From 82f3fb4c39d63fe8f08ef7f9127cd57ddae5e776 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 10 Sep 2022 08:37:38 +0200 Subject: [PATCH] 5.15-stable patches added patches: drm-i915-implement-waedplinkratedatareload.patch nvmet-fix-a-use-after-free.patch scsi-lpfc-add-missing-destroy_workqueue-in-error-path.patch scsi-mpt3sas-fix-use-after-free-warning.patch --- ...15-implement-waedplinkratedatareload.patch | 90 +++++++++++++++++++ queue-5.15/nvmet-fix-a-use-after-free.patch | 63 +++++++++++++ ...sing-destroy_workqueue-in-error-path.patch | 43 +++++++++ ...i-mpt3sas-fix-use-after-free-warning.patch | 41 +++++++++ queue-5.15/series | 4 + 5 files changed, 241 insertions(+) create mode 100644 queue-5.15/drm-i915-implement-waedplinkratedatareload.patch create mode 100644 queue-5.15/nvmet-fix-a-use-after-free.patch create mode 100644 queue-5.15/scsi-lpfc-add-missing-destroy_workqueue-in-error-path.patch create mode 100644 queue-5.15/scsi-mpt3sas-fix-use-after-free-warning.patch diff --git a/queue-5.15/drm-i915-implement-waedplinkratedatareload.patch b/queue-5.15/drm-i915-implement-waedplinkratedatareload.patch new file mode 100644 index 00000000000..0d323923a5d --- /dev/null +++ b/queue-5.15/drm-i915-implement-waedplinkratedatareload.patch @@ -0,0 +1,90 @@ +From 672d6ca758651f0ec12cd0d59787067a5bde1c96 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Fri, 2 Sep 2022 10:03:18 +0300 +Subject: drm/i915: Implement WaEdpLinkRateDataReload +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 672d6ca758651f0ec12cd0d59787067a5bde1c96 upstream. + +A lot of modern laptops use the Parade PS8461E MUX for eDP +switching. The MUX can operate in jitter cleaning mode or +redriver mode, the first one resulting in higher link +quality. The jitter cleaning mode needs to know the link +rate used and the MUX achieves this by snooping the +LINK_BW_SET, LINK_RATE_SELECT and SUPPORTED_LINK_RATES +DPCD accesses. + +When the MUX is powered down (seems this can happen whenever +the display is turned off) it loses track of the snooped +link rates so when we do the LINK_RATE_SELECT write it no +longer knowns which link rate we're selecting, and thus it +falls back to the lower quality redriver mode. This results +in unstable high link rates (eg. usually 8.1Gbps link rate +no longer works correctly). + +In order to avoid all that let's re-snoop SUPPORTED_LINK_RATES +from the sink at the start of every link training. + +Unfortunately we don't have a way to detect the presence of +the MUX. It looks like the set of laptops equipped with this +MUX is fairly large and contains devices from multiple +manufacturers. It may also still be growing with new models. +So a quirk doesn't seem like a very easily maintainable +option, thus we shall attempt to do this unconditionally on +all machines that use LINK_RATE_SELECT. Hopefully this extra +DPCD read doesn't cause issues for any unaffected machine. +If that turns out to be the case we'll need to convert this +into a quirk in the future. + +Cc: stable@vger.kernel.org +Cc: Jason A. Donenfeld +Cc: Ankit Nautiyal +Cc: Jani Nikula +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/6205 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220902070319.15395-1-ville.syrjala@linux.intel.com +Tested-by: Aaron Ma +Tested-by: Jason A. Donenfeld +Reviewed-by: Jani Nikula +(cherry picked from commit 25899c590cb5ba9b9f284c6ca8e7e9086793d641) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_dp_link_training.c | 22 ++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_dp_link_training.c ++++ b/drivers/gpu/drm/i915/display/intel_dp_link_training.c +@@ -475,6 +475,28 @@ intel_dp_prepare_link_train(struct intel + intel_dp_compute_rate(intel_dp, crtc_state->port_clock, + &link_bw, &rate_select); + ++ /* ++ * WaEdpLinkRateDataReload ++ * ++ * Parade PS8461E MUX (used on varius TGL+ laptops) needs ++ * to snoop the link rates reported by the sink when we ++ * use LINK_RATE_SET in order to operate in jitter cleaning ++ * mode (as opposed to redriver mode). Unfortunately it ++ * loses track of the snooped link rates when powered down, ++ * so we need to make it re-snoop often. Without this high ++ * link rates are not stable. ++ */ ++ if (!link_bw) { ++ struct intel_connector *connector = intel_dp->attached_connector; ++ __le16 sink_rates[DP_MAX_SUPPORTED_RATES]; ++ ++ drm_dbg_kms(&i915->drm, "[CONNECTOR:%d:%s] Reloading eDP link rates\n", ++ connector->base.base.id, connector->base.name); ++ ++ drm_dp_dpcd_read(&intel_dp->aux, DP_SUPPORTED_LINK_RATES, ++ sink_rates, sizeof(sink_rates)); ++ } ++ + if (link_bw) + drm_dbg_kms(&i915->drm, + "Using LINK_BW_SET value %02x\n", link_bw); diff --git a/queue-5.15/nvmet-fix-a-use-after-free.patch b/queue-5.15/nvmet-fix-a-use-after-free.patch new file mode 100644 index 00000000000..aa9b37b83a0 --- /dev/null +++ b/queue-5.15/nvmet-fix-a-use-after-free.patch @@ -0,0 +1,63 @@ +From 6a02a61e81c231cc5c680c5dbf8665275147ac52 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Fri, 12 Aug 2022 14:03:17 -0700 +Subject: nvmet: fix a use-after-free + +From: Bart Van Assche + +commit 6a02a61e81c231cc5c680c5dbf8665275147ac52 upstream. + +Fix the following use-after-free complaint triggered by blktests nvme/004: + +BUG: KASAN: user-memory-access in blk_mq_complete_request_remote+0xac/0x350 +Read of size 4 at addr 0000607bd1835943 by task kworker/13:1/460 +Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop] +Call Trace: + show_stack+0x52/0x58 + dump_stack_lvl+0x49/0x5e + print_report.cold+0x36/0x1e2 + kasan_report+0xb9/0xf0 + __asan_load4+0x6b/0x80 + blk_mq_complete_request_remote+0xac/0x350 + nvme_loop_queue_response+0x1df/0x275 [nvme_loop] + __nvmet_req_complete+0x132/0x4f0 [nvmet] + nvmet_req_complete+0x15/0x40 [nvmet] + nvmet_execute_io_connect+0x18a/0x1f0 [nvmet] + nvme_loop_execute_work+0x20/0x30 [nvme_loop] + process_one_work+0x56e/0xa70 + worker_thread+0x2d1/0x640 + kthread+0x183/0x1c0 + ret_from_fork+0x1f/0x30 + +Cc: stable@vger.kernel.org +Fixes: a07b4970f464 ("nvmet: add a generic NVMe target") +Signed-off-by: Bart Van Assche +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -736,6 +736,8 @@ static void nvmet_set_error(struct nvmet + + static void __nvmet_req_complete(struct nvmet_req *req, u16 status) + { ++ struct nvmet_ns *ns = req->ns; ++ + if (!req->sq->sqhd_disabled) + nvmet_update_sq_head(req); + req->cqe->sq_id = cpu_to_le16(req->sq->qid); +@@ -746,9 +748,9 @@ static void __nvmet_req_complete(struct + + trace_nvmet_req_complete(req); + +- if (req->ns) +- nvmet_put_namespace(req->ns); + req->ops->queue_response(req); ++ if (ns) ++ nvmet_put_namespace(ns); + } + + void nvmet_req_complete(struct nvmet_req *req, u16 status) diff --git a/queue-5.15/scsi-lpfc-add-missing-destroy_workqueue-in-error-path.patch b/queue-5.15/scsi-lpfc-add-missing-destroy_workqueue-in-error-path.patch new file mode 100644 index 00000000000..73860f1917f --- /dev/null +++ b/queue-5.15/scsi-lpfc-add-missing-destroy_workqueue-in-error-path.patch @@ -0,0 +1,43 @@ +From da6d507f5ff328f346b3c50e19e19993027b8ffd Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Tue, 23 Aug 2022 12:42:37 +0800 +Subject: scsi: lpfc: Add missing destroy_workqueue() in error path + +From: Yang Yingliang + +commit da6d507f5ff328f346b3c50e19e19993027b8ffd upstream. + +Add the missing destroy_workqueue() before return from +lpfc_sli4_driver_resource_setup() in the error path. + +Link: https://lore.kernel.org/r/20220823044237.285643-1-yangyingliang@huawei.com +Fixes: 3cee98db2610 ("scsi: lpfc: Fix crash on driver unload in wq free") +Reviewed-by: James Smart +Signed-off-by: Yang Yingliang +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_init.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -7893,7 +7893,7 @@ lpfc_sli4_driver_resource_setup(struct l + /* Allocate device driver memory */ + rc = lpfc_mem_alloc(phba, SGL_ALIGN_SZ); + if (rc) +- return -ENOMEM; ++ goto out_destroy_workqueue; + + /* IF Type 2 ports get initialized now. */ + if (bf_get(lpfc_sli_intf_if_type, &phba->sli4_hba.sli_intf) >= +@@ -8309,6 +8309,9 @@ out_free_bsmbx: + lpfc_destroy_bootstrap_mbox(phba); + out_free_mem: + lpfc_mem_free(phba); ++out_destroy_workqueue: ++ destroy_workqueue(phba->wq); ++ phba->wq = NULL; + return rc; + } + diff --git a/queue-5.15/scsi-mpt3sas-fix-use-after-free-warning.patch b/queue-5.15/scsi-mpt3sas-fix-use-after-free-warning.patch new file mode 100644 index 00000000000..db6ebf40e9c --- /dev/null +++ b/queue-5.15/scsi-mpt3sas-fix-use-after-free-warning.patch @@ -0,0 +1,41 @@ +From 991df3dd5144f2e6b1c38b8d20ed3d4d21e20b34 Mon Sep 17 00:00:00 2001 +From: Sreekanth Reddy +Date: Tue, 6 Sep 2022 19:19:08 +0530 +Subject: scsi: mpt3sas: Fix use-after-free warning + +From: Sreekanth Reddy + +commit 991df3dd5144f2e6b1c38b8d20ed3d4d21e20b34 upstream. + +Fix the following use-after-free warning which is observed during +controller reset: + +refcount_t: underflow; use-after-free. +WARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0 + +Link: https://lore.kernel.org/r/20220906134908.1039-2-sreekanth.reddy@broadcom.com +Signed-off-by: Sreekanth Reddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -3670,6 +3670,7 @@ static struct fw_event_work *dequeue_nex + fw_event = list_first_entry(&ioc->fw_event_list, + struct fw_event_work, list); + list_del_init(&fw_event->list); ++ fw_event_work_put(fw_event); + } + spin_unlock_irqrestore(&ioc->fw_event_lock, flags); + +@@ -3751,7 +3752,6 @@ _scsih_fw_event_cleanup_queue(struct MPT + if (cancel_work_sync(&fw_event->work)) + fw_event_work_put(fw_event); + +- fw_event_work_put(fw_event); + } + ioc->fw_events_cleanup = 0; + } diff --git a/queue-5.15/series b/queue-5.15/series index 0ce96597ef6..0bf0d7eb766 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -36,3 +36,7 @@ kprobes-prohibit-probes-in-gate-area.patch debugfs-add-debugfs_lookup_and_remove.patch sched-debug-fix-dentry-leak-in-update_sched_domain_debugfs.patch drm-amd-display-fix-memory-leak-when-using-debugfs_lookup.patch +nvmet-fix-a-use-after-free.patch +drm-i915-implement-waedplinkratedatareload.patch +scsi-mpt3sas-fix-use-after-free-warning.patch +scsi-lpfc-add-missing-destroy_workqueue-in-error-path.patch -- 2.47.3