From b5b3ac0bb65b2fbc9e5677d9d114fbc2b51319ce Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 5 Sep 2022 08:52:11 -0400 Subject: [PATCH] Fixes for 4.19 Signed-off-by: Sasha Levin --- ...number-of-regulators-for-msm8996_dsi.patch | 39 ++++++++ ...m-dsi-fix-the-inconsistent-indenting.patch | 43 +++++++++ ...fix-sleep-in-atomic-context-bug-in-n.patch | 57 +++++++++++ ...adf7242-defer-destroy_workqueue-call.patch | 60 ++++++++++++ .../kcm-fix-strp_init-order-and-cleanup.patch | 74 +++++++++++++++ ...c-remove-redundant-refcount-increase.patch | 37 ++++++++ ...-pmc_atom-fix-slp_typx-bitfield-mask.patch | 67 +++++++++++++ ...return-__net_xmit_stolen-when-consum.patch | 54 +++++++++++ ...xhci-turn-off-port-power-in-shutdown.patch | 94 +++++++++++++++++++ ...__net_xmit_stolen-when-consuming-enq.patch | 61 ++++++++++++ queue-4.19/series | 12 +++ ...data-race-around-challenge_timestamp.patch | 47 ++++++++++ ...bugfs-fix-return-type-in-ht40allow_m.patch | 41 ++++++++ 13 files changed, 686 insertions(+) create mode 100644 queue-4.19/drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch create mode 100644 queue-4.19/drm-msm-dsi-fix-the-inconsistent-indenting.patch create mode 100644 queue-4.19/ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch create mode 100644 queue-4.19/ieee802154-adf7242-defer-destroy_workqueue-call.patch create mode 100644 queue-4.19/kcm-fix-strp_init-order-and-cleanup.patch create mode 100644 queue-4.19/net-smc-remove-redundant-refcount-increase.patch create mode 100644 queue-4.19/platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch create mode 100644 queue-4.19/revert-sch_cake-return-__net_xmit_stolen-when-consum.patch create mode 100644 queue-4.19/revert-xhci-turn-off-port-power-in-shutdown.patch create mode 100644 queue-4.19/sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch create mode 100644 queue-4.19/series create mode 100644 queue-4.19/tcp-annotate-data-race-around-challenge_timestamp.patch create mode 100644 queue-4.19/wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch diff --git a/queue-4.19/drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch b/queue-4.19/drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch new file mode 100644 index 00000000000..1432df3025a --- /dev/null +++ b/queue-4.19/drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch @@ -0,0 +1,39 @@ +From 7a23e8bb3a5aabf562d5323f56932a40a24f7abe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 07:38:48 -0700 +Subject: drm/msm/dsi: Fix number of regulators for msm8996_dsi_cfg + +From: Douglas Anderson + +[ Upstream commit 1e00d6ac8a3422765bae37aeac2002dfd3c0bda6 ] + +3 regulators are listed but the number 2 is specified. Fix it. + +Fixes: 3a3ff88a0fc1 ("drm/msm/dsi: Add 8x96 info in dsi_cfg") +Signed-off-by: Douglas Anderson +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/496318/ +Link: https://lore.kernel.org/r/20220804073608.v4.1.I1056ee3f77f71287f333279efe4c85f88d403f65@changeid +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_cfg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_cfg.c b/drivers/gpu/drm/msm/dsi/dsi_cfg.c +index dcdfb1bb54f98..ad9d693e11da7 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_cfg.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_cfg.c +@@ -105,7 +105,7 @@ static const char * const dsi_8996_bus_clk_names[] = { + static const struct msm_dsi_config msm8996_dsi_cfg = { + .io_offset = DSI_6G_REG_SHIFT, + .reg_cfg = { +- .num = 2, ++ .num = 3, + .regs = { + {"vdda", 18160, 1 }, /* 1.25 V */ + {"vcca", 17000, 32 }, /* 0.925 V */ +-- +2.35.1 + diff --git a/queue-4.19/drm-msm-dsi-fix-the-inconsistent-indenting.patch b/queue-4.19/drm-msm-dsi-fix-the-inconsistent-indenting.patch new file mode 100644 index 00000000000..c9bd74d74d0 --- /dev/null +++ b/queue-4.19/drm-msm-dsi-fix-the-inconsistent-indenting.patch @@ -0,0 +1,43 @@ +From 0d1a1119afc4ab18a3cfdef6d37b5bec0a54ad99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 09:56:22 +0800 +Subject: drm/msm/dsi: fix the inconsistent indenting + +From: sunliming + +[ Upstream commit 2f25a1fb4ec516c5ad67afd754334b491b9f09a5 ] + +Fix the inconsistent indenting in function msm_dsi_dphy_timing_calc_v3(). + +Fix the following smatch warnings: + +drivers/gpu/drm/msm/dsi/phy/dsi_phy.c:350 msm_dsi_dphy_timing_calc_v3() warn: inconsistent indenting + +Fixes: f1fa7ff44056 ("drm/msm/dsi: implement auto PHY timing calculator for 10nm PHY") +Reported-by: kernel test robot +Signed-off-by: sunliming +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/494662/ +Link: https://lore.kernel.org/r/20220719015622.646718-1-sunliming@kylinos.cn +Signed-off-by: Abhinav Kumar +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c +index f01e245cd0eee..bed0cd72e3ebd 100644 +--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c ++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c +@@ -355,7 +355,7 @@ int msm_dsi_dphy_timing_calc_v3(struct msm_dsi_dphy_timing *timing, + } else { + timing->shared_timings.clk_pre = + linear_inter(tmax, tmin, pcnt2, 0, false); +- timing->shared_timings.clk_pre_inc_by_2 = 0; ++ timing->shared_timings.clk_pre_inc_by_2 = 0; + } + + timing->ta_go = 3; +-- +2.35.1 + diff --git a/queue-4.19/ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch b/queue-4.19/ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch new file mode 100644 index 00000000000..2a971a1cc03 --- /dev/null +++ b/queue-4.19/ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch @@ -0,0 +1,57 @@ +From b9181c6697e0191a94ad02def1ea54507fe2e56c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Aug 2022 23:38:15 +0800 +Subject: ethernet: rocker: fix sleep in atomic context bug in + neigh_timer_handler + +From: Duoming Zhou + +[ Upstream commit c0955bf957be4bead01fae1d791476260da7325d ] + +The function neigh_timer_handler() is a timer handler that runs in an +atomic context. When used by rocker, neigh_timer_handler() calls +"kzalloc(.., GFP_KERNEL)" that may sleep. As a result, the sleep in +atomic context bug will happen. One of the processes is shown below: + +ofdpa_fib4_add() + ... + neigh_add_timer() + +(wait a timer) + +neigh_timer_handler() + neigh_release() + neigh_destroy() + rocker_port_neigh_destroy() + rocker_world_port_neigh_destroy() + ofdpa_port_neigh_destroy() + ofdpa_port_ipv4_neigh() + kzalloc(sizeof(.., GFP_KERNEL) //may sleep + +This patch changes the gfp_t parameter of kzalloc() from GFP_KERNEL to +GFP_ATOMIC in order to mitigate the bug. + +Fixes: 00fc0c51e35b ("rocker: Change world_ops API and implementation to be switchdev independant") +Signed-off-by: Duoming Zhou +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/rocker/rocker_ofdpa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/rocker/rocker_ofdpa.c b/drivers/net/ethernet/rocker/rocker_ofdpa.c +index 6473cc68c2d5c..4039e1fc6e92a 100644 +--- a/drivers/net/ethernet/rocker/rocker_ofdpa.c ++++ b/drivers/net/ethernet/rocker/rocker_ofdpa.c +@@ -1276,7 +1276,7 @@ static int ofdpa_port_ipv4_neigh(struct ofdpa_port *ofdpa_port, + bool removing; + int err = 0; + +- entry = kzalloc(sizeof(*entry), GFP_KERNEL); ++ entry = kzalloc(sizeof(*entry), GFP_ATOMIC); + if (!entry) + return -ENOMEM; + +-- +2.35.1 + diff --git a/queue-4.19/ieee802154-adf7242-defer-destroy_workqueue-call.patch b/queue-4.19/ieee802154-adf7242-defer-destroy_workqueue-call.patch new file mode 100644 index 00000000000..ac6ed16990a --- /dev/null +++ b/queue-4.19/ieee802154-adf7242-defer-destroy_workqueue-call.patch @@ -0,0 +1,60 @@ +From 47fb33c06a099ccc2248d47d860e745c6626ee82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 11:42:24 +0800 +Subject: ieee802154/adf7242: defer destroy_workqueue call + +From: Lin Ma + +[ Upstream commit afe7116f6d3b888778ed6d95e3cf724767b9aedf ] + +There is a possible race condition (use-after-free) like below + + (FREE) | (USE) + adf7242_remove | adf7242_channel + cancel_delayed_work_sync | + destroy_workqueue (1) | adf7242_cmd_rx + | mod_delayed_work (2) + | + +The root cause for this race is that the upper layer (ieee802154) is +unaware of this detaching event and the function adf7242_channel can +be called without any checks. + +To fix this, we can add a flag write at the beginning of adf7242_remove +and add flag check in adf7242_channel. Or we can just defer the +destructive operation like other commit 3e0588c291d6 ("hamradio: defer +ax25 kfree after unregister_netdev") which let the +ieee802154_unregister_hw() to handle the synchronization. This patch +takes the second option. + +Fixes: 58e9683d1475 ("net: ieee802154: adf7242: Fix OCL calibration +runs") +Signed-off-by: Lin Ma +Acked-by: Michael Hennerich +Link: https://lore.kernel.org/r/20220808034224.12642-1-linma@zju.edu.cn +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + drivers/net/ieee802154/adf7242.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c +index a686926bba71e..6ef5523f4e717 100644 +--- a/drivers/net/ieee802154/adf7242.c ++++ b/drivers/net/ieee802154/adf7242.c +@@ -1318,10 +1318,11 @@ static int adf7242_remove(struct spi_device *spi) + + debugfs_remove_recursive(lp->debugfs_root); + ++ ieee802154_unregister_hw(lp->hw); ++ + cancel_delayed_work_sync(&lp->work); + destroy_workqueue(lp->wqueue); + +- ieee802154_unregister_hw(lp->hw); + mutex_destroy(&lp->bmux); + ieee802154_free_hw(lp->hw); + +-- +2.35.1 + diff --git a/queue-4.19/kcm-fix-strp_init-order-and-cleanup.patch b/queue-4.19/kcm-fix-strp_init-order-and-cleanup.patch new file mode 100644 index 00000000000..c96aae7b708 --- /dev/null +++ b/queue-4.19/kcm-fix-strp_init-order-and-cleanup.patch @@ -0,0 +1,74 @@ +From b8bb1c3acd38a8ecfb5f0db80ccd500c2ddfaab3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Aug 2022 11:13:14 -0700 +Subject: kcm: fix strp_init() order and cleanup + +From: Cong Wang + +[ Upstream commit 8fc29ff3910f3af08a7c40a75d436b5720efe2bf ] + +strp_init() is called just a few lines above this csk->sk_user_data +check, it also initializes strp->work etc., therefore, it is +unnecessary to call strp_done() to cancel the freshly initialized +work. + +And if sk_user_data is already used by KCM, psock->strp should not be +touched, particularly strp->work state, so we need to move strp_init() +after the csk->sk_user_data check. + +This also makes a lockdep warning reported by syzbot go away. + +Reported-and-tested-by: syzbot+9fc084a4348493ef65d2@syzkaller.appspotmail.com +Reported-by: syzbot+e696806ef96cdd2d87cd@syzkaller.appspotmail.com +Fixes: e5571240236c ("kcm: Check if sk_user_data already set in kcm_attach") +Fixes: dff8baa26117 ("kcm: Call strp_stop before strp_done in kcm_attach") +Cc: Tom Herbert +Signed-off-by: Cong Wang +Link: https://lore.kernel.org/r/20220827181314.193710-1-xiyou.wangcong@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/kcm/kcmsock.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c +index b919db02c7f9e..ef2543a4c1fc5 100644 +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -1412,12 +1412,6 @@ static int kcm_attach(struct socket *sock, struct socket *csock, + psock->sk = csk; + psock->bpf_prog = prog; + +- err = strp_init(&psock->strp, csk, &cb); +- if (err) { +- kmem_cache_free(kcm_psockp, psock); +- goto out; +- } +- + write_lock_bh(&csk->sk_callback_lock); + + /* Check if sk_user_data is aready by KCM or someone else. +@@ -1425,13 +1419,18 @@ static int kcm_attach(struct socket *sock, struct socket *csock, + */ + if (csk->sk_user_data) { + write_unlock_bh(&csk->sk_callback_lock); +- strp_stop(&psock->strp); +- strp_done(&psock->strp); + kmem_cache_free(kcm_psockp, psock); + err = -EALREADY; + goto out; + } + ++ err = strp_init(&psock->strp, csk, &cb); ++ if (err) { ++ write_unlock_bh(&csk->sk_callback_lock); ++ kmem_cache_free(kcm_psockp, psock); ++ goto out; ++ } ++ + psock->save_data_ready = csk->sk_data_ready; + psock->save_write_space = csk->sk_write_space; + psock->save_state_change = csk->sk_state_change; +-- +2.35.1 + diff --git a/queue-4.19/net-smc-remove-redundant-refcount-increase.patch b/queue-4.19/net-smc-remove-redundant-refcount-increase.patch new file mode 100644 index 00000000000..c93e62814ba --- /dev/null +++ b/queue-4.19/net-smc-remove-redundant-refcount-increase.patch @@ -0,0 +1,37 @@ +From deecd4171b3f9e196e109254f0cbc68ec135dc28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 23:23:14 +0800 +Subject: net/smc: Remove redundant refcount increase + +From: Yacan Liu + +[ Upstream commit a8424a9b4522a3ab9f32175ad6d848739079071f ] + +For passive connections, the refcount increment has been done in +smc_clcsock_accept()-->smc_sock_alloc(). + +Fixes: 3b2dec2603d5 ("net/smc: restructure client and server code in af_smc") +Signed-off-by: Yacan Liu +Reviewed-by: Tony Lu +Link: https://lore.kernel.org/r/20220830152314.838736-1-liuyacan@corp.netease.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 4c904ab29e0e6..dcd00b514c3f9 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -1031,7 +1031,6 @@ static void smc_listen_out_connected(struct smc_sock *new_smc) + { + struct sock *newsmcsk = &new_smc->sk; + +- sk_refcnt_debug_inc(newsmcsk); + if (newsmcsk->sk_state == SMC_INIT) + newsmcsk->sk_state = SMC_ACTIVE; + +-- +2.35.1 + diff --git a/queue-4.19/platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch b/queue-4.19/platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch new file mode 100644 index 00000000000..7f852780834 --- /dev/null +++ b/queue-4.19/platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch @@ -0,0 +1,67 @@ +From 6cd18f8c1cdb4278543555381c7ca86750c5f9cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 14:37:31 +0300 +Subject: platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask + +From: Andy Shevchenko + +[ Upstream commit 0a90ed8d0cfa29735a221eba14d9cb6c735d35b6 ] + +On Intel hardware the SLP_TYPx bitfield occupies bits 10-12 as per ACPI +specification (see Table 4.13 "PM1 Control Registers Fixed Hardware +Feature Control Bits" for the details). + +Fix the mask and other related definitions accordingly. + +Fixes: 93e5eadd1f6e ("x86/platform: New Intel Atom SOC power management controller driver") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220801113734.36131-1-andriy.shevchenko@linux.intel.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/pmc_atom.c | 2 +- + include/linux/platform_data/x86/pmc_atom.h | 6 ++++-- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c +index 682fc49d172cb..e8440850b73ac 100644 +--- a/drivers/platform/x86/pmc_atom.c ++++ b/drivers/platform/x86/pmc_atom.c +@@ -253,7 +253,7 @@ static void pmc_power_off(void) + pm1_cnt_port = acpi_base_addr + PM1_CNT; + + pm1_cnt_value = inl(pm1_cnt_port); +- pm1_cnt_value &= SLEEP_TYPE_MASK; ++ pm1_cnt_value &= ~SLEEP_TYPE_MASK; + pm1_cnt_value |= SLEEP_TYPE_S5; + pm1_cnt_value |= SLEEP_ENABLE; + +diff --git a/include/linux/platform_data/x86/pmc_atom.h b/include/linux/platform_data/x86/pmc_atom.h +index e4905fe69c381..e4cfcb6f16633 100644 +--- a/include/linux/platform_data/x86/pmc_atom.h ++++ b/include/linux/platform_data/x86/pmc_atom.h +@@ -16,6 +16,8 @@ + #ifndef PMC_ATOM_H + #define PMC_ATOM_H + ++#include ++ + /* ValleyView Power Control Unit PCI Device ID */ + #define PCI_DEVICE_ID_VLV_PMC 0x0F1C + /* CherryTrail Power Control Unit PCI Device ID */ +@@ -148,9 +150,9 @@ + #define ACPI_MMIO_REG_LEN 0x100 + + #define PM1_CNT 0x4 +-#define SLEEP_TYPE_MASK 0xFFFFECFF ++#define SLEEP_TYPE_MASK GENMASK(12, 10) + #define SLEEP_TYPE_S5 0x1C00 +-#define SLEEP_ENABLE 0x2000 ++#define SLEEP_ENABLE BIT(13) + + extern int pmc_atom_read(int offset, u32 *value); + extern int pmc_atom_write(int offset, u32 value); +-- +2.35.1 + diff --git a/queue-4.19/revert-sch_cake-return-__net_xmit_stolen-when-consum.patch b/queue-4.19/revert-sch_cake-return-__net_xmit_stolen-when-consum.patch new file mode 100644 index 00000000000..f0702be7a3b --- /dev/null +++ b/queue-4.19/revert-sch_cake-return-__net_xmit_stolen-when-consum.patch @@ -0,0 +1,54 @@ +From 0a33ee65ab61930655792e55b15a7d6130a6b274 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 20:01:32 -0700 +Subject: Revert "sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued + skb" + +From: Jakub Kicinski + +[ Upstream commit 0b4f688d53fdc2a731b9d9cdf0c96255bc024ea6 ] + +This reverts commit 90fabae8a2c225c4e4936723c38857887edde5cc. + +Patch was applied hastily, revert and let the v2 be reviewed. + +Fixes: 90fabae8a2c2 ("sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb") +Link: https://lore.kernel.org/all/87wnao2ha3.fsf@toke.dk/ +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_cake.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c +index c0a6947545280..18c207b85d513 100644 +--- a/net/sched/sch_cake.c ++++ b/net/sched/sch_cake.c +@@ -1666,7 +1666,6 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + } + idx--; + flow = &b->flows[idx]; +- ret = NET_XMIT_SUCCESS; + + /* ensure shaper state isn't stale */ + if (!b->tin_backlog) { +@@ -1727,7 +1726,6 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + + qdisc_tree_reduce_backlog(sch, 1-numsegs, len-slen); + consume_skb(skb); +- ret |= __NET_XMIT_STOLEN; + } else { + /* not splitting */ + cobalt_set_enqueue_time(skb, now); +@@ -1851,7 +1849,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + } + b->drop_overlimit += dropped; + } +- return ret; ++ return NET_XMIT_SUCCESS; + } + + static struct sk_buff *cake_dequeue_one(struct Qdisc *sch) +-- +2.35.1 + diff --git a/queue-4.19/revert-xhci-turn-off-port-power-in-shutdown.patch b/queue-4.19/revert-xhci-turn-off-port-power-in-shutdown.patch new file mode 100644 index 00000000000..62e37d47755 --- /dev/null +++ b/queue-4.19/revert-xhci-turn-off-port-power-in-shutdown.patch @@ -0,0 +1,94 @@ +From 58dab5e5a63194211443afe05c45a3b7fa1c4138 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 18:08:40 +0300 +Subject: Revert "xhci: turn off port power in shutdown" + +From: Mathias Nyman + +[ Upstream commit 8531aa1659f7278d4f2ec7408cc000eaa8d85217 ] + +This reverts commit 83810f84ecf11dfc5a9414a8b762c3501b328185. + +Turning off port power in shutdown did cause issues such as a laptop not +proprly powering off, and some specific usb devies failing to enumerate the +subsequent boot after a warm reset. + +So revert this. + +Fixes: 83810f84ecf1 ("xhci: turn off port power in shutdown") +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20220825150840.132216-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-hub.c | 2 +- + drivers/usb/host/xhci.c | 15 ++------------- + drivers/usb/host/xhci.h | 2 -- + 3 files changed, 3 insertions(+), 16 deletions(-) + +diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c +index e40370ed7d8a5..1bb48e53449e6 100644 +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -565,7 +565,7 @@ struct xhci_hub *xhci_get_rhub(struct usb_hcd *hcd) + * It will release and re-aquire the lock while calling ACPI + * method. + */ +-void xhci_set_port_power(struct xhci_hcd *xhci, struct usb_hcd *hcd, ++static void xhci_set_port_power(struct xhci_hcd *xhci, struct usb_hcd *hcd, + u16 index, bool on, unsigned long *flags) + { + struct xhci_hub *rhub; +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 677587479d260..a9e72fee87a77 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -774,8 +774,6 @@ static void xhci_stop(struct usb_hcd *hcd) + void xhci_shutdown(struct usb_hcd *hcd) + { + struct xhci_hcd *xhci = hcd_to_xhci(hcd); +- unsigned long flags; +- int i; + + if (xhci->quirks & XHCI_SPURIOUS_REBOOT) + usb_disable_xhci_ports(to_pci_dev(hcd->self.sysdev)); +@@ -791,21 +789,12 @@ void xhci_shutdown(struct usb_hcd *hcd) + del_timer_sync(&xhci->shared_hcd->rh_timer); + } + +- spin_lock_irqsave(&xhci->lock, flags); ++ spin_lock_irq(&xhci->lock); + xhci_halt(xhci); +- +- /* Power off USB2 ports*/ +- for (i = 0; i < xhci->usb2_rhub.num_ports; i++) +- xhci_set_port_power(xhci, xhci->main_hcd, i, false, &flags); +- +- /* Power off USB3 ports*/ +- for (i = 0; i < xhci->usb3_rhub.num_ports; i++) +- xhci_set_port_power(xhci, xhci->shared_hcd, i, false, &flags); +- + /* Workaround for spurious wakeups at shutdown with HSW */ + if (xhci->quirks & XHCI_SPURIOUS_WAKEUP) + xhci_reset(xhci, XHCI_RESET_SHORT_USEC); +- spin_unlock_irqrestore(&xhci->lock, flags); ++ spin_unlock_irq(&xhci->lock); + + xhci_cleanup_msix(xhci); + +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index 3b29dfc6f79e3..3e6cb257fde5a 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -2145,8 +2145,6 @@ int xhci_hub_control(struct usb_hcd *hcd, u16 typeReq, u16 wValue, u16 wIndex, + int xhci_hub_status_data(struct usb_hcd *hcd, char *buf); + int xhci_find_raw_port_number(struct usb_hcd *hcd, int port1); + struct xhci_hub *xhci_get_rhub(struct usb_hcd *hcd); +-void xhci_set_port_power(struct xhci_hcd *xhci, struct usb_hcd *hcd, u16 index, +- bool on, unsigned long *flags); + + void xhci_hc_died(struct xhci_hcd *xhci); + +-- +2.35.1 + diff --git a/queue-4.19/sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch b/queue-4.19/sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch new file mode 100644 index 00000000000..74b4efeebcf --- /dev/null +++ b/queue-4.19/sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch @@ -0,0 +1,61 @@ +From 539cead4f643a346aa5697a982e1f621d4b3302c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 11:21:03 +0200 +Subject: sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 90fabae8a2c225c4e4936723c38857887edde5cc ] + +When the GSO splitting feature of sch_cake is enabled, GSO superpackets +will be broken up and the resulting segments enqueued in place of the +original skb. In this case, CAKE calls consume_skb() on the original skb, +but still returns NET_XMIT_SUCCESS. This can confuse parent qdiscs into +assuming the original skb still exists, when it really has been freed. Fix +this by adding the __NET_XMIT_STOLEN flag to the return value in this case. + +Fixes: 0c850344d388 ("sch_cake: Conditionally split GSO segments") +Signed-off-by: Toke Høiland-Jørgensen +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-18231 +Link: https://lore.kernel.org/r/20220831092103.442868-1-toke@toke.dk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_cake.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c +index 18c207b85d513..c0a6947545280 100644 +--- a/net/sched/sch_cake.c ++++ b/net/sched/sch_cake.c +@@ -1666,6 +1666,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + } + idx--; + flow = &b->flows[idx]; ++ ret = NET_XMIT_SUCCESS; + + /* ensure shaper state isn't stale */ + if (!b->tin_backlog) { +@@ -1726,6 +1727,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + + qdisc_tree_reduce_backlog(sch, 1-numsegs, len-slen); + consume_skb(skb); ++ ret |= __NET_XMIT_STOLEN; + } else { + /* not splitting */ + cobalt_set_enqueue_time(skb, now); +@@ -1849,7 +1851,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch, + } + b->drop_overlimit += dropped; + } +- return NET_XMIT_SUCCESS; ++ return ret; + } + + static struct sk_buff *cake_dequeue_one(struct Qdisc *sch) +-- +2.35.1 + diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..7da928f8564 --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1,12 @@ +drm-msm-dsi-fix-the-inconsistent-indenting.patch +drm-msm-dsi-fix-number-of-regulators-for-msm8996_dsi.patch +platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch +ieee802154-adf7242-defer-destroy_workqueue-call.patch +wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch +revert-xhci-turn-off-port-power-in-shutdown.patch +ethernet-rocker-fix-sleep-in-atomic-context-bug-in-n.patch +kcm-fix-strp_init-order-and-cleanup.patch +sch_cake-return-__net_xmit_stolen-when-consuming-enq.patch +tcp-annotate-data-race-around-challenge_timestamp.patch +revert-sch_cake-return-__net_xmit_stolen-when-consum.patch +net-smc-remove-redundant-refcount-increase.patch diff --git a/queue-4.19/tcp-annotate-data-race-around-challenge_timestamp.patch b/queue-4.19/tcp-annotate-data-race-around-challenge_timestamp.patch new file mode 100644 index 00000000000..54782d0523f --- /dev/null +++ b/queue-4.19/tcp-annotate-data-race-around-challenge_timestamp.patch @@ -0,0 +1,47 @@ +From 8cb08b30f9790edddaceff008b0dd59bd66b4b5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 11:56:55 -0700 +Subject: tcp: annotate data-race around challenge_timestamp + +From: Eric Dumazet + +[ Upstream commit 8c70521238b7863c2af607e20bcba20f974c969b ] + +challenge_timestamp can be read an written by concurrent threads. + +This was expected, but we need to annotate the race to avoid potential issues. + +Following patch moves challenge_timestamp and challenge_count +to per-netns storage to provide better isolation. + +Fixes: 354e4aa391ed ("tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Acked-by: Neal Cardwell +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index e1d065ea5a158..0be9d5d3c032f 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3468,11 +3468,11 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb) + + /* Then check host-wide RFC 5961 rate limit. */ + now = jiffies / HZ; +- if (now != challenge_timestamp) { ++ if (now != READ_ONCE(challenge_timestamp)) { + u32 ack_limit = READ_ONCE(net->ipv4.sysctl_tcp_challenge_ack_limit); + u32 half = (ack_limit + 1) >> 1; + +- challenge_timestamp = now; ++ WRITE_ONCE(challenge_timestamp, now); + WRITE_ONCE(challenge_count, half + prandom_u32_max(ack_limit)); + } + count = READ_ONCE(challenge_count); +-- +2.35.1 + diff --git a/queue-4.19/wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch b/queue-4.19/wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch new file mode 100644 index 00000000000..235b64d57a3 --- /dev/null +++ b/queue-4.19/wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch @@ -0,0 +1,41 @@ +From ba3f2279e63325227fe2f1d0343e412b27db0f61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 10:03:21 +0300 +Subject: wifi: cfg80211: debugfs: fix return type in ht40allow_map_read() + +From: Dan Carpenter + +[ Upstream commit d776763f48084926b5d9e25507a3ddb7c9243d5e ] + +The return type is supposed to be ssize_t, which is signed long, +but "r" was declared as unsigned int. This means that on 64 bit systems +we return positive values instead of negative error codes. + +Fixes: 80a3511d70e8 ("cfg80211: add debugfs HT40 allow map") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YutvOQeJm0UjLhwU@kili +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/debugfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/debugfs.c b/net/wireless/debugfs.c +index 30fc6eb352bcc..e6410487e25da 100644 +--- a/net/wireless/debugfs.c ++++ b/net/wireless/debugfs.c +@@ -68,9 +68,10 @@ static ssize_t ht40allow_map_read(struct file *file, + { + struct wiphy *wiphy = file->private_data; + char *buf; +- unsigned int offset = 0, buf_size = PAGE_SIZE, i, r; ++ unsigned int offset = 0, buf_size = PAGE_SIZE, i; + enum nl80211_band band; + struct ieee80211_supported_band *sband; ++ ssize_t r; + + buf = kzalloc(buf_size, GFP_KERNEL); + if (!buf) +-- +2.35.1 + -- 2.47.3