++ alu.fid == vid) + break; + /* Remember the first empty entry. 
*/ + } else if (!empty) { +@@ -954,23 +954,23 @@ int ksz8_mdb_add(struct ksz_device *dev, int port, + if (index == dev->info->num_statics) { + index = empty - 1; + memset(&alu, 0, sizeof(alu)); +- memcpy(alu.mac, mdb->addr, ETH_ALEN); ++ memcpy(alu.mac, addr, ETH_ALEN); + alu.is_static = true; + } + alu.port_forward |= BIT(port); +- if (mdb->vid) { ++ if (vid) { + alu.is_use_fid = true; + + /* Need a way to map VID to FID. */ +- alu.fid = mdb->vid; ++ alu.fid = vid; + } + ksz8_w_sta_mac_table(dev, index, &alu); + + return 0; + } + +-int ksz8_mdb_del(struct ksz_device *dev, int port, +- const struct switchdev_obj_port_mdb *mdb, struct dsa_db db) ++static int ksz8_del_sta_mac(struct ksz_device *dev, int port, ++ const unsigned char *addr, u16 vid) + { + struct alu_struct alu; + int index; +@@ -978,8 +978,8 @@ int ksz8_mdb_del(struct ksz_device *dev, int port, + for (index = 0; index < dev->info->num_statics; index++) { + if (!ksz8_r_sta_mac_table(dev, index, &alu)) { + /* Found one already in static MAC table. */ +- if (!memcmp(alu.mac, mdb->addr, ETH_ALEN) && +- alu.fid == mdb->vid) ++ if (!memcmp(alu.mac, addr, ETH_ALEN) && ++ alu.fid == vid) + break; + } + } +@@ -998,6 +998,18 @@ int ksz8_mdb_del(struct ksz_device *dev, int port, + return 0; + } + ++int ksz8_mdb_add(struct ksz_device *dev, int port, ++ const struct switchdev_obj_port_mdb *mdb, struct dsa_db db) ++{ ++ return ksz8_add_sta_mac(dev, port, mdb->addr, mdb->vid); ++} ++ ++int ksz8_mdb_del(struct ksz_device *dev, int port, ++ const struct switchdev_obj_port_mdb *mdb, struct dsa_db db) ++{ ++ return ksz8_del_sta_mac(dev, port, mdb->addr, mdb->vid); ++} ++ + int ksz8_port_vlan_filtering(struct ksz_device *dev, int port, bool flag, + struct netlink_ext_ack *extack) + { +-- +2.39.2 + diff --git a/tmp-6.1/net-dsa-microchip-ksz8_r_sta_mac_table-avoid-using-e.patch b/tmp-6.1/net-dsa-microchip-ksz8_r_sta_mac_table-avoid-using-e.patch new file mode 100644 index 00000000000..7ffbd3f1702 --- /dev/null 
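Review bot: ksz8_add_sta_mac() stores the VLAN ID directly as the filter ID (`alu.fid = vid`) and both new helpers match entries on `alu.fid == vid`, yet the static-table FID field in ksz8795_masks is `GENMASK(30, 24)`, seven bits wide. Assuming the write path masks to that width, VIDs that differ by a multiple of 128 would resolve to the same FID and share one static entry, which matters more now that the commit message says these helpers are to be reused for FDB add/del. The existing `/* Need a way to map VID to FID. */` comment should say so explicitly, e.g. `/* FIXME: FID is narrower than VID; distinct VLANs can alias until a VID-to-FID map exists */`, or the helper should refuse a vid that does not fit the field. Both function bodies continue outside the hunks shown.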
+++ b/tmp-6.1/net-dsa-microchip-ksz8_r_sta_mac_table-avoid-using-e.patch 
@@ -0,0 +1,154 @@ +From fe300e7a9fd658eb7004931d40d174aea1c803a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Apr 2023 12:18:39 +0200 +Subject: net: dsa: microchip: ksz8_r_sta_mac_table(): Avoid using error code + for empty entries + +From: Oleksij Rempel + +[ Upstream commit 559901b46810e82ba5321a5e789f994b65d3bc3d ] + +Prepare for the next patch by ensuring that ksz8_r_sta_mac_table() does +not use error codes for empty entries. This change will enable better +handling of read/write errors in the upcoming patch. + +Signed-off-by: Oleksij Rempel +Reviewed-by: Vladimir Oltean +Signed-off-by: Paolo Abeni +Stable-dep-of: 4bdf79d686b4 ("net: dsa: microchip: correct KSZ8795 static MAC table access") +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz8795.c | 87 +++++++++++++++++------------ + 1 file changed, 50 insertions(+), 37 deletions(-) + +diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c +index a2f67be66b97d..6639fae56da7f 100644 +--- a/drivers/net/dsa/microchip/ksz8795.c ++++ b/drivers/net/dsa/microchip/ksz8795.c +@@ -407,7 +407,7 @@ int ksz8_r_dyn_mac_table(struct ksz_device *dev, u16 addr, u8 *mac_addr, + } + + static int ksz8_r_sta_mac_table(struct ksz_device *dev, u16 addr, +- struct alu_struct *alu) ++ struct alu_struct *alu, bool *valid) + { + u32 data_hi, data_lo; + const u8 *shifts; +@@ -420,28 +420,32 @@ static int ksz8_r_sta_mac_table(struct ksz_device *dev, u16 addr, + ksz8_r_table(dev, TABLE_STATIC_MAC, addr, &data); + data_hi = data >> 32; + data_lo = (u32)data; +- if (data_hi & (masks[STATIC_MAC_TABLE_VALID] | +- masks[STATIC_MAC_TABLE_OVERRIDE])) { +- alu->mac[5] = (u8)data_lo; +- alu->mac[4] = (u8)(data_lo >> 8); +- alu->mac[3] = (u8)(data_lo >> 16); +- alu->mac[2] = (u8)(data_lo >> 24); +- alu->mac[1] = (u8)data_hi; +- alu->mac[0] = (u8)(data_hi >> 8); +- alu->port_forward = +- (data_hi & masks[STATIC_MAC_TABLE_FWD_PORTS]) >> +- shifts[STATIC_MAC_FWD_PORTS]; +- alu->is_override = +- 
(data_hi & masks[STATIC_MAC_TABLE_OVERRIDE]) ? 1 : 0; +- data_hi >>= 1; +- alu->is_static = true; +- alu->is_use_fid = +- (data_hi & masks[STATIC_MAC_TABLE_USE_FID]) ? 1 : 0; +- alu->fid = (data_hi & masks[STATIC_MAC_TABLE_FID]) >> +- shifts[STATIC_MAC_FID]; ++ ++ if (!(data_hi & (masks[STATIC_MAC_TABLE_VALID] | ++ masks[STATIC_MAC_TABLE_OVERRIDE]))) { ++ *valid = false; + return 0; + } +- return -ENXIO; ++ ++ alu->mac[5] = (u8)data_lo; ++ alu->mac[4] = (u8)(data_lo >> 8); ++ alu->mac[3] = (u8)(data_lo >> 16); ++ alu->mac[2] = (u8)(data_lo >> 24); ++ alu->mac[1] = (u8)data_hi; ++ alu->mac[0] = (u8)(data_hi >> 8); ++ alu->port_forward = ++ (data_hi & masks[STATIC_MAC_TABLE_FWD_PORTS]) >> ++ shifts[STATIC_MAC_FWD_PORTS]; ++ alu->is_override = (data_hi & masks[STATIC_MAC_TABLE_OVERRIDE]) ? 1 : 0; ++ data_hi >>= 1; ++ alu->is_static = true; ++ alu->is_use_fid = (data_hi & masks[STATIC_MAC_TABLE_USE_FID]) ? 1 : 0; ++ alu->fid = (data_hi & masks[STATIC_MAC_TABLE_FID]) >> ++ shifts[STATIC_MAC_FID]; ++ ++ *valid = true; ++ ++ return 0; + } + + void ksz8_w_sta_mac_table(struct ksz_device *dev, u16 addr, +@@ -930,20 +934,25 @@ static int ksz8_add_sta_mac(struct ksz_device *dev, int port, + const unsigned char *addr, u16 vid) + { + struct alu_struct alu; +- int index; ++ int index, ret; + int empty = 0; + + alu.port_forward = 0; + for (index = 0; index < dev->info->num_statics; index++) { +- if (!ksz8_r_sta_mac_table(dev, index, &alu)) { +- /* Found one already in static MAC table. */ +- if (!memcmp(alu.mac, addr, ETH_ALEN) && +- alu.fid == vid) +- break; +- /* Remember the first empty entry. */ +- } else if (!empty) { +- empty = index + 1; ++ bool valid; ++ ++ ret = ksz8_r_sta_mac_table(dev, index, &alu, &valid); ++ if (ret) ++ return ret; ++ if (!valid) { ++ /* Remember the first empty entry. 
*/ ++ if (!empty) ++ empty = index + 1; ++ continue; + } ++ ++ if (!memcmp(alu.mac, addr, ETH_ALEN) && alu.fid == vid) ++ break; + } + + /* no available entry */ +@@ -973,15 +982,19 @@ static int ksz8_del_sta_mac(struct ksz_device *dev, int port, + const unsigned char *addr, u16 vid) + { + struct alu_struct alu; +- int index; ++ int index, ret; + + for (index = 0; index < dev->info->num_statics; index++) { +- if (!ksz8_r_sta_mac_table(dev, index, &alu)) { +- /* Found one already in static MAC table. */ +- if (!memcmp(alu.mac, addr, ETH_ALEN) && +- alu.fid == vid) +- break; +- } ++ bool valid; ++ ++ ret = ksz8_r_sta_mac_table(dev, index, &alu, &valid); ++ if (ret) ++ return ret; ++ if (!valid) ++ continue; ++ ++ if (!memcmp(alu.mac, addr, ETH_ALEN) && alu.fid == vid) ++ break; + } + + /* no available entry */ +-- +2.39.2 + diff --git a/tmp-6.1/net-ethernet-litex-add-support-for-64-bit-stats.patch b/tmp-6.1/net-ethernet-litex-add-support-for-64-bit-stats.patch new file mode 100644 index 00000000000..a4b0da3e2df --- /dev/null +++ b/tmp-6.1/net-ethernet-litex-add-support-for-64-bit-stats.patch 
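Review bot: ksz8_r_sta_mac_table() gains an out-parameter whose contract is not documented: for an empty slot it returns 0 with `*valid = false` and leaves `*alu` unwritten, so callers must test `valid` before reading `alu`. A short comment above the function would pin this down, e.g. `/* Returns 0 on success; *valid tells whether the slot holds an entry, *alu is filled only when *valid is true. */`. In the lines shown every path returns 0 and the result of `ksz8_r_table()` is not checked, so the new `if (ret) return ret;` tests in ksz8_add_sta_mac() and ksz8_del_sta_mac() cannot fire yet; the commit message says real error returns arrive with the next patch.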
@@ -0,0 +1,82 @@ +From d4038c95e83f7d2c42f76634c0bd1e407d38b652 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 00:20:35 +0800 +Subject: net: ethernet: litex: add support for 64 bit stats + +From: Jisheng Zhang + +[ Upstream commit 18da174d865a87d47d2f33f5b0a322efcf067728 ] + +Implement 64 bit per cpu stats to fix the overflow of netdev->stats +on 32 bit platforms. To simplify the code, we use net core +pcpu_sw_netstats infrastructure. One small drawback is some memory +overhead because litex uses just one queue, but we allocate the +counters per cpu. + +Signed-off-by: Jisheng Zhang +Reviewed-by: Simon Horman +Acked-by: Gabriel Somlo +Link: https://lore.kernel.org/r/20230614162035.300-1-jszhang@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/litex/litex_liteeth.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/litex/litex_liteeth.c b/drivers/net/ethernet/litex/litex_liteeth.c +index 35f24e0f09349..ffa96059079c6 100644 +--- a/drivers/net/ethernet/litex/litex_liteeth.c ++++ b/drivers/net/ethernet/litex/litex_liteeth.c +@@ -78,8 +78,7 @@ static int liteeth_rx(struct net_device *netdev) + memcpy_fromio(data, priv->rx_base + rx_slot * priv->slot_size, len); + skb->protocol = eth_type_trans(skb, netdev); + +- netdev->stats.rx_packets++; +- netdev->stats.rx_bytes += len; ++ dev_sw_netstats_rx_add(netdev, len); + + return netif_rx(skb); + +@@ -185,8 +184,7 @@ static netdev_tx_t liteeth_start_xmit(struct sk_buff *skb, + litex_write16(priv->base + LITEETH_READER_LENGTH, skb->len); + litex_write8(priv->base + LITEETH_READER_START, 1); + +- netdev->stats.tx_bytes += skb->len; +- netdev->stats.tx_packets++; ++ dev_sw_netstats_tx_add(netdev, 1, skb->len); + + priv->tx_slot = (priv->tx_slot + 1) % priv->num_tx_slots; + dev_kfree_skb_any(skb); +@@ -194,9 +192,17 @@ static netdev_tx_t liteeth_start_xmit(struct sk_buff *skb, + return NETDEV_TX_OK; + 
} + ++static void ++liteeth_get_stats64(struct net_device *netdev, struct rtnl_link_stats64 *stats) ++{ ++ netdev_stats_to_stats64(stats, &netdev->stats); ++ dev_fetch_sw_netstats(stats, netdev->tstats); ++} ++ + static const struct net_device_ops liteeth_netdev_ops = { + .ndo_open = liteeth_open, + .ndo_stop = liteeth_stop, ++ .ndo_get_stats64 = liteeth_get_stats64, + .ndo_start_xmit = liteeth_start_xmit, + }; + +@@ -242,6 +248,11 @@ static int liteeth_probe(struct platform_device *pdev) + priv->netdev = netdev; + priv->dev = &pdev->dev; + ++ netdev->tstats = devm_netdev_alloc_pcpu_stats(&pdev->dev, ++ struct pcpu_sw_netstats); ++ if (!netdev->tstats) ++ return -ENOMEM; ++ + irq = platform_get_irq(pdev, 0); + if (irq < 0) + return irq; +-- +2.39.2 + diff --git a/tmp-6.1/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch b/tmp-6.1/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch new file mode 100644 index 00000000000..418095fc532 --- /dev/null +++ b/tmp-6.1/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch 
@@ -0,0 +1,86 @@ +From c3465911da1e9d1a7b64a1ed1f446f1ef9666ff2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 03:42:29 +0100 +Subject: net: ethernet: mtk_eth_soc: handle probe deferral + +From: Daniel Golle + +[ Upstream commit 1d6d537dc55d1f42d16290f00157ac387985b95b ] + +Move the call to of_get_ethdev_address to mtk_add_mac which is part of +the probe function and can hence itself return -EPROBE_DEFER should +of_get_ethdev_address return -EPROBE_DEFER. This allows us to entirely +get rid of the mtk_init function. + +The problem of of_get_ethdev_address returning -EPROBE_DEFER surfaced +in situations in which the NVMEM provider holding the MAC address has +not yet be loaded at the time mtk_eth_soc is initially probed. In this +case probing of mtk_eth_soc should be deferred instead of falling back +to use a random MAC address, so once the NVMEM provider becomes +available probing can be repeated. + +Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet") +Signed-off-by: Daniel Golle +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 29 ++++++++------------- + 1 file changed, 11 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 49975924e2426..7e318133423a9 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -3425,23 +3425,6 @@ static int mtk_hw_deinit(struct mtk_eth *eth) + return 0; + } + +-static int __init mtk_init(struct net_device *dev) +-{ +- struct mtk_mac *mac = netdev_priv(dev); +- struct mtk_eth *eth = mac->hw; +- int ret; +- +- ret = of_get_ethdev_address(mac->of_node, dev); +- if (ret) { +- /* If the mac address is invalid, use random mac address */ +- eth_hw_addr_random(dev); +- dev_err(eth->dev, "generated random MAC address %pM\n", +- dev->dev_addr); +- } +- +- return 0; +-} +- + static void mtk_uninit(struct net_device *dev) + { + struct mtk_mac *mac = netdev_priv(dev); +@@ -3789,7 +3772,6 @@ static const struct ethtool_ops mtk_ethtool_ops = { + }; + + static const struct net_device_ops mtk_netdev_ops = { +- .ndo_init = mtk_init, + .ndo_uninit = mtk_uninit, + .ndo_open = mtk_open, + .ndo_stop = mtk_stop, +@@ -3845,6 +3827,17 @@ static int mtk_add_mac(struct mtk_eth *eth, struct device_node *np) + mac->hw = eth; + mac->of_node = np; + ++ err = of_get_ethdev_address(mac->of_node, eth->netdev[id]); ++ if (err == -EPROBE_DEFER) ++ return err; ++ ++ if (err) { ++ /* If the mac address is invalid, use random mac address */ ++ eth_hw_addr_random(eth->netdev[id]); ++ dev_err(eth->dev, "generated random MAC address %pM\n", ++ eth->netdev[id]->dev_addr); ++ } ++ + memset(mac->hwlro_ip, 0, sizeof(mac->hwlro_ip)); + mac->hwlro_ip_cnt = 0; + +-- +2.39.2 + diff --git a/tmp-6.1/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch b/tmp-6.1/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch new file mode 100644 index 00000000000..52f517cfd5f 
--- /dev/null
+++ b/tmp-6.1/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch
@@ -0,0 +1,78 @@ +From c809a11a4b6d3cfd988c7fb48576f8544d3b1d7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 16:36:57 +0530 +Subject: net: ethernet: ti: cpsw_ale: Fix + cpsw_ale_get_field()/cpsw_ale_set_field() + +From: Tanmay Patil + +[ Upstream commit b685f1a58956fa36cc01123f253351b25bfacfda ] + +CPSW ALE has 75 bit ALE entries which are stored within three 32 bit words. +The cpsw_ale_get_field() and cpsw_ale_set_field() functions assume that the +field will be strictly contained within one word. However, this is not +guaranteed to be the case and it is possible for ALE field entries to span +across up to two words at the most. + +Fix the methods to handle getting/setting fields spanning up to two words. + +Fixes: db82173f23c5 ("netdev: driver: ethernet: add cpsw address lookup engine support") +Signed-off-by: Tanmay Patil +[s-vadapalli@ti.com: rephrased commit message and added Fixes tag] +Signed-off-by: Siddharth Vadapalli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/cpsw_ale.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c +index 231370e9a8017..2647c18d40d95 100644 +--- a/drivers/net/ethernet/ti/cpsw_ale.c ++++ b/drivers/net/ethernet/ti/cpsw_ale.c +@@ -106,23 +106,37 @@ struct cpsw_ale_dev_id { + + static inline int cpsw_ale_get_field(u32 *ale_entry, u32 start, u32 bits) + { +- int idx; ++ int idx, idx2; ++ u32 hi_val = 0; + + idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be fetched exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ hi_val = ale_entry[idx2] << ((idx2 * 32) - start); ++ } + start -= idx * 32; + idx = 2 - idx; /* flip */ +- return (ale_entry[idx] >> start) & BITMASK(bits); ++ return (hi_val + (ale_entry[idx] >> start)) & BITMASK(bits); + } + + static inline void cpsw_ale_set_field(u32 *ale_entry, u32 start, 
u32 bits, + u32 value) + { +- int idx; ++ int idx, idx2; + + value &= BITMASK(bits); +- idx = start / 32; ++ idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be set exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ ale_entry[idx2] &= ~(BITMASK(bits + start - (idx2 * 32))); ++ ale_entry[idx2] |= (value >> ((idx2 * 32) - start)); ++ } + start -= idx * 32; +- idx = 2 - idx; /* flip */ ++ idx = 2 - idx; /* flip */ + ale_entry[idx] &= ~(BITMASK(bits) << start); + ale_entry[idx] |= (value << start); + } +-- +2.39.2 + diff --git a/tmp-6.1/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch b/tmp-6.1/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch new file mode 100644 index 00000000000..1779fb5be73 --- /dev/null +++ b/tmp-6.1/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch 
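Review bot: In cpsw_ale_get_field() the cross-word shift `(idx2 * 32) - start` is evaluated after `idx2 = 2 - idx2`, so it is only correct when the field straddles words 0 and 1, where the flipped index happens to equal the unflipped one. For a field that starts in word 1 and ends in word 2 the flipped `idx2` is 0, the unsigned subtraction wraps, and the shift count is far above 31, which is undefined behaviour; cpsw_ale_set_field() has the same problem in `BITMASK(bits + start - (idx2 * 32))` and `value >> ((idx2 * 32) - start)`. Whether any ALE field definition actually crosses that boundary is not visible in this hunk. Keeping `idx2` unflipped for the arithmetic and flipping only when indexing avoids it: `hi_val = ale_entry[2 - idx2] << ((idx2 * 32) - start);` replaces the two lines in the `if` body, and the setter would likewise index `ale_entry[2 - idx2]` without reassigning `idx2`.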
@@ -0,0 +1,140 @@ +From c7bac058c0b91ef65d58a3020117d8bad2853616 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 20:33:08 +0800 +Subject: net: hns3: fix strncpy() not using dest-buf length as length issue + +From: Hao Chen + +[ Upstream commit 1cf3d5567f273a8746d1bade00633a93204f80f0 ] + +Now, strncpy() in hns3_dbg_fill_content() use src-length as copy-length, +it may result in dest-buf overflow. + +This patch is to fix intel compile warning for csky-linux-gcc (GCC) 12.1.0 +compiler. + +The warning reports as below: + +hclge_debugfs.c:92:25: warning: 'strncpy' specified bound depends on +the length of the source argument [-Wstringop-truncation] + +strncpy(pos, items[i].name, strlen(items[i].name)); + +hclge_debugfs.c:90:25: warning: 'strncpy' output truncated before +terminating nul copying as many bytes from a string as its length +[-Wstringop-truncation] + +strncpy(pos, result[i], strlen(result[i])); + +strncpy() use src-length as copy-length, it may result in +dest-buf overflow. + +So,this patch add some values check to avoid this issue. 
+ +Signed-off-by: Hao Chen +Reported-by: kernel test robot +Closes: https://lore.kernel.org/lkml/202207170606.7WtHs9yS-lkp@intel.com/T/ +Signed-off-by: Hao Lan +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/hisilicon/hns3/hns3_debugfs.c | 31 ++++++++++++++----- + .../hisilicon/hns3/hns3pf/hclge_debugfs.c | 29 ++++++++++++++--- + 2 files changed, 48 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +index bcccd82a2620f..f6ededec5a4fa 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +@@ -435,19 +435,36 @@ static void hns3_dbg_fill_content(char *content, u16 len, + const struct hns3_dbg_item *items, + const char **result, u16 size) + { ++#define HNS3_DBG_LINE_END_LEN 2 + char *pos = content; ++ u16 item_len; + u16 i; + ++ if (!len) { ++ return; ++ } else if (len <= HNS3_DBG_LINE_END_LEN) { ++ *pos++ = '\0'; ++ return; ++ } ++ + memset(content, ' ', len); +- for (i = 0; i < size; i++) { +- if (result) +- strncpy(pos, result[i], strlen(result[i])); +- else +- strncpy(pos, items[i].name, strlen(items[i].name)); ++ len -= HNS3_DBG_LINE_END_LEN; + +- pos += strlen(items[i].name) + items[i].interval; ++ for (i = 0; i < size; i++) { ++ item_len = strlen(items[i].name) + items[i].interval; ++ if (len < item_len) ++ break; ++ ++ if (result) { ++ if (item_len < strlen(result[i])) ++ break; ++ strscpy(pos, result[i], strlen(result[i])); ++ } else { ++ strscpy(pos, items[i].name, strlen(items[i].name)); ++ } ++ pos += item_len; ++ len -= item_len; + } +- + *pos++ = '\n'; + *pos++ = '\0'; + } +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c +index 142415c84c6b2..0ebc21401b7c2 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c ++++ 
b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c +@@ -87,16 +87,35 @@ static void hclge_dbg_fill_content(char *content, u16 len, + const struct hclge_dbg_item *items, + const char **result, u16 size) + { ++#define HCLGE_DBG_LINE_END_LEN 2 + char *pos = content; ++ u16 item_len; + u16 i; + ++ if (!len) { ++ return; ++ } else if (len <= HCLGE_DBG_LINE_END_LEN) { ++ *pos++ = '\0'; ++ return; ++ } ++ + memset(content, ' ', len); ++ len -= HCLGE_DBG_LINE_END_LEN; ++ + for (i = 0; i < size; i++) { +- if (result) +- strncpy(pos, result[i], strlen(result[i])); +- else +- strncpy(pos, items[i].name, strlen(items[i].name)); +- pos += strlen(items[i].name) + items[i].interval; ++ item_len = strlen(items[i].name) + items[i].interval; ++ if (len < item_len) ++ break; ++ ++ if (result) { ++ if (item_len < strlen(result[i])) ++ break; ++ strscpy(pos, result[i], strlen(result[i])); ++ } else { ++ strscpy(pos, items[i].name, strlen(items[i].name)); ++ } ++ pos += item_len; ++ len -= item_len; + } + *pos++ = '\n'; + *pos++ = '\0'; +-- +2.39.2 + diff --git a/tmp-6.1/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch b/tmp-6.1/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch new file mode 100644 index 00000000000..3645eb7a502 --- /dev/null +++ b/tmp-6.1/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch 
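Review bot: `strscpy(pos, result[i], strlen(result[i]))` passes the source length as the destination size, so strscpy() copies at most strlen - 1 bytes and writes a NUL in place of the last character. Every column therefore loses its final character, and the embedded NUL ends the line early when the buffer is later read as a string. The same applies to the `items[i].name` branch, in both hns3_dbg_fill_content() and hclge_dbg_fill_content(). The bound is already enforced by the `len < item_len` and `item_len < strlen(result[i])` checks and the buffer is pre-filled with spaces, so `memcpy(pos, result[i], strlen(result[i]));` and `memcpy(pos, items[i].name, strlen(items[i].name));` copy exactly the intended bytes without inserting a terminator.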
@@ -0,0 +1,134 @@ +From d2d9a97443c3d363ac55a22c42cc9e677b12faa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 May 2023 18:14:52 +0200 +Subject: net: ipv4: use consistent txhash in TIME_WAIT and SYN_RECV + +From: Antoine Tenart + +[ Upstream commit c0a8966e2bc7d31f77a7246947ebc09c1ff06066 ] + +When using IPv4/TCP, skb->hash comes from sk->sk_txhash except in +TIME_WAIT and SYN_RECV where it's not set in the reply skb from +ip_send_unicast_reply. Those packets will have a mismatched hash with +others from the same flow as their hashes will be 0. IPv6 does not have +the same issue as the hash is set from the socket txhash in those cases. + +This commits sets the hash in the reply skb from ip_send_unicast_reply, +which makes the IPv4 code behaving like IPv6. + +Signed-off-by: Antoine Tenart +Reviewed-by: Eric Dumazet +Signed-off-by: Paolo Abeni +Stable-dep-of: 5e5265522a9a ("tcp: annotate data-races around tcp_rsk(req)->txhash") +Signed-off-by: Sasha Levin +--- + include/net/ip.h | 2 +- + net/ipv4/ip_output.c | 4 +++- + net/ipv4/tcp_ipv4.c | 14 +++++++++----- + 3 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index acec504c469a0..83a1a9bc3ceb1 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -282,7 +282,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, + const struct ip_options *sopt, + __be32 daddr, __be32 saddr, + const struct ip_reply_arg *arg, +- unsigned int len, u64 transmit_time); ++ unsigned int len, u64 transmit_time, u32 txhash); + + #define IP_INC_STATS(net, field) SNMP_INC_STATS64((net)->mib.ip_statistics, field) + #define __IP_INC_STATS(net, field) __SNMP_INC_STATS64((net)->mib.ip_statistics, field) +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 2a07588265c70..7b4ab545c06e0 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1691,7 +1691,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, + const struct 
ip_options *sopt, + __be32 daddr, __be32 saddr, + const struct ip_reply_arg *arg, +- unsigned int len, u64 transmit_time) ++ unsigned int len, u64 transmit_time, u32 txhash) + { + struct ip_options_data replyopts; + struct ipcm_cookie ipc; +@@ -1754,6 +1754,8 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, + arg->csum)); + nskb->ip_summed = CHECKSUM_NONE; + nskb->mono_delivery_time = !!transmit_time; ++ if (txhash) ++ skb_set_hash(nskb, txhash, PKT_HASH_TYPE_L4); + ip_push_pending_frames(sk, &fl4); + } + out: +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index a7de5ba74e7f7..ef740983a1222 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -692,6 +692,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + u64 transmit_time = 0; + struct sock *ctl_sk; + struct net *net; ++ u32 txhash = 0; + + /* Never send a reset in response to a reset. */ + if (th->rst) +@@ -829,6 +830,8 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + inet_twsk(sk)->tw_priority : sk->sk_priority; + transmit_time = tcp_transmit_time(sk); + xfrm_sk_clone_policy(ctl_sk, sk); ++ txhash = (sk->sk_state == TCP_TIME_WAIT) ? 
++ inet_twsk(sk)->tw_txhash : sk->sk_txhash; + } else { + ctl_sk->sk_mark = 0; + ctl_sk->sk_priority = 0; +@@ -837,7 +840,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + skb, &TCP_SKB_CB(skb)->header.h4.opt, + ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, + &arg, arg.iov[0].iov_len, +- transmit_time); ++ transmit_time, txhash); + + xfrm_sk_free_policy(ctl_sk); + sock_net_set(ctl_sk, &init_net); +@@ -859,7 +862,7 @@ static void tcp_v4_send_ack(const struct sock *sk, + struct sk_buff *skb, u32 seq, u32 ack, + u32 win, u32 tsval, u32 tsecr, int oif, + struct tcp_md5sig_key *key, +- int reply_flags, u8 tos) ++ int reply_flags, u8 tos, u32 txhash) + { + const struct tcphdr *th = tcp_hdr(skb); + struct { +@@ -935,7 +938,7 @@ static void tcp_v4_send_ack(const struct sock *sk, + skb, &TCP_SKB_CB(skb)->header.h4.opt, + ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, + &arg, arg.iov[0].iov_len, +- transmit_time); ++ transmit_time, txhash); + + sock_net_set(ctl_sk, &init_net); + __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); +@@ -955,7 +958,8 @@ static void tcp_v4_timewait_ack(struct sock *sk, struct sk_buff *skb) + tw->tw_bound_dev_if, + tcp_twsk_md5_key(tcptw), + tw->tw_transparent ? IP_REPLY_ARG_NOSRCCHECK : 0, +- tw->tw_tos ++ tw->tw_tos, ++ tw->tw_txhash + ); + + inet_twsk_put(tw); +@@ -988,7 +992,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + 0, + tcp_md5_do_lookup(sk, l3index, addr, AF_INET), + inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, +- ip_hdr(skb)->tos); ++ ip_hdr(skb)->tos, tcp_rsk(req)->txhash); + } + + /* +-- +2.39.2 + diff --git a/tmp-6.1/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch b/tmp-6.1/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch new file mode 100644 index 00000000000..db0b541de2a --- /dev/null +++ b/tmp-6.1/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch 
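Review bot: The new `sk->sk_txhash` read in tcp_v4_send_reset() and the `tcp_rsk(req)->txhash` argument in tcp_v4_reqsk_send_ack() are plain loads. The Stable-dep-of trailer names a follow-up that annotates data races on `tcp_rsk(req)->txhash`, which suggests the field can be written concurrently with these readers; if so the reads should be `READ_ONCE(tcp_rsk(req)->txhash)` and, presumably, `READ_ONCE(sk->sk_txhash)`. Both function bodies extend outside the hunks shown, so any locking that already covers these reads cannot be confirmed from here.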
@@ -0,0 +1,38 @@ +From 9ba17b30e66744d6805871a41ff330f6594f1806 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 17:59:19 +0800 +Subject: net: ipv4: Use kfree_sensitive instead of kfree + +From: Wang Ming + +[ Upstream commit daa751444fd9d4184270b1479d8af49aaf1a1ee6 ] + +key might contain private part of the key, so better use +kfree_sensitive to free it. + +Fixes: 38320c70d282 ("[IPSEC]: Use crypto_aead and authenc in ESP") +Signed-off-by: Wang Ming +Reviewed-by: Tariq Toukan +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/esp4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c +index 52c8047efedbb..2d094d417ecae 100644 +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -1132,7 +1132,7 @@ static int esp_init_authenc(struct xfrm_state *x, + err = crypto_aead_setkey(aead, key, keylen); + + free_key: +- kfree(key); ++ kfree_sensitive(key); + + error: + return err; +-- +2.39.2 + diff --git a/tmp-6.1/net-ipv6-check-return-value-of-pskb_trim.patch b/tmp-6.1/net-ipv6-check-return-value-of-pskb_trim.patch new file mode 100644 index 00000000000..21fad0bb8fb --- /dev/null +++ b/tmp-6.1/net-ipv6-check-return-value-of-pskb_trim.patch 
@@ -0,0 +1,39 @@ +From d40157f8faa30cf97d32dde6d80704d5d0898f75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 22:45:19 +0800 +Subject: net:ipv6: check return value of pskb_trim() + +From: Yuanjun Gong + +[ Upstream commit 4258faa130be4ea43e5e2d839467da421b8ff274 ] + +goto tx_err if an unexpected result is returned by pskb_tirm() +in ip6erspan_tunnel_xmit(). + +Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support") +Signed-off-by: Yuanjun Gong +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 216b40ccadae0..d3fba7d8dec4e 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -977,7 +977,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + goto tx_err; + + if (skb->len > dev->mtu + dev->hard_header_len) { +- pskb_trim(skb, dev->mtu + dev->hard_header_len); ++ if (pskb_trim(skb, dev->mtu + dev->hard_header_len)) ++ goto tx_err; + truncate = true; + } + +-- +2.39.2 + diff --git a/tmp-6.1/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch b/tmp-6.1/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch new file mode 100644 index 00000000000..45e4500a7d9 --- /dev/null +++ b/tmp-6.1/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch 
@@ -0,0 +1,74 @@
+From 5cd4f073ef92600361ab34604f85b132f284a528 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jul 2023 03:02:31 +0300
+Subject: net: phy: prevent stale pointer dereference in phy_init()
+
+From: Vladimir Oltean
+
+[ Upstream commit 1c613beaf877c0c0d755853dc62687e2013e55c4 ]
+
+mdio_bus_init() and phy_driver_register() both have error paths, and if
+those are ever hit, ethtool will have a stale pointer to the
+phy_ethtool_phy_ops stub structure, which references memory from a
+module that failed to load (phylib).
+
+It is probably hard to force an error in this code path even manually,
+but the error teardown path of phy_init() should be the same as
+phy_exit(), which is now simply not the case.
+
+Fixes: 55d8f053ce1b ("net: phy: Register ethtool PHY operations")
+Link: https://lore.kernel.org/netdev/ZLaiJ4G6TaJYGJyU@shell.armlinux.org.uk/
+Suggested-by: Russell King (Oracle)
+Signed-off-by: Vladimir Oltean
+Link: https://lore.kernel.org/r/20230720000231.1939689-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/phy_device.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index 7fbb0904b3c0f..82f74f96eba29 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -3252,23 +3252,30 @@ static int __init phy_init(void)
+ {
+ int rc;
+
++ ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops);
++
+ rc = mdio_bus_init();
+ if (rc)
+- return rc;
++ goto err_ethtool_phy_ops;
+
+- ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops);
+ features_init();
+
+ rc = phy_driver_register(&genphy_c45_driver, THIS_MODULE);
+ if (rc)
+- goto err_c45;
++ goto err_mdio_bus;
+
+ rc = phy_driver_register(&genphy_driver, THIS_MODULE);
+- if (rc) {
+- phy_driver_unregister(&genphy_c45_driver);
++ if (rc)
++ goto err_c45;
++
++ return 0;
++
+ err_c45:
+- mdio_bus_exit();
+- }
++ phy_driver_unregister(&genphy_c45_driver);
++err_mdio_bus:
++ mdio_bus_exit();
++err_ethtool_phy_ops:
++ ethtool_set_ethtool_phy_ops(NULL);
+
+ return rc;
+ }
+--
+2.39.2
+
diff --git a/tmp-6.1/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch b/tmp-6.1/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch
new file mode 100644
index 00000000000..fca333f2ee6
--- /dev/null
+++ b/tmp-6.1/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch
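Review bot: phy_init() now publishes `phy_ethtool_phy_ops` before `mdio_bus_init()` and `features_init()` have run, and the reason for that ordering (the unwind has to mirror phy_exit()) is recorded only in the commit message. A comment above the call, e.g. `/* set first so the error unwind matches phy_exit() */`, would keep a later reorder from reintroducing the stale pointer. Publishing earlier also means ethtool can see the ops while the rest of phylib is still initialising; that is presumably harmless because no PHY device can exist yet, but it is worth confirming against the callers of these ops, which are not visible here.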
@@ -0,0 +1,165 @@
+From 80ba7d3f04c1dd00e5a8cdab662fc9acf1a3b2b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Jul 2023 15:05:13 -0300
+Subject: net: sched: cls_bpf: Undo tcf_bind_filter in case of an error
+
+From: Victor Nogueira
+
+[ Upstream commit 26a22194927e8521e304ed75c2f38d8068d55fc7 ]
+
+If cls_bpf_offload errors out, we must also undo tcf_bind_filter that
+was done before the error.
+
+Fix that by calling tcf_unbind_filter in errout_parms.
+
+Fixes: eadb41489fd2 ("net: cls_bpf: add support for marking filters as hardware-only")
+Signed-off-by: Victor Nogueira
+Acked-by: Jamal Hadi Salim
+Reviewed-by: Pedro Tammela
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_bpf.c | 99 +++++++++++++++++++++------------------------
+ 1 file changed, 47 insertions(+), 52 deletions(-)
+
+diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
+index bc317b3eac124..0320e11eb248b 100644
+--- a/net/sched/cls_bpf.c
++++ b/net/sched/cls_bpf.c
+@@ -404,56 +404,6 @@ static int cls_bpf_prog_from_efd(struct nlattr **tb, struct cls_bpf_prog *prog,
+ return 0;
+ }
+
+-static int cls_bpf_set_parms(struct net *net, struct tcf_proto *tp,
+- struct cls_bpf_prog *prog, unsigned long base,
+- struct nlattr **tb, struct nlattr *est, u32 flags,
+- struct netlink_ext_ack *extack)
+-{
+- bool is_bpf, is_ebpf, have_exts = false;
+- u32 gen_flags = 0;
+- int ret;
+-
+- is_bpf = tb[TCA_BPF_OPS_LEN] && tb[TCA_BPF_OPS];
+- is_ebpf = tb[TCA_BPF_FD];
+- if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf))
+- return -EINVAL;
+-
+- ret = tcf_exts_validate(net, tp, tb, est, &prog->exts, flags,
+- extack);
+- if (ret < 0)
+- return ret;
+-
+- if (tb[TCA_BPF_FLAGS]) {
+- u32 bpf_flags = nla_get_u32(tb[TCA_BPF_FLAGS]);
+-
+- if (bpf_flags & ~TCA_BPF_FLAG_ACT_DIRECT)
+- return -EINVAL;
+-
+- have_exts = bpf_flags & TCA_BPF_FLAG_ACT_DIRECT;
+- }
+- if (tb[TCA_BPF_FLAGS_GEN]) {
+- gen_flags = nla_get_u32(tb[TCA_BPF_FLAGS_GEN]);
+- if (gen_flags & ~CLS_BPF_SUPPORTED_GEN_FLAGS ||
+- !tc_flags_valid(gen_flags))
+- return -EINVAL;
+- }
+-
+- prog->exts_integrated = have_exts;
+- prog->gen_flags = gen_flags;
+-
+- ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) :
+- cls_bpf_prog_from_efd(tb, prog, gen_flags, tp);
+- if (ret < 0)
+- return ret;
+-
+- if (tb[TCA_BPF_CLASSID]) {
+- prog->res.classid = nla_get_u32(tb[TCA_BPF_CLASSID]);
+- tcf_bind_filter(tp, &prog->res, base);
+- }
+-
+- return 0;
+-}
+-
+ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb,
+ struct tcf_proto *tp, unsigned long base,
+ u32 handle, struct nlattr **tca,
+@@ -461,9 +411,12 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb,
+ struct netlink_ext_ack *extack)
+ {
+ struct cls_bpf_head *head = rtnl_dereference(tp->root);
++ bool is_bpf, is_ebpf, have_exts = false;
+ struct cls_bpf_prog *oldprog = *arg;
+ struct nlattr *tb[TCA_BPF_MAX + 1];
++ bool bound_to_filter = false;
+ struct cls_bpf_prog *prog;
++ u32 gen_flags = 0;
+ int ret;
+
+ if (tca[TCA_OPTIONS] == NULL)
+@@ -502,11 +455,51 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb,
+ goto errout;
+ prog->handle = handle;
+
+- ret = cls_bpf_set_parms(net, tp, prog, base, tb, tca[TCA_RATE], flags,
+- extack);
++ is_bpf = tb[TCA_BPF_OPS_LEN] && tb[TCA_BPF_OPS];
++ is_ebpf = tb[TCA_BPF_FD];
++ if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf)) {
++ ret = -EINVAL;
++ goto errout_idr;
++ }
++
++ ret = tcf_exts_validate(net, tp, tb, tca[TCA_RATE], &prog->exts,
++ flags, extack);
++ if (ret < 0)
++ goto errout_idr;
++
++ if (tb[TCA_BPF_FLAGS]) {
++ u32 bpf_flags = nla_get_u32(tb[TCA_BPF_FLAGS]);
++
++ if (bpf_flags & ~TCA_BPF_FLAG_ACT_DIRECT) {
++ ret = -EINVAL;
++ goto errout_idr;
++ }
++
++ have_exts = bpf_flags & TCA_BPF_FLAG_ACT_DIRECT;
++ }
++ if (tb[TCA_BPF_FLAGS_GEN]) {
++ gen_flags = nla_get_u32(tb[TCA_BPF_FLAGS_GEN]);
++ if (gen_flags & ~CLS_BPF_SUPPORTED_GEN_FLAGS ||
++ !tc_flags_valid(gen_flags)) {
++ ret = -EINVAL;
++ goto errout_idr;
++ }
++ }
++
++ prog->exts_integrated = have_exts;
++ prog->gen_flags = gen_flags;
++
++ ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) :
++ cls_bpf_prog_from_efd(tb, prog, gen_flags, tp);
+ if (ret < 0)
+ goto errout_idr;
+
++ if (tb[TCA_BPF_CLASSID]) {
++ prog->res.classid = nla_get_u32(tb[TCA_BPF_CLASSID]);
++ tcf_bind_filter(tp, &prog->res, base);
++ bound_to_filter = true;
++ }
++
+ ret = cls_bpf_offload(tp, prog, oldprog, extack);
+ if (ret)
+ goto errout_parms;
+@@ -528,6 +521,8 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb,
+ return 0;
+
+ errout_parms:
++ if (bound_to_filter)
++ tcf_unbind_filter(tp, &prog->res);
+ cls_bpf_free_parms(prog);
+ errout_idr:
+ if (!oldprog)
+--
+2.39.2
+
diff --git a/tmp-6.1/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch b/tmp-6.1/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch
new file mode 100644
index 00000000000..892c64519e3
--- /dev/null
+++ b/tmp-6.1/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch
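Review bot: The `bound_to_filter` local added to cls_bpf_change() tracks something `tb[TCA_BPF_CLASSID]` already tells the code, while the cls_u32 patch on this page handles the same bind/unbind pairing with `u32_bind_filter()`/`u32_unbind_filter()` helpers keyed on the attribute. Settling on one pattern across the classifiers would make the pairing easier to audit; the same applies to `bound_to_filter` in mall_change() in the cls_matchall patch that follows. At `errout_parms:` a comment such as `/* undo the tcf_bind_filter() done before offload */` would tie the label to the bind, which now sits well above it in the inlined code. cls_bpf_change() starts and ends outside the hunks.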
@@ -0,0 +1,98 @@
+From df17b2737c98c54588b1108cd709109a4a053d7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Jul 2023 15:05:10 -0300
+Subject: net: sched: cls_matchall: Undo tcf_bind_filter in case of failure
+ after mall_set_parms
+
+From: Victor Nogueira
+
+[ Upstream commit b3d0e0489430735e2e7626aa37e6462cdd136e9d ]
+
+In case an error occurred after mall_set_parms executed successfully, we
+must undo the tcf_bind_filter call it issues.
+
+Fix that by calling tcf_unbind_filter in err_replace_hw_filter label.
+
+Fixes: ec2507d2a306 ("net/sched: cls_matchall: Fix error path")
+Signed-off-by: Victor Nogueira
+Acked-by: Jamal Hadi Salim
+Reviewed-by: Pedro Tammela
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_matchall.c | 35 ++++++++++++-----------------------
+ 1 file changed, 12 insertions(+), 23 deletions(-)
+
+diff --git a/net/sched/cls_matchall.c b/net/sched/cls_matchall.c
+index 39a5d9c170def..43f8df5847414 100644
+--- a/net/sched/cls_matchall.c
++++ b/net/sched/cls_matchall.c
+@@ -157,26 +157,6 @@ static const struct nla_policy mall_policy[TCA_MATCHALL_MAX + 1] = {
+ [TCA_MATCHALL_FLAGS] = { .type = NLA_U32 },
+ };
+
+-static int mall_set_parms(struct net *net, struct tcf_proto *tp,
+- struct cls_mall_head *head,
+- unsigned long base, struct nlattr **tb,
+- struct nlattr *est, u32 flags, u32 fl_flags,
+- struct netlink_ext_ack *extack)
+-{
+- int err;
+-
+- err = tcf_exts_validate_ex(net, tp, tb, est, &head->exts, flags,
+- fl_flags, extack);
+- if (err < 0)
+- return err;
+-
+- if (tb[TCA_MATCHALL_CLASSID]) {
+- head->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]);
+- tcf_bind_filter(tp, &head->res, base);
+- }
+- return 0;
+-}
+-
+ static int mall_change(struct net *net, struct sk_buff *in_skb,
+ struct tcf_proto *tp, unsigned long base,
+ u32 handle, struct nlattr **tca,
+@@ -185,6 +165,7 @@ static int mall_change(struct net *net, struct sk_buff *in_skb,
+ {
+ struct cls_mall_head *head = rtnl_dereference(tp->root);
+ struct nlattr *tb[TCA_MATCHALL_MAX + 1];
++ bool bound_to_filter = false;
+ struct cls_mall_head *new;
+ u32 userflags = 0;
+ int err;
+@@ -224,11 +205,17 @@ static int mall_change(struct net *net, struct sk_buff *in_skb,
+ goto err_alloc_percpu;
+ }
+
+- err = mall_set_parms(net, tp, new, base, tb, tca[TCA_RATE],
+- flags, new->flags, extack);
+- if (err)
++ err = tcf_exts_validate_ex(net, tp, tb, tca[TCA_RATE],
++ &new->exts, flags, new->flags, extack);
++ if (err < 0)
+ goto err_set_parms;
+
++ if (tb[TCA_MATCHALL_CLASSID]) {
++ new->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]);
++ tcf_bind_filter(tp, &new->res, base);
++ bound_to_filter = true;
++ }
++
+ if (!tc_skip_hw(new->flags)) {
+ err = mall_replace_hw_filter(tp, new, (unsigned long)new,
+ extack);
+@@ -244,6 +231,8 @@ static int mall_change(struct net *net, struct sk_buff *in_skb,
+ return 0;
+
+ err_replace_hw_filter:
++ if (bound_to_filter)
++ tcf_unbind_filter(tp, &new->res);
+ err_set_parms:
+ free_percpu(new->pf);
+ err_alloc_percpu:
+--
+2.39.2
+
diff --git a/tmp-6.1/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch b/tmp-6.1/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch
new file mode 100644
index 00000000000..644fb9b107b
--- /dev/null
+++ b/tmp-6.1/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch
@@ -0,0 +1,49 @@
+From 2565a1a811821f66ba1cd9a3bb9496fbecdc80e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Jul 2023 15:05:12 -0300
+Subject: net: sched: cls_u32: Undo refcount decrement in case update failed
+
+From: Victor Nogueira
+
+[ Upstream commit e8d3d78c19be0264a5692bed477c303523aead31 ]
+
+In the case of an update, when TCA_U32_LINK is set, u32_set_parms will
+decrement the refcount of the ht_down (struct tc_u_hnode) pointer
+present in the older u32 filter which we are replacing. However, if
+u32_replace_hw_knode errors out, the update command fails and that
+ht_down pointer continues decremented. To fix that, when
+u32_replace_hw_knode fails, check if ht_down's refcount was decremented
+and undo the decrement.
+
+Fixes: d34e3e181395 ("net: cls_u32: Add support for skip-sw flag to tc u32 classifier.")
+Signed-off-by: Victor Nogueira
+Acked-by: Jamal Hadi Salim
+Reviewed-by: Pedro Tammela
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_u32.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
+index 7cfbcd5180841..1280736a7b92e 100644
+--- a/net/sched/cls_u32.c
++++ b/net/sched/cls_u32.c
+@@ -926,6 +926,13 @@ static int u32_change(struct net *net, struct sk_buff *in_skb,
+ if (err) {
+ u32_unbind_filter(tp, new, tb);
+
++ if (tb[TCA_U32_LINK]) {
++ struct tc_u_hnode *ht_old;
++
++ ht_old = rtnl_dereference(n->ht_down);
++ if (ht_old)
++ ht_old->refcnt++;
++ }
+ __u32_destroy_key(new);
+ return err;
+ }
+--
+2.39.2
+
diff --git a/tmp-6.1/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch b/tmp-6.1/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch
new file mode 100644
index 00000000000..b118e643cf0
--- /dev/null
+++ b/tmp-6.1/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch
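Review bot: The compensating `ht_old->refcnt++` in the u32_replace_hw_knode() failure branch re-derives what u32_set_parms() did from `tb[TCA_U32_LINK]` and `n->ht_down`, and nothing in the code ties the two sites together. If the decrement condition in u32_set_parms() ever changes, this undo will unbalance the count in the other direction, and a miscounted `tc_u_hnode` reference is how a premature free or a leak would arise. At minimum add `/* undo the ht_down refcnt drop done by u32_set_parms() */` above the block; having u32_set_parms() report which hnode it dropped would be the sturdier form. u32_set_parms() appears on this page only as context fragments and u32_change() starts outside the hunk, so the pairing could not be verified here.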
@@ -0,0 +1,122 @@
+From 66d4c485e832ee7c6d50709763bfdf4c14e821d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Jul 2023 15:05:11 -0300
+Subject: net: sched: cls_u32: Undo tcf_bind_filter if u32_replace_hw_knode
+
+From: Victor Nogueira
+
+[ Upstream commit 9cb36faedeafb9720ac236aeae2ea57091d90a09 ]
+
+When u32_replace_hw_knode fails, we need to undo the tcf_bind_filter
+operation done at u32_set_parms.
+
+Fixes: d34e3e181395 ("net: cls_u32: Add support for skip-sw flag to tc u32 classifier.")
+Signed-off-by: Victor Nogueira
+Acked-by: Jamal Hadi Salim
+Reviewed-by: Pedro Tammela
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_u32.c | 41 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 30 insertions(+), 11 deletions(-)
+
+diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
+index a3477537c102b..7cfbcd5180841 100644
+--- a/net/sched/cls_u32.c
++++ b/net/sched/cls_u32.c
+@@ -710,8 +710,23 @@ static const struct nla_policy u32_policy[TCA_U32_MAX + 1] = {
+ [TCA_U32_FLAGS] = { .type = NLA_U32 },
+ };
+
++static void u32_unbind_filter(struct tcf_proto *tp, struct tc_u_knode *n,
++ struct nlattr **tb)
++{
++ if (tb[TCA_U32_CLASSID])
++ tcf_unbind_filter(tp, &n->res);
++}
++
++static void u32_bind_filter(struct tcf_proto *tp, struct tc_u_knode *n,
++ unsigned long base, struct nlattr **tb)
++{
++ if (tb[TCA_U32_CLASSID]) {
++ n->res.classid = nla_get_u32(tb[TCA_U32_CLASSID]);
++ tcf_bind_filter(tp, &n->res, base);
++ }
++}
++
+ static int u32_set_parms(struct net *net, struct tcf_proto *tp,
+- unsigned long base,
+ struct tc_u_knode *n, struct nlattr **tb,
+ struct nlattr *est, u32 flags, u32 fl_flags,
+ struct netlink_ext_ack *extack)
+@@ -758,10 +773,6 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp,
+ if (ht_old)
+ ht_old->refcnt--;
+ }
+- if (tb[TCA_U32_CLASSID]) {
+- n->res.classid = nla_get_u32(tb[TCA_U32_CLASSID]);
+- tcf_bind_filter(tp, &n->res, base);
+- }
+
+ if (ifindex >= 0)
+ n->ifindex = ifindex;
+@@ -901,17 +912,20 @@ static int u32_change(struct net *net, struct sk_buff *in_skb,
+ if (!new)
+ return -ENOMEM;
+
+- err = u32_set_parms(net, tp, base, new, tb,
+- tca[TCA_RATE], flags, new->flags,
+- extack);
++ err = u32_set_parms(net, tp, new, tb, tca[TCA_RATE],
++ flags, new->flags, extack);
+
+ if (err) {
+ __u32_destroy_key(new);
+ return err;
+ }
+
++ u32_bind_filter(tp, new, base, tb);
++
+ err = u32_replace_hw_knode(tp, new, flags, extack);
+ if (err) {
++ u32_unbind_filter(tp, new, tb);
++
+ __u32_destroy_key(new);
+ return err;
+ }
+@@ -1072,15 +1086,18 @@ static int u32_change(struct net *net, struct sk_buff *in_skb,
+ }
+ #endif
+
+- err = u32_set_parms(net, tp, base, n, tb, tca[TCA_RATE],
++ err = u32_set_parms(net, tp, n, tb, tca[TCA_RATE],
+ flags, n->flags, extack);
++
++ u32_bind_filter(tp, n, base, tb);
++
+ if (err == 0) {
+ struct tc_u_knode __rcu **ins;
+ struct tc_u_knode *pins;
+
+ err = u32_replace_hw_knode(tp, n, flags, extack);
+ if (err)
+- goto errhw;
++ goto errunbind;
+
+ if (!tc_in_hw(n->flags))
+ n->flags |= TCA_CLS_FLAGS_NOT_IN_HW;
+@@ -1098,7 +1115,9 @@ static int u32_change(struct net *net, struct sk_buff *in_skb,
+ return 0;
+ }
+
+-errhw:
++errunbind:
++ u32_unbind_filter(tp, n, tb);
++
+ #ifdef CONFIG_CLS_U32_MARK
+ free_percpu(n->pcpu_success);
+ #endif
+--
+2.39.2
+
diff --git a/tmp-6.1/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch b/tmp-6.1/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch
new file mode 100644
index 00000000000..e9e644e643b
--- /dev/null
+++ b/tmp-6.1/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch
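Review bot: In the new-node path of u32_change() (the `@@ -1072,15 +1086,18 @@` hunk) `u32_bind_filter(tp, n, base, tb);` runs unconditionally, even when the preceding u32_set_parms() returned an error, and the code then relies on falling through to `errunbind:` to take the binding back. Binding a node that is already known to be rejected is avoidable: call `u32_bind_filter(tp, n, base, tb);` as the first statement inside `if (err == 0) {`, which matches how the update path in the `@@ -901,17 +912,20 @@` hunk orders it. That leaves `errunbind:` reachable without a prior bind, so it depends on tcf_unbind_filter() tolerating an unbound `res`, which is not visible here and should be confirmed. u32_change() begins and ends outside the hunks.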
@@ -0,0 +1,64 @@
+From 93023625146793635d96beb87c81594cb326e47c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Jul 2023 01:30:33 +0200
+Subject: netfilter: nf_tables: can't schedule in nft_chain_validate
+
+From: Florian Westphal
+
+[ Upstream commit 314c82841602a111c04a7210c21dc77e0d560242 ]
+
+Can be called via nft set element list iteration, which may acquire
+rcu and/or bh read lock (depends on set type).
+
+BUG: sleeping function called from invalid context at net/netfilter/nf_tables_api.c:3353
+in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1232, name: nft
+preempt_count: 0, expected: 0
+RCU nest depth: 1, expected: 0
+2 locks held by nft/1232:
+ #0: ffff8881180e3ea8 (&nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid
+ #1: ffffffff83f5f540 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire
+Call Trace:
+ nft_chain_validate
+ nft_lookup_validate_setelem
+ nft_pipapo_walk
+ nft_lookup_validate
+ nft_chain_validate
+ nft_immediate_validate
+ nft_chain_validate
+ nf_tables_validate
+ nf_tables_abort
+
+No choice but to move it to nf_tables_validate().
+
+Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks")
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 58f14e4ef63d4..0bb1cc7ed5e99 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3500,8 +3500,6 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
+ if (err < 0)
+ return err;
+ }
+-
+- cond_resched();
+ }
+
+ return 0;
+@@ -3525,6 +3523,8 @@ static int nft_table_validate(struct net *net, const struct nft_table *table)
+ err = nft_chain_validate(&ctx, chain);
+ if (err < 0)
+ return err;
++
++ cond_resched();
+ }
+
+ return 0;
+--
+2.39.2
+
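Review bot: With `cond_resched()` removed from nft_chain_validate(), nothing at that spot says why it must not come back, and the only yield left is once per chain in nft_table_validate(), so a single very long chain is walked without a rescheduling point. A comment where the call was removed, e.g. `/* no cond_resched() here: reachable from set walks under rcu/bh read lock */`, would record the constraint that today lives only in the commit message. The message also says the call moves to nf_tables_validate(), whereas the hunk adds it in nft_table_validate(); presumably a slip in the description. Both functions start outside the hunks.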
diff --git a/tmp-6.1/netfilter-nf_tables-fix-spurious-set-element-inserti.patch b/tmp-6.1/netfilter-nf_tables-fix-spurious-set-element-inserti.patch
new file mode 100644
index 00000000000..d9dbd340acc
--- /dev/null
+++ b/tmp-6.1/netfilter-nf_tables-fix-spurious-set-element-inserti.patch
@@ -0,0 +1,49 @@
+From 447b7e2bbc060e4f8293f9e084a379b95e8bf78b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jul 2023 00:29:58 +0200
+Subject: netfilter: nf_tables: fix spurious set element insertion failure
+
+From: Florian Westphal
+
+[ Upstream commit ddbd8be68941985f166f5107109a90ce13147c44 ]
+
+On some platforms there is a padding hole in the nft_verdict
+structure, between the verdict code and the chain pointer.
+
+On element insertion, if the new element clashes with an existing one and
+NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as
+the data associated with duplicated element is the same as the existing
+one. The data equality check uses memcmp.
+
+For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT
+padding area leads to spurious failure even if the verdict data is the
+same.
+
+This then makes the insertion fail with 'already exists' error, even
+though the new "key : data" matches an existing entry and userspace
+told the kernel that it doesn't want to receive an error indication.
+
+Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion")
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 938cfa9a3adb6..58f14e4ef63d4 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -10114,6 +10114,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+
+ if (!tb[NFTA_VERDICT_CODE])
+ return -EINVAL;
++
++ /* zero padding hole for memcmp */
++ memset(data, 0, sizeof(*data));
+ data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
+
+ switch (data->verdict.code) {
+--
+2.39.2
+
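Review bot: The `memset(data, 0, sizeof(*data));` sits after the `!tb[NFTA_VERDICT_CODE]` check, so on that `-EINVAL` return (and on any earlier return outside the hunk) `*data` is left exactly as the caller passed it; moving the memset to the top of nft_verdict_init() would give every exit a fully defined object. More broadly, equality by `memcmp` over a structure with a padding hole stays fragile: any other code that fills a verdict field by field would bring the spurious mismatch back, so the comparison site deserves a comment naming this dependency. The comparison code and the start of nft_verdict_init() are outside the hunk.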
diff --git a/tmp-6.1/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch b/tmp-6.1/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch
new file mode 100644
index 00000000000..240214ec93d
--- /dev/null
+++ b/tmp-6.1/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch
@@ -0,0 +1,37 @@
+From 2de006dd895fa8e0d71406e0293e4e0caa40e552 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 20:19:43 +0200
+Subject: netfilter: nf_tables: skip bound chain in netns release path
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 751d460ccff3137212f47d876221534bf0490996 ]
+
+Skip bound chain from netns release path, the rule that owns this chain
+releases these objects.
+
+Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 0bb1cc7ed5e99..f621c5e48747b 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -10398,6 +10398,9 @@ static void __nft_release_table(struct net *net, struct nft_table *table)
+ ctx.family = table->family;
+ ctx.table = table;
+ list_for_each_entry(chain, &table->chains, list) {
++ if (nft_chain_is_bound(chain))
++ continue;
++
+ ctx.chain = chain;
+ list_for_each_entry_safe(rule, nr, &chain->rules, list) {
+ list_del(&rule->list);
+--
+2.39.2
+
diff --git a/tmp-6.1/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch b/tmp-6.1/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch
new file mode 100644
index 00000000000..9aff1bc6b86
--- /dev/null
+++ b/tmp-6.1/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch
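Review bot: The `nft_chain_is_bound(chain)` skip is added to the rule loop of __nft_release_table() here and to the table-wide flush loop of nf_tables_delrule() in the next patch, but neither site says why bound chains are exempt. A comment such as `/* rules of a bound chain are released by the rule that owns the chain */` at both places would keep the ownership rule visible, since the commit messages indicate that ignoring it ends in the same objects being released from two places. Only the flush-all loop of nf_tables_delrule() is in that hunk; whether the branch handling an explicitly named chain also refuses bound chains cannot be seen and is worth checking. The later loops of __nft_release_table() are likewise outside this hunk.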
@@ -0,0 +1,43 @@
+From 00af5d0ed7436d8d334b78b70165969fd0c0dde3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jul 2023 09:17:21 +0200
+Subject: netfilter: nf_tables: skip bound chain on rule flush
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8 ]
+
+Skip bound chain when flushing table rules, the rule that owns this
+chain releases these objects.
+
+Otherwise, the following warning is triggered:
+
+ WARNING: CPU: 2 PID: 1217 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
+ CPU: 2 PID: 1217 Comm: chain-flush Not tainted 6.1.39 #1
+ RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
+
+Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+Reported-by: Kevin Rich
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index f621c5e48747b..ecde497368ec4 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3892,6 +3892,8 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
+ list_for_each_entry(chain, &table->chains, list) {
+ if (!nft_is_active_next(net, chain))
+ continue;
++ if (nft_chain_is_bound(chain))
++ continue;
+
+ ctx.chain = chain;
+ err = nft_delrule_by_chain(&ctx);
+--
+2.39.2
+
diff --git a/tmp-6.1/netfilter-nft_set_pipapo-fix-improper-element-remova.patch b/tmp-6.1/netfilter-nft_set_pipapo-fix-improper-element-remova.patch
new file mode 100644
index 00000000000..91dcec1dda0
--- /dev/null
+++ b/tmp-6.1/netfilter-nft_set_pipapo-fix-improper-element-remova.patch
@@ -0,0 +1,63 @@
+From 83c0d8d2e1df2dea06f0b2bf34a73af311411a76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:08:21 +0200
+Subject: netfilter: nft_set_pipapo: fix improper element removal
+
+From: Florian Westphal
+
+[ Upstream commit 87b5a5c209405cb6b57424cdfa226a6dbd349232 ]
+
+end key should be equal to start unless NFT_SET_EXT_KEY_END is present.
+
+Its possible to add elements that only have a start key
+("{ 1.0.0.0 . 2.0.0.0 }") without an internval end.
+
+Insertion treats this via:
+
+if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
+ end = (const u8 *)nft_set_ext_key_end(ext)->data;
+else
+ end = start;
+
+but removal side always uses nft_set_ext_key_end().
+This is wrong and leads to garbage remaining in the set after removal
+next lookup/insert attempt will give:
+
+BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90
+Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399
+Call Trace:
+ kasan_report+0x105/0x140
+ pipapo_get+0x8eb/0xb90
+ nft_pipapo_insert+0x1dc/0x1710
+ nf_tables_newsetelem+0x31f5/0x4e00
+ ..
+
+Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
+Reported-by: lonial con
+Reviewed-by: Stefano Brivio
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_set_pipapo.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
+index 0452ee586c1cc..a81829c10feab 100644
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -1930,7 +1930,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set,
+ int i, start, rules_fx;
+
+ match_start = data;
+- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
++
++ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END))
++ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
++ else
++ match_end = data;
+
+ start = first_rule;
+ rules_fx = rules_f0;
+--
+2.39.2
+
diff --git a/tmp-6.1/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch b/tmp-6.1/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch
new file mode 100644
index 00000000000..27c97b9ed07
--- /dev/null
+++ b/tmp-6.1/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch
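Review bot: nft_pipapo_remove() now repeats the `NFT_SET_EXT_KEY_END` test that, per the commit message, the insertion path already performs, and the bug being fixed is exactly those two copies disagreeing. A small static helper that returns the end key for an element, falling back to the start key when the extension is absent, and that is called from both insert and remove would keep them in step. Until then a comment on the `else` branch, `/* no end key stored: the range is [start, start] */`, would explain the fallback. The insertion code and the rest of nft_pipapo_remove() are outside the hunk.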
@@ -0,0 +1,43 @@
+From b8bfbeb43ba95b6189f76448167e05a0545f9706 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 16 Jul 2023 15:07:41 +0530
+Subject: octeontx2-pf: Dont allocate BPIDs for LBK interfaces
+
+From: Geetha sowjanya
+
+[ Upstream commit 8fcd7c7b3a38ab5e452f542fda8f7940e77e479a ]
+
+Current driver enables backpressure for LBK interfaces.
+But these interfaces do not support this feature.
+Hence, this patch fixes the issue by skipping the
+backpressure configuration for these interfaces.
+
+Fixes: 75f36270990c ("octeontx2-pf: Support to enable/disable pause frames via ethtool").
+Signed-off-by: Geetha sowjanya
+Signed-off-by: Sunil Goutham
+Link: https://lore.kernel.org/r/20230716093741.28063-1-gakula@marvell.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+index ed911d9946277..c236dba80ff1a 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+@@ -1452,8 +1452,9 @@ static int otx2_init_hw_resources(struct otx2_nic *pf)
+ if (err)
+ goto err_free_npa_lf;
+
+- /* Enable backpressure */
+- otx2_nix_config_bp(pf, true);
++ /* Enable backpressure for CGX mapped PF/VFs */
++ if (!is_otx2_lbkvf(pf->pdev))
++ otx2_nix_config_bp(pf, true);
+
+ /* Init Auras and pools used by NIX RQ, for free buffer ptrs */
+ err = otx2_rq_aura_pool_init(pf);
+--
+2.39.2
+
diff --git a/tmp-6.1/of-preserve-of-display-device-name-for-compatibility.patch b/tmp-6.1/of-preserve-of-display-device-name-for-compatibility.patch
new file mode 100644
index 00000000000..825e32fdd09
--- /dev/null
+++ b/tmp-6.1/of-preserve-of-display-device-name-for-compatibility.patch
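Review bot: Backpressure is now enabled only when `!is_otx2_lbkvf(pf->pdev)`, but the hunk shows no matching guard on the disable side, so teardown may still call `otx2_nix_config_bp(pf, false)` for an LBK interface that never had it enabled. The release path is outside the hunk; if it is unguarded, the same `if (!is_otx2_lbkvf(pf->pdev))` test belongs there. The new comment says "CGX mapped PF/VFs" while the condition tests for LBK VFs, so wording it as `/* LBK interfaces do not support backpressure */` would match the code more directly.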
@@ -0,0 +1,51 @@
+From 0bb8f49cd2cc8cb32ac51189ff9fcbe7ec3d9d65 Mon Sep 17 00:00:00 2001
+From: Rob Herring
+Date: Mon, 10 Jul 2023 11:40:07 -0600
+Subject: of: Preserve "of-display" device name for compatibility
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rob Herring
+
+commit 0bb8f49cd2cc8cb32ac51189ff9fcbe7ec3d9d65 upstream.
+
+Since commit 241d2fb56a18 ("of: Make OF framebuffer device names unique"),
+as spotted by Frédéric Bonnard, the historical "of-display" device is
+gone: the updated logic creates "of-display.0" instead, then as many
+"of-display.N" as required.
+
+This means that offb no longer finds the expected device, which prevents
+the Debian Installer from setting up its interface, at least on ppc64el.
+
+Fix this by keeping "of-display" for the first device and "of-display.N"
+for subsequent devices.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217328
+Link: https://bugs.debian.org/1033058
+Fixes: 241d2fb56a18 ("of: Make OF framebuffer device names unique")
+Cc: stable@vger.kernel.org
+Cc: Cyril Brulebois
+Cc: Thomas Zimmermann
+Cc: Helge Deller
+Acked-by: Helge Deller
+Acked-by: Thomas Zimmermann
+Reviewed-by: Michal Suchánek
+Link: https://lore.kernel.org/r/20230710174007.2291013-1-robh@kernel.org
+Signed-off-by: Rob Herring
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/of/platform.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/of/platform.c
++++ b/drivers/of/platform.c
+@@ -557,7 +557,7 @@ static int __init of_platform_default_po
+ if (!of_get_property(node, "linux,opened", NULL) ||
+ !of_get_property(node, "linux,boot-display", NULL))
+ continue;
+- dev = of_platform_device_create(node, "of-display.0", NULL);
++ dev = of_platform_device_create(node, "of-display", NULL);
+ of_node_put(node);
+ if (WARN_ON(!dev))
+ return -ENOMEM;
diff --git a/tmp-6.1/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch b/tmp-6.1/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch
new file mode 100644
index 00000000000..298e882552a
--- /dev/null
+++ b/tmp-6.1/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch
@@ -0,0 +1,58 @@
+From 2c90078841a0854ee8bf4c7fa749f54fbd044f83 Mon Sep 17 00:00:00 2001
+From: Christian Brauner
+Date: Tue, 13 Jun 2023 10:13:37 +0200
+Subject: [PATCH AUTOSEL 4.19 06/11] ovl: check type and offset of struct
+ vfsmount in ovl_entry
+X-stable: review
+X-Patchwork-Hint: Ignore
+X-stable-base: Linux 4.19.288
+
+[ Upstream commit f723edb8a532cd26e1ff0a2b271d73762d48f762 ]
+
+Porting overlayfs to the new amount api I started experiencing random
+crashes that couldn't be explained easily. So after much debugging and
+reasoning it became clear that struct ovl_entry requires the point to
+struct vfsmount to be the first member and of type struct vfsmount.
+
+During the port I added a new member at the beginning of struct
+ovl_entry which broke all over the place in the form of random crashes
+and cache corruptions. While there's a comment in ovl_free_fs() to the
+effect of "Hack! Reuse ofs->layers as a vfsmount array before freeing
+it" there's no such comment on struct ovl_entry which makes this easy to
+trip over.
+
+Add a comment and two static asserts for both the offset and the type of
+pointer in struct ovl_entry.
+
+Signed-off-by: Christian Brauner
+Signed-off-by: Amir Goldstein
+Signed-off-by: Sasha Levin
+---
+ fs/overlayfs/ovl_entry.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/overlayfs/ovl_entry.h
++++ b/fs/overlayfs/ovl_entry.h
+@@ -32,6 +32,7 @@ struct ovl_sb {
+ };
+
+ struct ovl_layer {
++ /* ovl_free_fs() relies on @mnt being the first member! */
+ struct vfsmount *mnt;
+ /* Trap in ovl inode cache */
+ struct inode *trap;
+@@ -42,6 +43,14 @@ struct ovl_layer {
+ int fsid;
+ };
+
++/*
++ * ovl_free_fs() relies on @mnt being the first member when unmounting
++ * the private mounts created for each layer. Let's check both the
++ * offset and type.
++ */
++static_assert(offsetof(struct ovl_layer, mnt) == 0);
++static_assert(__same_type(typeof_member(struct ovl_layer, mnt), struct vfsmount *));
++
+ struct ovl_path {
+ const struct ovl_layer *layer;
+ struct dentry *dentry;
diff --git a/tmp-6.1/perf-build-fix-library-not-found-error-when-using-cs.patch b/tmp-6.1/perf-build-fix-library-not-found-error-when-using-cs.patch
new file mode 100644
index 00000000000..985a8b231b1
--- /dev/null
+++ b/tmp-6.1/perf-build-fix-library-not-found-error-when-using-cs.patch
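Review bot: The two new static_assert() lines carry no message, so a build break would not say why the layout matters; `static_assert(offsetof(struct ovl_layer, mnt) == 0, "ovl_free_fs() reuses the layers array as a vfsmount array");` would put the reason into the compiler output. The patch description speaks of struct ovl_entry while both comments and both asserts are on struct ovl_layer, which is worth reconciling because the failure mode it describes is random crashes and cache corruption rather than a clean error. The mail headers name a 4.19 base although the file is queued under tmp-6.1, so it should be confirmed that typeof_member() and __same_type() are available in the tree this is applied to.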
@@ -0,0 +1,94 @@
+From 680f36a4f5e7d831b67c91dafe4f6c7797e53475 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Jul 2023 16:45:46 +0100
+Subject: perf build: Fix library not found error when using CSLIBS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: James Clark
+
+[ Upstream commit 1feece2780ac2f8de45177fe53979726cee4b3d1 ]
+
+-L only specifies the search path for libraries directly provided in the
+link line with -l. Because -lopencsd isn't specified, it's only linked
+because it's a dependency of -lopencsd_c_api. Dependencies like this are
+resolved using the default system search paths or -rpath-link=... rather
+than -L. This means that compilation only works if OpenCSD is installed
+to the system rather than provided with the CSLIBS (-L) option.
+
+This could be fixed by adding -Wl,-rpath-link=$(CSLIBS) but that is less
+conventional than just adding -lopencsd to the link line so that it uses
+-L. -lopencsd seems to have been removed in commit ed17b1914978eddb
+("perf tools: Drop requirement for libstdc++.so for libopencsd check")
+because it was thought that there was a chance compilation would work
+even if it didn't exist, but I think that only applies to libstdc++ so
+there is no harm to add it back. libopencsd.so and libopencsd_c_api.so
+would always exist together.
+
+Testing
+=======
+
+The following scenarios now all work:
+
+ * Cross build with OpenCSD installed
+ * Cross build using CSLIBS=...
+ * Native build with OpenCSD installed
+ * Native build using CSLIBS=...
+ * Static cross build with OpenCSD installed
+ * Static cross build with CSLIBS=...
+
+Committer testing:
+
+ ⬢[acme@toolbox perf-tools]$ alias m
+ alias m='make -k BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools -C tools/perf install-bin && git status && perf test python ; perf record -o /dev/null sleep 0.01 ; perf stat --null sleep 0.01'
+ ⬢[acme@toolbox perf-tools]$ ldd ~/bin/perf | grep csd
+ libopencsd_c_api.so.1 => /lib64/libopencsd_c_api.so.1 (0x00007fd49c44e000)
+ libopencsd.so.1 => /lib64/libopencsd.so.1 (0x00007fd49bd56000)
+ ⬢[acme@toolbox perf-tools]$ cat /etc/redhat-release
+ Fedora release 36 (Thirty Six)
+ ⬢[acme@toolbox perf-tools]$
+
+Fixes: ed17b1914978eddb ("perf tools: Drop requirement for libstdc++.so for libopencsd check")
+Reported-by: Radhey Shyam Pandey
+Signed-off-by: James Clark
+Tested-by: Arnaldo Carvalho de Melo
+Tested-by: Radhey Shyam Pandey
+Cc: Adrian Hunter
+Cc: Alexander Shishkin
+Cc: Ian Rogers
+Cc: Ingo Molnar
+Cc: Jiri Olsa
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Uwe Kleine-König
+Cc: coresight@lists.linaro.org
+Closes: https://lore.kernel.org/linux-arm-kernel/56905d7a-a91e-883a-b707-9d5f686ba5f1@arm.com/
+Link: https://lore.kernel.org/all/36cc4dc6-bf4b-1093-1c0a-876e368af183@kleine-koenig.org/
+Link: https://lore.kernel.org/r/20230707154546.456720-1-james.clark@arm.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/Makefile.config | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config
+index 898226ea8cadc..fac6ba07eacdb 100644
+--- a/tools/perf/Makefile.config
++++ b/tools/perf/Makefile.config
+@@ -149,9 +149,9 @@ FEATURE_CHECK_LDFLAGS-libcrypto = -lcrypto
+ ifdef CSINCLUDES
+ LIBOPENCSD_CFLAGS := -I$(CSINCLUDES)
+ endif
+-OPENCSDLIBS := -lopencsd_c_api
++OPENCSDLIBS := -lopencsd_c_api -lopencsd
+ ifeq ($(findstring -static,${LDFLAGS}),-static)
+- OPENCSDLIBS += -lopencsd -lstdc++
++ OPENCSDLIBS += -lstdc++
+ endif
+ ifdef CSLIBS
+ LIBOPENCSD_LDFLAGS := -L$(CSLIBS)
+--
+2.39.2
+
diff --git a/tmp-6.1/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch b/tmp-6.1/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch
new file mode 100644
index 00000000000..ac282bd2634
--- /dev/null
+++ b/tmp-6.1/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch
@@ -0,0 +1,115 @@
+From 56cbeacf143530576905623ac72ae0964f3293a6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Georg=20M=C3=BCller?=
+Date: Wed, 28 Jun 2023 10:45:50 +0200
+Subject: perf probe: Add test for regression introduced by switch to die_get_decl_file()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Georg Müller
+
+commit 56cbeacf143530576905623ac72ae0964f3293a6 upstream.
+
+This patch adds a test to validate that 'perf probe' works for binaries
+where DWARF info is split into multiple CUs
+
+Signed-off-by: Georg Müller
+Acked-by: Masami Hiramatsu (Google)
+Cc: Adrian Hunter
+Cc: Alexander Shishkin
+Cc: Ian Rogers
+Cc: Ingo Molnar
+Cc: Jiri Olsa
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: regressions@lists.linux.dev
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230628084551.1860532-5-georgmueller@gmx.net
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/perf/tests/shell/test_uprobe_from_different_cu.sh | 77 ++++++++++++++++
+ 1 file changed, 77 insertions(+)
+ create mode 100755 tools/perf/tests/shell/test_uprobe_from_different_cu.sh
+
+--- /dev/null
++++ b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh
+@@ -0,0 +1,77 @@
++#!/bin/bash
++# test perf probe of function from different CU
++# SPDX-License-Identifier: GPL-2.0
++
++set -e
++
++temp_dir=$(mktemp -d /tmp/perf-uprobe-different-cu-sh.XXXXXXXXXX)
++
++cleanup()
++{
++ trap - EXIT TERM INT
++ if [[ "${temp_dir}" =~ ^/tmp/perf-uprobe-different-cu-sh.*$ ]]; then
++ echo "--- Cleaning up ---"
++ perf probe -x ${temp_dir}/testfile -d foo
++ rm -f "${temp_dir}/"*
++ rmdir "${temp_dir}"
++ fi
++}
++
++trap_cleanup()
++{
++ cleanup
++ exit 1
++}
++
++trap trap_cleanup EXIT TERM INT
++
++cat > ${temp_dir}/testfile-foo.h << EOF
++struct t
++{
++ int *p;
++ int c;
++};
++
++extern int foo (int i, struct t *t);
++EOF
++
++cat > ${temp_dir}/testfile-foo.c << EOF
++#include "testfile-foo.h"
++
++int
++foo (int i, struct t *t)
++{
++ int j, res = 0;
++ for (j = 0; j < i && j < t->c; j++)
++ res += t->p[j];
++
++ return res;
++}
++EOF
++
++cat > ${temp_dir}/testfile-main.c << EOF
++#include "testfile-foo.h"
++
++static struct t g;
++
++int
++main (int argc, char **argv)
++{
++ int i;
++ int j[argc];
++ g.c = argc;
++ g.p = j;
++ for (i = 0; i < argc; i++)
++ j[i] = (int) argv[i][0];
++ return foo (3, &g);
++}
++EOF
++
++gcc -g -Og -flto -c ${temp_dir}/testfile-foo.c -o ${temp_dir}/testfile-foo.o
++gcc -g -Og -c ${temp_dir}/testfile-main.c -o ${temp_dir}/testfile-main.o
++gcc -g -Og -o ${temp_dir}/testfile ${temp_dir}/testfile-foo.o ${temp_dir}/testfile-main.o
++
++perf probe -x ${temp_dir}/testfile --funcs foo
++perf probe -x ${temp_dir}/testfile foo
++
++cleanup
diff --git a/tmp-6.1/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch b/tmp-6.1/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch
new file mode 100644
index 00000000000..51b77397bbf
--- /dev/null
+++ b/tmp-6.1/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch
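Review bot: With `set -e` in effect, a failing `perf probe -x ${temp_dir}/testfile -d foo` inside cleanup() ends the script before the `rm -f` and `rmdir` lines run, and the traps have already been cleared at that point, so a run that dies before the probe was added (a failed gcc step, for instance) leaves the temporary directory behind. Making the probe removal best-effort keeps the cleanup going: `perf probe -x "${temp_dir}/testfile" -d foo || true`. `${temp_dir}` is also unquoted in that line, in the three `cat >` redirections and in the gcc and perf invocations, while the `rm` and `rmdir` lines quote it; quoting it consistently costs nothing in a test that presumably runs with elevated privileges.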
@@ -0,0 +1,118 @@
+From 726cf612acdfe280e96ebb1977b1ec50b8c6ec28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 Jul 2023 12:18:58 +0100
+Subject: pinctrl: renesas: rzg2l: Handle non-unique subnode names
+
+From: Biju Das
+
+[ Upstream commit bfc374a145ae133613e05b9b89be561f169cb58d ]
+
+Currently, sd1 and sd0 have unique subnode names 'sd1_mux' and 'sd0_mux'.
+If we change these to non-unique subnode names such as 'mux' this can
+lead to the below conflict as the RZ/G2L pin control driver considers
+only the names of the subnodes.
+
+ pinctrl-rzg2l 11030000.pinctrl: pin P47_0 already requested by 11c00000.mmc; cannot claim for 11c10000.mmc
+ pinctrl-rzg2l 11030000.pinctrl: pin-376 (11c10000.mmc) status -22
+ pinctrl-rzg2l 11030000.pinctrl: could not request pin 376 (P47_0) from group mux on device pinctrl-rzg2l
+ renesas_sdhi_internal_dmac 11c10000.mmc: Error applying setting, reverse things back
+
+Fix this by constructing unique names from the node names of both the
+pin control configuration node and its child node, where appropriate.
+
+Based on the work done by Geert for the RZ/V2M pinctrl driver.
+
+Fixes: c4c4637eb57f ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver")
+Signed-off-by: Biju Das
+Reviewed-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/r/20230704111858.215278-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/renesas/pinctrl-rzg2l.c | 28 ++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
+index ca6303fc41f98..fd11d28e5a1e4 100644
+--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c
++++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
+@@ -246,6 +246,7 @@ static int rzg2l_map_add_config(struct pinctrl_map *map,
+
+ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev,
+ struct device_node *np,
++ struct device_node *parent,
+ struct pinctrl_map **map,
+ unsigned int *num_maps,
+ unsigned int *index)
+@@ -263,6 +264,7 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev,
+ struct property *prop;
+ int ret, gsel, fsel;
+ const char **pin_fn;
++ const char *name;
+ const char *pin;
+
+ pinmux = of_find_property(np, "pinmux", NULL);
+@@ -346,8 +348,19 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev,
+ psel_val[i] = MUX_FUNC(value);
+ }
+
++ if (parent) {
++ name = devm_kasprintf(pctrl->dev, GFP_KERNEL, "%pOFn.%pOFn",
++ parent, np);
++ if (!name) {
++ ret = -ENOMEM;
++ goto done;
++ }
++ } else {
++ name = np->name;
++ }
++
+ /* Register a single pin group listing all the pins we read from DT */
+- gsel = pinctrl_generic_add_group(pctldev, np->name, pins, num_pinmux, NULL);
++ gsel = pinctrl_generic_add_group(pctldev, name, pins, num_pinmux, NULL);
+ if (gsel < 0) {
+ ret = gsel;
+ goto done;
+@@ -357,17 +370,16 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev,
+ * Register a single group function where the 'data' is an array PSEL
+ * register values read from DT.
+ */
+- pin_fn[0] = np->name;
+- fsel = pinmux_generic_add_function(pctldev, np->name, pin_fn, 1,
+- psel_val);
++ pin_fn[0] = name;
++ fsel = pinmux_generic_add_function(pctldev, name, pin_fn, 1, psel_val);
+ if (fsel < 0) {
+ ret = fsel;
+ goto remove_group;
+ }
+
+ maps[idx].type = PIN_MAP_TYPE_MUX_GROUP;
+- maps[idx].data.mux.group = np->name;
+- maps[idx].data.mux.function = np->name;
++ maps[idx].data.mux.group = name;
++ maps[idx].data.mux.function = name;
+ idx++;
+
+ dev_dbg(pctrl->dev, "Parsed %pOF with %d pins\n", np, num_pinmux);
+@@ -414,7 +426,7 @@ static int rzg2l_dt_node_to_map(struct pinctrl_dev *pctldev,
+ index = 0;
+
+ for_each_child_of_node(np, child) {
+- ret = rzg2l_dt_subnode_to_map(pctldev, child, map,
++ ret = rzg2l_dt_subnode_to_map(pctldev, child, np, map,
+ num_maps, &index);
+ if (ret < 0) {
+ of_node_put(child);
+@@ -423,7 +435,7 @@ static int rzg2l_dt_node_to_map(struct pinctrl_dev *pctldev,
+ }
+
+ if (*num_maps == 0) {
+- ret = rzg2l_dt_subnode_to_map(pctldev, np, map,
++ ret = rzg2l_dt_subnode_to_map(pctldev, np, NULL, map,
+ num_maps, &index);
+ if (ret < 0)
+ goto done;
+--
+2.39.2
+
diff --git a/tmp-6.1/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch b/tmp-6.1/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch
new file mode 100644
index 00000000000..b84aa528fc0
--- /dev/null
+++ b/tmp-6.1/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch
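Review bot: The name built with devm_kasprintf() in rzg2l_dt_subnode_to_map() lives as long as pctrl->dev and is not released on the later failure paths visible here (`gsel < 0` and `fsel < 0`), so each failed mapping of a child node leaves one more string allocated until the device is unbound. If the map can be built more than once in a device's lifetime, which the patch does not show, the same growth happens on success; freeing on the error path with `if (parent) devm_kfree(pctrl->dev, name);` would at least bound the failure case. The `done` and `remove_group` labels lie outside the shown context, so the right place for the free has to be checked against the whole function. The rzv2m patch that follows makes the identical change in rzv2m_dt_subnode_to_map() and the same remark applies there.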
@@ -0,0 +1,116 @@
+From 825d0cfe089333f10e47c7657c16035ce33865d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Jul 2023 17:07:06 +0200
+Subject: pinctrl: renesas: rzv2m: Handle non-unique subnode names
+
+From: Geert Uytterhoeven
+
+[ Upstream commit f46a0b47cc0829acd050213194c5a77351e619b2 ]
+
+The eMMC and SDHI pin control configuration nodes in DT have subnodes
+with the same names ("data" and "ctrl"). As the RZ/V2M pin control
+driver considers only the names of the subnodes, this leads to
+conflicts:
+
+ pinctrl-rzv2m b6250000.pinctrl: pin P8_2 already requested by 85000000.mmc; cannot claim for 85020000.mmc
+ pinctrl-rzv2m b6250000.pinctrl: pin-130 (85020000.mmc) status -22
+ renesas_sdhi_internal_dmac 85020000.mmc: Error applying setting, reverse things back
+
+Fix this by constructing unique names from the node names of both the
+pin control configuration node and its child node, where appropriate.
+
+Reported by: Fabrizio Castro
+
+Fixes: 92a9b825257614af ("pinctrl: renesas: Add RZ/V2M pin and gpio controller driver")
+Signed-off-by: Geert Uytterhoeven
+Tested-by: Fabrizio Castro
+Link: https://lore.kernel.org/r/607bd6ab4905b0b1b119a06ef953fa1184505777.1688396717.git.geert+renesas@glider.be
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/renesas/pinctrl-rzv2m.c | 28 ++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/pinctrl/renesas/pinctrl-rzv2m.c b/drivers/pinctrl/renesas/pinctrl-rzv2m.c
+index e8c18198bebd2..35f382b055e83 100644
+--- a/drivers/pinctrl/renesas/pinctrl-rzv2m.c
++++ b/drivers/pinctrl/renesas/pinctrl-rzv2m.c
+@@ -207,6 +207,7 @@ static int rzv2m_map_add_config(struct pinctrl_map *map,
+
+ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev,
+ struct device_node *np,
++ struct device_node *parent,
+ struct pinctrl_map **map,
+ unsigned int *num_maps,
+ unsigned int *index)
+@@ -224,6 +225,7 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev,
+ struct property *prop;
+ int ret, gsel, fsel;
+ const char **pin_fn;
++ const char *name;
+ const char *pin;
+
+ pinmux = of_find_property(np, "pinmux", NULL);
+@@ -307,8 +309,19 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev,
+ psel_val[i] = MUX_FUNC(value);
+ }
+
++ if (parent) {
++ name = devm_kasprintf(pctrl->dev, GFP_KERNEL, "%pOFn.%pOFn",
++ parent, np);
++ if (!name) {
++ ret = -ENOMEM;
++ goto done;
++ }
++ } else {
++ name = np->name;
++ }
++
+ /* Register a single pin group listing all the pins we read from DT */
+- gsel = pinctrl_generic_add_group(pctldev, np->name, pins, num_pinmux, NULL);
++ gsel = pinctrl_generic_add_group(pctldev, name, pins, num_pinmux, NULL);
+ if (gsel < 0) {
+ ret = gsel;
+ goto done;
+@@ -318,17 +331,16 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev,
+ * Register a single group function where the 'data' is an array PSEL
+ * register values read from DT.
+ */
+- pin_fn[0] = np->name;
+- fsel = pinmux_generic_add_function(pctldev, np->name, pin_fn, 1,
+- psel_val);
++ pin_fn[0] = name;
++ fsel = pinmux_generic_add_function(pctldev, name, pin_fn, 1, psel_val);
+ if (fsel < 0) {
+ ret = fsel;
+ goto remove_group;
+ }
+
+ maps[idx].type = PIN_MAP_TYPE_MUX_GROUP;
+- maps[idx].data.mux.group = np->name;
+- maps[idx].data.mux.function = np->name;
++ maps[idx].data.mux.group = name;
++ maps[idx].data.mux.function = name;
+ idx++;
+
+ dev_dbg(pctrl->dev, "Parsed %pOF with %d pins\n", np, num_pinmux);
+@@ -375,7 +387,7 @@ static int rzv2m_dt_node_to_map(struct pinctrl_dev *pctldev,
+ index = 0;
+
+ for_each_child_of_node(np, child) {
+- ret = rzv2m_dt_subnode_to_map(pctldev, child, map,
++ ret = rzv2m_dt_subnode_to_map(pctldev, child, np, map,
+ num_maps, &index);
+ if (ret < 0) {
+ of_node_put(child);
+@@ -384,7 +396,7 @@ static int rzv2m_dt_node_to_map(struct pinctrl_dev *pctldev,
+ }
+
+ if (*num_maps == 0) {
+- ret = rzv2m_dt_subnode_to_map(pctldev, np, map,
++ ret = rzv2m_dt_subnode_to_map(pctldev, np, NULL, map,
+ num_maps, &index);
+ if (ret < 0)
+ goto done;
+--
+2.39.2
+
diff --git a/tmp-6.1/quota-fix-warning-in-dqgrab.patch b/tmp-6.1/quota-fix-warning-in-dqgrab.patch
new file mode 100644
index 00000000000..b0a2273830e
--- /dev/null
+++ b/tmp-6.1/quota-fix-warning-in-dqgrab.patch
@@ -0,0 +1,100 @@
+From 1da38321c1da0aea4122e574000e2a97ee3d2378 Mon Sep 17 00:00:00 2001
+From: Ye Bin
+Date: Mon, 5 Jun 2023 22:07:31 +0800
+Subject: [PATCH AUTOSEL 4.19 04/11] quota: fix warning in dqgrab()
+X-stable: review
+X-Patchwork-Hint: Ignore
+X-stable-base: Linux 4.19.288
+
+[ Upstream commit d6a95db3c7ad160bc16b89e36449705309b52bcb ]
+
+There's issue as follows when do fault injection:
+WARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0
+Modules linked in:
+CPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541
+RIP: 0010:dquot_disable+0x13b7/0x18c0
+RSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980
+RDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002
+RBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000
+R10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130
+R13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118
+FS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+
+ dquot_load_quota_sb+0xd53/0x1060
+ dquot_resume+0x172/0x230
+ ext4_reconfigure+0x1dc6/0x27b0
+ reconfigure_super+0x515/0xa90
+ __x64_sys_fsconfig+0xb19/0xd20
+ do_syscall_64+0x39/0xb0
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Above issue may happens as follows:
+ProcessA ProcessB ProcessC
+sys_fsconfig
+ vfs_fsconfig_locked
+ reconfigure_super
+ ext4_remount
+ dquot_suspend -> suspend all type quota
+
+ sys_fsconfig
+ vfs_fsconfig_locked
+ reconfigure_super
+ ext4_remount
+ dquot_resume
+ ret = dquot_load_quota_sb
+ add_dquot_ref
+ do_open -> open file O_RDWR
+ vfs_open
+ do_dentry_open
+ get_write_access
+ atomic_inc_unless_negative(&inode->i_writecount)
+ ext4_file_open
+ dquot_file_open
+ dquot_initialize
+ __dquot_initialize
+ dqget
+ atomic_inc(&dquot->dq_count);
+
+ __dquot_initialize
+ __dquot_initialize
+ dqget
+ if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags))
+ ext4_acquire_dquot
+ -> Return error DQ_ACTIVE_B flag isn't set
+ dquot_disable
+ invalidate_dquots
+ if (atomic_read(&dquot->dq_count))
+ dqgrab
+ WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags))
+ -> Trigger warning
+
+In the above scenario, 'dquot->dq_flags' has no DQ_ACTIVE_B is normal when
+dqgrab().
+To solve above issue just replace the dqgrab() use in invalidate_dquots() with
+atomic_inc(&dquot->dq_count).
+
+Signed-off-by: Ye Bin
+Signed-off-by: Jan Kara
+Message-Id: <20230605140731.2427629-3-yebin10@huawei.com>
+Signed-off-by: Sasha Levin
+---
+ fs/quota/dquot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -555,7 +555,7 @@ restart:
+ continue;
+ /* Wait for dquot users */
+ if (atomic_read(&dquot->dq_count)) {
+- dqgrab(dquot);
++ atomic_inc(&dquot->dq_count);
+ spin_unlock(&dq_list_lock);
+ /*
+ * Once dqput() wakes us up, we know it's time to free
diff --git a/tmp-6.1/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch b/tmp-6.1/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch
new file mode 100644
index 00000000000..1bd0a1ec80a
--- /dev/null
+++ b/tmp-6.1/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch
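Review bot: The open-coded `atomic_inc(&dquot->dq_count);` now sidesteps the DQ_ACTIVE_B check that dqgrab() performs, and nothing at the call site says why, which invites a later cleanup back to the helper and the return of the warning. A one-line comment above it, such as `/* Not dqgrab(): DQ_ACTIVE_B may legitimately be clear here after a failed acquire */`, would keep the reasoning from the changelog next to the code. The mail headers name a 4.19 base although the file sits under tmp-6.1, so the context lines should be checked against the tree it is applied to. The enclosing loop begins and ends outside the shown context.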
@@ -0,0 +1,40 @@
+From 3e9e30aa708b3b8cb0485725964206a7b72d1f9b Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Mon, 5 Jun 2023 22:07:30 +0800
+Subject: [PATCH AUTOSEL 4.19 03/11] quota: Properly disable quotas when
+ add_dquot_ref() fails
+X-stable: review
+X-Patchwork-Hint: Ignore
+X-stable-base: Linux 4.19.288
+
+[ Upstream commit 6a4e3363792e30177cc3965697e34ddcea8b900b ]
+
+When add_dquot_ref() fails (usually due to IO error or ENOMEM), we want
+to disable quotas we are trying to enable. However dquot_disable() call
+was passed just the flags we are enabling so in case flags ==
+DQUOT_USAGE_ENABLED dquot_disable() call will just fail with EINVAL
+instead of properly disabling quotas. Fix the problem by always passing
+DQUOT_LIMITS_ENABLED | DQUOT_USAGE_ENABLED to dquot_disable() in this
+case.
+
+Reported-and-tested-by: Ye Bin
+Reported-by: syzbot+e633c79ceaecbf479854@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara
+Message-Id: <20230605140731.2427629-2-yebin10@huawei.com>
+Signed-off-by: Sasha Levin
+---
+ fs/quota/dquot.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -2420,7 +2420,8 @@ int dquot_load_quota_sb(struct super_blo
+
+ error = add_dquot_ref(sb, type);
+ if (error)
+- dquot_disable(sb, type, flags);
++ dquot_disable(sb, type,
++ DQUOT_USAGE_ENABLED | DQUOT_LIMITS_ENABLED);
+
+ return error;
+ out_fmt:
diff --git a/tmp-6.1/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch b/tmp-6.1/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch
new file mode 100644
index 00000000000..7735a7471ff
--- /dev/null
+++ b/tmp-6.1/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch
@@ -0,0 +1,76 @@
+From 4d3360fe4eb403c4add5725291d2c102bad4db73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Apr 2023 16:05:38 -0700
+Subject: rcu: Mark additional concurrent load from ->cpu_no_qs.b.exp
+
+From: Paul E. McKenney
+
+[ Upstream commit 9146eb25495ea8bfb5010192e61e3ed5805ce9ef ]
+
+The per-CPU rcu_data structure's ->cpu_no_qs.b.exp field is updated
+only on the instance corresponding to the current CPU, but can be read
+more widely. Unmarked accesses are OK from the corresponding CPU, but
+only if interrupts are disabled, given that interrupt handlers can and
+do modify this field.
+
+Unfortunately, although the load from rcu_preempt_deferred_qs() is always
+carried out from the corresponding CPU, interrupts are not necessarily
+disabled. This commit therefore upgrades this load to READ_ONCE.
+
+Similarly, the diagnostic access from synchronize_rcu_expedited_wait()
+might run with interrupts disabled and from some other CPU. This commit
+therefore marks this load with data_race().
+
+Finally, the C-language access in rcu_preempt_ctxt_queue() is OK as
+is because interrupts are disabled and this load is always from the
+corresponding CPU. This commit adds a comment giving the rationale for
+this access being safe.
+
+This data race was reported by KCSAN. Not appropriate for backporting
+due to failure being unlikely.
+
+Signed-off-by: Paul E. McKenney
+Signed-off-by: Sasha Levin
+---
+ kernel/rcu/tree_exp.h | 2 +-
+ kernel/rcu/tree_plugin.h | 4 +++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h
+index e25321dbb068e..aa3ec3c3b9f75 100644
+--- a/kernel/rcu/tree_exp.h
++++ b/kernel/rcu/tree_exp.h
+@@ -641,7 +641,7 @@ static void synchronize_rcu_expedited_wait(void)
+ "O."[!!cpu_online(cpu)],
+ "o."[!!(rdp->grpmask & rnp->expmaskinit)],
+ "N."[!!(rdp->grpmask & rnp->expmaskinitnext)],
+- "D."[!!(rdp->cpu_no_qs.b.exp)]);
++ "D."[!!data_race(rdp->cpu_no_qs.b.exp)]);
+ }
+ }
+ pr_cont(" } %lu jiffies s: %lu root: %#lx/%c\n",
+diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
+index e3142ee35fc6a..044026abfdd7f 100644
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -257,6 +257,8 @@ static void rcu_preempt_ctxt_queue(struct rcu_node *rnp, struct rcu_data *rdp)
+ * GP should not be able to end until we report, so there should be
+ * no need to check for a subsequent expedited GP. (Though we are
+ * still in a quiescent state in any case.)
++ *
++ * Interrupts are disabled, so ->cpu_no_qs.b.exp cannot change.
+ */
+ if (blkd_state & RCU_EXP_BLKD && rdp->cpu_no_qs.b.exp)
+ rcu_report_exp_rdp(rdp);
+@@ -941,7 +943,7 @@ notrace void rcu_preempt_deferred_qs(struct task_struct *t)
+ {
+ struct rcu_data *rdp = this_cpu_ptr(&rcu_data);
+
+- if (rdp->cpu_no_qs.b.exp)
++ if (READ_ONCE(rdp->cpu_no_qs.b.exp))
+ rcu_report_exp_rdp(rdp);
+ }
+
+--
+2.39.2
+
diff --git a/tmp-6.1/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch b/tmp-6.1/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch
new file mode 100644
index 00000000000..a6c062917c4
--- /dev/null
+++ b/tmp-6.1/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch
@@ -0,0 +1,91 @@
+From aef95e1bb3b2e697dd8a92a4b03466862cd224fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Aug 2022 01:22:05 +0900
+Subject: rcu-tasks: Avoid pr_info() with spin lock in cblist_init_generic()
+
+From: Shigeru Yoshida
+
+[ Upstream commit 5fc8cbe4cf0fd34ded8045c385790c3bf04f6785 ]
+
+pr_info() is called with rtp->cbs_gbl_lock spin lock locked. Because
+pr_info() calls printk() that might sleep, this will result in BUG
+like below:
+
+[ 0.206455] cblist_init_generic: Setting adjustable number of callback queues.
+[ 0.206463]
+[ 0.206464] =============================
+[ 0.206464] [ BUG: Invalid wait context ]
+[ 0.206465] 5.19.0-00428-g9de1f9c8ca51 #5 Not tainted
+[ 0.206466] -----------------------------
+[ 0.206466] swapper/0/1 is trying to lock:
+[ 0.206467] ffffffffa0167a58 (&port_lock_key){....}-{3:3}, at: serial8250_console_write+0x327/0x4a0
+[ 0.206473] other info that might help us debug this:
+[ 0.206473] context-{5:5}
+[ 0.206474] 3 locks held by swapper/0/1:
+[ 0.206474] #0: ffffffff9eb597e0 (rcu_tasks.cbs_gbl_lock){....}-{2:2}, at: cblist_init_generic.constprop.0+0x14/0x1f0
+[ 0.206478] #1: ffffffff9eb579c0 (console_lock){+.+.}-{0:0}, at: _printk+0x63/0x7e
+[ 0.206482] #2: ffffffff9ea77780 (console_owner){....}-{0:0}, at: console_emit_next_record.constprop.0+0x111/0x330
+[ 0.206485] stack backtrace:
+[ 0.206486] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-00428-g9de1f9c8ca51 #5
+[ 0.206488] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
+[ 0.206489] Call Trace:
+[ 0.206490]
+[ 0.206491] dump_stack_lvl+0x6a/0x9f
+[ 0.206493] __lock_acquire.cold+0x2d7/0x2fe
+[ 0.206496] ? stack_trace_save+0x46/0x70
+[ 0.206497] lock_acquire+0xd1/0x2f0
+[ 0.206499] ? serial8250_console_write+0x327/0x4a0
+[ 0.206500] ? __lock_acquire+0x5c7/0x2720
+[ 0.206502] _raw_spin_lock_irqsave+0x3d/0x90
+[ 0.206504] ? serial8250_console_write+0x327/0x4a0
+[ 0.206506] serial8250_console_write+0x327/0x4a0
+[ 0.206508] console_emit_next_record.constprop.0+0x180/0x330
+[ 0.206511] console_unlock+0xf7/0x1f0
+[ 0.206512] vprintk_emit+0xf7/0x330
+[ 0.206514] _printk+0x63/0x7e
+[ 0.206516] cblist_init_generic.constprop.0.cold+0x24/0x32
+[ 0.206518] rcu_init_tasks_generic+0x5/0xd9
+[ 0.206522] kernel_init_freeable+0x15b/0x2a2
+[ 0.206523] ? rest_init+0x160/0x160
+[ 0.206526] kernel_init+0x11/0x120
+[ 0.206527] ret_from_fork+0x1f/0x30
+[ 0.206530]
+[ 0.207018] cblist_init_generic: Setting shift to 1 and lim to 1.
+
+This patch moves pr_info() so that it is called without
+rtp->cbs_gbl_lock locked.
+
+Signed-off-by: Shigeru Yoshida
+Tested-by: "Zhang, Qiang1"
+Signed-off-by: Paul E. McKenney
+Signed-off-by: Sasha Levin
+---
+ kernel/rcu/tasks.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h
+index df968321feada..c1f18c63b9b14 100644
+--- a/kernel/rcu/tasks.h
++++ b/kernel/rcu/tasks.h
+@@ -233,7 +233,6 @@ static void cblist_init_generic(struct rcu_tasks *rtp)
+ if (rcu_task_enqueue_lim < 0) {
+ rcu_task_enqueue_lim = 1;
+ rcu_task_cb_adjust = true;
+- pr_info("%s: Setting adjustable number of callback queues.\n", __func__);
+ } else if (rcu_task_enqueue_lim == 0) {
+ rcu_task_enqueue_lim = 1;
+ }
+@@ -264,6 +263,10 @@ static void cblist_init_generic(struct rcu_tasks *rtp)
+ raw_spin_unlock_rcu_node(rtpcp); // irqs remain disabled.
+ }
+ raw_spin_unlock_irqrestore(&rtp->cbs_gbl_lock, flags);
++
++ if (rcu_task_cb_adjust)
++ pr_info("%s: Setting adjustable number of callback queues.\n", __func__);
++
+ pr_info("%s: Setting shift to %d and lim to %d.\n", __func__, data_race(rtp->percpu_enqueue_shift), data_race(rtp->percpu_enqueue_lim));
+ }
+
+--
+2.39.2
+
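Review bot: After the move, the "Setting adjustable number of callback queues" line is printed whenever rcu_task_cb_adjust is true rather than only when this call set it; if cblist_init_generic() runs more than once (it takes an rtp argument, so presumably once per RCU-tasks flavor), later calls take neither branch of the `rcu_task_enqueue_lim` test yet still repeat the message. Remembering the decision in a local keeps the old behaviour: `bool set_adjust = false;` at the top, `set_adjust = true;` beside `rcu_task_cb_adjust = true;`, and `if (set_adjust)` in place of `if (rcu_task_cb_adjust)`. The function body starts outside the shown context, so the declaration site needs to be checked there.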
diff --git a/tmp-6.1/regmap-account-for-register-length-in-smbus-i-o-limits.patch b/tmp-6.1/regmap-account-for-register-length-in-smbus-i-o-limits.patch
new file mode 100644
index 00000000000..b920fc52b6d
--- /dev/null
+++ b/tmp-6.1/regmap-account-for-register-length-in-smbus-i-o-limits.patch
@@ -0,0 +1,54 @@ +From 0c9d2eb5e94792fe64019008a04d4df5e57625af Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Wed, 12 Jul 2023 12:16:40 +0100 +Subject: regmap: Account for register length in SMBus I/O limits + +From: Mark Brown + +commit 0c9d2eb5e94792fe64019008a04d4df5e57625af upstream. + +The SMBus I2C buses have limits on the size of transfers they can do but +do not factor in the register length meaning we may try to do a transfer +longer than our length limit, the core will not take care of this. +Future changes will factor this out into the core but there are a number +of users that assume current behaviour so let's just do something +conservative here. + +This does not take account padding bits but practically speaking these +are very rarely if ever used on I2C buses given that they generally run +slowly enough to mean there's no issue. + +Cc: stable@kernel.org +Signed-off-by: Mark Brown +Reviewed-by: Xu Yilun +Link: https://lore.kernel.org/r/20230712-regmap-max-transfer-v1-2-80e2aed22e83@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regmap-i2c.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/base/regmap/regmap-i2c.c ++++ b/drivers/base/regmap/regmap-i2c.c +@@ -242,8 +242,8 @@ static int regmap_i2c_smbus_i2c_read(voi + static const struct regmap_bus regmap_i2c_smbus_i2c_block = { + .write = regmap_i2c_smbus_i2c_write, + .read = regmap_i2c_smbus_i2c_read, +- .max_raw_read = I2C_SMBUS_BLOCK_MAX, +- .max_raw_write = I2C_SMBUS_BLOCK_MAX, ++ .max_raw_read = I2C_SMBUS_BLOCK_MAX - 1, ++ .max_raw_write = I2C_SMBUS_BLOCK_MAX - 1, + }; + + static int regmap_i2c_smbus_i2c_write_reg16(void *context, const void *data, +@@ -299,8 +299,8 @@ static int regmap_i2c_smbus_i2c_read_reg + static const struct regmap_bus regmap_i2c_smbus_i2c_block_reg16 = { + .write = regmap_i2c_smbus_i2c_write_reg16, + .read = regmap_i2c_smbus_i2c_read_reg16, +- .max_raw_read = I2C_SMBUS_BLOCK_MAX, +- 
.max_raw_write = I2C_SMBUS_BLOCK_MAX, ++ .max_raw_read = I2C_SMBUS_BLOCK_MAX - 2, ++ .max_raw_write = I2C_SMBUS_BLOCK_MAX - 2, + }; + + static const struct regmap_bus *regmap_get_i2c_bus(struct i2c_client *i2c, diff --git a/tmp-6.1/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch b/tmp-6.1/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch new file mode 100644 index 00000000000..c84dadbe2f9 --- /dev/null +++ b/tmp-6.1/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch 
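Review bot: In drivers/base/regmap/regmap-i2c.c the new limits `I2C_SMBUS_BLOCK_MAX - 1` (regmap_i2c_smbus_i2c_block) and `I2C_SMBUS_BLOCK_MAX - 2` (regmap_i2c_smbus_i2c_block_reg16) carry no explanation of what the subtracted bytes are. A later cleanup could restore the full block size and bring back over-long transfers. A short comment on each initializer would pin the intent, presumably `/* leave 1 byte of the SMBus block for the register address */` and `/* leave 2 bytes of the SMBus block for the 16-bit register address */`. The commit message says padding is deliberately not accounted for, and that assumption is worth repeating next to the constants.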
@@ -0,0 +1,64 @@ +From bc64734825c59e18a27ac266b07e14944c111fd8 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Wed, 12 Jul 2023 12:16:39 +0100 +Subject: regmap: Drop initial version of maximum transfer length fixes + +From: Mark Brown + +commit bc64734825c59e18a27ac266b07e14944c111fd8 upstream. + +When problems were noticed with the register address not being taken +into account when limiting raw transfers with I2C devices we fixed this +in the core. Unfortunately it has subsequently been realised that a lot +of buses were relying on the prior behaviour, partly due to unclear +documentation not making it obvious what was intended in the core. This +is all more involved to fix than is sensible for a fix commit so let's +just drop the original fixes, a separate commit will fix the originally +observed problem in an I2C specific way + +Fixes: 3981514180c9 ("regmap: Account for register length when chunking") +Fixes: c8e796895e23 ("regmap: spi-avmm: Fix regmap_bus max_raw_write") +Signed-off-by: Mark Brown +Reviewed-by: Xu Yilun +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230712-regmap-max-transfer-v1-1-80e2aed22e83@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regmap-spi-avmm.c | 2 +- + drivers/base/regmap/regmap.c | 6 ++---- + 2 files changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/base/regmap/regmap-spi-avmm.c ++++ b/drivers/base/regmap/regmap-spi-avmm.c +@@ -660,7 +660,7 @@ static const struct regmap_bus regmap_sp + .reg_format_endian_default = REGMAP_ENDIAN_NATIVE, + .val_format_endian_default = REGMAP_ENDIAN_NATIVE, + .max_raw_read = SPI_AVMM_VAL_SIZE * MAX_READ_CNT, +- .max_raw_write = SPI_AVMM_REG_SIZE + SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT, ++ .max_raw_write = SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT, + .free_context = spi_avmm_bridge_ctx_free, + }; + +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -2064,8 +2064,6 @@ int _regmap_raw_write(struct regmap *map + 
size_t val_count = val_len / val_bytes; + size_t chunk_count, chunk_bytes; + size_t chunk_regs = val_count; +- size_t max_data = map->max_raw_write - map->format.reg_bytes - +- map->format.pad_bytes; + int ret, i; + + if (!val_count) +@@ -2073,8 +2071,8 @@ int _regmap_raw_write(struct regmap *map + + if (map->use_single_write) + chunk_regs = 1; +- else if (map->max_raw_write && val_len > max_data) +- chunk_regs = max_data / val_bytes; ++ else if (map->max_raw_write && val_len > map->max_raw_write) ++ chunk_regs = map->max_raw_write / val_bytes; + + chunk_count = val_count / chunk_regs; + chunk_bytes = chunk_regs * val_bytes; diff --git a/tmp-6.1/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch b/tmp-6.1/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch new file mode 100644 index 00000000000..8812a74d9c6 --- /dev/null +++ b/tmp-6.1/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch 
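Review bot: In _regmap_raw_write() the restored `chunk_regs = map->max_raw_write / val_bytes;` yields 0 when a bus advertises a max_raw_write smaller than val_bytes. The following `chunk_count = val_count / chunk_regs;` would then divide by zero. Nothing in this hunk rules that configuration out; it may be rejected when the map is initialised, which is not visible here, so that should be confirmed. If it is not rejected, a guard right after the assignment such as `if (!chunk_regs) return -EINVAL;` keeps a misdeclared bus limit from turning into a kernel fault. The function body continues outside the hunk.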
@@ -0,0 +1,113 @@ +From 242c82c4047048b1d67da8284935b57fc6abaa12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 14:59:18 -0700 +Subject: Revert "tcp: avoid the lookup process failing to get sk in ehash + table" + +From: Kuniyuki Iwashima + +[ Upstream commit 81b3ade5d2b98ad6e0a473b0e1e420a801275592 ] + +This reverts commit 3f4ca5fafc08881d7a57daa20449d171f2887043. + +Commit 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in +ehash table") reversed the order in how a socket is inserted into ehash +to fix an issue that ehash-lookup could fail when reqsk/full sk/twsk are +swapped. However, it introduced another lookup failure. + +The full socket in ehash is allocated from a slab with SLAB_TYPESAFE_BY_RCU +and does not have SOCK_RCU_FREE, so the socket could be reused even while +it is being referenced on another CPU doing RCU lookup. + +Let's say a socket is reused and inserted into the same hash bucket during +lookup. After the blamed commit, a new socket is inserted at the end of +the list. If that happens, we will skip sockets placed after the previous +position of the reused socket, resulting in ehash lookup failure. + +As described in Documentation/RCU/rculist_nulls.rst, we should insert a +new socket at the head of the list to avoid such an issue. + +This issue, the swap-lookup-failure, and another variant reported in [0] +can all be handled properly by adding a locked ehash lookup suggested by +Eric Dumazet [1]. + +However, this issue could occur for every packet, thus more likely than +the other two races, so let's revert the change for now. 
+ +Link: https://lore.kernel.org/netdev/20230606064306.9192-1-duanmuquan@baidu.com/ [0] +Link: https://lore.kernel.org/netdev/CANn89iK8snOz8TYOhhwfimC7ykYA78GA3Nyv8x06SZYa1nKdyA@mail.gmail.com/ [1] +Fixes: 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in ehash table") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230717215918.15723-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 17 ++--------------- + net/ipv4/inet_timewait_sock.c | 8 ++++---- + 2 files changed, 6 insertions(+), 19 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index e8734ffca85a8..c19b462662ad0 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -650,20 +650,8 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + spin_lock(lock); + if (osk) { + WARN_ON_ONCE(sk->sk_hash != osk->sk_hash); +- ret = sk_hashed(osk); +- if (ret) { +- /* Before deleting the node, we insert a new one to make +- * sure that the look-up-sk process would not miss either +- * of them and that at least one node would exist in ehash +- * table all the time. Otherwise there's a tiny chance +- * that lookup process could find nothing in ehash table. 
+- */ +- __sk_nulls_add_node_tail_rcu(sk, list); +- sk_nulls_del_node_init_rcu(osk); +- } +- goto unlock; +- } +- if (found_dup_sk) { ++ ret = sk_nulls_del_node_init_rcu(osk); ++ } else if (found_dup_sk) { + *found_dup_sk = inet_ehash_lookup_by_sk(sk, list); + if (*found_dup_sk) + ret = false; +@@ -672,7 +660,6 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + if (ret) + __sk_nulls_add_node_rcu(sk, list); + +-unlock: + spin_unlock(lock); + + return ret; +diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c +index beed32fff4841..1d77d992e6e77 100644 +--- a/net/ipv4/inet_timewait_sock.c ++++ b/net/ipv4/inet_timewait_sock.c +@@ -91,10 +91,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw) + } + EXPORT_SYMBOL_GPL(inet_twsk_put); + +-static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw, +- struct hlist_nulls_head *list) ++static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw, ++ struct hlist_nulls_head *list) + { +- hlist_nulls_add_tail_rcu(&tw->tw_node, list); ++ hlist_nulls_add_head_rcu(&tw->tw_node, list); + } + + static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw, +@@ -147,7 +147,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk, + + spin_lock(lock); + +- inet_twsk_add_node_tail_rcu(tw, &ehead->chain); ++ inet_twsk_add_node_rcu(tw, &ehead->chain); + + /* Step 3: Remove SK from hash chain */ + if (__sk_nulls_del_node_init_rcu(sk)) +-- +2.39.2 + diff --git a/tmp-6.1/sched-fair-don-t-balance-task-to-its-current-running.patch b/tmp-6.1/sched-fair-don-t-balance-task-to-its-current-running.patch new file mode 100644 index 00000000000..7ea3c58721b --- /dev/null +++ b/tmp-6.1/sched-fair-don-t-balance-task-to-its-current-running.patch 
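Review bot: The revert deletes the only comment that explained the insertion order in inet_ehash_insert(). The renamed inet_twsk_add_node_rcu() in net/ipv4/inet_timewait_sock.c now calls `hlist_nulls_add_head_rcu()` with nothing in the code saying why head insertion is required. The reasoning lives only in the commit message, so a later change could go back to tail insertion and reintroduce the lookup failure. I would add above the helper something like `/* Add at the head: sockets in ehash can be reused (SLAB_TYPESAFE_BY_RCU) while a lockless lookup walks the chain, and a node added at the tail can make that lookup skip entries; see Documentation/RCU/rculist_nulls.rst */`. The commit message also says the osk swap still leaves a window that a locked lookup is meant to close, which deserves a one-line comment at `ret = sk_nulls_del_node_init_rcu(osk);`.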
@@ -0,0 +1,96 @@ +From 8455627afba0715ac09ca4e31fd0ca55986494f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 16:25:07 +0800 +Subject: sched/fair: Don't balance task to its current running CPU + +From: Yicong Yang + +[ Upstream commit 0dd37d6dd33a9c23351e6115ae8cdac7863bc7de ] + +We've run into the case that the balancer tries to balance a migration +disabled task and trigger the warning in set_task_cpu() like below: + + ------------[ cut here ]------------ + WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240 + Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip> + CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1 + Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021 + pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : set_task_cpu+0x188/0x240 + lr : load_balance+0x5d0/0xc60 + sp : ffff80000803bc70 + x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040 + x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001 + x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78 + x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000 + x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000 + x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530 + x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e + x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a + x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001 + Call trace: + set_task_cpu+0x188/0x240 + load_balance+0x5d0/0xc60 + rebalance_domains+0x26c/0x380 + _nohz_idle_balance.isra.0+0x1e0/0x370 + run_rebalance_domains+0x6c/0x80 + __do_softirq+0x128/0x3d8 + ____do_softirq+0x18/0x24 + call_on_irq_stack+0x2c/0x38 + do_softirq_own_stack+0x24/0x3c + __irq_exit_rcu+0xcc/0xf4 + irq_exit_rcu+0x18/0x24 + 
el1_interrupt+0x4c/0xe4 + el1h_64_irq_handler+0x18/0x2c + el1h_64_irq+0x74/0x78 + arch_cpu_idle+0x18/0x4c + default_idle_call+0x58/0x194 + do_idle+0x244/0x2b0 + cpu_startup_entry+0x30/0x3c + secondary_start_kernel+0x14c/0x190 + __secondary_switched+0xb0/0xb4 + ---[ end trace 0000000000000000 ]--- + +Further investigation shows that the warning is superfluous, the migration +disabled task is just going to be migrated to its current running CPU. +This is because that on load balance if the dst_cpu is not allowed by the +task, we'll re-select a new_dst_cpu as a candidate. If no task can be +balanced to dst_cpu we'll try to balance the task to the new_dst_cpu +instead. In this case when the migration disabled task is not on CPU it +only allows to run on its current CPU, load balance will select its +current CPU as new_dst_cpu and later triggers the warning above. + +The new_dst_cpu is chosen from the env->dst_grpmask. Currently it +contains CPUs in sched_group_span() and if we have overlapped groups it's +possible to run into this case. This patch makes env->dst_grpmask of +group_balance_mask() which exclude any CPUs from the busiest group and +solve the issue. For balancing in a domain with no overlapped groups +the behaviour keeps same as before. 
+ +Suggested-by: Vincent Guittot +Signed-off-by: Yicong Yang +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Vincent Guittot +Link: https://lore.kernel.org/r/20230530082507.10444-1-yangyicong@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index fa33c441ae867..57d39de0962d7 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -10556,7 +10556,7 @@ static int load_balance(int this_cpu, struct rq *this_rq, + .sd = sd, + .dst_cpu = this_cpu, + .dst_rq = this_rq, +- .dst_grpmask = sched_group_span(sd->groups), ++ .dst_grpmask = group_balance_mask(sd->groups), + .idle = idle, + .loop_break = SCHED_NR_MIGRATE_BREAK, + .cpus = cpus, +-- +2.39.2 + diff --git a/tmp-6.1/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch b/tmp-6.1/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch new file mode 100644 index 00000000000..9b8cfc75250 --- /dev/null +++ b/tmp-6.1/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch 
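Review bot: The switch to `group_balance_mask(sd->groups)` in the lb_env initializer of load_balance() is unexplained in the code, although the commit message needs several paragraphs to justify it. A comment on that field would keep the constraint visible, e.g. `/* balance mask rather than group span: with overlapping groups the span can make new_dst_cpu the task's current CPU */`. The initializer and the rest of load_balance() lie outside the hunk.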
@@ -0,0 +1,41 @@ +From 87c0b2894b5bff97a3b231e21a5467e96e6ba324 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 16:07:47 +0800 +Subject: sched/fair: Use recent_used_cpu to test p->cpus_ptr + +From: Miaohe Lin + +[ Upstream commit ae2ad293d6be143ad223f5f947cca07bcbe42595 ] + +When checking whether a recently used CPU can be a potential idle +candidate, recent_used_cpu should be used to test p->cpus_ptr as +p->recent_used_cpu is not equal to recent_used_cpu and candidate +decision is made based on recent_used_cpu here. + +Fixes: 89aafd67f28c ("sched/fair: Use prev instead of new target as recent_used_cpu") +Signed-off-by: Miaohe Lin +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Phil Auld +Acked-by: Mel Gorman +Link: https://lore.kernel.org/r/20230620080747.359122-1-linmiaohe@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 57d39de0962d7..5e5aea2360a87 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -6935,7 +6935,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target) + recent_used_cpu != target && + cpus_share_cache(recent_used_cpu, target) && + (available_idle_cpu(recent_used_cpu) || sched_idle_cpu(recent_used_cpu)) && +- cpumask_test_cpu(p->recent_used_cpu, p->cpus_ptr) && ++ cpumask_test_cpu(recent_used_cpu, p->cpus_ptr) && + asym_fits_cpu(task_util, util_min, util_max, recent_used_cpu)) { + return recent_used_cpu; + } +-- +2.39.2 + diff --git a/tmp-6.1/sched-psi-allow-unprivileged-polling-of-n-2s-period.patch b/tmp-6.1/sched-psi-allow-unprivileged-polling-of-n-2s-period.patch new file mode 100644 index 00000000000..71bccffd238 --- /dev/null +++ b/tmp-6.1/sched-psi-allow-unprivileged-polling-of-n-2s-period.patch 
@@ -0,0 +1,434 @@ +From 24ad138c2ace2a7a5bc0ceccb0055be994ccc3ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 12:54:18 +0200 +Subject: sched/psi: Allow unprivileged polling of N*2s period + +From: Domenico Cerasuolo + +[ Upstream commit d82caa273565b45fcf103148950549af76c314b0 ] + +PSI offers 2 mechanisms to get information about a specific resource +pressure. One is reading from /proc/pressure/, which gives +average pressures aggregated every 2s. The other is creating a pollable +fd for a specific resource and cgroup. + +The trigger creation requires CAP_SYS_RESOURCE, and gives the +possibility to pick specific time window and threshold, spawing an RT +thread to aggregate the data. + +Systemd would like to provide containers the option to monitor pressure +on their own cgroup and sub-cgroups. For example, if systemd launches a +container that itself then launches services, the container should have +the ability to poll() for pressure in individual services. But neither +the container nor the services are privileged. + +This patch implements a mechanism to allow unprivileged users to create +pressure triggers. The difference with privileged triggers creation is +that unprivileged ones must have a time window that's a multiple of 2s. +This is so that we can avoid unrestricted spawning of rt threads, and +use instead the same aggregation mechanism done for the averages, which +runs independently of any triggers. 
+ +Suggested-by: Johannes Weiner +Signed-off-by: Domenico Cerasuolo +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Johannes Weiner +Link: https://lore.kernel.org/r/20230330105418.77061-5-cerasuolodomenico@gmail.com +Stable-dep-of: aff037078eca ("sched/psi: use kernfs polling functions for PSI trigger polling") +Signed-off-by: Sasha Levin +--- + Documentation/accounting/psi.rst | 4 + + include/linux/psi.h | 2 +- + include/linux/psi_types.h | 7 ++ + kernel/cgroup/cgroup.c | 2 +- + kernel/sched/psi.c | 175 +++++++++++++++++++------------ + 5 files changed, 121 insertions(+), 69 deletions(-) + +diff --git a/Documentation/accounting/psi.rst b/Documentation/accounting/psi.rst +index 5e40b3f437f90..df6062eb3abbc 100644 +--- a/Documentation/accounting/psi.rst ++++ b/Documentation/accounting/psi.rst +@@ -105,6 +105,10 @@ prevent overly frequent polling. Max limit is chosen as a high enough number + after which monitors are most likely not needed and psi averages can be used + instead. + ++Unprivileged users can also create monitors, with the only limitation that the ++window size must be a multiple of 2s, in order to prevent excessive resource ++usage. ++ + When activated, psi monitor stays active for at least the duration of one + tracking window to avoid repeated activations/deactivations when system is + bouncing in and out of the stall state. 
+diff --git a/include/linux/psi.h b/include/linux/psi.h +index b029a847def1e..ab26200c28033 100644 +--- a/include/linux/psi.h ++++ b/include/linux/psi.h +@@ -24,7 +24,7 @@ void psi_memstall_leave(unsigned long *flags); + + int psi_show(struct seq_file *s, struct psi_group *group, enum psi_res res); + struct psi_trigger *psi_trigger_create(struct psi_group *group, +- char *buf, enum psi_res res); ++ char *buf, enum psi_res res, struct file *file); + void psi_trigger_destroy(struct psi_trigger *t); + + __poll_t psi_trigger_poll(void **trigger_ptr, struct file *file, +diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h +index 1819afa8b1987..040c089581c6c 100644 +--- a/include/linux/psi_types.h ++++ b/include/linux/psi_types.h +@@ -151,6 +151,9 @@ struct psi_trigger { + + /* Deferred event(s) from previous ratelimit window */ + bool pending_event; ++ ++ /* Trigger type - PSI_AVGS for unprivileged, PSI_POLL for RT */ ++ enum psi_aggregators aggregator; + }; + + struct psi_group { +@@ -171,6 +174,10 @@ struct psi_group { + /* Aggregator work control */ + struct delayed_work avgs_work; + ++ /* Unprivileged triggers against N*PSI_FREQ windows */ ++ struct list_head avg_triggers; ++ u32 avg_nr_triggers[NR_PSI_STATES - 1]; ++ + /* Total stall times and sampled pressure averages */ + u64 total[NR_PSI_AGGREGATORS][NR_PSI_STATES - 1]; + unsigned long avg[NR_PSI_STATES - 1][3]; +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 2380c4daef33d..c35efae566a4b 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -3771,7 +3771,7 @@ static ssize_t pressure_write(struct kernfs_open_file *of, char *buf, + } + + psi = cgroup_psi(cgrp); +- new = psi_trigger_create(psi, buf, res); ++ new = psi_trigger_create(psi, buf, res, of->file); + if (IS_ERR(new)) { + cgroup_put(cgrp); + return PTR_ERR(new); +diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c +index f3df6a8ff493c..e072f6b31bf30 100644 +--- a/kernel/sched/psi.c ++++ 
b/kernel/sched/psi.c +@@ -186,9 +186,14 @@ static void group_init(struct psi_group *group) + seqcount_init(&per_cpu_ptr(group->pcpu, cpu)->seq); + group->avg_last_update = sched_clock(); + group->avg_next_update = group->avg_last_update + psi_period; +- INIT_DELAYED_WORK(&group->avgs_work, psi_avgs_work); + mutex_init(&group->avgs_lock); +- /* Init trigger-related members */ ++ ++ /* Init avg trigger-related members */ ++ INIT_LIST_HEAD(&group->avg_triggers); ++ memset(group->avg_nr_triggers, 0, sizeof(group->avg_nr_triggers)); ++ INIT_DELAYED_WORK(&group->avgs_work, psi_avgs_work); ++ ++ /* Init rtpoll trigger-related members */ + atomic_set(&group->rtpoll_scheduled, 0); + mutex_init(&group->rtpoll_trigger_lock); + INIT_LIST_HEAD(&group->rtpoll_triggers); +@@ -430,21 +435,32 @@ static u64 window_update(struct psi_window *win, u64 now, u64 value) + return growth; + } + +-static u64 update_triggers(struct psi_group *group, u64 now, bool *update_total) ++static u64 update_triggers(struct psi_group *group, u64 now, bool *update_total, ++ enum psi_aggregators aggregator) + { + struct psi_trigger *t; +- u64 *total = group->total[PSI_POLL]; ++ u64 *total = group->total[aggregator]; ++ struct list_head *triggers; ++ u64 *aggregator_total; + *update_total = false; + ++ if (aggregator == PSI_AVGS) { ++ triggers = &group->avg_triggers; ++ aggregator_total = group->avg_total; ++ } else { ++ triggers = &group->rtpoll_triggers; ++ aggregator_total = group->rtpoll_total; ++ } ++ + /* + * On subsequent updates, calculate growth deltas and let + * watchers know when their specified thresholds are exceeded. 
+ */ +- list_for_each_entry(t, &group->rtpoll_triggers, node) { ++ list_for_each_entry(t, triggers, node) { + u64 growth; + bool new_stall; + +- new_stall = group->rtpoll_total[t->state] != total[t->state]; ++ new_stall = aggregator_total[t->state] != total[t->state]; + + /* Check for stall activity or a previous threshold breach */ + if (!new_stall && !t->pending_event) +@@ -546,6 +562,7 @@ static void psi_avgs_work(struct work_struct *work) + struct delayed_work *dwork; + struct psi_group *group; + u32 changed_states; ++ bool update_total; + u64 now; + + dwork = to_delayed_work(work); +@@ -563,8 +580,10 @@ static void psi_avgs_work(struct work_struct *work) + * Once restarted, we'll catch up the running averages in one + * go - see calc_avgs() and missed_periods. + */ +- if (now >= group->avg_next_update) ++ if (now >= group->avg_next_update) { ++ update_triggers(group, now, &update_total, PSI_AVGS); + group->avg_next_update = update_averages(group, now); ++ } + + if (changed_states & PSI_STATE_RESCHEDULE) { + schedule_delayed_work(dwork, nsecs_to_jiffies( +@@ -574,7 +593,7 @@ static void psi_avgs_work(struct work_struct *work) + mutex_unlock(&group->avgs_lock); + } + +-static void init_triggers(struct psi_group *group, u64 now) ++static void init_rtpoll_triggers(struct psi_group *group, u64 now) + { + struct psi_trigger *t; + +@@ -667,7 +686,7 @@ static void psi_rtpoll_work(struct psi_group *group) + if (changed_states & group->rtpoll_states) { + /* Initialize trigger windows when entering polling mode */ + if (now > group->rtpoll_until) +- init_triggers(group, now); ++ init_rtpoll_triggers(group, now); + + /* + * Keep the monitor active for at least the duration of the +@@ -684,7 +703,7 @@ static void psi_rtpoll_work(struct psi_group *group) + } + + if (now >= group->rtpoll_next_update) { +- group->rtpoll_next_update = update_triggers(group, now, &update_total); ++ group->rtpoll_next_update = update_triggers(group, now, &update_total, PSI_POLL); + if 
(update_total) + memcpy(group->rtpoll_total, group->total[PSI_POLL], + sizeof(group->rtpoll_total)); +@@ -1254,16 +1273,23 @@ int psi_show(struct seq_file *m, struct psi_group *group, enum psi_res res) + } + + struct psi_trigger *psi_trigger_create(struct psi_group *group, +- char *buf, enum psi_res res) ++ char *buf, enum psi_res res, struct file *file) + { + struct psi_trigger *t; + enum psi_states state; + u32 threshold_us; ++ bool privileged; + u32 window_us; + + if (static_branch_likely(&psi_disabled)) + return ERR_PTR(-EOPNOTSUPP); + ++ /* ++ * Checking the privilege here on file->f_cred implies that a privileged user ++ * could open the file and delegate the write to an unprivileged one. ++ */ ++ privileged = cap_raised(file->f_cred->cap_effective, CAP_SYS_RESOURCE); ++ + if (sscanf(buf, "some %u %u", &threshold_us, &window_us) == 2) + state = PSI_IO_SOME + res * 2; + else if (sscanf(buf, "full %u %u", &threshold_us, &window_us) == 2) +@@ -1283,6 +1309,13 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group, + window_us > WINDOW_MAX_US) + return ERR_PTR(-EINVAL); + ++ /* ++ * Unprivileged users can only use 2s windows so that averages aggregation ++ * work is used, and no RT threads need to be spawned. ++ */ ++ if (!privileged && window_us % 2000000) ++ return ERR_PTR(-EINVAL); ++ + /* Check threshold */ + if (threshold_us == 0 || threshold_us > window_us) + return ERR_PTR(-EINVAL); +@@ -1302,31 +1335,40 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group, + t->last_event_time = 0; + init_waitqueue_head(&t->event_wait); + t->pending_event = false; ++ t->aggregator = privileged ? 
PSI_POLL : PSI_AVGS; + +- mutex_lock(&group->rtpoll_trigger_lock); ++ if (privileged) { ++ mutex_lock(&group->rtpoll_trigger_lock); + +- if (!rcu_access_pointer(group->rtpoll_task)) { +- struct task_struct *task; ++ if (!rcu_access_pointer(group->rtpoll_task)) { ++ struct task_struct *task; + +- task = kthread_create(psi_rtpoll_worker, group, "psimon"); +- if (IS_ERR(task)) { +- kfree(t); +- mutex_unlock(&group->rtpoll_trigger_lock); +- return ERR_CAST(task); ++ task = kthread_create(psi_rtpoll_worker, group, "psimon"); ++ if (IS_ERR(task)) { ++ kfree(t); ++ mutex_unlock(&group->rtpoll_trigger_lock); ++ return ERR_CAST(task); ++ } ++ atomic_set(&group->rtpoll_wakeup, 0); ++ wake_up_process(task); ++ rcu_assign_pointer(group->rtpoll_task, task); + } +- atomic_set(&group->rtpoll_wakeup, 0); +- wake_up_process(task); +- rcu_assign_pointer(group->rtpoll_task, task); +- } + +- list_add(&t->node, &group->rtpoll_triggers); +- group->rtpoll_min_period = min(group->rtpoll_min_period, +- div_u64(t->win.size, UPDATES_PER_WINDOW)); +- group->rtpoll_nr_triggers[t->state]++; +- group->rtpoll_states |= (1 << t->state); ++ list_add(&t->node, &group->rtpoll_triggers); ++ group->rtpoll_min_period = min(group->rtpoll_min_period, ++ div_u64(t->win.size, UPDATES_PER_WINDOW)); ++ group->rtpoll_nr_triggers[t->state]++; ++ group->rtpoll_states |= (1 << t->state); + +- mutex_unlock(&group->rtpoll_trigger_lock); ++ mutex_unlock(&group->rtpoll_trigger_lock); ++ } else { ++ mutex_lock(&group->avgs_lock); ++ ++ list_add(&t->node, &group->avg_triggers); ++ group->avg_nr_triggers[t->state]++; + ++ mutex_unlock(&group->avgs_lock); ++ } + return t; + } + +@@ -1350,34 +1392,41 @@ void psi_trigger_destroy(struct psi_trigger *t) + */ + wake_up_pollfree(&t->event_wait); + +- mutex_lock(&group->rtpoll_trigger_lock); +- +- if (!list_empty(&t->node)) { +- struct psi_trigger *tmp; +- u64 period = ULLONG_MAX; +- +- list_del(&t->node); +- group->rtpoll_nr_triggers[t->state]--; +- if 
(!group->rtpoll_nr_triggers[t->state]) +- group->rtpoll_states &= ~(1 << t->state); +- /* reset min update period for the remaining triggers */ +- list_for_each_entry(tmp, &group->rtpoll_triggers, node) +- period = min(period, div_u64(tmp->win.size, +- UPDATES_PER_WINDOW)); +- group->rtpoll_min_period = period; +- /* Destroy rtpoll_task when the last trigger is destroyed */ +- if (group->rtpoll_states == 0) { +- group->rtpoll_until = 0; +- task_to_destroy = rcu_dereference_protected( +- group->rtpoll_task, +- lockdep_is_held(&group->rtpoll_trigger_lock)); +- rcu_assign_pointer(group->rtpoll_task, NULL); +- del_timer(&group->rtpoll_timer); ++ if (t->aggregator == PSI_AVGS) { ++ mutex_lock(&group->avgs_lock); ++ if (!list_empty(&t->node)) { ++ list_del(&t->node); ++ group->avg_nr_triggers[t->state]--; + } ++ mutex_unlock(&group->avgs_lock); ++ } else { ++ mutex_lock(&group->rtpoll_trigger_lock); ++ if (!list_empty(&t->node)) { ++ struct psi_trigger *tmp; ++ u64 period = ULLONG_MAX; ++ ++ list_del(&t->node); ++ group->rtpoll_nr_triggers[t->state]--; ++ if (!group->rtpoll_nr_triggers[t->state]) ++ group->rtpoll_states &= ~(1 << t->state); ++ /* reset min update period for the remaining triggers */ ++ list_for_each_entry(tmp, &group->rtpoll_triggers, node) ++ period = min(period, div_u64(tmp->win.size, ++ UPDATES_PER_WINDOW)); ++ group->rtpoll_min_period = period; ++ /* Destroy rtpoll_task when the last trigger is destroyed */ ++ if (group->rtpoll_states == 0) { ++ group->rtpoll_until = 0; ++ task_to_destroy = rcu_dereference_protected( ++ group->rtpoll_task, ++ lockdep_is_held(&group->rtpoll_trigger_lock)); ++ rcu_assign_pointer(group->rtpoll_task, NULL); ++ del_timer(&group->rtpoll_timer); ++ } ++ } ++ mutex_unlock(&group->rtpoll_trigger_lock); + } + +- mutex_unlock(&group->rtpoll_trigger_lock); +- + /* + * Wait for psi_schedule_rtpoll_work RCU to complete its read-side + * critical section before destroying the trigger and optionally the +@@ -1437,27 +1486,19 @@ 
static int psi_cpu_show(struct seq_file *m, void *v) + return psi_show(m, &psi_system, PSI_CPU); + } + +-static int psi_open(struct file *file, int (*psi_show)(struct seq_file *, void *)) +-{ +- if (file->f_mode & FMODE_WRITE && !capable(CAP_SYS_RESOURCE)) +- return -EPERM; +- +- return single_open(file, psi_show, NULL); +-} +- + static int psi_io_open(struct inode *inode, struct file *file) + { +- return psi_open(file, psi_io_show); ++ return single_open(file, psi_io_show, NULL); + } + + static int psi_memory_open(struct inode *inode, struct file *file) + { +- return psi_open(file, psi_memory_show); ++ return single_open(file, psi_memory_show, NULL); + } + + static int psi_cpu_open(struct inode *inode, struct file *file) + { +- return psi_open(file, psi_cpu_show); ++ return single_open(file, psi_cpu_show, NULL); + } + + static ssize_t psi_write(struct file *file, const char __user *user_buf, +@@ -1491,7 +1532,7 @@ static ssize_t psi_write(struct file *file, const char __user *user_buf, + return -EBUSY; + } + +- new = psi_trigger_create(&psi_system, buf, res); ++ new = psi_trigger_create(&psi_system, buf, res, file); + if (IS_ERR(new)) { + mutex_unlock(&seq->lock); + return PTR_ERR(new); +@@ -1571,7 +1612,7 @@ static int psi_irq_show(struct seq_file *m, void *v) + + static int psi_irq_open(struct inode *inode, struct file *file) + { +- return psi_open(file, psi_irq_show); ++ return single_open(file, psi_irq_show, NULL); + } + + static ssize_t psi_irq_write(struct file *file, const char __user *user_buf, +-- +2.39.2 + diff --git a/tmp-6.1/sched-psi-extract-update_triggers-side-effect.patch b/tmp-6.1/sched-psi-extract-update_triggers-side-effect.patch new file mode 100644 index 00000000000..8244dd63ad8 --- /dev/null +++ b/tmp-6.1/sched-psi-extract-update_triggers-side-effect.patch 
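Review bot: The unprivileged branch of psi_trigger_create() in kernel/sched/psi.c adds to `group->avg_triggers` with no upper bound. With the CAP_SYS_RESOURCE test removed from psi_open(), any task allowed to open the pressure file for writing can reach that branch (the file mode is not visible here). psi_avgs_work() then walks the whole list in update_triggers() while holding avgs_lock on every period, so the cost grows with the number of open descriptors. The only limit visible in these hunks is the one-trigger-per-open-file `-EBUSY` path in psi_write(). `avg_nr_triggers` is incremented and decremented but never read here, so it could back an explicit cap; otherwise state the reliance on fd limits in the comment above the `!privileged` check, e.g. `/* number of avg triggers is bounded only by open files; each adds work under avgs_lock */`. Separately, `window_us % 2000000` would read better as a named constant tied to the 2s averaging period.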
@@ -0,0 +1,91 @@ +From 3d78ff2fdc7f963507676dadc4a58e7433f61819 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 12:54:17 +0200 +Subject: sched/psi: Extract update_triggers side effect + +From: Domenico Cerasuolo + +[ Upstream commit 4468fcae49f08e88fbbffe05b29496192df89991 ] + +This change moves update_total flag out of update_triggers function, +currently called only in psi_poll_work. +In the next patch, update_triggers will be called also in psi_avgs_work, +but the total update information is specific to psi_poll_work. +Returning update_total value to the caller let us avoid differentiating +the implementation of update_triggers for different aggregators. + +Suggested-by: Johannes Weiner +Signed-off-by: Domenico Cerasuolo +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Johannes Weiner +Link: https://lore.kernel.org/r/20230330105418.77061-4-cerasuolodomenico@gmail.com +Stable-dep-of: aff037078eca ("sched/psi: use kernfs polling functions for PSI trigger polling") +Signed-off-by: Sasha Levin +--- + kernel/sched/psi.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c +index a3d0b5cf797ab..f3df6a8ff493c 100644 +--- a/kernel/sched/psi.c ++++ b/kernel/sched/psi.c +@@ -430,11 +430,11 @@ static u64 window_update(struct psi_window *win, u64 now, u64 value) + return growth; + } + +-static u64 update_triggers(struct psi_group *group, u64 now) ++static u64 update_triggers(struct psi_group *group, u64 now, bool *update_total) + { + struct psi_trigger *t; +- bool update_total = false; + u64 *total = group->total[PSI_POLL]; ++ *update_total = false; + + /* + * On subsequent updates, calculate growth deltas and let +@@ -462,7 +462,7 @@ static u64 update_triggers(struct psi_group *group, u64 now) + * been through all of them. Also remember to extend the + * polling time if we see new stall activity. 
+ */ +- update_total = true; ++ *update_total = true; + + /* Calculate growth since last update */ + growth = window_update(&t->win, now, total[t->state]); +@@ -485,10 +485,6 @@ static u64 update_triggers(struct psi_group *group, u64 now) + t->pending_event = false; + } + +- if (update_total) +- memcpy(group->rtpoll_total, total, +- sizeof(group->rtpoll_total)); +- + return now + group->rtpoll_min_period; + } + +@@ -622,6 +618,7 @@ static void psi_rtpoll_work(struct psi_group *group) + { + bool force_reschedule = false; + u32 changed_states; ++ bool update_total; + u64 now; + + mutex_lock(&group->rtpoll_trigger_lock); +@@ -686,8 +683,12 @@ static void psi_rtpoll_work(struct psi_group *group) + goto out; + } + +- if (now >= group->rtpoll_next_update) +- group->rtpoll_next_update = update_triggers(group, now); ++ if (now >= group->rtpoll_next_update) { ++ group->rtpoll_next_update = update_triggers(group, now, &update_total); ++ if (update_total) ++ memcpy(group->rtpoll_total, group->total[PSI_POLL], ++ sizeof(group->rtpoll_total)); ++ } + + psi_schedule_rtpoll_work(group, + nsecs_to_jiffies(group->rtpoll_next_update - now) + 1, +-- +2.39.2 + diff --git a/tmp-6.1/sched-psi-fix-avgs_work-re-arm-in-psi_avgs_work.patch b/tmp-6.1/sched-psi-fix-avgs_work-re-arm-in-psi_avgs_work.patch new file mode 100644 index 00000000000..811894df2de --- /dev/null +++ b/tmp-6.1/sched-psi-fix-avgs_work-re-arm-in-psi_avgs_work.patch 
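Review bot: In the psi_rtpoll_work() hunk the new local `bool update_total;` has no initialiser and is read right after the call, so it is well-defined only because update_triggers() executes `*update_total = false;` before its loop, and nothing documents that contract. The commit message says psi_avgs_work will become a second caller, so I would state it above update_triggers(): `/* @update_total: always written; true if at least one trigger was processed in this pass */`. Declaring the caller's local as `bool update_total = false;` would also keep a later early return in update_triggers() from becoming an uninitialised read. Both functions start and end outside the hunks shown.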
@@ -0,0 +1,141 @@ +From cd6a5ae395de7987446d45c2944bc8de4a8917f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Oct 2022 19:05:51 +0800 +Subject: sched/psi: Fix avgs_work re-arm in psi_avgs_work() + +From: Chengming Zhou + +[ Upstream commit 2fcd7bbae90a6d844da8660a9d27079281dfbba2 ] + +Pavan reported a problem that PSI avgs_work idle shutoff is not +working at all. Because PSI_NONIDLE condition would be observed in +psi_avgs_work()->collect_percpu_times()->get_recent_times() even if +only the kworker running avgs_work on the CPU. + +Although commit 1b69ac6b40eb ("psi: fix aggregation idle shut-off") +avoided the ping-pong wake problem when the worker sleep, psi_avgs_work() +still will always re-arm the avgs_work, so shutoff is not working. + +This patch changes to use PSI_STATE_RESCHEDULE to flag whether to +re-arm avgs_work in get_recent_times(). For the current CPU, we re-arm +avgs_work only when (NR_RUNNING > 1 || NR_IOWAIT > 0 || NR_MEMSTALL > 0), +for other CPUs we can just check PSI_NONIDLE delta. The new flag +is only used in psi_avgs_work(), so we check in get_recent_times() +that current_work() is avgs_work. + +One potential problem is that the brief period of non-idle time +incurred between the aggregation run and the kworker's dequeue will +be stranded in the per-cpu buckets until avgs_work run next time. +The buckets can hold 4s worth of time, and future activity will wake +the avgs_work with a 2s delay, giving us 2s worth of data we can leave +behind when shut off the avgs_work. If the kworker run other works after +avgs_work shut off and doesn't have any scheduler activities for 2s, +this maybe a problem. 
+ +Reported-by: Pavan Kondeti +Signed-off-by: Chengming Zhou +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Johannes Weiner +Acked-by: Suren Baghdasaryan +Tested-by: Chengming Zhou +Link: https://lore.kernel.org/r/20221014110551.22695-1-zhouchengming@bytedance.com +Stable-dep-of: aff037078eca ("sched/psi: use kernfs polling functions for PSI trigger polling") +Signed-off-by: Sasha Levin +--- + include/linux/psi_types.h | 3 +++ + kernel/sched/psi.c | 30 +++++++++++++++++++++++++++--- + 2 files changed, 30 insertions(+), 3 deletions(-) + +diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h +index 14a1ebb74e11f..1e0a0d7ace3af 100644 +--- a/include/linux/psi_types.h ++++ b/include/linux/psi_types.h +@@ -72,6 +72,9 @@ enum psi_states { + /* Use one bit in the state mask to track TSK_ONCPU */ + #define PSI_ONCPU (1 << NR_PSI_STATES) + ++/* Flag whether to re-arm avgs_work, see details in get_recent_times() */ ++#define PSI_STATE_RESCHEDULE (1 << (NR_PSI_STATES + 1)) ++ + enum psi_aggregators { + PSI_AVGS = 0, + PSI_POLL, +diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c +index e83c321461cf4..02e011cabe917 100644 +--- a/kernel/sched/psi.c ++++ b/kernel/sched/psi.c +@@ -243,6 +243,8 @@ static void get_recent_times(struct psi_group *group, int cpu, + u32 *pchanged_states) + { + struct psi_group_cpu *groupc = per_cpu_ptr(group->pcpu, cpu); ++ int current_cpu = raw_smp_processor_id(); ++ unsigned int tasks[NR_PSI_TASK_COUNTS]; + u64 now, state_start; + enum psi_states s; + unsigned int seq; +@@ -257,6 +259,8 @@ static void get_recent_times(struct psi_group *group, int cpu, + memcpy(times, groupc->times, sizeof(groupc->times)); + state_mask = groupc->state_mask; + state_start = groupc->state_start; ++ if (cpu == current_cpu) ++ memcpy(tasks, groupc->tasks, sizeof(groupc->tasks)); + } while (read_seqcount_retry(&groupc->seq, seq)); + + /* Calculate state time deltas against the previous snapshot */ +@@ -281,6 +285,28 @@ static void get_recent_times(struct 
psi_group *group, int cpu, + if (delta) + *pchanged_states |= (1 << s); + } ++ ++ /* ++ * When collect_percpu_times() from the avgs_work, we don't want to ++ * re-arm avgs_work when all CPUs are IDLE. But the current CPU running ++ * this avgs_work is never IDLE, cause avgs_work can't be shut off. ++ * So for the current CPU, we need to re-arm avgs_work only when ++ * (NR_RUNNING > 1 || NR_IOWAIT > 0 || NR_MEMSTALL > 0), for other CPUs ++ * we can just check PSI_NONIDLE delta. ++ */ ++ if (current_work() == &group->avgs_work.work) { ++ bool reschedule; ++ ++ if (cpu == current_cpu) ++ reschedule = tasks[NR_RUNNING] + ++ tasks[NR_IOWAIT] + ++ tasks[NR_MEMSTALL] > 1; ++ else ++ reschedule = *pchanged_states & (1 << PSI_NONIDLE); ++ ++ if (reschedule) ++ *pchanged_states |= PSI_STATE_RESCHEDULE; ++ } + } + + static void calc_avgs(unsigned long avg[3], int missed_periods, +@@ -416,7 +442,6 @@ static void psi_avgs_work(struct work_struct *work) + struct delayed_work *dwork; + struct psi_group *group; + u32 changed_states; +- bool nonidle; + u64 now; + + dwork = to_delayed_work(work); +@@ -427,7 +452,6 @@ static void psi_avgs_work(struct work_struct *work) + now = sched_clock(); + + collect_percpu_times(group, PSI_AVGS, &changed_states); +- nonidle = changed_states & (1 << PSI_NONIDLE); + /* + * If there is task activity, periodically fold the per-cpu + * times and feed samples into the running averages. If things +@@ -438,7 +462,7 @@ static void psi_avgs_work(struct work_struct *work) + if (now >= group->avg_next_update) + group->avg_next_update = update_averages(group, now); + +- if (nonidle) { ++ if (changed_states & PSI_STATE_RESCHEDULE) { + schedule_delayed_work(dwork, nsecs_to_jiffies( + group->avg_next_update - now) + 1); + } +-- +2.39.2 + diff --git a/tmp-6.1/sched-psi-rearrange-polling-code-in-preparation.patch b/tmp-6.1/sched-psi-rearrange-polling-code-in-preparation.patch new file mode 100644 index 00000000000..2763aad0412 --- /dev/null 
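Review bot: The comment added in get_recent_times() gives the current-CPU re-arm condition as `(NR_RUNNING > 1 || NR_IOWAIT > 0 || NR_MEMSTALL > 0)`, but the code tests `tasks[NR_RUNNING] + tasks[NR_IOWAIT] + tasks[NR_MEMSTALL] > 1`. The two agree only if the worker running avgs_work is itself counted in `tasks[NR_RUNNING]` for this group, which the hunk does not show. I would say so next to the sum, e.g. `/* the avgs_work kworker accounts for one NR_RUNNING on this CPU, hence "> 1" */`, or write the condition exactly as the comment states it. `tasks[]` is filled only under `cpu == current_cpu` inside the seqcount retry loop and read under the same test, so both checks must keep using the single `current_cpu` local. The function starts outside the hunk.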
+++ b/tmp-6.1/sched-psi-rearrange-polling-code-in-preparation.patch 
@@ -0,0 +1,247 @@ +From c64ea43f91987426ad1c79576bec5a3f7421d28d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 12:54:15 +0200 +Subject: sched/psi: Rearrange polling code in preparation + +From: Domenico Cerasuolo + +[ Upstream commit 7fab21fa0d000a0ea32d73ce8eec68557c6c268b ] + +Move a few functions up in the file to avoid forward declaration needed +in the patch implementing unprivileged PSI triggers. + +Suggested-by: Johannes Weiner +Signed-off-by: Domenico Cerasuolo +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Johannes Weiner +Link: https://lore.kernel.org/r/20230330105418.77061-2-cerasuolodomenico@gmail.com +Stable-dep-of: aff037078eca ("sched/psi: use kernfs polling functions for PSI trigger polling") +Signed-off-by: Sasha Levin +--- + kernel/sched/psi.c | 196 ++++++++++++++++++++++----------------------- + 1 file changed, 98 insertions(+), 98 deletions(-) + +diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c +index 02e011cabe917..fe9269f1d2a46 100644 +--- a/kernel/sched/psi.c ++++ b/kernel/sched/psi.c +@@ -384,92 +384,6 @@ static void collect_percpu_times(struct psi_group *group, + *pchanged_states = changed_states; + } + +-static u64 update_averages(struct psi_group *group, u64 now) +-{ +- unsigned long missed_periods = 0; +- u64 expires, period; +- u64 avg_next_update; +- int s; +- +- /* avgX= */ +- expires = group->avg_next_update; +- if (now - expires >= psi_period) +- missed_periods = div_u64(now - expires, psi_period); +- +- /* +- * The periodic clock tick can get delayed for various +- * reasons, especially on loaded systems. To avoid clock +- * drift, we schedule the clock in fixed psi_period intervals. +- * But the deltas we sample out of the per-cpu buckets above +- * are based on the actual time elapsing between clock ticks. 
+- */ +- avg_next_update = expires + ((1 + missed_periods) * psi_period); +- period = now - (group->avg_last_update + (missed_periods * psi_period)); +- group->avg_last_update = now; +- +- for (s = 0; s < NR_PSI_STATES - 1; s++) { +- u32 sample; +- +- sample = group->total[PSI_AVGS][s] - group->avg_total[s]; +- /* +- * Due to the lockless sampling of the time buckets, +- * recorded time deltas can slip into the next period, +- * which under full pressure can result in samples in +- * excess of the period length. +- * +- * We don't want to report non-sensical pressures in +- * excess of 100%, nor do we want to drop such events +- * on the floor. Instead we punt any overage into the +- * future until pressure subsides. By doing this we +- * don't underreport the occurring pressure curve, we +- * just report it delayed by one period length. +- * +- * The error isn't cumulative. As soon as another +- * delta slips from a period P to P+1, by definition +- * it frees up its time T in P. +- */ +- if (sample > period) +- sample = period; +- group->avg_total[s] += sample; +- calc_avgs(group->avg[s], missed_periods, sample, period); +- } +- +- return avg_next_update; +-} +- +-static void psi_avgs_work(struct work_struct *work) +-{ +- struct delayed_work *dwork; +- struct psi_group *group; +- u32 changed_states; +- u64 now; +- +- dwork = to_delayed_work(work); +- group = container_of(dwork, struct psi_group, avgs_work); +- +- mutex_lock(&group->avgs_lock); +- +- now = sched_clock(); +- +- collect_percpu_times(group, PSI_AVGS, &changed_states); +- /* +- * If there is task activity, periodically fold the per-cpu +- * times and feed samples into the running averages. If things +- * are idle and there is no data to process, stop the clock. +- * Once restarted, we'll catch up the running averages in one +- * go - see calc_avgs() and missed_periods. 
+- */ +- if (now >= group->avg_next_update) +- group->avg_next_update = update_averages(group, now); +- +- if (changed_states & PSI_STATE_RESCHEDULE) { +- schedule_delayed_work(dwork, nsecs_to_jiffies( +- group->avg_next_update - now) + 1); +- } +- +- mutex_unlock(&group->avgs_lock); +-} +- + /* Trigger tracking window manipulations */ + static void window_reset(struct psi_window *win, u64 now, u64 value, + u64 prev_growth) +@@ -516,18 +430,6 @@ static u64 window_update(struct psi_window *win, u64 now, u64 value) + return growth; + } + +-static void init_triggers(struct psi_group *group, u64 now) +-{ +- struct psi_trigger *t; +- +- list_for_each_entry(t, &group->triggers, node) +- window_reset(&t->win, now, +- group->total[PSI_POLL][t->state], 0); +- memcpy(group->polling_total, group->total[PSI_POLL], +- sizeof(group->polling_total)); +- group->polling_next_update = now + group->poll_min_period; +-} +- + static u64 update_triggers(struct psi_group *group, u64 now) + { + struct psi_trigger *t; +@@ -590,6 +492,104 @@ static u64 update_triggers(struct psi_group *group, u64 now) + return now + group->poll_min_period; + } + ++static u64 update_averages(struct psi_group *group, u64 now) ++{ ++ unsigned long missed_periods = 0; ++ u64 expires, period; ++ u64 avg_next_update; ++ int s; ++ ++ /* avgX= */ ++ expires = group->avg_next_update; ++ if (now - expires >= psi_period) ++ missed_periods = div_u64(now - expires, psi_period); ++ ++ /* ++ * The periodic clock tick can get delayed for various ++ * reasons, especially on loaded systems. To avoid clock ++ * drift, we schedule the clock in fixed psi_period intervals. ++ * But the deltas we sample out of the per-cpu buckets above ++ * are based on the actual time elapsing between clock ticks. 
++ */ ++ avg_next_update = expires + ((1 + missed_periods) * psi_period); ++ period = now - (group->avg_last_update + (missed_periods * psi_period)); ++ group->avg_last_update = now; ++ ++ for (s = 0; s < NR_PSI_STATES - 1; s++) { ++ u32 sample; ++ ++ sample = group->total[PSI_AVGS][s] - group->avg_total[s]; ++ /* ++ * Due to the lockless sampling of the time buckets, ++ * recorded time deltas can slip into the next period, ++ * which under full pressure can result in samples in ++ * excess of the period length. ++ * ++ * We don't want to report non-sensical pressures in ++ * excess of 100%, nor do we want to drop such events ++ * on the floor. Instead we punt any overage into the ++ * future until pressure subsides. By doing this we ++ * don't underreport the occurring pressure curve, we ++ * just report it delayed by one period length. ++ * ++ * The error isn't cumulative. As soon as another ++ * delta slips from a period P to P+1, by definition ++ * it frees up its time T in P. ++ */ ++ if (sample > period) ++ sample = period; ++ group->avg_total[s] += sample; ++ calc_avgs(group->avg[s], missed_periods, sample, period); ++ } ++ ++ return avg_next_update; ++} ++ ++static void psi_avgs_work(struct work_struct *work) ++{ ++ struct delayed_work *dwork; ++ struct psi_group *group; ++ u32 changed_states; ++ u64 now; ++ ++ dwork = to_delayed_work(work); ++ group = container_of(dwork, struct psi_group, avgs_work); ++ ++ mutex_lock(&group->avgs_lock); ++ ++ now = sched_clock(); ++ ++ collect_percpu_times(group, PSI_AVGS, &changed_states); ++ /* ++ * If there is task activity, periodically fold the per-cpu ++ * times and feed samples into the running averages. If things ++ * are idle and there is no data to process, stop the clock. ++ * Once restarted, we'll catch up the running averages in one ++ * go - see calc_avgs() and missed_periods. 
++ */ ++ if (now >= group->avg_next_update) ++ group->avg_next_update = update_averages(group, now); ++ ++ if (changed_states & PSI_STATE_RESCHEDULE) { ++ schedule_delayed_work(dwork, nsecs_to_jiffies( ++ group->avg_next_update - now) + 1); ++ } ++ ++ mutex_unlock(&group->avgs_lock); ++} ++ ++static void init_triggers(struct psi_group *group, u64 now) ++{ ++ struct psi_trigger *t; ++ ++ list_for_each_entry(t, &group->triggers, node) ++ window_reset(&t->win, now, ++ group->total[PSI_POLL][t->state], 0); ++ memcpy(group->polling_total, group->total[PSI_POLL], ++ sizeof(group->polling_total)); ++ group->polling_next_update = now + group->poll_min_period; ++} ++ + /* Schedule polling if it's not already scheduled or forced. */ + static void psi_schedule_poll_work(struct psi_group *group, unsigned long delay, + bool force) +-- +2.39.2 + diff --git a/tmp-6.1/sched-psi-rename-existing-poll-members-in-preparatio.patch b/tmp-6.1/sched-psi-rename-existing-poll-members-in-preparatio.patch new file mode 100644 index 00000000000..63cf15f6166 --- /dev/null +++ b/tmp-6.1/sched-psi-rename-existing-poll-members-in-preparatio.patch 
@@ -0,0 +1,432 @@ +From 0970d615d9b33fac51e3ce6bebe313abcf75dfe9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Mar 2023 12:54:16 +0200 +Subject: sched/psi: Rename existing poll members in preparation + +From: Domenico Cerasuolo + +[ Upstream commit 65457b74aa9437418e552e8d52d7112d4f9901a6 ] + +Renaming in PSI implementation to make a clear distinction between +privileged and unprivileged triggers code to be implemented in the +next patch. + +Suggested-by: Johannes Weiner +Signed-off-by: Domenico Cerasuolo +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Johannes Weiner +Link: https://lore.kernel.org/r/20230330105418.77061-3-cerasuolodomenico@gmail.com +Stable-dep-of: aff037078eca ("sched/psi: use kernfs polling functions for PSI trigger polling") +Signed-off-by: Sasha Levin +--- + include/linux/psi_types.h | 36 ++++----- + kernel/sched/psi.c | 163 +++++++++++++++++++------------------- + 2 files changed, 100 insertions(+), 99 deletions(-) + +diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h +index 1e0a0d7ace3af..1819afa8b1987 100644 +--- a/include/linux/psi_types.h ++++ b/include/linux/psi_types.h +@@ -175,26 +175,26 @@ struct psi_group { + u64 total[NR_PSI_AGGREGATORS][NR_PSI_STATES - 1]; + unsigned long avg[NR_PSI_STATES - 1][3]; + +- /* Monitor work control */ +- struct task_struct __rcu *poll_task; +- struct timer_list poll_timer; +- wait_queue_head_t poll_wait; +- atomic_t poll_wakeup; +- atomic_t poll_scheduled; ++ /* Monitor RT polling work control */ ++ struct task_struct __rcu *rtpoll_task; ++ struct timer_list rtpoll_timer; ++ wait_queue_head_t rtpoll_wait; ++ atomic_t rtpoll_wakeup; ++ atomic_t rtpoll_scheduled; + + /* Protects data used by the monitor */ +- struct mutex trigger_lock; +- +- /* Configured polling triggers */ +- struct list_head triggers; +- u32 nr_triggers[NR_PSI_STATES - 1]; +- u32 poll_states; +- u64 poll_min_period; +- +- /* Total stall times at the start of monitor activation */ +- u64 
polling_total[NR_PSI_STATES - 1]; +- u64 polling_next_update; +- u64 polling_until; ++ struct mutex rtpoll_trigger_lock; ++ ++ /* Configured RT polling triggers */ ++ struct list_head rtpoll_triggers; ++ u32 rtpoll_nr_triggers[NR_PSI_STATES - 1]; ++ u32 rtpoll_states; ++ u64 rtpoll_min_period; ++ ++ /* Total stall times at the start of RT polling monitor activation */ ++ u64 rtpoll_total[NR_PSI_STATES - 1]; ++ u64 rtpoll_next_update; ++ u64 rtpoll_until; + }; + + #else /* CONFIG_PSI */ +diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c +index fe9269f1d2a46..a3d0b5cf797ab 100644 +--- a/kernel/sched/psi.c ++++ b/kernel/sched/psi.c +@@ -189,14 +189,14 @@ static void group_init(struct psi_group *group) + INIT_DELAYED_WORK(&group->avgs_work, psi_avgs_work); + mutex_init(&group->avgs_lock); + /* Init trigger-related members */ +- atomic_set(&group->poll_scheduled, 0); +- mutex_init(&group->trigger_lock); +- INIT_LIST_HEAD(&group->triggers); +- group->poll_min_period = U32_MAX; +- group->polling_next_update = ULLONG_MAX; +- init_waitqueue_head(&group->poll_wait); +- timer_setup(&group->poll_timer, poll_timer_fn, 0); +- rcu_assign_pointer(group->poll_task, NULL); ++ atomic_set(&group->rtpoll_scheduled, 0); ++ mutex_init(&group->rtpoll_trigger_lock); ++ INIT_LIST_HEAD(&group->rtpoll_triggers); ++ group->rtpoll_min_period = U32_MAX; ++ group->rtpoll_next_update = ULLONG_MAX; ++ init_waitqueue_head(&group->rtpoll_wait); ++ timer_setup(&group->rtpoll_timer, poll_timer_fn, 0); ++ rcu_assign_pointer(group->rtpoll_task, NULL); + } + + void __init psi_init(void) +@@ -440,11 +440,11 @@ static u64 update_triggers(struct psi_group *group, u64 now) + * On subsequent updates, calculate growth deltas and let + * watchers know when their specified thresholds are exceeded. 
+ */ +- list_for_each_entry(t, &group->triggers, node) { ++ list_for_each_entry(t, &group->rtpoll_triggers, node) { + u64 growth; + bool new_stall; + +- new_stall = group->polling_total[t->state] != total[t->state]; ++ new_stall = group->rtpoll_total[t->state] != total[t->state]; + + /* Check for stall activity or a previous threshold breach */ + if (!new_stall && !t->pending_event) +@@ -486,10 +486,10 @@ static u64 update_triggers(struct psi_group *group, u64 now) + } + + if (update_total) +- memcpy(group->polling_total, total, +- sizeof(group->polling_total)); ++ memcpy(group->rtpoll_total, total, ++ sizeof(group->rtpoll_total)); + +- return now + group->poll_min_period; ++ return now + group->rtpoll_min_period; + } + + static u64 update_averages(struct psi_group *group, u64 now) +@@ -582,53 +582,53 @@ static void init_triggers(struct psi_group *group, u64 now) + { + struct psi_trigger *t; + +- list_for_each_entry(t, &group->triggers, node) ++ list_for_each_entry(t, &group->rtpoll_triggers, node) + window_reset(&t->win, now, + group->total[PSI_POLL][t->state], 0); +- memcpy(group->polling_total, group->total[PSI_POLL], +- sizeof(group->polling_total)); +- group->polling_next_update = now + group->poll_min_period; ++ memcpy(group->rtpoll_total, group->total[PSI_POLL], ++ sizeof(group->rtpoll_total)); ++ group->rtpoll_next_update = now + group->rtpoll_min_period; + } + + /* Schedule polling if it's not already scheduled or forced. */ +-static void psi_schedule_poll_work(struct psi_group *group, unsigned long delay, ++static void psi_schedule_rtpoll_work(struct psi_group *group, unsigned long delay, + bool force) + { + struct task_struct *task; + + /* + * atomic_xchg should be called even when !force to provide a +- * full memory barrier (see the comment inside psi_poll_work). ++ * full memory barrier (see the comment inside psi_rtpoll_work). 
+ */ +- if (atomic_xchg(&group->poll_scheduled, 1) && !force) ++ if (atomic_xchg(&group->rtpoll_scheduled, 1) && !force) + return; + + rcu_read_lock(); + +- task = rcu_dereference(group->poll_task); ++ task = rcu_dereference(group->rtpoll_task); + /* + * kworker might be NULL in case psi_trigger_destroy races with + * psi_task_change (hotpath) which can't use locks + */ + if (likely(task)) +- mod_timer(&group->poll_timer, jiffies + delay); ++ mod_timer(&group->rtpoll_timer, jiffies + delay); + else +- atomic_set(&group->poll_scheduled, 0); ++ atomic_set(&group->rtpoll_scheduled, 0); + + rcu_read_unlock(); + } + +-static void psi_poll_work(struct psi_group *group) ++static void psi_rtpoll_work(struct psi_group *group) + { + bool force_reschedule = false; + u32 changed_states; + u64 now; + +- mutex_lock(&group->trigger_lock); ++ mutex_lock(&group->rtpoll_trigger_lock); + + now = sched_clock(); + +- if (now > group->polling_until) { ++ if (now > group->rtpoll_until) { + /* + * We are either about to start or might stop polling if no + * state change was recorded. Resetting poll_scheduled leaves +@@ -638,7 +638,7 @@ static void psi_poll_work(struct psi_group *group) + * should be negligible and polling_next_update still keeps + * updates correctly on schedule. + */ +- atomic_set(&group->poll_scheduled, 0); ++ atomic_set(&group->rtpoll_scheduled, 0); + /* + * A task change can race with the poll worker that is supposed to + * report on it. 
To avoid missing events, ensure ordering between +@@ -667,9 +667,9 @@ static void psi_poll_work(struct psi_group *group) + + collect_percpu_times(group, PSI_POLL, &changed_states); + +- if (changed_states & group->poll_states) { ++ if (changed_states & group->rtpoll_states) { + /* Initialize trigger windows when entering polling mode */ +- if (now > group->polling_until) ++ if (now > group->rtpoll_until) + init_triggers(group, now); + + /* +@@ -677,50 +677,50 @@ static void psi_poll_work(struct psi_group *group) + * minimum tracking window as long as monitor states are + * changing. + */ +- group->polling_until = now + +- group->poll_min_period * UPDATES_PER_WINDOW; ++ group->rtpoll_until = now + ++ group->rtpoll_min_period * UPDATES_PER_WINDOW; + } + +- if (now > group->polling_until) { +- group->polling_next_update = ULLONG_MAX; ++ if (now > group->rtpoll_until) { ++ group->rtpoll_next_update = ULLONG_MAX; + goto out; + } + +- if (now >= group->polling_next_update) +- group->polling_next_update = update_triggers(group, now); ++ if (now >= group->rtpoll_next_update) ++ group->rtpoll_next_update = update_triggers(group, now); + +- psi_schedule_poll_work(group, +- nsecs_to_jiffies(group->polling_next_update - now) + 1, ++ psi_schedule_rtpoll_work(group, ++ nsecs_to_jiffies(group->rtpoll_next_update - now) + 1, + force_reschedule); + + out: +- mutex_unlock(&group->trigger_lock); ++ mutex_unlock(&group->rtpoll_trigger_lock); + } + +-static int psi_poll_worker(void *data) ++static int psi_rtpoll_worker(void *data) + { + struct psi_group *group = (struct psi_group *)data; + + sched_set_fifo_low(current); + + while (true) { +- wait_event_interruptible(group->poll_wait, +- atomic_cmpxchg(&group->poll_wakeup, 1, 0) || ++ wait_event_interruptible(group->rtpoll_wait, ++ atomic_cmpxchg(&group->rtpoll_wakeup, 1, 0) || + kthread_should_stop()); + if (kthread_should_stop()) + break; + +- psi_poll_work(group); ++ psi_rtpoll_work(group); + } + return 0; + } + + static void 
poll_timer_fn(struct timer_list *t) + { +- struct psi_group *group = from_timer(group, t, poll_timer); ++ struct psi_group *group = from_timer(group, t, rtpoll_timer); + +- atomic_set(&group->poll_wakeup, 1); +- wake_up_interruptible(&group->poll_wait); ++ atomic_set(&group->rtpoll_wakeup, 1); ++ wake_up_interruptible(&group->rtpoll_wait); + } + + static void record_times(struct psi_group_cpu *groupc, u64 now) +@@ -851,8 +851,8 @@ static void psi_group_change(struct psi_group *group, int cpu, + + write_seqcount_end(&groupc->seq); + +- if (state_mask & group->poll_states) +- psi_schedule_poll_work(group, 1, false); ++ if (state_mask & group->rtpoll_states) ++ psi_schedule_rtpoll_work(group, 1, false); + + if (wake_clock && !delayed_work_pending(&group->avgs_work)) + schedule_delayed_work(&group->avgs_work, PSI_FREQ); +@@ -1005,8 +1005,8 @@ void psi_account_irqtime(struct task_struct *task, u32 delta) + + write_seqcount_end(&groupc->seq); + +- if (group->poll_states & (1 << PSI_IRQ_FULL)) +- psi_schedule_poll_work(group, 1, false); ++ if (group->rtpoll_states & (1 << PSI_IRQ_FULL)) ++ psi_schedule_rtpoll_work(group, 1, false); + } while ((group = group->parent)); + } + #endif +@@ -1101,7 +1101,7 @@ void psi_cgroup_free(struct cgroup *cgroup) + cancel_delayed_work_sync(&cgroup->psi->avgs_work); + free_percpu(cgroup->psi->pcpu); + /* All triggers must be removed by now */ +- WARN_ONCE(cgroup->psi->poll_states, "psi: trigger leak\n"); ++ WARN_ONCE(cgroup->psi->rtpoll_states, "psi: trigger leak\n"); + kfree(cgroup->psi); + } + +@@ -1302,29 +1302,29 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group, + init_waitqueue_head(&t->event_wait); + t->pending_event = false; + +- mutex_lock(&group->trigger_lock); ++ mutex_lock(&group->rtpoll_trigger_lock); + +- if (!rcu_access_pointer(group->poll_task)) { ++ if (!rcu_access_pointer(group->rtpoll_task)) { + struct task_struct *task; + +- task = kthread_create(psi_poll_worker, group, "psimon"); ++ task = 
kthread_create(psi_rtpoll_worker, group, "psimon"); + if (IS_ERR(task)) { + kfree(t); +- mutex_unlock(&group->trigger_lock); ++ mutex_unlock(&group->rtpoll_trigger_lock); + return ERR_CAST(task); + } +- atomic_set(&group->poll_wakeup, 0); ++ atomic_set(&group->rtpoll_wakeup, 0); + wake_up_process(task); +- rcu_assign_pointer(group->poll_task, task); ++ rcu_assign_pointer(group->rtpoll_task, task); + } + +- list_add(&t->node, &group->triggers); +- group->poll_min_period = min(group->poll_min_period, ++ list_add(&t->node, &group->rtpoll_triggers); ++ group->rtpoll_min_period = min(group->rtpoll_min_period, + div_u64(t->win.size, UPDATES_PER_WINDOW)); +- group->nr_triggers[t->state]++; +- group->poll_states |= (1 << t->state); ++ group->rtpoll_nr_triggers[t->state]++; ++ group->rtpoll_states |= (1 << t->state); + +- mutex_unlock(&group->trigger_lock); ++ mutex_unlock(&group->rtpoll_trigger_lock); + + return t; + } +@@ -1349,51 +1349,52 @@ void psi_trigger_destroy(struct psi_trigger *t) + */ + wake_up_pollfree(&t->event_wait); + +- mutex_lock(&group->trigger_lock); ++ mutex_lock(&group->rtpoll_trigger_lock); + + if (!list_empty(&t->node)) { + struct psi_trigger *tmp; + u64 period = ULLONG_MAX; + + list_del(&t->node); +- group->nr_triggers[t->state]--; +- if (!group->nr_triggers[t->state]) +- group->poll_states &= ~(1 << t->state); ++ group->rtpoll_nr_triggers[t->state]--; ++ if (!group->rtpoll_nr_triggers[t->state]) ++ group->rtpoll_states &= ~(1 << t->state); + /* reset min update period for the remaining triggers */ +- list_for_each_entry(tmp, &group->triggers, node) ++ list_for_each_entry(tmp, &group->rtpoll_triggers, node) + period = min(period, div_u64(tmp->win.size, + UPDATES_PER_WINDOW)); +- group->poll_min_period = period; +- /* Destroy poll_task when the last trigger is destroyed */ +- if (group->poll_states == 0) { +- group->polling_until = 0; ++ group->rtpoll_min_period = period; ++ /* Destroy rtpoll_task when the last trigger is destroyed */ ++ if 
(group->rtpoll_states == 0) { ++ group->rtpoll_until = 0; + task_to_destroy = rcu_dereference_protected( +- group->poll_task, +- lockdep_is_held(&group->trigger_lock)); +- rcu_assign_pointer(group->poll_task, NULL); +- del_timer(&group->poll_timer); ++ group->rtpoll_task, ++ lockdep_is_held(&group->rtpoll_trigger_lock)); ++ rcu_assign_pointer(group->rtpoll_task, NULL); ++ del_timer(&group->rtpoll_timer); + } + } + +- mutex_unlock(&group->trigger_lock); ++ mutex_unlock(&group->rtpoll_trigger_lock); + + /* +- * Wait for psi_schedule_poll_work RCU to complete its read-side ++ * Wait for psi_schedule_rtpoll_work RCU to complete its read-side + * critical section before destroying the trigger and optionally the +- * poll_task. ++ * rtpoll_task. + */ + synchronize_rcu(); + /* +- * Stop kthread 'psimon' after releasing trigger_lock to prevent a +- * deadlock while waiting for psi_poll_work to acquire trigger_lock ++ * Stop kthread 'psimon' after releasing rtpoll_trigger_lock to prevent ++ * a deadlock while waiting for psi_rtpoll_work to acquire ++ * rtpoll_trigger_lock + */ + if (task_to_destroy) { + /* + * After the RCU grace period has expired, the worker +- * can no longer be found through group->poll_task. ++ * can no longer be found through group->rtpoll_task. + */ + kthread_stop(task_to_destroy); +- atomic_set(&group->poll_scheduled, 0); ++ atomic_set(&group->rtpoll_scheduled, 0); + } + kfree(t); + } +-- +2.39.2 + diff --git a/tmp-6.1/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch b/tmp-6.1/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch new file mode 100644 index 00000000000..2f9c6baea91 --- /dev/null +++ b/tmp-6.1/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch 
@@ -0,0 +1,176 @@ +From cc4a5d27580aad5472ec624bab19f12d4556982c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jun 2023 17:56:12 -0700 +Subject: sched/psi: use kernfs polling functions for PSI trigger polling + +From: Suren Baghdasaryan + +[ Upstream commit aff037078ecaecf34a7c2afab1341815f90fba5e ] + +Destroying psi trigger in cgroup_file_release causes UAF issues when +a cgroup is removed from under a polling process. This is happening +because cgroup removal causes a call to cgroup_file_release while the +actual file is still alive. Destroying the trigger at this point would +also destroy its waitqueue head and if there is still a polling process +on that file accessing the waitqueue, it will step on the freed pointer: + +do_select + vfs_poll + do_rmdir + cgroup_rmdir + kernfs_drain_open_files + cgroup_file_release + cgroup_pressure_release + psi_trigger_destroy + wake_up_pollfree(&t->event_wait) +// vfs_poll is unblocked + synchronize_rcu + kfree(t) + poll_freewait -> UAF access to the trigger's waitqueue head + +Patch [1] fixed this issue for epoll() case using wake_up_pollfree(), +however the same issue exists for synchronous poll() case. +The root cause of this issue is that the lifecycles of the psi trigger's +waitqueue and of the file associated with the trigger are different. Fix +this by using kernfs_generic_poll function when polling on cgroup-specific +psi triggers. It internally uses kernfs_open_node->poll waitqueue head +with its lifecycle tied to the file's lifecycle. This also renders the +fix in [1] obsolete, so revert it. 
+ +[1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()") + +Fixes: 0e94682b73bf ("psi: introduce psi monitor") +Closes: https://lore.kernel.org/all/20230613062306.101831-1-lujialin4@huawei.com/ +Reported-by: Lu Jialin +Signed-off-by: Suren Baghdasaryan +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20230630005612.1014540-1-surenb@google.com +Signed-off-by: Sasha Levin +--- + include/linux/psi.h | 5 +++-- + include/linux/psi_types.h | 3 +++ + kernel/cgroup/cgroup.c | 2 +- + kernel/sched/psi.c | 29 +++++++++++++++++++++-------- + 4 files changed, 28 insertions(+), 11 deletions(-) + +diff --git a/include/linux/psi.h b/include/linux/psi.h +index ab26200c28033..e0745873e3f26 100644 +--- a/include/linux/psi.h ++++ b/include/linux/psi.h +@@ -23,8 +23,9 @@ void psi_memstall_enter(unsigned long *flags); + void psi_memstall_leave(unsigned long *flags); + + int psi_show(struct seq_file *s, struct psi_group *group, enum psi_res res); +-struct psi_trigger *psi_trigger_create(struct psi_group *group, +- char *buf, enum psi_res res, struct file *file); ++struct psi_trigger *psi_trigger_create(struct psi_group *group, char *buf, ++ enum psi_res res, struct file *file, ++ struct kernfs_open_file *of); + void psi_trigger_destroy(struct psi_trigger *t); + + __poll_t psi_trigger_poll(void **trigger_ptr, struct file *file, +diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h +index 040c089581c6c..f1fd3a8044e0e 100644 +--- a/include/linux/psi_types.h ++++ b/include/linux/psi_types.h +@@ -137,6 +137,9 @@ struct psi_trigger { + /* Wait queue for polling */ + wait_queue_head_t event_wait; + ++ /* Kernfs file for cgroup triggers */ ++ struct kernfs_open_file *of; ++ + /* Pending event flag */ + int event; + +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index c35efae566a4b..73f11e4db3a4d 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -3771,7 +3771,7 @@ static ssize_t 
pressure_write(struct kernfs_open_file *of, char *buf, + } + + psi = cgroup_psi(cgrp); +- new = psi_trigger_create(psi, buf, res, of->file); ++ new = psi_trigger_create(psi, buf, res, of->file, of); + if (IS_ERR(new)) { + cgroup_put(cgrp); + return PTR_ERR(new); +diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c +index e072f6b31bf30..80d8c10e93638 100644 +--- a/kernel/sched/psi.c ++++ b/kernel/sched/psi.c +@@ -494,8 +494,12 @@ static u64 update_triggers(struct psi_group *group, u64 now, bool *update_total, + continue; + + /* Generate an event */ +- if (cmpxchg(&t->event, 0, 1) == 0) +- wake_up_interruptible(&t->event_wait); ++ if (cmpxchg(&t->event, 0, 1) == 0) { ++ if (t->of) ++ kernfs_notify(t->of->kn); ++ else ++ wake_up_interruptible(&t->event_wait); ++ } + t->last_event_time = now; + /* Reset threshold breach flag once event got generated */ + t->pending_event = false; +@@ -1272,8 +1276,9 @@ int psi_show(struct seq_file *m, struct psi_group *group, enum psi_res res) + return 0; + } + +-struct psi_trigger *psi_trigger_create(struct psi_group *group, +- char *buf, enum psi_res res, struct file *file) ++struct psi_trigger *psi_trigger_create(struct psi_group *group, char *buf, ++ enum psi_res res, struct file *file, ++ struct kernfs_open_file *of) + { + struct psi_trigger *t; + enum psi_states state; +@@ -1333,7 +1338,9 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group, + + t->event = 0; + t->last_event_time = 0; +- init_waitqueue_head(&t->event_wait); ++ t->of = of; ++ if (!of) ++ init_waitqueue_head(&t->event_wait); + t->pending_event = false; + t->aggregator = privileged ? PSI_POLL : PSI_AVGS; + +@@ -1390,7 +1397,10 @@ void psi_trigger_destroy(struct psi_trigger *t) + * being accessed later. Can happen if cgroup is deleted from under a + * polling process. 
+ */ +- wake_up_pollfree(&t->event_wait); ++ if (t->of) ++ kernfs_notify(t->of->kn); ++ else ++ wake_up_interruptible(&t->event_wait); + + if (t->aggregator == PSI_AVGS) { + mutex_lock(&group->avgs_lock); +@@ -1462,7 +1472,10 @@ __poll_t psi_trigger_poll(void **trigger_ptr, + if (!t) + return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI; + +- poll_wait(file, &t->event_wait, wait); ++ if (t->of) ++ kernfs_generic_poll(t->of, wait); ++ else ++ poll_wait(file, &t->event_wait, wait); + + if (cmpxchg(&t->event, 1, 0) == 1) + ret |= EPOLLPRI; +@@ -1532,7 +1545,7 @@ static ssize_t psi_write(struct file *file, const char __user *user_buf, + return -EBUSY; + } + +- new = psi_trigger_create(&psi_system, buf, res, file); ++ new = psi_trigger_create(&psi_system, buf, res, file, NULL); + if (IS_ERR(new)) { + mutex_unlock(&seq->lock); + return PTR_ERR(new); +-- +2.39.2 + diff --git a/tmp-6.1/scripts-kallsyms-update-the-usage-in-the-comment-block.patch b/tmp-6.1/scripts-kallsyms-update-the-usage-in-the-comment-block.patch new file mode 100644 index 00000000000..73a6e73e44a --- /dev/null +++ b/tmp-6.1/scripts-kallsyms-update-the-usage-in-the-comment-block.patch 
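Review bot: In psi_trigger_destroy() the comment kept above the new branch no longer matches the code: only its tail is visible in the hunk (`being accessed later. Can happen if cgroup is deleted from under a polling process.`) and it appears to describe the queue-clearing effect of the removed `wake_up_pollfree()`, whereas the replacement `kernfs_notify()` / `wake_up_interruptible()` calls only wake waiters. Per the commit message the lifetime guarantee now comes from polling on the kernfs_open_node waitqueue, so the comment should say that instead; its start lies outside the hunk. Related, psi_trigger_create() now skips `init_waitqueue_head(&t->event_wait)` when `of` is set, so `event_wait` is not a valid waitqueue for cgroup triggers. Every use visible here is guarded by `t->of`, but the field comment in psi_types.h should record the invariant, e.g. `/* Wait queue for polling; initialised and used only when of is NULL */`.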
@@ -0,0 +1,31 @@
+From 79549da691edd4874c19d99c578a134471817c47 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada
+Date: Wed, 8 Mar 2023 20:52:43 +0900
+Subject: scripts/kallsyms: update the usage in the comment block
+
+From: Masahiro Yamada
+
+commit 79549da691edd4874c19d99c578a134471817c47 upstream.
+
+Commit 010a0aad39fc ("kallsyms: Correctly sequence symbols when
+CONFIG_LTO_CLANG=y") added --lto-clang, and updated the usage()
+function, but not the comment. Update it in the same way.
+
+Signed-off-by: Masahiro Yamada
+Reviewed-by: Nick Desaulniers
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/kallsyms.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/kallsyms.c
++++ b/scripts/kallsyms.c
+@@ -6,7 +6,7 @@
+ * of the GNU General Public License, incorporated herein by reference.
+ *
+ * Usage: kallsyms [--all-symbols] [--absolute-percpu]
+- * [--base-relative] in.map > out.S
++ * [--base-relative] [--lto-clang] in.map > out.S
+ *
+ * Table compression uses all the unused char codes on the symbols and
+ * maps these to the most used substrings (tokens). For instance, it might
diff --git a/tmp-6.1/scripts-kallsyms.c-make-the-comment-up-to-date-with-current-implementation.patch b/tmp-6.1/scripts-kallsyms.c-make-the-comment-up-to-date-with-current-implementation.patch
new file mode 100644
index 00000000000..c80419e2947
--- /dev/null
+++ b/tmp-6.1/scripts-kallsyms.c-make-the-comment-up-to-date-with-current-implementation.patch
@@ -0,0 +1,34 @@
+From adc40221bf676f3e722d135889a7b913b4162dc2 Mon Sep 17 00:00:00 2001
+From: Yuma Ueda
+Date: Fri, 18 Nov 2022 22:36:31 +0900
+Subject: scripts/kallsyms.c Make the comment up-to-date with current implementation
+
+From: Yuma Ueda
+
+commit adc40221bf676f3e722d135889a7b913b4162dc2 upstream.
+
+The comment in scripts/kallsyms.c describing the usage of
+scripts/kallsyms does not reflect the latest implementation.
+Fix the comment to be equivalent to what the usage() function prints.
+
+Signed-off-by: Yuma Ueda
+Reviewed-by: Miguel Ojeda
+Link: https://lore.kernel.org/r/20221118133631.4554-1-cyan@0x00a1e9.dev
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/kallsyms.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/scripts/kallsyms.c
++++ b/scripts/kallsyms.c
+@@ -5,7 +5,8 @@
+ * This software may be used and distributed according to the terms
+ * of the GNU General Public License, incorporated herein by reference.
+ *
+- * Usage: nm -n vmlinux | scripts/kallsyms [--all-symbols] > symbols.S
++ * Usage: kallsyms [--all-symbols] [--absolute-percpu]
++ * [--base-relative] in.map > out.S
+ *
+ * Table compression uses all the unused char codes on the symbols and
+ * maps these to the most used substrings (tokens). For instance, it might
diff --git a/tmp-6.1/security-keys-modify-mismatched-function-name.patch b/tmp-6.1/security-keys-modify-mismatched-function-name.patch
new file mode 100644
index 00000000000..964df76e0b9
--- /dev/null
+++ b/tmp-6.1/security-keys-modify-mismatched-function-name.patch
@@ -0,0 +1,40 @@
+From d5bcc1aba8ad5267a2fd8d1da3794a97630d9c16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jun 2023 10:18:25 +0800
+Subject: security: keys: Modify mismatched function name
+
+From: Jiapeng Chong
+
+[ Upstream commit 2a4152742025c5f21482e8cebc581702a0fa5b01 ]
+
+No functional modification involved.
+
+security/keys/trusted-keys/trusted_tpm2.c:203: warning: expecting prototype for tpm_buf_append_auth(). Prototype was for tpm2_buf_append_auth() instead.
+
+Fixes: 2e19e10131a0 ("KEYS: trusted: Move TPM2 trusted keys code")
+Reported-by: Abaci Robot
+Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=5524
+Signed-off-by: Jiapeng Chong
+Reviewed-by: Paul Moore
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Sasha Levin
+---
+ security/keys/trusted-keys/trusted_tpm2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c
+index 2b2c8eb258d5b..bc700f85f80be 100644
+--- a/security/keys/trusted-keys/trusted_tpm2.c
++++ b/security/keys/trusted-keys/trusted_tpm2.c
+@@ -186,7 +186,7 @@ int tpm2_key_priv(void *context, size_t hdrlen,
+ }
+
+ /**
+- * tpm_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer.
++ * tpm2_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer.
+ *
+ * @buf: an allocated tpm_buf instance
+ * @session_handle: session handle
+--
+2.39.2
+
diff --git a/tmp-6.1/selftests-bpf-fix-sk_assign-on-s390x.patch b/tmp-6.1/selftests-bpf-fix-sk_assign-on-s390x.patch
new file mode 100644
index 00000000000..2fe7e9f37a4
--- /dev/null
+++ b/tmp-6.1/selftests-bpf-fix-sk_assign-on-s390x.patch
@@ -0,0 +1,123 @@ +From stable-owner@vger.kernel.org Mon Jul 24 14:42:47 2023 +From: Eduard Zingerman +Date: Mon, 24 Jul 2023 15:42:23 +0300 +Subject: selftests/bpf: Fix sk_assign on s390x +To: stable@vger.kernel.org, ast@kernel.org +Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, yhs@fb.com, mykolal@fb.com, luizcap@amazon.com, Ilya Leoshkevich , Eduard Zingerman +Message-ID: <20230724124223.1176479-7-eddyz87@gmail.com> + +From: Ilya Leoshkevich + +[ Upstream commit 7ce878ca81bca7811e669db4c394b86780e0dbe4 ] + +sk_assign is failing on an s390x machine running Debian "bookworm" for +2 reasons: legacy server_map definition and uninitialized addrlen in +recvfrom() call. + +Fix by adding a new-style server_map definition and dropping addrlen +(recvfrom() allows NULL values for src_addr and addrlen). + +Since the test should support tc built without libbpf, build the prog +twice: with the old-style definition and with the new-style definition, +then select the right one at runtime. This could be done at compile +time too, but this would not be cross-compilation friendly. + +Signed-off-by: Ilya Leoshkevich +Link: https://lore.kernel.org/r/20230129190501.1624747-2-iii@linux.ibm.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Eduard Zingerman +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/prog_tests/sk_assign.c | 25 ++++++++++---- + tools/testing/selftests/bpf/progs/test_sk_assign.c | 11 ++++++ + tools/testing/selftests/bpf/progs/test_sk_assign_libbpf.c | 3 + + 3 files changed, 33 insertions(+), 6 deletions(-) + create mode 100644 tools/testing/selftests/bpf/progs/test_sk_assign_libbpf.c + +--- a/tools/testing/selftests/bpf/prog_tests/sk_assign.c ++++ b/tools/testing/selftests/bpf/prog_tests/sk_assign.c +@@ -29,7 +29,23 @@ static int stop, duration; + static bool + configure_stack(void) + { ++ char tc_version[128]; + char tc_cmd[BUFSIZ]; ++ char *prog; ++ FILE *tc; ++ ++ /* Check whether tc is built with libbpf. 
*/ ++ tc = popen("tc -V", "r"); ++ if (CHECK_FAIL(!tc)) ++ return false; ++ if (CHECK_FAIL(!fgets(tc_version, sizeof(tc_version), tc))) ++ return false; ++ if (strstr(tc_version, ", libbpf ")) ++ prog = "test_sk_assign_libbpf.bpf.o"; ++ else ++ prog = "test_sk_assign.bpf.o"; ++ if (CHECK_FAIL(pclose(tc))) ++ return false; + + /* Move to a new networking namespace */ + if (CHECK_FAIL(unshare(CLONE_NEWNET))) +@@ -46,8 +62,8 @@ configure_stack(void) + /* Load qdisc, BPF program */ + if (CHECK_FAIL(system("tc qdisc add dev lo clsact"))) + return false; +- sprintf(tc_cmd, "%s %s %s %s", "tc filter add dev lo ingress bpf", +- "direct-action object-file ./test_sk_assign.bpf.o", ++ sprintf(tc_cmd, "%s %s %s %s %s", "tc filter add dev lo ingress bpf", ++ "direct-action object-file", prog, + "section tc", + (env.verbosity < VERBOSE_VERY) ? " 2>/dev/null" : "verbose"); + if (CHECK(system(tc_cmd), "BPF load failed;", +@@ -129,15 +145,12 @@ get_port(int fd) + static ssize_t + rcv_msg(int srv_client, int type) + { +- struct sockaddr_storage ss; + char buf[BUFSIZ]; +- socklen_t slen; + + if (type == SOCK_STREAM) + return read(srv_client, &buf, sizeof(buf)); + else +- return recvfrom(srv_client, &buf, sizeof(buf), 0, +- (struct sockaddr *)&ss, &slen); ++ return recvfrom(srv_client, &buf, sizeof(buf), 0, NULL, NULL); + } + + static int +--- a/tools/testing/selftests/bpf/progs/test_sk_assign.c ++++ b/tools/testing/selftests/bpf/progs/test_sk_assign.c +@@ -16,6 +16,16 @@ + #include + #include + ++#if defined(IPROUTE2_HAVE_LIBBPF) ++/* Use a new-style map definition. 
*/ ++struct { ++ __uint(type, BPF_MAP_TYPE_SOCKMAP); ++ __type(key, int); ++ __type(value, __u64); ++ __uint(pinning, LIBBPF_PIN_BY_NAME); ++ __uint(max_entries, 1); ++} server_map SEC(".maps"); ++#else + /* Pin map under /sys/fs/bpf/tc/globals/ */ + #define PIN_GLOBAL_NS 2 + +@@ -35,6 +45,7 @@ struct { + .max_elem = 1, + .pinning = PIN_GLOBAL_NS, + }; ++#endif + + char _license[] SEC("license") = "GPL"; + +--- /dev/null ++++ b/tools/testing/selftests/bpf/progs/test_sk_assign_libbpf.c +@@ -0,0 +1,3 @@ ++// SPDX-License-Identifier: GPL-2.0 ++#define IPROUTE2_HAVE_LIBBPF ++#include "test_sk_assign.c" diff --git a/tmp-6.1/selftests-bpf-make-test_align-selftest-more-robust.patch b/tmp-6.1/selftests-bpf-make-test_align-selftest-more-robust.patch new file mode 100644 index 00000000000..44b87fce809 --- /dev/null +++ b/tmp-6.1/selftests-bpf-make-test_align-selftest-more-robust.patch 
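Review bot: In configure_stack() the new `tc -V` probe leaks the popen() stream when fgets() fails, because the second early `return false` leaves `tc` open and only the success path reaches `pclose(tc)`. Close it on that path as well, e.g. `if (CHECK_FAIL(!fgets(tc_version, sizeof(tc_version), tc))) { pclose(tc); return false; }`. The same function now formats one more variable piece (`prog`) into `tc_cmd` with `sprintf`; every argument is a fixed literal today, but `snprintf(tc_cmd, sizeof(tc_cmd), ...)` would keep the bound explicit if that changes. configure_stack() continues outside the hunks shown.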
@@ -0,0 +1,134 @@ +From stable-owner@vger.kernel.org Mon Jul 24 14:42:45 2023 +From: Eduard Zingerman +Date: Mon, 24 Jul 2023 15:42:21 +0300 +Subject: selftests/bpf: make test_align selftest more robust +To: stable@vger.kernel.org, ast@kernel.org +Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, yhs@fb.com, mykolal@fb.com, luizcap@amazon.com, Eduard Zingerman +Message-ID: <20230724124223.1176479-5-eddyz87@gmail.com> + +From: Andrii Nakryiko + +[ Upstream commit 4f999b767769b76378c3616c624afd6f4bb0d99f ] + +test_align selftest relies on BPF verifier log emitting register states +for specific instructions in expected format. Unfortunately, BPF +verifier precision backtracking log interferes with such expectations. +And instruction on which precision propagation happens sometimes don't +output full expected register states. This does indeed look like +something to be improved in BPF verifier, but is beyond the scope of +this patch set. + +So to make test_align a bit more robust, inject few dummy R4 = R5 +instructions which capture desired state of R5 and won't have precision +tracking logs on them. This fixes tests until we can improve BPF +verifier output in the presence of precision tracking. 
+ +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20221104163649.121784-7-andrii@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Eduard Zingerman +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/prog_tests/align.c | 38 +++++++++++++++---------- + 1 file changed, 24 insertions(+), 14 deletions(-) + +--- a/tools/testing/selftests/bpf/prog_tests/align.c ++++ b/tools/testing/selftests/bpf/prog_tests/align.c +@@ -2,7 +2,7 @@ + #include + + #define MAX_INSNS 512 +-#define MAX_MATCHES 16 ++#define MAX_MATCHES 24 + + struct bpf_reg_match { + unsigned int line; +@@ -267,6 +267,7 @@ static struct bpf_align_test tests[] = { + */ + BPF_MOV64_REG(BPF_REG_5, BPF_REG_2), + BPF_ALU64_REG(BPF_ADD, BPF_REG_5, BPF_REG_6), ++ BPF_MOV64_REG(BPF_REG_4, BPF_REG_5), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14), + BPF_MOV64_REG(BPF_REG_4, BPF_REG_5), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), +@@ -280,6 +281,7 @@ static struct bpf_align_test tests[] = { + BPF_MOV64_REG(BPF_REG_5, BPF_REG_2), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14), + BPF_ALU64_REG(BPF_ADD, BPF_REG_5, BPF_REG_6), ++ BPF_MOV64_REG(BPF_REG_4, BPF_REG_5), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 4), + BPF_ALU64_REG(BPF_ADD, BPF_REG_5, BPF_REG_6), + BPF_MOV64_REG(BPF_REG_4, BPF_REG_5), +@@ -311,44 +313,52 @@ static struct bpf_align_test tests[] = { + {15, "R4=pkt(id=1,off=18,r=18,umax=1020,var_off=(0x0; 0x3fc))"}, + {15, "R5=pkt(id=1,off=14,r=18,umax=1020,var_off=(0x0; 0x3fc))"}, + /* Variable offset is added to R5 packet pointer, +- * resulting in auxiliary alignment of 4. ++ * resulting in auxiliary alignment of 4. To avoid BPF ++ * verifier's precision backtracking logging ++ * interfering we also have a no-op R4 = R5 ++ * instruction to validate R5 state. We also check ++ * that R4 is what it should be in such case. 
+ */ +- {17, "R5_w=pkt(id=2,off=0,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, ++ {18, "R4_w=pkt(id=2,off=0,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, ++ {18, "R5_w=pkt(id=2,off=0,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, + /* Constant offset is added to R5, resulting in + * reg->off of 14. + */ +- {18, "R5_w=pkt(id=2,off=14,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, ++ {19, "R5_w=pkt(id=2,off=14,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, + /* At the time the word size load is performed from R5, + * its total fixed offset is NET_IP_ALIGN + reg->off + * (14) which is 16. Then the variable offset is 4-byte + * aligned, so the total offset is 4-byte aligned and + * meets the load's requirements. + */ +- {23, "R4=pkt(id=2,off=18,r=18,umax=1020,var_off=(0x0; 0x3fc))"}, +- {23, "R5=pkt(id=2,off=14,r=18,umax=1020,var_off=(0x0; 0x3fc))"}, ++ {24, "R4=pkt(id=2,off=18,r=18,umax=1020,var_off=(0x0; 0x3fc))"}, ++ {24, "R5=pkt(id=2,off=14,r=18,umax=1020,var_off=(0x0; 0x3fc))"}, + /* Constant offset is added to R5 packet pointer, + * resulting in reg->off value of 14. + */ +- {25, "R5_w=pkt(off=14,r=8"}, ++ {26, "R5_w=pkt(off=14,r=8"}, + /* Variable offset is added to R5, resulting in a +- * variable offset of (4n). ++ * variable offset of (4n). See comment for insn #18 ++ * for R4 = R5 trick. + */ +- {26, "R5_w=pkt(id=3,off=14,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, ++ {28, "R4_w=pkt(id=3,off=14,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, ++ {28, "R5_w=pkt(id=3,off=14,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, + /* Constant is added to R5 again, setting reg->off to 18. */ +- {27, "R5_w=pkt(id=3,off=18,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, ++ {29, "R5_w=pkt(id=3,off=18,r=0,umax=1020,var_off=(0x0; 0x3fc))"}, + /* And once more we add a variable; resulting var_off + * is still (4n), fixed offset is not changed. + * Also, we create a new reg->id. 
+ */ +- {28, "R5_w=pkt(id=4,off=18,r=0,umax=2040,var_off=(0x0; 0x7fc)"}, ++ {31, "R4_w=pkt(id=4,off=18,r=0,umax=2040,var_off=(0x0; 0x7fc)"}, ++ {31, "R5_w=pkt(id=4,off=18,r=0,umax=2040,var_off=(0x0; 0x7fc)"}, + /* At the time the word size load is performed from R5, + * its total fixed offset is NET_IP_ALIGN + reg->off (18) + * which is 20. Then the variable offset is (4n), so + * the total offset is 4-byte aligned and meets the + * load's requirements. + */ +- {33, "R4=pkt(id=4,off=22,r=22,umax=2040,var_off=(0x0; 0x7fc)"}, +- {33, "R5=pkt(id=4,off=18,r=22,umax=2040,var_off=(0x0; 0x7fc)"}, ++ {35, "R4=pkt(id=4,off=22,r=22,umax=2040,var_off=(0x0; 0x7fc)"}, ++ {35, "R5=pkt(id=4,off=18,r=22,umax=2040,var_off=(0x0; 0x7fc)"}, + }, + }, + { +@@ -681,6 +691,6 @@ void test_align(void) + if (!test__start_subtest(test->descr)) + continue; + +- CHECK_FAIL(do_test_single(test)); ++ ASSERT_OK(do_test_single(test), test->descr); + } + } diff --git a/tmp-6.1/selftests-bpf-workaround-verification-failure-for-fexit_bpf2bpf-func_replace_return_code.patch b/tmp-6.1/selftests-bpf-workaround-verification-failure-for-fexit_bpf2bpf-func_replace_return_code.patch new file mode 100644 index 00000000000..ebb5dddeacc --- /dev/null +++ b/tmp-6.1/selftests-bpf-workaround-verification-failure-for-fexit_bpf2bpf-func_replace_return_code.patch 
@@ -0,0 +1,95 @@ +From stable-owner@vger.kernel.org Mon Jul 24 14:42:44 2023 +From: Eduard Zingerman +Date: Mon, 24 Jul 2023 15:42:22 +0300 +Subject: selftests/bpf: Workaround verification failure for fexit_bpf2bpf/func_replace_return_code +To: stable@vger.kernel.org, ast@kernel.org +Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, yhs@fb.com, mykolal@fb.com, luizcap@amazon.com, Eduard Zingerman +Message-ID: <20230724124223.1176479-6-eddyz87@gmail.com> + +From: Yonghong Song + +[ Upstream commit 63d78b7e8ca2d0eb8c687a355fa19d01b6fcc723 ] + +With latest llvm17, selftest fexit_bpf2bpf/func_replace_return_code +has the following verification failure: + + 0: R1=ctx(off=0,imm=0) R10=fp0 + ; int connect_v4_prog(struct bpf_sock_addr *ctx) + 0: (bf) r7 = r1 ; R1=ctx(off=0,imm=0) R7_w=ctx(off=0,imm=0) + 1: (b4) w6 = 0 ; R6_w=0 + ; memset(&tuple.ipv4.saddr, 0, sizeof(tuple.ipv4.saddr)); + ... + ; return do_bind(ctx) ? 1 : 0; + 179: (bf) r1 = r7 ; R1=ctx(off=0,imm=0) R7=ctx(off=0,imm=0) + 180: (85) call pc+147 + Func#3 is global and valid. Skipping. + 181: R0_w=scalar() + 181: (bc) w6 = w0 ; R0_w=scalar() R6_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) + 182: (05) goto pc-129 + ; } + 54: (bc) w0 = w6 ; R0_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R6_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) + 55: (95) exit + At program exit the register R0 has value (0x0; 0xffffffff) should have been in (0x0; 0x1) + processed 281 insns (limit 1000000) max_states_per_insn 1 total_states 26 peak_states 26 mark_read 13 + -- END PROG LOAD LOG -- + libbpf: prog 'connect_v4_prog': failed to load: -22 + +The corresponding source code: + + __attribute__ ((noinline)) + int do_bind(struct bpf_sock_addr *ctx) + { + struct sockaddr_in sa = {}; + + sa.sin_family = AF_INET; + sa.sin_port = bpf_htons(0); + sa.sin_addr.s_addr = bpf_htonl(SRC_REWRITE_IP4); + + if (bpf_bind(ctx, (struct sockaddr *)&sa, sizeof(sa)) != 0) + return 0; + + return 1; + } + ... 
+ SEC("cgroup/connect4") + int connect_v4_prog(struct bpf_sock_addr *ctx) + { + ... + return do_bind(ctx) ? 1 : 0; + } + +Insn 180 is a call to 'do_bind'. The call's return value is also the return value +for the program. Since do_bind() returns 0/1, so it is legitimate for compiler to +optimize 'return do_bind(ctx) ? 1 : 0' to 'return do_bind(ctx)'. However, such +optimization breaks verifier as the return value of 'do_bind()' is marked as any +scalar which violates the requirement of prog return value 0/1. + +There are two ways to fix this problem, (1) changing 'return 1' in do_bind() to +e.g. 'return 10' so the compiler has to do 'do_bind(ctx) ? 1 :0', or (2) +suggested by Andrii, marking do_bind() with __weak attribute so the compiler +cannot make any assumption on do_bind() return value. + +This patch adopted adding __weak approach which is simpler and more resistant +to potential compiler optimizations. + +Suggested-by: Andrii Nakryiko +Signed-off-by: Yonghong Song +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20230310012410.2920570-1-yhs@fb.com +Signed-off-by: Eduard Zingerman +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/progs/connect4_prog.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/bpf/progs/connect4_prog.c ++++ b/tools/testing/selftests/bpf/progs/connect4_prog.c +@@ -32,7 +32,7 @@ + #define IFNAMSIZ 16 + #endif + +-__attribute__ ((noinline)) ++__attribute__ ((noinline)) __weak + int do_bind(struct bpf_sock_addr *ctx) + { + struct sockaddr_in sa = {}; diff --git a/tmp-6.1/selftests-tc-add-conntrack-procfs-kconfig.patch b/tmp-6.1/selftests-tc-add-conntrack-procfs-kconfig.patch new file mode 100644 index 00000000000..cdab180886e --- /dev/null +++ b/tmp-6.1/selftests-tc-add-conntrack-procfs-kconfig.patch 
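Review bot: The `__weak` added to do_bind() has no comment, so its purpose is recorded only in the commit message and a later cleanup could drop it as redundant next to `noinline`. I would add above the attribute line: `/* __weak: keep the compiler from assuming do_bind() returns only 0/1 and folding the caller's "? 1 : 0", which the verifier's return-value check depends on */`. do_bind()'s body continues outside the hunk.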
@@ -0,0 +1,42 @@
+From 031c99e71fedcce93b6785d38b7d287bf59e3952 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts
+Date: Thu, 13 Jul 2023 23:16:46 +0200
+Subject: selftests: tc: add ConnTrack procfs kconfig
+
+From: Matthieu Baerts
+
+commit 031c99e71fedcce93b6785d38b7d287bf59e3952 upstream.
+
+When looking at the TC selftest reports, I noticed one test was failing
+because /proc/net/nf_conntrack was not available.
+
+ not ok 373 3992 - Add ct action triggering DNAT tuple conflict
+ Could not match regex pattern. Verify command output:
+ cat: /proc/net/nf_conntrack: No such file or directory
+
+It is only available if NF_CONNTRACK_PROCFS kconfig is set. So the issue
+can be fixed simply by adding it to the list of required kconfig.
+
+Fixes: e46905641316 ("tc-testing: add test for ct DNAT tuple collision")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [1]
+Signed-off-by: Matthieu Baerts
+Tested-by: Zhengchao Shao
+Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-3-1eb4fd3a96e7@tessares.net
+Acked-by: Jamal Hadi Salim
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/tc-testing/config | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/tc-testing/config
++++ b/tools/testing/selftests/tc-testing/config
+@@ -5,6 +5,7 @@ CONFIG_NF_CONNTRACK=m
+ CONFIG_NF_CONNTRACK_MARK=y
+ CONFIG_NF_CONNTRACK_ZONES=y
+ CONFIG_NF_CONNTRACK_LABELS=y
++CONFIG_NF_CONNTRACK_PROCFS=y
+ CONFIG_NF_FLOW_TABLE=m
+ CONFIG_NF_NAT=m
+ CONFIG_NETFILTER_XT_TARGET_LOG=m
diff --git a/tmp-6.1/selftests-tc-add-ct-action-kconfig-dep.patch b/tmp-6.1/selftests-tc-add-ct-action-kconfig-dep.patch
new file mode 100644
index 00000000000..07859eec8d1
--- /dev/null
+++ b/tmp-6.1/selftests-tc-add-ct-action-kconfig-dep.patch
@@ -0,0 +1,43 @@
+From 719b4774a8cb1a501e2d22a5a4a3a0a870e427d5 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts
+Date: Thu, 13 Jul 2023 23:16:45 +0200
+Subject: selftests: tc: add 'ct' action kconfig dep
+
+From: Matthieu Baerts
+
+commit 719b4774a8cb1a501e2d22a5a4a3a0a870e427d5 upstream.
+
+When looking for something else in LKFT reports [1], I noticed most of
+the tests were skipped because the "teardown stage" did not complete
+successfully.
+
+Pedro found out this is due to the fact CONFIG_NF_FLOW_TABLE is required
+but not listed in the 'config' file. Adding it to the list fixes the
+issues on LKFT side. CONFIG_NET_ACT_CT is now set to 'm' in the final
+kconfig.
+
+Fixes: c34b961a2492 ("net/sched: act_ct: Create nf flow table per zone")
+Cc: stable@vger.kernel.org
+Link: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230711/testrun/18267241/suite/kselftest-tc-testing/test/tc-testing_tdc_sh/log [1]
+Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [2]
+Suggested-by: Pedro Tammela
+Signed-off-by: Matthieu Baerts
+Tested-by: Zhengchao Shao
+Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-2-1eb4fd3a96e7@tessares.net
+Acked-by: Jamal Hadi Salim
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/tc-testing/config | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/tc-testing/config
++++ b/tools/testing/selftests/tc-testing/config
+@@ -5,6 +5,7 @@ CONFIG_NF_CONNTRACK=m
+ CONFIG_NF_CONNTRACK_MARK=y
+ CONFIG_NF_CONNTRACK_ZONES=y
+ CONFIG_NF_CONNTRACK_LABELS=y
++CONFIG_NF_FLOW_TABLE=m
+ CONFIG_NF_NAT=m
+ CONFIG_NETFILTER_XT_TARGET_LOG=m
+
diff --git a/tmp-6.1/selftests-tc-set-timeout-to-15-minutes.patch b/tmp-6.1/selftests-tc-set-timeout-to-15-minutes.patch
new file mode 100644
index 00000000000..ea00bbfff7d
--- /dev/null
+++ b/tmp-6.1/selftests-tc-set-timeout-to-15-minutes.patch
@@ -0,0 +1,43 @@
+From fda05798c22a354efde09a76bdfc276b2d591829 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts
+Date: Thu, 13 Jul 2023 23:16:44 +0200
+Subject: selftests: tc: set timeout to 15 minutes
+
+From: Matthieu Baerts
+
+commit fda05798c22a354efde09a76bdfc276b2d591829 upstream.
+
+When looking for something else in LKFT reports [1], I noticed that the
+TC selftest ended with a timeout error:
+
+ not ok 1 selftests: tc-testing: tdc.sh # TIMEOUT 45 seconds
+
+The timeout had been introduced 3 years ago, see the Fixes commit below.
+
+This timeout is only in place when executing the selftests via the
+kselftests runner scripts. I guess this is not what most TC devs are
+using and nobody noticed the issue before.
+
+The new timeout is set to 15 minutes as suggested by Pedro [2]. It looks
+like it is plenty more time than what it takes in "normal" conditions.
+
+Fixes: 852c8cbf34d3 ("selftests/kselftest/runner.sh: Add 45 second timeout per test")
+Cc: stable@vger.kernel.org
+Link: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230711/testrun/18267241/suite/kselftest-tc-testing/test/tc-testing_tdc_sh/log [1]
+Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [2]
+Suggested-by: Pedro Tammela
+Signed-off-by: Matthieu Baerts
+Reviewed-by: Zhengchao Shao
+Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-1-1eb4fd3a96e7@tessares.net
+Acked-by: Jamal Hadi Salim
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/tc-testing/settings | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 tools/testing/selftests/tc-testing/settings
+
+--- /dev/null
++++ b/tools/testing/selftests/tc-testing/settings
+@@ -0,0 +1 @@
++timeout=900
diff --git a/tmp-6.1/series b/tmp-6.1/series
new file mode 100644
index 00000000000..7fc065207a5
--- /dev/null
+++ b/tmp-6.1/series
@@ -0,0 +1,179 @@
+io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch
+alsa-hda-realtek-remove-3k-pull-low-procedure.patch
+alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch
+alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch
+maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch
+maple_tree-fix-node-allocation-testing-on-32-bit.patch
+keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch
+perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch
+btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch
+fuse-revalidate-don-t-invalidate-if-interrupted.patch
+fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch
+btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch
+btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch
+fuse-ioctl-translate-enosys-in-outarg.patch
+btrfs-fix-race-between-balance-and-cancel-pause.patch
+selftests-tc-set-timeout-to-15-minutes.patch
+selftests-tc-add-ct-action-kconfig-dep.patch
+regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch
+of-preserve-of-display-device-name-for-compatibility.patch
+regmap-account-for-register-length-in-smbus-i-o-limits.patch
+arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch
+can-raw-fix-receiver-memory-leak.patch
+can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch
+can-bcm-fix-uaf-in-bcm_proc_show.patch
+can-gs_usb-gs_can_open-improve-error-handling.patch
+selftests-tc-add-conntrack-procfs-kconfig.patch
+dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch
+drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch
+drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch
+drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch
+drm-client-fix-memory-leak-in-drm_client_target_cloned.patch
+drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch
+drm-amd-display-only-accept-async-flips-for-fast-updates.patch
+drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch
+drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch
+drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch
+asoc-fsl_sai-disable-bit-clock-with-transmitter.patch
+asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch
+asoc-tegra-fix-adx-byte-map.patch
+asoc-rt5640-fix-sleep-in-atomic-context.patch
+asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch
+asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch
+asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch
+asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch
+asoc-tegra-fix-amx-byte-map.patch
+asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch
+asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch
+asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch
+asoc-codecs-wcd938x-fix-codec-initialisation-race.patch
+asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch
+ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch
+drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch
+alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch
+quota-properly-disable-quotas-when-add_dquot_ref-fai.patch
+quota-fix-warning-in-dqgrab.patch
+hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch
+ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch
+udf-fix-uninitialized-array-access-for-some-pathname.patch
+fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch
+mips-dec-prom-address-warray-bounds-warning.patch
+fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch
+fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch
+acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch
+rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch
+rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch
+sched-fair-don-t-balance-task-to-its-current-running.patch
+wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch
+bpf-print-a-warning-only-if-writing-to-unprivileged_.patch
+bpf-address-kcsan-report-on-bpf_lru_list.patch
+bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch
+wifi-ath11k-add-support-default-regdb-while-searchin.patch
+wifi-mac80211_hwsim-fix-possible-null-dereference.patch
+spi-dw-add-compatible-for-intel-mount-evans-soc.patch
+wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch
+net-ethernet-litex-add-support-for-64-bit-stats.patch
+devlink-report-devlink_port_type_warn-source-device.patch
+wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch
+wifi-iwlwifi-add-support-for-new-pci-id.patch
+wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch
+wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch
+igb-fix-igb_down-hung-on-surprise-removal.patch
+net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch
+asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch
+asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch
+asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch
+asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch
+sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch
+sched-psi-fix-avgs_work-re-arm-in-psi_avgs_work.patch
+sched-psi-rearrange-polling-code-in-preparation.patch
+sched-psi-rename-existing-poll-members-in-preparatio.patch
+sched-psi-extract-update_triggers-side-effect.patch
+sched-psi-allow-unprivileged-polling-of-n-2s-period.patch
+sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch
+pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch
+pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch
+spi-bcm63xx-fix-max-prepend-length.patch
+fbdev-imxfb-warn-about-invalid-left-right-margin.patch
+fbdev-imxfb-removed-unneeded-release_mem_region.patch
+perf-build-fix-library-not-found-error-when-using-cs.patch
+btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch
+spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch
+kallsyms-improve-the-performance-of-kallsyms_lookup_.patch
+kallsyms-correctly-sequence-symbols-when-config_lto_.patch
+kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch
+dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch
+net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch
+bridge-add-extack-warning-when-enabling-stp-in-netns.patch
+net-ethernet-mtk_eth_soc-handle-probe-deferral.patch
+cifs-fix-mid-leak-during-reconnection-after-timeout-.patch
+asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch
+net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch
+net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch
+net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch
+net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch
+net-dsa-microchip-ksz8-separate-static-mac-table-ope.patch
+net-dsa-microchip-ksz8-make-ksz8_r_sta_mac_table-sta.patch
+net-dsa-microchip-ksz8_r_sta_mac_table-avoid-using-e.patch
+net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch
+iavf-fix-use-after-free-in-free_netdev.patch
+iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch
+iavf-use-internal-state-to-free-traffic-irqs.patch
+iavf-move-netdev_update_features-into-watchdog-task.patch
+iavf-send-vlan-offloading-caps-once-after-vfr.patch
+iavf-make-functions-static-where-possible.patch
+iavf-wait-for-reset-in-callbacks-which-trigger-it.patch
+iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch
+iavf-fix-reset-task-race-with-iavf_remove.patch
+security-keys-modify-mismatched-function-name.patch
+octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch
+bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch
+bpf-repeat-check_max_stack_depth-for-async-callbacks.patch
+bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch
+igc-avoid-transmit-queue-timeout-for-xdp.patch
+igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch
+net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch
+tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch
+tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch
+net-ipv4-use-kfree_sensitive-instead-of-kfree.patch
+net-ipv6-check-return-value-of-pskb_trim.patch
+revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch
+fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch
+llc-don-t-drop-packet-from-non-root-netns.patch
+alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch
+netfilter-nf_tables-fix-spurious-set-element-inserti.patch
+netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch
+netfilter-nft_set_pipapo-fix-improper-element-remova.patch
+netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch
+netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch
+bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch
+bluetooth-hci_event-call-disconnect-callback-before-.patch
+bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch
+bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch
+tcp-annotate-data-races-around-tp-tcp_tx_delay.patch
+tcp-annotate-data-races-around-tp-tsoffset.patch
+tcp-annotate-data-races-around-tp-keepalive_time.patch
+tcp-annotate-data-races-around-tp-keepalive_intvl.patch
+tcp-annotate-data-races-around-tp-keepalive_probes.patch
+tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch
+tcp-annotate-data-races-around-tp-linger2.patch
+tcp-annotate-data-races-around-rskq_defer_accept.patch
+tcp-annotate-data-races-around-tp-notsent_lowat.patch
+tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch
+tcp-annotate-data-races-around-fastopenq.max_qlen.patch
+net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch
+jbd2-recheck-chechpointing-non-dirty-buffer.patch
+tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch
+drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch
+spi-dw-remove-misleading-comment-for-mount-evans-soc.patch
+kallsyms-add-kallsyms_seqs_of_names-to-list-of-special-symbols.patch
+scripts-kallsyms.c-make-the-comment-up-to-date-with-current-implementation.patch
+scripts-kallsyms-update-the-usage-in-the-comment-block.patch
+bpf-allow-precision-tracking-for-programs-with-subprogs.patch
+bpf-stop-setting-precise-in-current-state.patch
+bpf-aggressively-forget-precise-markings-during-state-checkpointing.patch
+selftests-bpf-make-test_align-selftest-more-robust.patch
+selftests-bpf-workaround-verification-failure-for-fexit_bpf2bpf-func_replace_return_code.patch
+selftests-bpf-fix-sk_assign-on-s390x.patch
+x86-cpu-amd-move-the-errata-checking-functionality-up.patch
+x86-cpu-amd-add-a-zenbleed-fix.patch
diff --git a/tmp-6.1/spi-bcm63xx-fix-max-prepend-length.patch b/tmp-6.1/spi-bcm63xx-fix-max-prepend-length.patch
new file mode 100644
index 00000000000..378e34a46b9
--- /dev/null
+++ b/tmp-6.1/spi-bcm63xx-fix-max-prepend-length.patch
@@ -0,0 +1,47 @@
+From cf5e36388cb882c6653cd3159ae15b19b12d882e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jun 2023 09:14:52 +0200
+Subject: spi: bcm63xx: fix max prepend length
+
+From: Jonas Gorski
+
+[ Upstream commit 5158814cbb37bbb38344b3ecddc24ba2ed0365f2 ]
+
+The command word is defined as following:
+
+ /* Command */
+ #define SPI_CMD_COMMAND_SHIFT 0
+ #define SPI_CMD_DEVICE_ID_SHIFT 4
+ #define SPI_CMD_PREPEND_BYTE_CNT_SHIFT 8
+ #define SPI_CMD_ONE_BYTE_SHIFT 11
+ #define SPI_CMD_ONE_WIRE_SHIFT 12
+
+If the prepend byte count field starts at bit 8, and the next defined
+bit is SPI_CMD_ONE_BYTE at bit 11, it can be at most 3 bits wide, and
+thus the max value is 7, not 15.
+
+Fixes: b17de076062a ("spi/bcm63xx: work around inability to keep CS up")
+Signed-off-by: Jonas Gorski
+Link: https://lore.kernel.org/r/20230629071453.62024-1-jonas.gorski@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-bcm63xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c
+index 80fa0ef8909ca..147199002df1e 100644
+--- a/drivers/spi/spi-bcm63xx.c
++++ b/drivers/spi/spi-bcm63xx.c
+@@ -126,7 +126,7 @@ enum bcm63xx_regs_spi {
+ SPI_MSG_DATA_SIZE,
+ };
+
+-#define BCM63XX_SPI_MAX_PREPEND 15
++#define BCM63XX_SPI_MAX_PREPEND 7
+
+ #define BCM63XX_SPI_MAX_CS 8
+ #define BCM63XX_SPI_BUS_NUM 0
+--
+2.39.2
+
diff --git a/tmp-6.1/spi-dw-add-compatible-for-intel-mount-evans-soc.patch b/tmp-6.1/spi-dw-add-compatible-for-intel-mount-evans-soc.patch
new file mode 100644
index 00000000000..26ebd33b46c
--- /dev/null
+++ b/tmp-6.1/spi-dw-add-compatible-for-intel-mount-evans-soc.patch
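Review bot: The new value of `BCM63XX_SPI_MAX_PREPEND` is explained only in the commit message; nothing next to the define says that it is bounded by the width of the prepend-count field in the command word. A comment on the define would stop a later edit from raising it into the neighbouring ONE_BYTE bit again, for example `/* PREPEND_BYTE_CNT occupies bits 8..10 of the command word, so at most 7 bytes */`. How the constant is used to bound the prepend data is outside this hunk, so that is worth checking separately against the same limit.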
@@ -0,0 +1,81 @@
+From a47a909fedf766372d2d6e58a2e2e2694d9e1dfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 07:54:01 -0700
+Subject: spi: dw: Add compatible for Intel Mount Evans SoC
+
+From: Abe Kohandel
+
+[ Upstream commit 0760d5d0e9f0c0e2200a0323a61d1995bb745dee ]
+
+The Intel Mount Evans SoC's Integrated Management Complex uses the SPI
+controller for access to a NOR SPI FLASH. However, the SoC doesn't
+provide a mechanism to override the native chip select signal.
+
+This driver doesn't use DMA for memory operations when a chip select
+override is not provided due to the native chip select timing behavior.
+As a result no DMA configuration is done for the controller and this
+configuration is not tested.
+
+The controller also has an errata where a full TX FIFO can result in
+data corruption. The suggested workaround is to never completely fill
+the FIFO. The TX FIFO has a size of 32 so the fifo_len is set to 31.
+
+Signed-off-by: Abe Kohandel
+Reviewed-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20230606145402.474866-2-abe.kohandel@intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-dw-mmio.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/drivers/spi/spi-dw-mmio.c b/drivers/spi/spi-dw-mmio.c
+index 26c40ea6dd129..7e8478ad74e55 100644
+--- a/drivers/spi/spi-dw-mmio.c
++++ b/drivers/spi/spi-dw-mmio.c
+@@ -222,6 +222,31 @@ static int dw_spi_intel_init(struct platform_device *pdev,
+ return 0;
+ }
+
++/*
++ * The Intel Mount Evans SoC's Integrated Management Complex uses the
++ * SPI controller for access to a NOR SPI FLASH. However, the SoC doesn't
++ * provide a mechanism to override the native chip select signal.
++ *
++ * This driver doesn't use DMA for memory operations when a chip select
++ * override is not provided due to the native chip select timing behavior.
++ * As a result no DMA configuration is done for the controller and this
++ * configuration is not tested.
++ */
++static int dw_spi_mountevans_imc_init(struct platform_device *pdev,
++ struct dw_spi_mmio *dwsmmio)
++{
++ /*
++ * The Intel Mount Evans SoC's Integrated Management Complex DW
++ * apb_ssi_v4.02a controller has an errata where a full TX FIFO can
++ * result in data corruption. The suggested workaround is to never
++ * completely fill the FIFO. The TX FIFO has a size of 32 so the
++ * fifo_len is set to 31.
++ */
++ dwsmmio->dws.fifo_len = 31;
++
++ return 0;
++}
++
+ static int dw_spi_canaan_k210_init(struct platform_device *pdev,
+ struct dw_spi_mmio *dwsmmio)
+ {
+@@ -350,6 +375,10 @@ static const struct of_device_id dw_spi_mmio_of_match[] = {
+ { .compatible = "snps,dwc-ssi-1.01a", .data = dw_spi_hssi_init},
+ { .compatible = "intel,keembay-ssi", .data = dw_spi_intel_init},
+ { .compatible = "intel,thunderbay-ssi", .data = dw_spi_intel_init},
++ {
++ .compatible = "intel,mountevans-imc-ssi",
++ .data = dw_spi_mountevans_imc_init,
++ },
+ { .compatible = "microchip,sparx5-spi", dw_spi_mscc_sparx5_init},
+ { .compatible = "canaan,k210-spi", dw_spi_canaan_k210_init},
+ { /* end of table */}
+--
+2.39.2
+
diff --git a/tmp-6.1/spi-dw-remove-misleading-comment-for-mount-evans-soc.patch b/tmp-6.1/spi-dw-remove-misleading-comment-for-mount-evans-soc.patch
new file mode 100644
index 00000000000..1d70675f708
--- /dev/null
+++ b/tmp-6.1/spi-dw-remove-misleading-comment-for-mount-evans-soc.patch
@@ -0,0 +1,41 @@
+From 5b6d0b91f84cff3f28724076f93f6f9e2ef8d775 Mon Sep 17 00:00:00 2001
+From: Abe Kohandel
+Date: Tue, 6 Jun 2023 16:18:44 -0700
+Subject: spi: dw: Remove misleading comment for Mount Evans SoC
+
+From: Abe Kohandel
+
+commit 5b6d0b91f84cff3f28724076f93f6f9e2ef8d775 upstream.
+
+Remove a misleading comment about the DMA operations of the Intel Mount
+Evans SoC's SPI Controller as requested by Serge.
+
+Signed-off-by: Abe Kohandel
+Link: https://lore.kernel.org/linux-spi/20230606191333.247ucbf7h3tlooxf@mobilestation/
+Fixes: 0760d5d0e9f0 ("spi: dw: Add compatible for Intel Mount Evans SoC")
+Reviewed-by: Serge Semin
+Link: https://lore.kernel.org/r/20230606231844.726272-1-abe.kohandel@intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-dw-mmio.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/spi/spi-dw-mmio.c
++++ b/drivers/spi/spi-dw-mmio.c
+@@ -223,14 +223,7 @@ static int dw_spi_intel_init(struct plat
+ }
+
+ /*
+- * The Intel Mount Evans SoC's Integrated Management Complex uses the
+- * SPI controller for access to a NOR SPI FLASH. However, the SoC doesn't
+- * provide a mechanism to override the native chip select signal.
+- *
+- * This driver doesn't use DMA for memory operations when a chip select
+- * override is not provided due to the native chip select timing behavior.
+- * As a result no DMA configuration is done for the controller and this
+- * configuration is not tested.
++ * DMA-based mem ops are not configured for this device and are not tested.
+ */
+ static int dw_spi_mountevans_imc_init(struct platform_device *pdev,
+ struct dw_spi_mmio *dwsmmio)
diff --git a/tmp-6.1/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch b/tmp-6.1/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch
new file mode 100644
index 00000000000..8843429f8cc
--- /dev/null
+++ b/tmp-6.1/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch
@@ -0,0 +1,40 @@
+From f832b5453eead49443949271d5828c464703455b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Jul 2023 17:20:20 +0900
+Subject: spi: s3c64xx: clear loopback bit after loopback test
+
+From: Jaewon Kim
+
+[ Upstream commit 9ec3c5517e22a12d2ff1b71e844f7913641460c6 ]
+
+When SPI loopback transfer is performed, S3C64XX_SPI_MODE_SELF_LOOPBACK
+bit still remained. It works as loopback even if the next transfer is
+not spi loopback mode.
+If not SPI_LOOP, needs to clear S3C64XX_SPI_MODE_SELF_LOOPBACK bit.
+
+Signed-off-by: Jaewon Kim
+Fixes: ffb7bcd3b27e ("spi: s3c64xx: support loopback mode")
+Reviewed-by: Chanho Park
+Link: https://lore.kernel.org/r/20230711082020.138165-1-jaewon02.kim@samsung.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-s3c64xx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
+index 71d324ec9a70a..1480df7b43b3f 100644
+--- a/drivers/spi/spi-s3c64xx.c
++++ b/drivers/spi/spi-s3c64xx.c
+@@ -668,6 +668,8 @@ static int s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd)
+
+ if ((sdd->cur_mode & SPI_LOOP) && sdd->port_conf->has_loopback)
+ val |= S3C64XX_SPI_MODE_SELF_LOOPBACK;
++ else
++ val &= ~S3C64XX_SPI_MODE_SELF_LOOPBACK;
+
+ writel(val, regs + S3C64XX_SPI_MODE_CFG);
+
+--
+2.39.2
+
diff --git a/tmp-6.1/tcp-annotate-data-races-around-fastopenq.max_qlen.patch b/tmp-6.1/tcp-annotate-data-races-around-fastopenq.max_qlen.patch
new file mode 100644
index 00000000000..8d091d79b80
--- /dev/null
+++ b/tmp-6.1/tcp-annotate-data-races-around-fastopenq.max_qlen.patch
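Review bot: The added `else` branch in s3c64xx_spi_config() carries no comment, and from the code alone it is not clear why a bit this call never set has to be cleared. Presumably `val` is read back from `S3C64XX_SPI_MODE_CFG` earlier in the function, which starts outside this hunk, so the bit can survive from a previous transfer. A short comment above the branch would record that, for example `/* MODE_CFG may still carry the bit from an earlier SPI_LOOP transfer */`.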
@@ -0,0 +1,77 @@
+From 7035bedf31a88876c025d69b93d6ebb0256f36f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:57 +0000
+Subject: tcp: annotate data-races around fastopenq.max_qlen
+
+From: Eric Dumazet
+
+[ Upstream commit 70f360dd7042cb843635ece9d28335a4addff9eb ]
+
+This field can be read locklessly.
+
+Fixes: 1536e2857bd3 ("tcp: Add a TCP_FASTOPEN socket option to get a max backlog on its listner")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-12-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/linux/tcp.h | 2 +-
+ net/ipv4/tcp.c | 2 +-
+ net/ipv4/tcp_fastopen.c | 6 ++++--
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/tcp.h b/include/linux/tcp.h
+index 41b1da621a458..9cd289ad3f5b5 100644
+--- a/include/linux/tcp.h
++++ b/include/linux/tcp.h
+@@ -510,7 +510,7 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog)
+ struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
+ int somaxconn = READ_ONCE(sock_net(sk)->core.sysctl_somaxconn);
+
+- queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn);
++ WRITE_ONCE(queue->fastopenq.max_qlen, min_t(unsigned int, backlog, somaxconn));
+ }
+
+ static inline void tcp_move_syn(struct tcp_sock *tp,
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index b3a5ff311567b..fab25d4f3a6f1 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -4247,7 +4247,7 @@ int do_tcp_getsockopt(struct sock *sk, int level,
+ break;
+
+ case TCP_FASTOPEN:
+- val = icsk->icsk_accept_queue.fastopenq.max_qlen;
++ val = READ_ONCE(icsk->icsk_accept_queue.fastopenq.max_qlen);
+ break;
+
+ case TCP_FASTOPEN_CONNECT:
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index 45cc7f1ca2961..85e4953f11821 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -296,6 +296,7 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk,
+ static bool tcp_fastopen_queue_check(struct sock *sk)
+ {
+ struct fastopen_queue *fastopenq;
++ int max_qlen;
+
+ /* Make sure the listener has enabled fastopen, and we don't
+ * exceed the max # of pending TFO requests allowed before trying
+@@ -308,10 +309,11 @@ static bool tcp_fastopen_queue_check(struct sock *sk)
+ * temporarily vs a server not supporting Fast Open at all.
+ */
+ fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq;
+- if (fastopenq->max_qlen == 0)
++ max_qlen = READ_ONCE(fastopenq->max_qlen);
++ if (max_qlen == 0)
+ return false;
+
+- if (fastopenq->qlen >= fastopenq->max_qlen) {
++ if (fastopenq->qlen >= max_qlen) {
+ struct request_sock *req1;
+ spin_lock(&fastopenq->lock);
+ req1 = fastopenq->rskq_rst_head;
+--
+2.39.2
+
diff --git a/tmp-6.1/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch b/tmp-6.1/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch
new file mode 100644
index 00000000000..abaaf2ef0ca
--- /dev/null
+++ b/tmp-6.1/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch
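Review bot: In tcp_fastopen_queue_check() the limit check `if (fastopenq->qlen >= max_qlen) {` still loads `fastopenq->qlen` with a plain read before `spin_lock(&fastopenq->lock)` is taken, so only one side of the comparison is annotated. If `qlen` is updated under that lock on other CPUs, which this hunk does not show, the read would want the same treatment: `if (READ_ONCE(fastopenq->qlen) >= max_qlen) {`. This check is what bounds the number of pending Fast Open requests, so it is worth being explicit about which of its loads are intentionally lockless. The function body continues past the end of the hunk.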
@@ -0,0 +1,69 @@
+From ae744dd736807b48f042d785128b2d771387f69c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:52 +0000
+Subject: tcp: annotate data-races around icsk->icsk_syn_retries
+
+From: Eric Dumazet
+
+[ Upstream commit 3a037f0f3c4bfe44518f2fbb478aa2f99a9cd8bb ]
+
+do_tcp_getsockopt() and reqsk_timer_handler() read
+icsk->icsk_syn_retries while another cpu might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-7-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/tcp.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index 8e35ea66d930a..62a3b103f258a 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -1016,7 +1016,7 @@ static void reqsk_timer_handler(struct timer_list *t)
+
+ icsk = inet_csk(sk_listener);
+ net = sock_net(sk_listener);
+- max_syn_ack_retries = icsk->icsk_syn_retries ? :
++ max_syn_ack_retries = READ_ONCE(icsk->icsk_syn_retries) ? :
+ READ_ONCE(net->ipv4.sysctl_tcp_synack_retries);
+ /* Normally all the openreqs are young and become mature
+ * (i.e. converted to established socket) for first timeout.
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 7d75928ea0f9c..ffa9717293358 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3397,7 +3397,7 @@ int tcp_sock_set_syncnt(struct sock *sk, int val)
+ return -EINVAL;
+
+ lock_sock(sk);
+- inet_csk(sk)->icsk_syn_retries = val;
++ WRITE_ONCE(inet_csk(sk)->icsk_syn_retries, val);
+ release_sock(sk);
+ return 0;
+ }
+@@ -3678,7 +3678,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+ if (val < 1 || val > MAX_TCP_SYNCNT)
+ err = -EINVAL;
+ else
+- icsk->icsk_syn_retries = val;
++ WRITE_ONCE(icsk->icsk_syn_retries, val);
+ break;
+
+ case TCP_SAVE_SYN:
+@@ -4095,7 +4095,7 @@ int do_tcp_getsockopt(struct sock *sk, int level,
+ val = keepalive_probes(tp);
+ break;
+ case TCP_SYNCNT:
+- val = icsk->icsk_syn_retries ? :
++ val = READ_ONCE(icsk->icsk_syn_retries) ? :
+ READ_ONCE(net->ipv4.sysctl_tcp_syn_retries);
+ break;
+ case TCP_LINGER2:
+--
+2.39.2
+
diff --git a/tmp-6.1/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch b/tmp-6.1/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch
new file mode 100644
index 00000000000..1840f3aa1b1
--- /dev/null
+++ b/tmp-6.1/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch
@@ -0,0 +1,54 @@
+From 7efbdf0a8a4d26103224e8eb9779b4b5c48a11c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:56 +0000
+Subject: tcp: annotate data-races around icsk->icsk_user_timeout
+
+From: Eric Dumazet
+
+[ Upstream commit 26023e91e12c68669db416b97234328a03d8e499 ]
+
+This field can be read locklessly from do_tcp_getsockopt()
+
+Fixes: dca43c75e7e5 ("tcp: Add TCP_USER_TIMEOUT socket option.")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-11-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 6f3a494b965ae..b3a5ff311567b 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3406,7 +3406,7 @@ EXPORT_SYMBOL(tcp_sock_set_syncnt);
+ void tcp_sock_set_user_timeout(struct sock *sk, u32 val)
+ {
+ lock_sock(sk);
+- inet_csk(sk)->icsk_user_timeout = val;
++ WRITE_ONCE(inet_csk(sk)->icsk_user_timeout, val);
+ release_sock(sk);
+ }
+ EXPORT_SYMBOL(tcp_sock_set_user_timeout);
+@@ -3726,7 +3726,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+ if (val < 0)
+ err = -EINVAL;
+ else
+- icsk->icsk_user_timeout = val;
++ WRITE_ONCE(icsk->icsk_user_timeout, val);
+ break;
+
+ case TCP_FASTOPEN:
+@@ -4243,7 +4243,7 @@ int do_tcp_getsockopt(struct sock *sk, int level,
+ break;
+
+ case TCP_USER_TIMEOUT:
+- val = icsk->icsk_user_timeout;
++ val = READ_ONCE(icsk->icsk_user_timeout);
+ break;
+
+ case TCP_FASTOPEN:
+--
+2.39.2
+
diff --git a/tmp-6.1/tcp-annotate-data-races-around-rskq_defer_accept.patch b/tmp-6.1/tcp-annotate-data-races-around-rskq_defer_accept.patch
new file mode 100644
index 00000000000..11e7afc0472
--- /dev/null
+++ b/tmp-6.1/tcp-annotate-data-races-around-rskq_defer_accept.patch
@@ -0,0 +1,53 @@
+From 7cb1fa4e8fc2528b3c95ebf4367b85eaf269c0e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:54 +0000
+Subject: tcp: annotate data-races around rskq_defer_accept
+
+From: Eric Dumazet
+
+[ Upstream commit ae488c74422fb1dcd807c0201804b3b5e8a322a3 ]
+
+do_tcp_getsockopt() reads rskq_defer_accept while another cpu
+might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-9-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 363535b6ece83..bc3ad48f92389 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3700,9 +3700,9 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+
+ case TCP_DEFER_ACCEPT:
+ /* Translate value in seconds to number of retransmits */
+- icsk->icsk_accept_queue.rskq_defer_accept =
+- secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ,
+- TCP_RTO_MAX / HZ);
++ WRITE_ONCE(icsk->icsk_accept_queue.rskq_defer_accept,
++ secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ,
++ TCP_RTO_MAX / HZ));
+ break;
+
+ case TCP_WINDOW_CLAMP:
+@@ -4104,8 +4104,9 @@ int do_tcp_getsockopt(struct sock *sk, int level,
+ val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ;
+ break;
+ case TCP_DEFER_ACCEPT:
+- val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept,
+- TCP_TIMEOUT_INIT / HZ, TCP_RTO_MAX / HZ);
++ val = READ_ONCE(icsk->icsk_accept_queue.rskq_defer_accept);
++ val = retrans_to_secs(val, TCP_TIMEOUT_INIT / HZ,
++ TCP_RTO_MAX / HZ);
+ break;
+ case TCP_WINDOW_CLAMP:
+ val = tp->window_clamp;
+--
+2.39.2
+
diff --git a/tmp-6.1/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch b/tmp-6.1/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch
new file mode 100644
index 00000000000..ec6abdae945
--- /dev/null
+++ b/tmp-6.1/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch 
@@ -0,0 +1,184 @@ +From 2a19bb80f620e9115ee081f89944c9fc3882cceb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 14:44:45 +0000 +Subject: tcp: annotate data-races around tcp_rsk(req)->ts_recent + +From: Eric Dumazet + +[ Upstream commit eba20811f32652bc1a52d5e7cc403859b86390d9 ] + +TCP request sockets are lockless, tcp_rsk(req)->ts_recent +can change while being read by another cpu as syzbot noticed. + +This is harmless, but we should annotate the known races. + +Note that tcp_check_req() changes req->ts_recent a bit early, +we might change this in the future. + +BUG: KCSAN: data-race in tcp_check_req / tcp_check_req + +write to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 1: +tcp_check_req+0x694/0xc70 net/ipv4/tcp_minisocks.c:762 +tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071 +ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205 +ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233 +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254 +dst_input include/net/dst.h:468 [inline] +ip_rcv_finish net/ipv4/ip_input.c:449 [inline] +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569 +__netif_receive_skb_one_core net/core/dev.c:5493 [inline] +__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607 +process_backlog+0x21f/0x380 net/core/dev.c:5935 +__napi_poll+0x60/0x3b0 net/core/dev.c:6498 +napi_poll net/core/dev.c:6565 [inline] +net_rx_action+0x32b/0x750 net/core/dev.c:6698 +__do_softirq+0xc1/0x265 kernel/softirq.c:571 +do_softirq+0x7e/0xb0 kernel/softirq.c:472 +__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:396 +local_bh_enable+0x1f/0x20 include/linux/bottom_half.h:33 +rcu_read_unlock_bh include/linux/rcupdate.h:843 [inline] +__dev_queue_xmit+0xabb/0x1d10 net/core/dev.c:4271 +dev_queue_xmit include/linux/netdevice.h:3088 [inline] +neigh_hh_output include/net/neighbour.h:528 [inline] +neigh_output include/net/neighbour.h:542 [inline] 
+ip_finish_output2+0x700/0x840 net/ipv4/ip_output.c:229 +ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:317 +NF_HOOK_COND include/linux/netfilter.h:292 [inline] +ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:431 +dst_output include/net/dst.h:458 [inline] +ip_local_out net/ipv4/ip_output.c:126 [inline] +__ip_queue_xmit+0xa4d/0xa70 net/ipv4/ip_output.c:533 +ip_queue_xmit+0x38/0x40 net/ipv4/ip_output.c:547 +__tcp_transmit_skb+0x1194/0x16e0 net/ipv4/tcp_output.c:1399 +tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline] +tcp_write_xmit+0x13ff/0x2fd0 net/ipv4/tcp_output.c:2693 +__tcp_push_pending_frames+0x6a/0x1a0 net/ipv4/tcp_output.c:2877 +tcp_push_pending_frames include/net/tcp.h:1952 [inline] +__tcp_sock_set_cork net/ipv4/tcp.c:3336 [inline] +tcp_sock_set_cork+0xe8/0x100 net/ipv4/tcp.c:3343 +rds_tcp_xmit_path_complete+0x3b/0x40 net/rds/tcp_send.c:52 +rds_send_xmit+0xf8d/0x1420 net/rds/send.c:422 +rds_send_worker+0x42/0x1d0 net/rds/threads.c:200 +process_one_work+0x3e6/0x750 kernel/workqueue.c:2408 +worker_thread+0x5f2/0xa10 kernel/workqueue.c:2555 +kthread+0x1d7/0x210 kernel/kthread.c:379 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +read to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 0: +tcp_check_req+0x32a/0xc70 net/ipv4/tcp_minisocks.c:622 +tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071 +ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205 +ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233 +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254 +dst_input include/net/dst.h:468 [inline] +ip_rcv_finish net/ipv4/ip_input.c:449 [inline] +NF_HOOK include/linux/netfilter.h:303 [inline] +ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569 +__netif_receive_skb_one_core net/core/dev.c:5493 [inline] +__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607 +process_backlog+0x21f/0x380 net/core/dev.c:5935 +__napi_poll+0x60/0x3b0 net/core/dev.c:6498 +napi_poll net/core/dev.c:6565 [inline] 
+net_rx_action+0x32b/0x750 net/core/dev.c:6698 +__do_softirq+0xc1/0x265 kernel/softirq.c:571 +run_ksoftirqd+0x17/0x20 kernel/softirq.c:939 +smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164 +kthread+0x1d7/0x210 kernel/kthread.c:379 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 + +value changed: 0x1cd237f1 -> 0x1cd237f2 + +Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230717144445.653164-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 2 +- + net/ipv4/tcp_minisocks.c | 9 ++++++--- + net/ipv4/tcp_output.c | 2 +- + net/ipv6/tcp_ipv6.c | 2 +- + 4 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index e5df50b3e23a0..d49a66b271d52 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -988,7 +988,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + tcp_rsk(req)->rcv_nxt, + req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, + tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, +- req->ts_recent, ++ READ_ONCE(req->ts_recent), + 0, + tcp_md5_do_lookup(sk, l3index, addr, AF_INET), + inet_rsk(req)->no_srccheck ? 
IP_REPLY_ARG_NOSRCCHECK : 0, +diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c +index f281eab7fd125..42844d20da020 100644 +--- a/net/ipv4/tcp_minisocks.c ++++ b/net/ipv4/tcp_minisocks.c +@@ -537,7 +537,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk, + newtp->max_window = newtp->snd_wnd; + + if (newtp->rx_opt.tstamp_ok) { +- newtp->rx_opt.ts_recent = req->ts_recent; ++ newtp->rx_opt.ts_recent = READ_ONCE(req->ts_recent); + newtp->rx_opt.ts_recent_stamp = ktime_get_seconds(); + newtp->tcp_header_len = sizeof(struct tcphdr) + TCPOLEN_TSTAMP_ALIGNED; + } else { +@@ -601,7 +601,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb, + tcp_parse_options(sock_net(sk), skb, &tmp_opt, 0, NULL); + + if (tmp_opt.saw_tstamp) { +- tmp_opt.ts_recent = req->ts_recent; ++ tmp_opt.ts_recent = READ_ONCE(req->ts_recent); + if (tmp_opt.rcv_tsecr) + tmp_opt.rcv_tsecr -= tcp_rsk(req)->ts_off; + /* We do not store true stamp, but it is not required, +@@ -740,8 +740,11 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb, + + /* In sequence, PAWS is OK. */ + ++ /* TODO: We probably should defer ts_recent change once ++ * we take ownership of @req. 
++ */ + if (tmp_opt.saw_tstamp && !after(TCP_SKB_CB(skb)->seq, tcp_rsk(req)->rcv_nxt)) +- req->ts_recent = tmp_opt.rcv_tsval; ++ WRITE_ONCE(req->ts_recent, tmp_opt.rcv_tsval); + + if (TCP_SKB_CB(skb)->seq == tcp_rsk(req)->rcv_isn) { + /* Truncate SYN, it is out of window starting +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 693a29d3f43bd..26bd039f9296f 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -876,7 +876,7 @@ static unsigned int tcp_synack_options(const struct sock *sk, + if (likely(ireq->tstamp_ok)) { + opts->options |= OPTION_TS; + opts->tsval = tcp_skb_timestamp(skb) + tcp_rsk(req)->ts_off; +- opts->tsecr = req->ts_recent; ++ opts->tsecr = READ_ONCE(req->ts_recent); + remaining -= TCPOLEN_TSTAMP_ALIGNED; + } + if (likely(ireq->sack_ok)) { +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 0dcb06a1fe044..d9253aa764fae 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1130,7 +1130,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + tcp_rsk(req)->rcv_nxt, + req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, + tcp_time_stamp_raw() + tcp_rsk(req)->ts_off, +- req->ts_recent, sk->sk_bound_dev_if, ++ READ_ONCE(req->ts_recent), sk->sk_bound_dev_if, + tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index), + ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority, + READ_ONCE(tcp_rsk(req)->txhash)); +-- +2.39.2 + diff --git a/tmp-6.1/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch b/tmp-6.1/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch new file mode 100644 index 00000000000..7cee347686d --- /dev/null +++ b/tmp-6.1/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch 
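Review bot: The `WRITE_ONCE(req->ts_recent, tmp_opt.rcv_tsval)` in tcp_check_req() still runs before the caller owns @req, so the annotation prevents torn accesses but does not decide which of two racing segments leaves its timestamp behind. The KCSAN report in the commit message shows two tcp_check_req() instances on different CPUs, and tcp_create_openreq_child() later copies whatever value is there into `newtp->rx_opt.ts_recent`. The added TODO would be more useful if it said so, for instance `/* TODO: defer this store until we own @req; until then concurrent tcp_check_req() callers can overwrite each other's rcv_tsval. */`. Whether a stale value can influence later PAWS checks on the child socket is not visible in these hunks, so that is worth confirming rather than taking from the "harmless" wording alone.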
@@ -0,0 +1,170 @@ +From d29e41820d443947afb2314e6e9891e047903726 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 14:44:44 +0000 +Subject: tcp: annotate data-races around tcp_rsk(req)->txhash + +From: Eric Dumazet + +[ Upstream commit 5e5265522a9a7f91d1b0bd411d634bdaf16c80cd ] + +TCP request sockets are lockless, some of their fields +can change while being read by another cpu as syzbot noticed. + +This is usually harmless, but we should annotate the known +races. + +This patch takes care of tcp_rsk(req)->txhash, +a separate one is needed for tcp_rsk(req)->ts_recent. + +BUG: KCSAN: data-race in tcp_make_synack / tcp_rtx_synack + +write to 0xffff8881362304bc of 4 bytes by task 32083 on cpu 1: +tcp_rtx_synack+0x9d/0x2a0 net/ipv4/tcp_output.c:4213 +inet_rtx_syn_ack+0x38/0x80 net/ipv4/inet_connection_sock.c:880 +tcp_check_req+0x379/0xc70 net/ipv4/tcp_minisocks.c:665 +tcp_v6_rcv+0x125b/0x1b20 net/ipv6/tcp_ipv6.c:1673 +ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437 +ip6_input_finish net/ipv6/ip6_input.c:482 [inline] +NF_HOOK include/linux/netfilter.h:303 [inline] +ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491 +dst_input include/net/dst.h:468 [inline] +ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79 +NF_HOOK include/linux/netfilter.h:303 [inline] +ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309 +__netif_receive_skb_one_core net/core/dev.c:5452 [inline] +__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566 +netif_receive_skb_internal net/core/dev.c:5652 [inline] +netif_receive_skb+0x4a/0x310 net/core/dev.c:5711 +tun_rx_batched+0x3bf/0x400 +tun_get_user+0x1d24/0x22b0 drivers/net/tun.c:1997 +tun_chr_write_iter+0x18e/0x240 drivers/net/tun.c:2043 +call_write_iter include/linux/fs.h:1871 [inline] +new_sync_write fs/read_write.c:491 [inline] +vfs_write+0x4ab/0x7d0 fs/read_write.c:584 +ksys_write+0xeb/0x1a0 fs/read_write.c:637 +__do_sys_write fs/read_write.c:649 [inline] +__se_sys_write fs/read_write.c:646 [inline] +__x64_sys_write+0x42/0x50 
fs/read_write.c:646 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff8881362304bc of 4 bytes by task 32078 on cpu 0: +tcp_make_synack+0x367/0xb40 net/ipv4/tcp_output.c:3663 +tcp_v6_send_synack+0x72/0x420 net/ipv6/tcp_ipv6.c:544 +tcp_conn_request+0x11a8/0x1560 net/ipv4/tcp_input.c:7059 +tcp_v6_conn_request+0x13f/0x180 net/ipv6/tcp_ipv6.c:1175 +tcp_rcv_state_process+0x156/0x1de0 net/ipv4/tcp_input.c:6494 +tcp_v6_do_rcv+0x98a/0xb70 net/ipv6/tcp_ipv6.c:1509 +tcp_v6_rcv+0x17b8/0x1b20 net/ipv6/tcp_ipv6.c:1735 +ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437 +ip6_input_finish net/ipv6/ip6_input.c:482 [inline] +NF_HOOK include/linux/netfilter.h:303 [inline] +ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491 +dst_input include/net/dst.h:468 [inline] +ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79 +NF_HOOK include/linux/netfilter.h:303 [inline] +ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309 +__netif_receive_skb_one_core net/core/dev.c:5452 [inline] +__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566 +netif_receive_skb_internal net/core/dev.c:5652 [inline] +netif_receive_skb+0x4a/0x310 net/core/dev.c:5711 +tun_rx_batched+0x3bf/0x400 +tun_get_user+0x1d24/0x22b0 drivers/net/tun.c:1997 +tun_chr_write_iter+0x18e/0x240 drivers/net/tun.c:2043 +call_write_iter include/linux/fs.h:1871 [inline] +new_sync_write fs/read_write.c:491 [inline] +vfs_write+0x4ab/0x7d0 fs/read_write.c:584 +ksys_write+0xeb/0x1a0 fs/read_write.c:637 +__do_sys_write fs/read_write.c:649 [inline] +__se_sys_write fs/read_write.c:646 [inline] +__x64_sys_write+0x42/0x50 fs/read_write.c:646 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x91d25731 -> 0xe79325cd + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 32078 Comm: syz-executor.4 Not tainted 
6.5.0-rc1-syzkaller-00033-geb26cbb1a754 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 + +Fixes: 58d607d3e52f ("tcp: provide skb->hash to synack packets") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230717144445.653164-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 3 ++- + net/ipv4/tcp_minisocks.c | 2 +- + net/ipv4/tcp_output.c | 4 ++-- + net/ipv6/tcp_ipv6.c | 2 +- + 4 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index ef740983a1222..e5df50b3e23a0 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -992,7 +992,8 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + 0, + tcp_md5_do_lookup(sk, l3index, addr, AF_INET), + inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, +- ip_hdr(skb)->tos, tcp_rsk(req)->txhash); ++ ip_hdr(skb)->tos, ++ READ_ONCE(tcp_rsk(req)->txhash)); + } + + /* +diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c +index 7f37e7da64671..f281eab7fd125 100644 +--- a/net/ipv4/tcp_minisocks.c ++++ b/net/ipv4/tcp_minisocks.c +@@ -510,7 +510,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk, + newicsk->icsk_ack.lrcvtime = tcp_jiffies32; + + newtp->lsndtime = tcp_jiffies32; +- newsk->sk_txhash = treq->txhash; ++ newsk->sk_txhash = READ_ONCE(treq->txhash); + newtp->total_retrans = req->num_retrans; + + tcp_init_xmit_timers(newsk); +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 925594dbeb929..693a29d3f43bd 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3581,7 +3581,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst, + rcu_read_lock(); + md5 = tcp_rsk(req)->af_specific->req_md5_lookup(sk, req_to_sk(req)); + #endif +- skb_set_hash(skb, tcp_rsk(req)->txhash, 
PKT_HASH_TYPE_L4); ++ skb_set_hash(skb, READ_ONCE(tcp_rsk(req)->txhash), PKT_HASH_TYPE_L4); + /* bpf program will be interested in the tcp_flags */ + TCP_SKB_CB(skb)->tcp_flags = TCPHDR_SYN | TCPHDR_ACK; + tcp_header_size = tcp_synack_options(sk, req, mss, skb, &opts, md5, +@@ -4124,7 +4124,7 @@ int tcp_rtx_synack(const struct sock *sk, struct request_sock *req) + + /* Paired with WRITE_ONCE() in sock_setsockopt() */ + if (READ_ONCE(sk->sk_txrehash) == SOCK_TXREHASH_ENABLED) +- tcp_rsk(req)->txhash = net_tx_rndhash(); ++ WRITE_ONCE(tcp_rsk(req)->txhash, net_tx_rndhash()); + res = af_ops->send_synack(sk, NULL, &fl, req, NULL, TCP_SYNACK_NORMAL, + NULL); + if (!res) { +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index 8d61efeab9c99..0dcb06a1fe044 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1133,7 +1133,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + req->ts_recent, sk->sk_bound_dev_if, + tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index), + ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority, +- tcp_rsk(req)->txhash); ++ READ_ONCE(tcp_rsk(req)->txhash)); + } + + +-- +2.39.2 + diff --git a/tmp-6.1/tcp-annotate-data-races-around-tp-keepalive_intvl.patch b/tmp-6.1/tcp-annotate-data-races-around-tp-keepalive_intvl.patch new file mode 100644 index 00000000000..5dfc88a4ed2 --- /dev/null +++ b/tmp-6.1/tcp-annotate-data-races-around-tp-keepalive_intvl.patch 
@@ -0,0 +1,68 @@ +From 078902bb3940caf45e1f58470e88e8184a16486d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:50 +0000 +Subject: tcp: annotate data-races around tp->keepalive_intvl + +From: Eric Dumazet + +[ Upstream commit 5ecf9d4f52ff2f1d4d44c9b68bc75688e82f13b4 ] + +do_tcp_getsockopt() reads tp->keepalive_intvl while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-5-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 9 +++++++-- + net/ipv4/tcp.c | 4 ++-- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 397c248102415..f39c44cbdfe62 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1511,9 +1511,14 @@ void tcp_leave_memory_pressure(struct sock *sk); + static inline int keepalive_intvl_when(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); ++ int val; ++ ++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepintvl() ++ * and do_tcp_setsockopt(). ++ */ ++ val = READ_ONCE(tp->keepalive_intvl); + +- return tp->keepalive_intvl ? : +- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl); ++ return val ? 
: READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl); + } + + static inline int keepalive_time_when(const struct tcp_sock *tp) +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index c0d7b226bca1a..d19cfeb78392d 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3451,7 +3451,7 @@ int tcp_sock_set_keepintvl(struct sock *sk, int val) + return -EINVAL; + + lock_sock(sk); +- tcp_sk(sk)->keepalive_intvl = val * HZ; ++ WRITE_ONCE(tcp_sk(sk)->keepalive_intvl, val * HZ); + release_sock(sk); + return 0; + } +@@ -3665,7 +3665,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (val < 1 || val > MAX_TCP_KEEPINTVL) + err = -EINVAL; + else +- tp->keepalive_intvl = val * HZ; ++ WRITE_ONCE(tp->keepalive_intvl, val * HZ); + break; + case TCP_KEEPCNT: + if (val < 1 || val > MAX_TCP_KEEPCNT) +-- +2.39.2 + diff --git a/tmp-6.1/tcp-annotate-data-races-around-tp-keepalive_probes.patch b/tmp-6.1/tcp-annotate-data-races-around-tp-keepalive_probes.patch new file mode 100644 index 00000000000..8df99735c91 --- /dev/null +++ b/tmp-6.1/tcp-annotate-data-races-around-tp-keepalive_probes.patch 
@@ -0,0 +1,69 @@ +From 8b50db4f550c9b4fa395cb961dd7c9ab6b4ac010 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:51 +0000 +Subject: tcp: annotate data-races around tp->keepalive_probes + +From: Eric Dumazet + +[ Upstream commit 6e5e1de616bf5f3df1769abc9292191dfad9110a ] + +do_tcp_getsockopt() reads tp->keepalive_probes while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-6-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 9 +++++++-- + net/ipv4/tcp.c | 5 +++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index f39c44cbdfe62..9733d8e4f10af 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1535,9 +1535,14 @@ static inline int keepalive_time_when(const struct tcp_sock *tp) + static inline int keepalive_probes(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); ++ int val; ++ ++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepcnt() ++ * and do_tcp_setsockopt(). ++ */ ++ val = READ_ONCE(tp->keepalive_probes); + +- return tp->keepalive_probes ? : +- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes); ++ return val ? 
: READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes); + } + + static inline u32 keepalive_time_elapsed(const struct tcp_sock *tp) +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index d19cfeb78392d..7d75928ea0f9c 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3463,7 +3463,8 @@ int tcp_sock_set_keepcnt(struct sock *sk, int val) + return -EINVAL; + + lock_sock(sk); +- tcp_sk(sk)->keepalive_probes = val; ++ /* Paired with READ_ONCE() in keepalive_probes() */ ++ WRITE_ONCE(tcp_sk(sk)->keepalive_probes, val); + release_sock(sk); + return 0; + } +@@ -3671,7 +3672,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (val < 1 || val > MAX_TCP_KEEPCNT) + err = -EINVAL; + else +- tp->keepalive_probes = val; ++ WRITE_ONCE(tp->keepalive_probes, val); + break; + case TCP_SYNCNT: + if (val < 1 || val > MAX_TCP_SYNCNT) +-- +2.39.2 + diff --git a/tmp-6.1/tcp-annotate-data-races-around-tp-keepalive_time.patch b/tmp-6.1/tcp-annotate-data-races-around-tp-keepalive_time.patch new file mode 100644 index 00000000000..5c5aa55e06b --- /dev/null +++ b/tmp-6.1/tcp-annotate-data-races-around-tp-keepalive_time.patch 
@@ -0,0 +1,58 @@ +From 9121aedbe1355d93c6f3ab514d0878a9099021f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:49 +0000 +Subject: tcp: annotate data-races around tp->keepalive_time + +From: Eric Dumazet + +[ Upstream commit 4164245c76ff906c9086758e1c3f87082a7f5ef5 ] + +do_tcp_getsockopt() reads tp->keepalive_time while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-4-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 7 +++++-- + net/ipv4/tcp.c | 3 ++- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 5eedd476a38d7..397c248102415 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1519,9 +1519,12 @@ static inline int keepalive_intvl_when(const struct tcp_sock *tp) + static inline int keepalive_time_when(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); ++ int val; + +- return tp->keepalive_time ? : +- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time); ++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepidle_locked() */ ++ val = READ_ONCE(tp->keepalive_time); ++ ++ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time); + } + + static inline int keepalive_probes(const struct tcp_sock *tp) +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 3edf7a1c5cbd2..c0d7b226bca1a 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3418,7 +3418,8 @@ int tcp_sock_set_keepidle_locked(struct sock *sk, int val) + if (val < 1 || val > MAX_TCP_KEEPIDLE) + return -EINVAL; + +- tp->keepalive_time = val * HZ; ++ /* Paired with WRITE_ONCE() in keepalive_time_when() */ ++ WRITE_ONCE(tp->keepalive_time, val * HZ); + if (sock_flag(sk, SOCK_KEEPOPEN) && + !((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) { + u32 elapsed = keepalive_time_elapsed(tp); +-- +2.39.2 + 
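Review bot: The comment added above the store in tcp_sock_set_keepidle_locked() names the wrong primitive: it says `Paired with WRITE_ONCE() in keepalive_time_when()`, but keepalive_time_when() in the include/net/tcp.h hunk uses `READ_ONCE(tp->keepalive_time)`. It should read `/* Paired with READ_ONCE() in keepalive_time_when() */`. The commit message names do_tcp_getsockopt() as the racing reader although no getsockopt hunk appears in this patch; presumably it reaches the field through keepalive_time_when(), which the comment could state. tcp_sock_set_keepidle_locked() continues outside the hunk.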
diff --git a/tmp-6.1/tcp-annotate-data-races-around-tp-linger2.patch b/tmp-6.1/tcp-annotate-data-races-around-tp-linger2.patch new file mode 100644 index 00000000000..4c9751d2f34 --- /dev/null +++ b/tmp-6.1/tcp-annotate-data-races-around-tp-linger2.patch @@ -0,0 +1,52 @@ +From 3d98c816d1920605a924d0ead6bf2be144e81749 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:53 +0000 +Subject: tcp: annotate data-races around tp->linger2 + +From: Eric Dumazet + +[ Upstream commit 9df5335ca974e688389c875546e5819778a80d59 ] + +do_tcp_getsockopt() reads tp->linger2 while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-8-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index ffa9717293358..363535b6ece83 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3691,11 +3691,11 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + + case TCP_LINGER2: + if (val < 0) +- tp->linger2 = -1; ++ WRITE_ONCE(tp->linger2, -1); + else if (val > TCP_FIN_TIMEOUT_MAX / HZ) +- tp->linger2 = TCP_FIN_TIMEOUT_MAX; ++ WRITE_ONCE(tp->linger2, TCP_FIN_TIMEOUT_MAX); + else +- tp->linger2 = val * HZ; ++ WRITE_ONCE(tp->linger2, val * HZ); + break; + + case TCP_DEFER_ACCEPT: +@@ -4099,7 +4099,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + READ_ONCE(net->ipv4.sysctl_tcp_syn_retries); + break; + case TCP_LINGER2: +- val = tp->linger2; ++ val = READ_ONCE(tp->linger2); + if (val >= 0) + val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; + break; +-- +2.39.2 + diff --git a/tmp-6.1/tcp-annotate-data-races-around-tp-notsent_lowat.patch b/tmp-6.1/tcp-annotate-data-races-around-tp-notsent_lowat.patch new file mode 100644 index 00000000000..76a913e6334 --- /dev/null 
+++ b/tmp-6.1/tcp-annotate-data-races-around-tp-notsent_lowat.patch 
@@ -0,0 +1,64 @@ +From e13aeaa389758176f64c75eeb7dd1bf6ebee1871 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:55 +0000 +Subject: tcp: annotate data-races around tp->notsent_lowat + +From: Eric Dumazet + +[ Upstream commit 1aeb87bc1440c5447a7fa2d6e3c2cca52cbd206b ] + +tp->notsent_lowat can be read locklessly from do_tcp_getsockopt() +and tcp_poll(). + +Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-10-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 6 +++++- + net/ipv4/tcp.c | 4 ++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 9733d8e4f10af..e9c8f88f47696 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -2059,7 +2059,11 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr); + static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); +- return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); ++ u32 val; ++ ++ val = READ_ONCE(tp->notsent_lowat); ++ ++ return val ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); + } + + bool tcp_stream_memory_free(const struct sock *sk, int wake); +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index bc3ad48f92389..6f3a494b965ae 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3770,7 +3770,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + err = tcp_repair_set_window(tp, optval, optlen); + break; + case TCP_NOTSENT_LOWAT: +- tp->notsent_lowat = val; ++ WRITE_ONCE(tp->notsent_lowat, val); + sk->sk_write_space(sk); + break; + case TCP_INQ: +@@ -4266,7 +4266,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + val = tcp_time_stamp_raw() + READ_ONCE(tp->tsoffset); + break; + case TCP_NOTSENT_LOWAT: +- val = tp->notsent_lowat; ++ val = 
READ_ONCE(tp->notsent_lowat); + break; + case TCP_INQ: + val = tp->recvmsg_inq; +-- +2.39.2 + diff --git a/tmp-6.1/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch b/tmp-6.1/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch new file mode 100644 index 00000000000..89755e23176 --- /dev/null +++ b/tmp-6.1/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch @@ -0,0 +1,46 @@ +From acc05127977764c50f101313e03fed5dd0b7728e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:47 +0000 +Subject: tcp: annotate data-races around tp->tcp_tx_delay + +From: Eric Dumazet + +[ Upstream commit 348b81b68b13ebd489a3e6a46aa1c384c731c919 ] + +do_tcp_getsockopt() reads tp->tcp_tx_delay while another cpu +might change its value. + +Fixes: a842fe1425cb ("tcp: add optional per socket transmit delay") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 0bd0be3c63d22..5e4bc80dc0ae5 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3780,7 +3780,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + case TCP_TX_DELAY: + if (val) + tcp_enable_tx_delay(); +- tp->tcp_tx_delay = val; ++ WRITE_ONCE(tp->tcp_tx_delay, val); + break; + default: + err = -ENOPROTOOPT; +@@ -4256,7 +4256,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + break; + + case TCP_TX_DELAY: +- val = tp->tcp_tx_delay; ++ val = READ_ONCE(tp->tcp_tx_delay); + break; + + case TCP_TIMESTAMP: +-- +2.39.2 + diff --git a/tmp-6.1/tcp-annotate-data-races-around-tp-tsoffset.patch b/tmp-6.1/tcp-annotate-data-races-around-tp-tsoffset.patch new file mode 100644 index 00000000000..b1de5b67a70 --- /dev/null +++ b/tmp-6.1/tcp-annotate-data-races-around-tp-tsoffset.patch 
@@ -0,0 +1,63 @@ +From 5cb5df7c5c218e8bc062747711555eb97a17ceb0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:48 +0000 +Subject: tcp: annotate data-races around tp->tsoffset + +From: Eric Dumazet + +[ Upstream commit dd23c9f1e8d5c1d2e3d29393412385ccb9c7a948 ] + +do_tcp_getsockopt() reads tp->tsoffset while another cpu +might change its value. + +Fixes: 93be6ce0e91b ("tcp: set and get per-socket timestamp") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 4 ++-- + net/ipv4/tcp_ipv4.c | 5 +++-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 5e4bc80dc0ae5..3edf7a1c5cbd2 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3762,7 +3762,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (!tp->repair) + err = -EPERM; + else +- tp->tsoffset = val - tcp_time_stamp_raw(); ++ WRITE_ONCE(tp->tsoffset, val - tcp_time_stamp_raw()); + break; + case TCP_REPAIR_WINDOW: + err = tcp_repair_set_window(tp, optval, optlen); +@@ -4260,7 +4260,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + break; + + case TCP_TIMESTAMP: +- val = tcp_time_stamp_raw() + tp->tsoffset; ++ val = tcp_time_stamp_raw() + READ_ONCE(tp->tsoffset); + break; + case TCP_NOTSENT_LOWAT: + val = tp->notsent_lowat; +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index d49a66b271d52..9a8d59e9303a0 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -307,8 +307,9 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + inet->inet_daddr, + inet->inet_sport, + usin->sin_port)); +- tp->tsoffset = secure_tcp_ts_off(net, inet->inet_saddr, +- inet->inet_daddr); ++ WRITE_ONCE(tp->tsoffset, ++ secure_tcp_ts_off(net, inet->inet_saddr, ++ inet->inet_daddr)); + } + + inet->inet_id = get_random_u16(); +-- +2.39.2 + 
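Review bot: The store in tcp_v4_connect() is annotated, but the diffstat lists only net/ipv4/tcp.c and net/ipv4/tcp_ipv4.c, so any IPv6 counterpart is left as a plain store. If tcp_v6_connect() in net/ipv6/tcp_ipv6.c assigns `tp->tsoffset` the same way (not visible on this page), it would presumably need the matching `WRITE_ONCE(tp->tsoffset, ...)` for the lockless read in the TCP_TIMESTAMP case of do_tcp_getsockopt() to be fully covered. tcp_v4_connect() and both sockopt functions start and end outside the hunks.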
diff --git a/tmp-6.1/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch b/tmp-6.1/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch new file mode 100644 index 00000000000..59cc678e6f6 --- /dev/null +++ b/tmp-6.1/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch @@ -0,0 +1,38 @@ +From 4b8b3905165ef98386a3c06f196c85d21292d029 Mon Sep 17 00:00:00 2001 +From: Mohamed Khalfella +Date: Fri, 14 Jul 2023 20:33:41 +0000 +Subject: tracing/histograms: Return an error if we fail to add histogram to hist_vars list + +From: Mohamed Khalfella + +commit 4b8b3905165ef98386a3c06f196c85d21292d029 upstream. + +Commit 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if +they have referenced variables") added a check to fail histogram creation +if save_hist_vars() failed to add histogram to hist_vars list. But the +commit failed to set ret to failed return code before jumping to +unregister histogram, fix it. + +Link: https://lore.kernel.org/linux-trace-kernel/20230714203341.51396-1-mkhalfella@purestorage.com + +Cc: stable@vger.kernel.org +Fixes: 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if they have referenced variables") +Signed-off-by: Mohamed Khalfella +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_hist.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -6560,7 +6560,8 @@ static int event_hist_trigger_parse(stru + goto out_unreg; + + if (has_hist_vars(hist_data) || hist_data->n_var_refs) { +- if (save_hist_vars(hist_data)) ++ ret = save_hist_vars(hist_data); ++ if (ret) + goto out_unreg; + } + 
diff --git a/tmp-6.1/udf-fix-uninitialized-array-access-for-some-pathname.patch b/tmp-6.1/udf-fix-uninitialized-array-access-for-some-pathname.patch new file mode 100644 index 00000000000..c51ebdbd8e4 --- /dev/null +++ b/tmp-6.1/udf-fix-uninitialized-array-access-for-some-pathname.patch @@ -0,0 +1,41 @@ +From 3af33ea1ad72a1fc6ed5074f0ce9e16cc52c818e Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 21 Jun 2023 11:32:35 +0200 +Subject: [PATCH AUTOSEL 4.19 07/11] udf: Fix uninitialized array access for + some pathnames +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 4.19.288 + +[ Upstream commit 028f6055c912588e6f72722d89c30b401bbcf013 ] + +For filenames that begin with . and are between 2 and 5 characters long, +UDF charset conversion code would read uninitialized memory in the +output buffer. The only practical impact is that the name may be prepended a +"unification hash" when it is not actually needed but still it is good +to fix this. + +Reported-by: syzbot+cd311b1e43cc25f90d18@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/000000000000e2638a05fe9dc8f9@google.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/unicode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c +index 5fcfa96463ebb..85521d6b02370 100644 +--- a/fs/udf/unicode.c ++++ b/fs/udf/unicode.c +@@ -247,7 +247,7 @@ static int udf_name_from_CS0(struct super_block *sb, + } + + if (translate) { +- if (str_o_len <= 2 && str_o[0] == '.' && ++ if (str_o_len > 0 && str_o_len <= 2 && str_o[0] == '.' && + (str_o_len == 1 || str_o[1] == '.')) + needsCRC = 1; + if (needsCRC) { +-- +2.39.2 + diff --git a/tmp-6.1/wifi-ath11k-add-support-default-regdb-while-searchin.patch b/tmp-6.1/wifi-ath11k-add-support-default-regdb-while-searchin.patch new file mode 100644 index 00000000000..0a2b80985d3 --- /dev/null +++ b/tmp-6.1/wifi-ath11k-add-support-default-regdb-while-searchin.patch 
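Review bot: The new `str_o_len > 0` guard in udf_name_from_CS0() has no comment, and the condition does not obviously follow from the commit message, which talks about names beginning with '.' that are 2 to 5 characters long. What the guard visibly does is stop `str_o[0]` from being read when `str_o_len` is zero; a one-line comment such as `/* str_o[0] is only valid once at least one character was converted */` would record that. The patch header also says `[PATCH AUTOSEL 4.19 07/11]` and `X-stable-base: Linux 4.19.288` although the file is queued under tmp-6.1/, so it is worth checking that the hunk applies to the 6.1 tree as intended. udf_name_from_CS0() starts and ends outside the hunk.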
@@ -0,0 +1,137 @@
+From 1c0a043a5b5d55b841bdb8e72a4e7dbded64e33b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 May 2023 12:41:06 +0300
+Subject: wifi: ath11k: add support default regdb while searching board-2.bin
+ for WCN6855
+
+From: Wen Gong
+
+[ Upstream commit 88ca89202f8e8afb5225eb5244d79cd67c15d744 ]
+
+Sometimes board-2.bin does not have the regdb data which matched the
+parameters such as vendor, device, subsystem-vendor, subsystem-device
+and etc. Add default regdb data with 'bus=%s' into board-2.bin for
+WCN6855, then ath11k use 'bus=pci' to search regdb data in board-2.bin
+for WCN6855.
+
+kernel: [ 122.515808] ath11k_pci 0000:03:00.0: boot using board name 'bus=pci,vendor=17cb,device=1103,subsystem-vendor=17cb,subsystem-device=3374,qmi-chip-id=2,qmi-board-id=262'
+kernel: [ 122.517240] ath11k_pci 0000:03:00.0: boot firmware request ath11k/WCN6855/hw2.0/board-2.bin size 6179564
+kernel: [ 122.517280] ath11k_pci 0000:03:00.0: failed to fetch regdb data for bus=pci,vendor=17cb,device=1103,subsystem-vendor=17cb,subsystem-device=3374,qmi-chip-id=2,qmi-board-id=262 from ath11k/WCN6855/hw2.0/board-2.bin
+kernel: [ 122.517464] ath11k_pci 0000:03:00.0: boot using board name 'bus=pci'
+kernel: [ 122.518901] ath11k_pci 0000:03:00.0: boot firmware request ath11k/WCN6855/hw2.0/board-2.bin size 6179564
+kernel: [ 122.518915] ath11k_pci 0000:03:00.0: board name
+kernel: [ 122.518917] ath11k_pci 0000:03:00.0: 00000000: 62 75 73 3d 70 63 69 bus=pci
+kernel: [ 122.518918] ath11k_pci 0000:03:00.0: boot found match regdb data for name 'bus=pci'
+kernel: [ 122.518920] ath11k_pci 0000:03:00.0: boot found regdb data for 'bus=pci'
+kernel: [ 122.518921] ath11k_pci 0000:03:00.0: fetched regdb
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
+
+Signed-off-by: Wen Gong
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230517133959.8224-1-quic_wgong@quicinc.com
+Signed-off-by: Sasha Levin
+---
+
drivers/net/wireless/ath/ath11k/core.c | 53 +++++++++++++++++++-------
+ 1 file changed, 40 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
+index b99180bc81723..893fefadbba96 100644
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -870,7 +870,8 @@ int ath11k_core_check_dt(struct ath11k_base *ab)
+ }
+
+ static int __ath11k_core_create_board_name(struct ath11k_base *ab, char *name,
+- size_t name_len, bool with_variant)
++ size_t name_len, bool with_variant,
++ bool bus_type_mode)
+ {
+ /* strlen(',variant=') + strlen(ab->qmi.target.bdf_ext) */
+ char variant[9 + ATH11K_QMI_BDF_EXT_STR_LENGTH] = { 0 };
+@@ -881,15 +882,20 @@ static int __ath11k_core_create_board_name(struct ath11k_base *ab, char *name,
+
+ switch (ab->id.bdf_search) {
+ case ATH11K_BDF_SEARCH_BUS_AND_BOARD:
+- scnprintf(name, name_len,
+- "bus=%s,vendor=%04x,device=%04x,subsystem-vendor=%04x,subsystem-device=%04x,qmi-chip-id=%d,qmi-board-id=%d%s",
+- ath11k_bus_str(ab->hif.bus),
+- ab->id.vendor, ab->id.device,
+- ab->id.subsystem_vendor,
+- ab->id.subsystem_device,
+- ab->qmi.target.chip_id,
+- ab->qmi.target.board_id,
+- variant);
++ if (bus_type_mode)
++ scnprintf(name, name_len,
++ "bus=%s",
++ ath11k_bus_str(ab->hif.bus));
++ else
++ scnprintf(name, name_len,
++ "bus=%s,vendor=%04x,device=%04x,subsystem-vendor=%04x,subsystem-device=%04x,qmi-chip-id=%d,qmi-board-id=%d%s",
++ ath11k_bus_str(ab->hif.bus),
++ ab->id.vendor, ab->id.device,
++ ab->id.subsystem_vendor,
++ ab->id.subsystem_device,
++ ab->qmi.target.chip_id,
++ ab->qmi.target.board_id,
++ variant);
+ break;
+ default:
+ scnprintf(name, name_len,
+@@ -908,13 +914,19 @@ static int __ath11k_core_create_board_name(struct ath11k_base *ab, char *name,
+ static int ath11k_core_create_board_name(struct ath11k_base *ab, char *name,
+ size_t name_len)
+ {
+- return __ath11k_core_create_board_name(ab, name, name_len,
true);
++ return __ath11k_core_create_board_name(ab, name, name_len, true, false);
+ }
+
+ static int ath11k_core_create_fallback_board_name(struct ath11k_base *ab, char *name,
+ size_t name_len)
+ {
+- return __ath11k_core_create_board_name(ab, name, name_len, false);
++ return __ath11k_core_create_board_name(ab, name, name_len, false, false);
++}
++
++static int ath11k_core_create_bus_type_board_name(struct ath11k_base *ab, char *name,
++ size_t name_len)
++{
++ return __ath11k_core_create_board_name(ab, name, name_len, false, true);
+ }
+
+ const struct firmware *ath11k_core_firmware_request(struct ath11k_base *ab,
+@@ -1218,7 +1230,7 @@ int ath11k_core_fetch_bdf(struct ath11k_base *ab, struct ath11k_board_data *bd)
+
+ int ath11k_core_fetch_regdb(struct ath11k_base *ab, struct ath11k_board_data *bd)
+ {
+- char boardname[BOARD_NAME_SIZE];
++ char boardname[BOARD_NAME_SIZE], default_boardname[BOARD_NAME_SIZE];
+ int ret;
+
+ ret = ath11k_core_create_board_name(ab, boardname, BOARD_NAME_SIZE);
+@@ -1235,6 +1247,21 @@ int ath11k_core_fetch_regdb(struct ath11k_base *ab, struct ath11k_board_data *bd
+ if (!ret)
+ goto exit;
+
++ ret = ath11k_core_create_bus_type_board_name(ab, default_boardname,
++ BOARD_NAME_SIZE);
++ if (ret) {
++ ath11k_dbg(ab, ATH11K_DBG_BOOT,
++ "failed to create default board name for regdb: %d", ret);
++ goto exit;
++ }
++
++ ret = ath11k_core_fetch_board_data_api_n(ab, bd, default_boardname,
++ ATH11K_BD_IE_REGDB,
++ ATH11K_BD_IE_REGDB_NAME,
++ ATH11K_BD_IE_REGDB_DATA);
++ if (!ret)
++ goto exit;
++
+ ret = ath11k_core_fetch_board_data_api_1(ab, bd, ATH11K_REGDB_FILE_NAME);
+ if (ret)
+ ath11k_dbg(ab, ATH11K_DBG_BOOT, "failed to fetch %s from %s\n",
+--
+2.39.2
+
diff --git a/tmp-6.1/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch b/tmp-6.1/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch
new file mode 100644
index 00000000000..94851f54743
--- /dev/null
+++ b/tmp-6.1/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch
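Review bot: The new `bus_type_mode` argument is honoured only in the `ATH11K_BDF_SEARCH_BUS_AND_BOARD` case of `__ath11k_core_create_board_name()`; the `default:` arm is unchanged context, so for other search modes ath11k_core_create_bus_type_board_name() presumably returns that arm's chip/board string rather than a bare `bus=%s`, and the extra lookup added to ath11k_core_fetch_regdb() does not do what the helper's name says. Either handle the flag before the `switch` or add a comment such as `/* bus_type_mode only applies to BUS_AND_BOARD searches */`. The added debug string `"failed to create default board name for regdb: %d"` also lacks the trailing `\n` that the `"failed to fetch %s from %s\n"` message just below carries. The `default:` format string and the rest of both functions lie outside the hunks.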
@@ -0,0 +1,63 @@
+From d4bcf71d3c456ca0656ec111454eda83581a3d2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 14:41:28 +0530
+Subject: wifi: ath11k: fix memory leak in WMI firmware stats
+
+From: P Praneesh
+
+[ Upstream commit 6aafa1c2d3e3fea2ebe84c018003f2a91722e607 ]
+
+Memory allocated for firmware pdev, vdev and beacon statistics
+are not released during rmmod.
+
+Fix it by calling ath11k_fw_stats_free() function before hardware
+unregister.
+
+While at it, avoid calling ath11k_fw_stats_free() while processing
+the firmware stats received in the WMI event because the local list
+is getting spliced and reinitialised and hence there are no elements
+in the list after splicing.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
+
+Signed-off-by: P Praneesh
+Signed-off-by: Aditya Kumar Singh
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230606091128.14202-1-quic_adisi@quicinc.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 1 +
+ drivers/net/wireless/ath/ath11k/wmi.c | 5 +++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index b19d44b3f5dfb..cb77dd6ce9665 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -9279,6 +9279,7 @@ void ath11k_mac_destroy(struct ath11k_base *ab)
+ if (!ar)
+ continue;
+
++ ath11k_fw_stats_free(&ar->fw_stats);
+ ieee80211_free_hw(ar->hw);
+ pdev->ar = NULL;
+ }
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index fad9f8d308a20..3e0a47f4a3ebd 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -7590,6 +7590,11 @@ static void ath11k_update_stats_event(struct ath11k_base *ab, struct sk_buff *sk
+ rcu_read_unlock();
+ spin_unlock_bh(&ar->data_lock);
+
++ /* Since the stats's pdev, vdev and beacon list are spliced and
reinitialised
++ * at this point, no need to free the individual list.
++ */
++ return;
++
+ free:
+ ath11k_fw_stats_free(&stats);
+ }
+--
+2.39.2
+
diff --git a/tmp-6.1/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch b/tmp-6.1/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch
new file mode 100644
index 00000000000..38a06246e6d
--- /dev/null
+++ b/tmp-6.1/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch
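Review bot: In the mac.c hunk `ath11k_fw_stats_free(&ar->fw_stats)` is called without `ar->data_lock`, while the wmi.c hunk shows ath11k_update_stats_event() releasing that same lock with `spin_unlock_bh(&ar->data_lock)` just before the new comment, presumably around the splice into `ar->fw_stats`. If no stats event can still be delivered when ath11k_mac_destroy() runs, say so in a comment next to the call, for example `/* WMI is already stopped, nothing can touch fw_stats here */`; otherwise the free should take the lock. The new early `return` in wmi.c also depends on every list in the local `stats` having been spliced on each path that reaches it, which the hunk does not show. Both function bodies extend outside the hunks.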
@@ -0,0 +1,71 @@
+From 885bcbfa0c9659fa068668223c2f45c63640b4c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 Apr 2023 16:54:45 +0200
+Subject: wifi: ath11k: fix registration of 6Ghz-only phy without the full
+ channel range
+
+From: Maxime Bizon
+
+[ Upstream commit e2ceb1de2f83aafd8003f0b72dfd4b7441e97d14 ]
+
+Because of what seems to be a typo, a 6Ghz-only phy for which the BDF
+does not allow the 7115Mhz channel will fail to register:
+
+ WARNING: CPU: 2 PID: 106 at net/wireless/core.c:907 wiphy_register+0x914/0x954
+ Modules linked in: ath11k_pci sbsa_gwdt
+ CPU: 2 PID: 106 Comm: kworker/u8:5 Not tainted 6.3.0-rc7-next-20230418-00549-g1e096a17625a-dirty #9
+ Hardware name: Freebox V7R Board (DT)
+ Workqueue: ath11k_qmi_driver_event ath11k_qmi_driver_event_work
+ pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : wiphy_register+0x914/0x954
+ lr : ieee80211_register_hw+0x67c/0xc10
+ sp : ffffff800b123aa0
+ x29: ffffff800b123aa0 x28: 0000000000000000 x27: 0000000000000000
+ x26: 0000000000000000 x25: 0000000000000006 x24: ffffffc008d51418
+ x23: ffffffc008cb0838 x22: ffffff80176c2460 x21: 0000000000000168
+ x20: ffffff80176c0000 x19: ffffff80176c03e0 x18: 0000000000000014
+ x17: 00000000cbef338c x16: 00000000d2a26f21 x15: 00000000ad6bb85f
+ x14: 0000000000000020 x13: 0000000000000020 x12: 00000000ffffffbd
+ x11: 0000000000000208 x10: 00000000fffffdf7 x9 : ffffffc009394718
+ x8 : ffffff80176c0528 x7 : 000000007fffffff x6 : 0000000000000006
+ x5 : 0000000000000005 x4 : ffffff800b304284 x3 : ffffff800b304284
+ x2 : ffffff800b304d98 x1 : 0000000000000000 x0 : 0000000000000000
+ Call trace:
+ wiphy_register+0x914/0x954
+ ieee80211_register_hw+0x67c/0xc10
+ ath11k_mac_register+0x7c4/0xe10
+ ath11k_core_qmi_firmware_ready+0x1f4/0x570
+ ath11k_qmi_driver_event_work+0x198/0x590
+ process_one_work+0x1b8/0x328
+ worker_thread+0x6c/0x414
+ kthread+0x100/0x104
+ ret_from_fork+0x10/0x20
+ ---[ end trace 0000000000000000 ]---
+ ath11k_pci
0002:01:00.0: ieee80211 registration failed: -22
+ ath11k_pci 0002:01:00.0: failed register the radio with mac80211: -22
+ ath11k_pci 0002:01:00.0: failed to create pdev core: -22
+
+Signed-off-by: Maxime Bizon
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230421145445.2612280-1-mbizon@freebox.fr
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index ef7617802491e..b19d44b3f5dfb 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -8715,7 +8715,7 @@ static int ath11k_mac_setup_channels_rates(struct ath11k *ar,
+ }
+
+ if (supported_bands & WMI_HOST_WLAN_5G_CAP) {
+- if (reg_cap->high_5ghz_chan >= ATH11K_MAX_6G_FREQ) {
++ if (reg_cap->high_5ghz_chan >= ATH11K_MIN_6G_FREQ) {
+ channels = kmemdup(ath11k_6ghz_channels,
+ sizeof(ath11k_6ghz_channels), GFP_KERNEL);
+ if (!channels) {
+--
+2.39.2
+
diff --git a/tmp-6.1/wifi-iwlwifi-add-support-for-new-pci-id.patch b/tmp-6.1/wifi-iwlwifi-add-support-for-new-pci-id.patch
new file mode 100644
index 00000000000..f23938ad5d1
--- /dev/null
+++ b/tmp-6.1/wifi-iwlwifi-add-support-for-new-pci-id.patch
@@ -0,0 +1,43 @@
+From 1a37162f09f199864048ac62ae05cc6310aef58f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jun 2023 13:03:59 +0300
+Subject: wifi: iwlwifi: Add support for new PCI Id
+
+From: Mukesh Sisodiya
+
+[ Upstream commit 35bd6f1d043d089fcb60450e1287cc65f0095787 ]
+
+Add support for the PCI Id 51F1 without IMR support.
+
+Signed-off-by: Mukesh Sisodiya
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20230620125813.9800e652e789.Ic06a085832ac3f988c8ef07d856c8e281563295d@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+index f6872b2a0d9d0..d5bd869086458 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -495,6 +495,7 @@ static const struct pci_device_id iwl_hw_card_ids[] = {
+ {IWL_PCI_DEVICE(0x7AF0, PCI_ANY_ID, iwl_so_trans_cfg)},
+ {IWL_PCI_DEVICE(0x51F0, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)},
+ {IWL_PCI_DEVICE(0x51F1, PCI_ANY_ID, iwl_so_long_latency_imr_trans_cfg)},
++ {IWL_PCI_DEVICE(0x51F1, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)},
+ {IWL_PCI_DEVICE(0x54F0, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)},
+ {IWL_PCI_DEVICE(0x7F70, PCI_ANY_ID, iwl_so_trans_cfg)},
+
+@@ -543,6 +544,7 @@ static const struct iwl_dev_info iwl_dev_info_table[] = {
+ IWL_DEV_INFO(0x51F0, 0x1551, iwl9560_2ac_cfg_soc, iwl9560_killer_1550i_160_name),
+ IWL_DEV_INFO(0x51F0, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name),
+ IWL_DEV_INFO(0x51F0, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name),
++ IWL_DEV_INFO(0x51F1, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name),
+ IWL_DEV_INFO(0x54F0, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name),
+ IWL_DEV_INFO(0x54F0, 0x1692, iwlax411_2ax_cfg_so_gf4_a0,
iwl_ax411_killer_1690i_name),
+ IWL_DEV_INFO(0x7A70, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name),
+--
+2.39.2
+
diff --git a/tmp-6.1/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch b/tmp-6.1/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch
new file mode 100644
index 00000000000..bbc97894d10
--- /dev/null
+++ b/tmp-6.1/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch
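Review bot: The added `{IWL_PCI_DEVICE(0x51F1, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)}` row in iwl_hw_card_ids[] sits directly below an existing row with the same device id and the same `PCI_ANY_ID` subdevice (`iwl_so_long_latency_imr_trans_cfg`). If this table is matched first-hit, as PCI id tables normally are, the new row can never be selected and the "without IMR" configuration named in the description is never applied. Please confirm how the two 0x51F1 variants are meant to be distinguished, and either narrow one of the rows to a subdevice or add a comment explaining why both are listed. Both tables continue outside the hunks.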
@@ -0,0 +1,47 @@
+From dd01d6d149a5c58b8f2f7d9e9211ce28c8befd64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jun 2023 13:04:02 +0300
+Subject: wifi: iwlwifi: mvm: avoid baid size integer overflow
+
+From: Johannes Berg
+
+[ Upstream commit 1a528ab1da324d078ec60283c34c17848580df24 ]
+
+Roee reported various hard-to-debug crashes with pings in
+EHT aggregation scenarios. Enabling KASAN showed that we
+access the BAID allocation out of bounds, and looking at
+the code a bit shows that since the reorder buffer entry
+(struct iwl_mvm_reorder_buf_entry) is 128 bytes if debug
+such as lockdep is enabled, then staring from an agg size
+512 we overflow the size calculation, and allocate a much
+smaller structure than we should, causing slab corruption
+once we initialize this.
+
+Fix this by simply using u32 instead of u16.
+
+Reported-by: Roee Goldfiner
+Signed-off-by: Johannes Berg
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20230620125813.f428c856030d.I2c2bb808e945adb71bc15f5b2bac2d8957ea90eb@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+index 013aca70c3d3b..6b52afcf02721 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -2738,7 +2738,7 @@ int iwl_mvm_sta_rx_agg(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
+ }
+
+ if (iwl_mvm_has_new_rx_api(mvm) && start) {
+- u16 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]);
++ u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]);
+
+ /* sparse doesn't like the __align() so don't check */
+ #ifndef __CHECKER__
+--
+2.39.2
+
diff --git a/tmp-6.1/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch b/tmp-6.1/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch
new file mode 100644
index 00000000000..5b4e16636a3
--- /dev/null
+++ b/tmp-6.1/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch
@@ -0,0 +1,38 @@
+From 80c181a4bc2b86eb00ab6e09dcbcdda26aa6fc13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Jun 2023 13:12:20 +0300
+Subject: wifi: iwlwifi: pcie: add device id 51F1 for killer 1675
+
+From: Yi Kuo
+
+[ Upstream commit f4daceae4087bbb3e9a56044b44601d520d009d2 ]
+
+Intel Killer AX1675i/s with device id 51f1 would show
+"No config found for PCI dev 51f1/1672" in dmesg and refuse to work.
+Add the new device id 51F1 for 1675i/s to fix the issue.
+
+Signed-off-by: Yi Kuo
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20230621130444.ee224675380b.I921c905e21e8d041ad808def8f454f27b5ebcd8b@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+index d5bd869086458..4d4db5f6836be 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+@@ -683,6 +683,8 @@ static const struct iwl_dev_info iwl_dev_info_table[] = {
+ IWL_DEV_INFO(0x2726, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name),
+ IWL_DEV_INFO(0x51F0, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name),
+ IWL_DEV_INFO(0x51F0, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name),
++ IWL_DEV_INFO(0x51F1, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name),
++ IWL_DEV_INFO(0x51F1, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name),
+ IWL_DEV_INFO(0x54F0, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name),
+ IWL_DEV_INFO(0x54F0, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name),
+ IWL_DEV_INFO(0x7A70, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name),
+--
+2.39.2
+
diff --git a/tmp-6.1/wifi-mac80211_hwsim-fix-possible-null-dereference.patch b/tmp-6.1/wifi-mac80211_hwsim-fix-possible-null-dereference.patch
new file mode 100644
index 00000000000..3a94dfeda97
--- /dev/null
+++ b/tmp-6.1/wifi-mac80211_hwsim-fix-possible-null-dereference.patch
@@ -0,0 +1,46 @@
+From a7163d690f5af8b426d97da0807e07b334cb5bdb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 4 Jun 2023 12:11:27 +0300
+Subject: wifi: mac80211_hwsim: Fix possible NULL dereference
+
+From: Ilan Peer
+
+[ Upstream commit 0cc80943ef518a1c51a1111e9346d1daf11dd545 ]
+
+In a call to mac80211_hwsim_select_tx_link() the sta pointer might
+be NULL, thus need to check that it is not NULL before accessing it.
+
+Signed-off-by: Ilan Peer
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20230604120651.f4d889fc98c4.Iae85f527ed245a37637a874bb8b8c83d79812512@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/mac80211_hwsim.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index 0d81098c7b45c..da5c355405f68 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -4,7 +4,7 @@
+ * Copyright (c) 2008, Jouni Malinen
+ * Copyright (c) 2011, Javier Lopez
+ * Copyright (c) 2016 - 2017 Intel Deutschland GmbH
+- * Copyright (C) 2018 - 2022 Intel Corporation
++ * Copyright (C) 2018 - 2023 Intel Corporation
+ */
+
+ /*
+@@ -1753,7 +1753,7 @@ mac80211_hwsim_select_tx_link(struct mac80211_hwsim_data *data,
+
+ WARN_ON(is_multicast_ether_addr(hdr->addr1));
+
+- if (WARN_ON_ONCE(!sta->valid_links))
++ if (WARN_ON_ONCE(!sta || !sta->valid_links))
+ return &vif->bss_conf;
+
+ for (i = 0; i < ARRAY_SIZE(vif->link_conf); i++) {
+--
+2.39.2
+
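Review bot: Folding the NULL test into `WARN_ON_ONCE(!sta || !sta->valid_links)` in mac80211_hwsim_select_tx_link() makes a NULL `sta` raise a kernel warning, while the description says the pointer "might be NULL" on this path. If a NULL `sta` is an expected input rather than a caller bug, the warning is log noise and is fatal on systems running with panic_on_warn; `if (!sta || WARN_ON_ONCE(!sta->valid_links))` keeps the fallback to `&vif->bss_conf` without the splat. If NULL is genuinely unexpected, a short comment saying which caller invariant is being asserted would settle it. The function body continues outside the hunk.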
diff --git a/tmp-6.1/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch b/tmp-6.1/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch
new file mode 100644
index 00000000000..2ed2e2602ab
--- /dev/null
+++ b/tmp-6.1/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch
@@ -0,0 +1,71 @@
+From 683ebdf526ff6b7d1a58030e79ed32ee6779a0ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jun 2023 12:04:07 -0600
+Subject: wifi: wext-core: Fix -Wstringop-overflow warning in
+ ioctl_standard_iw_point()
+
+From: Gustavo A. R. Silva
+
+[ Upstream commit 71e7552c90db2a2767f5c17c7ec72296b0d92061 ]
+
+-Wstringop-overflow is legitimately warning us about extra_size
+pontentially being zero at some point, hence potenially ending
+up _allocating_ zero bytes of memory for extra pointer and then
+trying to access such object in a call to copy_from_user().
+
+Fix this by adding a sanity check to ensure we never end up
+trying to allocate zero bytes of data for extra pointer, before
+continue executing the rest of the code in the function.
+
+Address the following -Wstringop-overflow warning seen when built
+m68k architecture with allyesconfig configuration:
+ from net/wireless/wext-core.c:11:
+In function '_copy_from_user',
+ inlined from 'copy_from_user' at include/linux/uaccess.h:183:7,
+ inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7:
+arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
+ 48 | #define memset(d, c, n) __builtin_memset(d, c, n)
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~
+include/linux/uaccess.h:153:17: note: in expansion of macro 'memset'
+ 153 | memset(to + (n - res), 0, res);
+ | ^~~~~~
+In function 'kmalloc',
+ inlined from 'kzalloc' at include/linux/slab.h:694:9,
+ inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10:
+include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc'
+ 577 | return __kmalloc(size, flags);
+ | ^~~~~~~~~~~~~~~~~~~~~~
+
+This help with the ongoing efforts to globally enable
+-Wstringop-overflow.
+
+Link: https://github.com/KSPP/linux/issues/315
+Signed-off-by: Gustavo A. R.
Silva
+Reviewed-by: Simon Horman
+Link: https://lore.kernel.org/r/ZItSlzvIpjdjNfd8@work
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/wireless/wext-core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
+index fe8765c4075d3..8a4b85f96a13a 100644
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -799,6 +799,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd,
+ }
+ }
+
++ /* Sanity-check to ensure we never end up _allocating_ zero
++ * bytes of data for extra.
++ */
++ if (extra_size <= 0)
++ return -EFAULT;
++
+ /* kzalloc() ensures NULL-termination for essid_compat. */
+ extra = kzalloc(extra_size, GFP_KERNEL);
+ if (!extra)
+--
+2.39.2
+
diff --git a/tmp-6.1/x86-cpu-amd-add-a-zenbleed-fix.patch b/tmp-6.1/x86-cpu-amd-add-a-zenbleed-fix.patch
new file mode 100644
index 00000000000..ed032cd09c6
--- /dev/null
+++ b/tmp-6.1/x86-cpu-amd-add-a-zenbleed-fix.patch
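Review bot: The added guard `if (extra_size <= 0) return -EFAULT;` in ioctl_standard_iw_point() changes what user space sees for a zero-length request, because before this change `kzalloc(0, ...)` returned a non-NULL zero-size pointer and the function carried on. Whether any standard wireless-extension ioctl legitimately reaches this point with `extra_size == 0` is not visible in the hunk; if one does, it now fails, so the comment should name the cases that are being rejected rather than only restating the check. `-EFAULT` also reads as a bad user address where the problem is a bad size, which is worth a sentence of justification since the errno is visible to callers. The function body starts and ends outside the hunk.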
@@ -0,0 +1,161 @@ +From b2d362e150f1a48e95b4224e6ad860948f48c158 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Sat, 15 Jul 2023 13:41:28 +0200 +Subject: x86/cpu/amd: Add a Zenbleed fix + +From: "Borislav Petkov (AMD)" + +Upstream commit: 522b1d69219d8f083173819fde04f994aa051a98 + +Add a fix for the Zen2 VZEROUPPER data corruption bug where under +certain circumstances executing VZEROUPPER can cause register +corruption or leak data. + +The optimal fix is through microcode but in the case the proper +microcode revision has not been applied, enable a fallback fix using +a chicken bit. + +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/microcode.h | 1 + arch/x86/include/asm/microcode_amd.h | 2 + + arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/amd.c | 60 +++++++++++++++++++++++++++++++++++ + arch/x86/kernel/cpu/common.c | 2 + + 5 files changed, 66 insertions(+) + +--- a/arch/x86/include/asm/microcode.h ++++ b/arch/x86/include/asm/microcode.h +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + + struct ucode_patch { + struct list_head plist; +--- a/arch/x86/include/asm/microcode_amd.h ++++ b/arch/x86/include/asm/microcode_amd.h +@@ -48,11 +48,13 @@ extern void __init load_ucode_amd_bsp(un + extern void load_ucode_amd_ap(unsigned int family); + extern int __init save_microcode_in_initrd_amd(unsigned int family); + void reload_ucode_amd(unsigned int cpu); ++extern void amd_check_microcode(void); + #else + static inline void __init load_ucode_amd_bsp(unsigned int family) {} + static inline void load_ucode_amd_ap(unsigned int family) {} + static inline int __init + save_microcode_in_initrd_amd(unsigned int family) { return -EINVAL; } + static inline void reload_ucode_amd(unsigned int cpu) {} ++static inline void amd_check_microcode(void) {} + #endif + #endif /* _ASM_X86_MICROCODE_AMD_H */ +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -543,6 
+543,7 @@ + #define MSR_AMD64_DE_CFG 0xc0011029 + #define MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT 1 + #define MSR_AMD64_DE_CFG_LFENCE_SERIALIZE BIT_ULL(MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT) ++#define MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT 9 + + #define MSR_AMD64_BU_CFG2 0xc001102a + #define MSR_AMD64_IBSFETCHCTL 0xc0011030 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -70,6 +70,11 @@ static const int amd_erratum_383[] = + static const int amd_erratum_1054[] = + AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); + ++static const int amd_zenbleed[] = ++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0x30, 0x0, 0x4f, 0xf), ++ AMD_MODEL_RANGE(0x17, 0x60, 0x0, 0x7f, 0xf), ++ AMD_MODEL_RANGE(0x17, 0xa0, 0x0, 0xaf, 0xf)); ++ + static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) + { + int osvw_id = *erratum++; +@@ -978,6 +983,47 @@ static void init_amd_zn(struct cpuinfo_x + } + } + ++static bool cpu_has_zenbleed_microcode(void) ++{ ++ u32 good_rev = 0; ++ ++ switch (boot_cpu_data.x86_model) { ++ case 0x30 ... 0x3f: good_rev = 0x0830107a; break; ++ case 0x60 ... 0x67: good_rev = 0x0860010b; break; ++ case 0x68 ... 0x6f: good_rev = 0x08608105; break; ++ case 0x70 ... 0x7f: good_rev = 0x08701032; break; ++ case 0xa0 ... 
0xaf: good_rev = 0x08a00008; break; ++ ++ default: ++ return false; ++ break; ++ } ++ ++ if (boot_cpu_data.microcode < good_rev) ++ return false; ++ ++ return true; ++} ++ ++static void zenbleed_check(struct cpuinfo_x86 *c) ++{ ++ if (!cpu_has_amd_erratum(c, amd_zenbleed)) ++ return; ++ ++ if (cpu_has(c, X86_FEATURE_HYPERVISOR)) ++ return; ++ ++ if (!cpu_has(c, X86_FEATURE_AVX)) ++ return; ++ ++ if (!cpu_has_zenbleed_microcode()) { ++ pr_notice_once("Zenbleed: please update your microcode for the most optimal fix\n"); ++ msr_set_bit(MSR_AMD64_DE_CFG, MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT); ++ } else { ++ msr_clear_bit(MSR_AMD64_DE_CFG, MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT); ++ } ++} ++ + static void init_amd(struct cpuinfo_x86 *c) + { + early_init_amd(c); +@@ -1067,6 +1113,8 @@ static void init_amd(struct cpuinfo_x86 + msr_set_bit(MSR_K7_HWCR, MSR_K7_HWCR_IRPERF_EN_BIT); + + check_null_seg_clears_base(c); ++ ++ zenbleed_check(c); + } + + #ifdef CONFIG_X86_32 +@@ -1196,3 +1244,15 @@ u32 amd_get_highest_perf(void) + return 255; + } + EXPORT_SYMBOL_GPL(amd_get_highest_perf); ++ ++static void zenbleed_check_cpu(void *unused) ++{ ++ struct cpuinfo_x86 *c = &cpu_data(smp_processor_id()); ++ ++ zenbleed_check(c); ++} ++ ++void amd_check_microcode(void) ++{ ++ on_each_cpu(zenbleed_check_cpu, NULL, 1); ++} +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -2346,6 +2346,8 @@ void microcode_check(struct cpuinfo_x86 + + perf_check_microcode(); + ++ amd_check_microcode(); ++ + store_cpu_caps(&curr_info); + + if (!memcmp(&prev_info->x86_capability, &curr_info.x86_capability, diff --git a/tmp-6.1/x86-cpu-amd-move-the-errata-checking-functionality-up.patch b/tmp-6.1/x86-cpu-amd-move-the-errata-checking-functionality-up.patch new file mode 100644 index 00000000000..a760fd54216 --- /dev/null +++ b/tmp-6.1/x86-cpu-amd-move-the-errata-checking-functionality-up.patch 
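Review bot: cpu_has_zenbleed_microcode() reads `boot_cpu_data.x86_model` and `boot_cpu_data.microcode`, although zenbleed_check() receives a per-CPU `c` and amd_check_microcode() runs it on every CPU through on_each_cpu(). The choice between setting and clearing `MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT` on each CPU is therefore taken from the boot CPU's revision; if revisions can differ between CPUs, for instance part-way through a late microcode load, a CPU still on old microcode could have the fallback bit cleared and be left without either mitigation. Passing `c` into the helper and comparing `c->microcode < good_rev` would tie the decision to the CPU being configured, or a comment should state why the boot CPU's value is authoritative. The erratum range also covers models 0x40-0x4f, for which the switch has no `good_rev` and always selects the fallback bit, which deserves a one-line comment; the `break;` after `return false;` in the `default:` arm is unreachable.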
@@ -0,0 +1,181 @@ +From 334baad709246598bfd30587a0e98b0d90f3f596 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Sat, 15 Jul 2023 13:31:32 +0200 +Subject: x86/cpu/amd: Move the errata checking functionality up + +From: "Borislav Petkov (AMD)" + +Upstream commit: 8b6f687743dacce83dbb0c7cfacf88bab00f808a + +Avoid new and remove old forward declarations. + +No functional changes. + +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/amd.c | 139 ++++++++++++++++++++++------------------------ + 1 file changed, 67 insertions(+), 72 deletions(-) + +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -27,11 +27,6 @@ + + #include "cpu.h" + +-static const int amd_erratum_383[]; +-static const int amd_erratum_400[]; +-static const int amd_erratum_1054[]; +-static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum); +- + /* + * nodes_per_socket: Stores the number of nodes per socket. + * Refer to Fam15h Models 00-0fh BKDG - CPUID Fn8000_001E_ECX +@@ -39,6 +34,73 @@ static bool cpu_has_amd_erratum(struct c + */ + static u32 nodes_per_socket = 1; + ++/* ++ * AMD errata checking ++ * ++ * Errata are defined as arrays of ints using the AMD_LEGACY_ERRATUM() or ++ * AMD_OSVW_ERRATUM() macros. The latter is intended for newer errata that ++ * have an OSVW id assigned, which it takes as first argument. Both take a ++ * variable number of family-specific model-stepping ranges created by ++ * AMD_MODEL_RANGE(). ++ * ++ * Example: ++ * ++ * const int amd_erratum_319[] = ++ * AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2), ++ * AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0), ++ * AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0)); ++ */ ++ ++#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 } ++#define AMD_OSVW_ERRATUM(osvw_id, ...) 
{ osvw_id, __VA_ARGS__, 0 } ++#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \ ++ ((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end)) ++#define AMD_MODEL_RANGE_FAMILY(range) (((range) >> 24) & 0xff) ++#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff) ++#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff) ++ ++static const int amd_erratum_400[] = ++ AMD_OSVW_ERRATUM(1, AMD_MODEL_RANGE(0xf, 0x41, 0x2, 0xff, 0xf), ++ AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0xff, 0xf)); ++ ++static const int amd_erratum_383[] = ++ AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf)); ++ ++/* #1054: Instructions Retired Performance Counter May Be Inaccurate */ ++static const int amd_erratum_1054[] = ++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); ++ ++static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) ++{ ++ int osvw_id = *erratum++; ++ u32 range; ++ u32 ms; ++ ++ if (osvw_id >= 0 && osvw_id < 65536 && ++ cpu_has(cpu, X86_FEATURE_OSVW)) { ++ u64 osvw_len; ++ ++ rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, osvw_len); ++ if (osvw_id < osvw_len) { ++ u64 osvw_bits; ++ ++ rdmsrl(MSR_AMD64_OSVW_STATUS + (osvw_id >> 6), ++ osvw_bits); ++ return osvw_bits & (1ULL << (osvw_id & 0x3f)); ++ } ++ } ++ ++ /* OSVW unavailable or ID unknown, match family-model-stepping range */ ++ ms = (cpu->x86_model << 4) | cpu->x86_stepping; ++ while ((range = *erratum++)) ++ if ((cpu->x86 == AMD_MODEL_RANGE_FAMILY(range)) && ++ (ms >= AMD_MODEL_RANGE_START(range)) && ++ (ms <= AMD_MODEL_RANGE_END(range))) ++ return true; ++ ++ return false; ++} ++ + static inline int rdmsrl_amd_safe(unsigned msr, unsigned long long *p) + { + u32 gprs[8] = { 0 }; +@@ -1100,73 +1162,6 @@ static const struct cpu_dev amd_cpu_dev + + cpu_dev_register(amd_cpu_dev); + +-/* +- * AMD errata checking +- * +- * Errata are defined as arrays of ints using the AMD_LEGACY_ERRATUM() or +- * AMD_OSVW_ERRATUM() macros. 
The latter is intended for newer errata that +- * have an OSVW id assigned, which it takes as first argument. Both take a +- * variable number of family-specific model-stepping ranges created by +- * AMD_MODEL_RANGE(). +- * +- * Example: +- * +- * const int amd_erratum_319[] = +- * AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2), +- * AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0), +- * AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0)); +- */ +- +-#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 } +-#define AMD_OSVW_ERRATUM(osvw_id, ...) { osvw_id, __VA_ARGS__, 0 } +-#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \ +- ((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end)) +-#define AMD_MODEL_RANGE_FAMILY(range) (((range) >> 24) & 0xff) +-#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff) +-#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff) +- +-static const int amd_erratum_400[] = +- AMD_OSVW_ERRATUM(1, AMD_MODEL_RANGE(0xf, 0x41, 0x2, 0xff, 0xf), +- AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0xff, 0xf)); +- +-static const int amd_erratum_383[] = +- AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf)); +- +-/* #1054: Instructions Retired Performance Counter May Be Inaccurate */ +-static const int amd_erratum_1054[] = +- AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); +- +-static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) +-{ +- int osvw_id = *erratum++; +- u32 range; +- u32 ms; +- +- if (osvw_id >= 0 && osvw_id < 65536 && +- cpu_has(cpu, X86_FEATURE_OSVW)) { +- u64 osvw_len; +- +- rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, osvw_len); +- if (osvw_id < osvw_len) { +- u64 osvw_bits; +- +- rdmsrl(MSR_AMD64_OSVW_STATUS + (osvw_id >> 6), +- osvw_bits); +- return osvw_bits & (1ULL << (osvw_id & 0x3f)); +- } +- } +- +- /* OSVW unavailable or ID unknown, match family-model-stepping range */ +- ms = (cpu->x86_model << 4) | cpu->x86_stepping; +- while ((range = *erratum++)) +- if ((cpu->x86 == 
AMD_MODEL_RANGE_FAMILY(range)) && +- (ms >= AMD_MODEL_RANGE_START(range)) && +- (ms <= AMD_MODEL_RANGE_END(range))) +- return true; +- +- return false; +-} +- + void set_dr_addr_mask(unsigned long mask, int dr) + { + if (!boot_cpu_has(X86_FEATURE_BPEXT)) diff --git a/tmp-6.4/accel-qaic-add-consistent-integer-overflow-checks.patch b/tmp-6.4/accel-qaic-add-consistent-integer-overflow-checks.patch new file mode 100644 index 00000000000..c18b81f7fbd --- /dev/null +++ b/tmp-6.4/accel-qaic-add-consistent-integer-overflow-checks.patch 
@@ -0,0 +1,70 @@ +From 47d87f71d00b7091b43a56f608f7151b33e5772e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 11 Jul 2023 11:21:00 +0300 +Subject: accel/qaic: Add consistent integer overflow checks + +From: Dan Carpenter + +commit 47d87f71d00b7091b43a56f608f7151b33e5772e upstream. + +The encode_dma() function has integer overflow checks. The +encode_passthrough(), encode_activate() and encode_status() functions +did not. I added integer overflow checking everywhere. I also +updated the integer overflow checking in encode_dma() to use size_add() +so everything is consistent. + +Fixes: 129776ac2e38 ("accel/qaic: Add control path") +Signed-off-by: Dan Carpenter +Reviewed-by: Pranjal Ramajor Asha Kanojiya +Reviewed-by: Jeffrey Hugo +Cc: stable@vger.kernel.org # 6.4.x +[jhugo: tweak if in encode_dma() to match existing style] +Signed-off-by: Jeffrey Hugo +Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q7IsPkj6WSCcL@moroto +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/qaic/qaic_control.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +--- a/drivers/accel/qaic/qaic_control.c ++++ b/drivers/accel/qaic/qaic_control.c +@@ -367,7 +367,7 @@ static int encode_passthrough(struct qai + if (in_trans->hdr.len % 8 != 0) + return -EINVAL; + +- if (msg_hdr_len + in_trans->hdr.len > QAIC_MANAGE_EXT_MSG_LENGTH) ++ if (size_add(msg_hdr_len, in_trans->hdr.len) > QAIC_MANAGE_EXT_MSG_LENGTH) + return -ENOSPC; + + trans_wrapper = add_wrapper(wrappers, +@@ -561,11 +561,8 @@ static int encode_dma(struct qaic_device + msg = &wrapper->msg; + msg_hdr_len = le32_to_cpu(msg->hdr.len); + +- if (msg_hdr_len > (UINT_MAX - QAIC_MANAGE_EXT_MSG_LENGTH)) +- return -EINVAL; +- + /* There should be enough space to hold at least one ASP entry. 
*/ +- if (msg_hdr_len + sizeof(*out_trans) + sizeof(struct wire_addr_size_pair) > ++ if (size_add(msg_hdr_len, sizeof(*out_trans) + sizeof(struct wire_addr_size_pair)) > + QAIC_MANAGE_EXT_MSG_LENGTH) + return -ENOMEM; + +@@ -638,7 +635,7 @@ static int encode_activate(struct qaic_d + msg = &wrapper->msg; + msg_hdr_len = le32_to_cpu(msg->hdr.len); + +- if (msg_hdr_len + sizeof(*out_trans) > QAIC_MANAGE_MAX_MSG_LENGTH) ++ if (size_add(msg_hdr_len, sizeof(*out_trans)) > QAIC_MANAGE_MAX_MSG_LENGTH) + return -ENOSPC; + + if (!in_trans->queue_size) +@@ -722,7 +719,7 @@ static int encode_status(struct qaic_dev + msg = &wrapper->msg; + msg_hdr_len = le32_to_cpu(msg->hdr.len); + +- if (msg_hdr_len + in_trans->hdr.len > QAIC_MANAGE_MAX_MSG_LENGTH) ++ if (size_add(msg_hdr_len, in_trans->hdr.len) > QAIC_MANAGE_MAX_MSG_LENGTH) + return -ENOSPC; + + trans_wrapper = add_wrapper(wrappers, sizeof(*trans_wrapper)); diff --git a/tmp-6.4/accel-qaic-fix-a-leak-in-map_user_pages.patch b/tmp-6.4/accel-qaic-fix-a-leak-in-map_user_pages.patch new file mode 100644 index 00000000000..0c67f9f16c0 --- /dev/null +++ b/tmp-6.4/accel-qaic-fix-a-leak-in-map_user_pages.patch 
@@ -0,0 +1,43 @@ +From 73274c33d961f4aa0f968f763e2c9f4210b4f4a3 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 11 Jul 2023 11:21:13 +0300 +Subject: accel/qaic: Fix a leak in map_user_pages() + +From: Dan Carpenter + +commit 73274c33d961f4aa0f968f763e2c9f4210b4f4a3 upstream. + +If get_user_pages_fast() allocates some pages but not as many as we +wanted, then the current code leaks those pages. Call put_page() on +the pages before returning. + +Fixes: 129776ac2e38 ("accel/qaic: Add control path") +Signed-off-by: Dan Carpenter +Reviewed-by: Pranjal Ramajor Asha Kanojiya +Reviewed-by: Jeffrey Hugo +Reviewed-by: Dafna Hirschfeld +Cc: stable@vger.kernel.org # 6.4.x +Signed-off-by: Jeffrey Hugo +Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q+ZuONTsBG+1T@moroto +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/qaic/qaic_control.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/accel/qaic/qaic_control.c ++++ b/drivers/accel/qaic/qaic_control.c +@@ -418,9 +418,12 @@ static int find_and_map_user_pages(struc + } + + ret = get_user_pages_fast(xfer_start_addr, nr_pages, 0, page_list); +- if (ret < 0 || ret != nr_pages) { +- ret = -EFAULT; ++ if (ret < 0) + goto free_page_list; ++ if (ret != nr_pages) { ++ nr_pages = ret; ++ ret = -EFAULT; ++ goto put_pages; + } + + sgt = kmalloc(sizeof(*sgt), GFP_KERNEL); diff --git a/tmp-6.4/accel-qaic-tighten-bounds-checking-in-decode_message.patch b/tmp-6.4/accel-qaic-tighten-bounds-checking-in-decode_message.patch new file mode 100644 index 00000000000..430e82f4685 --- /dev/null +++ b/tmp-6.4/accel-qaic-tighten-bounds-checking-in-decode_message.patch 
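Review bot: Splitting the `get_user_pages_fast()` check changes the error the caller sees, and the commit message does not mention it. With `ret < 0` the code now jumps to `free_page_list` carrying the errno from get_user_pages_fast(), where the old code always returned -EFAULT. If callers or userspace expect only -EFAULT here, keep it with `if (ret < 0) { ret = -EFAULT; goto free_page_list; }`; otherwise a comment such as `/* nothing pinned: propagate the errno from gup */` would record the intent. The short-pin branch relies on the `put_pages` label releasing exactly `nr_pages` entries; that label is outside the hunk, so it is worth confirming there.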
@@ -0,0 +1,76 @@ +From 51b56382ed2a2b03347372272362b3baa623ed1e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 11 Jul 2023 11:20:54 +0300 +Subject: accel/qaic: tighten bounds checking in decode_message() + +From: Dan Carpenter + +commit 51b56382ed2a2b03347372272362b3baa623ed1e upstream. + +Copy the bounds checking from encode_message() to decode_message(). + +This patch addresses the following concerns. Ensure that there is +enough space for at least one header so that we don't have a negative +size later. + + if (msg_hdr_len < sizeof(*trans_hdr)) + +Ensure that we have enough space to read the next header from the +msg->data. + + if (msg_len > msg_hdr_len - sizeof(*trans_hdr)) + return -EINVAL; + +Check that the trans_hdr->len is not below the minimum size: + + if (hdr_len < sizeof(*trans_hdr)) + +This minimum check ensures that we don't corrupt memory in +decode_passthrough() when we do. + + memcpy(out_trans->data, in_trans->data, len - sizeof(in_trans->hdr)); + +And finally, use size_add() to prevent an integer overflow: + + if (size_add(msg_len, hdr_len) > msg_hdr_len) + +Fixes: 129776ac2e38 ("accel/qaic: Add control path") +Signed-off-by: Dan Carpenter +Reviewed-by: Pranjal Ramajor Asha Kanojiya +Reviewed-by: Jeffrey Hugo +Cc: stable@vger.kernel.org # 6.4.x +Signed-off-by: Jeffrey Hugo +Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q5nbLyDO7kJa+@moroto +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/qaic/qaic_control.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/accel/qaic/qaic_control.c ++++ b/drivers/accel/qaic/qaic_control.c +@@ -959,15 +959,23 @@ static int decode_message(struct qaic_de + int ret; + int i; + +- if (msg_hdr_len > QAIC_MANAGE_MAX_MSG_LENGTH) ++ if (msg_hdr_len < sizeof(*trans_hdr) || ++ msg_hdr_len > QAIC_MANAGE_MAX_MSG_LENGTH) + return -EINVAL; + + user_msg->len = 0; + user_msg->count = le32_to_cpu(msg->hdr.count); + + for (i = 0; i < user_msg->count; ++i) { ++ u32 
hdr_len; ++ ++ if (msg_len > msg_hdr_len - sizeof(*trans_hdr)) ++ return -EINVAL; ++ + trans_hdr = (struct wire_trans_hdr *)(msg->data + msg_len); +- if (msg_len + le32_to_cpu(trans_hdr->len) > msg_hdr_len) ++ hdr_len = le32_to_cpu(trans_hdr->len); ++ if (hdr_len < sizeof(*trans_hdr) || ++ size_add(msg_len, hdr_len) > msg_hdr_len) + return -EINVAL; + + switch (le32_to_cpu(trans_hdr->type)) { diff --git a/tmp-6.4/accel-qaic-tighten-bounds-checking-in-encode_message.patch b/tmp-6.4/accel-qaic-tighten-bounds-checking-in-encode_message.patch new file mode 100644 index 00000000000..5c73af354f4 --- /dev/null +++ b/tmp-6.4/accel-qaic-tighten-bounds-checking-in-encode_message.patch 
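Review bot: The new loop guard `msg_len > msg_hdr_len - sizeof(*trans_hdr)` is only safe because of the lower bound added before the loop. The subtraction is unsigned, so unless `msg_hdr_len < sizeof(*trans_hdr)` is rejected first it would wrap to a very large value and the guard would never fire. Nothing in the code records that dependency and the two checks sit several lines apart, so I would add a comment above the loop guard, e.g. `/* cannot wrap: msg_hdr_len >= sizeof(*trans_hdr) was checked above */`. The lengths come from `msg->hdr` and `trans_hdr->len`, which presumably originate outside the kernel's control, so a later reordering of these checks would matter. decode_message() starts and continues outside the hunk.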
@@ -0,0 +1,88 @@ +From ea33cb6fc2788f9fe248d49e1c0b2553a58436ef Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 11 Jul 2023 11:20:44 +0300 +Subject: accel/qaic: tighten bounds checking in encode_message() + +From: Dan Carpenter + +commit ea33cb6fc2788f9fe248d49e1c0b2553a58436ef upstream. + +There are several issues in this code. The check at the start of the +loop: + + if (user_len >= user_msg->len) { + +This check does not ensure that we have enough space for the trans_hdr +(8 bytes). Instead the check needs to be: + + if (user_len > user_msg->len - sizeof(*trans_hdr)) { + +That subtraction is done as an unsigned long we want to avoid +negatives. Add a lower bound to the start of the function. + + if (user_msg->len < sizeof(*trans_hdr)) + +There is a second integer underflow which can happen if +trans_hdr->len is zero inside the encode_passthrough() function. + + memcpy(out_trans->data, in_trans->data, in_trans->hdr.len - sizeof(in_trans->hdr)); + +Instead of adding a check to encode_passthrough() it's better to check +in this central place. Add that check: + + if (trans_hdr->len < sizeof(trans_hdr) + +The final concern is that the "user_len + trans_hdr->len" might have an +integer overflow bug. Use size_add() to prevent that. 
+ +- if (user_len + trans_hdr->len > user_msg->len) { ++ if (size_add(user_len, trans_hdr->len) > user_msg->len) { + +Fixes: 129776ac2e38 ("accel/qaic: Add control path") +Signed-off-by: Dan Carpenter +Reviewed-by: Pranjal Ramajor Asha Kanojiya +Reviewed-by: Jeffrey Hugo +Cc: stable@vger.kernel.org # 6.4.x +Signed-off-by: Jeffrey Hugo +Link: https://patchwork.freedesktop.org/patch/msgid/9a0cb0c1-a974-4f10-bc8d-94437983639a@moroto.mountain +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/qaic/qaic_control.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/accel/qaic/qaic_control.c ++++ b/drivers/accel/qaic/qaic_control.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -751,7 +752,8 @@ static int encode_message(struct qaic_de + int ret; + int i; + +- if (!user_msg->count) { ++ if (!user_msg->count || ++ user_msg->len < sizeof(*trans_hdr)) { + ret = -EINVAL; + goto out; + } +@@ -768,12 +770,13 @@ static int encode_message(struct qaic_de + } + + for (i = 0; i < user_msg->count; ++i) { +- if (user_len >= user_msg->len) { ++ if (user_len > user_msg->len - sizeof(*trans_hdr)) { + ret = -EINVAL; + break; + } + trans_hdr = (struct qaic_manage_trans_hdr *)(user_msg->data + user_len); +- if (user_len + trans_hdr->len > user_msg->len) { ++ if (trans_hdr->len < sizeof(trans_hdr) || ++ size_add(user_len, trans_hdr->len) > user_msg->len) { + ret = -EINVAL; + break; + } diff --git a/tmp-6.4/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch b/tmp-6.4/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch new file mode 100644 index 00000000000..69ae7db9737 --- /dev/null +++ b/tmp-6.4/acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch 
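Review bot: In the loop hunk of encode_message(), the new minimum-length test uses `sizeof(trans_hdr)`, which is the size of the pointer. The other two checks added to encode_message() in this patch, and the matching test in decode_message(), use `sizeof(*trans_hdr)`. The commit message gives the header size as 8 bytes, so the two agree where pointers are 8 bytes, but on a 32-bit build the test would accept lengths of 4 to 7. The `in_trans->hdr.len - sizeof(in_trans->hdr)` underflow that the commit message describes for encode_passthrough() could then presumably still occur. The line should read `if (trans_hdr->len < sizeof(*trans_hdr) ||`; encode_message() starts and continues outside the hunk.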
@@ -0,0 +1,45 @@ +From e1d24d33287f1adda81c70da6e6f8e45fd5a44f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Apr 2023 12:38:41 +0200 +Subject: ACPI: button: Add lid disable DMI quirk for Nextbook Ares 8A + +From: Hans de Goede + +[ Upstream commit 4fd5556608bfa9c2bf276fc115ef04288331aded ] + +The LID0 device on the Nextbook Ares 8A tablet always reports lid +closed causing userspace to suspend the device as soon as booting +is complete. + +Add a DMI quirk to disable the broken lid functionality. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/button.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/acpi/button.c b/drivers/acpi/button.c +index 475e1eddfa3b4..ef77c14c72a92 100644 +--- a/drivers/acpi/button.c ++++ b/drivers/acpi/button.c +@@ -77,6 +77,15 @@ static const struct dmi_system_id dmi_lid_quirks[] = { + }, + .driver_data = (void *)(long)ACPI_BUTTON_LID_INIT_DISABLED, + }, ++ { ++ /* Nextbook Ares 8A tablet, _LID device always reports lid closed */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Insyde"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "CherryTrail"), ++ DMI_MATCH(DMI_BIOS_VERSION, "M882"), ++ }, ++ .driver_data = (void *)(long)ACPI_BUTTON_LID_INIT_DISABLED, ++ }, + { + /* + * Lenovo Yoga 9 14ITL5, initial notification of the LID device +-- +2.39.2 + diff --git a/tmp-6.4/acpi-resource-remove-zen-specific-match-and-quirks.patch b/tmp-6.4/acpi-resource-remove-zen-specific-match-and-quirks.patch new file mode 100644 index 00000000000..b5aac4c0b74 --- /dev/null +++ b/tmp-6.4/acpi-resource-remove-zen-specific-match-and-quirks.patch 
@@ -0,0 +1,132 @@ +From 6654fc24fbbfdc2d4d6c7ea35340711638cc5280 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 17:11:51 -0500 +Subject: ACPI: resource: Remove "Zen" specific match and quirks + +From: Mario Limonciello + +[ Upstream commit a9c4a912b7dc7ff922d4b9261160c001558f9755 ] + +commit 9946e39fe8d0 ("ACPI: resource: skip IRQ override on +AMD Zen platforms") attempted to overhaul the override logic so it +didn't apply on X86 AMD Zen systems. This was intentional so that +systems would prefer DSDT values instead of default MADT value for +IRQ 1 on Ryzen 6000 systems which typically uses ActiveLow for IRQ1. + +This turned out to be a bad assumption because several vendors +add Interrupt Source Override but don't fix the DSDT. A pile of +quirks was collecting that proved this wasn't sustaintable. + +Furthermore some vendors have used ActiveHigh for IRQ1. +To solve this problem revert the following commits: +* commit 17bb7046e7ce ("ACPI: resource: Do IRQ override on all TongFang +GMxRGxx") +* commit f3cb9b740869 ("ACPI: resource: do IRQ override on Lenovo 14ALC7") +* commit bfcdf58380b1 ("ACPI: resource: do IRQ override on LENOVO IdeaPad") +* commit 7592b79ba4a9 ("ACPI: resource: do IRQ override on XMG Core 15") +* commit 9946e39fe8d0 ("ACPI: resource: skip IRQ override on AMD Zen +platforms") + +Reported-by: evilsnoo@proton.me +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217394 +Reported-by: ruinairas1992@gmail.com +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217406 +Reported-by: nmschulte@gmail.com +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217336 +Signed-off-by: Mario Limonciello +Tested-by: Werner Sembach +Tested-by: Chuanhong Guo +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 60 ----------------------------------------- + 1 file changed, 60 deletions(-) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index 0800a9d775580..1dd8d5aebf678 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -470,52 +470,6 @@ static const struct dmi_system_id asus_laptop[] = { + { } + }; + +-static const struct dmi_system_id lenovo_laptop[] = { +- { +- .ident = "LENOVO IdeaPad Flex 5 14ALC7", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_NAME, "82R9"), +- }, +- }, +- { +- .ident = "LENOVO IdeaPad Flex 5 16ALC7", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_NAME, "82RA"), +- }, +- }, +- { } +-}; +- +-static const struct dmi_system_id tongfang_gm_rg[] = { +- { +- .ident = "TongFang GMxRGxx/XMG CORE 15 (M22)/TUXEDO Stellaris 15 Gen4 AMD", +- .matches = { +- DMI_MATCH(DMI_BOARD_NAME, "GMxRGxx"), +- }, +- }, +- { } +-}; +- +-static const struct dmi_system_id maingear_laptop[] = { +- { +- .ident = "MAINGEAR Vector Pro 2 15", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Micro Electronics Inc"), +- DMI_MATCH(DMI_PRODUCT_NAME, "MG-VCP2-15A3070T"), +- } +- }, +- { +- .ident = "MAINGEAR Vector Pro 2 17", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Micro Electronics Inc"), +- DMI_MATCH(DMI_PRODUCT_NAME, "MG-VCP2-17A3070T"), +- }, +- }, +- { } +-}; +- + static const struct dmi_system_id lg_laptop[] = { + { + .ident = "LG Electronics 17U70P", +@@ -539,10 +493,6 @@ struct irq_override_cmp { + static const struct irq_override_cmp override_table[] = { + { medion_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, + { asus_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, +- { lenovo_laptop, 6, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, +- { lenovo_laptop, 10, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, true }, +- { tongfang_gm_rg, 1, ACPI_EDGE_SENSITIVE, 
ACPI_ACTIVE_LOW, 1, true }, +- { maingear_laptop, 1, ACPI_EDGE_SENSITIVE, ACPI_ACTIVE_LOW, 1, true }, + { lg_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0, false }, + }; + +@@ -562,16 +512,6 @@ static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity, + return entry->override; + } + +-#ifdef CONFIG_X86 +- /* +- * IRQ override isn't needed on modern AMD Zen systems and +- * this override breaks active low IRQs on AMD Ryzen 6000 and +- * newer systems. Skip it. +- */ +- if (boot_cpu_has(X86_FEATURE_ZEN)) +- return false; +-#endif +- + return true; + } + +-- +2.39.2 + diff --git a/tmp-6.4/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch b/tmp-6.4/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch new file mode 100644 index 00000000000..07f521f00dc --- /dev/null +++ b/tmp-6.4/acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch 
@@ -0,0 +1,43 @@ +From 8b6923caebc9b56559f29a510d3eff108ca92f30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 11:23:58 +0200 +Subject: ACPI: video: Add backlight=native DMI quirk for Apple iMac11,3 + +From: Hans de Goede + +[ Upstream commit 48436f2e9834b46b47b038b605c8142a1c07bc85 ] + +Linux defaults to picking the non-working ACPI video backlight interface +on the Apple iMac11,3 . + +Add a DMI quirk to pick the working native radeon_bl0 interface instead. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index bcc25d457581d..61586caebb01b 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -470,6 +470,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "82BK"), + }, + }, ++ { ++ .callback = video_detect_force_native, ++ /* Apple iMac11,3 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "iMac11,3"), ++ }, ++ }, + { + /* https://bugzilla.redhat.com/show_bug.cgi?id=1217249 */ + .callback = video_detect_force_native, +-- +2.39.2 + diff --git a/tmp-6.4/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch b/tmp-6.4/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch new file mode 100644 index 00000000000..9a6b9740eb4 --- /dev/null +++ b/tmp-6.4/acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch 
@@ -0,0 +1,46 @@ +From 1a7dbae44c18d67dbeb0322fe85f0807b54971c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 20:45:04 +0200 +Subject: ACPI: video: Add backlight=native DMI quirk for Dell Studio 1569 + +From: Hans de Goede + +[ Upstream commit 23d28cc0444be3f694eb986cd653b6888b78431d ] + +The Dell Studio 1569 predates Windows 8, so it defaults to using +acpi_video# for backlight control, but this is non functional on +this model. + +Add a DMI quirk to use the native intel_backlight interface which +does work properly. + +Reported-by: raycekarneal +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index b87783c5872dd..e7d04ab864a16 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -528,6 +528,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Precision 7510"), + }, + }, ++ { ++ .callback = video_detect_force_native, ++ /* Dell Studio 1569 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Studio 1569"), ++ }, ++ }, + { + .callback = video_detect_force_native, + /* Acer Aspire 3830TG */ +-- +2.39.2 + diff --git a/tmp-6.4/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch b/tmp-6.4/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch new file mode 100644 index 00000000000..b0083e9d84b --- /dev/null +++ b/tmp-6.4/acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch 
@@ -0,0 +1,44 @@ +From b98db95eaf63bbc74bbfc6f5b4fb9e491f4beeba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 May 2023 11:23:59 +0200 +Subject: ACPI: video: Add backlight=native DMI quirk for Lenovo ThinkPad X131e + (3371 AMD version) + +From: Hans de Goede + +[ Upstream commit bd5d93df86a7ddf98a2a37e9c3751e3cb334a66c ] + +Linux defaults to picking the non-working ACPI video backlight interface +on the Lenovo ThinkPad X131e (3371 AMD version). + +Add a DMI quirk to pick the working native radeon_bl0 interface instead. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index 61586caebb01b..b87783c5872dd 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -470,6 +470,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "82BK"), + }, + }, ++ { ++ .callback = video_detect_force_native, ++ /* Lenovo ThinkPad X131e (3371 AMD version) */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "3371"), ++ }, ++ }, + { + .callback = video_detect_force_native, + /* Apple iMac11,3 */ +-- +2.39.2 + diff --git a/tmp-6.4/acpi-x86-add-acpi_quirk_uart1_skip-for-lenovo-yoga-b.patch b/tmp-6.4/acpi-x86-add-acpi_quirk_uart1_skip-for-lenovo-yoga-b.patch new file mode 100644 index 00000000000..970e0160842 --- /dev/null +++ b/tmp-6.4/acpi-x86-add-acpi_quirk_uart1_skip-for-lenovo-yoga-b.patch 
@@ -0,0 +1,79 @@ +From d9933c3669189d43374498be603032780fa8f7ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Apr 2023 18:34:58 +0200 +Subject: ACPI: x86: Add ACPI_QUIRK_UART1_SKIP for Lenovo Yoga Book yb1-x90f/l + +From: Hans de Goede + +[ Upstream commit f91280f35895d6dcb53f504968fafd1da0b00397 ] + +The Lenovo Yoga Book yb1-x90f/l 2-in-1 which ships with Android as +Factory OS has (another) bug in its DSDT where the UART resource for +the BTH0 ACPI device contains "\\_SB.PCIO.URT1" as path to the UART. + +Note that is with a letter 'O' instead of the number '0' which is wrong. + +This causes Linux to instantiate a standard /dev/ttyS? device for +the UART instead of a /sys/bus/serial device, which in turn causes +bluetooth to not work. + +Similar DSDT bugs have been encountered before and to work around those +the acpi_quirk_skip_serdev_enumeration() helper exists. + +Previous devices had the broken resource pointing to the first UART, while +the BT HCI was on the second UART, which ACPI_QUIRK_UART1_TTY_UART2_SKIP +deals with. Add a new ACPI_QUIRK_UART1_SKIP quirk for skipping enumeration +of UART1 instead for the Yoga Book case and add this quirk to the +existing DMI quirk table entry for the yb1-x90f/l . + +This leaves the UART1 controller unbound allowing the x86-android-tablets +module to manually instantiate a serdev for it fixing bluetooth. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/x86/utils.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c +index 4cfee2da06756..c2b925f8cd4e4 100644 +--- a/drivers/acpi/x86/utils.c ++++ b/drivers/acpi/x86/utils.c +@@ -259,10 +259,11 @@ bool force_storage_d3(void) + * drivers/platform/x86/x86-android-tablets.c kernel module. 
+ */ + #define ACPI_QUIRK_SKIP_I2C_CLIENTS BIT(0) +-#define ACPI_QUIRK_UART1_TTY_UART2_SKIP BIT(1) +-#define ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY BIT(2) +-#define ACPI_QUIRK_USE_ACPI_AC_AND_BATTERY BIT(3) +-#define ACPI_QUIRK_SKIP_GPIO_EVENT_HANDLERS BIT(4) ++#define ACPI_QUIRK_UART1_SKIP BIT(1) ++#define ACPI_QUIRK_UART1_TTY_UART2_SKIP BIT(2) ++#define ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY BIT(3) ++#define ACPI_QUIRK_USE_ACPI_AC_AND_BATTERY BIT(4) ++#define ACPI_QUIRK_SKIP_GPIO_EVENT_HANDLERS BIT(5) + + static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { + /* +@@ -319,6 +320,7 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "YETI-11"), + }, + .driver_data = (void *)(ACPI_QUIRK_SKIP_I2C_CLIENTS | ++ ACPI_QUIRK_UART1_SKIP | + ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY | + ACPI_QUIRK_SKIP_GPIO_EVENT_HANDLERS), + }, +@@ -449,6 +451,9 @@ int acpi_quirk_skip_serdev_enumeration(struct device *controller_parent, bool *s + if (dmi_id) + quirks = (unsigned long)dmi_id->driver_data; + ++ if ((quirks & ACPI_QUIRK_UART1_SKIP) && uid == 1) ++ *skip = true; ++ + if (quirks & ACPI_QUIRK_UART1_TTY_UART2_SKIP) { + if (uid == 1) + return -ENODEV; /* Create tty cdev instead of serdev */ +-- +2.39.2 + diff --git a/tmp-6.4/acpi-x86-add-skip-i2c-clients-quirk-for-nextbook-are.patch b/tmp-6.4/acpi-x86-add-skip-i2c-clients-quirk-for-nextbook-are.patch new file mode 100644 index 00000000000..d6ae42af596 --- /dev/null +++ b/tmp-6.4/acpi-x86-add-skip-i2c-clients-quirk-for-nextbook-are.patch 
@@ -0,0 +1,76 @@ +From 062a6ebd2cfb57009d32e38904579308537f3b03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Apr 2023 12:38:40 +0200 +Subject: ACPI: x86: Add skip i2c clients quirk for Nextbook Ares 8A + +From: Hans de Goede + +[ Upstream commit 69d6b37695c1f2320cfa330e1e1636d50dd5040a ] + +The Nextbook Ares 8A is a x86 ACPI tablet which ships with Android x86 +as factory OS. Its DSDT contains a bunch of I2C devices which are not +actually there (the Android x86 kernel fork ignores I2C devices described +in the DSDT). + +On this specific model this just not cause resource conflicts, one of +the probe() calls for the non existing i2c_clients actually ends up +toggling a GPIO or executing a _PS3 after a failed probe which turns +the tablet off. + +Add a ACPI_QUIRK_SKIP_I2C_CLIENTS for the Nextbook Ares 8 to the +acpi_quirk_skip_dmi_ids table to avoid the bogus i2c_clients and +to fix the tablet turning off during boot because of this. + +Also add the "10EC5651" HID for the RealTek ALC5651 codec used +in this tablet to the list of HIDs for which not to skipi2c_client +instantiation, since the Intel SST sound driver relies on +the codec being instantiated through ACPI. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/x86/utils.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c +index 9c2d6f35f88a0..4cfee2da06756 100644 +--- a/drivers/acpi/x86/utils.c ++++ b/drivers/acpi/x86/utils.c +@@ -365,7 +365,7 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { + ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY), + }, + { +- /* Nextbook Ares 8 */ ++ /* Nextbook Ares 8 (BYT version)*/ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Insyde"), + DMI_MATCH(DMI_PRODUCT_NAME, "M890BAP"), +@@ -374,6 +374,16 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { + ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY | + ACPI_QUIRK_SKIP_GPIO_EVENT_HANDLERS), + }, ++ { ++ /* Nextbook Ares 8A (CHT version)*/ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Insyde"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "CherryTrail"), ++ DMI_MATCH(DMI_BIOS_VERSION, "M882"), ++ }, ++ .driver_data = (void *)(ACPI_QUIRK_SKIP_I2C_CLIENTS | ++ ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY), ++ }, + { + /* Whitelabel (sold as various brands) TM800A550L */ + .matches = { +@@ -392,6 +402,7 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = { + #if IS_ENABLED(CONFIG_X86_ANDROID_TABLETS) + static const struct acpi_device_id i2c_acpi_known_good_ids[] = { + { "10EC5640", 0 }, /* RealTek ALC5640 audio codec */ ++ { "10EC5651", 0 }, /* RealTek ALC5651 audio codec */ + { "INT33F4", 0 }, /* X-Powers AXP288 PMIC */ + { "INT33FD", 0 }, /* Intel Crystal Cove PMIC */ + { "INT34D3", 0 }, /* Intel Whiskey Cove PMIC */ +-- +2.39.2 + diff --git a/tmp-6.4/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch b/tmp-6.4/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch new file mode 100644 index 00000000000..2de6a82aaab --- /dev/null +++ b/tmp-6.4/alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch 
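Review bot: The new Nextbook Ares 8A entry keys on three generic strings, `DMI_MATCH(DMI_SYS_VENDOR, "Insyde")`, `DMI_MATCH(DMI_PRODUCT_NAME, "CherryTrail")` and `DMI_MATCH(DMI_BIOS_VERSION, "M882")`, and DMI_MATCH is a substring comparison. Any other Insyde Cherry Trail board whose BIOS version contains "M882" would therefore presumably also have its I2C clients and ACPI AC/battery enumeration skipped. If the full firmware strings are known, `DMI_EXACT_MATCH` (already used by the YETI-11 entry in this file) would narrow the match. Otherwise a comment such as `/* BIOS version is the only field that identifies this model */` would help whoever audits the table later. The table starts and ends outside the hunk.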
@@ -0,0 +1,150 @@ +From 46f526e1c50701c973165f628afa55ea934c6c78 Mon Sep 17 00:00:00 2001 +From: Oswald Buddenhagen +Date: Wed, 10 May 2023 19:39:05 +0200 +Subject: [PATCH AUTOSEL 5.4 02/12] ALSA: emu10k1: roll up loops in DSP setup + code for Audigy +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit 8cabf83c7aa54530e699be56249fb44f9505c4f3 ] + +There is no apparent reason for the massive code duplication. + +Signed-off-by: Oswald Buddenhagen +Link: https://lore.kernel.org/r/20230510173917.3073107-3-oswald.buddenhagen@gmx.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/emu10k1/emufx.c | 112 +++------------------------------------------- + 1 file changed, 9 insertions(+), 103 deletions(-) + +--- a/sound/pci/emu10k1/emufx.c ++++ b/sound/pci/emu10k1/emufx.c +@@ -1559,14 +1559,8 @@ A_OP(icode, &ptr, iMAC0, A_GPR(var), A_G + gpr += 2; + + /* Master volume (will be renamed later) */ +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+0+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+0+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+1+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+1+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+2+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+2+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+3+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+3+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+4+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+4+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+5+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+5+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+6+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), 
A_GPR(playback+6+SND_EMU10K1_PLAYBACK_CHANNELS)); +- A_OP(icode, &ptr, iMAC0, A_GPR(playback+7+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+7+SND_EMU10K1_PLAYBACK_CHANNELS)); ++ for (z = 0; z < 8; z++) ++ A_OP(icode, &ptr, iMAC0, A_GPR(playback+z+SND_EMU10K1_PLAYBACK_CHANNELS), A_C_00000000, A_GPR(gpr), A_GPR(playback+z+SND_EMU10K1_PLAYBACK_CHANNELS)); + snd_emu10k1_init_mono_control(&controls[nctl++], "Wave Master Playback Volume", gpr, 0); + gpr += 2; + +@@ -1653,102 +1647,14 @@ A_OP(icode, &ptr, iMAC0, A_GPR(var), A_G + dev_dbg(emu->card->dev, "emufx.c: gpr=0x%x, tmp=0x%x\n", + gpr, tmp); + */ +- /* For the EMU1010: How to get 32bit values from the DSP. High 16bits into L, low 16bits into R. */ +- /* A_P16VIN(0) is delayed by one sample, +- * so all other A_P16VIN channels will need to also be delayed +- */ +- /* Left ADC in. 1 of 2 */ + snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_P16VIN(0x0), A_FXBUS2(0) ); +- /* Right ADC in 1 of 2 */ +- gpr_map[gpr++] = 0x00000000; +- /* Delaying by one sample: instead of copying the input +- * value A_P16VIN to output A_FXBUS2 as in the first channel, +- * we use an auxiliary register, delaying the value by one +- * sample +- */ +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(2) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x1), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(4) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x2), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(6) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x3), A_C_00000000, A_C_00000000); +- /* For 96kHz mode */ +- /* Left ADC in. 
2 of 2 */ +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0x8) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x4), A_C_00000000, A_C_00000000); +- /* Right ADC in 2 of 2 */ +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xa) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x5), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xc) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x6), A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr - 1), A_FXBUS2(0xe) ); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x7), A_C_00000000, A_C_00000000); +- /* Pavel Hofman - we still have voices, A_FXBUS2s, and +- * A_P16VINs available - +- * let's add 8 more capture channels - total of 16 +- */ +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x10)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x8), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x12)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0x9), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x14)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xa), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x16)); +- 
A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xb), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x18)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xc), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x1a)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xd), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x1c)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xe), +- A_C_00000000, A_C_00000000); +- gpr_map[gpr++] = 0x00000000; +- snd_emu10k1_audigy_dsp_convert_32_to_2x16(icode, &ptr, tmp, +- bit_shifter16, +- A_GPR(gpr - 1), +- A_FXBUS2(0x1e)); +- A_OP(icode, &ptr, iACC3, A_GPR(gpr - 1), A_P16VIN(0xf), +- A_C_00000000, A_C_00000000); ++ /* A_P16VIN(0) is delayed by one sample, so all other A_P16VIN channels ++ * will need to also be delayed; we use an auxiliary register for that. */ ++ for (z = 1; z < 0x10; z++) { ++ snd_emu10k1_audigy_dsp_convert_32_to_2x16( icode, &ptr, tmp, bit_shifter16, A_GPR(gpr), A_FXBUS2(z * 2) ); ++ A_OP(icode, &ptr, iACC3, A_GPR(gpr), A_P16VIN(z), A_C_00000000, A_C_00000000); ++ gpr_map[gpr++] = 0x00000000; ++ } + } + + #if 0 diff --git a/tmp-6.4/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch b/tmp-6.4/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch new file mode 100644 index 00000000000..0eeb168cc86 --- /dev/null +++ b/tmp-6.4/alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch 
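Review bot: The rolled-up loops `for (z = 0; z < 8; z++)` and `for (z = 1; z < 0x10; z++)` use bare literals for channel counts that the removed comments used to explain ("8 more capture channels - total of 16"). The removed note about how the EMU1010 splits a 32-bit value (high 16 bits into L, low 16 bits into R) is also dropped without replacement. A one-line comment on the second loop, for example `/* 16 capture channels in total; channel 0 is handled above without the delay register */`, would keep that context. The loop also advances `gpr` fifteen times through `gpr_map[gpr++]` with no bound visible in the hunk; the unrolled code did the same, so this is a point to confirm rather than a regression. The enclosing function starts and ends outside the hunk.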
@@ -0,0 +1,32 @@ +From c250ef8954eda2024c8861c36e9fc1b589481fe7 Mon Sep 17 00:00:00 2001 +From: Christoffer Sandberg +Date: Tue, 18 Jul 2023 16:57:22 +0200 +Subject: ALSA: hda/realtek: Add quirk for Clevo NS70AU + +From: Christoffer Sandberg + +commit c250ef8954eda2024c8861c36e9fc1b589481fe7 upstream. + +Fixes headset detection on Clevo NS70AU. + +Co-developed-by: Werner Sembach +Signed-off-by: Werner Sembach +Signed-off-by: Christoffer Sandberg +Cc: +Link: https://lore.kernel.org/r/20230718145722.10592-1-wse@tuxedocomputers.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9647,6 +9647,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1558, 0x5157, "Clevo W517GU1", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x51a1, "Clevo NS50MU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x51b1, "Clevo NS50AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1558, 0x51b3, "Clevo NS70AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x5630, "Clevo NP50RNJS", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x70a1, "Clevo NB70T[HJK]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1558, 0x70b3, "Clevo NK70SB", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE), diff --git a/tmp-6.4/alsa-hda-realtek-add-quirks-for-rog-ally-cs35l41-aud.patch b/tmp-6.4/alsa-hda-realtek-add-quirks-for-rog-ally-cs35l41-aud.patch new file mode 100644 index 00000000000..cb6bbf38727 --- /dev/null +++ b/tmp-6.4/alsa-hda-realtek-add-quirks-for-rog-ally-cs35l41-aud.patch 
@@ -0,0 +1,93 @@ +From 3596f6ed73f677798fb279436169502cb7306491 Mon Sep 17 00:00:00 2001 +From: Matthew Anderson +Date: Wed, 21 Jun 2023 11:17:14 -0500 +Subject: [PATCH AUTOSEL 5.4 08/12] ALSA: hda/realtek: Add quirks for ROG ALLY + CS35l41 audio +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit 724418b84e6248cd27599607b7e5fac365b8e3f5 ] + +This requires a patched ACPI table or a firmware from ASUS to work because +the system does not come with the _DSD field for the CSC3551. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217550 +Signed-off-by: Matthew Anderson +Tested-by: Philip Mueller +Link: https://lore.kernel.org/r/20230621161714.9442-1-ruinairas1992@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 46 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 46 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7136,6 +7136,10 @@ enum { + ALC294_FIXUP_ASUS_DUAL_SPK, + ALC285_FIXUP_THINKPAD_X1_GEN7, + ALC285_FIXUP_THINKPAD_HEADSET_JACK, ++ ALC294_FIXUP_ASUS_ALLY, ++ ALC294_FIXUP_ASUS_ALLY_PINS, ++ ALC294_FIXUP_ASUS_ALLY_VERBS, ++ ALC294_FIXUP_ASUS_ALLY_SPEAKER, + ALC294_FIXUP_ASUS_HPE, + ALC294_FIXUP_ASUS_COEF_1B, + ALC294_FIXUP_ASUS_GX502_HP, +@@ -8449,6 +8453,47 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC294_FIXUP_SPK2_TO_DAC1 + }, ++ [ALC294_FIXUP_ASUS_ALLY] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = cs35l41_fixup_i2c_two, ++ .chained = true, ++ .chain_id = ALC294_FIXUP_ASUS_ALLY_PINS ++ }, ++ [ALC294_FIXUP_ASUS_ALLY_PINS] = { ++ .type = HDA_FIXUP_PINS, ++ .v.pins = (const struct hda_pintbl[]) { ++ { 0x19, 0x03a11050 }, ++ { 0x1a, 0x03a11c30 }, ++ { 0x21, 0x03211420 }, ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC294_FIXUP_ASUS_ALLY_VERBS ++ }, ++ [ALC294_FIXUP_ASUS_ALLY_VERBS] = { ++ .type = HDA_FIXUP_VERBS, ++ .v.verbs = (const struct hda_verb[]) { ++ { 0x20, 
AC_VERB_SET_COEF_INDEX, 0x45 }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x5089 }, ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x46 }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x0004 }, ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x47 }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0xa47a }, ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x49 }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x0049}, ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x4a }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x201b }, ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x6b }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x4278}, ++ { } ++ }, ++ .chained = true, ++ .chain_id = ALC294_FIXUP_ASUS_ALLY_SPEAKER ++ }, ++ [ALC294_FIXUP_ASUS_ALLY_SPEAKER] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_speaker2_to_dac1, ++ }, + [ALC285_FIXUP_THINKPAD_X1_GEN7] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc285_fixup_thinkpad_x1_gen7, +@@ -9557,6 +9602,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC), + SND_PCI_QUIRK(0x1043, 0x1740, "ASUS UX430UA", ALC295_FIXUP_ASUS_DACS), + SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_DUAL_SPK), ++ SND_PCI_QUIRK(0x1043, 0x17f3, "ROG Ally RC71L_RC71L", ALC294_FIXUP_ASUS_ALLY), + SND_PCI_QUIRK(0x1043, 0x1881, "ASUS Zephyrus S/M", ALC294_FIXUP_ASUS_GX502_PINS), + SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC), + SND_PCI_QUIRK(0x1043, 0x18f1, "Asus FX505DT", ALC256_FIXUP_ASUS_HEADSET_MIC), diff --git a/tmp-6.4/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch b/tmp-6.4/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch new file mode 100644 index 00000000000..d6ee0323806 --- /dev/null +++ b/tmp-6.4/alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch 
@@ -0,0 +1,73 @@ +From 0659400f18c0e6c0c69d74fe5d09e7f6fbbd52a2 Mon Sep 17 00:00:00 2001 +From: Luka Guzenko +Date: Tue, 18 Jul 2023 18:12:41 +0200 +Subject: ALSA: hda/realtek: Enable Mute LED on HP Laptop 15s-eq2xxx + +From: Luka Guzenko + +commit 0659400f18c0e6c0c69d74fe5d09e7f6fbbd52a2 upstream. + +The HP Laptop 15s-eq2xxx uses ALC236 codec and controls the mute LED using +COEF 0x07 index 1. No existing quirk covers this configuration. +Adds a new quirk and enables it for the device. + +Signed-off-by: Luka Guzenko +Cc: +Link: https://lore.kernel.org/r/20230718161241.393181-1-l.guzenko@web.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4624,6 +4624,21 @@ static void alc236_fixup_hp_mute_led_coe + } + } + ++static void alc236_fixup_hp_mute_led_coefbit2(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ spec->mute_led_polarity = 0; ++ spec->mute_led_coef.idx = 0x07; ++ spec->mute_led_coef.mask = 1; ++ spec->mute_led_coef.on = 1; ++ spec->mute_led_coef.off = 0; ++ snd_hda_gen_add_mute_led_cdev(codec, coef_mute_led_set); ++ } ++} ++ + /* turn on/off mic-mute LED per capture hook by coef bit */ + static int coef_micmute_led_set(struct led_classdev *led_cdev, + enum led_brightness brightness) +@@ -7134,6 +7149,7 @@ enum { + ALC285_FIXUP_HP_GPIO_LED, + ALC285_FIXUP_HP_MUTE_LED, + ALC285_FIXUP_HP_SPECTRE_X360_MUTE_LED, ++ ALC236_FIXUP_HP_MUTE_LED_COEFBIT2, + ALC236_FIXUP_HP_GPIO_LED, + ALC236_FIXUP_HP_MUTE_LED, + ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF, +@@ -8557,6 +8573,10 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc285_fixup_hp_spectre_x360_mute_led, + }, ++ [ALC236_FIXUP_HP_MUTE_LED_COEFBIT2] = { ++ .type = HDA_FIXUP_FUNC, 
++ .v.func = alc236_fixup_hp_mute_led_coefbit2, ++ }, + [ALC236_FIXUP_HP_GPIO_LED] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc236_fixup_hp_gpio_led, +@@ -9441,6 +9461,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x8873, "HP ZBook Studio 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT), ++ SND_PCI_QUIRK(0x103c, 0x887a, "HP Laptop 15s-eq2xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2), + SND_PCI_QUIRK(0x103c, 0x888d, "HP ZBook Power 15.6 inch G8 Mobile Workstation PC", ALC236_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8895, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_SPEAKERS_MICMUTE_LED), + SND_PCI_QUIRK(0x103c, 0x8896, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_MUTE_LED), diff --git a/tmp-6.4/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch b/tmp-6.4/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch new file mode 100644 index 00000000000..3a3d716a368 --- /dev/null +++ b/tmp-6.4/alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch 
@@ -0,0 +1,77 @@ +From e259b1a010e4ccaf284d9f7ae2bb75d19a1c05e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 09:20:21 +0100 +Subject: ALSA: hda/realtek: Fix generic fixup definition for cs35l41 amp + +From: Vitaly Rodionov + +[ Upstream commit f7b069cf08816252f494d193b9ecdff172bf9aa1 ] + +Generic fixup for CS35L41 amplifies should not have vendor specific +chained fixup. For ThinkPad laptops with led issue, we can just add +specific fixup. + +Fixes: a6ac60b36dade (ALSA: hda/realtek: Fix mute led issue on thinkpad with cs35l41 s-codec) +Signed-off-by: Vitaly Rodionov +Link: https://lore.kernel.org/r/20230720082022.13033-1-vitalyr@opensource.cirrus.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7224,6 +7224,7 @@ enum { + ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN, + ALC295_FIXUP_DELL_INSPIRON_TOP_SPEAKERS, + ALC236_FIXUP_DELL_DUAL_CODECS, ++ ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI, + }; + + /* A special fixup for Lenovo C940 and Yoga Duet 7; +@@ -9135,8 +9136,6 @@ static const struct hda_fixup alc269_fix + [ALC287_FIXUP_CS35L41_I2C_2] = { + .type = HDA_FIXUP_FUNC, + .v.func = cs35l41_fixup_i2c_two, +- .chained = true, +- .chain_id = ALC269_FIXUP_THINKPAD_ACPI, + }, + [ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED] = { + .type = HDA_FIXUP_FUNC, +@@ -9273,6 +9272,12 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + }, ++ [ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = cs35l41_fixup_i2c_two, ++ .chained = true, ++ .chain_id = ALC269_FIXUP_THINKPAD_ACPI, ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -9798,14 +9803,14 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x22be, "Thinkpad X1 Carbon 
8th", ALC285_FIXUP_THINKPAD_HEADSET_JACK), + SND_PCI_QUIRK(0x17aa, 0x22c1, "Thinkpad P1 Gen 3", ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK), + SND_PCI_QUIRK(0x17aa, 0x22c2, "Thinkpad X1 Extreme Gen 3", ALC285_FIXUP_THINKPAD_NO_BASS_SPK_HEADSET_JACK), +- SND_PCI_QUIRK(0x17aa, 0x22f1, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x22f2, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x22f3, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x2316, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x2317, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x2318, "Thinkpad Z13 Gen2", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x2319, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2), +- SND_PCI_QUIRK(0x17aa, 0x231a, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x17aa, 0x22f1, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x22f2, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x22f3, "Thinkpad", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x2316, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x2317, "Thinkpad P1 Gen 6", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x2318, "Thinkpad Z13 Gen2", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x2319, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), ++ SND_PCI_QUIRK(0x17aa, 0x231a, "Thinkpad Z16 Gen2", ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI), + SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY), + SND_PCI_QUIRK(0x17aa, 0x310c, "ThinkCentre Station", ALC294_FIXUP_LENOVO_MIC_LOCATION), 
diff --git a/tmp-6.4/alsa-hda-realtek-remove-3k-pull-low-procedure.patch b/tmp-6.4/alsa-hda-realtek-remove-3k-pull-low-procedure.patch new file mode 100644 index 00000000000..3eb0d006519 --- /dev/null +++ b/tmp-6.4/alsa-hda-realtek-remove-3k-pull-low-procedure.patch 
@@ -0,0 +1,66 @@ +From 69ea4c9d02b7947cdd612335a61cc1a02e544ccd Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Thu, 13 Jul 2023 15:57:13 +0800 +Subject: ALSA: hda/realtek - remove 3k pull low procedure + +From: Kailang Yang + +commit 69ea4c9d02b7947cdd612335a61cc1a02e544ccd upstream. + +This was the ALC283 depop procedure. +Maybe this procedure wasn't suitable with new codec. +So, let us remove it. But HP 15z-fc000 must do 3k pull low. If it +reboot with plugged headset, +it will have errors show don't find codec error messages. Run 3k pull +low will solve issues. +So, let AMD chipset will run this for workarround. + +Fixes: 5aec98913095 ("ALSA: hda/realtek - ALC236 headset MIC recording issue") +Signed-off-by: Kailang Yang +Cc: +Reported-by: Joseph C. Sible +Closes: https://lore.kernel.org/r/CABpewhE4REgn9RJZduuEU6Z_ijXNeQWnrxO1tg70Gkw=F8qNYg@mail.gmail.com/ +Link: https://lore.kernel.org/r/4678992299664babac4403d9978e7ba7@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -122,6 +122,7 @@ struct alc_spec { + unsigned int ultra_low_power:1; + unsigned int has_hs_key:1; + unsigned int no_internal_mic_pin:1; ++ unsigned int en_3kpull_low:1; + + /* for PLL fix */ + hda_nid_t pll_nid; +@@ -3622,6 +3623,7 @@ static void alc256_shutup(struct hda_cod + if (!hp_pin) + hp_pin = 0x21; + ++ alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */ + hp_pin_sense = snd_hda_jack_detect(codec, hp_pin); + + if (hp_pin_sense) +@@ -3638,8 +3640,7 @@ static void alc256_shutup(struct hda_cod + /* If disable 3k pulldown control for alc257, the Mic detection will not work correctly + * when booting with headset plugged. 
So skip setting it for the codec alc257 + */ +- if (codec->core.vendor_id != 0x10ec0236 && +- codec->core.vendor_id != 0x10ec0257) ++ if (spec->en_3kpull_low) + alc_update_coef_idx(codec, 0x46, 0, 3 << 12); + + if (!spec->no_shutup_pins) +@@ -10601,6 +10602,8 @@ static int patch_alc269(struct hda_codec + spec->shutup = alc256_shutup; + spec->init_hook = alc256_init; + spec->gen.mixer_nid = 0; /* ALC256 does not have any loopback mixer path */ ++ if (codec->bus->pci->vendor == PCI_VENDOR_ID_AMD) ++ spec->en_3kpull_low = true; + break; + case 0x10ec0257: + spec->codec_variant = ALC269_TYPE_ALC257; diff --git a/tmp-6.4/arm64-fix-hfgxtr_el2-field-naming.patch b/tmp-6.4/arm64-fix-hfgxtr_el2-field-naming.patch new file mode 100644 index 00000000000..7a19b485c5d --- /dev/null +++ b/tmp-6.4/arm64-fix-hfgxtr_el2-field-naming.patch 
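Review bot: In `patch_alc269()` the added test `codec->bus->pci->vendor == PCI_VENDOR_ID_AMD` dereferences `codec->bus->pci` without checking it, so if the codec can sit behind a non-PCI HDA controller the pointer may be NULL and probing would oops. `if (codec->bus->pci && codec->bus->pci->vendor == PCI_VENDOR_ID_AMD)` guards that case. Separately, the comment above `if (spec->en_3kpull_low)` in `alc256_shutup()` still says the step is skipped for the alc257 codec, which no longer describes the condition. It should say the 3k pull-low is applied only when `en_3kpull_low` is set, currently for AMD platforms. Both functions start and end outside their hunks.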
@@ -0,0 +1,70 @@ +From 667906b10bb674bbc572a57580f37bf28ae76808 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jul 2023 14:04:16 +0100 +Subject: arm64: Fix HFGxTR_EL2 field naming + +From: Marc Zyngier + +[ Upstream commit 55b87b74996383230586f4f9f801ae304c70e649 ] + +The HFGxTR_EL2 fields do not always follow the naming described +in the spec, nor do they match the name of the register they trap +in the rest of the kernel. + +It is a bit sad that they were written by hand despite the availability +of a machine readable version... + +Fixes: cc077e7facbe ("arm64/sysreg: Convert HFG[RW]TR_EL2 to automatic generation") +Signed-off-by: Marc Zyngier +Cc: Mark Brown +Cc: Will Deacon +Cc: Catalin Marinas +Cc: Mark Rutland +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/r/20230703130416.1495307-1-maz@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/tools/sysreg | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/tools/sysreg b/arch/arm64/tools/sysreg +index c9a0d1fa32090..930c8cc0812fc 100644 +--- a/arch/arm64/tools/sysreg ++++ b/arch/arm64/tools/sysreg +@@ -1890,7 +1890,7 @@ Field 0 SM + EndSysreg + + SysregFields HFGxTR_EL2 +-Field 63 nAMIAIR2_EL1 ++Field 63 nAMAIR2_EL1 + Field 62 nMAIR2_EL1 + Field 61 nS2POR_EL1 + Field 60 nPOR_EL1 +@@ -1905,9 +1905,9 @@ Field 52 nGCS_EL0 + Res0 51 + Field 50 nACCDATA_EL1 + Field 49 ERXADDR_EL1 +-Field 48 EXRPFGCDN_EL1 +-Field 47 EXPFGCTL_EL1 +-Field 46 EXPFGF_EL1 ++Field 48 ERXPFGCDN_EL1 ++Field 47 ERXPFGCTL_EL1 ++Field 46 ERXPFGF_EL1 + Field 45 ERXMISCn_EL1 + Field 44 ERXSTATUS_EL1 + Field 43 ERXCTLR_EL1 +@@ -1922,8 +1922,8 @@ Field 35 TPIDR_EL0 + Field 34 TPIDRRO_EL0 + Field 33 TPIDR_EL1 + Field 32 TCR_EL1 +-Field 31 SCTXNUM_EL0 +-Field 30 SCTXNUM_EL1 ++Field 31 SCXTNUM_EL0 ++Field 30 SCXTNUM_EL1 + Field 29 SCTLR_EL1 + Field 28 REVIDR_EL1 + Field 27 PAR_EL1 +-- +2.39.2 + 
diff --git a/tmp-6.4/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch b/tmp-6.4/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch new file mode 100644 index 00000000000..0287ad8628b --- /dev/null +++ b/tmp-6.4/arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch 
@@ -0,0 +1,93 @@
+From d4d5be94a87872421ea2569044092535aff0b886 Mon Sep 17 00:00:00 2001
+From: Mark Brown
+Date: Thu, 20 Jul 2023 19:38:58 +0100
+Subject: arm64/fpsimd: Ensure SME storage is allocated after SVE VL changes
+
+From: Mark Brown
+
+commit d4d5be94a87872421ea2569044092535aff0b886 upstream.
+
+When we reconfigure the SVE vector length we discard the backing storage
+for the SVE vectors and then reallocate on next SVE use, leaving the SME
+specific state alone. This means that we do not enable SME traps if they
+were already disabled. That means that userspace code can enter streaming
+mode without trapping, putting the task in a state where if we try to save
+the state of the task we will fault.
+
+Since the ABI does not specify that changing the SVE vector length disturbs
+SME state, and since SVE code may not be aware of SME code in the process,
+we shouldn't simply discard any ZA state. Instead immediately reallocate
+the storage for SVE, and disable SME if we change the SVE vector length
+while there is no SME state active.
+
+Disabling SME traps on SVE vector length changes would make the overall
+code more complex since we would have a state where we have valid SME state
+stored but might get a SME trap.
+
+Fixes: 9e4ab6c89109 ("arm64/sme: Implement vector length configuration prctl()s")
+Reported-by: David Spickett
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230720-arm64-fix-sve-sme-vl-change-v2-1-8eea06b82d57@kernel.org
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kernel/fpsimd.c | 33 +++++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -847,6 +847,8 @@ void sve_sync_from_fpsimd_zeropad(struct
+ int vec_set_vector_length(struct task_struct *task, enum vec_type type,
+ unsigned long vl, unsigned long flags)
+ {
++ bool free_sme = false;
++
+ if (flags & ~(unsigned long)(PR_SVE_VL_INHERIT |
+ PR_SVE_SET_VL_ONEXEC))
+ return -EINVAL;
+@@ -897,21 +899,36 @@ int vec_set_vector_length(struct task_st
+ task->thread.fp_type = FP_STATE_FPSIMD;
+ }
+
+- if (system_supports_sme() && type == ARM64_VEC_SME) {
+- task->thread.svcr &= ~(SVCR_SM_MASK |
+- SVCR_ZA_MASK);
+- clear_thread_flag(TIF_SME);
++ if (system_supports_sme()) {
++ if (type == ARM64_VEC_SME ||
++ !(task->thread.svcr & (SVCR_SM_MASK | SVCR_ZA_MASK))) {
++ /*
++ * We are changing the SME VL or weren't using
++ * SME anyway, discard the state and force a
++ * reallocation.
++ */
++ task->thread.svcr &= ~(SVCR_SM_MASK |
++ SVCR_ZA_MASK);
++ clear_thread_flag(TIF_SME);
++ free_sme = true;
++ }
+ }
+
+ if (task == current)
+ put_cpu_fpsimd_context();
+
+ /*
+- * Force reallocation of task SVE and SME state to the correct
+- * size on next use:
++ * Free the changed states if they are not in use, SME will be
++ * reallocated to the correct size on next use and we just
++ * allocate SVE now in case it is needed for use in streaming
++ * mode.
+ */
+- sve_free(task);
+- if (system_supports_sme() && type == ARM64_VEC_SME)
++ if (system_supports_sve()) {
++ sve_free(task);
++ sve_alloc(task, true);
++ }
++
++ if (free_sme)
+ sme_free(task);
+
+ task_set_vl(task, type, vl);
diff --git a/tmp-6.4/arm64-mm-fix-va-range-sanity-check.patch b/tmp-6.4/arm64-mm-fix-va-range-sanity-check.patch
new file mode 100644
index 00000000000..16f8dba9c8c
--- /dev/null
+++ b/tmp-6.4/arm64-mm-fix-va-range-sanity-check.patch
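Review bot: In `vec_set_vector_length()` the new `sve_alloc(task, true);` runs before `task_set_vl(task, type, vl);`, so the buffer is allocated while the task still records the old vector length. If sve_alloc() sizes its buffer from that recorded length (its body is not in this hunk), raising the length leaves storage that is too small for the state later saved into it, which is a kernel memory-corruption risk. Moving `task_set_vl(task, type, vl);` above the `if (system_supports_sve()) {` block would make the allocation use the new length. The result of the allocation is also not checked here; a test such as `if (!task->thread.sve_state) return -ENOMEM;` after it would report failure to the caller instead of continuing. The function starts and ends outside the hunk, so the surrounding locking and return paths need to be checked against the full body.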
@@ -0,0 +1,106 @@ +From 0cd9b6e992630a33f8c353758f2c3ff22b1c97cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 11:26:28 +0100 +Subject: arm64: mm: fix VA-range sanity check + +From: Mark Rutland + +[ Upstream commit ab9b4008092c86dc12497af155a0901cc1156999 ] + +Both create_mapping_noalloc() and update_mapping_prot() sanity-check +their 'virt' parameter, but the check itself doesn't make much sense. +The condition used today appears to be a historical accident. + +The sanity-check condition: + + if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { + [ ... warning here ... ] + return; + } + +... can only be true for the KASAN shadow region or the module region, +and there's no reason to exclude these specifically for creating and +updateing mappings. + +When arm64 support was first upstreamed in commit: + + c1cc1552616d0f35 ("arm64: MMU initialisation") + +... the condition was: + + if (virt < VMALLOC_START) { + [ ... warning here ... ] + return; + } + +At the time, VMALLOC_START was the lowest kernel address, and this was +checking whether 'virt' would be translated via TTBR1. + +Subsequently in commit: + + 14c127c957c1c607 ("arm64: mm: Flip kernel VA space") + +... the condition was changed to: + + if ((virt >= VA_START) && (virt < VMALLOC_START)) { + [ ... warning here ... ] + return; + } + +This appear to have been a thinko. The commit moved the linear map to +the bottom of the kernel address space, with VMALLOC_START being at the +halfway point. The old condition would warn for changes to the linear +map below this, and at the time VA_START was the end of the linear map. + +Subsequently we cleaned up the naming of VA_START in commit: + + 77ad4ce69321abbe ("arm64: memory: rename VA_START to PAGE_END") + +... keeping the erroneous condition as: + + if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { + [ ... warning here ... 
] + return; + } + +Correct the condition to check against the start of the TTBR1 address +space, which is currently PAGE_OFFSET. This simplifies the logic, and +more clearly matches the "outside kernel range" message in the warning. + +Signed-off-by: Mark Rutland +Cc: Russell King +Cc: Steve Capper +Cc: Will Deacon +Reviewed-by: Russell King (Oracle) +Link: https://lore.kernel.org/r/20230615102628.1052103-1-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/mm/mmu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c +index af6bc8403ee46..72b3c21820b96 100644 +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -451,7 +451,7 @@ static phys_addr_t pgd_pgtable_alloc(int shift) + void __init create_mapping_noalloc(phys_addr_t phys, unsigned long virt, + phys_addr_t size, pgprot_t prot) + { +- if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { ++ if (virt < PAGE_OFFSET) { + pr_warn("BUG: not creating mapping for %pa at 0x%016lx - outside kernel range\n", + &phys, virt); + return; +@@ -478,7 +478,7 @@ void __init create_pgd_mapping(struct mm_struct *mm, phys_addr_t phys, + static void update_mapping_prot(phys_addr_t phys, unsigned long virt, + phys_addr_t size, pgprot_t prot) + { +- if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { ++ if (virt < PAGE_OFFSET) { + pr_warn("BUG: not updating mapping for %pa at 0x%016lx - outside kernel range\n", + &phys, virt); + return; +-- +2.39.2 + diff --git a/tmp-6.4/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch b/tmp-6.4/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch new file mode 100644 index 00000000000..759d221f4c0 --- /dev/null +++ b/tmp-6.4/arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch 
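Review bot: Both new checks, in `create_mapping_noalloc()` and `update_mapping_prot()`, compare only the start address `virt` against `PAGE_OFFSET`, and nothing at the check says why that constant is the right bound. The commit message explains that PAGE_OFFSET is currently the start of the TTBR1 address space, and that the previous condition survived two renames without anyone noticing it was wrong. A short comment above each check would record the intent, e.g. `/* PAGE_OFFSET is the lowest TTBR1 (kernel) VA; reject anything below it */`. Both function bodies continue outside the hunks.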
@@ -0,0 +1,166 @@ +From 9df981ec0bf465d0a6cb8bc5909b0f4cb31b2887 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 10:04:36 +0900 +Subject: arm64: set __exception_irq_entry with __irq_entry as a default + +From: Youngmin Nam + +[ Upstream commit f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3 ] + +filter_irq_stacks() is supposed to cut entries which are related irq entries +from its call stack. +And in_irqentry_text() which is called by filter_irq_stacks() +uses __irqentry_text_start/end symbol to find irq entries in callstack. + +But it doesn't work correctly as without "CONFIG_FUNCTION_GRAPH_TRACER", +arm64 kernel doesn't include gic_handle_irq which is entry point of arm64 irq +between __irqentry_text_start and __irqentry_text_end as we discussed in below link. +https://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t + +This problem can makes unintentional deep call stack entries especially +in KASAN enabled situation as below. + +[ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity +[ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c +[ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--) +[ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c +[ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c +[ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0 +[ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000 +[ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd +[ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040 +[ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000 +[ 2479.385969]I[0:launcher-loader: 1719] 
x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20 +[ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8 +[ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800 +[ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8 +[ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c +[ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022 +[ 2479.386231]I[0:launcher-loader: 1719] Call trace: +[ 2479.386248]I[0:launcher-loader: 1719] __stack_depot_save+0x464/0x46c +[ 2479.386273]I[0:launcher-loader: 1719] kasan_save_stack+0x58/0x70 +[ 2479.386303]I[0:launcher-loader: 1719] save_stack_info+0x34/0x138 +[ 2479.386331]I[0:launcher-loader: 1719] kasan_save_free_info+0x18/0x24 +[ 2479.386358]I[0:launcher-loader: 1719] ____kasan_slab_free+0x16c/0x170 +[ 2479.386385]I[0:launcher-loader: 1719] __kasan_slab_free+0x10/0x20 +[ 2479.386410]I[0:launcher-loader: 1719] kmem_cache_free+0x238/0x53c +[ 2479.386435]I[0:launcher-loader: 1719] mempool_free_slab+0x1c/0x28 +[ 2479.386460]I[0:launcher-loader: 1719] mempool_free+0x7c/0x1a0 +[ 2479.386484]I[0:launcher-loader: 1719] bvec_free+0x34/0x80 +[ 2479.386514]I[0:launcher-loader: 1719] bio_free+0x60/0x98 +[ 2479.386540]I[0:launcher-loader: 1719] bio_put+0x50/0x21c +[ 2479.386567]I[0:launcher-loader: 1719] f2fs_write_end_io+0x4ac/0x4d0 +[ 2479.386594]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 +[ 2479.386622]I[0:launcher-loader: 1719] __dm_io_complete+0x324/0x37c +[ 2479.386650]I[0:launcher-loader: 1719] dm_io_dec_pending+0x60/0xa4 +[ 2479.386676]I[0:launcher-loader: 1719] clone_endio+0xf8/0x2f0 +[ 2479.386700]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 +[ 2479.386727]I[0:launcher-loader: 1719] blk_update_request+0x258/0x63c +[ 2479.386754]I[0:launcher-loader: 1719] 
scsi_end_request+0x50/0x304 +[ 2479.386782]I[0:launcher-loader: 1719] scsi_io_completion+0x88/0x160 +[ 2479.386808]I[0:launcher-loader: 1719] scsi_finish_command+0x17c/0x194 +[ 2479.386833]I[0:launcher-loader: 1719] scsi_complete+0xcc/0x158 +[ 2479.386859]I[0:launcher-loader: 1719] blk_mq_complete_request+0x4c/0x5c +[ 2479.386885]I[0:launcher-loader: 1719] scsi_done_internal+0xf4/0x1e0 +[ 2479.386910]I[0:launcher-loader: 1719] scsi_done+0x14/0x20 +[ 2479.386935]I[0:launcher-loader: 1719] ufshcd_compl_one_cqe+0x578/0x71c +[ 2479.386963]I[0:launcher-loader: 1719] ufshcd_mcq_poll_cqe_nolock+0xc8/0x150 +[ 2479.386991]I[0:launcher-loader: 1719] ufshcd_intr+0x868/0xc0c +[ 2479.387017]I[0:launcher-loader: 1719] __handle_irq_event_percpu+0xd0/0x348 +[ 2479.387044]I[0:launcher-loader: 1719] handle_irq_event_percpu+0x24/0x74 +[ 2479.387068]I[0:launcher-loader: 1719] handle_irq_event+0x74/0xe0 +[ 2479.387091]I[0:launcher-loader: 1719] handle_fasteoi_irq+0x174/0x240 +[ 2479.387118]I[0:launcher-loader: 1719] handle_irq_desc+0x7c/0x2c0 +[ 2479.387147]I[0:launcher-loader: 1719] generic_handle_domain_irq+0x1c/0x28 +[ 2479.387174]I[0:launcher-loader: 1719] gic_handle_irq+0x64/0x158 +[ 2479.387204]I[0:launcher-loader: 1719] call_on_irq_stack+0x2c/0x54 +[ 2479.387231]I[0:launcher-loader: 1719] do_interrupt_handler+0x70/0xa0 +[ 2479.387258]I[0:launcher-loader: 1719] el1_interrupt+0x34/0x68 +[ 2479.387283]I[0:launcher-loader: 1719] el1h_64_irq_handler+0x18/0x24 +[ 2479.387308]I[0:launcher-loader: 1719] el1h_64_irq+0x68/0x6c +[ 2479.387332]I[0:launcher-loader: 1719] blk_attempt_bio_merge+0x8/0x170 +[ 2479.387356]I[0:launcher-loader: 1719] blk_mq_attempt_bio_merge+0x78/0x98 +[ 2479.387383]I[0:launcher-loader: 1719] blk_mq_submit_bio+0x324/0xa40 +[ 2479.387409]I[0:launcher-loader: 1719] __submit_bio+0x104/0x138 +[ 2479.387436]I[0:launcher-loader: 1719] submit_bio_noacct_nocheck+0x1d0/0x4a0 +[ 2479.387462]I[0:launcher-loader: 1719] submit_bio_noacct+0x618/0x804 +[ 
2479.387487]I[0:launcher-loader: 1719] submit_bio+0x164/0x180 +[ 2479.387511]I[0:launcher-loader: 1719] f2fs_submit_read_bio+0xe4/0x1c4 +[ 2479.387537]I[0:launcher-loader: 1719] f2fs_mpage_readpages+0x888/0xa4c +[ 2479.387563]I[0:launcher-loader: 1719] f2fs_readahead+0xd4/0x19c +[ 2479.387587]I[0:launcher-loader: 1719] read_pages+0xb0/0x4ac +[ 2479.387614]I[0:launcher-loader: 1719] page_cache_ra_unbounded+0x238/0x288 +[ 2479.387642]I[0:launcher-loader: 1719] do_page_cache_ra+0x60/0x6c +[ 2479.387669]I[0:launcher-loader: 1719] page_cache_ra_order+0x318/0x364 +[ 2479.387695]I[0:launcher-loader: 1719] ondemand_readahead+0x30c/0x3d8 +[ 2479.387722]I[0:launcher-loader: 1719] page_cache_sync_ra+0xb4/0xc8 +[ 2479.387749]I[0:launcher-loader: 1719] filemap_read+0x268/0xd24 +[ 2479.387777]I[0:launcher-loader: 1719] f2fs_file_read_iter+0x1a0/0x62c +[ 2479.387806]I[0:launcher-loader: 1719] vfs_read+0x258/0x34c +[ 2479.387831]I[0:launcher-loader: 1719] ksys_pread64+0x8c/0xd0 +[ 2479.387857]I[0:launcher-loader: 1719] __arm64_sys_pread64+0x48/0x54 +[ 2479.387881]I[0:launcher-loader: 1719] invoke_syscall+0x58/0x158 +[ 2479.387909]I[0:launcher-loader: 1719] el0_svc_common+0xf0/0x134 +[ 2479.387935]I[0:launcher-loader: 1719] do_el0_svc+0x44/0x114 +[ 2479.387961]I[0:launcher-loader: 1719] el0_svc+0x2c/0x80 +[ 2479.387985]I[0:launcher-loader: 1719] el0t_64_sync_handler+0x48/0x114 +[ 2479.388010]I[0:launcher-loader: 1719] el0t_64_sync+0x190/0x194 +[ 2479.388038]I[0:launcher-loader: 1719] Kernel panic - not syncing: kernel: panic_on_warn set ... + +So let's set __exception_irq_entry with __irq_entry as a default. +Applying this patch, we can see gic_hande_irq is included in Systemp.map as below. 
+ +* Before +ffffffc008010000 T __do_softirq +ffffffc008010000 T __irqentry_text_end +ffffffc008010000 T __irqentry_text_start +ffffffc008010000 T __softirqentry_text_start +ffffffc008010000 T _stext +ffffffc00801066c T __softirqentry_text_end +ffffffc008010670 T __entry_text_start + +* After +ffffffc008010000 T __irqentry_text_start +ffffffc008010000 T _stext +ffffffc008010000 t gic_handle_irq +ffffffc00801013c t gic_handle_irq +ffffffc008010294 T __irqentry_text_end +ffffffc008010298 T __do_softirq +ffffffc008010298 T __softirqentry_text_start +ffffffc008010904 T __softirqentry_text_end +ffffffc008010908 T __entry_text_start + +Signed-off-by: Youngmin Nam +Signed-off-by: SEO HOYOUNG +Reviewed-by: Mark Rutland +Link: https://lore.kernel.org/r/20230424010436.779733-1-youngmin.nam@samsung.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/exception.h | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/arch/arm64/include/asm/exception.h b/arch/arm64/include/asm/exception.h +index e73af709cb7ad..88d8dfeed0db6 100644 +--- a/arch/arm64/include/asm/exception.h ++++ b/arch/arm64/include/asm/exception.h +@@ -8,16 +8,11 @@ + #define __ASM_EXCEPTION_H + + #include +-#include + #include + + #include + +-#ifdef CONFIG_FUNCTION_GRAPH_TRACER + #define __exception_irq_entry __irq_entry +-#else +-#define __exception_irq_entry __kprobes +-#endif + + static inline unsigned long disr_to_esr(u64 disr) + { +-- +2.39.2 + diff --git a/tmp-6.4/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch b/tmp-6.4/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch new file mode 100644 index 00000000000..6befb371d5b --- /dev/null +++ b/tmp-6.4/asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch 
@@ -0,0 +1,63 @@ +From edd80e3e2cea3bed041663831aa8125704b574db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jun 2023 16:23:54 +0530 +Subject: ASoC: amd: acp: fix for invalid dai id handling in + acp_get_byte_count() + +From: Vijendar Mukunda + +[ Upstream commit 85aeab362201cf52c34cd429e4f6c75a0b42f9a3 ] + +For invalid dai id, instead of returning -EINVAL +return bytes count as zero in acp_get_byte_count() function. + +Fixes: 623621a9f9e1 ("ASoC: amd: Add common framework to support I2S on ACP SOC") + +Signed-off-by: Vijendar Mukunda +Link: https://lore.kernel.org/r/20230626105356.2580125-6-Vijendar.Mukunda@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/amd.h | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/amd/acp/amd.h b/sound/soc/amd/acp/amd.h +index 5f2119f422715..12a176a50fd6e 100644 +--- a/sound/soc/amd/acp/amd.h ++++ b/sound/soc/amd/acp/amd.h +@@ -173,7 +173,7 @@ int snd_amd_acp_find_config(struct pci_dev *pci); + + static inline u64 acp_get_byte_count(struct acp_dev_data *adata, int dai_id, int direction) + { +- u64 byte_count, low = 0, high = 0; ++ u64 byte_count = 0, low = 0, high = 0; + + if (direction == SNDRV_PCM_STREAM_PLAYBACK) { + switch (dai_id) { +@@ -191,7 +191,7 @@ static inline u64 acp_get_byte_count(struct acp_dev_data *adata, int dai_id, int + break; + default: + dev_err(adata->dev, "Invalid dai id %x\n", dai_id); +- return -EINVAL; ++ goto POINTER_RETURN_BYTES; + } + } else { + switch (dai_id) { +@@ -213,12 +213,13 @@ static inline u64 acp_get_byte_count(struct acp_dev_data *adata, int dai_id, int + break; + default: + dev_err(adata->dev, "Invalid dai id %x\n", dai_id); +- return -EINVAL; ++ goto POINTER_RETURN_BYTES; + } + } + /* Get 64 bit value from two 32 bit registers */ + byte_count = (high << 32) | low; + ++POINTER_RETURN_BYTES: + return byte_count; + } + +-- +2.39.2 + 
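Review bot: The two `default:` branches in `acp_get_byte_count()` now jump to an upper-case label, `POINTER_RETURN_BYTES`, whose only job is to return the zero-initialised `byte_count`; a plain `return 0;` in each branch does the same without the label or the new `= 0` initialiser. If the label stays, kernel style would have it lower-case, e.g. `out:`. A caller can now tell an invalid dai id from a stream that has transferred zero bytes only through the `dev_err()` line, which deserves a one-line comment above the function. Parts of the function body lie between the hunks and are not visible.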
diff --git a/tmp-6.4/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch b/tmp-6.4/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch
new file mode 100644
index 00000000000..aabe42628e5
--- /dev/null
+++ b/tmp-6.4/asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch
@@ -0,0 +1,157 @@ +From a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:16 +0200 +Subject: ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove + +From: Johan Hovold + +commit a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 upstream. + +The MBHC resources must be released on component probe failure and +removal so can not be tied to the lifetime of the component device. + +This is specifically needed to allow probe deferrals of the sound card +which otherwise fails when reprobing the codec component: + + snd-sc8280xp sound: ASoC: failed to instantiate card -517 + genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr) + wcd938x_codec audio-codec: Failed to request mbhc interrupts -16 + wcd938x_codec audio-codec: mbhc initialization failed + wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16 + snd-sc8280xp sound: ASoC: failed to instantiate card -16 + +Fixes: 0e5c9e7ff899 ("ASoC: codecs: wcd: add multi button Headset detection support") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-7-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd-mbhc-v2.c | 57 +++++++++++++++++++++++++++++------------ + 1 file changed, 41 insertions(+), 16 deletions(-) + +--- a/sound/soc/codecs/wcd-mbhc-v2.c ++++ b/sound/soc/codecs/wcd-mbhc-v2.c +@@ -1454,7 +1454,7 @@ struct wcd_mbhc *wcd_mbhc_init(struct sn + return ERR_PTR(-EINVAL); + } + +- mbhc = devm_kzalloc(dev, sizeof(*mbhc), GFP_KERNEL); ++ mbhc = kzalloc(sizeof(*mbhc), GFP_KERNEL); + if (!mbhc) + return ERR_PTR(-ENOMEM); + +@@ -1474,61 +1474,76 @@ struct wcd_mbhc *wcd_mbhc_init(struct sn + + INIT_WORK(&mbhc->correct_plug_swch, wcd_correct_swch_plug); + +- ret = devm_request_threaded_irq(dev, 
mbhc->intr_ids->mbhc_sw_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_sw_intr, NULL, + wcd_mbhc_mech_plug_detect_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "mbhc sw intr", mbhc); + if (ret) +- goto err; ++ goto err_free_mbhc; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_btn_press_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_btn_press_intr, NULL, + wcd_mbhc_btn_press_handler, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Button Press detect", mbhc); + if (ret) +- goto err; ++ goto err_free_sw_intr; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_btn_release_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_btn_release_intr, NULL, + wcd_mbhc_btn_release_handler, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Button Release detect", mbhc); + if (ret) +- goto err; ++ goto err_free_btn_press_intr; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_hs_ins_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_hs_ins_intr, NULL, + wcd_mbhc_adc_hs_ins_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Elect Insert", mbhc); + if (ret) +- goto err; ++ goto err_free_btn_release_intr; + + disable_irq_nosync(mbhc->intr_ids->mbhc_hs_ins_intr); + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->mbhc_hs_rem_intr, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->mbhc_hs_rem_intr, NULL, + wcd_mbhc_adc_hs_rem_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "Elect Remove", mbhc); + if (ret) +- goto err; ++ goto err_free_hs_ins_intr; + + disable_irq_nosync(mbhc->intr_ids->mbhc_hs_rem_intr); + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->hph_left_ocp, NULL, ++ ret = request_threaded_irq(mbhc->intr_ids->hph_left_ocp, NULL, + wcd_mbhc_hphl_ocp_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "HPH_L OCP detect", mbhc); + if (ret) +- goto err; ++ goto err_free_hs_rem_intr; + +- ret = devm_request_threaded_irq(dev, mbhc->intr_ids->hph_right_ocp, NULL, ++ ret = 
request_threaded_irq(mbhc->intr_ids->hph_right_ocp, NULL, + wcd_mbhc_hphr_ocp_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "HPH_R OCP detect", mbhc); + if (ret) +- goto err; ++ goto err_free_hph_left_ocp; + + return mbhc; +-err: ++ ++err_free_hph_left_ocp: ++ free_irq(mbhc->intr_ids->hph_left_ocp, mbhc); ++err_free_hs_rem_intr: ++ free_irq(mbhc->intr_ids->mbhc_hs_rem_intr, mbhc); ++err_free_hs_ins_intr: ++ free_irq(mbhc->intr_ids->mbhc_hs_ins_intr, mbhc); ++err_free_btn_release_intr: ++ free_irq(mbhc->intr_ids->mbhc_btn_release_intr, mbhc); ++err_free_btn_press_intr: ++ free_irq(mbhc->intr_ids->mbhc_btn_press_intr, mbhc); ++err_free_sw_intr: ++ free_irq(mbhc->intr_ids->mbhc_sw_intr, mbhc); ++err_free_mbhc: ++ kfree(mbhc); ++ + dev_err(dev, "Failed to request mbhc interrupts %d\n", ret); + + return ERR_PTR(ret); +@@ -1537,9 +1552,19 @@ EXPORT_SYMBOL(wcd_mbhc_init); + + void wcd_mbhc_deinit(struct wcd_mbhc *mbhc) + { ++ free_irq(mbhc->intr_ids->hph_right_ocp, mbhc); ++ free_irq(mbhc->intr_ids->hph_left_ocp, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_hs_rem_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_hs_ins_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_btn_release_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_btn_press_intr, mbhc); ++ free_irq(mbhc->intr_ids->mbhc_sw_intr, mbhc); ++ + mutex_lock(&mbhc->lock); + wcd_cancel_hs_detect_plug(mbhc, &mbhc->correct_plug_swch); + mutex_unlock(&mbhc->lock); ++ ++ kfree(mbhc); + } + EXPORT_SYMBOL(wcd_mbhc_deinit); + diff --git a/tmp-6.4/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch b/tmp-6.4/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch new file mode 100644 index 00000000000..c86cf2752f1 --- /dev/null +++ b/tmp-6.4/asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch 
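Review bot: `wcd_mbhc_init()` now returns a `kzalloc()`ed object and `wcd_mbhc_deinit()` releases it with `kfree(mbhc)`, but neither function documents this ownership change for codec drivers that previously relied on devm cleanup. A kernel-doc comment on `wcd_mbhc_deinit()` should state that it frees the seven IRQs and the structure itself, and that the pointer must not be used afterwards. It should also say that the function must not be passed the `ERR_PTR()` value `wcd_mbhc_init()` returns on failure, since it dereferences `mbhc->intr_ids` unconditionally. `wcd_mbhc_init()` starts outside the hunk.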
@@ -0,0 +1,54 @@ +From 798590cc7d3c2b5f3a7548d96dd4d8a081c1bc39 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:15 +0200 +Subject: ASoC: codecs: wcd934x: fix resource leaks on component remove + +From: Johan Hovold + +commit 798590cc7d3c2b5f3a7548d96dd4d8a081c1bc39 upstream. + +Make sure to release allocated MBHC resources also on component remove. + +This is specifically needed to allow probe deferrals of the sound card +which otherwise fails when reprobing the codec component. + +Fixes: 9fb9b1690f0b ("ASoC: codecs: wcd934x: add mbhc support") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-6-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd934x.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/sound/soc/codecs/wcd934x.c ++++ b/sound/soc/codecs/wcd934x.c +@@ -3044,6 +3044,17 @@ static int wcd934x_mbhc_init(struct snd_ + + return 0; + } ++ ++static void wcd934x_mbhc_deinit(struct snd_soc_component *component) ++{ ++ struct wcd934x_codec *wcd = snd_soc_component_get_drvdata(component); ++ ++ if (!wcd->mbhc) ++ return; ++ ++ wcd_mbhc_deinit(wcd->mbhc); ++} ++ + static int wcd934x_comp_probe(struct snd_soc_component *component) + { + struct wcd934x_codec *wcd = dev_get_drvdata(component->dev); +@@ -3077,6 +3088,7 @@ static void wcd934x_comp_remove(struct s + { + struct wcd934x_codec *wcd = dev_get_drvdata(comp->dev); + ++ wcd934x_mbhc_deinit(comp); + wcd_clsh_ctrl_free(wcd->clsh_ctrl); + } + diff --git a/tmp-6.4/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch b/tmp-6.4/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch new file mode 100644 index 00000000000..3e47419b85b --- /dev/null +++ b/tmp-6.4/asoc-codecs-wcd938x-fix-codec-initialisation-race.patch 
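Review bot: `wcd934x_mbhc_deinit()` leaves `wcd->mbhc` pointing at the object after `wcd_mbhc_deinit(wcd->mbhc)` returns, while its own guard `if (!wcd->mbhc)` depends on the field being NULL when nothing is allocated. If `wcd_mbhc_deinit()` frees the structure, as the wcd-mbhc-v2 patch on this page does, a later remove or any path that reads the field before it is reassigned would see a stale pointer. Adding `wcd->mbhc = NULL;` after the call closes that gap. The guard also does not cover an `ERR_PTR()` value; whether `wcd934x_mbhc_init()` can store one is not visible in this hunk.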
@@ -0,0 +1,54 @@ +From 85a61b1ce461a3f62f1019e5e6423c393c542bff Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 30 Jun 2023 14:03:18 +0200 +Subject: ASoC: codecs: wcd938x: fix codec initialisation race + +From: Johan Hovold + +commit 85a61b1ce461a3f62f1019e5e6423c393c542bff upstream. + +Make sure to resume the codec and soundwire device before trying to read +the codec variant and configure the device during component probe. + +This specifically avoids interpreting (a masked and shifted) -EBUSY +errno as the variant: + + wcd938x_codec audio-codec: ASoC: error at soc_component_read_no_lock on audio-codec for register: [0x000034b0] -16 + +when the soundwire device happens to be suspended, which in turn +prevents some headphone controls from being registered. + +Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Reported-by: Steev Klimaszewski +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230630120318.6571-1-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3095,6 +3095,10 @@ static int wcd938x_soc_codec_probe(struc + + snd_soc_component_init_regmap(component, wcd938x->regmap); + ++ ret = pm_runtime_resume_and_get(dev); ++ if (ret < 0) ++ return ret; ++ + wcd938x->variant = snd_soc_component_read_field(component, + WCD938X_DIGITAL_EFUSE_REG_0, + WCD938X_ID_MASK); +@@ -3112,6 +3116,8 @@ static int wcd938x_soc_codec_probe(struc + (WCD938X_DIGITAL_INTR_LEVEL_0 + i), 0); + } + ++ pm_runtime_put(dev); ++ + wcd938x->hphr_pdm_wd_int = regmap_irq_get_virq(wcd938x->irq_chip, + WCD938X_IRQ_HPHR_PDM_WD_INT); + wcd938x->hphl_pdm_wd_int = regmap_irq_get_virq(wcd938x->irq_chip, 
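Review bot: The value returned by `snd_soc_component_read_field()` is still stored in `wcd938x->variant` without validation. Resuming the device removes the -EBUSY case described in the commit message, but any other read failure would again be interpreted as a variant. Checking the result against the variants the driver supports, and failing the probe otherwise after `pm_runtime_put(dev)`, would make that explicit. Every early return later added between `pm_runtime_resume_and_get()` and `pm_runtime_put()` also has to drop the reference, so a comment at the get would help: `/* keep the device resumed for the register accesses below; paired with pm_runtime_put() */`. The function body continues outside the hunk.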
diff --git a/tmp-6.4/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch b/tmp-6.4/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch
new file mode 100644
index 00000000000..40da9bf5384
--- /dev/null
+++ b/tmp-6.4/asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch
@@ -0,0 +1,51 @@ +From d0035014b8bfd8c7e5845573b7e9f5b4db95cb74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 13:57:23 +0100 +Subject: ASoC: codecs: wcd938x: fix dB range for HPHL and HPHR + +From: Srinivas Kandagatla + +[ Upstream commit c03226ba15fe3c42d13907ec7d8536396602557b ] + +dB range for HPHL and HPHR gains are from +6dB to -30dB in steps of +1.5dB with register values range from 0 to 24. + +Current code maps these dB ranges incorrectly, fix them to allow proper +volume setting. + +Fixes: e8ba1e05bdc0 ("ASoC: codecs: wcd938x: add basic controls") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705125723.40464-1-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd938x.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/wcd938x.c b/sound/soc/codecs/wcd938x.c +index 8bb6a5ff7b0f6..4a0b990f56e12 100644 +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -210,7 +210,7 @@ struct wcd938x_priv { + }; + + static const SNDRV_CTL_TLVD_DECLARE_DB_MINMAX(ear_pa_gain, 600, -1800); +-static const SNDRV_CTL_TLVD_DECLARE_DB_MINMAX(line_gain, 600, -3000); ++static const DECLARE_TLV_DB_SCALE(line_gain, -3000, 150, -3000); + static const SNDRV_CTL_TLVD_DECLARE_DB_MINMAX(analog_gain, 0, 3000); + + struct wcd938x_mbhc_zdet_param { +@@ -2662,8 +2662,8 @@ static const struct snd_kcontrol_new wcd938x_snd_controls[] = { + wcd938x_get_swr_port, wcd938x_set_swr_port), + SOC_SINGLE_EXT("DSD_R Switch", WCD938X_DSD_R, 0, 1, 0, + wcd938x_get_swr_port, wcd938x_set_swr_port), +- SOC_SINGLE_TLV("HPHL Volume", WCD938X_HPH_L_EN, 0, 0x18, 0, line_gain), +- SOC_SINGLE_TLV("HPHR Volume", WCD938X_HPH_R_EN, 0, 0x18, 0, line_gain), ++ SOC_SINGLE_TLV("HPHL Volume", WCD938X_HPH_L_EN, 0, 0x18, 1, line_gain), ++ SOC_SINGLE_TLV("HPHR Volume", WCD938X_HPH_R_EN, 0, 0x18, 1, line_gain), + WCD938X_EAR_PA_GAIN_TLV("EAR_PA Volume", 
WCD938X_ANA_EAR_COMPANDER_CTL, + 2, 0x10, 0, ear_pa_gain), + SOC_SINGLE_EXT("ADC1 Switch", WCD938X_ADC1, 1, 1, 0, +-- +2.39.2 + diff --git a/tmp-6.4/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch b/tmp-6.4/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch new file mode 100644 index 00000000000..4830220c4a0 --- /dev/null +++ b/tmp-6.4/asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch @@ -0,0 +1,43 @@ +From 272677a7d51d5f30b931b0981c50a2b2cff55289 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jun 2023 16:27:13 +0200 +Subject: ASoC: codecs: wcd938x: fix mbhc impedance loglevel + +From: Johan Hovold + +[ Upstream commit e5ce198bd5c6923b6a51e1493b1401f84c24b26d ] + +Demote the MBHC impedance measurement printk, which is not an error +message, from error to debug level. + +While at it, fix the capitalisation of "ohm" and add the missing space +before the opening parenthesis. + +Fixes: bcee7ed09b8e ("ASoC: codecs: wcd938x: add Multi Button Headset Control support") +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230630142717.5314-2-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd938x.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/wcd938x.c b/sound/soc/codecs/wcd938x.c +index 0ff8f784b5eca..8bb6a5ff7b0f6 100644 +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -2165,8 +2165,8 @@ static inline void wcd938x_mbhc_get_result_params(struct wcd938x_priv *wcd938x, + else if (x1 < minCode_param[noff]) + *zdet = WCD938X_ZDET_FLOATING_IMPEDANCE; + +- pr_err("%s: d1=%d, c1=%d, x1=0x%x, z_val=%d(milliOhm)\n", +- __func__, d1, c1, x1, *zdet); ++ pr_debug("%s: d1=%d, c1=%d, x1=0x%x, z_val=%d (milliohm)\n", ++ __func__, d1, c1, x1, *zdet); + ramp_down: + i = 0; + while (x1) { +-- +2.39.2 + 
diff --git a/tmp-6.4/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch b/tmp-6.4/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch new file mode 100644 index 00000000000..a2e1b76ba60 --- /dev/null +++ b/tmp-6.4/asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch @@ -0,0 +1,37 @@ +From ed0dd9205bf69593edb495cb4b086dbae96a3f05 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:13 +0200 +Subject: ASoC: codecs: wcd938x: fix missing clsh ctrl error handling + +From: Johan Hovold + +commit ed0dd9205bf69593edb495cb4b086dbae96a3f05 upstream. + +Allocation of the clash control structure may fail so add the missing +error handling to avoid dereferencing an error pointer. + +Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-4-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3090,6 +3090,10 @@ static int wcd938x_soc_codec_probe(struc + WCD938X_ID_MASK); + + wcd938x->clsh_info = wcd_clsh_ctrl_alloc(component, WCD938X); ++ if (IS_ERR(wcd938x->clsh_info)) { ++ pm_runtime_put(dev); ++ return PTR_ERR(wcd938x->clsh_info); ++ } + + wcd938x_io_init(wcd938x); + /* Set all interrupts as edge triggered */ diff --git a/tmp-6.4/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch b/tmp-6.4/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch new file mode 100644 index 00000000000..a98d816a471 --- /dev/null +++ b/tmp-6.4/asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch 
@@ -0,0 +1,51 @@ +From 7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 3 Jul 2023 14:47:01 +0200 +Subject: ASoC: codecs: wcd938x: fix missing mbhc init error handling + +From: Johan Hovold + +commit 7dfae2631bfbdebecd35fe7b472ab3cc95c9ed66 upstream. + +MBHC initialisation can fail so add the missing error handling to avoid +dereferencing an error pointer when later configuring the jack: + + Unable to handle kernel paging request at virtual address fffffffffffffff8 + + pc : wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc] + lr : wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x] + + Call trace: + wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc] + wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x] + snd_soc_component_set_jack+0x28/0x8c [snd_soc_core] + qcom_snd_wcd_jack_setup+0x7c/0x19c [snd_soc_qcom_common] + sc8280xp_snd_init+0x20/0x2c [snd_soc_sc8280xp] + snd_soc_link_init+0x28/0x90 [snd_soc_core] + snd_soc_bind_card+0x628/0xbfc [snd_soc_core] + snd_soc_register_card+0xec/0x104 [snd_soc_core] + devm_snd_soc_register_card+0x4c/0xa4 [snd_soc_core] + sc8280xp_platform_probe+0xf0/0x108 [snd_soc_sc8280xp] + +Fixes: bcee7ed09b8e ("ASoC: codecs: wcd938x: add Multi Button Headset Control support") +Cc: stable@vger.kernel.org # 5.15 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20230703124701.11734-1-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -2625,6 +2625,8 @@ static int wcd938x_mbhc_init(struct snd_ + WCD938X_IRQ_HPHR_OCP_INT); + + wcd938x->wcd_mbhc = wcd_mbhc_init(component, &mbhc_cb, intr_ids, wcd_mbhc_fields, true); ++ if (IS_ERR(wcd938x->wcd_mbhc)) ++ return PTR_ERR(wcd938x->wcd_mbhc); + + snd_soc_add_component_controls(component, impedance_detect_controls, + 
ARRAY_SIZE(impedance_detect_controls)); diff --git a/tmp-6.4/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch b/tmp-6.4/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch new file mode 100644 index 00000000000..40f70a75c04 --- /dev/null +++ b/tmp-6.4/asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch 
@@ -0,0 +1,151 @@ +From a3406f87775fee986876e03f93a84385f54d5999 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:14 +0200 +Subject: ASoC: codecs: wcd938x: fix resource leaks on component remove + +From: Johan Hovold + +commit a3406f87775fee986876e03f93a84385f54d5999 upstream. + +Make sure to release allocated resources on component probe failure and +on remove. + +This is specifically needed to allow probe deferrals of the sound card +which otherwise fails when reprobing the codec component: + + snd-sc8280xp sound: ASoC: failed to instantiate card -517 + genirq: Flags mismatch irq 289. 00002001 (HPHR PDM WD INT) vs. 00002001 (HPHR PDM WD INT) + wcd938x_codec audio-codec: Failed to request HPHR WD interrupt (-16) + genirq: Flags mismatch irq 290. 00002001 (HPHL PDM WD INT) vs. 00002001 (HPHL PDM WD INT) + wcd938x_codec audio-codec: Failed to request HPHL WD interrupt (-16) + genirq: Flags mismatch irq 291. 00002001 (AUX PDM WD INT) vs. 00002001 (AUX PDM WD INT) + wcd938x_codec audio-codec: Failed to request Aux WD interrupt (-16) + genirq: Flags mismatch irq 292. 00002001 (mbhc sw intr) vs. 
00002001 (mbhc sw intr) + wcd938x_codec audio-codec: Failed to request mbhc interrupts -16 + +Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-5-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 55 +++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 48 insertions(+), 7 deletions(-) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -2633,6 +2633,14 @@ static int wcd938x_mbhc_init(struct snd_ + + return 0; + } ++ ++static void wcd938x_mbhc_deinit(struct snd_soc_component *component) ++{ ++ struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); ++ ++ wcd_mbhc_deinit(wcd938x->wcd_mbhc); ++} ++ + /* END MBHC */ + + static const struct snd_kcontrol_new wcd938x_snd_controls[] = { +@@ -3113,20 +3121,26 @@ static int wcd938x_soc_codec_probe(struc + ret = request_threaded_irq(wcd938x->hphr_pdm_wd_int, NULL, wcd938x_wd_handle_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "HPHR PDM WD INT", wcd938x); +- if (ret) ++ if (ret) { + dev_err(dev, "Failed to request HPHR WD interrupt (%d)\n", ret); ++ goto err_free_clsh_ctrl; ++ } + + ret = request_threaded_irq(wcd938x->hphl_pdm_wd_int, NULL, wcd938x_wd_handle_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "HPHL PDM WD INT", wcd938x); +- if (ret) ++ if (ret) { + dev_err(dev, "Failed to request HPHL WD interrupt (%d)\n", ret); ++ goto err_free_hphr_pdm_wd_int; ++ } + + ret = request_threaded_irq(wcd938x->aux_pdm_wd_int, NULL, wcd938x_wd_handle_irq, + IRQF_ONESHOT | IRQF_TRIGGER_RISING, + "AUX PDM WD INT", wcd938x); +- if (ret) ++ if (ret) { + dev_err(dev, "Failed to request Aux WD interrupt (%d)\n", ret); ++ goto err_free_hphl_pdm_wd_int; ++ } + + /* Disable watchdog interrupt for HPH and AUX */ + 
disable_irq_nosync(wcd938x->hphr_pdm_wd_int); +@@ -3141,7 +3155,7 @@ static int wcd938x_soc_codec_probe(struc + dev_err(component->dev, + "%s: Failed to add snd ctrls for variant: %d\n", + __func__, wcd938x->variant); +- goto err; ++ goto err_free_aux_pdm_wd_int; + } + break; + case WCD9385: +@@ -3151,7 +3165,7 @@ static int wcd938x_soc_codec_probe(struc + dev_err(component->dev, + "%s: Failed to add snd ctrls for variant: %d\n", + __func__, wcd938x->variant); +- goto err; ++ goto err_free_aux_pdm_wd_int; + } + break; + default: +@@ -3159,12 +3173,38 @@ static int wcd938x_soc_codec_probe(struc + } + + ret = wcd938x_mbhc_init(component); +- if (ret) ++ if (ret) { + dev_err(component->dev, "mbhc initialization failed\n"); +-err: ++ goto err_free_aux_pdm_wd_int; ++ } ++ ++ return 0; ++ ++err_free_aux_pdm_wd_int: ++ free_irq(wcd938x->aux_pdm_wd_int, wcd938x); ++err_free_hphl_pdm_wd_int: ++ free_irq(wcd938x->hphl_pdm_wd_int, wcd938x); ++err_free_hphr_pdm_wd_int: ++ free_irq(wcd938x->hphr_pdm_wd_int, wcd938x); ++err_free_clsh_ctrl: ++ wcd_clsh_ctrl_free(wcd938x->clsh_info); ++ + return ret; + } + ++static void wcd938x_soc_codec_remove(struct snd_soc_component *component) ++{ ++ struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); ++ ++ wcd938x_mbhc_deinit(component); ++ ++ free_irq(wcd938x->aux_pdm_wd_int, wcd938x); ++ free_irq(wcd938x->hphl_pdm_wd_int, wcd938x); ++ free_irq(wcd938x->hphr_pdm_wd_int, wcd938x); ++ ++ wcd_clsh_ctrl_free(wcd938x->clsh_info); ++} ++ + static int wcd938x_codec_set_jack(struct snd_soc_component *comp, + struct snd_soc_jack *jack, void *data) + { +@@ -3181,6 +3221,7 @@ static int wcd938x_codec_set_jack(struct + static const struct snd_soc_component_driver soc_codec_dev_wcd938x = { + .name = "wcd938x_codec", + .probe = wcd938x_soc_codec_probe, ++ .remove = wcd938x_soc_codec_remove, + .controls = wcd938x_snd_controls, + .num_controls = ARRAY_SIZE(wcd938x_snd_controls), + .dapm_widgets = wcd938x_dapm_widgets, 
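Review bot: `wcd938x_soc_codec_remove()` and `wcd938x_mbhc_deinit()` release `clsh_info` and `wcd_mbhc` but leave the freed pointers in `struct wcd938x_priv`, which is fetched from the component's drvdata and, going by the re-probe scenario in the commit message, appears to outlive the component. Clearing them after release (`wcd938x->wcd_mbhc = NULL;` after `wcd_mbhc_deinit()`, `wcd938x->clsh_info = NULL;` after `wcd_clsh_ctrl_free()`, including on the `err_free_clsh_ctrl` path) would turn a stale access between remove and the next probe into an obvious NULL dereference instead of a use-after-free. Whether any path reads these fields in that window is not visible in the hunks. A short comment on the remove callback stating that it undoes probe in reverse order would also help keep the two in step.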
diff --git a/tmp-6.4/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch b/tmp-6.4/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch new file mode 100644 index 00000000000..b36252e567d --- /dev/null +++ b/tmp-6.4/asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch 
@@ -0,0 +1,55 @@ +From 6f49256897083848ce9a59651f6b53fc80462397 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Sat, 1 Jul 2023 11:47:23 +0200 +Subject: ASoC: codecs: wcd938x: fix soundwire initialisation race + +From: Johan Hovold + +commit 6f49256897083848ce9a59651f6b53fc80462397 upstream. + +Make sure that the soundwire device used for register accesses has been +enumerated and initialised before trying to read the codec variant +during component probe. + +This specifically avoids interpreting (a masked and shifted) -EBUSY +errno as the variant: + + wcd938x_codec audio-codec: ASoC: error at soc_component_read_no_lock on audio-codec for register: [0x000034b0] -16 + +in case the soundwire device has not yet been initialised, which in turn +prevents some headphone controls from being registered. + +Fixes: 8d78602aa87a ("ASoC: codecs: wcd938x: add basic driver") +Cc: stable@vger.kernel.org # 5.14 +Cc: Srinivas Kandagatla +Reported-by: Steev Klimaszewski +Signed-off-by: Johan Hovold +Tested-by: Steev Klimaszewski +Link: https://lore.kernel.org/r/20230701094723.29379-1-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd938x.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/sound/soc/codecs/wcd938x.c ++++ b/sound/soc/codecs/wcd938x.c +@@ -3090,9 +3090,18 @@ static int wcd938x_irq_init(struct wcd93 + static int wcd938x_soc_codec_probe(struct snd_soc_component *component) + { + struct wcd938x_priv *wcd938x = snd_soc_component_get_drvdata(component); ++ struct sdw_slave *tx_sdw_dev = wcd938x->tx_sdw_dev; + struct device *dev = component->dev; ++ unsigned long time_left; + int ret, i; + ++ time_left = wait_for_completion_timeout(&tx_sdw_dev->initialization_complete, ++ msecs_to_jiffies(2000)); ++ if (!time_left) { ++ dev_err(dev, "soundwire device init timeout\n"); ++ return -ETIMEDOUT; ++ } ++ + snd_soc_component_init_regmap(component, wcd938x->regmap); + + ret = pm_runtime_resume_and_get(dev); 
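Review bot: The `msecs_to_jiffies(2000)` timeout in wcd938x_soc_codec_probe() is an unexplained literal; a named constant with a one-line comment on why two seconds is enough for soundwire enumeration would make later tuning safer, e.g. `#define WCD938X_SDW_INIT_TIMEOUT_MS 2000` and `msecs_to_jiffies(WCD938X_SDW_INIT_TIMEOUT_MS)`. The new code also dereferences `tx_sdw_dev` unconditionally in `&tx_sdw_dev->initialization_complete`; that is fine only if `wcd938x->tx_sdw_dev` is always set before the component can be probed, which is established outside this hunk and worth confirming. The function body continues past the end of the hunk.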
diff --git a/tmp-6.4/asoc-cs35l45-select-regmap_irq.patch b/tmp-6.4/asoc-cs35l45-select-regmap_irq.patch new file mode 100644 index 00000000000..160366ec5f8 --- /dev/null +++ b/tmp-6.4/asoc-cs35l45-select-regmap_irq.patch @@ -0,0 +1,41 @@ +From d9ba2975e98a4bec0a9f8d4be4c1de8883fccb71 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 3 Jul 2023 14:43:15 -0700 +Subject: ASoC: cs35l45: Select REGMAP_IRQ + +From: Nathan Chancellor + +commit d9ba2975e98a4bec0a9f8d4be4c1de8883fccb71 upstream. + +After commit 6085f9e6dc19 ("ASoC: cs35l45: IRQ support"), without any +other configuration that selects CONFIG_REGMAP_IRQ, modpost errors out +with: + + ERROR: modpost: "regmap_irq_get_virq" [sound/soc/codecs/snd-soc-cs35l45.ko] undefined! + ERROR: modpost: "devm_regmap_add_irq_chip" [sound/soc/codecs/snd-soc-cs35l45.ko] undefined! + +Add the Kconfig selection to ensure these functions get built and +included, which resolves the build failure. + +Cc: stable@vger.kernel.org +Fixes: 6085f9e6dc19 ("ASoC: cs35l45: IRQ support") +Reported-by: Marcus Seyfarth +Closes: https://github.com/ClangBuiltLinux/linux/issues/1882 +Signed-off-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20230703-cs35l45-select-regmap_irq-v1-1-37d7e838b614@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/soc/codecs/Kconfig ++++ b/sound/soc/codecs/Kconfig +@@ -701,6 +701,7 @@ config SND_SOC_CS35L41_I2C + + config SND_SOC_CS35L45 + tristate ++ select REGMAP_IRQ + + config SND_SOC_CS35L45_SPI + tristate "Cirrus Logic CS35L45 CODEC (SPI)" diff --git a/tmp-6.4/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch b/tmp-6.4/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch new file mode 100644 index 00000000000..6729b149d1e --- /dev/null +++ b/tmp-6.4/asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch 
@@ -0,0 +1,86 @@ +From e51df4f81b02bcdd828a04de7c1eb6a92988b61e Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni +Date: Thu, 13 Jul 2023 13:21:12 +0200 +Subject: ASoC: cs42l51: fix driver to properly autoload with automatic module loading + +From: Thomas Petazzoni + +commit e51df4f81b02bcdd828a04de7c1eb6a92988b61e upstream. + +In commit 2cb1e0259f50 ("ASoC: cs42l51: re-hook of_match_table +pointer"), 9 years ago, some random guy fixed the cs42l51 after it was +split into a core part and an I2C part to properly match based on a +Device Tree compatible string. + +However, the fix in this commit is wrong: the MODULE_DEVICE_TABLE(of, +....) is in the core part of the driver, not the I2C part. Therefore, +automatic module loading based on module.alias, based on matching with +the DT compatible string, loads the core part of the driver, but not +the I2C part. And threfore, the i2c_driver is not registered, and the +codec is not known to the system, nor matched with a DT node with the +corresponding compatible string. + +In order to fix that, we move the MODULE_DEVICE_TABLE(of, ...) into +the I2C part of the driver. The cs42l51_of_match[] array is also moved +as well, as it is not possible to have this definition in one file, +and the MODULE_DEVICE_TABLE(of, ...) invocation in another file, due +to how MODULE_DEVICE_TABLE works. + +Thanks to this commit, the I2C part of the driver now properly +autoloads, and thanks to its dependency on the core part, the core +part gets autoloaded as well, resulting in a functional sound card +without having to manually load kernel modules. 
+ +Fixes: 2cb1e0259f50 ("ASoC: cs42l51: re-hook of_match_table pointer") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Petazzoni +Link: https://lore.kernel.org/r/20230713112112.778576-1-thomas.petazzoni@bootlin.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/cs42l51-i2c.c | 6 ++++++ + sound/soc/codecs/cs42l51.c | 7 ------- + sound/soc/codecs/cs42l51.h | 1 - + 3 files changed, 6 insertions(+), 8 deletions(-) + +--- a/sound/soc/codecs/cs42l51-i2c.c ++++ b/sound/soc/codecs/cs42l51-i2c.c +@@ -19,6 +19,12 @@ static struct i2c_device_id cs42l51_i2c_ + }; + MODULE_DEVICE_TABLE(i2c, cs42l51_i2c_id); + ++const struct of_device_id cs42l51_of_match[] = { ++ { .compatible = "cirrus,cs42l51", }, ++ { } ++}; ++MODULE_DEVICE_TABLE(of, cs42l51_of_match); ++ + static int cs42l51_i2c_probe(struct i2c_client *i2c) + { + struct regmap_config config; +--- a/sound/soc/codecs/cs42l51.c ++++ b/sound/soc/codecs/cs42l51.c +@@ -826,13 +826,6 @@ int __maybe_unused cs42l51_resume(struct + } + EXPORT_SYMBOL_GPL(cs42l51_resume); + +-const struct of_device_id cs42l51_of_match[] = { +- { .compatible = "cirrus,cs42l51", }, +- { } +-}; +-MODULE_DEVICE_TABLE(of, cs42l51_of_match); +-EXPORT_SYMBOL_GPL(cs42l51_of_match); +- + MODULE_AUTHOR("Arnaud Patard "); + MODULE_DESCRIPTION("Cirrus Logic CS42L51 ALSA SoC Codec Driver"); + MODULE_LICENSE("GPL"); +--- a/sound/soc/codecs/cs42l51.h ++++ b/sound/soc/codecs/cs42l51.h +@@ -16,7 +16,6 @@ int cs42l51_probe(struct device *dev, st + void cs42l51_remove(struct device *dev); + int __maybe_unused cs42l51_suspend(struct device *dev); + int __maybe_unused cs42l51_resume(struct device *dev); +-extern const struct of_device_id cs42l51_of_match[]; + + #define CS42L51_CHIP_ID 0x1B + #define CS42L51_CHIP_REV_A 0x00 diff --git a/tmp-6.4/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch b/tmp-6.4/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch new file mode 100644 index 00000000000..6e550a45412 --- /dev/null 
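Review bot: The relocated `cs42l51_of_match[]` in cs42l51-i2c.c is defined without `static`, while the same commit removes its `extern` declaration from cs42l51.h and its `EXPORT_SYMBOL_GPL()`. That leaves a global symbol with no declaration, which sparse reports as "was not declared, should it be static?" and which needlessly occupies the global namespace. Unless another translation unit still references the table (none is visible in this diff), the definition should read `static const struct of_device_id cs42l51_of_match[] = {`. How the I2C driver references the table is outside the hunk, so check whether it also needs `__maybe_unused` for builds without CONFIG_OF.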
+++ b/tmp-6.4/asoc-fsl_sai-disable-bit-clock-with-transmitter.patch @@ -0,0 +1,43 @@ +From 269f399dc19f0e5c51711c3ba3bd06e0ef6ef403 Mon Sep 17 00:00:00 2001 +From: Matus Gajdos +Date: Wed, 12 Jul 2023 14:49:33 +0200 +Subject: ASoC: fsl_sai: Disable bit clock with transmitter + +From: Matus Gajdos + +commit 269f399dc19f0e5c51711c3ba3bd06e0ef6ef403 upstream. + +Otherwise bit clock remains running writing invalid data to the DAC. + +Signed-off-by: Matus Gajdos +Acked-by: Shengjiu Wang +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230712124934.32232-1-matuszpd@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/fsl/fsl_sai.c | 2 +- + sound/soc/fsl/fsl_sai.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -719,7 +719,7 @@ static void fsl_sai_config_disable(struc + u32 xcsr, count = 100; + + regmap_update_bits(sai->regmap, FSL_SAI_xCSR(tx, ofs), +- FSL_SAI_CSR_TERE, 0); ++ FSL_SAI_CSR_TERE | FSL_SAI_CSR_BCE, 0); + + /* TERE will remain set till the end of current frame */ + do { +--- a/sound/soc/fsl/fsl_sai.h ++++ b/sound/soc/fsl/fsl_sai.h +@@ -91,6 +91,7 @@ + /* SAI Transmit/Receive Control Register */ + #define FSL_SAI_CSR_TERE BIT(31) + #define FSL_SAI_CSR_SE BIT(30) ++#define FSL_SAI_CSR_BCE BIT(28) + #define FSL_SAI_CSR_FR BIT(25) + #define FSL_SAI_CSR_SR BIT(24) + #define FSL_SAI_CSR_xF_SHIFT 16 diff --git a/tmp-6.4/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch b/tmp-6.4/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch new file mode 100644 index 00000000000..63bc90993fa --- /dev/null +++ b/tmp-6.4/asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch 
@@ -0,0 +1,53 @@ +From 86867aca7330e4fbcfa2a117e20b48bbb6c758a9 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Thu, 6 Jul 2023 19:18:27 -0300 +Subject: ASoC: fsl_sai: Revert "ASoC: fsl_sai: Enable MCTL_MCLK_EN bit for master mode" + +From: Fabio Estevam + +commit 86867aca7330e4fbcfa2a117e20b48bbb6c758a9 upstream. + +This reverts commit ff87d619ac180444db297f043962a5c325ded47b. + +Andreas reports that on an i.MX8MP-based system where MCLK needs to be +used as an input, the MCLK pin is actually an output, despite not having +the 'fsl,sai-mclk-direction-output' property present in the devicetree. + +This is caused by commit ff87d619ac18 ("ASoC: fsl_sai: Enable +MCTL_MCLK_EN bit for master mode") that sets FSL_SAI_MCTL_MCLK_EN +unconditionally for imx8mm/8mn/8mp/93, causing the MCLK to always +be configured as output. + +FSL_SAI_MCTL_MCLK_EN corresponds to the MOE (MCLK Output Enable) bit +of register MCR and the drivers sets it when the +'fsl,sai-mclk-direction-output' devicetree property is present. + +Revert the commit to allow SAI to use MCLK as input as well. + +Cc: stable@vger.kernel.org +Fixes: ff87d619ac18 ("ASoC: fsl_sai: Enable MCTL_MCLK_EN bit for master mode") +Reported-by: Andreas Henriksson +Signed-off-by: Fabio Estevam +Acked-by: Shengjiu Wang +Link: https://lore.kernel.org/r/20230706221827.1938990-1-festevam@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/fsl/fsl_sai.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -507,12 +507,6 @@ static int fsl_sai_set_bclk(struct snd_s + savediv / 2 - 1); + } + +- if (sai->soc_data->max_register >= FSL_SAI_MCTL) { +- /* SAI is in master mode at this point, so enable MCLK */ +- regmap_update_bits(sai->regmap, FSL_SAI_MCTL, +- FSL_SAI_MCTL_MCLK_EN, FSL_SAI_MCTL_MCLK_EN); +- } +- + return 0; + } + 
diff --git a/tmp-6.4/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch b/tmp-6.4/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch new file mode 100644 index 00000000000..91e7129bc73 --- /dev/null +++ b/tmp-6.4/asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch 
@@ -0,0 +1,60 @@ +From 922473de77853fe08b1fd0ab538d820d97b554dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jul 2023 14:18:42 +0100 +Subject: ASoC: qcom: q6apm: do not close GPR port before closing graph + +From: Srinivas Kandagatla + +[ Upstream commit c1be62923d4d86e7c06b1224626e27eb8d9ab32e ] + +Closing GPR port before graph close can result in un handled notifications +from DSP, this results in spam of errors from GPR driver as there is no +one to handle these notification at that point in time. + +Fix this by closing GPR port after graph close is finished. + +Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705131842.41584-1-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/qcom/qdsp6/q6apm.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/qcom/qdsp6/q6apm.c b/sound/soc/qcom/qdsp6/q6apm.c +index a7a3f973eb6d5..cdebf209c8a55 100644 +--- a/sound/soc/qcom/qdsp6/q6apm.c ++++ b/sound/soc/qcom/qdsp6/q6apm.c +@@ -446,6 +446,8 @@ static int graph_callback(struct gpr_resp_pkt *data, void *priv, int op) + + switch (hdr->opcode) { + case DATA_CMD_RSP_WR_SH_MEM_EP_DATA_BUFFER_DONE_V2: ++ if (!graph->ar_graph) ++ break; + client_event = APM_CLIENT_EVENT_DATA_WRITE_DONE; + mutex_lock(&graph->lock); + token = hdr->token & APM_WRITE_TOKEN_MASK; +@@ -479,6 +481,8 @@ static int graph_callback(struct gpr_resp_pkt *data, void *priv, int op) + wake_up(&graph->cmd_wait); + break; + case DATA_CMD_RSP_RD_SH_MEM_EP_DATA_BUFFER_V2: ++ if (!graph->ar_graph) ++ break; + client_event = APM_CLIENT_EVENT_DATA_READ_DONE; + mutex_lock(&graph->lock); + rd_done = data->payload; +@@ -581,8 +585,9 @@ int q6apm_graph_close(struct q6apm_graph *graph) + { + struct audioreach_graph *ar_graph = graph->ar_graph; + +- gpr_free_port(graph->port); ++ graph->ar_graph = NULL; + kref_put(&ar_graph->refcount, 
q6apm_put_audioreach_graph); ++ gpr_free_port(graph->port); + kfree(graph); + + return 0; +-- +2.39.2 + diff --git a/tmp-6.4/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch b/tmp-6.4/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch new file mode 100644 index 00000000000..8ccedcb8812 --- /dev/null +++ b/tmp-6.4/asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch @@ -0,0 +1,37 @@ +From 46ec420573cefa1fc98025e7e6841bdafd6f1e20 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 5 Jul 2023 14:30:12 +0200 +Subject: ASoC: qdsp6: audioreach: fix topology probe deferral + +From: Johan Hovold + +commit 46ec420573cefa1fc98025e7e6841bdafd6f1e20 upstream. + +Propagate errors when failing to load the topology component so that +probe deferrals can be handled. + +Fixes: 36ad9bf1d93d ("ASoC: qdsp6: audioreach: add topology support") +Cc: stable@vger.kernel.org # 5.17 +Cc: Srinivas Kandagatla +Signed-off-by: Johan Hovold +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20230705123018.30903-3-johan+linaro@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/topology.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/qcom/qdsp6/topology.c ++++ b/sound/soc/qcom/qdsp6/topology.c +@@ -1277,8 +1277,8 @@ int audioreach_tplg_init(struct snd_soc_ + + ret = snd_soc_tplg_component_load(component, &audioreach_tplg_ops, fw); + if (ret < 0) { +- dev_err(dev, "tplg component load failed%d\n", ret); +- ret = -EINVAL; ++ if (ret != -EPROBE_DEFER) ++ dev_err(dev, "tplg component load failed: %d\n", ret); + } + + release_firmware(fw); diff --git a/tmp-6.4/asoc-rt5640-fix-sleep-in-atomic-context.patch b/tmp-6.4/asoc-rt5640-fix-sleep-in-atomic-context.patch new file mode 100644 index 00000000000..6098e4ece7e --- /dev/null +++ b/tmp-6.4/asoc-rt5640-fix-sleep-in-atomic-context.patch 
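Review bot: The new `if (!graph->ar_graph) break;` checks in graph_callback() run before `mutex_lock(&graph->lock)`, and q6apm_graph_close() clears the field with a plain store outside any lock, so the check and the close are not ordered against each other. A callback can pass the check, after which close can drop the audioreach reference and reach `kfree(graph)` while the callback is still working on `graph`. Whether `gpr_free_port()` waits for in-flight callbacks is not visible here; if it does not, this is a use-after-free window rather than only log noise. Doing the store under the lock in close, `mutex_lock(&graph->lock); graph->ar_graph = NULL; mutex_unlock(&graph->lock);`, and moving both checks to just after `mutex_lock()` in the callback (unlocking before `break`) would at least make the flag reliable. Both functions extend beyond their hunks.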
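Review bot: The braced `if (ret < 0)` that now only wraps `if (ret != -EPROBE_DEFER) dev_err(...)` in audioreach_tplg_init() is the pattern `dev_err_probe()` was added for. `if (ret < 0) dev_err_probe(dev, ret, "tplg component load failed\n");` reports the error code, does not log deferrals at error level, and records the deferral reason for later inspection. The return of `ret` after `release_firmware(fw)` is outside the hunk and is presumably unchanged.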
@@ -0,0 +1,65 @@ +From 70a6404ff610aa4889d98977da131c37f9ff9d1f Mon Sep 17 00:00:00 2001 +From: Sameer Pujar +Date: Thu, 29 Jun 2023 10:42:15 +0530 +Subject: ASoC: rt5640: Fix sleep in atomic context + +From: Sameer Pujar + +commit 70a6404ff610aa4889d98977da131c37f9ff9d1f upstream. + +Following prints are observed while testing audio on Jetson AGX Orin which +has onboard RT5640 audio codec: + + BUG: sleeping function called from invalid context at kernel/workqueue.c:3027 + in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 0, name: swapper/0 + preempt_count: 10001, expected: 0 + RCU nest depth: 0, expected: 0 + ------------[ cut here ]------------ + WARNING: CPU: 0 PID: 0 at kernel/irq/handle.c:159 __handle_irq_event_percpu+0x1e0/0x270 + ---[ end trace ad1c64905aac14a6 ]- + +The IRQ handler rt5640_irq() runs in interrupt context and can sleep +during cancel_delayed_work_sync(). + +Fix this by running IRQ handler, rt5640_irq(), in thread context. +Hence replace request_irq() calls with devm_request_threaded_irq(). 
+ +Fixes: 051dade34695 ("ASoC: rt5640: Fix the wrong state of JD1 and JD2") +Cc: stable@vger.kernel.org +Cc: Oder Chiou +Signed-off-by: Sameer Pujar +Link: https://lore.kernel.org/r/1688015537-31682-4-git-send-email-spujar@nvidia.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/rt5640.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/sound/soc/codecs/rt5640.c ++++ b/sound/soc/codecs/rt5640.c +@@ -2567,9 +2567,10 @@ static void rt5640_enable_jack_detect(st + if (jack_data && jack_data->use_platform_clock) + rt5640->use_platform_clock = jack_data->use_platform_clock; + +- ret = request_irq(rt5640->irq, rt5640_irq, +- IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT, +- "rt5640", rt5640); ++ ret = devm_request_threaded_irq(component->dev, rt5640->irq, ++ NULL, rt5640_irq, ++ IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT, ++ "rt5640", rt5640); + if (ret) { + dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret); + rt5640_disable_jack_detect(component); +@@ -2622,8 +2623,9 @@ static void rt5640_enable_hda_jack_detec + + rt5640->jack = jack; + +- ret = request_irq(rt5640->irq, rt5640_irq, +- IRQF_TRIGGER_RISING | IRQF_ONESHOT, "rt5640", rt5640); ++ ret = devm_request_threaded_irq(component->dev, rt5640->irq, ++ NULL, rt5640_irq, IRQF_TRIGGER_RISING | IRQF_ONESHOT, ++ "rt5640", rt5640); + if (ret) { + dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret); + rt5640->irq = -ENXIO; diff --git a/tmp-6.4/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch b/tmp-6.4/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch new file mode 100644 index 00000000000..835740abdb0 --- /dev/null +++ b/tmp-6.4/asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch 
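Review bot: Switching to `devm_request_threaded_irq()` ties the IRQ's lifetime to `component->dev`, but both call sites are jack-detect enable paths that can run more than once, and the failure path directly below still calls `rt5640_disable_jack_detect(component)`. If that function (outside this hunk) releases the line with `free_irq()`, the devres entry stays registered and the IRQ is released a second time at device unbind; it would need `devm_free_irq(component->dev, rt5640->irq, rt5640)` instead. If it does not release the IRQ at all, a later re-enable would request a line that is already claimed. This applies to rt5640_enable_jack_detect() and rt5640_enable_hda_jack_detect(), both of which start outside their hunks.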
@@ -0,0 +1,60 @@ +From 4d081eb7ade047c783eff167d9362c5a23f905d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 14:25:23 +0300 +Subject: ASoC: SOF: ipc3-dtrace: uninitialized data in + dfsentry_trace_filter_write() + +From: Dan Carpenter + +[ Upstream commit 469e2f28c2cbee2430058c1c9bb6d1675d7195fb ] + +This doesn't check how many bytes the simple_write_to_buffer() writes to +the buffer. The only thing that we know is that the first byte is +initialized and the last byte of the buffer is set to NUL. However +the middle bytes could be uninitialized. + +There is no need to use simple_write_to_buffer(). This code does not +support partial writes but instead passes "pos = 0" as the starting +offset regardless of what the user passed as "*ppos". Just use the +copy_from_user() function and initialize the whole buffer. + +Fixes: 671e0b90051e ("ASoC: SOF: Clone the trace code to ipc3-dtrace as fw_tracing implementation") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/74148292-ce4d-4e01-a1a7-921e6767da14@moroto.mountain +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/ipc3-dtrace.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/sof/ipc3-dtrace.c b/sound/soc/sof/ipc3-dtrace.c +index 1d3bca2d28dd6..35da85a45a9ae 100644 +--- a/sound/soc/sof/ipc3-dtrace.c ++++ b/sound/soc/sof/ipc3-dtrace.c +@@ -186,7 +186,6 @@ static ssize_t dfsentry_trace_filter_write(struct file *file, const char __user + struct snd_sof_dfsentry *dfse = file->private_data; + struct sof_ipc_trace_filter_elem *elems = NULL; + struct snd_sof_dev *sdev = dfse->sdev; +- loff_t pos = 0; + int num_elems; + char *string; + int ret; +@@ -201,11 +200,11 @@ static ssize_t dfsentry_trace_filter_write(struct file *file, const char __user + if (!string) + return -ENOMEM; + +- /* assert null termination */ +- string[count] = 0; +- ret = simple_write_to_buffer(string, count, &pos, from, count); +- if (ret < 0) ++ if 
(copy_from_user(string, from, count)) { ++ ret = -EFAULT; + goto error; ++ } ++ string[count] = '\0'; + + ret = trace_filter_parse(sdev, string, &num_elems, &elems); + if (ret < 0) +-- +2.39.2 + diff --git a/tmp-6.4/asoc-tegra-fix-adx-byte-map.patch b/tmp-6.4/asoc-tegra-fix-adx-byte-map.patch new file mode 100644 index 00000000000..a047668f933 --- /dev/null +++ b/tmp-6.4/asoc-tegra-fix-adx-byte-map.patch 
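Review bot: The `copy_from_user(string, from, count)` call and the terminator write at `string[count]` are only safe if the buffer was allocated with at least `count + 1` bytes and `count` was bounded, and both of those happen above the hunk where they cannot be checked here. `memdup_user_nul()` performs the allocation, the copy and the NUL termination in one step and removes that coupling. `string = memdup_user_nul(from, count); if (IS_ERR(string)) return PTR_ERR(string);` would replace the allocation, the `copy_from_user()` block and the manual terminator. dfsentry_trace_filter_write() starts and ends outside the hunk.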
@@ -0,0 +1,119 @@ +From 6dfe70be0b0dec0f9297811501bec26c05fd96ad Mon Sep 17 00:00:00 2001 +From: Sheetal +Date: Thu, 29 Jun 2023 10:42:14 +0530 +Subject: ASoC: tegra: Fix ADX byte map + +From: Sheetal + +commit 6dfe70be0b0dec0f9297811501bec26c05fd96ad upstream. + +Byte mask for channel-1 of stream-1 is not getting enabled and this +causes failures during ADX use cases. This happens because the byte +map value 0 matches the byte map array and put() callback returns +without enabling the corresponding bits in the byte mask. + +ADX supports 4 output streams and each stream can have a maximum of +16 channels. Each byte in the input frame is uniquely mapped to a +byte in one of these 4 outputs. This mapping is done with the help of +byte map array via user space control setting. The byte map array +size in the driver is 16 and each array element is of size 4 bytes. +This corresponds to 64 byte map values. + +Each byte in the byte map array can have any value between 0 to 255 +to enable the corresponding bits in the byte mask. The value 256 is +used as a way to disable the byte map. However the byte map array +element cannot store this value. The put() callback disables the byte +mask for 256 value and byte map value is reset to 0 for this case. +This causes problems during subsequent runs since put() callback, +for value of 0, just returns without enabling the byte mask. In short, +the problem is coming because 0 and 256 control values are stored as +0 in the byte map array. + +Right now fix the put() callback by actually looking at the byte mask +array state to identify if any change is needed and update the fields +accordingly. The get() callback needs an update as well to return the +correct control value that user has set before. Note that when user +set 256, the value is stored as 0 and byte mask is disabled. So byte +mask state is used to either return 256 or the value from byte map +array. 
+ +Given above, this looks bit complicated and all this happens because +the byte map array is tightly packed and cannot actually store the 256 +value. Right now the priority is to fix the existing failure and a TODO +item is put to improve this logic. + +Fixes: 3c97881b8c8a ("ASoC: tegra: Fix kcontrol put callback in ADX") +Cc: stable@vger.kernel.org +Signed-off-by: Sheetal +Reviewed-by: Mohan Kumar D +Reviewed-by: Sameer Pujar +Link: https://lore.kernel.org/r/1688015537-31682-3-git-send-email-spujar@nvidia.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/tegra/tegra210_adx.c | 34 ++++++++++++++++++++++------------ + 1 file changed, 22 insertions(+), 12 deletions(-) + +--- a/sound/soc/tegra/tegra210_adx.c ++++ b/sound/soc/tegra/tegra210_adx.c +@@ -2,7 +2,7 @@ + // + // tegra210_adx.c - Tegra210 ADX driver + // +-// Copyright (c) 2021 NVIDIA CORPORATION. All rights reserved. ++// Copyright (c) 2021-2023 NVIDIA CORPORATION. All rights reserved. + + #include + #include +@@ -175,10 +175,20 @@ static int tegra210_adx_get_byte_map(str + mc = (struct soc_mixer_control *)kcontrol->private_value; + enabled = adx->byte_mask[mc->reg / 32] & (1 << (mc->reg % 32)); + ++ /* ++ * TODO: Simplify this logic to just return from bytes_map[] ++ * ++ * Presently below is required since bytes_map[] is ++ * tightly packed and cannot store the control value of 256. ++ * Byte mask state is used to know if 256 needs to be returned. ++ * Note that for control value of 256, the put() call stores 0 ++ * in the bytes_map[] and disables the corresponding bit in ++ * byte_mask[]. 
++ */ + if (enabled) + ucontrol->value.integer.value[0] = bytes_map[mc->reg]; + else +- ucontrol->value.integer.value[0] = 0; ++ ucontrol->value.integer.value[0] = 256; + + return 0; + } +@@ -192,19 +202,19 @@ static int tegra210_adx_put_byte_map(str + int value = ucontrol->value.integer.value[0]; + struct soc_mixer_control *mc = + (struct soc_mixer_control *)kcontrol->private_value; ++ unsigned int mask_val = adx->byte_mask[mc->reg / 32]; + +- if (value == bytes_map[mc->reg]) ++ if (value >= 0 && value <= 255) ++ mask_val |= (1 << (mc->reg % 32)); ++ else ++ mask_val &= ~(1 << (mc->reg % 32)); ++ ++ if (mask_val == adx->byte_mask[mc->reg / 32]) + return 0; + +- if (value >= 0 && value <= 255) { +- /* update byte map and enable slot */ +- bytes_map[mc->reg] = value; +- adx->byte_mask[mc->reg / 32] |= (1 << (mc->reg % 32)); +- } else { +- /* reset byte map and disable slot */ +- bytes_map[mc->reg] = 0; +- adx->byte_mask[mc->reg / 32] &= ~(1 << (mc->reg % 32)); +- } ++ /* Update byte map and slot */ ++ bytes_map[mc->reg] = value % 256; ++ adx->byte_mask[mc->reg / 32] = mask_val; + + return 1; + } diff --git a/tmp-6.4/asoc-tegra-fix-amx-byte-map.patch b/tmp-6.4/asoc-tegra-fix-amx-byte-map.patch new file mode 100644 index 00000000000..c707318c8b8 --- /dev/null +++ b/tmp-6.4/asoc-tegra-fix-amx-byte-map.patch 
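Review bot: In tegra210_adx_put_byte_map() the early return now compares only `mask_val` with `adx->byte_mask[mc->reg / 32]`, so writing a different value in the 0..255 range to a slot that is already enabled leaves the mask unchanged and returns 0 before `bytes_map[mc->reg]` is updated; the new mapping is silently dropped. The comparison should include the stored byte, e.g. `if (mask_val == adx->byte_mask[mc->reg / 32] && bytes_map[mc->reg] == value % 256) return 0;` (assuming `bytes_map` holds unsigned bytes; its declaration is outside the hunk). Separately, `1 << (mc->reg % 32)` shifts a signed int into the sign bit when the remainder is 31; `BIT(mc->reg % 32)` or `1U <<` avoids that. The AMX patch that follows describes the same logic in its commit message, but its put() callback is beyond the visible part of the page.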
@@ -0,0 +1,125 @@
+From 49bd7b08149417a30aa7d92c8c85b3518de44a76 Mon Sep 17 00:00:00 2001
+From: Sheetal
+Date: Thu, 29 Jun 2023 10:42:13 +0530
+Subject: ASoC: tegra: Fix AMX byte map
+
+From: Sheetal
+
+commit 49bd7b08149417a30aa7d92c8c85b3518de44a76 upstream.
+
+Byte mask for channel-1 of stream-1 is not getting enabled and this
+causes failures during AMX use cases. This happens because the byte
+map value 0 matches the byte map array and put() callback returns
+without enabling the corresponding bits in the byte mask.
+
+AMX supports 4 input streams and each stream can take a maximum of
+16 channels. Each byte in the output frame is uniquely mapped to a
+byte in one of these 4 inputs. This mapping is done with the help of
+byte map array via user space control setting. The byte map array
+size in the driver is 16 and each array element is of size 4 bytes.
+This corresponds to 64 byte map values.
+
+Each byte in the byte map array can have any value between 0 to 255
+to enable the corresponding bits in the byte mask. The value 256 is
+used as a way to disable the byte map. However the byte map array
+element cannot store this value. The put() callback disables the byte
+mask for 256 value and byte map value is reset to 0 for this case.
+This causes problems during subsequent runs since put() callback,
+for value of 0, just returns without enabling the byte mask. In short,
+the problem is coming because 0 and 256 control values are stored as
+0 in the byte map array.
+
+Right now fix the put() callback by actually looking at the byte mask
+array state to identify if any change is needed and update the fields
+accordingly. The get() callback needs an update as well to return the
+correct control value that user has set before. Note that when user
+sets 256, the value is stored as 0 and byte mask is disabled. So byte
+mask state is used to either return 256 or the value from byte map
+array.
+
+Given above, this looks bit complicated and all this happens because
+the byte map array is tightly packed and cannot actually store the 256
+value. Right now the priority is to fix the existing failure and a TODO
+item is put to improve this logic.
+
+Fixes: 8db78ace1ba8 ("ASoC: tegra: Fix kcontrol put callback in AMX")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sheetal
+Reviewed-by: Mohan Kumar D
+Reviewed-by: Sameer Pujar
+Link: https://lore.kernel.org/r/1688015537-31682-2-git-send-email-spujar@nvidia.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/tegra/tegra210_amx.c | 40 ++++++++++++++++++++++------------------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+--- a/sound/soc/tegra/tegra210_amx.c
++++ b/sound/soc/tegra/tegra210_amx.c
+@@ -2,7 +2,7 @@
+ //
+ // tegra210_amx.c - Tegra210 AMX driver
+ //
+-// Copyright (c) 2021 NVIDIA CORPORATION. All rights reserved.
++// Copyright (c) 2021-2023 NVIDIA CORPORATION. All rights reserved.
+
+ #include
+ #include
+@@ -203,10 +203,20 @@ static int tegra210_amx_get_byte_map(str
+ else
+ enabled = amx->byte_mask[0] & (1 << reg);
+
++ /*
++ * TODO: Simplify this logic to just return from bytes_map[]
++ *
++ * Presently below is required since bytes_map[] is
++ * tightly packed and cannot store the control value of 256.
++ * Byte mask state is used to know if 256 needs to be returned.
++ * Note that for control value of 256, the put() call stores 0
++ * in the bytes_map[] and disables the corresponding bit in
++ * byte_mask[].
++ */
+ if (enabled)
+ ucontrol->value.integer.value[0] = bytes_map[reg];
+ else
+- ucontrol->value.integer.value[0] = 0;
++ ucontrol->value.integer.value[0] = 256;
+
+ return 0;
+ }
+@@ -221,25 +231,19 @@ static int tegra210_amx_put_byte_map(str
+ unsigned char *bytes_map = (unsigned char *)&amx->map;
+ int reg = mc->reg;
+ int value = ucontrol->value.integer.value[0];
++ unsigned int mask_val = amx->byte_mask[reg / 32];
+
+- if (value == bytes_map[reg])
++ if (value >= 0 && value <= 255)
++ mask_val |= (1 << (reg % 32));
++ else
++ mask_val &= ~(1 << (reg % 32));
++
++ if (mask_val == amx->byte_mask[reg / 32])
+ return 0;
+
+- if (value >= 0 && value <= 255) {
+- /* Update byte map and enable slot */
+- bytes_map[reg] = value;
+- if (reg > 31)
+- amx->byte_mask[1] |= (1 << (reg - 32));
+- else
+- amx->byte_mask[0] |= (1 << reg);
+- } else {
+- /* Reset byte map and disable slot */
+- bytes_map[reg] = 0;
+- if (reg > 31)
+- amx->byte_mask[1] &= ~(1 << (reg - 32));
+- else
+- amx->byte_mask[0] &= ~(1 << reg);
+- }
++ /* Update byte map and slot */
++ bytes_map[reg] = value % 256;
++ amx->byte_mask[reg / 32] = mask_val;
+
+ return 1;
+ }
diff --git a/tmp-6.4/blk-mq-fix-null-dereference-on-q-elevator-in-blk_mq_.patch b/tmp-6.4/blk-mq-fix-null-dereference-on-q-elevator-in-blk_mq_.patch
new file mode 100644
index 00000000000..293e66b3be4
--- /dev/null
+++ b/tmp-6.4/blk-mq-fix-null-dereference-on-q-elevator-in-blk_mq_.patch
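Review bot: In tegra210_amx_put_byte_map() the early `return 0` is now keyed only on the mask bit, so when a slot is already enabled and the new value is a different number in 0..255, `mask_val == amx->byte_mask[reg / 32]` holds and the function returns before `bytes_map[reg]` is written; the new mapping appears to be dropped silently. The no-change test should also compare the stored byte for in-range values, e.g. `if (mask_val == amx->byte_mask[reg / 32] && (value < 0 || value > 255 || bytes_map[reg] == value)) return 0;`. The ADX put callback earlier on the page has the same shape. Separately, `value % 256` on a negative `int` yields a negative remainder that is then truncated into the unsigned byte; since that path always clears the mask bit, storing 0 explicitly would be clearer. The function body begins before the hunk.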
@@ -0,0 +1,61 @@
+From 2985cb1c3caeaa23909dc76b3608d8f5ffa0034c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 16 Jun 2023 21:23:54 +0800
+Subject: blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none
+
+From: Ming Lei
+
+[ Upstream commit 245165658e1c9f95c0fecfe02b9b1ebd30a1198a ]
+
+After grabbing q->sysfs_lock, q->elevator may become NULL because of
+elevator switch.
+
+Fix the NULL dereference on q->elevator by checking it with lock.
+
+Reported-by: Guangwu Zhang
+Signed-off-by: Ming Lei
+Link: https://lore.kernel.org/r/20230616132354.415109-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/blk-mq.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index b9f4546139894..73ed8ccb09ce8 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -4617,9 +4617,6 @@ static bool blk_mq_elv_switch_none(struct list_head *head,
+ {
+ struct blk_mq_qe_pair *qe;
+
+- if (!q->elevator)
+- return true;
+-
+ qe = kmalloc(sizeof(*qe), GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY);
+ if (!qe)
+ return false;
+@@ -4627,6 +4624,12 @@ static bool blk_mq_elv_switch_none(struct list_head *head,
+ /* q->elevator needs protection from ->sysfs_lock */
+ mutex_lock(&q->sysfs_lock);
+
++ /* the check has to be done with holding sysfs_lock */
++ if (!q->elevator) {
++ kfree(qe);
++ goto unlock;
++ }
++
+ INIT_LIST_HEAD(&qe->node);
+ qe->q = q;
+ qe->type = q->elevator->type;
+@@ -4634,6 +4637,7 @@ static bool blk_mq_elv_switch_none(struct list_head *head,
+ __elevator_get(qe->type);
+ list_add(&qe->node, head);
+ elevator_disable(q);
++unlock:
+ mutex_unlock(&q->sysfs_lock);
+
+ return true;
+--
+2.39.2
+
diff --git a/tmp-6.4/bluetooth-btusb-fix-bluetooth-on-intel-macbook-2014.patch b/tmp-6.4/bluetooth-btusb-fix-bluetooth-on-intel-macbook-2014.patch
new file mode 100644
index 00000000000..732ea3bb10b
--- /dev/null
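Review bot: With the `!q->elevator` test moved under `sysfs_lock`, the `kmalloc()` in blk_mq_elv_switch_none() now runs for every queue, so a queue that has no elevator returns `false` when the `__GFP_NORETRY` allocation fails, where it previously returned `true` without allocating. Taking the mutex first, checking `q->elevator`, and only then allocating would keep the locked check and avoid failing the caller for queues that have nothing to switch, assuming a `GFP_NOIO` allocation under this mutex is acceptable here. The end of the function lies outside the hunks.
```c
	/* q->elevator needs protection from ->sysfs_lock */
	mutex_lock(&q->sysfs_lock);

	/* nothing to switch: do not allocate and do not fail the caller */
	if (!q->elevator)
		goto unlock;

	qe = kmalloc(sizeof(*qe), GFP_NOIO | __GFP_NOWARN | __GFP_NORETRY);
	if (!qe) {
		mutex_unlock(&q->sysfs_lock);
		return false;
	}
	/* … unchanged: qe initialisation, __elevator_get, list_add, elevator_disable … */
unlock:
	mutex_unlock(&q->sysfs_lock);
```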
+++ b/tmp-6.4/bluetooth-btusb-fix-bluetooth-on-intel-macbook-2014.patch
@@ -0,0 +1,47 @@
+From 0f3d353a227d27998efc4598cfdfc74d33fb522b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Jul 2023 12:25:14 +0200
+Subject: Bluetooth: btusb: Fix bluetooth on Intel Macbook 2014
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tomasz Moń
+
+[ Upstream commit 95b7015433053cd5f648ad2a7b8f43b2c99c949a ]
+
+Commit c13380a55522 ("Bluetooth: btusb: Do not require hardcoded
+interface numbers") inadvertedly broke bluetooth on Intel Macbook 2014.
+The intention was to keep behavior intact when BTUSB_IFNUM_2 is set and
+otherwise allow any interface numbers. The problem is that the new logic
+condition omits the case where bInterfaceNumber is 0.
+
+Fix BTUSB_IFNUM_2 handling by allowing both interface number 0 and 2
+when the flag is set.
+
+Fixes: c13380a55522 ("Bluetooth: btusb: Do not require hardcoded interface numbers")
+Reported-by: John Holland
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217651
+Signed-off-by: Tomasz Moń
+Tested-by: John Holland
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 2a8e2bb038f58..50e23762ec5e9 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -4099,6 +4099,7 @@ static int btusb_probe(struct usb_interface *intf,
+ BT_DBG("intf %p id %p", intf, id);
+
+ if ((id->driver_info & BTUSB_IFNUM_2) &&
++ (intf->cur_altsetting->desc.bInterfaceNumber != 0) &&
+ (intf->cur_altsetting->desc.bInterfaceNumber != 2))
+ return -ENODEV;
+
+--
+2.39.2
+
diff --git a/tmp-6.4/bluetooth-hci_conn-return-err_ptr-instead-of-null-wh.patch b/tmp-6.4/bluetooth-hci_conn-return-err_ptr-instead-of-null-wh.patch
new file mode 100644
index 00000000000..4a05013c5c3
--- /dev/null
+++ b/tmp-6.4/bluetooth-hci_conn-return-err_ptr-instead-of-null-wh.patch 
@@ -0,0 +1,58 @@
+From 84ceed6bd7bd6b85f52b80362cae4ce3f2f0daf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Jul 2023 18:43:53 +0530
+Subject: Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no
+ link
+
+From: Siddh Raman Pant
+
+[ Upstream commit b4066eb04bb67e7ff66e5aaab0db4a753f37eaad ]
+
+hci_connect_sco currently returns NULL when there is no link (i.e. when
+hci_conn_link() returns NULL).
+
+sco_connect() expects an ERR_PTR in case of any error (see line 266 in
+sco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which
+tries to get hcon->hdev, resulting in dereferencing a NULL pointer as
+reported by syzkaller.
+
+The same issue exists for iso_connect_cis() calling hci_connect_cis().
+
+Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR
+instead of NULL.
+
+Reported-and-tested-by: syzbot+37acd5d80d00d609d233@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=37acd5d80d00d609d233
+Fixes: 06149746e720 ("Bluetooth: hci_conn: Add support for linking multiple hcon")
+Signed-off-by: Siddh Raman Pant
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_conn.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 7b0c74ef93296..31c115b225e7e 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1684,7 +1684,7 @@ struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
+ if (!link) {
+ hci_conn_drop(acl);
+ hci_conn_drop(sco);
+- return NULL;
++ return ERR_PTR(-ENOLINK);
+ }
+
+ sco->setting = setting;
+@@ -2256,7 +2256,7 @@ struct hci_conn *hci_connect_cis(struct hci_dev *hdev, bdaddr_t *dst,
+ if (!link) {
+ hci_conn_drop(le);
+ hci_conn_drop(cis);
+- return NULL;
++ return ERR_PTR(-ENOLINK);
+ }
+
+ /* If LE is already connected and CIS handle is already set proceed to
+--
+2.39.2
+
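Review bot: Nothing in these hunks records that hci_connect_sco() and hci_connect_cis() must never return NULL, which is the contract the commit message says sco_connect() relies on and the reason the two `return NULL;` lines become `ERR_PTR(-ENOLINK)`. A one-line comment above each function, such as `/* Returns a valid hci_conn or an ERR_PTR(); never NULL, callers test with IS_ERR() */`, would keep a later error path from reintroducing a bare NULL return. The other return statements of both functions are outside the hunks and are worth checking against the same rule.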
diff --git a/tmp-6.4/bluetooth-hci_event-call-disconnect-callback-before-.patch b/tmp-6.4/bluetooth-hci_event-call-disconnect-callback-before-.patch
new file mode 100644
index 00000000000..8c4865a7c6c
--- /dev/null
+++ b/tmp-6.4/bluetooth-hci_event-call-disconnect-callback-before-.patch
@@ -0,0 +1,168 @@
+From 1c0a105690e7ae4ffc1b2c44181d834089aea545 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 19 Jun 2023 01:04:32 +0300
+Subject: Bluetooth: hci_event: call disconnect callback before deleting conn
+
+From: Pauli Virtanen
+
+[ Upstream commit 7f7cfcb6f0825652973b780f248603e23f16ee90 ]
+
+In hci_cs_disconnect, we do hci_conn_del even if disconnection failed.
+
+ISO, L2CAP and SCO connections refer to the hci_conn without
+hci_conn_get, so disconn_cfm must be called so they can clean up their
+conn, otherwise use-after-free occurs.
+
+ISO:
+==========================================================
+iso_sock_connect:880: sk 00000000eabd6557
+iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
+...
+iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073
+hci_dev_put:1487: hci0 orig refcnt 17
+__iso_chan_add:214: conn 00000000b6251073
+iso_sock_clear_timer:117: sock 00000000eabd6557 state 3
+...
+hci_rx_work:4085: hci0 Event packet
+hci_event_packet:7601: hci0: event 0x0f
+hci_cmd_status_evt:4346: hci0: opcode 0x0406
+hci_cs_disconnect:2760: hci0: status 0x0c
+hci_sent_cmd_data:3107: hci0 opcode 0x0406
+hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560
+hci_conn_unlink:1102: hci0: hcon 000000001696f1fd
+hci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2
+hci_chan_list_flush:2780: hcon 000000001696f1fd
+hci_dev_put:1487: hci0 orig refcnt 21
+hci_dev_put:1487: hci0 orig refcnt 20
+hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c
+... ...
+iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557
+BUG: kernel NULL pointer dereference, address: 0000000000000668
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP PTI
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
+RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth
+==========================================================
+
+L2CAP:
+==================================================================
+hci_cmd_status_evt:4359: hci0: opcode 0x0406
+hci_cs_disconnect:2760: hci0: status 0x0c
+hci_sent_cmd_data:3085: hci0 opcode 0x0406
+hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585
+hci_conn_unlink:1102: hci0: hcon ffff88800c999000
+hci_chan_list_flush:2780: hcon ffff88800c999000
+hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280
+...
+BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]
+Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175
+
+CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
+Call Trace:
+
+ dump_stack_lvl+0x5b/0x90
+ print_report+0xcf/0x670
+ ? __virt_addr_valid+0xf8/0x180
+ ? hci_send_acl+0x2d/0x540 [bluetooth]
+ kasan_report+0xa8/0xe0
+ ? hci_send_acl+0x2d/0x540 [bluetooth]
+ hci_send_acl+0x2d/0x540 [bluetooth]
+ ? __pfx___lock_acquire+0x10/0x10
+ l2cap_chan_send+0x1fd/0x1300 [bluetooth]
+ ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth]
+ ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth]
+ ? lock_release+0x1d5/0x3c0
+ ? mark_held_locks+0x1a/0x90
+ l2cap_sock_sendmsg+0x100/0x170 [bluetooth]
+ sock_write_iter+0x275/0x280
+ ? __pfx_sock_write_iter+0x10/0x10
+ ? __pfx___lock_acquire+0x10/0x10
+ do_iter_readv_writev+0x176/0x220
+ ? __pfx_do_iter_readv_writev+0x10/0x10
+ ? find_held_lock+0x83/0xa0
+ ? selinux_file_permission+0x13e/0x210
+ do_iter_write+0xda/0x340
+ vfs_writev+0x1b4/0x400
+ ? __pfx_vfs_writev+0x10/0x10
+ ? __seccomp_filter+0x112/0x750
+ ? populate_seccomp_data+0x182/0x220
+ ? __fget_light+0xdf/0x100
+ ? do_writev+0x19d/0x210
+ do_writev+0x19d/0x210
+ ? __pfx_do_writev+0x10/0x10
+ ? mark_held_locks+0x1a/0x90
+ do_syscall_64+0x60/0x90
+ ? lockdep_hardirqs_on_prepare+0x149/0x210
+ ? do_syscall_64+0x6c/0x90
+ ? lockdep_hardirqs_on_prepare+0x149/0x210
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+RIP: 0033:0x7ff45cb23e64
+Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
+RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ff45cb23e64
+RDX: 0000000000000001 RSI: 00007fff21ae0aa0 RDI: 0000000000000017
+RBP: 00007fff21ae0aa0 R08: 000000000095a8a0 R09: 0000607000053f40
+R10: 0000000000000001 R11: 0000000000000202 R12: 00007fff21ae0ac0
+R13: 00000fffe435c150 R14: 00007fff21ae0a80 R15: 000060f000000040
+
+
+Allocated by task 771:
+ kasan_save_stack+0x33/0x60
+ kasan_set_track+0x25/0x30
+ __kasan_kmalloc+0xaa/0xb0
+ hci_chan_create+0x67/0x1b0 [bluetooth]
+ l2cap_conn_add.part.0+0x17/0x590 [bluetooth]
+ l2cap_connect_cfm+0x266/0x6b0 [bluetooth]
+ hci_le_remote_feat_complete_evt+0x167/0x310 [bluetooth]
+ hci_event_packet+0x38d/0x800 [bluetooth]
+ hci_rx_work+0x287/0xb20 [bluetooth]
+ process_one_work+0x4f7/0x970
+ worker_thread+0x8f/0x620
+ kthread+0x17f/0x1c0
+ ret_from_fork+0x2c/0x50
+
+Freed by task 771:
+ kasan_save_stack+0x33/0x60
+ kasan_set_track+0x25/0x30
+ kasan_save_free_info+0x2e/0x50
+ ____kasan_slab_free+0x169/0x1c0
+ slab_free_freelist_hook+0x9e/0x1c0
+ __kmem_cache_free+0xc0/0x310
+ hci_chan_list_flush+0x46/0x90 [bluetooth]
+ hci_conn_cleanup+0x7d/0x330 [bluetooth]
+ hci_cs_disconnect+0x35d/0x530 [bluetooth]
+ hci_cmd_status_evt+0xef/0x2b0 [bluetooth]
+ hci_event_packet+0x38d/0x800 [bluetooth]
+ hci_rx_work+0x287/0xb20 [bluetooth]
+ process_one_work+0x4f7/0x970
+ worker_thread+0x8f/0x620
+ kthread+0x17f/0x1c0
+ ret_from_fork+0x2c/0x50
+==================================================================
+
+Fixes: b8d290525e39 ("Bluetooth: clean up connection in hci_cs_disconnect")
+Signed-off-by: Pauli Virtanen
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_event.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 72b6d189d3de2..cb0b5fe7a6f8c 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2784,6 +2784,9 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status)
+ hci_enable_advertising(hdev);
+ }
+
++ /* Inform sockets conn is gone before we delete it */
++ hci_disconn_cfm(conn, HCI_ERROR_UNSPECIFIED);
++
+ goto done;
+ }
+
+--
+2.39.2
+
diff --git a/tmp-6.4/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch b/tmp-6.4/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch
new file mode 100644
index 00000000000..8af4b293be5
--- /dev/null
+++ b/tmp-6.4/bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch
@@ -0,0 +1,60 @@
+From a1ee2560c82046e851ecf0268f802f2e15a138aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Jun 2023 15:33:14 -0700
+Subject: Bluetooth: hci_sync: Avoid use-after-free in dbg for
+ hci_remove_adv_monitor()
+
+From: Douglas Anderson
+
+[ Upstream commit de6dfcefd107667ce2dbedf4d9337f5ed557a4a1 ]
+
+KASAN reports that there's a use-after-free in
+hci_remove_adv_monitor(). Trawling through the disassembly, you can
+see that the complaint is from the access in bt_dev_dbg() under the
+HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because
+msft_remove_monitor() can end up freeing the monitor
+structure. Specifically:
+ hci_remove_adv_monitor() ->
+ msft_remove_monitor() ->
+ msft_remove_monitor_sync() ->
+ msft_le_cancel_monitor_advertisement_cb() ->
+ hci_free_adv_monitor()
+
+Let's fix the problem by just stashing the relevant data when it's
+still valid.
+
+Fixes: 7cf5c2978f23 ("Bluetooth: hci_sync: Refactor remove Adv Monitor")
+Signed-off-by: Douglas Anderson
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hci_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index b421e196f60c3..1ec83985f1ab0 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -1972,6 +1972,7 @@ static int hci_remove_adv_monitor(struct hci_dev *hdev,
+ struct adv_monitor *monitor)
+ {
+ int status = 0;
++ int handle;
+
+ switch (hci_get_adv_monitor_offload_ext(hdev)) {
+ case HCI_ADV_MONITOR_EXT_NONE: /* also goes here when powered off */
+@@ -1980,9 +1981,10 @@ static int hci_remove_adv_monitor(struct hci_dev *hdev,
+ goto free_monitor;
+
+ case HCI_ADV_MONITOR_EXT_MSFT:
++ handle = monitor->handle;
+ status = msft_remove_monitor(hdev, monitor);
+ bt_dev_dbg(hdev, "%s remove monitor %d msft status %d",
+- hdev->name, monitor->handle, status);
++ hdev->name, handle, status);
+ break;
+ }
+
+--
+2.39.2
+
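Review bot: The code after `break;` in hci_remove_adv_monitor() is outside the hunk, so this change only shows the `bt_dev_dbg()` access being fixed; since the commit message says msft_remove_monitor() can free `monitor`, it is worth confirming that nothing on the MSFT path after the switch still dereferences it. A comment at the stash, e.g. `/* monitor may be freed by msft_remove_monitor(); copy what the log needs */`, would explain why the copy exists. `handle` is also declared at function scope without an initialiser and assigned only in the `HCI_ADV_MONITOR_EXT_MSFT` case; scoping it to that case (`case HCI_ADV_MONITOR_EXT_MSFT: { int handle = monitor->handle; ... }`) would tie it to its single use.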
diff --git a/tmp-6.4/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch b/tmp-6.4/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch
new file mode 100644
index 00000000000..e802b39b9fc
--- /dev/null
+++ b/tmp-6.4/bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch
@@ -0,0 +1,292 @@
+From 38c1cad8787d706dea39d17a633b391863b8e3a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 19 Jun 2023 01:04:33 +0300
+Subject: Bluetooth: ISO: fix iso_conn related locking and validity issues
+
+From: Pauli Virtanen
+
+[ Upstream commit d40ae85ee62e3666f45bc61864b22121346f88ef ]
+
+sk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations
+that check/update sk_state and access conn should hold lock_sock,
+otherwise they can race.
+
+The order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock,
+which is how it is in connect/disconnect_cfm -> iso_conn_del ->
+iso_chan_del.
+
+Fix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock
+around updating sk_state and conn.
+
+iso_conn_del must not occur during iso_connect_cis/bis, as it frees the
+iso_conn. Hold hdev->lock longer to prevent that.
+
+This should not reintroduce the issue fixed in commit 241f51931c35
+("Bluetooth: ISO: Avoid circular locking dependency"), since the we
+acquire locks in order. We retain the fix in iso_sock_connect to release
+lock_sock before iso_connect_* acquires hdev->lock.
+
+Similarly for commit 6a5ad251b7cd ("Bluetooth: ISO: Fix possible
+circular locking dependency"). We retain the fix in iso_conn_ready to
+not acquire iso_conn_lock before lock_sock.
+
+iso_conn_add shall return iso_conn with valid hcon. Make it so also when
+reusing an old CIS connection waiting for disconnect timeout (see
+__iso_sock_close where conn->hcon is set to NULL).
+
+Trace with iso_conn_del after iso_chan_add in iso_connect_cis:
+===============================================================
+iso_sock_create:771: sock 00000000be9b69b7
+iso_sock_init:693: sk 000000004dff667e
+iso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1
+iso_sock_setsockopt:1289: sk 000000004dff667e
+iso_sock_setsockopt:1289: sk 000000004dff667e
+iso_sock_setsockopt:1289: sk 000000004dff667e
+iso_sock_connect:875: sk 000000004dff667e
+iso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
+hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
+hci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da
+iso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e
+__iso_chan_add:214: conn 00000000daf8625e
+iso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12
+iso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16
+iso_sock_clear_timer:117: sock 000000004dff667e state 3
+
+iso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16
+hci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535
+hci_conn_unlink:1102: hci0: hcon 000000007b65d182
+hci_chan_list_flush:2780: hcon 000000007b65d182
+iso_sock_getsockopt:1376: sk 000000004dff667e
+iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
+iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
+iso_sock_getsockopt:1376: sk 000000004dff667e
+iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
+iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e
+iso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1
+__iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0
+Oops: 0000 [#1] PREEMPT SMP PTI
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
+RIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth
+===============================================================
+
+Trace with iso_conn_del before iso_chan_add in iso_connect_cis:
+===============================================================
+iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da
+...
+iso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504
+hci_dev_put:1487: hci0 orig refcnt 21
+hci_event_packet:7607: hci0: event 0x0e
+hci_cmd_complete_evt:4231: hci0: opcode 0x2062
+hci_cc_le_set_cig_params:3846: hci0: status 0x07
+hci_sent_cmd_data:3107: hci0 opcode 0x2062
+iso_connect_cfm:1703: hcon 0000000093bc551f bdaddr 28:3d:c2:4a:7e:da status 7
+iso_conn_del:187: hcon 0000000093bc551f conn 00000000768ae504, err 12
+hci_conn_del:1151: hci0 hcon 0000000093bc551f handle 65535
+hci_conn_unlink:1102: hci0: hcon 0000000093bc551f
+hci_chan_list_flush:2780: hcon 0000000093bc551f
+__iso_chan_add:214: conn 00000000768ae504
+
+iso_sock_clear_timer:117: sock 0000000098323f95 state 3
+general protection fault, probably for non-canonical address 0x30b29c630930aec8: 0000 [#1] PREEMPT SMP PTI
+CPU: 1 PID: 1920 Comm: bluetoothd Tainted: G E 6.3.0-rc7+ #4
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
+RIP: 0010:detach_if_pending+0x28/0xd0
+Code: 90 90 0f 1f 44 00 00 48 8b 47 08 48 85 c0 0f 84 ad 00 00 00 55 89 d5 53 48 83 3f 00 48 89 fb 74 7d 66 90 48 8b 03 48 8b 53 08 <>
+RSP: 0018:ffffb90841a67d08 EFLAGS: 00010007
+RAX: 0000000000000000 RBX: ffff9141bd5061b8 RCX: 0000000000000000
+RDX: 30b29c630930aec8 RSI: ffff9141fdd21e80 RDI: ffff9141bd5061b8
+RBP: 0000000000000001 R08: 0000000000000000 R09: ffffb90841a67b88
+R10: 0000000000000003 R11: ffffffff8613f558 R12: ffff9141fdd21e80
+R13: 0000000000000000 R14: ffff9141b5976010 R15: ffff914185755338
+FS: 00007f45768bd840(0000) GS:ffff9141fdd00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000619000424074 CR3: 0000000009f5e005 CR4: 0000000000170ee0
+Call Trace:
+
+ timer_delete+0x48/0x80
+ try_to_grab_pending+0xdf/0x170
+ __cancel_work+0x37/0xb0
+ iso_connect_cis+0x141/0x400 [bluetooth]
+===============================================================
+
+Trace with NULL conn->hcon in state BT_CONNECT:
+===============================================================
+__iso_sock_close:619: sk 00000000f7c71fc5 state 1 socket 00000000d90c5fe5
+...
+__iso_sock_close:619: sk 00000000f7c71fc5 state 8 socket 00000000d90c5fe5
+iso_chan_del:153: sk 00000000f7c71fc5, conn 0000000022c03a7e, err 104
+...
+iso_sock_connect:862: sk 00000000129b56c3
+iso_connect_cis:348: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a
+hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7d:2a
+hci_dev_hold:1495: hci0 orig refcnt 19
+__iso_chan_add:214: conn 0000000022c03a7e
+
+iso_sock_clear_timer:117: sock 00000000129b56c3 state 3
+...
+iso_sock_ready:1485: sk 00000000129b56c3
+...
+iso_sock_sendmsg:1077: sock 00000000e5013966, sk 00000000129b56c3
+BUG: kernel NULL pointer dereference, address: 00000000000006a8
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP PTI
+CPU: 1 PID: 1403 Comm: wireplumber Tainted: G E 6.3.0-rc7+ #4
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
+RIP: 0010:iso_sock_sendmsg+0x63/0x2a0 [bluetooth]
+===============================================================
+
+Fixes: 241f51931c35 ("Bluetooth: ISO: Avoid circular locking dependency")
+Fixes: 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency")
+Signed-off-by: Pauli Virtanen
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/iso.c | 53 ++++++++++++++++++++++++++-------------------
+ 1 file changed, 31 insertions(+), 22 deletions(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 34d55a85d8f6f..94d5bc104fede 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -123,8 +123,11 @@ static struct iso_conn *iso_conn_add(struct hci_conn *hcon)
+ {
+ struct iso_conn *conn = hcon->iso_data;
+
+- if (conn)
++ if (conn) {
++ if (!conn->hcon)
++ conn->hcon = hcon;
+ return conn;
++ }
+
+ conn = kzalloc(sizeof(*conn), GFP_KERNEL);
+ if (!conn)
+@@ -300,14 +303,13 @@ static int iso_connect_bis(struct sock *sk)
+ goto unlock;
+ }
+
+- hci_dev_unlock(hdev);
+- hci_dev_put(hdev);
++ lock_sock(sk);
+
+ err = iso_chan_add(conn, sk, NULL);
+- if (err)
+- return err;
+-
+- lock_sock(sk);
++ if (err) {
++ release_sock(sk);
++ goto unlock;
++ }
+
+ /* Update source addr of the socket */
+ bacpy(&iso_pi(sk)->src, &hcon->src);
+@@ -321,7 +323,6 @@ static int iso_connect_bis(struct sock *sk)
+ }
+
+ release_sock(sk);
+- return err;
+
+ unlock:
+ hci_dev_unlock(hdev);
+@@ -389,14 +390,13 @@ static int iso_connect_cis(struct sock *sk)
+ goto unlock;
+ }
+
+- hci_dev_unlock(hdev);
+- hci_dev_put(hdev);
++ lock_sock(sk);
+
+ err = iso_chan_add(conn, sk, NULL);
+- if (err)
+- return err;
+-
+- lock_sock(sk);
++ if (err) {
++ release_sock(sk);
++ goto unlock;
++ }
+
+ /* Update source addr of the socket */
+ bacpy(&iso_pi(sk)->src, &hcon->src);
+@@ -413,7 +413,6 @@ static int iso_connect_cis(struct sock *sk)
+ }
+
+ release_sock(sk);
+- return err;
+
+ unlock:
+ hci_dev_unlock(hdev);
+@@ -1072,8 +1071,8 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg,
+ size_t len)
+ {
+ struct sock *sk = sock->sk;
+- struct iso_conn *conn = iso_pi(sk)->conn;
+ struct sk_buff *skb, **frag;
++ size_t mtu;
+ int err;
+
+ BT_DBG("sock %p, sk %p", sock, sk);
+@@ -1085,11 +1084,18 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg,
+ if (msg->msg_flags & MSG_OOB)
+ return -EOPNOTSUPP;
+
+- if (sk->sk_state != BT_CONNECTED)
++ lock_sock(sk);
++
++ if (sk->sk_state != BT_CONNECTED) {
++ release_sock(sk);
+ return -ENOTCONN;
++ }
++
++ mtu = iso_pi(sk)->conn->hcon->hdev->iso_mtu;
++
++ release_sock(sk);
+
+- skb = bt_skb_sendmsg(sk, msg, len, conn->hcon->hdev->iso_mtu,
+- HCI_ISO_DATA_HDR_SIZE, 0);
++ skb = bt_skb_sendmsg(sk, msg, len, mtu, HCI_ISO_DATA_HDR_SIZE, 0);
+ if (IS_ERR(skb))
+ return PTR_ERR(skb);
+
+@@ -1102,8 +1108,7 @@ static int iso_sock_sendmsg(struct socket *sock, struct msghdr *msg,
+ while (len) {
+ struct sk_buff *tmp;
+
+- tmp = bt_skb_sendmsg(sk, msg, len, conn->hcon->hdev->iso_mtu,
+- 0, 0);
++ tmp = bt_skb_sendmsg(sk, msg, len, mtu, 0, 0);
+ if (IS_ERR(tmp)) {
+ kfree_skb(skb);
+ return PTR_ERR(tmp);
+@@ -1158,15 +1163,19 @@ static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
+ BT_DBG("sk %p", sk);
+
+ if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
++ lock_sock(sk);
+ switch (sk->sk_state) {
+ case BT_CONNECT2:
+- lock_sock(sk);
+ iso_conn_defer_accept(pi->conn->hcon);
+ sk->sk_state = BT_CONFIG;
+ release_sock(sk);
+ return 0;
+ case BT_CONNECT:
++ release_sock(sk);
+ return iso_connect_cis(sk);
++ default:
++ release_sock(sk);
++ break;
+ }
+ }
+
+--
+2.39.2
+
diff --git a/tmp-6.4/bluetooth-sco-fix-sco_conn-related-locking-and-valid.patch b/tmp-6.4/bluetooth-sco-fix-sco_conn-related-locking-and-valid.patch
new file mode 100644
index 00000000000..84761ceda9b
--- /dev/null
+++ b/tmp-6.4/bluetooth-sco-fix-sco_conn-related-locking-and-valid.patch
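Review bot: In iso_sock_recvmsg() the `BT_CONNECT` case now reads `sk->sk_state` under `lock_sock()` but releases the lock before calling `iso_connect_cis(sk)`, so the state can change between the check and the call; whether iso_connect_cis() re-validates the state once it holds its own locks is not visible in these hunks. The release is presumably forced by the lock order given in the commit message (hci_dev_lock before lock_sock), and a comment saying so, e.g. `/* drop lock_sock: iso_connect_cis() takes hdev->lock first */`, would keep a later change from moving the call back under the lock. In iso_sock_sendmsg() the chain `iso_pi(sk)->conn->hcon->hdev->iso_mtu` depends entirely on `BT_CONNECTED` implying a non-NULL `conn` and `hcon`, and that invariant deserves a comment at the dereference too.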
@@ -0,0 +1,100 @@ +From cc9d54b74879a34272695218fd49e9ba6687e670 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 19:48:19 +0300 +Subject: Bluetooth: SCO: fix sco_conn related locking and validity issues + +From: Pauli Virtanen + +[ Upstream commit 3dcaa192ac2159193bc6ab57bc5369dcb84edd8e ] + +Operations that check/update sk_state and access conn should hold +lock_sock, otherwise they can race. + +The order of taking locks is hci_dev_lock > lock_sock > sco_conn_lock, +which is how it is in connect/disconnect_cfm -> sco_conn_del -> +sco_chan_del. + +Fix locking in sco_connect to take lock_sock around updating sk_state +and conn. + +sco_conn_del must not occur during sco_connect, as it frees the +sco_conn. Hold hdev->lock longer to prevent that. + +sco_conn_add shall return sco_conn with valid hcon. Make it so also when +reusing an old SCO connection waiting for disconnect timeout (see +__sco_sock_close where conn->hcon is set to NULL). + +This should not reintroduce the issue fixed in the earlier +commit 9a8ec9e8ebb5 ("Bluetooth: SCO: Fix possible circular locking +dependency on sco_connect_cfm"), the relevant fix of releasing lock_sock +in sco_sock_connect before acquiring hdev->lock is retained. + +These changes mirror similar fixes earlier in ISO sockets. 
+ +Fixes: 9a8ec9e8ebb5 ("Bluetooth: SCO: Fix possible circular locking dependency on sco_connect_cfm") +Signed-off-by: Pauli Virtanen +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/sco.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index cd1a27ac555d0..7762604ddfc05 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -126,8 +126,11 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon) + struct hci_dev *hdev = hcon->hdev; + struct sco_conn *conn = hcon->sco_data; + +- if (conn) ++ if (conn) { ++ if (!conn->hcon) ++ conn->hcon = hcon; + return conn; ++ } + + conn = kzalloc(sizeof(struct sco_conn), GFP_KERNEL); + if (!conn) +@@ -268,21 +271,21 @@ static int sco_connect(struct sock *sk) + goto unlock; + } + +- hci_dev_unlock(hdev); +- hci_dev_put(hdev); +- + conn = sco_conn_add(hcon); + if (!conn) { + hci_conn_drop(hcon); +- return -ENOMEM; ++ err = -ENOMEM; ++ goto unlock; + } + +- err = sco_chan_add(conn, sk, NULL); +- if (err) +- return err; +- + lock_sock(sk); + ++ err = sco_chan_add(conn, sk, NULL); ++ if (err) { ++ release_sock(sk); ++ goto unlock; ++ } ++ + /* Update source addr of the socket */ + bacpy(&sco_pi(sk)->src, &hcon->src); + +@@ -296,8 +299,6 @@ static int sco_connect(struct sock *sk) + + release_sock(sk); + +- return err; +- + unlock: + hci_dev_unlock(hdev); + hci_dev_put(hdev); +-- +2.39.2 + diff --git a/tmp-6.4/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch b/tmp-6.4/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch new file mode 100644 index 00000000000..bad87f05068 --- /dev/null +++ b/tmp-6.4/bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch 
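Review bot: The new `sco_chan_add` failure branch in sco_connect jumps to `unlock` without calling `hci_conn_drop(hcon)`, while the `sco_conn_add` failure branch a few lines above drops it before the same jump. If the reference obtained when hcon was set up is not released elsewhere on this path, each failed attach leaves the connection pinned. That part is outside the hunk and needs confirming. If it is a leak, the fix is `hci_conn_drop(hcon);` right after `release_sock(sk);` in the error branch. Otherwise a one-line comment naming who owns the reference would settle it. sco_connect starts and ends outside the hunk.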
@@ -0,0 +1,594 @@ +From bb40a24b1a5fe8604c76ab2a9447b7b69940a3ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 01:04:31 +0300 +Subject: Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync + +From: Pauli Virtanen + +[ Upstream commit 195ef75e19287b4bc413da3e3e3722b030ac881e ] + +hci_update_accept_list_sync iterates over hdev->pend_le_conns and +hdev->pend_le_reports, and waits for controller events in the loop body, +without holding hdev lock. + +Meanwhile, these lists and the items may be modified e.g. by +le_scan_cleanup. This can invalidate the list cursor or any other item +in the list, resulting to invalid behavior (eg use-after-free). + +Use RCU for the hci_conn_params action lists. Since the loop bodies in +hci_sync block and we cannot use RCU or hdev->lock for the whole loop, +copy list items first and then iterate on the copy. Only the flags field +is written from elsewhere, so READ_ONCE/WRITE_ONCE should guarantee we +read valid values. + +Free params everywhere with hci_conn_params_free so the cleanup is +guaranteed to be done properly. + +This fixes the following, which can be triggered e.g. by BlueZ new +mgmt-tester case "Add + Remove Device Nowait - Success", or by changing +hci_le_set_cig_params to always return false, and running iso-tester: + +================================================================== +BUG: KASAN: slab-use-after-free in hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) +Read of size 8 at addr ffff888001265018 by task kworker/u3:0/32 + +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 +Workqueue: hci0 hci_cmd_sync_work +Call Trace: + +dump_stack_lvl (./arch/x86/include/asm/irqflags.h:134 lib/dump_stack.c:107) +print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) +? __virt_addr_valid (./include/linux/mmzone.h:1915 ./include/linux/mmzone.h:2011 arch/x86/mm/physaddr.c:65) +? 
hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) +kasan_report (mm/kasan/report.c:538) +? hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) +hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2536 net/bluetooth/hci_sync.c:2723 net/bluetooth/hci_sync.c:2841) +? __pfx_hci_update_passive_scan_sync (net/bluetooth/hci_sync.c:2780) +? mutex_lock (kernel/locking/mutex.c:282) +? __pfx_mutex_lock (kernel/locking/mutex.c:282) +? __pfx_mutex_unlock (kernel/locking/mutex.c:538) +? __pfx_update_passive_scan_sync (net/bluetooth/hci_sync.c:2861) +hci_cmd_sync_work (net/bluetooth/hci_sync.c:306) +process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399) +worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538) +? __pfx_worker_thread (kernel/workqueue.c:2480) +kthread (kernel/kthread.c:376) +? __pfx_kthread (kernel/kthread.c:331) +ret_from_fork (arch/x86/entry/entry_64.S:314) + + +Allocated by task 31: +kasan_save_stack (mm/kasan/common.c:46) +kasan_set_track (mm/kasan/common.c:52) +__kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383) +hci_conn_params_add (./include/linux/slab.h:580 ./include/linux/slab.h:720 net/bluetooth/hci_core.c:2277) +hci_connect_le_scan (net/bluetooth/hci_conn.c:1419 net/bluetooth/hci_conn.c:1589) +hci_connect_cis (net/bluetooth/hci_conn.c:2266) +iso_connect_cis (net/bluetooth/iso.c:390) +iso_sock_connect (net/bluetooth/iso.c:899) +__sys_connect (net/socket.c:2003 net/socket.c:2020) +__x64_sys_connect (net/socket.c:2027) +do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + +Freed by task 15: +kasan_save_stack (mm/kasan/common.c:46) +kasan_set_track (mm/kasan/common.c:52) +kasan_save_free_info (mm/kasan/generic.c:523) +__kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 
mm/kasan/common.c:244) +__kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800) +hci_conn_params_del (net/bluetooth/hci_core.c:2323) +le_scan_cleanup (net/bluetooth/hci_conn.c:202) +process_one_work (./arch/x86/include/asm/preempt.h:27 kernel/workqueue.c:2399) +worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2538) +kthread (kernel/kthread.c:376) +ret_from_fork (arch/x86/entry/entry_64.S:314) +================================================================== + +Fixes: e8907f76544f ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 3") +Signed-off-by: Pauli Virtanen +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + include/net/bluetooth/hci_core.h | 5 ++ + net/bluetooth/hci_conn.c | 10 +-- + net/bluetooth/hci_core.c | 38 ++++++++-- + net/bluetooth/hci_event.c | 12 ++-- + net/bluetooth/hci_sync.c | 117 ++++++++++++++++++++++++++++--- + net/bluetooth/mgmt.c | 26 +++---- + 6 files changed, 164 insertions(+), 44 deletions(-) + +diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h +index 9654567cfae37..870b6d3c5146b 100644 +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -822,6 +822,7 @@ struct hci_conn_params { + + struct hci_conn *conn; + bool explicit_connect; ++ /* Accessed without hdev->lock: */ + hci_conn_flags_t flags; + u8 privacy_mode; + }; +@@ -1573,7 +1574,11 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, + bdaddr_t *addr, u8 addr_type); + void hci_conn_params_del(struct hci_dev *hdev, bdaddr_t *addr, u8 addr_type); + void hci_conn_params_clear_disabled(struct hci_dev *hdev); ++void hci_conn_params_free(struct hci_conn_params *param); + ++void hci_pend_le_list_del_init(struct hci_conn_params *param); ++void hci_pend_le_list_add(struct hci_conn_params *param, ++ struct list_head *list); + struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list, + bdaddr_t *addr, + u8 addr_type); +diff --git 
a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c +index 2275e0d9f8419..7b0c74ef93296 100644 +--- a/net/bluetooth/hci_conn.c ++++ b/net/bluetooth/hci_conn.c +@@ -118,7 +118,7 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) + */ + params->explicit_connect = false; + +- list_del_init(¶ms->action); ++ hci_pend_le_list_del_init(params); + + switch (params->auto_connect) { + case HCI_AUTO_CONN_EXPLICIT: +@@ -127,10 +127,10 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status) + return; + case HCI_AUTO_CONN_DIRECT: + case HCI_AUTO_CONN_ALWAYS: +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + break; + case HCI_AUTO_CONN_REPORT: +- list_add(¶ms->action, &hdev->pend_le_reports); ++ hci_pend_le_list_add(params, &hdev->pend_le_reports); + break; + default: + break; +@@ -1426,8 +1426,8 @@ static int hci_explicit_conn_params_set(struct hci_dev *hdev, + if (params->auto_connect == HCI_AUTO_CONN_DISABLED || + params->auto_connect == HCI_AUTO_CONN_REPORT || + params->auto_connect == HCI_AUTO_CONN_EXPLICIT) { +- list_del_init(¶ms->action); +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_del_init(params); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + } + + params->explicit_connect = true; +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 48917c68358de..b421e196f60c3 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -2249,21 +2249,45 @@ struct hci_conn_params *hci_conn_params_lookup(struct hci_dev *hdev, + return NULL; + } + +-/* This function requires the caller holds hdev->lock */ ++/* This function requires the caller holds hdev->lock or rcu_read_lock */ + struct hci_conn_params *hci_pend_le_action_lookup(struct list_head *list, + bdaddr_t *addr, u8 addr_type) + { + struct hci_conn_params *param; + +- list_for_each_entry(param, list, action) { ++ rcu_read_lock(); ++ ++ 
list_for_each_entry_rcu(param, list, action) { + if (bacmp(¶m->addr, addr) == 0 && +- param->addr_type == addr_type) ++ param->addr_type == addr_type) { ++ rcu_read_unlock(); + return param; ++ } + } + ++ rcu_read_unlock(); ++ + return NULL; + } + ++/* This function requires the caller holds hdev->lock */ ++void hci_pend_le_list_del_init(struct hci_conn_params *param) ++{ ++ if (list_empty(¶m->action)) ++ return; ++ ++ list_del_rcu(¶m->action); ++ synchronize_rcu(); ++ INIT_LIST_HEAD(¶m->action); ++} ++ ++/* This function requires the caller holds hdev->lock */ ++void hci_pend_le_list_add(struct hci_conn_params *param, ++ struct list_head *list) ++{ ++ list_add_rcu(¶m->action, list); ++} ++ + /* This function requires the caller holds hdev->lock */ + struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, + bdaddr_t *addr, u8 addr_type) +@@ -2297,14 +2321,15 @@ struct hci_conn_params *hci_conn_params_add(struct hci_dev *hdev, + return params; + } + +-static void hci_conn_params_free(struct hci_conn_params *params) ++void hci_conn_params_free(struct hci_conn_params *params) + { ++ hci_pend_le_list_del_init(params); ++ + if (params->conn) { + hci_conn_drop(params->conn); + hci_conn_put(params->conn); + } + +- list_del(¶ms->action); + list_del(¶ms->list); + kfree(params); + } +@@ -2342,8 +2367,7 @@ void hci_conn_params_clear_disabled(struct hci_dev *hdev) + continue; + } + +- list_del(¶ms->list); +- kfree(params); ++ hci_conn_params_free(params); + } + + BT_DBG("All LE disabled connection parameters were removed"); +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 21e26d3b286cc..72b6d189d3de2 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -1564,7 +1564,7 @@ static u8 hci_cc_le_set_privacy_mode(struct hci_dev *hdev, void *data, + + params = hci_conn_params_lookup(hdev, &cp->bdaddr, cp->bdaddr_type); + if (params) +- params->privacy_mode = cp->mode; ++ WRITE_ONCE(params->privacy_mode, cp->mode); + + 
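Review bot: hci_pend_le_action_lookup now returns `param` after its own `rcu_read_unlock()`, so the internal read-side section protects only the list walk, not the object handed back. The updated header comment is easy to misread as optional now that a lock is taken inside. I would spell it out: `/* The returned pointer is only valid while the caller holds hdev->lock or its own rcu_read_lock(); the internal RCU section covers the traversal only. */`. A caller that dereferences the result with neither held could be reading memory that hci_conn_params_free has already passed to `kfree`.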
hci_dev_unlock(hdev); + +@@ -2804,8 +2804,8 @@ static void hci_cs_disconnect(struct hci_dev *hdev, u8 status) + + case HCI_AUTO_CONN_DIRECT: + case HCI_AUTO_CONN_ALWAYS: +- list_del_init(¶ms->action); +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_del_init(params); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + break; + + default: +@@ -3423,8 +3423,8 @@ static void hci_disconn_complete_evt(struct hci_dev *hdev, void *data, + + case HCI_AUTO_CONN_DIRECT: + case HCI_AUTO_CONN_ALWAYS: +- list_del_init(¶ms->action); +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_del_init(params); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + hci_update_passive_scan(hdev); + break; + +@@ -5961,7 +5961,7 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status, + params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst, + conn->dst_type); + if (params) { +- list_del_init(¶ms->action); ++ hci_pend_le_list_del_init(params); + if (params->conn) { + hci_conn_drop(params->conn); + hci_conn_put(params->conn); +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index b5b1b610df335..1bcb54272dc67 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -2160,15 +2160,23 @@ static int hci_le_del_accept_list_sync(struct hci_dev *hdev, + return 0; + } + ++struct conn_params { ++ bdaddr_t addr; ++ u8 addr_type; ++ hci_conn_flags_t flags; ++ u8 privacy_mode; ++}; ++ + /* Adds connection to resolve list if needed. 
+ * Setting params to NULL programs local hdev->irk + */ + static int hci_le_add_resolve_list_sync(struct hci_dev *hdev, +- struct hci_conn_params *params) ++ struct conn_params *params) + { + struct hci_cp_le_add_to_resolv_list cp; + struct smp_irk *irk; + struct bdaddr_list_with_irk *entry; ++ struct hci_conn_params *p; + + if (!use_ll_privacy(hdev)) + return 0; +@@ -2203,6 +2211,16 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev, + /* Default privacy mode is always Network */ + params->privacy_mode = HCI_NETWORK_PRIVACY; + ++ rcu_read_lock(); ++ p = hci_pend_le_action_lookup(&hdev->pend_le_conns, ++ ¶ms->addr, params->addr_type); ++ if (!p) ++ p = hci_pend_le_action_lookup(&hdev->pend_le_reports, ++ ¶ms->addr, params->addr_type); ++ if (p) ++ WRITE_ONCE(p->privacy_mode, HCI_NETWORK_PRIVACY); ++ rcu_read_unlock(); ++ + done: + if (hci_dev_test_flag(hdev, HCI_PRIVACY)) + memcpy(cp.local_irk, hdev->irk, 16); +@@ -2215,7 +2233,7 @@ static int hci_le_add_resolve_list_sync(struct hci_dev *hdev, + + /* Set Device Privacy Mode. */ + static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, +- struct hci_conn_params *params) ++ struct conn_params *params) + { + struct hci_cp_le_set_privacy_mode cp; + struct smp_irk *irk; +@@ -2240,6 +2258,8 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, + bacpy(&cp.bdaddr, &irk->bdaddr); + cp.mode = HCI_DEVICE_PRIVACY; + ++ /* Note: params->privacy_mode is not updated since it is a copy */ ++ + return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_PRIVACY_MODE, + sizeof(cp), &cp, HCI_CMD_TIMEOUT); + } +@@ -2249,7 +2269,7 @@ static int hci_le_set_privacy_mode_sync(struct hci_dev *hdev, + * properly set the privacy mode. 
+ */ + static int hci_le_add_accept_list_sync(struct hci_dev *hdev, +- struct hci_conn_params *params, ++ struct conn_params *params, + u8 *num_entries) + { + struct hci_cp_le_add_to_accept_list cp; +@@ -2447,6 +2467,52 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev, + return __hci_cmd_sync_sk(hdev, opcode, 0, NULL, 0, HCI_CMD_TIMEOUT, sk); + } + ++static struct conn_params *conn_params_copy(struct list_head *list, size_t *n) ++{ ++ struct hci_conn_params *params; ++ struct conn_params *p; ++ size_t i; ++ ++ rcu_read_lock(); ++ ++ i = 0; ++ list_for_each_entry_rcu(params, list, action) ++ ++i; ++ *n = i; ++ ++ rcu_read_unlock(); ++ ++ p = kvcalloc(*n, sizeof(struct conn_params), GFP_KERNEL); ++ if (!p) ++ return NULL; ++ ++ rcu_read_lock(); ++ ++ i = 0; ++ list_for_each_entry_rcu(params, list, action) { ++ /* Racing adds are handled in next scan update */ ++ if (i >= *n) ++ break; ++ ++ /* No hdev->lock, but: addr, addr_type are immutable. ++ * privacy_mode is only written by us or in ++ * hci_cc_le_set_privacy_mode that we wait for. ++ * We should be idempotent so MGMT updating flags ++ * while we are processing is OK. ++ */ ++ bacpy(&p[i].addr, ¶ms->addr); ++ p[i].addr_type = params->addr_type; ++ p[i].flags = READ_ONCE(params->flags); ++ p[i].privacy_mode = READ_ONCE(params->privacy_mode); ++ ++i; ++ } ++ ++ rcu_read_unlock(); ++ ++ *n = i; ++ return p; ++} ++ + /* Device must not be scanning when updating the accept list. 
+ * + * Update is done using the following sequence: +@@ -2466,11 +2532,12 @@ struct sk_buff *hci_read_local_oob_data_sync(struct hci_dev *hdev, + */ + static u8 hci_update_accept_list_sync(struct hci_dev *hdev) + { +- struct hci_conn_params *params; ++ struct conn_params *params; + struct bdaddr_list *b, *t; + u8 num_entries = 0; + bool pend_conn, pend_report; + u8 filter_policy; ++ size_t i, n; + int err; + + /* Pause advertising if resolving list can be used as controllers +@@ -2504,6 +2571,7 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev) + if (hci_conn_hash_lookup_le(hdev, &b->bdaddr, b->bdaddr_type)) + continue; + ++ /* Pointers not dereferenced, no locks needed */ + pend_conn = hci_pend_le_action_lookup(&hdev->pend_le_conns, + &b->bdaddr, + b->bdaddr_type); +@@ -2532,23 +2600,50 @@ static u8 hci_update_accept_list_sync(struct hci_dev *hdev) + * available accept list entries in the controller, then + * just abort and return filer policy value to not use the + * accept list. ++ * ++ * The list and params may be mutated while we wait for events, ++ * so make a copy and iterate it. + */ +- list_for_each_entry(params, &hdev->pend_le_conns, action) { +- err = hci_le_add_accept_list_sync(hdev, params, &num_entries); +- if (err) ++ ++ params = conn_params_copy(&hdev->pend_le_conns, &n); ++ if (!params) { ++ err = -ENOMEM; ++ goto done; ++ } ++ ++ for (i = 0; i < n; ++i) { ++ err = hci_le_add_accept_list_sync(hdev, ¶ms[i], ++ &num_entries); ++ if (err) { ++ kvfree(params); + goto done; ++ } + } + ++ kvfree(params); ++ + /* After adding all new pending connections, walk through + * the list of pending reports and also add these to the + * accept list if there is still space. Abort if space runs out. 
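Review bot: conn_params_copy signals allocation failure by returning NULL, and both callers in hci_update_accept_list_sync turn NULL into `-ENOMEM`. An empty action list therefore works only because a zero-length `kvcalloc` returns a non-NULL pointer. That matches the allocator's behaviour as far as I know, but the dependency is invisible at this site. I would add `/* *n == 0: kvcalloc(0, ...) still returns a non-NULL pointer that kvfree() accepts, so an empty list is not reported as -ENOMEM */` above the allocation. The count pass and the copy pass run in separate RCU sections, which the `i >= *n` check and the final `*n = i` already account for.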
+ */ +- list_for_each_entry(params, &hdev->pend_le_reports, action) { +- err = hci_le_add_accept_list_sync(hdev, params, &num_entries); +- if (err) ++ ++ params = conn_params_copy(&hdev->pend_le_reports, &n); ++ if (!params) { ++ err = -ENOMEM; ++ goto done; ++ } ++ ++ for (i = 0; i < n; ++i) { ++ err = hci_le_add_accept_list_sync(hdev, ¶ms[i], ++ &num_entries); ++ if (err) { ++ kvfree(params); + goto done; ++ } + } + ++ kvfree(params); ++ + /* Use the allowlist unless the following conditions are all true: + * - We are not currently suspending + * - There are 1 or more ADV monitors registered and it's not offloaded +@@ -4839,12 +4934,12 @@ static void hci_pend_le_actions_clear(struct hci_dev *hdev) + struct hci_conn_params *p; + + list_for_each_entry(p, &hdev->le_conn_params, list) { ++ hci_pend_le_list_del_init(p); + if (p->conn) { + hci_conn_drop(p->conn); + hci_conn_put(p->conn); + p->conn = NULL; + } +- list_del_init(&p->action); + } + + BT_DBG("All LE pending actions cleared"); +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index f7b2d0971f240..1e07d0f289723 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -1297,15 +1297,15 @@ static void restart_le_actions(struct hci_dev *hdev) + /* Needed for AUTO_OFF case where might not "really" + * have been powered off. 
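Review bot: Both new `!params` branches in hci_update_accept_list_sync set `err = -ENOMEM` and jump to `done` without logging, and the comment just above describes that path as returning a filter policy that does not use the accept list. If that reading of `done` (outside the hunk) is right, memory pressure silently switches passive scanning from the accept list to unfiltered, and that should be visible in the log. I would add `bt_dev_err(hdev, "accept list copy failed, not using accept list");` before each `goto done`. The copy, loop and `kvfree` sequence is also written out twice, once per list, and would be easier to audit as one static helper taking the list head and `&num_entries`.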
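Review bot: hci_pend_le_actions_clear now calls `hci_pend_le_list_del_init(p)` for every entry in `le_conn_params`, and that helper (added in the hci_core.c hunk) runs `synchronize_rcu()` for each entry that is on an action list. With many pending entries this is one full grace period per entry, presumably with hdev->lock held by the caller, which can stall other work on the device for a noticeable time. If that matters here, unlink all entries with `list_del_rcu()` first and wait once before re-initialising the list heads. Otherwise a comment should say the per-entry wait is accepted because the list is short. The function starts outside the hunk.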
+ */ +- list_del_init(&p->action); ++ hci_pend_le_list_del_init(p); + + switch (p->auto_connect) { + case HCI_AUTO_CONN_DIRECT: + case HCI_AUTO_CONN_ALWAYS: +- list_add(&p->action, &hdev->pend_le_conns); ++ hci_pend_le_list_add(p, &hdev->pend_le_conns); + break; + case HCI_AUTO_CONN_REPORT: +- list_add(&p->action, &hdev->pend_le_reports); ++ hci_pend_le_list_add(p, &hdev->pend_le_reports); + break; + default: + break; +@@ -5169,7 +5169,7 @@ static int set_device_flags(struct sock *sk, struct hci_dev *hdev, void *data, + goto unlock; + } + +- params->flags = current_flags; ++ WRITE_ONCE(params->flags, current_flags); + status = MGMT_STATUS_SUCCESS; + + /* Update passive scan if HCI_CONN_FLAG_DEVICE_PRIVACY +@@ -7580,7 +7580,7 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr, + if (params->auto_connect == auto_connect) + return 0; + +- list_del_init(¶ms->action); ++ hci_pend_le_list_del_init(params); + + switch (auto_connect) { + case HCI_AUTO_CONN_DISABLED: +@@ -7589,18 +7589,18 @@ static int hci_conn_params_set(struct hci_dev *hdev, bdaddr_t *addr, + * connect to device, keep connecting. 
+ */ + if (params->explicit_connect) +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + break; + case HCI_AUTO_CONN_REPORT: + if (params->explicit_connect) +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + else +- list_add(¶ms->action, &hdev->pend_le_reports); ++ hci_pend_le_list_add(params, &hdev->pend_le_reports); + break; + case HCI_AUTO_CONN_DIRECT: + case HCI_AUTO_CONN_ALWAYS: + if (!is_connected(hdev, addr, addr_type)) +- list_add(¶ms->action, &hdev->pend_le_conns); ++ hci_pend_le_list_add(params, &hdev->pend_le_conns); + break; + } + +@@ -7823,9 +7823,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev, + goto unlock; + } + +- list_del(¶ms->action); +- list_del(¶ms->list); +- kfree(params); ++ hci_conn_params_free(params); + + device_removed(sk, hdev, &cp->addr.bdaddr, cp->addr.type); + } else { +@@ -7856,9 +7854,7 @@ static int remove_device(struct sock *sk, struct hci_dev *hdev, + p->auto_connect = HCI_AUTO_CONN_EXPLICIT; + continue; + } +- list_del(&p->action); +- list_del(&p->list); +- kfree(p); ++ hci_conn_params_free(p); + } + + bt_dev_dbg(hdev, "All LE connection parameters were removed"); +-- +2.39.2 + diff --git a/tmp-6.4/bpf-address-kcsan-report-on-bpf_lru_list.patch b/tmp-6.4/bpf-address-kcsan-report-on-bpf_lru_list.patch new file mode 100644 index 00000000000..400e32122e8 --- /dev/null +++ b/tmp-6.4/bpf-address-kcsan-report-on-bpf_lru_list.patch 
@@ -0,0 +1,177 @@ +From 57221d8fa06c7bb4348592a89fa64f6d815f8518 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 May 2023 21:37:48 -0700 +Subject: bpf: Address KCSAN report on bpf_lru_list + +From: Martin KaFai Lau + +[ Upstream commit ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 ] + +KCSAN reported a data-race when accessing node->ref. +Although node->ref does not have to be accurate, +take this chance to use a more common READ_ONCE() and WRITE_ONCE() +pattern instead of data_race(). + +There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). +This patch also adds bpf_lru_node_clear_ref() to do the +WRITE_ONCE(node->ref, 0) also. + +================================================================== +BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem + +write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: +__bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] +__bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] +__bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 +bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] +bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] +bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 +prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] +__htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 +bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 +bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 +generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 +bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 +__sys_bpf+0x338/0x810 +__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +read to 0xffff888137038deb of 1 bytes by task 
11241 on cpu 0: +bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] +__htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 +bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 +bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 +generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 +bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 +__sys_bpf+0x338/0x810 +__do_sys_bpf kernel/bpf/syscall.c:5096 [inline] +__se_sys_bpf kernel/bpf/syscall.c:5094 [inline] +__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd + +value changed: 0x01 -> 0x00 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 +================================================================== + +Reported-by: syzbot+ebe648a84e8784763f82@syzkaller.appspotmail.com +Signed-off-by: Martin KaFai Lau +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20230511043748.1384166-1-martin.lau@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/bpf_lru_list.c | 21 +++++++++++++-------- + kernel/bpf/bpf_lru_list.h | 7 ++----- + 2 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/kernel/bpf/bpf_lru_list.c b/kernel/bpf/bpf_lru_list.c +index d99e89f113c43..3dabdd137d102 100644 +--- a/kernel/bpf/bpf_lru_list.c ++++ b/kernel/bpf/bpf_lru_list.c +@@ -41,7 +41,12 @@ static struct list_head *local_pending_list(struct bpf_lru_locallist *loc_l) + /* bpf_lru_node helpers */ + static bool bpf_lru_node_is_ref(const struct bpf_lru_node *node) + { +- return node->ref; ++ return READ_ONCE(node->ref); ++} ++ ++static void bpf_lru_node_clear_ref(struct bpf_lru_node *node) ++{ ++ WRITE_ONCE(node->ref, 0); + } 
+ + static void bpf_lru_list_count_inc(struct bpf_lru_list *l, +@@ -89,7 +94,7 @@ static void __bpf_lru_node_move_in(struct bpf_lru_list *l, + + bpf_lru_list_count_inc(l, tgt_type); + node->type = tgt_type; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_move(&node->list, &l->lists[tgt_type]); + } + +@@ -110,7 +115,7 @@ static void __bpf_lru_node_move(struct bpf_lru_list *l, + bpf_lru_list_count_inc(l, tgt_type); + node->type = tgt_type; + } +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + + /* If the moving node is the next_inactive_rotation candidate, + * move the next_inactive_rotation pointer also. +@@ -353,7 +358,7 @@ static void __local_list_add_pending(struct bpf_lru *lru, + *(u32 *)((void *)node + lru->hash_offset) = hash; + node->cpu = cpu; + node->type = BPF_LRU_LOCAL_LIST_T_PENDING; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, local_pending_list(loc_l)); + } + +@@ -419,7 +424,7 @@ static struct bpf_lru_node *bpf_percpu_lru_pop_free(struct bpf_lru *lru, + if (!list_empty(free_list)) { + node = list_first_entry(free_list, struct bpf_lru_node, list); + *(u32 *)((void *)node + lru->hash_offset) = hash; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + __bpf_lru_node_move(l, node, BPF_LRU_LIST_T_INACTIVE); + } + +@@ -522,7 +527,7 @@ static void bpf_common_lru_push_free(struct bpf_lru *lru, + } + + node->type = BPF_LRU_LOCAL_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_move(&node->list, local_free_list(loc_l)); + + raw_spin_unlock_irqrestore(&loc_l->lock, flags); +@@ -568,7 +573,7 @@ static void bpf_common_lru_populate(struct bpf_lru *lru, void *buf, + + node = (struct bpf_lru_node *)(buf + node_offset); + node->type = BPF_LRU_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); + buf += elem_size; + } +@@ -594,7 +599,7 @@ static void bpf_percpu_lru_populate(struct bpf_lru *lru, void *buf, + node = (struct bpf_lru_node 
*)(buf + node_offset); + node->cpu = cpu; + node->type = BPF_LRU_LIST_T_FREE; +- node->ref = 0; ++ bpf_lru_node_clear_ref(node); + list_add(&node->list, &l->lists[BPF_LRU_LIST_T_FREE]); + i++; + buf += elem_size; +diff --git a/kernel/bpf/bpf_lru_list.h b/kernel/bpf/bpf_lru_list.h +index 4ea227c9c1ade..8f3c8b2b4490e 100644 +--- a/kernel/bpf/bpf_lru_list.h ++++ b/kernel/bpf/bpf_lru_list.h +@@ -64,11 +64,8 @@ struct bpf_lru { + + static inline void bpf_lru_node_set_ref(struct bpf_lru_node *node) + { +- /* ref is an approximation on access frequency. It does not +- * have to be very accurate. Hence, no protection is used. +- */ +- if (!node->ref) +- node->ref = 1; ++ if (!READ_ONCE(node->ref)) ++ WRITE_ONCE(node->ref, 1); + } + + int bpf_lru_init(struct bpf_lru *lru, bool percpu, u32 hash_offset, +-- +2.39.2 + diff --git a/tmp-6.4/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch b/tmp-6.4/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch new file mode 100644 index 00000000000..69d1570961b --- /dev/null +++ b/tmp-6.4/bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch 
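Review bot: The rewrite of bpf_lru_node_set_ref drops the only comment that explained why `ref` is accessed without a lock. READ_ONCE/WRITE_ONCE mark the access as intentionally racy but do not make the test-and-set atomic, so the next reader has no way to tell a deliberate approximation from a missed lock. I would keep a short form of the removed text: `/* ref is an approximate access-frequency hint; a lost update is harmless, READ_ONCE/WRITE_ONCE only annotate the lockless access */`.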
@@ -0,0 +1,55 @@
+From 69e2c18524955cd8fb89335a4ddf8186f4aab6ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Jul 2023 09:49:31 -0700
+Subject: bpf, arm64: Fix BTI type used for freplace attached functions
+
+From: Alexander Duyck
+
+[ Upstream commit a3f25d614bc73b45e8f02adc6769876dfd16ca84 ]
+
+When running an freplace attached bpf program on an arm64 system w were
+seeing the following issue:
+ Unhandled 64-bit el1h sync exception on CPU47, ESR 0x0000000036000003 -- BTI
+
+After a bit of work to track it down I determined that what appeared to be
+happening is that the 'bti c' at the start of the program was somehow being
+reached after a 'br' instruction. Further digging pointed me toward the
+fact that the function was attached via freplace. This in turn led me to
+build_plt which I believe is invoking the long jump which is triggering
+this error.
+
+To resolve it we can replace the 'bti c' with 'bti jc' and add a comment
+explaining why this has to be modified as such.
+
+Fixes: b2ad54e1533e ("bpf, arm64: Implement bpf_arch_text_poke() for arm64")
+Signed-off-by: Alexander Duyck
+Acked-by: Xu Kuohai
+Link: https://lore.kernel.org/r/168926677665.316237.9953845318337455525.stgit@ahduyck-xeon-server.home.arpa
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/net/bpf_jit_comp.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
+index b26da8efa616e..0ce5f13eabb1b 100644
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -322,7 +322,13 @@ static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf)
+ *
+ */
+
+- emit_bti(A64_BTI_C, ctx);
++ /* bpf function may be invoked by 3 instruction types:
++ * 1. bl, attached via freplace to bpf prog via short jump
++ * 2. br, attached via freplace to bpf prog via long jump
++ * 3. blr, working as a function pointer, used by emit_call.
++ * So BTI_JC should used here to support both br and blr.
++ */
++ emit_bti(A64_BTI_JC, ctx);
+
+ emit(A64_MOV(1, A64_R(9), A64_LR), ctx);
+ emit(A64_NOP, ctx);
+--
+2.39.2
+
diff --git a/tmp-6.4/bpf-drop-unnecessary-user-triggerable-warn_once-in-v.patch b/tmp-6.4/bpf-drop-unnecessary-user-triggerable-warn_once-in-v.patch
new file mode 100644
index 00000000000..e198a2a3887
--- /dev/null
+++ b/tmp-6.4/bpf-drop-unnecessary-user-triggerable-warn_once-in-v.patch
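Review bot: `emit_bti(A64_BTI_JC, ctx)` in build_prologue() relaxes the landing pad of every JITed program, not only of those that can be an freplace target: `bti jc` accepts a `br` from any register in addition to `blr`, so each program entry becomes a valid indirect-jump destination and the BTI check is weaker there. If the JIT can tell at prologue time that a program may be reached through the long-jump path, emitting `A64_BTI_JC` only in that case would keep `bti c` elsewhere; if it cannot, the new comment should say that the relaxation is deliberate and global. The comment also has a slip, `should used` for `should be used`. The body of build_prologue() continues outside the hunk.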
@@ -0,0 +1,47 @@
+From 4350e2f0eea4178f3bb70baa675e31ad71759a97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 May 2023 11:04:09 -0700
+Subject: bpf: drop unnecessary user-triggerable WARN_ONCE in verifierl log
+
+From: Andrii Nakryiko
+
+[ Upstream commit cff36398bd4c7d322d424433db437f3c3391c491 ]
+
+It's trivial for user to trigger "verifier log line truncated" warning,
+as verifier has a fixed-sized buffer of 1024 bytes (as of now), and there are at
+least two pieces of user-provided information that can be output through
+this buffer, and both can be arbitrarily sized by user:
+ - BTF names;
+ - BTF.ext source code lines strings.
+
+Verifier log buffer should be properly sized for typical verifier state
+output. But it's sort-of expected that this buffer won't be long enough
+in some circumstances. So let's drop the check. In any case code will
+work correctly, at worst truncating a part of a single line output.
+
+Reported-by: syzbot+8b2a08dfbd25fd933d75@syzkaller.appspotmail.com
+Signed-off-by: Andrii Nakryiko
+Link: https://lore.kernel.org/r/20230516180409.3549088-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/log.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
+index 046ddff37a76d..850494423530e 100644
+--- a/kernel/bpf/log.c
++++ b/kernel/bpf/log.c
+@@ -62,9 +62,6 @@ void bpf_verifier_vlog(struct bpf_verifier_log *log, const char *fmt,
+
+ n = vscnprintf(log->kbuf, BPF_VERIFIER_TMP_LOG_SIZE, fmt, args);
+
+- WARN_ONCE(n >= BPF_VERIFIER_TMP_LOG_SIZE - 1,
+- "verifier log line truncated - local buffer too short\n");
+-
+ if (log->level == BPF_LOG_KERNEL) {
+ bool newline = n > 0 && log->kbuf[n - 1] == '\n';
+
+--
+2.39.2
+
diff --git a/tmp-6.4/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch b/tmp-6.4/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch
new file mode 100644
index 00000000000..40c497a072a
--- /dev/null
+++ b/tmp-6.4/bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch 
@@ -0,0 +1,75 @@
+From 0903ef6dae667052bd2e2b5f70fd8d93583fd8fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 21:45:28 +0530
+Subject: bpf: Fix subprog idx logic in check_max_stack_depth
+
+From: Kumar Kartikeya Dwivedi
+
+[ Upstream commit ba7b3e7d5f9014be65879ede8fd599cb222901c9 ]
+
+The assignment to idx in check_max_stack_depth happens once we see a
+bpf_pseudo_call or bpf_pseudo_func. This is not an issue as the rest of
+the code performs a few checks and then pushes the frame to the frame
+stack, except the case of async callbacks. If the async callback case
+causes the loop iteration to be skipped, the idx assignment will be
+incorrect on the next iteration of the loop. The value stored in the
+frame stack (as the subprogno of the current subprog) will be incorrect.
+
+This leads to incorrect checks and incorrect tail_call_reachable
+marking. Save the target subprog in a new variable and only assign to
+idx once we are done with the is_async_cb check which may skip pushing
+of frame to the frame stack and subsequent stack depth checks and tail
+call markings.
+
+Fixes: 7ddc80a476c2 ("bpf: Teach stack depth check about async callbacks.")
+Signed-off-by: Kumar Kartikeya Dwivedi
+Link: https://lore.kernel.org/r/20230717161530.1238-2-memxor@gmail.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/verifier.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index aac31e33323bb..e95bfe45fd890 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5429,7 +5429,7 @@ static int check_max_stack_depth(struct bpf_verifier_env *env)
+ continue_func:
+ subprog_end = subprog[idx + 1].start;
+ for (; i < subprog_end; i++) {
+- int next_insn;
++ int next_insn, sidx;
+
+ if (!bpf_pseudo_call(insn + i) && !bpf_pseudo_func(insn + i))
+ continue;
+@@ -5439,14 +5439,14 @@ static int check_max_stack_depth(struct bpf_verifier_env *env)
+
+ /* find the callee */
+ next_insn = i + insn[i].imm + 1;
+- idx = find_subprog(env, next_insn);
+- if (idx < 0) {
++ sidx = find_subprog(env, next_insn);
++ if (sidx < 0) {
+ WARN_ONCE(1, "verifier bug. No program starts at insn %d\n",
+ next_insn);
+ return -EFAULT;
+ }
+- if (subprog[idx].is_async_cb) {
+- if (subprog[idx].has_tail_call) {
++ if (subprog[sidx].is_async_cb) {
++ if (subprog[sidx].has_tail_call) {
+ verbose(env, "verifier bug. subprog has tail_call and async cb\n");
+ return -EFAULT;
+ }
+@@ -5455,6 +5455,7 @@ static int check_max_stack_depth(struct bpf_verifier_env *env)
+ continue;
+ }
+ i = next_insn;
++ idx = sidx;
+
+ if (subprog[idx].has_tail_call)
+ tail_call_reachable = true;
+--
+2.39.2
+
diff --git a/tmp-6.4/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch b/tmp-6.4/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch
new file mode 100644
index 00000000000..3badce6a052
--- /dev/null
+++ b/tmp-6.4/bpf-print-a-warning-only-if-writing-to-unprivileged_.patch
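Review bot: The ordering this fix depends on is not stated in the code: `idx = sidx;` in the last hunk has to stay below the `is_async_cb` branch that ends in `continue`, otherwise `idx` again names a subprog whose frame was never pushed. A comment at the assignment would protect it against later reshuffling, for example `/* commit to the callee only after the async-callback skip above */`. `sidx` would also read better under a name that says what it holds, such as `callee`. check_max_stack_depth() starts and ends outside these hunks.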
@@ -0,0 +1,47 @@
+From 5546963a3ee78475dff4b222fafb27b5ad6d2de2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 2 May 2023 11:14:18 -0700
+Subject: bpf: Print a warning only if writing to unprivileged_bpf_disabled.
+
+From: Kui-Feng Lee
+
+[ Upstream commit fedf99200ab086c42a572fca1d7266b06cdc3e3f ]
+
+Only print the warning message if you are writing to
+"/proc/sys/kernel/unprivileged_bpf_disabled".
+
+The kernel may print an annoying warning when you read
+"/proc/sys/kernel/unprivileged_bpf_disabled" saying
+
+ WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible
+ via Spectre v2 BHB attacks!
+
+However, this message is only meaningful when the feature is
+disabled or enabled.
+
+Signed-off-by: Kui-Feng Lee
+Signed-off-by: Andrii Nakryiko
+Acked-by: Yonghong Song
+Link: https://lore.kernel.org/bpf/20230502181418.308479-1-kuifeng@meta.com
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/syscall.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index f1c8733f76b83..5524fcf6fb2a4 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -5394,7 +5394,8 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write,
+ *(int *)table->data = unpriv_enable;
+ }
+
+- unpriv_ebpf_notify(unpriv_enable);
++ if (write)
++ unpriv_ebpf_notify(unpriv_enable);
+
+ return ret;
+ }
+--
+2.39.2
+
diff --git a/tmp-6.4/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch b/tmp-6.4/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch
new file mode 100644
index 00000000000..ed94042d578
--- /dev/null
+++ b/tmp-6.4/bpf-repeat-check_max_stack_depth-for-async-callbacks.patch
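Review bot: The new `if (write) unpriv_ebpf_notify(unpriv_enable);` in bpf_unpriv_handler() is not tied to `ret`, which is returned two lines later, so the notifier also runs after a write that failed. The condition guarding the `*(int *)table->data = unpriv_enable;` store is outside the hunk, so this is inferred, but if that store is skipped on error the warning is raised for a value that was never applied. `if (write && !ret)` would tie the message to an actual change of the sysctl.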
@@ -0,0 +1,102 @@
+From 618abe8dabe1ad1d0d66135467202aca5f3881c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 21:45:29 +0530
+Subject: bpf: Repeat check_max_stack_depth for async callbacks
+
+From: Kumar Kartikeya Dwivedi
+
+[ Upstream commit b5e9ad522c4ccd32d322877515cff8d47ed731b9 ]
+
+While the check_max_stack_depth function explores call chains emanating
+from the main prog, which is typically enough to cover all possible call
+chains, it doesn't explore those rooted at async callbacks unless the
+async callback will have been directly called, since unlike non-async
+callbacks it skips their instruction exploration as they don't
+contribute to stack depth.
+
+It could be the case that the async callback leads to a callchain which
+exceeds the stack depth, but this is never reachable while only
+exploring the entry point from main subprog. Hence, repeat the check for
+the main subprog *and* all async callbacks marked by the symbolic
+execution pass of the verifier, as execution of the program may begin at
+any of them.
+
+Consider functions with following stack depths:
+main: 256
+async: 256
+foo: 256
+
+main:
+ rX = async
+ bpf_timer_set_callback(...)
+
+async:
+ foo()
+
+Here, async is not descended as it does not contribute to stack depth of
+main (since it is referenced using bpf_pseudo_func and not
+bpf_pseudo_call). However, when async is invoked asynchronously, it will
+end up breaching the MAX_BPF_STACK limit by calling foo.
+
+Hence, in addition to main, we also need to explore call chains
+beginning at all async callback subprogs in a program.
+
+Fixes: 7ddc80a476c2 ("bpf: Teach stack depth check about async callbacks.")
+Signed-off-by: Kumar Kartikeya Dwivedi
+Link: https://lore.kernel.org/r/20230717161530.1238-3-memxor@gmail.com
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/verifier.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index e95bfe45fd890..4fbfe1d086467 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5381,16 +5381,17 @@ static int update_stack_depth(struct bpf_verifier_env *env,
+ * Since recursion is prevented by check_cfg() this algorithm
+ * only needs a local stack of MAX_CALL_FRAMES to remember callsites
+ */
+-static int check_max_stack_depth(struct bpf_verifier_env *env)
++static int check_max_stack_depth_subprog(struct bpf_verifier_env *env, int idx)
+ {
+- int depth = 0, frame = 0, idx = 0, i = 0, subprog_end;
+ struct bpf_subprog_info *subprog = env->subprog_info;
+ struct bpf_insn *insn = env->prog->insnsi;
++ int depth = 0, frame = 0, i, subprog_end;
+ bool tail_call_reachable = false;
+ int ret_insn[MAX_CALL_FRAMES];
+ int ret_prog[MAX_CALL_FRAMES];
+ int j;
+
++ i = subprog[idx].start;
+ process_func:
+ /* protect against potential stack overflow that might happen when
+ * bpf2bpf calls get combined with tailcalls.
Limit the caller's stack
+@@ -5491,6 +5492,22 @@ static int check_max_stack_depth(struct bpf_verifier_env *env)
+ goto continue_func;
+ }
+
++static int check_max_stack_depth(struct bpf_verifier_env *env)
++{
++ struct bpf_subprog_info *si = env->subprog_info;
++ int ret;
++
++ for (int i = 0; i < env->subprog_cnt; i++) {
++ if (!i || si[i].is_async_cb) {
++ ret = check_max_stack_depth_subprog(env, i);
++ if (ret < 0)
++ return ret;
++ }
++ continue;
++ }
++ return 0;
++}
++
+ #ifndef CONFIG_BPF_JIT_ALWAYS_ON
+ static int get_callee_stack_depth(struct bpf_verifier_env *env,
+ const struct bpf_insn *insn, int idx)
+--
+2.39.2
+
diff --git a/tmp-6.4/bpf-silence-a-warning-in-btf_type_id_size.patch b/tmp-6.4/bpf-silence-a-warning-in-btf_type_id_size.patch
new file mode 100644
index 00000000000..54e4c3386d8
--- /dev/null
+++ b/tmp-6.4/bpf-silence-a-warning-in-btf_type_id_size.patch
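Review bot: The `continue;` that ends the loop body of the new check_max_stack_depth() has no effect, because it is the last statement of the iteration; it can be dropped, and the nested `if` then reads more simply as a guard, `if (i && !si[i].is_async_cb) continue;`, followed by the call. The header comment that the first hunk leaves above check_max_stack_depth_subprog() describes a single walk, so the wrapper deserves a line of its own saying that the walk is repeated for subprog 0 and for every subprog marked `is_async_cb`, since execution may begin at any of them.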
@@ -0,0 +1,100 @@
+From dbcb5e3b6449240c0366bfcc88051b4ac795a114 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 May 2023 13:50:29 -0700
+Subject: bpf: Silence a warning in btf_type_id_size()
+
+From: Yonghong Song
+
+[ Upstream commit e6c2f594ed961273479505b42040782820190305 ]
+
+syzbot reported a warning in [1] with the following stacktrace:
+ WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
+ ...
+ RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
+ ...
+ Call Trace:
+
+ map_check_btf kernel/bpf/syscall.c:1024 [inline]
+ map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198
+ __sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040
+ __do_sys_bpf kernel/bpf/syscall.c:5162 [inline]
+ __se_sys_bpf kernel/bpf/syscall.c:5160 [inline]
+ __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+With the following btf
+ [1] DECL_TAG 'a' type_id=4 component_idx=-1
+ [2] PTR '(anon)' type_id=0
+ [3] TYPE_TAG 'a' type_id=2
+ [4] VAR 'a' type_id=3, linkage=static
+and when the bpf_attr.btf_key_type_id = 1 (DECL_TAG),
+the following WARN_ON_ONCE in btf_type_id_size() is triggered:
+ if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) &&
+ !btf_type_is_var(size_type)))
+ return NULL;
+
+Note that 'return NULL' is the correct behavior as we don't want
+a DECL_TAG type to be used as a btf_{key,value}_type_id even
+for the case like 'DECL_TAG -> STRUCT'. So there
+is no correctness issue here, we just want to silence warning.
+
+To silence the warning, I added DECL_TAG as one of kinds in
+btf_type_nosize() which will cause btf_type_id_size() returning
+NULL earlier without the warning.
+
+ [1] https://lore.kernel.org/bpf/000000000000e0df8d05fc75ba86@google.com/
+
+Reported-by: syzbot+958967f249155967d42a@syzkaller.appspotmail.com
+Signed-off-by: Yonghong Song
+Link: https://lore.kernel.org/r/20230530205029.264910-1-yhs@fb.com
+Signed-off-by: Martin KaFai Lau
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/btf.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index 25ca17a8e1964..8b4e92439d1d6 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -485,25 +485,26 @@ static bool btf_type_is_fwd(const struct btf_type *t)
+ return BTF_INFO_KIND(t->info) == BTF_KIND_FWD;
+ }
+
+-static bool btf_type_nosize(const struct btf_type *t)
++static bool btf_type_is_datasec(const struct btf_type *t)
+ {
+- return btf_type_is_void(t) || btf_type_is_fwd(t) ||
+- btf_type_is_func(t) || btf_type_is_func_proto(t);
++ return BTF_INFO_KIND(t->info) == BTF_KIND_DATASEC;
+ }
+
+-static bool btf_type_nosize_or_null(const struct btf_type *t)
++static bool btf_type_is_decl_tag(const struct btf_type *t)
+ {
+- return !t || btf_type_nosize(t);
++ return BTF_INFO_KIND(t->info) == BTF_KIND_DECL_TAG;
+ }
+
+-static bool btf_type_is_datasec(const struct btf_type *t)
++static bool btf_type_nosize(const struct btf_type *t)
+ {
+- return BTF_INFO_KIND(t->info) == BTF_KIND_DATASEC;
++ return btf_type_is_void(t) || btf_type_is_fwd(t) ||
++ btf_type_is_func(t) || btf_type_is_func_proto(t) ||
++ btf_type_is_decl_tag(t);
+ }
+
+-static bool btf_type_is_decl_tag(const struct btf_type *t)
++static bool btf_type_nosize_or_null(const struct btf_type *t)
+ {
+- return BTF_INFO_KIND(t->info) == BTF_KIND_DECL_TAG;
++ return !t || btf_type_nosize(t);
+ }
+
+ static bool btf_type_is_decl_tag_target(const struct btf_type *t)
+--
+2.39.2
+
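Review bot: `btf_type_nosize()` now lists `btf_type_is_decl_tag(t)` with nothing in the code saying why a DECL_TAG counts as size-less; the reason is only in the commit message, where the entry makes `btf_type_id_size()` return NULL before it reaches a `WARN_ON_ONCE` that user-supplied BTF can trigger. A short comment above the function would keep a later cleanup from dropping the entry, for example `/* DECL_TAG has no size and must not be accepted as a map key/value type */`. The other three helpers are only moved so that `btf_type_is_decl_tag()` is defined before its first use.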
diff --git a/tmp-6.4/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch b/tmp-6.4/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch
new file mode 100644
index 00000000000..1f77203606d
--- /dev/null
+++ b/tmp-6.4/bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch
@@ -0,0 +1,152 @@
+From ab66d5336cd3fa2f5a2196a042f23a408d2e29e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 May 2023 22:51:49 +0000
+Subject: bpf: tcp: Avoid taking fast sock lock in iterator
+
+From: Aditi Ghag
+
+[ Upstream commit 9378096e8a656fb5c4099b26b1370c56f056eab9 ]
+
+This is a preparatory commit to replace `lock_sock_fast` with
+`lock_sock`,and facilitate BPF programs executed from the TCP sockets
+iterator to be able to destroy TCP sockets using the bpf_sock_destroy
+kfunc (implemented in follow-up commits).
+
+Previously, BPF TCP iterator was acquiring the sock lock with BH
+disabled. This led to scenarios where the sockets hash table bucket lock
+can be acquired with BH enabled in some path versus disabled in other.
+In such situation, kernel issued a warning since it thinks that in the
+BH enabled path the same bucket lock *might* be acquired again in the
+softirq context (BH disabled), which will lead to a potential dead lock.
+Since bpf_sock_destroy also happens in a process context, the potential
+deadlock warning is likely a false alarm.
+
+Here is a snippet of annotated stack trace that motivated this change:
+
+```
+
+Possible interrupt unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&h->lhash2[i].lock);
+ local_bh_disable();
+ lock(&h->lhash2[i].lock);
+kernel imagined possible scenario:
+ local_bh_disable(); /* Possible softirq */
+ lock(&h->lhash2[i].lock);
+*** Potential Deadlock ***
+
+process context:
+
+lock_acquire+0xcd/0x330
+_raw_spin_lock+0x33/0x40
+------> Acquire (bucket) lhash2.lock with BH enabled
+__inet_hash+0x4b/0x210
+inet_csk_listen_start+0xe6/0x100
+inet_listen+0x95/0x1d0
+__sys_listen+0x69/0xb0
+__x64_sys_listen+0x14/0x20
+do_syscall_64+0x3c/0x90
+entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+bpf_sock_destroy run from iterator:
+
+lock_acquire+0xcd/0x330
+_raw_spin_lock+0x33/0x40
+------> Acquire (bucket) lhash2.lock with BH disabled
+inet_unhash+0x9a/0x110
+tcp_set_state+0x6a/0x210
+tcp_abort+0x10d/0x200
+bpf_prog_6793c5ca50c43c0d_iter_tcp6_server+0xa4/0xa9
+bpf_iter_run_prog+0x1ff/0x340
+------> lock_sock_fast that acquires sock lock with BH disabled
+bpf_iter_tcp_seq_show+0xca/0x190
+bpf_seq_read+0x177/0x450
+
+```
+
+Also, Yonghong reported a deadlock for non-listening TCP sockets that
+this change resolves. Previously, `lock_sock_fast` held the sock spin
+lock with BH which was again being acquired in `tcp_abort`:
+
+```
+watchdog: BUG: soft lockup - CPU#0 stuck for 86s! [test_progs:2331]
+RIP: 0010:queued_spin_lock_slowpath+0xd8/0x500
+Call Trace:
+
+ _raw_spin_lock+0x84/0x90
+ tcp_abort+0x13c/0x1f0
+ bpf_prog_88539c5453a9dd47_iter_tcp6_client+0x82/0x89
+ bpf_iter_run_prog+0x1aa/0x2c0
+ ? preempt_count_sub+0x1c/0xd0
+ ? from_kuid_munged+0x1c8/0x210
+ bpf_iter_tcp_seq_show+0x14e/0x1b0
+ bpf_seq_read+0x36c/0x6a0
+
+bpf_iter_tcp_seq_show
+ lock_sock_fast
+ __lock_sock_fast
+ spin_lock_bh(&sk->sk_lock.slock);
+ /* * Fast path return with bottom halves disabled and * sock::sk_lock.slock held.* */
+
+ ...
+ tcp_abort
+ local_bh_disable();
+ spin_lock(&((sk)->sk_lock.slock)); // from bh_lock_sock(sk)
+
+```
+
+With the switch to `lock_sock`, it calls `spin_unlock_bh` before returning:
+
+```
+lock_sock
+ lock_sock_nested
+ spin_lock_bh(&sk->sk_lock.slock);
+ :
+ spin_unlock_bh(&sk->sk_lock.slock);
+```
+
+Acked-by: Yonghong Song
+Acked-by: Stanislav Fomichev
+Signed-off-by: Aditi Ghag
+Link: https://lore.kernel.org/r/20230519225157.760788-2-aditi.ghag@isovalent.com
+Signed-off-by: Martin KaFai Lau
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_ipv4.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 06d2573685ca9..434e5f0c8b99d 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -2963,7 +2963,6 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v)
+ struct bpf_iter_meta meta;
+ struct bpf_prog *prog;
+ struct sock *sk = v;
+- bool slow;
+ uid_t uid;
+ int ret;
+
+@@ -2971,7 +2970,7 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v)
+ return 0;
+
+ if (sk_fullsock(sk))
+- slow = lock_sock_fast(sk);
++ lock_sock(sk);
+
+ if (unlikely(sk_unhashed(sk))) {
+ ret = SEQ_SKIP;
+@@ -2995,7 +2994,7 @@ static int bpf_iter_tcp_seq_show(struct seq_file *seq, void *v)
+
+ unlock:
+ if (sk_fullsock(sk))
+- unlock_sock_fast(sk, slow);
++ release_sock(sk);
+ return ret;
+
+ }
+--
+2.39.2
+
diff --git a/tmp-6.4/bridge-add-extack-warning-when-enabling-stp-in-netns.patch b/tmp-6.4/bridge-add-extack-warning-when-enabling-stp-in-netns.patch
new file mode 100644
index 00000000000..dbdfb4293d0
--- /dev/null
+++ b/tmp-6.4/bridge-add-extack-warning-when-enabling-stp-in-netns.patch
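Review bot: Nothing at the `lock_sock(sk)` call in bpf_iter_tcp_seq_show() records why the full lock is required, and the fast variant it replaces looks like the cheaper choice to anyone tidying this function later. The commit message gives the reason: the iterator program may end up in `tcp_abort`, which takes `sk->sk_lock.slock` itself, so the spin lock must not still be held with BH disabled when the program runs. A comment at the call would carry that, for example `/* not lock_sock_fast(): the prog may take sk_lock.slock again, e.g. via tcp_abort() */`. The three hunks are one change and the function body is only partly visible.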
@@ -0,0 +1,71 @@
+From 68931bfc8cda6272ea843dde9ba493d4a311b2a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Jul 2023 08:44:49 -0700
+Subject: bridge: Add extack warning when enabling STP in netns.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 56a16035bb6effb37177867cea94c13a8382f745 ]
+
+When we create an L2 loop on a bridge in netns, we will see packets storm
+even if STP is enabled.
+
+ # unshare -n
+ # ip link add br0 type bridge
+ # ip link add veth0 type veth peer name veth1
+ # ip link set veth0 master br0 up
+ # ip link set veth1 master br0 up
+ # ip link set br0 type bridge stp_state 1
+ # ip link set br0 up
+ # sleep 30
+ # ip -s link show br0
+ 2: br0: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
+ link/ether b6:61:98:1c:1c:b5 brd ff:ff:ff:ff:ff:ff
+ RX: bytes packets errors dropped missed mcast
+ 956553768 12861249 0 0 0 12861249 <-. Keep
+ TX: bytes packets errors dropped carrier collsns | increasing
+ 1027834 11951 0 0 0 0 <-' rapidly
+
+This is because llc_rcv() drops all packets in non-root netns and BPDU
+is dropped.
+
+Let's add extack warning when enabling STP in netns.
+
+ # unshare -n
+ # ip link add br0 type bridge
+ # ip link set br0 type bridge stp_state 1
+ Warning: bridge: STP does not work in non-root netns.
+
+Note this commit will be reverted later when we namespacify the whole LLC
+infra.
+
+Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe")
+Suggested-by: Harry Coin
+Link: https://lore.kernel.org/netdev/0f531295-e289-022d-5add-5ceffa0df9bc@quietfountain.com/
+Suggested-by: Ido Schimmel
+Signed-off-by: Kuniyuki Iwashima
+Acked-by: Nikolay Aleksandrov
+Reviewed-by: Ido Schimmel
+Signed-off-by: David S.
Miller
+Signed-off-by: Sasha Levin
+---
+ net/bridge/br_stp_if.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
+index 75204d36d7f90..b65962682771f 100644
+--- a/net/bridge/br_stp_if.c
++++ b/net/bridge/br_stp_if.c
+@@ -201,6 +201,9 @@ int br_stp_set_enabled(struct net_bridge *br, unsigned long val,
+ {
+ ASSERT_RTNL();
+
++ if (!net_eq(dev_net(br->dev), &init_net))
++ NL_SET_ERR_MSG_MOD(extack, "STP does not work in non-root netns");
++
+ if (br_mrp_enabled(br)) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "STP can't be enabled if MRP is already enabled");
+--
+2.39.2
+
diff --git a/tmp-6.4/btrfs-abort-transaction-at-update_ref_for_cow-when-r.patch b/tmp-6.4/btrfs-abort-transaction-at-update_ref_for_cow-when-r.patch
new file mode 100644
index 00000000000..de7fca554bc
--- /dev/null
+++ b/tmp-6.4/btrfs-abort-transaction-at-update_ref_for_cow-when-r.patch
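Review bot: The new check in br_stp_set_enabled() does not look at `val`, so `STP does not work in non-root netns` is attached to the reply whenever the function runs in a non-root netns, including (if a zero `val` means disable, which the hunk does not show) when STP is being turned off. `if (val && !net_eq(dev_net(br->dev), &init_net))` would limit the message to the enabling case. The call also goes on after the warning, so the bridge can report STP as enabled while, per the commit message, BPDUs are dropped and loops are not broken; that deserves a comment at the check saying the warning is advisory and temporary. The rest of the function is outside the hunk.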
@@ -0,0 +1,54 @@
+From c753b330c41c8f311cd03dc8b18fcad6f947bf9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jun 2023 11:27:45 +0100
+Subject: btrfs: abort transaction at update_ref_for_cow() when ref count is
+ zero
+
+From: Filipe Manana
+
+[ Upstream commit eced687e224eb3cc5a501cf53ad9291337c8dbc5 ]
+
+At update_ref_for_cow() we are calling btrfs_handle_fs_error() if we find
+that the extent buffer has an unexpected ref count of zero, however we can
+simply use btrfs_abort_transaction(), which achieves the same purposes: to
+turn the fs to error state, abort the current transaction and turn the fs
+to RO mode as well. Besides that, btrfs_abort_transaction() also prints a
+stack trace which makes it more useful.
+
+Also, as this is a very unexpected situation, indicating a serious
+corruption/inconsistency, tag the if branch as 'unlikely', set the error
+code to -EUCLEAN instead of -EROFS, and log an explicit message.
+
+Reviewed-by: Qu Wenruo
+Signed-off-by: Filipe Manana
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/ctree.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index 4912d624ca3d3..886e661a218fc 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -417,9 +417,13 @@ static noinline int update_ref_for_cow(struct btrfs_trans_handle *trans,
+ &refs, &flags);
+ if (ret)
+ return ret;
+- if (refs == 0) {
+- ret = -EROFS;
+- btrfs_handle_fs_error(fs_info, ret, NULL);
++ if (unlikely(refs == 0)) {
++ btrfs_crit(fs_info,
++ "found 0 references for tree block at bytenr %llu level %d root %llu",
++ buf->start, btrfs_header_level(buf),
++ btrfs_root_id(root));
++ ret = -EUCLEAN;
++ btrfs_abort_transaction(trans, ret);
+ return ret;
+ }
+ } else {
+--
+2.39.2
+
diff --git a/tmp-6.4/btrfs-add-xxhash-to-fast-checksum-implementations.patch b/tmp-6.4/btrfs-add-xxhash-to-fast-checksum-implementations.patch
new file mode 100644
index 00000000000..c885698bfa6
--- /dev/null
+++ b/tmp-6.4/btrfs-add-xxhash-to-fast-checksum-implementations.patch
@@ -0,0 +1,59 @@
+From 93a51f01a3ca362a5bc53e99086d6fb0fc922e23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 Apr 2023 00:06:02 +0200
+Subject: btrfs: add xxhash to fast checksum implementations
+
+From: David Sterba
+
+[ Upstream commit efcfcbc6a36195c42d98e0ee697baba36da94dc8 ]
+
+The implementation of XXHASH is now CPU only but still fast enough to be
+considered for the synchronous checksumming, like non-generic crc32c.
+
+A userspace benchmark comparing it to various implementations (patched
+hash-speedtest from btrfs-progs):
+
+ Block size: 4096
+ Iterations: 1000000
+ Implementation: builtin
+ Units: CPU cycles
+
+ NULL-NOP: cycles: 73384294, cycles/i 73
+ NULL-MEMCPY: cycles: 228033868, cycles/i 228, 61664.320 MiB/s
+ CRC32C-ref: cycles: 24758559416, cycles/i 24758, 567.950 MiB/s
+ CRC32C-NI: cycles: 1194350470, cycles/i 1194, 11773.433 MiB/s
+ CRC32C-ADLERSW: cycles: 6150186216, cycles/i 6150, 2286.372 MiB/s
+ CRC32C-ADLERHW: cycles: 626979180, cycles/i 626, 22427.453 MiB/s
+ CRC32C-PCL: cycles: 466746732, cycles/i 466, 30126.699 MiB/s
+ XXHASH: cycles: 860656400, cycles/i 860, 16338.188 MiB/s
+
+Comparing purely software implementation (ref), current outdated
+accelerated using crc32q instruction (NI), optimized implementations by
+M. Adler (https://stackoverflow.com/questions/17645167/implementing-sse-4-2s-crc32c-in-software/17646775#17646775)
+and the best one that was taken from kernel using the PCLMULQDQ
+instruction (PCL).
+
+Reviewed-by: Christoph Hellwig
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/disk-io.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index fc59eb4024438..795b30913c542 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2265,6 +2265,9 @@ static int btrfs_init_csum_hash(struct btrfs_fs_info *fs_info, u16 csum_type)
+ if (!strstr(crypto_shash_driver_name(csum_shash), "generic"))
+ set_bit(BTRFS_FS_CSUM_IMPL_FAST, &fs_info->flags);
+ break;
++ case BTRFS_CSUM_TYPE_XXHASH:
++ set_bit(BTRFS_FS_CSUM_IMPL_FAST, &fs_info->flags);
++ break;
+ default:
+ break;
+ }
+--
+2.39.2
+
diff --git a/tmp-6.4/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch b/tmp-6.4/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch
new file mode 100644
index 00000000000..18fbef7c2be
--- /dev/null
+++ b/tmp-6.4/btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch
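Review bot: The new `case BTRFS_CSUM_TYPE_XXHASH:` sets `BTRFS_FS_CSUM_IMPL_FAST` unconditionally, while the branch just above it sets the bit only when the driver name does not contain `"generic"`, and the code gives no reason for the difference. The reason is in the commit message (xxhash is CPU-only but fast enough for synchronous checksumming) and belongs on the case as a one-line comment, for example `/* no accelerated variant exists; the generic one is fast enough */`. btrfs_init_csum_hash() begins and ends outside the hunk.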
@@ -0,0 +1,44 @@
+From e73188bd438294cee72fe11e00cbce1b297072ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Jun 2023 08:13:23 +0200
+Subject: btrfs: be a bit more careful when setting mirror_num_ret in
+ btrfs_map_block
+
+From: Christoph Hellwig
+
+[ Upstream commit 4e7de35eb7d1a1d4f2dda15f39fbedd4798a0b8d ]
+
+The mirror_num_ret is allowed to be NULL, although it has to be set when
+smap is set. Unfortunately that is not a well enough specifiable
+invariant for static type checkers, so add a NULL check to make sure they
+are fine.
+
+Fixes: 03793cbbc80f ("btrfs: add fast path for single device io in __btrfs_map_block")
+Reported-by: Dan Carpenter
+Reviewed-by: Qu Wenruo
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Christoph Hellwig
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/volumes.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index 5ec000813f047..436e15e3759da 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -6399,7 +6399,8 @@ int __btrfs_map_block(struct btrfs_fs_info *fs_info, enum btrfs_map_op op,
+ (!need_full_stripe(op) || !dev_replace_is_ongoing ||
+ !dev_replace->tgtdev)) {
+ set_io_stripe(smap, map, stripe_index, stripe_offset, stripe_nr);
+- *mirror_num_ret = mirror_num;
++ if (mirror_num_ret)
++ *mirror_num_ret = mirror_num;
+ *bioc_ret = NULL;
+ ret = 0;
+ goto out;
+--
+2.39.2
+
diff --git a/tmp-6.4/btrfs-don-t-check-pageerror-in-__extent_writepage.patch b/tmp-6.4/btrfs-don-t-check-pageerror-in-__extent_writepage.patch
new file mode 100644
index 00000000000..086953f047e
--- /dev/null
+++ b/tmp-6.4/btrfs-don-t-check-pageerror-in-__extent_writepage.patch
@@ -0,0 +1,79 @@ +From 8fbd050e44cae916944b0ddd3139df91c9667f1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 May 2023 08:04:56 +0200 +Subject: btrfs: don't check PageError in __extent_writepage + +From: Christoph Hellwig + +[ Upstream commit 3e92499e3b004baffb479d61e191b41b604ece9a ] + +__extent_writepage currenly sets PageError whenever any error happens, +and the also checks for PageError to decide if to call error handling. +This leads to very unclear responsibility for cleaning up on errors. +In the VM and generic writeback helpers the basic idea is that once +I/O is fired off all error handling responsibility is delegated to the +end I/O handler. But if that end I/O handler sets the PageError bit, +and the submitter checks it, the bit could in some cases leak into the +submission context for fast enough I/O. + +Fix this by simply not checking PageError and just using the local +ret variable to check for submission errors. This also fundamentally +solves the long problem documented in a comment in __extent_writepage +by never leaking the error bit into the submission context. + +Reviewed-by: Josef Bacik +Signed-off-by: Christoph Hellwig +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent_io.c | 33 +-------------------------------- + 1 file changed, 1 insertion(+), 32 deletions(-) + +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index e3ae55d8bae14..a37a6587efaf0 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -1592,38 +1592,7 @@ static int __extent_writepage(struct page *page, struct btrfs_bio_ctrl *bio_ctrl + set_page_writeback(page); + end_page_writeback(page); + } +- /* +- * Here we used to have a check for PageError() and then set @ret and +- * call end_extent_writepage(). +- * +- * But in fact setting @ret here will cause different error paths +- * between subpage and regular sectorsize. 
+- * +- * For regular page size, we never submit current page, but only add +- * current page to current bio. +- * The bio submission can only happen in next page. +- * Thus if we hit the PageError() branch, @ret is already set to +- * non-zero value and will not get updated for regular sectorsize. +- * +- * But for subpage case, it's possible we submit part of current page, +- * thus can get PageError() set by submitted bio of the same page, +- * while our @ret is still 0. +- * +- * So here we unify the behavior and don't set @ret. +- * Error can still be properly passed to higher layer as page will +- * be set error, here we just don't handle the IO failure. +- * +- * NOTE: This is just a hotfix for subpage. +- * The root fix will be properly ending ordered extent when we hit +- * an error during writeback. +- * +- * But that needs a bigger refactoring, as we not only need to grab the +- * submitted OE, but also need to know exactly at which bytenr we hit +- * the error. +- * Currently the full page based __extent_writepage_io() is not +- * capable of that. +- */ +- if (PageError(page)) ++ if (ret) + end_extent_writepage(page, ret, page_start, page_end); + unlock_page(page); + ASSERT(ret <= 0); +-- +2.39.2 + diff --git a/tmp-6.4/btrfs-fix-double-iput-on-inode-after-an-error-during-orphan-cleanup.patch b/tmp-6.4/btrfs-fix-double-iput-on-inode-after-an-error-during-orphan-cleanup.patch new file mode 100644 index 00000000000..4286ab29aad --- /dev/null +++ b/tmp-6.4/btrfs-fix-double-iput-on-inode-after-an-error-during-orphan-cleanup.patch 
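Review bot: The `if (ret)` test that now gates end_extent_writepage() in __extent_writepage() is left without any comment, while the commit deletes the roughly thirty-line explanation that used to sit above it. The ownership rule described in the commit message deserves one line in the code: `/* Only submission errors are handled here; I/O errors belong to the end I/O handler. */`. Without it a later change could reintroduce a PageError() check in the submission path. The function starts outside the hunk.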
@@ -0,0 +1,38 @@ +From b777d279ff31979add57e8a3f810bceb7ef0cfb7 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 3 Jul 2023 18:15:30 +0100 +Subject: btrfs: fix double iput() on inode after an error during orphan cleanup + +From: Filipe Manana + +commit b777d279ff31979add57e8a3f810bceb7ef0cfb7 upstream. + +At btrfs_orphan_cleanup(), if we were able to find the inode, we do an +iput() on the inode, then if btrfs_drop_verity_items() succeeds and then +either btrfs_start_transaction() or btrfs_del_orphan_item() fail, we do +another iput() in the respective error paths, resulting in an extra iput() +on the inode. + +Fix this by setting inode to NULL after the first iput(), as iput() +ignores a NULL inode pointer argument. + +Fixes: a13bb2c03848 ("btrfs: add missing iputs on orphan cleanup failure") +CC: stable@vger.kernel.org # 6.4 +Reviewed-by: Boris Burkov +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -3618,6 +3618,7 @@ int btrfs_orphan_cleanup(struct btrfs_ro + if (inode) { + ret = btrfs_drop_verity_items(BTRFS_I(inode)); + iput(inode); ++ inode = NULL; + if (ret) + goto out; + } diff --git a/tmp-6.4/btrfs-fix-iput-on-error-pointer-after-error-during-orphan-cleanup.patch b/tmp-6.4/btrfs-fix-iput-on-error-pointer-after-error-during-orphan-cleanup.patch new file mode 100644 index 00000000000..f8422ed5b29 --- /dev/null +++ b/tmp-6.4/btrfs-fix-iput-on-error-pointer-after-error-during-orphan-cleanup.patch 
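Review bot: The added `inode = NULL;` after iput() in btrfs_orphan_cleanup() reads like a dead store to anyone who does not know that later error paths may call iput(inode) again, so it is at risk of being removed in a cleanup. A short comment would protect it: `/* later error paths may iput(inode) again; iput(NULL) is a no-op */`. Those later paths are outside this hunk, so this rests on the commit description rather than on visible code.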
@@ -0,0 +1,173 @@ +From cbaee87f2ef628c10331b69a2f3def6bc32402d7 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 3 Jul 2023 18:15:31 +0100 +Subject: btrfs: fix iput() on error pointer after error during orphan cleanup + +From: Filipe Manana + +commit cbaee87f2ef628c10331b69a2f3def6bc32402d7 upstream. + +At btrfs_orphan_cleanup(), if we can't find an inode (btrfs_iget() returns +an -ENOENT error pointer), we proceed with 'ret' set to -ENOENT and the +inode pointer set to ERR_PTR(-ENOENT). Later when we proceed to the body +of the following if statement: + + if (ret == -ENOENT || inode->i_nlink) { + (...) + trans = btrfs_start_transaction(root, 1); + if (IS_ERR(trans)) { + ret = PTR_ERR(trans); + iput(inode); + goto out; + } + (...) + ret = btrfs_del_orphan_item(trans, root, + found_key.objectid); + btrfs_end_transaction(trans); + if (ret) { + iput(inode); + goto out; + } + continue; + } + +If we get an error from btrfs_start_transaction() or from the call to +btrfs_del_orphan_item() we end calling iput() against an inode pointer +that has a value of ERR_PTR(-ENOENT), resulting in a crash with the +following trace: + + [876.667] BUG: kernel NULL pointer dereference, address: 0000000000000096 + [876.667] #PF: supervisor read access in kernel mode + [876.667] #PF: error_code(0x0000) - not-present page + [876.667] PGD 0 P4D 0 + [876.668] Oops: 0000 [#1] PREEMPT SMP PTI + [876.668] CPU: 0 PID: 2356187 Comm: mount Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 + [876.668] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 + [876.668] RIP: 0010:iput+0xa/0x20 + [876.668] Code: ff ff ff 66 (...) 
+ [876.669] RSP: 0018:ffffafa9c0c9f9d0 EFLAGS: 00010282 + [876.669] RAX: ffffffffffffffe4 RBX: 000000000009453b RCX: 0000000000000000 + [876.669] RDX: 0000000000000001 RSI: ffffafa9c0c9f930 RDI: fffffffffffffffe + [876.669] RBP: ffff95c612f3b800 R08: 0000000000000001 R09: ffffffffffffffe4 + [876.670] R10: 00018f2a71010000 R11: 000000000ead96e3 R12: ffff95cb7d6909a0 + [876.670] R13: fffffffffffffffe R14: ffff95c60f477000 R15: 00000000ffffffe4 + [876.670] FS: 00007f5fbe30a840(0000) GS:ffff95ccdfa00000(0000) knlGS:0000000000000000 + [876.670] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [876.671] CR2: 0000000000000096 CR3: 000000055e9f6004 CR4: 0000000000370ef0 + [876.671] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [876.671] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [876.672] Call Trace: + [876.744] + [876.744] ? __die_body+0x1b/0x60 + [876.744] ? page_fault_oops+0x15d/0x450 + [876.745] ? __kmem_cache_alloc_node+0x47/0x410 + [876.745] ? do_user_addr_fault+0x65/0x8a0 + [876.745] ? exc_page_fault+0x74/0x170 + [876.746] ? asm_exc_page_fault+0x22/0x30 + [876.746] ? iput+0xa/0x20 + [876.746] btrfs_orphan_cleanup+0x221/0x330 [btrfs] + [876.746] btrfs_lookup_dentry+0x58f/0x5f0 [btrfs] + [876.747] btrfs_lookup+0xe/0x30 [btrfs] + [876.747] __lookup_slow+0x82/0x130 + [876.785] walk_component+0xe5/0x160 + [876.786] path_lookupat.isra.0+0x6e/0x150 + [876.786] filename_lookup+0xcf/0x1a0 + [876.786] ? mod_objcg_state+0xd2/0x360 + [876.786] ? obj_cgroup_charge+0xf5/0x110 + [876.787] ? should_failslab+0xa/0x20 + [876.787] ? kmem_cache_alloc+0x47/0x450 + [876.787] vfs_path_lookup+0x51/0x90 + [876.788] mount_subtree+0x8d/0x130 + [876.788] btrfs_mount+0x149/0x410 [btrfs] + [876.788] ? __kmem_cache_alloc_node+0x47/0x410 + [876.788] ? 
vfs_parse_fs_param+0xc0/0x110 + [876.789] legacy_get_tree+0x24/0x50 + [876.834] vfs_get_tree+0x22/0xd0 + [876.852] path_mount+0x2d8/0x9c0 + [876.852] do_mount+0x79/0x90 + [876.852] __x64_sys_mount+0x8e/0xd0 + [876.853] do_syscall_64+0x38/0x90 + [876.899] entry_SYSCALL_64_after_hwframe+0x72/0xdc + [876.958] RIP: 0033:0x7f5fbe50b76a + [876.959] Code: 48 8b 0d a9 (...) + [876.959] RSP: 002b:00007fff01925798 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 + [876.959] RAX: ffffffffffffffda RBX: 00007f5fbe694264 RCX: 00007f5fbe50b76a + [876.960] RDX: 0000561bde6c8720 RSI: 0000561bde6bdec0 RDI: 0000561bde6c31a0 + [876.960] RBP: 0000561bde6bdc70 R08: 0000000000000000 R09: 0000000000000001 + [876.960] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 + [876.960] R13: 0000561bde6c31a0 R14: 0000561bde6c8720 R15: 0000561bde6bdc70 + [876.960] + +So fix this by setting 'inode' to NULL whenever we get an error from +btrfs_iget(), and to make the code simpler, stop testing for 'ret' being +-ENOENT to check if we have an inode - instead test for 'inode' being NULL +or not. Having a NULL 'inode' prevents any iput() call from crashing, as +iput() ignores NULL inode pointers. Also, stop testing for a NULL return +value from btrfs_iget() with PTR_ERR_OR_ZERO(), because btrfs_iget() never +returns NULL - in case an inode is not found, it returns ERR_PTR(-ENOENT), +and in case of memory allocation failure, it returns ERR_PTR(-ENOMEM). +We also don't need the extra iput() calls on the error branches for the +btrfs_start_transaction() and btrfs_del_orphan_item() calls, as we have +already called iput() before, so remove them. 
+ +Fixes: a13bb2c03848 ("btrfs: add missing iputs on orphan cleanup failure") +CC: stable@vger.kernel.org # 6.4 +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -3546,11 +3546,14 @@ int btrfs_orphan_cleanup(struct btrfs_ro + found_key.type = BTRFS_INODE_ITEM_KEY; + found_key.offset = 0; + inode = btrfs_iget(fs_info->sb, last_objectid, root); +- ret = PTR_ERR_OR_ZERO(inode); +- if (ret && ret != -ENOENT) +- goto out; ++ if (IS_ERR(inode)) { ++ ret = PTR_ERR(inode); ++ inode = NULL; ++ if (ret != -ENOENT) ++ goto out; ++ } + +- if (ret == -ENOENT && root == fs_info->tree_root) { ++ if (!inode && root == fs_info->tree_root) { + struct btrfs_root *dead_root; + int is_dead_root = 0; + +@@ -3611,8 +3614,8 @@ int btrfs_orphan_cleanup(struct btrfs_ro + * deleted but wasn't. The inode number may have been reused, + * but either way, we can delete the orphan item. + */ +- if (ret == -ENOENT || inode->i_nlink) { +- if (!ret) { ++ if (!inode || inode->i_nlink) { ++ if (inode) { + ret = btrfs_drop_verity_items(BTRFS_I(inode)); + iput(inode); + if (ret) +@@ -3621,7 +3624,6 @@ int btrfs_orphan_cleanup(struct btrfs_ro + trans = btrfs_start_transaction(root, 1); + if (IS_ERR(trans)) { + ret = PTR_ERR(trans); +- iput(inode); + goto out; + } + btrfs_debug(fs_info, "auto deleting %Lu", +@@ -3629,10 +3631,8 @@ int btrfs_orphan_cleanup(struct btrfs_ro + ret = btrfs_del_orphan_item(trans, root, + found_key.objectid); + btrfs_end_transaction(trans); +- if (ret) { +- iput(inode); ++ if (ret) + goto out; +- } + continue; + } + diff --git a/tmp-6.4/btrfs-fix-race-between-balance-and-cancel-pause.patch b/tmp-6.4/btrfs-fix-race-between-balance-and-cancel-pause.patch new file mode 100644 index 00000000000..4723e94616d --- /dev/null 
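Review bot: After this change a NULL `inode` means "not found" and leads to deletion of the orphan item under `if (!inode || inode->i_nlink)`, which is only safe because btrfs_iget() never returns NULL, as the commit message states. That dependency is not written down at the call site; I would add above the `IS_ERR(inode)` block `/* btrfs_iget() returns an inode or an ERR_PTR, never NULL; NULL below means -ENOENT */`. `ret` also keeps the value -ENOENT after the block, and whether every path reassigns it before reaching `out` cannot be seen from these hunks. btrfs_orphan_cleanup() extends beyond all four hunks.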
+++ b/tmp-6.4/btrfs-fix-race-between-balance-and-cancel-pause.patch 
@@ -0,0 +1,96 @@ +From b19c98f237cd76981aaded52c258ce93f7daa8cb Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Fri, 23 Jun 2023 01:05:41 -0400 +Subject: btrfs: fix race between balance and cancel/pause + +From: Josef Bacik + +commit b19c98f237cd76981aaded52c258ce93f7daa8cb upstream. + +Syzbot reported a panic that looks like this: + + assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465 + ------------[ cut here ]------------ + kernel BUG at fs/btrfs/messages.c:259! + RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259 + Call Trace: + + btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline] + btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline] + btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The reproducer is running a balance and a cancel or pause in parallel. +The way balance finishes is a bit wonky, if we were paused we need to +save the balance_ctl in the fs_info, but clear it otherwise and cleanup. +However we rely on the return values being specific errors, or having a +cancel request or no pause request. If balance completes and returns 0, +but we have a pause or cancel request we won't do the appropriate +cleanup, and then the next time we try to start a balance we'll trip +this ASSERT. + +The error handling is just wrong here, we always want to clean up, +unless we got -ECANCELLED and we set the appropriate pause flag in the +exclusive op. With this patch the reproducer ran for an hour without +tripping, previously it would trip in less than a few minutes. 
+ +Reported-by: syzbot+c0f3acf145cb465426d5@syzkaller.appspotmail.com +CC: stable@vger.kernel.org # 6.1+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -4071,14 +4071,6 @@ static int alloc_profile_is_valid(u64 fl + return has_single_bit_set(flags); + } + +-static inline int balance_need_close(struct btrfs_fs_info *fs_info) +-{ +- /* cancel requested || normal exit path */ +- return atomic_read(&fs_info->balance_cancel_req) || +- (atomic_read(&fs_info->balance_pause_req) == 0 && +- atomic_read(&fs_info->balance_cancel_req) == 0); +-} +- + /* + * Validate target profile against allowed profiles and return true if it's OK. + * Otherwise print the error message and return false. +@@ -4268,6 +4260,7 @@ int btrfs_balance(struct btrfs_fs_info * + u64 num_devices; + unsigned seq; + bool reducing_redundancy; ++ bool paused = false; + int i; + + if (btrfs_fs_closing(fs_info) || +@@ -4398,6 +4391,7 @@ int btrfs_balance(struct btrfs_fs_info * + if (ret == -ECANCELED && atomic_read(&fs_info->balance_pause_req)) { + btrfs_info(fs_info, "balance: paused"); + btrfs_exclop_balance(fs_info, BTRFS_EXCLOP_BALANCE_PAUSED); ++ paused = true; + } + /* + * Balance can be canceled by: +@@ -4426,8 +4420,8 @@ int btrfs_balance(struct btrfs_fs_info * + btrfs_update_ioctl_balance_args(fs_info, bargs); + } + +- if ((ret && ret != -ECANCELED && ret != -ENOSPC) || +- balance_need_close(fs_info)) { ++ /* We didn't pause, we can clean everything up. */ ++ if (!paused) { + reset_balance_state(fs_info); + btrfs_exclop_finish(fs_info); + } 
diff --git a/tmp-6.4/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch b/tmp-6.4/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch new file mode 100644 index 00000000000..bd3953815bd --- /dev/null +++ b/tmp-6.4/btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch 
@@ -0,0 +1,89 @@ +From aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Fri, 14 Jul 2023 13:42:06 +0100 +Subject: btrfs: fix warning when putting transaction with qgroups enabled after abort + +From: Filipe Manana + +commit aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 upstream. + +If we have a transaction abort with qgroups enabled we get a warning +triggered when doing the final put on the transaction, like this: + + [552.6789] ------------[ cut here ]------------ + [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6817] Modules linked in: btrfs blake2b_generic xor (...) + [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 + [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 + [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6821] Code: bd a0 01 00 (...) + [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286 + [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000 + [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010 + [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20 + [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70 + [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028 + [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000 + [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0 + [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + [552.6822] Call Trace: + [552.6822] + [552.6822] ? __warn+0x80/0x130 + [552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6824] ? 
report_bug+0x1f4/0x200 + [552.6824] ? handle_bug+0x42/0x70 + [552.6824] ? exc_invalid_op+0x14/0x70 + [552.6824] ? asm_exc_invalid_op+0x16/0x20 + [552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs] + [552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs] + [552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40 + [552.6828] ? try_to_wake_up+0x94/0x5e0 + [552.6828] ? __pfx_process_timeout+0x10/0x10 + [552.6828] transaction_kthread+0x103/0x1d0 [btrfs] + [552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs] + [552.6832] kthread+0xee/0x120 + [552.6832] ? __pfx_kthread+0x10/0x10 + [552.6832] ret_from_fork+0x29/0x50 + [552.6832] + [552.6832] ---[ end trace 0000000000000000 ]--- + +This corresponds to this line of code: + + void btrfs_put_transaction(struct btrfs_transaction *transaction) + { + (...) + WARN_ON(!RB_EMPTY_ROOT( + &transaction->delayed_refs.dirty_extent_root)); + (...) + } + +The warning happens because btrfs_qgroup_destroy_extent_records(), called +in the transaction abort path, we free all entries from the rbtree +"dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we +don't actually empty the rbtree - it's still pointing to nodes that were +freed. + +So set the rbtree's root node to NULL to avoid this warning (assign +RB_ROOT). + +Fixes: 81f7eb00ff5b ("btrfs: destroy qgroup extent records on transaction abort") +CC: stable@vger.kernel.org # 5.10+ +Reviewed-by: Josef Bacik +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -4433,4 +4433,5 @@ void btrfs_qgroup_destroy_extent_records + ulist_free(entry->old_roots); + kfree(entry); + } ++ *root = RB_ROOT; + } diff --git a/tmp-6.4/btrfs-raid56-always-verify-the-p-q-contents-for-scrub.patch b/tmp-6.4/btrfs-raid56-always-verify-the-p-q-contents-for-scrub.patch new file mode 100644 index 00000000000..37434664335 
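Review bot: The added `*root = RB_ROOT;` at the end of btrfs_qgroup_destroy_extent_records() is what stops the tree from pointing at the entries released by kfree() in the loop above, but the line carries no explanation. I would add `/* every node was freed above, so reset the root instead of leaving dangling pointers */` before it. The start of the function is outside the hunk, so whether callers hold a lock that covers this store is not visible and would be worth confirming.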
--- /dev/null +++ b/tmp-6.4/btrfs-raid56-always-verify-the-p-q-contents-for-scrub.patch 
@@ -0,0 +1,117 @@ +From 486c737f7fdc0c3f6464cf27ede811daec2769a1 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Fri, 30 Jun 2023 08:56:40 +0800 +Subject: btrfs: raid56: always verify the P/Q contents for scrub + +From: Qu Wenruo + +commit 486c737f7fdc0c3f6464cf27ede811daec2769a1 upstream. + +[REGRESSION] +Commit 75b470332965 ("btrfs: raid56: migrate recovery and scrub recovery +path to use error_bitmap") changed the behavior of scrub_rbio(). + +Initially if we have no error reading the raid bio, we will assign +@need_check to true, then finish_parity_scrub() would later verify the +content of P/Q stripes before writeback. + +But after that commit we never verify the content of P/Q stripes and +just writeback them. + +This can lead to unrepaired P/Q stripes during scrub, or already +corrupted P/Q copied to the dev-replace target. + +[FIX] +The situation is more complex than the regression, in fact the initial +behavior is not 100% correct either. + +If we have the following rare case, it can still lead to the same +problem using the old behavior: + + 0 16K 32K 48K 64K + Data 1: |IIIIIII| | + Data 2: | | + Parity: | |CCCCCCC| | + +Where "I" means IO error, "C" means corruption. + +In the above case, we're scrubbing the parity stripe, then read out all +the contents of Data 1, Data 2, Parity stripes. + +But found IO error in Data 1, which leads to rebuild using Data 2 and +Parity and got the correct data. + +In that case, we would not verify if the Parity is correct for range +[16K, 32K). + +So here we have to always verify the content of Parity no matter if we +did recovery or not. + +This patch would remove the @need_check parameter of +finish_parity_scrub() completely, and would always do the P/Q +verification before writeback. 
+ +Fixes: 75b470332965 ("btrfs: raid56: migrate recovery and scrub recovery path to use error_bitmap") +CC: stable@vger.kernel.org # 6.2+ +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/raid56.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +--- a/fs/btrfs/raid56.c ++++ b/fs/btrfs/raid56.c +@@ -71,7 +71,7 @@ static void rmw_rbio_work_locked(struct + static void index_rbio_pages(struct btrfs_raid_bio *rbio); + static int alloc_rbio_pages(struct btrfs_raid_bio *rbio); + +-static int finish_parity_scrub(struct btrfs_raid_bio *rbio, int need_check); ++static int finish_parity_scrub(struct btrfs_raid_bio *rbio); + static void scrub_rbio_work_locked(struct work_struct *work); + + static void free_raid_bio_pointers(struct btrfs_raid_bio *rbio) +@@ -2404,7 +2404,7 @@ static int alloc_rbio_essential_pages(st + return 0; + } + +-static int finish_parity_scrub(struct btrfs_raid_bio *rbio, int need_check) ++static int finish_parity_scrub(struct btrfs_raid_bio *rbio) + { + struct btrfs_io_context *bioc = rbio->bioc; + const u32 sectorsize = bioc->fs_info->sectorsize; +@@ -2445,9 +2445,6 @@ static int finish_parity_scrub(struct bt + */ + clear_bit(RBIO_CACHE_READY_BIT, &rbio->flags); + +- if (!need_check) +- goto writeback; +- + p_sector.page = alloc_page(GFP_NOFS); + if (!p_sector.page) + return -ENOMEM; +@@ -2516,7 +2513,6 @@ static int finish_parity_scrub(struct bt + q_sector.page = NULL; + } + +-writeback: + /* + * time to start writing. Make bios for everything from the + * higher layers (the bio_list in our rbio) and our p/q. Ignore +@@ -2699,7 +2695,6 @@ static int scrub_assemble_read_bios(stru + + static void scrub_rbio(struct btrfs_raid_bio *rbio) + { +- bool need_check = false; + int sector_nr; + int ret; + +@@ -2722,7 +2717,7 @@ static void scrub_rbio(struct btrfs_raid + * We have every sector properly prepared. Can finish the scrub + * and writeback the good content. 
+ */ +- ret = finish_parity_scrub(rbio, need_check); ++ ret = finish_parity_scrub(rbio); + wait_event(rbio->io_wait, atomic_read(&rbio->stripes_pending) == 0); + for (sector_nr = 0; sector_nr < rbio->stripe_nsectors; sector_nr++) { + int found_errors; diff --git a/tmp-6.4/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch b/tmp-6.4/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch new file mode 100644 index 00000000000..db129c6473f --- /dev/null +++ b/tmp-6.4/btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch 
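Review bot: With the `need_check` parameter and the `writeback:` label gone, finish_parity_scrub() now always allocates the P/Q pages and verifies parity, yet the reason is recorded only in the commit message. A comment before `p_sector.page = alloc_page(GFP_NOFS);` would keep the shortcut from coming back, for example `/* Always verify P/Q before writeback, even after a successful recovery; parity may be corrupted on its own. */`. The prototype, the definition and the call in scrub_rbio() are updated consistently across the other hunks. The function bodies continue outside the hunks.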
@@ -0,0 +1,98 @@ +From 17b17fcd6d446b95904a6929c40012ee7f0afc0c Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Wed, 12 Jul 2023 12:44:12 -0400 +Subject: btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand + +From: Josef Bacik + +commit 17b17fcd6d446b95904a6929c40012ee7f0afc0c upstream. + +While trying to get the subpage blocksize tests running, I hit the +following panic on generic/476 + + assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229 + kernel BUG at fs/btrfs/subpage.c:229! + Internal error: Oops - BUG: 00000000f2000800 [#1] SMP + CPU: 1 PID: 1453 Comm: fsstress Not tainted 6.4.0-rc7+ #12 + Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20230301gitf80f052277c8-26.fc38 03/01/2023 + pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) + pc : btrfs_subpage_assert+0xbc/0xf0 + lr : btrfs_subpage_assert+0xbc/0xf0 + Call trace: + btrfs_subpage_assert+0xbc/0xf0 + btrfs_subpage_clear_checked+0x38/0xc0 + btrfs_page_clear_checked+0x48/0x98 + btrfs_truncate_block+0x5d0/0x6a8 + btrfs_cont_expand+0x5c/0x528 + btrfs_write_check.isra.0+0xf8/0x150 + btrfs_buffered_write+0xb4/0x760 + btrfs_do_write_iter+0x2f8/0x4b0 + btrfs_file_write_iter+0x1c/0x30 + do_iter_readv_writev+0xc8/0x158 + do_iter_write+0x9c/0x210 + vfs_iter_write+0x24/0x40 + iter_file_splice_write+0x224/0x390 + direct_splice_actor+0x38/0x68 + splice_direct_to_actor+0x12c/0x260 + do_splice_direct+0x90/0xe8 + generic_copy_file_range+0x50/0x90 + vfs_copy_file_range+0x29c/0x470 + __arm64_sys_copy_file_range+0xcc/0x498 + invoke_syscall.constprop.0+0x80/0xd8 + do_el0_svc+0x6c/0x168 + el0_svc+0x50/0x1b0 + el0t_64_sync_handler+0x114/0x120 + el0t_64_sync+0x194/0x198 + +This happens because during btrfs_cont_expand we'll get a page, set it +as mapped, and if it's not Uptodate we'll read it. However between the +read and re-locking the page we could have called release_folio() on the +page, but left the page in the file mapping. 
release_folio() can clear +the page private, and thus further down we blow up when we go to modify +the subpage bits. + +Fix this by putting the set_page_extent_mapped() after the read. This +is safe because read_folio() will call set_page_extent_mapped() before +it does the read, and then if we clear page private but leave it on the +mapping we're completely safe re-setting set_page_extent_mapped(). With +this patch I can now run generic/476 without panicing. + +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Christoph Hellwig +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -4734,9 +4734,6 @@ again: + ret = -ENOMEM; + goto out; + } +- ret = set_page_extent_mapped(page); +- if (ret < 0) +- goto out_unlock; + + if (!PageUptodate(page)) { + ret = btrfs_read_folio(NULL, page_folio(page)); +@@ -4751,6 +4748,17 @@ again: + goto out_unlock; + } + } ++ ++ /* ++ * We unlock the page after the io is completed and then re-lock it ++ * above. release_folio() could have come in between that and cleared ++ * PagePrivate(), but left the page in the mapping. Set the page mapped ++ * here to make sure it's properly set for the subpage stuff. ++ */ ++ ret = set_page_extent_mapped(page); ++ if (ret < 0) ++ goto out_unlock; ++ + wait_on_page_writeback(page); + + lock_extent(io_tree, block_start, block_end, &cached_state); diff --git a/tmp-6.4/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch b/tmp-6.4/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch new file mode 100644 index 00000000000..a32631ad3e0 --- /dev/null +++ b/tmp-6.4/btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch 
@@ -0,0 +1,38 @@ +From f1a07c2b4e2c473ec322b8b9ece071b8c88a3512 Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Mon, 3 Jul 2023 12:03:21 +0100 +Subject: btrfs: zoned: fix memory leak after finding block group with super blocks + +From: Filipe Manana + +commit f1a07c2b4e2c473ec322b8b9ece071b8c88a3512 upstream. + +At exclude_super_stripes(), if we happen to find a block group that has +super blocks mapped to it and we are on a zoned filesystem, we error out +as this is not supposed to happen, indicating either a bug or maybe some +memory corruption for example. However we are exiting the function without +freeing the memory allocated for the logical address of the super blocks. +Fix this by freeing the logical address. + +Fixes: 12659251ca5d ("btrfs: implement log-structured superblock for ZONED mode") +CC: stable@vger.kernel.org # 5.10+ +Reviewed-by: Johannes Thumshirn +Reviewed-by: Anand Jain +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/block-group.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -2084,6 +2084,7 @@ static int exclude_super_stripes(struct + + /* Shouldn't have super stripes in sequential zones */ + if (zoned && nr) { ++ kfree(logical); + btrfs_err(fs_info, + "zoned: block group %llu must not contain super block", + cache->start); diff --git a/tmp-6.4/can-bcm-fix-uaf-in-bcm_proc_show.patch b/tmp-6.4/can-bcm-fix-uaf-in-bcm_proc_show.patch new file mode 100644 index 00000000000..5aad27d3ae2 --- /dev/null +++ b/tmp-6.4/can-bcm-fix-uaf-in-bcm_proc_show.patch 
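Review bot: The added `kfree(logical);` in exclude_super_stripes() fixes this one exit, but the free is written by hand inside the branch rather than going through a shared cleanup path, which is the pattern that allowed the leak. The rest of the loop is outside the hunk, so I cannot tell whether other early exits release `logical`; they are worth checking. A comment such as `/* logical is allocated above and must be freed on every exit */` would help the next change to this branch.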
@@ -0,0 +1,92 @@ +From 55c3b96074f3f9b0aee19bf93cd71af7516582bb Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Sat, 15 Jul 2023 17:25:43 +0800 +Subject: can: bcm: Fix UAF in bcm_proc_show() + +From: YueHaibing + +commit 55c3b96074f3f9b0aee19bf93cd71af7516582bb upstream. + +BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 +Read of size 8 at addr ffff888155846230 by task cat/7862 + +CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Call Trace: + + dump_stack_lvl+0xd5/0x150 + print_report+0xc1/0x5e0 + kasan_report+0xba/0xf0 + bcm_proc_show+0x969/0xa80 + seq_read_iter+0x4f6/0x1260 + seq_read+0x165/0x210 + proc_reg_read+0x227/0x300 + vfs_read+0x1d5/0x8d0 + ksys_read+0x11e/0x240 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Allocated by task 7846: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + __kasan_kmalloc+0x9e/0xa0 + bcm_sendmsg+0x264b/0x44e0 + sock_sendmsg+0xda/0x180 + ____sys_sendmsg+0x735/0x920 + ___sys_sendmsg+0x11d/0x1b0 + __sys_sendmsg+0xfa/0x1d0 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Freed by task 7846: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + kasan_save_free_info+0x27/0x40 + ____kasan_slab_free+0x161/0x1c0 + slab_free_freelist_hook+0x119/0x220 + __kmem_cache_free+0xb4/0x2e0 + rcu_core+0x809/0x1bd0 + +bcm_op is freed before procfs entry be removed in bcm_release(), +this lead to bcm_proc_show() may read the freed bcm_op. 
+ +Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") +Signed-off-by: YueHaibing +Reviewed-by: Oliver Hartkopp +Acked-by: Oliver Hartkopp +Link: https://lore.kernel.org/all/20230715092543.15548-1-yuehaibing@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/bcm.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -1526,6 +1526,12 @@ static int bcm_release(struct socket *so + + lock_sock(sk); + ++#if IS_ENABLED(CONFIG_PROC_FS) ++ /* remove procfs entry */ ++ if (net->can.bcmproc_dir && bo->bcm_proc_read) ++ remove_proc_entry(bo->procname, net->can.bcmproc_dir); ++#endif /* CONFIG_PROC_FS */ ++ + list_for_each_entry_safe(op, next, &bo->tx_ops, list) + bcm_remove_op(op); + +@@ -1561,12 +1567,6 @@ static int bcm_release(struct socket *so + list_for_each_entry_safe(op, next, &bo->rx_ops, list) + bcm_remove_op(op); + +-#if IS_ENABLED(CONFIG_PROC_FS) +- /* remove procfs entry */ +- if (net->can.bcmproc_dir && bo->bcm_proc_read) +- remove_proc_entry(bo->procname, net->can.bcmproc_dir); +-#endif /* CONFIG_PROC_FS */ +- + /* remove device reference */ + if (bo->bound) { + bo->bound = 0; diff --git a/tmp-6.4/can-gs_usb-fix-time-stamp-counter-initialization.patch b/tmp-6.4/can-gs_usb-fix-time-stamp-counter-initialization.patch new file mode 100644 index 00000000000..1a0198cea43 --- /dev/null +++ b/tmp-6.4/can-gs_usb-fix-time-stamp-counter-initialization.patch 
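Review bot: In bcm_release() the procfs removal now has to come before the two `bcm_remove_op()` loops, because bcm_proc_show() can otherwise read a freed bcm_op as the KASAN report shows, but the moved comment still says only `/* remove procfs entry */`. I would make the ordering explicit: `/* remove procfs entry first: bcm_proc_show() reads the ops freed below */`. remove_proc_entry() is now also called after `lock_sock(sk)`; whether the show handler ever needs that lock is not visible here and should be confirmed. The function starts and ends outside the hunks.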
@@ -0,0 +1,292 @@ +From 5886e4d5ecec3e22844efed90b2dd383ef804b3a Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Fri, 7 Jul 2023 18:44:23 +0200 +Subject: can: gs_usb: fix time stamp counter initialization + +From: Marc Kleine-Budde + +commit 5886e4d5ecec3e22844efed90b2dd383ef804b3a upstream. + +If the gs_usb device driver is unloaded (or unbound) before the +interface is shut down, the USB stack first calls the struct +usb_driver::disconnect and then the struct net_device_ops::ndo_stop +callback. + +In gs_usb_disconnect() all pending bulk URBs are killed, i.e. no more +RX'ed CAN frames are send from the USB device to the host. Later in +gs_can_close() a reset control message is send to each CAN channel to +remove the controller from the CAN bus. In this race window the USB +device can still receive CAN frames from the bus and internally queue +them to be send to the host. + +At least in the current version of the candlelight firmware, the queue +of received CAN frames is not emptied during the reset command. After +loading (or binding) the gs_usb driver, new URBs are submitted during +the struct net_device_ops::ndo_open callback and the candlelight +firmware starts sending its already queued CAN frames to the host. + +However, this scenario was not considered when implementing the +hardware timestamp function. The cycle counter/time counter +infrastructure is set up (gs_usb_timestamp_init()) after the USBs are +submitted, resulting in a NULL pointer dereference if +timecounter_cyc2time() (via the call chain: +gs_usb_receive_bulk_callback() -> gs_usb_set_timestamp() -> +gs_usb_skb_set_timestamp()) is called too early. + +Move the gs_usb_timestamp_init() function before the URBs are +submitted to fix this problem. + +For a comprehensive solution, we need to consider gs_usb devices with +more than 1 channel. The cycle counter/time counter infrastructure is +setup per channel, but the RX URBs are per device. 
Once gs_can_open() +of _a_ channel has been called, and URBs have been submitted, the +gs_usb_receive_bulk_callback() can be called for _all_ available +channels, even for channels that are not running, yet. As cycle +counter/time counter has not set up, this will again lead to a NULL +pointer dereference. + +Convert the cycle counter/time counter from a "per channel" to a "per +device" functionality. Also set it up, before submitting any URBs to +the device. + +Further in gs_usb_receive_bulk_callback(), don't process any URBs for +not started CAN channels, only resubmit the URB. + +Fixes: 45dfa45f52e6 ("can: gs_usb: add RX and TX hardware timestamp support") +Closes: https://github.com/candle-usb/candleLight_fw/issues/137#issuecomment-1623532076 +Cc: stable@vger.kernel.org +Cc: John Whittington +Link: https://lore.kernel.org/all/20230716-gs_usb-fix-time-stamp-counter-v1-2-9017cefcd9d5@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/gs_usb.c | 101 ++++++++++++++++++++++--------------------- + 1 file changed, 53 insertions(+), 48 deletions(-) + +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -303,12 +303,6 @@ struct gs_can { + struct can_bittiming_const bt_const, data_bt_const; + unsigned int channel; /* channel number */ + +- /* time counter for hardware timestamps */ +- struct cyclecounter cc; +- struct timecounter tc; +- spinlock_t tc_lock; /* spinlock to guard access tc->cycle_last */ +- struct delayed_work timestamp; +- + u32 feature; + unsigned int hf_size_tx; + +@@ -325,6 +319,13 @@ struct gs_usb { + struct gs_can *canch[GS_MAX_INTF]; + struct usb_anchor rx_submitted; + struct usb_device *udev; ++ ++ /* time counter for hardware timestamps */ ++ struct cyclecounter cc; ++ struct timecounter tc; ++ spinlock_t tc_lock; /* spinlock to guard access tc->cycle_last */ ++ struct delayed_work timestamp; ++ + unsigned int hf_size_rx; + u8 active_channels; + }; +@@ -388,15 
+389,15 @@ static int gs_cmd_reset(struct gs_can *d + GFP_KERNEL); + } + +-static inline int gs_usb_get_timestamp(const struct gs_can *dev, ++static inline int gs_usb_get_timestamp(const struct gs_usb *parent, + u32 *timestamp_p) + { + __le32 timestamp; + int rc; + +- rc = usb_control_msg_recv(dev->udev, 0, GS_USB_BREQ_TIMESTAMP, ++ rc = usb_control_msg_recv(parent->udev, 0, GS_USB_BREQ_TIMESTAMP, + USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_INTERFACE, +- dev->channel, 0, ++ 0, 0, + ×tamp, sizeof(timestamp), + USB_CTRL_GET_TIMEOUT, + GFP_KERNEL); +@@ -410,20 +411,20 @@ static inline int gs_usb_get_timestamp(c + + static u64 gs_usb_timestamp_read(const struct cyclecounter *cc) __must_hold(&dev->tc_lock) + { +- struct gs_can *dev = container_of(cc, struct gs_can, cc); ++ struct gs_usb *parent = container_of(cc, struct gs_usb, cc); + u32 timestamp = 0; + int err; + +- lockdep_assert_held(&dev->tc_lock); ++ lockdep_assert_held(&parent->tc_lock); + + /* drop lock for synchronous USB transfer */ +- spin_unlock_bh(&dev->tc_lock); +- err = gs_usb_get_timestamp(dev, ×tamp); +- spin_lock_bh(&dev->tc_lock); ++ spin_unlock_bh(&parent->tc_lock); ++ err = gs_usb_get_timestamp(parent, ×tamp); ++ spin_lock_bh(&parent->tc_lock); + if (err) +- netdev_err(dev->netdev, +- "Error %d while reading timestamp. HW timestamps may be inaccurate.", +- err); ++ dev_err(&parent->udev->dev, ++ "Error %d while reading timestamp. 
HW timestamps may be inaccurate.", ++ err); + + return timestamp; + } +@@ -431,14 +432,14 @@ static u64 gs_usb_timestamp_read(const s + static void gs_usb_timestamp_work(struct work_struct *work) + { + struct delayed_work *delayed_work = to_delayed_work(work); +- struct gs_can *dev; ++ struct gs_usb *parent; + +- dev = container_of(delayed_work, struct gs_can, timestamp); +- spin_lock_bh(&dev->tc_lock); +- timecounter_read(&dev->tc); +- spin_unlock_bh(&dev->tc_lock); ++ parent = container_of(delayed_work, struct gs_usb, timestamp); ++ spin_lock_bh(&parent->tc_lock); ++ timecounter_read(&parent->tc); ++ spin_unlock_bh(&parent->tc_lock); + +- schedule_delayed_work(&dev->timestamp, ++ schedule_delayed_work(&parent->timestamp, + GS_USB_TIMESTAMP_WORK_DELAY_SEC * HZ); + } + +@@ -446,37 +447,38 @@ static void gs_usb_skb_set_timestamp(str + struct sk_buff *skb, u32 timestamp) + { + struct skb_shared_hwtstamps *hwtstamps = skb_hwtstamps(skb); ++ struct gs_usb *parent = dev->parent; + u64 ns; + +- spin_lock_bh(&dev->tc_lock); +- ns = timecounter_cyc2time(&dev->tc, timestamp); +- spin_unlock_bh(&dev->tc_lock); ++ spin_lock_bh(&parent->tc_lock); ++ ns = timecounter_cyc2time(&parent->tc, timestamp); ++ spin_unlock_bh(&parent->tc_lock); + + hwtstamps->hwtstamp = ns_to_ktime(ns); + } + +-static void gs_usb_timestamp_init(struct gs_can *dev) ++static void gs_usb_timestamp_init(struct gs_usb *parent) + { +- struct cyclecounter *cc = &dev->cc; ++ struct cyclecounter *cc = &parent->cc; + + cc->read = gs_usb_timestamp_read; + cc->mask = CYCLECOUNTER_MASK(32); + cc->shift = 32 - bits_per(NSEC_PER_SEC / GS_USB_TIMESTAMP_TIMER_HZ); + cc->mult = clocksource_hz2mult(GS_USB_TIMESTAMP_TIMER_HZ, cc->shift); + +- spin_lock_init(&dev->tc_lock); +- spin_lock_bh(&dev->tc_lock); +- timecounter_init(&dev->tc, &dev->cc, ktime_get_real_ns()); +- spin_unlock_bh(&dev->tc_lock); ++ spin_lock_init(&parent->tc_lock); ++ spin_lock_bh(&parent->tc_lock); ++ timecounter_init(&parent->tc, &parent->cc, 
ktime_get_real_ns()); ++ spin_unlock_bh(&parent->tc_lock); + +- INIT_DELAYED_WORK(&dev->timestamp, gs_usb_timestamp_work); +- schedule_delayed_work(&dev->timestamp, ++ INIT_DELAYED_WORK(&parent->timestamp, gs_usb_timestamp_work); ++ schedule_delayed_work(&parent->timestamp, + GS_USB_TIMESTAMP_WORK_DELAY_SEC * HZ); + } + +-static void gs_usb_timestamp_stop(struct gs_can *dev) ++static void gs_usb_timestamp_stop(struct gs_usb *parent) + { +- cancel_delayed_work_sync(&dev->timestamp); ++ cancel_delayed_work_sync(&parent->timestamp); + } + + static void gs_update_state(struct gs_can *dev, struct can_frame *cf) +@@ -560,6 +562,9 @@ static void gs_usb_receive_bulk_callback + if (!netif_device_present(netdev)) + return; + ++ if (!netif_running(netdev)) ++ goto resubmit_urb; ++ + if (hf->echo_id == -1) { /* normal rx */ + if (hf->flags & GS_CAN_FLAG_FD) { + skb = alloc_canfd_skb(dev->netdev, &cfd); +@@ -856,6 +861,9 @@ static int gs_can_open(struct net_device + } + + if (!parent->active_channels) { ++ if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) ++ gs_usb_timestamp_init(parent); ++ + for (i = 0; i < GS_MAX_RX_URBS; i++) { + u8 *buf; + +@@ -926,13 +934,9 @@ static int gs_can_open(struct net_device + flags |= GS_CAN_MODE_FD; + + /* if hardware supports timestamps, enable it */ +- if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) { ++ if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) + flags |= GS_CAN_MODE_HW_TIMESTAMP; + +- /* start polling timestamp */ +- gs_usb_timestamp_init(dev); +- } +- + /* finally start device */ + dev->can.state = CAN_STATE_ERROR_ACTIVE; + dm.flags = cpu_to_le32(flags); +@@ -942,8 +946,6 @@ static int gs_can_open(struct net_device + GFP_KERNEL); + if (rc) { + netdev_err(netdev, "Couldn't start device (err=%d)\n", rc); +- if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) +- gs_usb_timestamp_stop(dev); + dev->can.state = CAN_STATE_STOPPED; + + goto out_usb_kill_anchored_urbs; +@@ -960,9 +962,13 @@ out_usb_unanchor_urb: + out_usb_free_urb: + 
usb_free_urb(urb); + out_usb_kill_anchored_urbs: +- if (!parent->active_channels) ++ if (!parent->active_channels) { + usb_kill_anchored_urbs(&dev->tx_submitted); + ++ if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) ++ gs_usb_timestamp_stop(parent); ++ } ++ + close_candev(netdev); + + return rc; +@@ -1011,14 +1017,13 @@ static int gs_can_close(struct net_devic + + netif_stop_queue(netdev); + +- /* stop polling timestamp */ +- if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) +- gs_usb_timestamp_stop(dev); +- + /* Stop polling */ + parent->active_channels--; + if (!parent->active_channels) { + usb_kill_anchored_urbs(&parent->rx_submitted); ++ ++ if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) ++ gs_usb_timestamp_stop(parent); + } + + /* Stop sending URBs */ diff --git a/tmp-6.4/can-gs_usb-gs_can_open-improve-error-handling.patch b/tmp-6.4/can-gs_usb-gs_can_open-improve-error-handling.patch new file mode 100644 index 00000000000..0deda172526 --- /dev/null +++ b/tmp-6.4/can-gs_usb-gs_can_open-improve-error-handling.patch 
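Review bot: The `out_usb_kill_anchored_urbs` path in gs_can_open() kills `dev->tx_submitted`, but the URBs this function submits are RX URBs, and the only RX anchor visible in the patch is `parent->rx_submitted`, the one gs_can_close() kills. If the RX URBs are anchored there, as the close path suggests, a failed first open leaves them in flight after `gs_usb_timestamp_stop(parent)` and `close_candev()`; the cleanup should be `usb_kill_anchored_urbs(&parent->rx_submitted);`. The same line is introduced by can-gs_usb-gs_can_open-improve-error-handling.patch, added later in this commit. The anchoring call itself is outside the hunk, so this should be confirmed against the full function.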
@@ -0,0 +1,117 @@ +From 2603be9e8167ddc7bea95dcfab9ffc33414215aa Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Fri, 7 Jul 2023 13:43:10 +0200 +Subject: can: gs_usb: gs_can_open(): improve error handling + +From: Marc Kleine-Budde + +commit 2603be9e8167ddc7bea95dcfab9ffc33414215aa upstream. + +The gs_usb driver handles USB devices with more than 1 CAN channel. +The RX path for all channels share the same bulk endpoint (the +transmitted bulk data encodes the channel number). These per-device +resources are allocated and submitted by the first opened channel. + +During this allocation, the resources are either released immediately +in case of a failure or the URBs are anchored. All anchored URBs are +finally killed with gs_usb_disconnect(). + +Currently, gs_can_open() returns with an error if the allocation of a +URB or a buffer fails. However, if usb_submit_urb() fails, the driver +continues with the URBs submitted so far, even if no URBs were +successfully submitted. + +Treat every error as fatal and free all allocated resources +immediately. + +Switch to goto-style error handling, to prepare the driver for more +per-device resource allocation. 
+ +Cc: stable@vger.kernel.org +Cc: John Whittington +Link: https://lore.kernel.org/all/20230716-gs_usb-fix-time-stamp-counter-v1-1-9017cefcd9d5@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/gs_usb.c | 31 ++++++++++++++++++++++--------- + 1 file changed, 22 insertions(+), 9 deletions(-) + +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -833,6 +833,7 @@ static int gs_can_open(struct net_device + .mode = cpu_to_le32(GS_CAN_MODE_START), + }; + struct gs_host_frame *hf; ++ struct urb *urb = NULL; + u32 ctrlmode; + u32 flags = 0; + int rc, i; +@@ -856,13 +857,14 @@ static int gs_can_open(struct net_device + + if (!parent->active_channels) { + for (i = 0; i < GS_MAX_RX_URBS; i++) { +- struct urb *urb; + u8 *buf; + + /* alloc rx urb */ + urb = usb_alloc_urb(0, GFP_KERNEL); +- if (!urb) +- return -ENOMEM; ++ if (!urb) { ++ rc = -ENOMEM; ++ goto out_usb_kill_anchored_urbs; ++ } + + /* alloc rx buffer */ + buf = kmalloc(dev->parent->hf_size_rx, +@@ -870,8 +872,8 @@ static int gs_can_open(struct net_device + if (!buf) { + netdev_err(netdev, + "No memory left for USB buffer\n"); +- usb_free_urb(urb); +- return -ENOMEM; ++ rc = -ENOMEM; ++ goto out_usb_free_urb; + } + + /* fill, anchor, and submit rx urb */ +@@ -894,9 +896,7 @@ static int gs_can_open(struct net_device + netdev_err(netdev, + "usb_submit failed (err=%d)\n", rc); + +- usb_unanchor_urb(urb); +- usb_free_urb(urb); +- break; ++ goto out_usb_unanchor_urb; + } + + /* Drop reference, +@@ -945,7 +945,8 @@ static int gs_can_open(struct net_device + if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP) + gs_usb_timestamp_stop(dev); + dev->can.state = CAN_STATE_STOPPED; +- return rc; ++ ++ goto out_usb_kill_anchored_urbs; + } + + parent->active_channels++; +@@ -953,6 +954,18 @@ static int gs_can_open(struct net_device + netif_start_queue(netdev); + + return 0; ++ ++out_usb_unanchor_urb: ++ usb_unanchor_urb(urb); ++out_usb_free_urb: ++ 
usb_free_urb(urb); ++out_usb_kill_anchored_urbs: ++ if (!parent->active_channels) ++ usb_kill_anchored_urbs(&dev->tx_submitted); ++ ++ close_candev(netdev); ++ ++ return rc; + } + + static int gs_usb_get_state(const struct net_device *netdev, diff --git a/tmp-6.4/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch b/tmp-6.4/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch new file mode 100644 index 00000000000..e554d4718c6 --- /dev/null +++ b/tmp-6.4/can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch 
@@ -0,0 +1,87 @@ +From 9efa1a5407e81265ea502cab83be4de503decc49 Mon Sep 17 00:00:00 2001 +From: Fedor Ross +Date: Thu, 4 May 2023 21:50:59 +0200 +Subject: can: mcp251xfd: __mcp251xfd_chip_set_mode(): increase poll timeout + +From: Fedor Ross + +commit 9efa1a5407e81265ea502cab83be4de503decc49 upstream. + +The mcp251xfd controller needs an idle bus to enter 'Normal CAN 2.0 +mode' or . The maximum length of a CAN frame is 736 bits (64 data +bytes, CAN-FD, EFF mode, worst case bit stuffing and interframe +spacing). For low bit rates like 10 kbit/s the arbitrarily chosen +MCP251XFD_POLL_TIMEOUT_US of 1 ms is too small. + +Otherwise during polling for the CAN controller to enter 'Normal CAN +2.0 mode' the timeout limit is exceeded and the configuration fails +with: + +| $ ip link set dev can1 up type can bitrate 10000 +| [ 731.911072] mcp251xfd spi2.1 can1: Controller failed to enter mode CAN 2.0 Mode (6) and stays in Configuration Mode (4) (con=0x068b0760, osc=0x00000468). +| [ 731.927192] mcp251xfd spi2.1 can1: CRC read error at address 0x0e0c (length=4, data=00 00 00 00, CRC=0x0000) retrying. +| [ 731.938101] A link change request failed with some changes committed already. Interface can1 may have been left with an inconsistent configuration, please check. +| RTNETLINK answers: Connection timed out + +Make MCP251XFD_POLL_TIMEOUT_US timeout calculation dynamic. Use +maximum of 1ms and bit time of 1 full 64 data bytes CAN-FD frame in +EFF mode, worst case bit stuffing and interframe spacing at the +current bit rate. + +For easier backporting define the macro MCP251XFD_FRAME_LEN_MAX_BITS +that holds the max frame length in bits, which is 736. This can be +replaced by can_frame_bits(true, true, true, true, CANFD_MAX_DLEN) in +a cleanup patch later. 
+ +Fixes: 55e5b97f003e8 ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") +Signed-off-by: Fedor Ross +Signed-off-by: Marek Vasut +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/20230717-mcp251xfd-fix-increase-poll-timeout-v5-1-06600f34c684@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 10 ++++++++-- + drivers/net/can/spi/mcp251xfd/mcp251xfd.h | 1 + + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c +@@ -227,6 +227,8 @@ static int + __mcp251xfd_chip_set_mode(const struct mcp251xfd_priv *priv, + const u8 mode_req, bool nowait) + { ++ const struct can_bittiming *bt = &priv->can.bittiming; ++ unsigned long timeout_us = MCP251XFD_POLL_TIMEOUT_US; + u32 con = 0, con_reqop, osc = 0; + u8 mode; + int err; +@@ -246,12 +248,16 @@ __mcp251xfd_chip_set_mode(const struct m + if (mode_req == MCP251XFD_REG_CON_MODE_SLEEP || nowait) + return 0; + ++ if (bt->bitrate) ++ timeout_us = max_t(unsigned long, timeout_us, ++ MCP251XFD_FRAME_LEN_MAX_BITS * USEC_PER_SEC / ++ bt->bitrate); ++ + err = regmap_read_poll_timeout(priv->map_reg, MCP251XFD_REG_CON, con, + !mcp251xfd_reg_invalid(con) && + FIELD_GET(MCP251XFD_REG_CON_OPMOD_MASK, + con) == mode_req, +- MCP251XFD_POLL_SLEEP_US, +- MCP251XFD_POLL_TIMEOUT_US); ++ MCP251XFD_POLL_SLEEP_US, timeout_us); + if (err != -ETIMEDOUT && err != -EBADMSG) + return err; + +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd.h ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd.h +@@ -387,6 +387,7 @@ static_assert(MCP251XFD_TIMESTAMP_WORK_D + #define MCP251XFD_OSC_STAB_TIMEOUT_US (10 * MCP251XFD_OSC_STAB_SLEEP_US) + #define MCP251XFD_POLL_SLEEP_US (10) + #define MCP251XFD_POLL_TIMEOUT_US (USEC_PER_MSEC) ++#define MCP251XFD_FRAME_LEN_MAX_BITS (736) + + /* Misc */ + #define MCP251XFD_NAPI_WEIGHT 32 
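Review bot: `MCP251XFD_FRAME_LEN_MAX_BITS (736)` is added to mcp251xfd.h as a bare number, with its derivation given only in the commit message. A comment on the define, e.g. `/* 64 data bytes, CAN-FD, EFF, worst-case bit stuffing + interframe spacing */`, would let a reader check the value and the planned `can_frame_bits()` replacement. In __mcp251xfd_chip_set_mode() the product `MCP251XFD_FRAME_LEN_MAX_BITS * USEC_PER_SEC` is 736,000,000, which still fits a 32-bit long; a short remark next to the `max_t()` that the multiplication must stay below 2^31 would guard against a larger constant being substituted later.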
diff --git a/tmp-6.4/can-raw-fix-receiver-memory-leak.patch b/tmp-6.4/can-raw-fix-receiver-memory-leak.patch
new file mode 100644
index 00000000000..7096dff2c77
--- /dev/null
+++ b/tmp-6.4/can-raw-fix-receiver-memory-leak.patch
@@ -0,0 +1,233 @@ +From ee8b94c8510ce64afe0b87ef548d23e00915fb10 Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Tue, 11 Jul 2023 09:17:37 +0800 +Subject: can: raw: fix receiver memory leak + +From: Ziyang Xuan + +commit ee8b94c8510ce64afe0b87ef548d23e00915fb10 upstream. + +Got kmemleak errors with the following ltp can_filter testcase: + +for ((i=1; i<=100; i++)) +do + ./can_filter & + sleep 0.1 +done + +============================================================== +[<00000000db4a4943>] can_rx_register+0x147/0x360 [can] +[<00000000a289549d>] raw_setsockopt+0x5ef/0x853 [can_raw] +[<000000006d3d9ebd>] __sys_setsockopt+0x173/0x2c0 +[<00000000407dbfec>] __x64_sys_setsockopt+0x61/0x70 +[<00000000fd468496>] do_syscall_64+0x33/0x40 +[<00000000b7e47d51>] entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +It's a bug in the concurrent scenario of unregister_netdevice_many() +and raw_release() as following: + + cpu0 cpu1 +unregister_netdevice_many(can_dev) + unlist_netdevice(can_dev) // dev_get_by_index() return NULL after this + net_set_todo(can_dev) + raw_release(can_socket) + dev = dev_get_by_index(, ro->ifindex); // dev == NULL + if (dev) { // receivers in dev_rcv_lists not free because dev is NULL + raw_disable_allfilters(, dev, ); + dev_put(dev); + } + ... + ro->bound = 0; + ... + +call_netdevice_notifiers(NETDEV_UNREGISTER, ) + raw_notify(, NETDEV_UNREGISTER, ) + if (ro->bound) // invalid because ro->bound has been set 0 + raw_disable_allfilters(, dev, ); // receivers in dev_rcv_lists will never be freed + +Add a net_device pointer member in struct raw_sock to record bound +can_dev, and use rtnl_lock to serialize raw_socket members between +raw_bind(), raw_release(), raw_setsockopt() and raw_notify(). Use +ro->dev to decide whether to free receivers in dev_rcv_lists. 
+ +Fixes: 8d0caedb7596 ("can: bcm/raw/isotp: use per module netdevice notifier") +Reviewed-by: Oliver Hartkopp +Acked-by: Oliver Hartkopp +Signed-off-by: Ziyang Xuan +Link: https://lore.kernel.org/all/20230711011737.1969582-1-william.xuanziyang@huawei.com +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/raw.c | 57 ++++++++++++++++++++++++--------------------------------- + 1 file changed, 24 insertions(+), 33 deletions(-) + +--- a/net/can/raw.c ++++ b/net/can/raw.c +@@ -84,6 +84,7 @@ struct raw_sock { + struct sock sk; + int bound; + int ifindex; ++ struct net_device *dev; + struct list_head notifier; + int loopback; + int recv_own_msgs; +@@ -277,7 +278,7 @@ static void raw_notify(struct raw_sock * + if (!net_eq(dev_net(dev), sock_net(sk))) + return; + +- if (ro->ifindex != dev->ifindex) ++ if (ro->dev != dev) + return; + + switch (msg) { +@@ -292,6 +293,7 @@ static void raw_notify(struct raw_sock * + + ro->ifindex = 0; + ro->bound = 0; ++ ro->dev = NULL; + ro->count = 0; + release_sock(sk); + +@@ -337,6 +339,7 @@ static int raw_init(struct sock *sk) + + ro->bound = 0; + ro->ifindex = 0; ++ ro->dev = NULL; + + /* set default filter to single entry dfilter */ + ro->dfilter.can_id = 0; +@@ -385,19 +388,13 @@ static int raw_release(struct socket *so + + lock_sock(sk); + ++ rtnl_lock(); + /* remove current filters & unregister */ + if (ro->bound) { +- if (ro->ifindex) { +- struct net_device *dev; +- +- dev = dev_get_by_index(sock_net(sk), ro->ifindex); +- if (dev) { +- raw_disable_allfilters(dev_net(dev), dev, sk); +- dev_put(dev); +- } +- } else { ++ if (ro->dev) ++ raw_disable_allfilters(dev_net(ro->dev), ro->dev, sk); ++ else + raw_disable_allfilters(sock_net(sk), NULL, sk); +- } + } + + if (ro->count > 1) +@@ -405,8 +402,10 @@ static int raw_release(struct socket *so + + ro->ifindex = 0; + ro->bound = 0; ++ ro->dev = NULL; + ro->count = 0; + free_percpu(ro->uniq); ++ rtnl_unlock(); + + sock_orphan(sk); 
+ sock->sk = NULL; +@@ -422,6 +421,7 @@ static int raw_bind(struct socket *sock, + struct sockaddr_can *addr = (struct sockaddr_can *)uaddr; + struct sock *sk = sock->sk; + struct raw_sock *ro = raw_sk(sk); ++ struct net_device *dev = NULL; + int ifindex; + int err = 0; + int notify_enetdown = 0; +@@ -431,14 +431,13 @@ static int raw_bind(struct socket *sock, + if (addr->can_family != AF_CAN) + return -EINVAL; + ++ rtnl_lock(); + lock_sock(sk); + + if (ro->bound && addr->can_ifindex == ro->ifindex) + goto out; + + if (addr->can_ifindex) { +- struct net_device *dev; +- + dev = dev_get_by_index(sock_net(sk), addr->can_ifindex); + if (!dev) { + err = -ENODEV; +@@ -467,26 +466,20 @@ static int raw_bind(struct socket *sock, + if (!err) { + if (ro->bound) { + /* unregister old filters */ +- if (ro->ifindex) { +- struct net_device *dev; +- +- dev = dev_get_by_index(sock_net(sk), +- ro->ifindex); +- if (dev) { +- raw_disable_allfilters(dev_net(dev), +- dev, sk); +- dev_put(dev); +- } +- } else { ++ if (ro->dev) ++ raw_disable_allfilters(dev_net(ro->dev), ++ ro->dev, sk); ++ else + raw_disable_allfilters(sock_net(sk), NULL, sk); +- } + } + ro->ifindex = ifindex; + ro->bound = 1; ++ ro->dev = dev; + } + + out: + release_sock(sk); ++ rtnl_unlock(); + + if (notify_enetdown) { + sk->sk_err = ENETDOWN; +@@ -553,9 +546,9 @@ static int raw_setsockopt(struct socket + rtnl_lock(); + lock_sock(sk); + +- if (ro->bound && ro->ifindex) { +- dev = dev_get_by_index(sock_net(sk), ro->ifindex); +- if (!dev) { ++ dev = ro->dev; ++ if (ro->bound && dev) { ++ if (dev->reg_state != NETREG_REGISTERED) { + if (count > 1) + kfree(filter); + err = -ENODEV; +@@ -596,7 +589,6 @@ static int raw_setsockopt(struct socket + ro->count = count; + + out_fil: +- dev_put(dev); + release_sock(sk); + rtnl_unlock(); + +@@ -614,9 +606,9 @@ static int raw_setsockopt(struct socket + rtnl_lock(); + lock_sock(sk); + +- if (ro->bound && ro->ifindex) { +- dev = dev_get_by_index(sock_net(sk), ro->ifindex); +- if (!dev) 
{ ++ dev = ro->dev; ++ if (ro->bound && dev) { ++ if (dev->reg_state != NETREG_REGISTERED) { + err = -ENODEV; + goto out_err; + } +@@ -640,7 +632,6 @@ static int raw_setsockopt(struct socket + ro->err_mask = err_mask; + + out_err: +- dev_put(dev); + release_sock(sk); + rtnl_unlock(); + diff --git a/tmp-6.4/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch b/tmp-6.4/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch new file mode 100644 index 00000000000..f6b11cf8fff --- /dev/null +++ b/tmp-6.4/cifs-fix-mid-leak-during-reconnection-after-timeout-.patch 
@@ -0,0 +1,100 @@ +From 5f515044a667882b557d2f1c1ecb6ccdf5886305 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jul 2023 08:56:33 +0000 +Subject: cifs: fix mid leak during reconnection after timeout threshold + +From: Shyam Prasad N + +[ Upstream commit 69cba9d3c1284e0838ae408830a02c4a063104bc ] + +When the number of responses with status of STATUS_IO_TIMEOUT +exceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect +the connection. But we do not return the mid, or the credits +returned for the mid, or reduce the number of in-flight requests. + +This bug could result in the server->in_flight count to go bad, +and also cause a leak in the mids. + +This change moves the check to a few lines below where the +response is decrypted, even of the response is read from the +transform header. This way, the code for returning the mids +can be reused. + +Also, the cifs_reconnect was reconnecting just the transport +connection before. In case of multi-channel, this may not be +what we want to do after several timeouts. Changed that to +reconnect the session and the tree too. + +Also renamed NUM_STATUS_IO_TIMEOUT to a more appropriate name +MAX_STATUS_IO_TIMEOUT. 
+ +Fixes: 8e670f77c4a5 ("Handle STATUS_IO_TIMEOUT gracefully") +Signed-off-by: Shyam Prasad N +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/connect.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c +index d9f0b3b94f007..853209268f507 100644 +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -60,7 +60,7 @@ extern bool disable_legacy_dialects; + #define TLINK_IDLE_EXPIRE (600 * HZ) + + /* Drop the connection to not overload the server */ +-#define NUM_STATUS_IO_TIMEOUT 5 ++#define MAX_STATUS_IO_TIMEOUT 5 + + static int ip_connect(struct TCP_Server_Info *server); + static int generic_ip_connect(struct TCP_Server_Info *server); +@@ -1117,6 +1117,7 @@ cifs_demultiplex_thread(void *p) + struct mid_q_entry *mids[MAX_COMPOUND]; + char *bufs[MAX_COMPOUND]; + unsigned int noreclaim_flag, num_io_timeout = 0; ++ bool pending_reconnect = false; + + noreclaim_flag = memalloc_noreclaim_save(); + cifs_dbg(FYI, "Demultiplex PID: %d\n", task_pid_nr(current)); +@@ -1156,6 +1157,8 @@ cifs_demultiplex_thread(void *p) + cifs_dbg(FYI, "RFC1002 header 0x%x\n", pdu_length); + if (!is_smb_response(server, buf[0])) + continue; ++ ++ pending_reconnect = false; + next_pdu: + server->pdu_size = pdu_length; + +@@ -1213,10 +1216,13 @@ cifs_demultiplex_thread(void *p) + if (server->ops->is_status_io_timeout && + server->ops->is_status_io_timeout(buf)) { + num_io_timeout++; +- if (num_io_timeout > NUM_STATUS_IO_TIMEOUT) { +- cifs_reconnect(server, false); ++ if (num_io_timeout > MAX_STATUS_IO_TIMEOUT) { ++ cifs_server_dbg(VFS, ++ "Number of request timeouts exceeded %d. 
Reconnecting", ++ MAX_STATUS_IO_TIMEOUT); ++ ++ pending_reconnect = true; + num_io_timeout = 0; +- continue; + } + } + +@@ -1263,6 +1269,11 @@ cifs_demultiplex_thread(void *p) + buf = server->smallbuf; + goto next_pdu; + } ++ ++ /* do this reconnect at the very end after processing all MIDs */ ++ if (pending_reconnect) ++ cifs_reconnect(server, true); ++ + } /* end while !EXITING */ + + /* buffer usually freed in free_mid - need to free it here on exit */ +-- +2.39.2 + diff --git a/tmp-6.4/devlink-make-health-report-on-unregistered-instance-.patch b/tmp-6.4/devlink-make-health-report-on-unregistered-instance-.patch new file mode 100644 index 00000000000..984ca233654 --- /dev/null +++ b/tmp-6.4/devlink-make-health-report-on-unregistered-instance-.patch 
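Review bot: In cifs_demultiplex_thread() the threshold branch zeroes `num_io_timeout` and sets `pending_reconnect`, but the reconnect only happens if control reaches the new check at the bottom of the loop, and `pending_reconnect` is cleared again at the top of the next iteration. Any `continue` between those two points (that part of the loop body is outside the hunk) would drop the reconnect with the counter already reset. Resetting the counter where the reconnect is actually issued avoids that: `if (pending_reconnect) { cifs_reconnect(server, true); num_io_timeout = 0; }`. The new `cifs_server_dbg()` message also lacks the trailing `\n` that the neighbouring `cifs_dbg()` strings carry.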
@@ -0,0 +1,43 @@ +From ffed50746946c408ab88d16ea7c730798e9e312c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 18:55:23 -0700 +Subject: devlink: make health report on unregistered instance warn just once + +From: Jakub Kicinski + +[ Upstream commit 6f4b98147b8dfcabacb19b5c6abd087af66d0049 ] + +Devlink health is involved in error recovery. Machines in bad +state tend to be fairly unreliable, and occasionally get stuck +in error loops. Even with a reasonable grace period devlink health +may get a thousand reports in an hour. + +In case of reporting on an unregistered devlink instance +the subsequent reports don't add much value. Switch to +WARN_ON_ONCE() to avoid flooding dmesg and fleet monitoring +dashboards. + +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20230531015523.48961-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/devlink/health.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/devlink/health.c b/net/devlink/health.c +index 0839706d5741a..194340a8bb863 100644 +--- a/net/devlink/health.c ++++ b/net/devlink/health.c +@@ -480,7 +480,7 @@ static void devlink_recover_notify(struct devlink_health_reporter *reporter, + int err; + + WARN_ON(cmd != DEVLINK_CMD_HEALTH_REPORTER_RECOVER); +- WARN_ON(!xa_get_mark(&devlinks, devlink->index, DEVLINK_REGISTERED)); ++ ASSERT_DEVLINK_REGISTERED(devlink); + + msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + if (!msg) +-- +2.39.2 + diff --git a/tmp-6.4/devlink-report-devlink_port_type_warn-source-device.patch b/tmp-6.4/devlink-report-devlink_port_type_warn-source-device.patch new file mode 100644 index 00000000000..f46677d8d6a --- /dev/null +++ b/tmp-6.4/devlink-report-devlink_port_type_warn-source-device.patch 
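Review bot: The commit message says the check becomes `WARN_ON_ONCE()`, but the hunk in devlink_recover_notify() replaces it with `ASSERT_DEVLINK_REGISTERED(devlink)`, whose definition is not part of this patch. Before this is queued for 6.4 it should be confirmed that the macro exists in that tree and expands to a once-only warning on the `DEVLINK_REGISTERED` mark. Otherwise the backport either fails to build or does not stop the log flooding the message describes.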
@@ -0,0 +1,77 @@ +From efc47b3052db7de925bb43d839f0d060039cac0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 11:54:47 +0200 +Subject: devlink: report devlink_port_type_warn source device + +From: Petr Oros + +[ Upstream commit a52305a81d6bb74b90b400dfa56455d37872fe4b ] + +devlink_port_type_warn is scheduled for port devlink and warning +when the port type is not set. But from this warning it is not easy +found out which device (driver) has no devlink port set. + +[ 3709.975552] Type was not set for devlink port. +[ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20 +[ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm +[ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse +[ 3710.108431] CPU: 1 PID: 13092 
Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1 +[ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022 +[ 3710.108437] Workqueue: events devlink_port_type_warn +[ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20 +[ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff <0f> 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87 +[ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282 +[ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027 +[ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8 +[ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18 +[ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600 +[ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905 +[ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000 +[ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0 +[ 3710.108456] PKRU: 55555554 +[ 3710.108457] Call Trace: +[ 3710.108458] +[ 3710.108459] process_one_work+0x1e2/0x3b0 +[ 3710.108466] ? rescuer_thread+0x390/0x390 +[ 3710.108468] worker_thread+0x50/0x3a0 +[ 3710.108471] ? rescuer_thread+0x390/0x390 +[ 3710.108473] kthread+0xdd/0x100 +[ 3710.108477] ? kthread_complete_and_exit+0x20/0x20 +[ 3710.108479] ret_from_fork+0x1f/0x30 +[ 3710.108485] +[ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]--- + +After patch: +[ 402.473064] ice 0000:41:00.0: Type was not set for devlink port. +[ 402.473064] ice 0000:41:00.1: Type was not set for devlink port. 
+ +Signed-off-by: Petr Oros +Reviewed-by: Pavan Chebbi +Reviewed-by: Jakub Kicinski +Link: https://lore.kernel.org/r/20230615095447.8259-1-poros@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/devlink/leftover.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/devlink/leftover.c b/net/devlink/leftover.c +index cd02549680767..790e61b2a9404 100644 +--- a/net/devlink/leftover.c ++++ b/net/devlink/leftover.c +@@ -6772,7 +6772,10 @@ void devlink_notify_unregister(struct devlink *devlink) + + static void devlink_port_type_warn(struct work_struct *work) + { +- WARN(true, "Type was not set for devlink port."); ++ struct devlink_port *port = container_of(to_delayed_work(work), ++ struct devlink_port, ++ type_warn_dw); ++ dev_warn(port->devlink->dev, "Type was not set for devlink port."); + } + + static bool devlink_port_type_should_warn(struct devlink_port *devlink_port) +-- +2.39.2 + diff --git a/tmp-6.4/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch b/tmp-6.4/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch new file mode 100644 index 00000000000..f19af73fc66 --- /dev/null +++ b/tmp-6.4/dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch 
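Review bot: devlink_port_type_warn() now dereferences `port->devlink->dev` from delayed work, where the old body touched no object at all, so the work has to be cancelled synchronously before the port or its devlink instance is freed. The teardown path is outside this hunk; if it uses a non-waiting cancel, a late-firing `type_warn_dw` becomes a use-after-free rather than a harmless warning. The format string should also end in a newline: `dev_warn(port->devlink->dev, "Type was not set for devlink port.\n");`.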
@@ -0,0 +1,71 @@ +From 05abb3be91d8788328231ee02973ab3d47f5e3d2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 13 Jul 2023 22:47:45 +0300 +Subject: dma-buf/dma-resv: Stop leaking on krealloc() failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 05abb3be91d8788328231ee02973ab3d47f5e3d2 upstream. + +Currently dma_resv_get_fences() will leak the previously +allocated array if the fence iteration got restarted and +the krealloc_array() fails. + +Free the old array by hand, and make sure we still clear +the returned *fences so the caller won't end up accessing +freed memory. Some (but not all) of the callers of +dma_resv_get_fences() seem to still trawl through the +array even when dma_resv_get_fences() failed. And let's +zero out *num_fences as well for good measure. + +Cc: Sumit Semwal +Cc: Christian König +Cc: linux-media@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Cc: linaro-mm-sig@lists.linaro.org +Fixes: d3c80698c9f5 ("dma-buf: use new iterator in dma_resv_get_fences v3") +Signed-off-by: Ville Syrjälä +Reviewed-by: Christian König +Cc: stable@vger.kernel.org +Link: https://patchwork.freedesktop.org/patch/msgid/20230713194745.1751-1-ville.syrjala@linux.intel.com +Signed-off-by: Christian König +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma-buf/dma-resv.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/dma-buf/dma-resv.c ++++ b/drivers/dma-buf/dma-resv.c +@@ -571,6 +571,7 @@ int dma_resv_get_fences(struct dma_resv + dma_resv_for_each_fence_unlocked(&cursor, fence) { + + if (dma_resv_iter_is_restarted(&cursor)) { ++ struct dma_fence **new_fences; + unsigned int count; + + while (*num_fences) +@@ -579,13 +580,17 @@ int dma_resv_get_fences(struct dma_resv + count = cursor.num_fences + 1; + + /* Eventually re-allocate the array */ +- *fences = krealloc_array(*fences, count, +- sizeof(void *), +- 
GFP_KERNEL); +- if (count && !*fences) { ++ new_fences = krealloc_array(*fences, count, ++ sizeof(void *), ++ GFP_KERNEL); ++ if (count && !new_fences) { ++ kfree(*fences); ++ *fences = NULL; ++ *num_fences = 0; + dma_resv_iter_end(&cursor); + return -ENOMEM; + } ++ *fences = new_fences; + } + + (*fences)[(*num_fences)++] = dma_fence_get(fence); diff --git a/tmp-6.4/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch b/tmp-6.4/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch new file mode 100644 index 00000000000..36d7d6bdfa9 --- /dev/null +++ b/tmp-6.4/drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch 
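Review bot: The new failure path in dma_resv_get_fences() sets up a guarantee (on -ENOMEM `*fences` is NULL and `*num_fences` is 0) that is explained only in the commit message, not next to the code. The message says some callers walk the array even after an error, so a comment above the `kfree(*fences);` line would keep a later refactor from dropping the reset, e.g. `/* Callers may still look at *fences on error: leave it NULL and empty. */`. The function's kernel-doc is outside the hunk and is the better place to record the same guarantee for callers.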
@@ -0,0 +1,38 @@ +From 5a25cefc0920088bb9afafeb80ad3dcd84fe278b Mon Sep 17 00:00:00 2001 +From: Taimur Hassan +Date: Tue, 20 Jun 2023 17:00:28 -0400 +Subject: drm/amd/display: check TG is non-null before checking if enabled + +From: Taimur Hassan + +commit 5a25cefc0920088bb9afafeb80ad3dcd84fe278b upstream. + +[Why & How] +If there is no TG allocation we can dereference a NULL pointer when +checking if the TG is enabled. + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Reviewed-by: Nicholas Kazlauskas +Acked-by: Alan Liu +Signed-off-by: Taimur Hassan +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +@@ -3309,7 +3309,8 @@ void dcn10_wait_for_mpcc_disconnect( + if (pipe_ctx->stream_res.opp->mpcc_disconnect_pending[mpcc_inst]) { + struct hubp *hubp = get_hubp_by_inst(res_pool, mpcc_inst); + +- if (pipe_ctx->stream_res.tg->funcs->is_tg_enabled(pipe_ctx->stream_res.tg)) ++ if (pipe_ctx->stream_res.tg && ++ pipe_ctx->stream_res.tg->funcs->is_tg_enabled(pipe_ctx->stream_res.tg)) + res_pool->mpc->funcs->wait_for_idle(res_pool->mpc, mpcc_inst); + pipe_ctx->stream_res.opp->mpcc_disconnect_pending[mpcc_inst] = false; + hubp->funcs->set_blank(hubp, true); diff --git a/tmp-6.4/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch b/tmp-6.4/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch new file mode 100644 index 00000000000..6b589736210 --- /dev/null +++ b/tmp-6.4/drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch 
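Review bot: The added `pipe_ctx->stream_res.tg &&` guard covers one pointer, but a few lines later the same block calls `hubp->funcs->set_blank(hubp, true);` on the result of `get_hubp_by_inst()` without any check. get_hubp_by_inst() is defined outside the hunk; if it can return NULL when no hubp matches `mpcc_inst`, that is the same class of NULL dereference this commit fixes. `if (hubp) hubp->funcs->set_blank(hubp, true);` would close it. dcn10_wait_for_mpcc_disconnect() starts and ends outside the hunk.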
@@ -0,0 +1,42 @@ +From a460beefe77d780ac48f19d39333852a7f93ffc1 Mon Sep 17 00:00:00 2001 +From: Zhikai Zhai +Date: Fri, 30 Jun 2023 11:35:14 +0800 +Subject: drm/amd/display: Disable MPC split by default on special asic + +From: Zhikai Zhai + +commit a460beefe77d780ac48f19d39333852a7f93ffc1 upstream. + +[WHY] +All of pipes will be used when the MPC split enable on the dcn +which just has 2 pipes. Then MPO enter will trigger the minimal +transition which need programe dcn from 2 pipes MPC split to 2 +pipes MPO. This action will cause lag if happen frequently. + +[HOW] +Disable the MPC split for the platform which dcn resource is limited + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Reviewed-by: Alvin Lee +Acked-by: Alan Liu +Signed-off-by: Zhikai Zhai +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn303/dcn303_resource.c +@@ -65,7 +65,7 @@ static const struct dc_debug_options deb + .timing_trace = false, + .clock_trace = true, + .disable_pplib_clock_request = true, +- .pipe_split_policy = MPC_SPLIT_DYNAMIC, ++ .pipe_split_policy = MPC_SPLIT_AVOID, + .force_single_disp_pipe_split = false, + .disable_dcc = DCC_ENABLE, + .vsr_support = true, diff --git a/tmp-6.4/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch b/tmp-6.4/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch new file mode 100644 index 00000000000..0f5dc5b7106 --- /dev/null +++ b/tmp-6.4/drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch 
@@ -0,0 +1,42 @@ +From 2387ccf43e3c6cb5dbd757c5ef410cca9f14b971 Mon Sep 17 00:00:00 2001 +From: Nicholas Kazlauskas +Date: Thu, 29 Jun 2023 10:35:59 -0400 +Subject: drm/amd/display: Keep PHY active for DP displays on DCN31 + +From: Nicholas Kazlauskas + +commit 2387ccf43e3c6cb5dbd757c5ef410cca9f14b971 upstream. + +[Why & How] +Port of a change that went into DCN314 to keep the PHY enabled +when we have a connected and active DP display. + +The PHY can hang if PHY refclk is disabled inadvertently. + +Cc: Mario Limonciello +Cc: Alex Deucher +Cc: stable@vger.kernel.org +Reviewed-by: Josip Pavic +Acked-by: Alan Liu +Signed-off-by: Nicholas Kazlauskas +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c +@@ -87,6 +87,11 @@ static int dcn31_get_active_display_cnt_ + stream->signal == SIGNAL_TYPE_DVI_SINGLE_LINK || + stream->signal == SIGNAL_TYPE_DVI_DUAL_LINK) + tmds_present = true; ++ ++ /* Checking stream / link detection ensuring that PHY is active*/ ++ if (dc_is_dp_signal(stream->signal) && !stream->dpms_off) ++ display_count++; ++ + } + + for (i = 0; i < dc->link_count; i++) { diff --git a/tmp-6.4/drm-amd-display-only-accept-async-flips-for-fast-updates.patch b/tmp-6.4/drm-amd-display-only-accept-async-flips-for-fast-updates.patch new file mode 100644 index 00000000000..f1e0c6a71d6 --- /dev/null +++ b/tmp-6.4/drm-amd-display-only-accept-async-flips-for-fast-updates.patch 
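Review bot: The added `display_count++` for active DP streams sits directly before the loop over `dc->links`, whose body is outside the hunk; if that loop also increments `display_count` for the link driving the same stream, one display is counted twice. That only matters if callers use the value as more than zero versus non-zero, so the comment should say which it is once confirmed against the callers. The existing comment also describes the check rather than the reason; something like `/* Count active DP streams so the PHY refclk is not disabled while a DP display is lit. */` would carry the rationale from the commit message into the code.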
@@ -0,0 +1,82 @@ +From 1ca67aba8d11c2849d395013e1fdce02918d5657 Mon Sep 17 00:00:00 2001 +From: Simon Ser +Date: Wed, 21 Jun 2023 17:24:59 -0300 +Subject: drm/amd/display: only accept async flips for fast updates +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Simon Ser + +commit 1ca67aba8d11c2849d395013e1fdce02918d5657 upstream. + +Up until now, amdgpu was silently degrading to vsync when +user-space requested an async flip but the hardware didn't support +it. + +The hardware doesn't support immediate flips when the update changes +the FB pitch, the DCC state, the rotation, enables or disables CRTCs +or planes, etc. This is reflected in the dm_crtc_state.update_type +field: UPDATE_TYPE_FAST means that immediate flip is supported. + +Silently degrading async flips to vsync is not the expected behavior +from a uAPI point-of-view. Xorg expects async flips to fail if +unsupported, to be able to fall back to a blit. i915 already behaves +this way. + +This patch aligns amdgpu with uAPI expectations and returns a failure +when an async flip is not possible. + +Signed-off-by: Simon Ser +Reviewed-by: André Almeida +Reviewed-by: Alex Deucher +Reviewed-by: Harry Wentland +Signed-off-by: André Almeida +Signed-off-by: Hamza Mahfooz +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 ++++++++ + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 12 ++++++++++++ + 2 files changed, 20 insertions(+) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -8055,7 +8055,15 @@ static void amdgpu_dm_commit_planes(stru + * Only allow immediate flips for fast updates that don't + * change memory domain, FB pitch, DCC state, rotation or + * mirroring. ++ * ++ * dm_crtc_helper_atomic_check() only accepts async flips with ++ * fast updates. 
+ */ ++ if (crtc->state->async_flip && ++ acrtc_state->update_type != UPDATE_TYPE_FAST) ++ drm_warn_once(state->dev, ++ "[PLANE:%d:%s] async flip with non-fast update\n", ++ plane->base.id, plane->name); + bundle->flip_addrs[planes_count].flip_immediate = + crtc->state->async_flip && + acrtc_state->update_type == UPDATE_TYPE_FAST && +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c +@@ -398,6 +398,18 @@ static int dm_crtc_helper_atomic_check(s + return -EINVAL; + } + ++ /* ++ * Only allow async flips for fast updates that don't change the FB ++ * pitch, the DCC state, rotation, etc. ++ */ ++ if (crtc_state->async_flip && ++ dm_crtc_state->update_type != UPDATE_TYPE_FAST) { ++ drm_dbg_atomic(crtc->dev, ++ "[CRTC:%d:%s] async flips are only supported for fast updates\n", ++ crtc->base.id, crtc->name); ++ return -EINVAL; ++ } ++ + /* In some use cases, like reset, no stream is attached */ + if (!dm_crtc_state->stream) + return 0; diff --git a/tmp-6.4/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch b/tmp-6.4/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch new file mode 100644 index 00000000000..e03c027ce19 --- /dev/null +++ b/tmp-6.4/drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch 
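Review bot: The new check in dm_crtc_helper_atomic_check() rejects the commit based on `dm_crtc_state->update_type`, but nothing in the hunk shows where that field is computed for the state being checked. If it is assigned later in the atomic-check sequence than this CRTC helper runs, the comparison sees a stale or default value. It would then either reject valid async flips or let non-fast ones through to the `drm_warn_once()` added in amdgpu_dm_commit_planes(). The ordering should be confirmed and recorded in the comment, e.g. `/* update_type must already be computed for this commit at this point */`. Both functions start and end outside their hunks.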
@@ -0,0 +1,40 @@ +From a4eb11824170d742531998f4ebd1c6a18b63db47 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 13 Jun 2023 12:15:38 -0400 +Subject: drm/amdgpu/pm: make gfxclock consistent for sienna cichlid + +From: Alex Deucher + +commit a4eb11824170d742531998f4ebd1c6a18b63db47 upstream. + +Use average gfxclock for consistency with other dGPUs. + +Reviewed-by: Kenneth Feng +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.1.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c +@@ -1927,12 +1927,16 @@ static int sienna_cichlid_read_sensor(st + *size = 4; + break; + case AMDGPU_PP_SENSOR_GFX_MCLK: +- ret = sienna_cichlid_get_current_clk_freq_by_table(smu, SMU_UCLK, (uint32_t *)data); ++ ret = sienna_cichlid_get_smu_metrics_data(smu, ++ METRICS_CURR_UCLK, ++ (uint32_t *)data); + *(uint32_t *)data *= 100; + *size = 4; + break; + case AMDGPU_PP_SENSOR_GFX_SCLK: +- ret = sienna_cichlid_get_current_clk_freq_by_table(smu, SMU_GFXCLK, (uint32_t *)data); ++ ret = sienna_cichlid_get_smu_metrics_data(smu, ++ METRICS_AVERAGE_GFXCLK, ++ (uint32_t *)data); + *(uint32_t *)data *= 100; + *size = 4; + break; diff --git a/tmp-6.4/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch b/tmp-6.4/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch new file mode 100644 index 00000000000..27426d1dce5 --- /dev/null +++ b/tmp-6.4/drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch 
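Review bot: In both rewritten cases of sienna_cichlid_read_sensor() the result of `sienna_cichlid_get_smu_metrics_data()` is stored in `ret`, but `*(uint32_t *)data *= 100;` runs regardless. On failure the caller's buffer is therefore scaled from whatever it held before. Guarding the scaling leaves the output untouched on error: `if (!ret) *(uint32_t *)data *= 100;`. The same pattern is visible in the AMDGPU_PP_SENSOR_GFX_MCLK case of smu_v13_0_7_read_sensor() in the following patch. How `ret` is handled after the switch is outside the hunk.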
@@ -0,0 +1,30 @@ +From 068c8bb10f37bb84824625dbbda053a3a3e0d6e1 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 13 Jun 2023 12:36:17 -0400 +Subject: drm/amdgpu/pm: make mclk consistent for smu 13.0.7 + +From: Alex Deucher + +commit 068c8bb10f37bb84824625dbbda053a3a3e0d6e1 upstream. + +Use current uclk to be consistent with other dGPUs. + +Reviewed-by: Kenneth Feng +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org # 6.1.x +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c +@@ -940,7 +940,7 @@ static int smu_v13_0_7_read_sensor(struc + break; + case AMDGPU_PP_SENSOR_GFX_MCLK: + ret = smu_v13_0_7_get_smu_metrics_data(smu, +- METRICS_AVERAGE_UCLK, ++ METRICS_CURR_UCLK, + (uint32_t *)data); + *(uint32_t *)data *= 100; + *size = 4; diff --git a/tmp-6.4/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch b/tmp-6.4/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch new file mode 100644 index 00000000000..d26cdf175ba --- /dev/null +++ b/tmp-6.4/drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch 
@@ -0,0 +1,101 @@ +From b42ae87a7b3878afaf4c3852ca66c025a5b996e0 Mon Sep 17 00:00:00 2001 +From: Guchun Chen +Date: Thu, 6 Jul 2023 15:57:21 +0800 +Subject: drm/amdgpu/vkms: relax timer deactivation by hrtimer_try_to_cancel +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guchun Chen + +commit b42ae87a7b3878afaf4c3852ca66c025a5b996e0 upstream. + +In below thousands of screen rotation loop tests with virtual display +enabled, a CPU hard lockup issue may happen, leading system to unresponsive +and crash. + +do { + xrandr --output Virtual --rotate inverted + xrandr --output Virtual --rotate right + xrandr --output Virtual --rotate left + xrandr --output Virtual --rotate normal +} while (1); + +NMI watchdog: Watchdog detected hard LOCKUP on cpu 1 + +? hrtimer_run_softirq+0x140/0x140 +? store_vblank+0xe0/0xe0 [drm] +hrtimer_cancel+0x15/0x30 +amdgpu_vkms_disable_vblank+0x15/0x30 [amdgpu] +drm_vblank_disable_and_save+0x185/0x1f0 [drm] +drm_crtc_vblank_off+0x159/0x4c0 [drm] +? record_print_text.cold+0x11/0x11 +? wait_for_completion_timeout+0x232/0x280 +? drm_crtc_wait_one_vblank+0x40/0x40 [drm] +? bit_wait_io_timeout+0xe0/0xe0 +? wait_for_completion_interruptible+0x1d7/0x320 +? mutex_unlock+0x81/0xd0 +amdgpu_vkms_crtc_atomic_disable + +It's caused by a stuck in lock dependency in such scenario on different +CPUs. + +CPU1 CPU2 +drm_crtc_vblank_off hrtimer_interrupt + grab event_lock (irq disabled) __hrtimer_run_queues + grab vbl_lock/vblank_time_block amdgpu_vkms_vblank_simulate + amdgpu_vkms_disable_vblank drm_handle_vblank + hrtimer_cancel grab dev->event_lock + +So CPU1 stucks in hrtimer_cancel as timer callback is running endless on +current clock base, as that timer queue on CPU2 has no chance to finish it +because of failing to hold the lock. So NMI watchdog will throw the errors +after its threshold, and all later CPUs are impacted/blocked. 
+ +So use hrtimer_try_to_cancel to fix this, as disable_vblank callback +does not need to wait the handler to finish. And also it's not necessary +to check the return value of hrtimer_try_to_cancel, because even if it's +-1 which means current timer callback is running, it will be reprogrammed +in hrtimer_start with calling enable_vblank to make it works. + +v2: only re-arm timer when vblank is enabled (Christian) and add a Fixes +tag as well + +v3: drop warn printing (Christian) + +v4: drop superfluous check of blank->enabled in timer function, as it's +guaranteed in drm_handle_vblank (Christian) + +Fixes: 84ec374bd580 ("drm/amdgpu: create amdgpu_vkms (v4)") +Cc: stable@vger.kernel.org +Suggested-by: Christian König +Signed-off-by: Guchun Chen +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vkms.c +@@ -55,8 +55,9 @@ static enum hrtimer_restart amdgpu_vkms_ + DRM_WARN("%s: vblank timer overrun\n", __func__); + + ret = drm_crtc_handle_vblank(crtc); ++ /* Don't queue timer again when vblank is disabled. */ + if (!ret) +- DRM_ERROR("amdgpu_vkms failure on handling vblank"); ++ return HRTIMER_NORESTART; + + return HRTIMER_RESTART; + } +@@ -81,7 +82,7 @@ static void amdgpu_vkms_disable_vblank(s + { + struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc); + +- hrtimer_cancel(&amdgpu_crtc->vblank_timer); ++ hrtimer_try_to_cancel(&amdgpu_crtc->vblank_timer); + } + + static bool amdgpu_vkms_get_vblank_timestamp(struct drm_crtc *crtc, diff --git a/tmp-6.4/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch b/tmp-6.4/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch new file mode 100644 index 00000000000..a9ac372f0a0 --- /dev/null +++ b/tmp-6.4/drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch 
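Review bot: Switching amdgpu_vkms_disable_vblank() to `hrtimer_try_to_cancel()` means the function can return while the timer callback is still executing on another CPU. The return value is also dropped with no comment at the call site saying why that is safe. For disabling vblank this is fine, as the commit message argues. Any teardown path that frees the CRTC (not visible in this hunk) still needs a blocking `hrtimer_cancel()` first, otherwise the callback could run against freed memory. A comment at the call would record the constraint: `/* Non-blocking on purpose to avoid the event_lock deadlock; teardown must still use hrtimer_cancel(). */`.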
@@ -0,0 +1,46 @@ +From 2329cc7a101af1a844fbf706c0724c0baea38365 Mon Sep 17 00:00:00 2001 +From: Jocelyn Falempe +Date: Tue, 11 Jul 2023 11:20:44 +0200 +Subject: drm/client: Fix memory leak in drm_client_modeset_probe + +From: Jocelyn Falempe + +commit 2329cc7a101af1a844fbf706c0724c0baea38365 upstream. + +When a new mode is set to modeset->mode, the previous mode should be freed. +This fixes the following kmemleak report: + +drm_mode_duplicate+0x45/0x220 [drm] +drm_client_modeset_probe+0x944/0xf50 [drm] +__drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] +drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] +drm_client_register+0x169/0x240 [drm] +ast_pci_probe+0x142/0x190 [ast] +local_pci_probe+0xdc/0x180 +work_for_cpu_fn+0x4e/0xa0 +process_one_work+0x8b7/0x1540 +worker_thread+0x70a/0xed0 +kthread+0x29f/0x340 +ret_from_fork+0x1f/0x30 + +cc: +Reported-by: Zhang Yi +Signed-off-by: Jocelyn Falempe +Reviewed-by: Javier Martinez Canillas +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-3-jfalempe@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_client_modeset.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/drm_client_modeset.c ++++ b/drivers/gpu/drm/drm_client_modeset.c +@@ -867,6 +867,7 @@ int drm_client_modeset_probe(struct drm_ + break; + } + ++ kfree(modeset->mode); + modeset->mode = drm_mode_duplicate(dev, mode); + drm_connector_get(connector); + modeset->connectors[modeset->num_connectors++] = connector; diff --git a/tmp-6.4/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch b/tmp-6.4/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch new file mode 100644 index 00000000000..05491d11e2a --- /dev/null +++ b/tmp-6.4/drm-client-fix-memory-leak-in-drm_client_target_cloned.patch 
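Review bot: After the added `kfree(modeset->mode);` the old mode is gone, yet the result of `drm_mode_duplicate(dev, mode)` on the next line is still not checked. An allocation failure leaves `modeset->mode` NULL while the connector is added to the modeset anyway. A check right after the assignment would avoid a later NULL dereference, for example `if (!modeset->mode) { ret = -ENOMEM; break; }`, assuming the function has an error variable and cleanup path of that shape outside the hunk. Using `drm_mode_destroy(dev, modeset->mode)` rather than a bare `kfree()` would also pair the free with the DRM allocation helper.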
@@ -0,0 +1,68 @@ +From c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 Mon Sep 17 00:00:00 2001 +From: Jocelyn Falempe +Date: Tue, 11 Jul 2023 11:20:43 +0200 +Subject: drm/client: Fix memory leak in drm_client_target_cloned + +From: Jocelyn Falempe + +commit c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 upstream. + +dmt_mode is allocated and never freed in this function. +It was found with the ast driver, but most drivers using generic fbdev +setup are probably affected. + +This fixes the following kmemleak report: + backtrace: + [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm] + [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm] + [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm] + [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] + [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] + [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm] + [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast] + [<00000000987f19bb>] local_pci_probe+0xdc/0x180 + [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0 + [<0000000000b85301>] process_one_work+0x8b7/0x1540 + [<000000003375b17c>] worker_thread+0x70a/0xed0 + [<00000000b0d43cd9>] kthread+0x29f/0x340 + [<000000008d770833>] ret_from_fork+0x1f/0x30 +unreferenced object 0xff11000333089a00 (size 128): + +cc: +Fixes: 1d42bbc8f7f9 ("drm/fbdev: fix cloning on fbcon") +Reported-by: Zhang Yi +Signed-off-by: Jocelyn Falempe +Reviewed-by: Javier Martinez Canillas +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20230711092203.68157-2-jfalempe@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_client_modeset.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/drm_client_modeset.c ++++ b/drivers/gpu/drm/drm_client_modeset.c +@@ -311,6 +311,9 @@ static bool drm_client_target_cloned(str + can_clone = true; + dmt_mode = drm_mode_find_dmt(dev, 1024, 768, 60, false); + ++ 
if (!dmt_mode) ++ goto fail; ++ + for (i = 0; i < connector_count; i++) { + if (!enabled[i]) + continue; +@@ -326,11 +329,13 @@ static bool drm_client_target_cloned(str + if (!modes[i]) + can_clone = false; + } ++ kfree(dmt_mode); + + if (can_clone) { + DRM_DEBUG_KMS("can clone using 1024x768\n"); + return true; + } ++fail: + DRM_INFO("kms: can't enable cloning when we probably wanted to.\n"); + return false; + } diff --git a/tmp-6.4/drm-i915-perf-add-sentinel-to-xehp_oa_b_counters.patch b/tmp-6.4/drm-i915-perf-add-sentinel-to-xehp_oa_b_counters.patch new file mode 100644 index 00000000000..571d13a8c25 --- /dev/null +++ b/tmp-6.4/drm-i915-perf-add-sentinel-to-xehp_oa_b_counters.patch 
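Review bot: The `kfree(dmt_mode);` added after the loop is only safe if no `modes[i]` entry ends up pointing at `dmt_mode` itself. Part of the loop body lies between the two hunks and is not shown, so this should be confirmed. If the loop only stores connector-owned modes that match `dmt_mode`, a one-line comment makes that explicit: `/* modes[] holds connector-owned modes, never dmt_mode itself */`. Separately, the `goto fail` taken when drm_mode_find_dmt() returns NULL logs "can't enable cloning when we probably wanted to", which hides that the lookup or allocation failed rather than the connectors lacking the mode.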
@@ -0,0 +1,49 @@ +From 339638982e36115af550bd2e6ffd2b87fa2d288a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jul 2023 17:34:10 +0200 +Subject: drm/i915/perf: add sentinel to xehp_oa_b_counters + +From: Andrzej Hajda + +[ Upstream commit 785b3f667b4bf98804cad135005e964df0c750de ] + +Arrays passed to reg_in_range_table should end with empty record. + +The patch solves KASAN detected bug with signature: +BUG: KASAN: global-out-of-bounds in xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915] +Read of size 4 at addr ffffffffa1555d90 by task perf/1518 + +CPU: 4 PID: 1518 Comm: perf Tainted: G U 6.4.0-kasan_438-g3303d06107f3+ #1 +Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P DDR5 SODIMM SBS RVP, BIOS MTLPFWI1.R00.3223.D80.2305311348 05/31/2023 +Call Trace: + +... +xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915] + +Fixes: 0fa9349dda03 ("drm/i915/perf: complete programming whitelisting for XEHPSDV") +Signed-off-by: Andrzej Hajda +Reviewed-by: Andi Shyti +Reviewed-by: Nirmoy Das +Link: https://patchwork.freedesktop.org/patch/msgid/20230711153410.1224997-1-andrzej.hajda@intel.com +(cherry picked from commit 2f42c5afb34b5696cf5fe79e744f99be9b218798) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/i915_perf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c +index 3035cba2c6a29..d7caae281fb92 100644 +--- a/drivers/gpu/drm/i915/i915_perf.c ++++ b/drivers/gpu/drm/i915/i915_perf.c +@@ -4442,6 +4442,7 @@ static const struct i915_range mtl_oam_b_counters[] = { + static const struct i915_range xehp_oa_b_counters[] = { + { .start = 0xdc48, .end = 0xdc48 }, /* OAA_ENABLE_REG */ + { .start = 0xdd00, .end = 0xdd48 }, /* OAG_LCE0_0 - OAA_LENABLE_REG */ ++ {} + }; + + static const struct i915_range gen7_oa_mux_regs[] = { +-- +2.39.2 + 
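Review bot: The bare `{}` added to `xehp_oa_b_counters` gives no hint that it is a required terminator, so the next table edit can drop or forget it again. A comment on the line makes the contract visible: `{} /* terminator required by reg_in_range_table() */`. The hunk header shows `mtl_oam_b_counters` directly above, and the other `struct i915_range` tables in i915_perf.c are outside the hunk. They deserve the same check, since a missing terminator produces the global out-of-bounds read that KASAN reported here.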
diff --git a/tmp-6.4/drm-nouveau-disp-pior-dp-uses-gpio-for-hpd-not-pmgr-aux-interrupts.patch b/tmp-6.4/drm-nouveau-disp-pior-dp-uses-gpio-for-hpd-not-pmgr-aux-interrupts.patch new file mode 100644 index 00000000000..16a88f3e81c --- /dev/null +++ b/tmp-6.4/drm-nouveau-disp-pior-dp-uses-gpio-for-hpd-not-pmgr-aux-interrupts.patch 
@@ -0,0 +1,63 @@ +From 2b5d1c29f6c4cb19369ef92881465e5ede75f4ef Mon Sep 17 00:00:00 2001 +From: Ben Skeggs +Date: Wed, 19 Jul 2023 14:40:50 +1000 +Subject: drm/nouveau/disp: PIOR DP uses GPIO for HPD, not PMGR AUX interrupts + +From: Ben Skeggs + +commit 2b5d1c29f6c4cb19369ef92881465e5ede75f4ef upstream. + +Fixes crash on boards with ANX9805 TMDS/DP encoders. + +Cc: stable@vger.kernel.org # 6.4+ +Signed-off-by: Ben Skeggs +Reviewed-by: Karol Herbst +Signed-off-by: Karol Herbst +Link: https://patchwork.freedesktop.org/patch/msgid/20230719044051.6975-2-skeggsb@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c | 29 +++++++++++++++-------- + 1 file changed, 19 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c +@@ -81,20 +81,29 @@ nvkm_uconn_uevent(struct nvkm_object *ob + return -ENOSYS; + + list_for_each_entry(outp, &conn->disp->outps, head) { +- if (outp->info.connector == conn->index && outp->dp.aux) { +- if (args->v0.types & NVIF_CONN_EVENT_V0_PLUG ) bits |= NVKM_I2C_PLUG; +- if (args->v0.types & NVIF_CONN_EVENT_V0_UNPLUG) bits |= NVKM_I2C_UNPLUG; +- if (args->v0.types & NVIF_CONN_EVENT_V0_IRQ ) bits |= NVKM_I2C_IRQ; +- +- return nvkm_uevent_add(uevent, &device->i2c->event, outp->dp.aux->id, bits, +- nvkm_uconn_uevent_aux); +- } ++ if (outp->info.connector == conn->index) ++ break; ++ } ++ ++ if (&outp->head == &conn->disp->outps) ++ return -EINVAL; ++ ++ if (outp->dp.aux && !outp->info.location) { ++ if (args->v0.types & NVIF_CONN_EVENT_V0_PLUG ) bits |= NVKM_I2C_PLUG; ++ if (args->v0.types & NVIF_CONN_EVENT_V0_UNPLUG) bits |= NVKM_I2C_UNPLUG; ++ if (args->v0.types & NVIF_CONN_EVENT_V0_IRQ ) bits |= NVKM_I2C_IRQ; ++ ++ return nvkm_uevent_add(uevent, &device->i2c->event, outp->dp.aux->id, bits, ++ nvkm_uconn_uevent_aux); + } + + if (args->v0.types & NVIF_CONN_EVENT_V0_PLUG ) bits |= NVKM_GPIO_HI; + if (args->v0.types & 
NVIF_CONN_EVENT_V0_UNPLUG) bits |= NVKM_GPIO_LO; +- if (args->v0.types & NVIF_CONN_EVENT_V0_IRQ) +- return -EINVAL; ++ if (args->v0.types & NVIF_CONN_EVENT_V0_IRQ) { ++ /* TODO: support DP IRQ on ANX9805 and remove this hack. */ ++ if (!outp->info.location) ++ return -EINVAL; ++ } + + return nvkm_uevent_add(uevent, &device->gpio->event, conn->info.hpd, bits, + nvkm_uconn_uevent_gpio); diff --git a/tmp-6.4/drm-nouveau-i2c-fix-number-of-aux-event-slots.patch b/tmp-6.4/drm-nouveau-i2c-fix-number-of-aux-event-slots.patch new file mode 100644 index 00000000000..c9bf0d564b1 --- /dev/null +++ b/tmp-6.4/drm-nouveau-i2c-fix-number-of-aux-event-slots.patch 
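Review bot: The post-loop test `if (&outp->head == &conn->disp->outps)` open-codes the "no entry matched" check on the list iterator; `list_entry_is_head(outp, &conn->disp->outps, head)` says the same thing and is harder to get wrong. Separately, when `outp->info.location` is non-zero and NVIF_CONN_EVENT_V0_IRQ is requested, the new branch neither sets a bit nor returns an error. The caller then gets a GPIO event registration that cannot deliver IRQ events. The TODO marks this as a known gap, but the comment should state plainly that the IRQ request is silently ignored for off-chip encoders. nvkm_uconn_uevent() starts outside the hunk.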
@@ -0,0 +1,83 @@ +From 752a281032b2d6f4564be827e082bde6f7d2fd4f Mon Sep 17 00:00:00 2001 +From: Ben Skeggs +Date: Wed, 19 Jul 2023 14:40:49 +1000 +Subject: drm/nouveau/i2c: fix number of aux event slots + +From: Ben Skeggs + +commit 752a281032b2d6f4564be827e082bde6f7d2fd4f upstream. + +This was completely bogus before, using maximum DCB device index rather +than maximum AUX ID to size the buffer that stores event refcounts. + +*Pretty* unlikely to have been an actual problem on most configurations, +that is, unless you've got one of the rare boards that have off-chip DP. + +There, it'll likely crash. + +Cc: stable@vger.kernel.org # 6.4+ +Signed-off-by: Ben Skeggs +Reviewed-by: Karol Herbst +Signed-off-by: Karol Herbst +Link: https://patchwork.freedesktop.org/patch/msgid/20230719044051.6975-1-skeggsb@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h | 4 ++-- + drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c | 11 +++++++++-- + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h b/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h +index 40a1065ae626..ef441dfdea09 100644 +--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h ++++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h +@@ -16,7 +16,7 @@ struct nvkm_i2c_bus { + const struct nvkm_i2c_bus_func *func; + struct nvkm_i2c_pad *pad; + #define NVKM_I2C_BUS_CCB(n) /* 'n' is ccb index */ (n) +-#define NVKM_I2C_BUS_EXT(n) /* 'n' is dcb external encoder type */ ((n) + 0x100) ++#define NVKM_I2C_BUS_EXT(n) /* 'n' is dcb external encoder type */ ((n) + 0x10) + #define NVKM_I2C_BUS_PRI /* ccb primary comm. port */ -1 + #define NVKM_I2C_BUS_SEC /* ccb secondary comm. 
port */ -2 + int id; +@@ -38,7 +38,7 @@ struct nvkm_i2c_aux { + const struct nvkm_i2c_aux_func *func; + struct nvkm_i2c_pad *pad; + #define NVKM_I2C_AUX_CCB(n) /* 'n' is ccb index */ (n) +-#define NVKM_I2C_AUX_EXT(n) /* 'n' is dcb external encoder type */ ((n) + 0x100) ++#define NVKM_I2C_AUX_EXT(n) /* 'n' is dcb external encoder type */ ((n) + 0x10) + int id; + + struct mutex mutex; +diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c +index 976539de4220..731b2f68d3db 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c +@@ -260,10 +260,11 @@ nvkm_i2c_new_(const struct nvkm_i2c_func *func, struct nvkm_device *device, + { + struct nvkm_bios *bios = device->bios; + struct nvkm_i2c *i2c; ++ struct nvkm_i2c_aux *aux; + struct dcb_i2c_entry ccbE; + struct dcb_output dcbE; + u8 ver, hdr; +- int ret, i; ++ int ret, i, ids; + + if (!(i2c = *pi2c = kzalloc(sizeof(*i2c), GFP_KERNEL))) + return -ENOMEM; +@@ -406,5 +407,11 @@ nvkm_i2c_new_(const struct nvkm_i2c_func *func, struct nvkm_device *device, + } + } + +- return nvkm_event_init(&nvkm_i2c_intr_func, &i2c->subdev, 4, i, &i2c->event); ++ ids = 0; ++ list_for_each_entry(aux, &i2c->aux, head) ++ ids = max(ids, aux->id + 1); ++ if (!ids) ++ return 0; ++ ++ return nvkm_event_init(&nvkm_i2c_intr_func, &i2c->subdev, 4, ids, &i2c->event); + } +-- +2.41.0 + diff --git a/tmp-6.4/drm-nouveau-kms-nv50-init-hpd_irq_lock-for-pior-dp.patch b/tmp-6.4/drm-nouveau-kms-nv50-init-hpd_irq_lock-for-pior-dp.patch new file mode 100644 index 00000000000..0860926f5fa --- /dev/null +++ b/tmp-6.4/drm-nouveau-kms-nv50-init-hpd_irq_lock-for-pior-dp.patch 
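Review bot: With `NVKM_I2C_AUX_EXT(n)` now `((n) + 0x10)` and `NVKM_I2C_AUX_CCB(n)` still `(n)`, the two id ranges overlap as soon as a CCB index reaches 0x10, and the same holds for the BUS macros. Whether the CCB index is bounded below that is not visible here. Once confirmed, the assumption should be written next to the macros, e.g. `/* CCB indices are < 0x10, so EXT ids never collide with them */`. Also, the new `if (!ids) return 0;` in nvkm_i2c_new_() leaves `i2c->event` without nvkm_event_init(). The fini and interrupt paths are outside the hunk and should be checked for that case.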
@@ -0,0 +1,41 @@ +From ea293f823a8805735d9e00124df81a8f448ed1ae Mon Sep 17 00:00:00 2001 +From: Ben Skeggs +Date: Wed, 19 Jul 2023 14:40:51 +1000 +Subject: drm/nouveau/kms/nv50-: init hpd_irq_lock for PIOR DP + +From: Ben Skeggs + +commit ea293f823a8805735d9e00124df81a8f448ed1ae upstream. + +Fixes OOPS on boards with ANX9805 DP encoders. + +Cc: stable@vger.kernel.org # 6.4+ +Signed-off-by: Ben Skeggs +Reviewed-by: Karol Herbst +Signed-off-by: Karol Herbst +Link: https://patchwork.freedesktop.org/patch/msgid/20230719044051.6975-3-skeggsb@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/dispnv50/disp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c ++++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c +@@ -1873,6 +1873,8 @@ nv50_pior_destroy(struct drm_encoder *en + nvif_outp_dtor(&nv_encoder->outp); + + drm_encoder_cleanup(encoder); ++ ++ mutex_destroy(&nv_encoder->dp.hpd_irq_lock); + kfree(encoder); + } + +@@ -1917,6 +1919,8 @@ nv50_pior_create(struct drm_connector *c + nv_encoder->i2c = ddc; + nv_encoder->aux = aux; + ++ mutex_init(&nv_encoder->dp.hpd_irq_lock); ++ + encoder = to_drm_encoder(nv_encoder); + encoder->possible_crtcs = dcbe->heads; + encoder->possible_clones = 0; diff --git a/tmp-6.4/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch b/tmp-6.4/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch new file mode 100644 index 00000000000..08d1232a000 --- /dev/null +++ b/tmp-6.4/drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch 
@@ -0,0 +1,38 @@
+From e9340f07719757a070b11277d243dd9908bca63c Mon Sep 17 00:00:00 2001
+From: hackyzh002
+Date: Wed, 19 Apr 2023 20:20:58 +0800
+Subject: [PATCH AUTOSEL 5.4 01/12] drm/radeon: Fix integer overflow in
+ radeon_cs_parser_init
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+X-stable: review
+X-Patchwork-Hint: Ignore
+X-stable-base: Linux 5.4.249
+
+[ Upstream commit f828b681d0cd566f86351c0b913e6cb6ed8c7b9c ]
+
+The type of size is unsigned, if size is 0x40000000, there will be an
+integer overflow, size will be zero after size *= sizeof(uint32_t),
+will cause uninitialized memory to be referenced later
+
+Reviewed-by: Christian König
+Signed-off-by: hackyzh002
+Signed-off-by: Alex Deucher
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/radeon/radeon_cs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_cs.c
++++ b/drivers/gpu/drm/radeon/radeon_cs.c
+@@ -270,7 +270,8 @@ int radeon_cs_parser_init(struct radeon_
+ {
+ struct drm_radeon_cs *cs = data;
+ uint64_t *chunk_array_ptr;
+- unsigned size, i;
++ u64 size;
++ unsigned i;
+ u32 ring = RADEON_CS_RING_GFX;
+ s32 priority = 0;
+
diff --git a/tmp-6.4/drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch b/tmp-6.4/drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch
new file mode 100644
index 00000000000..ec7d02a4a12
--- /dev/null
+++ b/tmp-6.4/drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch
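Review bot: The widened `u64 size;` in radeon_cs_parser_init has no comment saying why it must be 64-bit, so a later cleanup could narrow it again and bring back the wrap described in the commit message. I would add `/* u64: size *= sizeof(uint32_t) must not wrap for large chunk lengths */` on the declaration. The multiplication and every use of size are outside the hunk, so it is worth confirming that whatever receives size afterwards (allocation, copy) takes a 64-bit or size_t length and does not truncate it back to 32 bits. An explicit upper bound on the chunk length before the multiply would make the limit visible instead of leaving it to the type.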
@@ -0,0 +1,49 @@ +From 4481913607e58196c48a4fef5e6f45350684ec3c Mon Sep 17 00:00:00 2001 +From: Yunxiang Li +Date: Thu, 22 Jun 2023 10:18:03 -0400 +Subject: drm/ttm: fix bulk_move corruption when adding a entry +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yunxiang Li + +commit 4481913607e58196c48a4fef5e6f45350684ec3c upstream. + +When the resource is the first in the bulk_move range, adding it again +(thus moving it to the tail) will corrupt the list since the first +pointer is not moved. This eventually lead to null pointer deref in +ttm_lru_bulk_move_del() + +Fixes: fee2ede15542 ("drm/ttm: rework bulk move handling v5") +Signed-off-by: Yunxiang Li +Reviewed-by: Christian König +CC: stable@vger.kernel.org +Link: https://patchwork.freedesktop.org/patch/msgid/20230622141902.28718-3-Yunxiang.Li@amd.com +Signed-off-by: Christian König +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/ttm/ttm_resource.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ttm/ttm_resource.c ++++ b/drivers/gpu/drm/ttm/ttm_resource.c +@@ -86,6 +86,8 @@ static void ttm_lru_bulk_move_pos_tail(s + struct ttm_resource *res) + { + if (pos->last != res) { ++ if (pos->first == res) ++ pos->first = list_next_entry(res, lru); + list_move(&res->lru, &pos->last->lru); + pos->last = res; + } +@@ -111,7 +113,8 @@ static void ttm_lru_bulk_move_del(struct + { + struct ttm_lru_bulk_move_pos *pos = ttm_lru_bulk_move_pos(bulk, res); + +- if (unlikely(pos->first == res && pos->last == res)) { ++ if (unlikely(WARN_ON(!pos->first || !pos->last) || ++ (pos->first == res && pos->last == res))) { + pos->first = NULL; + pos->last = NULL; + } else if (pos->first == res) { diff --git a/tmp-6.4/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch b/tmp-6.4/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch new file mode 100644 index 00000000000..574853312c2 --- /dev/null 
+++ b/tmp-6.4/dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch 
@@ -0,0 +1,69 @@ +From 1fa4b768ca5d93b65efcc45c07ce247b86e19e6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 00:34:05 +0200 +Subject: dsa: mv88e6xxx: Do a final check before timing out + +From: Linus Walleij + +[ Upstream commit 95ce158b6c93b28842b54b42ad1cb221b9844062 ] + +I get sporadic timeouts from the driver when using the +MV88E6352. Reading the status again after the loop fixes the +problem: the operation is successful but goes undetected. + +Some added prints show things like this: + +[ 58.356209] mv88e6085 mdio_mux-0.1:00: Timeout while waiting + for switch, addr 1b reg 0b, mask 8000, val 0000, data c000 +[ 58.367487] mv88e6085 mdio_mux-0.1:00: Timeout waiting for + ATU op 4000, fid 0001 +(...) +[ 61.826293] mv88e6085 mdio_mux-0.1:00: Timeout while waiting + for switch, addr 1c reg 18, mask 8000, val 0000, data 9860 +[ 61.837560] mv88e6085 mdio_mux-0.1:00: Timeout waiting + for PHY command 1860 to complete + +The reason is probably not the commands: I think those are +mostly fine with the 50+50ms timeout, but the problem +appears when OpenWrt brings up several interfaces in +parallel on a system with 7 populated ports: if one of +them take more than 50 ms and waits one or more of the +others can get stuck on the mutex for the switch and then +this can easily multiply. + +As we sleep and wait, the function loop needs a final +check after exiting the loop if we were successful. 
+ +Suggested-by: Andrew Lunn +Cc: Tobias Waldekranz +Fixes: 35da1dfd9484 ("net: dsa: mv88e6xxx: Improve performance of busy bit polling") +Signed-off-by: Linus Walleij +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20230712223405.861899-1-linus.walleij@linaro.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 08a46ffd53af9..642e93e8623eb 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -109,6 +109,13 @@ int mv88e6xxx_wait_mask(struct mv88e6xxx_chip *chip, int addr, int reg, + usleep_range(1000, 2000); + } + ++ err = mv88e6xxx_read(chip, addr, reg, &data); ++ if (err) ++ return err; ++ ++ if ((data & mask) == val) ++ return 0; ++ + dev_err(chip->dev, "Timeout while waiting for switch\n"); + return -ETIMEDOUT; + } +-- +2.39.2 + diff --git a/tmp-6.4/erofs-fix-detection-of-atomic-context.patch b/tmp-6.4/erofs-fix-detection-of-atomic-context.patch new file mode 100644 index 00000000000..9ead507c835 --- /dev/null +++ b/tmp-6.4/erofs-fix-detection-of-atomic-context.patch 
@@ -0,0 +1,100 @@ +From e75759218787dc40a2c6c61685bd4428918ca596 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 15:08:47 -0700 +Subject: erofs: Fix detection of atomic context + +From: Sandeep Dhavale + +[ Upstream commit 12d0a24afd9ea58e581ea64d64e066f2027b28d9 ] + +Current check for atomic context is not sufficient as +z_erofs_decompressqueue_endio can be called under rcu lock +from blk_mq_flush_plug_list(). See the stacktrace [1] + +In such case we should hand off the decompression work for async +processing rather than trying to do sync decompression in current +context. Patch fixes the detection by checking for +rcu_read_lock_any_held() and while at it use more appropriate +!in_task() check than in_atomic(). + +Background: Historically erofs would always schedule a kworker for +decompression which would incur the scheduling cost regardless of +the context. But z_erofs_decompressqueue_endio() may not always +be in atomic context and we could actually benefit from doing the +decompression in z_erofs_decompressqueue_endio() if we are in +thread context, for example when running with dm-verity. +This optimization was later added in patch [2] which has shown +improvement in performance benchmarks. 
+ +============================================== +[1] Problem stacktrace +[name:core&]BUG: sleeping function called from invalid context at kernel/locking/mutex.c:291 +[name:core&]in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1615, name: CpuMonitorServi +[name:core&]preempt_count: 0, expected: 0 +[name:core&]RCU nest depth: 1, expected: 0 +CPU: 7 PID: 1615 Comm: CpuMonitorServi Tainted: G S W OE 6.1.25-android14-5-maybe-dirty-mainline #1 +Hardware name: MT6897 (DT) +Call trace: + dump_backtrace+0x108/0x15c + show_stack+0x20/0x30 + dump_stack_lvl+0x6c/0x8c + dump_stack+0x20/0x48 + __might_resched+0x1fc/0x308 + __might_sleep+0x50/0x88 + mutex_lock+0x2c/0x110 + z_erofs_decompress_queue+0x11c/0xc10 + z_erofs_decompress_kickoff+0x110/0x1a4 + z_erofs_decompressqueue_endio+0x154/0x180 + bio_endio+0x1b0/0x1d8 + __dm_io_complete+0x22c/0x280 + clone_endio+0xe4/0x280 + bio_endio+0x1b0/0x1d8 + blk_update_request+0x138/0x3a4 + blk_mq_plug_issue_direct+0xd4/0x19c + blk_mq_flush_plug_list+0x2b0/0x354 + __blk_flush_plug+0x110/0x160 + blk_finish_plug+0x30/0x4c + read_pages+0x2fc/0x370 + page_cache_ra_unbounded+0xa4/0x23c + page_cache_ra_order+0x290/0x320 + do_sync_mmap_readahead+0x108/0x2c0 + filemap_fault+0x19c/0x52c + __do_fault+0xc4/0x114 + handle_mm_fault+0x5b4/0x1168 + do_page_fault+0x338/0x4b4 + do_translation_fault+0x40/0x60 + do_mem_abort+0x60/0xc8 + el0_da+0x4c/0xe0 + el0t_64_sync_handler+0xd4/0xfc + el0t_64_sync+0x1a0/0x1a4 + +[2] Link: https://lore.kernel.org/all/20210317035448.13921-1-huangjianan@oppo.com/ + +Reported-by: Will Shiu +Suggested-by: Gao Xiang +Signed-off-by: Sandeep Dhavale +Reviewed-by: Gao Xiang +Reviewed-by: Alexandre Mergnat +Link: https://lore.kernel.org/r/20230621220848.3379029-1-dhavale@google.com +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/zdata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c +index 997ca4b32e87f..4a1c238600c52 100644 +--- 
a/fs/erofs/zdata.c ++++ b/fs/erofs/zdata.c +@@ -1411,7 +1411,7 @@ static void z_erofs_decompress_kickoff(struct z_erofs_decompressqueue *io, + if (atomic_add_return(bios, &io->pending_bios)) + return; + /* Use (kthread_)work and sync decompression for atomic contexts only */ +- if (in_atomic() || irqs_disabled()) { ++ if (!in_task() || irqs_disabled() || rcu_read_lock_any_held()) { + #ifdef CONFIG_EROFS_FS_PCPU_KTHREAD + struct kthread_worker *worker; + +-- +2.39.2 + diff --git a/tmp-6.4/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch b/tmp-6.4/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch new file mode 100644 index 00000000000..da8e336b4be --- /dev/null +++ b/tmp-6.4/ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch 
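Review bot: `rcu_read_lock_any_held()` in the new condition of z_erofs_decompress_kickoff is a lockdep-style debug helper, and as far as I know it only tracks RCU read-side sections when CONFIG_DEBUG_LOCK_ALLOC is enabled; without it the helper falls back to a preemptibility test. On a preemptible-RCU kernel built without lockdep that would presumably leave the case from the stack trace (RCU nest depth 1, preempt_count 0) undetected, and on kernels without preempt counting it would likely send every completion to the worker. Please confirm the behaviour for the configurations this backport targets and record it next to the test, e.g. `/* NOTE: rcu_read_lock_any_held() is exact only with CONFIG_DEBUG_LOCK_ALLOC */`. The function body continues outside the hunk.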
@@ -0,0 +1,54 @@ +From 6909cf5c4101214f4305a62d582a5b93c7e1eb9a Mon Sep 17 00:00:00 2001 +From: Eric Whitney +Date: Mon, 22 May 2023 14:15:20 -0400 +Subject: ext4: correct inline offset when handling xattrs in inode body + +From: Eric Whitney + +commit 6909cf5c4101214f4305a62d582a5b93c7e1eb9a upstream. + +When run on a file system where the inline_data feature has been +enabled, xfstests generic/269, generic/270, and generic/476 cause ext4 +to emit error messages indicating that inline directory entries are +corrupted. This occurs because the inline offset used to locate +inline directory entries in the inode body is not updated when an +xattr in that shared region is deleted and the region is shifted in +memory to recover the space it occupied. If the deleted xattr precedes +the system.data attribute, which points to the inline directory entries, +that attribute will be moved further up in the region. The inline +offset continues to point to whatever is located in system.data's former +location, with unfortunate effects when used to access directory entries +or (presumably) inline data in the inode body. + +Cc: stable@kernel.org +Signed-off-by: Eric Whitney +Link: https://lore.kernel.org/r/20230522181520.1570360-1-enwlinux@gmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1782,6 +1782,20 @@ static int ext4_xattr_set_entry(struct e + memmove(here, (void *)here + size, + (void *)last - (void *)here + sizeof(__u32)); + memset(last, 0, size); ++ ++ /* ++ * Update i_inline_off - moved ibody region might contain ++ * system.data attribute. Handling a failure here won't ++ * cause other complications for setting an xattr. 
++ */ ++ if (!is_block && ext4_has_inline_data(inode)) { ++ ret = ext4_find_inline_data_nolock(inode); ++ if (ret) { ++ ext4_warning_inode(inode, ++ "unable to update i_inline_off"); ++ goto out; ++ } ++ } + } else if (s->not_found) { + /* Insert new name. */ + size_t size = EXT4_XATTR_LEN(name_len); diff --git a/tmp-6.4/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch b/tmp-6.4/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch new file mode 100644 index 00000000000..72947bf228e --- /dev/null +++ b/tmp-6.4/fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch @@ -0,0 +1,40 @@ +From f3098e2e134597b5de84bfaf143eb0113a929381 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jul 2023 16:16:56 +0800 +Subject: fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe + +From: Zhang Shurong + +[ Upstream commit 4e88761f5f8c7869f15a2046b1a1116f4fab4ac8 ] + +This func misses checking for platform_get_irq()'s call and may passes the +negative error codes to request_irq(), which takes unsigned IRQ #, +causing it to fail with -EINVAL, overriding an original error code. + +Fix this by stop calling request_irq() with invalid IRQ #s. + +Fixes: 1630d85a8312 ("au1200fb: fix hardcoded IRQ") +Signed-off-by: Zhang Shurong +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/au1200fb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/video/fbdev/au1200fb.c b/drivers/video/fbdev/au1200fb.c +index aed88ce45bf09..d8f085d4ede30 100644 +--- a/drivers/video/fbdev/au1200fb.c ++++ b/drivers/video/fbdev/au1200fb.c +@@ -1732,6 +1732,9 @@ static int au1200fb_drv_probe(struct platform_device *dev) + + /* Now hook interrupt too */ + irq = platform_get_irq(dev, 0); ++ if (irq < 0) ++ return irq; ++ + ret = request_irq(irq, au1200fb_handle_irq, + IRQF_SHARED, "lcd", (void *)dev); + if (ret) { +-- +2.39.2 + 
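Review bot: The new `return irq;` in au1200fb_drv_probe leaves the function directly, while the `request_irq()` failure just below it is handled in a block (`if (ret) {`) whose body lies outside the hunk. If probe has already allocated framebuffers or mappings by this point (not visible here), the early return skips their release. Routing the error through the same unwind path would avoid that: `if (irq < 0) { ret = irq; goto FAILURE_LABEL; }`, where FAILURE_LABEL is a placeholder for whatever label the request_irq error branch uses.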
diff --git a/tmp-6.4/fbdev-imxfb-removed-unneeded-release_mem_region.patch b/tmp-6.4/fbdev-imxfb-removed-unneeded-release_mem_region.patch new file mode 100644 index 00000000000..ab0525e3219 --- /dev/null +++ b/tmp-6.4/fbdev-imxfb-removed-unneeded-release_mem_region.patch @@ -0,0 +1,36 @@ +From d5ea2fdfc87225588c235e2d54f298077b023d39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Jul 2023 21:19:58 +0800 +Subject: fbdev: imxfb: Removed unneeded release_mem_region + +From: Yangtao Li + +[ Upstream commit 45fcc058a75bf5d65cf4c32da44a252fbe873cd4 ] + +Remove unnecessary release_mem_region from the error path to prevent +mem region from being released twice, which could avoid resource leak +or other unexpected issues. + +Fixes: b083c22d5114 ("video: fbdev: imxfb: Convert request_mem_region + ioremap to devm_ioremap_resource") +Signed-off-by: Yangtao Li +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/imxfb.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c +index 5fbcb78a9caee..c8b1c73412d36 100644 +--- a/drivers/video/fbdev/imxfb.c ++++ b/drivers/video/fbdev/imxfb.c +@@ -1043,7 +1043,6 @@ static int imxfb_probe(struct platform_device *pdev) + failed_map: + failed_ioremap: + failed_getclock: +- release_mem_region(res->start, resource_size(res)); + failed_of_parse: + kfree(info->pseudo_palette); + failed_init: +-- +2.39.2 + diff --git a/tmp-6.4/fbdev-imxfb-warn-about-invalid-left-right-margin.patch b/tmp-6.4/fbdev-imxfb-warn-about-invalid-left-right-margin.patch new file mode 100644 index 00000000000..a8b7127e2f4 --- /dev/null +++ b/tmp-6.4/fbdev-imxfb-warn-about-invalid-left-right-margin.patch 
@@ -0,0 +1,43 @@ +From e5b3b55ac7affc28ab87a9c787d2c41e898454c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jun 2023 15:24:37 +0200 +Subject: fbdev: imxfb: warn about invalid left/right margin + +From: Martin Kaiser + +[ Upstream commit 4e47382fbca916d7db95cbf9e2d7ca2e9d1ca3fe ] + +Warn about invalid var->left_margin or var->right_margin. Their values +are read from the device tree. + +We store var->left_margin-3 and var->right_margin-1 in register +fields. These fields should be >= 0. + +Fixes: 7e8549bcee00 ("imxfb: Fix margin settings") +Signed-off-by: Martin Kaiser +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/imxfb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c +index adf36690c342b..5fbcb78a9caee 100644 +--- a/drivers/video/fbdev/imxfb.c ++++ b/drivers/video/fbdev/imxfb.c +@@ -613,10 +613,10 @@ static int imxfb_activate_var(struct fb_var_screeninfo *var, struct fb_info *inf + if (var->hsync_len < 1 || var->hsync_len > 64) + printk(KERN_ERR "%s: invalid hsync_len %d\n", + info->fix.id, var->hsync_len); +- if (var->left_margin > 255) ++ if (var->left_margin < 3 || var->left_margin > 255) + printk(KERN_ERR "%s: invalid left_margin %d\n", + info->fix.id, var->left_margin); +- if (var->right_margin > 255) ++ if (var->right_margin < 1 || var->right_margin > 255) + printk(KERN_ERR "%s: invalid right_margin %d\n", + info->fix.id, var->right_margin); + if (var->yres < 1 || var->yres > ymax_mask) +-- +2.39.2 + diff --git a/tmp-6.4/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch b/tmp-6.4/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch new file mode 100644 index 00000000000..5f05fd14f14 --- /dev/null +++ b/tmp-6.4/fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch 
@@ -0,0 +1,41 @@
+From 83e1fa1cec9a9b3872feb64aee1620612e20b784 Mon Sep 17 00:00:00 2001
+From: Immad Mir
+Date: Fri, 23 Jun 2023 19:17:08 +0530
+Subject: [PATCH AUTOSEL 5.4 12/12] FS: JFS: Check for read-only mounted
+ filesystem in txBegin
+X-stable: review
+X-Patchwork-Hint: Ignore
+X-stable-base: Linux 5.4.249
+
+[ Upstream commit 95e2b352c03b0a86c5717ba1d24ea20969abcacc ]
+
+ This patch adds a check for read-only mounted filesystem
+ in txBegin before starting a transaction potentially saving
+ from NULL pointer deref.
+
+Signed-off-by: Immad Mir
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/jfs_txnmgr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
+index c8ce7f1bc5942..6f6a5b9203d3f 100644
+--- a/fs/jfs/jfs_txnmgr.c
++++ b/fs/jfs/jfs_txnmgr.c
+@@ -354,6 +354,11 @@ tid_t txBegin(struct super_block *sb, int flag)
+ jfs_info("txBegin: flag = 0x%x", flag);
+ log = JFS_SBI(sb)->log;
+
++ if (!log) {
++ jfs_error(sb, "read-only filesystem\n");
++ return 0;
++ }
++
+ TXN_LOCK();
+
+ INCREMENT(TxStat.txBegin);
+--
+2.39.2
+
diff --git a/tmp-6.4/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch b/tmp-6.4/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch
new file mode 100644
index 00000000000..e8b03e8b953
--- /dev/null
+++ b/tmp-6.4/fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch
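Review bot: The early `return 0;` in txBegin introduces a failure value that the hunk does not document, and a caller that uses the returned tid without testing it would carry on with transaction id 0. Whether every caller checks for 0 is not visible here, so I would state the contract at the check, `/* no log (read-only mount): return tid 0, callers must not start a transaction */`, and audit the call sites. It is also worth confirming that `jfs_error()`, the filesystem's error-reporting path, is the right call for an expected condition on a read-only mount. txBegin's body continues outside the hunk.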
@@ -0,0 +1,40 @@
+From 097f5e82578e6895fd4f5528a020321647644b89 Mon Sep 17 00:00:00 2001
+From: Immad Mir
+Date: Fri, 23 Jun 2023 19:14:01 +0530
+Subject: [PATCH AUTOSEL 5.4 11/12] FS: JFS: Fix null-ptr-deref Read in txBegin
+X-stable: review
+X-Patchwork-Hint: Ignore
+X-stable-base: Linux 5.4.249
+
+[ Upstream commit 47cfdc338d674d38f4b2f22b7612cc6a2763ba27 ]
+
+ Syzkaller reported an issue where txBegin may be called
+ on a superblock in a read-only mounted filesystem which leads
+ to NULL pointer deref. This could be solved by checking if
+ the filesystem is read-only before calling txBegin, and returning
+ with appropiate error code.
+
+Reported-By: syzbot+f1faa20eec55e0c8644c@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=be7e52c50c5182cc09a09ea6fc456446b2039de3
+
+Signed-off-by: Immad Mir
+Signed-off-by: Dave Kleikamp
+Signed-off-by: Sasha Levin
+---
+ fs/jfs/namei.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/jfs/namei.c
++++ b/fs/jfs/namei.c
+@@ -799,6 +799,11 @@ static int jfs_link(struct dentry *old_d
+ if (rc)
+ goto out;
+
++ if (isReadOnly(ip)) {
++ jfs_error(ip->i_sb, "read-only filesystem\n");
++ return -EROFS;
++ }
++
+ tid = txBegin(ip->i_sb, 0);
+
+ mutex_lock_nested(&JFS_IP(dir)->commit_mutex, COMMIT_MUTEX_PARENT);
diff --git a/tmp-6.4/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch b/tmp-6.4/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch
new file mode 100644
index 00000000000..e3baf5a2fc9
--- /dev/null
+++ b/tmp-6.4/fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch
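Review bot: The added read-only branch in jfs_link uses `return -EROFS;` while the error check immediately above it leaves through `goto out;`, so the new path bypasses whatever the `out` label does. The label is outside the hunk; if it only returns rc this is harmless, but `rc = -EROFS; goto out;` would keep the exit paths uniform. Only the jfs_link call site is guarded here, so other txBegin() callers, which the hunk does not show, would each need their own check.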
@@ -0,0 +1,83 @@ +From d97453868eeba3d85be2772979541dc4ed88233b Mon Sep 17 00:00:00 2001 +From: Yogesh +Date: Thu, 22 Jun 2023 00:07:03 +0530 +Subject: [PATCH AUTOSEL 5.4 09/12] fs: jfs: Fix UBSAN: + array-index-out-of-bounds in dbAllocDmapLev +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit 4e302336d5ca1767a06beee7596a72d3bdc8d983 ] + +Syzkaller reported the following issue: + +UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6 +index -84 is out of range for type 's8[341]' (aka 'signed char[341]') +CPU: 1 PID: 4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:217 [inline] + __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 + dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965 + dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809 + dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350 + dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874 + dtSplitUp fs/jfs/jfs_dtree.c:974 [inline] + dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863 + jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137 + lookup_open fs/namei.c:3492 [inline] + open_last_lookups fs/namei.c:3560 [inline] + path_openat+0x13df/0x3170 fs/namei.c:3788 + do_filp_open+0x234/0x490 fs/namei.c:3818 + do_sys_openat2+0x13f/0x500 fs/open.c:1356 + do_sys_open fs/open.c:1372 [inline] + __do_sys_openat fs/open.c:1388 [inline] + __se_sys_openat fs/open.c:1383 [inline] + __x64_sys_openat+0x247/0x290 fs/open.c:1383 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7f1f4e33f7e9 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 
c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffc21129578 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9 +RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c +RBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + + +The bug occurs when the dbAllocDmapLev()function attempts to access +dp->tree.stree[leafidx + LEAFIND] while the leafidx value is negative. + +To rectify this, the patch introduces a safeguard within the +dbAllocDmapLev() function. A check has been added to verify if leafidx is +negative. If it is, the function immediately returns an I/O error, preventing +any further execution that could potentially cause harm. + +Tested via syzbot. + +Reported-by: syzbot+853a6f4dfa3cf37d3aea@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=ae2f5a27a07ae44b0f17 +Signed-off-by: Yogesh +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -1959,6 +1959,9 @@ dbAllocDmapLev(struct bmap * bmp, + if (dbFindLeaf((dmtree_t *) & dp->tree, l2nb, &leafidx)) + return -ENOSPC; + ++ if (leafidx < 0) ++ return -EIO; ++ + /* determine the block number within the file system corresponding + * to the leaf at which free space was found. + */ diff --git a/tmp-6.4/fuse-add-feature-flag-for-expire-only.patch b/tmp-6.4/fuse-add-feature-flag-for-expire-only.patch new file mode 100644 index 00000000000..ea9c473f5ac --- /dev/null +++ b/tmp-6.4/fuse-add-feature-flag-for-expire-only.patch 
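Review bot: The new guard in dbAllocDmapLev rejects only `leafidx < 0`, yet the UBSAN report in the commit message concerns an index into a fixed-size array (`s8[341]`), which has an upper bound as well. If leafidx is derived from on-disk metadata, as the syzkaller report suggests, a value that is too large would pass this check. Consider bounding both sides, `if (leafidx < 0 || leafidx + LEAFIND >= ARRAY_SIZE(dp->tree.stree)) return -EIO;`, or validating inside dbFindLeaf so that every caller benefits. A one-line comment that the index is untrusted would help the next reader; the function continues outside the hunk.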
@@ -0,0 +1,62 @@ +From 5cadfbd5a11e5495cac217534c5f788168b1afd7 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Mon, 27 Mar 2023 16:14:49 +0200 +Subject: fuse: add feature flag for expire-only + +From: Miklos Szeredi + +commit 5cadfbd5a11e5495cac217534c5f788168b1afd7 upstream. + +Add an init flag idicating whether the FUSE_EXPIRE_ONLY flag of +FUSE_NOTIFY_INVAL_ENTRY is effective. + +This is needed for backports of this feature, otherwise the server could +just check the protocol version. + +Fixes: 4f8d37020e1f ("fuse: add "expire only" mode to FUSE_NOTIFY_INVAL_ENTRY") +Cc: # v6.2 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/inode.c | 3 ++- + include/uapi/linux/fuse.h | 3 +++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -1254,7 +1254,8 @@ void fuse_send_init(struct fuse_mount *f + FUSE_ABORT_ERROR | FUSE_MAX_PAGES | FUSE_CACHE_SYMLINKS | + FUSE_NO_OPENDIR_SUPPORT | FUSE_EXPLICIT_INVAL_DATA | + FUSE_HANDLE_KILLPRIV_V2 | FUSE_SETXATTR_EXT | FUSE_INIT_EXT | +- FUSE_SECURITY_CTX | FUSE_CREATE_SUPP_GROUP; ++ FUSE_SECURITY_CTX | FUSE_CREATE_SUPP_GROUP | ++ FUSE_HAS_EXPIRE_ONLY; + #ifdef CONFIG_FUSE_DAX + if (fm->fc->dax) + flags |= FUSE_MAP_ALIGNMENT; +--- a/include/uapi/linux/fuse.h ++++ b/include/uapi/linux/fuse.h +@@ -206,6 +206,7 @@ + * - add extension header + * - add FUSE_EXT_GROUPS + * - add FUSE_CREATE_SUPP_GROUP ++ * - add FUSE_HAS_EXPIRE_ONLY + */ + + #ifndef _LINUX_FUSE_H +@@ -369,6 +370,7 @@ struct fuse_file_lock { + * FUSE_HAS_INODE_DAX: use per inode DAX + * FUSE_CREATE_SUPP_GROUP: add supplementary group info to create, mkdir, + * symlink and mknod (single group that matches parent) ++ * FUSE_HAS_EXPIRE_ONLY: kernel supports expiry-only entry invalidation + */ + #define FUSE_ASYNC_READ (1 << 0) + #define FUSE_POSIX_LOCKS (1 << 1) +@@ -406,6 +408,7 @@ struct fuse_file_lock { + #define FUSE_SECURITY_CTX (1ULL << 32) + #define FUSE_HAS_INODE_DAX (1ULL << 33) + 
#define FUSE_CREATE_SUPP_GROUP (1ULL << 34) ++#define FUSE_HAS_EXPIRE_ONLY (1ULL << 35) + + /** + * CUSE INIT request/reply flags diff --git a/tmp-6.4/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch b/tmp-6.4/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch new file mode 100644 index 00000000000..7ee5a8380e7 --- /dev/null +++ b/tmp-6.4/fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch @@ -0,0 +1,45 @@ +From 3066ff93476c35679cb07a97cce37d9bb07632ff Mon Sep 17 00:00:00 2001 +From: Bernd Schubert +Date: Fri, 15 Apr 2022 13:53:56 +0200 +Subject: fuse: Apply flags2 only when userspace set the FUSE_INIT_EXT + +From: Bernd Schubert + +commit 3066ff93476c35679cb07a97cce37d9bb07632ff upstream. + +This is just a safety precaution to avoid checking flags on memory that was +initialized on the user space side. libfuse zeroes struct fuse_init_out +outarg, but this is not guranteed to be done in all implementations. +Better is to act on flags and to only apply flags2 when FUSE_INIT_EXT is +set. + +There is a risk with this change, though - it might break existing user +space libraries, which are already using flags2 without setting +FUSE_INIT_EXT. + +The corresponding libfuse patch is here +https://github.com/libfuse/libfuse/pull/662 + +Signed-off-by: Bernd Schubert +Fixes: 53db28933e95 ("fuse: extend init flags") +Cc: # v5.17 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/inode.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/fuse/inode.c ++++ b/fs/fuse/inode.c +@@ -1134,7 +1134,10 @@ static void process_init_reply(struct fu + process_init_limits(fc, arg); + + if (arg->minor >= 6) { +- u64 flags = arg->flags | (u64) arg->flags2 << 32; ++ u64 flags = arg->flags; ++ ++ if (flags & FUSE_INIT_EXT) ++ flags |= (u64) arg->flags2 << 32; + + ra_pages = arg->max_readahead / PAGE_SIZE; + if (flags & FUSE_ASYNC_READ) 
diff --git a/tmp-6.4/fuse-ioctl-translate-enosys-in-outarg.patch b/tmp-6.4/fuse-ioctl-translate-enosys-in-outarg.patch new file mode 100644 index 00000000000..ffa3f307976 --- /dev/null +++ b/tmp-6.4/fuse-ioctl-translate-enosys-in-outarg.patch 
@@ -0,0 +1,88 @@ +From 6a567e920fd0451bf29abc418df96c3365925770 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 7 Jun 2023 17:49:21 +0200 +Subject: fuse: ioctl: translate ENOSYS in outarg + +From: Miklos Szeredi + +commit 6a567e920fd0451bf29abc418df96c3365925770 upstream. + +Fuse shouldn't return ENOSYS from its ioctl implementation. If userspace +responds with ENOSYS it should be translated to ENOTTY. + +There are two ways to return an error from the IOCTL request: + + - fuse_out_header.error + - fuse_ioctl_out.result + +Commit 02c0cab8e734 ("fuse: ioctl: translate ENOSYS") already fixed this +issue for the first case, but missed the second case. This patch fixes the +second case. + +Reported-by: Jonathan Katz +Closes: https://lore.kernel.org/all/CALKgVmcC1VUV_gJVq70n--omMJZUb4HSh_FqvLTHgNBc+HCLFQ@mail.gmail.com/ +Fixes: 02c0cab8e734 ("fuse: ioctl: translate ENOSYS") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/ioctl.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/fs/fuse/ioctl.c ++++ b/fs/fuse/ioctl.c +@@ -9,14 +9,23 @@ + #include + #include + +-static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args) ++static ssize_t fuse_send_ioctl(struct fuse_mount *fm, struct fuse_args *args, ++ struct fuse_ioctl_out *outarg) + { +- ssize_t ret = fuse_simple_request(fm, args); ++ ssize_t ret; ++ ++ args->out_args[0].size = sizeof(*outarg); ++ args->out_args[0].value = outarg; ++ ++ ret = fuse_simple_request(fm, args); + + /* Translate ENOSYS, which shouldn't be returned from fs */ + if (ret == -ENOSYS) + ret = -ENOTTY; + ++ if (ret >= 0 && outarg->result == -ENOSYS) ++ outarg->result = -ENOTTY; ++ + return ret; + } + +@@ -264,13 +273,11 @@ long fuse_do_ioctl(struct file *file, un + } + + ap.args.out_numargs = 2; +- ap.args.out_args[0].size = sizeof(outarg); +- ap.args.out_args[0].value = &outarg; + ap.args.out_args[1].size = out_size; + ap.args.out_pages = true; + 
ap.args.out_argvar = true; + +- transferred = fuse_send_ioctl(fm, &ap.args); ++ transferred = fuse_send_ioctl(fm, &ap.args, &outarg); + err = transferred; + if (transferred < 0) + goto out; +@@ -399,12 +406,10 @@ static int fuse_priv_ioctl(struct inode + args.in_args[1].size = inarg.in_size; + args.in_args[1].value = ptr; + args.out_numargs = 2; +- args.out_args[0].size = sizeof(outarg); +- args.out_args[0].value = &outarg; + args.out_args[1].size = inarg.out_size; + args.out_args[1].value = ptr; + +- err = fuse_send_ioctl(fm, &args); ++ err = fuse_send_ioctl(fm, &args, &outarg); + if (!err) { + if (outarg.result < 0) + err = outarg.result; diff --git a/tmp-6.4/fuse-revalidate-don-t-invalidate-if-interrupted.patch b/tmp-6.4/fuse-revalidate-don-t-invalidate-if-interrupted.patch new file mode 100644 index 00000000000..46e5be8f3be --- /dev/null +++ b/tmp-6.4/fuse-revalidate-don-t-invalidate-if-interrupted.patch 
@@ -0,0 +1,34 @@ +From a9d1c4c6df0e568207907c04aed9e7beb1294c42 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 7 Jun 2023 17:49:20 +0200 +Subject: fuse: revalidate: don't invalidate if interrupted + +From: Miklos Szeredi + +commit a9d1c4c6df0e568207907c04aed9e7beb1294c42 upstream. + +If the LOOKUP request triggered from fuse_dentry_revalidate() is +interrupted, then the dentry will be invalidated, possibly resulting in +submounts being unmounted. + +Reported-by: Xu Rongbo +Closes: https://lore.kernel.org/all/CAJfpegswN_CJJ6C3RZiaK6rpFmNyWmXfaEpnQUJ42KCwNF5tWw@mail.gmail.com/ +Fixes: 9e6268db496a ("[PATCH] FUSE - read-write operations") +Cc: +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/fuse/dir.c ++++ b/fs/fuse/dir.c +@@ -258,7 +258,7 @@ static int fuse_dentry_revalidate(struct + spin_unlock(&fi->lock); + } + kfree(forget); +- if (ret == -ENOMEM) ++ if (ret == -ENOMEM || ret == -EINTR) + goto out; + if (ret || fuse_invalid_attr(&outarg.attr) || + fuse_stale_inode(inode, outarg.generation, &outarg.attr)) diff --git a/tmp-6.4/gso-fix-dodgy-bit-handling-for-gso_udp_l4.patch b/tmp-6.4/gso-fix-dodgy-bit-handling-for-gso_udp_l4.patch new file mode 100644 index 00000000000..0beed69978a --- /dev/null +++ b/tmp-6.4/gso-fix-dodgy-bit-handling-for-gso_udp_l4.patch 
@@ -0,0 +1,85 @@
+From 6090361de3c7650680b9a2b098828072864fe334 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Jul 2023 10:28:00 -0700
+Subject: gso: fix dodgy bit handling for GSO_UDP_L4
+
+From: Yan Zhai
+
+[ Upstream commit 9840036786d90cea11a90d1f30b6dc003b34ee67 ]
+
+Commit 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4
+packets.") checks DODGY bit for UDP, but for packets that can be fed
+directly to the device after gso_segs reset, it actually falls through
+to fragmentation:
+
+https://lore.kernel.org/all/CAJPywTKDdjtwkLVUW6LRA2FU912qcDmQOQGt2WaDo28KzYDg+A@mail.gmail.com/
+
+This change restores the expected behavior of GSO_UDP_L4 packets.
+
+Fixes: 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4 packets.")
+Suggested-by: Willem de Bruijn
+Signed-off-by: Yan Zhai
+Reviewed-by: Willem de Bruijn
+Acked-by: Jason Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/udp_offload.c | 16 +++++++++++-----
+ net/ipv6/udp_offload.c | 3 +--
+ 2 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
+index 1f01e15ca24fd..4a61832e7f69b 100644
+--- a/net/ipv4/udp_offload.c
++++ b/net/ipv4/udp_offload.c
+@@ -273,13 +273,20 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb,
+ __sum16 check;
+ __be16 newlen;
+
+- if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST)
+- return __udp_gso_segment_list(gso_skb, features, is_ipv6);
+-
+ mss = skb_shinfo(gso_skb)->gso_size;
+ if (gso_skb->len <= sizeof(*uh) + mss)
+ return ERR_PTR(-EINVAL);
+
++ if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) {
++ /* Packet is from an untrusted source, reset gso_segs. */
++ skb_shinfo(gso_skb)->gso_segs = DIV_ROUND_UP(gso_skb->len - sizeof(*uh),
++ mss);
++ return NULL;
++ }
++
++ if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST)
++ return __udp_gso_segment_list(gso_skb, features, is_ipv6);
++
+ skb_pull(gso_skb, sizeof(*uh));
+
+ /* clear destructor to avoid skb_segment assigning it to tail */
+@@ -387,8 +394,7 @@ static struct sk_buff *udp4_ufo_fragment(struct sk_buff *skb,
+ if (!pskb_may_pull(skb, sizeof(struct udphdr)))
+ goto out;
+
+- if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4 &&
+- !skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST))
++ if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4)
+ return __udp_gso_segment(skb, features, false);
+
+ mss = skb_shinfo(skb)->gso_size;
+diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
+index c39c1e32f9804..e0e10f6bcdc18 100644
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -42,8 +42,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+ if (!pskb_may_pull(skb, sizeof(struct udphdr)))
+ goto out;
+
+- if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4 &&
+- !skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST))
++ if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4)
+ return __udp_gso_segment(skb, features, true);
+
+ mss = skb_shinfo(skb)->gso_size;
+--
+2.39.2
+
diff --git a/tmp-6.4/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch b/tmp-6.4/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch
new file mode 100644
index 00000000000..ec2516b9a3e
--- /dev/null
+++ b/tmp-6.4/hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch
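Review bot: In __udp_gso_segment() the SKB_GSO_FRAGLIST dispatch now sits below both the `gso_skb->len <= sizeof(*uh) + mss` check and the new `skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)` early return, so fraglist skbs are subject to both where they previously bypassed them; the commit message discusses only the dodgy-bit case. If that ordering is intended, a short comment above the FRAGLIST test such as `/* length and robust checks above apply to fraglist skbs too */` would record it. The new branch also divides by `mss`, read from `gso_size` on a packet its own comment calls untrusted; the preceding check bounds `len` but not `mss`, so the code appears to rely on callers never passing a zero `gso_size`, which this hunk does not show. The function continues outside the hunk.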
@@ -0,0 +1,49 @@
+From df2df0b1368fc95618c0173e921b0ec0361f3a50 Mon Sep 17 00:00:00 2001
+From: Marco Morandini
+Date: Tue, 30 May 2023 15:40:08 +0200
+Subject: [PATCH AUTOSEL 5.4 05/12] HID: add quirk for 03f0:464a HP Elite
+ Presenter Mouse
+X-stable: review
+X-Patchwork-Hint: Ignore
+X-stable-base: Linux 5.4.249
+
+[ Upstream commit 0db117359e47750d8bd310d19f13e1c4ef7fc26a ]
+
+HP Elite Presenter Mouse HID Record Descriptor shows
+two mouses (Repord ID 0x1 and 0x2), one keypad (Report ID 0x5),
+two Consumer Controls (Report IDs 0x6 and 0x3).
+Previous to this commit it registers one mouse, one keypad
+and one Consumer Control, and it was usable only as a
+digitl laser pointer (one of the two mouses). This patch defines
+the 464a USB device ID and enables the HID_QUIRK_MULTI_INPUT
+quirk for it, allowing to use the device both as a mouse
+and a digital laser pointer.
+
+Signed-off-by: Marco Morandini
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -620,6 +620,7 @@
+ #define USB_DEVICE_ID_UGCI_FIGHTING 0x0030
+
+ #define USB_VENDOR_ID_HP 0x03f0
++#define USB_PRODUCT_ID_HP_ELITE_PRESENTER_MOUSE_464A 0x464a
+ #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A 0x0a4a
+ #define USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A 0x0b4a
+ #define USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE 0x134a
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -96,6 +96,7 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_KEYBOARD_A096), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_HOLTEK_ALT, USB_DEVICE_ID_HOLTEK_ALT_KEYBOARD_A293), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0A4A), HID_QUIRK_ALWAYS_POLL },
++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_ELITE_PRESENTER_MOUSE_464A), HID_QUIRK_MULTI_INPUT },
+ { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_LOGITECH_OEM_USB_OPTICAL_MOUSE_0B4A), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_HP, USB_PRODUCT_ID_HP_PIXART_OEM_USB_OPTICAL_MOUSE_094A), HID_QUIRK_ALWAYS_POLL },
diff --git a/tmp-6.4/ia64-mmap-consider-pgoff-when-searching-for-free-mapping.patch b/tmp-6.4/ia64-mmap-consider-pgoff-when-searching-for-free-mapping.patch
new file mode 100644
index 00000000000..ed3cef99490
--- /dev/null
+++ b/tmp-6.4/ia64-mmap-consider-pgoff-when-searching-for-free-mapping.patch
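Review bot: The new hid-quirks.c entry matches with `HID_BLUETOOTH_DEVICE(...)`, whereas the commit message says the patch defines "the 464a USB device ID" and every neighbouring HP entry uses `HID_USB_DEVICE`. If the presenter attaches over Bluetooth the macro is right, but the quirk then applies on that bus only and the `USB_PRODUCT_ID_` name plus the description suggest otherwise. A trailing comment on the entry such as `/* Bluetooth only */` would make the intended bus explicit. The quirk table continues outside the hunk.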
@@ -0,0 +1,42 @@
+From 07e981137f17e5275b6fa5fd0c28b0ddb4519702 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Fri, 21 Jul 2023 17:24:32 +0200
+Subject: ia64: mmap: Consider pgoff when searching for free mapping
+
+From: Helge Deller
+
+commit 07e981137f17e5275b6fa5fd0c28b0ddb4519702 upstream.
+
+IA64 is the only architecture which does not consider the pgoff value when
+searching for a possible free memory region with vm_unmapped_area().
+Adding this seems to have no negative side effect on IA64, so add it now
+to make IA64 consistent with all other architectures.
+
+Cc: stable@vger.kernel.org # 6.4
+Signed-off-by: Helge Deller
+Tested-by: matoro
+Cc: Andrew Morton
+Cc: linux-ia64@vger.kernel.org
+Link: https://lore.kernel.org/r/20230721152432.196382-3-deller@gmx.de
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/ia64/kernel/sys_ia64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c
+index 6e948d015332..eb561cc93632 100644
+--- a/arch/ia64/kernel/sys_ia64.c
++++ b/arch/ia64/kernel/sys_ia64.c
+@@ -63,7 +63,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
+ info.low_limit = addr;
+ info.high_limit = TASK_SIZE;
+ info.align_mask = align_mask;
+- info.align_offset = 0;
++ info.align_offset = pgoff << PAGE_SHIFT;
+ return vm_unmapped_area(&info);
+ }
+
+--
+2.41.0
+
diff --git a/tmp-6.4/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch b/tmp-6.4/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch
new file mode 100644
index 00000000000..2cc89a6021d
--- /dev/null
+++ b/tmp-6.4/iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch
@@ -0,0 +1,342 @@ +From 5f761430984862f987bf461a697a429a2963c676 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 10:52:25 -0400 +Subject: iavf: fix a deadlock caused by rtnl and driver's lock circular + dependencies + +From: Ahmed Zaki + +[ Upstream commit d1639a17319ba78a018280cd2df6577a7e5d9fab ] + +A driver's lock (crit_lock) is used to serialize all the driver's tasks. +Lockdep, however, shows a circular dependency between rtnl and +crit_lock. This happens when an ndo that already holds the rtnl requests +the driver to reset, since the reset task (in some paths) tries to grab +rtnl to either change real number of queues of update netdev features. + + [566.241851] ====================================================== + [566.241893] WARNING: possible circular locking dependency detected + [566.241936] 6.2.14-100.fc36.x86_64+debug #1 Tainted: G OE + [566.241984] ------------------------------------------------------ + [566.242025] repro.sh/2604 is trying to acquire lock: + [566.242061] ffff9280fc5ceee8 (&adapter->crit_lock){+.+.}-{3:3}, at: iavf_close+0x3c/0x240 [iavf] + [566.242167] + but task is already holding lock: + [566.242209] ffffffff9976d350 (rtnl_mutex){+.+.}-{3:3}, at: iavf_remove+0x6b5/0x730 [iavf] + [566.242300] + which lock already depends on the new lock. 
+ + [566.242353] + the existing dependency chain (in reverse order) is: + [566.242401] + -> #1 (rtnl_mutex){+.+.}-{3:3}: + [566.242451] __mutex_lock+0xc1/0xbb0 + [566.242489] iavf_init_interrupt_scheme+0x179/0x440 [iavf] + [566.242560] iavf_watchdog_task+0x80b/0x1400 [iavf] + [566.242627] process_one_work+0x2b3/0x560 + [566.242663] worker_thread+0x4f/0x3a0 + [566.242696] kthread+0xf2/0x120 + [566.242730] ret_from_fork+0x29/0x50 + [566.242763] + -> #0 (&adapter->crit_lock){+.+.}-{3:3}: + [566.242815] __lock_acquire+0x15ff/0x22b0 + [566.242869] lock_acquire+0xd2/0x2c0 + [566.242901] __mutex_lock+0xc1/0xbb0 + [566.242934] iavf_close+0x3c/0x240 [iavf] + [566.242997] __dev_close_many+0xac/0x120 + [566.243036] dev_close_many+0x8b/0x140 + [566.243071] unregister_netdevice_many_notify+0x165/0x7c0 + [566.243116] unregister_netdevice_queue+0xd3/0x110 + [566.243157] iavf_remove+0x6c1/0x730 [iavf] + [566.243217] pci_device_remove+0x33/0xa0 + [566.243257] device_release_driver_internal+0x1bc/0x240 + [566.243299] pci_stop_bus_device+0x6c/0x90 + [566.243338] pci_stop_and_remove_bus_device+0xe/0x20 + [566.243380] pci_iov_remove_virtfn+0xd1/0x130 + [566.243417] sriov_disable+0x34/0xe0 + [566.243448] ice_free_vfs+0x2da/0x330 [ice] + [566.244383] ice_sriov_configure+0x88/0xad0 [ice] + [566.245353] sriov_numvfs_store+0xde/0x1d0 + [566.246156] kernfs_fop_write_iter+0x15e/0x210 + [566.246921] vfs_write+0x288/0x530 + [566.247671] ksys_write+0x74/0xf0 + [566.248408] do_syscall_64+0x58/0x80 + [566.249145] entry_SYSCALL_64_after_hwframe+0x72/0xdc + [566.249886] + other info that might help us debug this: + + [566.252014] Possible unsafe locking scenario: + + [566.253432] CPU0 CPU1 + [566.254118] ---- ---- + [566.254800] lock(rtnl_mutex); + [566.255514] lock(&adapter->crit_lock); + [566.256233] lock(rtnl_mutex); + [566.256897] lock(&adapter->crit_lock); + [566.257388] + *** DEADLOCK *** + +The deadlock can be triggered by a script that is continuously resetting +the VF adapter while doing 
other operations requiring RTNL, e.g: + + while :; do + ip link set $VF up + ethtool --set-channels $VF combined 2 + ip link set $VF down + ip link set $VF up + ethtool --set-channels $VF combined 4 + ip link set $VF down + done + +Any operation that triggers a reset can substitute "ethtool --set-channles" + +As a fix, add a new task "finish_config" that do all the work which +needs rtnl lock. With the exception of iavf_remove(), all work that +require rtnl should be called from this task. + +As for iavf_remove(), at the point where we need to call +unregister_netdevice() (and grab rtnl_lock), we make sure the finish_config +task is not running (cancel_work_sync()) to safely grab rtnl. Subsequent +finish_config work cannot restart after that since the task is guarded +by the __IAVF_IN_REMOVE_TASK bit in iavf_schedule_finish_config(). + +Fixes: 5ac49f3c2702 ("iavf: use mutexes for locking of critical sections") +Signed-off-by: Ahmed Zaki +Signed-off-by: Mateusz Palczewski +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 2 + + drivers/net/ethernet/intel/iavf/iavf_main.c | 114 +++++++++++++----- + .../net/ethernet/intel/iavf/iavf_virtchnl.c | 1 + + 3 files changed, 85 insertions(+), 32 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index a5cab19eb6a8b..bf5e3c8e97e04 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -255,6 +255,7 @@ struct iavf_adapter { + struct workqueue_struct *wq; + struct work_struct reset_task; + struct work_struct adminq_task; ++ struct work_struct finish_config; + struct delayed_work client_task; + wait_queue_head_t down_waitqueue; + wait_queue_head_t reset_waitqueue; +@@ -521,6 +522,7 @@ int iavf_process_config(struct iavf_adapter *adapter); + int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter); + void iavf_schedule_reset(struct 
iavf_adapter *adapter); + void iavf_schedule_request_stats(struct iavf_adapter *adapter); ++void iavf_schedule_finish_config(struct iavf_adapter *adapter); + void iavf_reset(struct iavf_adapter *adapter); + void iavf_set_ethtool_ops(struct net_device *netdev); + void iavf_update_stats(struct iavf_adapter *adapter); +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 8cb9b74b3ebea..161750c1598f8 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1702,10 +1702,10 @@ static int iavf_set_interrupt_capability(struct iavf_adapter *adapter) + adapter->msix_entries[vector].entry = vector; + + err = iavf_acquire_msix_vectors(adapter, v_budget); ++ if (!err) ++ iavf_schedule_finish_config(adapter); + + out: +- netif_set_real_num_rx_queues(adapter->netdev, pairs); +- netif_set_real_num_tx_queues(adapter->netdev, pairs); + return err; + } + +@@ -1925,9 +1925,7 @@ static int iavf_init_interrupt_scheme(struct iavf_adapter *adapter) + goto err_alloc_queues; + } + +- rtnl_lock(); + err = iavf_set_interrupt_capability(adapter); +- rtnl_unlock(); + if (err) { + dev_err(&adapter->pdev->dev, + "Unable to setup interrupt capabilities\n"); +@@ -2013,6 +2011,78 @@ static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter, bool runni + return err; + } + ++/** ++ * iavf_finish_config - do all netdev work that needs RTNL ++ * @work: our work_struct ++ * ++ * Do work that needs both RTNL and crit_lock. 
++ **/ ++static void iavf_finish_config(struct work_struct *work) ++{ ++ struct iavf_adapter *adapter; ++ int pairs, err; ++ ++ adapter = container_of(work, struct iavf_adapter, finish_config); ++ ++ /* Always take RTNL first to prevent circular lock dependency */ ++ rtnl_lock(); ++ mutex_lock(&adapter->crit_lock); ++ ++ if ((adapter->flags & IAVF_FLAG_SETUP_NETDEV_FEATURES) && ++ adapter->netdev_registered && ++ !test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section)) { ++ netdev_update_features(adapter->netdev); ++ adapter->flags &= ~IAVF_FLAG_SETUP_NETDEV_FEATURES; ++ } ++ ++ switch (adapter->state) { ++ case __IAVF_DOWN: ++ if (!adapter->netdev_registered) { ++ err = register_netdevice(adapter->netdev); ++ if (err) { ++ dev_err(&adapter->pdev->dev, "Unable to register netdev (%d)\n", ++ err); ++ ++ /* go back and try again.*/ ++ iavf_free_rss(adapter); ++ iavf_free_misc_irq(adapter); ++ iavf_reset_interrupt_capability(adapter); ++ iavf_change_state(adapter, ++ __IAVF_INIT_CONFIG_ADAPTER); ++ goto out; ++ } ++ adapter->netdev_registered = true; ++ } ++ ++ /* Set the real number of queues when reset occurs while ++ * state == __IAVF_DOWN ++ */ ++ fallthrough; ++ case __IAVF_RUNNING: ++ pairs = adapter->num_active_queues; ++ netif_set_real_num_rx_queues(adapter->netdev, pairs); ++ netif_set_real_num_tx_queues(adapter->netdev, pairs); ++ break; ++ ++ default: ++ break; ++ } ++ ++out: ++ mutex_unlock(&adapter->crit_lock); ++ rtnl_unlock(); ++} ++ ++/** ++ * iavf_schedule_finish_config - Set the flags and schedule a reset event ++ * @adapter: board private structure ++ **/ ++void iavf_schedule_finish_config(struct iavf_adapter *adapter) ++{ ++ if (!test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section)) ++ queue_work(adapter->wq, &adapter->finish_config); ++} ++ + /** + * iavf_process_aq_command - process aq_required flags + * and sends aq command +@@ -2650,22 +2720,8 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) + + 
netif_carrier_off(netdev); + adapter->link_up = false; +- +- /* set the semaphore to prevent any callbacks after device registration +- * up to time when state of driver will be set to __IAVF_DOWN +- */ +- rtnl_lock(); +- if (!adapter->netdev_registered) { +- err = register_netdevice(netdev); +- if (err) { +- rtnl_unlock(); +- goto err_register; +- } +- } +- +- adapter->netdev_registered = true; +- + netif_tx_stop_all_queues(netdev); ++ + if (CLIENT_ALLOWED(adapter)) { + err = iavf_lan_add_device(adapter); + if (err) +@@ -2678,7 +2734,6 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) + + iavf_change_state(adapter, __IAVF_DOWN); + set_bit(__IAVF_VSI_DOWN, adapter->vsi.state); +- rtnl_unlock(); + + iavf_misc_irq_enable(adapter); + wake_up(&adapter->down_waitqueue); +@@ -2698,10 +2753,11 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter) + /* request initial VLAN offload settings */ + iavf_set_vlan_offload_features(adapter, 0, netdev->features); + ++ iavf_schedule_finish_config(adapter); + return; ++ + err_mem: + iavf_free_rss(adapter); +-err_register: + iavf_free_misc_irq(adapter); + err_sw_init: + iavf_reset_interrupt_capability(adapter); +@@ -2728,15 +2784,6 @@ static void iavf_watchdog_task(struct work_struct *work) + goto restart_watchdog; + } + +- if ((adapter->flags & IAVF_FLAG_SETUP_NETDEV_FEATURES) && +- adapter->netdev_registered && +- !test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section) && +- rtnl_trylock()) { +- netdev_update_features(adapter->netdev); +- rtnl_unlock(); +- adapter->flags &= ~IAVF_FLAG_SETUP_NETDEV_FEATURES; +- } +- + if (adapter->flags & IAVF_FLAG_PF_COMMS_FAILED) + iavf_change_state(adapter, __IAVF_COMM_FAILED); + +@@ -4978,6 +5025,7 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + INIT_WORK(&adapter->reset_task, iavf_reset_task); + INIT_WORK(&adapter->adminq_task, iavf_adminq_task); ++ INIT_WORK(&adapter->finish_config, iavf_finish_config); + 
INIT_DELAYED_WORK(&adapter->watchdog_task, iavf_watchdog_task); + INIT_DELAYED_WORK(&adapter->client_task, iavf_client_task); + queue_delayed_work(adapter->wq, &adapter->watchdog_task, +@@ -5120,13 +5168,15 @@ static void iavf_remove(struct pci_dev *pdev) + usleep_range(500, 1000); + } + cancel_delayed_work_sync(&adapter->watchdog_task); ++ cancel_work_sync(&adapter->finish_config); + ++ rtnl_lock(); + if (adapter->netdev_registered) { +- rtnl_lock(); + unregister_netdevice(netdev); + adapter->netdev_registered = false; +- rtnl_unlock(); + } ++ rtnl_unlock(); ++ + if (CLIENT_ALLOWED(adapter)) { + err = iavf_lan_del_device(adapter); + if (err) +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index 1bab896aaf40c..073ac29ed84c7 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -2237,6 +2237,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + + iavf_process_config(adapter); + adapter->flags |= IAVF_FLAG_SETUP_NETDEV_FEATURES; ++ iavf_schedule_finish_config(adapter); + + iavf_set_queue_vlan_tag_loc(adapter); + +-- +2.39.2 + diff --git a/tmp-6.4/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch b/tmp-6.4/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch new file mode 100644 index 00000000000..cc8b7f34cd3 --- /dev/null +++ b/tmp-6.4/iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch 
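Review bot: The kernel-doc added for iavf_schedule_finish_config() reads "Set the flags and schedule a reset event", which is the summary of iavf_schedule_reset(); the function sets no flags and queues `finish_config`. I would change the summary line to `* iavf_schedule_finish_config - queue finish_config work unless the driver is being removed`. Separately, the `test_bit(__IAVF_IN_REMOVE_TASK, ...)` check and the `queue_work()` call are not atomic with respect to iavf_remove(), so the guarantee described in the commit message depends on the bit being set before `cancel_work_sync(&adapter->finish_config)` runs; where the bit is set lies outside these hunks and is worth confirming.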
@@ -0,0 +1,160 @@ +From 9a0a6f5caa0dcedb4c41554c0d5d7f5fd401e046 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 19:11:48 +0800 +Subject: iavf: Fix out-of-bounds when setting channels on remove + +From: Ding Hui + +[ Upstream commit 7c4bced3caa749ce468b0c5de711c98476b23a52 ] + +If we set channels greater during iavf_remove(), and waiting reset done +would be timeout, then returned with error but changed num_active_queues +directly, that will lead to OOB like the following logs. Because the +num_active_queues is greater than tx/rx_rings[] allocated actually. + +Reproducer: + + [root@host ~]# cat repro.sh + #!/bin/bash + + pf_dbsf="0000:41:00.0" + vf0_dbsf="0000:41:02.0" + g_pids=() + + function do_set_numvf() + { + echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + } + + function do_set_channel() + { + local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) + [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } + ifconfig $nic 192.168.18.5 netmask 255.255.255.0 + ifconfig $nic up + ethtool -L $nic combined 1 + ethtool -L $nic combined 4 + sleep $((RANDOM%3)) + } + + function on_exit() + { + local pid + for pid in "${g_pids[@]}"; do + kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null + done + g_pids=() + } + + trap "on_exit; exit" EXIT + + while :; do do_set_numvf ; done & + g_pids+=($!) + while :; do do_set_channel ; done & + g_pids+=($!) 
+ + wait + +Result: + +[ 3506.152887] iavf 0000:41:02.0: Removing device +[ 3510.400799] ================================================================== +[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536 +[ 3510.400823] +[ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 +[ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 +[ 3510.400835] Call Trace: +[ 3510.400851] dump_stack+0x71/0xab +[ 3510.400860] print_address_description+0x6b/0x290 +[ 3510.400865] ? iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400868] kasan_report+0x14a/0x2b0 +[ 3510.400873] iavf_free_all_tx_resources+0x156/0x160 [iavf] +[ 3510.400880] iavf_remove+0x2b6/0xc70 [iavf] +[ 3510.400884] ? iavf_free_all_rx_resources+0x160/0x160 [iavf] +[ 3510.400891] ? wait_woken+0x1d0/0x1d0 +[ 3510.400895] ? notifier_call_chain+0xc1/0x130 +[ 3510.400903] pci_device_remove+0xa8/0x1f0 +[ 3510.400910] device_release_driver_internal+0x1c6/0x460 +[ 3510.400916] pci_stop_bus_device+0x101/0x150 +[ 3510.400919] pci_stop_and_remove_bus_device+0xe/0x20 +[ 3510.400924] pci_iov_remove_virtfn+0x187/0x420 +[ 3510.400927] ? pci_iov_add_virtfn+0xe10/0xe10 +[ 3510.400929] ? pci_get_subsys+0x90/0x90 +[ 3510.400932] sriov_disable+0xed/0x3e0 +[ 3510.400936] ? bus_find_device+0x12d/0x1a0 +[ 3510.400953] i40e_free_vfs+0x754/0x1210 [i40e] +[ 3510.400966] ? i40e_reset_all_vfs+0x880/0x880 [i40e] +[ 3510.400968] ? pci_get_device+0x7c/0x90 +[ 3510.400970] ? pci_get_subsys+0x90/0x90 +[ 3510.400982] ? pci_vfs_assigned.part.7+0x144/0x210 +[ 3510.400987] ? __mutex_lock_slowpath+0x10/0x10 +[ 3510.400996] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 3510.401001] sriov_numvfs_store+0x214/0x290 +[ 3510.401005] ? sriov_totalvfs_show+0x30/0x30 +[ 3510.401007] ? __mutex_lock_slowpath+0x10/0x10 +[ 3510.401011] ? 
__check_object_size+0x15a/0x350 +[ 3510.401018] kernfs_fop_write+0x280/0x3f0 +[ 3510.401022] vfs_write+0x145/0x440 +[ 3510.401025] ksys_write+0xab/0x160 +[ 3510.401028] ? __ia32_sys_read+0xb0/0xb0 +[ 3510.401031] ? fput_many+0x1a/0x120 +[ 3510.401032] ? filp_close+0xf0/0x130 +[ 3510.401038] do_syscall_64+0xa0/0x370 +[ 3510.401041] ? page_fault+0x8/0x30 +[ 3510.401043] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 3510.401073] RIP: 0033:0x7f3a9bb842c0 +[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 +[ 3510.401080] RSP: 002b:00007ffc05f1fe18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 3510.401083] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f3a9bb842c0 +[ 3510.401085] RDX: 0000000000000002 RSI: 0000000002327408 RDI: 0000000000000001 +[ 3510.401086] RBP: 0000000002327408 R08: 00007f3a9be53780 R09: 00007f3a9c8a4700 +[ 3510.401086] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 +[ 3510.401087] R13: 0000000000000001 R14: 00007f3a9be52620 R15: 0000000000000001 +[ 3510.401090] +[ 3510.401093] Allocated by task 76795: +[ 3510.401098] kasan_kmalloc+0xa6/0xd0 +[ 3510.401099] __kmalloc+0xfb/0x200 +[ 3510.401104] iavf_init_interrupt_scheme+0x26f/0x1310 [iavf] +[ 3510.401108] iavf_watchdog_task+0x1d58/0x4050 [iavf] +[ 3510.401114] process_one_work+0x56a/0x11f0 +[ 3510.401115] worker_thread+0x8f/0xf40 +[ 3510.401117] kthread+0x2a0/0x390 +[ 3510.401119] ret_from_fork+0x1f/0x40 +[ 3510.401122] 0xffffffffffffffff +[ 3510.401123] + +In timeout handling, we should keep the original num_active_queues +and reset num_req_queues to 0. 
+ +Fixes: 4e5e6b5d9d13 ("iavf: Fix return of set the new channel count") +Signed-off-by: Ding Hui +Cc: Donglin Peng +Cc: Huang Cun +Reviewed-by: Leon Romanovsky +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index 6f171d1d85b75..92443f8e9fbdf 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -1863,7 +1863,7 @@ static int iavf_set_channels(struct net_device *netdev, + } + if (i == IAVF_RESET_WAIT_COMPLETE_COUNT) { + adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; +- adapter->num_active_queues = num_req; ++ adapter->num_req_queues = 0; + return -EOPNOTSUPP; + } + +-- +2.39.2 + diff --git a/tmp-6.4/iavf-fix-reset-task-race-with-iavf_remove.patch b/tmp-6.4/iavf-fix-reset-task-race-with-iavf_remove.patch new file mode 100644 index 00000000000..d8c2ed28871 --- /dev/null +++ b/tmp-6.4/iavf-fix-reset-task-race-with-iavf_remove.patch 
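Review bot: On the timeout path of iavf_set_channels() the fix writes `adapter->num_req_queues = 0` and clears IAVF_FLAG_REINIT_ITR_NEEDED with no lock visible in the hunk, while the reset scheduled a few lines earlier may still be pending or running. If the reset task reads `num_req_queues` under crit_lock (not visible here), it can observe either the requested count or zero depending on timing. A comment stating why the unlocked write is safe, for example `/* reset task has not consumed num_req_queues; cancel the request */`, or doing the write under the same lock, would close that gap. The function starts and ends outside the hunk.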
@@ -0,0 +1,190 @@ +From abbc67998f91be1d120f00aa0a1ed11511c3ac34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 10:52:26 -0400 +Subject: iavf: fix reset task race with iavf_remove() + +From: Ahmed Zaki + +[ Upstream commit c34743daca0eb1dc855831a5210f0800a850088e ] + +The reset task is currently scheduled from the watchdog or adminq tasks. +First, all direct calls to schedule the reset task are replaced with the +iavf_schedule_reset(), which is modified to accept the flag showing the +type of reset. + +To prevent the reset task from starting once iavf_remove() starts, we need +to check the __IAVF_IN_REMOVE_TASK bit before we schedule it. This is now +easily added to iavf_schedule_reset(). + +Finally, remove the check for IAVF_FLAG_RESET_NEEDED in the watchdog task. +It is redundant since all callers who set the flag immediately schedules +the reset task. + +Fixes: 3ccd54ef44eb ("iavf: Fix init state closure on remove") +Fixes: 14756b2ae265 ("iavf: Fix __IAVF_RESETTING state usage") +Signed-off-by: Ahmed Zaki +Signed-off-by: Mateusz Palczewski +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 2 +- + .../net/ethernet/intel/iavf/iavf_ethtool.c | 8 ++--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 32 +++++++------------ + .../net/ethernet/intel/iavf/iavf_virtchnl.c | 3 +- + 4 files changed, 16 insertions(+), 29 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index bf5e3c8e97e04..8cbdebc5b6989 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -520,7 +520,7 @@ int iavf_up(struct iavf_adapter *adapter); + void iavf_down(struct iavf_adapter *adapter); + int iavf_process_config(struct iavf_adapter *adapter); + int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter); +-void iavf_schedule_reset(struct iavf_adapter *adapter); ++void 
iavf_schedule_reset(struct iavf_adapter *adapter, u64 flags); + void iavf_schedule_request_stats(struct iavf_adapter *adapter); + void iavf_schedule_finish_config(struct iavf_adapter *adapter); + void iavf_reset(struct iavf_adapter *adapter); +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index b7141c2a941d1..2f47cfa7f06e2 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -532,8 +532,7 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags) + /* issue a reset to force legacy-rx change to take effect */ + if (changed_flags & IAVF_FLAG_LEGACY_RX) { + if (netif_running(netdev)) { +- adapter->flags |= IAVF_FLAG_RESET_NEEDED; +- queue_work(adapter->wq, &adapter->reset_task); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + ret = iavf_wait_for_reset(adapter); + if (ret) + netdev_warn(netdev, "Changing private flags timeout or interrupted waiting for reset"); +@@ -676,8 +675,7 @@ static int iavf_set_ringparam(struct net_device *netdev, + } + + if (netif_running(netdev)) { +- adapter->flags |= IAVF_FLAG_RESET_NEEDED; +- queue_work(adapter->wq, &adapter->reset_task); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + ret = iavf_wait_for_reset(adapter); + if (ret) + netdev_warn(netdev, "Changing ring parameters timeout or interrupted waiting for reset"); +@@ -1860,7 +1858,7 @@ static int iavf_set_channels(struct net_device *netdev, + + adapter->num_req_queues = num_req; + adapter->flags |= IAVF_FLAG_REINIT_ITR_NEEDED; +- iavf_schedule_reset(adapter); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + + ret = iavf_wait_for_reset(adapter); + if (ret) +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 161750c1598f8..ba96312feb505 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ 
-309,12 +309,14 @@ static int iavf_lock_timeout(struct mutex *lock, unsigned int msecs) + /** + * iavf_schedule_reset - Set the flags and schedule a reset event + * @adapter: board private structure ++ * @flags: IAVF_FLAG_RESET_PENDING or IAVF_FLAG_RESET_NEEDED + **/ +-void iavf_schedule_reset(struct iavf_adapter *adapter) ++void iavf_schedule_reset(struct iavf_adapter *adapter, u64 flags) + { +- if (!(adapter->flags & +- (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED))) { +- adapter->flags |= IAVF_FLAG_RESET_NEEDED; ++ if (!test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section) && ++ !(adapter->flags & ++ (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED))) { ++ adapter->flags |= flags; + queue_work(adapter->wq, &adapter->reset_task); + } + } +@@ -342,7 +344,7 @@ static void iavf_tx_timeout(struct net_device *netdev, unsigned int txqueue) + struct iavf_adapter *adapter = netdev_priv(netdev); + + adapter->tx_timeout_count++; +- iavf_schedule_reset(adapter); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + } + + /** +@@ -2490,7 +2492,7 @@ int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter) + adapter->vsi_res->num_queue_pairs); + adapter->flags |= IAVF_FLAG_REINIT_MSIX_NEEDED; + adapter->num_req_queues = adapter->vsi_res->num_queue_pairs; +- iavf_schedule_reset(adapter); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + + return -EAGAIN; + } +@@ -2787,14 +2789,6 @@ static void iavf_watchdog_task(struct work_struct *work) + if (adapter->flags & IAVF_FLAG_PF_COMMS_FAILED) + iavf_change_state(adapter, __IAVF_COMM_FAILED); + +- if (adapter->flags & IAVF_FLAG_RESET_NEEDED) { +- adapter->aq_required = 0; +- adapter->current_op = VIRTCHNL_OP_UNKNOWN; +- mutex_unlock(&adapter->crit_lock); +- queue_work(adapter->wq, &adapter->reset_task); +- return; +- } +- + switch (adapter->state) { + case __IAVF_STARTUP: + iavf_startup(adapter); +@@ -2922,11 +2916,10 @@ static void iavf_watchdog_task(struct work_struct *work) + /* check for hw reset */ + 
reg_val = rd32(hw, IAVF_VF_ARQLEN1) & IAVF_VF_ARQLEN1_ARQENABLE_MASK; + if (!reg_val) { +- adapter->flags |= IAVF_FLAG_RESET_PENDING; + adapter->aq_required = 0; + adapter->current_op = VIRTCHNL_OP_UNKNOWN; + dev_err(&adapter->pdev->dev, "Hardware reset detected\n"); +- queue_work(adapter->wq, &adapter->reset_task); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_PENDING); + mutex_unlock(&adapter->crit_lock); + queue_delayed_work(adapter->wq, + &adapter->watchdog_task, HZ * 2); +@@ -3324,9 +3317,7 @@ static void iavf_adminq_task(struct work_struct *work) + } while (pending); + mutex_unlock(&adapter->crit_lock); + +- if ((adapter->flags & +- (IAVF_FLAG_RESET_PENDING | IAVF_FLAG_RESET_NEEDED)) || +- adapter->state == __IAVF_RESETTING) ++ if (iavf_is_reset_in_progress(adapter)) + goto freedom; + + /* check for error indications */ +@@ -4423,8 +4414,7 @@ static int iavf_change_mtu(struct net_device *netdev, int new_mtu) + } + + if (netif_running(netdev)) { +- adapter->flags |= IAVF_FLAG_RESET_NEEDED; +- queue_work(adapter->wq, &adapter->reset_task); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); + ret = iavf_wait_for_reset(adapter); + if (ret < 0) + netdev_warn(netdev, "MTU change interrupted waiting for reset"); +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index 073ac29ed84c7..be3c007ce90a9 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -1961,9 +1961,8 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + case VIRTCHNL_EVENT_RESET_IMPENDING: + dev_info(&adapter->pdev->dev, "Reset indication received from the PF\n"); + if (!(adapter->flags & IAVF_FLAG_RESET_PENDING)) { +- adapter->flags |= IAVF_FLAG_RESET_PENDING; + dev_info(&adapter->pdev->dev, "Scheduling reset task\n"); +- queue_work(adapter->wq, &adapter->reset_task); ++ iavf_schedule_reset(adapter, IAVF_FLAG_RESET_PENDING); + } + break; + default: +-- 
+2.39.2 + diff --git a/tmp-6.4/iavf-fix-use-after-free-in-free_netdev.patch b/tmp-6.4/iavf-fix-use-after-free-in-free_netdev.patch new file mode 100644 index 00000000000..8687449a498 --- /dev/null +++ b/tmp-6.4/iavf-fix-use-after-free-in-free_netdev.patch 
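Review bot: In the reworked iavf_schedule_reset() the caller's flag is applied only when neither IAVF_FLAG_RESET_PENDING nor IAVF_FLAG_RESET_NEEDED is already set, so the watchdog's "Hardware reset detected" path and the VIRTCHNL_EVENT_RESET_IMPENDING case no longer record RESET_PENDING when a RESET_NEEDED request is outstanding; the removed lines set it unconditionally. Whether the reset task treats the two flags differently is not visible in these hunks, but if it does, a PF-initiated reset can now be handled as a driver-requested one. At minimum the `@flags` kernel-doc should say that the flag is dropped when a reset is already scheduled or the driver is being removed. The virtchnl case also still logs "Scheduling reset task" before a call that may decline to schedule.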
@@ -0,0 +1,215 @@ +From 787c2cf45c807afa52660119d30d9fa8d9d95e6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 May 2023 19:11:47 +0800 +Subject: iavf: Fix use-after-free in free_netdev + +From: Ding Hui + +[ Upstream commit 5f4fa1672d98fe99d2297b03add35346f1685d6b ] + +We do netif_napi_add() for all allocated q_vectors[], but potentially +do netif_napi_del() for part of them, then kfree q_vectors and leave +invalid pointers at dev->napi_list. + +Reproducer: + + [root@host ~]# cat repro.sh + #!/bin/bash + + pf_dbsf="0000:41:00.0" + vf0_dbsf="0000:41:02.0" + g_pids=() + + function do_set_numvf() + { + echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs + sleep $((RANDOM%3+1)) + } + + function do_set_channel() + { + local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) + [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } + ifconfig $nic 192.168.18.5 netmask 255.255.255.0 + ifconfig $nic up + ethtool -L $nic combined 1 + ethtool -L $nic combined 4 + sleep $((RANDOM%3)) + } + + function on_exit() + { + local pid + for pid in "${g_pids[@]}"; do + kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null + done + g_pids=() + } + + trap "on_exit; exit" EXIT + + while :; do do_set_numvf ; done & + g_pids+=($!) + while :; do do_set_channel ; done & + g_pids+=($!) + + wait + +Result: + +[ 4093.900222] ================================================================== +[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390 +[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699 +[ 4093.900233] +[ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1 +[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021 +[ 4093.900239] Call Trace: +[ 4093.900244] dump_stack+0x71/0xab +[ 4093.900249] print_address_description+0x6b/0x290 +[ 4093.900251] ? 
free_netdev+0x308/0x390 +[ 4093.900252] kasan_report+0x14a/0x2b0 +[ 4093.900254] free_netdev+0x308/0x390 +[ 4093.900261] iavf_remove+0x825/0xd20 [iavf] +[ 4093.900265] pci_device_remove+0xa8/0x1f0 +[ 4093.900268] device_release_driver_internal+0x1c6/0x460 +[ 4093.900271] pci_stop_bus_device+0x101/0x150 +[ 4093.900273] pci_stop_and_remove_bus_device+0xe/0x20 +[ 4093.900275] pci_iov_remove_virtfn+0x187/0x420 +[ 4093.900277] ? pci_iov_add_virtfn+0xe10/0xe10 +[ 4093.900278] ? pci_get_subsys+0x90/0x90 +[ 4093.900280] sriov_disable+0xed/0x3e0 +[ 4093.900282] ? bus_find_device+0x12d/0x1a0 +[ 4093.900290] i40e_free_vfs+0x754/0x1210 [i40e] +[ 4093.900298] ? i40e_reset_all_vfs+0x880/0x880 [i40e] +[ 4093.900299] ? pci_get_device+0x7c/0x90 +[ 4093.900300] ? pci_get_subsys+0x90/0x90 +[ 4093.900306] ? pci_vfs_assigned.part.7+0x144/0x210 +[ 4093.900309] ? __mutex_lock_slowpath+0x10/0x10 +[ 4093.900315] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 4093.900318] sriov_numvfs_store+0x214/0x290 +[ 4093.900320] ? sriov_totalvfs_show+0x30/0x30 +[ 4093.900321] ? __mutex_lock_slowpath+0x10/0x10 +[ 4093.900323] ? __check_object_size+0x15a/0x350 +[ 4093.900326] kernfs_fop_write+0x280/0x3f0 +[ 4093.900329] vfs_write+0x145/0x440 +[ 4093.900330] ksys_write+0xab/0x160 +[ 4093.900332] ? __ia32_sys_read+0xb0/0xb0 +[ 4093.900334] ? fput_many+0x1a/0x120 +[ 4093.900335] ? filp_close+0xf0/0x130 +[ 4093.900338] do_syscall_64+0xa0/0x370 +[ 4093.900339] ? 
page_fault+0x8/0x30 +[ 4093.900341] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 4093.900357] RIP: 0033:0x7f16ad4d22c0 +[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24 +[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0 +[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001 +[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700 +[ 4093.900364] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002 +[ 4093.900365] R13: 0000000000000001 R14: 00007f16ad7a0620 R15: 0000000000000001 +[ 4093.900367] +[ 4093.900368] Allocated by task 820: +[ 4093.900371] kasan_kmalloc+0xa6/0xd0 +[ 4093.900373] __kmalloc+0xfb/0x200 +[ 4093.900376] iavf_init_interrupt_scheme+0x63b/0x1320 [iavf] +[ 4093.900380] iavf_watchdog_task+0x3d51/0x52c0 [iavf] +[ 4093.900382] process_one_work+0x56a/0x11f0 +[ 4093.900383] worker_thread+0x8f/0xf40 +[ 4093.900384] kthread+0x2a0/0x390 +[ 4093.900385] ret_from_fork+0x1f/0x40 +[ 4093.900387] 0xffffffffffffffff +[ 4093.900387] +[ 4093.900388] Freed by task 6699: +[ 4093.900390] __kasan_slab_free+0x137/0x190 +[ 4093.900391] kfree+0x8b/0x1b0 +[ 4093.900394] iavf_free_q_vectors+0x11d/0x1a0 [iavf] +[ 4093.900397] iavf_remove+0x35a/0xd20 [iavf] +[ 4093.900399] pci_device_remove+0xa8/0x1f0 +[ 4093.900400] device_release_driver_internal+0x1c6/0x460 +[ 4093.900401] pci_stop_bus_device+0x101/0x150 +[ 4093.900402] pci_stop_and_remove_bus_device+0xe/0x20 +[ 4093.900403] pci_iov_remove_virtfn+0x187/0x420 +[ 4093.900404] sriov_disable+0xed/0x3e0 +[ 4093.900409] i40e_free_vfs+0x754/0x1210 [i40e] +[ 4093.900415] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e] +[ 4093.900416] sriov_numvfs_store+0x214/0x290 +[ 4093.900417] 
kernfs_fop_write+0x280/0x3f0 +[ 4093.900418] vfs_write+0x145/0x440 +[ 4093.900419] ksys_write+0xab/0x160 +[ 4093.900420] do_syscall_64+0xa0/0x370 +[ 4093.900421] entry_SYSCALL_64_after_hwframe+0x65/0xca +[ 4093.900422] 0xffffffffffffffff +[ 4093.900422] +[ 4093.900424] The buggy address belongs to the object at ffff88b4dc144200 + which belongs to the cache kmalloc-8k of size 8192 +[ 4093.900425] The buggy address is located 5184 bytes inside of + 8192-byte region [ffff88b4dc144200, ffff88b4dc146200) +[ 4093.900425] The buggy address belongs to the page: +[ 4093.900427] page:ffffea00d3705000 refcount:1 mapcount:0 mapping:ffff88bf04415c80 index:0x0 compound_mapcount: 0 +[ 4093.900430] flags: 0x10000000008100(slab|head) +[ 4093.900433] raw: 0010000000008100 dead000000000100 dead000000000200 ffff88bf04415c80 +[ 4093.900434] raw: 0000000000000000 0000000000030003 00000001ffffffff 0000000000000000 +[ 4093.900434] page dumped because: kasan: bad access detected +[ 4093.900435] +[ 4093.900435] Memory state around the buggy address: +[ 4093.900436] ffff88b4dc145500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900437] ffff88b4dc145580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900438] >ffff88b4dc145600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900438] ^ +[ 4093.900439] ffff88b4dc145680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900440] ffff88b4dc145700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 4093.900440] ================================================================== + +Although the patch #2 (of 2) can avoid the issue triggered by this +repro.sh, there still are other potential risks that if num_active_queues +is changed to less than allocated q_vectors[] by unexpected, the +mismatched netif_napi_add/del() can also cause UAF. 
+ +Since we actually call netif_napi_add() for all allocated q_vectors +unconditionally in iavf_alloc_q_vectors(), so we should fix it by +letting netif_napi_del() match to netif_napi_add(). + +Fixes: 5eae00c57f5e ("i40evf: main driver core") +Signed-off-by: Ding Hui +Cc: Donglin Peng +Cc: Huang Cun +Reviewed-by: Simon Horman +Reviewed-by: Madhu Chittim +Reviewed-by: Leon Romanovsky +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 4a66873882d12..601de8e8f3654 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1840,19 +1840,16 @@ static int iavf_alloc_q_vectors(struct iavf_adapter *adapter) + static void iavf_free_q_vectors(struct iavf_adapter *adapter) + { + int q_idx, num_q_vectors; +- int napi_vectors; + + if (!adapter->q_vectors) + return; + + num_q_vectors = adapter->num_msix_vectors - NONQ_VECS; +- napi_vectors = adapter->num_active_queues; + + for (q_idx = 0; q_idx < num_q_vectors; q_idx++) { + struct iavf_q_vector *q_vector = &adapter->q_vectors[q_idx]; + +- if (q_idx < napi_vectors) +- netif_napi_del(&q_vector->napi); ++ netif_napi_del(&q_vector->napi); + } + kfree(adapter->q_vectors); + adapter->q_vectors = NULL; +-- +2.39.2 + diff --git a/tmp-6.4/iavf-make-functions-static-where-possible.patch b/tmp-6.4/iavf-make-functions-static-where-possible.patch new file mode 100644 index 00000000000..e48bf7b084f --- /dev/null +++ b/tmp-6.4/iavf-make-functions-static-where-possible.patch 
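Review bot: The now-unconditional `netif_napi_del(&q_vector->napi);` in iavf_free_q_vectors() carries no comment saying why every vector must be deleted, and the removed `napi_vectors` guard is the kind of shortcut a later cleanup could reintroduce. I would add above the call `/* netif_napi_add() was done for every allocated q_vector; delete them all before kfree() so dev->napi_list holds no freed entries */`. The loop bound is still recomputed from `adapter->num_msix_vectors - NONQ_VECS` at free time. iavf_alloc_q_vectors() is outside this hunk, so it is worth confirming that this value cannot differ from the count used at allocation, since a mismatch there would presumably bring back the same add/del imbalance.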
@@ -0,0 +1,223 @@ +From 68b6c8edce9d8fbb94f77072800d2fdebbf603d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 08:54:05 -0700 +Subject: iavf: make functions static where possible + +From: Przemek Kitszel + +[ Upstream commit a4aadf0f5905661cd25c366b96cc1c840f05b756 ] + +Make all possible functions static. + +Move iavf_force_wb() up to avoid forward declaration. + +Suggested-by: Maciej Fijalkowski +Reviewed-by: Maciej Fijalkowski +Signed-off-by: Przemek Kitszel +Signed-off-by: Tony Nguyen +Stable-dep-of: c2ed2403f12c ("iavf: Wait for reset in callbacks which trigger it") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 10 ----- + drivers/net/ethernet/intel/iavf/iavf_main.c | 14 +++---- + drivers/net/ethernet/intel/iavf/iavf_txrx.c | 43 ++++++++++----------- + drivers/net/ethernet/intel/iavf/iavf_txrx.h | 4 -- + 4 files changed, 28 insertions(+), 43 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index 39d0fe76a38ff..f80f2735e6886 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -523,9 +523,6 @@ void iavf_schedule_request_stats(struct iavf_adapter *adapter); + void iavf_reset(struct iavf_adapter *adapter); + void iavf_set_ethtool_ops(struct net_device *netdev); + void iavf_update_stats(struct iavf_adapter *adapter); +-void iavf_reset_interrupt_capability(struct iavf_adapter *adapter); +-int iavf_init_interrupt_scheme(struct iavf_adapter *adapter); +-void iavf_irq_enable_queues(struct iavf_adapter *adapter); + void iavf_free_all_tx_resources(struct iavf_adapter *adapter); + void iavf_free_all_rx_resources(struct iavf_adapter *adapter); + +@@ -579,17 +576,10 @@ void iavf_enable_vlan_stripping_v2(struct iavf_adapter *adapter, u16 tpid); + void iavf_disable_vlan_stripping_v2(struct iavf_adapter *adapter, u16 tpid); + void iavf_enable_vlan_insertion_v2(struct iavf_adapter *adapter, u16 tpid); + void 
iavf_disable_vlan_insertion_v2(struct iavf_adapter *adapter, u16 tpid); +-int iavf_replace_primary_mac(struct iavf_adapter *adapter, +- const u8 *new_mac); +-void +-iavf_set_vlan_offload_features(struct iavf_adapter *adapter, +- netdev_features_t prev_features, +- netdev_features_t features); + void iavf_add_fdir_filter(struct iavf_adapter *adapter); + void iavf_del_fdir_filter(struct iavf_adapter *adapter); + void iavf_add_adv_rss_cfg(struct iavf_adapter *adapter); + void iavf_del_adv_rss_cfg(struct iavf_adapter *adapter); + struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter, + const u8 *macaddr); +-int iavf_lock_timeout(struct mutex *lock, unsigned int msecs); + #endif /* _IAVF_H_ */ +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index b698f8917f049..b24e54823e6ae 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -253,7 +253,7 @@ enum iavf_status iavf_free_virt_mem_d(struct iavf_hw *hw, + * + * Returns 0 on success, negative on failure + **/ +-int iavf_lock_timeout(struct mutex *lock, unsigned int msecs) ++static int iavf_lock_timeout(struct mutex *lock, unsigned int msecs) + { + unsigned int wait, delay = 10; + +@@ -362,7 +362,7 @@ static void iavf_irq_disable(struct iavf_adapter *adapter) + * iavf_irq_enable_queues - Enable interrupt for all queues + * @adapter: board private structure + **/ +-void iavf_irq_enable_queues(struct iavf_adapter *adapter) ++static void iavf_irq_enable_queues(struct iavf_adapter *adapter) + { + struct iavf_hw *hw = &adapter->hw; + int i; +@@ -1003,8 +1003,8 @@ struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter, + * + * Do not call this with mac_vlan_list_lock! 
+ **/ +-int iavf_replace_primary_mac(struct iavf_adapter *adapter, +- const u8 *new_mac) ++static int iavf_replace_primary_mac(struct iavf_adapter *adapter, ++ const u8 *new_mac) + { + struct iavf_hw *hw = &adapter->hw; + struct iavf_mac_filter *f; +@@ -1860,7 +1860,7 @@ static void iavf_free_q_vectors(struct iavf_adapter *adapter) + * @adapter: board private structure + * + **/ +-void iavf_reset_interrupt_capability(struct iavf_adapter *adapter) ++static void iavf_reset_interrupt_capability(struct iavf_adapter *adapter) + { + if (!adapter->msix_entries) + return; +@@ -1875,7 +1875,7 @@ void iavf_reset_interrupt_capability(struct iavf_adapter *adapter) + * @adapter: board private structure to initialize + * + **/ +-int iavf_init_interrupt_scheme(struct iavf_adapter *adapter) ++static int iavf_init_interrupt_scheme(struct iavf_adapter *adapter) + { + int err; + +@@ -2174,7 +2174,7 @@ static int iavf_process_aq_command(struct iavf_adapter *adapter) + * the watchdog if any changes are requested to expedite the request via + * virtchnl. 
+ **/ +-void ++static void + iavf_set_vlan_offload_features(struct iavf_adapter *adapter, + netdev_features_t prev_features, + netdev_features_t features) +diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c +index e989feda133c1..8c5f6096b0022 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c +@@ -54,7 +54,7 @@ static void iavf_unmap_and_free_tx_resource(struct iavf_ring *ring, + * iavf_clean_tx_ring - Free any empty Tx buffers + * @tx_ring: ring to be cleaned + **/ +-void iavf_clean_tx_ring(struct iavf_ring *tx_ring) ++static void iavf_clean_tx_ring(struct iavf_ring *tx_ring) + { + unsigned long bi_size; + u16 i; +@@ -110,7 +110,7 @@ void iavf_free_tx_resources(struct iavf_ring *tx_ring) + * Since there is no access to the ring head register + * in XL710, we need to use our local copies + **/ +-u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw) ++static u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw) + { + u32 head, tail; + +@@ -127,6 +127,24 @@ u32 iavf_get_tx_pending(struct iavf_ring *ring, bool in_sw) + return 0; + } + ++/** ++ * iavf_force_wb - Issue SW Interrupt so HW does a wb ++ * @vsi: the VSI we care about ++ * @q_vector: the vector on which to force writeback ++ **/ ++static void iavf_force_wb(struct iavf_vsi *vsi, struct iavf_q_vector *q_vector) ++{ ++ u32 val = IAVF_VFINT_DYN_CTLN1_INTENA_MASK | ++ IAVF_VFINT_DYN_CTLN1_ITR_INDX_MASK | /* set noitr */ ++ IAVF_VFINT_DYN_CTLN1_SWINT_TRIG_MASK | ++ IAVF_VFINT_DYN_CTLN1_SW_ITR_INDX_ENA_MASK ++ /* allow 00 to be written to the index */; ++ ++ wr32(&vsi->back->hw, ++ IAVF_VFINT_DYN_CTLN1(q_vector->reg_idx), ++ val); ++} ++ + /** + * iavf_detect_recover_hung - Function to detect and recover hung_queues + * @vsi: pointer to vsi struct with tx queues +@@ -352,25 +370,6 @@ static void iavf_enable_wb_on_itr(struct iavf_vsi *vsi, + q_vector->arm_wb_state = true; + } + +-/** +- * 
iavf_force_wb - Issue SW Interrupt so HW does a wb +- * @vsi: the VSI we care about +- * @q_vector: the vector on which to force writeback +- * +- **/ +-void iavf_force_wb(struct iavf_vsi *vsi, struct iavf_q_vector *q_vector) +-{ +- u32 val = IAVF_VFINT_DYN_CTLN1_INTENA_MASK | +- IAVF_VFINT_DYN_CTLN1_ITR_INDX_MASK | /* set noitr */ +- IAVF_VFINT_DYN_CTLN1_SWINT_TRIG_MASK | +- IAVF_VFINT_DYN_CTLN1_SW_ITR_INDX_ENA_MASK +- /* allow 00 to be written to the index */; +- +- wr32(&vsi->back->hw, +- IAVF_VFINT_DYN_CTLN1(q_vector->reg_idx), +- val); +-} +- + static inline bool iavf_container_is_rx(struct iavf_q_vector *q_vector, + struct iavf_ring_container *rc) + { +@@ -687,7 +686,7 @@ int iavf_setup_tx_descriptors(struct iavf_ring *tx_ring) + * iavf_clean_rx_ring - Free Rx buffers + * @rx_ring: ring to be cleaned + **/ +-void iavf_clean_rx_ring(struct iavf_ring *rx_ring) ++static void iavf_clean_rx_ring(struct iavf_ring *rx_ring) + { + unsigned long bi_size; + u16 i; +diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.h b/drivers/net/ethernet/intel/iavf/iavf_txrx.h +index 2624bf6d009e3..7e6ee32d19b69 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.h ++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.h +@@ -442,15 +442,11 @@ static inline unsigned int iavf_rx_pg_order(struct iavf_ring *ring) + + bool iavf_alloc_rx_buffers(struct iavf_ring *rxr, u16 cleaned_count); + netdev_tx_t iavf_xmit_frame(struct sk_buff *skb, struct net_device *netdev); +-void iavf_clean_tx_ring(struct iavf_ring *tx_ring); +-void iavf_clean_rx_ring(struct iavf_ring *rx_ring); + int iavf_setup_tx_descriptors(struct iavf_ring *tx_ring); + int iavf_setup_rx_descriptors(struct iavf_ring *rx_ring); + void iavf_free_tx_resources(struct iavf_ring *tx_ring); + void iavf_free_rx_resources(struct iavf_ring *rx_ring); + int iavf_napi_poll(struct napi_struct *napi, int budget); +-void iavf_force_wb(struct iavf_vsi *vsi, struct iavf_q_vector *q_vector); +-u32 iavf_get_tx_pending(struct iavf_ring *ring, 
bool in_sw); + void iavf_detect_recover_hung(struct iavf_vsi *vsi); + int __iavf_maybe_stop_tx(struct iavf_ring *tx_ring, int size); + bool __iavf_chk_linearize(struct sk_buff *skb); +-- +2.39.2 + diff --git a/tmp-6.4/iavf-use-internal-state-to-free-traffic-irqs.patch b/tmp-6.4/iavf-use-internal-state-to-free-traffic-irqs.patch new file mode 100644 index 00000000000..c0278ecdafd --- /dev/null +++ b/tmp-6.4/iavf-use-internal-state-to-free-traffic-irqs.patch 
@@ -0,0 +1,65 @@ +From 31c8df7f7a300777b2f0073fd70320c0734a785f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 May 2023 15:46:02 -0600 +Subject: iavf: use internal state to free traffic IRQs + +From: Ahmed Zaki + +[ Upstream commit a77ed5c5b768e9649be240a2d864e5cd9c6a2015 ] + +If the system tries to close the netdev while iavf_reset_task() is +running, __LINK_STATE_START will be cleared and netif_running() will +return false in iavf_reinit_interrupt_scheme(). This will result in +iavf_free_traffic_irqs() not being called and a leak as follows: + + [7632.489326] remove_proc_entry: removing non-empty directory 'irq/999', leaking at least 'iavf-enp24s0f0v0-TxRx-0' + [7632.490214] WARNING: CPU: 0 PID: 10 at fs/proc/generic.c:718 remove_proc_entry+0x19b/0x1b0 + +is shown when pci_disable_msix() is later called. Fix by using the +internal adapter state. The traffic IRQs will always exist if +state == __IAVF_RUNNING. + +Fixes: 5b36e8d04b44 ("i40evf: Enable VF to request an alternate queue allocation") +Signed-off-by: Ahmed Zaki +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 601de8e8f3654..b698f8917f049 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1941,15 +1941,16 @@ static void iavf_free_rss(struct iavf_adapter *adapter) + /** + * iavf_reinit_interrupt_scheme - Reallocate queues and vectors + * @adapter: board private structure ++ * @running: true if adapter->state == __IAVF_RUNNING + * + * Returns 0 on success, negative on failure + **/ +-static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter) ++static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter, bool running) + { + struct net_device *netdev = 
adapter->netdev; + int err; + +- if (netif_running(netdev)) ++ if (running) + iavf_free_traffic_irqs(adapter); + iavf_free_misc_irq(adapter); + iavf_reset_interrupt_capability(adapter); +@@ -3065,7 +3066,7 @@ static void iavf_reset_task(struct work_struct *work) + + if ((adapter->flags & IAVF_FLAG_REINIT_MSIX_NEEDED) || + (adapter->flags & IAVF_FLAG_REINIT_ITR_NEEDED)) { +- err = iavf_reinit_interrupt_scheme(adapter); ++ err = iavf_reinit_interrupt_scheme(adapter, running); + if (err) + goto reset_err; + } +-- +2.39.2 + diff --git a/tmp-6.4/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch b/tmp-6.4/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch new file mode 100644 index 00000000000..176c0e422c4 --- /dev/null +++ b/tmp-6.4/iavf-wait-for-reset-in-callbacks-which-trigger-it.patch 
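Review bot: The new `@running` kernel-doc line on iavf_reinit_interrupt_scheme() says "true if adapter->state == __IAVF_RUNNING" but not when that state has to be sampled, and the callee no longer checks anything itself. The value passed from iavf_reset_task() is assigned outside this hunk, presumably before the reset changes adapter->state. The doc should say so, e.g. `@running: true if the adapter was in __IAVF_RUNNING when the reset began, i.e. traffic IRQs are still requested and must be freed`. The function body continues past the hunk, so whether the `netdev` local is still used after this change cannot be seen here.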
@@ -0,0 +1,253 @@ +From 1536bf50c1b1e60700372a8344141f9a05a00b68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 10:52:22 -0400 +Subject: iavf: Wait for reset in callbacks which trigger it + +From: Marcin Szycik + +[ Upstream commit c2ed2403f12c74a74a0091ed5d830e72c58406e8 ] + +There was a fail when trying to add the interface to bonding +right after changing the MTU on the interface. It was caused +by bonding interface unable to open the interface due to +interface being in __RESETTING state because of MTU change. + +Add new reset_waitqueue to indicate that reset has finished. + +Add waiting for reset to finish in callbacks which trigger hw reset: +iavf_set_priv_flags(), iavf_change_mtu() and iavf_set_ringparam(). +We use a 5000ms timeout period because on Hyper-V based systems, +this operation takes around 3000-4000ms. In normal circumstances, +it doesn't take more than 500ms to complete. + +Add a function iavf_wait_for_reset() to reuse waiting for reset code and +use it also in iavf_set_channels(), which already waits for reset. +We don't use error handling in iavf_set_channels() as this could +cause the device to be in incorrect state if the reset was scheduled +but hit timeout or the waitng function was interrupted by a signal. 
+ +Fixes: 4e5e6b5d9d13 ("iavf: Fix return of set the new channel count") +Signed-off-by: Marcin Szycik +Co-developed-by: Dawid Wesierski +Signed-off-by: Dawid Wesierski +Signed-off-by: Sylwester Dziedziuch +Signed-off-by: Kamil Maziarz +Signed-off-by: Mateusz Palczewski +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 2 + + .../net/ethernet/intel/iavf/iavf_ethtool.c | 31 ++++++----- + drivers/net/ethernet/intel/iavf/iavf_main.c | 51 ++++++++++++++++++- + .../net/ethernet/intel/iavf/iavf_virtchnl.c | 1 + + 4 files changed, 68 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index f80f2735e6886..a5cab19eb6a8b 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -257,6 +257,7 @@ struct iavf_adapter { + struct work_struct adminq_task; + struct delayed_work client_task; + wait_queue_head_t down_waitqueue; ++ wait_queue_head_t reset_waitqueue; + wait_queue_head_t vc_waitqueue; + struct iavf_q_vector *q_vectors; + struct list_head vlan_filter_list; +@@ -582,4 +583,5 @@ void iavf_add_adv_rss_cfg(struct iavf_adapter *adapter); + void iavf_del_adv_rss_cfg(struct iavf_adapter *adapter); + struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter, + const u8 *macaddr); ++int iavf_wait_for_reset(struct iavf_adapter *adapter); + #endif /* _IAVF_H_ */ +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index 92443f8e9fbdf..b7141c2a941d1 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -484,6 +484,7 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags) + { + struct iavf_adapter *adapter = netdev_priv(netdev); + u32 orig_flags, new_flags, changed_flags; ++ int ret = 0; + u32 i; + + orig_flags = 
READ_ONCE(adapter->flags); +@@ -533,10 +534,13 @@ static int iavf_set_priv_flags(struct net_device *netdev, u32 flags) + if (netif_running(netdev)) { + adapter->flags |= IAVF_FLAG_RESET_NEEDED; + queue_work(adapter->wq, &adapter->reset_task); ++ ret = iavf_wait_for_reset(adapter); ++ if (ret) ++ netdev_warn(netdev, "Changing private flags timeout or interrupted waiting for reset"); + } + } + +- return 0; ++ return ret; + } + + /** +@@ -627,6 +631,7 @@ static int iavf_set_ringparam(struct net_device *netdev, + { + struct iavf_adapter *adapter = netdev_priv(netdev); + u32 new_rx_count, new_tx_count; ++ int ret = 0; + + if ((ring->rx_mini_pending) || (ring->rx_jumbo_pending)) + return -EINVAL; +@@ -673,9 +678,12 @@ static int iavf_set_ringparam(struct net_device *netdev, + if (netif_running(netdev)) { + adapter->flags |= IAVF_FLAG_RESET_NEEDED; + queue_work(adapter->wq, &adapter->reset_task); ++ ret = iavf_wait_for_reset(adapter); ++ if (ret) ++ netdev_warn(netdev, "Changing ring parameters timeout or interrupted waiting for reset"); + } + +- return 0; ++ return ret; + } + + /** +@@ -1830,7 +1838,7 @@ static int iavf_set_channels(struct net_device *netdev, + { + struct iavf_adapter *adapter = netdev_priv(netdev); + u32 num_req = ch->combined_count; +- int i; ++ int ret = 0; + + if ((adapter->vf_res->vf_cap_flags & VIRTCHNL_VF_OFFLOAD_ADQ) && + adapter->num_tc) { +@@ -1854,20 +1862,11 @@ static int iavf_set_channels(struct net_device *netdev, + adapter->flags |= IAVF_FLAG_REINIT_ITR_NEEDED; + iavf_schedule_reset(adapter); + +- /* wait for the reset is done */ +- for (i = 0; i < IAVF_RESET_WAIT_COMPLETE_COUNT; i++) { +- msleep(IAVF_RESET_WAIT_MS); +- if (adapter->flags & IAVF_FLAG_RESET_PENDING) +- continue; +- break; +- } +- if (i == IAVF_RESET_WAIT_COMPLETE_COUNT) { +- adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; +- adapter->num_req_queues = 0; +- return -EOPNOTSUPP; +- } ++ ret = iavf_wait_for_reset(adapter); ++ if (ret) ++ netdev_warn(netdev, "Changing channel 
count timeout or interrupted waiting for reset"); + +- return 0; ++ return ret; + } + + /** +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index b24e54823e6ae..8cb9b74b3ebea 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -166,6 +166,45 @@ static struct iavf_adapter *iavf_pdev_to_adapter(struct pci_dev *pdev) + return netdev_priv(pci_get_drvdata(pdev)); + } + ++/** ++ * iavf_is_reset_in_progress - Check if a reset is in progress ++ * @adapter: board private structure ++ */ ++static bool iavf_is_reset_in_progress(struct iavf_adapter *adapter) ++{ ++ if (adapter->state == __IAVF_RESETTING || ++ adapter->flags & (IAVF_FLAG_RESET_PENDING | ++ IAVF_FLAG_RESET_NEEDED)) ++ return true; ++ ++ return false; ++} ++ ++/** ++ * iavf_wait_for_reset - Wait for reset to finish. ++ * @adapter: board private structure ++ * ++ * Returns 0 if reset finished successfully, negative on timeout or interrupt. ++ */ ++int iavf_wait_for_reset(struct iavf_adapter *adapter) ++{ ++ int ret = wait_event_interruptible_timeout(adapter->reset_waitqueue, ++ !iavf_is_reset_in_progress(adapter), ++ msecs_to_jiffies(5000)); ++ ++ /* If ret < 0 then it means wait was interrupted. ++ * If ret == 0 then it means we got a timeout while waiting ++ * for reset to finish. ++ * If ret > 0 it means reset has finished. 
++ */ ++ if (ret > 0) ++ return 0; ++ else if (ret < 0) ++ return -EINTR; ++ else ++ return -EBUSY; ++} ++ + /** + * iavf_allocate_dma_mem_d - OS specific memory alloc for shared code + * @hw: pointer to the HW structure +@@ -3161,6 +3200,7 @@ static void iavf_reset_task(struct work_struct *work) + + adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; + ++ wake_up(&adapter->reset_waitqueue); + mutex_unlock(&adapter->client_lock); + mutex_unlock(&adapter->crit_lock); + +@@ -4325,6 +4365,7 @@ static int iavf_close(struct net_device *netdev) + static int iavf_change_mtu(struct net_device *netdev, int new_mtu) + { + struct iavf_adapter *adapter = netdev_priv(netdev); ++ int ret = 0; + + netdev_dbg(netdev, "changing MTU from %d to %d\n", + netdev->mtu, new_mtu); +@@ -4337,9 +4378,14 @@ static int iavf_change_mtu(struct net_device *netdev, int new_mtu) + if (netif_running(netdev)) { + adapter->flags |= IAVF_FLAG_RESET_NEEDED; + queue_work(adapter->wq, &adapter->reset_task); ++ ret = iavf_wait_for_reset(adapter); ++ if (ret < 0) ++ netdev_warn(netdev, "MTU change interrupted waiting for reset"); ++ else if (ret) ++ netdev_warn(netdev, "MTU change timed out waiting for reset"); + } + +- return 0; ++ return ret; + } + + #define NETIF_VLAN_OFFLOAD_FEATURES (NETIF_F_HW_VLAN_CTAG_RX | \ +@@ -4940,6 +4986,9 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + /* Setup the wait queue for indicating transition to down status */ + init_waitqueue_head(&adapter->down_waitqueue); + ++ /* Setup the wait queue for indicating transition to running state */ ++ init_waitqueue_head(&adapter->reset_waitqueue); ++ + /* Setup the wait queue for indicating virtchannel events */ + init_waitqueue_head(&adapter->vc_waitqueue); + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index 7c0578b5457b9..1bab896aaf40c 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ 
b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -2285,6 +2285,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + case VIRTCHNL_OP_ENABLE_QUEUES: + /* enable transmits */ + iavf_irq_enable(adapter, true); ++ wake_up(&adapter->reset_waitqueue); + adapter->flags &= ~IAVF_FLAG_QUEUES_DISABLED; + break; + case VIRTCHNL_OP_DISABLE_QUEUES: +-- +2.39.2 + diff --git a/tmp-6.4/ice-prevent-null-pointer-deref-during-reload.patch b/tmp-6.4/ice-prevent-null-pointer-deref-during-reload.patch new file mode 100644 index 00000000000..1d5f0e4e51b --- /dev/null +++ b/tmp-6.4/ice-prevent-null-pointer-deref-during-reload.patch 
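Review bot: In iavf_change_mtu() the `else if (ret)` branch can never run, because iavf_wait_for_reset() as added in this patch returns only 0, -EINTR or -EBUSY. A timeout therefore takes the `ret < 0` branch and is logged as "MTU change interrupted waiting for reset". Test the codes directly: `if (ret == -EINTR)` for the interrupted message and `else if (ret == -EBUSY)` for the timed-out one. The netdev_warn() strings added in iavf_set_priv_flags(), iavf_set_ringparam(), iavf_set_channels() and iavf_change_mtu() also lack a trailing `\n`. The bodies of these callbacks start outside their hunks.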
@@ -0,0 +1,187 @@ +From 93590b860be32d444cc9d6dfbc0e7308f63b6ef7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jul 2023 08:25:51 +0200 +Subject: ice: prevent NULL pointer deref during reload + +From: Michal Swiatkowski + +[ Upstream commit b3e7b3a6ee92ab927f750a6b19615ce88ece808f ] + +Calling ethtool during reload can lead to call trace, because VSI isn't +configured for some time, but netdev is alive. + +To fix it add rtnl lock for VSI deconfig and config. Set ::num_q_vectors +to 0 after freeing and add a check for ::tx/rx_rings in ring related +ethtool ops. + +Add proper unroll of filters in ice_start_eth(). + +Reproduction: +$watch -n 0.1 -d 'ethtool -g enp24s0f0np0' +$devlink dev reload pci/0000:18:00.0 action driver_reinit + +Call trace before fix: +[66303.926205] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[66303.926259] #PF: supervisor read access in kernel mode +[66303.926286] #PF: error_code(0x0000) - not-present page +[66303.926311] PGD 0 P4D 0 +[66303.926332] Oops: 0000 [#1] PREEMPT SMP PTI +[66303.926358] CPU: 4 PID: 933821 Comm: ethtool Kdump: loaded Tainted: G OE 6.4.0-rc5+ #1 +[66303.926400] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.00.01.0014.070920180847 07/09/2018 +[66303.926446] RIP: 0010:ice_get_ringparam+0x22/0x50 [ice] +[66303.926649] Code: 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 87 c0 09 00 00 c7 46 04 e0 1f 00 00 c7 46 10 e0 1f 00 00 48 8b 50 20 <48> 8b 12 0f b7 52 3a 89 56 14 48 8b 40 28 48 8b 00 0f b7 40 58 48 +[66303.926722] RSP: 0018:ffffad40472f39c8 EFLAGS: 00010246 +[66303.926749] RAX: ffff98a8ada05828 RBX: ffff98a8c46dd060 RCX: ffffad40472f3b48 +[66303.926781] RDX: 0000000000000000 RSI: ffff98a8c46dd068 RDI: ffff98a8b23c4000 +[66303.926811] RBP: ffffad40472f3b48 R08: 00000000000337b0 R09: 0000000000000000 +[66303.926843] R10: 0000000000000001 R11: 0000000000000100 R12: ffff98a8b23c4000 +[66303.926874] R13: ffff98a8c46dd060 R14: 000000000000000f R15: 
ffffad40472f3a50 +[66303.926906] FS: 00007f6397966740(0000) GS:ffff98b390900000(0000) knlGS:0000000000000000 +[66303.926941] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[66303.926967] CR2: 0000000000000000 CR3: 000000011ac20002 CR4: 00000000007706e0 +[66303.926999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[66303.927029] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[66303.927060] PKRU: 55555554 +[66303.927075] Call Trace: +[66303.927094] +[66303.927111] ? __die+0x23/0x70 +[66303.927140] ? page_fault_oops+0x171/0x4e0 +[66303.927176] ? exc_page_fault+0x7f/0x180 +[66303.927209] ? asm_exc_page_fault+0x26/0x30 +[66303.927244] ? ice_get_ringparam+0x22/0x50 [ice] +[66303.927433] rings_prepare_data+0x62/0x80 +[66303.927469] ethnl_default_doit+0xe2/0x350 +[66303.927501] genl_family_rcv_msg_doit.isra.0+0xe3/0x140 +[66303.927538] genl_rcv_msg+0x1b1/0x2c0 +[66303.927561] ? __pfx_ethnl_default_doit+0x10/0x10 +[66303.927590] ? __pfx_genl_rcv_msg+0x10/0x10 +[66303.927615] netlink_rcv_skb+0x58/0x110 +[66303.927644] genl_rcv+0x28/0x40 +[66303.927665] netlink_unicast+0x19e/0x290 +[66303.927691] netlink_sendmsg+0x254/0x4d0 +[66303.927717] sock_sendmsg+0x93/0xa0 +[66303.927743] __sys_sendto+0x126/0x170 +[66303.927780] __x64_sys_sendto+0x24/0x30 +[66303.928593] do_syscall_64+0x5d/0x90 +[66303.929370] ? __count_memcg_events+0x60/0xa0 +[66303.930146] ? count_memcg_events.constprop.0+0x1a/0x30 +[66303.930920] ? handle_mm_fault+0x9e/0x350 +[66303.931688] ? do_user_addr_fault+0x258/0x740 +[66303.932452] ? 
exc_page_fault+0x7f/0x180 +[66303.933193] entry_SYSCALL_64_after_hwframe+0x72/0xdc + +Fixes: 5b246e533d01 ("ice: split probe into smaller functions") +Reviewed-by: Przemek Kitszel +Signed-off-by: Michal Swiatkowski +Reviewed-by: Simon Horman +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_base.c | 2 ++ + drivers/net/ethernet/intel/ice/ice_ethtool.c | 13 +++++++++++-- + drivers/net/ethernet/intel/ice/ice_main.c | 10 ++++++++-- + 3 files changed, 21 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_base.c b/drivers/net/ethernet/intel/ice/ice_base.c +index 1911d644dfa8d..619cb07a40691 100644 +--- a/drivers/net/ethernet/intel/ice/ice_base.c ++++ b/drivers/net/ethernet/intel/ice/ice_base.c +@@ -758,6 +758,8 @@ void ice_vsi_free_q_vectors(struct ice_vsi *vsi) + + ice_for_each_q_vector(vsi, v_idx) + ice_free_q_vector(vsi, v_idx); ++ ++ vsi->num_q_vectors = 0; + } + + /** +diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c +index f86e814354a31..ec4138e684bd2 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -2920,8 +2920,13 @@ ice_get_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring, + + ring->rx_max_pending = ICE_MAX_NUM_DESC; + ring->tx_max_pending = ICE_MAX_NUM_DESC; +- ring->rx_pending = vsi->rx_rings[0]->count; +- ring->tx_pending = vsi->tx_rings[0]->count; ++ if (vsi->tx_rings && vsi->rx_rings) { ++ ring->rx_pending = vsi->rx_rings[0]->count; ++ ring->tx_pending = vsi->tx_rings[0]->count; ++ } else { ++ ring->rx_pending = 0; ++ ring->tx_pending = 0; ++ } + + /* Rx mini and jumbo rings are not supported */ + ring->rx_mini_max_pending = 0; +@@ -2955,6 +2960,10 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring, + return -EINVAL; + } + ++ /* Return if there is no 
rings (device is reloading) */ ++ if (!vsi->tx_rings || !vsi->rx_rings) ++ return -EBUSY; ++ + new_tx_cnt = ALIGN(ring->tx_pending, ICE_REQ_DESC_MULTIPLE); + if (new_tx_cnt != ring->tx_pending) + netdev_info(netdev, "Requested Tx descriptor count rounded up to %d\n", +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 1277e0a044ee4..fbe70458fda27 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -4655,9 +4655,9 @@ static int ice_start_eth(struct ice_vsi *vsi) + if (err) + return err; + +- rtnl_lock(); + err = ice_vsi_open(vsi); +- rtnl_unlock(); ++ if (err) ++ ice_fltr_remove_all(vsi); + + return err; + } +@@ -5120,6 +5120,7 @@ int ice_load(struct ice_pf *pf) + params = ice_vsi_to_params(vsi); + params.flags = ICE_VSI_FLAG_INIT; + ++ rtnl_lock(); + err = ice_vsi_cfg(vsi, ¶ms); + if (err) + goto err_vsi_cfg; +@@ -5127,6 +5128,7 @@ int ice_load(struct ice_pf *pf) + err = ice_start_eth(ice_get_main_vsi(pf)); + if (err) + goto err_start_eth; ++ rtnl_unlock(); + + err = ice_init_rdma(pf); + if (err) +@@ -5141,9 +5143,11 @@ int ice_load(struct ice_pf *pf) + + err_init_rdma: + ice_vsi_close(ice_get_main_vsi(pf)); ++ rtnl_lock(); + err_start_eth: + ice_vsi_decfg(ice_get_main_vsi(pf)); + err_vsi_cfg: ++ rtnl_unlock(); + ice_deinit_dev(pf); + return err; + } +@@ -5156,8 +5160,10 @@ void ice_unload(struct ice_pf *pf) + { + ice_deinit_features(pf); + ice_deinit_rdma(pf); ++ rtnl_lock(); + ice_stop_eth(ice_get_main_vsi(pf)); + ice_vsi_decfg(ice_get_main_vsi(pf)); ++ rtnl_unlock(); + ice_deinit_dev(pf); + } + +-- +2.39.2 + diff --git a/tmp-6.4/ice-unregister-netdev-and-devlink_port-only-once.patch b/tmp-6.4/ice-unregister-netdev-and-devlink_port-only-once.patch new file mode 100644 index 00000000000..54b6608fdc7 --- /dev/null +++ b/tmp-6.4/ice-unregister-netdev-and-devlink_port-only-once.patch 
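Review bot: In the `ice_load()` unwind, `ice_vsi_close(ice_get_main_vsi(pf));` under `err_init_rdma:` still runs before `rtnl_lock()` is retaken, while `ice_unload()` in this same patch puts `ice_stop_eth()` inside the rtnl section. If the close path needs rtnl for the reason the commit message gives (ethtool callers racing with a VSI that is being torn down), the lock should be taken first: `err_init_rdma:` then `rtnl_lock();` then `ice_vsi_close(ice_get_main_vsi(pf));`. Neither `ice_vsi_close()` nor `ice_stop_eth()` is shown in these hunks, so this is inferred from the asymmetry and should be confirmed. Separately, the new guard in `ice_get_ringparam()` tests only the `tx_rings`/`rx_rings` array pointers before reading element 0, so it appears to be safe only while both the ethtool op and the reload hold rtnl; a one-line comment saying so would help the next reader.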
@@ -0,0 +1,90 @@ +From d1aeebd398c1fd5efc7811ba8bf4afb8b5eae005 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jun 2023 12:58:13 +0200 +Subject: ice: Unregister netdev and devlink_port only once + +From: Petr Oros + +[ Upstream commit 24a3298ac9e6bd8de838ab79f7868207170d556d ] + +Since commit 6624e780a577fc ("ice: split ice_vsi_setup into smaller +functions") ice_vsi_release does things twice. There is unregister +netdev which is unregistered in ice_deinit_eth also. + +It also unregisters the devlink_port twice which is also unregistered +in ice_deinit_eth(). This double deregistration is hidden because +devl_port_unregister ignores the return value of xa_erase. + +[ 68.642167] Call Trace: +[ 68.650385] ice_devlink_destroy_pf_port+0xe/0x20 [ice] +[ 68.655656] ice_vsi_release+0x445/0x690 [ice] +[ 68.660147] ice_deinit+0x99/0x280 [ice] +[ 68.664117] ice_remove+0x1b6/0x5c0 [ice] + +[ 171.103841] Call Trace: +[ 171.109607] ice_devlink_destroy_pf_port+0xf/0x20 [ice] +[ 171.114841] ice_remove+0x158/0x270 [ice] +[ 171.118854] pci_device_remove+0x3b/0xc0 +[ 171.122779] device_release_driver_internal+0xc7/0x170 +[ 171.127912] driver_detach+0x54/0x8c +[ 171.131491] bus_remove_driver+0x77/0xd1 +[ 171.135406] pci_unregister_driver+0x2d/0xb0 +[ 171.139670] ice_module_exit+0xc/0x55f [ice] + +Fixes: 6624e780a577 ("ice: split ice_vsi_setup into smaller functions") +Signed-off-by: Petr Oros +Reviewed-by: Maciej Fijalkowski +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_lib.c | 27 ------------------------ + 1 file changed, 27 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index 11ae0e41f518a..284a1f0bfdb54 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -3272,39 +3272,12 @@ int ice_vsi_release(struct ice_vsi *vsi) + return -ENODEV; 
+ pf = vsi->back; + +- /* do not unregister while driver is in the reset recovery pending +- * state. Since reset/rebuild happens through PF service task workqueue, +- * it's not a good idea to unregister netdev that is associated to the +- * PF that is running the work queue items currently. This is done to +- * avoid check_flush_dependency() warning on this wq +- */ +- if (vsi->netdev && !ice_is_reset_in_progress(pf->state) && +- (test_bit(ICE_VSI_NETDEV_REGISTERED, vsi->state))) { +- unregister_netdev(vsi->netdev); +- clear_bit(ICE_VSI_NETDEV_REGISTERED, vsi->state); +- } +- +- if (vsi->type == ICE_VSI_PF) +- ice_devlink_destroy_pf_port(pf); +- + if (test_bit(ICE_FLAG_RSS_ENA, pf->flags)) + ice_rss_clean(vsi); + + ice_vsi_close(vsi); + ice_vsi_decfg(vsi); + +- if (vsi->netdev) { +- if (test_bit(ICE_VSI_NETDEV_REGISTERED, vsi->state)) { +- unregister_netdev(vsi->netdev); +- clear_bit(ICE_VSI_NETDEV_REGISTERED, vsi->state); +- } +- if (test_bit(ICE_VSI_NETDEV_ALLOCD, vsi->state)) { +- free_netdev(vsi->netdev); +- vsi->netdev = NULL; +- clear_bit(ICE_VSI_NETDEV_ALLOCD, vsi->state); +- } +- } +- + /* retain SW VSI data structure since it is needed to unregister and + * free VSI netdev when PF is not in reset recovery pending state,\ + * for ex: during rmmod. +-- +2.39.2 + diff --git a/tmp-6.4/igb-fix-igb_down-hung-on-surprise-removal.patch b/tmp-6.4/igb-fix-igb_down-hung-on-surprise-removal.patch new file mode 100644 index 00000000000..a8077232de8 --- /dev/null +++ b/tmp-6.4/igb-fix-igb_down-hung-on-surprise-removal.patch 
@@ -0,0 +1,89 @@ +From 47bae22598c4635fb1b9ce70516f7a13ffb75aa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 10:47:32 -0700 +Subject: igb: Fix igb_down hung on surprise removal + +From: Ying Hsu + +[ Upstream commit 004d25060c78fc31f66da0fa439c544dda1ac9d5 ] + +In a setup where a Thunderbolt hub connects to Ethernet and a display +through USB Type-C, users may experience a hung task timeout when they +remove the cable between the PC and the Thunderbolt hub. +This is because the igb_down function is called multiple times when +the Thunderbolt hub is unplugged. For example, the igb_io_error_detected +triggers the first call, and the igb_remove triggers the second call. +The second call to igb_down will block at napi_synchronize. +Here's the call trace: + __schedule+0x3b0/0xddb + ? __mod_timer+0x164/0x5d3 + schedule+0x44/0xa8 + schedule_timeout+0xb2/0x2a4 + ? run_local_timers+0x4e/0x4e + msleep+0x31/0x38 + igb_down+0x12c/0x22a [igb 6615058754948bfde0bf01429257eb59f13030d4] + __igb_close+0x6f/0x9c [igb 6615058754948bfde0bf01429257eb59f13030d4] + igb_close+0x23/0x2b [igb 6615058754948bfde0bf01429257eb59f13030d4] + __dev_close_many+0x95/0xec + dev_close_many+0x6e/0x103 + unregister_netdevice_many+0x105/0x5b1 + unregister_netdevice_queue+0xc2/0x10d + unregister_netdev+0x1c/0x23 + igb_remove+0xa7/0x11c [igb 6615058754948bfde0bf01429257eb59f13030d4] + pci_device_remove+0x3f/0x9c + device_release_driver_internal+0xfe/0x1b4 + pci_stop_bus_device+0x5b/0x7f + pci_stop_bus_device+0x30/0x7f + pci_stop_bus_device+0x30/0x7f + pci_stop_and_remove_bus_device+0x12/0x19 + pciehp_unconfigure_device+0x76/0xe9 + pciehp_disable_slot+0x6e/0x131 + pciehp_handle_presence_or_link_change+0x7a/0x3f7 + pciehp_ist+0xbe/0x194 + irq_thread_fn+0x22/0x4d + ? irq_thread+0x1fd/0x1fd + irq_thread+0x17b/0x1fd + ? irq_forced_thread_fn+0x5f/0x5f + kthread+0x142/0x153 + ? __irq_get_irqchip_state+0x46/0x46 + ? 
kthread_associate_blkcg+0x71/0x71 + ret_from_fork+0x1f/0x30 + +In this case, igb_io_error_detected detaches the network interface +and requests a PCIE slot reset, however, the PCIE reset callback is +not being invoked and thus the Ethernet connection breaks down. +As the PCIE error in this case is a non-fatal one, requesting a +slot reset can be avoided. +This patch fixes the task hung issue and preserves Ethernet +connection by ignoring non-fatal PCIE errors. + +Signed-off-by: Ying Hsu +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230620174732.4145155-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index bb3db387d49cf..ba5e1d1320f67 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -9585,6 +9585,11 @@ static pci_ers_result_t igb_io_error_detected(struct pci_dev *pdev, + struct net_device *netdev = pci_get_drvdata(pdev); + struct igb_adapter *adapter = netdev_priv(netdev); + ++ if (state == pci_channel_io_normal) { ++ dev_warn(&pdev->dev, "Non-correctable non-fatal error reported.\n"); ++ return PCI_ERS_RESULT_CAN_RECOVER; ++ } ++ + netif_device_detach(netdev); + + if (state == pci_channel_io_perm_failure) +-- +2.39.2 + diff --git a/tmp-6.4/igc-avoid-transmit-queue-timeout-for-xdp.patch b/tmp-6.4/igc-avoid-transmit-queue-timeout-for-xdp.patch new file mode 100644 index 00000000000..f5fb3bd8114 --- /dev/null +++ b/tmp-6.4/igc-avoid-transmit-queue-timeout-for-xdp.patch 
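Review bot: The early return added to `igb_io_error_detected()` covers only `state == pci_channel_io_normal`, but the hang described in the commit message comes from `igb_down()` running twice, which a frozen-channel error followed by `igb_remove()` could presumably still trigger. The rest of the function lies outside the hunk, so whether the detach path already guards against a second `igb_down()` cannot be seen here and is worth confirming. The new branch would also benefit from a why-comment, for example `/* non-fatal: keep the netdev attached and skip the slot reset */`.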
@@ -0,0 +1,61 @@ +From df3cfe2aab8fbc415d4ae2485e94aa3caa55fbed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Apr 2023 09:36:11 +0200 +Subject: igc: Avoid transmit queue timeout for XDP + +From: Kurt Kanzenbach + +[ Upstream commit 95b681485563c64585de78662ee52d06b7fa47d9 ] + +High XDP load triggers the netdev watchdog: + +|NETDEV WATCHDOG: enp3s0 (igc): transmit queue 2 timed out + +The reason is the Tx queue transmission start (txq->trans_start) is not updated +in XDP code path. Therefore, add it for all XDP transmission functions. + +Signed-off-by: Kurt Kanzenbach +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Stable-dep-of: 78adb4bcf99e ("igc: Prevent garbled TX queue with XDP ZEROCOPY") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 44aa4342cbbb5..ef4ea46442f21 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -2417,6 +2417,8 @@ static int igc_xdp_xmit_back(struct igc_adapter *adapter, struct xdp_buff *xdp) + nq = txring_txq(ring); + + __netif_tx_lock(nq, cpu); ++ /* Avoid transmit queue timeout since we share it with the slow path */ ++ txq_trans_cond_update(nq); + res = igc_xdp_init_tx_descriptor(ring, xdpf); + __netif_tx_unlock(nq); + return res; +@@ -2833,6 +2835,9 @@ static void igc_xdp_xmit_zc(struct igc_ring *ring) + + __netif_tx_lock(nq, cpu); + ++ /* Avoid transmit queue timeout since we share it with the slow path */ ++ txq_trans_cond_update(nq); ++ + budget = igc_desc_unused(ring); + + while (xsk_tx_peek_desc(pool, &xdp_desc) && budget--) { +@@ -6385,6 +6390,9 @@ static int igc_xdp_xmit(struct net_device *dev, int num_frames, + + __netif_tx_lock(nq, cpu); + ++ /* Avoid transmit queue timeout since we share it with the slow path */ ++ txq_trans_cond_update(nq); ++ + drops = 0; + for (i = 0; i 
< num_frames; i++) { + int err; +-- +2.39.2 + diff --git a/tmp-6.4/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch b/tmp-6.4/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch new file mode 100644 index 00000000000..a98a1d90121 --- /dev/null +++ b/tmp-6.4/igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch 
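Review bot: `txq_trans_cond_update(nq)` in `igc_xdp_xmit_zc()` is placed before `budget = igc_desc_unused(ring)` and the peek loop, so the queue's transmit timestamp is refreshed even when nothing is queued (budget 0 or no pending descriptor). If that function is invoked regularly (its caller is outside the hunk), this may keep the netdev watchdog from ever reporting a ring that has really stopped draining. Consider refreshing only once a descriptor has been placed, or extend the comment to state that the watchdog is intentionally relaxed for queues shared with XDP. The same placement applies to the hunks in `igc_xdp_xmit_back()` and `igc_xdp_xmit()`.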
@@ -0,0 +1,79 @@ +From ac30745bc06e7ef6e04ae5bc4b2135ca5fcc4df2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 10:54:44 -0700 +Subject: igc: Prevent garbled TX queue with XDP ZEROCOPY + +From: Florian Kauer + +[ Upstream commit 78adb4bcf99effbb960c5f9091e2e062509d1030 ] + +In normal operation, each populated queue item has +next_to_watch pointing to the last TX desc of the packet, +while each cleaned item has it set to 0. In particular, +next_to_use that points to the next (necessarily clean) +item to use has next_to_watch set to 0. + +When the TX queue is used both by an application using +AF_XDP with ZEROCOPY as well as a second non-XDP application +generating high traffic, the queue pointers can get in +an invalid state where next_to_use points to an item +where next_to_watch is NOT set to 0. + +However, the implementation assumes at several places +that this is never the case, so if it does hold, +bad things happen. In particular, within the loop inside +of igc_clean_tx_irq(), next_to_clean can overtake next_to_use. +Finally, this prevents any further transmission via +this queue and it never gets unblocked or signaled. +Secondly, if the queue is in this garbled state, +the inner loop of igc_clean_tx_ring() will never terminate, +completely hogging a CPU core. + +The reason is that igc_xdp_xmit_zc() reads next_to_use +before acquiring the lock, and writing it back +(potentially unmodified) later. If it got modified +before locking, the outdated next_to_use is written +pointing to an item that was already used elsewhere +(and thus next_to_watch got written). 
+ +Fixes: 9acf59a752d4 ("igc: Enable TX via AF_XDP zero-copy") +Signed-off-by: Florian Kauer +Reviewed-by: Kurt Kanzenbach +Tested-by: Kurt Kanzenbach +Acked-by: Vinicius Costa Gomes +Reviewed-by: Simon Horman +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20230717175444.3217831-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index ef4ea46442f21..496a4eb687b00 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -2826,9 +2826,8 @@ static void igc_xdp_xmit_zc(struct igc_ring *ring) + struct netdev_queue *nq = txring_txq(ring); + union igc_adv_tx_desc *tx_desc = NULL; + int cpu = smp_processor_id(); +- u16 ntu = ring->next_to_use; + struct xdp_desc xdp_desc; +- u16 budget; ++ u16 budget, ntu; + + if (!netif_carrier_ok(ring->netdev)) + return; +@@ -2838,6 +2837,7 @@ static void igc_xdp_xmit_zc(struct igc_ring *ring) + /* Avoid transmit queue timeout since we share it with the slow path */ + txq_trans_cond_update(nq); + ++ ntu = ring->next_to_use; + budget = igc_desc_unused(ring); + + while (xsk_tx_peek_desc(pool, &xdp_desc) && budget--) { +-- +2.39.2 + diff --git a/tmp-6.4/io_uring-fix-io_uring-mmap-by-using-architecture-provided-get_unmapped_area.patch b/tmp-6.4/io_uring-fix-io_uring-mmap-by-using-architecture-provided-get_unmapped_area.patch new file mode 100644 index 00000000000..3fa307b3781 --- /dev/null +++ b/tmp-6.4/io_uring-fix-io_uring-mmap-by-using-architecture-provided-get_unmapped_area.patch 
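Review bot: The moved `ntu = ring->next_to_use;` in `igc_xdp_xmit_zc()` carries no comment saying that its position after `__netif_tx_lock()` is the fix, so a later cleanup could hoist it back into the declaration. I would add `/* must be read under the tx lock: the ring is shared with the non-XDP path */` directly above it. The function body continues outside the hunk, where, per the commit message, `ntu` is written back to the ring.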
@@ -0,0 +1,134 @@ +From 32832a407a7178eec3215fad9b1a3298c14b0d69 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Fri, 21 Jul 2023 17:24:31 +0200 +Subject: io_uring: Fix io_uring mmap() by using architecture-provided get_unmapped_area() + +From: Helge Deller + +commit 32832a407a7178eec3215fad9b1a3298c14b0d69 upstream. + +The io_uring testcase is broken on IA-64 since commit d808459b2e31 +("io_uring: Adjust mapping wrt architecture aliasing requirements"). + +The reason is, that this commit introduced an own architecture +independend get_unmapped_area() search algorithm which finds on IA-64 a +memory region which is outside of the regular memory region used for +shared userspace mappings and which can't be used on that platform +due to aliasing. + +To avoid similar problems on IA-64 and other platforms in the future, +it's better to switch back to the architecture-provided +get_unmapped_area() function and adjust the needed input parameters +before the call. Beside fixing the issue, the function now becomes +easier to understand and maintain. + +This patch has been successfully tested with the io_uring testcase on +physical x86-64, ppc64le, IA-64 and PA-RISC machines. On PA-RISC the LTP +mmmap testcases did not report any regressions. 
+ +Cc: stable@vger.kernel.org # 6.4 +Signed-off-by: Helge Deller +Reported-by: matoro +Fixes: d808459b2e31 ("io_uring: Adjust mapping wrt architecture aliasing requirements") +Link: https://lore.kernel.org/r/20230721152432.196382-2-deller@gmx.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/sys_parisc.c | 15 +++++++++----- + io_uring/io_uring.c | 42 ++++++++++++++++------------------------ + 2 files changed, 27 insertions(+), 30 deletions(-) + +--- a/arch/parisc/kernel/sys_parisc.c ++++ b/arch/parisc/kernel/sys_parisc.c +@@ -26,12 +26,17 @@ + #include + + /* +- * Construct an artificial page offset for the mapping based on the physical ++ * Construct an artificial page offset for the mapping based on the virtual + * address of the kernel file mapping variable. ++ * If filp is zero the calculated pgoff value aliases the memory of the given ++ * address. This is useful for io_uring where the mapping shall alias a kernel ++ * address and a userspace adress where both the kernel and the userspace ++ * access the same memory region. + */ +-#define GET_FILP_PGOFF(filp) \ +- (filp ? (((unsigned long) filp->f_mapping) >> 8) \ +- & ((SHM_COLOUR-1) >> PAGE_SHIFT) : 0UL) ++#define GET_FILP_PGOFF(filp, addr) \ ++ ((filp ? 
(((unsigned long) filp->f_mapping) >> 8) \ ++ & ((SHM_COLOUR-1) >> PAGE_SHIFT) : 0UL) \ ++ + (addr >> PAGE_SHIFT)) + + static unsigned long shared_align_offset(unsigned long filp_pgoff, + unsigned long pgoff) +@@ -111,7 +116,7 @@ static unsigned long arch_get_unmapped_a + do_color_align = 0; + if (filp || (flags & MAP_SHARED)) + do_color_align = 1; +- filp_pgoff = GET_FILP_PGOFF(filp); ++ filp_pgoff = GET_FILP_PGOFF(filp, addr); + + if (flags & MAP_FIXED) { + /* Even MAP_FIXED mappings must reside within TASK_SIZE */ +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -3433,8 +3433,6 @@ static unsigned long io_uring_mmu_get_un + unsigned long addr, unsigned long len, + unsigned long pgoff, unsigned long flags) + { +- const unsigned long mmap_end = arch_get_mmap_end(addr, len, flags); +- struct vm_unmapped_area_info info; + void *ptr; + + /* +@@ -3449,32 +3447,26 @@ static unsigned long io_uring_mmu_get_un + if (IS_ERR(ptr)) + return -ENOMEM; + +- info.flags = VM_UNMAPPED_AREA_TOPDOWN; +- info.length = len; +- info.low_limit = max(PAGE_SIZE, mmap_min_addr); +- info.high_limit = arch_get_mmap_base(addr, current->mm->mmap_base); ++ /* ++ * Some architectures have strong cache aliasing requirements. ++ * For such architectures we need a coherent mapping which aliases ++ * kernel memory *and* userspace memory. To achieve that: ++ * - use a NULL file pointer to reference physical memory, and ++ * - use the kernel virtual address of the shared io_uring context ++ * (instead of the userspace-provided address, which has to be 0UL ++ * anyway). ++ * For architectures without such aliasing requirements, the ++ * architecture will return any suitable mapping because addr is 0. 
++ */ ++ filp = NULL; ++ flags |= MAP_SHARED; ++ pgoff = 0; /* has been translated to ptr above */ + #ifdef SHM_COLOUR +- info.align_mask = PAGE_MASK & (SHM_COLOUR - 1UL); ++ addr = (uintptr_t) ptr; + #else +- info.align_mask = PAGE_MASK & (SHMLBA - 1UL); ++ addr = 0UL; + #endif +- info.align_offset = (unsigned long) ptr; +- +- /* +- * A failed mmap() very likely causes application failure, +- * so fall back to the bottom-up function here. This scenario +- * can happen with large stack limits and large mmap() +- * allocations. +- */ +- addr = vm_unmapped_area(&info); +- if (offset_in_page(addr)) { +- info.flags = 0; +- info.low_limit = TASK_UNMAPPED_BASE; +- info.high_limit = mmap_end; +- addr = vm_unmapped_area(&info); +- } +- +- return addr; ++ return current->mm->get_unmapped_area(filp, addr, len, pgoff, flags); + } + + #else /* !CONFIG_MMU */ diff --git a/tmp-6.4/io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch b/tmp-6.4/io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch new file mode 100644 index 00000000000..7b407db4bc2 --- /dev/null +++ b/tmp-6.4/io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch 
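Review bot: `GET_FILP_PGOFF(filp, addr)` adds `(addr >> PAGE_SHIFT)` for every caller of the parisc `arch_get_unmapped_area` path, whereas the new comment describes the address term only for the `filp == NULL` io_uring case. A regular file-backed or shared mapping that passes a non-zero address hint now gets a different colour offset than before, which looks unintended; restricting the term to the NULL-filp branch, or doing the adjustment on the io_uring side through `pgoff`, would leave existing callers unchanged. The macro arguments should also be parenthesised, `((addr) >> PAGE_SHIFT)`, and the comment has a typo (`adress`). The function name is truncated in the hunk header and its body continues outside the hunk, so the effect on the later use of `addr` as a hint should be checked there.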
@@ -0,0 +1,39 @@ +From a9be202269580ca611c6cebac90eaf1795497800 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Thu, 20 Jul 2023 13:16:53 -0600 +Subject: io_uring: treat -EAGAIN for REQ_F_NOWAIT as final for io-wq + +From: Jens Axboe + +commit a9be202269580ca611c6cebac90eaf1795497800 upstream. + +io-wq assumes that an issue is blocking, but it may not be if the +request type has asked for a non-blocking attempt. If we get +-EAGAIN for that case, then we need to treat it as a final result +and not retry or arm poll for it. + +Cc: stable@vger.kernel.org # 5.10+ +Link: https://github.com/axboe/liburing/issues/897 +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -2032,6 +2032,14 @@ fail: + ret = io_issue_sqe(req, issue_flags); + if (ret != -EAGAIN) + break; ++ ++ /* ++ * If REQ_F_NOWAIT is set, then don't wait or retry with ++ * poll. -EAGAIN is final for that case. ++ */ ++ if (req->flags & REQ_F_NOWAIT) ++ break; ++ + /* + * We can get EAGAIN for iopolled IO even though we're + * forcing a sync submission from here, since we can't diff --git a/tmp-6.4/iommu-sva-fix-signedness-bug-in-iommu_sva_alloc_pasi.patch b/tmp-6.4/iommu-sva-fix-signedness-bug-in-iommu_sva_alloc_pasi.patch new file mode 100644 index 00000000000..15849e6c1ef --- /dev/null +++ b/tmp-6.4/iommu-sva-fix-signedness-bug-in-iommu_sva_alloc_pasi.patch 
@@ -0,0 +1,45 @@ +From d7bf48d29d77eb138f5bacd1a9c2891e60d7a754 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Apr 2023 11:55:31 +0300 +Subject: iommu/sva: Fix signedness bug in iommu_sva_alloc_pasid() + +From: Dan Carpenter + +[ Upstream commit c20ecf7bb6153149b81a9277eda23398957656f2 ] + +The ida_alloc_range() function returns negative error codes on error. +On success it returns values in the min to max range (inclusive). It +never returns more then INT_MAX even if "max" is higher. It never +returns values in the 0 to (min - 1) range. + +The bug is that "min" is an unsigned int so negative error codes will +be promoted to high positive values errors treated as success. + +Fixes: 1a14bf0fc7ed ("iommu/sva: Use GFP_KERNEL for pasid allocation") +Signed-off-by: Dan Carpenter +Reviewed-by: Lu Baolu +Link: https://lore.kernel.org/r/6b32095d-7491-4ebb-a850-12e96209eaaf@kili.mountain +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/iommu-sva.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/iommu-sva.c b/drivers/iommu/iommu-sva.c +index 3ebd4b6586b3e..05c0fb2acbc44 100644 +--- a/drivers/iommu/iommu-sva.c ++++ b/drivers/iommu/iommu-sva.c +@@ -34,8 +34,9 @@ static int iommu_sva_alloc_pasid(struct mm_struct *mm, ioasid_t min, ioasid_t ma + } + + ret = ida_alloc_range(&iommu_global_pasid_ida, min, max, GFP_KERNEL); +- if (ret < min) ++ if (ret < 0) + goto out; ++ + mm->pasid = ret; + ret = 0; + out: +-- +2.39.2 + diff --git a/tmp-6.4/iov_iter-mark-copy_iovec_from_user-noclone.patch b/tmp-6.4/iov_iter-mark-copy_iovec_from_user-noclone.patch new file mode 100644 index 00000000000..2d1d445c81b --- /dev/null +++ b/tmp-6.4/iov_iter-mark-copy_iovec_from_user-noclone.patch 
@@ -0,0 +1,43 @@ +From 695a430cb85dc054be8ebfe3f013f48def52def1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 14:43:55 +0200 +Subject: iov_iter: Mark copy_iovec_from_user() noclone + +From: Peter Zijlstra + +[ Upstream commit 719a937b7003933de1298ffa4b881dd6a234e244 ] + +Extend commit 50f9a76ef127 ("iov_iter: Mark +copy_compat_iovec_from_user() noinline") to also cover +copy_iovec_from_user(). Different compiler versions cause the same +problem on different functions. + +lib/iov_iter.o: warning: objtool: .altinstr_replacement+0x1f: redundant UACCESS disable +lib/iov_iter.o: warning: objtool: iovec_from_user+0x84: call to copy_iovec_from_user.part.0() with UACCESS enabled +lib/iov_iter.o: warning: objtool: __import_iovec+0x143: call to copy_iovec_from_user.part.0() with UACCESS enabled + +Fixes: 50f9a76ef127 ("iov_iter: Mark copy_compat_iovec_from_user() noinline") +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Borislav Petkov (AMD) +Link: https://lkml.kernel.org/r/20230616124354.GD4253@hirez.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + lib/iov_iter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/iov_iter.c b/lib/iov_iter.c +index 960223ed91991..061cc3ed58f5b 100644 +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -1795,7 +1795,7 @@ static __noclone int copy_compat_iovec_from_user(struct iovec *iov, + return ret; + } + +-static int copy_iovec_from_user(struct iovec *iov, ++static __noclone int copy_iovec_from_user(struct iovec *iov, + const struct iovec __user *uiov, unsigned long nr_segs) + { + int ret = -EFAULT; +-- +2.39.2 + diff --git a/tmp-6.4/jbd2-recheck-chechpointing-non-dirty-buffer.patch b/tmp-6.4/jbd2-recheck-chechpointing-non-dirty-buffer.patch new file mode 100644 index 00000000000..2cd2baafb78 --- /dev/null +++ b/tmp-6.4/jbd2-recheck-chechpointing-non-dirty-buffer.patch 
@@ -0,0 +1,191 @@
+From c2d6fd9d6f35079f1669f0100f05b46708c74b7f Mon Sep 17 00:00:00 2001
+From: Zhang Yi
+Date: Tue, 6 Jun 2023 21:59:23 +0800
+Subject: jbd2: recheck chechpointing non-dirty buffer
+
+From: Zhang Yi
+
+commit c2d6fd9d6f35079f1669f0100f05b46708c74b7f upstream.
+
+There is a long-standing metadata corruption issue that happens from
+time to time, but it's very difficult to reproduce and analyse, benefit
+from the JBD2_CYCLE_RECORD option, we found out that the problem is the
+checkpointing process miss to write out some buffers which are raced by
+another do_get_write_access(). Looks below for detail.
+
+jbd2_log_do_checkpoint() //transaction X
+ //buffer A is dirty and not belones to any transaction
+ __buffer_relink_io() //move it to the IO list
+ __flush_batch()
+ write_dirty_buffer()
+ do_get_write_access()
+ clear_buffer_dirty
+ __jbd2_journal_file_buffer()
+ //add buffer A to a new transaction Y
+ lock_buffer(bh)
+ //doesn't write out
+ __jbd2_journal_remove_checkpoint()
+ //finish checkpoint except buffer A
+ //filesystem corrupt if the new transaction Y isn't fully write out.
+
+Due to the t_checkpoint_list walking loop in jbd2_log_do_checkpoint()
+have already handles waiting for buffers under IO and re-added new
+transaction to complete commit, and it also removing cleaned buffers,
+this makes sure the list will eventually get empty. So it's fine to
+leave buffers on the t_checkpoint_list while flushing out and completely
+stop using the t_checkpoint_io_list.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Jan Kara
+Signed-off-by: Zhang Yi
+Tested-by: Zhihao Cheng
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20230606135928.434610-2-yi.zhang@huaweicloud.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jbd2/checkpoint.c | 102 ++++++++++++++------------------------------------
+ 1 file changed, 29 insertions(+), 73 deletions(-)
+
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -58,28 +58,6 @@ static inline void __buffer_unlink(struc
+ }
+
+ /*
+- * Move a buffer from the checkpoint list to the checkpoint io list
+- *
+- * Called with j_list_lock held
+- */
+-static inline void __buffer_relink_io(struct journal_head *jh)
+-{
+- transaction_t *transaction = jh->b_cp_transaction;
+-
+- __buffer_unlink_first(jh);
+-
+- if (!transaction->t_checkpoint_io_list) {
+- jh->b_cpnext = jh->b_cpprev = jh;
+- } else {
+- jh->b_cpnext = transaction->t_checkpoint_io_list;
+- jh->b_cpprev = transaction->t_checkpoint_io_list->b_cpprev;
+- jh->b_cpprev->b_cpnext = jh;
+- jh->b_cpnext->b_cpprev = jh;
+- }
+- transaction->t_checkpoint_io_list = jh;
+-}
+-
+-/*
+ * Check a checkpoint buffer could be release or not.
+ *
+ * Requires j_list_lock
+@@ -183,6 +161,7 @@ __flush_batch(journal_t *journal, int *b
+ struct buffer_head *bh = journal->j_chkpt_bhs[i];
+ BUFFER_TRACE(bh, "brelse");
+ __brelse(bh);
++ journal->j_chkpt_bhs[i] = NULL;
+ }
+ *batch_count = 0;
+ }
+@@ -242,6 +221,11 @@ restart:
+ jh = transaction->t_checkpoint_list;
+ bh = jh2bh(jh);
+
++ /*
++ * The buffer may be writing back, or flushing out in the
++ * last couple of cycles, or re-adding into a new transaction,
++ * need to check it again until it's unlocked.
++ */
+ if (buffer_locked(bh)) {
+ get_bh(bh);
+ spin_unlock(&journal->j_list_lock);
+@@ -287,28 +271,32 @@ restart:
+ }
+ if (!buffer_dirty(bh)) {
+ BUFFER_TRACE(bh, "remove from checkpoint");
+- if (__jbd2_journal_remove_checkpoint(jh))
+- /* The transaction was released; we're done */
++ /*
++ * If the transaction was released or the checkpoint
++ * list was empty, we're done.
++ */
++ if (__jbd2_journal_remove_checkpoint(jh) ||
++ !transaction->t_checkpoint_list)
+ goto out;
+- continue;
++ } else {
++ /*
++ * We are about to write the buffer, it could be
++ * raced by some other transaction shrink or buffer
++ * re-log logic once we release the j_list_lock,
++ * leave it on the checkpoint list and check status
++ * again to make sure it's clean.
++ */
++ BUFFER_TRACE(bh, "queue");
++ get_bh(bh);
++ J_ASSERT_BH(bh, !buffer_jwrite(bh));
++ journal->j_chkpt_bhs[batch_count++] = bh;
++ transaction->t_chp_stats.cs_written++;
++ transaction->t_checkpoint_list = jh->b_cpnext;
+ }
+- /*
+- * Important: we are about to write the buffer, and
+- * possibly block, while still holding the journal
+- * lock. We cannot afford to let the transaction
+- * logic start messing around with this buffer before
+- * we write it to disk, as that would break
+- * recoverability.
+- */
+- BUFFER_TRACE(bh, "queue");
+- get_bh(bh);
+- J_ASSERT_BH(bh, !buffer_jwrite(bh));
+- journal->j_chkpt_bhs[batch_count++] = bh;
+- __buffer_relink_io(jh);
+- transaction->t_chp_stats.cs_written++;
++
+ if ((batch_count == JBD2_NR_BATCH) ||
+- need_resched() ||
+- spin_needbreak(&journal->j_list_lock))
++ need_resched() || spin_needbreak(&journal->j_list_lock) ||
++ jh2bh(transaction->t_checkpoint_list) == journal->j_chkpt_bhs[0])
+ goto unlock_and_flush;
+ }
+
+@@ -322,38 +310,6 @@ restart:
+ goto restart;
+ }
+
+- /*
+- * Now we issued all of the transaction's buffers, let's deal
+- * with the buffers that are out for I/O.
+- */
+-restart2:
+- /* Did somebody clean up the transaction in the meanwhile? */
+- if (journal->j_checkpoint_transactions != transaction ||
+- transaction->t_tid != this_tid)
+- goto out;
+-
+- while (transaction->t_checkpoint_io_list) {
+- jh = transaction->t_checkpoint_io_list;
+- bh = jh2bh(jh);
+- if (buffer_locked(bh)) {
+- get_bh(bh);
+- spin_unlock(&journal->j_list_lock);
+- wait_on_buffer(bh);
+- /* the journal_head may have gone by now */
+- BUFFER_TRACE(bh, "brelse");
+- __brelse(bh);
+- spin_lock(&journal->j_list_lock);
+- goto restart2;
+- }
+-
+- /*
+- * Now in whatever state the buffer currently is, we
+- * know that it has been written out and so we can
+- * drop it from the list
+- */
+- if (__jbd2_journal_remove_checkpoint(jh))
+- break;
+- }
+ out:
+ spin_unlock(&journal->j_list_lock);
+ result = jbd2_cleanup_journal_tail(journal);
diff --git a/tmp-6.4/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch b/tmp-6.4/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch
new file mode 100644
index 00000000000..2888b9c887c
--- /dev/null
+++ b/tmp-6.4/kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch
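Review bot: The new loop-exit test `jh2bh(transaction->t_checkpoint_list) == journal->j_chkpt_bhs[0]` in jbd2_log_do_checkpoint() reads slot 0 of the batch array even when `batch_count` is 0, so it depends on that slot never holding a stale pointer. The `journal->j_chkpt_bhs[i] = NULL;` added to __flush_batch() appears to be what guarantees this, but neither line says so, and the initial state of the array is not visible in the hunks. I would add a comment at the test, for example `/* j_chkpt_bhs[0] is NULL while the batch is empty (see __flush_batch()); a match means we wrapped round to the first queued buffer */`, so the clearing is not later removed as redundant. Both function bodies extend beyond the hunks shown.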
@@ -0,0 +1,104 @@
+From e566bf07b787c98df80e25d78ed32b1cf422af9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 28 Jun 2023 11:19:26 -0700
+Subject: kallsyms: strip LTO-only suffixes from promoted global functions
+
+From: Yonghong Song
+
+[ Upstream commit 8cc32a9bbf2934d90762d9de0187adcb5ad46a11 ]
+
+Commit 6eb4bd92c1ce ("kallsyms: strip LTO suffixes from static functions")
+stripped all function/variable suffixes started with '.' regardless
+of whether those suffixes are generated at LTO mode or not. In fact,
+as far as I know, in LTO mode, when a static function/variable is
+promoted to the global scope, '.llvm.<...>' suffix is added.
+
+The existing mechanism breaks live patch for a LTO kernel even if
+no .llvm.<...> symbols are involved. For example, for the following
+kernel symbols:
+ $ grep bpf_verifier_vlog /proc/kallsyms
+ ffffffff81549f60 t bpf_verifier_vlog
+ ffffffff8268b430 d bpf_verifier_vlog._entry
+ ffffffff8282a958 d bpf_verifier_vlog._entry_ptr
+ ffffffff82e12a1f d bpf_verifier_vlog.__already_done
+'bpf_verifier_vlog' is a static function. '_entry', '_entry_ptr' and
+'__already_done' are static variables used inside 'bpf_verifier_vlog',
+so llvm promotes them to file-level static with prefix 'bpf_verifier_vlog.'.
+Note that the func-level to file-level static function promotion also
+happens without LTO.
+
+Given a symbol name 'bpf_verifier_vlog', with LTO kernel, current mechanism will
+return 4 symbols to live patch subsystem which current live patching
+subsystem cannot handle it. With non-LTO kernel, only one symbol
+is returned.
+
+In [1], we have a lengthy discussion, the suggestion is to separate two
+cases:
+ (1). new symbols with suffix which are generated regardless of whether
+ LTO is enabled or not, and
+ (2). new symbols with suffix generated only when LTO is enabled.
+
+The cleanup_symbol_name() should only remove suffixes for case (2).
+Case (1) should not be changed so it can work uniformly with or without LTO.
+
+This patch removed LTO-only suffix '.llvm.<...>' so live patching and
+tracing should work the same way for non-LTO kernel.
+The cleanup_symbol_name() in scripts/kallsyms.c is also changed to have the same
+filtering pattern so both kernel and kallsyms tool have the same
+expectation on the order of symbols.
+
+ [1] https://lore.kernel.org/live-patching/20230615170048.2382735-1-song@kernel.org/T/#u
+
+Fixes: 6eb4bd92c1ce ("kallsyms: strip LTO suffixes from static functions")
+Reported-by: Song Liu
+Signed-off-by: Yonghong Song
+Reviewed-by: Zhen Lei
+Reviewed-by: Nick Desaulniers
+Acked-by: Song Liu
+Link: https://lore.kernel.org/r/20230628181926.4102448-1-yhs@fb.com
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ kernel/kallsyms.c | 5 ++---
+ scripts/kallsyms.c | 6 +++---
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
+index 77747391f49b6..4874508bb950e 100644
+--- a/kernel/kallsyms.c
++++ b/kernel/kallsyms.c
+@@ -174,11 +174,10 @@ static bool cleanup_symbol_name(char *s)
+ * LLVM appends various suffixes for local functions and variables that
+ * must be promoted to global scope as part of LTO. This can break
+ * hooking of static functions with kprobes. '.' is not a valid
+- * character in an identifier in C. Suffixes observed:
++ * character in an identifier in C. Suffixes only in LLVM LTO observed:
+ * - foo.llvm.[0-9a-f]+
+- * - foo.[0-9a-f]+
+ */
+- res = strchr(s, '.');
++ res = strstr(s, ".llvm.");
+ if (res) {
+ *res = '\0';
+ return true;
+diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c
+index 0d2db41177b23..13af6d0ff845d 100644
+--- a/scripts/kallsyms.c
++++ b/scripts/kallsyms.c
+@@ -346,10 +346,10 @@ static void cleanup_symbol_name(char *s)
+ * ASCII[_] = 5f
+ * ASCII[a-z] = 61,7a
+ *
+- * As above, replacing '.' with '\0' does not affect the main sorting,
+- * but it helps us with subsorting.
++ * As above, replacing the first '.' in ".llvm." with '\0' does not
++ * affect the main sorting, but it helps us with subsorting.
+ */
+- p = strchr(s, '.');
++ p = strstr(s, ".llvm.");
+ if (p)
+ *p = '\0';
+ }
+--
+2.39.2
+
diff --git a/tmp-6.4/kbuild-rust-avoid-creating-temporary-files.patch b/tmp-6.4/kbuild-rust-avoid-creating-temporary-files.patch
new file mode 100644
index 00000000000..8780702118a
--- /dev/null
+++ b/tmp-6.4/kbuild-rust-avoid-creating-temporary-files.patch
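Review bot: The literal `".llvm."` is now hard-coded separately in cleanup_symbol_name() in kernel/kallsyms.c and in scripts/kallsyms.c, and only the commit message records that both must use the same filtering pattern for the symbol order to agree. A later change to one copy would silently break that agreement. I would add a cross-reference at each `strstr()` call, e.g. `/* must match cleanup_symbol_name() in scripts/kallsyms.c */` and the mirror-image comment in the script. Both function bodies start outside the hunks.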
@@ -0,0 +1,74 @@
+From df01b7cfcef08bf3fdcac2909d0e1910781d6bfd Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda
+Date: Sun, 23 Jul 2023 16:21:28 +0200
+Subject: kbuild: rust: avoid creating temporary files
+
+From: Miguel Ojeda
+
+commit df01b7cfcef08bf3fdcac2909d0e1910781d6bfd upstream.
+
+`rustc` outputs by default the temporary files (i.e. the ones saved
+by `-Csave-temps`, such as `*.rcgu*` files) in the current working
+directory when `-o` and `--out-dir` are not given (even if
+`--emit=x=path` is given, i.e. it does not use those for temporaries).
+
+Since out-of-tree modules are compiled from the `linux` tree,
+`rustc` then tries to create them there, which may not be accessible.
+
+Thus pass `--out-dir` explicitly, even if it is just for the temporary
+files.
+
+Similarly, do so for Rust host programs too.
+
+Reported-by: Raphael Nestler
+Closes: https://github.com/Rust-for-Linux/linux/issues/1015
+Reported-by: Andrea Righi
+Tested-by: Raphael Nestler # non-hostprogs
+Tested-by: Andrea Righi # non-hostprogs
+Fixes: 295d8398c67e ("kbuild: specify output names separately for each emission type from rustc")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miguel Ojeda
+Tested-by: Martin Rodriguez Reboredo
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/Makefile.build | 5 ++++-
+ scripts/Makefile.host | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/scripts/Makefile.build
++++ b/scripts/Makefile.build
+@@ -279,6 +279,9 @@ $(obj)/%.lst: $(src)/%.c FORCE
+
+ rust_allowed_features := core_ffi_c,explicit_generic_args_with_impl_trait,new_uninit,pin_macro
+
++# `--out-dir` is required to avoid temporaries being created by `rustc` in the
++# current working directory, which may be not accessible in the out-of-tree
++# modules case.
+ rust_common_cmd = \
+ RUST_MODFILE=$(modfile) $(RUSTC_OR_CLIPPY) $(rust_flags) \
+ -Zallow-features=$(rust_allowed_features) \
+@@ -287,7 +290,7 @@ rust_common_cmd = \
+ --extern alloc --extern kernel \
+ --crate-type rlib -L $(objtree)/rust/ \
+ --crate-name $(basename $(notdir $@)) \
+- --emit=dep-info=$(depfile)
++ --out-dir $(dir $@) --emit=dep-info=$(depfile)
+
+ # `--emit=obj`, `--emit=asm` and `--emit=llvm-ir` imply a single codegen unit
+ # will be used. We explicitly request `-Ccodegen-units=1` in any case, and
+--- a/scripts/Makefile.host
++++ b/scripts/Makefile.host
+@@ -86,7 +86,11 @@ hostc_flags = -Wp,-MMD,$(depfile) \
+ hostcxx_flags = -Wp,-MMD,$(depfile) \
+ $(KBUILD_HOSTCXXFLAGS) $(HOST_EXTRACXXFLAGS) \
+ $(HOSTCXXFLAGS_$(target-stem).o)
+-hostrust_flags = --emit=dep-info=$(depfile) \
++
++# `--out-dir` is required to avoid temporaries being created by `rustc` in the
++# current working directory, which may be not accessible in the out-of-tree
++# modules case.
++hostrust_flags = --out-dir $(dir $@) --emit=dep-info=$(depfile) \
+ $(KBUILD_HOSTRUSTFLAGS) $(HOST_EXTRARUSTFLAGS) \
+ $(HOSTRUSTFLAGS_$(target-stem))
+
diff --git a/tmp-6.4/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch b/tmp-6.4/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch
new file mode 100644
index 00000000000..75ed3459f73
--- /dev/null
+++ b/tmp-6.4/keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch
@@ -0,0 +1,177 @@
+From d55901522f96082a43b9842d34867363c0cdbac5 Mon Sep 17 00:00:00 2001
+From: Petr Pavlu
+Date: Thu, 23 Mar 2023 14:04:12 +0100
+Subject: keys: Fix linking a duplicate key to a keyring's assoc_array
+
+From: Petr Pavlu
+
+commit d55901522f96082a43b9842d34867363c0cdbac5 upstream.
+
+When making a DNS query inside the kernel using dns_query(), the request
+code can in rare cases end up creating a duplicate index key in the
+assoc_array of the destination keyring. It is eventually found by
+a BUG_ON() check in the assoc_array implementation and results in
+a crash.
+
+Example report:
+[2158499.700025] kernel BUG at ../lib/assoc_array.c:652!
+[2158499.700039] invalid opcode: 0000 [#1] SMP PTI
+[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3
+[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
+[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs]
+[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40
+[2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f
+[2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282
+[2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005
+[2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000
+[2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000
+[2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28
+[2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740
+[2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000
+[2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0
+[2158499.700702] Call Trace:
+[2158499.700741] ? key_alloc+0x447/0x4b0
+[2158499.700768] ? __key_link_begin+0x43/0xa0
+[2158499.700790] __key_link_begin+0x43/0xa0
+[2158499.700814] request_key_and_link+0x2c7/0x730
+[2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver]
+[2158499.700873] ? key_default_cmp+0x20/0x20
+[2158499.700898] request_key_tag+0x43/0xa0
+[2158499.700926] dns_query+0x114/0x2ca [dns_resolver]
+[2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs]
+[2158499.701164] ? scnprintf+0x49/0x90
+[2158499.701190] ? __switch_to_asm+0x40/0x70
+[2158499.701211] ? __switch_to_asm+0x34/0x70
+[2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs]
+[2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs]
+[2158499.701632] process_one_work+0x1f8/0x3e0
+[2158499.701658] worker_thread+0x2d/0x3f0
+[2158499.701682] ? process_one_work+0x3e0/0x3e0
+[2158499.701703] kthread+0x10d/0x130
+[2158499.701723] ? kthread_park+0xb0/0xb0
+[2158499.701746] ret_from_fork+0x1f/0x40
+
+The situation occurs as follows:
+* Some kernel facility invokes dns_query() to resolve a hostname, for
+ example, "abcdef". The function registers its global DNS resolver
+ cache as current->cred.thread_keyring and passes the query to
+ request_key_net() -> request_key_tag() -> request_key_and_link().
+* Function request_key_and_link() creates a keyring_search_context
+ object. Its match_data.cmp method gets set via a call to
+ type->match_preparse() (resolves to dns_resolver_match_preparse()) to
+ dns_resolver_cmp().
+* Function request_key_and_link() continues and invokes
+ search_process_keyrings_rcu() which returns that a given key was not
+ found. The control is then passed to request_key_and_link() ->
+ construct_alloc_key().
+* Concurrently to that, a second task similarly makes a DNS query for
+ "abcdef." and its result gets inserted into the DNS resolver cache.
+* Back on the first task, function construct_alloc_key() first runs
+ __key_link_begin() to determine an assoc_array_edit operation to
+ insert a new key. Index keys in the array are compared exactly as-is,
+ using keyring_compare_object(). The operation finds that "abcdef" is
+ not yet present in the destination keyring.
+* Function construct_alloc_key() continues and checks if a given key is
+ already present on some keyring by again calling
+ search_process_keyrings_rcu(). This search is done using
+ dns_resolver_cmp() and "abcdef" gets matched with now present key
+ "abcdef.".
+* The found key is linked on the destination keyring by calling
+ __key_link() and using the previously calculated assoc_array_edit
+ operation. This inserts the "abcdef." key in the array but creates
+ a duplicity because the same index key is already present.
+
+Fix the problem by postponing __key_link_begin() in
+construct_alloc_key() until an actual key which should be linked into
+the destination keyring is determined.
+
+[jarkko@kernel.org: added a fixes tag and cc to stable]
+Cc: stable@vger.kernel.org # v5.3+
+Fixes: df593ee23e05 ("keys: Hoist locking out of __key_link_begin()")
+Signed-off-by: Petr Pavlu
+Reviewed-by: Joey Lee
+Reviewed-by: Jarkko Sakkinen
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/keys/request_key.c | 35 ++++++++++++++++++++++++-----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -401,17 +401,21 @@ static int construct_alloc_key(struct ke
+ set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);
+
+ if (dest_keyring) {
+- ret = __key_link_lock(dest_keyring, &ctx->index_key);
++ ret = __key_link_lock(dest_keyring, &key->index_key);
+ if (ret < 0)
+ goto link_lock_failed;
+- ret = __key_link_begin(dest_keyring, &ctx->index_key, &edit);
+- if (ret < 0)
+- goto link_prealloc_failed;
+ }
+
+- /* attach the key to the destination keyring under lock, but we do need
++ /*
++ * Attach the key to the destination keyring under lock, but we do need
+ * to do another check just in case someone beat us to it whilst we
+- * waited for locks */
++ * waited for locks.
++ *
++ * The caller might specify a comparison function which looks for keys
++ * that do not exactly match but are still equivalent from the caller's
++ * perspective. The __key_link_begin() operation must be done only after
++ * an actual key is determined.
++ */
+ mutex_lock(&key_construction_mutex);
+
+ rcu_read_lock();
+@@ -420,12 +424,16 @@ static int construct_alloc_key(struct ke
+ if (!IS_ERR(key_ref))
+ goto key_already_present;
+
+- if (dest_keyring)
++ if (dest_keyring) {
++ ret = __key_link_begin(dest_keyring, &key->index_key, &edit);
++ if (ret < 0)
++ goto link_alloc_failed;
+ __key_link(dest_keyring, key, &edit);
++ }
+
+ mutex_unlock(&key_construction_mutex);
+ if (dest_keyring)
+- __key_link_end(dest_keyring, &ctx->index_key, edit);
++ __key_link_end(dest_keyring, &key->index_key, edit);
+ mutex_unlock(&user->cons_lock);
+ *_key = key;
+ kleave(" = 0 [%d]", key_serial(key));
+@@ -438,10 +446,13 @@ key_already_present:
+ mutex_unlock(&key_construction_mutex);
+ key = key_ref_to_ptr(key_ref);
+ if (dest_keyring) {
++ ret = __key_link_begin(dest_keyring, &key->index_key, &edit);
++ if (ret < 0)
++ goto link_alloc_failed_unlocked;
+ ret = __key_link_check_live_key(dest_keyring, key);
+ if (ret == 0)
+ __key_link(dest_keyring, key, &edit);
+- __key_link_end(dest_keyring, &ctx->index_key, edit);
++ __key_link_end(dest_keyring, &key->index_key, edit);
+ if (ret < 0)
+ goto link_check_failed;
+ }
+@@ -456,8 +467,10 @@ link_check_failed:
+ kleave(" = %d [linkcheck]", ret);
+ return ret;
+
+-link_prealloc_failed:
+- __key_link_end(dest_keyring, &ctx->index_key, edit);
++link_alloc_failed:
++ mutex_unlock(&key_construction_mutex);
++link_alloc_failed_unlocked:
++ __key_link_end(dest_keyring, &key->index_key, edit);
+ link_lock_failed:
+ mutex_unlock(&user->cons_lock);
+ key_put(key);
diff --git a/tmp-6.4/kvm-arm64-correctly-handle-page-aging-notifiers-for-unaligned-memslot.patch b/tmp-6.4/kvm-arm64-correctly-handle-page-aging-notifiers-for-unaligned-memslot.patch
new file mode 100644
index 00000000000..67ebb0aa4d4
--- /dev/null
+++ b/tmp-6.4/kvm-arm64-correctly-handle-page-aging-notifiers-for-unaligned-memslot.patch
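Review bot: Both new error labels in construct_alloc_key(), `link_alloc_failed` and `link_alloc_failed_unlocked`, pass `edit` to __key_link_end() after __key_link_begin() has returned an error, so `edit` must hold a defined value on that path. Its declaration is outside the hunks; please confirm it is initialised (`struct assoc_array_edit *edit = NULL;`) and that __key_link_end() tolerates a NULL edit. The removed `link_prealloc_failed` path made the same call, which suggests it does, but that is an inference from the visible lines. A short comment at the label, `/* edit may still be NULL here if __key_link_begin() failed */`, would make the contract visible to the next person who touches these unwind paths.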
@@ -0,0 +1,204 @@
+From df6556adf27b7372cfcd97e1c0afb0d516c8279f Mon Sep 17 00:00:00 2001
+From: Oliver Upton
+Date: Tue, 27 Jun 2023 23:54:05 +0000
+Subject: KVM: arm64: Correctly handle page aging notifiers for unaligned memslot
+
+From: Oliver Upton
+
+commit df6556adf27b7372cfcd97e1c0afb0d516c8279f upstream.
+
+Userspace is allowed to select any PAGE_SIZE aligned hva to back guest
+memory. This is even the case with hugepages, although it is a rather
+suboptimal configuration as PTE level mappings are used at stage-2.
+
+The arm64 page aging handlers have an assumption that the specified
+range is exactly one page/block of memory, which in the aforementioned
+case is not necessarily true. All together this leads to the WARN() in
+kvm_age_gfn() firing.
+
+However, the WARN is only part of the issue as the table walkers visit
+at most a single leaf PTE. For hugepage-backed memory in a memslot that
+isn't hugepage-aligned, page aging entirely misses accesses to the
+hugepage beyond the first page in the memslot.
+
+Add a new walker dedicated to handling page aging MMU notifiers capable
+of walking a range of PTEs. Convert kvm(_test)_age_gfn() over to the new
+walker and drop the WARN that caught the issue in the first place. The
+implementation of this walker was inspired by the test_clear_young()
+implementation by Yu Zhao [*], but repurposed to address a bug in the
+existing aging implementation.
+
+Cc: stable@vger.kernel.org # v5.15
+Fixes: 056aad67f836 ("kvm: arm/arm64: Rework gpa callback handlers")
+Link: https://lore.kernel.org/kvmarm/20230526234435.662652-6-yuzhao@google.com/
+Co-developed-by: Yu Zhao
+Signed-off-by: Yu Zhao
+Reported-by: Reiji Watanabe
+Reviewed-by: Marc Zyngier
+Reviewed-by: Shaoqin Huang
+Link: https://lore.kernel.org/r/20230627235405.4069823-1-oliver.upton@linux.dev
+Signed-off-by: Oliver Upton
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/include/asm/kvm_pgtable.h | 26 ++++++-------------
+ arch/arm64/kvm/hyp/pgtable.c | 47 ++++++++++++++++++++++++++++-------
+ arch/arm64/kvm/mmu.c | 18 +++++--------
+ 3 files changed, 55 insertions(+), 36 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_pgtable.h
++++ b/arch/arm64/include/asm/kvm_pgtable.h
+@@ -556,22 +556,26 @@ int kvm_pgtable_stage2_wrprotect(struct
+ kvm_pte_t kvm_pgtable_stage2_mkyoung(struct kvm_pgtable *pgt, u64 addr);
+
+ /**
+- * kvm_pgtable_stage2_mkold() - Clear the access flag in a page-table entry.
++ * kvm_pgtable_stage2_test_clear_young() - Test and optionally clear the access
++ * flag in a page-table entry.
+ * @pgt: Page-table structure initialised by kvm_pgtable_stage2_init*().
+ * @addr: Intermediate physical address to identify the page-table entry.
++ * @size: Size of the address range to visit.
++ * @mkold: True if the access flag should be cleared.
+ *
+ * The offset of @addr within a page is ignored.
+ *
+- * If there is a valid, leaf page-table entry used to translate @addr, then
+- * clear the access flag in that entry.
++ * Tests and conditionally clears the access flag for every valid, leaf
++ * page-table entry used to translate the range [@addr, @addr + @size).
+ *
+ * Note that it is the caller's responsibility to invalidate the TLB after
+ * calling this function to ensure that the updated permissions are visible
+ * to the CPUs.
+ *
+- * Return: The old page-table entry prior to clearing the flag, 0 on failure.
++ * Return: True if any of the visited PTEs had the access flag set.
+ */
+-kvm_pte_t kvm_pgtable_stage2_mkold(struct kvm_pgtable *pgt, u64 addr);
++bool kvm_pgtable_stage2_test_clear_young(struct kvm_pgtable *pgt, u64 addr,
++ u64 size, bool mkold);
+
+ /**
+ * kvm_pgtable_stage2_relax_perms() - Relax the permissions enforced by a
+@@ -594,18 +598,6 @@ int kvm_pgtable_stage2_relax_perms(struc
+ enum kvm_pgtable_prot prot);
+
+ /**
+- * kvm_pgtable_stage2_is_young() - Test whether a page-table entry has the
+- * access flag set.
+- * @pgt: Page-table structure initialised by kvm_pgtable_stage2_init*().
+- * @addr: Intermediate physical address to identify the page-table entry.
+- *
+- * The offset of @addr within a page is ignored.
+- *
+- * Return: True if the page-table entry has the access flag set, false otherwise.
+- */
+-bool kvm_pgtable_stage2_is_young(struct kvm_pgtable *pgt, u64 addr);
+-
+-/**
+ * kvm_pgtable_stage2_flush_range() - Clean and invalidate data cache to Point
+ * of Coherency for guest stage-2 address
+ * range.
+--- a/arch/arm64/kvm/hyp/pgtable.c
++++ b/arch/arm64/kvm/hyp/pgtable.c
+@@ -1173,25 +1173,54 @@ kvm_pte_t kvm_pgtable_stage2_mkyoung(str
+ return pte;
+ }
+
+-kvm_pte_t kvm_pgtable_stage2_mkold(struct kvm_pgtable *pgt, u64 addr)
++struct stage2_age_data {
++ bool mkold;
++ bool young;
++};
++
++static int stage2_age_walker(const struct kvm_pgtable_visit_ctx *ctx,
++ enum kvm_pgtable_walk_flags visit)
+ {
+- kvm_pte_t pte = 0;
+- stage2_update_leaf_attrs(pgt, addr, 1, 0, KVM_PTE_LEAF_ATTR_LO_S2_AF,
+- &pte, NULL, 0);
++ kvm_pte_t new = ctx->old & ~KVM_PTE_LEAF_ATTR_LO_S2_AF;
++ struct stage2_age_data *data = ctx->arg;
++
++ if (!kvm_pte_valid(ctx->old) || new == ctx->old)
++ return 0;
++
++ data->young = true;
++
++ /*
++ * stage2_age_walker() is always called while holding the MMU lock for
++ * write, so this will always succeed. Nonetheless, this deliberately
++ * follows the race detection pattern of the other stage-2 walkers in
++ * case the locking mechanics of the MMU notifiers is ever changed.
++ */
++ if (data->mkold && !stage2_try_set_pte(ctx, new))
++ return -EAGAIN;
++
+ /*
+ * "But where's the TLBI?!", you scream.
+ * "Over in the core code", I sigh.
+ *
+ * See the '->clear_flush_young()' callback on the KVM mmu notifier.
+ */
+- return pte;
++ return 0;
+ }
+
+-bool kvm_pgtable_stage2_is_young(struct kvm_pgtable *pgt, u64 addr)
++bool kvm_pgtable_stage2_test_clear_young(struct kvm_pgtable *pgt, u64 addr,
++ u64 size, bool mkold)
+ {
+- kvm_pte_t pte = 0;
+- stage2_update_leaf_attrs(pgt, addr, 1, 0, 0, &pte, NULL, 0);
+- return pte & KVM_PTE_LEAF_ATTR_LO_S2_AF;
++ struct stage2_age_data data = {
++ .mkold = mkold,
++ };
++ struct kvm_pgtable_walker walker = {
++ .cb = stage2_age_walker,
++ .arg = &data,
++ .flags = KVM_PGTABLE_WALK_LEAF,
++ };
++
++ WARN_ON(kvm_pgtable_walk(pgt, addr, size, &walker));
++ return data.young;
+ }
+
+ int kvm_pgtable_stage2_relax_perms(struct kvm_pgtable *pgt, u64 addr,
+--- a/arch/arm64/kvm/mmu.c
++++ b/arch/arm64/kvm/mmu.c
+@@ -1639,27 +1639,25 @@ bool kvm_set_spte_gfn(struct kvm *kvm, s
+ bool kvm_age_gfn(struct kvm *kvm, struct kvm_gfn_range *range)
+ {
+ u64 size = (range->end - range->start) << PAGE_SHIFT;
+- kvm_pte_t kpte;
+- pte_t pte;
+
+ if (!kvm->arch.mmu.pgt)
+ return false;
+
+- WARN_ON(size != PAGE_SIZE && size != PMD_SIZE && size != PUD_SIZE);
+-
+- kpte = kvm_pgtable_stage2_mkold(kvm->arch.mmu.pgt,
+- range->start << PAGE_SHIFT);
+- pte = __pte(kpte);
+- return pte_valid(pte) && pte_young(pte);
++ return kvm_pgtable_stage2_test_clear_young(kvm->arch.mmu.pgt,
++ range->start << PAGE_SHIFT,
++ size, true);
+ }
+
+ bool kvm_test_age_gfn(struct kvm *kvm, struct kvm_gfn_range *range)
+ {
++ u64 size = (range->end - range->start) << PAGE_SHIFT;
++
+ if (!kvm->arch.mmu.pgt)
+ return false;
+
+- return kvm_pgtable_stage2_is_young(kvm->arch.mmu.pgt,
+- range->start << PAGE_SHIFT);
++ return kvm_pgtable_stage2_test_clear_young(kvm->arch.mmu.pgt,
++ range->start << PAGE_SHIFT,
++ size, false);
+ }
+
+ phys_addr_t kvm_mmu_get_httbr(void)
diff --git a/tmp-6.4/kvm-arm64-disable-preemption-in-kvm_arch_hardware_enable.patch b/tmp-6.4/kvm-arm64-disable-preemption-in-kvm_arch_hardware_enable.patch
new file mode 100644
index 00000000000..893eef4684e
--- /dev/null
+++ b/tmp-6.4/kvm-arm64-disable-preemption-in-kvm_arch_hardware_enable.patch
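Review bot: The kernel-doc for kvm_pgtable_stage2_test_clear_young() in kvm_pgtable.h does not state the locking requirement the implementation depends on. The comment inside stage2_age_walker() says the walker is always called with the MMU lock held for write, and `WARN_ON(kvm_pgtable_walk(pgt, addr, size, &walker));` treats the walker's -EAGAIN as something that cannot happen; a future caller holding the lock only for read would turn that into a reachable warning. I would add a line to the header comment such as ` * The caller must hold the MMU lock for write.` and note there that, if the walk fails, the return value reflects only the entries visited before the failure.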
@@ -0,0 +1,66 @@
+From 970dee09b230895fe2230d2b32ad05a2826818c6 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Mon, 3 Jul 2023 17:35:48 +0100
+Subject: KVM: arm64: Disable preemption in kvm_arch_hardware_enable()
+
+From: Marc Zyngier
+
+commit 970dee09b230895fe2230d2b32ad05a2826818c6 upstream.
+
+Since 0bf50497f03b ("KVM: Drop kvm_count_lock and instead protect
+kvm_usage_count with kvm_lock"), hotplugging back a CPU whilst
+a guest is running results in a number of ugly splats as most
+of this code expects to run with preemption disabled, which isn't
+the case anymore.
+
+While the context is preemptable, it isn't migratable, which should
+be enough. But we have plenty of preemptible() checks all over
+the place, and our per-CPU accessors also disable preemption.
+
+Since this affects released versions, let's do the easy fix first,
+disabling preemption in kvm_arch_hardware_enable(). We can always
+revisit this with a more invasive fix in the future.
+
+Fixes: 0bf50497f03b ("KVM: Drop kvm_count_lock and instead protect kvm_usage_count with kvm_lock")
+Reported-by: Kristina Martsenko
+Tested-by: Kristina Martsenko
+Signed-off-by: Marc Zyngier
+Link: https://lore.kernel.org/r/aeab7562-2d39-e78e-93b1-4711f8cc3fa5@arm.com
+Cc: stable@vger.kernel.org # v6.3, v6.4
+Link: https://lore.kernel.org/r/20230703163548.1498943-1-maz@kernel.org
+Signed-off-by: Oliver Upton
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kvm/arm.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kvm/arm.c
++++ b/arch/arm64/kvm/arm.c
+@@ -1793,8 +1793,17 @@ static void _kvm_arch_hardware_enable(vo
+
+ int kvm_arch_hardware_enable(void)
+ {
+- int was_enabled = __this_cpu_read(kvm_arm_hardware_enabled);
++ int was_enabled;
+
++ /*
++ * Most calls to this function are made with migration
++ * disabled, but not with preemption disabled. The former is
++ * enough to ensure correctness, but most of the helpers
++ * expect the later and will throw a tantrum otherwise.
++ */
++ preempt_disable();
++
++ was_enabled = __this_cpu_read(kvm_arm_hardware_enabled);
+ _kvm_arch_hardware_enable(NULL);
+
+ if (!was_enabled) {
+@@ -1802,6 +1811,8 @@ int kvm_arch_hardware_enable(void)
+ kvm_timer_cpu_up();
+ }
+
++ preempt_enable();
++
+ return 0;
+ }
+
diff --git a/tmp-6.4/kvm-arm64-timers-use-cnthctl_el2-when-setting-non-cntkctl_el1-bits.patch b/tmp-6.4/kvm-arm64-timers-use-cnthctl_el2-when-setting-non-cntkctl_el1-bits.patch
new file mode 100644
index 00000000000..5184db3f8fa
--- /dev/null
+++ b/tmp-6.4/kvm-arm64-timers-use-cnthctl_el2-when-setting-non-cntkctl_el1-bits.patch
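Review bot: The new comment in kvm_arch_hardware_enable() says the helpers "expect the later"; it should read `* expect the latter and will throw a tantrum otherwise.`, since it refers back to "preemption disabled" in the previous sentence. The comment also says "most calls" arrive with migration disabled without naming the exception, so a reader cannot tell which caller the `preempt_disable()`/`preempt_enable()` pair is there for; the commit message points at CPU hotplug while a guest is running, and one clause saying so would help. The matching disable path is not part of this patch; if it uses the same per-CPU accessors it presumably deserves the same check, which is worth confirming.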
@@ -0,0 +1,65 @@ +From fe769e6c1f80f542d6f4e7f7c8c6bf20c1307f99 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Tue, 27 Jun 2023 15:05:57 +0100 +Subject: KVM: arm64: timers: Use CNTHCTL_EL2 when setting non-CNTKCTL_EL1 bits + +From: Marc Zyngier + +commit fe769e6c1f80f542d6f4e7f7c8c6bf20c1307f99 upstream. + +It recently appeared that, when running VHE, there is a notable +difference between using CNTKCTL_EL1 and CNTHCTL_EL2, despite what +the architecture documents: + +- When accessed from EL2, bits [19:18] and [16:10] of CNTKCTL_EL1 have + the same assignment as CNTHCTL_EL2 +- When accessed from EL1, bits [19:18] and [16:10] are RES0 + +It is all OK, until you factor in NV, where the EL2 guest runs at EL1. +In this configuration, CNTKCTL_EL11 doesn't trap, nor ends up in +the VNCR page. This means that any write from the guest affecting +CNTHCTL_EL2 using CNTKCTL_EL1 ends up losing some state. Not good. + +The fix it obvious: don't use CNTKCTL_EL1 if you want to change bits +that are not part of the EL1 definition of CNTKCTL_EL1, and use +CNTHCTL_EL2 instead. This doesn't change anything for a bare-metal OS, +and fixes it when running under NV. The NV hypervisor will itself +have to work harder to merge the two accessors. + +Note that there is a pending update to the architecture to address +this issue by making the affected bits UNKNOWN when CNTKCTL_EL1 is +used from EL2 with VHE enabled. 
+ +Fixes: c605ee245097 ("KVM: arm64: timers: Allow physical offset without CNTPOFF_EL2") +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org # v6.4 +Reviewed-by: Eric Auger +Link: https://lore.kernel.org/r/20230627140557.544885-1-maz@kernel.org +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/arch_timer.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm64/kvm/arch_timer.c ++++ b/arch/arm64/kvm/arch_timer.c +@@ -827,8 +827,8 @@ static void timer_set_traps(struct kvm_v + assign_clear_set_bit(tpt, CNTHCTL_EL1PCEN << 10, set, clr); + assign_clear_set_bit(tpc, CNTHCTL_EL1PCTEN << 10, set, clr); + +- /* This only happens on VHE, so use the CNTKCTL_EL1 accessor */ +- sysreg_clear_set(cntkctl_el1, clr, set); ++ /* This only happens on VHE, so use the CNTHCTL_EL2 accessor. */ ++ sysreg_clear_set(cnthctl_el2, clr, set); + } + + void kvm_timer_vcpu_load(struct kvm_vcpu *vcpu) +@@ -1559,7 +1559,7 @@ no_vgic: + void kvm_timer_init_vhe(void) + { + if (cpus_have_final_cap(ARM64_HAS_ECV_CNTPOFF)) +- sysreg_clear_set(cntkctl_el1, 0, CNTHCTL_ECV); ++ sysreg_clear_set(cnthctl_el2, 0, CNTHCTL_ECV); + } + + int kvm_arm_timer_set_attr(struct kvm_vcpu *vcpu, struct kvm_device_attr *attr) diff --git a/tmp-6.4/kvm-arm64-vgic-v4-make-the-doorbell-request-robust-w.r.t-preemption.patch b/tmp-6.4/kvm-arm64-vgic-v4-make-the-doorbell-request-robust-w.r.t-preemption.patch new file mode 100644 index 00000000000..21aed153f1d --- /dev/null +++ b/tmp-6.4/kvm-arm64-vgic-v4-make-the-doorbell-request-robust-w.r.t-preemption.patch 
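Review bot: The rewritten comment in timer_set_traps(), `/* This only happens on VHE, so use the CNTHCTL_EL2 accessor. */`, no longer explains the choice: being on VHE is the case where both accessors work, so the "so" does not follow. The commit message gives the actual reason, that writes through CNTKCTL_EL1 to bits outside its EL1 definition are lost when running under NV. I would record that next to the call, e.g. `/* Bits outside the EL1 view of CNTKCTL_EL1 are lost under NV, so always go through CNTHCTL_EL2. */`, so the accessor is not switched back in a later cleanup. The same applies to kvm_timer_init_vhe(), where CNTHCTL_ECV is set with no comment at all. timer_set_traps() starts outside the hunk.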
@@ -0,0 +1,134 @@ +From b321c31c9b7b309dcde5e8854b741c8e6a9a05f0 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Thu, 13 Jul 2023 08:06:57 +0100 +Subject: KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption + +From: Marc Zyngier + +commit b321c31c9b7b309dcde5e8854b741c8e6a9a05f0 upstream. + +Xiang reports that VMs occasionally fail to boot on GICv4.1 systems when +running a preemptible kernel, as it is possible that a vCPU is blocked +without requesting a doorbell interrupt. + +The issue is that any preemption that occurs between vgic_v4_put() and +schedule() on the block path will mark the vPE as nonresident and *not* +request a doorbell irq. This occurs because when the vcpu thread is +resumed on its way to block, vcpu_load() will make the vPE resident +again. Once the vcpu actually blocks, we don't request a doorbell +anymore, and the vcpu won't be woken up on interrupt delivery. + +Fix it by tracking that we're entering WFI, and key the doorbell +request on that flag. This allows us not to make the vPE resident +when going through a preempt/schedule cycle, meaning we don't lose +any state. 
+ +Cc: stable@vger.kernel.org +Fixes: 8e01d9a396e6 ("KVM: arm64: vgic-v4: Move the GICv4 residency flow to be driven by vcpu_load/put") +Reported-by: Xiang Chen +Suggested-by: Zenghui Yu +Tested-by: Xiang Chen +Co-developed-by: Oliver Upton +Signed-off-by: Marc Zyngier +Acked-by: Zenghui Yu +Link: https://lore.kernel.org/r/20230713070657.3873244-1-maz@kernel.org +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/kvm_host.h | 2 ++ + arch/arm64/kvm/arm.c | 6 ++++-- + arch/arm64/kvm/vgic/vgic-v3.c | 2 +- + arch/arm64/kvm/vgic/vgic-v4.c | 7 +++++-- + include/kvm/arm_vgic.h | 2 +- + 5 files changed, 13 insertions(+), 6 deletions(-) + +--- a/arch/arm64/include/asm/kvm_host.h ++++ b/arch/arm64/include/asm/kvm_host.h +@@ -701,6 +701,8 @@ struct kvm_vcpu_arch { + #define DBG_SS_ACTIVE_PENDING __vcpu_single_flag(sflags, BIT(5)) + /* PMUSERENR for the guest EL0 is on physical CPU */ + #define PMUSERENR_ON_CPU __vcpu_single_flag(sflags, BIT(6)) ++/* WFI instruction trapped */ ++#define IN_WFI __vcpu_single_flag(sflags, BIT(7)) + + + /* Pointer to the vcpu's SVE FFR for sve_{save,load}_state() */ +--- a/arch/arm64/kvm/arm.c ++++ b/arch/arm64/kvm/arm.c +@@ -704,13 +704,15 @@ void kvm_vcpu_wfi(struct kvm_vcpu *vcpu) + */ + preempt_disable(); + kvm_vgic_vmcr_sync(vcpu); +- vgic_v4_put(vcpu, true); ++ vcpu_set_flag(vcpu, IN_WFI); ++ vgic_v4_put(vcpu); + preempt_enable(); + + kvm_vcpu_halt(vcpu); + vcpu_clear_flag(vcpu, IN_WFIT); + + preempt_disable(); ++ vcpu_clear_flag(vcpu, IN_WFI); + vgic_v4_load(vcpu); + preempt_enable(); + } +@@ -778,7 +780,7 @@ static int check_vcpu_requests(struct kv + if (kvm_check_request(KVM_REQ_RELOAD_GICv4, vcpu)) { + /* The distributor enable bits were changed */ + preempt_disable(); +- vgic_v4_put(vcpu, false); ++ vgic_v4_put(vcpu); + vgic_v4_load(vcpu); + preempt_enable(); + } +--- a/arch/arm64/kvm/vgic/vgic-v3.c ++++ b/arch/arm64/kvm/vgic/vgic-v3.c +@@ -749,7 +749,7 @@ void vgic_v3_put(struct kvm_vcpu 
*vcpu) + { + struct vgic_v3_cpu_if *cpu_if = &vcpu->arch.vgic_cpu.vgic_v3; + +- WARN_ON(vgic_v4_put(vcpu, false)); ++ WARN_ON(vgic_v4_put(vcpu)); + + vgic_v3_vmcr_sync(vcpu); + +--- a/arch/arm64/kvm/vgic/vgic-v4.c ++++ b/arch/arm64/kvm/vgic/vgic-v4.c +@@ -336,14 +336,14 @@ void vgic_v4_teardown(struct kvm *kvm) + its_vm->vpes = NULL; + } + +-int vgic_v4_put(struct kvm_vcpu *vcpu, bool need_db) ++int vgic_v4_put(struct kvm_vcpu *vcpu) + { + struct its_vpe *vpe = &vcpu->arch.vgic_cpu.vgic_v3.its_vpe; + + if (!vgic_supports_direct_msis(vcpu->kvm) || !vpe->resident) + return 0; + +- return its_make_vpe_non_resident(vpe, need_db); ++ return its_make_vpe_non_resident(vpe, !!vcpu_get_flag(vcpu, IN_WFI)); + } + + int vgic_v4_load(struct kvm_vcpu *vcpu) +@@ -354,6 +354,9 @@ int vgic_v4_load(struct kvm_vcpu *vcpu) + if (!vgic_supports_direct_msis(vcpu->kvm) || vpe->resident) + return 0; + ++ if (vcpu_get_flag(vcpu, IN_WFI)) ++ return 0; ++ + /* + * Before making the VPE resident, make sure the redistributor + * corresponding to our current CPU expects us here. See the +--- a/include/kvm/arm_vgic.h ++++ b/include/kvm/arm_vgic.h +@@ -431,7 +431,7 @@ int kvm_vgic_v4_unset_forwarding(struct + + int vgic_v4_load(struct kvm_vcpu *vcpu); + void vgic_v4_commit(struct kvm_vcpu *vcpu); +-int vgic_v4_put(struct kvm_vcpu *vcpu, bool need_db); ++int vgic_v4_put(struct kvm_vcpu *vcpu); + + /* CPU HP callbacks */ + void kvm_vgic_cpu_up(void); diff --git a/tmp-6.4/llc-don-t-drop-packet-from-non-root-netns.patch b/tmp-6.4/llc-don-t-drop-packet-from-non-root-netns.patch new file mode 100644 index 00000000000..4a6e0b72084 --- /dev/null +++ b/tmp-6.4/llc-don-t-drop-packet-from-non-root-netns.patch 
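Review bot: IN_WFI is documented in kvm_host.h only as `/* WFI instruction trapped */`, but after this change vgic_v4_put() derives its doorbell request from it and vgic_v4_load() returns 0 without making the vPE resident while it is set. A comment stating that contract would help, e.g. `/* vCPU is blocking in WFI: vgic_v4_put() requests a doorbell, vgic_v4_load() is a no-op */`. The early `return 0` in vgic_v4_load() also deserves a one-line comment, since callers cannot tell it apart from a completed load. kvm_vcpu_wfi() sets and clears the flag inside its two preempt-disabled sections; that function starts outside the hunk.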
@@ -0,0 +1,50 @@
+From ab300723a1ee5601a0a426d0d158f60c650f82d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Jul 2023 10:41:51 -0700
+Subject: llc: Don't drop packet from non-root netns.
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit 6631463b6e6673916d2481f692938f393148aa82 ]
+
+Now these upper layer protocol handlers can be called from llc_rcv()
+as sap->rcv_func(), which is registered by llc_sap_open().
+
+ * function which is passed to register_8022_client()
+ -> no in-kernel user calls register_8022_client().
+
+ * snap_rcv()
+ `- proto->rcvfunc() : registered by register_snap_client()
+ -> aarp_rcv() and atalk_rcv() drop packets from non-root netns
+
+ * stp_pdu_rcv()
+ `- garp_protos[]->rcv() : registered by stp_proto_register()
+ -> garp_pdu_rcv() and br_stp_rcv() are netns-aware
+
+So, we can safely remove the netns restriction in llc_rcv().
+
+Fixes: e730c15519d0 ("[NET]: Make packet reception network namespace safe")
+Signed-off-by: Kuniyuki Iwashima
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ net/llc/llc_input.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
+index c309b72a58779..7cac441862e21 100644
+--- a/net/llc/llc_input.c
++++ b/net/llc/llc_input.c
+@@ -163,9 +163,6 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
+ void (*sta_handler)(struct sk_buff *skb);
+ void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb);
+
+- if (!net_eq(dev_net(dev), &init_net))
+- goto drop;
+-
+ /*
+ * When the interface is in promisc. mode, drop all the crap that it
+ * receives, do not try to analyse it.
+--
+2.39.2
+
diff --git a/tmp-6.4/maple_tree-fix-node-allocation-testing-on-32-bit.patch b/tmp-6.4/maple_tree-fix-node-allocation-testing-on-32-bit.patch
new file mode 100644
index 00000000000..50edbd715e6
--- /dev/null
+++ b/tmp-6.4/maple_tree-fix-node-allocation-testing-on-32-bit.patch
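Review bot: Dropping the `net_eq(dev_net(dev), &init_net)` check at the top of llc_rcv() lets frames received on devices in any network namespace reach the rest of the LLC receive path, which widens the input this parser has to tolerate. The commit message audits only the sap->rcv_func() users; the sta_handler/sap_handler dispatch and the header-length validation further down in llc_rcv() are outside the hunk and should be confirmed netns-safe and robust against malformed frames before this is backported. I would also leave a comment where the check used to be, e.g. `/* Every sap->rcv_func() user must be netns-aware or drop non-init_net frames itself. */`, so that a handler added later is held to the same property.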
@@ -0,0 +1,40 @@
+From ef5c3de5211b5a3a8102b25aa83eb4cde65ac2fd Mon Sep 17 00:00:00 2001
+From: "Liam R. Howlett"
+Date: Wed, 12 Jul 2023 13:39:16 -0400
+Subject: maple_tree: fix node allocation testing on 32 bit
+
+From: Liam R. Howlett
+
+commit ef5c3de5211b5a3a8102b25aa83eb4cde65ac2fd upstream.
+
+Internal node counting was altered and the 64 bit test was updated,
+however the 32bit test was missed.
+
+Restore the 32bit test to a functional state.
+
+Link: https://lore.kernel.org/linux-mm/CAMuHMdV4T53fOw7VPoBgPR7fP6RYqf=CBhD_y_vOg53zZX_DnA@mail.gmail.com/
+Link: https://lkml.kernel.org/r/20230712173916.168805-2-Liam.Howlett@oracle.com
+Fixes: 541e06b772c1 ("maple_tree: remove GFP_ZERO from kmem_cache_alloc() and kmem_cache_alloc_bulk()")
+Signed-off-by: Liam R. Howlett
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/radix-tree/maple.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/tools/testing/radix-tree/maple.c
++++ b/tools/testing/radix-tree/maple.c
+@@ -206,9 +206,9 @@ static noinline void check_new_node(stru
+ e = i - 1;
+ } else {
+ if (i >= 4)
+- e = i - 4;
+- else if (i == 3)
+- e = i - 2;
++ e = i - 3;
++ else if (i >= 1)
++ e = i - 1;
+ else
+ e = 0;
+ }
diff --git a/tmp-6.4/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch b/tmp-6.4/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch
new file mode 100644
index 00000000000..a246c4bc1cb
--- /dev/null
+++ b/tmp-6.4/maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch
@@ -0,0 +1,44 @@
+From 3c769fd88b9742954763a968e84de09f7ad78cfe Mon Sep 17 00:00:00 2001
+From: Peng Zhang
+Date: Tue, 11 Jul 2023 11:54:37 +0800
+Subject: maple_tree: set the node limit when creating a new root node
+
+From: Peng Zhang
+
+commit 3c769fd88b9742954763a968e84de09f7ad78cfe upstream.
+
+Set the node limit of the root node so that the last pivot of all nodes is
+the node limit (if the node is not full).
+
+This patch also fixes a bug in mas_rev_awalk(). Effectively, always
+setting a maximum makes mas_logical_pivot() behave as mas_safe_pivot().
+Without this fix, it is possible that very small tasks would fail to find
+the correct gap. Although this has not been observed with real tasks, it
+has been reported to happen in m68k nommu running the maple tree tests.
+
+Link: https://lkml.kernel.org/r/20230711035444.526-1-zhangpeng.00@bytedance.com
+Link: https://lore.kernel.org/linux-mm/CAMuHMdV4T53fOw7VPoBgPR7fP6RYqf=CBhD_y_vOg53zZX_DnA@mail.gmail.com/
+Link: https://lkml.kernel.org/r/20230711035444.526-2-zhangpeng.00@bytedance.com
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Peng Zhang
+Reviewed-by: Liam R. Howlett
+Tested-by: Geert Uytterhoeven
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/maple_tree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -3693,7 +3693,8 @@ static inline int mas_root_expand(struct
+ mas->offset = slot;
+ pivots[slot] = mas->last;
+ if (mas->last != ULONG_MAX)
+- slot++;
++ pivots[++slot] = ULONG_MAX;
++
+ mas->depth = 1;
+ mas_set_height(mas);
+ ma_set_meta(node, maple_leaf_64, 0, slot);
diff --git a/tmp-6.4/md-fix-data-corruption-for-raid456-when-reshape-rest.patch b/tmp-6.4/md-fix-data-corruption-for-raid456-when-reshape-rest.patch
new file mode 100644
index 00000000000..d6817daedd1
--- /dev/null
+++ b/tmp-6.4/md-fix-data-corruption-for-raid456-when-reshape-rest.patch
@@ -0,0 +1,60 @@
+From 80f2228049410e7eff45840000d380b5604945b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 May 2023 09:56:07 +0800
+Subject: md: fix data corruption for raid456 when reshape restart while grow
+ up
+
+From: Yu Kuai
+
+[ Upstream commit 873f50ece41aad5c4f788a340960c53774b5526e ]
+
+Currently, if reshape is interrupted, echo "reshape" to sync_action will
+restart reshape from scratch, for example:
+
+echo frozen > sync_action
+echo reshape > sync_action
+
+This will corrupt data before reshape_position if the array is growing,
+fix the problem by continue reshape from reshape_position.
+
+Reported-by: Peter Neuwirth
+Link: https://lore.kernel.org/linux-raid/e2f96772-bfbc-f43b-6da1-f520e5164536@online.de/
+Signed-off-by: Yu Kuai
+Signed-off-by: Song Liu
+Link: https://lore.kernel.org/r/20230512015610.821290-3-yukuai1@huaweicloud.com
+Signed-off-by: Sasha Levin
+---
+ drivers/md/md.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 350094f1cb09f..18384251399ab 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -4807,11 +4807,21 @@ action_store(struct mddev *mddev, const char *page, size_t len)
+ return -EINVAL;
+ err = mddev_lock(mddev);
+ if (!err) {
+- if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))
++ if (test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) {
+ err = -EBUSY;
+- else {
++ } else if (mddev->reshape_position == MaxSector ||
++ mddev->pers->check_reshape == NULL ||
++ mddev->pers->check_reshape(mddev)) {
+ clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery);
+ err = mddev->pers->start_reshape(mddev);
++ } else {
++ /*
++ * If reshape is still in progress, and
++ * md_check_recovery() can continue to reshape,
++ * don't restart reshape because data can be
++ * corrupted for raid456.
++ */
++ clear_bit(MD_RECOVERY_FROZEN, &mddev->recovery);
+ }
+ mddev_unlock(mddev);
+ }
+--
+2.39.2
+
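Review bot: The new `else if` in action_store() uses `mddev->pers->check_reshape(mddev)` purely as a predicate, so any non-zero result, presumably including an error return, lands in the branch that calls start_reshape(), which is the restart the commit message says corrupts data on a growing array. A comment above the condition would make the intent reviewable, e.g. `/* restart only if no reshape is in flight, or the personality cannot or will not resume it */`. If an error from check_reshape() is not meant to lead to start_reshape(), it should be captured and returned instead. In the final `else` branch err stays 0, so the writer is told the request succeeded with no sign that the reshape was resumed rather than restarted. action_store() begins and ends outside the hunk.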
diff --git a/tmp-6.4/md-raid10-prevent-soft-lockup-while-flush-writes.patch b/tmp-6.4/md-raid10-prevent-soft-lockup-while-flush-writes.patch
new file mode 100644
index 00000000000..b2cb0c775d8
--- /dev/null
+++ b/tmp-6.4/md-raid10-prevent-soft-lockup-while-flush-writes.patch
@@ -0,0 +1,79 @@ +From ef7e4e57e0ab49f62d54a77d61419b84c4936aff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 May 2023 21:11:00 +0800 +Subject: md/raid10: prevent soft lockup while flush writes + +From: Yu Kuai + +[ Upstream commit 010444623e7f4da6b4a4dd603a7da7469981e293 ] + +Currently, there is no limit for raid1/raid10 plugged bio. While flushing +writes, raid1 has cond_resched() while raid10 doesn't, and too many +writes can cause soft lockup. + +Follow up soft lockup can be triggered easily with writeback test for +raid10 with ramdisks: + +watchdog: BUG: soft lockup - CPU#10 stuck for 27s! [md0_raid10:1293] +Call Trace: + + call_rcu+0x16/0x20 + put_object+0x41/0x80 + __delete_object+0x50/0x90 + delete_object_full+0x2b/0x40 + kmemleak_free+0x46/0xa0 + slab_free_freelist_hook.constprop.0+0xed/0x1a0 + kmem_cache_free+0xfd/0x300 + mempool_free_slab+0x1f/0x30 + mempool_free+0x3a/0x100 + bio_free+0x59/0x80 + bio_put+0xcf/0x2c0 + free_r10bio+0xbf/0xf0 + raid_end_bio_io+0x78/0xb0 + one_write_done+0x8a/0xa0 + raid10_end_write_request+0x1b4/0x430 + bio_endio+0x175/0x320 + brd_submit_bio+0x3b9/0x9b7 [brd] + __submit_bio+0x69/0xe0 + submit_bio_noacct_nocheck+0x1e6/0x5a0 + submit_bio_noacct+0x38c/0x7e0 + flush_pending_writes+0xf0/0x240 + raid10d+0xac/0x1ed0 + +Fix the problem by adding cond_resched() to raid10 like what raid1 did. + +Note that unlimited plugged bio still need to be optimized, for example, +in the case of lots of dirty pages writeback, this will take lots of +memory and io will spend a long time in plug, hence io latency is bad. 
+ +Signed-off-by: Yu Kuai +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20230529131106.2123367-2-yukuai1@huaweicloud.com +Signed-off-by: Sasha Levin +--- + drivers/md/raid10.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c +index 9d23963496194..ee75b058438f3 100644 +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -920,6 +920,7 @@ static void flush_pending_writes(struct r10conf *conf) + + raid1_submit_write(bio); + bio = next; ++ cond_resched(); + } + blk_finish_plug(&plug); + } else +@@ -1132,6 +1133,7 @@ static void raid10_unplug(struct blk_plug_cb *cb, bool from_schedule) + + raid1_submit_write(bio); + bio = next; ++ cond_resched(); + } + kfree(plug); + } +-- +2.39.2 + diff --git a/tmp-6.4/mips-dec-prom-address-warray-bounds-warning.patch b/tmp-6.4/mips-dec-prom-address-warray-bounds-warning.patch new file mode 100644 index 00000000000..c2f17fc583d --- /dev/null +++ b/tmp-6.4/mips-dec-prom-address-warray-bounds-warning.patch 
@@ -0,0 +1,56 @@
+From c903bed38cada61c448c48520cd02ec55c71c4bb Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Thu, 22 Jun 2023 17:43:57 -0600
+Subject: [PATCH AUTOSEL 5.4 10/12] MIPS: dec: prom: Address -Warray-bounds
+ warning
+X-stable: review
+X-Patchwork-Hint: Ignore
+X-stable-base: Linux 5.4.249
+
+[ Upstream commit 7b191b9b55df2a844bd32d1d380f47a7df1c2896 ]
+
+Zero-length arrays are deprecated, and we are replacing them with flexible
+array members instead. So, replace zero-length array with flexible-array
+member in struct memmap.
+
+Address the following warning found after building (with GCC-13) mips64
+with decstation_64_defconfig:
+In function 'rex_setup_memory_region',
+ inlined from 'prom_meminit' at arch/mips/dec/prom/memory.c:91:3:
+arch/mips/dec/prom/memory.c:72:31: error: array subscript i is outside array bounds of 'unsigned char[0]' [-Werror=array-bounds=]
+ 72 | if (bm->bitmap[i] == 0xff)
+ | ~~~~~~~~~~^~~
+In file included from arch/mips/dec/prom/memory.c:16:
+./arch/mips/include/asm/dec/prom.h: In function 'prom_meminit':
+./arch/mips/include/asm/dec/prom.h:73:23: note: while referencing 'bitmap'
+ 73 | unsigned char bitmap[0];
+
+This helps with the ongoing efforts to globally enable -Warray-bounds.
+
+This results in no differences in binary output.
+
+Link: https://github.com/KSPP/linux/issues/79
+Link: https://github.com/KSPP/linux/issues/323
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/include/asm/dec/prom.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/dec/prom.h b/arch/mips/include/asm/dec/prom.h
+index 1e1247add1cf8..908e96e3a3117 100644
+--- a/arch/mips/include/asm/dec/prom.h
++++ b/arch/mips/include/asm/dec/prom.h
+@@ -70,7 +70,7 @@ static inline bool prom_is_rex(u32 magic)
+ */
+ typedef struct {
+ int pagesize;
+- unsigned char bitmap[0];
++ unsigned char bitmap[];
+ } memmap;
+
+
+--
+2.39.2
+
diff --git a/tmp-6.4/mm-mlock-fix-vma-iterator-conversion-of-apply_vma_lock_flags.patch b/tmp-6.4/mm-mlock-fix-vma-iterator-conversion-of-apply_vma_lock_flags.patch
new file mode 100644
index 00000000000..cdab42a7c6d
--- /dev/null
+++ b/tmp-6.4/mm-mlock-fix-vma-iterator-conversion-of-apply_vma_lock_flags.patch
@@ -0,0 +1,70 @@ +From 2658f94d679243209889cdfa8de3743cde1abea9 Mon Sep 17 00:00:00 2001 +From: "Liam R. Howlett" +Date: Tue, 11 Jul 2023 13:50:20 -0400 +Subject: mm/mlock: fix vma iterator conversion of apply_vma_lock_flags() + +From: Liam R. Howlett + +commit 2658f94d679243209889cdfa8de3743cde1abea9 upstream. + +apply_vma_lock_flags() calls mlock_fixup(), which could merge the VMA +after where the vma iterator is located. Although this is not an issue, +the next iteration of the loop will check the start of the vma to be equal +to the locally saved 'tmp' variable and cause an incorrect failure +scenario. Fix the error by setting tmp to the end of the vma iterator +value before restarting the loop. + +There is also a potential of the error code being overwritten when the +loop terminates early. Fix the return issue by directly returning when an +error is encountered since there is nothing to undo after the loop. + +Link: https://lkml.kernel.org/r/20230711175020.4091336-1-Liam.Howlett@oracle.com +Fixes: 37598f5a9d8b ("mlock: convert mlock to vma iterator") +Signed-off-by: Liam R. 
Howlett +Reported-by: Ryan Roberts + Link: https://lore.kernel.org/linux-mm/50341ca1-d582-b33a-e3d0-acb08a65166f@arm.com/ +Tested-by: Ryan Roberts +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/mlock.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/mm/mlock.c ++++ b/mm/mlock.c +@@ -471,7 +471,6 @@ static int apply_vma_lock_flags(unsigned + { + unsigned long nstart, end, tmp; + struct vm_area_struct *vma, *prev; +- int error; + VMA_ITERATOR(vmi, current->mm, start); + + VM_BUG_ON(offset_in_page(start)); +@@ -492,6 +491,7 @@ static int apply_vma_lock_flags(unsigned + nstart = start; + tmp = vma->vm_start; + for_each_vma_range(vmi, vma, end) { ++ int error; + vm_flags_t newflags; + + if (vma->vm_start != tmp) +@@ -505,14 +505,15 @@ static int apply_vma_lock_flags(unsigned + tmp = end; + error = mlock_fixup(&vmi, vma, &prev, nstart, tmp, newflags); + if (error) +- break; ++ return error; ++ tmp = vma_iter_end(&vmi); + nstart = tmp; + } + +- if (vma_iter_end(&vmi) < end) ++ if (tmp < end) + return -ENOMEM; + +- return error; ++ return 0; + } + + /* diff --git a/tmp-6.4/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch b/tmp-6.4/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch new file mode 100644 index 00000000000..258fa77bfad --- /dev/null +++ b/tmp-6.4/net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch 
@@ -0,0 +1,94 @@ +From a7360bc2cf287cca1717eceba861bb3b9886c55e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 17:46:22 -0700 +Subject: net: dsa: microchip: correct KSZ8795 static MAC table access + +From: Tristram Ha + +[ Upstream commit 4bdf79d686b49ac49373b36466acfb93972c7d7c ] + +The KSZ8795 driver code was modified to use on KSZ8863/73, which has +different register definitions. Some of the new KSZ8795 register +information are wrong compared to previous code. + +KSZ8795 also behaves differently in that the STATIC_MAC_TABLE_USE_FID +and STATIC_MAC_TABLE_FID bits are off by 1 when doing MAC table reading +than writing. To compensate that a special code was added to shift the +register value by 1 before applying those bits. This is wrong when the +code is running on KSZ8863, so this special code is only executed when +KSZ8795 is detected. + +Fixes: 4b20a07e103f ("net: dsa: microchip: ksz8795: add support for ksz88xx chips") +Signed-off-by: Tristram Ha +Reviewed-by: Horatiu Vultur +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz8795.c | 8 +++++++- + drivers/net/dsa/microchip/ksz_common.c | 8 ++++---- + drivers/net/dsa/microchip/ksz_common.h | 7 +++++++ + 3 files changed, 18 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c +index f56fca1b1a222..cc5b19a3d0df2 100644 +--- a/drivers/net/dsa/microchip/ksz8795.c ++++ b/drivers/net/dsa/microchip/ksz8795.c +@@ -506,7 +506,13 @@ static int ksz8_r_sta_mac_table(struct ksz_device *dev, u16 addr, + (data_hi & masks[STATIC_MAC_TABLE_FWD_PORTS]) >> + shifts[STATIC_MAC_FWD_PORTS]; + alu->is_override = (data_hi & masks[STATIC_MAC_TABLE_OVERRIDE]) ? 1 : 0; +- data_hi >>= 1; ++ ++ /* KSZ8795 family switches have STATIC_MAC_TABLE_USE_FID and ++ * STATIC_MAC_TABLE_FID definitions off by 1 when doing read on the ++ * static MAC table compared to doing write. 
++ */ ++ if (ksz_is_ksz87xx(dev)) ++ data_hi >>= 1; + alu->is_static = true; + alu->is_use_fid = (data_hi & masks[STATIC_MAC_TABLE_USE_FID]) ? 1 : 0; + alu->fid = (data_hi & masks[STATIC_MAC_TABLE_FID]) >> +diff --git a/drivers/net/dsa/microchip/ksz_common.c b/drivers/net/dsa/microchip/ksz_common.c +index a4428be5f483c..a0ba2605bb620 100644 +--- a/drivers/net/dsa/microchip/ksz_common.c ++++ b/drivers/net/dsa/microchip/ksz_common.c +@@ -331,13 +331,13 @@ static const u32 ksz8795_masks[] = { + [STATIC_MAC_TABLE_VALID] = BIT(21), + [STATIC_MAC_TABLE_USE_FID] = BIT(23), + [STATIC_MAC_TABLE_FID] = GENMASK(30, 24), +- [STATIC_MAC_TABLE_OVERRIDE] = BIT(26), +- [STATIC_MAC_TABLE_FWD_PORTS] = GENMASK(24, 20), ++ [STATIC_MAC_TABLE_OVERRIDE] = BIT(22), ++ [STATIC_MAC_TABLE_FWD_PORTS] = GENMASK(20, 16), + [DYNAMIC_MAC_TABLE_ENTRIES_H] = GENMASK(6, 0), +- [DYNAMIC_MAC_TABLE_MAC_EMPTY] = BIT(8), ++ [DYNAMIC_MAC_TABLE_MAC_EMPTY] = BIT(7), + [DYNAMIC_MAC_TABLE_NOT_READY] = BIT(7), + [DYNAMIC_MAC_TABLE_ENTRIES] = GENMASK(31, 29), +- [DYNAMIC_MAC_TABLE_FID] = GENMASK(26, 20), ++ [DYNAMIC_MAC_TABLE_FID] = GENMASK(22, 16), + [DYNAMIC_MAC_TABLE_SRC_PORT] = GENMASK(26, 24), + [DYNAMIC_MAC_TABLE_TIMESTAMP] = GENMASK(28, 27), + [P_MII_TX_FLOW_CTRL] = BIT(5), +diff --git a/drivers/net/dsa/microchip/ksz_common.h b/drivers/net/dsa/microchip/ksz_common.h +index 8abecaf6089ef..33d9a2f6af27a 100644 +--- a/drivers/net/dsa/microchip/ksz_common.h ++++ b/drivers/net/dsa/microchip/ksz_common.h +@@ -569,6 +569,13 @@ static inline void ksz_regmap_unlock(void *__mtx) + mutex_unlock(mtx); + } + ++static inline bool ksz_is_ksz87xx(struct ksz_device *dev) ++{ ++ return dev->chip_id == KSZ8795_CHIP_ID || ++ dev->chip_id == KSZ8794_CHIP_ID || ++ dev->chip_id == KSZ8765_CHIP_ID; ++} ++ + static inline bool ksz_is_ksz88x3(struct ksz_device *dev) + { + return dev->chip_id == KSZ8830_CHIP_ID; +-- +2.39.2 + 
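Review bot: After this change ksz8795_masks[] has `[DYNAMIC_MAC_TABLE_MAC_EMPTY] = BIT(7)` immediately followed by `[DYNAMIC_MAC_TABLE_NOT_READY] = BIT(7)`, and nothing in the table says which register word each mask is applied to. If the two are tested against different parts of the dynamic MAC table read, which the code using them (outside this hunk) would have to confirm, a short comment on each entry naming its register word would stop the pair being read as a copy-paste error. The new ksz_is_ksz87xx() helper in ksz_common.h would similarly benefit from a one-line comment saying it gates the read-side shift of the STATIC_MAC_TABLE_USE_FID and STATIC_MAC_TABLE_FID bits, so that a newly supported chip id is deliberately added or left out.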
diff --git a/tmp-6.4/net-ethernet-litex-add-support-for-64-bit-stats.patch b/tmp-6.4/net-ethernet-litex-add-support-for-64-bit-stats.patch
new file mode 100644
index 00000000000..3a167dfd58f
--- /dev/null
+++ b/tmp-6.4/net-ethernet-litex-add-support-for-64-bit-stats.patch
@@ -0,0 +1,82 @@ +From 34e9af935105e7093a075c88cfc44a3f7868b627 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 00:20:35 +0800 +Subject: net: ethernet: litex: add support for 64 bit stats + +From: Jisheng Zhang + +[ Upstream commit 18da174d865a87d47d2f33f5b0a322efcf067728 ] + +Implement 64 bit per cpu stats to fix the overflow of netdev->stats +on 32 bit platforms. To simplify the code, we use net core +pcpu_sw_netstats infrastructure. One small drawback is some memory +overhead because litex uses just one queue, but we allocate the +counters per cpu. + +Signed-off-by: Jisheng Zhang +Reviewed-by: Simon Horman +Acked-by: Gabriel Somlo +Link: https://lore.kernel.org/r/20230614162035.300-1-jszhang@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/litex/litex_liteeth.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/litex/litex_liteeth.c b/drivers/net/ethernet/litex/litex_liteeth.c +index 35f24e0f09349..ffa96059079c6 100644 +--- a/drivers/net/ethernet/litex/litex_liteeth.c ++++ b/drivers/net/ethernet/litex/litex_liteeth.c +@@ -78,8 +78,7 @@ static int liteeth_rx(struct net_device *netdev) + memcpy_fromio(data, priv->rx_base + rx_slot * priv->slot_size, len); + skb->protocol = eth_type_trans(skb, netdev); + +- netdev->stats.rx_packets++; +- netdev->stats.rx_bytes += len; ++ dev_sw_netstats_rx_add(netdev, len); + + return netif_rx(skb); + +@@ -185,8 +184,7 @@ static netdev_tx_t liteeth_start_xmit(struct sk_buff *skb, + litex_write16(priv->base + LITEETH_READER_LENGTH, skb->len); + litex_write8(priv->base + LITEETH_READER_START, 1); + +- netdev->stats.tx_bytes += skb->len; +- netdev->stats.tx_packets++; ++ dev_sw_netstats_tx_add(netdev, 1, skb->len); + + priv->tx_slot = (priv->tx_slot + 1) % priv->num_tx_slots; + dev_kfree_skb_any(skb); +@@ -194,9 +192,17 @@ static netdev_tx_t liteeth_start_xmit(struct sk_buff *skb, + return NETDEV_TX_OK; + 
} + ++static void ++liteeth_get_stats64(struct net_device *netdev, struct rtnl_link_stats64 *stats) ++{ ++ netdev_stats_to_stats64(stats, &netdev->stats); ++ dev_fetch_sw_netstats(stats, netdev->tstats); ++} ++ + static const struct net_device_ops liteeth_netdev_ops = { + .ndo_open = liteeth_open, + .ndo_stop = liteeth_stop, ++ .ndo_get_stats64 = liteeth_get_stats64, + .ndo_start_xmit = liteeth_start_xmit, + }; + +@@ -242,6 +248,11 @@ static int liteeth_probe(struct platform_device *pdev) + priv->netdev = netdev; + priv->dev = &pdev->dev; + ++ netdev->tstats = devm_netdev_alloc_pcpu_stats(&pdev->dev, ++ struct pcpu_sw_netstats); ++ if (!netdev->tstats) ++ return -ENOMEM; ++ + irq = platform_get_irq(pdev, 0); + if (irq < 0) + return irq; +-- +2.39.2 + diff --git a/tmp-6.4/net-ethernet-mtk_eth_soc-always-mtk_get_ib1_pkt_type.patch b/tmp-6.4/net-ethernet-mtk_eth_soc-always-mtk_get_ib1_pkt_type.patch new file mode 100644 index 00000000000..653b4cbb470 --- /dev/null +++ b/tmp-6.4/net-ethernet-mtk_eth_soc-always-mtk_get_ib1_pkt_type.patch 
@@ -0,0 +1,40 @@
+From 4cb705f4015d47ec6907fcb6d63ca051b0729491 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 01:39:36 +0100
+Subject: net: ethernet: mtk_eth_soc: always mtk_get_ib1_pkt_type
+
+From: Daniel Golle
+
+[ Upstream commit 9f9d4c1a2e82174a4e799ec405284a2b0de32b6a ]
+
+entries and bind debugfs files would display wrong data on NETSYS_V2 and
+later because instead of using mtk_get_ib1_pkt_type the driver would use
+MTK_FOE_IB1_PACKET_TYPE which corresponds to NETSYS_V1(.x) SoCs.
+Use mtk_get_ib1_pkt_type so entries and bind records display correctly.
+
+Fixes: 03a3180e5c09e ("net: ethernet: mtk_eth_soc: introduce flow offloading support for mt7986")
+Signed-off-by: Daniel Golle
+Acked-by: Lorenzo Bianconi
+Link: https://lore.kernel.org/r/c0ae03d0182f4d27b874cbdf0059bc972c317f3c.1689727134.git.daniel@makrotopia.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mediatek/mtk_ppe_debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_ppe_debugfs.c b/drivers/net/ethernet/mediatek/mtk_ppe_debugfs.c
+index 316fe2e70fead..1a97feca77f23 100644
+--- a/drivers/net/ethernet/mediatek/mtk_ppe_debugfs.c
++++ b/drivers/net/ethernet/mediatek/mtk_ppe_debugfs.c
+@@ -98,7 +98,7 @@ mtk_ppe_debugfs_foe_show(struct seq_file *m, void *private, bool bind)
+
+ acct = mtk_foe_entry_get_mib(ppe, i, NULL);
+
+- type = FIELD_GET(MTK_FOE_IB1_PACKET_TYPE, entry->ib1);
++ type = mtk_get_ib1_pkt_type(ppe->eth, entry->ib1);
+ seq_printf(m, "%05x %s %7s", i,
+ mtk_foe_entry_state_str(state),
+ mtk_foe_pkt_type_str(type));
+--
+2.39.2
+
diff --git a/tmp-6.4/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch b/tmp-6.4/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch
new file mode 100644
index 00000000000..07bff9f3a74
--- /dev/null
+++ b/tmp-6.4/net-ethernet-mtk_eth_soc-handle-probe-deferral.patch
@@ -0,0 +1,86 @@ +From 8c1eaba2f6d01540a7166c686b9673e70df454c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 03:42:29 +0100 +Subject: net: ethernet: mtk_eth_soc: handle probe deferral + +From: Daniel Golle + +[ Upstream commit 1d6d537dc55d1f42d16290f00157ac387985b95b ] + +Move the call to of_get_ethdev_address to mtk_add_mac which is part of +the probe function and can hence itself return -EPROBE_DEFER should +of_get_ethdev_address return -EPROBE_DEFER. This allows us to entirely +get rid of the mtk_init function. + +The problem of of_get_ethdev_address returning -EPROBE_DEFER surfaced +in situations in which the NVMEM provider holding the MAC address has +not yet be loaded at the time mtk_eth_soc is initially probed. In this +case probing of mtk_eth_soc should be deferred instead of falling back +to use a random MAC address, so once the NVMEM provider becomes +available probing can be repeated. + +Fixes: 656e705243fd ("net-next: mediatek: add support for MT7623 ethernet") +Signed-off-by: Daniel Golle +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 29 ++++++++------------- + 1 file changed, 11 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index 834c644b67db5..2d15342c260ae 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -3846,23 +3846,6 @@ static int mtk_hw_deinit(struct mtk_eth *eth) + return 0; + } + +-static int __init mtk_init(struct net_device *dev) +-{ +- struct mtk_mac *mac = netdev_priv(dev); +- struct mtk_eth *eth = mac->hw; +- int ret; +- +- ret = of_get_ethdev_address(mac->of_node, dev); +- if (ret) { +- /* If the mac address is invalid, use random mac address */ +- eth_hw_addr_random(dev); +- dev_err(eth->dev, "generated random MAC address %pM\n", +- dev->dev_addr); +- } +- +- return 0; +-} +- + static void mtk_uninit(struct net_device *dev) + { + struct mtk_mac *mac = netdev_priv(dev); +@@ -4278,7 +4261,6 @@ static const struct ethtool_ops mtk_ethtool_ops = { + }; + + static const struct net_device_ops mtk_netdev_ops = { +- .ndo_init = mtk_init, + .ndo_uninit = mtk_uninit, + .ndo_open = mtk_open, + .ndo_stop = mtk_stop, +@@ -4340,6 +4322,17 @@ static int mtk_add_mac(struct mtk_eth *eth, struct device_node *np) + mac->hw = eth; + mac->of_node = np; + ++ err = of_get_ethdev_address(mac->of_node, eth->netdev[id]); ++ if (err == -EPROBE_DEFER) ++ return err; ++ ++ if (err) { ++ /* If the mac address is invalid, use random mac address */ ++ eth_hw_addr_random(eth->netdev[id]); ++ dev_err(eth->dev, "generated random MAC address %pM\n", ++ eth->netdev[id]->dev_addr); ++ } ++ + memset(mac->hwlro_ip, 0, sizeof(mac->hwlro_ip)); + mac->hwlro_ip_cnt = 0; + +-- +2.39.2 + diff --git a/tmp-6.4/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch b/tmp-6.4/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch new file mode 100644 index 00000000000..aa4f166c2e0 
--- /dev/null
+++ b/tmp-6.4/net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch
@@ -0,0 +1,78 @@ +From 0734d7075e1b22684e639d53914c1b54e355f26f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jul 2023 16:36:57 +0530 +Subject: net: ethernet: ti: cpsw_ale: Fix + cpsw_ale_get_field()/cpsw_ale_set_field() + +From: Tanmay Patil + +[ Upstream commit b685f1a58956fa36cc01123f253351b25bfacfda ] + +CPSW ALE has 75 bit ALE entries which are stored within three 32 bit words. +The cpsw_ale_get_field() and cpsw_ale_set_field() functions assume that the +field will be strictly contained within one word. However, this is not +guaranteed to be the case and it is possible for ALE field entries to span +across up to two words at the most. + +Fix the methods to handle getting/setting fields spanning up to two words. + +Fixes: db82173f23c5 ("netdev: driver: ethernet: add cpsw address lookup engine support") +Signed-off-by: Tanmay Patil +[s-vadapalli@ti.com: rephrased commit message and added Fixes tag] +Signed-off-by: Siddharth Vadapalli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/cpsw_ale.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c +index 0c5e783e574c4..64bf22cd860c9 100644 +--- a/drivers/net/ethernet/ti/cpsw_ale.c ++++ b/drivers/net/ethernet/ti/cpsw_ale.c +@@ -106,23 +106,37 @@ struct cpsw_ale_dev_id { + + static inline int cpsw_ale_get_field(u32 *ale_entry, u32 start, u32 bits) + { +- int idx; ++ int idx, idx2; ++ u32 hi_val = 0; + + idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be fetched exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ hi_val = ale_entry[idx2] << ((idx2 * 32) - start); ++ } + start -= idx * 32; + idx = 2 - idx; /* flip */ +- return (ale_entry[idx] >> start) & BITMASK(bits); ++ return (hi_val + (ale_entry[idx] >> start)) & BITMASK(bits); + } + + static inline void cpsw_ale_set_field(u32 *ale_entry, u32 start, 
u32 bits, + u32 value) + { +- int idx; ++ int idx, idx2; + + value &= BITMASK(bits); +- idx = start / 32; ++ idx = start / 32; ++ idx2 = (start + bits - 1) / 32; ++ /* Check if bits to be set exceed a word */ ++ if (idx != idx2) { ++ idx2 = 2 - idx2; /* flip */ ++ ale_entry[idx2] &= ~(BITMASK(bits + start - (idx2 * 32))); ++ ale_entry[idx2] |= (value >> ((idx2 * 32) - start)); ++ } + start -= idx * 32; +- idx = 2 - idx; /* flip */ ++ idx = 2 - idx; /* flip */ + ale_entry[idx] &= ~(BITMASK(bits) << start); + ale_entry[idx] |= (value << start); + } +-- +2.39.2 + diff --git a/tmp-6.4/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch b/tmp-6.4/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch new file mode 100644 index 00000000000..2fc2df03878 --- /dev/null +++ b/tmp-6.4/net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch 
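Review bot: In cpsw_ale_get_field() the shift for the high word is computed from idx2 after it has been flipped (`idx2 = 2 - idx2`), so `(idx2 * 32) - start` is the intended bit offset only when the flipped and unflipped index coincide (word 1). For a field that runs from the second into the third word the flipped index is 0, the subtraction wraps in u32 and the shift count exceeds the word width, which is undefined in C. cpsw_ale_set_field() repeats the pattern in `BITMASK(bits + start - (idx2 * 32))` and `value >> ((idx2 * 32) - start)`. Whether any ALE field in use crosses that boundary cannot be seen from this hunk, but the helpers should keep the word number for the arithmetic and flip only when indexing: drop the `idx2 = 2 - idx2` lines and use `hi_val = ale_entry[2 - idx2] << ((idx2 * 32) - start);`, with `ale_entry[2 - idx2]` on the two set_field lines as well.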
@@ -0,0 +1,140 @@ +From dc77ee4a0a97049edbad6c3f13a92c2edc7a6c5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 20:33:08 +0800 +Subject: net: hns3: fix strncpy() not using dest-buf length as length issue + +From: Hao Chen + +[ Upstream commit 1cf3d5567f273a8746d1bade00633a93204f80f0 ] + +Now, strncpy() in hns3_dbg_fill_content() use src-length as copy-length, +it may result in dest-buf overflow. + +This patch is to fix intel compile warning for csky-linux-gcc (GCC) 12.1.0 +compiler. + +The warning reports as below: + +hclge_debugfs.c:92:25: warning: 'strncpy' specified bound depends on +the length of the source argument [-Wstringop-truncation] + +strncpy(pos, items[i].name, strlen(items[i].name)); + +hclge_debugfs.c:90:25: warning: 'strncpy' output truncated before +terminating nul copying as many bytes from a string as its length +[-Wstringop-truncation] + +strncpy(pos, result[i], strlen(result[i])); + +strncpy() use src-length as copy-length, it may result in +dest-buf overflow. + +So,this patch add some values check to avoid this issue. 
+ +Signed-off-by: Hao Chen +Reported-by: kernel test robot +Closes: https://lore.kernel.org/lkml/202207170606.7WtHs9yS-lkp@intel.com/T/ +Signed-off-by: Hao Lan +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../ethernet/hisilicon/hns3/hns3_debugfs.c | 31 ++++++++++++++----- + .../hisilicon/hns3/hns3pf/hclge_debugfs.c | 29 ++++++++++++++--- + 2 files changed, 48 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +index d385ffc218766..32bb14303473b 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c +@@ -438,19 +438,36 @@ static void hns3_dbg_fill_content(char *content, u16 len, + const struct hns3_dbg_item *items, + const char **result, u16 size) + { ++#define HNS3_DBG_LINE_END_LEN 2 + char *pos = content; ++ u16 item_len; + u16 i; + ++ if (!len) { ++ return; ++ } else if (len <= HNS3_DBG_LINE_END_LEN) { ++ *pos++ = '\0'; ++ return; ++ } ++ + memset(content, ' ', len); +- for (i = 0; i < size; i++) { +- if (result) +- strncpy(pos, result[i], strlen(result[i])); +- else +- strncpy(pos, items[i].name, strlen(items[i].name)); ++ len -= HNS3_DBG_LINE_END_LEN; + +- pos += strlen(items[i].name) + items[i].interval; ++ for (i = 0; i < size; i++) { ++ item_len = strlen(items[i].name) + items[i].interval; ++ if (len < item_len) ++ break; ++ ++ if (result) { ++ if (item_len < strlen(result[i])) ++ break; ++ strscpy(pos, result[i], strlen(result[i])); ++ } else { ++ strscpy(pos, items[i].name, strlen(items[i].name)); ++ } ++ pos += item_len; ++ len -= item_len; + } +- + *pos++ = '\n'; + *pos++ = '\0'; + } +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c +index a0b46e7d863eb..233c132dc513e 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c ++++ 
b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c +@@ -88,16 +88,35 @@ static void hclge_dbg_fill_content(char *content, u16 len, + const struct hclge_dbg_item *items, + const char **result, u16 size) + { ++#define HCLGE_DBG_LINE_END_LEN 2 + char *pos = content; ++ u16 item_len; + u16 i; + ++ if (!len) { ++ return; ++ } else if (len <= HCLGE_DBG_LINE_END_LEN) { ++ *pos++ = '\0'; ++ return; ++ } ++ + memset(content, ' ', len); ++ len -= HCLGE_DBG_LINE_END_LEN; ++ + for (i = 0; i < size; i++) { +- if (result) +- strncpy(pos, result[i], strlen(result[i])); +- else +- strncpy(pos, items[i].name, strlen(items[i].name)); +- pos += strlen(items[i].name) + items[i].interval; ++ item_len = strlen(items[i].name) + items[i].interval; ++ if (len < item_len) ++ break; ++ ++ if (result) { ++ if (item_len < strlen(result[i])) ++ break; ++ strscpy(pos, result[i], strlen(result[i])); ++ } else { ++ strscpy(pos, items[i].name, strlen(items[i].name)); ++ } ++ pos += item_len; ++ len -= item_len; + } + *pos++ = '\n'; + *pos++ = '\0'; +-- +2.39.2 + diff --git a/tmp-6.4/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch b/tmp-6.4/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch new file mode 100644 index 00000000000..9e2e5f71328 --- /dev/null +++ b/tmp-6.4/net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch 
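Review bot: `strscpy(pos, result[i], strlen(result[i]))` passes the source length as the destination size, so strscpy() copies one character fewer than the string holds and writes a NUL in its place. Each column therefore loses its last character, and the terminator lands inside the space-padded line, so a reader that treats `content` as a C string stops after the first item. The `items[i].name` call and both calls in hclge_dbg_fill_content() have the same problem. The `len < item_len` and `item_len < strlen(result[i])` checks added here already bound the write to the remaining buffer, so a copy without a terminator is what the padding scheme needs: `memcpy(pos, result[i], strlen(result[i]));` and `memcpy(pos, items[i].name, strlen(items[i].name));`.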
@@ -0,0 +1,134 @@ +From eb3d2ceb4d7e11c861c8385f94a0f307e72a546d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 May 2023 18:14:52 +0200 +Subject: net: ipv4: use consistent txhash in TIME_WAIT and SYN_RECV + +From: Antoine Tenart + +[ Upstream commit c0a8966e2bc7d31f77a7246947ebc09c1ff06066 ] + +When using IPv4/TCP, skb->hash comes from sk->sk_txhash except in +TIME_WAIT and SYN_RECV where it's not set in the reply skb from +ip_send_unicast_reply. Those packets will have a mismatched hash with +others from the same flow as their hashes will be 0. IPv6 does not have +the same issue as the hash is set from the socket txhash in those cases. + +This commits sets the hash in the reply skb from ip_send_unicast_reply, +which makes the IPv4 code behaving like IPv6. + +Signed-off-by: Antoine Tenart +Reviewed-by: Eric Dumazet +Signed-off-by: Paolo Abeni +Stable-dep-of: 5e5265522a9a ("tcp: annotate data-races around tcp_rsk(req)->txhash") +Signed-off-by: Sasha Levin +--- + include/net/ip.h | 2 +- + net/ipv4/ip_output.c | 4 +++- + net/ipv4/tcp_ipv4.c | 14 +++++++++----- + 3 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index acec504c469a0..83a1a9bc3ceb1 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -282,7 +282,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, + const struct ip_options *sopt, + __be32 daddr, __be32 saddr, + const struct ip_reply_arg *arg, +- unsigned int len, u64 transmit_time); ++ unsigned int len, u64 transmit_time, u32 txhash); + + #define IP_INC_STATS(net, field) SNMP_INC_STATS64((net)->mib.ip_statistics, field) + #define __IP_INC_STATS(net, field) __SNMP_INC_STATS64((net)->mib.ip_statistics, field) +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index 61892268e8a6c..a1bead441026e 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1692,7 +1692,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, + const struct 
ip_options *sopt, + __be32 daddr, __be32 saddr, + const struct ip_reply_arg *arg, +- unsigned int len, u64 transmit_time) ++ unsigned int len, u64 transmit_time, u32 txhash) + { + struct ip_options_data replyopts; + struct ipcm_cookie ipc; +@@ -1755,6 +1755,8 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, + arg->csum)); + nskb->ip_summed = CHECKSUM_NONE; + nskb->mono_delivery_time = !!transmit_time; ++ if (txhash) ++ skb_set_hash(nskb, txhash, PKT_HASH_TYPE_L4); + ip_push_pending_frames(sk, &fl4); + } + out: +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 434e5f0c8b99d..a64069077e388 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -692,6 +692,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + u64 transmit_time = 0; + struct sock *ctl_sk; + struct net *net; ++ u32 txhash = 0; + + /* Never send a reset in response to a reset. */ + if (th->rst) +@@ -829,6 +830,8 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + inet_twsk(sk)->tw_priority : sk->sk_priority; + transmit_time = tcp_transmit_time(sk); + xfrm_sk_clone_policy(ctl_sk, sk); ++ txhash = (sk->sk_state == TCP_TIME_WAIT) ? 
++ inet_twsk(sk)->tw_txhash : sk->sk_txhash; + } else { + ctl_sk->sk_mark = 0; + ctl_sk->sk_priority = 0; +@@ -837,7 +840,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) + skb, &TCP_SKB_CB(skb)->header.h4.opt, + ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, + &arg, arg.iov[0].iov_len, +- transmit_time); ++ transmit_time, txhash); + + xfrm_sk_free_policy(ctl_sk); + sock_net_set(ctl_sk, &init_net); +@@ -859,7 +862,7 @@ static void tcp_v4_send_ack(const struct sock *sk, + struct sk_buff *skb, u32 seq, u32 ack, + u32 win, u32 tsval, u32 tsecr, int oif, + struct tcp_md5sig_key *key, +- int reply_flags, u8 tos) ++ int reply_flags, u8 tos, u32 txhash) + { + const struct tcphdr *th = tcp_hdr(skb); + struct { +@@ -935,7 +938,7 @@ static void tcp_v4_send_ack(const struct sock *sk, + skb, &TCP_SKB_CB(skb)->header.h4.opt, + ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, + &arg, arg.iov[0].iov_len, +- transmit_time); ++ transmit_time, txhash); + + sock_net_set(ctl_sk, &init_net); + __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); +@@ -955,7 +958,8 @@ static void tcp_v4_timewait_ack(struct sock *sk, struct sk_buff *skb) + tw->tw_bound_dev_if, + tcp_twsk_md5_key(tcptw), + tw->tw_transparent ? IP_REPLY_ARG_NOSRCCHECK : 0, +- tw->tw_tos ++ tw->tw_tos, ++ tw->tw_txhash + ); + + inet_twsk_put(tw); +@@ -988,7 +992,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, + 0, + tcp_md5_do_lookup(sk, l3index, addr, AF_INET), + inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0, +- ip_hdr(skb)->tos); ++ ip_hdr(skb)->tos, tcp_rsk(req)->txhash); + } + + /* +-- +2.39.2 + diff --git a/tmp-6.4/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch b/tmp-6.4/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch new file mode 100644 index 00000000000..1168758b98d --- /dev/null +++ b/tmp-6.4/net-ipv4-use-kfree_sensitive-instead-of-kfree.patch 
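Review bot: `tcp_rsk(req)->txhash` in tcp_v4_reqsk_send_ack() and `sk->sk_txhash` in tcp_v4_send_reset() are read with plain loads, while the Stable-dep-of trailer of this patch names a follow-up that annotates data races on the request-socket field. If these reply paths can run without the socket lock (not visible here, since the functions continue outside the hunks), the reads should be marked, e.g. `ip_hdr(skb)->tos, READ_ONCE(tcp_rsk(req)->txhash));`. A short comment at `if (txhash)` in ip_send_unicast_reply() stating that 0 means the reply skb hash is left unset would also document the widened signature for other callers.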
@@ -0,0 +1,38 @@
+From 8f4e7983251e6782f216def6e2b47a48976a5841 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 17:59:19 +0800
+Subject: net: ipv4: Use kfree_sensitive instead of kfree
+
+From: Wang Ming
+
+[ Upstream commit daa751444fd9d4184270b1479d8af49aaf1a1ee6 ]
+
+key might contain private part of the key, so better use
+kfree_sensitive to free it.
+
+Fixes: 38320c70d282 ("[IPSEC]: Use crypto_aead and authenc in ESP")
+Signed-off-by: Wang Ming
+Reviewed-by: Tariq Toukan
+Reviewed-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/esp4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
+index ba06ed42e4284..2be2d49225573 100644
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -1132,7 +1132,7 @@ static int esp_init_authenc(struct xfrm_state *x,
+ err = crypto_aead_setkey(aead, key, keylen);
+
+ free_key:
+- kfree(key);
++ kfree_sensitive(key);
+
+ error:
+ return err;
+--
+2.39.2
+
diff --git a/tmp-6.4/net-ipv6-check-return-value-of-pskb_trim.patch b/tmp-6.4/net-ipv6-check-return-value-of-pskb_trim.patch
new file mode 100644
index 00000000000..37d6b8e74ad
--- /dev/null
+++ b/tmp-6.4/net-ipv6-check-return-value-of-pskb_trim.patch
@@ -0,0 +1,39 @@
+From d0da4855c330577e5a7f752994ed3ff21108a28c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 22:45:19 +0800
+Subject: net:ipv6: check return value of pskb_trim()
+
+From: Yuanjun Gong
+
+[ Upstream commit 4258faa130be4ea43e5e2d839467da421b8ff274 ]
+
+goto tx_err if an unexpected result is returned by pskb_tirm()
+in ip6erspan_tunnel_xmit().
+
+Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support")
+Signed-off-by: Yuanjun Gong
+Reviewed-by: David Ahern
+Reviewed-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/ip6_gre.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index da80974ad23ae..070d87abf7c02 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -955,7 +955,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+ goto tx_err;
+
+ if (skb->len > dev->mtu + dev->hard_header_len) {
+- pskb_trim(skb, dev->mtu + dev->hard_header_len);
++ if (pskb_trim(skb, dev->mtu + dev->hard_header_len))
++ goto tx_err;
+ truncate = true;
+ }
+
+--
+2.39.2
+
diff --git a/tmp-6.4/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch b/tmp-6.4/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch
new file mode 100644
index 00000000000..e4403bc3168
--- /dev/null
+++ b/tmp-6.4/net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch
@@ -0,0 +1,74 @@ +From e235c3ee00174e1880d74b700a763a90fde32659 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jul 2023 03:02:31 +0300 +Subject: net: phy: prevent stale pointer dereference in phy_init() + +From: Vladimir Oltean + +[ Upstream commit 1c613beaf877c0c0d755853dc62687e2013e55c4 ] + +mdio_bus_init() and phy_driver_register() both have error paths, and if +those are ever hit, ethtool will have a stale pointer to the +phy_ethtool_phy_ops stub structure, which references memory from a +module that failed to load (phylib). + +It is probably hard to force an error in this code path even manually, +but the error teardown path of phy_init() should be the same as +phy_exit(), which is now simply not the case. + +Fixes: 55d8f053ce1b ("net: phy: Register ethtool PHY operations") +Link: https://lore.kernel.org/netdev/ZLaiJ4G6TaJYGJyU@shell.armlinux.org.uk/ +Suggested-by: Russell King (Oracle) +Signed-off-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20230720000231.1939689-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index 53598210be6cb..2c4e6de8f4d9f 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -3452,23 +3452,30 @@ static int __init phy_init(void) + { + int rc; + ++ ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops); ++ + rc = mdio_bus_init(); + if (rc) +- return rc; ++ goto err_ethtool_phy_ops; + +- ethtool_set_ethtool_phy_ops(&phy_ethtool_phy_ops); + features_init(); + + rc = phy_driver_register(&genphy_c45_driver, THIS_MODULE); + if (rc) +- goto err_c45; ++ goto err_mdio_bus; + + rc = phy_driver_register(&genphy_driver, THIS_MODULE); +- if (rc) { +- phy_driver_unregister(&genphy_c45_driver); ++ if (rc) ++ goto err_c45; ++ ++ return 0; ++ + err_c45: +- mdio_bus_exit(); +- } ++ 
phy_driver_unregister(&genphy_c45_driver); ++err_mdio_bus: ++ mdio_bus_exit(); ++err_ethtool_phy_ops: ++ ethtool_set_ethtool_phy_ops(NULL); + + return rc; + } +-- +2.39.2 + diff --git a/tmp-6.4/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch b/tmp-6.4/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch new file mode 100644 index 00000000000..65bbd8b5b76 --- /dev/null +++ b/tmp-6.4/net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch 
@@ -0,0 +1,165 @@ +From 3f90b408fd41b67b0faf99913c06f69d68098ac1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 15:05:13 -0300 +Subject: net: sched: cls_bpf: Undo tcf_bind_filter in case of an error + +From: Victor Nogueira + +[ Upstream commit 26a22194927e8521e304ed75c2f38d8068d55fc7 ] + +If cls_bpf_offload errors out, we must also undo tcf_bind_filter that +was done before the error. + +Fix that by calling tcf_unbind_filter in errout_parms. + +Fixes: eadb41489fd2 ("net: cls_bpf: add support for marking filters as hardware-only") +Signed-off-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Reviewed-by: Pedro Tammela +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_bpf.c | 99 +++++++++++++++++++++------------------------ + 1 file changed, 47 insertions(+), 52 deletions(-) + +diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c +index 466c26df853a0..382c7a71f81f2 100644 +--- a/net/sched/cls_bpf.c ++++ b/net/sched/cls_bpf.c +@@ -406,56 +406,6 @@ static int cls_bpf_prog_from_efd(struct nlattr **tb, struct cls_bpf_prog *prog, + return 0; + } + +-static int cls_bpf_set_parms(struct net *net, struct tcf_proto *tp, +- struct cls_bpf_prog *prog, unsigned long base, +- struct nlattr **tb, struct nlattr *est, u32 flags, +- struct netlink_ext_ack *extack) +-{ +- bool is_bpf, is_ebpf, have_exts = false; +- u32 gen_flags = 0; +- int ret; +- +- is_bpf = tb[TCA_BPF_OPS_LEN] && tb[TCA_BPF_OPS]; +- is_ebpf = tb[TCA_BPF_FD]; +- if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf)) +- return -EINVAL; +- +- ret = tcf_exts_validate(net, tp, tb, est, &prog->exts, flags, +- extack); +- if (ret < 0) +- return ret; +- +- if (tb[TCA_BPF_FLAGS]) { +- u32 bpf_flags = nla_get_u32(tb[TCA_BPF_FLAGS]); +- +- if (bpf_flags & ~TCA_BPF_FLAG_ACT_DIRECT) +- return -EINVAL; +- +- have_exts = bpf_flags & TCA_BPF_FLAG_ACT_DIRECT; +- } +- if (tb[TCA_BPF_FLAGS_GEN]) { +- gen_flags = nla_get_u32(tb[TCA_BPF_FLAGS_GEN]); +- if 
(gen_flags & ~CLS_BPF_SUPPORTED_GEN_FLAGS || +- !tc_flags_valid(gen_flags)) +- return -EINVAL; +- } +- +- prog->exts_integrated = have_exts; +- prog->gen_flags = gen_flags; +- +- ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) : +- cls_bpf_prog_from_efd(tb, prog, gen_flags, tp); +- if (ret < 0) +- return ret; +- +- if (tb[TCA_BPF_CLASSID]) { +- prog->res.classid = nla_get_u32(tb[TCA_BPF_CLASSID]); +- tcf_bind_filter(tp, &prog->res, base); +- } +- +- return 0; +-} +- + static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, + struct tcf_proto *tp, unsigned long base, + u32 handle, struct nlattr **tca, +@@ -463,9 +413,12 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, + struct netlink_ext_ack *extack) + { + struct cls_bpf_head *head = rtnl_dereference(tp->root); ++ bool is_bpf, is_ebpf, have_exts = false; + struct cls_bpf_prog *oldprog = *arg; + struct nlattr *tb[TCA_BPF_MAX + 1]; ++ bool bound_to_filter = false; + struct cls_bpf_prog *prog; ++ u32 gen_flags = 0; + int ret; + + if (tca[TCA_OPTIONS] == NULL) +@@ -504,11 +457,51 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, + goto errout; + prog->handle = handle; + +- ret = cls_bpf_set_parms(net, tp, prog, base, tb, tca[TCA_RATE], flags, +- extack); ++ is_bpf = tb[TCA_BPF_OPS_LEN] && tb[TCA_BPF_OPS]; ++ is_ebpf = tb[TCA_BPF_FD]; ++ if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf)) { ++ ret = -EINVAL; ++ goto errout_idr; ++ } ++ ++ ret = tcf_exts_validate(net, tp, tb, tca[TCA_RATE], &prog->exts, ++ flags, extack); ++ if (ret < 0) ++ goto errout_idr; ++ ++ if (tb[TCA_BPF_FLAGS]) { ++ u32 bpf_flags = nla_get_u32(tb[TCA_BPF_FLAGS]); ++ ++ if (bpf_flags & ~TCA_BPF_FLAG_ACT_DIRECT) { ++ ret = -EINVAL; ++ goto errout_idr; ++ } ++ ++ have_exts = bpf_flags & TCA_BPF_FLAG_ACT_DIRECT; ++ } ++ if (tb[TCA_BPF_FLAGS_GEN]) { ++ gen_flags = nla_get_u32(tb[TCA_BPF_FLAGS_GEN]); ++ if (gen_flags & ~CLS_BPF_SUPPORTED_GEN_FLAGS || ++ !tc_flags_valid(gen_flags)) { ++ ret = -EINVAL; ++ 
goto errout_idr; ++ } ++ } ++ ++ prog->exts_integrated = have_exts; ++ prog->gen_flags = gen_flags; ++ ++ ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) : ++ cls_bpf_prog_from_efd(tb, prog, gen_flags, tp); + if (ret < 0) + goto errout_idr; + ++ if (tb[TCA_BPF_CLASSID]) { ++ prog->res.classid = nla_get_u32(tb[TCA_BPF_CLASSID]); ++ tcf_bind_filter(tp, &prog->res, base); ++ bound_to_filter = true; ++ } ++ + ret = cls_bpf_offload(tp, prog, oldprog, extack); + if (ret) + goto errout_parms; +@@ -530,6 +523,8 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb, + return 0; + + errout_parms: ++ if (bound_to_filter) ++ tcf_unbind_filter(tp, &prog->res); + cls_bpf_free_parms(prog); + errout_idr: + if (!oldprog) +-- +2.39.2 + diff --git a/tmp-6.4/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch b/tmp-6.4/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch new file mode 100644 index 00000000000..c1618ab1fc3 --- /dev/null +++ b/tmp-6.4/net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch 
@@ -0,0 +1,98 @@ +From 8bf4268767afc1aceffbef4ebe37fb672dc70de2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 15:05:10 -0300 +Subject: net: sched: cls_matchall: Undo tcf_bind_filter in case of failure + after mall_set_parms + +From: Victor Nogueira + +[ Upstream commit b3d0e0489430735e2e7626aa37e6462cdd136e9d ] + +In case an error occurred after mall_set_parms executed successfully, we +must undo the tcf_bind_filter call it issues. + +Fix that by calling tcf_unbind_filter in err_replace_hw_filter label. + +Fixes: ec2507d2a306 ("net/sched: cls_matchall: Fix error path") +Signed-off-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Reviewed-by: Pedro Tammela +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_matchall.c | 35 ++++++++++++----------------------- + 1 file changed, 12 insertions(+), 23 deletions(-) + +diff --git a/net/sched/cls_matchall.c b/net/sched/cls_matchall.c +index fa3bbd187eb97..c4ed11df62548 100644 +--- a/net/sched/cls_matchall.c ++++ b/net/sched/cls_matchall.c +@@ -159,26 +159,6 @@ static const struct nla_policy mall_policy[TCA_MATCHALL_MAX + 1] = { + [TCA_MATCHALL_FLAGS] = { .type = NLA_U32 }, + }; + +-static int mall_set_parms(struct net *net, struct tcf_proto *tp, +- struct cls_mall_head *head, +- unsigned long base, struct nlattr **tb, +- struct nlattr *est, u32 flags, u32 fl_flags, +- struct netlink_ext_ack *extack) +-{ +- int err; +- +- err = tcf_exts_validate_ex(net, tp, tb, est, &head->exts, flags, +- fl_flags, extack); +- if (err < 0) +- return err; +- +- if (tb[TCA_MATCHALL_CLASSID]) { +- head->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]); +- tcf_bind_filter(tp, &head->res, base); +- } +- return 0; +-} +- + static int mall_change(struct net *net, struct sk_buff *in_skb, + struct tcf_proto *tp, unsigned long base, + u32 handle, struct nlattr **tca, +@@ -187,6 +167,7 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, + { + struct 
cls_mall_head *head = rtnl_dereference(tp->root); + struct nlattr *tb[TCA_MATCHALL_MAX + 1]; ++ bool bound_to_filter = false; + struct cls_mall_head *new; + u32 userflags = 0; + int err; +@@ -226,11 +207,17 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, + goto err_alloc_percpu; + } + +- err = mall_set_parms(net, tp, new, base, tb, tca[TCA_RATE], +- flags, new->flags, extack); +- if (err) ++ err = tcf_exts_validate_ex(net, tp, tb, tca[TCA_RATE], ++ &new->exts, flags, new->flags, extack); ++ if (err < 0) + goto err_set_parms; + ++ if (tb[TCA_MATCHALL_CLASSID]) { ++ new->res.classid = nla_get_u32(tb[TCA_MATCHALL_CLASSID]); ++ tcf_bind_filter(tp, &new->res, base); ++ bound_to_filter = true; ++ } ++ + if (!tc_skip_hw(new->flags)) { + err = mall_replace_hw_filter(tp, new, (unsigned long)new, + extack); +@@ -246,6 +233,8 @@ static int mall_change(struct net *net, struct sk_buff *in_skb, + return 0; + + err_replace_hw_filter: ++ if (bound_to_filter) ++ tcf_unbind_filter(tp, &new->res); + err_set_parms: + free_percpu(new->pf); + err_alloc_percpu: +-- +2.39.2 + diff --git a/tmp-6.4/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch b/tmp-6.4/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch new file mode 100644 index 00000000000..9d39b03d79a --- /dev/null +++ b/tmp-6.4/net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch 
@@ -0,0 +1,49 @@
+From 30ac61ca94fe6221447d2e6ad43c9620bc035240 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Jul 2023 15:05:12 -0300
+Subject: net: sched: cls_u32: Undo refcount decrement in case update failed
+
+From: Victor Nogueira
+
+[ Upstream commit e8d3d78c19be0264a5692bed477c303523aead31 ]
+
+In the case of an update, when TCA_U32_LINK is set, u32_set_parms will
+decrement the refcount of the ht_down (struct tc_u_hnode) pointer
+present in the older u32 filter which we are replacing. However, if
+u32_replace_hw_knode errors out, the update command fails and that
+ht_down pointer continues decremented. To fix that, when
+u32_replace_hw_knode fails, check if ht_down's refcount was decremented
+and undo the decrement.
+
+Fixes: d34e3e181395 ("net: cls_u32: Add support for skip-sw flag to tc u32 classifier.")
+Signed-off-by: Victor Nogueira
+Acked-by: Jamal Hadi Salim
+Reviewed-by: Pedro Tammela
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_u32.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
+index ed358466d042a..5abf31e432caf 100644
+--- a/net/sched/cls_u32.c
++++ b/net/sched/cls_u32.c
+@@ -928,6 +928,13 @@ static int u32_change(struct net *net, struct sk_buff *in_skb,
+ if (err) {
+ u32_unbind_filter(tp, new, tb);
+
++ if (tb[TCA_U32_LINK]) {
++ struct tc_u_hnode *ht_old;
++
++ ht_old = rtnl_dereference(n->ht_down);
++ if (ht_old)
++ ht_old->refcnt++;
++ }
+ __u32_destroy_key(new);
+ return err;
+ }
+--
+2.39.2
+
diff --git a/tmp-6.4/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch b/tmp-6.4/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch
new file mode 100644
index 00000000000..6454b027c7b
--- /dev/null
+++ b/tmp-6.4/net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch
@@ -0,0 +1,122 @@ +From 30d5f447b9e2287545f1e04059c3a1b974153809 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jul 2023 15:05:11 -0300 +Subject: net: sched: cls_u32: Undo tcf_bind_filter if u32_replace_hw_knode + +From: Victor Nogueira + +[ Upstream commit 9cb36faedeafb9720ac236aeae2ea57091d90a09 ] + +When u32_replace_hw_knode fails, we need to undo the tcf_bind_filter +operation done at u32_set_parms. + +Fixes: d34e3e181395 ("net: cls_u32: Add support for skip-sw flag to tc u32 classifier.") +Signed-off-by: Victor Nogueira +Acked-by: Jamal Hadi Salim +Reviewed-by: Pedro Tammela +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/cls_u32.c | 41 ++++++++++++++++++++++++++++++----------- + 1 file changed, 30 insertions(+), 11 deletions(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index d15d50de79802..ed358466d042a 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -712,8 +712,23 @@ static const struct nla_policy u32_policy[TCA_U32_MAX + 1] = { + [TCA_U32_FLAGS] = { .type = NLA_U32 }, + }; + ++static void u32_unbind_filter(struct tcf_proto *tp, struct tc_u_knode *n, ++ struct nlattr **tb) ++{ ++ if (tb[TCA_U32_CLASSID]) ++ tcf_unbind_filter(tp, &n->res); ++} ++ ++static void u32_bind_filter(struct tcf_proto *tp, struct tc_u_knode *n, ++ unsigned long base, struct nlattr **tb) ++{ ++ if (tb[TCA_U32_CLASSID]) { ++ n->res.classid = nla_get_u32(tb[TCA_U32_CLASSID]); ++ tcf_bind_filter(tp, &n->res, base); ++ } ++} ++ + static int u32_set_parms(struct net *net, struct tcf_proto *tp, +- unsigned long base, + struct tc_u_knode *n, struct nlattr **tb, + struct nlattr *est, u32 flags, u32 fl_flags, + struct netlink_ext_ack *extack) +@@ -760,10 +775,6 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, + if (ht_old) + ht_old->refcnt--; + } +- if (tb[TCA_U32_CLASSID]) { +- n->res.classid = nla_get_u32(tb[TCA_U32_CLASSID]); +- tcf_bind_filter(tp, &n->res, base); +- } + + 
if (ifindex >= 0) + n->ifindex = ifindex; +@@ -903,17 +914,20 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, + if (!new) + return -ENOMEM; + +- err = u32_set_parms(net, tp, base, new, tb, +- tca[TCA_RATE], flags, new->flags, +- extack); ++ err = u32_set_parms(net, tp, new, tb, tca[TCA_RATE], ++ flags, new->flags, extack); + + if (err) { + __u32_destroy_key(new); + return err; + } + ++ u32_bind_filter(tp, new, base, tb); ++ + err = u32_replace_hw_knode(tp, new, flags, extack); + if (err) { ++ u32_unbind_filter(tp, new, tb); ++ + __u32_destroy_key(new); + return err; + } +@@ -1074,15 +1088,18 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, + } + #endif + +- err = u32_set_parms(net, tp, base, n, tb, tca[TCA_RATE], ++ err = u32_set_parms(net, tp, n, tb, tca[TCA_RATE], + flags, n->flags, extack); ++ ++ u32_bind_filter(tp, n, base, tb); ++ + if (err == 0) { + struct tc_u_knode __rcu **ins; + struct tc_u_knode *pins; + + err = u32_replace_hw_knode(tp, n, flags, extack); + if (err) +- goto errhw; ++ goto errunbind; + + if (!tc_in_hw(n->flags)) + n->flags |= TCA_CLS_FLAGS_NOT_IN_HW; +@@ -1100,7 +1117,9 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, + return 0; + } + +-errhw: ++errunbind: ++ u32_unbind_filter(tp, n, tb); ++ + #ifdef CONFIG_CLS_U32_MARK + free_percpu(n->pcpu_success); + #endif +-- +2.39.2 + diff --git a/tmp-6.4/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch b/tmp-6.4/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch new file mode 100644 index 00000000000..8c23502598b --- /dev/null +++ b/tmp-6.4/netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch 
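Review bot: In the second u32_change() hunk, `u32_bind_filter(tp, n, base, tb)` runs before `err` from u32_set_parms() is examined, so a failed parameter parse still binds the filter and relies on the fall-through into `errunbind:` to undo it. The first call site binds only after the error check, and the block removed from u32_set_parms() sat near the end of that function, which suggests (its full body is not visible) that no bind happened on failure before this change. Either bind only on success, with `if (err) goto errhw;` ahead of the bind and an `errhw:` label kept after the `u32_unbind_filter()` call, or state the intent with `/* bound unconditionally so errunbind is balanced on every path */`. u32_change() continues outside the hunks.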
@@ -0,0 +1,64 @@
+From 1c96f1664cded724709812e0e8e690891772de93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 18 Jul 2023 01:30:33 +0200
+Subject: netfilter: nf_tables: can't schedule in nft_chain_validate
+
+From: Florian Westphal
+
+[ Upstream commit 314c82841602a111c04a7210c21dc77e0d560242 ]
+
+Can be called via nft set element list iteration, which may acquire
+rcu and/or bh read lock (depends on set type).
+
+BUG: sleeping function called from invalid context at net/netfilter/nf_tables_api.c:3353
+in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1232, name: nft
+preempt_count: 0, expected: 0
+RCU nest depth: 1, expected: 0
+2 locks held by nft/1232:
+ #0: ffff8881180e3ea8 (&nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid
+ #1: ffffffff83f5f540 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire
+Call Trace:
+ nft_chain_validate
+ nft_lookup_validate_setelem
+ nft_pipapo_walk
+ nft_lookup_validate
+ nft_chain_validate
+ nft_immediate_validate
+ nft_chain_validate
+ nf_tables_validate
+ nf_tables_abort
+
+No choice but to move it to nf_tables_validate().
+
+Fixes: 81ea01066741 ("netfilter: nf_tables: add rescheduling points during loop detection walks")
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 51909bcc181fa..f3a4aa9054876 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3684,8 +3684,6 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
+ if (err < 0)
+ return err;
+ }
+-
+- cond_resched();
+ }
+
+ return 0;
+@@ -3709,6 +3707,8 @@ static int nft_table_validate(struct net *net, const struct nft_table *table)
+ err = nft_chain_validate(&ctx, chain);
+ if (err < 0)
+ return err;
++
++ cond_resched();
+ }
+
+ return 0;
+--
+2.39.2
+
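Review bot: nft_chain_validate() loses its `cond_resched()` without gaining any statement of why it must not sleep, so the constraint is recorded only in the commit message. A comment above the function, for example `/* May run under rcu/bh read lock via set element walks: must not sleep. */`, would keep a later change from putting a scheduling point back there. With the reschedule now issued once per chain in nft_table_validate(), a single long chain is walked without yielding, and that trade-off is worth one line next to the new `cond_resched()`. Both function bodies extend beyond the hunks.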
diff --git a/tmp-6.4/netfilter-nf_tables-fix-spurious-set-element-inserti.patch b/tmp-6.4/netfilter-nf_tables-fix-spurious-set-element-inserti.patch
new file mode 100644
index 00000000000..eccda340124
--- /dev/null
+++ b/tmp-6.4/netfilter-nf_tables-fix-spurious-set-element-inserti.patch
@@ -0,0 +1,49 @@
+From f4fcc8395bef8aae868c0a5b93122227e28d956c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jul 2023 00:29:58 +0200
+Subject: netfilter: nf_tables: fix spurious set element insertion failure
+
+From: Florian Westphal
+
+[ Upstream commit ddbd8be68941985f166f5107109a90ce13147c44 ]
+
+On some platforms there is a padding hole in the nft_verdict
+structure, between the verdict code and the chain pointer.
+
+On element insertion, if the new element clashes with an existing one and
+NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as
+the data associated with duplicated element is the same as the existing
+one. The data equality check uses memcmp.
+
+For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT
+padding area leads to spurious failure even if the verdict data is the
+same.
+
+This then makes the insertion fail with 'already exists' error, even
+though the new "key : data" matches an existing entry and userspace
+told the kernel that it doesn't want to receive an error indication.
+
+Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion")
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 18546f9b2a63a..51909bcc181fa 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -10482,6 +10482,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+
+ if (!tb[NFTA_VERDICT_CODE])
+ return -EINVAL;
++
++ /* zero padding hole for memcmp */
++ memset(data, 0, sizeof(*data));
+ data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
+
+ switch (data->verdict.code) {
+--
+2.39.2
+
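Review bot: The comment `/* zero padding hole for memcmp */` in nft_verdict_init() does not say which comparison depends on it, and the memcmp it refers to is not in this function. A fuller comment would carry the reasoning from the commit message: `/* set element insertion compares nft_data with memcmp(); clear the padding between verdict.code and the chain pointer */`. Any other path that fills a verdict nft_data without going through this function would need the same zeroing; whether one exists cannot be checked from this hunk. The function body continues past the hunk.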
diff --git a/tmp-6.4/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch b/tmp-6.4/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch
new file mode 100644
index 00000000000..7cbdf132e89
--- /dev/null
+++ b/tmp-6.4/netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch
@@ -0,0 +1,37 @@
+From 60ac4e0fadccbe1e209e8c149fc44bfce8466f67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 20:19:43 +0200
+Subject: netfilter: nf_tables: skip bound chain in netns release path
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 751d460ccff3137212f47d876221534bf0490996 ]
+
+Skip bound chain from netns release path, the rule that owns this chain
+releases these objects.
+
+Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index f3a4aa9054876..e3049c7db9041 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -10767,6 +10767,9 @@ static void __nft_release_table(struct net *net, struct nft_table *table)
+ ctx.family = table->family;
+ ctx.table = table;
+ list_for_each_entry(chain, &table->chains, list) {
++ if (nft_chain_is_bound(chain))
++ continue;
++
+ ctx.chain = chain;
+ list_for_each_entry_safe(rule, nr, &chain->rules, list) {
+ list_del(&rule->list);
+--
+2.39.2
+
diff --git a/tmp-6.4/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch b/tmp-6.4/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch
new file mode 100644
index 00000000000..f128b270530
--- /dev/null
+++ b/tmp-6.4/netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch
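Review bot: The new `if (nft_chain_is_bound(chain)) continue;` in __nft_release_table() carries no comment, and the same uncommented check is added to nf_tables_delrule() by the next patch in this series (skip-bound-chain-on-rule-flush). The ownership rule from the commit message belongs in the code at both sites: `/* bound chains are released by the rule that owns them */`. Only the rule-removal loop is visible here; whether later loops in __nft_release_table() over `table->chains` need the same skip cannot be told from the hunk and should be confirmed.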
@@ -0,0 +1,43 @@
+From dcc7e01ee2a877f6891ba56d1c4572f13efba902 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jul 2023 09:17:21 +0200
+Subject: netfilter: nf_tables: skip bound chain on rule flush
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8 ]
+
+Skip bound chain when flushing table rules, the rule that owns this
+chain releases these objects.
+
+Otherwise, the following warning is triggered:
+
+ WARNING: CPU: 2 PID: 1217 at net/netfilter/nf_tables_api.c:2013 nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
+ CPU: 2 PID: 1217 Comm: chain-flush Not tainted 6.1.39 #1
+ RIP: 0010:nf_tables_chain_destroy+0x1f7/0x210 [nf_tables]
+
+Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+Reported-by: Kevin Rich
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_tables_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index e3049c7db9041..ccf0b3d80fd97 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4086,6 +4086,8 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
+ list_for_each_entry(chain, &table->chains, list) {
+ if (!nft_is_active_next(net, chain))
+ continue;
++ if (nft_chain_is_bound(chain))
++ continue;
+
+ ctx.chain = chain;
+ err = nft_delrule_by_chain(&ctx);
+--
+2.39.2
+
diff --git a/tmp-6.4/netfilter-nft_set_pipapo-fix-improper-element-remova.patch b/tmp-6.4/netfilter-nft_set_pipapo-fix-improper-element-remova.patch
new file mode 100644
index 00000000000..fc62486e1f3
--- /dev/null
+++ b/tmp-6.4/netfilter-nft_set_pipapo-fix-improper-element-remova.patch
@@ -0,0 +1,63 @@ +From e9898b88b4dcdecf994451f8d9d7f65534108a87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:08:21 +0200 +Subject: netfilter: nft_set_pipapo: fix improper element removal + +From: Florian Westphal + +[ Upstream commit 87b5a5c209405cb6b57424cdfa226a6dbd349232 ] + +end key should be equal to start unless NFT_SET_EXT_KEY_END is present. + +Its possible to add elements that only have a start key +("{ 1.0.0.0 . 2.0.0.0 }") without an internval end. + +Insertion treats this via: + +if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) + end = (const u8 *)nft_set_ext_key_end(ext)->data; +else + end = start; + +but removal side always uses nft_set_ext_key_end(). +This is wrong and leads to garbage remaining in the set after removal +next lookup/insert attempt will give: + +BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90 +Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399 +Call Trace: + kasan_report+0x105/0x140 + pipapo_get+0x8eb/0xb90 + nft_pipapo_insert+0x1dc/0x1710 + nf_tables_newsetelem+0x31f5/0x4e00 + .. 
+ +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Reported-by: lonial con +Reviewed-by: Stefano Brivio +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 0452ee586c1cc..a81829c10feab 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1930,7 +1930,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set, + int i, start, rules_fx; + + match_start = data; +- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; ++ ++ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END)) ++ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; ++ else ++ match_end = data; + + start = first_rule; + rules_fx = rules_f0; +-- +2.39.2 + diff --git a/tmp-6.4/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch b/tmp-6.4/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch new file mode 100644 index 00000000000..0230574a51f --- /dev/null +++ b/tmp-6.4/octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch 
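Review bot: nft_pipapo_remove() now repeats the end-key selection that the commit message quotes from the insertion path, so the rule "end equals start unless NFT_SET_EXT_KEY_END is present" exists in two copies, and the use-after-free fixed here came from those copies disagreeing. A small helper shared by both paths would keep them identical; the sketch below shows it with the remove-side call, and the insert side (not in this hunk) would call it the same way. The helper name is only a suggestion. nft_pipapo_remove() starts and ends outside the hunk.

```c
/* End key of an element: the start key unless NFT_SET_EXT_KEY_END is set. */
static const u8 *pipapo_elem_key_end(const struct nft_set_ext *ext,
				     const u8 *start)
{
	if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
		return (const u8 *)nft_set_ext_key_end(ext)->data;

	return start;
}

/* … unchanged: nft_pipapo_remove() declarations … */
	match_start = data;
	match_end = pipapo_elem_key_end(&e->ext, data);
```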
@@ -0,0 +1,43 @@ +From 8c589aa43ad6305dbe3d9b1288d7a998bb0f2e56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Jul 2023 15:07:41 +0530 +Subject: octeontx2-pf: Dont allocate BPIDs for LBK interfaces + +From: Geetha sowjanya + +[ Upstream commit 8fcd7c7b3a38ab5e452f542fda8f7940e77e479a ] + +Current driver enables backpressure for LBK interfaces. +But these interfaces do not support this feature. +Hence, this patch fixes the issue by skipping the +backpressure configuration for these interfaces. + +Fixes: 75f36270990c ("octeontx2-pf: Support to enable/disable pause frames via ethtool"). +Signed-off-by: Geetha sowjanya +Signed-off-by: Sunil Goutham +Link: https://lore.kernel.org/r/20230716093741.28063-1-gakula@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +index 18284ad751572..384d26bee9b23 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +@@ -1452,8 +1452,9 @@ static int otx2_init_hw_resources(struct otx2_nic *pf) + if (err) + goto err_free_npa_lf; + +- /* Enable backpressure */ +- otx2_nix_config_bp(pf, true); ++ /* Enable backpressure for CGX mapped PF/VFs */ ++ if (!is_otx2_lbkvf(pf->pdev)) ++ otx2_nix_config_bp(pf, true); + + /* Init Auras and pools used by NIX RQ, for free buffer ptrs */ + err = otx2_rq_aura_pool_init(pf); +-- +2.39.2 + diff --git a/tmp-6.4/of-preserve-of-display-device-name-for-compatibility.patch b/tmp-6.4/of-preserve-of-display-device-name-for-compatibility.patch new file mode 100644 index 00000000000..2af0884b5f4 --- /dev/null +++ b/tmp-6.4/of-preserve-of-display-device-name-for-compatibility.patch 
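Review bot: otx2_init_hw_resources() now skips `otx2_nix_config_bp(pf, true)` for LBK VFs, but this patch contains only the enable-side hunk, so any matching `otx2_nix_config_bp(pf, false)` on the teardown path is left as it was. If such a call exists and runs for LBK interfaces, it would act on backpressure state that was never set up; please confirm and apply the same `is_otx2_lbkvf(pf->pdev)` guard there if so. The new comment says "CGX mapped PF/VFs" while the test is "not an LBK VF"; `/* Enable backpressure, except on LBK VFs which do not support it */` matches the condition as written. The function continues outside the hunk.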
@@ -0,0 +1,51 @@ +From 0bb8f49cd2cc8cb32ac51189ff9fcbe7ec3d9d65 Mon Sep 17 00:00:00 2001 +From: Rob Herring +Date: Mon, 10 Jul 2023 11:40:07 -0600 +Subject: of: Preserve "of-display" device name for compatibility +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rob Herring + +commit 0bb8f49cd2cc8cb32ac51189ff9fcbe7ec3d9d65 upstream. + +Since commit 241d2fb56a18 ("of: Make OF framebuffer device names unique"), +as spotted by Frédéric Bonnard, the historical "of-display" device is +gone: the updated logic creates "of-display.0" instead, then as many +"of-display.N" as required. + +This means that offb no longer finds the expected device, which prevents +the Debian Installer from setting up its interface, at least on ppc64el. + +Fix this by keeping "of-display" for the first device and "of-display.N" +for subsequent devices. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=217328 +Link: https://bugs.debian.org/1033058 +Fixes: 241d2fb56a18 ("of: Make OF framebuffer device names unique") +Cc: stable@vger.kernel.org +Cc: Cyril Brulebois +Cc: Thomas Zimmermann +Cc: Helge Deller +Acked-by: Helge Deller +Acked-by: Thomas Zimmermann +Reviewed-by: Michal Suchánek +Link: https://lore.kernel.org/r/20230710174007.2291013-1-robh@kernel.org +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/of/platform.c ++++ b/drivers/of/platform.c +@@ -553,7 +553,7 @@ static int __init of_platform_default_po + if (!of_get_property(node, "linux,opened", NULL) || + !of_get_property(node, "linux,boot-display", NULL)) + continue; +- dev = of_platform_device_create(node, "of-display.0", NULL); ++ dev = of_platform_device_create(node, "of-display", NULL); + of_node_put(node); + if (WARN_ON(!dev)) + return -ENOMEM; 
diff --git a/tmp-6.4/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch b/tmp-6.4/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch
new file mode 100644
index 00000000000..38512f7a3ec
--- /dev/null
+++ b/tmp-6.4/ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch
@@ -0,0 +1,58 @@ +From b31ea69c18255782ee8d005de2dc7f39ca0ab8a2 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Tue, 13 Jun 2023 10:13:37 +0200 +Subject: [PATCH AUTOSEL 5.4 06/12] ovl: check type and offset of struct + vfsmount in ovl_entry +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit f723edb8a532cd26e1ff0a2b271d73762d48f762 ] + +Porting overlayfs to the new amount api I started experiencing random +crashes that couldn't be explained easily. So after much debugging and +reasoning it became clear that struct ovl_entry requires the point to +struct vfsmount to be the first member and of type struct vfsmount. + +During the port I added a new member at the beginning of struct +ovl_entry which broke all over the place in the form of random crashes +and cache corruptions. While there's a comment in ovl_free_fs() to the +effect of "Hack! Reuse ofs->layers as a vfsmount array before freeing +it" there's no such comment on struct ovl_entry which makes this easy to +trip over. + +Add a comment and two static asserts for both the offset and the type of +pointer in struct ovl_entry. + +Signed-off-by: Christian Brauner +Signed-off-by: Amir Goldstein +Signed-off-by: Sasha Levin +--- + fs/overlayfs/ovl_entry.h | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/overlayfs/ovl_entry.h ++++ b/fs/overlayfs/ovl_entry.h +@@ -32,6 +32,7 @@ struct ovl_sb { + }; + + struct ovl_layer { ++ /* ovl_free_fs() relies on @mnt being the first member! */ + struct vfsmount *mnt; + /* Trap in ovl inode cache */ + struct inode *trap; +@@ -42,6 +43,14 @@ struct ovl_layer { + int fsid; + }; + ++/* ++ * ovl_free_fs() relies on @mnt being the first member when unmounting ++ * the private mounts created for each layer. Let's check both the ++ * offset and type. 
++ */ ++static_assert(offsetof(struct ovl_layer, mnt) == 0); ++static_assert(__same_type(typeof_member(struct ovl_layer, mnt), struct vfsmount *)); ++ + struct ovl_path { + const struct ovl_layer *layer; + struct dentry *dentry; diff --git a/tmp-6.4/perf-build-fix-library-not-found-error-when-using-cs.patch b/tmp-6.4/perf-build-fix-library-not-found-error-when-using-cs.patch new file mode 100644 index 00000000000..70fa7345751 --- /dev/null +++ b/tmp-6.4/perf-build-fix-library-not-found-error-when-using-cs.patch 
@@ -0,0 +1,94 @@ +From e8950b3996fccc846685515d638f7af34ddfaf5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jul 2023 16:45:46 +0100 +Subject: perf build: Fix library not found error when using CSLIBS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: James Clark + +[ Upstream commit 1feece2780ac2f8de45177fe53979726cee4b3d1 ] + +-L only specifies the search path for libraries directly provided in the +link line with -l. Because -lopencsd isn't specified, it's only linked +because it's a dependency of -lopencsd_c_api. Dependencies like this are +resolved using the default system search paths or -rpath-link=... rather +than -L. This means that compilation only works if OpenCSD is installed +to the system rather than provided with the CSLIBS (-L) option. + +This could be fixed by adding -Wl,-rpath-link=$(CSLIBS) but that is less +conventional than just adding -lopencsd to the link line so that it uses +-L. -lopencsd seems to have been removed in commit ed17b1914978eddb +("perf tools: Drop requirement for libstdc++.so for libopencsd check") +because it was thought that there was a chance compilation would work +even if it didn't exist, but I think that only applies to libstdc++ so +there is no harm to add it back. libopencsd.so and libopencsd_c_api.so +would always exist together. + +Testing +======= + +The following scenarios now all work: + + * Cross build with OpenCSD installed + * Cross build using CSLIBS=... + * Native build with OpenCSD installed + * Native build using CSLIBS=... + * Static cross build with OpenCSD installed + * Static cross build with CSLIBS=... 
+ +Committer testing: + + ⬢[acme@toolbox perf-tools]$ alias m + alias m='make -k BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools -C tools/perf install-bin && git status && perf test python ; perf record -o /dev/null sleep 0.01 ; perf stat --null sleep 0.01' + ⬢[acme@toolbox perf-tools]$ ldd ~/bin/perf | grep csd + libopencsd_c_api.so.1 => /lib64/libopencsd_c_api.so.1 (0x00007fd49c44e000) + libopencsd.so.1 => /lib64/libopencsd.so.1 (0x00007fd49bd56000) + ⬢[acme@toolbox perf-tools]$ cat /etc/redhat-release + Fedora release 36 (Thirty Six) + ⬢[acme@toolbox perf-tools]$ + +Fixes: ed17b1914978eddb ("perf tools: Drop requirement for libstdc++.so for libopencsd check") +Reported-by: Radhey Shyam Pandey +Signed-off-by: James Clark +Tested-by: Arnaldo Carvalho de Melo +Tested-by: Radhey Shyam Pandey +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Uwe Kleine-König +Cc: coresight@lists.linaro.org +Closes: https://lore.kernel.org/linux-arm-kernel/56905d7a-a91e-883a-b707-9d5f686ba5f1@arm.com/ +Link: https://lore.kernel.org/all/36cc4dc6-bf4b-1093-1c0a-876e368af183@kleine-koenig.org/ +Link: https://lore.kernel.org/r/20230707154546.456720-1-james.clark@arm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.config | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index a794d9eca93d8..72f068682c9a2 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -155,9 +155,9 @@ FEATURE_CHECK_LDFLAGS-libcrypto = -lcrypto + ifdef CSINCLUDES + LIBOPENCSD_CFLAGS := -I$(CSINCLUDES) + endif +-OPENCSDLIBS := -lopencsd_c_api ++OPENCSDLIBS := -lopencsd_c_api -lopencsd + ifeq ($(findstring -static,${LDFLAGS}),-static) +- OPENCSDLIBS += -lopencsd -lstdc++ ++ OPENCSDLIBS += -lstdc++ + endif + ifdef CSLIBS + LIBOPENCSD_LDFLAGS := -L$(CSLIBS) +-- 
+2.39.2 + diff --git a/tmp-6.4/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch b/tmp-6.4/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch new file mode 100644 index 00000000000..ac282bd2634 --- /dev/null +++ b/tmp-6.4/perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch 
@@ -0,0 +1,115 @@ +From 56cbeacf143530576905623ac72ae0964f3293a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Georg=20M=C3=BCller?= +Date: Wed, 28 Jun 2023 10:45:50 +0200 +Subject: perf probe: Add test for regression introduced by switch to die_get_decl_file() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Georg Müller + +commit 56cbeacf143530576905623ac72ae0964f3293a6 upstream. + +This patch adds a test to validate that 'perf probe' works for binaries +where DWARF info is split into multiple CUs + +Signed-off-by: Georg Müller +Acked-by: Masami Hiramatsu (Google) +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: regressions@lists.linux.dev +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230628084551.1860532-5-georgmueller@gmx.net +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/shell/test_uprobe_from_different_cu.sh | 77 ++++++++++++++++ + 1 file changed, 77 insertions(+) + create mode 100755 tools/perf/tests/shell/test_uprobe_from_different_cu.sh + +--- /dev/null ++++ b/tools/perf/tests/shell/test_uprobe_from_different_cu.sh +@@ -0,0 +1,77 @@ ++#!/bin/bash ++# test perf probe of function from different CU ++# SPDX-License-Identifier: GPL-2.0 ++ ++set -e ++ ++temp_dir=$(mktemp -d /tmp/perf-uprobe-different-cu-sh.XXXXXXXXXX) ++ ++cleanup() ++{ ++ trap - EXIT TERM INT ++ if [[ "${temp_dir}" =~ ^/tmp/perf-uprobe-different-cu-sh.*$ ]]; then ++ echo "--- Cleaning up ---" ++ perf probe -x ${temp_dir}/testfile -d foo ++ rm -f "${temp_dir}/"* ++ rmdir "${temp_dir}" ++ fi ++} ++ ++trap_cleanup() ++{ ++ cleanup ++ exit 1 ++} ++ ++trap trap_cleanup EXIT TERM INT ++ ++cat > ${temp_dir}/testfile-foo.h << EOF ++struct t ++{ ++ int *p; ++ int c; ++}; ++ ++extern int foo (int i, struct t *t); ++EOF ++ ++cat > ${temp_dir}/testfile-foo.c << EOF ++#include 
"testfile-foo.h" ++ ++int ++foo (int i, struct t *t) ++{ ++ int j, res = 0; ++ for (j = 0; j < i && j < t->c; j++) ++ res += t->p[j]; ++ ++ return res; ++} ++EOF ++ ++cat > ${temp_dir}/testfile-main.c << EOF ++#include "testfile-foo.h" ++ ++static struct t g; ++ ++int ++main (int argc, char **argv) ++{ ++ int i; ++ int j[argc]; ++ g.c = argc; ++ g.p = j; ++ for (i = 0; i < argc; i++) ++ j[i] = (int) argv[i][0]; ++ return foo (3, &g); ++} ++EOF ++ ++gcc -g -Og -flto -c ${temp_dir}/testfile-foo.c -o ${temp_dir}/testfile-foo.o ++gcc -g -Og -c ${temp_dir}/testfile-main.c -o ${temp_dir}/testfile-main.o ++gcc -g -Og -o ${temp_dir}/testfile ${temp_dir}/testfile-foo.o ${temp_dir}/testfile-main.o ++ ++perf probe -x ${temp_dir}/testfile --funcs foo ++perf probe -x ${temp_dir}/testfile foo ++ ++cleanup diff --git a/tmp-6.4/perf-probe-read-dwarf-files-from-the-correct-cu.patch b/tmp-6.4/perf-probe-read-dwarf-files-from-the-correct-cu.patch new file mode 100644 index 00000000000..8d4924e4eea --- /dev/null +++ b/tmp-6.4/perf-probe-read-dwarf-files-from-the-correct-cu.patch 
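Review bot: cleanup() runs under `set -e`, so when the probe was never created (for example because one of the gcc steps failed) `perf probe -x ${temp_dir}/testfile -d foo` is expected to return non-zero and stop the function before `rm -f` and `rmdir`, leaving the temporary directory behind. Making the delete best-effort avoids that: `perf probe -x "${temp_dir}/testfile" -d foo || true`. The script also expands `${temp_dir}` unquoted in most commands while the `rm -f "${temp_dir}/"*` line quotes it; quoting it everywhere is the more consistent habit for a script that removes files.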
@@ -0,0 +1,66 @@ +From c66e1c68c13b872505f25ab641c44b77313ee7fe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Georg=20M=C3=BCller?= +Date: Wed, 28 Jun 2023 10:45:51 +0200 +Subject: perf probe: Read DWARF files from the correct CU +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Georg Müller + +commit c66e1c68c13b872505f25ab641c44b77313ee7fe upstream. + +After switching from dwarf_decl_file() to die_get_decl_file(), it is not +possible to add probes for certain functions: + + $ perf probe -x /usr/lib/systemd/systemd-logind match_unit_removed + A function DIE doesn't have decl_line. Maybe broken DWARF? + A function DIE doesn't have decl_line. Maybe broken DWARF? + Probe point 'match_unit_removed' not found. + Error: Failed to add events. + +The problem is that die_get_decl_file() uses the wrong CU to search for +the file. elfutils commit e1db5cdc9f has some good explanation for this: + + dwarf_decl_file uses dwarf_attr_integrate to get the DW_AT_decl_file + attribute. This means the attribute might come from a different DIE + in a different CU. If so, we need to use the CU associated with the + attribute, not the original DIE, to resolve the file name. + +This patch uses the same source of information as elfutils: use attribute +DW_AT_decl_file and use this CU to search for the file. 
+ +Fixes: dc9a5d2ccd5c823c ("perf probe: Fix to get declared file name from clang DWARF5") +Signed-off-by: Georg Müller +Acked-by: Masami Hiramatsu (Google) +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: regressions@lists.linux.dev +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230628084551.1860532-6-georgmueller@gmx.net +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/dwarf-aux.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/tools/perf/util/dwarf-aux.c ++++ b/tools/perf/util/dwarf-aux.c +@@ -478,8 +478,10 @@ static const char *die_get_file_name(Dwa + { + Dwarf_Die cu_die; + Dwarf_Files *files; ++ Dwarf_Attribute attr_mem; + +- if (idx < 0 || !dwarf_diecu(dw_die, &cu_die, NULL, NULL) || ++ if (idx < 0 || !dwarf_attr_integrate(dw_die, DW_AT_decl_file, &attr_mem) || ++ !dwarf_cu_die(attr_mem.cu, &cu_die, NULL, NULL, NULL, NULL, NULL, NULL) || + dwarf_getsrcfiles(&cu_die, &files, NULL) != 0) + return NULL; + diff --git a/tmp-6.4/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch b/tmp-6.4/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch new file mode 100644 index 00000000000..f493ccf4f70 --- /dev/null +++ b/tmp-6.4/pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch 
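Review bot: The rewritten condition in die_get_file_name() reads `attr_mem.cu` and passes it to `dwarf_cu_die()` with a row of NULL arguments, and nothing in the code says why the CU is taken from the attribute instead of from `dw_die`. The reason is given in the commit message only; a comment above the `if`, such as `/* DW_AT_decl_file may be inherited from a DIE in another CU; the file index is relative to that CU */`, would prevent a well-meant change back to `dwarf_diecu()`. The function body continues after the hunk.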
@@ -0,0 +1,118 @@ +From 4c55d9de4ff4c13926e629a17f4bfa200ad81072 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jul 2023 12:18:58 +0100 +Subject: pinctrl: renesas: rzg2l: Handle non-unique subnode names + +From: Biju Das + +[ Upstream commit bfc374a145ae133613e05b9b89be561f169cb58d ] + +Currently, sd1 and sd0 have unique subnode names 'sd1_mux' and 'sd0_mux'. +If we change these to non-unique subnode names such as 'mux' this can +lead to the below conflict as the RZ/G2L pin control driver considers +only the names of the subnodes. + + pinctrl-rzg2l 11030000.pinctrl: pin P47_0 already requested by 11c00000.mmc; cannot claim for 11c10000.mmc + pinctrl-rzg2l 11030000.pinctrl: pin-376 (11c10000.mmc) status -22 + pinctrl-rzg2l 11030000.pinctrl: could not request pin 376 (P47_0) from group mux on device pinctrl-rzg2l + renesas_sdhi_internal_dmac 11c10000.mmc: Error applying setting, reverse things back + +Fix this by constructing unique names from the node names of both the +pin control configuration node and its child node, where appropriate. + +Based on the work done by Geert for the RZ/V2M pinctrl driver. 
+ +Fixes: c4c4637eb57f ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver") +Signed-off-by: Biju Das +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230704111858.215278-1-biju.das.jz@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rzg2l.c | 28 ++++++++++++++++++------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c +index 9511d920565e9..b53d26167da52 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c ++++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c +@@ -249,6 +249,7 @@ static int rzg2l_map_add_config(struct pinctrl_map *map, + + static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, + struct device_node *np, ++ struct device_node *parent, + struct pinctrl_map **map, + unsigned int *num_maps, + unsigned int *index) +@@ -266,6 +267,7 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, + struct property *prop; + int ret, gsel, fsel; + const char **pin_fn; ++ const char *name; + const char *pin; + + pinmux = of_find_property(np, "pinmux", NULL); +@@ -349,8 +351,19 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, + psel_val[i] = MUX_FUNC(value); + } + ++ if (parent) { ++ name = devm_kasprintf(pctrl->dev, GFP_KERNEL, "%pOFn.%pOFn", ++ parent, np); ++ if (!name) { ++ ret = -ENOMEM; ++ goto done; ++ } ++ } else { ++ name = np->name; ++ } ++ + /* Register a single pin group listing all the pins we read from DT */ +- gsel = pinctrl_generic_add_group(pctldev, np->name, pins, num_pinmux, NULL); ++ gsel = pinctrl_generic_add_group(pctldev, name, pins, num_pinmux, NULL); + if (gsel < 0) { + ret = gsel; + goto done; +@@ -360,17 +373,16 @@ static int rzg2l_dt_subnode_to_map(struct pinctrl_dev *pctldev, + * Register a single group function where the 'data' is an array PSEL + * register values read from DT. 
+ */ +- pin_fn[0] = np->name; +- fsel = pinmux_generic_add_function(pctldev, np->name, pin_fn, 1, +- psel_val); ++ pin_fn[0] = name; ++ fsel = pinmux_generic_add_function(pctldev, name, pin_fn, 1, psel_val); + if (fsel < 0) { + ret = fsel; + goto remove_group; + } + + maps[idx].type = PIN_MAP_TYPE_MUX_GROUP; +- maps[idx].data.mux.group = np->name; +- maps[idx].data.mux.function = np->name; ++ maps[idx].data.mux.group = name; ++ maps[idx].data.mux.function = name; + idx++; + + dev_dbg(pctrl->dev, "Parsed %pOF with %d pins\n", np, num_pinmux); +@@ -417,7 +429,7 @@ static int rzg2l_dt_node_to_map(struct pinctrl_dev *pctldev, + index = 0; + + for_each_child_of_node(np, child) { +- ret = rzg2l_dt_subnode_to_map(pctldev, child, map, ++ ret = rzg2l_dt_subnode_to_map(pctldev, child, np, map, + num_maps, &index); + if (ret < 0) { + of_node_put(child); +@@ -426,7 +438,7 @@ static int rzg2l_dt_node_to_map(struct pinctrl_dev *pctldev, + } + + if (*num_maps == 0) { +- ret = rzg2l_dt_subnode_to_map(pctldev, np, map, ++ ret = rzg2l_dt_subnode_to_map(pctldev, np, NULL, map, + num_maps, &index); + if (ret < 0) + goto done; +-- +2.39.2 + diff --git a/tmp-6.4/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch b/tmp-6.4/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch new file mode 100644 index 00000000000..13fece4625d --- /dev/null +++ b/tmp-6.4/pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch 
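Review bot: The group name in rzg2l_dt_subnode_to_map() is now built with `devm_kasprintf(pctrl->dev, ...)`, so the string lives as long as the pin controller device, not as long as the map it names. The error exits shown after the allocation (`goto done`, `goto remove_group`) lead to labels outside the hunk, so it cannot be seen whether the name is released there; if it is not, and rzg2l_dt_node_to_map() can run more than once for the same node, each run leaves another copy allocated until the controller is unbound. Consider `devm_kfree(pctrl->dev, name)` on those paths when `parent` is set. The rzv2m patch that follows uses the same pattern and deserves the same check.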
@@ -0,0 +1,116 @@ +From 42c475f98a2c3df692cf6e15aa2f9ff1a4451452 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jul 2023 17:07:06 +0200 +Subject: pinctrl: renesas: rzv2m: Handle non-unique subnode names + +From: Geert Uytterhoeven + +[ Upstream commit f46a0b47cc0829acd050213194c5a77351e619b2 ] + +The eMMC and SDHI pin control configuration nodes in DT have subnodes +with the same names ("data" and "ctrl"). As the RZ/V2M pin control +driver considers only the names of the subnodes, this leads to +conflicts: + + pinctrl-rzv2m b6250000.pinctrl: pin P8_2 already requested by 85000000.mmc; cannot claim for 85020000.mmc + pinctrl-rzv2m b6250000.pinctrl: pin-130 (85020000.mmc) status -22 + renesas_sdhi_internal_dmac 85020000.mmc: Error applying setting, reverse things back + +Fix this by constructing unique names from the node names of both the +pin control configuration node and its child node, where appropriate. + +Reported by: Fabrizio Castro + +Fixes: 92a9b825257614af ("pinctrl: renesas: Add RZ/V2M pin and gpio controller driver") +Signed-off-by: Geert Uytterhoeven +Tested-by: Fabrizio Castro +Link: https://lore.kernel.org/r/607bd6ab4905b0b1b119a06ef953fa1184505777.1688396717.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rzv2m.c | 28 ++++++++++++++++++------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rzv2m.c b/drivers/pinctrl/renesas/pinctrl-rzv2m.c +index e5472293bc7fb..35b23c1a5684d 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rzv2m.c ++++ b/drivers/pinctrl/renesas/pinctrl-rzv2m.c +@@ -209,6 +209,7 @@ static int rzv2m_map_add_config(struct pinctrl_map *map, + + static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, + struct device_node *np, ++ struct device_node *parent, + struct pinctrl_map **map, + unsigned int *num_maps, + unsigned int *index) +@@ -226,6 +227,7 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, + struct 
property *prop; + int ret, gsel, fsel; + const char **pin_fn; ++ const char *name; + const char *pin; + + pinmux = of_find_property(np, "pinmux", NULL); +@@ -309,8 +311,19 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, + psel_val[i] = MUX_FUNC(value); + } + ++ if (parent) { ++ name = devm_kasprintf(pctrl->dev, GFP_KERNEL, "%pOFn.%pOFn", ++ parent, np); ++ if (!name) { ++ ret = -ENOMEM; ++ goto done; ++ } ++ } else { ++ name = np->name; ++ } ++ + /* Register a single pin group listing all the pins we read from DT */ +- gsel = pinctrl_generic_add_group(pctldev, np->name, pins, num_pinmux, NULL); ++ gsel = pinctrl_generic_add_group(pctldev, name, pins, num_pinmux, NULL); + if (gsel < 0) { + ret = gsel; + goto done; +@@ -320,17 +333,16 @@ static int rzv2m_dt_subnode_to_map(struct pinctrl_dev *pctldev, + * Register a single group function where the 'data' is an array PSEL + * register values read from DT. + */ +- pin_fn[0] = np->name; +- fsel = pinmux_generic_add_function(pctldev, np->name, pin_fn, 1, +- psel_val); ++ pin_fn[0] = name; ++ fsel = pinmux_generic_add_function(pctldev, name, pin_fn, 1, psel_val); + if (fsel < 0) { + ret = fsel; + goto remove_group; + } + + maps[idx].type = PIN_MAP_TYPE_MUX_GROUP; +- maps[idx].data.mux.group = np->name; +- maps[idx].data.mux.function = np->name; ++ maps[idx].data.mux.group = name; ++ maps[idx].data.mux.function = name; + idx++; + + dev_dbg(pctrl->dev, "Parsed %pOF with %d pins\n", np, num_pinmux); +@@ -377,7 +389,7 @@ static int rzv2m_dt_node_to_map(struct pinctrl_dev *pctldev, + index = 0; + + for_each_child_of_node(np, child) { +- ret = rzv2m_dt_subnode_to_map(pctldev, child, map, ++ ret = rzv2m_dt_subnode_to_map(pctldev, child, np, map, + num_maps, &index); + if (ret < 0) { + of_node_put(child); +@@ -386,7 +398,7 @@ static int rzv2m_dt_node_to_map(struct pinctrl_dev *pctldev, + } + + if (*num_maps == 0) { +- ret = rzv2m_dt_subnode_to_map(pctldev, np, map, ++ ret = rzv2m_dt_subnode_to_map(pctldev, np, 
NULL, map, + num_maps, &index); + if (ret < 0) + goto done; +-- +2.39.2 + diff --git a/tmp-6.4/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch b/tmp-6.4/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch new file mode 100644 index 00000000000..2930b69c794 --- /dev/null +++ b/tmp-6.4/posix-timers-ensure-timer-id-search-loop-limit-is-va.patch 
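Review bot: In the rzv2m_dt_subnode_to_map() hunk that builds `name`, the string returned by `devm_kasprintf()` is not released on the later `gsel < 0` and `fsel < 0` failure paths, so it stays allocated until `pctrl->dev` is unbound. If this function can run more than once for the same node (for example when a consumer's probe is retried, which is not visible here), those allocations accumulate. Consider `if (parent) devm_kfree(pctrl->dev, name);` on the failure paths, or a comment stating that the name is intentionally device-lifetime. The function body continues outside the hunks shown, and the rzg2l patch earlier on this page uses the same pattern.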
@@ -0,0 +1,115 @@ +From 8833636766cff05f84668466c87b643c9d37b3fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 20:58:47 +0200 +Subject: posix-timers: Ensure timer ID search-loop limit is valid + +From: Thomas Gleixner + +[ Upstream commit 8ce8849dd1e78dadcee0ec9acbd259d239b7069f ] + +posix_timer_add() tries to allocate a posix timer ID by starting from the +cached ID which was stored by the last successful allocation. + +This is done in a loop searching the ID space for a free slot one by +one. The loop has to terminate when the search wrapped around to the +starting point. + +But that's racy vs. establishing the starting point. That is read out +lockless, which leads to the following problem: + +CPU0 CPU1 +posix_timer_add() + start = sig->posix_timer_id; + lock(hash_lock); + ... posix_timer_add() + if (++sig->posix_timer_id < 0) + start = sig->posix_timer_id; + sig->posix_timer_id = 0; + +So CPU1 can observe a negative start value, i.e. -1, and the loop break +never happens because the condition can never be true: + + if (sig->posix_timer_id == start) + break; + +While this is unlikely to ever turn into an endless loop as the ID space is +huge (INT_MAX), the racy read of the start value caught the attention of +KCSAN and Dmitry unearthed that incorrectness. + +Rewrite it so that all id operations are under the hash lock. 
+ +Reported-by: syzbot+5c54bd3eb218bb595aa9@syzkaller.appspotmail.com +Reported-by: Dmitry Vyukov +Signed-off-by: Thomas Gleixner +Reviewed-by: Frederic Weisbecker +Link: https://lore.kernel.org/r/87bkhzdn6g.ffs@tglx +Signed-off-by: Sasha Levin +--- + include/linux/sched/signal.h | 2 +- + kernel/time/posix-timers.c | 31 ++++++++++++++++++------------- + 2 files changed, 19 insertions(+), 14 deletions(-) + +diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h +index 20099268fa257..669e8cff40c74 100644 +--- a/include/linux/sched/signal.h ++++ b/include/linux/sched/signal.h +@@ -135,7 +135,7 @@ struct signal_struct { + #ifdef CONFIG_POSIX_TIMERS + + /* POSIX.1b Interval Timers */ +- int posix_timer_id; ++ unsigned int next_posix_timer_id; + struct list_head posix_timers; + + /* ITIMER_REAL timer for the process */ +diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c +index ed3c4a9543982..2d6cf93ca370a 100644 +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -140,25 +140,30 @@ static struct k_itimer *posix_timer_by_id(timer_t id) + static int posix_timer_add(struct k_itimer *timer) + { + struct signal_struct *sig = current->signal; +- int first_free_id = sig->posix_timer_id; + struct hlist_head *head; +- int ret = -ENOENT; ++ unsigned int cnt, id; + +- do { ++ /* ++ * FIXME: Replace this by a per signal struct xarray once there is ++ * a plan to handle the resulting CRIU regression gracefully. ++ */ ++ for (cnt = 0; cnt <= INT_MAX; cnt++) { + spin_lock(&hash_lock); +- head = &posix_timers_hashtable[hash(sig, sig->posix_timer_id)]; +- if (!__posix_timers_find(head, sig, sig->posix_timer_id)) { ++ id = sig->next_posix_timer_id; ++ ++ /* Write the next ID back. 
Clamp it to the positive space */ ++ sig->next_posix_timer_id = (id + 1) & INT_MAX; ++ ++ head = &posix_timers_hashtable[hash(sig, id)]; ++ if (!__posix_timers_find(head, sig, id)) { + hlist_add_head_rcu(&timer->t_hash, head); +- ret = sig->posix_timer_id; ++ spin_unlock(&hash_lock); ++ return id; + } +- if (++sig->posix_timer_id < 0) +- sig->posix_timer_id = 0; +- if ((sig->posix_timer_id == first_free_id) && (ret == -ENOENT)) +- /* Loop over all possible ids completed */ +- ret = -EAGAIN; + spin_unlock(&hash_lock); +- } while (ret == -ENOENT); +- return ret; ++ } ++ /* POSIX return code when no timer ID could be allocated */ ++ return -EAGAIN; + } + + static inline void unlock_timer(struct k_itimer *timr, unsigned long flags) +-- +2.39.2 + diff --git a/tmp-6.4/prctl-move-pr_get_auxv-out-of-pr_mce_kill.patch b/tmp-6.4/prctl-move-pr_get_auxv-out-of-pr_mce_kill.patch new file mode 100644 index 00000000000..1c29ce63ef1 --- /dev/null +++ b/tmp-6.4/prctl-move-pr_get_auxv-out-of-pr_mce_kill.patch 
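Review bot: The loop bound `cnt <= INT_MAX` in posix_timer_add() terminates only because `cnt` is declared `unsigned int`; with a signed counter the final increment would overflow and the loop could never end. Nothing in the code says this, so a later type cleanup could reintroduce an unbounded search under `hash_lock`. A comment above the loop would pin it down, e.g. `/* cnt must stay unsigned: probes each of the INT_MAX + 1 possible IDs at most once */`. The same applies to `return id;`, which fits the `int` return type only because of the `& INT_MAX` clamp on the stored value.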
@@ -0,0 +1,67 @@ +From 636e348353a7cc52609fdba5ff3270065da140d5 Mon Sep 17 00:00:00 2001 +From: Miguel Ojeda +Date: Sun, 9 Jul 2023 01:33:44 +0200 +Subject: prctl: move PR_GET_AUXV out of PR_MCE_KILL + +From: Miguel Ojeda + +commit 636e348353a7cc52609fdba5ff3270065da140d5 upstream. + +Somehow PR_GET_AUXV got added into PR_MCE_KILL's switch when the patch was +applied [1]. + +Thus move it out of the switch, to the place the patch added it. + +In the recently released v6.4 kernel some user could, in principle, be +already using this feature by mapping the right page and passing the +PR_GET_AUXV constant as a pointer: + + prctl(PR_MCE_KILL, PR_GET_AUXV, ...) + +So this does change the behavior for users. We could keep the bug since +the other subcases in PR_MCE_KILL (PR_MCE_KILL_CLEAR and PR_MCE_KILL_SET) +do not overlap. + +However, v6.4 may be recent enough (2 weeks old) that moving the lines +(rather than just adding a new case) does not break anybody? Moreover, +the documentation in man-pages was just committed today [2]. 
+ +Link: https://lkml.kernel.org/r/20230708233344.361854-1-ojeda@kernel.org +Fixes: ddc65971bb67 ("prctl: add PR_GET_AUXV to copy auxv to userspace") +Link: https://lore.kernel.org/all/d81864a7f7f43bca6afa2a09fc2e850e4050ab42.1680611394.git.josh@joshtriplett.org/ [1] +Link: https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit/?id=8cf0c06bfd3c2b219b044d4151c96f0da50af9ad [2] +Signed-off-by: Miguel Ojeda +Cc: Josh Triplett +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sys.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -2529,11 +2529,6 @@ SYSCALL_DEFINE5(prctl, int, option, unsi + else + return -EINVAL; + break; +- case PR_GET_AUXV: +- if (arg4 || arg5) +- return -EINVAL; +- error = prctl_get_auxv((void __user *)arg2, arg3); +- break; + default: + return -EINVAL; + } +@@ -2688,6 +2683,11 @@ SYSCALL_DEFINE5(prctl, int, option, unsi + case PR_SET_VMA: + error = prctl_set_vma(arg2, arg3, arg4, arg5); + break; ++ case PR_GET_AUXV: ++ if (arg4 || arg5) ++ return -EINVAL; ++ error = prctl_get_auxv((void __user *)arg2, arg3); ++ break; + #ifdef CONFIG_KSM + case PR_SET_MEMORY_MERGE: + if (arg3 || arg4 || arg5) diff --git a/tmp-6.4/quota-fix-warning-in-dqgrab.patch b/tmp-6.4/quota-fix-warning-in-dqgrab.patch new file mode 100644 index 00000000000..982c7d1d8c2 --- /dev/null +++ b/tmp-6.4/quota-fix-warning-in-dqgrab.patch 
@@ -0,0 +1,100 @@ +From 75b565477bbbb5a728fa106e0189d9fcb2131bcd Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Mon, 5 Jun 2023 22:07:31 +0800 +Subject: [PATCH AUTOSEL 5.4 04/12] quota: fix warning in dqgrab() +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit d6a95db3c7ad160bc16b89e36449705309b52bcb ] + +There's issue as follows when do fault injection: +WARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0 +Modules linked in: +CPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541 +RIP: 0010:dquot_disable+0x13b7/0x18c0 +RSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980 +RDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002 +RBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000 +R10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130 +R13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118 +FS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + dquot_load_quota_sb+0xd53/0x1060 + dquot_resume+0x172/0x230 + ext4_reconfigure+0x1dc6/0x27b0 + reconfigure_super+0x515/0xa90 + __x64_sys_fsconfig+0xb19/0xd20 + do_syscall_64+0x39/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Above issue may happens as follows: +ProcessA ProcessB ProcessC +sys_fsconfig + vfs_fsconfig_locked + reconfigure_super + ext4_remount + dquot_suspend -> suspend all type quota + + sys_fsconfig + vfs_fsconfig_locked + reconfigure_super + ext4_remount + dquot_resume + ret = dquot_load_quota_sb + add_dquot_ref + do_open -> open file O_RDWR + vfs_open + do_dentry_open + get_write_access + 
atomic_inc_unless_negative(&inode->i_writecount) + ext4_file_open + dquot_file_open + dquot_initialize + __dquot_initialize + dqget + atomic_inc(&dquot->dq_count); + + __dquot_initialize + __dquot_initialize + dqget + if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) + ext4_acquire_dquot + -> Return error DQ_ACTIVE_B flag isn't set + dquot_disable + invalidate_dquots + if (atomic_read(&dquot->dq_count)) + dqgrab + WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) + -> Trigger warning + +In the above scenario, 'dquot->dq_flags' has no DQ_ACTIVE_B is normal when +dqgrab(). +To solve above issue just replace the dqgrab() use in invalidate_dquots() with +atomic_inc(&dquot->dq_count). + +Signed-off-by: Ye Bin +Signed-off-by: Jan Kara +Message-Id: <20230605140731.2427629-3-yebin10@huawei.com> +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -555,7 +555,7 @@ restart: + continue; + /* Wait for dquot users */ + if (atomic_read(&dquot->dq_count)) { +- dqgrab(dquot); ++ atomic_inc(&dquot->dq_count); + spin_unlock(&dq_list_lock); + /* + * Once dqput() wakes us up, we know it's time to free diff --git a/tmp-6.4/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch b/tmp-6.4/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch new file mode 100644 index 00000000000..d7b4aaab3d7 --- /dev/null +++ b/tmp-6.4/quota-properly-disable-quotas-when-add_dquot_ref-fai.patch 
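Review bot: The bare `atomic_inc(&dquot->dq_count)` in invalidate_dquots() replaces the `dqgrab()` helper with no in-code explanation, so a later cleanup could switch it back and bring the warning back with it. A comment directly above it would record the reason given in the commit message, e.g. `/* Open-coded instead of dqgrab(): DQ_ACTIVE_B may be clear here and dqgrab() would WARN */`. The enclosing function starts and ends outside the hunk.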
@@ -0,0 +1,40 @@ +From e215781d8a2d612e8bfa6015837e3d0b89231552 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 5 Jun 2023 22:07:30 +0800 +Subject: [PATCH AUTOSEL 5.4 03/12] quota: Properly disable quotas when + add_dquot_ref() fails +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit 6a4e3363792e30177cc3965697e34ddcea8b900b ] + +When add_dquot_ref() fails (usually due to IO error or ENOMEM), we want +to disable quotas we are trying to enable. However dquot_disable() call +was passed just the flags we are enabling so in case flags == +DQUOT_USAGE_ENABLED dquot_disable() call will just fail with EINVAL +instead of properly disabling quotas. Fix the problem by always passing +DQUOT_LIMITS_ENABLED | DQUOT_USAGE_ENABLED to dquot_disable() in this +case. + +Reported-and-tested-by: Ye Bin +Reported-by: syzbot+e633c79ceaecbf479854@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Message-Id: <20230605140731.2427629-2-yebin10@huawei.com> +Signed-off-by: Sasha Levin +--- + fs/quota/dquot.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -2420,7 +2420,8 @@ int dquot_load_quota_sb(struct super_blo + + error = add_dquot_ref(sb, type); + if (error) +- dquot_disable(sb, type, flags); ++ dquot_disable(sb, type, ++ DQUOT_USAGE_ENABLED | DQUOT_LIMITS_ENABLED); + + return error; + out_fmt: diff --git a/tmp-6.4/r8169-fix-aspm-related-problem-for-chip-version-42-a.patch b/tmp-6.4/r8169-fix-aspm-related-problem-for-chip-version-42-a.patch new file mode 100644 index 00000000000..6e12fab0d69 --- /dev/null +++ b/tmp-6.4/r8169-fix-aspm-related-problem-for-chip-version-42-a.patch 
@@ -0,0 +1,44 @@ +From b3641346909bdc69007b6208b28d795d29f08fe1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jul 2023 07:39:36 +0200 +Subject: r8169: fix ASPM-related problem for chip version 42 and 43 + +From: Heiner Kallweit + +[ Upstream commit 162d626f3013215b82b6514ca14f20932c7ccce5 ] + +Referenced commit missed that for chip versions 42 and 43 ASPM +remained disabled in the respective rtl_hw_start_...() routines. +This resulted in problems as described in the referenced bug +ticket. Therefore re-instantiate the previous logic. + +Fixes: 5fc3f6c90cca ("r8169: consolidate disabling ASPM before EPHY access") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217635 +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/realtek/r8169_main.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c +index ca0140963ff3a..b69122686407d 100644 +--- a/drivers/net/ethernet/realtek/r8169_main.c ++++ b/drivers/net/ethernet/realtek/r8169_main.c +@@ -2747,6 +2747,13 @@ static void rtl_hw_aspm_clkreq_enable(struct rtl8169_private *tp, bool enable) + return; + + if (enable) { ++ /* On these chip versions ASPM can even harm ++ * bus communication of other PCI devices. ++ */ ++ if (tp->mac_version == RTL_GIGA_MAC_VER_42 || ++ tp->mac_version == RTL_GIGA_MAC_VER_43) ++ return; ++ + rtl_mod_config5(tp, 0, ASPM_en); + rtl_mod_config2(tp, 0, ClkReqEn); + +-- +2.39.2 + diff --git a/tmp-6.4/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch b/tmp-6.4/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch new file mode 100644 index 00000000000..67c2488f9b7 --- /dev/null +++ b/tmp-6.4/rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch 
@@ -0,0 +1,76 @@ +From c2695efafc87a2ebcdaa8213853f069251cdf6dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Apr 2023 16:05:38 -0700 +Subject: rcu: Mark additional concurrent load from ->cpu_no_qs.b.exp + +From: Paul E. McKenney + +[ Upstream commit 9146eb25495ea8bfb5010192e61e3ed5805ce9ef ] + +The per-CPU rcu_data structure's ->cpu_no_qs.b.exp field is updated +only on the instance corresponding to the current CPU, but can be read +more widely. Unmarked accesses are OK from the corresponding CPU, but +only if interrupts are disabled, given that interrupt handlers can and +do modify this field. + +Unfortunately, although the load from rcu_preempt_deferred_qs() is always +carried out from the corresponding CPU, interrupts are not necessarily +disabled. This commit therefore upgrades this load to READ_ONCE. + +Similarly, the diagnostic access from synchronize_rcu_expedited_wait() +might run with interrupts disabled and from some other CPU. This commit +therefore marks this load with data_race(). + +Finally, the C-language access in rcu_preempt_ctxt_queue() is OK as +is because interrupts are disabled and this load is always from the +corresponding CPU. This commit adds a comment giving the rationale for +this access being safe. + +This data race was reported by KCSAN. Not appropriate for backporting +due to failure being unlikely. + +Signed-off-by: Paul E. 
McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_exp.h | 2 +- + kernel/rcu/tree_plugin.h | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h +index 3b7abb58157df..8239b39d945bd 100644 +--- a/kernel/rcu/tree_exp.h ++++ b/kernel/rcu/tree_exp.h +@@ -643,7 +643,7 @@ static void synchronize_rcu_expedited_wait(void) + "O."[!!cpu_online(cpu)], + "o."[!!(rdp->grpmask & rnp->expmaskinit)], + "N."[!!(rdp->grpmask & rnp->expmaskinitnext)], +- "D."[!!(rdp->cpu_no_qs.b.exp)]); ++ "D."[!!data_race(rdp->cpu_no_qs.b.exp)]); + } + } + pr_cont(" } %lu jiffies s: %lu root: %#lx/%c\n", +diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h +index 7b0fe741a0886..41021080ad258 100644 +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -257,6 +257,8 @@ static void rcu_preempt_ctxt_queue(struct rcu_node *rnp, struct rcu_data *rdp) + * GP should not be able to end until we report, so there should be + * no need to check for a subsequent expedited GP. (Though we are + * still in a quiescent state in any case.) ++ * ++ * Interrupts are disabled, so ->cpu_no_qs.b.exp cannot change. + */ + if (blkd_state & RCU_EXP_BLKD && rdp->cpu_no_qs.b.exp) + rcu_report_exp_rdp(rdp); +@@ -941,7 +943,7 @@ notrace void rcu_preempt_deferred_qs(struct task_struct *t) + { + struct rcu_data *rdp = this_cpu_ptr(&rcu_data); + +- if (rdp->cpu_no_qs.b.exp) ++ if (READ_ONCE(rdp->cpu_no_qs.b.exp)) + rcu_report_exp_rdp(rdp); + } + +-- +2.39.2 + diff --git a/tmp-6.4/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch b/tmp-6.4/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch new file mode 100644 index 00000000000..a151907eb59 --- /dev/null +++ b/tmp-6.4/rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch 
@@ -0,0 +1,91 @@ +From 1e5233c6acc983e4260bd78c410a36f74d547a9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 01:22:05 +0900 +Subject: rcu-tasks: Avoid pr_info() with spin lock in cblist_init_generic() + +From: Shigeru Yoshida + +[ Upstream commit 5fc8cbe4cf0fd34ded8045c385790c3bf04f6785 ] + +pr_info() is called with rtp->cbs_gbl_lock spin lock locked. Because +pr_info() calls printk() that might sleep, this will result in BUG +like below: + +[ 0.206455] cblist_init_generic: Setting adjustable number of callback queues. +[ 0.206463] +[ 0.206464] ============================= +[ 0.206464] [ BUG: Invalid wait context ] +[ 0.206465] 5.19.0-00428-g9de1f9c8ca51 #5 Not tainted +[ 0.206466] ----------------------------- +[ 0.206466] swapper/0/1 is trying to lock: +[ 0.206467] ffffffffa0167a58 (&port_lock_key){....}-{3:3}, at: serial8250_console_write+0x327/0x4a0 +[ 0.206473] other info that might help us debug this: +[ 0.206473] context-{5:5} +[ 0.206474] 3 locks held by swapper/0/1: +[ 0.206474] #0: ffffffff9eb597e0 (rcu_tasks.cbs_gbl_lock){....}-{2:2}, at: cblist_init_generic.constprop.0+0x14/0x1f0 +[ 0.206478] #1: ffffffff9eb579c0 (console_lock){+.+.}-{0:0}, at: _printk+0x63/0x7e +[ 0.206482] #2: ffffffff9ea77780 (console_owner){....}-{0:0}, at: console_emit_next_record.constprop.0+0x111/0x330 +[ 0.206485] stack backtrace: +[ 0.206486] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-00428-g9de1f9c8ca51 #5 +[ 0.206488] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014 +[ 0.206489] Call Trace: +[ 0.206490] +[ 0.206491] dump_stack_lvl+0x6a/0x9f +[ 0.206493] __lock_acquire.cold+0x2d7/0x2fe +[ 0.206496] ? stack_trace_save+0x46/0x70 +[ 0.206497] lock_acquire+0xd1/0x2f0 +[ 0.206499] ? serial8250_console_write+0x327/0x4a0 +[ 0.206500] ? __lock_acquire+0x5c7/0x2720 +[ 0.206502] _raw_spin_lock_irqsave+0x3d/0x90 +[ 0.206504] ? 
serial8250_console_write+0x327/0x4a0 +[ 0.206506] serial8250_console_write+0x327/0x4a0 +[ 0.206508] console_emit_next_record.constprop.0+0x180/0x330 +[ 0.206511] console_unlock+0xf7/0x1f0 +[ 0.206512] vprintk_emit+0xf7/0x330 +[ 0.206514] _printk+0x63/0x7e +[ 0.206516] cblist_init_generic.constprop.0.cold+0x24/0x32 +[ 0.206518] rcu_init_tasks_generic+0x5/0xd9 +[ 0.206522] kernel_init_freeable+0x15b/0x2a2 +[ 0.206523] ? rest_init+0x160/0x160 +[ 0.206526] kernel_init+0x11/0x120 +[ 0.206527] ret_from_fork+0x1f/0x30 +[ 0.206530] +[ 0.207018] cblist_init_generic: Setting shift to 1 and lim to 1. + +This patch moves pr_info() so that it is called without +rtp->cbs_gbl_lock locked. + +Signed-off-by: Shigeru Yoshida +Tested-by: "Zhang, Qiang1" +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tasks.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h +index 8f08c087142b0..9b9ce09f8f358 100644 +--- a/kernel/rcu/tasks.h ++++ b/kernel/rcu/tasks.h +@@ -241,7 +241,6 @@ static void cblist_init_generic(struct rcu_tasks *rtp) + if (rcu_task_enqueue_lim < 0) { + rcu_task_enqueue_lim = 1; + rcu_task_cb_adjust = true; +- pr_info("%s: Setting adjustable number of callback queues.\n", __func__); + } else if (rcu_task_enqueue_lim == 0) { + rcu_task_enqueue_lim = 1; + } +@@ -272,6 +271,10 @@ static void cblist_init_generic(struct rcu_tasks *rtp) + raw_spin_unlock_rcu_node(rtpcp); // irqs remain disabled. + } + raw_spin_unlock_irqrestore(&rtp->cbs_gbl_lock, flags); ++ ++ if (rcu_task_cb_adjust) ++ pr_info("%s: Setting adjustable number of callback queues.\n", __func__); ++ + pr_info("%s: Setting shift to %d and lim to %d.\n", __func__, data_race(rtp->percpu_enqueue_shift), data_race(rtp->percpu_enqueue_lim)); + } + +-- +2.39.2 + 
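Review bot: The relocated `pr_info()` in cblist_init_generic() is now keyed on `rcu_task_cb_adjust` rather than on the `rcu_task_enqueue_lim < 0` branch that sets it. Neither variable is reached through `rtp`, so they appear to be shared across calls; if so, the first call rewrites `rcu_task_enqueue_lim` to 1 and leaves the flag true, and every later call prints "Setting adjustable number of callback queues." although it did not take that branch. If one message is intended, record the decision locally: `bool adjusted = false;` set inside the `< 0` branch, then `if (adjusted) pr_info(...)` after the unlock. The function starts outside the hunk.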
diff --git a/tmp-6.4/regmap-account-for-register-length-in-smbus-i-o-limits.patch b/tmp-6.4/regmap-account-for-register-length-in-smbus-i-o-limits.patch
new file mode 100644
index 00000000000..b920fc52b6d
--- /dev/null
+++ b/tmp-6.4/regmap-account-for-register-length-in-smbus-i-o-limits.patch
@@ -0,0 +1,54 @@ +From 0c9d2eb5e94792fe64019008a04d4df5e57625af Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Wed, 12 Jul 2023 12:16:40 +0100 +Subject: regmap: Account for register length in SMBus I/O limits + +From: Mark Brown + +commit 0c9d2eb5e94792fe64019008a04d4df5e57625af upstream. + +The SMBus I2C buses have limits on the size of transfers they can do but +do not factor in the register length meaning we may try to do a transfer +longer than our length limit, the core will not take care of this. +Future changes will factor this out into the core but there are a number +of users that assume current behaviour so let's just do something +conservative here. + +This does not take account padding bits but practically speaking these +are very rarely if ever used on I2C buses given that they generally run +slowly enough to mean there's no issue. + +Cc: stable@kernel.org +Signed-off-by: Mark Brown +Reviewed-by: Xu Yilun +Link: https://lore.kernel.org/r/20230712-regmap-max-transfer-v1-2-80e2aed22e83@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regmap-i2c.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/base/regmap/regmap-i2c.c ++++ b/drivers/base/regmap/regmap-i2c.c +@@ -242,8 +242,8 @@ static int regmap_i2c_smbus_i2c_read(voi + static const struct regmap_bus regmap_i2c_smbus_i2c_block = { + .write = regmap_i2c_smbus_i2c_write, + .read = regmap_i2c_smbus_i2c_read, +- .max_raw_read = I2C_SMBUS_BLOCK_MAX, +- .max_raw_write = I2C_SMBUS_BLOCK_MAX, ++ .max_raw_read = I2C_SMBUS_BLOCK_MAX - 1, ++ .max_raw_write = I2C_SMBUS_BLOCK_MAX - 1, + }; + + static int regmap_i2c_smbus_i2c_write_reg16(void *context, const void *data, +@@ -299,8 +299,8 @@ static int regmap_i2c_smbus_i2c_read_reg + static const struct regmap_bus regmap_i2c_smbus_i2c_block_reg16 = { + .write = regmap_i2c_smbus_i2c_write_reg16, + .read = regmap_i2c_smbus_i2c_read_reg16, +- .max_raw_read = I2C_SMBUS_BLOCK_MAX, +- 
.max_raw_write = I2C_SMBUS_BLOCK_MAX, ++ .max_raw_read = I2C_SMBUS_BLOCK_MAX - 2, ++ .max_raw_write = I2C_SMBUS_BLOCK_MAX - 2, + }; + + static const struct regmap_bus *regmap_get_i2c_bus(struct i2c_client *i2c, diff --git a/tmp-6.4/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch b/tmp-6.4/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch new file mode 100644 index 00000000000..65305f80f18 --- /dev/null +++ b/tmp-6.4/regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch 
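Review bot: The `- 1` and `- 2` adjustments to `I2C_SMBUS_BLOCK_MAX` in regmap_i2c_smbus_i2c_block and regmap_i2c_smbus_i2c_block_reg16 are unexplained in the code; only the commit message says they account for the register length. A short comment on each pair of initializers, such as `/* leave room for the 1-byte register address */` and `/* leave room for the 2-byte register address */` (sizes presumed from the reg16 naming), would stop the limits being simplified back to the full block size. The commit message also notes that padding bits are not accounted for, which is worth stating next to the constants too.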
@@ -0,0 +1,64 @@ +From bc64734825c59e18a27ac266b07e14944c111fd8 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Wed, 12 Jul 2023 12:16:39 +0100 +Subject: regmap: Drop initial version of maximum transfer length fixes + +From: Mark Brown + +commit bc64734825c59e18a27ac266b07e14944c111fd8 upstream. + +When problems were noticed with the register address not being taken +into account when limiting raw transfers with I2C devices we fixed this +in the core. Unfortunately it has subsequently been realised that a lot +of buses were relying on the prior behaviour, partly due to unclear +documentation not making it obvious what was intended in the core. This +is all more involved to fix than is sensible for a fix commit so let's +just drop the original fixes, a separate commit will fix the originally +observed problem in an I2C specific way + +Fixes: 3981514180c9 ("regmap: Account for register length when chunking") +Fixes: c8e796895e23 ("regmap: spi-avmm: Fix regmap_bus max_raw_write") +Signed-off-by: Mark Brown +Reviewed-by: Xu Yilun +Cc: stable@kernel.org +Link: https://lore.kernel.org/r/20230712-regmap-max-transfer-v1-1-80e2aed22e83@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regmap-spi-avmm.c | 2 +- + drivers/base/regmap/regmap.c | 6 ++---- + 2 files changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/base/regmap/regmap-spi-avmm.c ++++ b/drivers/base/regmap/regmap-spi-avmm.c +@@ -660,7 +660,7 @@ static const struct regmap_bus regmap_sp + .reg_format_endian_default = REGMAP_ENDIAN_NATIVE, + .val_format_endian_default = REGMAP_ENDIAN_NATIVE, + .max_raw_read = SPI_AVMM_VAL_SIZE * MAX_READ_CNT, +- .max_raw_write = SPI_AVMM_REG_SIZE + SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT, ++ .max_raw_write = SPI_AVMM_VAL_SIZE * MAX_WRITE_CNT, + .free_context = spi_avmm_bridge_ctx_free, + }; + +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -2082,8 +2082,6 @@ int _regmap_raw_write(struct regmap *map + 
size_t val_count = val_len / val_bytes; + size_t chunk_count, chunk_bytes; + size_t chunk_regs = val_count; +- size_t max_data = map->max_raw_write - map->format.reg_bytes - +- map->format.pad_bytes; + int ret, i; + + if (!val_count) +@@ -2091,8 +2089,8 @@ int _regmap_raw_write(struct regmap *map + + if (map->use_single_write) + chunk_regs = 1; +- else if (map->max_raw_write && val_len > max_data) +- chunk_regs = max_data / val_bytes; ++ else if (map->max_raw_write && val_len > map->max_raw_write) ++ chunk_regs = map->max_raw_write / val_bytes; + + chunk_count = val_count / chunk_regs; + chunk_bytes = chunk_regs * val_bytes; diff --git a/tmp-6.4/regulator-da9063-fix-null-pointer-deref-with-partial.patch b/tmp-6.4/regulator-da9063-fix-null-pointer-deref-with-partial.patch new file mode 100644 index 00000000000..1e71c3257b6 --- /dev/null +++ b/tmp-6.4/regulator-da9063-fix-null-pointer-deref-with-partial.patch 
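Review bot: In the _regmap_raw_write() hunk, `chunk_regs = map->max_raw_write / val_bytes;` evaluates to 0 when a bus advertises a non-zero `max_raw_write` smaller than `val_bytes`, and the context line `chunk_count = val_count / chunk_regs;` then divides by zero. Whether map initialisation already rejects such a configuration is not visible here; if it does not, a guard such as `if (!chunk_regs) return -EINVAL;` before the division would turn that into an explicit error. The function starts and ends outside the hunk.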
@@ -0,0 +1,42 @@ +From 91572c4910ad8526b74672f2e2764d2f86dc2152 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jun 2023 16:36:28 +0200 +Subject: regulator: da9063: fix null pointer deref with partial DT config + +From: Martin Fuzzey + +[ Upstream commit 98e2dd5f7a8be5cb2501a897e96910393a49f0ff ] + +When some of the da9063 regulators do not have corresponding DT nodes +a null pointer dereference occurs on boot because such regulators have +no init_data causing the pointers calculated in +da9063_check_xvp_constraints() to be invalid. + +Do not dereference them in this case. + +Fixes: b8717a80e6ee ("regulator: da9063: implement setter for voltage monitoring") +Signed-off-by: Martin Fuzzey +Link: https://lore.kernel.org/r/20230616143736.2946173-1-martin.fuzzey@flowbird.group +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/da9063-regulator.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/regulator/da9063-regulator.c b/drivers/regulator/da9063-regulator.c +index c5dd77be558b6..dfd5ec9f75c90 100644 +--- a/drivers/regulator/da9063-regulator.c ++++ b/drivers/regulator/da9063-regulator.c +@@ -778,6 +778,9 @@ static int da9063_check_xvp_constraints(struct regulator_config *config) + const struct notification_limit *uv_l = &constr->under_voltage_limits; + const struct notification_limit *ov_l = &constr->over_voltage_limits; + ++ if (!config->init_data) /* No config in DT, pointers will be invalid */ ++ return 0; ++ + /* make sure that only one severity is used to clarify if unchanged, enabled or disabled */ + if ((!!uv_l->prot + !!uv_l->err + !!uv_l->warn) > 1) { + dev_err(config->dev, "%s: at most one voltage monitoring severity allowed!\n", +-- +2.39.2 + diff --git a/tmp-6.4/revert-r8169-disable-aspm-during-napi-poll.patch b/tmp-6.4/revert-r8169-disable-aspm-during-napi-poll.patch new file mode 100644 index 00000000000..c73014b42af --- /dev/null +++ b/tmp-6.4/revert-r8169-disable-aspm-during-napi-poll.patch 
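Review bot: The added `if (!config->init_data)` check in da9063_check_xvp_constraints() runs only after `uv_l` and `ov_l` have been computed from `constr` in the declarations above it, so the pointer arithmetic on a possibly NULL base still happens before the guard. Assuming `constr` is derived from `config->init_data` (its declaration is outside the hunk), it would be cleaner to leave the pointers uninitialised and assign them after the check, e.g. `uv_l = &constr->under_voltage_limits;` and `ov_l = &constr->over_voltage_limits;`. The "pointers will be invalid" comment is then no longer needed. The function body continues outside the hunk.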
@@ -0,0 +1,52 @@
+From e31a9fedc7d8d80722b19628e66fcb5a36981780 Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit
+Date: Tue, 18 Jul 2023 13:12:32 +0200
+Subject: Revert "r8169: disable ASPM during NAPI poll"
+
+From: Heiner Kallweit
+
+commit e31a9fedc7d8d80722b19628e66fcb5a36981780 upstream.
+
+This reverts commit e1ed3e4d91112027b90c7ee61479141b3f948e6a.
+
+Turned out the change causes a performance regression.
+
+Link: https://lore.kernel.org/netdev/20230713124914.GA12924@green245/T/
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiner Kallweit
+Link: https://lore.kernel.org/r/055c6bc2-74fa-8c67-9897-3f658abb5ae7@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -4514,10 +4514,6 @@ static irqreturn_t rtl8169_interrupt(int
+ }
+
+ if (napi_schedule_prep(&tp->napi)) {
+- rtl_unlock_config_regs(tp);
+- rtl_hw_aspm_clkreq_enable(tp, false);
+- rtl_lock_config_regs(tp);
+-
+ rtl_irq_disable(tp);
+ __napi_schedule(&tp->napi);
+ }
+@@ -4577,14 +4573,9 @@ static int rtl8169_poll(struct napi_stru
+
+ work_done = rtl_rx(dev, tp, budget);
+
+- if (work_done < budget && napi_complete_done(napi, work_done)) {
++ if (work_done < budget && napi_complete_done(napi, work_done))
+ rtl_irq_enable(tp);
+
+- rtl_unlock_config_regs(tp);
+- rtl_hw_aspm_clkreq_enable(tp, true);
+- rtl_lock_config_regs(tp);
+- }
+-
+ return work_done;
+ }
+
diff --git a/tmp-6.4/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch b/tmp-6.4/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch
new file mode 100644
index 00000000000..59e6ff34715
--- /dev/null
+++ b/tmp-6.4/revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch
@@ -0,0 +1,113 @@ +From ecd467dd886c50804703a2c430a0a51d19acb739 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jul 2023 14:59:18 -0700 +Subject: Revert "tcp: avoid the lookup process failing to get sk in ehash + table" + +From: Kuniyuki Iwashima + +[ Upstream commit 81b3ade5d2b98ad6e0a473b0e1e420a801275592 ] + +This reverts commit 3f4ca5fafc08881d7a57daa20449d171f2887043. + +Commit 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in +ehash table") reversed the order in how a socket is inserted into ehash +to fix an issue that ehash-lookup could fail when reqsk/full sk/twsk are +swapped. However, it introduced another lookup failure. + +The full socket in ehash is allocated from a slab with SLAB_TYPESAFE_BY_RCU +and does not have SOCK_RCU_FREE, so the socket could be reused even while +it is being referenced on another CPU doing RCU lookup. + +Let's say a socket is reused and inserted into the same hash bucket during +lookup. After the blamed commit, a new socket is inserted at the end of +the list. If that happens, we will skip sockets placed after the previous +position of the reused socket, resulting in ehash lookup failure. + +As described in Documentation/RCU/rculist_nulls.rst, we should insert a +new socket at the head of the list to avoid such an issue. + +This issue, the swap-lookup-failure, and another variant reported in [0] +can all be handled properly by adding a locked ehash lookup suggested by +Eric Dumazet [1]. + +However, this issue could occur for every packet, thus more likely than +the other two races, so let's revert the change for now. 
+ +Link: https://lore.kernel.org/netdev/20230606064306.9192-1-duanmuquan@baidu.com/ [0] +Link: https://lore.kernel.org/netdev/CANn89iK8snOz8TYOhhwfimC7ykYA78GA3Nyv8x06SZYa1nKdyA@mail.gmail.com/ [1] +Fixes: 3f4ca5fafc08 ("tcp: avoid the lookup process failing to get sk in ehash table") +Signed-off-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/r/20230717215918.15723-1-kuniyu@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 17 ++--------------- + net/ipv4/inet_timewait_sock.c | 8 ++++---- + 2 files changed, 6 insertions(+), 19 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index e7391bf310a75..0819d6001b9ab 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -650,20 +650,8 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + spin_lock(lock); + if (osk) { + WARN_ON_ONCE(sk->sk_hash != osk->sk_hash); +- ret = sk_hashed(osk); +- if (ret) { +- /* Before deleting the node, we insert a new one to make +- * sure that the look-up-sk process would not miss either +- * of them and that at least one node would exist in ehash +- * table all the time. Otherwise there's a tiny chance +- * that lookup process could find nothing in ehash table. 
+- */ +- __sk_nulls_add_node_tail_rcu(sk, list); +- sk_nulls_del_node_init_rcu(osk); +- } +- goto unlock; +- } +- if (found_dup_sk) { ++ ret = sk_nulls_del_node_init_rcu(osk); ++ } else if (found_dup_sk) { + *found_dup_sk = inet_ehash_lookup_by_sk(sk, list); + if (*found_dup_sk) + ret = false; +@@ -672,7 +660,6 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + if (ret) + __sk_nulls_add_node_rcu(sk, list); + +-unlock: + spin_unlock(lock); + + return ret; +diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c +index 40052414c7c71..2c1b245dba8e8 100644 +--- a/net/ipv4/inet_timewait_sock.c ++++ b/net/ipv4/inet_timewait_sock.c +@@ -88,10 +88,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw) + } + EXPORT_SYMBOL_GPL(inet_twsk_put); + +-static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw, +- struct hlist_nulls_head *list) ++static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw, ++ struct hlist_nulls_head *list) + { +- hlist_nulls_add_tail_rcu(&tw->tw_node, list); ++ hlist_nulls_add_head_rcu(&tw->tw_node, list); + } + + static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw, +@@ -144,7 +144,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk, + + spin_lock(lock); + +- inet_twsk_add_node_tail_rcu(tw, &ehead->chain); ++ inet_twsk_add_node_rcu(tw, &ehead->chain); + + /* Step 3: Remove SK from hash chain */ + if (__sk_nulls_del_node_init_rcu(sk)) +-- +2.39.2 + diff --git a/tmp-6.4/s390-zcrypt-fix-reply-buffer-calculations-for-cca-replies.patch b/tmp-6.4/s390-zcrypt-fix-reply-buffer-calculations-for-cca-replies.patch new file mode 100644 index 00000000000..fd5360b6832 --- /dev/null +++ b/tmp-6.4/s390-zcrypt-fix-reply-buffer-calculations-for-cca-replies.patch 
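Review bot: Nothing in the restored code records why insertion must be at the head of the chain, so `inet_twsk_add_node_rcu()` and the `__sk_nulls_add_node_rcu(sk, list)` call in `inet_ehash_insert()` could be switched back to tail insertion by a later cleanup. The commit message has the reasoning (a socket from a SLAB_TYPESAFE_BY_RCU slab can be reused during an RCU lookup, see Documentation/RCU/rculist_nulls.rst) and also says the original swap race stays open until a locked ehash lookup is added. I would put a comment above `hlist_nulls_add_head_rcu(&tw->tw_node, list);` such as `/* Must add at head: a reused SLAB_TYPESAFE_BY_RCU socket added at the tail makes lockless lookups skip entries (rculist_nulls.rst). */`. A short note at the `osk` branch that delete-before-insert leaves a window in which a lookup finds neither socket would also help. Both functions start outside their hunks.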
@@ -0,0 +1,93 @@
+From 4cfca532ddc3474b3fc42592d0e4237544344b1a Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger
+Date: Mon, 17 Jul 2023 16:55:29 +0200
+Subject: s390/zcrypt: fix reply buffer calculations for CCA replies
+
+From: Harald Freudenberger
+
+commit 4cfca532ddc3474b3fc42592d0e4237544344b1a upstream.
+
+The length information for available buffer space for CCA
+replies is covered with two fields in the T6 header prepended
+on each CCA reply: fromcardlen1 and fromcardlen2. The sum of
+these both values must not exceed the AP bus limit for this
+card (24KB for CEX8, 12KB CEX7 and older) minus the always
+present headers.
+
+The current code adjusted the fromcardlen2 value in case
+of exceeding the AP bus limit when there was a non-zero
+value given from userspace. Some tests now showed that this
+was the wrong assumption. Instead the userspace value given for
+this field should always be trusted and if the sum of the
+two fields exceeds the AP bus limit for this card the first
+field fromcardlen1 should be adjusted instead.
+
+So now the calculation is done with this new insight in mind.
+Also some additional checks for overflow have been introduced
+and some comments to provide some documentation for future
+maintainers of this complicated calculation code.
+
+Furthermore the 128 bytes of fix overhead which is used
+in the current code is not correct. Investigations showed
+that for a reply always the same two header structs are
+prepended before a possible payload. So this is also fixed
+with this patch.
+
+Signed-off-by: Harald Freudenberger
+Reviewed-by: Holger Dengler
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/crypto/zcrypt_msgtype6.c | 33 +++++++++++++++++++++++----------
+ 1 file changed, 23 insertions(+), 10 deletions(-)
+
+--- a/drivers/s390/crypto/zcrypt_msgtype6.c
++++ b/drivers/s390/crypto/zcrypt_msgtype6.c
+@@ -1111,23 +1111,36 @@ static long zcrypt_msgtype6_send_cprb(bo
+ struct ica_xcRB *xcrb,
+ struct ap_message *ap_msg)
+ {
+- int rc;
+ struct response_type *rtype = ap_msg->private;
+ struct {
+ struct type6_hdr hdr;
+ struct CPRBX cprbx;
+ /* ... more data blocks ... */
+ } __packed * msg = ap_msg->msg;
++ unsigned int max_payload_size;
++ int rc, delta;
+
+- /*
+- * Set the queue's reply buffer length minus 128 byte padding
+- * as reply limit for the card firmware.
+- */
+- msg->hdr.fromcardlen1 = min_t(unsigned int, msg->hdr.fromcardlen1,
+- zq->reply.bufsize - 128);
+- if (msg->hdr.fromcardlen2)
+- msg->hdr.fromcardlen2 =
+- zq->reply.bufsize - msg->hdr.fromcardlen1 - 128;
++ /* calculate maximum payload for this card and msg type */
++ max_payload_size = zq->reply.bufsize - sizeof(struct type86_fmt2_msg);
++
++ /* limit each of the two from fields to the maximum payload size */
++ msg->hdr.fromcardlen1 = min(msg->hdr.fromcardlen1, max_payload_size);
++ msg->hdr.fromcardlen2 = min(msg->hdr.fromcardlen2, max_payload_size);
++
++ /* calculate delta if the sum of both exceeds max payload size */
++ delta = msg->hdr.fromcardlen1 + msg->hdr.fromcardlen2
++ - max_payload_size;
++ if (delta > 0) {
++ /*
++ * Sum exceeds maximum payload size, prune fromcardlen1
++ * (always trust fromcardlen2)
++ */
++ if (delta > msg->hdr.fromcardlen1) {
++ rc = -EINVAL;
++ goto out;
++ }
++ msg->hdr.fromcardlen1 -= delta;
++ }
+
+ init_completion(&rtype->work);
+ rc = ap_queue_message(zq->queue, ap_msg);
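Review bot: The `-EINVAL` branch in the new length calculation of `zcrypt_msgtype6_send_cprb()` looks unreachable, and `delta` mixes signed and unsigned arithmetic on lengths that the commit message says come from userspace. Once both fields are clamped with `min(..., max_payload_size)`, `fromcardlen1 + fromcardlen2 - max_payload_size` can never exceed `fromcardlen1`, so `if (delta > msg->hdr.fromcardlen1)` cannot fire; the sum is presumably computed as `unsigned int` (the field types are not visible here) and then converted to `int`, which is correct only through wrap-around. Staying unsigned reads more directly: `if (msg->hdr.fromcardlen1 + msg->hdr.fromcardlen2 > max_payload_size)` followed by `msg->hdr.fromcardlen1 = max_payload_size - msg->hdr.fromcardlen2;`. Separately, `zq->reply.bufsize - sizeof(struct type86_fmt2_msg)` has no visible lower-bound check, so a reply buffer smaller than that header would wrap `max_payload_size` and disable both clamps; a guard, or a comment stating why that cannot happen, would help. The function continues outside the hunk.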
diff --git a/tmp-6.4/sched-fair-don-t-balance-task-to-its-current-running.patch b/tmp-6.4/sched-fair-don-t-balance-task-to-its-current-running.patch
new file mode 100644
index 00000000000..c3d56f7147f
--- /dev/null
+++ b/tmp-6.4/sched-fair-don-t-balance-task-to-its-current-running.patch
@@ -0,0 +1,96 @@ +From 498906b1791b700260f1db996d22a4934185a8f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 May 2023 16:25:07 +0800 +Subject: sched/fair: Don't balance task to its current running CPU + +From: Yicong Yang + +[ Upstream commit 0dd37d6dd33a9c23351e6115ae8cdac7863bc7de ] + +We've run into the case that the balancer tries to balance a migration +disabled task and trigger the warning in set_task_cpu() like below: + + ------------[ cut here ]------------ + WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240 + Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip> + CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1 + Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021 + pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : set_task_cpu+0x188/0x240 + lr : load_balance+0x5d0/0xc60 + sp : ffff80000803bc70 + x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040 + x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001 + x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78 + x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000 + x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000 + x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530 + x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e + x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a + x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001 + Call trace: + set_task_cpu+0x188/0x240 + load_balance+0x5d0/0xc60 + rebalance_domains+0x26c/0x380 + _nohz_idle_balance.isra.0+0x1e0/0x370 + run_rebalance_domains+0x6c/0x80 + __do_softirq+0x128/0x3d8 + ____do_softirq+0x18/0x24 + call_on_irq_stack+0x2c/0x38 + do_softirq_own_stack+0x24/0x3c + __irq_exit_rcu+0xcc/0xf4 + irq_exit_rcu+0x18/0x24 + 
el1_interrupt+0x4c/0xe4 + el1h_64_irq_handler+0x18/0x2c + el1h_64_irq+0x74/0x78 + arch_cpu_idle+0x18/0x4c + default_idle_call+0x58/0x194 + do_idle+0x244/0x2b0 + cpu_startup_entry+0x30/0x3c + secondary_start_kernel+0x14c/0x190 + __secondary_switched+0xb0/0xb4 + ---[ end trace 0000000000000000 ]--- + +Further investigation shows that the warning is superfluous, the migration +disabled task is just going to be migrated to its current running CPU. +This is because that on load balance if the dst_cpu is not allowed by the +task, we'll re-select a new_dst_cpu as a candidate. If no task can be +balanced to dst_cpu we'll try to balance the task to the new_dst_cpu +instead. In this case when the migration disabled task is not on CPU it +only allows to run on its current CPU, load balance will select its +current CPU as new_dst_cpu and later triggers the warning above. + +The new_dst_cpu is chosen from the env->dst_grpmask. Currently it +contains CPUs in sched_group_span() and if we have overlapped groups it's +possible to run into this case. This patch makes env->dst_grpmask of +group_balance_mask() which exclude any CPUs from the busiest group and +solve the issue. For balancing in a domain with no overlapped groups +the behaviour keeps same as before. 
+ +Suggested-by: Vincent Guittot +Signed-off-by: Yicong Yang +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Vincent Guittot +Link: https://lore.kernel.org/r/20230530082507.10444-1-yangyicong@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 4da5f35417626..e427056b440bb 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -10762,7 +10762,7 @@ static int load_balance(int this_cpu, struct rq *this_rq, + .sd = sd, + .dst_cpu = this_cpu, + .dst_rq = this_rq, +- .dst_grpmask = sched_group_span(sd->groups), ++ .dst_grpmask = group_balance_mask(sd->groups), + .idle = idle, + .loop_break = SCHED_NR_MIGRATE_BREAK, + .cpus = cpus, +-- +2.39.2 + diff --git a/tmp-6.4/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch b/tmp-6.4/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch new file mode 100644 index 00000000000..12a4c0ab560 --- /dev/null +++ b/tmp-6.4/sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch 
@@ -0,0 +1,41 @@
+From eb7afb14a34b80e0302a1d23d86f4850e5a83b66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Jun 2023 16:07:47 +0800
+Subject: sched/fair: Use recent_used_cpu to test p->cpus_ptr
+
+From: Miaohe Lin
+
+[ Upstream commit ae2ad293d6be143ad223f5f947cca07bcbe42595 ]
+
+When checking whether a recently used CPU can be a potential idle
+candidate, recent_used_cpu should be used to test p->cpus_ptr as
+p->recent_used_cpu is not equal to recent_used_cpu and candidate
+decision is made based on recent_used_cpu here.
+
+Fixes: 89aafd67f28c ("sched/fair: Use prev instead of new target as recent_used_cpu")
+Signed-off-by: Miaohe Lin
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Phil Auld
+Acked-by: Mel Gorman
+Link: https://lore.kernel.org/r/20230620080747.359122-1-linmiaohe@huawei.com
+Signed-off-by: Sasha Levin
+---
+ kernel/sched/fair.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index e427056b440bb..dacb56d7e9147 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -7174,7 +7174,7 @@ static int select_idle_sibling(struct task_struct *p, int prev, int target)
+ recent_used_cpu != target &&
+ cpus_share_cache(recent_used_cpu, target) &&
+ (available_idle_cpu(recent_used_cpu) || sched_idle_cpu(recent_used_cpu)) &&
+- cpumask_test_cpu(p->recent_used_cpu, p->cpus_ptr) &&
++ cpumask_test_cpu(recent_used_cpu, p->cpus_ptr) &&
+ asym_fits_cpu(task_util, util_min, util_max, recent_used_cpu)) {
+ return recent_used_cpu;
+ }
+--
+2.39.2
+
diff --git a/tmp-6.4/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch b/tmp-6.4/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch
new file mode 100644
index 00000000000..34898dfaba7
--- /dev/null
+++ b/tmp-6.4/sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch
@@ -0,0 +1,176 @@ +From 56dc7c53b82c1b75affc5981051b3679cdfd065f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jun 2023 17:56:12 -0700 +Subject: sched/psi: use kernfs polling functions for PSI trigger polling + +From: Suren Baghdasaryan + +[ Upstream commit aff037078ecaecf34a7c2afab1341815f90fba5e ] + +Destroying psi trigger in cgroup_file_release causes UAF issues when +a cgroup is removed from under a polling process. This is happening +because cgroup removal causes a call to cgroup_file_release while the +actual file is still alive. Destroying the trigger at this point would +also destroy its waitqueue head and if there is still a polling process +on that file accessing the waitqueue, it will step on the freed pointer: + +do_select + vfs_poll + do_rmdir + cgroup_rmdir + kernfs_drain_open_files + cgroup_file_release + cgroup_pressure_release + psi_trigger_destroy + wake_up_pollfree(&t->event_wait) +// vfs_poll is unblocked + synchronize_rcu + kfree(t) + poll_freewait -> UAF access to the trigger's waitqueue head + +Patch [1] fixed this issue for epoll() case using wake_up_pollfree(), +however the same issue exists for synchronous poll() case. +The root cause of this issue is that the lifecycles of the psi trigger's +waitqueue and of the file associated with the trigger are different. Fix +this by using kernfs_generic_poll function when polling on cgroup-specific +psi triggers. It internally uses kernfs_open_node->poll waitqueue head +with its lifecycle tied to the file's lifecycle. This also renders the +fix in [1] obsolete, so revert it. 
+ +[1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()") + +Fixes: 0e94682b73bf ("psi: introduce psi monitor") +Closes: https://lore.kernel.org/all/20230613062306.101831-1-lujialin4@huawei.com/ +Reported-by: Lu Jialin +Signed-off-by: Suren Baghdasaryan +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20230630005612.1014540-1-surenb@google.com +Signed-off-by: Sasha Levin +--- + include/linux/psi.h | 5 +++-- + include/linux/psi_types.h | 3 +++ + kernel/cgroup/cgroup.c | 2 +- + kernel/sched/psi.c | 29 +++++++++++++++++++++-------- + 4 files changed, 28 insertions(+), 11 deletions(-) + +diff --git a/include/linux/psi.h b/include/linux/psi.h +index ab26200c28033..e0745873e3f26 100644 +--- a/include/linux/psi.h ++++ b/include/linux/psi.h +@@ -23,8 +23,9 @@ void psi_memstall_enter(unsigned long *flags); + void psi_memstall_leave(unsigned long *flags); + + int psi_show(struct seq_file *s, struct psi_group *group, enum psi_res res); +-struct psi_trigger *psi_trigger_create(struct psi_group *group, +- char *buf, enum psi_res res, struct file *file); ++struct psi_trigger *psi_trigger_create(struct psi_group *group, char *buf, ++ enum psi_res res, struct file *file, ++ struct kernfs_open_file *of); + void psi_trigger_destroy(struct psi_trigger *t); + + __poll_t psi_trigger_poll(void **trigger_ptr, struct file *file, +diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h +index 040c089581c6c..f1fd3a8044e0e 100644 +--- a/include/linux/psi_types.h ++++ b/include/linux/psi_types.h +@@ -137,6 +137,9 @@ struct psi_trigger { + /* Wait queue for polling */ + wait_queue_head_t event_wait; + ++ /* Kernfs file for cgroup triggers */ ++ struct kernfs_open_file *of; ++ + /* Pending event flag */ + int event; + +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 4d42f0cbc11ea..3299ec69ce0d1 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -3785,7 +3785,7 @@ static ssize_t 
pressure_write(struct kernfs_open_file *of, char *buf, + } + + psi = cgroup_psi(cgrp); +- new = psi_trigger_create(psi, buf, res, of->file); ++ new = psi_trigger_create(psi, buf, res, of->file, of); + if (IS_ERR(new)) { + cgroup_put(cgrp); + return PTR_ERR(new); +diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c +index e072f6b31bf30..80d8c10e93638 100644 +--- a/kernel/sched/psi.c ++++ b/kernel/sched/psi.c +@@ -494,8 +494,12 @@ static u64 update_triggers(struct psi_group *group, u64 now, bool *update_total, + continue; + + /* Generate an event */ +- if (cmpxchg(&t->event, 0, 1) == 0) +- wake_up_interruptible(&t->event_wait); ++ if (cmpxchg(&t->event, 0, 1) == 0) { ++ if (t->of) ++ kernfs_notify(t->of->kn); ++ else ++ wake_up_interruptible(&t->event_wait); ++ } + t->last_event_time = now; + /* Reset threshold breach flag once event got generated */ + t->pending_event = false; +@@ -1272,8 +1276,9 @@ int psi_show(struct seq_file *m, struct psi_group *group, enum psi_res res) + return 0; + } + +-struct psi_trigger *psi_trigger_create(struct psi_group *group, +- char *buf, enum psi_res res, struct file *file) ++struct psi_trigger *psi_trigger_create(struct psi_group *group, char *buf, ++ enum psi_res res, struct file *file, ++ struct kernfs_open_file *of) + { + struct psi_trigger *t; + enum psi_states state; +@@ -1333,7 +1338,9 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group, + + t->event = 0; + t->last_event_time = 0; +- init_waitqueue_head(&t->event_wait); ++ t->of = of; ++ if (!of) ++ init_waitqueue_head(&t->event_wait); + t->pending_event = false; + t->aggregator = privileged ? PSI_POLL : PSI_AVGS; + +@@ -1390,7 +1397,10 @@ void psi_trigger_destroy(struct psi_trigger *t) + * being accessed later. Can happen if cgroup is deleted from under a + * polling process. 
+ */ +- wake_up_pollfree(&t->event_wait); ++ if (t->of) ++ kernfs_notify(t->of->kn); ++ else ++ wake_up_interruptible(&t->event_wait); + + if (t->aggregator == PSI_AVGS) { + mutex_lock(&group->avgs_lock); +@@ -1462,7 +1472,10 @@ __poll_t psi_trigger_poll(void **trigger_ptr, + if (!t) + return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI; + +- poll_wait(file, &t->event_wait, wait); ++ if (t->of) ++ kernfs_generic_poll(t->of, wait); ++ else ++ poll_wait(file, &t->event_wait, wait); + + if (cmpxchg(&t->event, 1, 0) == 1) + ret |= EPOLLPRI; +@@ -1532,7 +1545,7 @@ static ssize_t psi_write(struct file *file, const char __user *user_buf, + return -EBUSY; + } + +- new = psi_trigger_create(&psi_system, buf, res, file); ++ new = psi_trigger_create(&psi_system, buf, res, file, NULL); + if (IS_ERR(new)) { + mutex_unlock(&seq->lock); + return PTR_ERR(new); +-- +2.39.2 + diff --git a/tmp-6.4/scsi-sg-don-t-grab-scsi-host-module-reference.patch b/tmp-6.4/scsi-sg-don-t-grab-scsi-host-module-reference.patch new file mode 100644 index 00000000000..c0f5e846269 --- /dev/null +++ b/tmp-6.4/scsi-sg-don-t-grab-scsi-host-module-reference.patch 
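Review bot: For cgroup triggers `t->event_wait` is never initialised (`if (!of) init_waitqueue_head(&t->event_wait);` in `psi_trigger_create()`), and that invariant is documented nowhere: the field comment in `struct psi_trigger` still reads `/* Wait queue for polling */`. Every user has to test `t->of` first, as the three call sites in this patch do, and a later caller that forgets would operate on an uninitialised wait-queue head. I would change the field comments to say so, e.g. `/* Wait queue for polling; initialised and used only when of == NULL */` and `/* Kernfs file for cgroup triggers; NULL for system-wide triggers */`. The comment block above the wake-up in `psi_trigger_destroy()` starts outside the hunk, but its visible tail still describes the pollfree case that this patch reverts, so it probably needs rewording too. It would also help to state next to `t->of` what keeps the `kernfs_open_file` alive while `update_triggers()` calls `kernfs_notify(t->of->kn)`; the visible lines do not show it.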
@@ -0,0 +1,69 @@ +From fcaa174a9c995cf0af3967e55644a1543ea07e36 Mon Sep 17 00:00:00 2001 +From: Yu Kuai +Date: Thu, 22 Jun 2023 00:01:11 +0800 +Subject: scsi/sg: don't grab scsi host module reference + +From: Yu Kuai + +commit fcaa174a9c995cf0af3967e55644a1543ea07e36 upstream. + +In order to prevent request_queue to be freed before cleaning up +blktrace debugfs entries, commit db59133e9279 ("scsi: sg: fix blktrace +debugfs entries leakage") use scsi_device_get(), however, +scsi_device_get() will also grab scsi module reference and scsi module +can't be removed. + +It's reported that blktests can't unload scsi_debug after block/001: + +blktests (master) # ./check block +block/001 (stress device hotplugging) [failed] + +++ /root/blktests/results/nodev/block/001.out.bad 2023-06-19 + Running block/001 + Stressing sd + +modprobe: FATAL: Module scsi_debug is in use. + +Fix this problem by grabbing request_queue reference directly, so that +scsi host module can still be unloaded while request_queue will be +pinged by sg device. 
+ +Reported-by: Chaitanya Kulkarni +Link: https://lore.kernel.org/all/1760da91-876d-fc9c-ab51-999a6f66ad50@nvidia.com/ +Fixes: db59133e9279 ("scsi: sg: fix blktrace debugfs entries leakage") +Signed-off-by: Yu Kuai +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20230621160111.1433521-1-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sg.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -1496,7 +1496,7 @@ sg_add_device(struct device *cl_dev) + int error; + unsigned long iflags; + +- error = scsi_device_get(scsidp); ++ error = blk_get_queue(scsidp->request_queue); + if (error) + return error; + +@@ -1557,7 +1557,7 @@ cdev_add_err: + out: + if (cdev) + cdev_del(cdev); +- scsi_device_put(scsidp); ++ blk_put_queue(scsidp->request_queue); + return error; + } + +@@ -1574,7 +1574,7 @@ sg_device_destroy(struct kref *kref) + */ + + blk_trace_remove(q); +- scsi_device_put(sdp->device); ++ blk_put_queue(q); + + write_lock_irqsave(&sg_index_lock, flags); + idr_remove(&sg_index_idr, sdp->index); diff --git a/tmp-6.4/scsi-sg-fix-blktrace-debugfs-entries-leakage.patch b/tmp-6.4/scsi-sg-fix-blktrace-debugfs-entries-leakage.patch new file mode 100644 index 00000000000..e9fb8ddc8c6 --- /dev/null +++ b/tmp-6.4/scsi-sg-fix-blktrace-debugfs-entries-leakage.patch 
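Review bot: The new check in `sg_add_device()` treats the result of `blk_get_queue()` as an errno, but `blk_get_queue()` returns a bool that is true when the reference was taken. As written, `error = blk_get_queue(scsidp->request_queue); if (error) return error;` returns 1 on every successful get, leaving the reference held and the sg device unregistered. On failure (a dying queue) it carries on without a reference, so the later `blk_put_queue()` calls at `out:` and in `sg_device_destroy()` would drop a reference that was never taken. The check should be inverted and return a real error code: `if (!blk_get_queue(scsidp->request_queue)) return -ENODEV;`. All three functions extend outside their hunks.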
@@ -0,0 +1,77 @@ +From 16176e2729a460f26254bf143981355bcb83b0a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Jun 2023 10:20:02 +0800 +Subject: scsi: sg: fix blktrace debugfs entries leakage + +From: Yu Kuai + +[ Upstream commit db59133e927916d8a25ee1fd8264f2808040909d ] + +sg_ioctl() support to enable blktrace, which will create debugfs entries +"/sys/kernel/debug/block/sgx/", however, there is no guarantee that user +will remove these entries through ioctl, and deleting sg device doesn't +cleanup these blktrace entries. + +This problem can be fixed by cleanup blktrace while releasing +request_queue, however, it's not a good idea to do this special handling +in common layer just for sg device. + +Fix this problem by shutdown bltkrace in sg_device_destroy(), where the +device is deleted and all the users close the device, also grab a +scsi_device reference from sg_add_device() to prevent scsi_device to be +freed before sg_device_destroy(); + +Signed-off-by: Yu Kuai +Reviewed-by: Christoph Hellwig +Reviewed-by: Martin K. 
Petersen +Link: https://lore.kernel.org/r/20230610022003.2557284-3-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/scsi/sg.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index 037f8c98a6d36..0adfbd77437f3 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -1496,6 +1496,10 @@ sg_add_device(struct device *cl_dev) + int error; + unsigned long iflags; + ++ error = scsi_device_get(scsidp); ++ if (error) ++ return error; ++ + error = -ENOMEM; + cdev = cdev_alloc(); + if (!cdev) { +@@ -1553,6 +1557,7 @@ sg_add_device(struct device *cl_dev) + out: + if (cdev) + cdev_del(cdev); ++ scsi_device_put(scsidp); + return error; + } + +@@ -1560,6 +1565,7 @@ static void + sg_device_destroy(struct kref *kref) + { + struct sg_device *sdp = container_of(kref, struct sg_device, d_ref); ++ struct request_queue *q = sdp->device->request_queue; + unsigned long flags; + + /* CAUTION! Note that the device can still be found via idr_find() +@@ -1567,6 +1573,9 @@ sg_device_destroy(struct kref *kref) + * any other cleanup. + */ + ++ blk_trace_remove(q); ++ scsi_device_put(sdp->device); ++ + write_lock_irqsave(&sg_index_lock, flags); + idr_remove(&sg_index_idr, sdp->index); + write_unlock_irqrestore(&sg_index_lock, flags); +-- +2.39.2 + diff --git a/tmp-6.4/security-keys-modify-mismatched-function-name.patch b/tmp-6.4/security-keys-modify-mismatched-function-name.patch new file mode 100644 index 00000000000..ff9e657682b --- /dev/null +++ b/tmp-6.4/security-keys-modify-mismatched-function-name.patch 
@@ -0,0 +1,40 @@
+From 21805edfcc8da6e82b94128693f355e1e10cef54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jun 2023 10:18:25 +0800
+Subject: security: keys: Modify mismatched function name
+
+From: Jiapeng Chong
+
+[ Upstream commit 2a4152742025c5f21482e8cebc581702a0fa5b01 ]
+
+No functional modification involved.
+
+security/keys/trusted-keys/trusted_tpm2.c:203: warning: expecting prototype for tpm_buf_append_auth(). Prototype was for tpm2_buf_append_auth() instead.
+
+Fixes: 2e19e10131a0 ("KEYS: trusted: Move TPM2 trusted keys code")
+Reported-by: Abaci Robot
+Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=5524
+Signed-off-by: Jiapeng Chong
+Reviewed-by: Paul Moore
+Signed-off-by: Jarkko Sakkinen
+Signed-off-by: Sasha Levin
+---
+ security/keys/trusted-keys/trusted_tpm2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c
+index 2b2c8eb258d5b..bc700f85f80be 100644
+--- a/security/keys/trusted-keys/trusted_tpm2.c
++++ b/security/keys/trusted-keys/trusted_tpm2.c
+@@ -186,7 +186,7 @@ int tpm2_key_priv(void *context, size_t hdrlen,
+ }
+
+ /**
+- * tpm_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer.
++ * tpm2_buf_append_auth() - append TPMS_AUTH_COMMAND to the buffer.
+ *
+ * @buf: an allocated tpm_buf instance
+ * @session_handle: session handle
+--
+2.39.2
+
diff --git a/tmp-6.4/selftests-mm-mkdirty-fix-incorrect-position-of-endif.patch b/tmp-6.4/selftests-mm-mkdirty-fix-incorrect-position-of-endif.patch
new file mode 100644
index 00000000000..bdaf788d1de
--- /dev/null
+++ b/tmp-6.4/selftests-mm-mkdirty-fix-incorrect-position-of-endif.patch
@@ -0,0 +1,37 @@
+From 25b5949c30938c7f26dbadc948b491e0e0811c78 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Wed, 12 Jul 2023 14:46:48 +0100
+Subject: selftests/mm: mkdirty: fix incorrect position of #endif
+
+From: Colin Ian King
+
+commit 25b5949c30938c7f26dbadc948b491e0e0811c78 upstream.
+
+The #endif is the wrong side of a } causing a build failure when
+__NR_userfaultfd is not defined. Fix this by moving the #end to enclose
+the }
+
+Link: https://lkml.kernel.org/r/20230712134648.456349-1-colin.i.king@gmail.com
+Fixes: 9eac40fc0cc7 ("selftests/mm: mkdirty: test behavior of (pte|pmd)_mkdirty on VMAs without write permissions")
+Signed-off-by: Colin Ian King
+Reviewed-by: David Hildenbrand
+Cc: Shuah Khan
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/mm/mkdirty.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/mm/mkdirty.c
++++ b/tools/testing/selftests/mm/mkdirty.c
+@@ -321,8 +321,8 @@ close_uffd:
+ munmap:
+ munmap(dst, pagesize);
+ free(src);
+-#endif /* __NR_userfaultfd */
+ }
++#endif /* __NR_userfaultfd */
+
+ int main(void)
+ {
diff --git a/tmp-6.4/selftests-tc-add-conntrack-procfs-kconfig.patch b/tmp-6.4/selftests-tc-add-conntrack-procfs-kconfig.patch
new file mode 100644
index 00000000000..cdab180886e
--- /dev/null
+++ b/tmp-6.4/selftests-tc-add-conntrack-procfs-kconfig.patch
@@ -0,0 +1,42 @@
+From 031c99e71fedcce93b6785d38b7d287bf59e3952 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts
+Date: Thu, 13 Jul 2023 23:16:46 +0200
+Subject: selftests: tc: add ConnTrack procfs kconfig
+
+From: Matthieu Baerts
+
+commit 031c99e71fedcce93b6785d38b7d287bf59e3952 upstream.
+
+When looking at the TC selftest reports, I noticed one test was failing
+because /proc/net/nf_conntrack was not available.
+
+ not ok 373 3992 - Add ct action triggering DNAT tuple conflict
+ Could not match regex pattern. Verify command output:
+ cat: /proc/net/nf_conntrack: No such file or directory
+
+It is only available if NF_CONNTRACK_PROCFS kconfig is set. So the issue
+can be fixed simply by adding it to the list of required kconfig.
+
+Fixes: e46905641316 ("tc-testing: add test for ct DNAT tuple collision")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [1]
+Signed-off-by: Matthieu Baerts
+Tested-by: Zhengchao Shao
+Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-3-1eb4fd3a96e7@tessares.net
+Acked-by: Jamal Hadi Salim
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/tc-testing/config | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/tc-testing/config
++++ b/tools/testing/selftests/tc-testing/config
+@@ -5,6 +5,7 @@ CONFIG_NF_CONNTRACK=m
+ CONFIG_NF_CONNTRACK_MARK=y
+ CONFIG_NF_CONNTRACK_ZONES=y
+ CONFIG_NF_CONNTRACK_LABELS=y
++CONFIG_NF_CONNTRACK_PROCFS=y
+ CONFIG_NF_FLOW_TABLE=m
+ CONFIG_NF_NAT=m
+ CONFIG_NETFILTER_XT_TARGET_LOG=m
diff --git a/tmp-6.4/selftests-tc-add-ct-action-kconfig-dep.patch b/tmp-6.4/selftests-tc-add-ct-action-kconfig-dep.patch
new file mode 100644
index 00000000000..07859eec8d1
--- /dev/null
+++ b/tmp-6.4/selftests-tc-add-ct-action-kconfig-dep.patch
@@ -0,0 +1,43 @@
+From 719b4774a8cb1a501e2d22a5a4a3a0a870e427d5 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts
+Date: Thu, 13 Jul 2023 23:16:45 +0200
+Subject: selftests: tc: add 'ct' action kconfig dep
+
+From: Matthieu Baerts
+
+commit 719b4774a8cb1a501e2d22a5a4a3a0a870e427d5 upstream.
+
+When looking for something else in LKFT reports [1], I noticed most of
+the tests were skipped because the "teardown stage" did not complete
+successfully.
+
+Pedro found out this is due to the fact CONFIG_NF_FLOW_TABLE is required
+but not listed in the 'config' file. Adding it to the list fixes the
+issues on LKFT side. CONFIG_NET_ACT_CT is now set to 'm' in the final
+kconfig.
+
+Fixes: c34b961a2492 ("net/sched: act_ct: Create nf flow table per zone")
+Cc: stable@vger.kernel.org
+Link: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230711/testrun/18267241/suite/kselftest-tc-testing/test/tc-testing_tdc_sh/log [1]
+Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [2]
+Suggested-by: Pedro Tammela
+Signed-off-by: Matthieu Baerts
+Tested-by: Zhengchao Shao
+Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-2-1eb4fd3a96e7@tessares.net
+Acked-by: Jamal Hadi Salim
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/tc-testing/config | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/tc-testing/config
++++ b/tools/testing/selftests/tc-testing/config
+@@ -5,6 +5,7 @@ CONFIG_NF_CONNTRACK=m
+ CONFIG_NF_CONNTRACK_MARK=y
+ CONFIG_NF_CONNTRACK_ZONES=y
+ CONFIG_NF_CONNTRACK_LABELS=y
++CONFIG_NF_FLOW_TABLE=m
+ CONFIG_NF_NAT=m
+ CONFIG_NETFILTER_XT_TARGET_LOG=m
+
diff --git a/tmp-6.4/selftests-tc-set-timeout-to-15-minutes.patch b/tmp-6.4/selftests-tc-set-timeout-to-15-minutes.patch
new file mode 100644
index 00000000000..ea00bbfff7d
--- /dev/null
+++ b/tmp-6.4/selftests-tc-set-timeout-to-15-minutes.patch
@@ -0,0 +1,43 @@
+From fda05798c22a354efde09a76bdfc276b2d591829 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts
+Date: Thu, 13 Jul 2023 23:16:44 +0200
+Subject: selftests: tc: set timeout to 15 minutes
+
+From: Matthieu Baerts
+
+commit fda05798c22a354efde09a76bdfc276b2d591829 upstream.
+
+When looking for something else in LKFT reports [1], I noticed that the
+TC selftest ended with a timeout error:
+
+ not ok 1 selftests: tc-testing: tdc.sh # TIMEOUT 45 seconds
+
+The timeout had been introduced 3 years ago, see the Fixes commit below.
+
+This timeout is only in place when executing the selftests via the
+kselftests runner scripts. I guess this is not what most TC devs are
+using and nobody noticed the issue before.
+
+The new timeout is set to 15 minutes as suggested by Pedro [2]. It looks
+like it is plenty more time than what it takes in "normal" conditions.
+
+Fixes: 852c8cbf34d3 ("selftests/kselftest/runner.sh: Add 45 second timeout per test")
+Cc: stable@vger.kernel.org
+Link: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20230711/testrun/18267241/suite/kselftest-tc-testing/test/tc-testing_tdc_sh/log [1]
+Link: https://lore.kernel.org/netdev/0e061d4a-9a23-9f58-3b35-d8919de332d7@tessares.net/T/ [2]
+Suggested-by: Pedro Tammela
+Signed-off-by: Matthieu Baerts
+Reviewed-by: Zhengchao Shao
+Link: https://lore.kernel.org/r/20230713-tc-selftests-lkft-v1-1-1eb4fd3a96e7@tessares.net
+Acked-by: Jamal Hadi Salim
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/tc-testing/settings | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 tools/testing/selftests/tc-testing/settings
+
+--- /dev/null
++++ b/tools/testing/selftests/tc-testing/settings
+@@ -0,0 +1 @@
++timeout=900
diff --git a/tmp-6.4/series b/tmp-6.4/series
new file mode 100644
index 00000000000..30521451c7f
--- /dev/null
+++ b/tmp-6.4/series
@@ -0,0 +1,227 @@
+io_uring-treat-eagain-for-req_f_nowait-as-final-for-io-wq.patch
+io_uring-fix-io_uring-mmap-by-using-architecture-provided-get_unmapped_area.patch
+alsa-hda-realtek-remove-3k-pull-low-procedure.patch
+alsa-hda-realtek-add-quirk-for-clevo-ns70au.patch
+alsa-hda-realtek-enable-mute-led-on-hp-laptop-15s-eq2xxx.patch
+maple_tree-set-the-node-limit-when-creating-a-new-root-node.patch
+mm-mlock-fix-vma-iterator-conversion-of-apply_vma_lock_flags.patch
+maple_tree-fix-node-allocation-testing-on-32-bit.patch
+selftests-mm-mkdirty-fix-incorrect-position-of-endif.patch
+keys-fix-linking-a-duplicate-key-to-a-keyring-s-assoc_array.patch
+prctl-move-pr_get_auxv-out-of-pr_mce_kill.patch
+perf-probe-add-test-for-regression-introduced-by-switch-to-die_get_decl_file.patch
+perf-probe-read-dwarf-files-from-the-correct-cu.patch
+btrfs-fix-iput-on-error-pointer-after-error-during-orphan-cleanup.patch
+btrfs-fix-warning-when-putting-transaction-with-qgroups-enabled-after-abort.patch
+fuse-revalidate-don-t-invalidate-if-interrupted.patch
+fuse-add-feature-flag-for-expire-only.patch
+fuse-apply-flags2-only-when-userspace-set-the-fuse_init_ext.patch
+btrfs-raid56-always-verify-the-p-q-contents-for-scrub.patch
+btrfs-set_page_extent_mapped-after-read_folio-in-btrfs_cont_expand.patch
+btrfs-fix-double-iput-on-inode-after-an-error-during-orphan-cleanup.patch
+btrfs-zoned-fix-memory-leak-after-finding-block-group-with-super-blocks.patch
+fuse-ioctl-translate-enosys-in-outarg.patch
+btrfs-fix-race-between-balance-and-cancel-pause.patch
+selftests-tc-set-timeout-to-15-minutes.patch
+accel-qaic-fix-a-leak-in-map_user_pages.patch
+selftests-tc-add-ct-action-kconfig-dep.patch
+regmap-drop-initial-version-of-maximum-transfer-length-fixes.patch
+s390-zcrypt-fix-reply-buffer-calculations-for-cca-replies.patch
+of-preserve-of-display-device-name-for-compatibility.patch
+regmap-account-for-register-length-in-smbus-i-o-limits.patch
+ia64-mmap-consider-pgoff-when-searching-for-free-mapping.patch
+arm64-fpsimd-ensure-sme-storage-is-allocated-after-sve-vl-changes.patch
+can-raw-fix-receiver-memory-leak.patch
+can-mcp251xfd-__mcp251xfd_chip_set_mode-increase-poll-timeout.patch
+can-bcm-fix-uaf-in-bcm_proc_show.patch
+can-gs_usb-gs_can_open-improve-error-handling.patch
+can-gs_usb-fix-time-stamp-counter-initialization.patch
+revert-r8169-disable-aspm-during-napi-poll.patch
+selftests-tc-add-conntrack-procfs-kconfig.patch
+accel-qaic-tighten-bounds-checking-in-encode_message.patch
+accel-qaic-tighten-bounds-checking-in-decode_message.patch
+accel-qaic-add-consistent-integer-overflow-checks.patch
+dma-buf-dma-resv-stop-leaking-on-krealloc-failure.patch
+drm-amdgpu-vkms-relax-timer-deactivation-by-hrtimer_try_to_cancel.patch
+drm-amdgpu-pm-make-gfxclock-consistent-for-sienna-cichlid.patch
+drm-amdgpu-pm-make-mclk-consistent-for-smu-13.0.7.patch
+drm-nouveau-disp-pior-dp-uses-gpio-for-hpd-not-pmgr-aux-interrupts.patch
+drm-nouveau-kms-nv50-init-hpd_irq_lock-for-pior-dp.patch
+drm-nouveau-i2c-fix-number-of-aux-event-slots.patch
+drm-client-fix-memory-leak-in-drm_client_target_cloned.patch
+drm-client-fix-memory-leak-in-drm_client_modeset_probe.patch
+drm-amd-display-only-accept-async-flips-for-fast-updates.patch
+drm-amd-display-disable-mpc-split-by-default-on-special-asic.patch
+drm-amd-display-check-tg-is-non-null-before-checking-if-enabled.patch
+drm-amd-display-keep-phy-active-for-dp-displays-on-dcn31.patch
+asoc-fsl_sai-disable-bit-clock-with-transmitter.patch
+asoc-fsl_sai-revert-asoc-fsl_sai-enable-mctl_mclk_en-bit-for-master-mode.patch
+asoc-tegra-fix-adx-byte-map.patch
+asoc-rt5640-fix-sleep-in-atomic-context.patch
+asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch
+asoc-codecs-wcd938x-fix-missing-clsh-ctrl-error-handling.patch
+asoc-cs35l45-select-regmap_irq.patch
+asoc-codecs-wcd-mbhc-v2-fix-resource-leaks-on-component-remove.patch
+asoc-qdsp6-audioreach-fix-topology-probe-deferral.patch
+asoc-tegra-fix-amx-byte-map.patch
+asoc-codecs-wcd938x-fix-resource-leaks-on-component-remove.patch
+asoc-codecs-wcd938x-fix-missing-mbhc-init-error-handling.patch
+asoc-codecs-wcd934x-fix-resource-leaks-on-component-remove.patch
+asoc-codecs-wcd938x-fix-codec-initialisation-race.patch
+asoc-codecs-wcd938x-fix-soundwire-initialisation-race.patch
+kvm-arm64-timers-use-cnthctl_el2-when-setting-non-cntkctl_el1-bits.patch
+kvm-arm64-correctly-handle-page-aging-notifiers-for-unaligned-memslot.patch
+kvm-arm64-disable-preemption-in-kvm_arch_hardware_enable.patch
+kvm-arm64-vgic-v4-make-the-doorbell-request-robust-w.r.t-preemption.patch
+ext4-correct-inline-offset-when-handling-xattrs-in-inode-body.patch
+drm-radeon-fix-integer-overflow-in-radeon_cs_parser_.patch
+alsa-emu10k1-roll-up-loops-in-dsp-setup-code-for-aud.patch
+quota-properly-disable-quotas-when-add_dquot_ref-fai.patch
+quota-fix-warning-in-dqgrab.patch
+hid-add-quirk-for-03f0-464a-hp-elite-presenter-mouse.patch
+ovl-check-type-and-offset-of-struct-vfsmount-in-ovl_.patch
+udf-fix-uninitialized-array-access-for-some-pathname.patch
+alsa-hda-realtek-add-quirks-for-rog-ally-cs35l41-aud.patch
+fs-jfs-fix-ubsan-array-index-out-of-bounds-in-dballo.patch
+mips-dec-prom-address-warray-bounds-warning.patch
+fs-jfs-fix-null-ptr-deref-read-in-txbegin.patch
+fs-jfs-check-for-read-only-mounted-filesystem-in-txb.patch
+md-fix-data-corruption-for-raid456-when-reshape-rest.patch
+md-raid10-prevent-soft-lockup-while-flush-writes.patch
+scsi-sg-fix-blktrace-debugfs-entries-leakage.patch
+blk-mq-fix-null-dereference-on-q-elevator-in-blk_mq_.patch
+posix-timers-ensure-timer-id-search-loop-limit-is-va.patch
+btrfs-add-xxhash-to-fast-checksum-implementations.patch
+btrfs-don-t-check-pageerror-in-__extent_writepage.patch
+btrfs-abort-transaction-at-update_ref_for_cow-when-r.patch
+erofs-fix-detection-of-atomic-context.patch
+acpi-x86-add-skip-i2c-clients-quirk-for-nextbook-are.patch
+acpi-button-add-lid-disable-dmi-quirk-for-nextbook-a.patch
+acpi-x86-add-acpi_quirk_uart1_skip-for-lenovo-yoga-b.patch
+acpi-video-add-backlight-native-dmi-quirk-for-apple-.patch
+acpi-video-add-backlight-native-dmi-quirk-for-lenovo.patch
+acpi-resource-remove-zen-specific-match-and-quirks.patch
+arm64-set-__exception_irq_entry-with-__irq_entry-as-.patch
+arm64-mm-fix-va-range-sanity-check.patch
+acpi-video-add-backlight-native-dmi-quirk-for-dell-s.patch
+rcu-tasks-avoid-pr_info-with-spin-lock-in-cblist_ini.patch
+rcu-mark-additional-concurrent-load-from-cpu_no_qs.b.patch
+tools-nolibc-ensure-stack-protector-guard-is-never-z.patch
+sched-fair-don-t-balance-task-to-its-current-running.patch
+wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch
+bpf-print-a-warning-only-if-writing-to-unprivileged_.patch
+bpf-address-kcsan-report-on-bpf_lru_list.patch
+spi-cadence-quadspi-add-compatible-for-amd-pensando-.patch
+bpf-drop-unnecessary-user-triggerable-warn_once-in-v.patch
+bpf-tcp-avoid-taking-fast-sock-lock-in-iterator.patch
+wifi-rtw88-sdio-check-the-hisr-rx_request-bit-in-rtw.patch
+bpf-silence-a-warning-in-btf_type_id_size.patch
+devlink-make-health-report-on-unregistered-instance-.patch
+wifi-ath11k-add-support-default-regdb-while-searchin.patch
+wifi-mac80211_hwsim-fix-possible-null-dereference.patch
+spi-dw-add-compatible-for-intel-mount-evans-soc.patch
+wifi-ath12k-avoid-null-pointer-access-during-managem.patch
+wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch
+wifi-iwlwifi-mvm-fix-potential-array-out-of-bounds-a.patch
+net-ethernet-litex-add-support-for-64-bit-stats.patch
+devlink-report-devlink_port_type_warn-source-device.patch
+wifi-iwlwifi-mvm-add-null-check-before-dereferencing.patch
+wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch
+wifi-iwlwifi-add-support-for-new-pci-id.patch
+wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch
+wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch
+igb-fix-igb_down-hung-on-surprise-removal.patch
+net-hns3-fix-strncpy-not-using-dest-buf-length-as-le.patch
+asoc-amd-acp-fix-for-invalid-dai-id-handling-in-acp_.patch
+asoc-codecs-wcd938x-fix-mbhc-impedance-loglevel.patch
+asoc-codecs-wcd938x-fix-db-range-for-hphl-and-hphr.patch
+asoc-qcom-q6apm-do-not-close-gpr-port-before-closing.patch
+iov_iter-mark-copy_iovec_from_user-noclone.patch
+sched-fair-use-recent_used_cpu-to-test-p-cpus_ptr.patch
+sched-psi-use-kernfs-polling-functions-for-psi-trigg.patch
+pinctrl-renesas-rzv2m-handle-non-unique-subnode-name.patch
+pinctrl-renesas-rzg2l-handle-non-unique-subnode-name.patch
+spi-bcm63xx-fix-max-prepend-length.patch
+fbdev-imxfb-warn-about-invalid-left-right-margin.patch
+fbdev-imxfb-removed-unneeded-release_mem_region.patch
+perf-build-fix-library-not-found-error-when-using-cs.patch
+btrfs-be-a-bit-more-careful-when-setting-mirror_num_.patch
+spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch
+kallsyms-strip-lto-only-suffixes-from-promoted-globa.patch
+smb-client-fix-missed-ses-refcounting.patch
+arm64-fix-hfgxtr_el2-field-naming.patch
+dsa-mv88e6xxx-do-a-final-check-before-timing-out.patch
+net-ethernet-ti-cpsw_ale-fix-cpsw_ale_get_field-cpsw.patch
+bridge-add-extack-warning-when-enabling-stp-in-netns.patch
+net-ethernet-mtk_eth_soc-handle-probe-deferral.patch
+gso-fix-dodgy-bit-handling-for-gso_udp_l4.patch
+iommu-sva-fix-signedness-bug-in-iommu_sva_alloc_pasi.patch
+cifs-fix-mid-leak-during-reconnection-after-timeout-.patch
+ice-unregister-netdev-and-devlink_port-only-once.patch
+ice-prevent-null-pointer-deref-during-reload.patch
+asoc-sof-ipc3-dtrace-uninitialized-data-in-dfsentry_.patch
+regulator-da9063-fix-null-pointer-deref-with-partial.patch
+net-sched-cls_matchall-undo-tcf_bind_filter-in-case-.patch
+net-sched-cls_u32-undo-tcf_bind_filter-if-u32_replac.patch
+net-sched-cls_u32-undo-refcount-decrement-in-case-up.patch
+net-sched-cls_bpf-undo-tcf_bind_filter-in-case-of-an.patch
+net-dsa-microchip-correct-ksz8795-static-mac-table-a.patch
+r8169-fix-aspm-related-problem-for-chip-version-42-a.patch
+drm-i915-perf-add-sentinel-to-xehp_oa_b_counters.patch
+iavf-fix-use-after-free-in-free_netdev.patch
+iavf-fix-out-of-bounds-when-setting-channels-on-remo.patch
+iavf-use-internal-state-to-free-traffic-irqs.patch
+iavf-make-functions-static-where-possible.patch
+iavf-wait-for-reset-in-callbacks-which-trigger-it.patch
+iavf-fix-a-deadlock-caused-by-rtnl-and-driver-s-lock.patch
+iavf-fix-reset-task-race-with-iavf_remove.patch
+security-keys-modify-mismatched-function-name.patch
+vrf-fix-lockdep-splat-in-output-path.patch
+octeontx2-pf-dont-allocate-bpids-for-lbk-interfaces.patch
+bpf-fix-subprog-idx-logic-in-check_max_stack_depth.patch
+bpf-repeat-check_max_stack_depth-for-async-callbacks.patch
+bpf-arm64-fix-bti-type-used-for-freplace-attached-fu.patch
+igc-avoid-transmit-queue-timeout-for-xdp.patch
+igc-prevent-garbled-tx-queue-with-xdp-zerocopy.patch
+net-ipv4-use-consistent-txhash-in-time_wait-and-syn_.patch
+tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch
+tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch
+net-ipv4-use-kfree_sensitive-instead-of-kfree.patch
+net-ipv6-check-return-value-of-pskb_trim.patch
+revert-tcp-avoid-the-lookup-process-failing-to-get-s.patch
+net-ethernet-mtk_eth_soc-always-mtk_get_ib1_pkt_type.patch
+fbdev-au1200fb-fix-missing-irq-check-in-au1200fb_drv.patch
+llc-don-t-drop-packet-from-non-root-netns.patch
+alsa-hda-realtek-fix-generic-fixup-definition-for-cs.patch
+netfilter-nf_tables-fix-spurious-set-element-inserti.patch
+netfilter-nf_tables-can-t-schedule-in-nft_chain_vali.patch
+netfilter-nft_set_pipapo-fix-improper-element-remova.patch
+netfilter-nf_tables-skip-bound-chain-in-netns-releas.patch
+netfilter-nf_tables-skip-bound-chain-on-rule-flush.patch
+bluetooth-use-rcu-for-hci_conn_params-and-iterate-sa.patch
+bluetooth-hci_event-call-disconnect-callback-before-.patch
+bluetooth-iso-fix-iso_conn-related-locking-and-valid.patch
+bluetooth-hci_sync-avoid-use-after-free-in-dbg-for-h.patch
+bluetooth-hci_conn-return-err_ptr-instead-of-null-wh.patch
+bluetooth-sco-fix-sco_conn-related-locking-and-valid.patch
+bluetooth-btusb-fix-bluetooth-on-intel-macbook-2014.patch
+tcp-annotate-data-races-around-tp-tcp_tx_delay.patch
+tcp-annotate-data-races-around-tp-tsoffset.patch
+tcp-annotate-data-races-around-tp-keepalive_time.patch
+tcp-annotate-data-races-around-tp-keepalive_intvl.patch
+tcp-annotate-data-races-around-tp-keepalive_probes.patch
+tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch
+tcp-annotate-data-races-around-tp-linger2.patch
+tcp-annotate-data-races-around-rskq_defer_accept.patch
+tcp-annotate-data-races-around-tp-notsent_lowat.patch
+tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch
+tcp-annotate-data-races-around-fastopenq.max_qlen.patch
+net-phy-prevent-stale-pointer-dereference-in-phy_ini.patch
+jbd2-recheck-chechpointing-non-dirty-buffer.patch
+kbuild-rust-avoid-creating-temporary-files.patch
+tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch
+drm-ttm-fix-bulk_move-corruption-when-adding-a-entry.patch
+spi-dw-remove-misleading-comment-for-mount-evans-soc.patch
+scsi-sg-don-t-grab-scsi-host-module-reference.patch
+x86-cpu-amd-move-the-errata-checking-functionality-up.patch
+x86-cpu-amd-add-a-zenbleed-fix.patch
diff --git a/tmp-6.4/smb-client-fix-missed-ses-refcounting.patch b/tmp-6.4/smb-client-fix-missed-ses-refcounting.patch
new file mode 100644
index 00000000000..a209fbf914a
--- /dev/null
+++ b/tmp-6.4/smb-client-fix-missed-ses-refcounting.patch
@@ -0,0 +1,101 @@
+From 7f47ebc21a8e24962ac932e93de9a7d1e696e3d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Jul 2023 14:15:10 -0300
+Subject: smb: client: fix missed ses refcounting
+
+From: Paulo Alcantara
+
+[ Upstream commit bf99f6be2d20146942bce6f9e90a0ceef12cbc1e ]
+
+Use new cifs_smb_ses_inc_refcount() helper to get an active reference
+of @ses and @ses->dfs_root_ses (if set). This will prevent
+@ses->dfs_root_ses of being put in the next call to cifs_put_smb_ses()
+and thus potentially causing an use-after-free bug.
+
+Fixes: 8e3554150d6c ("cifs: fix sharing of DFS connections")
+Signed-off-by: Paulo Alcantara (SUSE)
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/smb/client/dfs.c | 26 ++++++++++----------------
+ fs/smb/client/smb2transport.c | 2 +-
+ 2 files changed, 11 insertions(+), 17 deletions(-)
+
+diff --git a/fs/smb/client/dfs.c b/fs/smb/client/dfs.c
+index 26d14dd0482ef..cf83617236d8b 100644
+--- a/fs/smb/client/dfs.c
++++ b/fs/smb/client/dfs.c
+@@ -66,6 +66,12 @@ static int get_session(struct cifs_mount_ctx *mnt_ctx, const char *full_path)
+ return rc;
+ }
+
++/*
++ * Track individual DFS referral servers used by new DFS mount.
++ *
++ * On success, their lifetime will be shared by final tcon (dfs_ses_list).
++ * Otherwise, they will be put by dfs_put_root_smb_sessions() in cifs_mount().
++ */
+ static int add_root_smb_session(struct cifs_mount_ctx *mnt_ctx)
+ {
+ struct smb3_fs_context *ctx = mnt_ctx->fs_ctx;
+@@ -80,11 +86,12 @@ static int add_root_smb_session(struct cifs_mount_ctx *mnt_ctx)
+ INIT_LIST_HEAD(&root_ses->list);
+
+ spin_lock(&cifs_tcp_ses_lock);
+- ses->ses_count++;
++ cifs_smb_ses_inc_refcount(ses);
+ spin_unlock(&cifs_tcp_ses_lock);
+ root_ses->ses = ses;
+ list_add_tail(&root_ses->list, &mnt_ctx->dfs_ses_list);
+ }
++ /* Select new DFS referral server so that new referrals go through it */
+ ctx->dfs_root_ses = ses;
+ return 0;
+ }
+@@ -244,7 +251,6 @@ static int __dfs_mount_share(struct cifs_mount_ctx *mnt_ctx)
+ int dfs_mount_share(struct cifs_mount_ctx *mnt_ctx, bool *isdfs)
+ {
+ struct smb3_fs_context *ctx = mnt_ctx->fs_ctx;
+- struct cifs_ses *ses;
+ bool nodfs = ctx->nodfs;
+ int rc;
+
+@@ -278,20 +284,8 @@ int dfs_mount_share(struct cifs_mount_ctx *mnt_ctx, bool *isdfs)
+ }
+
+ *isdfs = true;
+- /*
+- * Prevent DFS root session of being put in the first call to
+- * cifs_mount_put_conns(). If another DFS root server was not found
+- * while chasing the referrals (@ctx->dfs_root_ses == @ses), then we
+- * can safely put extra refcount of @ses.
+- */
+- ses = mnt_ctx->ses;
+- mnt_ctx->ses = NULL;
+- mnt_ctx->server = NULL;
+- rc = __dfs_mount_share(mnt_ctx);
+- if (ses == ctx->dfs_root_ses)
+- cifs_put_smb_ses(ses);
+-
+- return rc;
++ add_root_smb_session(mnt_ctx);
++ return __dfs_mount_share(mnt_ctx);
+ }
+
+ /* Update dfs referral path of superblock */
+diff --git a/fs/smb/client/smb2transport.c b/fs/smb/client/smb2transport.c
+index 22954a9c7a6c7..355e8700530fc 100644
+--- a/fs/smb/client/smb2transport.c
++++ b/fs/smb/client/smb2transport.c
+@@ -159,7 +159,7 @@ smb2_find_smb_ses_unlocked(struct TCP_Server_Info *server, __u64 ses_id)
+ spin_unlock(&ses->ses_lock);
+ continue;
+ }
+- ++ses->ses_count;
++ cifs_smb_ses_inc_refcount(ses);
+ spin_unlock(&ses->ses_lock);
+ return ses;
+ }
+--
+2.39.2
+
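Review bot: The return value of `add_root_smb_session(mnt_ctx)` is dropped at the new call site in dfs_mount_share(), although the function is declared `static int` and only its successful `return 0;` tail is visible here. If the part of its body outside these hunks can fail (the context line `INIT_LIST_HEAD(&root_ses->list)` suggests an allocation just before it), the mount would carry on without the extra session reference and without updating `ctx->dfs_root_ses`, which is exactly the lifetime this commit sets out to pin down. `rc` is already declared in dfs_mount_share(), so the call could read `rc = add_root_smb_session(mnt_ctx); if (rc) return rc;`. Both functions begin or end outside the hunks, so the failure path should be confirmed against the full file.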
diff --git a/tmp-6.4/spi-bcm63xx-fix-max-prepend-length.patch b/tmp-6.4/spi-bcm63xx-fix-max-prepend-length.patch
new file mode 100644
index 00000000000..5375ee76f78
--- /dev/null
+++ b/tmp-6.4/spi-bcm63xx-fix-max-prepend-length.patch
@@ -0,0 +1,47 @@
+From 85db4a1c7589a014ef7e05be2349369ceb31e125 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Jun 2023 09:14:52 +0200
+Subject: spi: bcm63xx: fix max prepend length
+
+From: Jonas Gorski
+
+[ Upstream commit 5158814cbb37bbb38344b3ecddc24ba2ed0365f2 ]
+
+The command word is defined as following:
+
+ /* Command */
+ #define SPI_CMD_COMMAND_SHIFT 0
+ #define SPI_CMD_DEVICE_ID_SHIFT 4
+ #define SPI_CMD_PREPEND_BYTE_CNT_SHIFT 8
+ #define SPI_CMD_ONE_BYTE_SHIFT 11
+ #define SPI_CMD_ONE_WIRE_SHIFT 12
+
+If the prepend byte count field starts at bit 8, and the next defined
+bit is SPI_CMD_ONE_BYTE at bit 11, it can be at most 3 bits wide, and
+thus the max value is 7, not 15.
+
+Fixes: b17de076062a ("spi/bcm63xx: work around inability to keep CS up")
+Signed-off-by: Jonas Gorski
+Link: https://lore.kernel.org/r/20230629071453.62024-1-jonas.gorski@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-bcm63xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c
+index 9aecb77c3d892..07b5b71b23520 100644
+--- a/drivers/spi/spi-bcm63xx.c
++++ b/drivers/spi/spi-bcm63xx.c
+@@ -126,7 +126,7 @@ enum bcm63xx_regs_spi {
+ SPI_MSG_DATA_SIZE,
+ };
+
+-#define BCM63XX_SPI_MAX_PREPEND 15
++#define BCM63XX_SPI_MAX_PREPEND 7
+
+ #define BCM63XX_SPI_MAX_CS 8
+ #define BCM63XX_SPI_BUS_NUM 0
+--
+2.39.2
+
diff --git a/tmp-6.4/spi-cadence-quadspi-add-compatible-for-amd-pensando-.patch b/tmp-6.4/spi-cadence-quadspi-add-compatible-for-amd-pensando-.patch
new file mode 100644
index 00000000000..e4ec977db97
--- /dev/null
+++ b/tmp-6.4/spi-cadence-quadspi-add-compatible-for-amd-pensando-.patch
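Review bot: `BCM63XX_SPI_MAX_PREPEND` is still a bare number at the changed `#define` in spi-bcm63xx.c, so nothing in the source ties the limit to the width of the prepend-count field that the commit message derives it from. A one-line comment would keep the two from drifting apart again, for example `/* PREPEND_BYTE_CNT is 3 bits wide (command word bits 8..10), so at most 7 */`. Going by the layout quoted in the description, a count above the field width would presumably land in the neighbouring SPI_CMD_ONE_BYTE bit. The code that uses the constant is outside this hunk, so that effect should be checked there.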
@@ -0,0 +1,91 @@ +From a6e25408e4037a4e7c973bcbdc45c46f3e710817 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 May 2023 11:16:05 -0700 +Subject: spi: cadence-quadspi: Add compatible for AMD Pensando Elba SoC + +From: Brad Larson + +[ Upstream commit f5c2f9f9584353bc816d76a65c97dd03dc61678c ] + +The AMD Pensando Elba SoC has the Cadence QSPI controller integrated. + +The quirk CQSPI_NEEDS_APB_AHB_HAZARD_WAR is added and if enabled +a dummy readback from the controller is performed to ensure +synchronization. + +Signed-off-by: Brad Larson +--- + drivers/spi/spi-cadence-quadspi.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c +index 32449bef4415a..abf10f92415dc 100644 +--- a/drivers/spi/spi-cadence-quadspi.c ++++ b/drivers/spi/spi-cadence-quadspi.c +@@ -40,6 +40,7 @@ + #define CQSPI_SUPPORT_EXTERNAL_DMA BIT(2) + #define CQSPI_NO_SUPPORT_WR_COMPLETION BIT(3) + #define CQSPI_SLOW_SRAM BIT(4) ++#define CQSPI_NEEDS_APB_AHB_HAZARD_WAR BIT(5) + + /* Capabilities */ + #define CQSPI_SUPPORTS_OCTAL BIT(0) +@@ -90,6 +91,7 @@ struct cqspi_st { + u32 pd_dev_id; + bool wr_completion; + bool slow_sram; ++ bool apb_ahb_hazard; + }; + + struct cqspi_driver_platdata { +@@ -1027,6 +1029,13 @@ static int cqspi_indirect_write_execute(struct cqspi_flash_pdata *f_pdata, + if (cqspi->wr_delay) + ndelay(cqspi->wr_delay); + ++ /* ++ * If a hazard exists between the APB and AHB interfaces, perform a ++ * dummy readback from the controller to ensure synchronization. 
++ */ ++ if (cqspi->apb_ahb_hazard) ++ readl(reg_base + CQSPI_REG_INDIRECTWR); ++ + while (remaining > 0) { + size_t write_words, mod_bytes; + +@@ -1754,6 +1763,8 @@ static int cqspi_probe(struct platform_device *pdev) + cqspi->wr_completion = false; + if (ddata->quirks & CQSPI_SLOW_SRAM) + cqspi->slow_sram = true; ++ if (ddata->quirks & CQSPI_NEEDS_APB_AHB_HAZARD_WAR) ++ cqspi->apb_ahb_hazard = true; + + if (of_device_is_compatible(pdev->dev.of_node, + "xlnx,versal-ospi-1.0")) { +@@ -1888,6 +1899,10 @@ static const struct cqspi_driver_platdata jh7110_qspi = { + .quirks = CQSPI_DISABLE_DAC_MODE, + }; + ++static const struct cqspi_driver_platdata pensando_cdns_qspi = { ++ .quirks = CQSPI_NEEDS_APB_AHB_HAZARD_WAR | CQSPI_DISABLE_DAC_MODE, ++}; ++ + static const struct of_device_id cqspi_dt_ids[] = { + { + .compatible = "cdns,qspi-nor", +@@ -1917,6 +1932,10 @@ static const struct of_device_id cqspi_dt_ids[] = { + .compatible = "starfive,jh7110-qspi", + .data = &jh7110_qspi, + }, ++ { ++ .compatible = "amd,pensando-elba-qspi", ++ .data = &pensando_cdns_qspi, ++ }, + { /* end of table */ } + }; + +-- +2.39.2 + diff --git a/tmp-6.4/spi-dw-add-compatible-for-intel-mount-evans-soc.patch b/tmp-6.4/spi-dw-add-compatible-for-intel-mount-evans-soc.patch new file mode 100644 index 00000000000..7e4132d1509 --- /dev/null +++ b/tmp-6.4/spi-dw-add-compatible-for-intel-mount-evans-soc.patch 
@@ -0,0 +1,81 @@
+From 5c7b90ce00cd6f8e21d963c6fe6d85aec915540e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jun 2023 07:54:01 -0700
+Subject: spi: dw: Add compatible for Intel Mount Evans SoC
+
+From: Abe Kohandel
+
+[ Upstream commit 0760d5d0e9f0c0e2200a0323a61d1995bb745dee ]
+
+The Intel Mount Evans SoC's Integrated Management Complex uses the SPI
+controller for access to a NOR SPI FLASH. However, the SoC doesn't
+provide a mechanism to override the native chip select signal.
+
+This driver doesn't use DMA for memory operations when a chip select
+override is not provided due to the native chip select timing behavior.
+As a result no DMA configuration is done for the controller and this
+configuration is not tested.
+
+The controller also has an errata where a full TX FIFO can result in
+data corruption. The suggested workaround is to never completely fill
+the FIFO. The TX FIFO has a size of 32 so the fifo_len is set to 31.
+
+Signed-off-by: Abe Kohandel
+Reviewed-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20230606145402.474866-2-abe.kohandel@intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-dw-mmio.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/drivers/spi/spi-dw-mmio.c b/drivers/spi/spi-dw-mmio.c
+index 15f5e9cb54ad4..5a38cb09a650d 100644
+--- a/drivers/spi/spi-dw-mmio.c
++++ b/drivers/spi/spi-dw-mmio.c
+@@ -236,6 +236,31 @@ static int dw_spi_intel_init(struct platform_device *pdev,
+ return 0;
+ }
+
++/*
++ * The Intel Mount Evans SoC's Integrated Management Complex uses the
++ * SPI controller for access to a NOR SPI FLASH. However, the SoC doesn't
++ * provide a mechanism to override the native chip select signal.
++ *
++ * This driver doesn't use DMA for memory operations when a chip select
++ * override is not provided due to the native chip select timing behavior.
++ * As a result no DMA configuration is done for the controller and this
++ * configuration is not tested.
++ */
++static int dw_spi_mountevans_imc_init(struct platform_device *pdev,
++ struct dw_spi_mmio *dwsmmio)
++{
++ /*
++ * The Intel Mount Evans SoC's Integrated Management Complex DW
++ * apb_ssi_v4.02a controller has an errata where a full TX FIFO can
++ * result in data corruption. The suggested workaround is to never
++ * completely fill the FIFO. The TX FIFO has a size of 32 so the
++ * fifo_len is set to 31.
++ */
++ dwsmmio->dws.fifo_len = 31;
++
++ return 0;
++}
++
+ static int dw_spi_canaan_k210_init(struct platform_device *pdev,
+ struct dw_spi_mmio *dwsmmio)
+ {
+@@ -405,6 +430,10 @@ static const struct of_device_id dw_spi_mmio_of_match[] = {
+ { .compatible = "snps,dwc-ssi-1.01a", .data = dw_spi_hssi_init},
+ { .compatible = "intel,keembay-ssi", .data = dw_spi_intel_init},
+ { .compatible = "intel,thunderbay-ssi", .data = dw_spi_intel_init},
++ {
++ .compatible = "intel,mountevans-imc-ssi",
++ .data = dw_spi_mountevans_imc_init,
++ },
+ { .compatible = "microchip,sparx5-spi", dw_spi_mscc_sparx5_init},
+ { .compatible = "canaan,k210-spi", dw_spi_canaan_k210_init},
+ { .compatible = "amd,pensando-elba-spi", .data = dw_spi_elba_init},
+--
+2.39.2
+
diff --git a/tmp-6.4/spi-dw-remove-misleading-comment-for-mount-evans-soc.patch b/tmp-6.4/spi-dw-remove-misleading-comment-for-mount-evans-soc.patch
new file mode 100644
index 00000000000..95194c927c4
--- /dev/null
+++ b/tmp-6.4/spi-dw-remove-misleading-comment-for-mount-evans-soc.patch
@@ -0,0 +1,41 @@
+From 5b6d0b91f84cff3f28724076f93f6f9e2ef8d775 Mon Sep 17 00:00:00 2001
+From: Abe Kohandel
+Date: Tue, 6 Jun 2023 16:18:44 -0700
+Subject: spi: dw: Remove misleading comment for Mount Evans SoC
+
+From: Abe Kohandel
+
+commit 5b6d0b91f84cff3f28724076f93f6f9e2ef8d775 upstream.
+
+Remove a misleading comment about the DMA operations of the Intel Mount
+Evans SoC's SPI Controller as requested by Serge.
+
+Signed-off-by: Abe Kohandel
+Link: https://lore.kernel.org/linux-spi/20230606191333.247ucbf7h3tlooxf@mobilestation/
+Fixes: 0760d5d0e9f0 ("spi: dw: Add compatible for Intel Mount Evans SoC")
+Reviewed-by: Serge Semin
+Link: https://lore.kernel.org/r/20230606231844.726272-1-abe.kohandel@intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-dw-mmio.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/spi/spi-dw-mmio.c
++++ b/drivers/spi/spi-dw-mmio.c
+@@ -237,14 +237,7 @@ static int dw_spi_intel_init(struct plat
+ }
+
+ /*
+- * The Intel Mount Evans SoC's Integrated Management Complex uses the
+- * SPI controller for access to a NOR SPI FLASH. However, the SoC doesn't
+- * provide a mechanism to override the native chip select signal.
+- *
+- * This driver doesn't use DMA for memory operations when a chip select
+- * override is not provided due to the native chip select timing behavior.
+- * As a result no DMA configuration is done for the controller and this
+- * configuration is not tested.
++ * DMA-based mem ops are not configured for this device and are not tested.
+ */
+ static int dw_spi_mountevans_imc_init(struct platform_device *pdev,
+ struct dw_spi_mmio *dwsmmio)
diff --git a/tmp-6.4/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch b/tmp-6.4/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch
new file mode 100644
index 00000000000..33df33382a5
--- /dev/null
+++ b/tmp-6.4/spi-s3c64xx-clear-loopback-bit-after-loopback-test.patch
@@ -0,0 +1,40 @@
+From 18195ef4c4ce79e318fb5c779ab1ea8c6a1e88c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Jul 2023 17:20:20 +0900
+Subject: spi: s3c64xx: clear loopback bit after loopback test
+
+From: Jaewon Kim
+
+[ Upstream commit 9ec3c5517e22a12d2ff1b71e844f7913641460c6 ]
+
+When SPI loopback transfer is performed, S3C64XX_SPI_MODE_SELF_LOOPBACK
+bit still remained. It works as loopback even if the next transfer is
+not spi loopback mode.
+If not SPI_LOOP, needs to clear S3C64XX_SPI_MODE_SELF_LOOPBACK bit.
+
+Signed-off-by: Jaewon Kim
+Fixes: ffb7bcd3b27e ("spi: s3c64xx: support loopback mode")
+Reviewed-by: Chanho Park
+Link: https://lore.kernel.org/r/20230711082020.138165-1-jaewon02.kim@samsung.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-s3c64xx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
+index 7ac17f0d18a95..1a8b31e20baf2 100644
+--- a/drivers/spi/spi-s3c64xx.c
++++ b/drivers/spi/spi-s3c64xx.c
+@@ -668,6 +668,8 @@ static int s3c64xx_spi_config(struct s3c64xx_spi_driver_data *sdd)
+
+ if ((sdd->cur_mode & SPI_LOOP) && sdd->port_conf->has_loopback)
+ val |= S3C64XX_SPI_MODE_SELF_LOOPBACK;
++ else
++ val &= ~S3C64XX_SPI_MODE_SELF_LOOPBACK;
+
+ writel(val, regs + S3C64XX_SPI_MODE_CFG);
+
+--
+2.39.2
+
diff --git a/tmp-6.4/tcp-annotate-data-races-around-fastopenq.max_qlen.patch b/tmp-6.4/tcp-annotate-data-races-around-fastopenq.max_qlen.patch
new file mode 100644
index 00000000000..c7070edb201
--- /dev/null
+++ b/tmp-6.4/tcp-annotate-data-races-around-fastopenq.max_qlen.patch
@@ -0,0 +1,77 @@
+From 5b09a1d0f89f0fe1f11380b4827375463adc9b58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:57 +0000
+Subject: tcp: annotate data-races around fastopenq.max_qlen
+
+From: Eric Dumazet
+
+[ Upstream commit 70f360dd7042cb843635ece9d28335a4addff9eb ]
+
+This field can be read locklessly.
+
+Fixes: 1536e2857bd3 ("tcp: Add a TCP_FASTOPEN socket option to get a max backlog on its listner")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-12-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/linux/tcp.h | 2 +-
+ net/ipv4/tcp.c | 2 +-
+ net/ipv4/tcp_fastopen.c | 6 ++++--
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/tcp.h b/include/linux/tcp.h
+index b4c08ac869835..91a37c99ba665 100644
+--- a/include/linux/tcp.h
++++ b/include/linux/tcp.h
+@@ -513,7 +513,7 @@ static inline void fastopen_queue_tune(struct sock *sk, int backlog)
+ struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
+ int somaxconn = READ_ONCE(sock_net(sk)->core.sysctl_somaxconn);
+
+- queue->fastopenq.max_qlen = min_t(unsigned int, backlog, somaxconn);
++ WRITE_ONCE(queue->fastopenq.max_qlen, min_t(unsigned int, backlog, somaxconn));
+ }
+
+ static inline void tcp_move_syn(struct tcp_sock *tp,
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index c9b955d9d7ace..79f29e138fc9f 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -4254,7 +4254,7 @@ int do_tcp_getsockopt(struct sock *sk, int level,
+ break;
+
+ case TCP_FASTOPEN:
+- val = icsk->icsk_accept_queue.fastopenq.max_qlen;
++ val = READ_ONCE(icsk->icsk_accept_queue.fastopenq.max_qlen);
+ break;
+
+ case TCP_FASTOPEN_CONNECT:
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index 45cc7f1ca2961..85e4953f11821 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -296,6 +296,7 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk,
+ static bool tcp_fastopen_queue_check(struct sock *sk)
+ {
+ struct fastopen_queue *fastopenq;
++ int max_qlen;
+
+ /* Make sure the listener has enabled fastopen, and we don't
+ * exceed the max # of pending TFO requests allowed before trying
+@@ -308,10 +309,11 @@ static bool tcp_fastopen_queue_check(struct sock *sk)
+ * temporarily vs a server not supporting Fast Open at all.
+ */
+ fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq;
+- if (fastopenq->max_qlen == 0)
++ max_qlen = READ_ONCE(fastopenq->max_qlen);
++ if (max_qlen == 0)
+ return false;
+
+- if (fastopenq->qlen >= fastopenq->max_qlen) {
++ if (fastopenq->qlen >= max_qlen) {
+ struct request_sock *req1;
+ spin_lock(&fastopenq->lock);
+ req1 = fastopenq->rskq_rst_head;
+--
+2.39.2
+
diff --git a/tmp-6.4/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch b/tmp-6.4/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch
new file mode 100644
index 00000000000..8e0c0cc38f6
--- /dev/null
+++ b/tmp-6.4/tcp-annotate-data-races-around-icsk-icsk_syn_retries.patch
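Review bot: The comparison `if (fastopenq->qlen >= max_qlen)` in tcp_fastopen_queue_check() still loads `fastopenq->qlen` with a plain read, and it does so before `spin_lock(&fastopenq->lock)` is taken on the following lines. If qlen is updated by other CPUs while that lock is held (the writers are not visible in this hunk), this is the same kind of lockless access the patch annotates for max_qlen, and it is the check that enforces the cap on pending TFO requests. I would either write `if (READ_ONCE(fastopenq->qlen) >= max_qlen) {` or add a comment stating that a stale qlen is acceptable here. The function body continues past the end of the hunk.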
@@ -0,0 +1,69 @@
+From 97078fbe71e9da46eaf0ff1bd216712e9fb816e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:52 +0000
+Subject: tcp: annotate data-races around icsk->icsk_syn_retries
+
+From: Eric Dumazet
+
+[ Upstream commit 3a037f0f3c4bfe44518f2fbb478aa2f99a9cd8bb ]
+
+do_tcp_getsockopt() and reqsk_timer_handler() read
+icsk->icsk_syn_retries while another cpu might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-7-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/inet_connection_sock.c | 2 +-
+ net/ipv4/tcp.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index 1386787eaf1a5..3105a676eba76 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -1016,7 +1016,7 @@ static void reqsk_timer_handler(struct timer_list *t)
+
+ icsk = inet_csk(sk_listener);
+ net = sock_net(sk_listener);
+- max_syn_ack_retries = icsk->icsk_syn_retries ? :
++ max_syn_ack_retries = READ_ONCE(icsk->icsk_syn_retries) ? :
+ READ_ONCE(net->ipv4.sysctl_tcp_synack_retries);
+ /* Normally all the openreqs are young and become mature
+ * (i.e. converted to established socket) for first timeout.
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index cc7966cfad1a3..488cf4ae75fab 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3400,7 +3400,7 @@ int tcp_sock_set_syncnt(struct sock *sk, int val)
+ return -EINVAL;
+
+ lock_sock(sk);
+- inet_csk(sk)->icsk_syn_retries = val;
++ WRITE_ONCE(inet_csk(sk)->icsk_syn_retries, val);
+ release_sock(sk);
+ return 0;
+ }
+@@ -3681,7 +3681,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+ if (val < 1 || val > MAX_TCP_SYNCNT)
+ err = -EINVAL;
+ else
+- icsk->icsk_syn_retries = val;
++ WRITE_ONCE(icsk->icsk_syn_retries, val);
+ break;
+
+ case TCP_SAVE_SYN:
+@@ -4102,7 +4102,7 @@ int do_tcp_getsockopt(struct sock *sk, int level,
+ val = keepalive_probes(tp);
+ break;
+ case TCP_SYNCNT:
+- val = icsk->icsk_syn_retries ? :
++ val = READ_ONCE(icsk->icsk_syn_retries) ? :
+ READ_ONCE(net->ipv4.sysctl_tcp_syn_retries);
+ break;
+ case TCP_LINGER2:
+--
+2.39.2
+
diff --git a/tmp-6.4/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch b/tmp-6.4/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch
new file mode 100644
index 00000000000..67b0bc746df
--- /dev/null
+++ b/tmp-6.4/tcp-annotate-data-races-around-icsk-icsk_user_timeou.patch
@@ -0,0 +1,54 @@
+From 65a31d1209b2ad2cee321305e50cc53cc92031e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:56 +0000
+Subject: tcp: annotate data-races around icsk->icsk_user_timeout
+
+From: Eric Dumazet
+
+[ Upstream commit 26023e91e12c68669db416b97234328a03d8e499 ]
+
+This field can be read locklessly from do_tcp_getsockopt()
+
+Fixes: dca43c75e7e5 ("tcp: Add TCP_USER_TIMEOUT socket option.")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-11-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 4556ba6e7d74d..c9b955d9d7ace 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3409,7 +3409,7 @@ EXPORT_SYMBOL(tcp_sock_set_syncnt);
+ void tcp_sock_set_user_timeout(struct sock *sk, u32 val)
+ {
+ lock_sock(sk);
+- inet_csk(sk)->icsk_user_timeout = val;
++ WRITE_ONCE(inet_csk(sk)->icsk_user_timeout, val);
+ release_sock(sk);
+ }
+ EXPORT_SYMBOL(tcp_sock_set_user_timeout);
+@@ -3729,7 +3729,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+ if (val < 0)
+ err = -EINVAL;
+ else
+- icsk->icsk_user_timeout = val;
++ WRITE_ONCE(icsk->icsk_user_timeout, val);
+ break;
+
+ case TCP_FASTOPEN:
+@@ -4250,7 +4250,7 @@ int do_tcp_getsockopt(struct sock *sk, int level,
+ break;
+
+ case TCP_USER_TIMEOUT:
+- val = icsk->icsk_user_timeout;
++ val = READ_ONCE(icsk->icsk_user_timeout);
+ break;
+
+ case TCP_FASTOPEN:
+--
+2.39.2
+
diff --git a/tmp-6.4/tcp-annotate-data-races-around-rskq_defer_accept.patch b/tmp-6.4/tcp-annotate-data-races-around-rskq_defer_accept.patch
new file mode 100644
index 00000000000..9a5faac4cb3
--- /dev/null
+++ b/tmp-6.4/tcp-annotate-data-races-around-rskq_defer_accept.patch
@@ -0,0 +1,53 @@
+From f1ac3daf1c804ebe70383f81c2f4438bf429b0b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:54 +0000
+Subject: tcp: annotate data-races around rskq_defer_accept
+
+From: Eric Dumazet
+
+[ Upstream commit ae488c74422fb1dcd807c0201804b3b5e8a322a3 ]
+
+do_tcp_getsockopt() reads rskq_defer_accept while another cpu
+might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-9-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 0ebe775bde688..c95d8b43390b6 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3703,9 +3703,9 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+
+ case TCP_DEFER_ACCEPT:
+ /* Translate value in seconds to number of retransmits */
+- icsk->icsk_accept_queue.rskq_defer_accept =
+- secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ,
+- TCP_RTO_MAX / HZ);
++ WRITE_ONCE(icsk->icsk_accept_queue.rskq_defer_accept,
++ secs_to_retrans(val, TCP_TIMEOUT_INIT / HZ,
++ TCP_RTO_MAX / HZ));
+ break;
+
+ case TCP_WINDOW_CLAMP:
+@@ -4111,8 +4111,9 @@ int do_tcp_getsockopt(struct sock *sk, int level,
+ val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ;
+ break;
+ case TCP_DEFER_ACCEPT:
+- val = retrans_to_secs(icsk->icsk_accept_queue.rskq_defer_accept,
+- TCP_TIMEOUT_INIT / HZ, TCP_RTO_MAX / HZ);
++ val = READ_ONCE(icsk->icsk_accept_queue.rskq_defer_accept);
++ val = retrans_to_secs(val, TCP_TIMEOUT_INIT / HZ,
++ TCP_RTO_MAX / HZ);
+ break;
+ case TCP_WINDOW_CLAMP:
+ val = tp->window_clamp;
+--
+2.39.2
+
diff --git a/tmp-6.4/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch b/tmp-6.4/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch
new file mode 100644
index 00000000000..3074c2dd698
--- /dev/null
+++ b/tmp-6.4/tcp-annotate-data-races-around-tcp_rsk-req-ts_recent.patch 
@@ -0,0 +1,184 @@
+From b7a226c14fd63574e5f9f99c875c51589d9111f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 14:44:45 +0000
+Subject: tcp: annotate data-races around tcp_rsk(req)->ts_recent
+
+From: Eric Dumazet
+
+[ Upstream commit eba20811f32652bc1a52d5e7cc403859b86390d9 ]
+
+TCP request sockets are lockless, tcp_rsk(req)->ts_recent
+can change while being read by another cpu as syzbot noticed.
+
+This is harmless, but we should annotate the known races.
+
+Note that tcp_check_req() changes req->ts_recent a bit early,
+we might change this in the future.
+
+BUG: KCSAN: data-race in tcp_check_req / tcp_check_req
+
+write to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 1:
+tcp_check_req+0x694/0xc70 net/ipv4/tcp_minisocks.c:762
+tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071
+ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205
+ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254
+dst_input include/net/dst.h:468 [inline]
+ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569
+__netif_receive_skb_one_core net/core/dev.c:5493 [inline]
+__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607
+process_backlog+0x21f/0x380 net/core/dev.c:5935
+__napi_poll+0x60/0x3b0 net/core/dev.c:6498
+napi_poll net/core/dev.c:6565 [inline]
+net_rx_action+0x32b/0x750 net/core/dev.c:6698
+__do_softirq+0xc1/0x265 kernel/softirq.c:571
+do_softirq+0x7e/0xb0 kernel/softirq.c:472
+__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:396
+local_bh_enable+0x1f/0x20 include/linux/bottom_half.h:33
+rcu_read_unlock_bh include/linux/rcupdate.h:843 [inline]
+__dev_queue_xmit+0xabb/0x1d10 net/core/dev.c:4271
+dev_queue_xmit include/linux/netdevice.h:3088 [inline]
+neigh_hh_output include/net/neighbour.h:528 [inline]
+neigh_output include/net/neighbour.h:542 [inline]
+ip_finish_output2+0x700/0x840 net/ipv4/ip_output.c:229
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:317
+NF_HOOK_COND include/linux/netfilter.h:292 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:431
+dst_output include/net/dst.h:458 [inline]
+ip_local_out net/ipv4/ip_output.c:126 [inline]
+__ip_queue_xmit+0xa4d/0xa70 net/ipv4/ip_output.c:533
+ip_queue_xmit+0x38/0x40 net/ipv4/ip_output.c:547
+__tcp_transmit_skb+0x1194/0x16e0 net/ipv4/tcp_output.c:1399
+tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline]
+tcp_write_xmit+0x13ff/0x2fd0 net/ipv4/tcp_output.c:2693
+__tcp_push_pending_frames+0x6a/0x1a0 net/ipv4/tcp_output.c:2877
+tcp_push_pending_frames include/net/tcp.h:1952 [inline]
+__tcp_sock_set_cork net/ipv4/tcp.c:3336 [inline]
+tcp_sock_set_cork+0xe8/0x100 net/ipv4/tcp.c:3343
+rds_tcp_xmit_path_complete+0x3b/0x40 net/rds/tcp_send.c:52
+rds_send_xmit+0xf8d/0x1420 net/rds/send.c:422
+rds_send_worker+0x42/0x1d0 net/rds/threads.c:200
+process_one_work+0x3e6/0x750 kernel/workqueue.c:2408
+worker_thread+0x5f2/0xa10 kernel/workqueue.c:2555
+kthread+0x1d7/0x210 kernel/kthread.c:379
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+read to 0xffff88813c8afb84 of 4 bytes by interrupt on cpu 0:
+tcp_check_req+0x32a/0xc70 net/ipv4/tcp_minisocks.c:622
+tcp_v4_rcv+0x12db/0x1b70 net/ipv4/tcp_ipv4.c:2071
+ip_protocol_deliver_rcu+0x356/0x6d0 net/ipv4/ip_input.c:205
+ip_local_deliver_finish+0x13c/0x1a0 net/ipv4/ip_input.c:233
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ip_local_deliver+0xec/0x1c0 net/ipv4/ip_input.c:254
+dst_input include/net/dst.h:468 [inline]
+ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ip_rcv+0x197/0x270 net/ipv4/ip_input.c:569
+__netif_receive_skb_one_core net/core/dev.c:5493 [inline]
+__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5607
+process_backlog+0x21f/0x380 net/core/dev.c:5935
+__napi_poll+0x60/0x3b0 net/core/dev.c:6498
+napi_poll net/core/dev.c:6565 [inline]
+net_rx_action+0x32b/0x750 net/core/dev.c:6698
+__do_softirq+0xc1/0x265 kernel/softirq.c:571
+run_ksoftirqd+0x17/0x20 kernel/softirq.c:939
+smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
+kthread+0x1d7/0x210 kernel/kthread.c:379
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+value changed: 0x1cd237f1 -> 0x1cd237f2
+
+Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Reviewed-by: Kuniyuki Iwashima
+Link: https://lore.kernel.org/r/20230717144445.653164-3-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_ipv4.c | 2 +-
+ net/ipv4/tcp_minisocks.c | 9 ++++++---
+ net/ipv4/tcp_output.c | 2 +-
+ net/ipv6/tcp_ipv6.c | 2 +-
+ 4 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 52229c75e76f6..5d3e49ceb6917 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -988,7 +988,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
+ tcp_rsk(req)->rcv_nxt,
+ req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale,
+ tcp_time_stamp_raw() + tcp_rsk(req)->ts_off,
+- req->ts_recent,
++ READ_ONCE(req->ts_recent),
+ 0,
+ tcp_md5_do_lookup(sk, l3index, addr, AF_INET),
+ inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0,
+diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
+index 909f3b4ed2059..62641d42b06b5 100644
+--- a/net/ipv4/tcp_minisocks.c
++++ b/net/ipv4/tcp_minisocks.c
+@@ -555,7 +555,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk,
+ newtp->max_window = newtp->snd_wnd;
+
+ if (newtp->rx_opt.tstamp_ok) {
+- newtp->rx_opt.ts_recent = req->ts_recent;
++ newtp->rx_opt.ts_recent = READ_ONCE(req->ts_recent);
+ newtp->rx_opt.ts_recent_stamp = ktime_get_seconds();
+ newtp->tcp_header_len = sizeof(struct tcphdr) + TCPOLEN_TSTAMP_ALIGNED;
+ } else {
+@@ -619,7 +619,7 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
+ tcp_parse_options(sock_net(sk), skb, &tmp_opt, 0, NULL);
+
+ if (tmp_opt.saw_tstamp) {
+- tmp_opt.ts_recent = req->ts_recent;
++ tmp_opt.ts_recent = READ_ONCE(req->ts_recent);
+ if (tmp_opt.rcv_tsecr)
+ tmp_opt.rcv_tsecr -= tcp_rsk(req)->ts_off;
+ /* We do not store true stamp, but it is not required,
+@@ -758,8 +758,11 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
+
+ /* In sequence, PAWS is OK. */
+
++ /* TODO: We probably should defer ts_recent change once
++ * we take ownership of @req.
++ */
+ if (tmp_opt.saw_tstamp && !after(TCP_SKB_CB(skb)->seq, tcp_rsk(req)->rcv_nxt))
+- req->ts_recent = tmp_opt.rcv_tsval;
++ WRITE_ONCE(req->ts_recent, tmp_opt.rcv_tsval);
+
+ if (TCP_SKB_CB(skb)->seq == tcp_rsk(req)->rcv_isn) {
+ /* Truncate SYN, it is out of window starting
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 1538b59913777..518cb4abc8b4f 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -876,7 +876,7 @@ static unsigned int tcp_synack_options(const struct sock *sk,
+ if (likely(ireq->tstamp_ok)) {
+ opts->options |= OPTION_TS;
+ opts->tsval = tcp_skb_timestamp(skb) + tcp_rsk(req)->ts_off;
+- opts->tsecr = req->ts_recent;
++ opts->tsecr = READ_ONCE(req->ts_recent);
+ remaining -= TCPOLEN_TSTAMP_ALIGNED;
+ }
+ if (likely(ireq->sack_ok)) {
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index a3c86b714b242..f7c248a7f8d1d 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1130,7 +1130,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
+ tcp_rsk(req)->rcv_nxt,
+ req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale,
+ tcp_time_stamp_raw() + tcp_rsk(req)->ts_off,
+- req->ts_recent, sk->sk_bound_dev_if,
++ READ_ONCE(req->ts_recent), sk->sk_bound_dev_if,
+ tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index),
+ ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority,
+ READ_ONCE(tcp_rsk(req)->txhash));
+--
+2.39.2
+
diff --git a/tmp-6.4/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch b/tmp-6.4/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch
new file mode 100644
index 00000000000..1ddefd6e96d
--- /dev/null
+++ b/tmp-6.4/tcp-annotate-data-races-around-tcp_rsk-req-txhash.patch
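Review bot: The TODO added above `WRITE_ONCE(req->ts_recent, tmp_opt.rcv_tsval)` in tcp_check_req() does not say what can go wrong while the store stays where it is, which the commit message only hints at ("changes req->ts_recent a bit early"). READ_ONCE()/WRITE_ONCE() keep each access from being torn or refetched, but the load at `tmp_opt.ts_recent = READ_ONCE(req->ts_recent)` and this store are still unordered between CPUs, so two packets for the same request can each act on a value the other is replacing; whether that matters for the PAWS decision is not visible from these hunks. A more useful comment would be `/* TODO: this store runs before we own @req, so a concurrent tcp_check_req() may read either value; defer it until ownership is taken. */`. Both tcp_check_req() hunks begin and end inside the function.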
@@ -0,0 +1,170 @@
+From 88776fdbebf0e1811026f988f6a954812ae75b6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Jul 2023 14:44:44 +0000
+Subject: tcp: annotate data-races around tcp_rsk(req)->txhash
+
+From: Eric Dumazet
+
+[ Upstream commit 5e5265522a9a7f91d1b0bd411d634bdaf16c80cd ]
+
+TCP request sockets are lockless, some of their fields
+can change while being read by another cpu as syzbot noticed.
+
+This is usually harmless, but we should annotate the known
+races.
+
+This patch takes care of tcp_rsk(req)->txhash,
+a separate one is needed for tcp_rsk(req)->ts_recent.
+
+BUG: KCSAN: data-race in tcp_make_synack / tcp_rtx_synack
+
+write to 0xffff8881362304bc of 4 bytes by task 32083 on cpu 1:
+tcp_rtx_synack+0x9d/0x2a0 net/ipv4/tcp_output.c:4213
+inet_rtx_syn_ack+0x38/0x80 net/ipv4/inet_connection_sock.c:880
+tcp_check_req+0x379/0xc70 net/ipv4/tcp_minisocks.c:665
+tcp_v6_rcv+0x125b/0x1b20 net/ipv6/tcp_ipv6.c:1673
+ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437
+ip6_input_finish net/ipv6/ip6_input.c:482 [inline]
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491
+dst_input include/net/dst.h:468 [inline]
+ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309
+__netif_receive_skb_one_core net/core/dev.c:5452 [inline]
+__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566
+netif_receive_skb_internal net/core/dev.c:5652 [inline]
+netif_receive_skb+0x4a/0x310 net/core/dev.c:5711
+tun_rx_batched+0x3bf/0x400
+tun_get_user+0x1d24/0x22b0 drivers/net/tun.c:1997
+tun_chr_write_iter+0x18e/0x240 drivers/net/tun.c:2043
+call_write_iter include/linux/fs.h:1871 [inline]
+new_sync_write fs/read_write.c:491 [inline]
+vfs_write+0x4ab/0x7d0 fs/read_write.c:584
+ksys_write+0xeb/0x1a0 fs/read_write.c:637
+__do_sys_write fs/read_write.c:649 [inline]
+__se_sys_write fs/read_write.c:646 [inline]
+__x64_sys_write+0x42/0x50 fs/read_write.c:646
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+read to 0xffff8881362304bc of 4 bytes by task 32078 on cpu 0:
+tcp_make_synack+0x367/0xb40 net/ipv4/tcp_output.c:3663
+tcp_v6_send_synack+0x72/0x420 net/ipv6/tcp_ipv6.c:544
+tcp_conn_request+0x11a8/0x1560 net/ipv4/tcp_input.c:7059
+tcp_v6_conn_request+0x13f/0x180 net/ipv6/tcp_ipv6.c:1175
+tcp_rcv_state_process+0x156/0x1de0 net/ipv4/tcp_input.c:6494
+tcp_v6_do_rcv+0x98a/0xb70 net/ipv6/tcp_ipv6.c:1509
+tcp_v6_rcv+0x17b8/0x1b20 net/ipv6/tcp_ipv6.c:1735
+ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437
+ip6_input_finish net/ipv6/ip6_input.c:482 [inline]
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491
+dst_input include/net/dst.h:468 [inline]
+ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309
+__netif_receive_skb_one_core net/core/dev.c:5452 [inline]
+__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566
+netif_receive_skb_internal net/core/dev.c:5652 [inline]
+netif_receive_skb+0x4a/0x310 net/core/dev.c:5711
+tun_rx_batched+0x3bf/0x400
+tun_get_user+0x1d24/0x22b0 drivers/net/tun.c:1997
+tun_chr_write_iter+0x18e/0x240 drivers/net/tun.c:2043
+call_write_iter include/linux/fs.h:1871 [inline]
+new_sync_write fs/read_write.c:491 [inline]
+vfs_write+0x4ab/0x7d0 fs/read_write.c:584
+ksys_write+0xeb/0x1a0 fs/read_write.c:637
+__do_sys_write fs/read_write.c:649 [inline]
+__se_sys_write fs/read_write.c:646 [inline]
+__x64_sys_write+0x42/0x50 fs/read_write.c:646
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x91d25731 -> 0xe79325cd
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 32078 Comm: syz-executor.4 Not tainted 6.5.0-rc1-syzkaller-00033-geb26cbb1a754 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
+
+Fixes: 58d607d3e52f ("tcp: provide skb->hash to synack packets")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Reviewed-by: Kuniyuki Iwashima
+Link: https://lore.kernel.org/r/20230717144445.653164-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp_ipv4.c | 3 ++-
+ net/ipv4/tcp_minisocks.c | 2 +-
+ net/ipv4/tcp_output.c | 4 ++--
+ net/ipv6/tcp_ipv6.c | 2 +-
+ 4 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index a64069077e388..52229c75e76f6 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -992,7 +992,8 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
+ 0,
+ tcp_md5_do_lookup(sk, l3index, addr, AF_INET),
+ inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0,
+- ip_hdr(skb)->tos, tcp_rsk(req)->txhash);
++ ip_hdr(skb)->tos,
++ READ_ONCE(tcp_rsk(req)->txhash));
+ }
+
+ /*
+diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
+index dac0d62120e62..909f3b4ed2059 100644
+--- a/net/ipv4/tcp_minisocks.c
++++ b/net/ipv4/tcp_minisocks.c
+@@ -528,7 +528,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk,
+ newicsk->icsk_ack.lrcvtime = tcp_jiffies32;
+
+ newtp->lsndtime = tcp_jiffies32;
+- newsk->sk_txhash = treq->txhash;
++ newsk->sk_txhash = READ_ONCE(treq->txhash);
+ newtp->total_retrans = req->num_retrans;
+
+ tcp_init_xmit_timers(newsk);
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index cfe128b81a010..1538b59913777 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3578,7 +3578,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst,
+ rcu_read_lock();
+ md5 = tcp_rsk(req)->af_specific->req_md5_lookup(sk, req_to_sk(req));
+ #endif
+- skb_set_hash(skb, tcp_rsk(req)->txhash, PKT_HASH_TYPE_L4);
++ skb_set_hash(skb, READ_ONCE(tcp_rsk(req)->txhash), PKT_HASH_TYPE_L4);
+ /* bpf program will be interested in the tcp_flags */
+ TCP_SKB_CB(skb)->tcp_flags = TCPHDR_SYN | TCPHDR_ACK;
+ tcp_header_size = tcp_synack_options(sk, req, mss, skb, &opts, md5,
+@@ -4121,7 +4121,7 @@ int tcp_rtx_synack(const struct sock *sk, struct request_sock *req)
+
+ /* Paired with WRITE_ONCE() in sock_setsockopt() */
+ if (READ_ONCE(sk->sk_txrehash) == SOCK_TXREHASH_ENABLED)
+- tcp_rsk(req)->txhash = net_tx_rndhash();
++ WRITE_ONCE(tcp_rsk(req)->txhash, net_tx_rndhash());
+ res = af_ops->send_synack(sk, NULL, &fl, req, NULL, TCP_SYNACK_NORMAL,
+ NULL);
+ if (!res) {
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 7132eb213a7a2..a3c86b714b242 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1133,7 +1133,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
+ req->ts_recent, sk->sk_bound_dev_if,
+ tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index),
+ ipv6_get_dsfield(ipv6_hdr(skb)), 0, sk->sk_priority,
+- tcp_rsk(req)->txhash);
++ READ_ONCE(tcp_rsk(req)->txhash));
+ }
+
+
+--
+2.39.2
+
diff --git a/tmp-6.4/tcp-annotate-data-races-around-tp-keepalive_intvl.patch b/tmp-6.4/tcp-annotate-data-races-around-tp-keepalive_intvl.patch
new file mode 100644
index 00000000000..e11dfeec5ce
--- /dev/null
+++ b/tmp-6.4/tcp-annotate-data-races-around-tp-keepalive_intvl.patch
@@ -0,0 +1,68 @@
+From eb1f807c757603fcae643c60d5656a557d7fcf23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:50 +0000
+Subject: tcp: annotate data-races around tp->keepalive_intvl
+
+From: Eric Dumazet
+
+[ Upstream commit 5ecf9d4f52ff2f1d4d44c9b68bc75688e82f13b4 ]
+
+do_tcp_getsockopt() reads tp->keepalive_intvl while another cpu
+might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-5-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/tcp.h | 9 +++++++--
+ net/ipv4/tcp.c | 4 ++--
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 9a12e8c09ea04..45d50a40795da 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1514,9 +1514,14 @@ void tcp_leave_memory_pressure(struct sock *sk);
+ static inline int keepalive_intvl_when(const struct tcp_sock *tp)
+ {
+ struct net *net = sock_net((struct sock *)tp);
++ int val;
++
++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepintvl()
++ * and do_tcp_setsockopt().
++ */
++ val = READ_ONCE(tp->keepalive_intvl);
+
+- return tp->keepalive_intvl ? :
+- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl);
++ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_intvl);
+ }
+
+ static inline int keepalive_time_when(const struct tcp_sock *tp)
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index c3b743093d482..514817119bd4d 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3454,7 +3454,7 @@ int tcp_sock_set_keepintvl(struct sock *sk, int val)
+ return -EINVAL;
+
+ lock_sock(sk);
+- tcp_sk(sk)->keepalive_intvl = val * HZ;
++ WRITE_ONCE(tcp_sk(sk)->keepalive_intvl, val * HZ);
+ release_sock(sk);
+ return 0;
+ }
+@@ -3668,7 +3668,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+ if (val < 1 || val > MAX_TCP_KEEPINTVL)
+ err = -EINVAL;
+ else
+- tp->keepalive_intvl = val * HZ;
++ WRITE_ONCE(tp->keepalive_intvl, val * HZ);
+ break;
+ case TCP_KEEPCNT:
+ if (val < 1 || val > MAX_TCP_KEEPCNT)
+--
+2.39.2
+
diff --git a/tmp-6.4/tcp-annotate-data-races-around-tp-keepalive_probes.patch b/tmp-6.4/tcp-annotate-data-races-around-tp-keepalive_probes.patch
new file mode 100644
index 00000000000..020838dea02
--- /dev/null
+++ b/tmp-6.4/tcp-annotate-data-races-around-tp-keepalive_probes.patch
@@ -0,0 +1,69 @@
+From 3c544d75eaf9ba69dfea97b2f66579cb211ea2c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 19 Jul 2023 21:28:51 +0000
+Subject: tcp: annotate data-races around tp->keepalive_probes
+
+From: Eric Dumazet
+
+[ Upstream commit 6e5e1de616bf5f3df1769abc9292191dfad9110a ]
+
+do_tcp_getsockopt() reads tp->keepalive_probes while another cpu
+might change its value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Link: https://lore.kernel.org/r/20230719212857.3943972-6-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/tcp.h | 9 +++++++--
+ net/ipv4/tcp.c | 5 +++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 45d50a40795da..f5c20afab6286 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1538,9 +1538,14 @@ static inline int keepalive_time_when(const struct tcp_sock *tp)
+ static inline int keepalive_probes(const struct tcp_sock *tp)
+ {
+ struct net *net = sock_net((struct sock *)tp);
++ int val;
++
++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepcnt()
++ * and do_tcp_setsockopt().
++ */
++ val = READ_ONCE(tp->keepalive_probes);
+
+- return tp->keepalive_probes ? :
+- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes);
++ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_probes);
+ }
+
+ static inline u32 keepalive_time_elapsed(const struct tcp_sock *tp)
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 514817119bd4d..cc7966cfad1a3 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3466,7 +3466,8 @@ int tcp_sock_set_keepcnt(struct sock *sk, int val)
+ return -EINVAL;
+
+ lock_sock(sk);
+- tcp_sk(sk)->keepalive_probes = val;
++ /* Paired with READ_ONCE() in keepalive_probes() */
++ WRITE_ONCE(tcp_sk(sk)->keepalive_probes, val);
+ release_sock(sk);
+ return 0;
+ }
+@@ -3674,7 +3675,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname,
+ if (val < 1 || val > MAX_TCP_KEEPCNT)
+ err = -EINVAL;
+ else
+- tp->keepalive_probes = val;
++ WRITE_ONCE(tp->keepalive_probes, val);
+ break;
+ case TCP_SYNCNT:
+ if (val < 1 || val > MAX_TCP_SYNCNT)
+--
+2.39.2
+
diff --git a/tmp-6.4/tcp-annotate-data-races-around-tp-keepalive_time.patch b/tmp-6.4/tcp-annotate-data-races-around-tp-keepalive_time.patch
new file mode 100644
index 00000000000..bb6ff6bcbd7
--- /dev/null
+++ b/tmp-6.4/tcp-annotate-data-races-around-tp-keepalive_time.patch
@@ -0,0 +1,58 @@ +From 2eef7f4c025ee2aa146f34a5772cc1b7a238dbca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:49 +0000 +Subject: tcp: annotate data-races around tp->keepalive_time + +From: Eric Dumazet + +[ Upstream commit 4164245c76ff906c9086758e1c3f87082a7f5ef5 ] + +do_tcp_getsockopt() reads tp->keepalive_time while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-4-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 7 +++++-- + net/ipv4/tcp.c | 3 ++- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 5066e4586cf09..9a12e8c09ea04 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1522,9 +1522,12 @@ static inline int keepalive_intvl_when(const struct tcp_sock *tp) + static inline int keepalive_time_when(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); ++ int val; + +- return tp->keepalive_time ? : +- READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time); ++ /* Paired with WRITE_ONCE() in tcp_sock_set_keepidle_locked() */ ++ val = READ_ONCE(tp->keepalive_time); ++ ++ return val ? : READ_ONCE(net->ipv4.sysctl_tcp_keepalive_time); + } + + static inline int keepalive_probes(const struct tcp_sock *tp) +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 15b1191411ec3..c3b743093d482 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3421,7 +3421,8 @@ int tcp_sock_set_keepidle_locked(struct sock *sk, int val) + if (val < 1 || val > MAX_TCP_KEEPIDLE) + return -EINVAL; + +- tp->keepalive_time = val * HZ; ++ /* Paired with WRITE_ONCE() in keepalive_time_when() */ ++ WRITE_ONCE(tp->keepalive_time, val * HZ); + if (sock_flag(sk, SOCK_KEEPOPEN) && + !((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) { + u32 elapsed = keepalive_time_elapsed(tp); +-- +2.39.2 + 
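Review bot: The comment added in tcp_sock_set_keepidle_locked() names the wrong primitive: the reader in keepalive_time_when() uses READ_ONCE(), so the line above the store should read `/* Paired with READ_ONCE() in keepalive_time_when() */`. The comment added on the reader side already says WRITE_ONCE() correctly, so only the writer side needs the change. Pairing comments are what the next person auditing this lockless access will follow, so a wrong one is worse than none.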
diff --git a/tmp-6.4/tcp-annotate-data-races-around-tp-linger2.patch b/tmp-6.4/tcp-annotate-data-races-around-tp-linger2.patch new file mode 100644 index 00000000000..17e38352929 --- /dev/null +++ b/tmp-6.4/tcp-annotate-data-races-around-tp-linger2.patch @@ -0,0 +1,52 @@ +From c991ef8d2f78d59e37d46bc34f83543e35380e48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:53 +0000 +Subject: tcp: annotate data-races around tp->linger2 + +From: Eric Dumazet + +[ Upstream commit 9df5335ca974e688389c875546e5819778a80d59 ] + +do_tcp_getsockopt() reads tp->linger2 while another cpu +might change its value. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-8-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 488cf4ae75fab..0ebe775bde688 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3694,11 +3694,11 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + + case TCP_LINGER2: + if (val < 0) +- tp->linger2 = -1; ++ WRITE_ONCE(tp->linger2, -1); + else if (val > TCP_FIN_TIMEOUT_MAX / HZ) +- tp->linger2 = TCP_FIN_TIMEOUT_MAX; ++ WRITE_ONCE(tp->linger2, TCP_FIN_TIMEOUT_MAX); + else +- tp->linger2 = val * HZ; ++ WRITE_ONCE(tp->linger2, val * HZ); + break; + + case TCP_DEFER_ACCEPT: +@@ -4106,7 +4106,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + READ_ONCE(net->ipv4.sysctl_tcp_syn_retries); + break; + case TCP_LINGER2: +- val = tp->linger2; ++ val = READ_ONCE(tp->linger2); + if (val >= 0) + val = (val ? : READ_ONCE(net->ipv4.sysctl_tcp_fin_timeout)) / HZ; + break; +-- +2.39.2 + diff --git a/tmp-6.4/tcp-annotate-data-races-around-tp-notsent_lowat.patch b/tmp-6.4/tcp-annotate-data-races-around-tp-notsent_lowat.patch new file mode 100644 index 00000000000..ed048ebf4ba --- /dev/null 
+++ b/tmp-6.4/tcp-annotate-data-races-around-tp-notsent_lowat.patch 
@@ -0,0 +1,64 @@ +From 4bc5036687890dfe01504c01b2f18fd6df09d832 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:55 +0000 +Subject: tcp: annotate data-races around tp->notsent_lowat + +From: Eric Dumazet + +[ Upstream commit 1aeb87bc1440c5447a7fa2d6e3c2cca52cbd206b ] + +tp->notsent_lowat can be read locklessly from do_tcp_getsockopt() +and tcp_poll(). + +Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-10-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tcp.h | 6 +++++- + net/ipv4/tcp.c | 4 ++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/include/net/tcp.h b/include/net/tcp.h +index f5c20afab6286..182337a8cf94a 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -2066,7 +2066,11 @@ void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr); + static inline u32 tcp_notsent_lowat(const struct tcp_sock *tp) + { + struct net *net = sock_net((struct sock *)tp); +- return tp->notsent_lowat ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); ++ u32 val; ++ ++ val = READ_ONCE(tp->notsent_lowat); ++ ++ return val ?: READ_ONCE(net->ipv4.sysctl_tcp_notsent_lowat); + } + + bool tcp_stream_memory_free(const struct sock *sk, int wake); +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index c95d8b43390b6..4556ba6e7d74d 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3773,7 +3773,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + err = tcp_repair_set_window(tp, optval, optlen); + break; + case TCP_NOTSENT_LOWAT: +- tp->notsent_lowat = val; ++ WRITE_ONCE(tp->notsent_lowat, val); + sk->sk_write_space(sk); + break; + case TCP_INQ: +@@ -4273,7 +4273,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + val = tcp_time_stamp_raw() + READ_ONCE(tp->tsoffset); + break; + case TCP_NOTSENT_LOWAT: +- val = tp->notsent_lowat; ++ val = 
READ_ONCE(tp->notsent_lowat); + break; + case TCP_INQ: + val = tp->recvmsg_inq; +-- +2.39.2 + diff --git a/tmp-6.4/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch b/tmp-6.4/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch new file mode 100644 index 00000000000..fa3423207b2 --- /dev/null +++ b/tmp-6.4/tcp-annotate-data-races-around-tp-tcp_tx_delay.patch @@ -0,0 +1,46 @@ +From 6da2c91d66ac6794f97598f35fdc0561132cce52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:47 +0000 +Subject: tcp: annotate data-races around tp->tcp_tx_delay + +From: Eric Dumazet + +[ Upstream commit 348b81b68b13ebd489a3e6a46aa1c384c731c919 ] + +do_tcp_getsockopt() reads tp->tcp_tx_delay while another cpu +might change its value. + +Fixes: a842fe1425cb ("tcp: add optional per socket transmit delay") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 8d20d9221238c..c0e0add372f75 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3783,7 +3783,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + case TCP_TX_DELAY: + if (val) + tcp_enable_tx_delay(); +- tp->tcp_tx_delay = val; ++ WRITE_ONCE(tp->tcp_tx_delay, val); + break; + default: + err = -ENOPROTOOPT; +@@ -4263,7 +4263,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + break; + + case TCP_TX_DELAY: +- val = tp->tcp_tx_delay; ++ val = READ_ONCE(tp->tcp_tx_delay); + break; + + case TCP_TIMESTAMP: +-- +2.39.2 + diff --git a/tmp-6.4/tcp-annotate-data-races-around-tp-tsoffset.patch b/tmp-6.4/tcp-annotate-data-races-around-tp-tsoffset.patch new file mode 100644 index 00000000000..3b97d04b026 --- /dev/null +++ b/tmp-6.4/tcp-annotate-data-races-around-tp-tsoffset.patch 
@@ -0,0 +1,63 @@ +From 5388118e5be93f20f250500b27911813da339615 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Jul 2023 21:28:48 +0000 +Subject: tcp: annotate data-races around tp->tsoffset + +From: Eric Dumazet + +[ Upstream commit dd23c9f1e8d5c1d2e3d29393412385ccb9c7a948 ] + +do_tcp_getsockopt() reads tp->tsoffset while another cpu +might change its value. + +Fixes: 93be6ce0e91b ("tcp: set and get per-socket timestamp") +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230719212857.3943972-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 4 ++-- + net/ipv4/tcp_ipv4.c | 5 +++-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index c0e0add372f75..15b1191411ec3 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3765,7 +3765,7 @@ int do_tcp_setsockopt(struct sock *sk, int level, int optname, + if (!tp->repair) + err = -EPERM; + else +- tp->tsoffset = val - tcp_time_stamp_raw(); ++ WRITE_ONCE(tp->tsoffset, val - tcp_time_stamp_raw()); + break; + case TCP_REPAIR_WINDOW: + err = tcp_repair_set_window(tp, optval, optlen); +@@ -4267,7 +4267,7 @@ int do_tcp_getsockopt(struct sock *sk, int level, + break; + + case TCP_TIMESTAMP: +- val = tcp_time_stamp_raw() + tp->tsoffset; ++ val = tcp_time_stamp_raw() + READ_ONCE(tp->tsoffset); + break; + case TCP_NOTSENT_LOWAT: + val = tp->notsent_lowat; +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index 5d3e49ceb6917..f37d13ee7b4cc 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -307,8 +307,9 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) + inet->inet_daddr, + inet->inet_sport, + usin->sin_port)); +- tp->tsoffset = secure_tcp_ts_off(net, inet->inet_saddr, +- inet->inet_daddr); ++ WRITE_ONCE(tp->tsoffset, ++ secure_tcp_ts_off(net, inet->inet_saddr, ++ inet->inet_daddr)); + } + + inet->inet_id = get_random_u16(); +-- +2.39.2 + 
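Review bot: The store annotated in tcp_v4_connect() covers only the IPv4 connect path; the diffstat lists tcp.c and tcp_ipv4.c and nothing under net/ipv6. If the IPv6 connect path also assigns tp->tsoffset with a plain store, the lockless read in the TCP_TIMESTAMP case of do_tcp_getsockopt() still races with it, and it would need the same `WRITE_ONCE(tp->tsoffset, ...)` form. This cannot be confirmed from the hunks shown, so it is a check to make, not a confirmed defect.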
diff --git a/tmp-6.4/tools-nolibc-ensure-stack-protector-guard-is-never-z.patch b/tmp-6.4/tools-nolibc-ensure-stack-protector-guard-is-never-z.patch new file mode 100644 index 00000000000..1fee388a390 --- /dev/null +++ b/tmp-6.4/tools-nolibc-ensure-stack-protector-guard-is-never-z.patch @@ -0,0 +1,45 @@ +From f43714dfffa897d008f9e65fde3c5aa5e8c9d357 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 May 2023 11:36:31 +0200 +Subject: tools/nolibc: ensure stack protector guard is never zero +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 88fc7eb54ecc6db8b773341ce39ad201066fa7da ] + +The all-zero pattern is one of the more probable out-of-bound writes so +add a special case to not accidentally accept it. + +Also it enables the reliable detection of stack protector initialization +during testing. + +Signed-off-by: Thomas Weißschuh +Signed-off-by: Willy Tarreau +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + tools/include/nolibc/stackprotector.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/include/nolibc/stackprotector.h b/tools/include/nolibc/stackprotector.h +index d119cbbbc256f..9890e86c26172 100644 +--- a/tools/include/nolibc/stackprotector.h ++++ b/tools/include/nolibc/stackprotector.h +@@ -45,8 +45,9 @@ __attribute__((weak,no_stack_protector,section(".text.nolibc_stack_chk"))) + void __stack_chk_init(void) + { + my_syscall3(__NR_getrandom, &__stack_chk_guard, sizeof(__stack_chk_guard), 0); +- /* a bit more randomness in case getrandom() fails */ +- __stack_chk_guard ^= (uintptr_t) &__stack_chk_guard; ++ /* a bit more randomness in case getrandom() fails, ensure the guard is never 0 */ ++ if (__stack_chk_guard != (uintptr_t) &__stack_chk_guard) ++ __stack_chk_guard ^= (uintptr_t) &__stack_chk_guard; + } + #endif // defined(NOLIBC_STACKPROTECTOR) + +-- +2.39.2 + 
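Review bot: The result of the getrandom syscall in __stack_chk_init() is still discarded, so if the call fails the guard is derived only from the address of __stack_chk_guard (presumably XORed into an initial zero, though the variable's definition is outside the hunk). The new test keeps the guard from becoming zero, but a canary equal to a static address gives little protection where that address is predictable. At minimum the comment should say so, e.g. `/* if getrandom() failed, the guard is only as unpredictable as its own address */`. Comparing the syscall's return value with `sizeof(__stack_chk_guard)` would make the fallback explicit.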
diff --git a/tmp-6.4/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch b/tmp-6.4/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch new file mode 100644 index 00000000000..7db4ebfafcd --- /dev/null +++ b/tmp-6.4/tracing-histograms-return-an-error-if-we-fail-to-add-histogram-to-hist_vars-list.patch @@ -0,0 +1,38 @@ +From 4b8b3905165ef98386a3c06f196c85d21292d029 Mon Sep 17 00:00:00 2001 +From: Mohamed Khalfella +Date: Fri, 14 Jul 2023 20:33:41 +0000 +Subject: tracing/histograms: Return an error if we fail to add histogram to hist_vars list + +From: Mohamed Khalfella + +commit 4b8b3905165ef98386a3c06f196c85d21292d029 upstream. + +Commit 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if +they have referenced variables") added a check to fail histogram creation +if save_hist_vars() failed to add histogram to hist_vars list. But the +commit failed to set ret to failed return code before jumping to +unregister histogram, fix it. + +Link: https://lore.kernel.org/linux-trace-kernel/20230714203341.51396-1-mkhalfella@purestorage.com + +Cc: stable@vger.kernel.org +Fixes: 6018b585e8c6 ("tracing/histograms: Add histograms to hist_vars if they have referenced variables") +Signed-off-by: Mohamed Khalfella +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_hist.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace_events_hist.c ++++ b/kernel/trace/trace_events_hist.c +@@ -6668,7 +6668,8 @@ static int event_hist_trigger_parse(stru + goto out_unreg; + + if (has_hist_vars(hist_data) || hist_data->n_var_refs) { +- if (save_hist_vars(hist_data)) ++ ret = save_hist_vars(hist_data); ++ if (ret) + goto out_unreg; + } + 
diff --git a/tmp-6.4/udf-fix-uninitialized-array-access-for-some-pathname.patch b/tmp-6.4/udf-fix-uninitialized-array-access-for-some-pathname.patch new file mode 100644 index 00000000000..f441b8a81d2 --- /dev/null +++ b/tmp-6.4/udf-fix-uninitialized-array-access-for-some-pathname.patch @@ -0,0 +1,41 @@ +From 5afab5540afc4763031f025a6abfd3be2b509cbf Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 21 Jun 2023 11:32:35 +0200 +Subject: [PATCH AUTOSEL 5.4 07/12] udf: Fix uninitialized array access for + some pathnames +X-stable: review +X-Patchwork-Hint: Ignore +X-stable-base: Linux 5.4.249 + +[ Upstream commit 028f6055c912588e6f72722d89c30b401bbcf013 ] + +For filenames that begin with . and are between 2 and 5 characters long, +UDF charset conversion code would read uninitialized memory in the +output buffer. The only practical impact is that the name may be prepended a +"unification hash" when it is not actually needed but still it is good +to fix this. + +Reported-by: syzbot+cd311b1e43cc25f90d18@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/000000000000e2638a05fe9dc8f9@google.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/unicode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c +index 622569007b530..2142cbd1dde24 100644 +--- a/fs/udf/unicode.c ++++ b/fs/udf/unicode.c +@@ -247,7 +247,7 @@ static int udf_name_from_CS0(struct super_block *sb, + } + + if (translate) { +- if (str_o_len <= 2 && str_o[0] == '.' && ++ if (str_o_len > 0 && str_o_len <= 2 && str_o[0] == '.' && + (str_o_len == 1 || str_o[1] == '.')) + needsCRC = 1; + if (needsCRC) { +-- +2.39.2 + diff --git a/tmp-6.4/vrf-fix-lockdep-splat-in-output-path.patch b/tmp-6.4/vrf-fix-lockdep-splat-in-output-path.patch new file mode 100644 index 00000000000..17befa9989a --- /dev/null +++ b/tmp-6.4/vrf-fix-lockdep-splat-in-output-path.patch 
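Review bot: The new `str_o_len > 0` test in udf_name_from_CS0() has no comment, and the commit text (names starting with '.' that are 2 to 5 characters long) does not obviously describe it. From the hunk, the condition guards the read of `str_o[0]` when nothing has been written to the output buffer. A line such as `/* empty output: str_o[0] is not initialized, do not inspect it */` above the `if` would make that clear. The conversion loop that fills str_o is outside the hunk, so the input that yields a zero length should be confirmed there.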
@@ -0,0 +1,156 @@ +From 758179b3adfd2b1b23f1aeb82d8d9fbcdd680dea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Jul 2023 18:36:05 +0300 +Subject: vrf: Fix lockdep splat in output path + +From: Ido Schimmel + +[ Upstream commit 2033ab90380d46e0e9f0520fd6776a73d107fd95 ] + +Cited commit converted the neighbour code to use the standard RCU +variant instead of the RCU-bh variant, but the VRF code still uses +rcu_read_lock_bh() / rcu_read_unlock_bh() around the neighbour lookup +code in its IPv4 and IPv6 output paths, resulting in lockdep splats +[1][2]. Can be reproduced using [3]. + +Fix by switching to rcu_read_lock() / rcu_read_unlock(). + +[1] +============================= +WARNING: suspicious RCU usage +6.5.0-rc1-custom-g9c099e6dbf98 #403 Not tainted +----------------------------- +include/net/neighbour.h:302 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +2 locks held by ping/183: + #0: ffff888105ea1d80 (sk_lock-AF_INET){+.+.}-{0:0}, at: raw_sendmsg+0xc6c/0x33c0 + #1: ffffffff85b46820 (rcu_read_lock_bh){....}-{1:2}, at: vrf_output+0x2e3/0x2030 + +stack backtrace: +CPU: 0 PID: 183 Comm: ping Not tainted 6.5.0-rc1-custom-g9c099e6dbf98 #403 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014 +Call Trace: + + dump_stack_lvl+0xc1/0xf0 + lockdep_rcu_suspicious+0x211/0x3b0 + vrf_output+0x1380/0x2030 + ip_push_pending_frames+0x125/0x2a0 + raw_sendmsg+0x200d/0x33c0 + inet_sendmsg+0xa2/0xe0 + __sys_sendto+0x2aa/0x420 + __x64_sys_sendto+0xe5/0x1c0 + do_syscall_64+0x38/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +[2] +============================= +WARNING: suspicious RCU usage +6.5.0-rc1-custom-g9c099e6dbf98 #403 Not tainted +----------------------------- +include/net/neighbour.h:302 suspicious rcu_dereference_check() usage! 
+ +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +2 locks held by ping6/182: + #0: ffff888114b63000 (sk_lock-AF_INET6){+.+.}-{0:0}, at: rawv6_sendmsg+0x1602/0x3e50 + #1: ffffffff85b46820 (rcu_read_lock_bh){....}-{1:2}, at: vrf_output6+0xe9/0x1310 + +stack backtrace: +CPU: 0 PID: 182 Comm: ping6 Not tainted 6.5.0-rc1-custom-g9c099e6dbf98 #403 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc37 04/01/2014 +Call Trace: + + dump_stack_lvl+0xc1/0xf0 + lockdep_rcu_suspicious+0x211/0x3b0 + vrf_output6+0xd32/0x1310 + ip6_local_out+0xb4/0x1a0 + ip6_send_skb+0xbc/0x340 + ip6_push_pending_frames+0xe5/0x110 + rawv6_sendmsg+0x2e6e/0x3e50 + inet_sendmsg+0xa2/0xe0 + __sys_sendto+0x2aa/0x420 + __x64_sys_sendto+0xe5/0x1c0 + do_syscall_64+0x38/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +[3] +#!/bin/bash + +ip link add name vrf-red up numtxqueues 2 type vrf table 10 +ip link add name swp1 up master vrf-red type dummy +ip address add 192.0.2.1/24 dev swp1 +ip address add 2001:db8:1::1/64 dev swp1 +ip neigh add 192.0.2.2 lladdr 00:11:22:33:44:55 nud perm dev swp1 +ip neigh add 2001:db8:1::2 lladdr 00:11:22:33:44:55 nud perm dev swp1 +ip vrf exec vrf-red ping 192.0.2.2 -c 1 &> /dev/null +ip vrf exec vrf-red ping6 2001:db8:1::2 -c 1 &> /dev/null + +Fixes: 09eed1192cec ("neighbour: switch to standard rcu, instead of rcu_bh") +Reported-by: Naresh Kamboju +Link: https://lore.kernel.org/netdev/CA+G9fYtEr-=GbcXNDYo3XOkwR+uYgehVoDjsP0pFLUpZ_AZcyg@mail.gmail.com/ +Signed-off-by: Ido Schimmel +Reviewed-by: David Ahern +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230715153605.4068066-1-idosch@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vrf.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c +index bdb3a76a352e4..6043e63b42f97 100644 +--- a/drivers/net/vrf.c ++++ b/drivers/net/vrf.c +@@ -664,7 
+664,7 @@ static int vrf_finish_output6(struct net *net, struct sock *sk, + skb->protocol = htons(ETH_P_IPV6); + skb->dev = dev; + +- rcu_read_lock_bh(); ++ rcu_read_lock(); + nexthop = rt6_nexthop((struct rt6_info *)dst, &ipv6_hdr(skb)->daddr); + neigh = __ipv6_neigh_lookup_noref(dst->dev, nexthop); + if (unlikely(!neigh)) +@@ -672,10 +672,10 @@ static int vrf_finish_output6(struct net *net, struct sock *sk, + if (!IS_ERR(neigh)) { + sock_confirm_neigh(skb, neigh); + ret = neigh_output(neigh, skb, false); +- rcu_read_unlock_bh(); ++ rcu_read_unlock(); + return ret; + } +- rcu_read_unlock_bh(); ++ rcu_read_unlock(); + + IP6_INC_STATS(dev_net(dst->dev), + ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); +@@ -889,7 +889,7 @@ static int vrf_finish_output(struct net *net, struct sock *sk, struct sk_buff *s + } + } + +- rcu_read_lock_bh(); ++ rcu_read_lock(); + + neigh = ip_neigh_for_gw(rt, skb, &is_v6gw); + if (!IS_ERR(neigh)) { +@@ -898,11 +898,11 @@ static int vrf_finish_output(struct net *net, struct sock *sk, struct sk_buff *s + sock_confirm_neigh(skb, neigh); + /* if crossing protocols, can not use the cached header */ + ret = neigh_output(neigh, skb, is_v6gw); +- rcu_read_unlock_bh(); ++ rcu_read_unlock(); + return ret; + } + +- rcu_read_unlock_bh(); ++ rcu_read_unlock(); + vrf_tx_error(skb->dev, skb); + return -EINVAL; + } +-- +2.39.2 + diff --git a/tmp-6.4/wifi-ath11k-add-support-default-regdb-while-searchin.patch b/tmp-6.4/wifi-ath11k-add-support-default-regdb-while-searchin.patch new file mode 100644 index 00000000000..f161a7312f6 --- /dev/null +++ b/tmp-6.4/wifi-ath11k-add-support-default-regdb-while-searchin.patch 
@@ -0,0 +1,137 @@ +From 840cfcbe99d98723176ed5ffc3c5bc25c8fa6eae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 May 2023 12:41:06 +0300 +Subject: wifi: ath11k: add support default regdb while searching board-2.bin + for WCN6855 + +From: Wen Gong + +[ Upstream commit 88ca89202f8e8afb5225eb5244d79cd67c15d744 ] + +Sometimes board-2.bin does not have the regdb data which matched the +parameters such as vendor, device, subsystem-vendor, subsystem-device +and etc. Add default regdb data with 'bus=%s' into board-2.bin for +WCN6855, then ath11k use 'bus=pci' to search regdb data in board-2.bin +for WCN6855. + +kernel: [ 122.515808] ath11k_pci 0000:03:00.0: boot using board name 'bus=pci,vendor=17cb,device=1103,subsystem-vendor=17cb,subsystem-device=3374,qmi-chip-id=2,qmi-board-id=262' +kernel: [ 122.517240] ath11k_pci 0000:03:00.0: boot firmware request ath11k/WCN6855/hw2.0/board-2.bin size 6179564 +kernel: [ 122.517280] ath11k_pci 0000:03:00.0: failed to fetch regdb data for bus=pci,vendor=17cb,device=1103,subsystem-vendor=17cb,subsystem-device=3374,qmi-chip-id=2,qmi-board-id=262 from ath11k/WCN6855/hw2.0/board-2.bin +kernel: [ 122.517464] ath11k_pci 0000:03:00.0: boot using board name 'bus=pci' +kernel: [ 122.518901] ath11k_pci 0000:03:00.0: boot firmware request ath11k/WCN6855/hw2.0/board-2.bin size 6179564 +kernel: [ 122.518915] ath11k_pci 0000:03:00.0: board name +kernel: [ 122.518917] ath11k_pci 0000:03:00.0: 00000000: 62 75 73 3d 70 63 69 bus=pci +kernel: [ 122.518918] ath11k_pci 0000:03:00.0: boot found match regdb data for name 'bus=pci' +kernel: [ 122.518920] ath11k_pci 0000:03:00.0: boot found regdb data for 'bus=pci' +kernel: [ 122.518921] ath11k_pci 0000:03:00.0: fetched regdb + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 + +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230517133959.8224-1-quic_wgong@quicinc.com +Signed-off-by: Sasha Levin +--- + 
drivers/net/wireless/ath/ath11k/core.c | 53 +++++++++++++++++++------- + 1 file changed, 40 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c +index 9de23c11e18bb..8ab1a62351b98 100644 +--- a/drivers/net/wireless/ath/ath11k/core.c ++++ b/drivers/net/wireless/ath/ath11k/core.c +@@ -962,7 +962,8 @@ int ath11k_core_check_dt(struct ath11k_base *ab) + } + + static int __ath11k_core_create_board_name(struct ath11k_base *ab, char *name, +- size_t name_len, bool with_variant) ++ size_t name_len, bool with_variant, ++ bool bus_type_mode) + { + /* strlen(',variant=') + strlen(ab->qmi.target.bdf_ext) */ + char variant[9 + ATH11K_QMI_BDF_EXT_STR_LENGTH] = { 0 }; +@@ -973,15 +974,20 @@ static int __ath11k_core_create_board_name(struct ath11k_base *ab, char *name, + + switch (ab->id.bdf_search) { + case ATH11K_BDF_SEARCH_BUS_AND_BOARD: +- scnprintf(name, name_len, +- "bus=%s,vendor=%04x,device=%04x,subsystem-vendor=%04x,subsystem-device=%04x,qmi-chip-id=%d,qmi-board-id=%d%s", +- ath11k_bus_str(ab->hif.bus), +- ab->id.vendor, ab->id.device, +- ab->id.subsystem_vendor, +- ab->id.subsystem_device, +- ab->qmi.target.chip_id, +- ab->qmi.target.board_id, +- variant); ++ if (bus_type_mode) ++ scnprintf(name, name_len, ++ "bus=%s", ++ ath11k_bus_str(ab->hif.bus)); ++ else ++ scnprintf(name, name_len, ++ "bus=%s,vendor=%04x,device=%04x,subsystem-vendor=%04x,subsystem-device=%04x,qmi-chip-id=%d,qmi-board-id=%d%s", ++ ath11k_bus_str(ab->hif.bus), ++ ab->id.vendor, ab->id.device, ++ ab->id.subsystem_vendor, ++ ab->id.subsystem_device, ++ ab->qmi.target.chip_id, ++ ab->qmi.target.board_id, ++ variant); + break; + default: + scnprintf(name, name_len, +@@ -1000,13 +1006,19 @@ static int __ath11k_core_create_board_name(struct ath11k_base *ab, char *name, + static int ath11k_core_create_board_name(struct ath11k_base *ab, char *name, + size_t name_len) + { +- return __ath11k_core_create_board_name(ab, name, name_len, 
true); ++ return __ath11k_core_create_board_name(ab, name, name_len, true, false); + } + + static int ath11k_core_create_fallback_board_name(struct ath11k_base *ab, char *name, + size_t name_len) + { +- return __ath11k_core_create_board_name(ab, name, name_len, false); ++ return __ath11k_core_create_board_name(ab, name, name_len, false, false); ++} ++ ++static int ath11k_core_create_bus_type_board_name(struct ath11k_base *ab, char *name, ++ size_t name_len) ++{ ++ return __ath11k_core_create_board_name(ab, name, name_len, false, true); + } + + const struct firmware *ath11k_core_firmware_request(struct ath11k_base *ab, +@@ -1310,7 +1322,7 @@ int ath11k_core_fetch_bdf(struct ath11k_base *ab, struct ath11k_board_data *bd) + + int ath11k_core_fetch_regdb(struct ath11k_base *ab, struct ath11k_board_data *bd) + { +- char boardname[BOARD_NAME_SIZE]; ++ char boardname[BOARD_NAME_SIZE], default_boardname[BOARD_NAME_SIZE]; + int ret; + + ret = ath11k_core_create_board_name(ab, boardname, BOARD_NAME_SIZE); +@@ -1327,6 +1339,21 @@ int ath11k_core_fetch_regdb(struct ath11k_base *ab, struct ath11k_board_data *bd + if (!ret) + goto exit; + ++ ret = ath11k_core_create_bus_type_board_name(ab, default_boardname, ++ BOARD_NAME_SIZE); ++ if (ret) { ++ ath11k_dbg(ab, ATH11K_DBG_BOOT, ++ "failed to create default board name for regdb: %d", ret); ++ goto exit; ++ } ++ ++ ret = ath11k_core_fetch_board_data_api_n(ab, bd, default_boardname, ++ ATH11K_BD_IE_REGDB, ++ ATH11K_BD_IE_REGDB_NAME, ++ ATH11K_BD_IE_REGDB_DATA); ++ if (!ret) ++ goto exit; ++ + ret = ath11k_core_fetch_board_data_api_1(ab, bd, ATH11K_REGDB_FILE_NAME); + if (ret) + ath11k_dbg(ab, ATH11K_DBG_BOOT, "failed to fetch %s from %s\n", +-- +2.39.2 + diff --git a/tmp-6.4/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch b/tmp-6.4/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch new file mode 100644 index 00000000000..0535b3157d7 --- /dev/null +++ b/tmp-6.4/wifi-ath11k-fix-memory-leak-in-wmi-firmware-stats.patch 
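Review bot: The debug message added in ath11k_core_fetch_regdb(), `"failed to create default board name for regdb: %d"`, has no trailing newline, unlike the `"failed to fetch %s from %s\n"` message a few lines below; it should end in `%d\n`. The function also now keeps two BOARD_NAME_SIZE buffers on the stack. As far as the hunk shows, boardname is not read again once the first lookup has failed, so the bus-only name could be built into the same buffer. The first lookup and the arguments of the final debug call are outside the hunk, so check them before merging the two buffers.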
@@ -0,0 +1,63 @@ +From 83694f488fc680ab7e911063ae8091119626d81b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jun 2023 14:41:28 +0530 +Subject: wifi: ath11k: fix memory leak in WMI firmware stats + +From: P Praneesh + +[ Upstream commit 6aafa1c2d3e3fea2ebe84c018003f2a91722e607 ] + +Memory allocated for firmware pdev, vdev and beacon statistics +are not released during rmmod. + +Fix it by calling ath11k_fw_stats_free() function before hardware +unregister. + +While at it, avoid calling ath11k_fw_stats_free() while processing +the firmware stats received in the WMI event because the local list +is getting spliced and reinitialised and hence there are no elements +in the list after splicing. + +Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: P Praneesh +Signed-off-by: Aditya Kumar Singh +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230606091128.14202-1-quic_adisi@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 1 + + drivers/net/wireless/ath/ath11k/wmi.c | 5 +++++ + 2 files changed, 6 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 05920ad413c55..01ff197b017f7 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -9468,6 +9468,7 @@ void ath11k_mac_destroy(struct ath11k_base *ab) + if (!ar) + continue; + ++ ath11k_fw_stats_free(&ar->fw_stats); + ieee80211_free_hw(ar->hw); + pdev->ar = NULL; + } +diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c +index d0b59bc2905a9..42d9b29623a47 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -8103,6 +8103,11 @@ static void ath11k_update_stats_event(struct ath11k_base *ab, struct sk_buff *sk + rcu_read_unlock(); + spin_unlock_bh(&ar->data_lock); + ++ /* Since the stats's pdev, vdev and beacon list are spliced and 
reinitialised ++ * at this point, no need to free the individual list. ++ */ ++ return; ++ + free: + ath11k_fw_stats_free(&stats); + } +-- +2.39.2 + diff --git a/tmp-6.4/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch b/tmp-6.4/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch new file mode 100644 index 00000000000..9ce3d807503 --- /dev/null +++ b/tmp-6.4/wifi-ath11k-fix-registration-of-6ghz-only-phy-withou.patch 
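Review bot: The `return;` added before the `free:` label in ath11k_update_stats_event() means the local `stats` lists are released only on the error gotos, so any non-error path that reaches this point without splicing all three lists into ar->fw_stats now leaks them. The new comment asserts that the pdev, vdev and beacon lists are always spliced, but the code that does it is above the hunk and cannot be checked here. Separately, the call added in ath11k_mac_destroy() frees ar->fw_stats without taking ar->data_lock, which the event handler releases just above the new comment. That is safe only if no stats event can still be processed at that stage, and a one-line comment saying so would help.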
@@ -0,0 +1,71 @@ +From 897dae6285f339120b727c5a3f8488b3ff25af16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Apr 2023 16:54:45 +0200 +Subject: wifi: ath11k: fix registration of 6Ghz-only phy without the full + channel range + +From: Maxime Bizon + +[ Upstream commit e2ceb1de2f83aafd8003f0b72dfd4b7441e97d14 ] + +Because of what seems to be a typo, a 6Ghz-only phy for which the BDF +does not allow the 7115Mhz channel will fail to register: + + WARNING: CPU: 2 PID: 106 at net/wireless/core.c:907 wiphy_register+0x914/0x954 + Modules linked in: ath11k_pci sbsa_gwdt + CPU: 2 PID: 106 Comm: kworker/u8:5 Not tainted 6.3.0-rc7-next-20230418-00549-g1e096a17625a-dirty #9 + Hardware name: Freebox V7R Board (DT) + Workqueue: ath11k_qmi_driver_event ath11k_qmi_driver_event_work + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : wiphy_register+0x914/0x954 + lr : ieee80211_register_hw+0x67c/0xc10 + sp : ffffff800b123aa0 + x29: ffffff800b123aa0 x28: 0000000000000000 x27: 0000000000000000 + x26: 0000000000000000 x25: 0000000000000006 x24: ffffffc008d51418 + x23: ffffffc008cb0838 x22: ffffff80176c2460 x21: 0000000000000168 + x20: ffffff80176c0000 x19: ffffff80176c03e0 x18: 0000000000000014 + x17: 00000000cbef338c x16: 00000000d2a26f21 x15: 00000000ad6bb85f + x14: 0000000000000020 x13: 0000000000000020 x12: 00000000ffffffbd + x11: 0000000000000208 x10: 00000000fffffdf7 x9 : ffffffc009394718 + x8 : ffffff80176c0528 x7 : 000000007fffffff x6 : 0000000000000006 + x5 : 0000000000000005 x4 : ffffff800b304284 x3 : ffffff800b304284 + x2 : ffffff800b304d98 x1 : 0000000000000000 x0 : 0000000000000000 + Call trace: + wiphy_register+0x914/0x954 + ieee80211_register_hw+0x67c/0xc10 + ath11k_mac_register+0x7c4/0xe10 + ath11k_core_qmi_firmware_ready+0x1f4/0x570 + ath11k_qmi_driver_event_work+0x198/0x590 + process_one_work+0x1b8/0x328 + worker_thread+0x6c/0x414 + kthread+0x100/0x104 + ret_from_fork+0x10/0x20 + ---[ end trace 0000000000000000 ]--- + ath11k_pci 
0002:01:00.0: ieee80211 registration failed: -22 + ath11k_pci 0002:01:00.0: failed register the radio with mac80211: -22 + ath11k_pci 0002:01:00.0: failed to create pdev core: -22 + +Signed-off-by: Maxime Bizon +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230421145445.2612280-1-mbizon@freebox.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 1c93f1afccc57..05920ad413c55 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -8892,7 +8892,7 @@ static int ath11k_mac_setup_channels_rates(struct ath11k *ar, + } + + if (supported_bands & WMI_HOST_WLAN_5G_CAP) { +- if (reg_cap->high_5ghz_chan >= ATH11K_MAX_6G_FREQ) { ++ if (reg_cap->high_5ghz_chan >= ATH11K_MIN_6G_FREQ) { + channels = kmemdup(ath11k_6ghz_channels, + sizeof(ath11k_6ghz_channels), GFP_KERNEL); + if (!channels) { +-- +2.39.2 + diff --git a/tmp-6.4/wifi-ath12k-avoid-null-pointer-access-during-managem.patch b/tmp-6.4/wifi-ath12k-avoid-null-pointer-access-during-managem.patch new file mode 100644 index 00000000000..b94f627d18f --- /dev/null +++ b/tmp-6.4/wifi-ath12k-avoid-null-pointer-access-during-managem.patch 
@@ -0,0 +1,41 @@ +From 45f055b96df5274a12510ef11de0f670e5e27c58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jun 2023 13:35:15 +0300 +Subject: wifi: ath12k: Avoid NULL pointer access during management transmit + cleanup + +From: Balamurugan S + +[ Upstream commit 054b5580a36e435692c203c19abdcb9f7734320e ] + +Currently 'ar' reference is not added in skb_cb. +Though this is generally not used during transmit completion +callbacks, on interface removal the remaining idr cleanup callback +uses the ar pointer from skb_cb from management txmgmt_idr. Hence fill them +during transmit call for proper usage to avoid NULL pointer dereference. + +Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Balamurugan S +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230518071046.14337-1-quic_bselvara@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/mac.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c +index ee792822b4113..58acfe8fdf8c0 100644 +--- a/drivers/net/wireless/ath/ath12k/mac.c ++++ b/drivers/net/wireless/ath/ath12k/mac.c +@@ -4425,6 +4425,7 @@ static int ath12k_mac_mgmt_tx_wmi(struct ath12k *ar, struct ath12k_vif *arvif, + int buf_id; + int ret; + ++ ATH12K_SKB_CB(skb)->ar = ar; + spin_lock_bh(&ar->txmgmt_idr_lock); + buf_id = idr_alloc(&ar->txmgmt_idr, skb, 0, + ATH12K_TX_MGMT_NUM_PENDING_MAX, GFP_ATOMIC); +-- +2.39.2 + diff --git a/tmp-6.4/wifi-iwlwifi-add-support-for-new-pci-id.patch b/tmp-6.4/wifi-iwlwifi-add-support-for-new-pci-id.patch new file mode 100644 index 00000000000..3c1ae137475 --- /dev/null +++ b/tmp-6.4/wifi-iwlwifi-add-support-for-new-pci-id.patch 
@@ -0,0 +1,43 @@ +From 52ee25f8ec39aa349eac6d31f626770d6bd2b068 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 13:03:59 +0300 +Subject: wifi: iwlwifi: Add support for new PCI Id + +From: Mukesh Sisodiya + +[ Upstream commit 35bd6f1d043d089fcb60450e1287cc65f0095787 ] + +Add support for the PCI Id 51F1 without IMR support. + +Signed-off-by: Mukesh Sisodiya +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230620125813.9800e652e789.Ic06a085832ac3f988c8ef07d856c8e281563295d@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index 79115eb1c2852..e9fe6cea891aa 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -495,6 +495,7 @@ static const struct pci_device_id iwl_hw_card_ids[] = { + {IWL_PCI_DEVICE(0x7AF0, PCI_ANY_ID, iwl_so_trans_cfg)}, + {IWL_PCI_DEVICE(0x51F0, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)}, + {IWL_PCI_DEVICE(0x51F1, PCI_ANY_ID, iwl_so_long_latency_imr_trans_cfg)}, ++ {IWL_PCI_DEVICE(0x51F1, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)}, + {IWL_PCI_DEVICE(0x54F0, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)}, + {IWL_PCI_DEVICE(0x7F70, PCI_ANY_ID, iwl_so_trans_cfg)}, + +@@ -544,6 +545,7 @@ static const struct iwl_dev_info iwl_dev_info_table[] = { + IWL_DEV_INFO(0x51F0, 0x1551, iwl9560_2ac_cfg_soc, iwl9560_killer_1550i_160_name), + IWL_DEV_INFO(0x51F0, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), + IWL_DEV_INFO(0x51F0, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), ++ IWL_DEV_INFO(0x51F1, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), + IWL_DEV_INFO(0x54F0, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), + IWL_DEV_INFO(0x54F0, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, 
iwl_ax411_killer_1690i_name), + IWL_DEV_INFO(0x7A70, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), +-- +2.39.2 + diff --git a/tmp-6.4/wifi-iwlwifi-mvm-add-null-check-before-dereferencing.patch b/tmp-6.4/wifi-iwlwifi-mvm-add-null-check-before-dereferencing.patch new file mode 100644 index 00000000000..2e4d18afa45 --- /dev/null +++ b/tmp-6.4/wifi-iwlwifi-mvm-add-null-check-before-dereferencing.patch 
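Review bot: In the `iwl_hw_card_ids[]` hunk of the queued iwlwifi patch, the added `{IWL_PCI_DEVICE(0x51F1, PCI_ANY_ID, iwl_so_long_latency_trans_cfg)}` carries the same device and subdevice match as the `iwl_so_long_latency_imr_trans_cfg` entry directly above it, so a first-match lookup would presumably never select the new entry. The lookup code is outside the hunk, so the patch should either say how the non-IMR configuration is meant to be chosen or give the entry a distinguishing key. The `iwl_dev_info_table[]` hunk also adds only subdevice `0x1692` for `0x51F1`, while the context shows both `0x1691` and `0x1692` for `0x51F0`; it is worth confirming that `0x1691` is left out on purpose.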
@@ -0,0 +1,68 @@ +From 153c633de624c710571fbdd0782a74845b1b2774 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jun 2023 15:50:08 +0300 +Subject: wifi: iwlwifi: mvm: Add NULL check before dereferencing the pointer + +From: Mukesh Sisodiya + +[ Upstream commit 7dd50fd5478056929a012c6bf8b3c6f87c7e9e87 ] + +While vif pointers are protected by the corresponding "*active" +fields, static checkers can get confused sometimes. Add an explicit +check. + +Signed-off-by: Mukesh Sisodiya +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230614154951.78749ae91fb5.Id3c05d13eeee6638f0930f750e93fb928d5c9dee@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/power.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/power.c b/drivers/net/wireless/intel/iwlwifi/mvm/power.c +index ac1dae52556f8..19839cc44eb3d 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/power.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/power.c +@@ -647,30 +647,32 @@ static void iwl_mvm_power_set_pm(struct iwl_mvm *mvm, + return; + + /* enable PM on bss if bss stand alone */ +- if (vifs->bss_active && !vifs->p2p_active && !vifs->ap_active) { ++ if (bss_mvmvif && vifs->bss_active && !vifs->p2p_active && ++ !vifs->ap_active) { + bss_mvmvif->pm_enabled = true; + return; + } + + /* enable PM on p2p if p2p stand alone */ +- if (vifs->p2p_active && !vifs->bss_active && !vifs->ap_active) { ++ if (p2p_mvmvif && vifs->p2p_active && !vifs->bss_active && ++ !vifs->ap_active) { + p2p_mvmvif->pm_enabled = true; + return; + } + +- if (vifs->bss_active && vifs->p2p_active) ++ if (p2p_mvmvif && bss_mvmvif && vifs->bss_active && vifs->p2p_active) + client_same_channel = + iwl_mvm_have_links_same_channel(bss_mvmvif, p2p_mvmvif); + +- if (vifs->bss_active && vifs->ap_active) ++ if (bss_mvmvif && ap_mvmvif && vifs->bss_active && vifs->ap_active) + ap_same_channel 
= + iwl_mvm_have_links_same_channel(bss_mvmvif, ap_mvmvif); + + /* clients are not stand alone: enable PM if DCM */ + if (!(client_same_channel || ap_same_channel)) { +- if (vifs->bss_active) ++ if (bss_mvmvif && vifs->bss_active) + bss_mvmvif->pm_enabled = true; +- if (vifs->p2p_active) ++ if (p2p_mvmvif && vifs->p2p_active) + p2p_mvmvif->pm_enabled = true; + return; + } +-- +2.39.2 + diff --git a/tmp-6.4/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch b/tmp-6.4/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch new file mode 100644 index 00000000000..134f5d4e344 --- /dev/null +++ b/tmp-6.4/wifi-iwlwifi-mvm-avoid-baid-size-integer-overflow.patch 
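Review bot: The new `bss_mvmvif &&`, `p2p_mvmvif &&` and `ap_mvmvif &&` guards in iwl_mvm_power_set_pm() carry no comment, so a later reader cannot tell from the code that they exist only for static checkers, as the commit message says. Without that, the function reads as if an `*_active` flag with a NULL vif pointer were an expected state, and such an inconsistency would now be skipped silently. I would add one comment above the first guard, for example `/* the *_active flags imply a valid vif pointer; the NULL checks only placate static checkers */`. The start of the function, where the pointers are assigned, is outside the hunk.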
@@ -0,0 +1,47 @@ +From dace976cec6dcc24ea4796d017d381407df57a5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jun 2023 13:04:02 +0300 +Subject: wifi: iwlwifi: mvm: avoid baid size integer overflow + +From: Johannes Berg + +[ Upstream commit 1a528ab1da324d078ec60283c34c17848580df24 ] + +Roee reported various hard-to-debug crashes with pings in +EHT aggregation scenarios. Enabling KASAN showed that we +access the BAID allocation out of bounds, and looking at +the code a bit shows that since the reorder buffer entry +(struct iwl_mvm_reorder_buf_entry) is 128 bytes if debug +such as lockdep is enabled, then staring from an agg size +512 we overflow the size calculation, and allocate a much +smaller structure than we should, causing slab corruption +once we initialize this. + +Fix this by simply using u32 instead of u16. + +Reported-by: Roee Goldfiner +Signed-off-by: Johannes Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230620125813.f428c856030d.I2c2bb808e945adb71bc15f5b2bac2d8957ea90eb@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +index b85e363544f8b..7f9a809dd081c 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -2884,7 +2884,7 @@ int iwl_mvm_sta_rx_agg(struct iwl_mvm *mvm, struct ieee80211_sta *sta, + } + + if (iwl_mvm_has_new_rx_api(mvm) && start) { +- u16 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); ++ u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]); + + /* sparse doesn't like the __align() so don't check */ + #ifndef __CHECKER__ +-- +2.39.2 + 
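Review bot: The widened `u32 reorder_buf_size = buf_size * sizeof(baid_data->entries[0]);` in iwl_mvm_sta_rx_agg() is still an unchecked multiplication stored in a fixed-width variable, so the fix holds only while `buf_size` stays small; its type and upper bound are not visible in this hunk. Because the commit message says this value sizes an allocation, I would compute it with the kernel's overflow-checked helper, `size_t reorder_buf_size = array_size(buf_size, sizeof(baid_data->entries[0]));`, so an oversized product fails the allocation instead of truncating. The later uses of `reorder_buf_size` are outside the hunk and would need checking for anything that expects a `u32`.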
diff --git a/tmp-6.4/wifi-iwlwifi-mvm-fix-potential-array-out-of-bounds-a.patch b/tmp-6.4/wifi-iwlwifi-mvm-fix-potential-array-out-of-bounds-a.patch new file mode 100644 index 00000000000..d1c5e8b417e --- /dev/null +++ b/tmp-6.4/wifi-iwlwifi-mvm-fix-potential-array-out-of-bounds-a.patch 
@@ -0,0 +1,51 @@ +From a37efc3bc4885e014924de01edb24e2175627ad3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jun 2023 15:57:21 +0300 +Subject: wifi: iwlwifi: mvm: fix potential array out of bounds access + +From: Gregory Greenman + +[ Upstream commit 637452360ecde9ac972d19416e9606529576b302 ] + +Account for IWL_SEC_WEP_KEY_OFFSET when needed while verifying +key_len size in iwl_mvm_sec_key_add(). + +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230613155501.f193b7493a93.I6948ba625b9318924b96a5e22602ac75d2bd0125@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c +index 8853821b37168..1e659bd07392a 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause + /* +- * Copyright (C) 2022 Intel Corporation ++ * Copyright (C) 2022 - 2023 Intel Corporation + */ + #include + #include +@@ -179,9 +179,14 @@ int iwl_mvm_sec_key_add(struct iwl_mvm *mvm, + .u.add.key_flags = cpu_to_le32(key_flags), + .u.add.tx_seq = cpu_to_le64(atomic64_read(&keyconf->tx_pn)), + }; ++ int max_key_len = sizeof(cmd.u.add.key); + int ret; + +- if (WARN_ON(keyconf->keylen > sizeof(cmd.u.add.key))) ++ if (keyconf->cipher == WLAN_CIPHER_SUITE_WEP40 || ++ keyconf->cipher == WLAN_CIPHER_SUITE_WEP104) ++ max_key_len -= IWL_SEC_WEP_KEY_OFFSET; ++ ++ if (WARN_ON(keyconf->keylen > max_key_len)) + return -EINVAL; + + if (WARN_ON(!sta_mask)) +-- +2.39.2 + diff --git a/tmp-6.4/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch b/tmp-6.4/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch new file mode 100644 index 00000000000..482fbaaa02d --- /dev/null 
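Review bot: In iwl_mvm_sec_key_add(), the new `max_key_len -= IWL_SEC_WEP_KEY_OFFSET;` has no comment explaining why WEP keys get less room, and the copy into `cmd.u.add.key` that this bound protects is outside the hunk. A bounds check and the copy it guards should visibly use the same offset, so I would add `/* WEP keys are copied at IWL_SEC_WEP_KEY_OFFSET into cmd.u.add.key, leaving less space */` above the cipher test, after confirming that this is what the copy does. Declaring `max_key_len` as `size_t` instead of `int` would also keep the `sizeof` result and the comparison unsigned.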
+++ b/tmp-6.4/wifi-iwlwifi-pcie-add-device-id-51f1-for-killer-1675.patch @@ -0,0 +1,38 @@ +From 34442c9ff04263d558c7a4292daac7e818b44817 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 13:12:20 +0300 +Subject: wifi: iwlwifi: pcie: add device id 51F1 for killer 1675 + +From: Yi Kuo + +[ Upstream commit f4daceae4087bbb3e9a56044b44601d520d009d2 ] + +Intel Killer AX1675i/s with device id 51f1 would show +"No config found for PCI dev 51f1/1672" in dmesg and refuse to work. +Add the new device id 51F1 for 1675i/s to fix the issue. + +Signed-off-by: Yi Kuo +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230621130444.ee224675380b.I921c905e21e8d041ad808def8f454f27b5ebcd8b@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index e9fe6cea891aa..e086664a4eaca 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -684,6 +684,8 @@ static const struct iwl_dev_info iwl_dev_info_table[] = { + IWL_DEV_INFO(0x2726, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), + IWL_DEV_INFO(0x51F0, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), + IWL_DEV_INFO(0x51F0, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), ++ IWL_DEV_INFO(0x51F1, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), ++ IWL_DEV_INFO(0x51F1, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), + IWL_DEV_INFO(0x54F0, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), + IWL_DEV_INFO(0x54F0, 0x1672, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675i_name), + IWL_DEV_INFO(0x7A70, 0x1671, iwlax211_2ax_cfg_so_gf_a0, iwl_ax211_killer_1675s_name), +-- +2.39.2 + 
diff --git a/tmp-6.4/wifi-mac80211_hwsim-fix-possible-null-dereference.patch b/tmp-6.4/wifi-mac80211_hwsim-fix-possible-null-dereference.patch new file mode 100644 index 00000000000..e3f1c611b85 --- /dev/null +++ b/tmp-6.4/wifi-mac80211_hwsim-fix-possible-null-dereference.patch @@ -0,0 +1,46 @@ +From d130537977b35b9a7ba5591cd4645081cdf732e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jun 2023 12:11:27 +0300 +Subject: wifi: mac80211_hwsim: Fix possible NULL dereference + +From: Ilan Peer + +[ Upstream commit 0cc80943ef518a1c51a1111e9346d1daf11dd545 ] + +In a call to mac80211_hwsim_select_tx_link() the sta pointer might +be NULL, thus need to check that it is not NULL before accessing it. + +Signed-off-by: Ilan Peer +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230604120651.f4d889fc98c4.Iae85f527ed245a37637a874bb8b8c83d79812512@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/virtual/mac80211_hwsim.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c +index 89c7a1420381d..ed5af63025979 100644 +--- a/drivers/net/wireless/virtual/mac80211_hwsim.c ++++ b/drivers/net/wireless/virtual/mac80211_hwsim.c +@@ -4,7 +4,7 @@ + * Copyright (c) 2008, Jouni Malinen + * Copyright (c) 2011, Javier Lopez + * Copyright (c) 2016 - 2017 Intel Deutschland GmbH +- * Copyright (C) 2018 - 2022 Intel Corporation ++ * Copyright (C) 2018 - 2023 Intel Corporation + */ + + /* +@@ -1864,7 +1864,7 @@ mac80211_hwsim_select_tx_link(struct mac80211_hwsim_data *data, + + WARN_ON(is_multicast_ether_addr(hdr->addr1)); + +- if (WARN_ON_ONCE(!sta->valid_links)) ++ if (WARN_ON_ONCE(!sta || !sta->valid_links)) + return &vif->bss_conf; + + for (i = 0; i < ARRAY_SIZE(vif->link_conf); i++) { +-- +2.39.2 + 
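Review bot: In mac80211_hwsim_select_tx_link(), folding the new NULL test into `WARN_ON_ONCE(!sta || !sta->valid_links)` means a NULL `sta` raises a kernel warning with a backtrace, although the commit message describes that case as one that can happen. On systems configured to panic on warnings, a reachable WARN becomes a crash. If a NULL `sta` is a legitimate input (the callers are outside the hunk), I would handle it quietly with `if (!sta) return &vif->bss_conf;` and keep `if (WARN_ON_ONCE(!sta->valid_links))` for the case that indicates a bug.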
diff --git a/tmp-6.4/wifi-rtw88-sdio-check-the-hisr-rx_request-bit-in-rtw.patch b/tmp-6.4/wifi-rtw88-sdio-check-the-hisr-rx_request-bit-in-rtw.patch new file mode 100644 index 00000000000..e3b4b1b0414 --- /dev/null +++ b/tmp-6.4/wifi-rtw88-sdio-check-the-hisr-rx_request-bit-in-rtw.patch 
@@ -0,0 +1,93 @@ +From 4357179094d447fe2d49c33c6de95fab7905d53f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 May 2023 22:24:22 +0200 +Subject: wifi: rtw88: sdio: Check the HISR RX_REQUEST bit in rtw_sdio_rx_isr() + +From: Martin Blumenstingl + +[ Upstream commit e967229ead0e6c5047a1cfd5a0db58ceb930800b ] + +rtw_sdio_rx_isr() is responsible for receiving data from the wifi chip +and is called from the SDIO interrupt handler when the interrupt status +register (HISR) has the RX_REQUEST bit set. After the first batch of +data has been processed by the driver the wifi chip may have more data +ready to be read, which is managed by a loop in rtw_sdio_rx_isr(). + +It turns out that there are cases where the RX buffer length (from the +REG_SDIO_RX0_REQ_LEN register) does not match the data we receive. The +following two cases were observed with a RTL8723DS card: +- RX length is smaller than the total packet length including overhead + and actual data bytes (whose length is part of the buffer we read from + the wifi chip and is stored in rtw_rx_pkt_stat.pkt_len). This can + result in errors like: + skbuff: skb_over_panic: text:ffff8000011924ac len:3341 put:3341 + (one case observed was: RX buffer length = 1536 bytes but + rtw_rx_pkt_stat.pkt_len = 1546 bytes, this is not valid as it means + we need to read beyond the end of the buffer) +- RX length looks valid but rtw_rx_pkt_stat.pkt_len is zero + +Check if the RX_REQUEST is set in the HISR register for each iteration +inside rtw_sdio_rx_isr(). This mimics what the RTL8723DS vendor driver +does and makes the driver only read more data if the RX_REQUEST bit is +set (which seems to be a way for the card's hardware or firmware to +tell the host that data is ready to be processed). + +For RTW_WCPU_11AC chips this check is not needed. The RTL8822BS vendor +driver for example states that this check is unnecessary (but still uses +it) and the RTL8822CS drops this check entirely. 
+ +Reviewed-by: Ping-Ke Shih +Signed-off-by: Martin Blumenstingl +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230522202425.1827005-2-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/sdio.c | 24 ++++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c +index 06fce7c3addaa..2c1fb2dabd40a 100644 +--- a/drivers/net/wireless/realtek/rtw88/sdio.c ++++ b/drivers/net/wireless/realtek/rtw88/sdio.c +@@ -998,9 +998,9 @@ static void rtw_sdio_rxfifo_recv(struct rtw_dev *rtwdev, u32 rx_len) + + static void rtw_sdio_rx_isr(struct rtw_dev *rtwdev) + { +- u32 rx_len, total_rx_bytes = 0; ++ u32 rx_len, hisr, total_rx_bytes = 0; + +- while (total_rx_bytes < SZ_64K) { ++ do { + if (rtw_chip_wcpu_11n(rtwdev)) + rx_len = rtw_read16(rtwdev, REG_SDIO_RX0_REQ_LEN); + else +@@ -1012,7 +1012,25 @@ static void rtw_sdio_rx_isr(struct rtw_dev *rtwdev) + rtw_sdio_rxfifo_recv(rtwdev, rx_len); + + total_rx_bytes += rx_len; +- } ++ ++ if (rtw_chip_wcpu_11n(rtwdev)) { ++ /* Stop if no more RX requests are pending, even if ++ * rx_len could be greater than zero in the next ++ * iteration. This is needed because the RX buffer may ++ * already contain data while either HW or FW are not ++ * done filling that buffer yet. Still reading the ++ * buffer can result in packets where ++ * rtw_rx_pkt_stat.pkt_len is zero or points beyond the ++ * end of the buffer. ++ */ ++ hisr = rtw_read32(rtwdev, REG_SDIO_HISR); ++ } else { ++ /* RTW_WCPU_11AC chips have improved hardware or ++ * firmware and can use rx_len unconditionally. ++ */ ++ hisr = REG_SDIO_HISR_RX_REQUEST; ++ } ++ } while (total_rx_bytes < SZ_64K && hisr & REG_SDIO_HISR_RX_REQUEST); + } + + static void rtw_sdio_handle_interrupt(struct sdio_func *sdio_func) +-- +2.39.2 + 
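Review bot: The reworked loop in rtw_sdio_rx_isr() stops on the HISR RX_REQUEST bit but still trusts the lengths reported by the device. The commit message describes the failure as `rtw_rx_pkt_stat.pkt_len` being zero or larger than the buffer length read from `REG_SDIO_RX0_REQ_LEN`, ending in `skb_over_panic`. Polling the status bit narrows the window, but a misbehaving or malfunctioning card can still supply an inconsistent length, so rtw_sdio_rxfifo_recv() (outside this hunk) should reject a packet whose `pkt_len` is zero or runs past `rx_len` before building the skb. As a smaller style point, the loop condition reads more safely as `while (total_rx_bytes < SZ_64K && (hisr & REG_SDIO_HISR_RX_REQUEST));`.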
diff --git a/tmp-6.4/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch b/tmp-6.4/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch new file mode 100644 index 00000000000..2333f9338d4 --- /dev/null +++ b/tmp-6.4/wifi-wext-core-fix-wstringop-overflow-warning-in-ioc.patch 
@@ -0,0 +1,71 @@ +From 63e6efa14f435540aab95084d9ee613a389d4fd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 12:04:07 -0600 +Subject: wifi: wext-core: Fix -Wstringop-overflow warning in + ioctl_standard_iw_point() + +From: Gustavo A. R. Silva + +[ Upstream commit 71e7552c90db2a2767f5c17c7ec72296b0d92061 ] + +-Wstringop-overflow is legitimately warning us about extra_size +pontentially being zero at some point, hence potenially ending +up _allocating_ zero bytes of memory for extra pointer and then +trying to access such object in a call to copy_from_user(). + +Fix this by adding a sanity check to ensure we never end up +trying to allocate zero bytes of data for extra pointer, before +continue executing the rest of the code in the function. + +Address the following -Wstringop-overflow warning seen when built +m68k architecture with allyesconfig configuration: + from net/wireless/wext-core.c:11: +In function '_copy_from_user', + inlined from 'copy_from_user' at include/linux/uaccess.h:183:7, + inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:825:7: +arch/m68k/include/asm/string.h:48:25: warning: '__builtin_memset' writing 1 or more bytes into a region of size 0 overflows the destination [-Wstringop-overflow=] + 48 | #define memset(d, c, n) __builtin_memset(d, c, n) + | ^~~~~~~~~~~~~~~~~~~~~~~~~ +include/linux/uaccess.h:153:17: note: in expansion of macro 'memset' + 153 | memset(to + (n - res), 0, res); + | ^~~~~~ +In function 'kmalloc', + inlined from 'kzalloc' at include/linux/slab.h:694:9, + inlined from 'ioctl_standard_iw_point' at net/wireless/wext-core.c:819:10: +include/linux/slab.h:577:16: note: at offset 1 into destination object of size 0 allocated by '__kmalloc' + 577 | return __kmalloc(size, flags); + | ^~~~~~~~~~~~~~~~~~~~~~ + +This help with the ongoing efforts to globally enable +-Wstringop-overflow. + +Link: https://github.com/KSPP/linux/issues/315 +Signed-off-by: Gustavo A. R. 
Silva +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/ZItSlzvIpjdjNfd8@work +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/wext-core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c +index a125fd1fa1342..a161c64d1765e 100644 +--- a/net/wireless/wext-core.c ++++ b/net/wireless/wext-core.c +@@ -815,6 +815,12 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, + } + } + ++ /* Sanity-check to ensure we never end up _allocating_ zero ++ * bytes of data for extra. ++ */ ++ if (extra_size <= 0) ++ return -EFAULT; ++ + /* kzalloc() ensures NULL-termination for essid_compat. */ + extra = kzalloc(extra_size, GFP_KERNEL); + if (!extra) +-- +2.39.2 + diff --git a/tmp-6.4/x86-cpu-amd-add-a-zenbleed-fix.patch b/tmp-6.4/x86-cpu-amd-add-a-zenbleed-fix.patch new file mode 100644 index 00000000000..79557d7bc5b --- /dev/null +++ b/tmp-6.4/x86-cpu-amd-add-a-zenbleed-fix.patch 
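Review bot: The comment added above `if (extra_size <= 0)` in ioctl_standard_iw_point() says what is avoided but not why the existing `if (!extra)` test is insufficient. A zero-byte `kzalloc()` returns a non-NULL sentinel pointer, so the NULL check passes and the later `copy_from_user()` would write into an object of size zero. I would spell that out, for example `/* kzalloc(0) returns a non-NULL ZERO_SIZE_PTR, so the !extra check below cannot catch a zero extra_size */`. How `extra_size` is derived from the caller-supplied `iw_point` is outside the hunk, so it is worth confirming that `-EFAULT` is the error the existing callers expect for this case.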
@@ -0,0 +1,161 @@ +From 522b1d69219d8f083173819fde04f994aa051a98 Mon Sep 17 00:00:00 2001 +From: "Borislav Petkov (AMD)" +Date: Sat, 15 Jul 2023 13:41:28 +0200 +Subject: x86/cpu/amd: Add a Zenbleed fix + +From: Borislav Petkov (AMD) + +commit 522b1d69219d8f083173819fde04f994aa051a98 upstream. + +Add a fix for the Zen2 VZEROUPPER data corruption bug where under +certain circumstances executing VZEROUPPER can cause register +corruption or leak data. + +The optimal fix is through microcode but in the case the proper +microcode revision has not been applied, enable a fallback fix using +a chicken bit. + +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/microcode.h | 1 + arch/x86/include/asm/microcode_amd.h | 2 + + arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/amd.c | 60 +++++++++++++++++++++++++++++++++++ + arch/x86/kernel/cpu/common.c | 2 + + 5 files changed, 66 insertions(+) + +--- a/arch/x86/include/asm/microcode.h ++++ b/arch/x86/include/asm/microcode.h +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + + struct ucode_patch { + struct list_head plist; +--- a/arch/x86/include/asm/microcode_amd.h ++++ b/arch/x86/include/asm/microcode_amd.h +@@ -48,11 +48,13 @@ extern void __init load_ucode_amd_bsp(un + extern void load_ucode_amd_ap(unsigned int family); + extern int __init save_microcode_in_initrd_amd(unsigned int family); + void reload_ucode_amd(unsigned int cpu); ++extern void amd_check_microcode(void); + #else + static inline void __init load_ucode_amd_bsp(unsigned int family) {} + static inline void load_ucode_amd_ap(unsigned int family) {} + static inline int __init + save_microcode_in_initrd_amd(unsigned int family) { return -EINVAL; } + static inline void reload_ucode_amd(unsigned int cpu) {} ++static inline void amd_check_microcode(void) {} + #endif + #endif /* _ASM_X86_MICROCODE_AMD_H */ +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -545,6 +545,7 
@@ + #define MSR_AMD64_DE_CFG 0xc0011029 + #define MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT 1 + #define MSR_AMD64_DE_CFG_LFENCE_SERIALIZE BIT_ULL(MSR_AMD64_DE_CFG_LFENCE_SERIALIZE_BIT) ++#define MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT 9 + + #define MSR_AMD64_BU_CFG2 0xc001102a + #define MSR_AMD64_IBSFETCHCTL 0xc0011030 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -70,6 +70,11 @@ static const int amd_erratum_383[] = + static const int amd_erratum_1054[] = + AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf)); + ++static const int amd_zenbleed[] = ++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0x30, 0x0, 0x4f, 0xf), ++ AMD_MODEL_RANGE(0x17, 0x60, 0x0, 0x7f, 0xf), ++ AMD_MODEL_RANGE(0x17, 0xa0, 0x0, 0xaf, 0xf)); ++ + static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum) + { + int osvw_id = *erratum++; +@@ -978,6 +983,47 @@ static void init_amd_zn(struct cpuinfo_x + } + } + ++static bool cpu_has_zenbleed_microcode(void) ++{ ++ u32 good_rev = 0; ++ ++ switch (boot_cpu_data.x86_model) { ++ case 0x30 ... 0x3f: good_rev = 0x0830107a; break; ++ case 0x60 ... 0x67: good_rev = 0x0860010b; break; ++ case 0x68 ... 0x6f: good_rev = 0x08608105; break; ++ case 0x70 ... 0x7f: good_rev = 0x08701032; break; ++ case 0xa0 ... 
0xaf: good_rev = 0x08a00008; break; ++ ++ default: ++ return false; ++ break; ++ } ++ ++ if (boot_cpu_data.microcode < good_rev) ++ return false; ++ ++ return true; ++} ++ ++static void zenbleed_check(struct cpuinfo_x86 *c) ++{ ++ if (!cpu_has_amd_erratum(c, amd_zenbleed)) ++ return; ++ ++ if (cpu_has(c, X86_FEATURE_HYPERVISOR)) ++ return; ++ ++ if (!cpu_has(c, X86_FEATURE_AVX)) ++ return; ++ ++ if (!cpu_has_zenbleed_microcode()) { ++ pr_notice_once("Zenbleed: please update your microcode for the most optimal fix\n"); ++ msr_set_bit(MSR_AMD64_DE_CFG, MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT); ++ } else { ++ msr_clear_bit(MSR_AMD64_DE_CFG, MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT); ++ } ++} ++ + static void init_amd(struct cpuinfo_x86 *c) + { + early_init_amd(c); +@@ -1082,6 +1128,8 @@ static void init_amd(struct cpuinfo_x86 + if (spectre_v2_in_eibrs_mode(spectre_v2_enabled) && + cpu_has(c, X86_FEATURE_AUTOIBRS)) + WARN_ON_ONCE(msr_set_bit(MSR_EFER, _EFER_AUTOIBRS)); ++ ++ zenbleed_check(c); + } + + #ifdef CONFIG_X86_32 +@@ -1230,3 +1278,15 @@ u32 amd_get_highest_perf(void) + return 255; + } + EXPORT_SYMBOL_GPL(amd_get_highest_perf); ++ ++static void zenbleed_check_cpu(void *unused) ++{ ++ struct cpuinfo_x86 *c = &cpu_data(smp_processor_id()); ++ ++ zenbleed_check(c); ++} ++ ++void amd_check_microcode(void) ++{ ++ on_each_cpu(zenbleed_check_cpu, NULL, 1); ++} +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -2341,6 +2341,8 @@ void microcode_check(struct cpuinfo_x86 + + perf_check_microcode(); + ++ amd_check_microcode(); ++ + store_cpu_caps(&curr_info); + + if (!memcmp(&prev_info->x86_capability, &curr_info.x86_capability, diff --git a/tmp-6.4/x86-cpu-amd-move-the-errata-checking-functionality-up.patch b/tmp-6.4/x86-cpu-amd-move-the-errata-checking-functionality-up.patch new file mode 100644 index 00000000000..c124bc89b36 --- /dev/null +++ b/tmp-6.4/x86-cpu-amd-move-the-errata-checking-functionality-up.patch 
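Review bot: In the added zenbleed_check() in arch/x86/kernel/cpu/amd.c, the return values of `msr_set_bit()` and `msr_clear_bit()` are dropped, so a failed write to `MSR_AMD64_DE_CFG` leaves the CPU without the fallback mitigation and without any trace in the log. The init_amd() context in the same patch wraps its `msr_set_bit(MSR_EFER, _EFER_AUTOIBRS)` call in `WARN_ON_ONCE()`, and I would do the equivalent here with `WARN_ON_ONCE(msr_set_bit(MSR_AMD64_DE_CFG, MSR_AMD64_DE_CFG_ZEN2_FP_BACKUP_FIX_BIT) < 0);`. Separately, cpu_has_zenbleed_microcode() reads `boot_cpu_data` even though zenbleed_check() runs once per CPU through `on_each_cpu()`. If CPUs can carry different microcode revisions, passing `c` and comparing `c->microcode` would decide per CPU; whether the per-CPU revision is kept current is not visible here.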
@@ -0,0 +1,181 @@
+From 8b6f687743dacce83dbb0c7cfacf88bab00f808a Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)"
+Date: Sat, 15 Jul 2023 13:31:32 +0200
+Subject: x86/cpu/amd: Move the errata checking functionality up
+
+From: Borislav Petkov (AMD)
+
+commit 8b6f687743dacce83dbb0c7cfacf88bab00f808a upstream.
+
+Avoid new and remove old forward declarations.
+
+No functional changes.
+
+Signed-off-by: Borislav Petkov (AMD)
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/cpu/amd.c | 139 ++++++++++++++++++++++------------------------
+ 1 file changed, 67 insertions(+), 72 deletions(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -27,11 +27,6 @@
+ 
+ #include "cpu.h"
+ 
+-static const int amd_erratum_383[];
+-static const int amd_erratum_400[];
+-static const int amd_erratum_1054[];
+-static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum);
+-
+ /*
+ * nodes_per_socket: Stores the number of nodes per socket.
+ * Refer to Fam15h Models 00-0fh BKDG - CPUID Fn8000_001E_ECX
+@@ -39,6 +34,73 @@ static bool cpu_has_amd_erratum(struct c
+ */
+ static u32 nodes_per_socket = 1;
+ 
++/*
++ * AMD errata checking
++ *
++ * Errata are defined as arrays of ints using the AMD_LEGACY_ERRATUM() or
++ * AMD_OSVW_ERRATUM() macros. The latter is intended for newer errata that
++ * have an OSVW id assigned, which it takes as first argument. Both take a
++ * variable number of family-specific model-stepping ranges created by
++ * AMD_MODEL_RANGE().
++ *
++ * Example:
++ *
++ * const int amd_erratum_319[] =
++ * AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2),
++ * AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0),
++ * AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0));
++ */
++
++#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 }
++#define AMD_OSVW_ERRATUM(osvw_id, ...) { osvw_id, __VA_ARGS__, 0 }
++#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \
++ ((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end))
++#define AMD_MODEL_RANGE_FAMILY(range) (((range) >> 24) & 0xff)
++#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff)
++#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff)
++
++static const int amd_erratum_400[] =
++ AMD_OSVW_ERRATUM(1, AMD_MODEL_RANGE(0xf, 0x41, 0x2, 0xff, 0xf),
++ AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0xff, 0xf));
++
++static const int amd_erratum_383[] =
++ AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf));
++
++/* #1054: Instructions Retired Performance Counter May Be Inaccurate */
++static const int amd_erratum_1054[] =
++ AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf));
++
++static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum)
++{
++ int osvw_id = *erratum++;
++ u32 range;
++ u32 ms;
++
++ if (osvw_id >= 0 && osvw_id < 65536 &&
++ cpu_has(cpu, X86_FEATURE_OSVW)) {
++ u64 osvw_len;
++
++ rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, osvw_len);
++ if (osvw_id < osvw_len) {
++ u64 osvw_bits;
++
++ rdmsrl(MSR_AMD64_OSVW_STATUS + (osvw_id >> 6),
++ osvw_bits);
++ return osvw_bits & (1ULL << (osvw_id & 0x3f));
++ }
++ }
++
++ /* OSVW unavailable or ID unknown, match family-model-stepping range */
++ ms = (cpu->x86_model << 4) | cpu->x86_stepping;
++ while ((range = *erratum++))
++ if ((cpu->x86 == AMD_MODEL_RANGE_FAMILY(range)) &&
++ (ms >= AMD_MODEL_RANGE_START(range)) &&
++ (ms <= AMD_MODEL_RANGE_END(range)))
++ return true;
++
++ return false;
++}
++
+ static inline int rdmsrl_amd_safe(unsigned msr, unsigned long long *p)
+ {
+ u32 gprs[8] = { 0 };
+@@ -1115,73 +1177,6 @@ static const struct cpu_dev amd_cpu_dev
+ 
+ cpu_dev_register(amd_cpu_dev);
+ 
+-/*
+- * AMD errata checking
+- *
+- * Errata are defined as arrays of ints using the AMD_LEGACY_ERRATUM() or
+- * AMD_OSVW_ERRATUM() macros. The latter is intended for newer errata that
+- * have an OSVW id assigned, which it takes as first argument. Both take a
+- * variable number of family-specific model-stepping ranges created by
+- * AMD_MODEL_RANGE().
+- *
+- * Example:
+- *
+- * const int amd_erratum_319[] =
+- * AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0x4, 0x2),
+- * AMD_MODEL_RANGE(0x10, 0x8, 0x0, 0x8, 0x0),
+- * AMD_MODEL_RANGE(0x10, 0x9, 0x0, 0x9, 0x0));
+- */
+-
+-#define AMD_LEGACY_ERRATUM(...) { -1, __VA_ARGS__, 0 }
+-#define AMD_OSVW_ERRATUM(osvw_id, ...) { osvw_id, __VA_ARGS__, 0 }
+-#define AMD_MODEL_RANGE(f, m_start, s_start, m_end, s_end) \
+- ((f << 24) | (m_start << 16) | (s_start << 12) | (m_end << 4) | (s_end))
+-#define AMD_MODEL_RANGE_FAMILY(range) (((range) >> 24) & 0xff)
+-#define AMD_MODEL_RANGE_START(range) (((range) >> 12) & 0xfff)
+-#define AMD_MODEL_RANGE_END(range) ((range) & 0xfff)
+-
+-static const int amd_erratum_400[] =
+- AMD_OSVW_ERRATUM(1, AMD_MODEL_RANGE(0xf, 0x41, 0x2, 0xff, 0xf),
+- AMD_MODEL_RANGE(0x10, 0x2, 0x1, 0xff, 0xf));
+-
+-static const int amd_erratum_383[] =
+- AMD_OSVW_ERRATUM(3, AMD_MODEL_RANGE(0x10, 0, 0, 0xff, 0xf));
+-
+-/* #1054: Instructions Retired Performance Counter May Be Inaccurate */
+-static const int amd_erratum_1054[] =
+- AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x17, 0, 0, 0x2f, 0xf));
+-
+-static bool cpu_has_amd_erratum(struct cpuinfo_x86 *cpu, const int *erratum)
+-{
+- int osvw_id = *erratum++;
+- u32 range;
+- u32 ms;
+-
+- if (osvw_id >= 0 && osvw_id < 65536 &&
+- cpu_has(cpu, X86_FEATURE_OSVW)) {
+- u64 osvw_len;
+-
+- rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, osvw_len);
+- if (osvw_id < osvw_len) {
+- u64 osvw_bits;
+-
+- rdmsrl(MSR_AMD64_OSVW_STATUS + (osvw_id >> 6),
+- osvw_bits);
+- return osvw_bits & (1ULL << (osvw_id & 0x3f));
+- }
+- }
+-
+- /* OSVW unavailable or ID unknown, match family-model-stepping range */
+- ms = (cpu->x86_model << 4) | cpu->x86_stepping;
+- while ((range = *erratum++))
+- if ((cpu->x86 == AMD_MODEL_RANGE_FAMILY(range)) &&
+- (ms >= AMD_MODEL_RANGE_START(range)) &&
+- (ms <= AMD_MODEL_RANGE_END(range)))
+- return true;
+-
+- return false;
+-}
+-
+ static DEFINE_PER_CPU_READ_MOSTLY(unsigned long[4], amd_dr_addr_mask);
+ 
+ static unsigned int amd_msr_dr_addr_masks[] = {
-- 2.47.3