From 76e5d842b55ed002ec8eca24cb8bd04bffcfc36f Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 6 May 2023 07:59:21 -0400 Subject: [PATCH] Fixes for 4.14 
Signed-off-by: Sasha Levin --- ...state.ss-to-1-to-re-enable-single-st.patch | 128 +++++++++++++++ ...of_node_put-in-assigned-clocks-prope.patch | 74 +++++++++ ...ac-do-not-enable-all-cyclic-channels.patch | 55 +++++++ ...-cancel-previous-job-before-starting.patch | 52 +++++++ ...m-rockchip-drop-unbalanced-obj-unref.patch | 38 +++++ .../drm-vgem-add-missing-mutex_destroy.patch | 42 +++++ ...g-fix-section-mismatch-warning-error.patch | 41 +++++ ...-mmu_rb_node-not-being-evicted-in-lr.patch | 93 +++++++++++ ...al-uninit-variable-access-bug-in-__i.patch | 56 +++++++ ...llow-flow-hash-to-be-set-via-ethtool.patch | 68 ++++++++ ...-setting-rss-table-to-default-values.patch | 147 ++++++++++++++++++ ...h-allow-either-builtin-or-modular-fo.patch | 58 +++++++ ...h-via-pmu-led-requires-ata-to-be-set.patch | 45 ++++++ ...farm_smu_sat-add-missing-of_node_put.patch | 36 +++++ ...eak-of-r10bio-remaining-for-recovery.patch | 73 +++++++++ ...vent-underflow-in-write_ts_to_decode.patch | 47 ++++++ ...d-missing-check-for-create_workqueue.patch | 37 +++++ ...-use-after-free-bug-in-dm1105_remove.patch | 56 +++++++ ...nk-leak-when-verifying-config-failed.patch | 47 ++++++ ...convert-po-auxdata-to-an-atomic-flag.patch | 95 +++++++++++ ...convert-po-origdev-to-an-atomic-flag.patch | 126 +++++++++++++++ ...end-a-reclaim_complete-after-establi.patch | 45 ++++++ .../of-fix-modalias-string-generation.patch | 80 ++++++++++ ...rdlockup-failure-caused-by-perf-thro.patch | 51 ++++++ ...dd-missing-tegra_xusb_port_unregiste.patch | 47 ++++++ ...generic-adc-battery-fix-unit-scaling.patch | 42 +++++ ...x-fix-resource-printk-format-warning.patch | 46 ++++++ ...-memmove-for-potentially-overlapping.patch | 56 +++++++ ...si108-fix-resource-printk-format-war.patch | 45 ++++++ ...-fix-resource-printk-format-warnings.patch | 87 +++++++++++ ...ert-pmsg_lock-back-to-a-normal-mutex.patch | 100 ++++++++++++ ...rdmavt-delete-unnecessary-null-check.patch | 41 +++++ ...-btsdio-fix-use-after-free-bug-in-bt.patch | 
39 +++++ ...unc-setting-condition-for-so_passsec.patch | 77 +++++++++ ...aid-fix-mega_cmd_done-cmdid_int_cmds.patch | 38 +++++ ...it-fix-tas-handling-during-conn-clea.patch | 67 ++++++++ ...v_permissions.h-is-built-when-needed.patch | 36 +++++ ...fix-makefile-dependencies-of-flask.h.patch | 43 +++++ ...0-add-missing-wakeup-event-reporting.patch | 53 +++++++ queue-4.14/series | 57 +++++++ ...ect-element-size-for-allocating-bitm.patch | 44 ++++++ ...ve-pm_sleep-based-conditional-compil.patch | 48 ++++++ ...fsl-spi-fix-cpm-qe-mode-litte-endian.patch | 71 +++++++++ ...-for-remove-callback-when-removing-a.patch | 65 ++++++++ ...-fix-w_disable-does-not-work-after-s.patch | 44 ++++++ ...e-maximum-number-of-retries-in-call_.patch | 74 +++++++++ ...eaks-of-sk-and-zerocopy-skbs-with-tx.patch | 125 +++++++++++++++ ...puart-adjust-buffer-length-to-the-in.patch | 39 +++++ ...nst.h-prefer-iso-friendly-__typeof__.patch | 65 ++++++++ ...ea-fix-missing-goto-in-ci_hdrc_probe.patch | 42 +++++ ...ly-enable-siocshwtstamp-in-container.patch | 37 +++++ ...n-off-by-one-check-in-ath5k_eeprom_r.patch | 39 +++++ ...ath6kl-minor-fix-for-allocation-size.patch | 40 +++++ ...l-reduce-warn-to-dev_dbg-in-callback.patch | 43 +++++ ...e-the-loop-for-card-preparation-effe.patch | 50 ++++++ ...ifi-mvm-check-firmware-response-size.patch | 53 +++++++ ...mic-update-of-offset-in-reserve_eilv.patch | 49 ++++++ ...-return-0-from-arch_dynirq_lower_bou.patch | 72 +++++++++ 58 files changed, 3464 insertions(+) create mode 100644 queue-4.14/arm64-kgdb-set-pstate.ss-to-1-to-re-enable-single-st.patch create mode 100644 queue-4.14/clk-add-missing-of_node_put-in-assigned-clocks-prope.patch create mode 100644 queue-4.14/dmaengine-at_xdmac-do-not-enable-all-cyclic-channels.patch create mode 100644 queue-4.14/drm-probe-helper-cancel-previous-job-before-starting.patch create mode 100644 queue-4.14/drm-rockchip-drop-unbalanced-obj-unref.patch create mode 100644 queue-4.14/drm-vgem-add-missing-mutex_destroy.patch create 
mode 100644 queue-4.14/ia64-mm-contig-fix-section-mismatch-warning-error.patch create mode 100644 queue-4.14/ib-hfi1-fix-sdma-mmu_rb_node-not-being-evicted-in-lr.patch create mode 100644 queue-4.14/ipv4-fix-potential-uninit-variable-access-bug-in-__i.patch create mode 100644 queue-4.14/ixgbe-allow-flow-hash-to-be-set-via-ethtool.patch create mode 100644 queue-4.14/ixgbe-enable-setting-rss-table-to-default-values.patch create mode 100644 queue-4.14/linux-vt_buffer.h-allow-either-builtin-or-modular-fo.patch create mode 100644 queue-4.14/macintosh-via-pmu-led-requires-ata-to-be-set.patch create mode 100644 queue-4.14/macintosh-windfarm_smu_sat-add-missing-of_node_put.patch create mode 100644 queue-4.14/md-raid10-fix-leak-of-r10bio-remaining-for-recovery.patch create mode 100644 queue-4.14/media-av7110-prevent-underflow-in-write_ts_to_decode.patch create mode 100644 queue-4.14/media-bdisp-add-missing-check-for-create_workqueue.patch create mode 100644 queue-4.14/media-dm1105-fix-use-after-free-bug-in-dm1105_remove.patch create mode 100644 queue-4.14/net-amd-fix-link-leak-when-verifying-config-failed.patch create mode 100644 queue-4.14/net-packet-convert-po-auxdata-to-an-atomic-flag.patch create mode 100644 queue-4.14/net-packet-convert-po-origdev-to-an-atomic-flag.patch create mode 100644 queue-4.14/nfsv4.1-always-send-a-reclaim_complete-after-establi.patch create mode 100644 queue-4.14/of-fix-modalias-string-generation.patch create mode 100644 queue-4.14/perf-core-fix-hardlockup-failure-caused-by-perf-thro.patch create mode 100644 queue-4.14/phy-tegra-xusb-add-missing-tegra_xusb_port_unregiste.patch create mode 100644 queue-4.14/power-supply-generic-adc-battery-fix-unit-scaling.patch create mode 100644 queue-4.14/powerpc-mpc512x-fix-resource-printk-format-warning.patch create mode 100644 queue-4.14/powerpc-rtas-use-memmove-for-potentially-overlapping.patch create mode 100644 queue-4.14/powerpc-sysdev-tsi108-fix-resource-printk-format-war.patch create mode 100644 
queue-4.14/powerpc-wii-fix-resource-printk-format-warnings.patch create mode 100644 queue-4.14/pstore-revert-pmsg_lock-back-to-a-normal-mutex.patch create mode 100644 queue-4.14/rdma-rdmavt-delete-unnecessary-null-check.patch create mode 100644 queue-4.14/revert-bluetooth-btsdio-fix-use-after-free-bug-in-bt.patch create mode 100644 queue-4.14/scm-fix-msg_ctrunc-setting-condition-for-so_passsec.patch create mode 100644 queue-4.14/scsi-megaraid-fix-mega_cmd_done-cmdid_int_cmds.patch create mode 100644 queue-4.14/scsi-target-iscsit-fix-tas-handling-during-conn-clea.patch create mode 100644 queue-4.14/selinux-ensure-av_permissions.h-is-built-when-needed.patch create mode 100644 queue-4.14/selinux-fix-makefile-dependencies-of-flask.h.patch create mode 100644 queue-4.14/serial-8250-add-missing-wakeup-event-reporting.patch create mode 100644 queue-4.14/sh-sq-fix-incorrect-element-size-for-allocating-bitm.patch create mode 100644 queue-4.14/spi-bcm63xx-remove-pm_sleep-based-conditional-compil.patch create mode 100644 queue-4.14/spi-fsl-spi-fix-cpm-qe-mode-litte-endian.patch create mode 100644 queue-4.14/spmi-add-a-check-for-remove-callback-when-removing-a.patch create mode 100644 queue-4.14/staging-rtl8192e-fix-w_disable-does-not-work-after-s.patch create mode 100644 queue-4.14/sunrpc-remove-the-maximum-number-of-retries-in-call_.patch create mode 100644 queue-4.14/tcp-udp-fix-memleaks-of-sk-and-zerocopy-skbs-with-tx.patch create mode 100644 queue-4.14/tty-serial-fsl_lpuart-adjust-buffer-length-to-the-in.patch create mode 100644 queue-4.14/uapi-linux-const.h-prefer-iso-friendly-__typeof__.patch create mode 100644 queue-4.14/usb-chipidea-fix-missing-goto-in-ci_hdrc_probe.patch create mode 100644 queue-4.14/vlan-partially-enable-siocshwtstamp-in-container.patch create mode 100644 queue-4.14/wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch create mode 100644 queue-4.14/wifi-ath6kl-minor-fix-for-allocation-size.patch create mode 100644 
queue-4.14/wifi-ath6kl-reduce-warn-to-dev_dbg-in-callback.patch create mode 100644 queue-4.14/wifi-iwlwifi-make-the-loop-for-card-preparation-effe.patch create mode 100644 queue-4.14/wifi-iwlwifi-mvm-check-firmware-response-size.patch create mode 100644 queue-4.14/x86-apic-fix-atomic-update-of-offset-in-reserve_eilv.patch create mode 100644 queue-4.14/x86-ioapic-don-t-return-0-from-arch_dynirq_lower_bou.patch diff --git a/queue-4.14/arm64-kgdb-set-pstate.ss-to-1-to-re-enable-single-st.patch b/queue-4.14/arm64-kgdb-set-pstate.ss-to-1-to-re-enable-single-st.patch new file mode 100644 index 00000000000..d8ef0ab591b --- /dev/null +++ b/queue-4.14/arm64-kgdb-set-pstate.ss-to-1-to-re-enable-single-st.patch 
@@ -0,0 +1,128 @@
+From 13965018a3d36e591267c0b19b1bfed5b7e8d43a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Feb 2023 13:01:48 +0530
+Subject: arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step
+
+From: Sumit Garg
+
+[ Upstream commit af6c0bd59f4f3ad5daad2f7b777954b1954551d5 ]
+
+Currently only the first attempt to single-step has any effect. After
+that all further stepping remains "stuck" at the same program counter
+value.
+
+Refer to the ARM Architecture Reference Manual (ARM DDI 0487E.a) D2.12,
+PSTATE.SS=1 should be set at each step before transferring the PE to the
+'Active-not-pending' state. The problem here is PSTATE.SS=1 is not set
+since the second single-step.
+
+After the first single-step, the PE transferes to the 'Inactive' state,
+with PSTATE.SS=0 and MDSCR.SS=1, thus PSTATE.SS won't be set to 1 due to
+kernel_active_single_step()=true. Then the PE transferes to the
+'Active-pending' state when ERET and returns to the debugger by step
+exception.
+
+Before this patch:
+==================
+Entering kdb (current=0xffff3376039f0000, pid 1) on processor 0 due to Keyboard Entry
+[0]kdb>
+
+[0]kdb>
+[0]kdb> bp write_sysrq_trigger
+Instruction(i) BP #0 at 0xffffa45c13d09290 (write_sysrq_trigger)
+ is enabled addr at ffffa45c13d09290, hardtype=0 installed=0
+
+[0]kdb> go
+$ echo h > /proc/sysrq-trigger
+
+Entering kdb (current=0xffff4f7e453f8000, pid 175) on processor 1 due to Breakpoint @ 0xffffad651a309290
+[1]kdb> ss
+
+Entering kdb (current=0xffff4f7e453f8000, pid 175) on processor 1 due to SS trap @ 0xffffad651a309294
+[1]kdb> ss
+
+Entering kdb (current=0xffff4f7e453f8000, pid 175) on processor 1 due to SS trap @ 0xffffad651a309294
+[1]kdb>
+
+After this patch:
+=================
+Entering kdb (current=0xffff6851c39f0000, pid 1) on processor 0 due to Keyboard Entry
+[0]kdb> bp write_sysrq_trigger
+Instruction(i) BP #0 at 0xffffc02d2dd09290 (write_sysrq_trigger)
+ is enabled addr at ffffc02d2dd09290, hardtype=0 installed=0
+
+[0]kdb> go
+$ echo h > /proc/sysrq-trigger
+
+Entering kdb (current=0xffff6851c53c1840, pid 174) on processor 1 due to Breakpoint @ 0xffffc02d2dd09290
+[1]kdb> ss
+
+Entering kdb (current=0xffff6851c53c1840, pid 174) on processor 1 due to SS trap @ 0xffffc02d2dd09294
+[1]kdb> ss
+
+Entering kdb (current=0xffff6851c53c1840, pid 174) on processor 1 due to SS trap @ 0xffffc02d2dd09298
+[1]kdb> ss
+
+Entering kdb (current=0xffff6851c53c1840, pid 174) on processor 1 due to SS trap @ 0xffffc02d2dd0929c
+[1]kdb>
+
+Fixes: 44679a4f142b ("arm64: KGDB: Add step debugging support")
+Co-developed-by: Wei Li
+Signed-off-by: Wei Li
+Signed-off-by: Sumit Garg
+Tested-by: Douglas Anderson
+Acked-by: Daniel Thompson
+Tested-by: Daniel Thompson
+Link: https://lore.kernel.org/r/20230202073148.657746-3-sumit.garg@linaro.org
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/include/asm/debug-monitors.h | 1 +
+ arch/arm64/kernel/debug-monitors.c | 5 +++++
+ arch/arm64/kernel/kgdb.c | 2 ++
+ 3 files changed, 8 insertions(+)
+
+diff --git a/arch/arm64/include/asm/debug-monitors.h b/arch/arm64/include/asm/debug-monitors.h
+index 41b065f1be88c..13630e8078ff4 100644
+--- a/arch/arm64/include/asm/debug-monitors.h
++++ b/arch/arm64/include/asm/debug-monitors.h
+@@ -125,6 +125,7 @@ void user_regs_reset_single_step(struct user_pt_regs *regs,
+ void kernel_enable_single_step(struct pt_regs *regs);
+ void kernel_disable_single_step(void);
+ int kernel_active_single_step(void);
++void kernel_rewind_single_step(struct pt_regs *regs);
+
+ #ifdef CONFIG_HAVE_HW_BREAKPOINT
+ int reinstall_suspended_bps(struct pt_regs *regs);
+diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
+index 2ccd0a99d8b35..970ce09078873 100644
+--- a/arch/arm64/kernel/debug-monitors.c
++++ b/arch/arm64/kernel/debug-monitors.c
+@@ -434,6 +434,11 @@ int kernel_active_single_step(void)
+ }
+ NOKPROBE_SYMBOL(kernel_active_single_step);
+
++void kernel_rewind_single_step(struct pt_regs *regs)
++{
++ set_regs_spsr_ss(regs);
++}
++
+ /* ptrace API */
+ void user_enable_single_step(struct task_struct *task)
+ {
+diff --git a/arch/arm64/kernel/kgdb.c b/arch/arm64/kernel/kgdb.c
+index 7fd7a9cd86161..05790fce1a854 100644
+--- a/arch/arm64/kernel/kgdb.c
++++ b/arch/arm64/kernel/kgdb.c
+@@ -223,6 +223,8 @@ int kgdb_arch_handle_exception(int exception_vector, int signo,
+ */
+ if (!kernel_active_single_step())
+ kernel_enable_single_step(linux_regs);
++ else
++ kernel_rewind_single_step(linux_regs);
+ err = 0;
+ break;
+ default:
+--
+2.39.2
+
diff --git a/queue-4.14/clk-add-missing-of_node_put-in-assigned-clocks-prope.patch b/queue-4.14/clk-add-missing-of_node_put-in-assigned-clocks-prope.patch
new file mode 100644
index 00000000000..437faa8778c
--- /dev/null
+++ b/queue-4.14/clk-add-missing-of_node_put-in-assigned-clocks-prope.patch
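Review bot: `kernel_rewind_single_step()` in arch/arm64/kernel/debug-monitors.c is added without a `NOKPROBE_SYMBOL()` annotation, although `kernel_active_single_step()` directly above it in the same hunk carries one. The new helper is called from `kgdb_arch_handle_exception()` on the single-step path, so a kprobe placed on it would presumably fire inside the debug exception handler; adding `NOKPROBE_SYMBOL(kernel_rewind_single_step);` after its closing brace would keep it consistent with its neighbour. A short comment on the new `else` branch in kgdb.c, e.g. `/* MDSCR.SS is already set; re-arm PSTATE.SS for the next step */`, would record why the rewind is needed. The enclosing function in kgdb.c starts and ends outside the hunk.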
@@ -0,0 +1,74 @@
+From a2747c15f76e822d8cd7cdc21b57840fe5b28b49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 31 Jan 2023 09:32:27 +0100
+Subject: clk: add missing of_node_put() in "assigned-clocks" property parsing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Léger
+
+[ Upstream commit 27a6e1b09a782517fddac91259970ac466a3f7b6 ]
+
+When returning from of_parse_phandle_with_args(), the np member of the
+of_phandle_args structure should be put after usage. Add missing
+of_node_put() calls in both __set_clk_parents() and __set_clk_rates().
+
+Fixes: 86be408bfbd8 ("clk: Support for clock parents and rates assigned from device tree")
+Signed-off-by: Clément Léger
+Link: https://lore.kernel.org/r/20230131083227.10990-1-clement.leger@bootlin.com
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/clk-conf.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/clk-conf.c b/drivers/clk/clk-conf.c
+index 49819b546134b..5c6760e45a16e 100644
+--- a/drivers/clk/clk-conf.c
++++ b/drivers/clk/clk-conf.c
+@@ -36,9 +36,12 @@ static int __set_clk_parents(struct device_node *node, bool clk_supplier)
+ else
+ return rc;
+ }
+- if (clkspec.np == node && !clk_supplier)
++ if (clkspec.np == node && !clk_supplier) {
++ of_node_put(clkspec.np);
+ return 0;
++ }
+ pclk = of_clk_get_from_provider(&clkspec);
++ of_node_put(clkspec.np);
+ if (IS_ERR(pclk)) {
+ if (PTR_ERR(pclk) != -EPROBE_DEFER)
+ pr_warn("clk: couldn't get parent clock %d for %pOF\n",
+@@ -51,10 +54,12 @@ static int __set_clk_parents(struct device_node *node, bool clk_supplier)
+ if (rc < 0)
+ goto err;
+ if (clkspec.np == node && !clk_supplier) {
++ of_node_put(clkspec.np);
+ rc = 0;
+ goto err;
+ }
+ clk = of_clk_get_from_provider(&clkspec);
++ of_node_put(clkspec.np);
+ if (IS_ERR(clk)) {
+ if (PTR_ERR(clk) != -EPROBE_DEFER)
+ pr_warn("clk: couldn't get assigned clock %d for %pOF\n",
+@@ -96,10 +101,13 @@ static int __set_clk_rates(struct device_node *node, bool clk_supplier)
+ else
+ return rc;
+ }
+- if (clkspec.np == node && !clk_supplier)
++ if (clkspec.np == node && !clk_supplier) {
++ of_node_put(clkspec.np);
+ return 0;
++ }
+
+ clk = of_clk_get_from_provider(&clkspec);
++ of_node_put(clkspec.np);
+ if (IS_ERR(clk)) {
+ if (PTR_ERR(clk) != -EPROBE_DEFER)
+ pr_warn("clk: couldn't get clock %d for %pOF\n",
+--
+2.39.2
+
diff --git a/queue-4.14/dmaengine-at_xdmac-do-not-enable-all-cyclic-channels.patch b/queue-4.14/dmaengine-at_xdmac-do-not-enable-all-cyclic-channels.patch
new file mode 100644
index 00000000000..decc241aa5c
--- /dev/null
+++ b/queue-4.14/dmaengine-at_xdmac-do-not-enable-all-cyclic-channels.patch
@@ -0,0 +1,55 @@
+From e5cfeb89c1e3dbfe6fb9df60550a2726561f7098 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Feb 2023 17:18:25 +0200
+Subject: dmaengine: at_xdmac: do not enable all cyclic channels
+
+From: Claudiu Beznea
+
+[ Upstream commit f8435befd81dd85b7b610598551fadf675849bc1 ]
+
+Do not global enable all the cyclic channels in at_xdmac_resume(). Instead
+save the global status in at_xdmac_suspend() and re-enable the cyclic
+channel only if it was active before suspend.
+
+Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver")
+Signed-off-by: Claudiu Beznea
+Link: https://lore.kernel.org/r/20230214151827.1050280-6-claudiu.beznea@microchip.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/at_xdmac.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
+index c8dd0eef0b67b..3f9f1d6e3b501 100644
+--- a/drivers/dma/at_xdmac.c
++++ b/drivers/dma/at_xdmac.c
+@@ -223,6 +223,7 @@ struct at_xdmac {
+ int irq;
+ struct clk *clk;
+ u32 save_gim;
++ u32 save_gs;
+ struct dma_pool *at_xdmac_desc_pool;
+ struct at_xdmac_chan chan[0];
+ };
+@@ -1880,6 +1881,7 @@ static int atmel_xdmac_suspend(struct device *dev)
+ }
+ }
+ atxdmac->save_gim = at_xdmac_read(atxdmac, AT_XDMAC_GIM);
++ atxdmac->save_gs = at_xdmac_read(atxdmac, AT_XDMAC_GS);
+
+ at_xdmac_off(atxdmac);
+ clk_disable_unprepare(atxdmac->clk);
+@@ -1917,7 +1919,8 @@ static int atmel_xdmac_resume(struct device *dev)
+ at_xdmac_chan_write(atchan, AT_XDMAC_CNDC, atchan->save_cndc);
+ at_xdmac_chan_write(atchan, AT_XDMAC_CIE, atchan->save_cim);
+ wmb();
+- at_xdmac_write(atxdmac, AT_XDMAC_GE, atchan->mask);
++ if (atxdmac->save_gs & atchan->mask)
++ at_xdmac_write(atxdmac, AT_XDMAC_GE, atchan->mask);
+ }
+ }
+ return 0;
+--
+2.39.2
+
diff --git a/queue-4.14/drm-probe-helper-cancel-previous-job-before-starting.patch b/queue-4.14/drm-probe-helper-cancel-previous-job-before-starting.patch
new file mode 100644
index 00000000000..e0ab7a39999
--- /dev/null
+++ b/queue-4.14/drm-probe-helper-cancel-previous-job-before-starting.patch
@@ -0,0 +1,52 @@
+From a6decf2ef1a9f4fe277af20d026d7e38a158ff83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 27 Jan 2023 16:40:52 +0100
+Subject: drm/probe-helper: Cancel previous job before starting new one
+
+From: Dom Cobley
+
+[ Upstream commit a8e47884f1906cd7440fafa056adc8817568e73e ]
+
+Currently we schedule a call to output_poll_execute from
+drm_kms_helper_poll_enable for 10s in future. Later we try to replace
+that in drm_helper_probe_single_connector_modes with a 0s schedule with
+delayed_event set.
+
+But as there is already a job in the queue this fails, and the immediate
+job we wanted with delayed_event set doesn't occur until 10s later.
+
+And that call acts as if connector state has changed, reprobing modes.
+This has a side effect of waking up a display that has been blanked.
+
+Make sure we cancel the old job before submitting the immediate one.
+
+Fixes: 162b6a57ac50 ("drm/probe-helper: don't lose hotplug event")
+Acked-by: Daniel Vetter
+Signed-off-by: Dom Cobley
+[Maxime: Switched to mod_delayed_work]
+Signed-off-by: Maxime Ripard
+Link: https://patchwork.freedesktop.org/patch/msgid/20230127154052.452524-1-maxime@cerno.tech
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/drm_probe_helper.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_probe_helper.c b/drivers/gpu/drm/drm_probe_helper.c
+index adbabf16c07b2..f76eced3ff94f 100644
+--- a/drivers/gpu/drm/drm_probe_helper.c
++++ b/drivers/gpu/drm/drm_probe_helper.c
+@@ -465,8 +465,9 @@ int drm_helper_probe_single_connector_modes(struct drm_connector *connector,
+ */
+ dev->mode_config.delayed_event = true;
+ if (dev->mode_config.poll_enabled)
+- schedule_delayed_work(&dev->mode_config.output_poll_work,
+- 0);
++ mod_delayed_work(system_wq,
++ &dev->mode_config.output_poll_work,
++ 0);
+ }
+
+ /* Re-enable polling in case the global poll config changed. */
+--
+2.39.2
+
diff --git a/queue-4.14/drm-rockchip-drop-unbalanced-obj-unref.patch b/queue-4.14/drm-rockchip-drop-unbalanced-obj-unref.patch
new file mode 100644
index 00000000000..c6a9de2faf9
--- /dev/null
+++ b/queue-4.14/drm-rockchip-drop-unbalanced-obj-unref.patch
@@ -0,0 +1,38 @@
+From 40ff9076d565210667b6623d2189c99e497bd5c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 Jan 2023 15:17:34 -0800
+Subject: drm/rockchip: Drop unbalanced obj unref
+
+From: Rob Clark
+
+[ Upstream commit 8ee3b0e85f6ccd9e6c527bc50eaba774c3bb18d0 ]
+
+In the error path, rockchip_drm_gem_object_mmap() is dropping an obj
+reference that it doesn't own.
+
+Fixes: 41315b793e13 ("drm/rockchip: use drm_gem_mmap helpers")
+Signed-off-by: Rob Clark
+Signed-off-by: Heiko Stuebner
+Link: https://patchwork.freedesktop.org/patch/msgid/20230119231734.2884543-1-robdclark@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
+index bde65186a3c37..8ba3a682dd9ad 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
+@@ -268,9 +268,6 @@ static int rockchip_drm_gem_object_mmap(struct drm_gem_object *obj,
+ else
+ ret = rockchip_drm_gem_object_mmap_dma(obj, vma);
+
+- if (ret)
+- drm_gem_vm_close(vma);
+-
+ return ret;
+ }
+
+--
+2.39.2
+
diff --git a/queue-4.14/drm-vgem-add-missing-mutex_destroy.patch b/queue-4.14/drm-vgem-add-missing-mutex_destroy.patch
new file mode 100644
index 00000000000..4323d87da10
--- /dev/null
+++ b/queue-4.14/drm-vgem-add-missing-mutex_destroy.patch
@@ -0,0 +1,42 @@
+From 327c2e7add5ea238440c59cac4e1b77b09de4747 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Feb 2023 09:55:17 -0300
+Subject: drm/vgem: add missing mutex_destroy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal
+
+[ Upstream commit 7c18189b14b33c1fbf76480b1bd217877c086e67 ]
+
+vgem_fence_open() instantiates a mutex for a particular fence
+instance, but never destroys it by calling mutex_destroy() in
+vgem_fence_close().
+
+So, add the missing mutex_destroy() to guarantee proper resource
+destruction.
+
+Fixes: 407779848445 ("drm/vgem: Attach sw fences to exported vGEM dma-buf (ioctl)")
+Signed-off-by: Maíra Canal
+Reviewed-by: Stanislaw Gruszka
+Signed-off-by: Maíra Canal
+Link: https://patchwork.freedesktop.org/patch/msgid/20230202125517.427976-1-mcanal@igalia.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vgem/vgem_fence.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vgem/vgem_fence.c b/drivers/gpu/drm/vgem/vgem_fence.c
+index 8fd52f211e9d9..673db9bf3c5d1 100644
+--- a/drivers/gpu/drm/vgem/vgem_fence.c
++++ b/drivers/gpu/drm/vgem/vgem_fence.c
+@@ -280,4 +280,5 @@ void vgem_fence_close(struct vgem_file *vfile)
+ {
+ idr_for_each(&vfile->fence_idr, __vgem_fence_idr_fini, vfile);
+ idr_destroy(&vfile->fence_idr);
++ mutex_destroy(&vfile->fence_mutex);
+ }
+--
+2.39.2
+
diff --git a/queue-4.14/ia64-mm-contig-fix-section-mismatch-warning-error.patch b/queue-4.14/ia64-mm-contig-fix-section-mismatch-warning-error.patch
new file mode 100644
index 00000000000..af0fd810fc9
--- /dev/null
+++ b/queue-4.14/ia64-mm-contig-fix-section-mismatch-warning-error.patch
@@ -0,0 +1,41 @@
+From 6ccf44ca995c95e89139dd46894b4871f253d71f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Feb 2023 19:42:58 -0800
+Subject: ia64: mm/contig: fix section mismatch warning/error
+
+From: Randy Dunlap
+
+[ Upstream commit 58deeb4ef3b054498747d0929d94ac53ab90981f ]
+
+alloc_per_cpu_data() is called by find_memory(), which is marked as
+__init. Therefore alloc_per_cpu_data() can also be marked as __init to
+remedy this modpost problem.
+
+WARNING: modpost: vmlinux.o: section mismatch in reference: alloc_per_cpu_data (section: .text) -> memblock_alloc_try_nid (section: .init.text)
+
+Link: https://lkml.kernel.org/r/20230223034258.12917-1-rdunlap@infradead.org
+Fixes: 4b9ddc7cf272 ("[IA64] Fix section mismatch in contig.c version of per_cpu_init()")
+Signed-off-by: Randy Dunlap
+Cc: Christoph Hellwig
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ arch/ia64/mm/contig.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/ia64/mm/contig.c b/arch/ia64/mm/contig.c
+index 52715a71aede0..179d354e02321 100644
+--- a/arch/ia64/mm/contig.c
++++ b/arch/ia64/mm/contig.c
+@@ -129,7 +129,7 @@ void *per_cpu_init(void)
+ return __per_cpu_start + __per_cpu_offset[smp_processor_id()];
+ }
+
+-static inline void
++static inline __init void
+ alloc_per_cpu_data(void)
+ {
+ cpu_data = __alloc_bootmem(PERCPU_PAGE_SIZE * num_possible_cpus(),
+--
+2.39.2
+
diff --git a/queue-4.14/ib-hfi1-fix-sdma-mmu_rb_node-not-being-evicted-in-lr.patch b/queue-4.14/ib-hfi1-fix-sdma-mmu_rb_node-not-being-evicted-in-lr.patch
new file mode 100644
index 00000000000..0ed44a87db4
--- /dev/null
+++ b/queue-4.14/ib-hfi1-fix-sdma-mmu_rb_node-not-being-evicted-in-lr.patch
@@ -0,0 +1,93 @@
+From 24f9a331973157057815ff57eb5a57b280b228d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Apr 2023 12:52:39 -0400
+Subject: IB/hfi1: Fix SDMA mmu_rb_node not being evicted in LRU order
+
+From: Patrick Kelsey
+
+[ Upstream commit 9fe8fec5e43d5a80f43cbf61aaada1b047a1eb61 ]
+
+hfi1_mmu_rb_remove_unless_exact() did not move mmu_rb_node objects in
+mmu_rb_handler->lru_list after getting a cache hit on an mmu_rb_node.
+
+As a result, hfi1_mmu_rb_evict() was not guaranteed to evict truly
+least-recently used nodes.
+
+This could be a performance issue for an application when that
+application:
+- Uses some long-lived buffers frequently.
+- Uses a large number of buffers once.
+- Hits the mmu_rb_handler cache size or pinned-page limits, forcing
+ mmu_rb_handler cache entries to be evicted.
+
+In this case, the one-time use buffers cause the long-lived buffer
+entries to eventually filter to the end of the LRU list where
+hfi1_mmu_rb_evict() will consider evicting a frequently-used long-lived
+entry instead of evicting one of the one-time use entries.
+
+Fix this by inserting new mmu_rb_node at the tail of
+mmu_rb_handler->lru_list and move mmu_rb_ndoe to the tail of
+mmu_rb_handler->lru_list when the mmu_rb_node is a hit in
+hfi1_mmu_rb_remove_unless_exact(). Change hfi1_mmu_rb_evict() to evict
+from the head of mmu_rb_handler->lru_list instead of the tail.
+
+Fixes: 0636e9ab8355 ("IB/hfi1: Add cache evict LRU list")
+Signed-off-by: Brendan Cunningham
+Signed-off-by: Patrick Kelsey
+Signed-off-by: Dennis Dalessandro
+Link: https://lore.kernel.org/r/168088635931.3027109.10423156330761536044.stgit@252.162.96.66.static.eigbox.net
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/hfi1/mmu_rb.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/mmu_rb.c b/drivers/infiniband/hw/hfi1/mmu_rb.c
+index 175002c046ede..42eddaf3a9947 100644
+--- a/drivers/infiniband/hw/hfi1/mmu_rb.c
++++ b/drivers/infiniband/hw/hfi1/mmu_rb.c
+@@ -177,7 +177,7 @@ int hfi1_mmu_rb_insert(struct mmu_rb_handler *handler,
+ goto unlock;
+ }
+ __mmu_int_rb_insert(mnode, &handler->root);
+- list_add(&mnode->list, &handler->lru_list);
++ list_add_tail(&mnode->list, &handler->lru_list);
+
+ ret = handler->ops->insert(handler->ops_arg, mnode);
+ if (ret) {
+@@ -224,8 +224,10 @@ bool hfi1_mmu_rb_remove_unless_exact(struct mmu_rb_handler *handler,
+ spin_lock_irqsave(&handler->lock, flags);
+ node = __mmu_rb_search(handler, addr, len);
+ if (node) {
+- if (node->addr == addr && node->len == len)
++ if (node->addr == addr && node->len == len) {
++ list_move_tail(&node->list, &handler->lru_list);
+ goto unlock;
++ }
+ __mmu_int_rb_remove(node, &handler->root);
+ list_del(&node->list); /* remove from LRU list */
+ ret = true;
+@@ -246,8 +248,7 @@ void hfi1_mmu_rb_evict(struct mmu_rb_handler *handler, void *evict_arg)
+ INIT_LIST_HEAD(&del_list);
+
+ spin_lock_irqsave(&handler->lock, flags);
+- list_for_each_entry_safe_reverse(rbnode, ptr, &handler->lru_list,
+- list) {
++ list_for_each_entry_safe(rbnode, ptr, &handler->lru_list, list) {
+ if (handler->ops->evict(handler->ops_arg, rbnode, evict_arg,
+ &stop)) {
+ __mmu_int_rb_remove(rbnode, &handler->root);
+@@ -259,9 +260,7 @@ void hfi1_mmu_rb_evict(struct mmu_rb_handler *handler, void *evict_arg)
+ }
+ spin_unlock_irqrestore(&handler->lock, flags);
+
+- while (!list_empty(&del_list)) {
+- rbnode = list_first_entry(&del_list, struct mmu_rb_node, list);
+- list_del(&rbnode->list);
++ list_for_each_entry_safe(rbnode, ptr, &del_list, list) {
+ handler->ops->remove(handler->ops_arg, rbnode);
+ }
+ }
+--
+2.39.2
+
diff --git a/queue-4.14/ipv4-fix-potential-uninit-variable-access-bug-in-__i.patch b/queue-4.14/ipv4-fix-potential-uninit-variable-access-bug-in-__i.patch
new file mode 100644
index 00000000000..fc64339a45b
--- /dev/null
+++ b/queue-4.14/ipv4-fix-potential-uninit-variable-access-bug-in-__i.patch
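Review bot: The last hunk of hfi1_mmu_rb_evict() drops `list_del(&rbnode->list);` when it rewrites the `del_list` drain loop, so each node is still linked to the on-stack `del_list` head when `handler->ops->remove()` is called on it. That is only safe if the remove callback frees the node and nothing reads `rbnode->list` afterwards (the callback is not visible here); if a node can outlive the call, its list pointers refer to a stack frame that has already returned. Keeping the unlink in the new loop, `list_del(&rbnode->list);` ahead of `handler->ops->remove(handler->ops_arg, rbnode);`, preserves what the old loop guaranteed. The function body starts outside the hunk.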
@@ -0,0 +1,56 @@
+From 6ae8799207199cef02c26701b0e97b413ac32976 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Apr 2023 20:40:35 +0800
+Subject: ipv4: Fix potential uninit variable access bug in __ip_make_skb()
+
+From: Ziyang Xuan
+
+[ Upstream commit 99e5acae193e369b71217efe6f1dad42f3f18815 ]
+
+Like commit ea30388baebc ("ipv6: Fix an uninit variable access bug in
+__ip6_make_skb()"). icmphdr does not in skb linear region under the
+scenario of SOCK_RAW socket. Access icmp_hdr(skb)->type directly will
+trigger the uninit variable access bug.
+
+Use a local variable icmp_type to carry the correct value in different
+scenarios.
+
+Fixes: 96793b482540 ("[IPV4]: Add ICMPMsgStats MIB (RFC 4293)")
+Reviewed-by: Willem de Bruijn
+Signed-off-by: Ziyang Xuan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/ip_output.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index aab18ab49e3b9..c5c9dc0f41cbc 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1415,9 +1415,19 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
+ cork->dst = NULL;
+ skb_dst_set(skb, &rt->dst);
+
+- if (iph->protocol == IPPROTO_ICMP)
+- icmp_out_count(net, ((struct icmphdr *)
+- skb_transport_header(skb))->type);
++ if (iph->protocol == IPPROTO_ICMP) {
++ u8 icmp_type;
++
++ /* For such sockets, transhdrlen is zero when do ip_append_data(),
++ * so icmphdr does not in skb linear region and can not get icmp_type
++ * by icmp_hdr(skb)->type.
++ */
++ if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl)
++ icmp_type = fl4->fl4_icmp_type;
++ else
++ icmp_type = icmp_hdr(skb)->type;
++ icmp_out_count(net, icmp_type);
++ }
+
+ ip_cork_release(cork);
+ out:
+--
+2.39.2
+
diff --git a/queue-4.14/ixgbe-allow-flow-hash-to-be-set-via-ethtool.patch b/queue-4.14/ixgbe-allow-flow-hash-to-be-set-via-ethtool.patch
new file mode 100644
index 00000000000..29b7f6a2dc4
--- /dev/null
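Review bot: The comment added above the `sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl` test opens with "For such sockets" before any socket type has been named, and its wording makes the reason for the branch hard to follow. This branch is what keeps `icmp_hdr(skb)->type` from being read when the header is not in the linear area, so it is worth stating plainly, e.g. `/* Raw sockets without hdrincl pass transhdrlen == 0 to ip_append_data(), so the ICMP header may not be in the skb linear area; use the type recorded in the flow. */`. The `else` branch still dereferences `icmp_hdr(skb)`, so the comment could also name the socket types expected to reach it. __ip_make_skb() starts and ends outside the hunk.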
+++ b/queue-4.14/ixgbe-allow-flow-hash-to-be-set-via-ethtool.patch 
@@ -0,0 +1,68 @@
+From c9b9a2de51c34da076236e8456a01e4bd7cff815 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 16 Apr 2023 19:12:22 +0000
+Subject: ixgbe: Allow flow hash to be set via ethtool
+
+From: Joe Damato
+
+[ Upstream commit 4f3ed1293feb9502dc254b05802faf1ad3317ac6 ]
+
+ixgbe currently returns `EINVAL` whenever the flowhash it set by ethtool
+because the ethtool code in the kernel passes a non-zero value for hfunc
+that ixgbe should allow.
+
+When ethtool is called with `ETHTOOL_SRXFHINDIR`,
+`ethtool_set_rxfh_indir` will call ixgbe's set_rxfh function
+with `ETH_RSS_HASH_NO_CHANGE`. This value should be accepted.
+
+When ethtool is called with `ETHTOOL_SRSSH`, `ethtool_set_rxfh` will
+call ixgbe's set_rxfh function with `rxfh.hfunc`, which appears to be
+hardcoded in ixgbe to always be `ETH_RSS_HASH_TOP`. This value should
+also be accepted.
+
+Before this patch:
+
+$ sudo ethtool -L eth1 combined 10
+$ sudo ethtool -X eth1 default
+Cannot set RX flow hash configuration: Invalid argument
+
+After this patch:
+
+$ sudo ethtool -L eth1 combined 10
+$ sudo ethtool -X eth1 default
+$ sudo ethtool -x eth1
+RX flow hash indirection table for eth1 with 10 RX ring(s):
+ 0: 0 1 2 3 4 5 6 7
+ 8: 8 9 0 1 2 3 4 5
+ 16: 6 7 8 9 0 1 2 3
+ 24: 4 5 6 7 8 9 0 1
+ ...
+
+Fixes: 1c7cf0784e4d ("ixgbe: support for ethtool set_rxfh")
+Signed-off-by: Joe Damato
+Reviewed-by: Sridhar Samudrala
+Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+index f7e68083200cf..4bfa9ba8201b1 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+@@ -3020,8 +3020,8 @@ static int ixgbe_set_rxfh(struct net_device *netdev, const u32 *indir,
+ int i;
+ u32 reta_entries = ixgbe_rss_indir_tbl_entries(adapter);
+
+- if (hfunc)
+- return -EINVAL;
++ if (hfunc != ETH_RSS_HASH_NO_CHANGE && hfunc != ETH_RSS_HASH_TOP)
++ return -EOPNOTSUPP;
+
+ /* Fill out the redirection table */
+ if (indir) {
+--
+2.39.2
+
diff --git a/queue-4.14/ixgbe-enable-setting-rss-table-to-default-values.patch b/queue-4.14/ixgbe-enable-setting-rss-table-to-default-values.patch
new file mode 100644
index 00000000000..5a153bbe04a
--- /dev/null
+++ b/queue-4.14/ixgbe-enable-setting-rss-table-to-default-values.patch
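Review bot: The rejected-`hfunc` path in `ixgbe_set_rxfh()` now returns `-EOPNOTSUPP` where it used to return `-EINVAL`, and the commit message only describes the newly accepted values. That is a user-visible errno change carried into a stable queue, so it deserves a line in the message or a comment above the check, for example `/* ixgbe only reports ETH_RSS_HASH_TOP; accept it and "no change", reject the rest */`. The function starts before and continues after this hunk.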
@@ -0,0 +1,147 @@ +From 3440a3b907e9f5c98f7cd13738e3537767e9d047 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Apr 2023 19:12:23 +0000 +Subject: ixgbe: Enable setting RSS table to default values + +From: Joe Damato + +[ Upstream commit e85d3d55875f7a1079edfbc4e4e98d6f8aea9ac7 ] + +ethtool uses `ETHTOOL_GRXRINGS` to compute how many queues are supported +by RSS. The driver should return the smaller of either: + - The maximum number of RSS queues the device supports, OR + - The number of RX queues configured + +Prior to this change, running `ethtool -X $iface default` fails if the +number of queues configured is larger than the number supported by RSS, +even though changing the queue count correctly resets the flowhash to +use all supported queues. + +Other drivers (for example, i40e) will succeed but the flow hash will +reset to support the maximum number of queues supported by RSS, even if +that amount is smaller than the configured amount. + +Prior to this change: + +$ sudo ethtool -L eth1 combined 20 +$ sudo ethtool -x eth1 +RX flow hash indirection table for eth1 with 20 RX ring(s): + 0: 0 1 2 3 4 5 6 7 + 8: 8 9 10 11 12 13 14 15 + 16: 0 1 2 3 4 5 6 7 + 24: 8 9 10 11 12 13 14 15 + 32: 0 1 2 3 4 5 6 7 +... + +You can see that the flowhash was correctly set to use the maximum +number of queues supported by the driver (16). + +However, asking the NIC to reset to "default" fails: + +$ sudo ethtool -X eth1 default +Cannot set RX flow hash configuration: Invalid argument + +After this change, the flowhash can be reset to default which will use +all of the available RSS queues (16) or the configured queue count, +whichever is smaller. + +Starting with eth1 which has 10 queues and a flowhash distributing to +all 10 queues: + +$ sudo ethtool -x eth1 +RX flow hash indirection table for eth1 with 10 RX ring(s): + 0: 0 1 2 3 4 5 6 7 + 8: 8 9 0 1 2 3 4 5 + 16: 6 7 8 9 0 1 2 3 +... 
+ +Increasing the queue count to 48 resets the flowhash to distribute to 16 +queues, as it did before this patch: + +$ sudo ethtool -L eth1 combined 48 +$ sudo ethtool -x eth1 +RX flow hash indirection table for eth1 with 16 RX ring(s): + 0: 0 1 2 3 4 5 6 7 + 8: 8 9 10 11 12 13 14 15 + 16: 0 1 2 3 4 5 6 7 +... + +Due to the other bugfix in this series, the flowhash can be set to use +queues 0-5: + +$ sudo ethtool -X eth1 equal 5 +$ sudo ethtool -x eth1 +RX flow hash indirection table for eth1 with 16 RX ring(s): + 0: 0 1 2 3 4 0 1 2 + 8: 3 4 0 1 2 3 4 0 + 16: 1 2 3 4 0 1 2 3 +... + +Due to this bugfix, the flowhash can be reset to default and use 16 +queues: + +$ sudo ethtool -X eth1 default +$ sudo ethtool -x eth1 +RX flow hash indirection table for eth1 with 16 RX ring(s): + 0: 0 1 2 3 4 5 6 7 + 8: 8 9 10 11 12 13 14 15 + 16: 0 1 2 3 4 5 6 7 +... + +Fixes: 91cd94bfe4f0 ("ixgbe: add basic support for setting and getting nfc controls") +Signed-off-by: Joe Damato +Reviewed-by: Sridhar Samudrala +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +index 4bfa9ba8201b1..55b2b6eaae2bf 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +@@ -2554,6 +2554,14 @@ static int ixgbe_get_rss_hash_opts(struct ixgbe_adapter *adapter, + return 0; + } + ++static int ixgbe_rss_indir_tbl_max(struct ixgbe_adapter *adapter) ++{ ++ if (adapter->hw.mac.type < ixgbe_mac_X550) ++ return 16; ++ else ++ return 64; ++} ++ + static int ixgbe_get_rxnfc(struct net_device *dev, struct ethtool_rxnfc *cmd, + u32 *rule_locs) + { +@@ -2562,7 +2570,8 @@ static int ixgbe_get_rxnfc(struct net_device *dev, struct ethtool_rxnfc 
*cmd, + + switch (cmd->cmd) { + case ETHTOOL_GRXRINGS: +- cmd->data = adapter->num_rx_queues; ++ cmd->data = min_t(int, adapter->num_rx_queues, ++ ixgbe_rss_indir_tbl_max(adapter)); + ret = 0; + break; + case ETHTOOL_GRXCLSRLCNT: +@@ -2964,14 +2973,6 @@ static int ixgbe_set_rxnfc(struct net_device *dev, struct ethtool_rxnfc *cmd) + return ret; + } + +-static int ixgbe_rss_indir_tbl_max(struct ixgbe_adapter *adapter) +-{ +- if (adapter->hw.mac.type < ixgbe_mac_X550) +- return 16; +- else +- return 64; +-} +- + static u32 ixgbe_get_rxfh_key_size(struct net_device *netdev) + { + return IXGBE_RSS_KEY_SIZE; +-- +2.39.2 + diff --git a/queue-4.14/linux-vt_buffer.h-allow-either-builtin-or-modular-fo.patch b/queue-4.14/linux-vt_buffer.h-allow-either-builtin-or-modular-fo.patch new file mode 100644 index 00000000000..d0ec44dfd52 --- /dev/null +++ b/queue-4.14/linux-vt_buffer.h-allow-either-builtin-or-modular-fo.patch 
@@ -0,0 +1,58 @@ +From 7b99eb01a044e841da073f8636a0eb033330c74b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Mar 2023 19:15:29 -0700 +Subject: linux/vt_buffer.h: allow either builtin or modular for macros + +From: Randy Dunlap + +[ Upstream commit 2b76ffe81e32afd6d318dc4547e2ba8c46207b77 ] + +Fix build errors on ARCH=alpha when CONFIG_MDA_CONSOLE=m. +This allows the ARCH macros to be the only ones defined. + +In file included from ../drivers/video/console/mdacon.c:37: +../arch/alpha/include/asm/vga.h:17:40: error: expected identifier or '(' before 'volatile' + 17 | static inline void scr_writew(u16 val, volatile u16 *addr) + | ^~~~~~~~ +../include/linux/vt_buffer.h:24:34: note: in definition of macro 'scr_writew' + 24 | #define scr_writew(val, addr) (*(addr) = (val)) + | ^~~~ +../include/linux/vt_buffer.h:24:40: error: expected ')' before '=' token + 24 | #define scr_writew(val, addr) (*(addr) = (val)) + | ^ +../arch/alpha/include/asm/vga.h:17:20: note: in expansion of macro 'scr_writew' + 17 | static inline void scr_writew(u16 val, volatile u16 *addr) + | ^~~~~~~~~~ +../arch/alpha/include/asm/vga.h:25:29: error: expected identifier or '(' before 'volatile' + 25 | static inline u16 scr_readw(volatile const u16 *addr) + | ^~~~~~~~ + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Randy Dunlap +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: dri-devel@lists.freedesktop.org +Cc: linux-fbdev@vger.kernel.org +Link: https://lore.kernel.org/r/20230329021529.16188-1-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + include/linux/vt_buffer.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/vt_buffer.h b/include/linux/vt_buffer.h +index 848db1b1569ff..919d999a8c1db 100644 +--- a/include/linux/vt_buffer.h ++++ b/include/linux/vt_buffer.h +@@ -16,7 +16,7 @@ + + #include + +-#if defined(CONFIG_VGA_CONSOLE) || defined(CONFIG_MDA_CONSOLE) ++#if IS_ENABLED(CONFIG_VGA_CONSOLE) || 
IS_ENABLED(CONFIG_MDA_CONSOLE) + #include + #endif + +-- +2.39.2 + diff --git a/queue-4.14/macintosh-via-pmu-led-requires-ata-to-be-set.patch b/queue-4.14/macintosh-via-pmu-led-requires-ata-to-be-set.patch new file mode 100644 index 00000000000..2070db199d7 --- /dev/null +++ b/queue-4.14/macintosh-via-pmu-led-requires-ata-to-be-set.patch @@ -0,0 +1,45 @@ +From f9edf72a195ff502030d0ea75f19c1df86ee0d55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Feb 2023 17:42:41 -0800 +Subject: macintosh: via-pmu-led: requires ATA to be set + +From: Randy Dunlap + +[ Upstream commit 05dce4ba125336875cd3eed3c1503fa81cd2f691 ] + +LEDS_TRIGGER_DISK depends on ATA, so selecting LEDS_TRIGGER_DISK +when ATA is not set/enabled causes a Kconfig warning: + +WARNING: unmet direct dependencies detected for LEDS_TRIGGER_DISK + Depends on [n]: NEW_LEDS [=y] && LEDS_TRIGGERS [=y] && ATA [=n] + Selected by [y]: + - ADB_PMU_LED_DISK [=y] && MACINTOSH_DRIVERS [=y] && ADB_PMU_LED [=y] && LEDS_CLASS [=y] + +Fix this by making ADB_PMU_LED_DISK depend on ATA. + +Seen on both PPC32 and PPC64. + +Fixes: 0e865a80c135 ("macintosh: Remove dependency on IDE_GD_ATA if ADB_PMU_LED_DISK is selected") +Signed-off-by: Randy Dunlap +Signed-off-by: Michael Ellerman +Link: https://msgid.link/20230223014241.20878-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/macintosh/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/macintosh/Kconfig b/drivers/macintosh/Kconfig +index 5e47d91da5193..aa42a41ba4389 100644 +--- a/drivers/macintosh/Kconfig ++++ b/drivers/macintosh/Kconfig +@@ -94,6 +94,7 @@ config ADB_PMU_LED + + config ADB_PMU_LED_DISK + bool "Use front LED as DISK LED by default" ++ depends on ATA + depends on ADB_PMU_LED + depends on LEDS_CLASS + select LEDS_TRIGGERS +-- +2.39.2 + 
diff --git a/queue-4.14/macintosh-windfarm_smu_sat-add-missing-of_node_put.patch b/queue-4.14/macintosh-windfarm_smu_sat-add-missing-of_node_put.patch
new file mode 100644
index 00000000000..1b5690e012c
--- /dev/null
+++ b/queue-4.14/macintosh-windfarm_smu_sat-add-missing-of_node_put.patch
@@ -0,0 +1,36 @@
+From 78fd33913cf92eac8013d7606c7b449ad12875a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 30 Mar 2023 11:35:58 +0800
+Subject: macintosh/windfarm_smu_sat: Add missing of_node_put()
+
+From: Liang He
+
+[ Upstream commit 631cf002826007ab7415258ee647dcaf8845ad5a ]
+
+We call of_node_get() in wf_sat_probe() after sat is created,
+so we need the of_node_put() before *kfree(sat)*.
+
+Fixes: ac171c46667c ("[PATCH] powerpc: Thermal control for dual core G5s")
+Signed-off-by: Liang He
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20230330033558.2562778-1-windhl@126.com
+Signed-off-by: Sasha Levin
+---
+ drivers/macintosh/windfarm_smu_sat.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/macintosh/windfarm_smu_sat.c b/drivers/macintosh/windfarm_smu_sat.c
+index a0f61eb853c55..644e123510c52 100644
+--- a/drivers/macintosh/windfarm_smu_sat.c
++++ b/drivers/macintosh/windfarm_smu_sat.c
+@@ -172,6 +172,7 @@ static void wf_sat_release(struct kref *ref)
+
+ if (sat->nr >= 0)
+ sats[sat->nr] = NULL;
++ of_node_put(sat->node);
+ kfree(sat);
+ }
+
+--
+2.39.2
+
diff --git a/queue-4.14/md-raid10-fix-leak-of-r10bio-remaining-for-recovery.patch b/queue-4.14/md-raid10-fix-leak-of-r10bio-remaining-for-recovery.patch
new file mode 100644
index 00000000000..ce3ed3cb987
--- /dev/null
+++ b/queue-4.14/md-raid10-fix-leak-of-r10bio-remaining-for-recovery.patch
@@ -0,0 +1,73 @@
+From 4d78ceab23a3e2c044c126adf2925858ff184030 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 Mar 2023 15:38:53 +0800
+Subject: md/raid10: fix leak of 'r10bio->remaining' for recovery
+
+From: Yu Kuai
+
+[ Upstream commit 26208a7cffd0c7cbf14237ccd20c7270b3ffeb7e ]
+
+raid10_sync_request() will add 'r10bio->remaining' for both rdev and
+replacement rdev. However, if the read io fails, recovery_request_write()
+returns without issuing the write io, in this case, end_sync_request()
+is only called once and 'remaining' is leaked, cause an io hang.
+
+Fix the problem by decreasing 'remaining' according to if 'bio' and
+'repl_bio' is valid.
+
+Fixes: 24afd80d99f8 ("md/raid10: handle recovery of replacement devices.")
+Signed-off-by: Yu Kuai
+Signed-off-by: Song Liu
+Link: https://lore.kernel.org/r/20230310073855.1337560-5-yukuai1@huaweicloud.com
+Signed-off-by: Sasha Levin
+---
+ drivers/md/raid10.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index 3ad0a1460eb77..95c3a21cd7335 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -2234,11 +2234,22 @@ static void recovery_request_write(struct mddev *mddev, struct r10bio *r10_bio)
+ {
+ struct r10conf *conf = mddev->private;
+ int d;
+- struct bio *wbio, *wbio2;
++ struct bio *wbio = r10_bio->devs[1].bio;
++ struct bio *wbio2 = r10_bio->devs[1].repl_bio;
++
++ /* Need to test wbio2->bi_end_io before we call
++ * generic_make_request as if the former is NULL,
++ * the latter is free to free wbio2.
++ */
++ if (wbio2 && !wbio2->bi_end_io)
++ wbio2 = NULL;
+
+ if (!test_bit(R10BIO_Uptodate, &r10_bio->state)) {
+ fix_recovery_read_error(r10_bio);
+- end_sync_request(r10_bio);
++ if (wbio->bi_end_io)
++ end_sync_request(r10_bio);
++ if (wbio2)
++ end_sync_request(r10_bio);
+ return;
+ }
+
+@@ -2247,14 +2258,6 @@ static void recovery_request_write(struct mddev *mddev, struct r10bio *r10_bio)
+ * and submit the write request
+ */
+ d = r10_bio->devs[1].devnum;
+- wbio = r10_bio->devs[1].bio;
+- wbio2 = r10_bio->devs[1].repl_bio;
+- /* Need to test wbio2->bi_end_io before we call
+- * generic_make_request as if the former is NULL,
+- * the latter is free to free wbio2.
+- */
+- if (wbio2 && !wbio2->bi_end_io)
+- wbio2 = NULL;
+ if (wbio->bi_end_io) {
+ atomic_inc(&conf->mirrors[d].rdev->nr_pending);
+ md_sync_acct(conf->mirrors[d].rdev->bdev, bio_sectors(wbio));
+--
+2.39.2
+
diff --git a/queue-4.14/media-av7110-prevent-underflow-in-write_ts_to_decode.patch b/queue-4.14/media-av7110-prevent-underflow-in-write_ts_to_decode.patch
new file mode 100644
index 00000000000..7ea903b8959
--- /dev/null
+++ b/queue-4.14/media-av7110-prevent-underflow-in-write_ts_to_decode.patch
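Review bot: The read-error branch of `recovery_request_write()` now calls `end_sync_request(r10_bio)` up to twice, and the reason is explained only in the commit message. A comment at that branch, e.g. `/* drop one 'remaining' count per bio that has bi_end_io set, matching what raid10_sync_request() added */`, would keep the pairing visible to the next reader. The moved block comment about testing `wbio2->bi_end_io` before `generic_make_request` now sits at the declarations, away from the submission code it describes. Note also that `wbio` is dereferenced without the NULL test that `wbio2` gets; presumably `devs[1].bio` is always set on this path, but the hunk does not show that.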
@@ -0,0 +1,47 @@
+From 115a6ca458cf1a9c55764a1b23b572d9affa3cf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Mar 2023 11:00:23 +0100
+Subject: media: av7110: prevent underflow in write_ts_to_decoder()
+
+From: Dan Carpenter
+
+[ Upstream commit eed9496a0501357aa326ddd6b71408189ed872eb ]
+
+The buf[4] value comes from the user via ts_play(). It is a value in
+the u8 range. The final length we pass to av7110_ipack_instant_repack()
+is "len - (buf[4] + 1) - 4" so add a check to ensure that the length is
+not negative. It's not clear that passing a negative len value does
+anything bad necessarily, but it's not best practice.
+
+With the new bounds checking the "if (!len)" condition is no longer
+possible or required so remove that.
+
+Fixes: fd46d16d602a ("V4L/DVB (11759): dvb-ttpci: Add TS replay capability")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/pci/ttpci/av7110_av.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/pci/ttpci/av7110_av.c b/drivers/media/pci/ttpci/av7110_av.c
+index 2aa4ba675194e..43b780aadf5fe 100644
+--- a/drivers/media/pci/ttpci/av7110_av.c
++++ b/drivers/media/pci/ttpci/av7110_av.c
+@@ -836,10 +836,10 @@ static int write_ts_to_decoder(struct av7110 *av7110, int type, const u8 *buf, s
+ av7110_ipack_flush(ipack);
+
+ if (buf[3] & ADAPT_FIELD) {
++ if (buf[4] > len - 1 - 4)
++ return 0;
+ len -= buf[4] + 1;
+ buf += buf[4] + 1;
+- if (!len)
+- return 0;
+ }
+
+ av7110_ipack_instant_repack(buf + 4, len - 4, ipack);
+--
+2.39.2
+
diff --git a/queue-4.14/media-bdisp-add-missing-check-for-create_workqueue.patch b/queue-4.14/media-bdisp-add-missing-check-for-create_workqueue.patch
new file mode 100644
index 00000000000..ccc8ac956c4
--- /dev/null
+++ b/queue-4.14/media-bdisp-add-missing-check-for-create_workqueue.patch
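Review bot: The added guard `if (buf[4] > len - 1 - 4)` in `write_ts_to_decoder()` is only sound when `len` is at least 5. The hunk header cuts the signature off before the type of `len`, but if it is unsigned (the trailing `s` suggests `size_t`), a shorter buffer makes `len - 1 - 4` wrap to a very large value and the check passes. The following `len -= buf[4] + 1` and the later `len - 4` would then wrap too, which is the underflow the commit means to prevent, and `buf[3]`/`buf[4]` are read before any length test in the visible lines. Unless every caller guarantees a full TS packet, I would write the guard as `if (len < 5 || buf[4] > len - 5) return 0;`. The function starts before and continues after this hunk.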
@@ -0,0 +1,37 @@
+From cf9fd04dc5c1210c5d4f00f0516ad0e3d7caa435 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 8 Feb 2023 08:14:42 +0100
+Subject: media: bdisp: Add missing check for create_workqueue
+
+From: Jiasheng Jiang
+
+[ Upstream commit 2371adeab717d8fe32144a84f3491a03c5838cfb ]
+
+Add the check for the return value of the create_workqueue
+in order to avoid NULL pointer dereference.
+
+Fixes: 28ffeebbb7bd ("[media] bdisp: 2D blitter driver using v4l2 mem2mem framework")
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/platform/sti/bdisp/bdisp-v4l2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
+index 79de7d413cf5e..d7432e0e3e6e1 100644
+--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
+@@ -1308,6 +1308,8 @@ static int bdisp_probe(struct platform_device *pdev)
+ init_waitqueue_head(&bdisp->irq_queue);
+ INIT_DELAYED_WORK(&bdisp->timeout_work, bdisp_irq_timeout);
+ bdisp->work_queue = create_workqueue(BDISP_NAME);
++ if (!bdisp->work_queue)
++ return -ENOMEM;
+
+ spin_lock_init(&bdisp->slock);
+ mutex_init(&bdisp->lock);
+--
+2.39.2
+
diff --git a/queue-4.14/media-dm1105-fix-use-after-free-bug-in-dm1105_remove.patch b/queue-4.14/media-dm1105-fix-use-after-free-bug-in-dm1105_remove.patch
new file mode 100644
index 00000000000..402074da9c2
--- /dev/null
+++ b/queue-4.14/media-dm1105-fix-use-after-free-bug-in-dm1105_remove.patch
@@ -0,0 +1,56 @@
+From 2fc9db5a8a57746d3a9edeac0a9160e93e770a9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 18 Mar 2023 16:15:06 +0800
+Subject: media: dm1105: Fix use after free bug in dm1105_remove due to race
+ condition
+
+From: Zheng Wang
+
+[ Upstream commit 5abda7a16698d4d1f47af1168d8fa2c640116b4a ]
+
+In dm1105_probe, it called dm1105_ir_init and bound
+&dm1105->ir.work with dm1105_emit_key.
+When it handles IRQ request with dm1105_irq,
+it may call schedule_work to start the work.
+
+When we call dm1105_remove to remove the driver, there
+may be a sequence as follows:
+
+Fix it by finishing the work before cleanup in dm1105_remove
+
+CPU0 CPU1
+
+ |dm1105_emit_key
+dm1105_remove |
+ dm1105_ir_exit |
+ rc_unregister_device |
+ rc_free_device |
+ rc_dev_release |
+ kfree(dev); |
+ |
+ | rc_keydown
+ | //use
+
+Fixes: 34d2f9bf189c ("V4L/DVB: dm1105: use dm1105_dev & dev instead of dm1105dvb")
+Signed-off-by: Zheng Wang
+Signed-off-by: Hans Verkuil
+Signed-off-by: Sasha Levin
+---
+ drivers/media/pci/dm1105/dm1105.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/pci/dm1105/dm1105.c b/drivers/media/pci/dm1105/dm1105.c
+index 7c3900dec3686..df08297911546 100644
+--- a/drivers/media/pci/dm1105/dm1105.c
++++ b/drivers/media/pci/dm1105/dm1105.c
+@@ -1185,6 +1185,7 @@ static void dm1105_remove(struct pci_dev *pdev)
+ struct dvb_demux *dvbdemux = &dev->demux;
+ struct dmx_demux *dmx = &dvbdemux->dmx;
+
++ cancel_work_sync(&dev->ir.work);
+ dm1105_ir_exit(dev);
+ dmx->close(dmx);
+ dvb_net_release(&dev->dvbnet);
+--
+2.39.2
+
diff --git a/queue-4.14/net-amd-fix-link-leak-when-verifying-config-failed.patch b/queue-4.14/net-amd-fix-link-leak-when-verifying-config-failed.patch
new file mode 100644
index 00000000000..89e16eaeaea
--- /dev/null
+++ b/queue-4.14/net-amd-fix-link-leak-when-verifying-config-failed.patch
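Review bot: `cancel_work_sync(&dev->ir.work)` at the top of `dm1105_remove()` closes the race only if nothing can queue the work again afterwards. The commit message says `dm1105_irq` may call `schedule_work`, and the visible lines do not show the interrupt being masked or freed before this call, so an IRQ arriving between `cancel_work_sync()` and `dm1105_ir_exit()` could re-queue `dm1105_emit_key` against the rc device that is about to be freed. Please confirm where the IRQ is torn down (that part of the function is outside this hunk) and either quiesce the interrupt first or move the cancel after that point. A comment such as `/* IRQ must be quiesced before this, or the handler can re-queue ir.work */` would record the ordering requirement.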
@@ -0,0 +1,47 @@
+From fe0a60efa93b40d0b21784a9c05a99724d5af5d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Apr 2023 23:28:01 +0800
+Subject: net: amd: Fix link leak when verifying config failed
+
+From: Gencen Gan
+
+[ Upstream commit d325c34d9e7e38d371c0a299d415e9b07f66a1fb ]
+
+After failing to verify configuration, it returns directly without
+releasing link, which may cause memory leak.
+
+Paolo Abeni thinks that the whole code of this driver is quite
+"suboptimal" and looks unmainatained since at least ~15y, so he
+suggests that we could simply remove the whole driver, please
+take it into consideration.
+
+Simon Horman suggests that the fix label should be set to
+"Linux-2.6.12-rc2" considering that the problem has existed
+since the driver was introduced and the commit above doesn't
+seem to exist in net/net-next.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Gan Gecen
+Reviewed-by: Dongliang Mu
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/amd/nmclan_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/amd/nmclan_cs.c b/drivers/net/ethernet/amd/nmclan_cs.c
+index 9c152d85840d7..c9d2a6f150624 100644
+--- a/drivers/net/ethernet/amd/nmclan_cs.c
++++ b/drivers/net/ethernet/amd/nmclan_cs.c
+@@ -652,7 +652,7 @@ static int nmclan_config(struct pcmcia_device *link)
+ } else {
+ pr_notice("mace id not found: %x %x should be 0x40 0x?9\n",
+ sig[0], sig[1]);
+- return -ENODEV;
++ goto failed;
+ }
+ }
+
+--
+2.39.2
+
diff --git a/queue-4.14/net-packet-convert-po-auxdata-to-an-atomic-flag.patch b/queue-4.14/net-packet-convert-po-auxdata-to-an-atomic-flag.patch
new file mode 100644
index 00000000000..8b9adff5c93
--- /dev/null
+++ b/queue-4.14/net-packet-convert-po-auxdata-to-an-atomic-flag.patch
@@ -0,0 +1,95 @@
+From 14334e4ea438b7bad46e1c7ab8f22fca4844dd0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Mar 2023 01:10:08 +0000
+Subject: net/packet: convert po->auxdata to an atomic flag
+
+From: Eric Dumazet
+
+[ Upstream commit fd53c297aa7b077ae98a3d3d2d3aa278a1686ba6 ]
+
+po->auxdata can be read while another thread
+is changing its value, potentially raising KCSAN splat.
+
+Convert it to PACKET_SOCK_AUXDATA flag.
+
+Fixes: 8dc419447415 ("[PACKET]: Add optional checksum computation for recvmsg")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/packet/af_packet.c | 8 +++-----
+ net/packet/diag.c | 2 +-
+ net/packet/internal.h | 4 ++--
+ 3 files changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index ce6afdb50933b..8b44ad304a656 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3480,7 +3480,7 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len);
+ }
+
+- if (pkt_sk(sk)->auxdata) {
++ if (packet_sock_flag(pkt_sk(sk), PACKET_SOCK_AUXDATA)) {
+ struct tpacket_auxdata aux;
+
+ aux.tp_status = TP_STATUS_USER;
+@@ -3865,9 +3865,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
+- lock_sock(sk);
+- po->auxdata = !!val;
+- release_sock(sk);
++ packet_sock_flag_set(po, PACKET_SOCK_AUXDATA, val);
+ return 0;
+ }
+ case PACKET_ORIGDEV:
+@@ -4009,7 +4007,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+
+ break;
+ case PACKET_AUXDATA:
+- val = po->auxdata;
++ val = packet_sock_flag(po, PACKET_SOCK_AUXDATA);
+ break;
+ case PACKET_ORIGDEV:
+ val = packet_sock_flag(po, PACKET_SOCK_ORIGDEV);
+diff --git a/net/packet/diag.c b/net/packet/diag.c
+index bf5928e5df035..d9f912ad23dfa 100644
+--- a/net/packet/diag.c
++++ b/net/packet/diag.c
+@@ -22,7 +22,7 @@ static int pdiag_put_info(const struct packet_sock *po, struct sk_buff *nlskb)
+ pinfo.pdi_flags = 0;
+ if (po->running)
+ pinfo.pdi_flags |= PDI_RUNNING;
+- if (po->auxdata)
++ if (packet_sock_flag(po, PACKET_SOCK_AUXDATA))
+ pinfo.pdi_flags |= PDI_AUXDATA;
+ if (packet_sock_flag(po, PACKET_SOCK_ORIGDEV))
+ pinfo.pdi_flags |= PDI_ORIGDEV;
+diff --git a/net/packet/internal.h b/net/packet/internal.h
+index f39dcc7608bc6..3d871cae85b8c 100644
+--- a/net/packet/internal.h
++++ b/net/packet/internal.h
+@@ -117,8 +117,7 @@ struct packet_sock {
+ struct mutex pg_vec_lock;
+ unsigned long flags;
+ unsigned int running; /* bind_lock must be held */
+- unsigned int auxdata:1, /* writer must hold sock lock */
+- has_vnet_hdr:1,
++ unsigned int has_vnet_hdr:1, /* writer must hold sock lock */
+ tp_loss:1,
+ tp_tx_has_off:1;
+ int pressure;
+@@ -144,6 +143,7 @@ static struct packet_sock *pkt_sk(struct sock *sk)
+
+ enum packet_sock_flags {
+ PACKET_SOCK_ORIGDEV,
++ PACKET_SOCK_AUXDATA,
+ };
+
+ static inline void packet_sock_flag_set(struct packet_sock *po,
+--
+2.39.2
+
diff --git a/queue-4.14/net-packet-convert-po-origdev-to-an-atomic-flag.patch b/queue-4.14/net-packet-convert-po-origdev-to-an-atomic-flag.patch
new file mode 100644
index 00000000000..062646a31e9
--- /dev/null
+++ b/queue-4.14/net-packet-convert-po-origdev-to-an-atomic-flag.patch
@@ -0,0 +1,126 @@ +From dcf8ddc946faa69febc2a5d6d4d223ee959f4016 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Mar 2023 01:10:07 +0000 +Subject: net/packet: convert po->origdev to an atomic flag + +From: Eric Dumazet + +[ Upstream commit ee5675ecdf7a4e713ed21d98a70c2871d6ebed01 ] + +syzbot/KCAN reported that po->origdev can be read +while another thread is changing its value. + +We can avoid this splat by converting this field +to an actual bit. + +Following patches will convert remaining 1bit fields. + +Fixes: 80feaacb8a64 ("[AF_PACKET]: Add option to return orig_dev to userspace.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 10 ++++------ + net/packet/diag.c | 2 +- + net/packet/internal.h | 22 +++++++++++++++++++++- + 3 files changed, 26 insertions(+), 8 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 1be5fb6af0178..ce6afdb50933b 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2144,7 +2144,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev, + sll = &PACKET_SKB_CB(skb)->sa.ll; + sll->sll_hatype = dev->type; + sll->sll_pkttype = skb->pkt_type; +- if (unlikely(po->origdev)) ++ if (unlikely(packet_sock_flag(po, PACKET_SOCK_ORIGDEV))) + sll->sll_ifindex = orig_dev->ifindex; + else + sll->sll_ifindex = dev->ifindex; +@@ -2410,7 +2410,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + sll->sll_hatype = dev->type; + sll->sll_protocol = skb->protocol; + sll->sll_pkttype = skb->pkt_type; +- if (unlikely(po->origdev)) ++ if (unlikely(packet_sock_flag(po, PACKET_SOCK_ORIGDEV))) + sll->sll_ifindex = orig_dev->ifindex; + else + sll->sll_ifindex = dev->ifindex; +@@ -3879,9 +3879,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv + if (copy_from_user(&val, optval, sizeof(val))) + return -EFAULT; + +- lock_sock(sk); +- po->origdev = 
!!val; +- release_sock(sk); ++ packet_sock_flag_set(po, PACKET_SOCK_ORIGDEV, val); + return 0; + } + case PACKET_VNET_HDR: +@@ -4014,7 +4012,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, + val = po->auxdata; + break; + case PACKET_ORIGDEV: +- val = po->origdev; ++ val = packet_sock_flag(po, PACKET_SOCK_ORIGDEV); + break; + case PACKET_VNET_HDR: + val = po->has_vnet_hdr; +diff --git a/net/packet/diag.c b/net/packet/diag.c +index 7ef1c881ae741..bf5928e5df035 100644 +--- a/net/packet/diag.c ++++ b/net/packet/diag.c +@@ -24,7 +24,7 @@ static int pdiag_put_info(const struct packet_sock *po, struct sk_buff *nlskb) + pinfo.pdi_flags |= PDI_RUNNING; + if (po->auxdata) + pinfo.pdi_flags |= PDI_AUXDATA; +- if (po->origdev) ++ if (packet_sock_flag(po, PACKET_SOCK_ORIGDEV)) + pinfo.pdi_flags |= PDI_ORIGDEV; + if (po->has_vnet_hdr) + pinfo.pdi_flags |= PDI_VNETHDR; +diff --git a/net/packet/internal.h b/net/packet/internal.h +index f10294800aafb..f39dcc7608bc6 100644 +--- a/net/packet/internal.h ++++ b/net/packet/internal.h +@@ -115,9 +115,9 @@ struct packet_sock { + int copy_thresh; + spinlock_t bind_lock; + struct mutex pg_vec_lock; ++ unsigned long flags; + unsigned int running; /* bind_lock must be held */ + unsigned int auxdata:1, /* writer must hold sock lock */ +- origdev:1, + has_vnet_hdr:1, + tp_loss:1, + tp_tx_has_off:1; +@@ -142,4 +142,24 @@ static struct packet_sock *pkt_sk(struct sock *sk) + return (struct packet_sock *)sk; + } + ++enum packet_sock_flags { ++ PACKET_SOCK_ORIGDEV, ++}; ++ ++static inline void packet_sock_flag_set(struct packet_sock *po, ++ enum packet_sock_flags flag, ++ bool val) ++{ ++ if (val) ++ set_bit(flag, &po->flags); ++ else ++ clear_bit(flag, &po->flags); ++} ++ ++static inline bool packet_sock_flag(const struct packet_sock *po, ++ enum packet_sock_flags flag) ++{ ++ return test_bit(flag, &po->flags); ++} ++ + #endif +-- +2.39.2 + 
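Review bot: The new `unsigned long flags;` member of `struct packet_sock` carries no comment, while its neighbours document their locking (`/* bind_lock must be held */`, `/* writer must hold sock lock */`). Since the point of the change is that these bits are accessed without the socket lock through `set_bit`/`clear_bit`/`test_bit`, I would annotate it, e.g. `unsigned long flags; /* PACKET_SOCK_* bits, atomic bitops only, no lock required */`, and give `enum packet_sock_flags` a one-line comment saying its values are bit numbers in `po->flags`. In `packet_setsockopt()` the explicit `!!val` is replaced by the implicit int-to-bool conversion at the `packet_sock_flag_set()` call, which is equivalent but only visible from the prototype. The same remarks apply to the PACKET_AUXDATA conversion in the companion patch.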
diff --git a/queue-4.14/nfsv4.1-always-send-a-reclaim_complete-after-establi.patch b/queue-4.14/nfsv4.1-always-send-a-reclaim_complete-after-establi.patch
new file mode 100644
index 00000000000..9167b7db98d
--- /dev/null
+++ b/queue-4.14/nfsv4.1-always-send-a-reclaim_complete-after-establi.patch
@@ -0,0 +1,45 @@
+From a105a14304820fd123ceda9de693ced025437d5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Mar 2023 18:45:53 -0400
+Subject: NFSv4.1: Always send a RECLAIM_COMPLETE after establishing lease
+
+From: Trond Myklebust
+
+[ Upstream commit 40882deb83c29d8df4470d4e5e7f137b6acf7ad1 ]
+
+The spec requires that we always at least send a RECLAIM_COMPLETE when
+we're done establishing the lease and recovering any state.
+
+Fixes: fce5c838e133 ("nfs41: RECLAIM_COMPLETE functionality")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Anna Schumaker
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/nfs4state.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
+index 9616f7eacd4cb..85e005efc9779 100644
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -65,6 +65,8 @@
+
+ #define OPENOWNER_POOL_SIZE 8
+
++static void nfs4_state_start_reclaim_reboot(struct nfs_client *clp);
++
+ const nfs4_stateid zero_stateid = {
+ { .data = { 0 } },
+ .type = NFS4_SPECIAL_STATEID_TYPE,
+@@ -321,6 +323,8 @@ int nfs41_init_clientid(struct nfs_client *clp, struct rpc_cred *cred)
+ status = nfs4_proc_create_session(clp, cred);
+ if (status != 0)
+ goto out;
++ if (!(clp->cl_exchange_flags & EXCHGID4_FLAG_CONFIRMED_R))
++ nfs4_state_start_reclaim_reboot(clp);
+ nfs41_finish_session_reset(clp);
+ nfs_mark_client_ready(clp, NFS_CS_READY);
+ out:
+--
+2.39.2
+
diff --git a/queue-4.14/of-fix-modalias-string-generation.patch b/queue-4.14/of-fix-modalias-string-generation.patch
new file mode 100644
index 00000000000..2e8e2ef86a4
--- /dev/null
+++ b/queue-4.14/of-fix-modalias-string-generation.patch
@@ -0,0 +1,80 @@
+From 8fddb19a1e0d8d113cda22d92ca924765a3806ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 4 Apr 2023 18:21:09 +0100
+Subject: of: Fix modalias string generation
+
+From: Miquel Raynal
+
+[ Upstream commit b19a4266c52de78496fe40f0b37580a3b762e67d ]
+
+The helper generating an OF based modalias (of_device_get_modalias())
+works fine, but due to the use of snprintf() internally it needs a
+buffer one byte longer than what should be needed just for the entire
+string (excluding the '\0'). Most users of this helper are sysfs hooks
+providing the modalias string to users. They all provide a PAGE_SIZE
+buffer which is way above the number of bytes required to fit the
+modalias string and hence do not suffer from this issue.
+
+There is another user though, of_device_request_module(), which is only
+called by drivers/usb/common/ulpi.c. This request module function is
+faulty, but maybe because in most cases there is an alternative, ULPI
+driver users have not noticed it.
+
+In this function, of_device_get_modalias() is called twice. The first
+time without buffer just to get the number of bytes required by the
+modalias string (excluding the null byte), and a second time, after
+buffer allocation, to fill the buffer. The allocation asks for an
+additional byte, in order to store the trailing '\0'. However, the
+buffer *length* provided to of_device_get_modalias() excludes this extra
+byte. The internal use of snprintf() with a length that is exactly the
+number of bytes to be written has the effect of using the last available
+byte to store a '\0', which then smashes the last character of the
+modalias string.
+
+Provide the actual size of the buffer to of_device_get_modalias() to fix
+this issue.
+
+Note: the "str[size - 1] = '\0';" line is not really needed as snprintf
+will anyway end the string with a null byte, but there is a possibility
+that this function might be called on a struct device_node without
+compatible, in this case snprintf() would not be executed. So we keep it
+just to avoid possible unbounded strings.
+
+Cc: Stephen Boyd
+Cc: Peter Chen
+Fixes: 9c829c097f2f ("of: device: Support loading a module with OF based modalias")
+Signed-off-by: Miquel Raynal
+Reviewed-by: Rob Herring
+Signed-off-by: Srinivas Kandagatla
+Link: https://lore.kernel.org/r/20230404172148.82422-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/of/device.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/of/device.c b/drivers/of/device.c
+index 64b710265d390..3255c97b14f64 100644
+--- a/drivers/of/device.c
++++ b/drivers/of/device.c
+@@ -257,12 +257,15 @@ int of_device_request_module(struct device *dev)
+ if (size < 0)
+ return size;
+
+- str = kmalloc(size + 1, GFP_KERNEL);
++ /* Reserve an additional byte for the trailing '\0' */
++ size++;
++
++ str = kmalloc(size, GFP_KERNEL);
+ if (!str)
+ return -ENOMEM;
+
+ of_device_get_modalias(dev, str, size);
+- str[size] = '\0';
++ str[size - 1] = '\0';
+ ret = request_module(str);
+ kfree(str);
+
+--
+2.39.2
+
diff --git a/queue-4.14/perf-core-fix-hardlockup-failure-caused-by-perf-thro.patch b/queue-4.14/perf-core-fix-hardlockup-failure-caused-by-perf-thro.patch
new file mode 100644
index 00000000000..52b70815ee6
--- /dev/null
+++ b/queue-4.14/perf-core-fix-hardlockup-failure-caused-by-perf-thro.patch
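Review bot: `request_module(str)` in of_device_request_module() passes the generated modalias as the format string, because request_module() takes printf-style arguments; any `%` in a node name or compatible string taken from the device tree would be parsed as a conversion. Calling it as `ret = request_module("%s", str);` keeps the string as data. The return value of the second of_device_get_modalias() call is also ignored, so if that call writes nothing (the case the commit message mentions) the kmalloc() buffer holds uninitialised bytes apart from the forced terminator; checking the result before request_module() would close that. The function body starts and ends outside the hunk.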
@@ -0,0 +1,51 @@
+From 1df784937a5671ad43d77ca3e7b8dec1cd2c6de2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Feb 2023 10:35:08 +0800
+Subject: perf/core: Fix hardlockup failure caused by perf throttle
+
+From: Yang Jihong
+
+[ Upstream commit 15def34e2635ab7e0e96f1bc32e1b69609f14942 ]
+
+commit e050e3f0a71bf ("perf: Fix broken interrupt rate throttling")
+introduces a change in throttling threshold judgment. Before this,
+compare hwc->interrupts and max_samples_per_tick, then increase
+hwc->interrupts by 1, but this commit reverses order of these two
+behaviors, causing the semantics of max_samples_per_tick to change.
+In literal sense of "max_samples_per_tick", if hwc->interrupts ==
+max_samples_per_tick, it should not be throttled, therefore, the judgment
+condition should be changed to "hwc->interrupts > max_samples_per_tick".
+
+In fact, this may cause the hardlockup to fail, The minimum value of
+max_samples_per_tick may be 1, in this case, the return value of
+__perf_event_account_interrupt function is 1.
+As a result, nmi_watchdog gets throttled, which would stop PMU (Use x86
+architecture as an example, see x86_pmu_handle_irq).
+
+Fixes: e050e3f0a71b ("perf: Fix broken interrupt rate throttling")
+Signed-off-by: Yang Jihong
+Signed-off-by: Peter Zijlstra (Intel)
+Link: https://lkml.kernel.org/r/20230227023508.102230-1-yangjihong1@huawei.com
+Signed-off-by: Sasha Levin
+---
+ kernel/events/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 392e48bbba448..20ba0d90e8ae1 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -7490,8 +7490,8 @@ __perf_event_account_interrupt(struct perf_event *event, int throttle)
+ hwc->interrupts = 1;
+ } else {
+ hwc->interrupts++;
+- if (unlikely(throttle
+- && hwc->interrupts >= max_samples_per_tick)) {
++ if (unlikely(throttle &&
++ hwc->interrupts > max_samples_per_tick)) {
+ __this_cpu_inc(perf_throttled_count);
+ tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS);
+ hwc->interrupts = MAX_INTERRUPTS;
+--
+2.39.2
+
diff --git a/queue-4.14/phy-tegra-xusb-add-missing-tegra_xusb_port_unregiste.patch b/queue-4.14/phy-tegra-xusb-add-missing-tegra_xusb_port_unregiste.patch
new file mode 100644
index 00000000000..2d413a7a1d1
--- /dev/null
+++ b/queue-4.14/phy-tegra-xusb-add-missing-tegra_xusb_port_unregiste.patch
@@ -0,0 +1,47 @@
+From 0d1a66c815798848ce65995e62a1ac9ab2340211 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 29 Nov 2022 19:16:34 +0800
+Subject: phy: tegra: xusb: Add missing tegra_xusb_port_unregister for
+ usb2_port and ulpi_port
+
+From: Gaosheng Cui
+
+[ Upstream commit e024854048e733391b31fe5a398704b31b9af803 ]
+
+The tegra_xusb_port_unregister should be called when usb2_port
+and ulpi_port map fails in tegra_xusb_add_usb2_port() or in
+tegra_xusb_add_ulpi_port(), fix it.
+
+Fixes: 53d2a715c240 ("phy: Add Tegra XUSB pad controller support")
+Signed-off-by: Gaosheng Cui
+Acked-by: Thierry Reding
+Link: https://lore.kernel.org/r/20221129111634.1547747-1-cuigaosheng1@huawei.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/tegra/xusb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c
+index 9c55e0f45ea8a..d0483712637b9 100644
+--- a/drivers/phy/tegra/xusb.c
++++ b/drivers/phy/tegra/xusb.c
+@@ -596,6 +596,7 @@ static int tegra_xusb_add_usb2_port(struct tegra_xusb_padctl *padctl,
+ usb2->base.lane = usb2->base.ops->map(&usb2->base);
+ if (IS_ERR(usb2->base.lane)) {
+ err = PTR_ERR(usb2->base.lane);
++ tegra_xusb_port_unregister(&usb2->base);
+ goto out;
+ }
+
+@@ -648,6 +649,7 @@ static int tegra_xusb_add_ulpi_port(struct tegra_xusb_padctl *padctl,
+ ulpi->base.lane = ulpi->base.ops->map(&ulpi->base);
+ if (IS_ERR(ulpi->base.lane)) {
+ err = PTR_ERR(ulpi->base.lane);
++ tegra_xusb_port_unregister(&ulpi->base);
+ goto out;
+ }
+
+--
+2.39.2
+
diff --git a/queue-4.14/power-supply-generic-adc-battery-fix-unit-scaling.patch b/queue-4.14/power-supply-generic-adc-battery-fix-unit-scaling.patch
new file mode 100644
index 00000000000..18884be15aa
--- /dev/null
+++ b/queue-4.14/power-supply-generic-adc-battery-fix-unit-scaling.patch
@@ -0,0 +1,42 @@
+From 5c0363d9e519f1442e18a76f60d083f534ffacf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Mar 2023 23:56:57 +0100
+Subject: power: supply: generic-adc-battery: fix unit scaling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sebastian Reichel
+
+[ Upstream commit 44263f50065969f2344808388bd589740f026167 ]
+
+power-supply properties are reported in µV, µA and µW.
+The IIO API provides mV, mA, mW, so the values need to
+be multiplied by 1000.
+
+Fixes: e60fea794e6e ("power: battery: Generic battery driver using IIO")
+Reviewed-by: Linus Walleij
+Reviewed-by: Matti Vaittinen
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/power/supply/generic-adc-battery.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/power/supply/generic-adc-battery.c b/drivers/power/supply/generic-adc-battery.c
+index c5bde3c24c319..42a9e03744c7d 100644
+--- a/drivers/power/supply/generic-adc-battery.c
++++ b/drivers/power/supply/generic-adc-battery.c
+@@ -138,6 +138,9 @@ static int read_channel(struct gab *adc_bat, enum power_supply_property psp,
+ result);
+ if (ret < 0)
+ pr_err("read channel error\n");
++ else
++ *result *= 1000;
++
+ return ret;
+ }
+
+--
+2.39.2
+
diff --git a/queue-4.14/powerpc-mpc512x-fix-resource-printk-format-warning.patch b/queue-4.14/powerpc-mpc512x-fix-resource-printk-format-warning.patch
new file mode 100644
index 00000000000..eed91a49882
--- /dev/null
+++ b/queue-4.14/powerpc-mpc512x-fix-resource-printk-format-warning.patch
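Review bot: The `*result *= 1000;` added in read_channel() has no range check, so an unexpectedly large reading from the IIO channel overflows before it reaches the power-supply core. The declaration of `result` is outside the hunk; if it points to a plain `int`, any magnitude above INT_MAX / 1000 wraps. A bounds test ahead of the multiplication, for example `if (*result > INT_MAX / 1000 || *result < INT_MIN / 1000) return -ERANGE;`, keeps a faulty or misconfigured ADC channel from reporting a wrapped value.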
@@ -0,0 +1,46 @@
+From ce3c1b86993018308131e1b0b3e12c44237b2bd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Feb 2023 23:01:13 -0800
+Subject: powerpc/mpc512x: fix resource printk format warning
+
+From: Randy Dunlap
+
+[ Upstream commit 7538c97e2b80ff6b7a8ea2ecf16a04355461b439 ]
+
+Use "%pa" format specifier for resource_size_t to avoid a compiler
+printk format warning.
+
+../arch/powerpc/platforms/512x/clock-commonclk.c: In function 'mpc5121_clk_provide_backwards_compat':
+../arch/powerpc/platforms/512x/clock-commonclk.c:989:44: error: format '%x' expects argument of type 'unsigned int', but argument 4 has type 'resource_size_t' {aka 'long long unsigned int'} [-Werror=format=]
+ 989 | snprintf(devname, sizeof(devname), "%08x.%s", res.start, np->name); \
+ | ^~~~~~~~~ ~~~~~~~~~
+ | |
+ | resource_size_t {aka long long unsigned int}
+
+Prevents 24 such warnings.
+
+Fixes: 01f25c371658 ("clk: mpc512x: add backwards compat to the CCF code")
+Signed-off-by: Randy Dunlap
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20230223070116.660-2-rdunlap@infradead.org
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/platforms/512x/clock-commonclk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/512x/clock-commonclk.c b/arch/powerpc/platforms/512x/clock-commonclk.c
+index b3097fe6441b9..1019d78e44bb4 100644
+--- a/arch/powerpc/platforms/512x/clock-commonclk.c
++++ b/arch/powerpc/platforms/512x/clock-commonclk.c
+@@ -985,7 +985,7 @@ static void mpc5121_clk_provide_migration_support(void)
+
+ #define NODE_PREP do { \
+ of_address_to_resource(np, 0, &res); \
+- snprintf(devname, sizeof(devname), "%08x.%s", res.start, np->name); \
++ snprintf(devname, sizeof(devname), "%pa.%s", &res.start, np->name); \
+ } while (0)
+
+ #define NODE_CHK(clkname, clkitem, regnode, regflag) do { \
+--
+2.39.2
+
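Review bot: Switching NODE_PREP to `%pa` changes the text written into `devname`, not only the argument type: `%pa` prints a `0x` prefix and pads to the full width of phys_addr_t, where `%08x` printed eight bare hex digits. If `devname` is later matched against device names built elsewhere (the NODE_CHK users are outside the hunk), those lookups would stop matching. Keeping the old layout with a cast, `snprintf(devname, sizeof(devname), "%08llx.%s", (unsigned long long)res.start, np->name);`, silences the warning without changing the string. The return value of of_address_to_resource() is also unchecked in the macro, so `res` may be read uninitialised when the call fails.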
diff --git a/queue-4.14/powerpc-rtas-use-memmove-for-potentially-overlapping.patch b/queue-4.14/powerpc-rtas-use-memmove-for-potentially-overlapping.patch
new file mode 100644
index 00000000000..66e8ac09858
--- /dev/null
+++ b/queue-4.14/powerpc-rtas-use-memmove-for-potentially-overlapping.patch
@@ -0,0 +1,56 @@
+From 213098c3afc199325ba774c55817d379f43de157 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Mar 2023 15:33:41 -0600
+Subject: powerpc/rtas: use memmove for potentially overlapping buffer copy
+
+From: Nathan Lynch
+
+[ Upstream commit 271208ee5e335cb1ad280d22784940daf7ddf820 ]
+
+Using memcpy() isn't safe when buf is identical to rtas_err_buf, which
+can happen during boot before slab is up. Full context which may not
+be obvious from the diff:
+
+ if (altbuf) {
+ buf = altbuf;
+ } else {
+ buf = rtas_err_buf;
+ if (slab_is_available())
+ buf = kmalloc(RTAS_ERROR_LOG_MAX, GFP_ATOMIC);
+ }
+ if (buf)
+ memcpy(buf, rtas_err_buf, RTAS_ERROR_LOG_MAX);
+
+This was found by inspection and I'm not aware of it causing problems
+in practice. It appears to have been introduced by commit
+033ef338b6e0 ("powerpc: Merge rtas.c into arch/powerpc/kernel"); the
+old ppc64 version of this code did not have this problem.
+
+Use memmove() instead.
+
+Fixes: 033ef338b6e0 ("powerpc: Merge rtas.c into arch/powerpc/kernel")
+Signed-off-by: Nathan Lynch
+Reviewed-by: Andrew Donnellan
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20230220-rtas-queue-for-6-4-v1-2-010e4416f13f@linux.ibm.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/kernel/rtas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
+index 5d84b412b2fd4..35f1f8b2f6253 100644
+--- a/arch/powerpc/kernel/rtas.c
++++ b/arch/powerpc/kernel/rtas.c
+@@ -400,7 +400,7 @@ static char *__fetch_rtas_last_error(char *altbuf)
+ buf = kmalloc(RTAS_ERROR_LOG_MAX, GFP_ATOMIC);
+ }
+ if (buf)
+- memcpy(buf, rtas_err_buf, RTAS_ERROR_LOG_MAX);
++ memmove(buf, rtas_err_buf, RTAS_ERROR_LOG_MAX);
+ }
+
+ return buf;
+--
+2.39.2
+
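Review bot: The reason for using memmove() in __fetch_rtas_last_error() lives only in the commit message, so a later cleanup could turn it back into memcpy(). A short comment above the call would keep the constraint next to the code, for example `/* buf may be rtas_err_buf itself before slab is up; memmove() tolerates that */`. The function starts outside the hunk.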
diff --git a/queue-4.14/powerpc-sysdev-tsi108-fix-resource-printk-format-war.patch b/queue-4.14/powerpc-sysdev-tsi108-fix-resource-printk-format-war.patch
new file mode 100644
index 00000000000..e2d5faa8fbb
--- /dev/null
+++ b/queue-4.14/powerpc-sysdev-tsi108-fix-resource-printk-format-war.patch
@@ -0,0 +1,45 @@
+From f7f691fc4b99486e73c7dc7f524a17e30f71327b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Feb 2023 23:01:16 -0800
+Subject: powerpc/sysdev/tsi108: fix resource printk format warnings
+
+From: Randy Dunlap
+
+[ Upstream commit 55d8bd02cc1b9f1063993b5c42c9cabf4af67dea ]
+
+Use "%pa" format specifier for resource_size_t to avoid a compiler
+printk format warning.
+
+ arch/powerpc/sysdev/tsi108_pci.c: In function 'tsi108_setup_pci':
+ include/linux/kern_levels.h:5:25: error: format '%x' expects argument of type 'unsigned int', but argument 2 has type 'resource_size_t'
+
+Fixes: c4342ff92bed ("[POWERPC] Update mpc7448hpc2 board irq support using device tree")
+Fixes: 2b9d7467a6db ("[POWERPC] Add tsi108 pci and platform device data register function")
+Signed-off-by: Randy Dunlap
+[mpe: Use pr_info() and unsplit string]
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20230223070116.660-5-rdunlap@infradead.org
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/sysdev/tsi108_pci.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/sysdev/tsi108_pci.c b/arch/powerpc/sysdev/tsi108_pci.c
+index 28ff1f53cefc1..6bd50c690006f 100644
+--- a/arch/powerpc/sysdev/tsi108_pci.c
++++ b/arch/powerpc/sysdev/tsi108_pci.c
+@@ -229,9 +229,8 @@ int __init tsi108_setup_pci(struct device_node *dev, u32 cfg_phys, int primary)
+
+ (hose)->ops = &tsi108_direct_pci_ops;
+
+- printk(KERN_INFO "Found tsi108 PCI host bridge at 0x%08x. "
+- "Firmware bus number: %d->%d\n",
+- rsrc.start, hose->first_busno, hose->last_busno);
++ pr_info("Found tsi108 PCI host bridge at 0x%pa. Firmware bus number: %d->%d\n",
++ &rsrc.start, hose->first_busno, hose->last_busno);
+
+ /* Interpret the "ranges" property */
+ /* This also maps the I/O region and sets isa_io/mem_base */
+--
+2.39.2
+
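Review bot: The new format string in tsi108_setup_pci() prints the hex prefix twice, because `%pa` already emits `0x` and the literal `0x` before it was kept; the log line will read `0x0x...`. Dropping the literal prefix fixes it: `pr_info("Found tsi108 PCI host bridge at %pa. Firmware bus number: %d->%d\n",`. The same `0x%pa` pattern appears in the powerpc/wii patch that follows (flipper-pic.c, hlwd-pic.c and wii.c).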
diff --git a/queue-4.14/powerpc-wii-fix-resource-printk-format-warnings.patch b/queue-4.14/powerpc-wii-fix-resource-printk-format-warnings.patch new file mode 100644 index 00000000000..7ffd4832ea3 --- /dev/null +++ b/queue-4.14/powerpc-wii-fix-resource-printk-format-warnings.patch 
@@ -0,0 +1,87 @@ +From 55a4c4931e16b6cbfcf739a534c62b9971d9a249 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Feb 2023 23:01:14 -0800 +Subject: powerpc/wii: fix resource printk format warnings + +From: Randy Dunlap + +[ Upstream commit 7b69600d4da0049244e9be2f5ef5a2f8e04fcd9a ] + +Use "%pa" format specifier for resource_size_t to avoid compiler +printk format warnings. + +../arch/powerpc/platforms/embedded6xx/flipper-pic.c: In function 'flipper_pic_init': +../include/linux/kern_levels.h:5:25: error: format '%x' expects argument of type 'unsigned int', but argument 2 has type 'resource_size_t' {aka 'long long unsigned int'} [-Werror=format=] +../arch/powerpc/platforms/embedded6xx/flipper-pic.c:148:9: note: in expansion of macro 'pr_info' + 148 | pr_info("controller at 0x%08x mapped to 0x%p\n", res.start, io_base); + | ^~~~~~~ + +../arch/powerpc/platforms/embedded6xx/hlwd-pic.c: In function 'hlwd_pic_init': +../include/linux/kern_levels.h:5:25: error: format '%x' expects argument of type 'unsigned int', but argument 2 has type 'resource_size_t' {aka 'long long unsigned int'} [-Werror=format=] +../arch/powerpc/platforms/embedded6xx/hlwd-pic.c:174:9: note: in expansion of macro 'pr_info' + 174 | pr_info("controller at 0x%08x mapped to 0x%p\n", res.start, io_base); + | ^~~~~~~ + +../arch/powerpc/platforms/embedded6xx/wii.c: In function 'wii_ioremap_hw_regs': +../include/linux/kern_levels.h:5:25: error: format '%x' expects argument of type 'unsigned int', but argument 3 has type 'resource_size_t' {aka 'long long unsigned int'} [-Werror=format=] +../arch/powerpc/platforms/embedded6xx/wii.c:77:17: note: in expansion of macro 'pr_info' + 77 | pr_info("%s at 0x%08x mapped to 0x%p\n", name, + | ^~~~~~~ + +Fixes: 028ee972f032 ("powerpc: gamecube/wii: flipper interrupt controller support") +Fixes: 9c21025c7845 ("powerpc: wii: hollywood interrupt controller support") +Fixes: 5a7ee3198dfa ("powerpc: wii: platform support") +Signed-off-by: Randy Dunlap +Signed-off-by: 
Michael Ellerman +Link: https://msgid.link/20230223070116.660-3-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/embedded6xx/flipper-pic.c | 2 +- + arch/powerpc/platforms/embedded6xx/hlwd-pic.c | 2 +- + arch/powerpc/platforms/embedded6xx/wii.c | 4 ++-- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/platforms/embedded6xx/flipper-pic.c b/arch/powerpc/platforms/embedded6xx/flipper-pic.c +index ade83829d5e8b..416375b346ba6 100644 +--- a/arch/powerpc/platforms/embedded6xx/flipper-pic.c ++++ b/arch/powerpc/platforms/embedded6xx/flipper-pic.c +@@ -157,7 +157,7 @@ struct irq_domain * __init flipper_pic_init(struct device_node *np) + } + io_base = ioremap(res.start, resource_size(&res)); + +- pr_info("controller at 0x%08x mapped to 0x%p\n", res.start, io_base); ++ pr_info("controller at 0x%pa mapped to 0x%p\n", &res.start, io_base); + + __flipper_quiesce(io_base); + +diff --git a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c +index db2ea6b6889de..7b7d659fd1568 100644 +--- a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c ++++ b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c +@@ -178,7 +178,7 @@ struct irq_domain *hlwd_pic_init(struct device_node *np) + return NULL; + } + +- pr_info("controller at 0x%08x mapped to 0x%p\n", res.start, io_base); ++ pr_info("controller at 0x%pa mapped to 0x%p\n", &res.start, io_base); + + __hlwd_quiesce(io_base); + +diff --git a/arch/powerpc/platforms/embedded6xx/wii.c b/arch/powerpc/platforms/embedded6xx/wii.c +index 2914529c06955..eabbced08d5f9 100644 +--- a/arch/powerpc/platforms/embedded6xx/wii.c ++++ b/arch/powerpc/platforms/embedded6xx/wii.c +@@ -143,8 +143,8 @@ static void __iomem *wii_ioremap_hw_regs(char *name, char *compatible) + + hw_regs = ioremap(res.start, resource_size(&res)); + if (hw_regs) { +- pr_info("%s at 0x%08x mapped to 0x%p\n", name, +- res.start, hw_regs); ++ pr_info("%s at 0x%pa mapped to 0x%p\n", name, ++ 
&res.start, hw_regs); + } + + out_put: +-- +2.39.2 + diff --git a/queue-4.14/pstore-revert-pmsg_lock-back-to-a-normal-mutex.patch b/queue-4.14/pstore-revert-pmsg_lock-back-to-a-normal-mutex.patch new file mode 100644 index 00000000000..2d0ff04cab4 --- /dev/null +++ b/queue-4.14/pstore-revert-pmsg_lock-back-to-a-normal-mutex.patch 
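Review bot: All three pr_info() calls still print the ioremap() result with `0x%p` (`io_base` in flipper-pic.c and hlwd-pic.c, `hw_regs` in wii.c), which writes a kernel virtual address to the log. On a 4.14 tree `%p` is, as far as I know, not yet hashed, so the raw address is visible to anyone who can read the kernel log. The physical address is enough to identify the controller; dropping the mapped address, e.g. `pr_info("controller at %pa\n", &res.start);`, avoids the exposure. In the flipper_pic_init() hunk the ioremap() result is also printed and passed to __flipper_quiesce() with no NULL check visible.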
@@ -0,0 +1,100 @@ +From cc81db7acea1de156d6e11eb674c3b8cee941b1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Mar 2023 20:40:43 +0000 +Subject: pstore: Revert pmsg_lock back to a normal mutex +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: John Stultz + +[ Upstream commit 5239a89b06d6b199f133bf0ffea421683187f257 ] + +This reverts commit 76d62f24db07f22ccf9bc18ca793c27d4ebef721. + +So while priority inversion on the pmsg_lock is an occasional +problem that an rt_mutex would help with, in uses where logging +is writing to pmsg heavily from multiple threads, the pmsg_lock +can be heavily contended. + +After this change landed, it was reported that cases where the +mutex locking overhead was commonly adding on the order of 10s +of usecs delay had suddenly jumped to ~msec delay with rtmutex. + +It seems the slight differences in the locks under this level +of contention causes the normal mutexes to utilize the spinning +optimizations, while the rtmutexes end up in the sleeping +slowpath (which allows additional threads to pile on trying +to take the lock). + +In this case, it devolves to a worse case senerio where the lock +acquisition and scheduling overhead dominates, and each thread +is waiting on the order of ~ms to do ~us of work. + +Obviously, having tons of threads all contending on a single +lock for logging is non-optimal, so the proper fix is probably +reworking pstore pmsg to have per-cpu buffers so we don't have +contention. + +Additionally, Steven Rostedt has provided some furhter +optimizations for rtmutexes that improves the rtmutex spinning +path, but at least in my testing, I still see the test tripping +into the sleeping path on rtmutexes while utilizing the spinning +path with mutexes. + +But in the short term, lets revert the change to the rt_mutex +and go back to normal mutexes to avoid a potentially major +performance regression. 
And we can work on optimizations to both +rtmutexes and finer-grained locking for pstore pmsg in the +future. + +Cc: Wei Wang +Cc: Midas Chien +Cc: "Chunhui Li (李春辉)" +Cc: Steven Rostedt +Cc: Kees Cook +Cc: Anton Vorontsov +Cc: "Guilherme G. Piccoli" +Cc: Tony Luck +Cc: kernel-team@android.com +Fixes: 76d62f24db07 ("pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion") +Reported-by: "Chunhui Li (李春辉)" +Signed-off-by: John Stultz +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20230308204043.2061631-1-jstultz@google.com +Signed-off-by: Sasha Levin +--- + fs/pstore/pmsg.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/fs/pstore/pmsg.c b/fs/pstore/pmsg.c +index ffc13ea196d2a..24db02de17874 100644 +--- a/fs/pstore/pmsg.c ++++ b/fs/pstore/pmsg.c +@@ -15,10 +15,9 @@ + #include + #include + #include +-#include + #include "internal.h" + +-static DEFINE_RT_MUTEX(pmsg_lock); ++static DEFINE_MUTEX(pmsg_lock); + + static ssize_t write_pmsg(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) +@@ -37,9 +36,9 @@ static ssize_t write_pmsg(struct file *file, const char __user *buf, + if (!access_ok(VERIFY_READ, buf, count)) + return -EFAULT; + +- rt_mutex_lock(&pmsg_lock); ++ mutex_lock(&pmsg_lock); + ret = psinfo->write_user(&record, buf); +- rt_mutex_unlock(&pmsg_lock); ++ mutex_unlock(&pmsg_lock); + return ret ? ret : count; + } + +-- +2.39.2 + diff --git a/queue-4.14/rdma-rdmavt-delete-unnecessary-null-check.patch b/queue-4.14/rdma-rdmavt-delete-unnecessary-null-check.patch new file mode 100644 index 00000000000..c308264d74c --- /dev/null +++ b/queue-4.14/rdma-rdmavt-delete-unnecessary-null-check.patch 
@@ -0,0 +1,41 @@
+From 23ad06a67d806d50fef6fb3ded13650cc6589371 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 3 Mar 2023 15:44:08 +0300
+Subject: RDMA/rdmavt: Delete unnecessary NULL check
+
+From: Natalia Petrova
+
+[ Upstream commit b73a0b80c69de77d8d4942abb37066531c0169b2 ]
+
+There is no need to check 'rdi->qp_dev' for NULL. The field 'qp_dev'
+is created in rvt_register_device() which will fail if the 'qp_dev'
+allocation fails in rvt_driver_qp_init(). Overwise this pointer
+doesn't changed and passed to rvt_qp_exit() by the next step.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 0acb0cc7ecc1 ("IB/rdmavt: Initialize and teardown of qpn table")
+Signed-off-by: Natalia Petrova
+Link: https://lore.kernel.org/r/20230303124408.16685-1-n.petrova@fintech.ru
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/sw/rdmavt/qp.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c
+index b0309876f4bb1..2bfcd47b58baa 100644
+--- a/drivers/infiniband/sw/rdmavt/qp.c
++++ b/drivers/infiniband/sw/rdmavt/qp.c
+@@ -318,8 +318,6 @@ void rvt_qp_exit(struct rvt_dev_info *rdi)
+ if (qps_inuse)
+ rvt_pr_err(rdi, "QP memory leak! %u still in use\n",
+ qps_inuse);
+- if (!rdi->qp_dev)
+- return;
+
+ kfree(rdi->qp_dev->qp_table);
+ free_qpn_table(&rdi->qp_dev->qpn_table);
+--
+2.39.2
+
diff --git a/queue-4.14/revert-bluetooth-btsdio-fix-use-after-free-bug-in-bt.patch b/queue-4.14/revert-bluetooth-btsdio-fix-use-after-free-bug-in-bt.patch
new file mode 100644
index 00000000000..72c1be47b7f
--- /dev/null
+++ b/queue-4.14/revert-bluetooth-btsdio-fix-use-after-free-bug-in-bt.patch
@@ -0,0 +1,39 @@
+From 51190cd585d749a13c9745d66b331962fa041700 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Apr 2023 18:30:06 +0800
+Subject: Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove
+ due to unfinished work"
+
+From: Liu Jian
+
+[ Upstream commit db2bf510bd5d57f064d9e1db395ed86a08320c54 ]
+
+This reverts commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f.
+
+This patch introduces a possible null-ptr-def problem. Revert it. And the
+fixed bug by this patch have resolved by commit 73f7b171b7c0 ("Bluetooth:
+btsdio: fix use after free bug in btsdio_remove due to race condition").
+
+Fixes: 1e9ac114c442 ("Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work")
+Signed-off-by: Liu Jian
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btsdio.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c
+index bd55bf7a9914c..20142bc77554c 100644
+--- a/drivers/bluetooth/btsdio.c
++++ b/drivers/bluetooth/btsdio.c
+@@ -353,7 +353,6 @@ static void btsdio_remove(struct sdio_func *func)
+
+ BT_DBG("func %p", func);
+
+- cancel_work_sync(&data->work);
+ if (!data)
+ return;
+
+--
+2.39.2
+
diff --git a/queue-4.14/scm-fix-msg_ctrunc-setting-condition-for-so_passsec.patch b/queue-4.14/scm-fix-msg_ctrunc-setting-condition-for-so_passsec.patch
new file mode 100644
index 00000000000..2c9eb2e18b0
--- /dev/null
+++ b/queue-4.14/scm-fix-msg_ctrunc-setting-condition-for-so_passsec.patch
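Review bot: With `cancel_work_sync(&data->work);` removed, nothing in the visible part of btsdio_remove() stops pending work before the device is torn down, so this revert is safe only if the replacement fix named in the message (73f7b171b7c0) is already present in the 4.14 tree. That commit is not among the lines shown here, so it should be confirmed as applied before this one is queued; otherwise the use-after-free that the reverted patch addressed is reopened. The body of btsdio_remove() continues outside the hunk.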
@@ -0,0 +1,77 @@ +From 0783d91bdf78e9b0eb2e8ffb641fad4efba4c4e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Mar 2023 12:32:11 +0100 +Subject: scm: fix MSG_CTRUNC setting condition for SO_PASSSEC + +From: Alexander Mikhalitsyn + +[ Upstream commit a02d83f9947d8f71904eda4de046630c3eb6802c ] + +Currently, kernel would set MSG_CTRUNC flag if msg_control buffer +wasn't provided and SO_PASSCRED was set or if there was pending SCM_RIGHTS. + +For some reason we have no corresponding check for SO_PASSSEC. + +In the recvmsg(2) doc we have: + MSG_CTRUNC + indicates that some control data was discarded due to lack + of space in the buffer for ancillary data. + +So, we need to set MSG_CTRUNC flag for all types of SCM. + +This change can break applications those don't check MSG_CTRUNC flag. + +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Leon Romanovsky +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Alexander Mikhalitsyn + +v2: +- commit message was rewritten according to Eric's suggestion +Acked-by: Paul Moore + +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + include/net/scm.h | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/include/net/scm.h b/include/net/scm.h +index 903771c8d4e33..1268a051f1aa2 100644 +--- a/include/net/scm.h ++++ b/include/net/scm.h +@@ -104,16 +104,27 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc + } + } + } ++ ++static inline bool scm_has_secdata(struct socket *sock) ++{ ++ return test_bit(SOCK_PASSSEC, &sock->flags); ++} + #else + static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) + { } ++ ++static inline bool scm_has_secdata(struct socket *sock) ++{ ++ return false; ++} + #endif /* CONFIG_SECURITY_NETWORK */ + + static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg, + struct scm_cookie *scm, int flags) + { + if (!msg->msg_control) { +- if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp) ++ if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp || ++ scm_has_secdata(sock)) + msg->msg_flags |= MSG_CTRUNC; + scm_destroy(scm); + return; +-- +2.39.2 + diff --git a/queue-4.14/scsi-megaraid-fix-mega_cmd_done-cmdid_int_cmds.patch b/queue-4.14/scsi-megaraid-fix-mega_cmd_done-cmdid_int_cmds.patch new file mode 100644 index 00000000000..3eaff93f729 --- /dev/null +++ b/queue-4.14/scsi-megaraid-fix-mega_cmd_done-cmdid_int_cmds.patch 
@@ -0,0 +1,38 @@
+From 24f17fddb75eb2ac8f7b33b75278ce8d08647a9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Mar 2023 17:51:09 +0000
+Subject: scsi: megaraid: Fix mega_cmd_done() CMDID_INT_CMDS
+
+From: Danila Chernetsov
+
+[ Upstream commit 75cb113cd43f06aaf4f1bda0069cfd5b98e909eb ]
+
+When cmdid == CMDID_INT_CMDS, the 'cmds' pointer is NULL but is
+dereferenced below.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 0f2bb84d2a68 ("[SCSI] megaraid: simplify internal command handling")
+Signed-off-by: Danila Chernetsov
+Link: https://lore.kernel.org/r/20230317175109.18585-1-listdansp@mail.ru
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/megaraid.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
+index eed6d45b80251..b6a62c8c26715 100644
+--- a/drivers/scsi/megaraid.c
++++ b/drivers/scsi/megaraid.c
+@@ -1443,6 +1443,7 @@ mega_cmd_done(adapter_t *adapter, u8 completed[], int nstatus, int status)
+ */
+ if (cmdid == CMDID_INT_CMDS) {
+ scb = &adapter->int_scb;
++ cmd = scb->cmd;
+
+ list_del_init(&scb->list);
+ scb->state = SCB_FREE;
+--
+2.39.2
+
diff --git a/queue-4.14/scsi-target-iscsit-fix-tas-handling-during-conn-clea.patch b/queue-4.14/scsi-target-iscsit-fix-tas-handling-during-conn-clea.patch
new file mode 100644
index 00000000000..6b57a7809b3
--- /dev/null
+++ b/queue-4.14/scsi-target-iscsit-fix-tas-handling-during-conn-clea.patch
@@ -0,0 +1,67 @@ +From a095d305afb26a74772995a656f11cf12853ccb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Mar 2023 20:56:19 -0500 +Subject: scsi: target: iscsit: Fix TAS handling during conn cleanup + +From: Mike Christie + +[ Upstream commit cc79da306ebb2edb700c3816b90219223182ac3c ] + +Fix a bug added in commit f36199355c64 ("scsi: target: iscsi: Fix cmd abort +fabric stop race"). + +If CMD_T_TAS is set on the se_cmd we must call iscsit_free_cmd() to do the +last put on the cmd and free it, because the connection is down and we will +not up sending the response and doing the put from the normal I/O +path. + +Add a check for CMD_T_TAS in iscsit_release_commands_from_conn() so we now +detect this case and run iscsit_free_cmd(). + +Fixes: f36199355c64 ("scsi: target: iscsi: Fix cmd abort fabric stop race") +Signed-off-by: Mike Christie +Link: https://lore.kernel.org/r/20230319015620.96006-9-michael.christie@oracle.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/iscsi/iscsi_target.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c +index d9fcef82ddf59..d801f5b388b8a 100644 +--- a/drivers/target/iscsi/iscsi_target.c ++++ b/drivers/target/iscsi/iscsi_target.c +@@ -4088,9 +4088,12 @@ static void iscsit_release_commands_from_conn(struct iscsi_conn *conn) + list_for_each_entry_safe(cmd, cmd_tmp, &tmp_list, i_conn_node) { + struct se_cmd *se_cmd = &cmd->se_cmd; + +- if (se_cmd->se_tfo != NULL) { +- spin_lock_irq(&se_cmd->t_state_lock); +- if (se_cmd->transport_state & CMD_T_ABORTED) { ++ if (!se_cmd->se_tfo) ++ continue; ++ ++ spin_lock_irq(&se_cmd->t_state_lock); ++ if (se_cmd->transport_state & CMD_T_ABORTED) { ++ if (!(se_cmd->transport_state & CMD_T_TAS)) + /* + * LIO's abort path owns the cleanup for this, + * so put it back on the list and let +@@ -4098,11 +4101,10 @@ static void 
iscsit_release_commands_from_conn(struct iscsi_conn *conn) + */ + list_move_tail(&cmd->i_conn_node, + &conn->conn_cmd_list); +- } else { +- se_cmd->transport_state |= CMD_T_FABRIC_STOP; +- } +- spin_unlock_irq(&se_cmd->t_state_lock); ++ } else { ++ se_cmd->transport_state |= CMD_T_FABRIC_STOP; + } ++ spin_unlock_irq(&se_cmd->t_state_lock); + } + spin_unlock_bh(&conn->cmd_lock); + +-- +2.39.2 + diff --git a/queue-4.14/selinux-ensure-av_permissions.h-is-built-when-needed.patch b/queue-4.14/selinux-ensure-av_permissions.h-is-built-when-needed.patch new file mode 100644 index 00000000000..b017ab54abd --- /dev/null +++ b/queue-4.14/selinux-ensure-av_permissions.h-is-built-when-needed.patch 
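Review bot: The new inner `if (!(se_cmd->transport_state & CMD_T_TAS))` has an unbraced body made of a multi-line comment plus a wrapped `list_move_tail()` call, directly ahead of `} else {`, so it is easy to misread which condition the `else` pairs with. Bracing the inner branch, `if (!(se_cmd->transport_state & CMD_T_TAS)) {` … `}`, removes the ambiguity without changing behaviour. A command with both CMD_T_ABORTED and CMD_T_TAS set is now deliberately left on tmp_list, and a short comment would record why, e.g. `/* CMD_T_TAS: connection is down, so this path must do the final put */`. The loop and the function continue outside the hunk.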
@@ -0,0 +1,36 @@ +From ef4da801cec60eff29f3c6e38aaf9c2b59b564c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Apr 2023 13:29:11 -0400 +Subject: selinux: ensure av_permissions.h is built when needed + +From: Paul Moore + +[ Upstream commit 4ce1f694eb5d8ca607fed8542d32a33b4f1217a5 ] + +The Makefile rule responsible for building flask.h and +av_permissions.h only lists flask.h as a target which means that +av_permissions.h is only generated when flask.h needs to be +generated. This patch fixes this by adding av_permissions.h as a +target to the rule. + +Fixes: 8753f6bec352 ("selinux: generate flask headers during kernel build") +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/selinux/Makefile b/security/selinux/Makefile +index 3efb0dda95b55..08ba8ca81d403 100644 +--- a/security/selinux/Makefile ++++ b/security/selinux/Makefile +@@ -22,5 +22,5 @@ quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h + cmd_flask = $< $(obj)/flask.h $(obj)/av_permissions.h + + targets += flask.h av_permissions.h +-$(obj)/flask.h: scripts/selinux/genheaders/genheaders FORCE ++$(obj)/flask.h $(obj)/av_permissions.h &: scripts/selinux/genheaders/genheaders FORCE + $(call if_changed,flask) +-- +2.39.2 + diff --git a/queue-4.14/selinux-fix-makefile-dependencies-of-flask.h.patch b/queue-4.14/selinux-fix-makefile-dependencies-of-flask.h.patch new file mode 100644 index 00000000000..5b15a4cac17 --- /dev/null +++ b/queue-4.14/selinux-fix-makefile-dependencies-of-flask.h.patch 
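Review bot: The grouped-target separator `&:` in the new rule `$(obj)/flask.h $(obj)/av_permissions.h &: ...` is only understood by GNU make 4.3 and later. An older make most likely parses `&` as one more target name and treats the rule as ordinary independent targets, so the guarantee that both headers are regenerated together is lost there. A 4.14 tree is commonly built with older make versions, so a form that does not need grouped targets is safer for this queue: keep `$(obj)/flask.h` as the generating rule and make `$(obj)/av_permissions.h` depend on it. These headers carry the SELinux class and permission definitions, so a stale av_permissions.h should be ruled out rather than left to the make version in use.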
@@ -0,0 +1,43 @@ +From 623eb197554c4fab8ccf70272099a1421ec786b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Apr 2023 15:59:19 +0200 +Subject: selinux: fix Makefile dependencies of flask.h + +From: Ondrej Mosnacek + +[ Upstream commit bcab1adeaad4b39a1e04cb98979a367d08253f03 ] + +Make the flask.h target depend on the genheaders binary instead of +classmap.h to ensure that it is rebuilt if any of the dependencies of +genheaders are changed. + +Notably this fixes flask.h not being rebuilt when +initial_sid_to_string.h is modified. + +Fixes: 8753f6bec352 ("selinux: generate flask headers during kernel build") +Signed-off-by: Ondrej Mosnacek +Acked-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + security/selinux/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/security/selinux/Makefile b/security/selinux/Makefile +index c7161f8792b2d..3efb0dda95b55 100644 +--- a/security/selinux/Makefile ++++ b/security/selinux/Makefile +@@ -19,8 +19,8 @@ ccflags-y := -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include + $(addprefix $(obj)/,$(selinux-y)): $(obj)/flask.h + + quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h +- cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h ++ cmd_flask = $< $(obj)/flask.h $(obj)/av_permissions.h + + targets += flask.h av_permissions.h +-$(obj)/flask.h: $(src)/include/classmap.h FORCE ++$(obj)/flask.h: scripts/selinux/genheaders/genheaders FORCE + $(call if_changed,flask) +-- +2.39.2 + diff --git a/queue-4.14/serial-8250-add-missing-wakeup-event-reporting.patch b/queue-4.14/serial-8250-add-missing-wakeup-event-reporting.patch new file mode 100644 index 00000000000..42068a23e09 --- /dev/null +++ b/queue-4.14/serial-8250-add-missing-wakeup-event-reporting.patch 
@@ -0,0 +1,53 @@ +From 2eed74e61146367d4ccf4a0b7d8c06bcbf9d633b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Apr 2023 10:02:39 -0700 +Subject: serial: 8250: Add missing wakeup event reporting + +From: Florian Fainelli + +[ Upstream commit 0ba9e3a13c6adfa99e32b2576d20820ab10ad48a ] + +An 8250 UART configured as a wake-up source would not have reported +itself through sysfs as being the source of wake-up, correct that. + +Fixes: b3b708fa2780 ("wake up from a serial port") +Signed-off-by: Florian Fainelli +Link: https://lore.kernel.org/r/20230414170241.2016255-1-f.fainelli@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_port.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index fe1de63269d1a..cdc1b2b0f4bc6 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1886,6 +1887,7 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir) + unsigned char status; + unsigned long flags; + struct uart_8250_port *up = up_to_u8250p(port); ++ struct tty_port *tport = &port->state->port; + bool skip_rx = false; + + if (iir & UART_IIR_NO_INT) +@@ -1909,6 +1911,8 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir) + skip_rx = true; + + if (status & (UART_LSR_DR | UART_LSR_BI) && !skip_rx) { ++ if (irqd_is_wakeup_set(irq_get_irq_data(port->irq))) ++ pm_wakeup_event(tport->tty->dev, 0); + if (!up->dma || handle_rx_dma(up, iir)) + status = serial8250_rx_chars(up, status); + } +-- +2.39.2 + diff --git a/queue-4.14/series b/queue-4.14/series index 55287c90bd5..5b91cc0ad84 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
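Review bot: `irq_get_irq_data(port->irq)` can return NULL when no descriptor exists for that IRQ number, and the added `irqd_is_wakeup_set(irq_get_irq_data(port->irq))` passes the result straight to an accessor that dereferences it, inside the interrupt handler. Ports serviced without a real interrupt line would presumably reach this path, though those callers are not visible here. Fetch the pointer first and test it: `struct irq_data *d = irq_get_irq_data(port->irq);` then `if (d && irqd_is_wakeup_set(d))`. `tport->tty` is also dereferenced without a check, so it is worth confirming that it cannot be NULL while receive interrupts arrive. serial8250_handle_irq continues outside the hunk.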
@@ -13,3 +13,60 @@ i2c-omap-fix-standard-mode-false-ack-readings.patch revert-ubifs-dirty_cow_znode-fix-memleak-in-error-handling-path.patch ubi-fix-return-value-overwrite-issue-in-try_write_vid_and_data.patch ubifs-free-memory-for-tmpfile-name.patch +selinux-fix-makefile-dependencies-of-flask.h.patch +selinux-ensure-av_permissions.h-is-built-when-needed.patch +drm-rockchip-drop-unbalanced-obj-unref.patch +drm-vgem-add-missing-mutex_destroy.patch +drm-probe-helper-cancel-previous-job-before-starting.patch +media-bdisp-add-missing-check-for-create_workqueue.patch +media-av7110-prevent-underflow-in-write_ts_to_decode.patch +x86-apic-fix-atomic-update-of-offset-in-reserve_eilv.patch +media-dm1105-fix-use-after-free-bug-in-dm1105_remove.patch +x86-ioapic-don-t-return-0-from-arch_dynirq_lower_bou.patch +arm64-kgdb-set-pstate.ss-to-1-to-re-enable-single-st.patch +wifi-ath6kl-minor-fix-for-allocation-size.patch +wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch +wifi-ath6kl-reduce-warn-to-dev_dbg-in-callback.patch +scm-fix-msg_ctrunc-setting-condition-for-so_passsec.patch +vlan-partially-enable-siocshwtstamp-in-container.patch +net-packet-convert-po-origdev-to-an-atomic-flag.patch +net-packet-convert-po-auxdata-to-an-atomic-flag.patch +scsi-target-iscsit-fix-tas-handling-during-conn-clea.patch +scsi-megaraid-fix-mega_cmd_done-cmdid_int_cmds.patch +md-raid10-fix-leak-of-r10bio-remaining-for-recovery.patch +wifi-iwlwifi-make-the-loop-for-card-preparation-effe.patch +wifi-iwlwifi-mvm-check-firmware-response-size.patch +ixgbe-allow-flow-hash-to-be-set-via-ethtool.patch +ixgbe-enable-setting-rss-table-to-default-values.patch +ipv4-fix-potential-uninit-variable-access-bug-in-__i.patch +revert-bluetooth-btsdio-fix-use-after-free-bug-in-bt.patch +net-amd-fix-link-leak-when-verifying-config-failed.patch +tcp-udp-fix-memleaks-of-sk-and-zerocopy-skbs-with-tx.patch +pstore-revert-pmsg_lock-back-to-a-normal-mutex.patch 
+linux-vt_buffer.h-allow-either-builtin-or-modular-fo.patch +spi-fsl-spi-fix-cpm-qe-mode-litte-endian.patch +of-fix-modalias-string-generation.patch +ia64-mm-contig-fix-section-mismatch-warning-error.patch +uapi-linux-const.h-prefer-iso-friendly-__typeof__.patch +sh-sq-fix-incorrect-element-size-for-allocating-bitm.patch +usb-chipidea-fix-missing-goto-in-ci_hdrc_probe.patch +tty-serial-fsl_lpuart-adjust-buffer-length-to-the-in.patch +serial-8250-add-missing-wakeup-event-reporting.patch +staging-rtl8192e-fix-w_disable-does-not-work-after-s.patch +spmi-add-a-check-for-remove-callback-when-removing-a.patch +spi-bcm63xx-remove-pm_sleep-based-conditional-compil.patch +macintosh-windfarm_smu_sat-add-missing-of_node_put.patch +powerpc-mpc512x-fix-resource-printk-format-warning.patch +powerpc-wii-fix-resource-printk-format-warnings.patch +powerpc-sysdev-tsi108-fix-resource-printk-format-war.patch +macintosh-via-pmu-led-requires-ata-to-be-set.patch +powerpc-rtas-use-memmove-for-potentially-overlapping.patch +perf-core-fix-hardlockup-failure-caused-by-perf-thro.patch +rdma-rdmavt-delete-unnecessary-null-check.patch +power-supply-generic-adc-battery-fix-unit-scaling.patch +clk-add-missing-of_node_put-in-assigned-clocks-prope.patch +ib-hfi1-fix-sdma-mmu_rb_node-not-being-evicted-in-lr.patch +nfsv4.1-always-send-a-reclaim_complete-after-establi.patch +sunrpc-remove-the-maximum-number-of-retries-in-call_.patch +phy-tegra-xusb-add-missing-tegra_xusb_port_unregiste.patch +dmaengine-at_xdmac-do-not-enable-all-cyclic-channels.patch diff --git a/queue-4.14/sh-sq-fix-incorrect-element-size-for-allocating-bitm.patch b/queue-4.14/sh-sq-fix-incorrect-element-size-for-allocating-bitm.patch new file mode 100644 index 00000000000..b7531b20cec --- /dev/null +++ b/queue-4.14/sh-sq-fix-incorrect-element-size-for-allocating-bitm.patch 
@@ -0,0 +1,44 @@ +From 2ebf3efc95faab17af8e5a1e4e322fc778391c81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Apr 2023 13:48:52 +0200 +Subject: sh: sq: Fix incorrect element size for allocating bitmap buffer + +From: John Paul Adrian Glaubitz + +[ Upstream commit 80f746e2bd0e1da3fdb49a53570e54a1a225faac ] + +The Store Queue code allocates a bitmap buffer with the size of +multiple of sizeof(long) in sq_api_init(). While the buffer size +is calculated correctly, the code uses the wrong element size to +allocate the buffer which results in the allocated bitmap buffer +being too small. + +Fix this by allocating the buffer with kcalloc() with element size +sizeof(long) instead of kzalloc() whose elements size defaults to +sizeof(char). + +Fixes: d7c30c682a27 ("sh: Store Queue API rework.") +Reviewed-by: Geert Uytterhoeven +Signed-off-by: John Paul Adrian Glaubitz +Link: https://lore.kernel.org/r/20230419114854.528677-1-glaubitz@physik.fu-berlin.de +Signed-off-by: Sasha Levin +--- + arch/sh/kernel/cpu/sh4/sq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/sh/kernel/cpu/sh4/sq.c b/arch/sh/kernel/cpu/sh4/sq.c +index 4ca78ed71ad2c..c218bae8fe208 100644 +--- a/arch/sh/kernel/cpu/sh4/sq.c ++++ b/arch/sh/kernel/cpu/sh4/sq.c +@@ -383,7 +383,7 @@ static int __init sq_api_init(void) + if (unlikely(!sq_cache)) + return ret; + +- sq_bitmap = kzalloc(size, GFP_KERNEL); ++ sq_bitmap = kcalloc(size, sizeof(long), GFP_KERNEL); + if (unlikely(!sq_bitmap)) + goto out; + +-- +2.39.2 + diff --git a/queue-4.14/spi-bcm63xx-remove-pm_sleep-based-conditional-compil.patch b/queue-4.14/spi-bcm63xx-remove-pm_sleep-based-conditional-compil.patch new file mode 100644 index 00000000000..bd00b6282ba --- /dev/null +++ b/queue-4.14/spi-bcm63xx-remove-pm_sleep-based-conditional-compil.patch 
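Review bot: In the new `kcalloc(size, sizeof(long), GFP_KERNEL)` the element size is spelled as a type rather than tied to the buffer. Writing `kcalloc(size, sizeof(*sq_bitmap), GFP_KERNEL)` stays correct if the declaration of sq_bitmap, which is not visible in this hunk, ever changes. The description says the old buffer was too small, which suggests bitmap operations could reach past its end. A short comment at the allocation such as `/* size counts longs, not bytes */` would keep a later edit from reintroducing that. How `size` is computed lies outside the hunk.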
@@ -0,0 +1,48 @@ +From 5d6d21696db98be3c7db3d076e3d87fa93cb24cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Apr 2023 17:46:15 +0530 +Subject: spi: bcm63xx: remove PM_SLEEP based conditional compilation + +From: Dhruva Gole + +[ Upstream commit 25f0617109496e1aff49594fbae5644286447a0f ] + +Get rid of conditional compilation based on CONFIG_PM_SLEEP because +it may introduce build issues with certain configs where it maybe disabled +This is because if above config is not enabled the suspend-resume +functions are never part of the code but the bcm63xx_spi_pm_ops struct +still inits them to non-existent suspend-resume functions. + +Fixes: b42dfed83d95 ("spi: add Broadcom BCM63xx SPI controller driver") + +Signed-off-by: Dhruva Gole +Link: https://lore.kernel.org/r/20230420121615.967487-1-d-gole@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c +index bfe5754768f97..c7b67388709fe 100644 +--- a/drivers/spi/spi-bcm63xx.c ++++ b/drivers/spi/spi-bcm63xx.c +@@ -625,7 +625,6 @@ static int bcm63xx_spi_remove(struct platform_device *pdev) + return 0; + } + +-#ifdef CONFIG_PM_SLEEP + static int bcm63xx_spi_suspend(struct device *dev) + { + struct spi_master *master = dev_get_drvdata(dev); +@@ -652,7 +651,6 @@ static int bcm63xx_spi_resume(struct device *dev) + + return 0; + } +-#endif + + static const struct dev_pm_ops bcm63xx_spi_pm_ops = { + SET_SYSTEM_SLEEP_PM_OPS(bcm63xx_spi_suspend, bcm63xx_spi_resume) +-- +2.39.2 + diff --git a/queue-4.14/spi-fsl-spi-fix-cpm-qe-mode-litte-endian.patch b/queue-4.14/spi-fsl-spi-fix-cpm-qe-mode-litte-endian.patch new file mode 100644 index 00000000000..9fcafd556f0 --- /dev/null +++ b/queue-4.14/spi-fsl-spi-fix-cpm-qe-mode-litte-endian.patch 
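Review bot: With the `#ifdef CONFIG_PM_SLEEP` guard removed, bcm63xx_spi_suspend() and bcm63xx_spi_resume() are compiled unconditionally, but `SET_SYSTEM_SLEEP_PM_OPS()` expands to nothing when CONFIG_PM_SLEEP is off. In that configuration both static functions become unreferenced and draw unused-function warnings. Marking them keeps the build clean in both configurations: `static int __maybe_unused bcm63xx_spi_suspend(struct device *dev)` and the same on bcm63xx_spi_resume. Both function bodies extend outside the hunk.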
@@ -0,0 +1,71 @@ +From 51fb6cd98c13ef4aa6f3910e73fc8c10fbfdc541 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Apr 2023 19:59:46 +0200 +Subject: spi: fsl-spi: Fix CPM/QE mode Litte Endian + +From: Christophe Leroy + +[ Upstream commit c20c57d9868d7f9fd1b2904c7801b07e128f6322 ] + +CPM has the same problem as QE so for CPM also use the fix added +by commit 0398fb70940e ("spi/spi_mpc8xxx: Fix QE mode Litte Endian"): + + CPM mode uses Little Endian so words > 8 bits are byte swapped. + Workaround this by always enforcing wordsize 8 for 16 and 32 bits + words. Unfortunately this will not work for LSB transfers + where wordsize is > 8 bits so disable these for now. + +Also limit the workaround to 16 and 32 bits words because it can +only work for multiples of 8-bits. + +Signed-off-by: Christophe Leroy +Cc: Joakim Tjernlund +Fixes: 0398fb70940e ("spi/spi_mpc8xxx: Fix QE mode Litte Endian") +Link: https://lore.kernel.org/r/1b7d3e84b1128f42c1887dd2fb9cdf390f541bc1.1680371809.git.christophe.leroy@csgroup.eu +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-fsl-spi.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/spi/spi-fsl-spi.c b/drivers/spi/spi-fsl-spi.c +index cd784552de7f1..479d10dc6cb84 100644 +--- a/drivers/spi/spi-fsl-spi.c ++++ b/drivers/spi/spi-fsl-spi.c +@@ -205,8 +205,8 @@ static int mspi_apply_qe_mode_quirks(struct spi_mpc8xxx_cs *cs, + struct spi_device *spi, + int bits_per_word) + { +- /* QE uses Little Endian for words > 8 +- * so transform all words > 8 into 8 bits ++ /* CPM/QE uses Little Endian for words > 8 ++ * so transform 16 and 32 bits words into 8 bits + * Unfortnatly that doesn't work for LSB so + * reject these for now */ + /* Note: 32 bits word, LSB works iff +@@ -214,9 +214,11 @@ static int mspi_apply_qe_mode_quirks(struct spi_mpc8xxx_cs *cs, + if (spi->mode & SPI_LSB_FIRST && + bits_per_word > 8) + return -EINVAL; +- if (bits_per_word > 8) ++ if (bits_per_word <= 
8) ++ return bits_per_word; ++ if (bits_per_word == 16 || bits_per_word == 32) + return 8; /* pretend its 8 bits */ +- return bits_per_word; ++ return -EINVAL; + } + + static int fsl_spi_setup_transfer(struct spi_device *spi, +@@ -246,7 +248,7 @@ static int fsl_spi_setup_transfer(struct spi_device *spi, + bits_per_word = mspi_apply_cpu_mode_quirks(cs, spi, + mpc8xxx_spi, + bits_per_word); +- else if (mpc8xxx_spi->flags & SPI_QE) ++ else + bits_per_word = mspi_apply_qe_mode_quirks(cs, spi, + bits_per_word); + +-- +2.39.2 + diff --git a/queue-4.14/spmi-add-a-check-for-remove-callback-when-removing-a.patch b/queue-4.14/spmi-add-a-check-for-remove-callback-when-removing-a.patch new file mode 100644 index 00000000000..d6ce6c7f679 --- /dev/null +++ b/queue-4.14/spmi-add-a-check-for-remove-callback-when-removing-a.patch 
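Review bot: mspi_apply_qe_mode_quirks() now returns `-EINVAL` for any word size above 8 that is not 16 or 32, where it previously returned 8, and the final `else` in fsl_spi_setup_transfer() routes every non-CPU-mode controller through it. The assignment `bits_per_word = mspi_apply_qe_mode_quirks(...)` is the last visible statement, so the hunk does not show whether the caller tests for a negative value before using it as a width. That check has to exist for the new return to be safe. The comment above the function would be clearer if it listed the accepted sizes, e.g. `/* CPM/QE: 8 bits or fewer pass through, 16 and 32 are sent as 8-bit words, other sizes are rejected */`. fsl_spi_setup_transfer continues outside the hunk.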
@@ -0,0 +1,65 @@ +From 24053f4133242d88de36cc440cf8b8abb2dc7395 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 15:38:34 -0700 +Subject: spmi: Add a check for remove callback when removing a SPMI driver + +From: Jishnu Prakash + +[ Upstream commit b56eef3e16d888883fefab47425036de80dd38fc ] + +When removing a SPMI driver, there can be a crash due to NULL pointer +dereference if it does not have a remove callback defined. This is +one such call trace observed when removing the QCOM SPMI PMIC driver: + + dump_backtrace.cfi_jt+0x0/0x8 + dump_stack_lvl+0xd8/0x16c + panic+0x188/0x498 + __cfi_slowpath+0x0/0x214 + __cfi_slowpath+0x1dc/0x214 + spmi_drv_remove+0x16c/0x1e0 + device_release_driver_internal+0x468/0x79c + driver_detach+0x11c/0x1a0 + bus_remove_driver+0xc4/0x124 + driver_unregister+0x58/0x84 + cleanup_module+0x1c/0xc24 [qcom_spmi_pmic] + __do_sys_delete_module+0x3ec/0x53c + __arm64_sys_delete_module+0x18/0x28 + el0_svc_common+0xdc/0x294 + el0_svc+0x38/0x9c + el0_sync_handler+0x8c/0xf0 + el0_sync+0x1b4/0x1c0 + +If a driver has all its resources allocated through devm_() APIs and +does not need any other explicit cleanup, it would not require a +remove callback to be defined. Hence, add a check for remove callback +presence before calling it when removing a SPMI driver. 
+ +Link: https://lore.kernel.org/r/1671601032-18397-2-git-send-email-quic_jprakash@quicinc.com +Fixes: 6f00f8c8635f ("mfd: qcom-spmi-pmic: Use devm_of_platform_populate()") +Fixes: 5a86bf343976 ("spmi: Linux driver framework for SPMI") +Signed-off-by: Jishnu Prakash +Signed-off-by: Stephen Boyd +Link: https://lore.kernel.org/r/20230413223834.4084793-7-sboyd@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/spmi/spmi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/spmi/spmi.c b/drivers/spmi/spmi.c +index aa3edabc2b0fe..55f1cad836ba2 100644 +--- a/drivers/spmi/spmi.c ++++ b/drivers/spmi/spmi.c +@@ -356,7 +356,8 @@ static int spmi_drv_remove(struct device *dev) + const struct spmi_driver *sdrv = to_spmi_driver(dev->driver); + + pm_runtime_get_sync(dev); +- sdrv->remove(to_spmi_device(dev)); ++ if (sdrv->remove) ++ sdrv->remove(to_spmi_device(dev)); + pm_runtime_put_noidle(dev); + + pm_runtime_disable(dev); +-- +2.39.2 + diff --git a/queue-4.14/staging-rtl8192e-fix-w_disable-does-not-work-after-s.patch b/queue-4.14/staging-rtl8192e-fix-w_disable-does-not-work-after-s.patch new file mode 100644 index 00000000000..e2a8a51ca3c --- /dev/null +++ b/queue-4.14/staging-rtl8192e-fix-w_disable-does-not-work-after-s.patch 
@@ -0,0 +1,44 @@ +From f4da1b16f1c1326daea03116790882b815d68c88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 22:02:01 +0200 +Subject: staging: rtl8192e: Fix W_DISABLE# does not work after stop/start + +From: Philipp Hortmann + +[ Upstream commit 3fac2397f562eb669ddc2f45867a253f3fc26184 ] + +When loading the driver for rtl8192e, the W_DISABLE# switch is working as +intended. But when the WLAN is turned off in software and then turned on +again the W_DISABLE# does not work anymore. Reason for this is that in +the function _rtl92e_dm_check_rf_ctrl_gpio() the bfirst_after_down is +checked and returned when true. bfirst_after_down is set true when +switching the WLAN off in software. But it is not set to false again +when WLAN is turned on again. + +Add bfirst_after_down = false in _rtl92e_sta_up to reset bit and fix +above described bug. + +Fixes: 94a799425eee ("From: wlanfae [PATCH 1/8] rtl8192e: Import new version of driver from realtek") +Signed-off-by: Philipp Hortmann +Link: https://lore.kernel.org/r/20230418200201.GA17398@matrix-ESPRIMO-P710 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192e/rtl8192e/rtl_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c +index e1ede9fd4920b..8420bdae1a5cc 100644 +--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c ++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c +@@ -778,6 +778,7 @@ static int _rtl92e_sta_up(struct net_device *dev, bool is_silent_reset) + else + netif_wake_queue(dev); + ++ priv->bfirst_after_down = false; + return 0; + } + +-- +2.39.2 + diff --git a/queue-4.14/sunrpc-remove-the-maximum-number-of-retries-in-call_.patch b/queue-4.14/sunrpc-remove-the-maximum-number-of-retries-in-call_.patch new file mode 100644 index 00000000000..c3a45db1f30 --- /dev/null +++ b/queue-4.14/sunrpc-remove-the-maximum-number-of-retries-in-call_.patch 
@@ -0,0 +1,74 @@ +From 83f989885731328a256f5f17bca14ea8646fb0eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 13:19:02 -0700 +Subject: SUNRPC: remove the maximum number of retries in call_bind_status + +From: Dai Ngo + +[ Upstream commit 691d0b782066a6eeeecbfceb7910a8f6184e6105 ] + +Currently call_bind_status places a hard limit of 3 to the number of +retries on EACCES error. This limit was done to prevent NLM unlock +requests from being hang forever when the server keeps returning garbage. +However this change causes problem for cases when NLM service takes +longer than 9 seconds to register with the port mapper after a restart. + +This patch removes this hard coded limit and let the RPC handles +the retry based on the standard hard/soft task semantics. + +Fixes: 0b760113a3a1 ("NLM: Don't hang forever on NLM unlock requests") +Reported-by: Helen Chao +Tested-by: Helen Chao +Signed-off-by: Dai Ngo +Reviewed-by: Jeff Layton +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + include/linux/sunrpc/sched.h | 3 +-- + net/sunrpc/clnt.c | 3 --- + net/sunrpc/sched.c | 1 - + 3 files changed, 1 insertion(+), 6 deletions(-) + +diff --git a/include/linux/sunrpc/sched.h b/include/linux/sunrpc/sched.h +index c9548a63d09bb..0f7c8f820aa3f 100644 +--- a/include/linux/sunrpc/sched.h ++++ b/include/linux/sunrpc/sched.h +@@ -88,8 +88,7 @@ struct rpc_task { + #endif + unsigned char tk_priority : 2,/* Task priority */ + tk_garb_retry : 2, +- tk_cred_retry : 2, +- tk_rebind_retry : 2; ++ tk_cred_retry : 2; + }; + + typedef void (*rpc_action)(struct rpc_task *); +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index 411925b043cce..de917d45e512a 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -1827,9 +1827,6 @@ call_bind_status(struct rpc_task *task) + status = -EOPNOTSUPP; + break; + } +- if (task->tk_rebind_retry == 0) +- break; +- task->tk_rebind_retry--; + rpc_delay(task, 3*HZ); + goto retry_timeout; + case -ETIMEDOUT: +diff --git 
a/net/sunrpc/sched.c b/net/sunrpc/sched.c +index 4e0ebb4780df8..b368f5aabe291 100644 +--- a/net/sunrpc/sched.c ++++ b/net/sunrpc/sched.c +@@ -697,7 +697,6 @@ rpc_init_task_statistics(struct rpc_task *task) + /* Initialize retry counters */ + task->tk_garb_retry = 2; + task->tk_cred_retry = 2; +- task->tk_rebind_retry = 2; + + /* starting timestamp */ + task->tk_start = ktime_get(); +-- +2.39.2 + diff --git a/queue-4.14/tcp-udp-fix-memleaks-of-sk-and-zerocopy-skbs-with-tx.patch b/queue-4.14/tcp-udp-fix-memleaks-of-sk-and-zerocopy-skbs-with-tx.patch new file mode 100644 index 00000000000..244b4d807ac --- /dev/null +++ b/queue-4.14/tcp-udp-fix-memleaks-of-sk-and-zerocopy-skbs-with-tx.patch 
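Review bot: After this change the rebind branch of call_bind_status() reaches `rpc_delay(task, 3*HZ); goto retry_timeout;` with no counter, so whether it terminates depends entirely on the code at `retry_timeout`, which is outside the hunk. The limit being removed was introduced so that NLM unlock requests would not hang forever against a server that keeps returning garbage, and for hard tasks that unbounded wait appears to be back. A comment at the delay would document the trade-off, e.g. `/* no local retry cap: soft tasks time out, hard tasks retry until the bind succeeds */`, assuming that is what the timeout path does.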
@@ -0,0 +1,125 @@ +From e64eac31bdef97baaf613f62c4fdfa2e4e221887 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Apr 2023 15:20:22 -0700 +Subject: tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp. + +From: Kuniyuki Iwashima + +[ Upstream commit 50749f2dd6854a41830996ad302aef2ffaf011d8 ] + +syzkaller reported [0] memory leaks of an UDP socket and ZEROCOPY +skbs. We can reproduce the problem with these sequences: + + sk = socket(AF_INET, SOCK_DGRAM, 0) + sk.setsockopt(SOL_SOCKET, SO_TIMESTAMPING, SOF_TIMESTAMPING_TX_SOFTWARE) + sk.setsockopt(SOL_SOCKET, SO_ZEROCOPY, 1) + sk.sendto(b'', MSG_ZEROCOPY, ('127.0.0.1', 53)) + sk.close() + +sendmsg() calls msg_zerocopy_alloc(), which allocates a skb, sets +skb->cb->ubuf.refcnt to 1, and calls sock_hold(). Here, struct +ubuf_info_msgzc indirectly holds a refcnt of the socket. When the +skb is sent, __skb_tstamp_tx() clones it and puts the clone into +the socket's error queue with the TX timestamp. + +When the original skb is received locally, skb_copy_ubufs() calls +skb_unclone(), and pskb_expand_head() increments skb->cb->ubuf.refcnt. +This additional count is decremented while freeing the skb, but struct +ubuf_info_msgzc still has a refcnt, so __msg_zerocopy_callback() is +not called. + +The last refcnt is not released unless we retrieve the TX timestamped +skb by recvmsg(). Since we clear the error queue in inet_sock_destruct() +after the socket's refcnt reaches 0, there is a circular dependency. +If we close() the socket holding such skbs, we never call sock_put() +and leak the count, sk, and skb. + +TCP has the same problem, and commit e0c8bccd40fc ("net: stream: +purge sk_error_queue in sk_stream_kill_queues()") tried to fix it +by calling skb_queue_purge() during close(). However, there is a +small chance that skb queued in a qdisc or device could be put +into the error queue after the skb_queue_purge() call. 
+ +In __skb_tstamp_tx(), the cloned skb should not have a reference +to the ubuf to remove the circular dependency, but skb_clone() does +not call skb_copy_ubufs() for zerocopy skb. So, we need to call +skb_orphan_frags_rx() for the cloned skb to call skb_copy_ubufs(). + +[0]: +BUG: memory leak +unreferenced object 0xffff88800c6d2d00 (size 1152): + comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 cd af e8 81 00 00 00 00 ................ + 02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............ + backtrace: + [<0000000055636812>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:2024 + [<0000000054d77b7a>] sk_alloc+0x3b/0x800 net/core/sock.c:2083 + [<0000000066f3c7e0>] inet_create net/ipv4/af_inet.c:319 [inline] + [<0000000066f3c7e0>] inet_create+0x31e/0xe40 net/ipv4/af_inet.c:245 + [<000000009b83af97>] __sock_create+0x2ab/0x550 net/socket.c:1515 + [<00000000b9b11231>] sock_create net/socket.c:1566 [inline] + [<00000000b9b11231>] __sys_socket_create net/socket.c:1603 [inline] + [<00000000b9b11231>] __sys_socket_create net/socket.c:1588 [inline] + [<00000000b9b11231>] __sys_socket+0x138/0x250 net/socket.c:1636 + [<000000004fb45142>] __do_sys_socket net/socket.c:1649 [inline] + [<000000004fb45142>] __se_sys_socket net/socket.c:1647 [inline] + [<000000004fb45142>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647 + [<0000000066999e0e>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [<0000000066999e0e>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 + [<0000000017f238c1>] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +BUG: memory leak +unreferenced object 0xffff888017633a00 (size 240): + comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 2d 6d 0c 80 88 ff ff .........-m..... 
+ backtrace: + [<000000002b1c4368>] __alloc_skb+0x229/0x320 net/core/skbuff.c:497 + [<00000000143579a6>] alloc_skb include/linux/skbuff.h:1265 [inline] + [<00000000143579a6>] sock_omalloc+0xaa/0x190 net/core/sock.c:2596 + [<00000000be626478>] msg_zerocopy_alloc net/core/skbuff.c:1294 [inline] + [<00000000be626478>] msg_zerocopy_realloc+0x1ce/0x7f0 net/core/skbuff.c:1370 + [<00000000cbfc9870>] __ip_append_data+0x2adf/0x3b30 net/ipv4/ip_output.c:1037 + [<0000000089869146>] ip_make_skb+0x26c/0x2e0 net/ipv4/ip_output.c:1652 + [<00000000098015c2>] udp_sendmsg+0x1bac/0x2390 net/ipv4/udp.c:1253 + [<0000000045e0e95e>] inet_sendmsg+0x10a/0x150 net/ipv4/af_inet.c:819 + [<000000008d31bfde>] sock_sendmsg_nosec net/socket.c:714 [inline] + [<000000008d31bfde>] sock_sendmsg+0x141/0x190 net/socket.c:734 + [<0000000021e21aa4>] __sys_sendto+0x243/0x360 net/socket.c:2117 + [<00000000ac0af00c>] __do_sys_sendto net/socket.c:2129 [inline] + [<00000000ac0af00c>] __se_sys_sendto net/socket.c:2125 [inline] + [<00000000ac0af00c>] __x64_sys_sendto+0xe1/0x1c0 net/socket.c:2125 + [<0000000066999e0e>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [<0000000066999e0e>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 + [<0000000017f238c1>] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: f214f915e7db ("tcp: enable MSG_ZEROCOPY") +Fixes: b5947e5d1e71 ("udp: msg_zerocopy") +Reported-by: syzbot +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/skbuff.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 9dae8009b407d..71827da47274c 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4420,6 +4420,9 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, + skb = alloc_skb(0, GFP_ATOMIC); + } else { + skb = skb_clone(orig_skb, GFP_ATOMIC); ++ ++ if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) ++ return; + } + if (!skb) + return; +-- +2.39.2 + 
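Review bot: When `skb_orphan_frags_rx(skb, GFP_ATOMIC)` fails, the added `return;` drops the clone that `skb_clone()` just produced without freeing it, so a patch that removes one leak adds another on the allocation-failure path. The error branch should release the clone first: `if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) { kfree_skb(skb); return; }`. The call also runs before the existing `if (!skb) return;`, so it relies on skb_orphan_frags_rx() tolerating a NULL skb from a failed clone. Moving the NULL test above the call would remove that dependency. __skb_tstamp_tx continues outside the hunk.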
diff --git a/queue-4.14/tty-serial-fsl_lpuart-adjust-buffer-length-to-the-in.patch b/queue-4.14/tty-serial-fsl_lpuart-adjust-buffer-length-to-the-in.patch new file mode 100644 index 00000000000..2099444f126 --- /dev/null +++ b/queue-4.14/tty-serial-fsl_lpuart-adjust-buffer-length-to-the-in.patch @@ -0,0 +1,39 @@ +From 448e513a5f603920bf805c5f30584fa36444395f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Apr 2023 14:55:55 -0500 +Subject: tty: serial: fsl_lpuart: adjust buffer length to the intended size + +From: Shenwei Wang + +[ Upstream commit f73fd750552524b06b5d77ebfdd106ccc8fcac61 ] + +Based on the fls function definition provided below, we should not +subtract 1 to obtain the correct buffer length: + +fls(0) = 0, fls(1) = 1, fls(0x80000000) = 32. + +Fixes: 5887ad43ee02 ("tty: serial: fsl_lpuart: Use cyclic DMA for Rx") +Signed-off-by: Shenwei Wang +Link: https://lore.kernel.org/r/20230410195555.1003900-1-shenwei.wang@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/fsl_lpuart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index 20dd476e4d1a1..e7ab8ec032cfe 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -998,7 +998,7 @@ static inline int lpuart_start_rx_dma(struct lpuart_port *sport) + * 10ms at any baud rate. + */ + sport->rx_dma_rng_buf_len = (DMA_RX_TIMEOUT * baud / bits / 1000) * 2; +- sport->rx_dma_rng_buf_len = (1 << (fls(sport->rx_dma_rng_buf_len) - 1)); ++ sport->rx_dma_rng_buf_len = (1 << fls(sport->rx_dma_rng_buf_len)); + if (sport->rx_dma_rng_buf_len < 16) + sport->rx_dma_rng_buf_len = 16; + +-- +2.39.2 + diff --git a/queue-4.14/uapi-linux-const.h-prefer-iso-friendly-__typeof__.patch b/queue-4.14/uapi-linux-const.h-prefer-iso-friendly-__typeof__.patch new file mode 100644 index 00000000000..97b5fa74a2a --- /dev/null 
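Review bot: `(1 << fls(sport->rx_dma_rng_buf_len))` always yields a power of two strictly greater than the computed length, so an input that is already a power of two is doubled, and the comment above still only states the 10ms intent. If plain rounding up is what is wanted, `roundup_pow_of_two()` says so directly and leaves exact powers of two alone. If the extra headroom is deliberate, a comment such as `/* next power of two strictly above the computed length */` should record it. The expression is also a signed int shift, so it is only defined while fls() returns less than 31, which the baud-derived value presumably never approaches. lpuart_start_rx_dma continues outside the hunk.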
+++ b/queue-4.14/uapi-linux-const.h-prefer-iso-friendly-__typeof__.patch 
@@ -0,0 +1,65 @@
+From a4883c38661d3b34b7e7b7968303f9e2a3245912 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 11 Apr 2023 10:27:47 +0100
+Subject: uapi/linux/const.h: prefer ISO-friendly __typeof__
+
+From: Kevin Brodsky
+
+[ Upstream commit 31088f6f7906253ef4577f6a9b84e2d42447dba0 ]
+
+typeof is (still) a GNU extension, which means that it cannot be used when
+building ISO C (e.g. -std=c99). It should therefore be avoided in uapi
+headers in favour of the ISO-friendly __typeof__.
+
+Unfortunately this issue could not be detected by
+CONFIG_UAPI_HEADER_TEST=y as the __ALIGN_KERNEL() macro is not expanded in
+any uapi header.
+
+This matters from a userspace perspective, not a kernel one. uapi
+headers and their contents are expected to be usable in a variety of
+situations, and in particular when building ISO C applications (with
+-std=c99 or similar).
+
+This particular problem can be reproduced by trying to use the
+__ALIGN_KERNEL macro directly in application code, say:
+
+#include
+
+int align(int x, int a)
+{
+ return __KERNEL_ALIGN(x, a);
+}
+
+and trying to build that with -std=c99.
+
+Link: https://lkml.kernel.org/r/20230411092747.3759032-1-kevin.brodsky@arm.com
+Fixes: a79ff731a1b2 ("netfilter: xtables: make XT_ALIGN() usable in exported headers by exporting __ALIGN_KERNEL()")
+Signed-off-by: Kevin Brodsky
+Reported-by: Ruben Ayrapetyan
+Tested-by: Ruben Ayrapetyan
+Reviewed-by: Petr Vorel
+Tested-by: Petr Vorel
+Reviewed-by: Masahiro Yamada
+Cc: Sam Ravnborg
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ include/uapi/linux/const.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/const.h b/include/uapi/linux/const.h
+index 0bd39530b2e38..4ef7c87d12492 100644
+--- a/include/uapi/linux/const.h
++++ b/include/uapi/linux/const.h
+@@ -28,7 +28,7 @@
+ #define _BITUL(x) (_AC(1,UL) << (x))
+ #define _BITULL(x) (_AC(1,ULL) << (x))
+
+-#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)
++#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (__typeof__(x))(a) - 1)
+ #define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask))
+
+ #define __KERNEL_DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
+--
+2.39.2
+
diff --git a/queue-4.14/usb-chipidea-fix-missing-goto-in-ci_hdrc_probe.patch b/queue-4.14/usb-chipidea-fix-missing-goto-in-ci_hdrc_probe.patch
new file mode 100644
index 00000000000..218ba6418ef
--- /dev/null
+++ b/queue-4.14/usb-chipidea-fix-missing-goto-in-ci_hdrc_probe.patch
@@ -0,0 +1,42 @@
+From 55d48c9b3a140dff34d56423ae3d56af811964ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Apr 2023 13:58:52 +0800
+Subject: usb: chipidea: fix missing goto in `ci_hdrc_probe`
+
+From: Yinhao Hu
+
+[ Upstream commit d6f712f53b79f5017cdcefafb7a5aea9ec52da5d ]
+
+From the comment of ci_usb_phy_init, it returns an error code if
+usb_phy_init has failed, and it should do some clean up, not just
+return directly.
+
+Fix this by goto the error handling.
+
+Fixes: 74475ede784d ("usb: chipidea: move PHY operation to core")
+Reviewed-by: Dongliang Mu
+Acked-by: Peter Chen
+Signed-off-by: Yinhao Hu
+Link: https://lore.kernel.org/r/20230412055852.971991-1-dddddd@hust.edu.cn
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/chipidea/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c
+index 48fbb6302e60e..4cacb91c47291 100644
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -987,7 +987,7 @@ static int ci_hdrc_probe(struct platform_device *pdev)
+ ret = ci_usb_phy_init(ci);
+ if (ret) {
+ dev_err(dev, "unable to init phy: %d\n", ret);
+- return ret;
++ goto ulpi_exit;
+ }
+
+ ci->hw_bank.phys = res->start;
+--
+2.39.2
+
diff --git a/queue-4.14/vlan-partially-enable-siocshwtstamp-in-container.patch b/queue-4.14/vlan-partially-enable-siocshwtstamp-in-container.patch
new file mode 100644
index 00000000000..f6a9566ff33
--- /dev/null
+++ b/queue-4.14/vlan-partially-enable-siocshwtstamp-in-container.patch
@@ -0,0 +1,37 @@
+From 82a30ef8297ef5ceefd302e9967cf10bf2c66dd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Mar 2023 08:33:02 -0700
+Subject: vlan: partially enable SIOCSHWTSTAMP in container
+
+From: Vadim Fedorenko
+
+[ Upstream commit 731b73dba359e3ff00517c13aa0daa82b34ff466 ]
+
+Setting timestamp filter was explicitly disabled on vlan devices in
+containers because it might affect other processes on the host. But it's
+absolutely legit in case when real device is in the same namespace.
+
+Fixes: 873017af7784 ("vlan: disable SIOCSHWTSTAMP in container")
+Signed-off-by: Vadim Fedorenko
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/8021q/vlan_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
+index ed3717dc2d201..e871d3b27c479 100644
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -367,7 +367,7 @@ static int vlan_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+
+ switch (cmd) {
+ case SIOCSHWTSTAMP:
+- if (!net_eq(dev_net(dev), &init_net))
++ if (!net_eq(dev_net(dev), dev_net(real_dev)))
+ break;
+ case SIOCGMIIPHY:
+ case SIOCGMIIREG:
+--
+2.39.2
+
diff --git a/queue-4.14/wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch b/queue-4.14/wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch
new file mode 100644
index 00000000000..b463534e0b8
--- /dev/null
+++ b/queue-4.14/wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch
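Review bot: The `SIOCSHWTSTAMP` case in `vlan_dev_ioctl` falls into `case SIOCGMIIPHY:` with no marker, and the new `net_eq()` test is, as far as this hunk shows, the check that decides whether a request from inside a container reaches the real device, so both deserve a comment. I would add `/* pass through only when the vlan and its real device share a netns */` above the `net_eq()` line and `/* fall through */` after the `break;`. The commit message gives the reason (a filter change "might affect other processes on the host"), and that reason belongs next to the check. The switch and the function continue outside the hunk.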
@@ -0,0 +1,39 @@
+From 02fe2fab521f2a02e3e45abf78e50e32948e3e12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Feb 2023 16:15:48 +0300
+Subject: wifi: ath5k: fix an off by one check in ath5k_eeprom_read_freq_list()
+
+From: Dan Carpenter
+
+[ Upstream commit 4c856ee12df85aabd437c3836ed9f68d94268358 ]
+
+This loop checks that i < max at the start of loop but then it does
+i++ which could put it past the end of the array. It's harmless to
+check again and prevent a potential out of bounds.
+
+Fixes: 1048643ea94d ("ath5k: Clean up eeprom parsing and add missing calibration data")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Luis Chamberlain
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/Y+D9hPQrHfWBJhXz@kili
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath5k/eeprom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath5k/eeprom.c b/drivers/net/wireless/ath/ath5k/eeprom.c
+index 01163b3339451..92f5c8e830901 100644
+--- a/drivers/net/wireless/ath/ath5k/eeprom.c
++++ b/drivers/net/wireless/ath/ath5k/eeprom.c
+@@ -529,7 +529,7 @@ ath5k_eeprom_read_freq_list(struct ath5k_hw *ah, int *offset, int max,
+ ee->ee_n_piers[mode]++;
+
+ freq2 = (val >> 8) & 0xff;
+- if (!freq2)
++ if (!freq2 || i >= max)
+ break;
+
+ pc[i++].freq = ath5k_eeprom_bin2freq(ee,
+--
+2.39.2
+
diff --git a/queue-4.14/wifi-ath6kl-minor-fix-for-allocation-size.patch b/queue-4.14/wifi-ath6kl-minor-fix-for-allocation-size.patch
new file mode 100644
index 00000000000..85c47b7f49a
--- /dev/null
+++ b/queue-4.14/wifi-ath6kl-minor-fix-for-allocation-size.patch
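Review bot: The added `i >= max` test in `ath5k_eeprom_read_freq_list` guards the second `pc[i++]` store, but nothing in the code says why a second bound check is needed inside a loop that, per the commit message, already tests `i < max` at the top. A one-line comment such as `/* i was advanced by the first store; re-check before the second */` would keep a later cleanup from dropping it as redundant. The loop head and the first store are outside the hunk, so this rests on the commit description rather than on visible code.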
@@ -0,0 +1,40 @@
+From e4adf38968bc5294b0376d8216738d9393753e64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Feb 2023 20:31:37 +0200
+Subject: wifi: ath6kl: minor fix for allocation size
+
+From: Alexey V. Vissarionov
+
+[ Upstream commit 778f83f889e7fca37780d9640fcbd0229ae38eaa ]
+
+Although the "param" pointer occupies more or equal space compared
+to "*param", the allocation size should use the size of variable
+itself.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: bdcd81707973cf8a ("Add ath6kl cleaned up driver")
+Signed-off-by: Alexey V. Vissarionov
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230117110414.GC12547@altlinux.org
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath6kl/bmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/bmi.c b/drivers/net/wireless/ath/ath6kl/bmi.c
+index 334dbd834b3a6..8380ee76bdde7 100644
+--- a/drivers/net/wireless/ath/ath6kl/bmi.c
++++ b/drivers/net/wireless/ath/ath6kl/bmi.c
+@@ -246,7 +246,7 @@ int ath6kl_bmi_execute(struct ath6kl *ar, u32 addr, u32 *param)
+ return -EACCES;
+ }
+
+- size = sizeof(cid) + sizeof(addr) + sizeof(param);
++ size = sizeof(cid) + sizeof(addr) + sizeof(*param);
+ if (size > ar->bmi.max_cmd_size) {
+ WARN_ON(1);
+ return -EINVAL;
+--
+2.39.2
+
diff --git a/queue-4.14/wifi-ath6kl-reduce-warn-to-dev_dbg-in-callback.patch b/queue-4.14/wifi-ath6kl-reduce-warn-to-dev_dbg-in-callback.patch
new file mode 100644
index 00000000000..0a267f7dc29
--- /dev/null
+++ b/queue-4.14/wifi-ath6kl-reduce-warn-to-dev_dbg-in-callback.patch
@@ -0,0 +1,43 @@
+From e8b3f4cc2dae19f6c5cd7631a8e511151f0e5f0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Feb 2023 12:28:05 +0200
+Subject: wifi: ath6kl: reduce WARN to dev_dbg() in callback
+
+From: Fedor Pchelkin
+
+[ Upstream commit 75c4a8154cb6c7239fb55d5550f481f6765fb83c ]
+
+The warn is triggered on a known race condition, documented in the code above
+the test, that is correctly handled. Using WARN() hinders automated testing.
+Reducing severity.
+
+Fixes: de2070fc4aa7 ("ath6kl: Fix kernel panic on continuous driver load/unload")
+Reported-and-tested-by: syzbot+555908813b2ea35dae9a@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum
+Signed-off-by: Fedor Pchelkin
+Signed-off-by: Alexey Khoroshilov
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20230126182431.867984-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath6kl/htc_pipe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/htc_pipe.c b/drivers/net/wireless/ath/ath6kl/htc_pipe.c
+index 546243e117379..634cde696272c 100644
+--- a/drivers/net/wireless/ath/ath6kl/htc_pipe.c
++++ b/drivers/net/wireless/ath/ath6kl/htc_pipe.c
+@@ -969,8 +969,8 @@ static int ath6kl_htc_pipe_rx_complete(struct ath6kl *ar, struct sk_buff *skb,
+ * Thus the possibility of ar->htc_target being NULL
+ * via ath6kl_recv_complete -> ath6kl_usb_io_comp_work.
+ */
+- if (WARN_ON_ONCE(!target)) {
+- ath6kl_err("Target not yet initialized\n");
++ if (!target) {
++ ath6kl_dbg(ATH6KL_DBG_HTC, "Target not yet initialized\n");
+ status = -EINVAL;
+ goto free_skb;
+ }
+--
+2.39.2
+
diff --git a/queue-4.14/wifi-iwlwifi-make-the-loop-for-card-preparation-effe.patch b/queue-4.14/wifi-iwlwifi-make-the-loop-for-card-preparation-effe.patch
new file mode 100644
index 00000000000..e4966ccbca3
--- /dev/null
+++ b/queue-4.14/wifi-iwlwifi-make-the-loop-for-card-preparation-effe.patch
@@ -0,0 +1,50 @@
+From cd234b86dc1f219f23eb43d3ffdfbf138c780413 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 16 Apr 2023 15:47:38 +0300
+Subject: wifi: iwlwifi: make the loop for card preparation effective
+
+From: Emmanuel Grumbach
+
+[ Upstream commit 28965ec0b5d9112585f725660e2ff13218505ace ]
+
+Since we didn't reset t to 0, only the first iteration of the loop
+did checked the ready bit several times.
+From the second iteration and on, we just tested the bit once and
+continued to the next iteration.
+
+Reported-and-tested-by: Lorenzo Zolfanelli
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216452
+Fixes: 289e5501c314 ("iwlwifi: fix the preparation of the card")
+Signed-off-by: Emmanuel Grumbach
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20230416154301.615b683ab9c8.Ic52c3229d3345b0064fa34263293db095d88daf8@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+index 4d3cbe554f5bf..647ca6479a1e7 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -562,7 +562,6 @@ static int iwl_pcie_set_hw_ready(struct iwl_trans *trans)
+ int iwl_pcie_prepare_card_hw(struct iwl_trans *trans)
+ {
+ int ret;
+- int t = 0;
+ int iter;
+
+ IWL_DEBUG_INFO(trans, "iwl_trans_prepare_card_hw enter\n");
+@@ -577,6 +576,8 @@ int iwl_pcie_prepare_card_hw(struct iwl_trans *trans)
+ usleep_range(1000, 2000);
+
+ for (iter = 0; iter < 10; iter++) {
++ int t = 0;
++
+ /* If HW is not ready, prepare the conditions to check again */
+ iwl_set_bit(trans, CSR_HW_IF_CONFIG_REG,
+ CSR_HW_IF_CONFIG_REG_PREPARE);
+--
+2.39.2
+
diff --git a/queue-4.14/wifi-iwlwifi-mvm-check-firmware-response-size.patch b/queue-4.14/wifi-iwlwifi-mvm-check-firmware-response-size.patch
new file mode 100644
index 00000000000..b6cbc7dc58b
--- /dev/null
+++ b/queue-4.14/wifi-iwlwifi-mvm-check-firmware-response-size.patch
@@ -0,0 +1,53 @@
+From 2a4213feb83768845f48a7ade7d1b66beb485918 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 17 Apr 2023 11:41:33 +0300
+Subject: wifi: iwlwifi: mvm: check firmware response size
+
+From: Johannes Berg
+
+[ Upstream commit 13513cec93ac9902d0b896976d8bab3758a9881c ]
+
+Check the firmware response size for responses to the
+memory read/write command in debugfs before using it.
+
+Fixes: 2b55f43f8e47 ("iwlwifi: mvm: Add mem debugfs entry")
+Signed-off-by: Johannes Berg
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20230417113648.0d56fcaf68ee.I70e9571f3ed7263929b04f8fabad23c9b999e4ea@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
+index 714996187236e..7a830a9f702f7 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
+@@ -1721,6 +1721,11 @@ static ssize_t iwl_dbgfs_mem_read(struct file *file, char __user *user_buf,
+ if (ret < 0)
+ return ret;
+
++ if (iwl_rx_packet_payload_len(hcmd.resp_pkt) < sizeof(*rsp)) {
++ ret = -EIO;
++ goto out;
++ }
++
+ rsp = (void *)hcmd.resp_pkt->data;
+ if (le32_to_cpu(rsp->status) != DEBUG_MEM_STATUS_SUCCESS) {
+ ret = -ENXIO;
+@@ -1798,6 +1803,11 @@ static ssize_t iwl_dbgfs_mem_write(struct file *file,
+ if (ret < 0)
+ return ret;
+
++ if (iwl_rx_packet_payload_len(hcmd.resp_pkt) < sizeof(*rsp)) {
++ ret = -EIO;
++ goto out;
++ }
++
+ rsp = (void *)hcmd.resp_pkt->data;
+ if (rsp->status != DEBUG_MEM_STATUS_SUCCESS) {
+ ret = -ENXIO;
+--
+2.39.2
+
diff --git a/queue-4.14/x86-apic-fix-atomic-update-of-offset-in-reserve_eilv.patch b/queue-4.14/x86-apic-fix-atomic-update-of-offset-in-reserve_eilv.patch
new file mode 100644
index 00000000000..eaa5355d3cc
--- /dev/null
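Review bot: Both added checks, in `iwl_dbgfs_mem_read` and in `iwl_dbgfs_mem_write`, only establish that the payload covers the fixed `*rsp` header before `rsp` is dereferenced. Any length the firmware reports inside the response still has to be bounded against the payload where it is consumed; that code is outside these hunks and should be confirmed. I would also put a short comment on each check, e.g. `/* firmware response is untrusted: require the fixed header */`, so the reason for `-EIO` stays with the code. The four duplicated lines could become a small helper, but that is optional. Both functions start and end outside the hunks.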
+++ b/queue-4.14/x86-apic-fix-atomic-update-of-offset-in-reserve_eilv.patch
@@ -0,0 +1,49 @@
+From 34f7fd2ff978935732512b129738fcae2c35eb8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Feb 2023 17:09:17 +0100
+Subject: x86/apic: Fix atomic update of offset in reserve_eilvt_offset()
+
+From: Uros Bizjak
+
+[ Upstream commit f96fb2df3eb31ede1b34b0521560967310267750 ]
+
+The detection of atomic update failure in reserve_eilvt_offset() is
+not correct. The value returned by atomic_cmpxchg() should be compared
+to the old value from the location to be updated.
+
+If these two are the same, then atomic update succeeded and
+"eilvt_offsets[offset]" location is updated to "new" in an atomic way.
+
+Otherwise, the atomic update failed and it should be retried with the
+value from "eilvt_offsets[offset]" - exactly what atomic_try_cmpxchg()
+does in a correct and more optimal way.
+
+Fixes: a68c439b1966c ("apic, x86: Check if EILVT APIC registers are available (AMD only)")
+Signed-off-by: Uros Bizjak
+Signed-off-by: Borislav Petkov (AMD)
+Link: https://lore.kernel.org/r/20230227160917.107820-1-ubizjak@gmail.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/apic/apic.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index 488e0853a44df..c3a4eeabe7534 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -411,10 +411,9 @@ static unsigned int reserve_eilvt_offset(int offset, unsigned int new)
+ if (vector && !eilvt_entry_is_changeable(vector, new))
+ /* may not change if vectors are different */
+ return rsvd;
+- rsvd = atomic_cmpxchg(&eilvt_offsets[offset], rsvd, new);
+- } while (rsvd != new);
++ } while (!atomic_try_cmpxchg(&eilvt_offsets[offset], &rsvd, new));
+
+- rsvd &= ~APIC_EILVT_MASKED;
++ rsvd = new & ~APIC_EILVT_MASKED;
+ if (rsvd && rsvd != vector)
+ pr_info("LVT offset %d assigned for vector 0x%02x\n",
+ offset, rsvd);
+--
+2.39.2
+
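Review bot: The new loop condition in `reserve_eilvt_offset` depends on two properties of `atomic_try_cmpxchg()` that the code does not spell out: it returns true on success, and on failure it stores the value it found into `rsvd`. A comment above the `while`, such as `/* retry until the swap succeeds; on failure rsvd holds the current slot value */`, would make the retry readable without looking up the helper. The start of the `do` body is outside the hunk, so whether `rsvd` is also re-read there cannot be seen from here.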
diff --git a/queue-4.14/x86-ioapic-don-t-return-0-from-arch_dynirq_lower_bou.patch b/queue-4.14/x86-ioapic-don-t-return-0-from-arch_dynirq_lower_bou.patch
new file mode 100644
index 00000000000..d57caf0804d
--- /dev/null
+++ b/queue-4.14/x86-ioapic-don-t-return-0-from-arch_dynirq_lower_bou.patch
@@ -0,0 +1,72 @@
+From 3d885d1dec96d5ca4722368c406d91865c8e817e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Mar 2023 00:30:04 -0700
+Subject: x86/ioapic: Don't return 0 from arch_dynirq_lower_bound()
+
+From: Saurabh Sengar
+
+[ Upstream commit 5af507bef93c09a94fb8f058213b489178f4cbe5 ]
+
+arch_dynirq_lower_bound() is invoked by the core interrupt code to
+retrieve the lowest possible Linux interrupt number for dynamically
+allocated interrupts like MSI.
+
+The x86 implementation uses this to exclude the IO/APIC GSI space.
+This works correctly as long as there is an IO/APIC registered, but
+returns 0 if not. This has been observed in VMs where the BIOS does
+not advertise an IO/APIC.
+
+0 is an invalid interrupt number except for the legacy timer interrupt
+on x86. The return value is unchecked in the core code, so it ends up
+to allocate interrupt number 0 which is subsequently considered to be
+invalid by the caller, e.g. the MSI allocation code.
+
+The function has already a check for 0 in the case that an IO/APIC is
+registered, as ioapic_dynirq_base is 0 in case of device tree setups.
+
+Consolidate this and zero check for both ioapic_dynirq_base and gsi_top,
+which is used in the case that no IO/APIC is registered.
+
+Fixes: 3e5bedc2c258 ("x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines")
+Signed-off-by: Saurabh Sengar
+Signed-off-by: Thomas Gleixner
+Link: https://lore.kernel.org/r/1679988604-20308-1-git-send-email-ssengar@linux.microsoft.com
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kernel/apic/io_apic.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
+index de74bca6a8ff6..1cceb30357aaf 100644
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -2357,17 +2357,21 @@ static int io_apic_get_redir_entries(int ioapic)
+
+ unsigned int arch_dynirq_lower_bound(unsigned int from)
+ {
++ unsigned int ret;
++
+ /*
+ * dmar_alloc_hwirq() may be called before setup_IO_APIC(), so use
+ * gsi_top if ioapic_dynirq_base hasn't been initialized yet.
+ */
+- if (!ioapic_initialized)
+- return gsi_top;
++ ret = ioapic_dynirq_base ? : gsi_top;
++
+ /*
+- * For DT enabled machines ioapic_dynirq_base is irrelevant and not
+- * updated. So simply return @from if ioapic_dynirq_base == 0.
++ * For DT enabled machines ioapic_dynirq_base is irrelevant and
++ * always 0. gsi_top can be 0 if there is no IO/APIC registered.
++ * 0 is an invalid interrupt number for dynamic allocations. Return
++ * @from instead.
+ */
+- return ioapic_dynirq_base ? : from;
++ return ret ? : from;
+ }
+
+ #ifdef CONFIG_X86_32
+--
+2.39.2
+
--
2.47.3
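Review bot: `arch_dynirq_lower_bound()` can still return 0: when `ioapic_dynirq_base` and `gsi_top` are both 0, `return ret ? : from;` hands back `from` unchanged, and nothing here rejects `from == 0`. Whether any caller passes 0 is not visible in this hunk, so I would at least state the assumption in the second comment, e.g. `* Callers are expected to pass a non-zero @from.`, or confirm it against the core IRQ code. The commit message notes that the core code does not check the return value, which is why the contract is worth writing down.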